Changing Keystore and Truststore Passwords

The SAP Mobile Platform keystore and truststore, used by both SAP Mobile Platform Server and Management Cockpit to manage certificates and keys, are protected by a password. In production environments, the initial keystore password is set during installation. The keystore password must be the same as all the private key passwords associated with the aliases in the store.

Prerequisites

Before you begin, back up the contents of <SMP_HOME>\Server\configuration\smp_keystore.jks. This is the combined keystore and truststore for the server.

Context

In production environments, use the keytool utility to change the passwords for the keystore and truststore.

Procedure

  1. Use the keytool -storepasswd and -keypasswd commands repeatedly to change the password of the keystore itself and the password of each private key in the store. The keystore password and the private key passwords must be the same.
  2. Configure the SAP Mobile Platform configuration to recognize the new password.
    1. Encrypt the new password by obtaining the secret key from the -DsecretKey property in <SMP_HOME>\Server\props.ini.
    2. Run the following command:
      java -jar tools\cipher\CLIEncrypter.jar <secretKey> <newPassword>
      where <secretKey> is the secret key obtained from props.ini and <newPassword> is the new password for the keystore and truststore.
    3. Open <SMP_HOME>\Server\config_master\com.sap.mobile.platform.server.foundation.config.encryption\com.sap.mobile.platform.server.foundation.config.encryption.properties and update privateKeystorePass to replace the existing password with the new encrypted password, keeping {enc} as the prefix.
    4. Save the changes.
    5. Restart the server for the changes to take effect.
    Note: In an SAP Mobile Platform cluster, you must repeat these steps and update the password on each node in the cluster. Alternatively, you can copy the smp_keystore.jks and encryption.properties files to each node in the cluster. Then you must restart the servers for the changes to take effect. If individual servers in the cluster have different CA-signed certificates for the smp_crt alias in the keystore, then those certificates must be re-imported (with the newly defined password) before restarting the server.
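
The backup prerequisite and step 1 of the procedure, as an added PowerShell example (not SAP-supplied code). It assumes keytool is on the PATH, the store is in JKS format, and keytool prints English labels; the -SmpHome parameter and the helper name Read-Plain are introduced here for illustration.

```powershell
# Added example, not SAP code. Assumes keytool is on PATH, the store is JKS,
# and keytool prints English labels. -SmpHome is your <SMP_HOME> directory.
param([Parameter(Mandatory)][string]$SmpHome)
$ErrorActionPreference = 'Stop'
$ks = Join-Path $SmpHome 'Server\configuration\smp_keystore.jks'

function Read-Plain([string]$Prompt) {
    # Prompt without echo; keytool needs the value as plain text.
    $s = Read-Host -Prompt $Prompt -AsSecureString
    [System.Net.NetworkCredential]::new('', $s).Password
}
$old = Read-Plain 'Current keystore password'
$new = Read-Plain 'New keystore password'

# Prerequisite from the page: back up the combined keystore/truststore first.
$backup = "$ks.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ks -Destination $backup

# Collect the aliases that hold a private key (trusted certs have no key password).
$listing = & keytool -list -v -keystore $ks -storepass $old
if ($LASTEXITCODE -ne 0) { throw 'keytool -list failed; check the current password.' }
$current = $null
$keyAliases = @(foreach ($line in $listing) {
    if ($line -match '^Alias name:\s*(.+)$') { $current = $Matches[1].Trim() }
    elseif ($line -match '^Entry type:\s*PrivateKeyEntry' -and $current) { $current }
})

# Change every private-key password, then the store password, to the same value.
# Note: passwords passed as arguments are visible in the process list while keytool runs.
foreach ($a in $keyAliases) {
    & keytool -keypasswd -alias $a -keystore $ks -storepass $old -keypass $old -new $new
    if ($LASTEXITCODE -ne 0) { throw "keypasswd failed for '$a'; restore $backup" }
}
& keytool -storepasswd -keystore $ks -storepass $old -new $new
if ($LASTEXITCODE -ne 0) { throw "storepasswd failed; restore $backup" }

# Verify: -certreq must unlock the private key, so it fails if a key password differs.
foreach ($a in $keyAliases) {
    & keytool -certreq -alias $a -keystore $ks -storepass $new -keypass $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Key '$a' does not open with the new password." }
}
"Updated $($keyAliases.Count) private key(s); backup at $backup"
```

The script stops before step 2: the new password still has to be encrypted with CLIEncrypter.jar and written to privateKeystorePass. Remove or secure the .bak copy once the server has restarted successfully, since it still opens with the old password.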