SHA-2 migration: How to upload new Baltimore Root ...

marcus_echter · ‎09-30-2015

Hi all,

as you know we have replaced our OD Webdispatcher certificate to offer enhanced encryption standard SHA-2. For our integration scenarios to still work you need to upload the new Baltimore Root certificate into the customer’s NW PI trust store (in case PI is used). This was briefly described in a mail to our C4C customers. I wanted to share a very good SCN blog I found which describes how to upload a new trusted CA certificate into the PI keystore:

http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/01/06/how-to-load-keys-and-certificates...

Please note that this knowledge should be available with the customer’s basis consultants.

One important step which is missing in above documentation and which we faced issues with some customers (if forgotten) is that you need to explicitly restart the system as well as the SSL provider so that the new settings are taken into account. This must be done via:

Operation Management-> Systems-> Start & Stop (System)
JAVA-EE Services> SSL Provider-> Restart (SSL Provider)

Please feel free to share this blog with our customers, consultants and/or partners.

Note: It is not necessary to upload the SHA-2 intermediate certificate into the PI trust store as our C4C Webdispatcher sends the whole certificate chain excluding root.

Thanks, Marcus

SHA-2 migration: How to upload new Baltimore Root certificate into NW PI keystore

SAP Cloud for Customer Integration with ERP and CRM: How-to Guides and E-Learning

SAP Hybris Cloud for Customer - All About Integration (No Longer Updated)

Tips and Tricks - Troubleshooting CRM (Interaction Center)