Upload
paulo-oliveira
View
222
Download
0
Embed Size (px)
DESCRIPTION
Alteração certificado SAP
Citation preview
SAP Note
Header Data
Symptom
The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 and needs to be replaced.
Effective 04/15/2015 11:00 AM CET
The new SAP SAProuter CA will go-live at SAP. This new SAProuter CA requires software changes as well as a process change at both SAP and at our customers by latest 07/18/2015 11:00 AM CET.
Effective 04/15/2015 11:00 AM CET all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. In order to create a new SAProuter certificate, all customers using SNC connections with SAP must have in place the new SAProuter CA requirements.
Effective 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET:
SAP will provide a transition period from 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET. During this transition period, SAP will support customers SAProuter certificates signed by both the old and the new SAProuter CA.
Effective 07/18/2015 11:00 AM CET:
Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.
Details how to manage setup for the old and new SAProuter CA can be found here:
Installing the sapcrypto library and starting the SAProuter
Other Terms
SAProuter SNC remote connection STFK
Reason and Prerequisites
The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) is valid until 07/18/2015 11:00:00 AM CET. After that point in time, certificates signed by that Root CA will not be valid any longer, such that SNC connections will not work. The SAProuter Root CA will be replaced by a new Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE).
SAP will sign certification requests with the new SAProuter Root CA from 04/15/2015 11:00 AM CET. If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET, you must use the latest Common Crypto Library (using the latest SAProuter executable is strongly recommended). The sapservX servers will use the old SAProuter CA until 07/18/2015 11:00 AM CET to ensure that SAProuters using an old SAProuter certificate can still connect.
Timeline
4/15/2015 11:00 AM CET: switch to new SAProuter Root CA for certification requests, SAProuter certificates obtained before 04/15/2015 can still be used 7/18/2015 11:00 AM CET: switch sapservX to use PSEs signed by new SAProuter CA, SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP
Solution
The following steps need to be taken only if you are using SNC connections between your network and SAP:
Until 04/15/2015 11:00 AM CET
As stated, certificates signed by SAP before 04/15/2015 11:00 AM CET can be used until 07/18/2015 11:00 AM CET.
After 04/15/2015 11:00 AM CET
All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site
2131531 - New Root Certification Authority for saprouter certificates
Version 2 Validity: 10.03.2015 - active Language English (Master)
Released On 10.03.2015 07:33:42
Release Status Released for Customer
Component XX-SER-NET-HTL Problems with remote access from SAP to Customer system
Priority Hot News
Category Installation information
so please plan accordingly.
From 04/15/2015 11:00 AM CET until 07/18/2015 11:00 AM CET
All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:
l Use latest Common Crypto Library l Use a PSE with a key size of 2048 l Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until
07/18/2015)
In addition, using the latest SAProuter version is strongly recommended.
After 07/18/2015 11:00 AM CET
All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 07/18/2015 11:00 AM CET the following steps are mandatory:
l Use latest Common Crypto Library l Use a PSE with a key size of 2048
In addition, using the latest SAProuter version is strongly recommended.
The SAProuter Root CA certificates are available from here. For a detailed description refer to Installing the sapcrypto library and starting the SAProuter.
If you have any further questions please open a customer ticket on component XX-SER-NET-HTL.
Validity
This document is not restricted to a software component or software component version
Attachments
File Name File Size (KB) Mime Type
smprootca.der 990 application/x-x509-ca-cert