Show TOC

Changing Keystore Passwords With KeytoolLocate this document in the navigation structure

The keystore and truststore are used by both SAP Mobile Platform Server and Management Cockpit to manage certificates and keys, and are protected by a password. In production environments, the initial keystore password is set during installation. The keystore password must be the same as all the private-key passwords associated with the certificates in the store.


SAP recommends that you manage the keystore/truststore using Management Cockpit, instead of the keytool utility—see Managing Certificates.

SAP Mobile Platform includes two keystore files, with the same initial password:
  • local_smp_keystore.jks – created and maintained by the product installer; on each cluster node, stores certificates for the local server, from which you access Management Cockpit. These certificates are used for HTTPS connections.

  • smp_keystore.jks – maintained by system administrators; stores trusted certificates and PKCS #12 certificates for technical user back-end connections, and the truststore. This keystore syncs to all servers in a cluster, so you need not import these certificates into each node.


  1. Back up the contents of both keystore files, <SMP_HOME>\Server\configuration\smp_local_keystore.jks and <SMP_HOME>\Server\configuration\smp_keystore.jks.
  2. Use keytool -storepass and -keypass commands repeatedly to change the password of the keystore itself, and each of the passwords for all private keys in the store. Passwords for both must be the same.
  3. Configure the SAP Mobile Platform configuration to recognize the new password.
    1. Encrypt the new password by obtaining the secret key from the -DsecretKey property in <SMP_HOME>\Server\props.ini.
    2. Run the following the command:
      java -jar tools\cipher\CLIEncrypter.jar <secretKey> <newPassword>
      where <secretKey> is the secret key obtained from props.ini and <newPassword> is the new password for the keystore and truststore.
    3. Open <SMP_HOME>\Server\config_master\\ and update privateKeystorePass to replace the existing password with the new encrypted password, keeping {enc} as the prefix.
    4. Save the changes.
    5. Restart restart the server for the changes to take effect.
    Note In an SAP Mobile Platform cluster, you must repeat these steps and update the password on each node in the cluster. Alternately, you can copy the smp_keystore.jks and files to each node in the cluster; restart each server for the changes to take affect. If individual servers in the cluster have different CA-signed certificates for the smp_crt alias in the keystore, then those certificates must be reimported (with the newly defined password) before restarting the servers.