
SAP Business One B1i SSL Integration Installation (Details)

Main SAP Note 2019275


NOTE: This article has been adapted from the main SAP note and expanded
upon based on several installations.

Prerequisites

1. You need to have B1i installed


2. You need the current .keystore password located at: C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\conf\server.xml
3. Search the XML document for the keystorePass attribute. The default that I
have observed has been sapB1iP
4. You need a domain name associated with your raw IP address, for example
mobile.lhimports.com. This must resolve to their static IP
address with an A record in the subdomain's DNS.
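
The lookup in steps 2-3, as an added example (not part of the original article or the SAP note): a Python script that parses a Tomcat server.xml, lists each Connector that declares a keystore, and flags one still using the sapB1iP value the article reports as the default. The sample XML and the function name find_keystores are constructed for illustration; keystoreFile and keystorePass are the Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET

# Default observed by the article's author; a match means it was never changed.
DEFAULT_PASS = "sapB1iP"

# Constructed sample for illustration, not a real B1i server.xml.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="webapps/B1iXcellerator/.keystore"
               keystorePass="sapB1iP"/>
  </Service>
</Server>
"""


def find_keystores(server_xml_text):
    """Return one dict per Connector that declares a keystore."""
    root = ET.fromstring(server_xml_text.strip())
    results = []
    for conn in root.iter("Connector"):
        password = conn.get("keystorePass")
        keystore = conn.get("keystoreFile")
        if password is None and keystore is None:
            continue  # plain HTTP connector, no keystore to report
        results.append({
            "port": conn.get("port"),
            "keystore_file": keystore,
            "keystore_pass": password,
            "uses_default_pass": password == DEFAULT_PASS,
        })
    return results


if __name__ == "__main__":
    # To check a real installation, read the server.xml from the path in
    # step 2 and pass its text to find_keystores() instead of the sample.
    for entry in find_keystores(SAMPLE_SERVER_XML):
        flag = "DEFAULT PASSWORD" if entry["uses_default_pass"] else "custom password"
        print(f'port {entry["port"]}: {entry["keystore_file"]} ({flag})')
```
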

Initialize OpenSSL

1. Go to: http://slproweb.com/products/Win32OpenSSL.html
2. Download and install Visual C++ 2008 Redistributables (x64)
3. Download and install Win64 OpenSSL v1.0.2d Light
4. Install everything with default settings
5. Start Run and run “cmd /admin” or manually run Command Prompt as
Administrator. This is critical because otherwise it will give you various
failed RND errors, especially on Server 2012
6. Navigate to C:\OpenSSL-Win64\bin
7. Enter:
set OPENSSL_CONF=c:\openssl-win64\bin\openssl.cfg

8. WARNING: Carefully inspect your CMD outputs when entering the commands
below. If at any point you see the term “Unable to write ‘random state’”
then you need to enter the following:
set RANDFILE=.rnd

(NOTE: View these screenshots to see what a successful command
completion looks like, some of the commands do not produce a positive
confirmation, they simply advance to the next line. After a series of
commands, these screenshots will show you what the result should be.)

Create Root Server Certificate

(Keep in mind you can copy and paste these into the command prompt, but
you have to click the icon in the upper left, Edit >> Paste. CTRL + V will NOT
work!)
Anything highlighted in YELLOW needs to be modified, everything else
you can leave the same.
1. Enter:
openssl genrsa -out ServerKey.key 1024

2. Enter:
openssl req -new -x509 -key ServerKey.key -out myCA.cer -days 3650 -subj /CN="custom_CA_name"

3. custom_CA_name can be whatever you want and shows up later when
installing on the mobile devices as the profile name.

Create Self-Signed Certificate for Domain

1. Enter:
openssl genrsa -out ClientKey.key 1024
2. Enter:
openssl req -new -key ClientKey.key -out CertReq.csr -subj /CN="server_domain_name"
3. server_domain_name must be your subdomain which was created in
Prerequisites step #4. Something like mobile.yourcompanywebsite.com.
You will eventually feed this back to your mobile app using the server
mobile.yourcompanywebsite.com:8443 (or whatever your SSL port is).
This can simply be your IP address (209.253.12.153 for example, NO
PORT IS REQUIRED for this step just the IP address) as well and does
not need to have the HTTP:// or HTTPS:// in front of it. (*Special thanks
to Heath Gardner for testing the IP address theory and verifying that it
works.)

4. Enter:
openssl x509 -req -days 3650 -in CertReq.csr -CA myCA.cer -CAkey ServerKey.key -CAcreateserial -out ClientCert.crt

Deploy the Certificate

1. Enter:
openssl pkcs12 -export -inkey ClientKey.key -in ClientCert.crt -out keystore.pkcs12
2. You will be prompted to enter a password, which will be the password
from Prerequisites step #2-3 (should be sapB1iP). You will enter the
password, but you will not see anything in the command prompt, this is
NORMAL. You will have to confirm and you will also see nothing when
typing the confirmation password, this again is normal.

3. Manually copy (using regular File Explorer) the file C:\OpenSSL-Win64\bin\keystore.pkcs12 to C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/
4. In command prompt, change directory to C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat
5. NOTE: the next step might vary depending on your Windows Server
version. I have observed different behaviours.
6. Enter:
keytool

7. Push Enter
8. If the file is found and you see the help, then continue with the next
steps. If the file is NOT found, then go to “Deploy the Certificate
(Option #2)”.
9. NOTE: See screenshot after step 16 for successful confirmation
prompts.
10. Enter:
keytool -delete -alias tomcat -keystore ./webapps/B1iXcellerator/.keystore -storepass sapB1iP


11. Use your password from Prerequisites step #2. Likely to be sapB1iP.
12. Enter:
keytool -importkeystore -srckeystore ./webapps/B1iXcellerator/keystore.pkcs12 -srcstoretype PKCS12 -destkeystore ./webapps/B1iXcellerator/.keystore -deststoretype JKS -deststorepass sapB1iP -srcstorepass sapB1iP


13. Use your password from Prerequisites step #2. Likely to be sapB1iP.
14. Enter:
keytool -changealias -alias 1 -destalias tomcat -keystore ./webapps/B1iXcellerator/.keystore -storepass sapB1iP


15. Use your password from Prerequisites step #2. Likely to be sapB1iP.
16. All steps should be successful at this point:

Deploy the Certificate (Option #2)

1. If you do not find keytool installed in the environmental variables we have
to manually run the program from the exe directory and declare our
keystore files with their whole drive paths as follows.
2. In command prompt, change directory to C:\Program Files
(x86)\SAP\SAP Business One Integration\sapjre_7_64\jre\bin
3. This directory is where the keytool exists so we need to run the following
from here. To confirm you have the right directory, in the command
prompt enter: keytool and push enter and you should see a help prompt.
This means you have the correct directory.
4. NOTE: See screenshot after step 10 for successful confirmation
prompts.
5. Enter:
keytool -delete -alias tomcat -keystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -storepass sapB1iP


6. Use your password from Prerequisites step #2. Likely to be sapB1iP.
7. Enter:
keytool -importkeystore -srckeystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/keystore.pkcs12" -srcstoretype PKCS12 -destkeystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -deststoretype JKS -deststorepass sapB1iP -srcstorepass sapB1iP
8. Use your password from Prerequisites step #2. Likely to be sapB1iP.
9. Enter:
keytool -changealias -alias 1 -destalias tomcat -keystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -storepass sapB1iP


10. Use your password from Prerequisites step #2. Likely to be sapB1iP

Restart B1i Server

1. Find the “Run” prompt


2. Enter
services.msc

3. Shut down SAP Business One Integration Service, SAP Business One
EventSender Service, SAP Business One DI Proxy Service, SAP Business
One DI Proxy Service Monitor. Shut them down in that order.
4. Start them up in the same order you shut them down.

Installing on Your Devices

Procedure for iOS devices

1. Email C:\OpenSSL-Win64\Bin\myCA.cer file to the iOS device


2. NOTE: The certificate file will most likely not be visible in your mail
client (Outlook, etc.), you have to send it unzipped to the mobile
devices where it will be visible to install.
3. Click the email attachment to install the CA into the system

Procedure for Android devices

1. Copy the C:\OpenSSL-Win64\Bin\myCA.cer file via a microSD card onto
the Android device
2. Install the file via Settings -> Security -> Credential Storage and selecting
“Install from storage” and follow the prompts
