How to import .cer certificate to HCI keystore

Nov 01, 2017 at 02:03 PM

914

Former Member

Hi All

I am having difficulty understanding how to upload the .cer certificate to the HCI keystore, as it only accepts the .jks or .jceks format there. I tried saving the same file as .jks, but it was of no help.

Kindly shed some light on it.

Thanks a lot

Naina


5 Answers

Best Answer
Sriprasad Shivaram Bhat
Nov 02, 2017 at 07:58 AM
0

Hello Naina,

You will not be able to upload the certificates directly from Eclipse like earlier by appending certificates to System.jks. Now you have to follow the steps below in the WEBUI.

Blog 1: ( to Get overview of how to generate JKS file )

https://blogs.sap.com/2017/06/19/cloud-integration-how-to-setup-secure-outbound-http-connection-using-keystore-monitor/

Blog 2: ( How to upload JKS to CPI tenant via WEBUI and Make your scenario working)

https://blogs.sap.com/2017/06/19/cloud-integration-keystore-monitor-now-available-for-tenant-administrator/

Blog 3: ( How to take a backup of certificates via WEBUI )

https://blogs.sap.com/2017/08/14/cloud-integration-backuprestore-using-keystore-monitor/

Let me know if you still find any difficulties with certificates.

Regards,

Sriprasad Shivaram Bhat

Former Member

Hi Sriprasad

I need a major help here.

My client has only provided a sha384RSA 2048 certificate with PKCS padding (.cer). They say it should be used for encryption in HCI as MLS. Also, they asked to use Base 64 encoding after the encryption is done.

They have not provided any public key or anything apart from that.

So for TLS I downloaded the public certificates from their website and that works fine.

Also, I used Keystore Explorer to add this .cer to a newly created Java keystore and added it to my HCI keystore

https://******.ap1.hana.ondemand.com/itspaces/shell/monitoring/Keystore

It is not encrypting by itself.

What should be the next step to call their .cer (sha384RSA 2048 certificate with PKCS padding) in my scenario?

It's very urgent and I am not able to find any solution to this.

  • Do I need to get more keys?
  • Do I need to use a Java program to encrypt here?

Please help me with this.

Regards

Naina

0
Manoj K Nov 01, 2017 at 05:44 PM
1

In HCI you need to create a Java Key Store. Don't rename the certificate; that is invalid.

Check these blogs: HCI Certificates.

And also please tag your query to HCI.

Br,

Manoj

Former Member

Hi Manoj

Thanks for your reply. Can you help me with my question above?

0
Former Member Nov 02, 2017 at 06:14 AM
0

Hi Manoj

I can see system.jks in deployed artifacts and I want to download it in order to add the .cer certificate to it, but the field is disabled there.

Can I create a fresh keystore using the Keystore Explorer tool, add the cert to it and upload it? Will it work?

Kindly help.

Former Member Nov 09, 2017 at 06:34 AM
0

Manoj,

Need urgent help... please share your email ID.


Hi Naina,

MLS (Message Level Security) is a concept to encrypt/sign the outgoing message using the third-party-provided certificate (encryption) or using your own private key (signing).

As you already have the third-party certificate, you need to use that to encrypt the message in HCI. I believe you are using the SOAP adapter, so you need to select WS-Security and configure accordingly.

Sorry, currently I don't have HCI tenant access to provide you the screenshot.

Check this and this link.

Can you follow me so that I can message you personally?

Br,

0
Former Member
Manoj K

Hi Manoj

Followed....

I have a basic question for you, as I am doing MLS for the first time in HCI.

I have the client's .cer certificate where he has used

  • Asymmetrically encrypt the encoded request with RSA /ECB/PKCS1
  • Base 64 Encode the request using UTF-8 Character Encoding

So what I did is I tried downloading system.jks from deployed artifacts, but the download button is disabled... so I used Keystore Explorer to create a new keystore of type .jks and added the client's certificate (.cer) along with the client's public certificate that I downloaded from their site.

****Client is using JSON post so I am using the HTTP adapter in HCI... The scenario is that I am pushing JSON data from the Postman tool to HCI and HCI calls the client's URL to post data into their system. The client wants the data to be encrypted using their .cer certificate and then they will decrypt using their private key.

So the next step I tried is using the PKCS7Encryptor of HCI to use the certificate using its alias from the HCI keystore, but it's of no use.

Is there anything that I am missing to incorporate MLS here?

Or is it that system.jks should be downloaded only from deployed artifacts?

Also, the certificate of HCI I have doesn't contain a private key... how to get that, Manoj?

I'll be really grateful if you can help.

0

As per the blog, there is no restriction to use the existing system.jks keystore. You can create your own keystore as well.

To add the root certificate of the receiver system's private key, open an existing keystore in Keystore Explorer or create a new keystore. Easiest is to just create a new one; select JCEKS as the type for the new keystore.

I am not sure if HTTP has an inbuilt MLS feature; if not, then you have to go for a script.

And the private key for your tenant would usually be sent in the initial mail from SAP with your tenant/management/runtime URL; however, you can create a new pair as well. link

Please re-tag your query to : SAP Cloud Platform Integration for process services

1
Nitin Deshpande Nov 10, 2017 at 06:24 AM
0

Hello Naina,

You need to use the .cer file provided by your 3rd party in the Public key alias of PKCS7 encryptor. And to upload this .cer file to keystore, you need to create a .jks file. You can use the system.jks file if you know the password of it, else create a new .jks file and upload it to HCI keystore.

You can use keystore explorer to add the .cer file. Once uploaded use the alias of .cer file in PKCS7 encryptor.

Regards,

Nitin Deshpande

Former Member

I did the same, but my client doesn't want to use any symmetric key at their end... just RSA/ECB/PKCS#1 padding they are using.

How to use the PKCS encryptor in that case, as it's mandatory to use one of the content encryption algos there?

0
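Added example, not part of the original thread and not SAP's code: the scheme the thread describes (RSA/ECB/PKCS1 encryption with the public key from the partner's .cer, then Base64 of the ciphertext) in plain Java, including the size limit that direct RSA encryption imposes, which is 245 bytes of plaintext for a 2048-bit key. The class and method names, the sample JSON and the generated key pair standing in for the partner's keys are assumptions made for the demo.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import javax.crypto.Cipher;

public class RsaPkcs1Demo { // hypothetical class name
    // Reads the public key out of an X.509 .cer file (DER or PEM encoded).
    static PublicKey publicKeyFromCer(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
        }
    }

    // RSA/ECB/PKCS1Padding over the UTF-8 bytes, then Base64 of the ciphertext.
    static String encrypt(String payload, PublicKey key) throws Exception {
        byte[] plain = payload.getBytes(StandardCharsets.UTF_8);
        // PKCS#1 v1.5 padding needs 11 bytes, so RSA-2048 takes at most 245 bytes.
        int max = (((RSAPublicKey) key).getModulus().bitLength() + 7) / 8 - 11;
        if (plain.length > max) {
            throw new IllegalArgumentException("payload is " + plain.length + " bytes, limit is " + max);
        }
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(rsa.doFinal(plain));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the partner's key pair so the demo runs without their files.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair();
        PublicKey pub = args.length > 0 ? publicKeyFromCer(args[0]) : partner.getPublic();

        String json = "{\"orderId\":\"constructed-123\",\"amount\":10}"; // constructed sample payload
        String b64 = encrypt(json, pub);
        System.out.println(b64);

        if (args.length == 0) { // only the demo holds a private key; the partner does this step
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.DECRYPT_MODE, partner.getPrivate());
            System.out.println(new String(rsa.doFinal(Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8));
        }
    }
}
```

Pass the path to the partner's .cer as the first argument to encrypt with their real public key; the round-trip decryption is then skipped because only they hold the private key.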