former_member182657
Active Contributor

A few days back, some SCN members reported an issue related to the expiration date of the SAProuter certificate, i.e. 18/07/2015.

In this regard, SAP recently introduced a new Root Certification Authority process for customers using SNC connections between SAP and their own end.

The purpose of this document is just to make members aware of the updated SAProuter Certification Authority method.

Referred SAP Note: 2131531 - New Root Certification Authority for saprouter certificates

With the implementation of the new Root Certification Authority, SAP customers need to make some software changes as well as process changes at their end.

With effect from 15/04/2015, all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. To obtain the new SAProuter CA, customers can navigate to the link https://support.sap.com/support-programs-services/services/trust-center/download/root-certificates.h... (requires a valid S-User ID to download).

Note: Certificates obtained before 15/04/2015 will no longer be supported by SAP.

Timeline

4/15/2015 11:00 AM CET: switch to the new SAProuter Root CA for certification requests. SAProuter certificates obtained before 04/15/2015 can still be used.

7/18/2015 11:00 AM CET: sapservX switches to PSEs signed by the new SAProuter CA. SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP.

Steps Mandatory if SAPRouter Certificate applied after 18/07/2015

Customers using SNC network connections must:

  • Use the latest SAProuter version.
  • Use the latest SAPCrypto library.
  • Use a PSE with key size 2048.
  • Import the old SAProuter Root CA (this step is important and necessary to establish trust with the sapservX SAProuter at SAP until 07/18/2015).

For a more detailed description, customers can go to the SAP link at https://support.sap.com/remote-support/help/installing-saprouter.html (with a valid S-User ID).

Hope you will find this document helpful & get some useful information from it.

Updates, if any, are highly appreciated at my end.

Issue occurred: hostname NiHLGetNoteAddr unknown

Resolution: After a successful setup of the new root certificate method, customers or users may experience the above issue during remote connections with a SAProuter string if they are using the latest SAP GUI release 740, and will find similar error / failure entries ("hostname NiHLGetNoteAddr unknown") in the dev_rout file. To overcome the issue you could follow the related SAP Notes:

  • 2077230 - SAP Logon (Pad) 740: missing SAPRouter string for system entry and error "hostname 'NiHLGe...
  • 2035293 - known and open issues of SAP GUI for Windows.

Alternatively, use a lower SAP GUI version, i.e. 730, as a workaround.

Stay tuned !!

Gaurav Rana

25 Comments
former_member182657
Active Contributor
0 Kudos

Hi Samid,

You could follow this document & the SAP Note 2131531 - New Root Certification Authority for saprouter certificates in response to your issue under SAP Router - certificate expiration date (problem) regarding the expiration of the SAProuter certificate.

Hope this will help you & others too.

Regards,

Gaurav

Former Member
0 Kudos

Hi Gaurav :smile:

Thank you very much for this! I already checked this blog and the sap note 2131531 - New Root Certification Authority for saprouter certificates but unfortunately I still have the same situation/problem. I will update the thread that I created SAP Router - certificate expiration date (problem) with more information about it.


Once again thank you.

Samid Raif

former_member182657
Active Contributor
0 Kudos

Hi ,

Hope you are doing good !!

I just checked the thread & saw your issue of still getting the same dates. But I would suggest you kindly follow the statement below


Effective 07/18/2015 11:00 AM CET:


Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.


from the note  2131531 - New Root Certification Authority for saprouter certificates

Hope you'll get your answer from the above statement.

Good luck !!

Former Member
0 Kudos

Hi Gaurav,

We have tried to install new certificate but we ran into the step from SAP Note OSS 2131531

  • Import old SAProuter Root CA (this step is important and necessary to
    establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

Where can I find "old SAProuter Root CA" and what commands should I use to import it?

Thanks in advance

Best Regards

Emili Delgado

Former Member
0 Kudos

Hi Gaurav,

Sorry, I think the SAP Note OSS is a little bit ambiguous. It is not clear that the SAProuter CA attached is the old one. I could see this is quite clear in the link Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

  • From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

sapgenpse maintain_pk -a smprootca.der -p local.pse

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

Sorry and best regards!!!

former_member185954
Active Contributor
0 Kudos

Hello Emili,

The note isn't ambiguous but the blog seems to start with the following:


Few days back some of SCN members reported the issue related with expiration date of SAP Router certificate i.e on 18/07/2015.



To overcome the issue SAP recently introduced New Root Authority Certification process for customers using SNC connections.


between SAP and at their end.


Which may not be true, from what I can see SAP is upgrading its security by switching to  a higher grade encryption which makes it mandatory for customers to use a PSE that uses a key size of 2048.

In the note, SAP simply states the following:

  1. SAP is implementing a new Root Certification Authority 15 April 2015 11:00 CET onwards.
  2. SAP will continue to keep the OLD Root Certification Authority alive till 18th July 2015 10:59 CET, however it will NOT issue any new certificates from this OLD Root Certification Authority
  3. Hence, between 15th April 2015 11:00 CET and 18th July 2015 10:59 CET, since both OLD and NEW Root Certification Authority Servers are alive, customers with old certificates and new certificates will be supported.
  4. After 18th July 2015 11:00 CET , the OLD Root Certification Authority will be Shutdown and certificates issued by OLD Root CA will no longer be valid.

So in a nutshell, if you are requesting a certificate after 15th April 2015 11:00 CET, you will be provided client certificate that will be generated by the NEW ROOT CA, hence you will need to install the root certificates of the new ROOT CA in order to build the certificate chain and for your SNC to work.

SAP is essentially giving you advance warning and time to replace your old certificates with new ones.

Regards,

Siddhesh

Former Member
0 Kudos

Hi Siddhesh,

Thanks for your further explanation. What I mean, because I have done this task a lot of times, is that the certificate attached to the note seems to be the new one (at least to me). And in the link it is quite clear that the SMP Root CA certificate is the old one. In the link, SAP states:

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

So, from 15th April 2015 11:00 CET until 18th July 2015 10:59 CET you need old Root Certificate imported in your PSE

I have just applied the instructions in my installation and everything works fine.

Regards.

former_member182657
Active Contributor
0 Kudos

Hi Siddhesh,

Thanks for the comments


The note isn't ambiguous but the blog seems to start with the following:


Which may not be true


Blog created just to highlight symptom & to aware members which i & 

The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 .

& please read the purpose of blog as well


Purpose of the document is just to aware the members about the updated new SAP Router certificate Authority method


And yes of-course SAP is essentially giving you advance warning and time to replace your old certificates with new ones.

Regards,

former_member185954
Active Contributor
0 Kudos

Hello Emili,

According to me, the root certificate attached in the note is OLD SMP Root CA(since it doesn't have the entry which belongs to the NEW SMP Root CA which is:  O=SAP Trust Community II ).

Regards,

Siddhesh

former_member185954
Active Contributor
0 Kudos

Hello Gaurav,

No offence meant, but can you edit the blog and update it that SAP isn't fixing any issue by issuing the note.

In my opinion, the SAP Note itself is pretty clear.

Regards,

Siddhesh

former_member182657
Active Contributor
0 Kudos

Hi,

Yes i agree with you & with the statement


SAP isn't fixing any issue by issuing the note


& have made some minor changes in this blog as well. Hope you & others will find it relevant now.

Thanks for the corrections. :smile:

Former Member
0 Kudos

Hello Gaurav,

Many thanks for your blog, as per your expertise and topic in this blog I thought you could help me, at the end it was not necessary, just following the link, sorry for that.

Hello Siddhesh,

When I was reviewing my previous SAP Router Certificate I could see the issuer was CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE as per the note, so if I see CN=SMP Root CA in the certificate attached to the note, how can I know if it is the new root or the old one?

Obviously If you read books and books of SAP Router certificates, blogs and so on, everything it is quite clear, but not in the note, you should read definition of ambiguous

Best Regards.

former_member185954
Active Contributor
0 Kudos

Hello Emili,

I can see why the confusion is, to clear my confusion, I will look at the issue start date, the start date is very old (year 2000), so its found to be old.

The new CA will have an issue date of 2015.

Regards,

Siddhesh

Former Member
0 Kudos

Hi Siddhesh,

I fully agree with you. I looked at the certificate in more detail just before, and someone a little bit clever (not too much) might deduce that ;), but deducing is not self-explanatory reading, is it? It would be worth having the SAP Note OSS with explicit comments, but this is only my opinion.

Best Regards

former_member185954
Active Contributor
0 Kudos

Hello Emili,

you are right :smile:

Regards,

Siddhesh

former_member182657
Active Contributor
0 Kudos

Hi Emili/Siddhesh,

I appreciate you & your comments on the blog; each & every comment on the blog is an addition that makes this information better for other members in future.

The blog was created during the time when I faced the expiration of the router at a specific date, i.e. 07/18/15. To overcome the issue I too searched a lot on SCN as well as on the Support Portal but failed to achieve the required results, and at last found it's a known issue at SAP's end.

SAP Router - certificate expiration date (problem) )

Still i'm in process to make this blog more informative & will update it soon with the latest available information in regards at my end.

Stay Tuned !!

former_member185954
Active Contributor
0 Kudos

Hello Gaurav,

Someone wrote a new blog - check this New SAProuter CA: Clock is ticking time to act now

former_member182657
Active Contributor
0 Kudos

Yups i just checked .

Thanks,

UweFetzer_se38
Active Contributor
0 Kudos

Thank you, you saved my day 🙂

Former Member
0 Kudos

Hi ,

Do we need to install a fresh saprouter or just use the existing saprouter and apply the new certificate terminology? Thanks

UweFetzer_se38
Active Contributor
0 Kudos

The note stated, that you should install the newest version. So it depends on what version you are already using.

former_member182657
Active Contributor
0 Kudos

Hi Arul,

Thanks for the comment.

From SAP Note   2131531 - New Root Certification Authority for saprouter certificates

Please follow below as mandatory steps


If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:



  • Use latest Common Crypto Library

  • Use a PSE with a key size of 2048

  • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)


Best would be to use the latest CC library & a PSE key with size 2048. In addition you need to

Generate the certificate Request with the command:


sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "<Distinguished Name>"


&

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE. 

sapgenpse maintain_pk -a smprootca.der -p local.pse

In my opinion try to have a newest version for successful implementations by referring steps at Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

Good luck !!

Former Member
0 Kudos

Hi uwe ,

my saprouter version is 38.10

Hi gaurav,

Shall I apply the new certificate without installing a new version? Above is my version. Thanks

UweFetzer_se38
Active Contributor
0 Kudos

The newest one is 40.4 (the 7.42 kernel version)

former_member397553
Discoverer
0 Kudos
Hello everyone,

I would like to know if anyone here knows whether it is possible to configure in Solution Manager an alert for the expiration date of the SAP router.

 

Best Regards,

 

Miguel
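
The checks discussed in this thread (old versus new issuing CA, the 2048-bit key requirement, and how close a certificate is to expiry) can be scripted outside of SAP tooling. The following is an added example, not code from the blog, the commenters or SAP, and it is not a Solution Manager configuration; `check_cert`, the finding codes, the reading of "CET" as UTC+1 and the sample certificate fields are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# The page gives both cutovers as "11:00 AM CET"; CET is taken literally as UTC+1 (assumption).
CET = timezone(timedelta(hours=1))
NEW_CA_START = datetime(2015, 4, 15, 11, 0, tzinfo=CET)  # new CA signs all requests from here
OLD_CA_END = datetime(2015, 7, 18, 11, 0, tzinfo=CET)    # old-CA certificates refused from here
OLD_ISSUER = "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE"  # old CA, as quoted in the thread
NEW_CA_RDN = "O=SAP Trust Community II"                     # new CA marker, as quoted in the thread


def rdns(dn):
    """Split a DN into normalised RDNs (naive: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def check_cert(issuer, not_before, not_after, key_bits, now, warn_days=30):
    """Return finding codes for one SAProuter certificate; ['OK'] if none."""
    findings = []
    parts = rdns(issuer)
    if rdns(NEW_CA_RDN)[0] in parts:
        ca = "new"
    elif parts == rdns(OLD_ISSUER) or not_before < NEW_CA_START:
        ca = "old"  # issuer matches, or issued before the new CA signed anything
    else:
        ca = "unknown"
    if ca == "old":
        findings.append("REJECTED_OLD_CA" if now >= OLD_CA_END else "RENEW_OLD_CA")
    elif ca == "unknown":
        findings.append("UNKNOWN_ISSUER")
    if key_bits < 2048:  # the note requires a PSE with key size 2048
        findings.append("KEY_TOO_SHORT")
    if now >= not_after:
        findings.append("EXPIRED")
    elif (not_after - now).days <= warn_days:
        findings.append(f"EXPIRING:{(not_after - now).days}")
    return findings or ["OK"]


# Constructed sample certificates (field values invented for illustration).
OLD_CERT = dict(issuer=OLD_ISSUER, key_bits=1024,
                not_before=datetime(2014, 8, 1, 12, 0, tzinfo=CET),
                not_after=datetime(2015, 7, 18, 11, 0, tzinfo=CET))
NEW_CERT = dict(issuer="CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE",
                key_bits=2048,
                not_before=datetime(2015, 5, 4, 12, 0, tzinfo=CET),
                not_after=datetime(2016, 5, 4, 12, 0, tzinfo=CET))

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, check_cert(now=datetime(2015, 7, 20, 12, 0, tzinfo=CET), **cert))
```

Run from a scheduler with the fields read from your own certificate, any result other than `['OK']` is the condition to alert on.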