This document provides instructions for manually creating a self-signed certificate to enable secure communication between the SAP Business One mobile app and the on-premise Integration Framework server. It describes how to install and configure OpenSSL, generate a private key and root CA certificate, import the certificate into the Integration Framework keystore, and install the root CA on mobile devices. Following these steps ensures a secure connection without certificate warnings when accessing the Integration Framework via HTTPS on mobile devices.
C. Create a self-signed certificate manually
For Integration Framework (B1i) versions below 1.22.0 (up to SAP Business One 9.1 PL07 and SAP Business One 9.1, version for SAP HANA PL07), this is the recommended way to create a self-signed certificate. Devices from different vendors may have different requirements for certificates, which are outside the scope of our SAP solution. The following method should work on most mobile devices. If an issue is encountered, please consult the device vendor for the requirement.

1. Install and configure OpenSSL

In a Windows environment, OpenSSL is not pre-installed. You have to download and install it. Please refer to https://www.openssl.org. The default installation path is C:\OpenSSL-Win64 (for 64-bit Windows systems) or C:\OpenSSL-Win32 (for 32-bit Windows systems).

Go to the OpenSSL folder, open the bin\openssl.cfg file in a text editor, apply the changes below, and save the file:

- Find the [ CA_default ] section and change the line
    # copy_extensions = copy
  to
    copy_extensions = copy
- Find the [ v3_ca ] section and change the line
    # subjectAltName=email:copy
  to
    subjectAltName=@alt_names
- Under the [ v3_ca ] section, add the line
    extendedKeyUsage = serverAuth
- Go to the end of the file and add one of the sections below:

  If the Business One mobile app is going to connect with an IP address:
    [ alt_names ]
    IP.1=xxx.xxx.xxx.xxx

  If the Business One mobile app is going to connect with the server domain name:
    [ alt_names ]
    DNS.1=server_domain_name

2. Create your own root CA (if one does not already exist for another reason)

2.1. Open Windows Command Prompt as administrator and change to the OpenSSL bin folder (for example, cd C:\OpenSSL-Win64\bin).

2.2. Before using OpenSSL, run the command:
    set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
(for 64-bit Windows systems) or
    set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
(for 32-bit Windows systems)

2.3. Create a private key file:
    openssl genrsa -out ServerKey.key 2048

2.4. Create the certificate file myCA.cer (to be deployed to the mobile devices):
    openssl req -x509 -new -key ServerKey.key -sha256 -days 825 -out myCA.cer -subj /C=CN/O=SAP/OU=B1/CN=server_domain_name_or_ip_address

NOTE: server_domain_name_or_ip_address must be exactly the same value used for the Server field in the SAP Business One mobile app settings (for example, the server domain name or the server IP address, excluding the port).

NOTE: server_domain_name_or_ip_address must be accessible from the mobile devices. For any questions, please refer to SAP Note 1776825.

3. Deploy the self-signed certificate on the SAP Business One Integration Framework (B1i) server

3.1. Read the Keytool command usage section carefully before proceeding.

3.2. Create a PKCS12 keystore:
    openssl pkcs12 -export -out keystore.p12 -inkey ServerKey.key -in myCA.cer
(For the Export Password, please enter the default Keystore password.)

3.3. Copy the keystore.p12 file to the Xcellerator folder of the SAP Business One Integration Framework (B1i) server (..\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\keystore.p12) so that keytool can access it.

3.4. In the Command Prompt, change to the SAP Business One Integration Framework jre bin folder according to your system (for example, cd C:\Program Files (x86)\SAP\SAP Business One Integration\sapjre_64\bin for 64-bit Windows systems).

NOTE: Different SAP Business One Integration Framework versions may have a different name for this folder (for example, sapjre_7_64).

3.5. Delete the original self-signed certificate from the keystore:
    keytool -delete -alias tomcat -keystore "C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\.keystore" -storepass <keystore_password>

3.6. Import the PKCS12 keystore into the Java keystore:
    keytool -importkeystore -srckeystore "C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\keystore.p12" -srcstoretype PKCS12 -destkeystore "C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\.keystore" -deststoretype JKS -deststorepass <keystore_password> -srcstorepass <keystore_password>

3.7. Change the default alias name to tomcat:
    keytool -changealias -alias 1 -destalias tomcat -keystore "C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\.keystore" -storepass <keystore_password>

4. Restart the SAP Business One Integration Service from the Services window

5. Install your own root CA certificate (myCA.cer file) on mobile devices

The Server field in the SAP Business One mobile app settings must use the same address used in step 2.4 above to create the myCA.cer file.

NOTE: In the iOS mobile app, the Server field must also have the port number.

Procedure for iOS devices
- Email the myCA.cer file to the iOS device.
- Click the email attachment to install the CA into the system.
- Set the certificate as trusted on the device in: Settings > General > About > Certificate Trust Settings

Procedure for Android devices
- Copy the myCA.cer file via a microSD card onto the Android device.
- Install the file via Settings > Security > Credential Storage > Install from storage, and follow the prompts.

6. Verify that the certificate has been successfully imported

Check access to SAP Business One Integration Framework via the https port (for example, open https://<servername/IP>:8443 in the browser of the mobile device). If successful, you should not receive any warning regarding https/certificates.

Keytool command usage

** Please read the following instructions carefully and pay attention to uppercase and lowercase (entries are case-sensitive)! **

- keytool.exe location: ..\SAP Business One Integration\sapjre_64\jre\bin\ (for 64-bit Windows systems) or ..\SAP Business One Integration\sapjre_32\jre\bin\ (for 32-bit Windows systems)
- Keystore file: ..\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator\.keystore
- Keystore password (<keystore_password>): Find the default password in the ..\SAP Business One Integration\IntegrationServer\Tomcat\conf\server.xml file in the keystorePass attribute (for SAP Business One 9.2 PL07 and integration framework version 1.22.10 or higher, the value of keystorePass is encrypted and can be modified as outlined in SAP Note 2405043)
- Alias key password (<key_password>): The default key password is the same as the keystore password
- Key alias: tomcat
- If you are using Windows Command Prompt, make sure to run it as Administrator.
- Default Integration Framework Xcellerator path: C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\webapps\B1iXcellerator

© 2019 SAP SE or an SAP affiliate company. All rights reserved 4 of 8 2019-09-27 2019275
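
An added example, not part of the SAP note: a Python pre-flight check that the openssl.cfg edits from step 1 are active and that [ alt_names ] matches the value that will go into the app's Server field and the CN in step 2.4. The sample configuration, the address 192.0.2.10 and the helper names parse_cfg and check_cfg are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of the step 1 edits; 192.0.2.10 is a placeholder address.
SAMPLE_CFG = """\
[ CA_default ]
copy_extensions = copy

[ v3_ca ]
# subjectAltName=email:copy
subjectAltName=@alt_names
extendedKeyUsage = serverAuth

[ alt_names ]
IP.1=192.0.2.10
"""

def parse_cfg(text):
    """Return {section: {key: value}}; '#' comments and global keys are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_cfg(text, server):
    """List what is wrong for `server` (the app's Server field, without port)."""
    cfg, problems = parse_cfg(text), []
    if cfg.get("CA_default", {}).get("copy_extensions") != "copy":
        problems.append("[ CA_default ] copy_extensions = copy is not active")
    v3 = cfg.get("v3_ca", {})
    if v3.get("subjectAltName") != "@alt_names":
        problems.append("[ v3_ca ] subjectAltName=@alt_names is not active")
    if "serverAuth" not in re.split(r"\s*,\s*", v3.get("extendedKeyUsage", "")):
        problems.append("[ v3_ca ] extendedKeyUsage = serverAuth is not active")
    try:  # An IP address needs an IP.n entry, a host name needs DNS.n.
        ipaddress.ip_address(server)
        kind = "IP"
    except ValueError:
        kind = "DNS"
    names = {v.lower() for k, v in cfg.get("alt_names", {}).items() if k.startswith(kind + ".")}
    if server.lower() not in names:
        problems.append(f"[ alt_names ] has no {kind}.n entry for {server}")
    return problems
```

To check a real installation, read the file named in OPENSSL_CONF and pass its text to check_cfg together with the server address; an empty list means the edits are in place.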