Background

SAP Business ByDesign uses certificates issued by the SAP Passport Certificate Authority for authentication and encryption

As a part of our commitment to continuous improvement and to deliver industry standards in certificates issued and also with increasing user requirements for supporting higher signature algorithm (SHA256) certificates in our product SAP Business ByDesign, SAP plans to adapt its SAP Cloud Trust Center services including the SAP Passport Certificate Authority (CA) to the latest technology standards. Therefore, the SAP Passport CA certificate and all certificates issued by SAP Business ByDesign using this CA needs to be renewed

SAP will first start to migrate all your test tenants during the regular maintenance window

We emphasis you to take the chance to check after the migration of your test systems what needs to be done from your side and to perform the necessary changes there as well including some smoke test of related functionality. Please inform us in case you encounter problems within your test systems.

After a successful migration of all test tenants, SAP will migrate you productive tenants during the regular maintenance window

Are you affected?

Changes & Impact

Most steps required for the renewal will be taken by SAP for you. However, some steps might need your attention and action. Please find below an overview on how your tenants are affected and if any action is required from your side.

After the renewal managed by SAP, all existing tenant certificates provided and issued by your SAP ByDesign tenant will become invalid immediately and requires you to take an action immediately – please consider the dates provided for test and productive tenants.

All Passport CA certificates used for authentication within inbound communication or email encryption needs to be exchanged latest until November 30th, 2019 as they will not be accepted anymore by the new Passport CA after this date.

The following changes will be done by SAP in your SAP ByDesign tenant:

• A new SAP Passport CA certificate will be added to the certificate trust list of your SAP ByDesign tenant.


• SAP generates a new SAP ByDesign tenant certificate that replaces the existing tenant certificate (Also Known as: M-User certificate, client certificate)


• Certificates used for tenant operations and communication with SAP operational systems (like for example incident processing) will be renewed by SAP.

The following use cases require your action

After SAP has made the central changes as highlighted above, you might need to adjust e.g. communication arrangements, email configuration or other integration configuration. The below use-cases are affected.

You need to take an action when:

• You have a communication arrangement with an outbound communication with an external system and your communication arrangement uses the authentication method “SSL Client Certificate” with SAP Business ByDesign System Key Pair as certificate


• You have a communication arrangement providing an inbound communication service for an external system and if it uses the authentication method “SSL Client Certificate”


• You are using certificate-based e-mail encryption (S/MIME).


• You are a ByD partner and have an external service or application which has a certificate-based communication with ByDesign


• You are integrating any third-party application with ByDesign based on SSL Certificate authentication

Detailed description of necessary actions can be found in the following sections.

Outbound communication arrangements

Download the renewed tenant certificate, in case your communication arrangement uses the authentication method: “SSL Client Certificate” with an SAP Business ByDesign System Key Pair as certificate for outbound communication:

• Update the Certificate Trust List in the external (communication target) system:
  
  
  
  • Download the new SAP Cloud Root CA and SAP Passport CA G2 certificate (see Download Section).
  
  
  • Add the new SAP Cloud Root CA and SAP Passport CA G2 certificates to the target systems trust list (the old SAP Passport CA certificate can be removed after uploading the new one).
  
  
  
  


• Renew the key pair for certificate logon:
  
  
  
  • Open work center view Application and User Management - Communication Arrangements.
  
  
  • Select the communication scenario, click on “View All” button and navigate to section Technical Data and open Basic Settings.
  
  
  • Download the SAP Business ByDesign System Key Pair (tenant certificate).
  
  
  • Map the renewed tenant certificate to the respective user in the external system.
  
  
  
  

You should apply the changes immediately after receiving communication from us that switch is done on your instance(s). Please refer Change Schedule section of the communication sent / FAQ's below for Change Schedule

Action 1: Tenant Certificate is available after the renewal activity is completed on the mentioned dates and can be downloadable from the tenant, which can be used to upload in the relevant integration systems.

Action 2: Root certificates(or issuer certificates) SAP Passport CA G2 and SAP Cloud Root CA can be uploaded in the respective trust list of the integration systems/components before the mentioned dates itself as they are already available for Download in the Download section

Inbound communication arrangements

Renew the communication credentials of your communication arrangement, if it uses the authentication method “SSL Client Certificate” for inbound communication:

• Open work center view Application and User Management - Communication Arrangements.


