Skip to Content

Background

With version 70 of the Chrome browser is due for release in the year 2018 (beta version in September 2018 and stable version in October 2018). This version of the Chrome browser will distrust any Symantec-issued certificates prior to December 1, 2017, or from their old PKI infrastructure. Therefore, we are renewing the existing certificates prior to their schedule so that their replacements can be issued prior to the version 70 release of the Chrome browser. Once distrusted, users will be prevented from loading the affected resources. See Distrust of the Symantec PKI: Immediate action needed by site operators for more information.

This knowledge article will be used to consolidate and publish all SSL certificates with the tentative deployment date and public certificate download links. This article also contains an FAQ section with relevant information on this topic. We highly recommend you to read the FAQ section before reporting any tickets.


Scope

You will be affected if either of the below scenarios are applicable to you:

  • Your Browsers does not have Digicert Certificates.
  • You have an inbound communication integration to your BYD product.

Impact

The SSL certificates for your below URLs are scheduled to be updated with new CA vendor

myXXXXXX.sapbyd.cn and myXXXXXX-sso.sapbyd.cn

Current CA Certificates:

VeriSign Class 3 Public Primary Certification Authority – G5

Symantec Class 3 Secure Server CA – G4

New CA Certificates:

DigiCert Global Root CA

DigiCert SHA2 Secure Server CA


Action for Customers/partners

If you consume any services under below mentioned URLs, please ensure that Digicert Root and Intermediate certificates are in the trust store of the calling client(Browser or System). You will be required to take this action on or before Friday – Aug 24th, 2018 (for non-production environment) and  Saturday – Sep 22nd,2018 (for production environment).

myXXXXXX.sapbyd.cn and myXXXXXX-sso.sapbyd.cn

We encourage you to bookmark this knowledge article. If you are not familiar with making the required changes, please notify your company’s internal IT department and request for the changes to be made as soon as possible.


Download new certificate

Below are two certificates which you can download directly from link DigiCert Certficate

  1. DigiCert Global Root CA
  2. DigiCert SHA2 Secure Server CA

Timelines

Certificate Common Name Environment Tentative Deployment Date
*.sapbyd.cn Non-production (Test) Aug-18
Production Sep-18

FAQ’s

What are these certificates used for?
These certificates are used for the SSL/TLS handshake that any system using the ‘secure’ protocol does before allowing connection to/from the system. In our case, SAP Business By Design uses the ‘secure’ HTTPS protocol and hence the SSL handshake is must for any system to connect to these URLs.

Are the new certificates known to modern web browsers?
DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, therefore for browser scenarios there’s nothing to do. The same is true if one relies on the standard sapjvm trust list.

The CA root certificate is included in:

•  SAP JVM patch level 8.1.035 or 7.1.054

•  Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15

How do I know if I am impacted by the certificate renewal?

You will be impacted by the certificate renewal activity, only if:

  • You are using our APIs and have some integration scenario setup for your instance.
  • You are using some middleware (E.g: SAP HCI/PI/Boomi) for integration setup.
  • The domain for which the certificate is being renewed is the same as the domain you are using to access/connect to your system.

How do I download or install the certificate?
You must have admin access to the server where you need to install the certificate. If you do not have access to your company’s SSL server, notify your IT team and provide them the respective certificate download link from the above table.

How to check the certificate in my browser trust list?

• Open Internet Explorer. • On the Tools menu, click Internet Options • Navigate to tab “content” • Click on Certificates button.

• And check in “Trusted root certification Authorities” list and you should find “DigiCert Global Root CA”.

• Similarly check in “Intermediate Certification Authorities” list and you should find “DigiCert SHA2 Secure Server CA”.

• If the certificate is not present, please proceed with steps mentioned under: “How to import certificate into my browser?”

How to import the certificate into my browser?

• Open Internet Explorer.

• On the Tools menu, click Internet Options.

• On the Security tab, click “Custom Level” to open the Security Settings dialog box.

• Under “Reset custom settings”, select Medium in the “Reset to” box. Click OK to close the Security Settings dialog box.

  Note: Certificates cannot be installed when the security setting is set to High.

• Navigate to tab “Content”

• Click on Certificates button.

• Go to tab “Trusted root certification Authorities” list and Import attached Digi Certificates using “Import” button at bottom.

• Ensure that “DigiCert Root and Intermediate” is added in the list.

What are the consequences if customer/partner doesn’t act on this?

Integrations to all the aforesaid are bound to break if the actions suggested are not taken on or before Aug 24, 2018(for non-production environment) and on or before Sep 22,2018(for production environment).

What if the customer/partner does not use any of the listed scenarios?(i.e.: Your browser have DigiCert certificates already in the trust store, No Inbound integration scenario to Business By Design)

Customer/Partner doesn’t have to take any action at their side.

I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?

Sometimes, due to time zone difference, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date.

Is this change disruptive?

Yes, the change is disruptive. However, the change schedule falls under SAP standard regular maintenance window.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply