3217689 - Identifying if you are impacted by SSL Certificate Renewal for SuccessFactors Learning

A reminder was received that there is a certificate renewal upcoming for the Learning system.

• How to validate that you are impacted by the certificate renewal?
• Where to download the certificate?
• Next steps after identifying there is an impact

• SAP SuccessFactors HXM Suite
• SAP SuccessFactors Learning

Preface: This is not a guaranteed way to know if you are impacted by the SSL certificate renewal. This will include possible ways to identify if you are impacted but it is still your responsibility to be thorough and discuss with your internal teams/external vendors. SAP Support cannot provide a the guarantee that there is an impact or not due to the nature of the servers/middleware applications being hosted outside the control of SuccessFactors.

How to validate that you are impacted by the certificate renewal?

The two major tools/features that are utilized in Learning that would be impacted by the certificate renewal center around APIs and middleware application.

APIs:

• There is a possibility that it is unknown if the application has been setup to use external APIs. The following steps are to perhaps discern if APIs are used or not. The reason for the perhaps are due to the nature that the client secret used in APIs could have been created but are no longer used. Note: OCN vendors do utilize APIs. If there is concern the vendor needs to update their server with the certificate, contact them directly.
• To check if a client secret has been generated, which are required for calling Learning APIs, follow these steps:
  
  1. Go to Learning Administration > Configuration > OAuth Token Server
  2. If the Client Secret Hash Value has information rather than just N/A, this means that APIs have been used or being used by an OCN vendor. Do not assume that only OCN is being used OCN but discuss internally other OData APIs are being used.
  3. If this is N/A, it does not mean APIs are not used. Go to Learning Administration > Security > Administrators > Search > Access an admin record. If there is no Client Secret Hash Value near the bottom of the record, check the other admins. This has to be done per admin. If there is an admin with a Client Secret Hash Value and it's not for an OCN vendor, then discuss internally if OData APIs are being used.

Middleware:

• There are many middleware applications that are used with the system. The most prevalent are with reports being placed on external SFTPs. Any other middleware application is not easily vetted by SAP Support so we suggest to discuss internally.
• To check if reports are placed on external SFTPs, follow these steps:
  
  1. Go to Learning Administration > Configuration > System Configuration > REPORT_SYSTEM > Search for "server".
  2. Example configurations to look for are defaultReportFtpConfig.server or reportFtpConfig.[ReportName].server
  3. If these are pointing to SFTP servers not hosted by SuccessFactors, discuss with your internal teams about the new certificate

Where to download the certificate?

The certificates can be downloaded from this KBA.

Next steps after identifying there is an impact:

The above image provides clarification on a structure of the SuccessFactors application along with externally hosted servers. Discuss with your internal IT and HR teams what needs to be updated such as in the image the API, IDP, Other type servers. If the impacted applications, tools, and/or servers are hosted by external vendors and not on your network, then discuss with vendors. Identifying, guidance, and installation of the certificate must be completed by you.

plateau.com, *.lms.sapsf.com, *.lms.sapsf.cn, *.lms.sapsf.eu, cert, certificate, update, renewal, change, expired, expiration, figure, impacted, impact, need, , KBA , LOD-SF-LMS-INT , Integrations with BizX , How To