Changing Keystore Passwords With Keytool

The keystore and truststore are used by both SAP Mobile Platform Server and Management Cockpit to manage certificates and keys, and are protected by a password. In production environments, the initial keystore password is set during installation. The keystore password must be the same as all the private-key passwords associated with the certificates in the store.


SAP recommends that you manage the keystore/truststore using Management Cockpit, instead of the keytool utility—see Managing Certificates.

SAP Mobile Platform includes two keystore files, with the same initial password:
  • local_smp_keystore.jks – created and maintained by the product installer; on each cluster node, stores certificates for the local server, from which you access Management Cockpit. These certificates are used for HTTPS connections.

  • smp_keystore.jks – maintained by system administrators; stores trusted certificates and PKCS #12 certificates for technical user back-end connections, and the truststore. This keystore syncs to all servers in a cluster, so you need not import these certificates into each node.


  1. Back up the contents of both keystore files, <SMP_HOME>\Server\configuration\smp_local_keystore.jks and <SMP_HOME>\Server\configuration\smp_keystore.jks.
  2. Use keytool -storepass and -keypass commands repeatedly to change the password of the keystore itself, and each of the passwords for all private keys in the store. Passwords for both must be the same.
  3. Configure the SAP Mobile Platform configuration to recognize the new password.
    1. Encrypt the new password by obtaining the secret key from the -DsecretKey property in <SMP_HOME>\Server\props.ini.
    2. Run the following the command:
      java -jar tools\cipher\CLIEncrypter.jar <secretKey> <newPassword>
      where <secretKey> is the secret key obtained from props.ini and <newPassword> is the new password for the keystore and truststore.
    3. Open <SMP_HOME>\Server\config_master\\ and update privateKeystorePass to replace the existing password with the new encrypted password, keeping {enc} as the prefix.
    4. Save the changes.
    5. Restart restart the server for the changes to take effect.