Background
SAP is changing the root certificate of the BTP domains to the DigiCert TLS RSA4096 Root G5 CA; see SAP Note 3566727 for details.
The new root is trusted out of the box by Android 14 and later. For older devices that cannot be upgraded, the certificate has to be installed on the device or shipped with the Android app as an additional trust anchor (pinned in the app). This post explains the application upgrade approach.
Important: The following approach adds the DigiCert G5 root as a trust anchor so that the application can validate the SAP server certificate chaining to it. As such, great care should be taken to ensure that the correct certificate is being added: a wrong or tampered root file would make the app trust servers it should not. The DigiCert TLS RSA4096 Root G5 used in the following was downloaded from DigiCert Trusted Root Authority Certificates.
These changes are based on an Android Wizard-generated app. Depending on your project, different changes may be required.
Online Functionality Only
1. Download the root certificate, e.g. from https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt as mentioned in the above note.
2. Store this certificate file in your raw resource folder: app/src/main/res/raw/digicert_tls_rsa_4096_root_g5.crt (the resource name is the file name without extension).
3. Create or modify the file app/src/main/res/xml/network_security_config.xml and add a reference to the certificate file. In the following example, the app trusts servers whose certificate chain ends in this root, in addition to all certificates in the system store.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/digicert_tls_rsa_4096_root_g5" />
        </trust-anchors>
    </base-config>
</network-security-config>
4. In your Android manifest (app/src/main/AndroidManifest.xml) locate the application element and add the networkSecurityConfig attribute referencing the above config:
<application
    android:name=".app.SAPWizardApplication"
    android:networkSecurityConfig="@xml/network_security_config"
    ...>
    <!-- other existing content -->
</application>
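Because the whole approach rests on bundling exactly the right root, it is worth wiring a check into a debug build or an instrumented test that confirms the raw resource really is the DigiCert TLS RSA4096 Root G5. The following Kotlin helper is an added example, not code from the post or from the sample project. It parses the bundled resource with the platform X.509 CertificateFactory (which accepts DER as well as PEM input), checks that the certificate is a self-signed, currently valid CA, and compares its SHA-256 fingerprint with the value you copy from DigiCert's root certificate page. EXPECTED_G5_SHA256 is a placeholder that must be replaced with the published fingerprint; the resource id and Context usage follow the post.

```kotlin
import android.content.Context
import java.security.MessageDigest
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Placeholder: replace with the SHA-256 fingerprint DigiCert publishes for
// "DigiCert TLS RSA4096 Root G5" (colon-separated, upper-case hex).
const val EXPECTED_G5_SHA256 = "REPLACE:WITH:PUBLISHED:FINGERPRINT"

class BundledRootCheck(private val context: Context, private val rawResId: Int) {

    /** Parses the raw resource; CertificateFactory handles both DER and PEM files. */
    fun load(): X509Certificate {
        val factory = CertificateFactory.getInstance("X.509")
        return context.resources.openRawResource(rawResId).use { input ->
            factory.generateCertificate(input) as X509Certificate
        }
    }

    /** SHA-256 over the DER encoding, formatted like the fingerprint DigiCert publishes. */
    fun fingerprint(cert: X509Certificate): String =
        MessageDigest.getInstance("SHA-256").digest(cert.encoded)
            .joinToString(":") { "%02X".format(it) }

    /**
     * Returns a list of problems; an empty list means the bundled file is a
     * self-signed, currently valid CA certificate with the expected fingerprint.
     */
    fun verify(expectedSha256: String = EXPECTED_G5_SHA256): List<String> {
        val cert = load()
        val problems = mutableListOf<String>()

        // A root is self-issued: subject and issuer match and it signs itself.
        if (cert.subjectX500Principal != cert.issuerX500Principal) {
            problems += "not self-signed: issuer is ${cert.issuerX500Principal.name}"
        }
        runCatching { cert.verify(cert.publicKey) }
            .onFailure { problems += "signature does not verify with its own key: ${it.message}" }

        // basicConstraints returns -1 when the certificate is not a CA certificate.
        if (cert.basicConstraints < 0) {
            problems += "basicConstraints does not mark this as a CA certificate"
        }
        runCatching { cert.checkValidity() }
            .onFailure { problems += "outside validity period: ${it.message}" }

        // The fingerprint is the decisive check; the others catch bundling an
        // intermediate or leaf certificate by mistake.
        val actual = fingerprint(cert)
        if (!actual.equals(expectedSha256, ignoreCase = true)) {
            problems += "fingerprint mismatch: bundled file has $actual"
        }
        return problems
    }
}

// Usage from a debug-only code path or an instrumented test (hypothetical call site):
// val problems = BundledRootCheck(appContext, R.raw.digicert_tls_rsa_4096_root_g5).verify()
// check(problems.isEmpty()) { "Bundled root rejected: $problems" }
```

The fingerprint comparison is what actually protects against shipping the wrong file; the self-signed and CA checks are cheap extra guards against accidentally bundling an intermediate or a leaf certificate, which the network security config would otherwise accept as a trust anchor.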
Offline Functionality
In addition to the above, the following changes are required for apps using the Offline functionality.
For Offline functionality, the certificate file has to be provided as the `trusted_certificates` entry in `OfflineODataParameters.extraStreamParameters`, which is used when creating the `OfflineODataProvider`. In the following example, the Wizard-generated code is updated to trust the G5 certificate from the above example.
Locate the code where the `OfflineODataParameters` object is created and add `extraStreamParameters`. Check whether the property is already assigned elsewhere, since the assignment below would overwrite that value; in that case, append this entry to the existing value instead.
val offlineODataParameters = OfflineODataParameters().apply {
    storeName = OFFLINE_DATASTORE
    // Path of the bundled root on the device, passed to the offline store as a stream parameter.
    extraStreamParameters = "trusted_certificates=" + ensureTrustedRootsFile(context) + ";"
    // other attributes
}
Note that the above code uses the function ensureTrustedRootsFile, which can be defined in the same file as follows. It copies the certificate bundled as a raw resource into the app's private files directory and returns the path of that file. The file is only written once; if you later ship a different certificate resource, adjust the check (or overwrite the file) so that a stale copy is not reused.
import android.content.Context
import java.io.File
import java.io.FileOutputStream

/**
 * Copies the bundled root certificate (raw resource) into the app's private
 * files directory once and returns the absolute path of that file, which is
 * what the trusted_certificates stream parameter expects.
 */
private fun ensureTrustedRootsFile(context: Context): String {
    val target = File(context.filesDir, "digicert_tls_rsa_4096_root_g5")
    me.g5test.service.OfflineWorkerUtil.logger.debug("Checking for cert file at ${target.absolutePath}")
    try {
        // Only write the file if it is missing or empty; an existing copy is reused.
        if (!target.exists() || target.length() == 0L) {
            context.resources.openRawResource(R.raw.digicert_tls_rsa_4096_root_g5).use { input ->
                FileOutputStream(target).use { output ->
                    input.copyTo(output)
                }
            }
        }
    } catch (e: Exception) {
        me.g5test.service.OfflineWorkerUtil.logger.error("Failed to prepare trusted roots file: ${e.message}")
        throw e
    }
    return target.absolutePath
}
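The note above about an already-assigned `extraStreamParameters` is easy to get wrong by hand, so here is one way to merge the entry instead of overwriting the property. This is an added example and not code from the post or the sample project. It assumes, from the `trusted_certificates=<path>;` form shown above, that the parameter string is a sequence of `key=value;` entries, and it reuses the `ensureTrustedRootsFile` helper, `OFFLINE_DATASTORE` and `context` from the post.

```kotlin
/**
 * Adds or replaces one key=value entry in a semicolon-separated parameter
 * string while preserving every other entry already present.
 * Assumption: the format is "key=value;key=value;" as in the example above.
 */
fun withStreamParameter(existing: String?, key: String, value: String): String {
    val kept = existing.orEmpty()
        .split(';')
        .map { it.trim() }
        // Drop empty fragments and any earlier assignment of the same key so the new one wins.
        .filter { it.isNotEmpty() && it.substringBefore('=') != key }
    return (kept + "$key=$value").joinToString(";", postfix = ";")
}

// Wizard-generated setup, adjusted so that a previously assigned value survives.
// OFFLINE_DATASTORE, context and ensureTrustedRootsFile are taken from the post.
val offlineODataParameters = OfflineODataParameters().apply {
    storeName = OFFLINE_DATASTORE
    // other attributes, possibly including an earlier extraStreamParameters assignment
    extraStreamParameters = withStreamParameter(
        existing = extraStreamParameters,
        key = "trusted_certificates",
        value = ensureTrustedRootsFile(context)
    )
}
```

With no prior value the result is just `trusted_certificates=/data/.../digicert_tls_rsa_4096_root_g5;`; with an existing `foo=bar;` it becomes `foo=bar;trusted_certificates=...;`, and a stale `trusted_certificates` entry is replaced rather than duplicated.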
Sample
For a working sample, see hemal-pandya-sap/g5-android, a sample Android project for old devices connecting to domains that use the G5 certificate.
Conclusion
As explained above, without these changes the mobile app may no longer be able to connect after the switch to G5, resulting in a complete outage. Feel free to post any follow-up questions here.