• Select the communication scenario, navigate to section Technical Data and open Basic Settings.


• Click on Create and Download Key Pair and get a new key pair referring to the new SAP Passport CA G2 certificate.


• Save the new key pair to the appropriate location


• Install the downloaded key pair in the same location that was used for the old key pair.

You can apply the changes described above only after the switch and you should apply the changes latest until November 30th, 2019. We recommend you should apply the changes immediately after receiving communication from us that switch is done on your instance(s)

Action : New Inbound Key Pair certificate will be available after the renewal activity is completed on the mentioned dates and a new key pair can be created and downloaded from the tenant, which can be used to upload in the relevant integration systems

Certificate-based e-mail encryption (S/MIME)

Please do the necessary changes described below in case you have enabled certificate-based e-mail encryption (S/MIME) for outgoing/incoming mails in your SAP ByDesign tenant.

• Download the new SAP Passport CA G2 and SAP Cloud Root CA certificates from the Download section below.


• Upload the new certificates in to your emailing clients.


• Navigate to Administrator work center - Common Tasks work center view - Configure S/MIME


• Check the settings for -  Signature and Decryption Incoming Mails → If you are using Passport CA generated certificate for Encrypting Mails
  Use the button "Renew S/MIME Certificate" to generate New Certificate(which generates a certificate based on Passport CA G2)
  Use the button "Download Certificate" to download the renewed certificate
  Upload this renewed certificate in your mail clients/server for sending the mails encrypted with newly generated certificated issued by Passport CA G2


• If you are sending outbound E-mails and encrypting these E-mails with the certificate provided by SAP Passport CA, Renew the S/MIME certificate to get the new certificate signed by SAP Passport CA G2

You can apply the changes described above only after the switch and you should apply the changes latest until November 30th, 2019. We recommend you should apply the changes immediately after receiving communication from us that switch is done on your instance(s)

Action: New S/MIME certificates will be available after the renewal activity is completed on the mentioned dates and a new S/MIME certificate has to be created and downloaded from the tenant, which can be used to upload in the relevant integration systems

Partner application or other third-party application with certificate-based communication

Download the new SAP Passport CA G2 and SAP Cloud Root CA certificates (see download section) and do the necessary changes within your application.

You can apply the changes described above only after the switch and you should apply the changes latest until November 30th, 2019. We recommend you should apply the changes immediately after receiving communication from us that switch is done on your instance(s)

Download Section

Download the New SAP Passport CA Certificate here
Download the SAP Cloud Root CA certificate here

Please download ROOT and Intermediate certificates and import in the relevant trust lists

• SAP Passport CA G2


• SAP Cloud Root CA

FAQ’s

What are these certificates used for?
-- These certificates are used for the Client Certificate authentication to your On-premise/third party system or Business ByDesign tenant.

Where should you import these certificates?
-- You should import these certificates “SAP Cloud Root CA and SAP Passport CA G2” in the trust lists where the SSL handshake happens on your server (Example: Web dispatcher, ABAP PSE’s, Java Trusted CA’s, etc)

How do I know if I am impacted by the certificate renewal?
-- If you are using one of the above described use cases in your ByD tenant, then this change is applicable for you

Where to Download the Root Certificate(SAP Cloud Root CA) and Intermediate Certificate(SAP Passport CA G2)?
-- SAP Cloud Root CA and SAP Passport CA G2 certificates are available in the Download section above

What are the consequences if customer/partner doesn’t act on this?
-- Integrations to all the aforesaid scenarios are bound to break if the actions suggested above are not taken before the timelines that we communicated

What if the customer/partner does not use any of the listed scenarios? (i.e., No LogOn with certificate, No Outbound communication, No Inbound communication, No E-Mail encryption)
-- Customer/Partner doesn’t have to take any action at their side.

How to check the certificate in my browser trust list?
• Open Internet Explorer.
• On the Tools menu, click Internet Options
• Navigate to tab “content”
• Click on Certificates button.
• And check in “Trusted root certification Authorities” list
• If root certificate (SAP Cloud Root CA) is present then no action required from here after. If the certificate is not present, please proceed to the next FAQ “How to import certificate into my browser?”

