Symptom
Context: The existing server certificate for the domain “*.crm.ondemand.com” is being renewed at Akamai because it expires on August 20th, 2025.
For SAP PI/PO running on TLS 1.2 in combination with C4C Akamai ION-enabled sites, be aware of the change in the signature algorithm of the certificate, which might impact your integration with C4C. Technically, we are moving from sha256RSA to sha384ECDSA (Elliptic Curve Digital Signature Algorithm) in order to meet the security requirements.
Change Schedule: August 18th, 2025 between 22:00 UTC and 02:00 UTC for Customer Test and Production.
In case you are using a PO SSL profile different from 1.0, consider the resolution outlined in this KBA, as the certificate change might break the existing integration with C4C.
Environment
Cloud for Customer
SAP PI/PO
Reproducing the Issue
You can run the SSL Server Test on the target C4C tenant using the following URL to see the cipher suites supported on TLS 1.2:
https://www.ssllabs.com/ssltest/analyze.html?d=myxxxxxx.crm.ondemand.com
where myxxxxxx.crm.ondemand.com is replaced by your C4C Production or Test URL.
Cause
SAP PO is integrated with C4C. Recently, C4C enhanced its security (*.crm.ondemand.com) and switched its certificates to use the ECDSA algorithm instead of RSA.
After this update, we encountered an SSL handshake error similar to the following in the SAP PO system:
SSL handshake failure, as seen in the IAIK debug logs:
ssl_debug(31739): Starting handshake (iSaSiLk 5.2)...
ssl_debug(31739): Sending v3 client_hello message to myxxxxxx.crm.ondemand.com:443, requesting version 3.3...
ssl_debug(31739): Sending extensions: elliptic_curves, renegotiation_info, signature_algorithms, server_name, ec_point_formats
ssl_debug(31739): Received alert message: Alert Fatal: handshake failure
ssl_debug(31739): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
ssl_debug(31739): Shutting down SSL layer...
ssl_debug(31739): Closing transport...
The issue occurs because, as per the AKAMAI 2020q1 profile, the following cipher suites (TLS 1.2) should be supported, in addition to ECDSA:
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
Resolution
If you are using the PI/PO with an SSL Profile different from 1, such as Profile 3, you have two options for resolution:
- Set the SSL properties to Profile 1
- Manually add the following cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Please refer to the parameters outlined in the following KBA to enable cipher suites with elliptic curve algorithms ECDHE and ECDSA for outbound connections in SAP NetWeaver (NW) AS Java:
2708581 - ECC Support for Outbound Connections in SAP NW AS Java
Please Note:
In case the connection is still failing with an SSL handshake error after the adaptation of SSLContext.properties, change the SOAP adapter to use the new HTTP handler as described in SAP Note 3171052 - New Feature: Adopt new HTTP client.
After the change, please stop/start the corresponding Communication Channel and retest.
Also note:
- Allowing all EC cipher suites should not have any additional negative impact.
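The following is an added example, not part of the original KBA or of any SAP tool. It shows why the handshake under Cause fails: in TLS 1.2 the authentication algorithm named in the cipher suite must match the key type of the server certificate, so a client offering only RSA-authenticated suites cannot complete a handshake against an ECDSA certificate. The suite list and log text are constructed samples, and how you export the suite list from your PO system is left as an assumption.

```python
import re

# The two suites the KBA says to add (IANA names, taken from the Resolution).
REQUIRED_ECDSA = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}
# Constructed sample: a hypothetical client suite list without any ECDSA suite.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed sample: log lines in the shape of the IAIK excerpt under Cause.
SAMPLE_LOG = """\
ssl_debug(31739): Starting handshake (iSaSiLk 5.2)...
ssl_debug(31739): Sending v3 client_hello message to myxxxxxx.crm.ondemand.com:443, requesting version 3.3...
ssl_debug(31739): Received alert message: Alert Fatal: handshake failure
"""

def auth_algorithm(suite):
    """Server-authentication algorithm encoded in an IANA TLS 1.2 suite name."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_.+", suite)
    if not m:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {suite}")
    # "ECDHE_ECDSA" -> "ECDSA"; plain "RSA" suites also authenticate with RSA.
    return m.group(1).split("_")[-1]

def usable_with(suites, cert_key_type):
    """Suites a TLS 1.2 server holding a certificate of this key type can pick."""
    return [s for s in suites if auth_algorithm(s) == cert_key_type]

def handshake_rejected(log_text):
    """True if a fatal handshake_failure alert follows the client_hello."""
    hello = log_text.find("Sending v3 client_hello message")
    alert = log_text.find("Received alert message: Alert Fatal: handshake failure")
    return 0 <= hello < alert

def diagnose(log_text, suites):
    usable = usable_with(suites, "ECDSA")
    if usable:
        return "ECDSA suites offered: " + ", ".join(usable)
    if handshake_rejected(log_text):
        missing = sorted(REQUIRED_ECDSA - set(suites))
        return "no ECDSA suite offered; add: " + ", ".join(missing)
    return "no ECDSA suite offered; no handshake failure in log"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_SUITES))
```

A handshake failure alert can have other causes, so a result of "ECDSA suites offered" together with a failing connection points to the follow-up steps under "Please Note".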
See Also
3132570 - Domain certificate renewal for SAP Cloud for Customer URLs (*.crm.ondemand.com) at Akamai
Keywords
C4C Akamai Certificate;2708581; ciphersuite; PO;cipher suites; TLS 1.2; TLS_ECDHE_ECDSA;RSA;ECDSA;sha256RSA;sha384ECDSA;Digicert G3;ECDHE;AKAMAI ION;POLY1305 , KBA , LOD-C4C-NET , Network Connectivity and Certificates , BC-JAS-SEC-CPG , Cryptography , Known Error
SAP Knowledge Base Article - Public