SAP certificate renewal - practical guide
Jiri Fridrich
4. 10. 2024
Integration
This blog post should prepare you for a key or certificate renewal, which, if not handled carefully, can result in communication failures and data loss. A typical example is the sap_cloudintegrationcertificate provided by SAP, which expires every year and is often used in integration flows for signing, decryption and authentication.
All the technical setup is described in the excellent blog "Cloud Integration – Activate SAP Keys in Keystore Monitor". Here we look at the practical aspects and the steps to take when the certificate's expiry date is approaching.
Identify your affected communication partners
This was described in the blog referred to above. You need a list of contacts who are responsible for the certificate update on their side; this is usually an administrator or a support group.
Schedule an outage window
Depending on how many integrations are affected, the length of the window may differ, but generally it should not take very long. On the SAP Cloud Integration side it is actually very quick: we just activate the new certificate and restart the outgoing iflows. One hour should be sufficient, mainly to give our partners some time.
Share planned outage with your partners
Draft an email that informs your contacts about the scheduled outage. It can have the following structure:
Dear colleague,
Let me kindly inform you about a regular certificate renewal in our integration gateway - SAP Integration Suite.
This certificate is used in HTTPS communication between CLIENT and your system for authentication, encryption and signing and needs to be renewed before HARD DATE SET BY SAP.
We have scheduled the renewal at our side on DATE AND TIME OF SCHEDULED OUTAGE in TIMEZONE.
Attached you will find the new certificate CERTIFICATE NAME.
Action: Replace the current certificate with this new one within the above specified time window.
Current certificate SN: SERIAL NUMBER
New certificate SN: SERIAL NUMBER
Please notify us that you have scheduled the certificate renewal. You can do so by replying to this email.
In case of any doubts or questions, please contact the integration team directly at CONTACTS OF TENANT ADMINS.
Outage
Once we have collected confirmations from our partners that they have scheduled the certificate exchange on their side, we wait for the outage window.
At the scheduled time, we and our partners stop both outbound and inbound iflows to prevent possible data loss.
Imagine that we update our certificate but our partner has not done so yet. We then send a message signed with the new certificate, but the partner's system rejects it, because it cannot verify the signature with the old certificate.
There are two possible outcomes:
The message is marked as Failed, which is the better option, as it can be subject to a retry loop.
In AS2 scenarios, the message may be marked as Complete, but the MDN is negative, so the iflow shows green even though the message was not delivered. If we overlook this, data loss may occur.
That is why the outage on both sides is recommended.
Perform the renewal
In this step we swap the old certificate for the new one. Again, this is thoroughly described in the blog mentioned at the beginning.
First, download the certificate that is about to be replaced, in case a rollback is needed.
For example, for the sap_cloudintegrationcertificate, we open the Keystore and download the current certificate from the Current tab.
For the renewal itself we go to the New SAP Keys tab and select Activate. A confirmation window appears, which we also confirm.
Monitor and troubleshoot
When the new certificate is in place, we can start our iflows. We can do so partner by partner, always monitoring the communication. If there are problems, they will most likely result from a certificate mismatch, which probably means that our counterparty did not correctly apply the new certificate. In that case we reach out to them and request confirmation that the exchange has taken place.
In AS2 scenarios, we pay close attention to the MDN acknowledgements and ensure that the response inside the MDN text is positive. We can track the status per partner in a very simple spreadsheet table.
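The negative-MDN case from the Outage section and the MDN check above, as an added example that is not part of the original post: a small Python parser for the message/disposition-notification part of an AS2 MDN that treats anything other than a plain "processed" disposition as a failed delivery to be reprocessed. The two MDN texts are constructed samples, and the partner and message identifiers in them are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample MDN bodies (the message/disposition-notification part).
# Field layout follows RFC 4130 / RFC 3798; the values are placeholders.
MDN_OK = """Reporting-UA: partner-as2/1.0
Original-Recipient: rfc822; PARTNER-AS2-ID
Final-Recipient: rfc822; PARTNER-AS2-ID
Original-Message-ID: <msg-1@client.example>
Disposition: automatic-action/MDN-sent-automatically; processed
"""

# The kind of MDN a partner returns when it still trusts the OLD certificate
# and cannot verify a signature made with the NEW one.
MDN_BAD_SIG = """Reporting-UA: partner-as2/1.0
Original-Message-ID: <msg-2@client.example>
Disposition: automatic-action/MDN-sent-automatically; processed/error: authentication-failed
"""


@dataclass
class MdnVerdict:
    message_id: str
    disposition: str
    positive: bool
    reason: str


def evaluate_mdn(mdn_text: str) -> MdnVerdict:
    """Decide whether an MDN reports a successful delivery.

    A green iflow only proves that an MDN came back; the Disposition field
    says whether the partner actually accepted the message. Only a bare
    "processed" counts as positive; processed/error, processed/warning,
    failed/... and a missing field are all treated as negative.
    """
    fields = {}
    for line in mdn_text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    disposition = fields.get("disposition", "")
    message_id = fields.get("original-message-id", "<unknown>")
    # Grammar: disposition-mode ";" disposition-type ["/" modifier [":" reason]]
    m = re.match(r"^[^;]*;\s*([^\s:]+)(?:\s*:\s*(.*))?$", disposition)
    if not m:
        return MdnVerdict(message_id, disposition, False, "disposition missing or malformed")
    dtype, reason = m.group(1).lower(), (m.group(2) or "").strip()
    return MdnVerdict(message_id, disposition, dtype == "processed", reason or dtype)


def messages_to_reprocess(mdn_texts):
    """Message IDs whose MDN was negative, i.e. candidates for the reprocessing step."""
    return [v.message_id for v in map(evaluate_mdn, mdn_texts) if not v.positive]
```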
Close the activity
After communication is up and running, we may need to reprocess messages that were lost due to a temporary certificate mismatch, as mentioned in the Outage section above.
Once we resolve all problems and ideally the entire table turns green, we can close the activity. This can be represented by a confirmation email to our partners and interested audience.
A brief lessons-learned summary shared with the same parties may also be very useful. In fact, that is how this blog post originated.