SAP Knowledge Base Article - Public

3423003 - Handling of mTLS certificate expiration between IAS/IPS and SuccessFactors HXM Suite

Symptom

When using an X.509/mTLS certificate for authentication between SuccessFactors HXM Suite and IAS/IPS, the mTLS certificate generated by IPS is by default set to expire one year from the date it is created. Does the certificate in IPS need to be regenerated and reimported into the source/target system?

“Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.”

Environment

SAP SuccessFactors HXM Suite

Resolution

You can enable Automatic Regeneration so that the mTLS certificate is regenerated upon expiration:

  • If you are using mTLS certificate-based authentication between IAS/IPS and your SuccessFactors HXM Suite:

    • In the IAS/IPS Admin Console, go to Identity Provisioning > Source Systems, locate the SuccessFactors HXM Suite application integrated with IPS, go to the Outbound Certificate tab, and set the radio button for Automatic Regeneration from OFF to ON.

  • If you are using mTLS certificate-based authentication between IAS and IPS:

    • In the IAS/IPS Admin Console, go to Identity Provisioning > Target Systems, locate the IAS tenant integrated with the current IPS tenant, go to the Outbound Certificate tab, and set the radio button for Automatic Regeneration from OFF to ON.

With this “Automatic Regeneration” option enabled, the certificate will be automatically regenerated within 14 days prior to its expiration. There is no need to download and reimport the certificate into SuccessFactors HXM Suite with this option enabled. The reason is that SuccessFactors HXM Suite validates certificates based on their subject and issuer, so this option allows authentication between IAS/IPS and SuccessFactors HXM Suite to continue working without interruption.
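The following Python sketch is an added illustration, not SAP code and not part of this KBA. It reads the issuer, subject and notAfter fields from a DER certificate so you can confirm that a regenerated certificate keeps the same subject and issuer, and see how many days remain before expiry. Treating the subject/issuer match as a byte-for-byte comparison is an assumption, and the sample certificates are constructed DER skeletons with hypothetical names.

```python
import datetime

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def cert_fields(der):
    """Return (raw issuer Name, raw subject Name, notAfter) of a DER certificate."""
    tbs = read_tlv(read_tlv(der)[1])[1]  # Certificate -> tbsCertificate
    items, pos = [], 0
    while pos < len(tbs) and len(items) < 6:
        start = pos
        tag, body, pos = read_tlv(tbs, pos)
        items.append((tag, body, tbs[start:pos]))
    if items[0][0] == 0xA0:  # optional explicit [0] version field
        items.pop(0)
    _serial, _alg, issuer, validity, subject = items[:5]
    _, _, after_pos = read_tlv(validity[1])  # skip notBefore
    tag, not_after, _ = read_tlv(validity[1], after_pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return issuer[2], subject[2], datetime.datetime.strptime(not_after.decode(), fmt)

def same_identity(old_der, new_der):
    """True if issuer and subject are byte-identical, i.e. unchanged by regeneration."""
    return cert_fields(old_der)[:2] == cert_fields(new_der)[:2]

def days_left(der, now):
    """Whole days from now (naive UTC datetime) until notAfter."""
    return (cert_fields(der)[2] - now).days

# --- Constructed sample data: minimal DER skeletons, not real IPS certificates ---
def tlv(tag, *parts):
    body = b"".join(parts)
    n = len(body)  # sample elements stay below 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_cert(serial, not_before, not_after, subject_cn="sample-ips-tenant"):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), alg,
              name(b"Sample Issuing CA"), tlv(0x30, tlv(0x17, not_before), tlv(0x17, not_after)),
              name(subject_cn.encode()))
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00\x00"))

OLD = sample_cert(1, b"240101000000Z", b"250101000000Z")    # about to expire
NEW = sample_cert(2, b"241220000000Z", b"251220000000Z")    # regenerated: new serial and validity
OTHER = sample_cert(3, b"241220000000Z", b"251220000000Z", "other-tenant")
```

To run the check on a certificate downloaded in PEM form, convert it to DER first with Python's ssl.PEM_cert_to_DER_cert().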

This “Automatic Regeneration” option is supported for IPS tenants running on SAP Cloud Identity Service infrastructure. If your IPS tenants are still on the NEO infrastructure, please upgrade to SAP Cloud Identity Service infrastructure and then enable this option.

If you are still using basic authentication between IAS/IPS and SuccessFactors HXM Suite, we recommend that you migrate to X.509/mTLS certificate-based authentication as early as possible. For information regarding the migration, please refer to this blog.

See Also

Generate and Manage Certificates for Outbound Connection | SAP Help Portal 

Blog post: Secure your SuccessFactors to IAS/IPS integration by migrating to mTLS cert based authentication 

Keywords

mTLS certificate, x.509 certificate, IPS certificate, expiration certificate , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , BC-IAM-IDS , Identity Authentication Service , BC-IAM-IPS , Identity Provisioning Service (IPS) , How To

Product

SAP SuccessFactors HXM Suite 2311