SAP HANA Cloud Integration (PI) Server Certificate to be Re-issued from the Baltimore Certification Authority (CA)
Blog posted : December 4, 2015
Upgrade Date : February 07, 2016, between 04:00 and 06:00 a.m. CET
Status : Released to customer/partners
Action : Important preparation necessary for business continuity post upgrade
Applicable for: Customers using SAP HANA Cloud Integration (Process Integration) whose application is running on the European data center and who are currently using a server certificate other than the Baltimore CA Certificate.
Not applicable for: Customers using SAP HANA Cloud Integration – Data Services.
Effective February 07, 2016, the SAP HANA Cloud Integration server will replace its SSL certificate.
Reasons for the SAP HCI (PI) Server Certificate Replacement:
- Intermediate CA and server certificates will use a more secure signing algorithm (SHA-2).
- The current GTE CyberTrust Root Certificate will expire in February 2016.
- The Root Certification Authority will change from GTE CyberTrust to Baltimore CA in order to stay current with industry-wide security best practices for trusted root certificates, which now use a stronger key length and hashing algorithm.
-> This necessitates an exchange of the SAP HCI server root certificate by all SAP HCI (PI) customers on the European data center who use a server certificate other than the Baltimore CA Certificate.
Please follow the step-by-step instructions prior to February 07, 2016, 04:00 a.m. to ensure uninterrupted communication between all the Cloud and on-premise systems that access HCI, for example the SAP Cloud for Customer integration with PI/ERP/CRM/BW and other third-party systems.
You can download the certificate from here: https://www.sme.sap.com/irj/sme/solutions?rid=/library/uuid/d0097732-7100-3310-e89f-b04ac42fea0d
If you have connected SAP HCI (PI) with a Cloud system
1. Check if your Cloud application has the Baltimore certificate.
a. Login to your Cloud application, for example, SAP Cloud for Customer.
b. Check if the Baltimore CyberTrust Root is listed among the trusted root certificates. Example: In the SAP Cloud for Customer application -> Administrator work center -> Edit Certificate Trust List view. Look for the entry Baltimore CyberTrust Root.
2. If not, then download the Baltimore CA Certificate (link above).
3. Next, import this certificate.
a. Double-click on the downloaded certificate.
b. Upload the certificate into your Cloud application’s certificate trust list.
Example: In the SAP Cloud for Customer application -> Administrator work center -> Edit Certificate Trust List view -> click Upload -> choose the downloaded certificate -> click Add.
-> Check that the Baltimore CyberTrust Root certificate was added successfully to the Certificate Trust List (as highlighted in the screenshot above).
Please note: SAP HCI recommends that customers trust only root certificates. If you are currently trusting intermediate certificates, we recommend reverting to root certificates only. No action is needed for the intermediate certificates.
If you have connected SAP HCI (PI) with an on-premise system
1. Download the Baltimore CA Certificate (link above).
2. Import the Baltimore CA certificate into the on-premise system’s trust store.
- For information on how to import a certificate into the trust store of an SAP on-premise system, see the documentation for SAP ERP, SAP CRM, and SAP BW. The CA certificate should be imported into the Anonymous PSE for basic authentication, and into the Client PSE (which is used by SM59 destinations and SOAMANAGER) for certificate-based authentication. An ICM restart may be needed depending on your NetWeaver BASIS release.
Further information on this subject can be found in the SAP HCI Security How-to Guide at https://scn.sap.com/docs/DOC-68553 (see section Creating Certificates in SAP GUI).
- For SAP NetWeaver PI, you must import the certificate into the Java Key Store and then restart the SSL Provider service in NetWeaver Administration (NWA). To restart the SSL Provider in NWA, follow the path Operations -> Systems -> Start & Stop, click Java Services -> SSL Provider -> Restart.
Further information on this subject can be found in Roberto Viana’s SCN blog at http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/01/06/how-to-load-keys-and-certificates-in-sap-pi-sap-po-key-storage
For any questions or concerns, please create a support incident in the incident management system for your application. For example, if you connect to HCI from an SAP Cloud for Customer system, please create a BCP incident in the SAP Cloud for Customer system or call the support hotline. We are with you in every step towards more secure Cloud communication.
Frequently Asked Questions
Q: Even after the HCI upgrade, why does the HCI Web UI content catalogue page still show SHA-1 for the Baltimore CyberTrust Root certificate?
A: SHA-1 signatures on root certificates are not a problem, because clients trust a root certificate by its identity (it is installed in the trust list), rather than by verifying the signature over its hash. Therefore only the intermediate certificates and the server's own certificate are changed to the more secure SHA-2.
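As an added example (not code from the original blog or from SAP), the following standard-library Go program builds a constructed three-level chain with placeholder CA names and a placeholder endpoint name (hci.example.test) and shows the two checks behind this advisory: a client trust list that still holds only the old root rejects a server chain issued under the new root, a trust list holding both roots accepts it, and the SHA-2 check is applied to the server and intermediate certificates only, never to the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const host = "hci.example.test" // constructed endpoint name, not a real SAP host

// newCert issues a constructed certificate for cn, signed by parent (self-signed when parent is nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // server certificate: no CA key usage, valid for the endpoint name only
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above; parsing cannot fail
	return cert, key
}

// ChainTrusted mimics the client side: the server presents leaf and intermediate, the trust list holds roots only.
func ChainTrusted(leaf, inter *x509.Certificate, trustList *x509.CertPool) bool {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustList, Intermediates: inters, DNSName: host})
	return err == nil
}

// SHA2Signed reports whether c carries a SHA-2 signature; apply it to server and intermediate certificates only.
func SHA2Signed(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		return true
	}
	return false
}
```

Keeping both roots in the trust list, as the FAQ below recommends, is what makes the chain verify both before and after the server switch.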
Q: Will this upgrade result in any downtime?
A: Yes, a short downtime of 5-10 minutes is expected during the certificate switch on the server. The switch will be executed on February 7 during the regular maintenance window between 04:00 and 06:00 a.m. CET.
Q: What tests should I perform to ensure that I have completed all activities correctly?
A: As described in the step-by-step guide, you need to make sure that the 'Baltimore CyberTrust Root' certificate is added to your certificate trust list. Further tests are not required before the switch date. Once the new certificate is active on the SAP HCI server (on February 7, after the maintenance window), all scenarios should continue to run. In addition, you might want to perform an additional test, e.g. run the C4C end-to-end connectivity report. If that works fine, your update has been done correctly.
Q: We use PI for inbound communication and have also integrated it with HCI. Is any action necessary in my PI system?
A: Yes, please import the Baltimore certificate into the Java Key Store (Trusted CAs key storage view) and restart the SSL Provider service.
Q: I have connected an SAP Cloud application with a non-SAP system using HCI. What actions apply to me?
A: Ensure that the Baltimore certificate is trusted in both the SAP Cloud application and the non-SAP application.
Q: Where can I download the latest CA certificate?
A: You can download the certificate from here: https://www.sme.sap.com/irj/sme/solutions?rid=/library/uuid/d0097732-7100-3310-e89f-b04ac42fea0d
Q: Now that the Baltimore CA is trusted, can I remove the GTE CA from my trust store?
A: The new certificate will be used only on or after the upgrade date. We recommend that you retain both the GTE and the Baltimore certificate until the migration is complete, and for four weeks afterwards, to ensure business connectivity remains smooth.
Q: I am an ISV partner and am consuming SAP Cloud for Customer APIs. Do I have to do anything?
A: Yes, please add the Baltimore CyberTrust CA certificate to the trust store of all partner applications that consume these APIs.
Q: Do these certificate changes also apply to HCI (DS)?
A: No, the HCI (DS) server is not impacted. In fact, HCI (DS) is already using the latest SHA-2 certificates, so no updates are required.