New Root Certification Authority for saprouter certificates (SAP Router Certificate expiration 18/07/2015)
A few days ago some SCN members reported an issue related to the expiration date of the SAP Router certificate, i.e. 18/07/2015.
In this connection, SAP recently introduced a new Root Certification Authority process for customers using SNC connections between SAP and their own site.
The purpose of this document is simply to make members aware of the new SAP Router certificate authority method.
Reference SAP Note: 2131531 – New Root Certification Authority for saprouter certificates
With the implementation of the new Root Certification Authority, SAP customers need to make some software changes as well as process changes at their end.
With effect from 15/04/2015, all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. To obtain the new SAProuter CA, customers can go to https://support.sap.com/support-programs-services/services/trust-center/download/root-certificates.html
(requires a valid S-User ID to download).
Note: Certificates obtained before 15/04/2015 will no longer be supported by SAP.
Timeline
- 4/15/2015 11:00 AM CET: switch to the new SAProuter Root CA for certification requests. SAProuter certificates obtained before 04/15/2015 can still be used.
- 7/18/2015 11:00 AM CET: sapservX switches to PSEs signed by the new SAProuter CA. SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP.
Mandatory steps if the SAProuter certificate is applied after 18/07/2015
Customers using SNC network connections must:
- Use the latest SAProuter version.
- Use the latest SAPCrypto library.
- Use a PSE with key size 2048.
- Import the old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015).
For a more detailed description, see the SAP page at https://support.sap.com/remote-support/help/installing-saprouter.html
(requires a valid S-User ID).
I hope you find this document helpful and informative.
Any updates are highly appreciated.
Issue occurred: hostname NiHLGetNoteAddr unknown
Resolution: After a successful setup of the new root certificate method, users may experience the above issue and find similar error entries (hostname NiHLGetNoteAddr unknown) in the dev_rout file during remote connections with a SAProuter string if they use the latest SAP GUI release, 740. To overcome the issue, follow the related SAP Note
2035293 – Known and open issues of SAP GUI for Windows,
or use a lower SAP GUI version, i.e. 730, as a workaround.
Stay tuned !!
Gaurav Rana
Hi Samid / Arménio Teles,
You could follow this document & the SAP Note 2131531 - New Root Certification Authority for saprouter certificates in response to your issue under SAP Router - certificate expiration date (problem) of expiration of SAPRouter certificate.
Hope this will help you & others too.
Regards,
Gaurav
Hi Gaurav 🙂
Thank you very much for this! I already checked this blog and the sap note 2131531 - New Root Certification Authority for saprouter certificates but unfortunately I still have the same situation/problem. I will update the thread that I created SAP Router - certificate expiration date (problem) with more information about it.
Once again thank you.
Samid Raif
Hi Arménio Teles,
Hope you are doing good !!
I just checked the thread & saw your issue of still getting same dates. But I would suggest you to kindly follow the below statement
from the note 2131531 - New Root Certification Authority for saprouter certificates
Hope you'll get your answer from the above statement.
Good luck !!
Hi Gaurav,
We have tried to install new certificate but we ran into the step from SAP Note OSS 2131531
establish the trust with the sapservX SAProuter at SAP until 07/18/2015)
Where can I find "old SAProuter Root CA" and what commands should I use to import it?
Thanks in advance
Best Regards
Emili Delgado
Hi Gaurav,
Sorry, I think SAP Note OSS is a little bit ambiguous. It is not clear that the SAProuter CA attached is the old one. I could see this is quite clear in the link Installing the sapcrypto library and starting the SAProuter | SAP Support Portal
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
sapgenpse maintain_pk -a smprootca.der -p local.pse
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
Sorry and best regards!!!
Hello Emili,
The note isn't ambiguous but the blog seems to start with the following:
Which may not be true, from what I can see SAP is upgrading its security by switching to a higher grade encryption which makes it mandatory for customers to use a PSE that uses a key size of 2048.
In the note, SAP simply states the following:
So in a nutshell, if you are requesting a certificate after 15th April 2015 11:00 CET, you will be provided client certificate that will be generated by the NEW ROOT CA, hence you will need to install the root certificates of the new ROOT CA in order to build the certificate chain and for your SNC to work.
SAP is essentially giving you advance warning and time to replace your old certificates with new ones.
Regards,
Siddhesh
Thank you, you saved my day 🙂
Hi Siddhesh,
Thanks for your further explanation. What I mean, because I had been doing this task a lot of times, is that the certificate attached to the note seems to be the new one (at least for me). And in the link it is quite clear that SMP Root CA certificate is the old one. In the link, SAP states:
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
So, from 15th April 2015 11:00 CET until 18th July 2015 10:59 CET you need old Root Certificate imported in your PSE
I have just applied the instructions in my installation and everything works fine.
Regards.
Hello Emili,
According to me, the root certificate attached in the note is OLD SMP Root CA (since it doesn't have the entry which belongs to the NEW SMP Root CA which is: O=SAP Trust Community II).
Regards,
Siddhesh
Hi Siddhesh,
Thanks for the comments
The blog was created just to highlight the symptom & to make members aware of what I & Arménio Teles
faced, or what was even experienced by some other members as well
& please read the purpose of the blog as well
And yes of-course SAP is essentially giving you advance warning and time to replace your old certificates with new ones.
Regards,
Hello Gaurav,
No offence meant, but can you edit the blog and update it that SAP isn't fixing any issue by issuing the note.
In my opinion, the SAP Note itself is pretty clear.
Regards,
Siddhesh
Hi,
Yes, I agree with you & with the statement
& have done some minor changes in this blog as well. Hope you & others will find it relevant now.
Thanks for the corrections. 🙂
Hello Gaurav,
Many thanks for your blog, as per your expertise and topic in this blog I thought you could help me, at the end it was not necessary, just following the link, sorry for that.
Hello Siddhesh,
When I was reviewing my previous SAP Router Certificate I could see the issuer was CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE as per the note, so if I see CN=SMP Root CA in the certificate attached to the note how can I know if it is the new root or the old one?
Obviously if you read books and books of SAP Router certificates, blogs and so on, everything is quite clear, but not in the note; you should read the definition of ambiguous
Best Regards.
Hello Emili,
I can see why the confusion is. To clear my confusion, I will look at the issue start date; the start date is very old (year 2000), so it's found to be old.
The new CA will have an issue date of 2015.
Regards,
Siddhesh
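The two checks described in the comments above (the O= value of the CA and its issue year), combined with the blog's timeline, as an added example that is not part of the original post or thread and is not SAP code. The new-CA DNs and the 2015 date in the sample are constructed, and the DN and validity values are assumed to have been read from the certificate and the PSE beforehand.

```python
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))  # the post gives its cut-over times in CET
SAP_SWITCHES = datetime(2015, 7, 18, 11, 0, tzinfo=CET)  # sapservX moves to new-CA PSEs
NEW_ORG = "sap trust community ii"  # O= value the thread attributes to the new CA


def parse_dn(dn):
    """Split 'CN=x, OU=y, O=z' into a dict keyed by upper-case attribute name."""
    attrs = {}
    for part in dn.split(","):  # assumes no escaped commas inside values
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def ca_generation(dn, not_before=None):
    """Classify a CA as 'old' or 'new': O= value first, issue year as fallback."""
    if parse_dn(dn).get("O", "").lower() == NEW_ORG:
        return "new"
    if not_before is not None and not_before.year >= 2015:
        return "new"
    return "old"


def snc_findings(cert_issuer_dn, trusted_roots, when):
    """List the problems for an SNC connection to SAP at time `when`.

    trusted_roots: (subject_dn, not_before) pairs read from the PSE's PK list.
    """
    findings = []
    cert_gen = ca_generation(cert_issuer_dn)
    trusted = {ca_generation(dn, nb) for dn, nb in trusted_roots}
    if cert_gen == "old" and when >= SAP_SWITCHES:
        findings.append("certificate signed by old CA can no longer be used")
    if when < SAP_SWITCHES and "old" not in trusted:
        findings.append("old root CA missing from PSE")
    if (cert_gen == "new" or when >= SAP_SWITCHES) and "new" not in trusted:
        findings.append("new root CA missing from PSE")
    return findings


if __name__ == "__main__":
    # Constructed sample: new-CA certificate, PSE trusting only the new root.
    new_issuer = "CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE"
    roots = [("CN=Root CA, O=SAP Trust Community II, C=DE", datetime(2015, 1, 1))]
    print(snc_findings(new_issuer, roots, datetime(2015, 5, 1, tzinfo=CET)))
```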
Hi Siddhesh,
I fully agree with you. I saw the certificate more in detail just before and someone a little bit clever (not too much) might deduce that. ; ), but deducing is not a self-explained reading, is it? It should be worth it, SAP Note OSS with explicit comments, but this is only my opinion.
Best Regards
Hello Emili,
you are right 🙂
Regards,
Siddhesh
Hi Emili/Siddhesh,
I appreciate you & your comments on the blog; each & every comment on the blog is an addition to make this information best for other members in future.
The blog was created during the time when I faced expiration of the router at a specific date, i.e. on 07/18/15. To overcome the issue I too searched a lot on SCN as well as on the Support portal but failed to achieve the required results and at last found it's a known issue at SAP's end.
(SAP Router - certificate expiration date (problem))
Still I'm in the process of making this blog more informative & will update it soon with the latest available information in this regard at my end.
Stay Tuned !!
Hello Gaurav,
Someone wrote a new blog - check this New SAProuter CA: Clock is ticking time to act now
Yups, I just checked.
Thanks,
Hi ,
Do we need to install a fresh saprouter or just use the existing saprouter and apply the new certificate terminology? Thanks
The note stated, that you should install the newest version. So it depends on what version you are already using.
Hi Arul,
Thanks for the comment.
From SAP Note 2131531 - New Root Certification Authority for saprouter certificates
Please follow below as mandatory steps
Best would be to use the latest CC library & PSE key with size 2048. In addition you need to
Generate the certificate Request with the command:
&
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
sapgenpse maintain_pk -a smprootca.der -p local.pse
In my opinion try to have a newest version for successful implementations by referring steps at Installing the sapcrypto library and starting the SAProuter | SAP Support Portal
Good luck !!
Hi uwe ,
my saprouter version is 38.10
Hi gaurav,
Shall I apply the new certificate without installing a new version? Above is my version. Thanks
The newest one is 40.4 (the 7.42 kernel version)
Hello everyone,
I would like to know if anyone here knows if it is possible to configure in the solution manager an alert for the expiration date of the SAP router.
Best Regards,
Miguel