Asset lifecycle cloud asset sync fails with SAP due to certificate trust issues after cloud migration

After migrating our Aras 12.0 instance to cloud, our asset lifecycle sync with SAP is completely broken. We’re getting SSL certificate trust errors whenever the cloud connector tries to communicate with our on-premise SAP system.

The error we’re seeing:


SSL certificate validation failed
Certificate chain incomplete
Unable to verify certificate: CN=sap.ourcompany.local

Our SAP system uses a custom CA certificate issued by our internal certificate authority. This worked fine when Aras was on-premise because we had the CA cert installed in the server’s trust store. Now with the cloud deployment, we need to configure the SSL certificate chain properly but we’re not sure how to add our custom CA trust to the cloud connector.

The cloud connector configuration seems to have options for SSL, but the documentation isn’t clear on how to handle custom certificate authorities. Has anyone successfully configured cloud connector with custom CA certificates for SAP integration?

Custom CA certificates in cloud deployments require uploading the certificate chain to the cloud platform’s trust store. Check if your Aras cloud instance has a certificate management interface where you can upload custom CA certificates. Most cloud platforms support this but it’s not always obvious where to configure it.

The cloud connector certificate configuration is usually separate from the main Aras cloud settings. Look for a connector-specific admin panel or API. In some cloud deployments, you need to contact cloud support to have custom certificates installed because they require elevated privileges. Also make sure your certificate files are in the correct format - usually PEM or DER format, not PFX.

Your certificate trust issue requires proper configuration across all three areas for SAP cloud integration.

SSL Certificate Chain: The incomplete certificate chain error indicates missing certificates. You need the complete chain from SAP:

  1. SAP server certificate (CN=sap.ourcompany.local)
  2. Intermediate CA certificate(s)
  3. Root CA certificate

Export these from your SAP server. If using Windows, export as Base64-encoded X.509 (.cer). Combine them into a single chain file:


-----BEGIN CERTIFICATE-----
[SAP server cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA cert]
-----END CERTIFICATE-----

Verify the chain is complete using OpenSSL before uploading.

Custom CA Trust: For Aras cloud connector, custom CA certificates must be added to the cloud platform’s trust store. The process depends on your cloud provider:

For Aras managed cloud:

  • Navigate to Administration > Cloud Connector > Security Settings
  • Upload your CA certificate chain file
  • Specify certificate type: “Trusted CA Certificates”
  • Apply and restart the connector service

The cloud connector uses a separate trust store from the main Aras instance. This is why your on-premise configuration doesn’t carry over. You must explicitly configure the connector’s trust store.

Alternatively, use the Cloud Connector API:


POST /api/connector/certificates
Content-Type: multipart/form-data

certificate: [certificate-chain-file]
type: trusted-ca

Cloud Connector Configuration: Update your SAP integration connector settings to use the custom CA:

In connector configuration file or admin UI:


ssl.enabled=true
ssl.verify.mode=full
ssl.ca.cert.path=/config/custom-ca-chain.pem
ssl.hostname.verification=true

Critical: Set ssl.verify.mode=full to validate the entire certificate chain. Some guides suggest disabling verification for testing - never do this in production.

For SAP-specific configuration, ensure the connector is using the correct protocol version:


ssl.protocol=TLSv1.2
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

SAP systems often require specific TLS versions and cipher suites. Verify your SAP system’s SSL requirements.

If your SAP system requires mutual TLS (client certificate authentication), you’ll also need to configure the client certificate:


ssl.client.cert.path=/config/client-cert.pem
ssl.client.key.path=/config/client-key.pem

After uploading certificates, test the connection with verbose SSL logging enabled:


ssl.debug.logging=true

This will show the exact point of certificate validation failure if issues persist.

One common gotcha: cloud connectors often cache SSL sessions. After updating certificates, you must restart the connector service, not just reload configuration. In some cloud deployments, this requires a support ticket.

Verify your uploaded certificates are actually being used by checking the connector logs. Look for messages like “Loaded custom CA certificates: 3 certificates” confirming all chain certificates were loaded.
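Added example (not part of the original answer): one way to carry out the "verify the chain is complete using OpenSSL" step above before uploading the file. It assumes the openssl CLI is installed and that the chain file is ordered leaf, intermediate(s), root as shown earlier; the function name check_chain and the file name in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: sanity-check a PEM chain file (leaf, intermediates, root)
# before uploading it. Needs the openssl CLI. Exit status 0 = chain complete.
check_chain() (
    bundle=$1
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # Split the bundle into cert1.pem (leaf), cert2.pem, ... in file order.
    n=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }' "$bundle") || exit 2
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $n certificate(s) in bundle; need leaf plus issuing CA(s)" >&2
        exit 1
    fi

    i=1
    while [ "$i" -le "$n" ]; do
        cert="$tmp/cert$i.pem"
        # -checkend 0 fails if the certificate has already expired.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: certificate $i is expired or unreadable" >&2
            exit 1
        fi
        # Each certificate must be issued by the next one; the last by itself.
        if [ "$i" -lt "$n" ]; then next="$tmp/cert$((i + 1)).pem"; else next=$cert; fi
        issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
        subject=$(openssl x509 -in "$next" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: certificate $i not issued by next entry (missing intermediate, wrong order, or no root)" >&2
            exit 1
        fi
        i=$((i + 1))
    done

    # Cryptographic check: trust only the last certificate as the root and
    # let OpenSSL build the path to the leaf through the bundled certificates.
    openssl verify -CAfile "$tmp/cert$n.pem" -untrusted "$bundle" \
        "$tmp/cert1.pem" >/dev/null 2>&1 || { echo "FAIL: openssl verify rejected the chain" >&2; exit 1; }
    echo "OK: $n certificates, chain complete and unexpired"
)

# Usage: sh check_chain.sh custom-ca-chain.pem
if [ "$#" -ge 1 ]; then check_chain "$1"; fi
```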

If you’re still seeing trust errors after proper configuration, check if your internal CA uses certificate revocation lists (CRLs) or OCSP. The cloud connector might not be able to reach your internal CRL endpoints, causing validation failures. You may need to configure CRL endpoints accessible from the cloud or disable CRL checking for this specific integration.

For SAP integrations specifically, you might need to configure mutual TLS if your SAP system requires client certificates. The cloud connector should have options to specify both the trust store (for verifying SAP’s certificate) and a key store (for presenting a client certificate to SAP). Check your SAP integration settings to see if client authentication is enabled.

The issue is that the cloud connector needs the complete certificate chain - not just your custom CA root certificate, but also any intermediate certificates. Export the full chain from your SAP server and make sure you’re uploading all certificates in the correct order. The error message about incomplete chain suggests you might be missing an intermediate CA cert. Also verify that your SAP certificate hasn’t expired - migrations are a good time to check certificate validity.

I’ve exported the full certificate chain from SAP including root and intermediate certificates. Where exactly in the cloud connector configuration do I upload these? I see SSL settings but no obvious certificate upload option.