Public Certificate Update Impact Questions
The following are commonly asked questions in regards to determining if a customer is impacted by a public certificate update.
How do I determine if I am impacted by this change?
SAP Ariba sends out a customer notification 60-days in advance of a certificate update to inform customers of the upcoming change. In this notification a list of URLs is provided are impacted by a certificate update. Not all customers are impacted by every certificate update. Customers should review their current configurations for integrations, APIs, or Single Sign-On (SSO) with their IT department to determine if they are impacted by the change. If determined that none of the URLs that are specified in the notification are being used, you are not impacted by this certificate update.
How do I determine if my integration scenarios are impacted by this change?
The following should be checked to determine if a customer’s integrations are impacted by a certificate update:
- Check to see if URLs specific in the notification are used in any integration configurations (webservices, integration toolkit, etc…)
- Check your configurations in the following areas:
- Inbound Webservices - Customers who have enabled an inbound web service are impacted regardless of their authentication mode (shared secret or certificate)
- Outbound Webservices - Customers who have enabled “Sign with Ariba Private Key” in the web services security of their Ariba outbound end point are impacted
- Integration Toolkit - All customers who are using ITK are impacted regardless of their authentication mode (shared secret or certificate) Please note: If you do not use SSL Handshake in ITK then you do not need to update the certificate if you are using shared secret authentication. Ariba does not have logs of a customer's use of sslhandshake, so this will need to be determined by the customer's internal IT team.
- ERP Integration to S4 via mediated connectivity (NOT though the Ariba Network) are impacted
- Punchout Scenarios - if the customer is using any impacted URLs mentioned in notification, they will need to update the certificate
How do I know if my single sign-on configuration is impacted?
Certificate updates only impacts single sign-on (SSO) configuration where a SAML signing certificate is mandatory. The following should be checked to determine if a customer’s SSO configuration is impacted by a certificate update:
- Check to see if the URLs specified in the notification are used in the single sign-on configuration
- The below configurations require the certificate update:
- Authentication type is SAML Authentication
- Use SAML Request is enabled (SAP Ariba generates a SAML Request to IDP)
Please Note: In other scenarios, the customer’s IT team needs to confirm if the SAP Ariba signing certificate change will impact their setup.
How do I know if my API configuration is impacted?
The following should be checked to determine if a customer’s API configuration is impacted by a certificate update:
- Check to see if the URLs that are mentioned in the notification are used in your API configuration
- Check to see if the client software that you use to make API calls requires a copy of the certificate to be stored locally.
If I am a Supplier using Ariba Network, how do I know if this certificate change impacts us?
The following should be checked for Suppliers on the Ariba Network to determine if they are impacted by a certificate update. If so, we recommend checking with your internal IT department to update the certificate.
- Single Sign-On: Certificate updates only impact single sign-on (SSO) configuration where a SAML signing certificate is mandatory. The following should be checked to determine if a customer’s SSO configuration is impacted by a certificate update:
- Check to see if the URLs specified in the notification are used in the single sign-on configuration
- If the URLs are mentioned, the below configurations require the certificate update:
- Authentication type is SAML Authentication
- Use SAML Request is enabled (SAP Ariba generates a SAML Request to IDP)
Please Note: In other scenarios, the customer’s IT team needs to confirm if the SAP Ariba signing certificate change will impact their setup.
- Integration Scenarios:
- Check to see if the URLs specified in the notification are used in your integrations
- Legacy EDI integration with the Ariba Network
- CIG Integration using Certificate based Authentication:
- EDI
- cXML
- PIDx
- Ariba Service Providers: If you are using an Ariba Service Provider, they will be contacted by SAP Ariba notifications to inform them that a certificate update is required.
- Third-Party Middleware or Third-Party VAN Provider - if you are using a third-party middleware or VAN provider, the customer should contact the third party and inform them if a certificate should be updated