All about Tenant Certificate renewal in SAP Cloud for Customer
In this blog-post, you will understand the activities involved in the renewal of a Tenant Certificate and how to get notified in advance about the expiry of the tenant certificate,
The tenant certificate is used to authenticate a call from a Tenant(Cloud for Customer client) to a Server(CPI/PI).
The tenant certificate is renewed once per year. This is a standard renewal process and cannot be disabled.
Where can I find my tenant certificate?
Tenant Certificate can be viewed/downloaded from the below path in Cloud for Customer tenant.
- Work center: Administrator
- Workcenter View: Common Tasks
- Click on Edit Certificate Trust List
- On the right-hand side, click on “View tenant Certificate
- Work center: Administrator
- Workcenter View: General Settings
- Click on Communication Arrangements
- Open any Outbound communication arrangement
- Click on View All
- Go to Technica data facet
- Under Outbound Communications: Basic Settings, On Certificate field, make sure that you have set it to “SAP Business ByDesign System Key Pair”
- Click on download
- Save it locally
How can I check the validity of the certificate?
Administrator WC=> Common Tasks => Edit Certificate Trust List => View Tenant Certificate
Note: You can notice that the messages from C4C to your external system start to fail with ‘Unathorized(401)’ errors if the validity of the certificate has expired already.
What actions should I have to perform to renew and after the renewal of the tenant certificate?
Actions need to be taken in C4C as well as the middleware(CPI). First, we will see what actions are required in C4C
You can notice that there is an option to renew the tenant certificate on the above image on the top right. You will be able to renew your tenant certificate by clicking on that button.
You can only renew the certificate if the validity will expire in the next 92 days.
Else you will get the error message
There are no other actions from the C4C side, now the certificate has to be uploaded to the middleware. In the case of CPI as middleware
If Client Certificate-based authentication is used in the Iflows , then the certificate needs to be uploaded into all the Iflows where C4C is the sender. You can open the Iflow and click on configure to update the sender channel configuration. You can select and upload the Certificate downloaded as a part of the above steps and deploy the Iflow.
- Go to Operations view of CPI
- Under “Manage Security”, Select the tile “Certificate-to-User Mappings”
- Select the Integration user of CPI
- Edit the mapping
- Upload the certificate from theabove steps
- Click on OK
That’s all the actions you need to take for completing the renewal process.
These actions have to perform on non-productive hours to avoid any unnecessary interruption in the data flow.
How can I get notified about the expiry of my tenant certificate?
To get a notification, first, you need to Scope the Business Task Management in the below path
In the next step, scope the question
Do you want to use e-mail to notify business users about Business Task Management items?
Once the above question is scoped and activated, Open the Fine tuning activity
“Business Task Management for User and Access Management”
Check the below tasks and “Save and Close” the Activity.
If you wish to receive an email for the same, you have to manually subscribe to this notification using the above-highlighted “Subscribe to Email” action.
SAP has a background job that keeps a check on the validity period of the tenant certificate. This job runs at the start of every month and if the tenant certificate is going to expire in the next 60 days, it will automatically renew the certificate and triggers the notifications with the subject ‘Tenant Certificate has been renewed’.
If the expiration date is between 60-90 days from the job’s run date, then it will trigger the notification with the following subject: ‘Tenant Certificate is going to expire soon’. The reason for the second notification is to inform the customer that the certificate will be renewed in the next run.
Kindly note that you will not receive any mails to IT contacts from SAP operations team for the expiry.
I hope this blog provides all the information required wrt the Tenant certificate renewal process and actions that need to be taken for uninterrupted message processing