If you use the default client certificate for certificate-based authentication in outbound integration scenarios, you must update the trust between the systems when a new default client certificate is issued.
Context
In outbound integration scenarios that use certificate-based authentication, SAP IBP needs to authenticate itself against the external system with a client certificate. For this purpose, you can use the default client certificate provided with SAP IBP. This certificate is valid for one year. Before its expiration, SAP issues a new certificate. The public key of this new certificate needs to be uploaded into the trust store of your external system that communicates with SAP IBP.
89 Days Before Expiration
The certificate renewal process begins 89 days before the expiration of the default client certificate. At that time, you will receive an email informing you about the upcoming expiration and the planned issuing of the new default client certificate.
You will not be required to take any action yet; however, we recommend that you prepare for the certificate replacement by checking which of your communication systems use the default client certificate for authentication and planning your replacement activities.
To check which communication systems use the default client certificate, open the Maintain Client Certificates app, select the Client Default certificate and choose the Communication Systems tab on the right.
30 Days Before Expiration
30 days before the expiration, SAP issues a new default client certificate. You will be informed about it by email.
The new default client certificate will be available for download in the Maintain Client Certificates app. It will be called Client Default. The expiring certificate will be renamed to Client Default Expiring.
Once the new default client certificate is available, you need to do the following:
- Open the Communication Systems app. Select the system that uses the default client certificate for outbound communication.
- In the Users for Outbound Communication section, change the certificate that is used by the user for outbound communication from Client Default Expiring to Client Default.
- Choose Download Certificate to download the public key of the default client certificate.
- Upload the public key that you have downloaded into the trust store of your external system.
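A check you can run on the side of the external system after these steps, shown as an added example that is not part of the SAP documentation: it compares the SHA-256 fingerprint of the downloaded certificate with the certificates in the trust store and places the current date on the 89-day and 30-day timeline. It assumes that the downloaded certificate and the trust store are PEM files; the function names, dates and sample certificates are constructed for illustration.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate found in a PEM file or bundle."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT.findall(pem_text)}

def renewal_stage(not_after, now):
    """Place the current date on the renewal timeline of the expiring certificate."""
    left = not_after - now
    if left <= timedelta(0):
        return "expired"
    if left <= timedelta(days=30):
        return "new-certificate-issued"
    if left <= timedelta(days=89):
        return "prepare"
    return "no-action"

def check_trust(not_after, now, new_cert_pem, trust_store_pem):
    """Return (stage, new_cert_trusted, message) for one external system."""
    stage = renewal_stage(not_after, now)
    new_fp = fingerprints(new_cert_pem)
    trusted = bool(new_fp) and new_fp <= fingerprints(trust_store_pem)
    if trusted:
        msg = "new Client Default certificate is in the trust store"
    elif stage == "expired":
        msg = "old certificate expired and new one is not trusted: expect 403 Forbidden"
    elif stage == "new-certificate-issued":
        msg = "upload the new Client Default certificate before the old one expires"
    else:
        msg = "new certificate not issued yet: list systems using the default certificate"
    return stage, trusted, msg

def sample_pem(raw):
    # Constructed stand-in: wraps arbitrary bytes in PEM armor, not a real X.509 certificate.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    old, new = sample_pem(b"constructed-old-cert"), sample_pem(b"constructed-new-cert")
    expiry = datetime(2030, 6, 30, tzinfo=timezone.utc)   # constructed expiration date
    today = datetime(2030, 6, 10, tzinfo=timezone.utc)    # 20 days before expiration
    print(check_trust(expiry, today, new, old))           # store holds only the old certificate
    print(check_trust(expiry, today, new, old + new))     # after uploading the new certificate
```

Because the comparison uses the fingerprint of the whole certificate, it also catches the case where a different certificate with a similar name was uploaded.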
On the Expiration Date
Once the old certificate expires, it will be removed from the list in the Maintain Client Certificates app. You will receive a confirmation of this action by email.
What Happens If You Don't Act
If you don’t update your communication users and the trust store of your external system with the new certificate, the outbound integration scenarios that use the default client certificate for authentication will stop working. Connection attempts will fail with the HTTP status code 403 Forbidden.
Contact Information
If you have questions or problems, open a customer message using the component SCM-IBP-OPS-INC, with a title like "Default Client Certificate Renewal in SAP IBP".