SAP PI/PO supports client certificate authentication using a Java KeyStore. However, to enable it, users have to generate the KeyStore outside of PI/PO. This article outlines the steps that users must follow to generate a KeyStore using KeyStore Explorer, a third-party tool, and import it into PI/PO. So, let’s start.
- First, make sure that you have JDK or JRE installed on the local system.
- Now, set the JAVA_HOME environment variable to the JDK or JRE folder.
- Verify that JAVA_HOME is set properly by running echo %JAVA_HOME%. This will show the path to the JRE or JDK.
- Next, we need to create a KeyStore. Open KeyStore Explorer (this is freeware and can be downloaded from https://keystore-explorer.org/downloads.html), and go to ‘Create a new KeyStore’. PI/PO needs PKCS12, so select that option.
- Fill in the required entries.
- Now generate the CSR Request.
- Send the CSR request to a certificate issuing authority. Ask them to provide the CA certificate as well.
- Once the CSR response is received, go to KeyStore Explorer, and open the Private Key.
- Import the CSR Response.
- Log in to SAP PI/PO, and go to “Certs”->TrustedCAs. Also, import the Private Key.
- Click ‘Import CSR Response’.
- Click ‘Choose File’, select the CA certificate, press ‘Add’, and select the CSR response.
- Select ‘Import’. This should show you the Private Key as well as the certificate for it.
- Once done, make sure that the SSL certificate chain associated with the HTTPS URL is also imported into PI.
- Open the SSL URL in the browser, and download all the SSL certificates.
- Import certificates in Certs->TrustedCA.
- In the communication channel, specify the Private Key. There is no need to specify the SSL certificates in the communication channel.
Using the above-mentioned steps, you can successfully set up client certificate authentication in SAP PI/PO. Please note that some vendors accept self-signed certificates. In such a case, you can generate the CSR Response by yourself (no need to send the CSR request to a certificate-signing authority). However, the majority of vendors need certificates signed by third-party authorities. In that scenario, you need to send the CSR request to them, and pay a certain fee to get the CSR Response back.
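
Before importing the Private Key into PI/PO, it is worth confirming that the PKCS12 file really contains the private key, the matching CSR response and the CA certificate. The script below is an added example, not part of the original article or of SAP or KeyStore Explorer; it assumes a POSIX shell with the OpenSSL CLI, and the function names, the `P12_PASS` variable and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a PKCS12 keystore before importing it into PI/PO.
# Assumes the OpenSSL CLI; the password comes from the exported variable P12_PASS.

# check_p12 FILE: return 0 only if the keystore opens, the leaf certificate
# belongs to the private key, is not expired, and chains to a root in the file.
check_p12() {
  f=$1; rc=0
  t=$(mktemp -d) || return 1
  # Export all certificates, then only the one bound to the private key (leaf).
  openssl pkcs12 -in "$f" -passin env:P12_PASS -nokeys -out "$t/all.pem" 2>/dev/null &&
    openssl pkcs12 -in "$f" -passin env:P12_PASS -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null ||
    { echo "FAIL: cannot open keystore (wrong password or not PKCS12)"; rm -rf "$t"; return 1; }
  # Compare public keys; the private key is piped between processes, not written to disk.
  key_pub=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$t/leaf.pem" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
    { echo "FAIL: certificate does not match the private key"; rc=1; }
  openssl x509 -in "$t/leaf.pem" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: leaf certificate has expired"; rc=1; }
  # Completeness check, not a trust decision: the keystore's own certificates
  # act as the trust store, so a missing CA certificate fails here.
  openssl verify -CAfile "$t/all.pem" "$t/leaf.pem" >/dev/null 2>&1 ||
    { echo "FAIL: chain incomplete (CA certificate missing from keystore?)"; rc=1; }
  echo "certificates in keystore: $(grep -c 'BEGIN CERTIFICATE' "$t/all.pem")"
  rm -rf "$t"
  return "$rc"
}

# make_demo_p12 DIR: constructed sample data. Builds a throwaway CA, a client key,
# a CSR and its response, then demo.p12 (with CA cert) and nochain.p12 (without).
make_demo_p12() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Demo CA" -days 30 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/CN=constructed-pi-client" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/client.crt" -days 30 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" -certfile "$d/ca.crt" \
    -name demo -passout env:P12_PASS -out "$d/demo.p12" &&
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
    -name demo -passout env:P12_PASS -out "$d/nochain.p12"
}

# Usage: export P12_PASS, then run this script with the keystore path as its argument.
if [ "$#" -eq 1 ]; then check_p12 "$1"; fi
```

A self-signed keystore passes the chain check with a count of one certificate; a CA-signed keystore exported without the CA certificate fails it.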