2019275 - SAP Business One Mobile Apps Require a Valid SSL Certificate

2019275 - SAP Business One mobile apps require a valid SSL certificate

1 of 4

https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/u...

SAP Business One Notes

2019275 - SAP Business One mobile apps require a valid SSL certificate Version 9 active

Validity: 20.11.2014 -

Language English

Symptom To ensure the highest security standard for your company and your business data, SAP will introduce the exclusive use of valid SSL certificates. Securing your SAP Business One mobile application with a valid SSL certificate can be crucial. Fortunately, it is quite simple to do this. In some situations it is required that you buy a trusted certificate, but there are many cases where you can generate and use a self-signed certificate for free. Be aware that SAP cannot cover all possible security aspects due to customerspecific requirements and conditions. The mobile app needs to be embedded into each customer’s specific security concept. Nevertheless, some manual action is required. In this SAP Note, SAP presents examples of how to obtain and install valid certificates. For more details, technical backgrounds or questions please consult your partner or the diverse information sources that are available on this standard security technology. SAP enhances the security of the SAP Business One mobile app on SSL connections gradually in the following way: 1. 1st security stage - Using valid certificates is RECOMMENDED Starting with SAP Business One mobile app 1.10.0 for iOS and SAP Business One mobile app 1.1.4 for Android (both available), the apps show this warning message during the logon phase if no valid SSL certificate is deployed: The certificate for this server was not issued by a trusted certificate authority. In future version the connection to the server will be disabled until valid certificate is deployed. Contact your IT administrator for more details If this message comes up, users can continue working with the app as usual by tapping Continue. In this stage, this message is shown by default. To suppress the message for the user in this app versions permanently, disable the parameter 'Enforce Certificate Check' in the settings for SAP Business One mobile app on the device. 2. 2nd security stage - Using valid certificates is MANDATORY Starting with SAP Business One mobile app 1.11.x for iOS and mobile app 1.2.x for Android, a SSL connection without a valid SSL certificate is not possible anymore. The mobile apps will show this message at logon: The certificate for this server was not issued by a trusted certificate authority. The connection to the server is disabled. Contact your IT administrator for more details In this stage, connections without a valid SSL certificate are not possible anymore. SAP Business One mobile app 1.2 for Android and mobile app 1.11. for iOS are both planned to be delivered at the end of January 2015. Please check the SAP Business One Patch delivery schedule.

Solution The following informs on how to keep or make SAP Business One mobile apps working with valid certificates. Using valid certificates is strongly recommended at the 1st security stage (valid certificates RECOMMENDED), and mandatory at the 2nd security stage (valid certificates MANDATORY). A.) How to obtain a valid certificate Please Note: SAP cannot give recommendations when to use a self-signed certificate or a signed certificate from trusted third party. The selection depends on the specific use and the selected environment, as for example VPN, development/test systems, intranet/internet solutions, value / type of transferred information, incentive for someone to attack the connection, security needs, etc. Please read the following instructions carefully and pay attention to uppercase and lowercase (entries are

29/01/2015 9:45 a. m.


2 of 4


case-sensitive)! Note: For the keytool commands mentioned below, you need the following information:

keytool.exe location: ./SAP Business One Integration/sapjre_7_64/jre/bin/ (for 64-bit Windows system) or ./SAP Business One Integration/sapjre_7_32/jre/bin/ (for 32-bit Windows system) Keystore file: ./webapps/B1iXcellerator/.keystore (relative to the Tomcat base directory) Keystore password (): Find the default password in the ./Tomcat/conf/server.xml file in the keystorePass attribute Key password (): The default key password is the same as the keystore password Key alias: tomcat Generally there are two options to obtain a valid certificate: I. Purchase a signed certificate from trusted third party certification authority (CA) vendor 1. To delete the self-signed certificate from the keystore: keytool -delete -alias tomcat -keystore ./webapps/B1iXcellerator /.keystore -storepass 2. To generate a key pair: keytool -genkeypair -validity 3650 -keyalg RSA -storepass -keypass -dname "CN=server_domain_name" -alias tomcat -keystore ./webapps/B1iXcellerator/.keystore 3. To generate a certificate signing request (CSR): keytool -certreq -keyalg RSA -file mycsr.csr -keystore ./webapps /B1iXcellerator/.keystore -storepass -keypass 4. Send the CSR file to a CA 5. The CA sends a certificate request response to you that contains the signed public-key certificate 6. Deploy the trusted CA signed certificate on the SAP Business One Integration Framework (B1i) server: a. Either you can modify the existing B1i keystore file by: keytool -importcert -trustcacerts -alias tomcat -file mycsr.crt –keystore ./webapps/B1iXcellerator/.keystore -storepass -keypass (mycsr.crt contains the certificate the CA issued to you) b. Or you can replace the existing keystore file by the CA signed certificate according to the instruction provided by CA vendor II. Create a self-signed certificate 1. Create your own root CA (if it does not exist for other reason)

