SAP Knowledge Base Article - Public

2509971 - FAQs on the impact of Successfactors Certificate Renewal if you use APIs (SFAPI/OData API/adHoc API)

Symptom

Dear SuccessFactors Customer,

When you receieve certificate renewal notification from SAP and if you are using Successfactors integration with SAP or Non-SAP application via APIs (SFAPI/OData API/Adhoc API), below is the action needed from your end:

  • SF Domain certificate for API endpoint URL needs to be updated.
  • These updates should be conducted by your internal IT resources with the new certificate information that could be found below.

Please note that without this change, it is possible that your applications will not work in the Non-Production or Production SF environment.

Please read our handbook about this topic:

Environment

SAP SuccessFactors HCM Suite

Resolution

FAQs on SAP Successfactors Certificate Renewals

 

Question1: How do I know if I am impacted by the certificate renewal?

Answer: You will be impacted by the Certificate renewal activity only if-

  • You are using our APIs (SFAPI/Odata API/Adhoc API) and have some integration scenario setup for your SFSF Instance.
    • You can find list of API URLs for all datacenter HERE
  • You are using some middleware (eg: SAP CPI/HCI/PI/PO/XI) for integration setup. Note that for CPI, if you already have SuccessFactors' root certificate installed in your tenant, you won't be impacted.
  • The Successfators API domain for which the certificate is being renewed (Eg: *.successfactors.eu) is same as the domain you are using to access/connect to Successfactors API server  using API URL as the endpoint URL.

Question 2: What if I am using middleware’s that are supported by SAP? Will I still have to do it on my own?

Answer: Yes, you need to upload the new certificates yourself on your ERP/SAP PI/HCI system.

  • Earlier, maintaining CPI keystore was done by SAP, but now that has been made available as a self-service. But note that the SuccessFactors' root certificate is enough to properly establish the connection between CPI and SF.
  • In ERP, you can upload the renewed SF certificates in transaction 'STRUST'.
  • For Boomi, if you are using the SFSF Hosted Cloud atom of the same DC where your instance resides, you need not make any changes.
  • However, if you are using a local atom/Dell Atom Cloud in Boomi to connect to our APIs, you may need to upload the certificates in Boomi.

 

Question3: Who will upload the new certificates?

Answer: This must be done by the customer themselves.

 

Question4: What are these certificates used for?

Answer: These certificates are used for the SSL/TLS Handshake that any system using the 'secure' protocol does before allowing connection to/from the system. In our case, the Successfactor uses the 'secure' https protocol and hence the SSL Handshake is must for any system to connect to these url's.

 

Question5: My system has SSO enabled. Will that also be impacted?

Answer: No. This has no impact on SSO.

 

Question6: I have my learning interfaces running. Will they also be impacted?

Answer: If the certificate renewal is for *.successfactors.com/eu domain then there will be no impact on Learning interfaces as the learning module usually has the access domain *.plateau.com.

 

Question7: When should I renew the certificates?

Answer: It is recommended to renew the certificates soon after they are available. Note that you can maintain both the "old" certificate and the new one at the same time on your middleware storage. This way you won't face any issues when the change occur.

See Also

Keywords

API - SFAPI - Certificate renewal - New certificates - OData , KBA , LOD-SF-INT-API , API & Adhoc API Framework , LOD-SF-INT , Integrations , LOD-SF-INT-ODATA , OData API Framework , Problem

Product

SAP SuccessFactors HXM Suite all versions