SAP Knowledge Base Article - Public

2509971 - FAQ on the impact of SuccessFactors Certificate Renewal if you use APIs (SFAPI and OData API)


If you are using SuccessFactors integration with SAP or Non-SAP application via APIs (SFAPI/OData API/Adhoc API) and you receive the certificate renewal notification from SAP, below is the action needed from your end:

  • SuccessFactors domain certificate for API endpoint URL needs to be updated.
  • These updates should be conducted by your internal IT resources with the new certificate information that could be found below.

Please note that without this change, it is possible that your applications will not work in the Non-Production or Production SuccessFactors environment.


SAP SuccessFactors HXM Suite


FAQ on SAP SuccessFactors Certificate Renewals if you use APIs

1) How do I know if I am impacted by the certificate renewal?
You will be impacted by the Certificate Renewal activity only if:

  • You are using our APIs (SFAPI and OData API) and have some integration scenario setup for your SuccessFators instance.
    • You can find list of API URLs for all datacenter in the KBA 2215682.
  • You are using some middleware (for example: SAP CPI/HCI/PI/PO/XI) for integration setup. Note that for CPI, if you already have SuccessFactors' root certificate installed in your tenant, you won't be impacted.
  • The SuccessFactors API domain for which the certificate is being renewed (Eg: * is same as the domain you are using to access/connect to SuccessFactors API server using API URL as the endpoint URL.

2) What if I am using middlewares that are supported by SAP? Will I still have to do it on my own?
Yes, you need to upload the new certificates yourself on your ERP/SAP PI/CPI system.

  • Earlier, maintaining CPI keystore was done by SAP, but now that has been made available as a self-service. But note that the SuccessFactors' root certificate is enough to properly establish the connection between CPI and SF.
  • In ERP, you can upload the renewed SF certificates in transaction "STRUST".
  • For Boomi, if you are using the SFSF Hosted Cloud atom of the same DC where your instance resides, you need not make any changes.
  • However, if you are using a local atom/Dell Atom Cloud in Boomi to connect to our APIs, you may need to upload the certificates in Boomi.

3) Who will upload the new certificates?
This must be done by the customer themselves.

4) What are these certificates used for?
These certificates are used for the SSL/TLS Handshake that any system using the 'secure' protocol does before allowing connection to/from the system. In our case, the Successfactor uses the 'secure' https protocol and hence the SSL Handshake is must for any system to connect to these url's.

5) My system has SSO enabled. Will that also be impacted?
No. This has no impact on SSO.

6) I have Learning interfaces running. Will they also be impacted?
If the certificate renewal is for * domain then there will be no impact on such interfaces as the Learning module usually has the access domain *

7) When should I renew the certificates?
It is recommended to renew the certificates as soon as they get available. Note that you can maintain both the "old" certificate and the new one at the same time on your middleware storage, this way you won't face any issues when the change occurs.

See Also


API, SFAPI, Certificate, renewal, New certificates, OData, cpi, boomi, pi, , KBA , LOD-SF-INT-API , API & Adhoc API Framework , LOD-SF-INT , Integrations , LOD-SF-INT-ODATA , OData API Framework , How To


SAP SuccessFactors HCM suite all versions