
You have all heard that change is the new normal. This is true in many ways, including for IT security. Whether it is the cryptographic algorithm, the key length, or an individual key, we must always be ready to change to something “better”, namely more secure. This might not even be due to an attack, but rather be part of continuous efforts to stay ahead of all potential threats.
When it comes to protocols like Transport Layer Security (TLS), the level of security also depends on the root certificates that are the anchor of trust for the TLS-protected communication. In the past, the validity of root certificates could be decades, so a change would be a once-in-a-lifetime event. Today, however, even though the root certificates are not really short-lived, they will still have to be replaced now and then.
Changing the trust anchor of communication in a large landscape requires some preparation, to ensure that everybody can communicate securely and without disruption. If you fail to update the trust configuration across all involved parties, then the change of a root certificate may cause an outage for all scenarios that rely on the trust.
When SAP changes the root certificates that are the trust anchors of BTP, we ensure that all scenarios inside the platform are ready, and the communication is not affected. However, you may also have clients or third-party applications that integrate with BTP. For these, the trust is not managed by SAP and so you need to take matters into your own hands.
With the new BTP Trust Store, we want to help you avoid outages by providing information about changes in the trust anchors of SAP BTP early. This gives you the time to roll out new root certificates before they become mandatory.
You will find the required root certificates in several well-known formats in the BTP Trust Store at https://github.com/sap-software/btp-trust-store
The trust store includes 2 sets of root certificates:
The “Required” root certificates are mandatory for all clients or services that communicate via TLS with SAP BTP-based services. Ensure that your clients or services trust these root certificates, and that changes to the list of root certificates are reflected early on your side, such as once per quarter. This will ensure that you can continue to communicate with BTP even if SAP changes root certificates over time.
The “Optional” set of root certificates represents the SAP Global Trust List provided by SAP Global Security, as documented in SAP Note 2801396.
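One way to run the periodic check described above is to compare the "Required" set against the bundle your client actually trusts. The following is an added example, not code from SAP or the BTP Trust Store repository. It assumes both sets are available as PEM bundles; the function names are hypothetical, and the sample payloads are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; tolerates CRLF and text between blocks.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def fingerprints(pem_bundle: str) -> set:
    """SHA-256 fingerprints of the DER bytes of every certificate in a bundle."""
    result = set()
    for body in PEM_CERT.findall(pem_bundle):
        # Hash the decoded DER, not the text, so line wrapping does not matter.
        der = base64.b64decode("".join(body.split()), validate=True)
        result.add(hashlib.sha256(der).hexdigest())
    return result

def missing_roots(required_pem: str, local_pem: str) -> set:
    """Fingerprints in the required set that the local trust bundle lacks."""
    return fingerprints(required_pem) - fingerprints(local_pem)

def pem(payload: bytes, width: int = 64) -> str:
    """Helper for the constructed sample: wrap raw bytes as a PEM block."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder payloads, not real certificates.
ROOT_A = b"constructed-root-A" * 8
ROOT_B = b"constructed-root-B" * 8
ROOT_OLD = b"constructed-old-root" * 8

# Assumed "Required" set: two roots.
REQUIRED = pem(ROOT_A) + pem(ROOT_B)
# Assumed client bundle: root A (re-wrapped, CRLF line endings) and an old
# root, but not root B.
LOCAL = pem(ROOT_A, width=76).replace("\n", "\r\n") + pem(ROOT_OLD)

if __name__ == "__main__":
    for fp in sorted(missing_roots(REQUIRED, LOCAL)):
        print("required root not trusted locally, SHA-256:", fp)
```

Comparing fingerprints of the decoded bytes avoids false alarms when the same root certificate is stored with different line wrapping or line endings.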