
A few days back, some SCN members reported an issue related to the expiration date of the SAProuter certificate, i.e. 18/07/2015.

For this issue, SAP recently introduced a new Root Authority Certification process for customers using SNC connections between SAP and their end.

The purpose of this document is just to make members aware of the updated SAProuter certificate authority method.

Referred SAP Note : 2131531 – New Root Certification Authority for saprouter certificates

With the implementation of the new Root Authority Certification, SAP customers need to follow some software changes as well as process changes at their end.

With effect from 15/04/2015, all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. To obtain the new SAProuter CA, customers can navigate to https://support.sap.com/support-programs-services/services/trust-center/download/root-certificates.html (requires a valid S-User ID to download).

Note: Certificates obtained before 15/04/2015 will no longer be supported by SAP.

Timeline

4/15/2015 11:00 AM CET: switch to new SAProuter Root CA for certification requests; SAProuter certificates obtained before 04/15/2015 can still be used.

7/18/2015 11:00 AM CET: switch sapservX to use PSEs signed by new SAProuter CA; SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP.

Mandatory steps if the SAProuter certificate is applied for after 18/07/2015

Customers using SNC network connections must:

  • Use the latest SAProuter version.
  • Use the latest SAPCrypto Library.
  • Use a PSE with key size 2048.
  • Import the old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015).

For a more detailed description, customers can go to the SAP page at https://support.sap.com/remote-support/help/installing-saprouter.html (with a valid S-User ID).

Hope you guys will find this as a helpful document & get the useful information as well.

Updates if any are highly appreciated at my end.

Issue occurred: hostname NiHLGetNodeAddr unknown

Resolution: After successfully setting up the new root certificate method, customers or users may experience the above issue and find similar error/failure entries (hostname NiHLGetNodeAddr unknown) in the dev_rout file during remote connections with a SAProuter string, if they are using the latest SAP GUI release 740. To overcome the issue you can follow the related SAP Notes:

  • 2077230 – SAP Logon (Pad) 740: missing SAPRouter string for system entry and error “hostname ‘NiHLGetNodeAddr’ unknown”
  • 2035293 – known and open issues of SAP GUI for Windows.

Or, as a workaround, it is best to use a lower SAP GUI version, i.e. 730.

Stay tuned !!

Gaurav Rana


24 Comments


      1. Gaurav Rana Post author

        Hi ,

        Hope you are doing good !!

        I just checked the thread & saw your issue of still getting the same dates. But I would suggest you kindly follow the statement below

        Effective 07/18/2015 11:00 AM CET:

        Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.

        from the note  2131531 – New Root Certification Authority for saprouter certificates

        Hope you’ll get your answer from the above statement.

        Good luck !!

        (0) 
  1. Emili Delgado

    Hi Gaurav,

    We have tried to install new certificate but we ran into the step from SAP Note OSS 2131531

    • Import old SAProuter Root CA (this step is important and necessary to
      establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

    Where can I find “old SAProuter Root CA” and what commands should I use to import it?

    Thanks in advance

    Best Regards

    Emili Delgado

    (0) 
  2. Emili Delgado

    Hi Gaurav,

    Sorry, I think the SAP Note OSS is a little bit ambiguous. It is not clear that the SAProuter CA attached is the old one. I could see this is quite clear in the link Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

    • From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

    The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

    Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

    sapgenpse maintain_pk -a smprootca.der -p local.pse

    This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

    Sorry and best regards!!!

    (0) 
    1. Siddhesh Ghag

      Hello Emili,

      The note isn’t ambiguous but the blog seems to start with the following:

      Few days back some of SCN members reported the issue related with expiration date of SAP Router certificate i.e on 18/07/2015.

      To overcome the issue SAP recently introduced New Root Authority Certification process for customers using SNC connections.

      between SAP and at their end.

      Which may not be true, from what I can see SAP is upgrading its security by switching to  a higher grade encryption which makes it mandatory for customers to use a PSE that uses a key size of 2048.

      In the note, SAP simply states the following:

      1. SAP is implementing a new Root Certification Authority 15 April 2015 11:00 CET onwards.
      2. SAP will continue to keep the OLD Root Certification Authority alive till 18th July 2015 10:59 CET, however it will NOT issue any new certificates from this OLD Root Certification Authority
      3. Hence, between 15th April 2015 11:00 CET and 18th July 2015 10:59 CET, since both OLD and NEW Root Certification Authority Servers are alive, customers with old certificates and new certificates will be supported.
      4. After 18th July 2015 11:00 CET , the OLD Root Certification Authority will be Shutdown and certificates issued by OLD Root CA will no longer be valid.

      So in a nutshell, if you are requesting a certificate after 15th April 2015 11:00 CET, you will be provided client certificate that will be generated by the NEW ROOT CA, hence you will need to install the root certificates of the new ROOT CA in order to build the certificate chain and for your SNC to work.

      SAP is essentially giving you advance warning and time to replace your old certificates with new ones.

      Regards,

      Siddhesh

      (0) 
  3. Emili Delgado

    Hi Siddhesh,

    Thanks for your further explanation. What I mean, because I have been doing this task a lot of times, is that the certificate attached to the note seems to be the new one (at least for me). And in the link it is quite clear that the SMP Root CA certificate is the old one. In the link, SAP states:

    This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

    So, from 15th April 2015 11:00 CET until 18th July 2015 10:59 CET you need old Root Certificate imported in your PSE

    I have just applied the instructions in my installation and everything works fine.

    Regards.

    (0) 
    1. Siddhesh Ghag

      Hello Emili,

      According to me, the root certificate attached in the note is OLD SMP Root CA(since it doesn’t have the entry which belongs to the NEW SMP Root CA which is:  O=SAP Trust Community II ).

      Regards,

      Siddhesh

      (0) 
  4. Gaurav Rana Post author

    Hi Siddhesh,

    Thanks for the comments

    The note isn’t ambiguous but the blog seems to start with the following:

    Which may not be true

    Blog created just to highlight symptom & to aware members which i & 

    The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 .

    & please read the purpose of blog as well

    Purpose of the document is just to aware the members about the updated new SAP Router certificate Authority method

    And yes of-course SAP is essentially giving you advance warning and time to replace your old certificates with new ones.

    Regards,

    (0) 
    1. Siddhesh Ghag

      Hello Gaurav,

      No offence meant, but can you edit the blog and update it that SAP isn’t fixing any issue by issuing the note.

      In my opinion, the SAP Note itself is pretty clear.

      Regards,

      Siddhesh

      (0) 
      1. Gaurav Rana Post author

        Hi,

        Yes, I agree with you & with the statement

        SAP isn’t fixing any issue by issuing the note

        & have done some minor changes in this blog as well. Hope you & others will find it relevant now.

        Thanks for the corrections. 🙂

        (0) 
  5. Emili Delgado

    Hello Gaurav,

    Many thanks for your blog, as per your expertise and topic in this blog I thought you could help me, at the end it was not necessary, just following the link, sorry for that.

    Hello Siddhesh,

    When I was reviewing my previous SAP Router Certificate I could see the issuer was CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE as per the note, so if I see CN=SMP Root CA in the certificate attached to the note how can I know if it is the new root or the old one?

    Obviously If you read books and books of SAP Router certificates, blogs and so on, everything it is quite clear, but not in the note, you should read definition of ambiguous

    Best Regards.

    (0) 
    1. Siddhesh Ghag

      Hello Emili,

      I can see why the confusion is, to clear my confusion, I will look at the issue start date, the start date is very old (year 2000), so its found to be old.

      The new CA will have an issue date of 2015.

      Regards,

      Siddhesh

      (0) 
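Added example (not part of the original post or of SAP's tooling): the check described in the comments above, old root versus new root, written as a script. It assumes the root certificate is a DER file readable by the `openssl` command-line tool; the function names and the sample strings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Heuristics taken from the comments above: the new root carries
# O=SAP Trust Community II and was issued in 2015; the old one dates from 2000.

# Constructed sample outputs (not real SAP certificate data).
SAMPLE_OLD='subject=CN=SMP Root CA
notBefore=Jan  1 00:00:00 2000 GMT'
SAMPLE_NEW='subject=CN=Constructed Root CA,O=SAP Trust Community II,C=DE
notBefore=Apr 15 00:00:00 2015 GMT'

# classify_root TEXT -> prints "new", "old" or "unknown".
# TEXT is the output of: openssl x509 -noout -subject -startdate -nameopt RFC2253
classify_root() {
    local text=$1 subject year
    subject=$(printf '%s\n' "$text" | sed -n 's/^subject=[[:space:]]*//p')
    # "notBefore=Apr 15 00:00:00 2015 GMT": the year is the 4th field.
    year=$(printf '%s\n' "$text" | sed -n 's/^notBefore=//p' | awk '{print $4}')
    case "$year" in
        ''|*[!0-9]*) echo unknown; return 1 ;;   # no parsable start date
    esac
    if printf '%s\n' "$subject" | grep -Eq '(^|,)O=SAP Trust Community II(,|$)'; then
        # Organisation marker present: the start date must agree with it.
        if [ "$year" -ge 2015 ]; then echo new; else echo unknown; fi
    elif [ "$year" -lt 2015 ]; then
        echo old
    else
        echo unknown    # recent certificate without the expected organisation
    fi
}

# inspect_root FILE.der -> prints the identifying fields, then the verdict.
inspect_root() {
    local out
    out=$(openssl x509 -inform DER -in "$1" -noout \
            -subject -startdate -fingerprint -sha256 -nameopt RFC2253) || return 2
    printf '%s\n' "$out"
    classify_root "$out"
}

# When called with a file argument, inspect that certificate.
if [ "$#" -gt 0 ]; then
    inspect_root "$1"
fi
```

Running it against the file before `sapgenpse maintain_pk -a` shows which root is about to be added as trusted; an "unknown" verdict means the two signals disagree and the file should not be imported until its origin is confirmed.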
  6. Emili Delgado

    Hi Siddhesh,

    I fully agree with you. I saw the certificate more in detail just before and someone a little bit clever (not too much) might deduce that. ;  ), but deducing is not a self-explained reading, is it? It would be worth having the SAP Note OSS with explicit comments, but this is only my opinion.

    Best Regards

    (0) 
  7. Gaurav Rana Post author

    Hi Emili/Siddhesh,

    I appreciate you & your comments on the blog; each & every comment on the blog is an addition to make this information best for other members in future.

    The blog was created during the time when I faced the expiration of the router at a specific date, i.e. on 07/18/15. To overcome the issue I too searched a lot on SCN as well as on the Support portal but failed to achieve the required results and at last found it’s a known issue at SAP's end.

    SAP Router – certificate expiration date (problem) )

    Still i’m in process to make this blog more informative & will update it soon with the latest available information in regards at my end.

    Stay Tuned !!

    (0) 
    1. Gaurav Rana Post author

      Hi Arul,

      Thanks for the comment.

      From SAP Note   2131531 – New Root Certification Authority for saprouter certificates

      Please follow below as mandatory steps

      If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:

      • Use latest Common Crypto Library
      • Use a PSE with a key size of 2048
      • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

      Best would be to use the latest CC library & a PSE key with size 2048. In addition you need to

      Generate the certificate request with the command:

      sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "<Distinguished Name>"

      &

      Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE. 

      sapgenpse maintain_pk -a smprootca.der -p local.pse

      In my opinion try to have a newest version for successful implementations by referring steps at Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

      Good luck !!

      (0) 
