SAP Business One on Hana Mail service setup for Gmail

In SAP Business One Job Services, you set up a Gmail account and click Test. If you receive the error “PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path”, perform the following steps on the Job Service’s Linux machine:

1. Run the command: “openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp -state”. The result will be similar to the following:

[Screenshot: output of the command, with the two certificates marked in red]

2. Create two empty files and copy the two certificates (the red part in the screenshot above) from the step 1 output into them, one per file. Each copy must include the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines. Save the first certificate as gmailsmtp.cer and the second as googleca.cer. You can test whether both certificates were created correctly by double-clicking googleca.cer in an MS Windows environment. Click Install Certificate → Next, select Place all certificates in the following store and choose Trusted Root Certification Authorities → Next → Finish.

Double-click gmailsmtp.cer and check that this certificate is correct. If the file is correct, it should open as follows:

[Screenshot: gmailsmtp.cer opened in the Windows certificate viewer]

3. Back up the file /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/lib/security/cacerts with the command: “cp /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/lib/security/cacerts /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/lib/security/cacerts.bak”

4. Under the path /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/bin/ run the commands: “./keytool -keystore ../lib/security/cacerts -importcert -alias googleca -file /home/googleca.cer” and “./keytool -keystore ../lib/security/cacerts -importcert -alias gmailsmtp -file /home/gmailsmtp.cer”.

  • /home/googleca.cer and /home/gmailsmtp.cer are the certificates you saved in step 2.
  • The default keytool path is: /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/bin/
  • The default cacerts path is: /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/lib/security/cacerts
  • googleca and gmailsmtp are the names (aliases) under which the certificates are imported as trusted CAs.

When you run each command, you are prompted for the keystore password. The default password is changeit. After you enter the password, keytool asks whether you want to import (trust) this certificate; enter “y” to continue.

5. Run: “./keytool -list -v -keystore ../lib/security/cacerts|grep googleca” and “./keytool -list -v -keystore ../lib/security/cacerts|grep gmailsmtp” to verify that step 4 succeeded and both certificates are now imported as trusted CAs.

6. Restart Server Tools and try to connect with Gmail again.
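
Steps 1 and 2 can be done without copying text by hand. The following is an added example, not part of the original post: a shell function that splits the “openssl s_client -showcerts” output into one file per certificate. The function name split_chain, the extraN.cer fallback name and the sample input are assumptions made for this example; the sample input is constructed and does not contain real certificates.

```shell
#!/bin/sh
# Added example: split "openssl s_client -showcerts" output into certificate files.

# split_chain OUTDIR NAME...
# Reads s_client output on stdin. The Nth PEM block is written to OUTDIR/<Nth NAME>;
# blocks beyond the given names go to OUTDIR/extraN.cer. Prints the number written.
split_chain() {
    outdir=$1; shift
    awk -v dir="$outdir" -v names="$*" '
        BEGIN { n = split(names, name, " "); i = 0 }
        /^-----BEGIN CERTIFICATE-----$/ {
            i++
            file = dir "/" (i <= n ? name[i] : "extra" i ".cer")
            incert = 1
        }
        incert { print > file }          # only lines inside a PEM block are kept
        /^-----END CERTIFICATE-----$/ { incert = 0; close(file) }
        END { print i }
    '
}

# Constructed sample of s_client output (placeholder bodies, not real certificates).
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.gmail.com
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY0000
-----END CERTIFICATE-----
 1 s:CN = constructed issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDCABODY000000
-----END CERTIFICATE-----
---
Server certificate
EOF
}

demo_dir=$(mktemp -d)
count=$(sample_output | split_chain "$demo_dir" gmailsmtp.cer googleca.cer)
echo "wrote $count certificates to $demo_dir"

# Live use on the Job Service machine (command from step 1):
#   openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp </dev/null \
#     | split_chain /home gmailsmtp.cer googleca.cer
# Inspect each file before importing it in step 4:
#   openssl x509 -in /home/googleca.cer -noout -subject -issuer -fingerprint -sha256
```

Check the subject, issuer and SHA-256 fingerprint of each file before running the keytool import, because anything added to cacerts is trusted by every Java process that uses that JVM.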