Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Showing results for 
Search instead for 
Did you mean: 
2,866

Background


The existing server certificate for domain “*.travel.ondemand.com” is being renewed as it is going to expire on 07th November, 2019.

Scope


You will be affected if either of the below scenarios are applicable to you:

  • Your browser does not have DigiCert Certificates.

  • You have an inbound communication integration to your ByD product.


Impact


If you have third party integrations like web services/APIs in your travel & expense management tenant, you may be required to update the domain certificate. These updates should be conducted by your internal IT resources, with the new certificate information that can be found below.

Impact


The SSL certificates for your below URLs are scheduled to be updated with new certificates

Eg: myXXXXXX.travel.ondemand.com and myXXXXXX-sso.travel.ondemand.com

Current Certificates:

Root: Baltimore Cybertrust Root

Intermediate: Verizon Public SureServer CA G14-SHA2

New Certificates:

Root: DigiCert Global Root CA

Intermediate: DigiCert SHA2 Secure Server CA

Download new certificate

Below is the certificate which you can download directly from here

  • DigiCert Global Root CADownload

  • DigiCert SHA2 Secure Server CA – Download



FAQs


1) What are these certificates used for?

These certificates are used for the SSL/TLS handshake that any system using the ‘secure’ protocol does before allowing connection to/from the system. In our case, SAP travel & expense management uses the ‘secure’ HTTPS protocol and hence the SSL handshake is must for any system to connect to these URLs.

2) Are the new certificates known to modern web browsers?

DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, therefore for browser scenarios there is nothing to do. The same is true if one relies on the standard sapjvm trust list.

The CA root certificate is included in:

  • SAP JVM patch level 8.1.035 or 7.1.054

  • Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15


3) How do I download or install the certificate?

You must have admin access to the server where you need to install the certificate. If you do not have access to your company’s SSL server, notify your IT team and provide them the respective certificate download link from the above table.

4) How do Import Single Certificate in SAP CPI Key Store?
Follow the steps mentioned in the link.

5) How to check the certificate in my browser trust list?

  • Open Internet Explorer.

  • On the Tools menu, click ‘Internet Options’.

  • Go to tab ‘Content’ and click on ‘Certificates’.

  • Go to tab ‘Trusted root certification Authorities’. Here you should find “DigiCert Global Root CA"

  • Go to tab ‘Intermediate Certification Authorities’. Here you should find ‘“DigiCert SHA2 Secure Server CA"

  • If the certificate is not present, please proceed with steps mentioned under: “How to import certificate into my browser?”


6) How to import the certificate into my browser?

  • Open Internet Explorer.

  • On the Tools menu, click ‘Internet Options’.

  • Go to tab ‘Security’, click ‘Custom Level’ to open the Security Settings dialog box.

  • Select ‘Medium’ in the ‘Reset Custom Settings’. Click OK to close the Security Settings dialog box. Note: Certificates cannot be installed when the security setting is set to High.

  • Go to tab ‘Content’and click on ‘Certificates’

  • Go to tab ‘Trusted root certification Authorities’and click on ‘Import’ to import the newly downloaded Digi Certificates.

  • Ensure that ‘DigiCert Root and Intermediate’ is added in the list.


7) I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?

Sometimes, due to time zone difference, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date.