Symptom
Background
The existing server certificate for the domain “*.crm.ondemand.com” is being renewed at Akamai, as it will expire on September 26th, 2024.
Change Schedule:
September 21st, 2024, SAT 22:00 UTC until September 22nd, 2024, SUN 02:00 UTC, for Customer Test and Production.
Download the new certificate (*.crm.ondemand.com) from the Attachments section.
Environment
SAP Cloud for Customer
Resolution
Action Required
If you have third party integrations like web services/APIs in your SAP Cloud for Customer tenant, you may be required to update the domain certificate. These updates should be conducted by your internal IT resources, with the new certificate information as below.
The impact on your tenant depends on the CDN configuration. For more details, refer to the FAQs section.
FAQs
What changes or adoption are required from the customer side?
As described already, you need to take action based on the CDN configuration of your tenant.
- C4C URLs that are Akamai IPA enabled or Non-Akamai: No action required
- C4C URLs that are Akamai ION enabled: You may be required to update the domain certificate with the help of your internal IT resources if you have third party integrations like web services/APIs in your Cloud for Customer tenant
*Please note: This is not an OS-level action; it is a system-level configuration in any target system integrated with C4C. On the C4C OS side, our operations team has already maintained the new certificate. If you have third party integrations like web services/APIs in your SAP Cloud for Customer tenant, you may be required to update the domain certificate. For example, if you need to update the certificate in CPI, please follow. Similarly, for any system connected to the C4C tenant, update the certificate in the same way. This means that if you have third party integrations, you renew the certificate in the target system (not in C4C). If you do not have third party integrations, you don't have to take any action.
How to identify your SAP Cloud for Customer tenant’s CDN configuration?
Below are the configurations available:
Akamai ION: If your SAP Cloud for Customer URL is Akamai ION enabled, the output of the command below should look as follows:
- Run a DNS lookup for the tenant URL via online utilities or with the command nslookup myXXXXXX.crm.ondemand.com
Name: e9343.a.akamaiedge.net
Address: 104.98.170.64
Aliases: myXXXXXX.crm.ondemand.com
row1.crm.ondemand.com.edgekey.net – All the tenants
- Please note that if the string *akamaiedge* is present in the results, the URL is Akamai ION enabled.
Akamai IPA (mainly relevant for tenants with an EUDP contract): If your SAP Cloud for Customer URL is Akamai IPA enabled, the output of the command below should look as follows:
- Execute the command nslookup myXXXXXX.crm.ondemand.com from your server or system
Result will look like: fra.x-xxx.c4c.net.sap.srip.net
- Please note the string *srip.net* in the results; if it is present, the URL is Akamai IPA enabled.
Non-Akamai: If your SAP Cloud for Customer URL does not show output like the two configurations above, and the command nslookup myXXXXXX.crm.ondemand.com shows the result below, your tenant is not connected through Akamai and is directly hitting the origin.
Non-authoritative answer:
Name: lb-xxxxx-xxx-xxxxx-x-xxx.c4c.cloud.sap
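The three DNS patterns above can be checked mechanically across many tenant URLs. The following Python code is an added example, not part of the original article or any SAP tooling; the function names and the sample output are constructed, and it also accepts the Linux/macOS nslookup layout, which the article does not show.

```python
import re

# Markers quoted from the FAQ above, checked in this order.
CDN_MARKERS = [("akamaiedge", "Akamai ION"), ("srip.net", "Akamai IPA"),
               ("c4c.cloud.sap", "Non-Akamai")]
FIELD = re.compile(r"^(server|name|aliases|address(?:es)?)\s*:\s*(.*)$", re.I)

# Constructed sample in Windows nslookup layout (the resolver name is made up).
SAMPLE = """Server:  resolver.example.internal
Address:  10.0.0.53

Non-authoritative answer:
Name:    e9343.a.akamaiedge.net
Address:  104.98.170.64
Aliases:  myXXXXXX.crm.ondemand.com
          row1.crm.ondemand.com.edgekey.net
"""


def answer_names(nslookup_output):
    """Names from Name:/Aliases: fields and 'canonical name =' lines."""
    # The resolver's own Server: line is never collected, so a resolver whose
    # name happens to contain a marker cannot skew the classification.
    names, field = [], None
    for raw in nslookup_output.splitlines():
        line = raw.strip()
        if not line:
            field = None
            continue
        if "canonical name =" in line:  # Linux/macOS nslookup layout
            names += [p.strip(" \t.").lower() for p in line.split("canonical name =")]
            continue
        match = FIELD.match(line)
        if match:
            field, value = match.group(1).lower(), match.group(2)
        else:
            value = line  # wrapped continuation of the previous field
        if field in ("name", "aliases") and value:
            names.append(value.split()[0].rstrip(".").lower())
    return names


def classify_cdn(nslookup_output):
    """Return (configuration, update_may_be_needed) following the FAQ rules."""
    names = answer_names(nslookup_output)
    for marker, label in CDN_MARKERS:
        if any(marker in name for name in names):
            return label, label == "Akamai ION"
    return "Unknown", None
```

Only an "Akamai ION" result combined with third party integrations calls for the certificate update described in this article; "Unknown" means the output matched none of the three patterns and should be reviewed by hand.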
What are these certificates used for?
These certificates are used for the SSL/TLS handshake that any system using the 'secure' protocol performs before allowing a connection to or from the system. In our case, SAP Cloud for Customer uses the 'secure' HTTPS protocol, and hence the SSL handshake is required for any system to connect to these URLs.
This certificate is used for authentication when calling the API from a target system. It is not the only method of authentication; check this with your IT team. If you have used the old certificate before, you need to renew it; otherwise, you don’t have to.
How do we test the new certificate?
The change is on the Akamai platform, and the renewal happens for both customer test and production tenants at the same time. You can still test the new certificate by following the steps below.
- In a CMD prompt, run
nslookup row1.crm.ondemand.com.edgekey-staging.net
You will see output like the following:
Name: e9343.a.akamaiedge-staging.net
Address: 23.201.233.6
Aliases: row1.crm.ondemand.com.edgekey-staging.net
- Copy the IP address returned in the step above
- Open the path C:\Windows\System32\drivers\etc
- Edit the hosts file to map your tenant URLs to that IP address (like the sample IPs below)
23.201.233.6 myXXXXXX.crm.ondemand.com
23.201.233.6 myXXXXXX-sso.crm.ondemand.com
- After making the changes, save the file and restart your machine to apply them
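To confirm which certificate an edge IP address actually presents, the handshake can be made against that IP while sending the tenant host name as SNI, which goes beyond the hosts file steps above by not changing the machine's name resolution. This is an added Python example, not part of the original article; fetch_cert and summarize are hypothetical names, and the sample certificate dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# From the article: the certificate being replaced expires on September 26th, 2024.
OLD_EXPIRY = datetime(2024, 9, 26, tzinfo=timezone.utc)

# Constructed getpeercert()-style dict; the validity date is made up.
SAMPLE_CERT = {
    "issuer": ((("commonName", "DigiCert Global G2 TLS RSA SHA256 2020 CA1"),),),
    "notAfter": "Sep 25 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "*.crm.ondemand.com"), ("DNS", "crm.ondemand.com")),
}


def fetch_cert(edge_ip, tenant_host, port=443, timeout=10):
    """TLS handshake with edge_ip while sending tenant_host as SNI.

    The default context verifies the chain and the host name, so a
    successful return also means the local trust store accepts the issuer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((edge_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=tenant_host) as tls:
            return tls.getpeercert()


def summarize(cert, tenant_host, now=None):
    """Reduce a getpeercert() dict to the facts relevant to this renewal."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    _, _, parent = tenant_host.lower().partition(".")
    return {
        "issuer_cn": issuer.get("commonName"),
        "not_after": not_after,
        "days_left": (not_after - now).days,
        # Two days of slack absorb the time zone differences the FAQ mentions.
        "renewed": not_after > OLD_EXPIRY + timedelta(days=2),
        "covers_host": tenant_host.lower() in sans or "*." + parent in sans,
    }
```

Call fetch_cert with the staging IP address from your own lookup and your tenant host name, then pass the result to summarize; a certificate verification error from fetch_cert indicates that the calling system's trust store does not accept the presented chain.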
Are the new certificates known to modern web browsers?
DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients. Therefore no change is required for browsers. The same is true if one relies on the standard sapjvm trust list.
The CA root certificate is included in:
- SAP JVM patch level 8.1.035 or 7.1.054
- Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15
How do I download or install the certificate?
You must have admin access to the server where you need to install the certificate. If you do not have access to your company's SSL server, notify your IT team and provide them with the respective certificate download link from the above table.
How do I import a single certificate into the SAP CPI key store?
Follow the steps mentioned in the link.
How to check the certificate in my browser trust list?
Google Chrome:
- Open Settings in the Chrome browser, search for security in the search box, and click on it.
- Click the Manage certificates tab to open the certificates window.
- Check the “Trusted Root Certification Authorities” list; you should find “DigiCert Global Root G2”.
- Similarly, check the “Intermediate Certification Authorities” list; you should find “DigiCert Global G2 TLS RSA SHA256 2020 CA1”.
Microsoft Edge:
- Open Microsoft Edge.
- Open Settings in Microsoft Edge, search for security in the search box, and click on it.
- Click on Manage Certificates.
- Check the “Trusted Root Certification Authorities” list; you should find “DigiCert Global Root G2”.
- Similarly, check the “Intermediate Certification Authorities” list; you should find “DigiCert Global G2 TLS RSA SHA256 2020 CA1”.
- If the certificate is not present, please proceed with the steps mentioned under “How to import the certificate into my browser?”
How to import the certificate into my browser?
- Open Google Chrome or Microsoft Edge.
- Open Settings, search for security in the search box, and click on it.
- Click on Manage Device Certificates / Manage Certificates.
- Go to the “Trusted Root Certification Authorities” tab and import the attached DigiCert certificates using the "Import" button at the bottom.
- Go to the “Intermediate Certification Authorities” tab and import the attached DigiCert certificates using the "Import" button at the bottom.
- Ensure that “DigiCert Root and Intermediate” is added to the list.
I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?
Sometimes, due to time zone difference, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date.
Keywords
KBA , akamai , domain certificate , LOD-CRM-SEC , Security Topics , Problem
Product
Attachments
star_crm_ondemand_com_akamai_2024.zip