Create a private key file: openssl genrsa -out ServerKey.key 1024 Create the certificate (to be deployed to mobile devices): openssl req -new -x509 -key ServerKey.key -out myCA.cer -days 3650 -subj /CN="custom_CA_name" 2. Create self-signed certificate for multiple servers

Create a private key: openssl genrsa -out ClientKey.key 1024 Create the CSR (Client Signing Request): openssl req -new -key ClientKey.key -out CertReq.csr -subj /CN="server_domain_name" Use the CSR to create the certificate based on your own CA key file: openssl x509 -req -days 3650 -in CertReq.csr -CA myCA.cer -CAkey ServerKey.key -CAcreateserial -out ClientCert.crt 3. Deploy the self-signed certificate on the SAP Business One Integration Framework (B1i) server

Create a PKCS12 keystore and import: openssl pkcs12 -export -inkey ClientKey.key -in ClientCert.crt -out keystore.pkcs12 (The default export key password is the same as the keystore password) Delete the original self-signed certificate from the keystore: keytool -delete -alias tomcat -keystore ./webapps /B1iXcellerator/.keystore -storepass Copy keystore.pkcs12 to B1 Integration Framework (B1i) server (e.g. ./webapps/B1iXcellerator/keystore.pkcs12) to make sure that it can be accessible by keytool Convert PKCS12 keystore into Java keystore: keytool -importkeystore -srckeystore ./webapps/B1iXcellerator /keystore.pkcs12 -srcstoretype PKCS12 -destkeystore ./webapps/B1iXcellerator/.keystore -deststoretype JKS -deststorepass -srcstorepass Change the default alias name to tomcat: keytool -changealias -alias 1 -destalias tomcat -keystore ./webapps /B1iXcellerator/.keystore -storepass B.) Relevant only for option A II.: Install your own created root CA certificate on mobile devices Procedure for iOS devices Email myCA.cer file to the iOS device Click the email attachement to install the CA into the system Procedure for Android devices Copy the myCA.cer file via a microSD card onto the Android device Install the file via Settings -> Security -> Credential Storage and selecting “Install from storage” and follow the prompts

29/01/2015 9:45 a. m.


