Import TLS Certificates Into SAP

Customers who use Chrome River's SAP Connector with an SSL connection may need to periodically update the associated Chrome River TLS certificates. Check that your organization meets the prerequisites, then follow the directions below to import the certificates into SAP.

Prerequisites

  • SAP Cryptographic Library must be Version 8.4.38 or higher to be TLS1.2 ready.

  • SAP Basis must be configured to talk to TLS1.2; see SAP Note 510007 for instructions.

  • Perfect Forward Secrecy cipher suites are required; see SAP Note 2181733 for instructions. 

  • TLS enhancement Server Name Indication (SNI) must be activated to enable Amazon Web Services communication.

Example

Download Chrome River TLS Certificates

Chrome River's TLS certificates may be downloaded from any web browser by accessing the URL you use to log in to Chrome River. For instructions, see Download Chrome River TLS Certificates.

Be sure to download all three types of certificates for each Chrome River environment used by your organization.

  • Chromeriver.com Certificate
  • Root Certificate
  • RSA/Intermediate Certificate
The name of the Chromeriver.com certificate will vary depending on your organization's instance (e.g., *chromeriver.com, *eu1.chromeriver.com, *ca1.chromeriver.com).

Upload Chrome River TLS Certificates Into SAP

Once you have downloaded the latest TLS certificates, you may upload them into SAP following the steps below.

Screenshots are examples only and may not correspond exactly to your configuration.

1. Call transaction “STRUST.”

2. Click on SSL Client Standard.

3. Click on Certificate > Import.

4. Select the path to your certificates.

Always use “Base64” if it is an option on this pop-up screen.

5. Click Add to Certificate List.

6. Verify that the certificate is in the list.

7. Repeat steps 1–6 for each of the certificates you downloaded.

8. In the menu bar, click PSE and select Check All. Then click PSE and select Distribute All.

9. Optionally, you may restart ICM with Transaction “SMICM.”

  • If needed, we recommend a soft exit for ICM.

Troubleshooting: SSL Handshake Error

If your environment is receiving an SSL handshake error, ensure the Root and RSA/Intermediate certificates have also been updated in your environment following the steps above.

Troubleshooting: RFCs Aren't Working

This optional SSL Client Standard Database Export is for Root and RSA/Intermediate certificates and should only be performed if Remote Function Calls (RFCs) aren't working.

Screenshots are examples only and may not correspond exactly to your configuration.

1. Call transaction “STRUST.”

2. Click on SSL Client Standard.

3. Click on Certificate > Import.

4. Select the path to your certificates.

Always use “Base64” if it is an option on this pop-up screen.

5. Select the Root certificate and click OK.

6. Click on Export Certificate.

7. In the Export Certificate pop-up, click on the Database tab.

8. Create a new, unique entry for the Root certificate (e.g., ZGODDY or ZAMAZON).

  • For example, for ZGODDY you might use ZGD.

If the name already exists, create a new one.

9. Repeat steps 1–8 for the RSA/Intermediate certificate.

10. In the menu bar, click PSE and select Check All. Then click PSE and select Distribute All.

11. Restart ICM with Transaction “SMICM.”

Was this article helpful?