How to import ROOT and Intermediate certificates into my browser?
• Open Internet Explorer.
• On the Tools menu, click Internet Options.
• On the Security tab, click "Custom Level" to open the Security Settings dialog box.
• Under "Reset custom settings", select Medium / Medium-low (default) in the "Reset to" box. Click OK to close the Security Settings dialog box.
Note: Certificates cannot be installed when the security setting is set to High.
• Navigate to tab “Content”
• Click on Certificates button.
• Go to tab “Trusted root certification Authorities” list and Import SAPCloudRootCA.der using “Import” button at bottom
• Go to tab “Intermediate Certification Authorities” list and Import New SAPPassport CA.der using “Import” button at bottom
• Ensure that “SAP Cloud Root CA” and “SAP Passport CA” are added in the list.

When to install the certificates "SAP Cloud Root CA" in browsers(Example: Chrome, IE, Firefox etc.)?
-- If your end users are logging in to SAP Business ByDesign tenant with Certificate that is issued by the new Passport CA G2.

When can the customer download the renewed Client Certificate/Tenant certificate(aka M-User certificate) → Certificate for connecting to external systems?
-- New Client Certificate/Tenant Certificate(aka M-User certificate) will be available in the UI after the CMP hours of the scheduled date mentioned in the communication that is sent to you.

Overview of the Timelines below:

ByD Schedule
Data Center	Test Systems	Production Systems
Sydney	27 Sept, 2019 18:00 to 22:00 UTC	19 Oct, 2019 15:00 to 19:00 UTC
Shanghai	27 Sept, 2019 18:00 to 22:00 UTC	19 Oct, 2019 15:00 to 19:00 UTC
St. Leon Rot AND FRANKFURT	28 Sept, 2019 00:00 to 04:00 UTC	19 Oct, 2019 22:00 to 20 Oct, 2019 02:00 UTC
New Town Square	28 Sept, 2019 07:00 to 11:00 UTC	20 Oct, 2019 04:00 to 08:00 UTC

When can the customer download the renewed "Key Pair Certificate (Used for Inbound Scenario)" from the tenant → User for connecting from external systems to ByD?
-- New Key Pair Certificate(Used for Inbound Scenario) will be available and can be downloaded from the UI after the switch from SAP side - Please refer to communication sent on the change schedule timings (Also, you can refer to the Timelines in this Blog post)

Does Tenant certificate/M-User Certificate of your SAP Business ByDesign will have 2 tenant certificates coexist parallelly after the renewal? (Example: Old M-User Certificate issued by Passport CA and New M-User Certificate issued by Passport CA G2)?
-- After the renewal activity on the communicated date in CMP hours, the old certificate will be replaced with "new M-User certificate" and there will be only one Certificate available

Does the Key Pair certificate (used for Inbound Communication with ByD) of your SAP Business ByDesign tenant will have 2 key pair certificates co-exist parallelly after the renewal?
-- After the renewal activity on the communicated date in CMP hours the old key pair certificate will remain same and is not changed through the renewal process, the customer has to manually generate a new key pair and download/upload it the relevant trust list.

Potential Errors if SAP Cloud Root CA, SAP Passport CA G2 and the renewed certificates(M-User/tenant certificate, Key Pair Certificate) are not updated in the relevant SAP PSE's?
-- ICM_HTTP_UNAUTHORIZED (401)

What are the actions that customer should take if they are using any Integration with other third-party solutions like TIS, Computop, Dicentral...etc. from ByD?

Customer should engage the integration service provider and provide them following certificates to import in their systems trustlist:

1. New SAP Passport CA G2 certificate that can be downloaded from Download Section above


2. New SAP Cloud ROOT CA certificate the can be download from Download Section above


3. Once after you get the confirmation that the renewal is done from SAP side, please download the new Tenant / Client / M-User Certificate which can be downloadable from the tenant and provide it to your Integration system experts

What are the actions that ByD Partners should take as part of this exercise?

Partner should import below certificates in their Trust List:

1. New SAP Passport CA G2 certificate that can be downloaded from Download Section above


2. New SAP Cloud ROOT CA certificate the can be download from Download Section above


3. Please reach out to your Merchants and get the Renewed Tenant / Client / M-user Certificate: Once you receive the Tenant certificate from Merchants, please import this Tenant certificate into your Trust List


4. If there is any user Mapping done on your end, please update the settings accordingly (Please make a note: As mentioned above certificate issuer of Client Certificate is changing now with this renewal)