3119755 - Domain certificate renewal for SAP Cloud for Customer URLs (*.crm.ondemand.com) 2021

Background

The existing server certificate for domain “*.crm.ondemand.com” is being renewed at Origin as it will expire on November 14th, 2021.

Impact

If you have third-party integrations like web services/APIs in your SAP Cloud for Customer (C4C) tenant, you may be required to update the domain certificate. These updates should be conducted by your internal IT resources, with the new certificate information that could be found below.

Impact on your tenant depends on the CDN configuration. For more details refer to the FAQs section.

Download New Certificate(*.crm.ondemand.com)

SAP Cloud for Customer

 NOTE: Issuer certificates(Root and Intermediate) of “*.crm.ondemand.com” is not getting changed.

FAQ's

What changes or adoption are required from the customer side?

If you have third-party integrations like web services/APIs in your test/production environment, you may be required to add the new certificate chain in the required trust stores.

As described in the impact section you need to take action based on the CDN configuration of your tenant.

• C4C URL's that are Akamai IPA enabled or Non-Akamai: Change required as the certificate change would impact your scenarios.
• C4C URL's that are Akamai ION enabled: There is no change required as the server certificate change is not applicable for this scenario

How to identify your SAP Cloud for Customer tenant’s CDN configuration

Below are the configurations available:

• Akamai ION:

If your SAP Cloud for Customer URL is AKAMAI Ion enabled, the output of the below-mentioned command looks as follows:                                                                                              

Run DNS lookup to the tenant URL via online utilities or with command nslookup myXXXXXX.crm.ondemand.com 
 
                Name:         e9343.a.akamaiedge.net 
                Address:    104.98.170.64 
                Aliases:       myXXXXXX.crm.ondemand.com 
                               row1.crm.ondemand.com.edgekey.net 
 
Please note the string *akamaiedge* in the results and if it is present then it means the URL is Akamai Ion enabled

• Akamai IPA (mainly relevant for tenants w/ EUDP contract):

If your SAP Cloud for Customer URL is AKAMAI IPA enabled then when you execute the command: nslookup myXXXXXX.crm.ondemand.com from your server or system 
The result will look like this: bydXX.akamai.sapbydesign.com.srip.net

Please note the string *srip.net* in the results and if it is present then it means the URL is Akamai IPA enabled

• Non-Akamai:

If your SAP Cloud for Customer URL does not show outputs like the above two configurations and if the command nslookup myXXXXXX.crm.ondemand.com shows the below result, This means your tenant is not coming through Akamai and directly hitting origin.
The result would look like: Non-authoritative answer: Name: wd-XXX-X.crm.ondemand.com

What are these certificates used for?

These certificates are used for the SSL/TLS handshake that any system using the 'secure' protocol does before allowing connection to/from the system. In our case, SAP Cloud for Customer uses the 'secure' HTTPS protocol, and hence the SSL handshake is a must for any system to connect to these URLs.

Are the new certificates known to modern web browsers?

DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, therefore for browser scenarios there’s nothing to do. The same is true if one relies on the standard sapjvm trust list.

The CA root certificate is included in:

• SAP JVM patch level 8.1.035 or 7.1.054
• Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15

How do I download or install the certificate?

You must have admin access to the server where you need to install the certificate. If you do not have access to your company's SSL server, notify your IT team and provide them with the respective certificate download link from the above table.

How do Import Single Certificate in SAP CPI Key Store?

Follow the steps mentioned in the link.

How to check the certificate in my browser trust list?

• Open Internet Explorer
• On the Tools menu, click Internet Options 
• Navigate to tab “content” 
• Click on the Certificates button

• And check-in “Trusted root certification Authorities” list and you should find “DigiCert Global Root CA"

• Similarly, check-in “Intermediate Certification Authorities” list and you should find “DigiCert TLS RSA SHA256 2020 CA1 "

• If the certificate is not present, please proceed with the steps mentioned under: “How to import the certificate into my browser?”

How to import the certificate into my browser?

• Open Internet Explorer.
• On the Tools menu, click Internet Options.
• On the Security tab, click "Custom Level" to open the Security Settings dialog box.
• Under "Reset custom settings", select Medium in the "Reset to" box. Click OK to close the Security Settings dialog box. 

Note: Certificates cannot be installed when the security setting is set to High.

• Navigate to tab “Content” 
• Click on the Certificates button.
• Go to the tab “Trusted root certification Authorities” list and Import the attached Digi Certificates using the "Import" button at the bottom.
• Ensure that “DigiCert Root and Intermediate" is added to the list.

I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?

Sometimes, due to time zone differences, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date.

How to check the certificate in my Chrome browser trust list?

• Open settings in chrome browser and search for security in the search box and click on it.

• Go to the manage certificates tab and click on it to see the certificates window popup.

• And check-in “Trusted root certification Authorities” list and you should find “DigiCert Global Root CA"

• Similarly, check-in “Intermediate Certification Authorities” list and you should find “DigiCert TLS RSA SHA256 2020 CA1"

KBA , domain certificate renewal 2021 , LOD-CRM-SEC , Security Topics , How To