What are the customer specific changes required for SAP Integration Suite, managed gateway for spend management and SAP Business Network - Certificate Replacement on supplier side?
What are the supplier specific changes required for SAP Integration Suite, managed gateway for spend management and SAP Business Network - Certificate Replacement?
SAP Integration Suite, managed gateway for spend management and SAP Business Network Client Certificate Replacement: This change applies to all customers who use certificate-based authentication or who encrypt or sign their payloads (suppliers using AS2), regardless of how they connect to Managed Gateway for Spend&Network. Suppliers using Basic Authentication are not impacted, and the certificate that customers might currently have will continue to work.
- When is the certificate change taking place? Oct 26, 2020, 12:00 PM – 3:00 PM PST / 9:00 PM – 12:00 AM CET
- What is changing?
- SAP Integration Suite, managed gateway for spend management and SAP Business Network is separating the tenant (client) certificate from the load balancer certificate for the test and production environments, respectively, due to security standards.
- Load balancer certificates (used for customer connectivity to SAP Integration Suite, managed gateway for spend management and SAP Business Network, or SSL connectivity with Managed Gateway for Spend&Network): testacig.ariba.com and acig.ariba.com. These are not changing; the one used or updated on July 23rd will remain the same.
- Client (tenant) certificates (used for mutual authentication), signing, and encryption/decryption: new URLs are being implemented.
- Certificates for TEST: testacig.ariba.com will be replaced with aribacloudintegration-test.ariba.com. Certificates for PRODUCTION: acig.ariba.com will be replaced with aribacloudintegration.ariba.com.
- Note: How do you identify certificate-based authentication through CIG?
- Go to Managed Gateway for Spend&Network Menu > My Configurations > Connections
- Transport Type should be HTTPS and Authentication Type should be Certificate.
- Certificates can be downloaded from below:
- Do suppliers have to change the URL? No, the URLs are the same and are not changing.
- Does the IP range need to be changed? No, the IP range of Managed Gateway for Spend&Network remains the same.
- Do suppliers have to install all three layers of the new certificates? Yes, suppliers have to manually extract the root, intermediate and main certificates.
- TLS compliance-related common questions:
- What should I do if my integration channel is still using TLS 1.1 or one of the de-supported ciphers?
- We suggest you contact your IT department immediately. They should be familiar with these protocols and ciphers to determine if your integration is compliant.
- What happens if we are not compliant by the deadline?
- If an upgrade to TLS 1.2 is required (most likely your systems already support TLS 1.2; verify with your IT department), then integration servers that support only TLS 1.1 will be unable to communicate with SAP Integration Suite, managed gateway for spend management and SAP Business Network. Additionally, ensure that your integration has implemented the supported ciphers, or communication will be disrupted.
- The serial numbers of the certificates are as follows:
- acig.ariba.com - 02 21 96 a6 c3 dd b0 1f 3a 25 e0 78 9a 5a 3a 4a
- testacig.ariba.com - 04 b7 3c eb 3b ce c4 1e 03 16 d3 5f f9 80 b0 d0
- aribacloudintegration.ariba.com - 02 9c 2a 7c fc 59 d9 28 5b c7 ad 09 ca 73 0d a8
- aribacloudintegration-test.ariba.com - 0f 40 2f 80 30 00 7f da d9 43 11 69 f9 9a 55 fc
- Ensure that your systems that connect to Managed Gateway for Spend&Network are configured to accept SNI (Server Name Indication) TLS (Transport Layer Security) extension.
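The following is an added example, not SAP's code: a Python helper for the integration host that identifies which of the four certificates listed above a given serial number belongs to, whatever notation your tool prints it in, and that can run a handshake with SNI and TLS 1.2 as the minimum version. The function names `serial_to_int`, `identify` and `probe` are assumptions made for this example; the host names and serial numbers are the ones listed on this page.

```python
import re
import socket
import ssl

# Serial numbers copied from the list above (certificate name -> serial).
PUBLISHED_SERIALS = {
    "acig.ariba.com": "02 21 96 a6 c3 dd b0 1f 3a 25 e0 78 9a 5a 3a 4a",
    "testacig.ariba.com": "04 b7 3c eb 3b ce c4 1e 03 16 d3 5f f9 80 b0 d0",
    "aribacloudintegration.ariba.com": "02 9c 2a 7c fc 59 d9 28 5b c7 ad 09 ca 73 0d a8",
    "aribacloudintegration-test.ariba.com": "0f 40 2f 80 30 00 7f da d9 43 11 69 f9 9a 55 fc",
}


def serial_to_int(text):
    """Parse a serial in any common notation into an integer.

    Accepts spaced or colon-separated bytes, `openssl x509 -serial` output
    ("serial=0221..."), a 0x prefix, and upper or lower case.
    """
    text = text.strip().split("=", 1)[-1].strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a hexadecimal serial number: {text!r}")
    return int(digits, 16)


def identify(observed):
    """Return the name of the listed certificate with this serial, or None."""
    value = serial_to_int(observed)
    for name, serial in PUBLISHED_SERIALS.items():
        if serial_to_int(serial) == value:
            return name
    return None


def probe(host, port=443, timeout=10):
    """Handshake with SNI and TLS 1.2 as the minimum version.

    Returns (protocol, cipher, listed certificate name or None). Raises
    ssl.SSLError if the local stack or the server cannot meet TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname puts the name into the SNI extension
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            serial = tls.getpeercert()["serialNumber"]
            return tls.version(), tls.cipher()[0], identify(serial)
```

`identify` works offline on a serial copied from a certificate viewer or trust store; `probe` needs network access, and a `None` in its third field means the presented certificate is not one of the four listed here.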
For suppliers using the SD Addon, the following details need to be updated:
- TLS 1.1 is deprecated and upgraded to TLS 1.2
- SNI is enabled in your ERP:
- As part of this change, the profile parameter icm/HTTPS/client_sni_enabled should be enabled on your ERP system. This parameter is enabled by default on S/4 HANA or Kernel 777 and above, but it is not enabled by default for ECC customers. If this parameter is not enabled, the connection to Managed Gateway for Spend&Network will fail with “SSSLERR_SERVER_CERT_MISMATCH (-30)#Server certificate does not match supplied TargetHostname”. The SAP note and Ariba KBA below explain how to activate this parameter. We also have a way to test this from our Managed Gateway for Spend&Network QA lab system.
- https://launchpad.support.sap.com/#/notes/2970307
- Certificates need to be updated
- Subaccounts need to be added in the Cloud Connector
If suppliers are still facing issues connecting to Managed Gateway for Spend&Network, they can also follow the steps below as a workaround (update: 28th October, 2020):
• For connection to TEST instance of CIG: Replace testacig.ariba.com with aribacloudintegration-test.ariba.com
• For connection to PRODUCTION instance of CIG: Replace acig.ariba.com with aribacloudintegration.ariba.com
Please note that your authentication credentials remain the same. If a supplier uses certificate-based authentication with the workaround URL and needs to update the certificate, a case needs to be raised, because the certificates have to be added manually for the workaround URL.
For the supplier transactions:
Inbound: Supplier to Managed Gateway for Spend&Network Transactions:
- AS2 suppliers: encryption with our public key, i.e. aribacloudintegration-test.ariba.com and aribacloudintegration.ariba.com
- No impact on any other suppliers if they are not using AS2
Outbound: Managed Gateway for Spend&Network to Supplier Transactions:
- Certificate Based Authentication:
- For decryption, the supplier has to use aribacloudintegration-test.ariba.com for test
- For decryption, the supplier has to use aribacloudintegration.ariba.com for production
- AS2 Customers:
- Managed Gateway for Spend&Network will sign with its private key (aribacloudintegration.ariba.com / aribacloudintegration-test.ariba.com) and encrypt for the supplier with the supplier's public key