3 of 4


Other terms 该服务器证书不是由可信证书机构颁发。与该服务器的连接已禁用。有关更多详细信息,请联系系统管理员 Certifikát pro tento server nebyl vydán důvěryhodnou certifikační autoritou. Připojení k serveru je zakázáno. Další informace získáte od správce systému. Certifikatet til denne server blev ikke udstedt af en betroet certifikatmyndighed. Forbindelsen til serveren er inaktiveret. Kontakt systemadministrator for flere detaljer. Het certificaat voor deze server is niet afgegeven door een vertrouwde certificaatautoriteit. De verbinding met de server is uitgeschakeld. Neem contact op met uw systeembeheerder voor meer details. Tämän palvelimen varmenne ei ole luotettavan varmentajan myöntämä. Yhteys palvelimeen on katkaistu. Lisätietoja saat ottamalla yhteyttä järjestelmän pääkäyttäjään. Le certificat pour ce serveur n'a pas été émis par une autorité de certification de confiance. La connexion au serveur est désactivée. Contactez votre administrateur système pour plus de détails. Das Zertifikat für diesen Server wurde nicht von einer vertrauenswürdigen Zertifizierungsstelle ausgestellt. Die Verbindung zum Server ist deaktiviert. Weitere Informationen erhalten Sie von Ihrem Systemadministrator. Το πιστοποιητικό για αυτόν τον διακομιστή δεν χορηγήθηκε από αξιόπιστη αρχή έκδοσης πιστοποιητικών. Η σύνδεση με τον διακομιστή απενεργοποιήθηκε. Επικοινωνήστε με τον διαχειριστή συστήματος για περισσότερες λεπτομέρειες. ‫ צור קשר עם מנהל המערכת של‬,‫ לפרטים נוספים‬.‫ החיבור לשרת הופסק‬.‫ידי רשות אישורים מהימנה‬-‫האישור עבור שרת זה לא נופק על‬. A szerver tanúsítványát nem megbízható hitelesítésszolgáltató bocsátotta ki. A szerverrel való kapcsolat letiltva. További részletekért forduljon a rendszergazdához. Il certificato per questo server non è stato emesso da un'autorità di certificazione fidata. La connessione al server viene disattivata. Contattare l'amministratore di sistema per ulteriori dettagli. このサーバの証明書は信頼できる認証機関によって発行されていませんサーバへの接続は無効です詳細についてはシステム管理者に連絡してください 이 서버의 인증서는 신뢰할 만한 인증 기관에서 발급되지 않았습니다. 이 서버에 연결할 수 없습니다. 자세한 내용은 시스템 관리자에 게 문의하십시오. Sertifikatet for denne serveren er ikke utstedt av en klarert sertifiseringsinstans. Forbindelsen til serveren er deaktivert. Kontakt systemansvarlig for å få mer informasjon. Uprawiona jednostka certyfikująca nie stworzyła certyfikatu dla tego serwera. Połączenie z serwerem zostało przerwane. Skontaktuj się ze swoim administratorem systemu w celu uzyskania dodatkowych informacji. O certificado desse servidor não foi emitido por uma autoridade certificado confiável. A conexão ao servidor está desativada. Contate seu administrador sistema p/mais detalhes. O certificado para este servidor não foi emitido por uma autoridade de certificados de confiança. A ligação ao servidor está desativada. Contactar o administrador do sistema para obter mais detalhes. Сертификат для этого сервера не был выдан доверенным центром сертификации. Соединение с сервером прервано. За дальнейшей информацией обратитесь к системному администратору. Certifikát pre tento server nebol vydaný dôveryhodnou certifikačnou autoritou. Pripojenie k serveru je deaktivované. Ďalšie informácie získate od správcu systému. El certificado para este servidor no se emitió por una autoridad de certificación de confianza. Se desactiva la conexión al servidor. Contacte a su administrador de sistema para obtener más detalles. El certificado para este servidor no se emitió por una autoridad de certificación de confianza. Se desactiva la conexión al servidor. Contacte a su administrador de sistema para más detalles. Certifikatet för denna server har inte utfärdats av en betrodd certifikatsutfärdare. Anslutningen till servern är inaktiverad. Kontakta systemadministratören för mer information. Bu sunucu için sertifika güvenilir bir sertifika yetkilisi tarafından çıkarılmadı. Sunucuya bağlantı devre dışı bırakıldı. Daha fazla ayrıntı için sistem yöneticinize başvurun.

Header Data Released On 21.11.2014 12:28:25 Release Status Released for Customer Component SBO-INT-MOB Mobile Applications Priority HotNews Category Consulting

Validity Software Component SAP B1 ANDROID APPLICATIONS SAP B1 IOS APPLICATIONS SAP B1 VERSION FOR SAP HANA

SAP BUSINESS ONE

Version 1.1 SAP B1 APP FOR IOS 1.10.X 8.82 9.0 9.1 8.8

29/01/2015 9:45 a. m.


4 of 4


8.81 8.82 9.0 9.1

References This document is referenced by: SAP Business One Notes (3) 1602674 SAP Business One mobile app for iOS - Troubleshooting and compatibility information 1924930 SAP Business One mobile app for Android - Troubleshooting and compatibility information 2032767 Overview Note for SAP Business One mobile app 1.10.0 for iOS

29/01/2015 9:45 a. m.

2019275 - SAP Business One Mobile Apps Require a Valid SSL Certificate

Recommend Documents