Domain Certificate Renewal (*businessbydesign.cloud.sap) & (*sapbydesign.com)
The existing server certificate for the domains *businessbydesign.cloud.sap and *sapbydesign.com will be renewed, as it expires on 3rd December 2022.
You will be affected if either of the following scenarios applies to you:
- Your browser does not have DigiCert Certificates.
- You have an inbound/outbound communication integration with your ByD product.
If you have third-party integrations such as web services/APIs in your Business ByDesign tenant, you may be required to update the domain certificate. These updates should be carried out by your internal IT resources, using the new certificate information that can be found below.
Download new certificate
Below are the steps to download the new certificate:
- Click the download link. You will be redirected to the DigiCert website; there, ensure Combined Certificate Files is set as shown below.
- Click Download as shown below.
- A zip file named star_businessbydesign_cloud_sap_278466338 will be downloaded.
- Unzip this file to find the required certificate: star_businessbydesign_cloud_sap.crt.
1) What are these certificates used for?
These certificates are used for the SSL/TLS handshake that any system using the ‘secure’ protocol performs before allowing a connection to or from the system. In our case, SAP Business ByDesign uses the ‘secure’ HTTPS protocol, and hence the SSL handshake is a must for any system connecting to these URLs.
2) Are the new certificates known to modern web browsers?
DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, therefore for browser scenarios there is nothing to do. The same is true if one relies on the standard sapjvm trust list.
The CA root certificate is included in:
- SAP JVM patch level 8.1.035 or 7.1.054
- Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15
3) How do I download or install the certificate?
You must have admin access to the server where you need to install the certificate. If you do not have access to your company’s SSL server, notify your IT team and provide them the respective certificate download link from the above table.
4) How do I import a single certificate into the SAP CPI Key Store?
Follow the steps mentioned in the link.
5) How to check the certificate in my browser trust list?
Navigate to chrome://settings and scroll down to ‘Advanced’.
- Under “Privacy and Security,” click “Manage Certificates.”
- In the popup that opens, select “Trusted Root Certification Authorities”. The certificate will be displayed there.
6) How to import the certificate into my browser?
- Open the browser.
- Click Customize and control Google Chrome button in the upper right corner.
- Choose Settings. …
- Under Privacy and security section, click More. …
- Click Manage certificates. A new window will appear. …
- Choose Trusted Root Certification Authorities tab.
- Click Import. …
- In the opened window, click Next
7) I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?
Sometimes, due to a time zone difference, you may see a different date in the downloaded certificate. This has no impact on the certificate update activity. You will be renewing the certificate well in advance of the certificate expiry date.
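The date discrepancy from question 7, together with the check of which host names one certificate covers, as an added example (not SAP's code). The certificate dictionary is constructed in the shape of Python's ssl.SSLSocket.getpeercert() output; the "*." spelling of the SAN entries and the times of day are assumptions, and only the 3 December 2022 expiry date comes from this article.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
# Assumptions: the "*." SAN spelling and the times of day; only the
# 3 December 2022 expiry date is taken from the article.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "*.businessbydesign.cloud.sap"),
        ("DNS", "*.sapbydesign.com"),
    ),
    "notBefore": "Nov  2 00:00:00 2021 GMT",
    "notAfter": "Dec  3 23:59:59 2022 GMT",
}


def san_covers(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if any DNS entry in the certificate's SAN list covers hostname."""
    return any(kind == "DNS" and san_covers(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))


def validity_dates(cert: dict, utc_offset_hours: float = 0) -> tuple:
    """Calendar dates of notBefore/notAfter as seen at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return tuple(
        datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[field]), tz).date().isoformat()
        for field in ("notBefore", "notAfter"))


def seconds_until_expiry(cert: dict, now: datetime) -> int:
    """Remaining lifetime; compares absolute instants, so the viewer's zone is irrelevant."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) - int(now.timestamp())


if __name__ == "__main__":
    for host in ("myXXXXXX.sapbydesign.com", "a.b.sapbydesign.com"):
        print(host, hostname_covered(SAMPLE_CERT, host))
    for offset in (-8, 0, 9):
        print(f"UTC{offset:+d}", validity_dates(SAMPLE_CERT, offset))
```

The same expiry instant is shown as 3 December at UTC and UTC-8 but as 4 December at UTC+9, while the remaining lifetime is identical everywhere.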
Please do share feedback and your thoughts in the comment section below.
You can also refer to the SAP Business ByDesign environment Topic page (https://community.sap.com/topics/business-bydesign), post and answer questions (https://answers.sap.com/tags/01200615320800000691), and read other posts on the topic (https://blogs.sap.com/tags/01200615320800000691/).
Thank you for your information! I would like to ask you a question. How about this domain, "myXXXXXX.sapbydesign.com"? Do I need to do something for this old type of domain?
Thank you very much.
Hello Daichi Wakamatsu,
Thank you for raising the above question. Please note that action is required for the "myXXXXXX.sapbydesign.com" domain as well.
The blog has been updated accordingly, and we will mention the same in our communication for Production tenants as well.
Hi Hridesh Kumar,
I appreciate your quick response! Thank you so much.
Hi Hridesh Kumar again,
Excuse me for asking you many times, but can you tell me the following?
- Which certification should I download for "myXXXXXX.sapbydesign.com"? The certification on your link looks like it is only for "*businessbydesign.cloud.sap".
Hi Daichi Wakamatsu,
No problem, please feel free to raise any queries.
You need to download the same *businessbydesign.cloud.sap certificate.
As part of standard practice for SSL certificates, it is recommended to use the SAN extension, for which your existing sapbydesign.com domain certificate is incorporated with the *businessbydesign.cloud.sap domain certificate. This is part of the Multi Domain SSL Certificate feature.
Thank you so much!
Hi Hridesh Kumar,
A Web Service request from a 3rd-party system that didn't install the new certificate has run successfully in the test tenant.
I think it's because the authentication method for the Web Service is ID/Password instead of certificates.
So let me check the following.
Is this certificate update necessary for Web Services that use ID/Password?
Hello Ryosuke Ii,
Thank you for the above query. Ideally, certificate-based authentication is a more trusted way to achieve secured communication. Please check whether the authentication-based communication that is currently working without the certificate update is using http or https.
One of the most widely used methods of authentication is username and password. However, it is also one of the most targeted and vulnerable types of authentication due to how inconsistent it is depending on the user. Some users still use the same password for multiple accounts, which could result in several accounts being compromised once a hacker gains access to one.
In comparison to username and password, certificate-based authentication offers better security as it is issued by a Certificate Authority (CA) and uses asymmetric cryptography.
Certificate-based authentication also allows SSO authentication, so that you do not have to enter credentials manually. So it is recommended to always update the certificate to establish secured web service communication.
Thanks for the detailed blog. Very nice!
I had the same question as Ryosuke... From your response, I assume there's no action required if we use Username and Password for Web Service Authentication (although it is more vulnerable)?
It is using HTTPS and the Ping is successful in Test.
Hi Hridesh Kumar,
Sorry for the late reply.
I appreciate your detailed explanation.
Let me check again.
If we use User ID & Password for Web Service Authentication, do we need to handle this request?
Hi Hridesh Kumar,
I have the same question Ryosuke mentioned above. This change will be applied to the productive tenant soon. Please make it clear: "If we use User ID & Password for Web Service Authentication, do we need to handle this request?"
Thank you so much!
Hello Daichi Wakamatsu,
Basically, user name and password authentication also works and is considered the Basic authentication type. Security profile Medium or Low means authentication level Basic.
Basic authentication (user name and password)
Authenticates the user based on the user ID and password in the HTTP header.
This option is supported for HTTP and HTTPS.
The user is authenticated on the basis of the user name and the password in the document. (Document Authentication)
--> Whereas Security profile High means authentication level Strong
Strong authentication (X.509 Client Certificate)
Strong Authentication authenticates the user through mutual SSL authentication. An SSL client certificate must be provided for this.
Hope this helps!