
Trusted root certificates in SAP

Former Member
0 Kudos

Hello Friends,


We currently have HTTPS RFC connections from both R/3 and CRM to various web services. These are used by our organization to both send and receive messages with various new services.

Currently we are checking each web service we connect to and loading the root (top level) certificate this is signed by. The idea is that if the website changes its certificate but uses the same provider then there is a good chance this will continue to work.
HOWEVER - This is not perfect and recently we've had examples where they changed the certificate without notice AND the root certificate of the new certificate had changed. This resulted in the SSL connections failing until we loaded the new root certificate into STRUST and restarted the ICM.

This isn't normally a problem for normal web browser users as Microsoft or other web browser suppliers automatically install a list of trusted root certificates. We are wondering if we can achieve something similar by pre-loading a list of trusted root certificates to reduce the likelihood of a new certificate not being signed by a root certificate we already trust. There doesn't appear to be a universal list but Microsoft's list as loaded into Windows and used by IE appears to be a de facto standard. The added complication is that this list changes over time.

Please can you recommend what should be best practice? Is there a recognized way of obtaining, installing and maintaining trusted root certificates in SAP so that it is more like a browser experience?


Regards,

Rakesh

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

I had a similar observation and wanted to add to the discussion. Effectively for Windows environments it seems possible that you don't need to worry about intermediate/root CA certificates!!!!

Background :

We needed to upload a new server cert (unrelated, but it was actually from SAP for one of their cloud systems we integrate our on-premise ERP with!). When I first installed the original cert, I also installed the CAs along with it. However I did not detect they changed the CAs so I did not do the full chain when I installed the new cert into STRUST. However, it is working!! I opened a customer message based on OSS http://service.sap.com/sap/support/notes/1094342 that seems to imply that the PSEs in STRUST are the sole source of CAs for doing SSL handshaking! I did some level 3 tracing in SMICM and observed that it was aware of ~40 CAs that I had certainly never installed. Come to find out these are installed into the Windows server's certificate store. You can see this by running "certmgr.msc" on the Windows machine.

So, I'm following up with our infrastructure team to understand how they keep these certs updated, but it seems like we could just worry about 'end server certificates' in STRUST!!

Does this theory/approach seem logical to the SSL experts out there?!?

Former Member
0 Kudos

Hello Rakesh

The challenge you are facing is very common and is faced by many. Unfortunately, there is no standard and automatic way of adding new Root CA Certificates in the SAP Systems. One needs to add certificates manually. You may use Windows IE as a reference, as it keeps adding new Certification Authorities. You may define a time period after which the list of CAs should be verified and certificates renewed.

Hope this information will help you.

Regards,

Tapan
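
A periodic check of the kind the answer above describes, as an added example that is not part of the original thread: it compares the roots currently loaded against a reference list by SHA-256 fingerprint and reports the drift in both directions. It assumes both lists are available as Base64 (PEM) bundles; the function names and the sample bundles are hypothetical, and the sample payloads are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One match per certificate block; a bundle may hold many concatenated blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def fingerprints(pem_bundle):
    """Map SHA-256(DER) hex digest -> position of the block in the bundle."""
    found = {}
    for position, match in enumerate(PEM_BLOCK.finditer(pem_bundle), start=1):
        # Remove line wrapping (LF or CRLF) so the digest depends only on the DER bytes.
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)  # raises on a corrupted block
        found.setdefault(hashlib.sha256(der).hexdigest(), position)
    return found

def trust_drift(loaded_pem, reference_pem):
    """Compare the roots loaded in the system with the reference list."""
    loaded = set(fingerprints(loaded_pem))
    reference = set(fingerprints(reference_pem))
    return {
        # In the reference list but not loaded: candidates to add before a
        # partner rotates onto one of them.
        "missing_from_loaded": sorted(reference - loaded),
        # Loaded but absent from the reference list: review these, the
        # reference may have dropped them.
        "not_in_reference": sorted(loaded - reference),
        "common": sorted(loaded & reference),
    }

def sample_pem(payload):
    """Wrap bytes in PEM armour with 64-character lines (sample data helper)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes stand in for DER certificates.
ROOT_A = sample_pem(b"constructed-root-A" * 8)
ROOT_B = sample_pem(b"constructed-root-B" * 8)
ROOT_C = sample_pem(b"constructed-root-C" * 8)
LOADED = ROOT_A + ROOT_B      # what the system trusts today
REFERENCE = ROOT_B + ROOT_C   # the list used as the reference

if __name__ == "__main__":
    for category, digests in trust_drift(LOADED, REFERENCE).items():
        print(category, len(digests), digests)
```
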