
22 November 2017

Root Certificate Authority change for all new Data Centers and certificates renewal

Please be informed that after 28 November 2017, certificates on all new SAP CP Data Centers and certificate renewals on the existing CP Data Centers will be issued by a new root CA issuer, DigiCert, according to Knowledge Base article .

Existing valid certificates will not be affected. However, all certificate renewals will be issued with the new DigiCert CA - "DigiCert Global Root CA"!

DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, so for browser scenarios there's nothing to do. The same is true if one relies on the standard sapjvm trust list. Please keep in mind that Chrome will stop accepting Symantec certificates after mid 2018, according to the Google Security Blog.

Please note that the new CA will be included in the upcoming release on 7 December 2017. After that, an application restart is required so that the application's trust store is updated.

If you use certificates for API calls (e.g. REST, OData, SOAP), please ensure that the new root CA certificate is included in all participating trust stores:

  • If you expose an API and have your own customer communication channel, inform all consumers (especially customers using on-premise clients) that they need to add the certificates to their trust store (SAP CP Core services operated by SAP CP ops will be informed centrally).
  • If you consume an API, please ensure that you add the certificates to your trust store.
  • If you use server certificate validation against SAP CP applications, please add the new DigiCert CA.

Please add the new DigiCert Root CA to all trust stores where the Symantec CA is currently included. Add the new DigiCert Intermediate CA as well if the previous Symantec intermediate CA was used (which is mandatory if the client does not send the intermediates). Keep the Symantec CA included as well.
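The rule above can be checked across many PEM trust stores with a short script. The following is an added example, not SAP code: the CA names are the ones given in the notices on this page, while the file names and sample store contents are constructed for illustration.

```python
import ssl

# CA names as given in the notices on this page (matched on subject commonName).
NEW_ROOT = "DigiCert Global Root CA"
OLD_CAS = {"VeriSign Universal Root Certification Authority",
           "Symantec Class 3 Secure Server SHA256 SSL CA"}

def common_name(cert):
    """Subject CN of a certificate dict in SSLContext.get_ca_certs() format."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def load_ca_certs(pem_path):
    """Read every CA certificate from a PEM bundle on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()

def audit(certs):
    """Apply the notice's rule to one trust store and name the action needed."""
    names = {common_name(c) for c in certs}
    has_old, has_new = bool(names & OLD_CAS), NEW_ROOT in names
    if has_old and has_new:
        return "ok"
    if has_old:
        return "add-digicert"   # renewed certificates will not validate
    if has_new:
        return "digicert-only"  # Symantec-issued certificates still in use will not validate
    return "not-in-scope"       # store holds neither CA named in the notices

def _ca(cn):
    # Constructed stand-in for one get_ca_certs() entry; only the subject is used.
    return {"subject": ((("organizationName", "constructed"),), (("commonName", cn),))}

# Constructed sample trust stores (file names are hypothetical).
SAMPLE_STORES = {
    "odata-client.pem": [_ca("VeriSign Universal Root Certification Authority")],
    "soap-gateway.pem": [_ca("Symantec Class 3 Secure Server SHA256 SSL CA"),
                         _ca(NEW_ROOT)],
    "internal-only.pem": [_ca("Example Internal Root (constructed)")],
}

def audit_all(stores):
    return {name: audit(certs) for name, certs in stores.items()}

if __name__ == "__main__":
    for name, action in audit_all(SAMPLE_STORES).items():
        print(f"{name}: {action}")
```

For a real store, pass `load_ca_certs(path)` to `audit`. Matching on the common name only locates candidates; confirm the certificate's fingerprint against the value published by the CA before trusting it.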

If you run SAP Cloud Connector, please update to the latest SAP JVM patch release.

Please refer to Knowledge Base article for complete information and new URLs for OCSP and CRL.

Impact:

If the DigiCert root CA is not added to the related trust store, remote API calls will fail with an authentication error. This can break running productive scenarios.

SAP Cloud Connector use case: If the SAP JVM installation is not upgraded and an expired certificate is renewed, or a connection to a subaccount residing in a new SAP CP Data Center is established, existing connections will no longer work and new ones will not be possible, because the trust store of the existing JVMs does not contain the new Root CA. Hence, plan an upgrade of the SAP JVM installation to at least patch level 8.1.035 or 7.1.054 so that business processes crossing the Cloud Connector continue working.

 

If you use the Cloud Foundry buildpack SAP-Java (sap_java_buildpack), please update to at least version 1.6.15 (released on 21 December 2017). After that, the application needs to be pushed again.

Update schedule:

Neo Environment: Please note that the new CA will be included in the upcoming release on 7 December 2017. After that, an application restart is required so that the application's trust store is updated.


The certificates with the new DigiCert CA ("DigiCert Global Root CA") will be applied to the following SAP CP Neo regions according to the schedule below: 

Cloud Foundry Environment: Please note that the certificates with the new DigiCert CA ("DigiCert Global Root CA") will be applied to all Cloud Foundry regions as follows:

Thank you for showing understanding and co-operation!

 _________________________________________________________________________________________________________________________________________________________

23 May 2017


Australia (Sydney) Region Certificate Authority Change 25 May 2017

Please note that the Certificate Authority for *.cert.ap1.hana.ondemand.com will be changed. 

The Root CA will be updated on 25 May 2017.

The issuer (root CA/first intermediate CA) of SAP CP certificates for all external servers will be changed from Baltimore/Verizon to VeriSign/Symantec. Existing valid certificates will not be affected.

Due to this change, you have to update your dev tools by 25 May 2017 to one of the latest versions that are compatible with the new Certificate Authority server certificates.

You can find the new Root CA public key links below:

VeriSign root CA (VeriSign Universal Root Certification Authority):

https://www.symantec.com/page.jsp%3Fid%3Droots

Symantec intermediate CA (Symantec Class 3 Secure Server SHA256 SSL CA):

https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO26896&pmv=print&actp=PRINT

If you use certificates for API calls (e.g. REST, OData, SOAP), please ensure that the new root CA certificate is included in all participating trust stores:

  • If you expose an API and have your own customer communication channel, inform all consumers (especially customers using on-premise clients) that they need to add the certificates to their trust store (SAP CP Core services operated by SAP Cloud Platform Core will be informed centrally).
  • If you consume an API, please ensure that you add the certificates to your trust store.
  • If you use server certificate validation during client certificate authentication against Cloud Platform applications, please switch to the new VeriSign CA.

All current browsers have the Symantec CA included in their trust lists, so for browser scenarios there’s nothing to do. The same is true if you rely on the standard sapjvm trust list.

Impact:

If VeriSign (and Symantec, if the intermediate is required) is not added to the related trust store, remote API calls will fail with an authentication error. This can break running productive scenarios.

Thank you for showing understanding and co-operation!

 
