Renewing the SSL Certificate

Objective

After completing this lesson, you will be able to configure your SSL certificate and renewal reminders.

SSL Certificate Overview

The purpose of setting up SSL is to encrypt personal data being passed between the Career Site Builder site and the SAP SuccessFactors Recruiting applicant tracking system (ATS) when a candidate applies to a job. SSL certificate-issuing authorities have set the duration of an SSL certificate to 398 days. An expired SSL certificate means that visitors to the career site see a security warning and are blocked from accessing the site. For this reason, you never want to let the SSL certificate expire. To view the expiration date for an existing SSL certificate, open the public career site and click the padlock icon to the left of the URL. Follow the prompts.

Career Site Builder has a feature that allows organizations to manage the SSL certificates for their public career site. Implementation partners use this tool to obtain and install the original SSL certificate for the customer’s CSB career site. Customers or partners use the tool to renew SSL certificates.

Screenshot displaying a web interface for managing SSL certificates, which opens when you select the SSL Certificates tab

SSL is only enabled for the production environment. Stage SSL is a low level of security settings applied to the entire environment. SAP may enable it, but most users see a certificate error during UAT as a result. This is not a defect. Wildcard certificates are not allowed. Customers need to set up a certificate specifically for the CSB subdomain.

As you have learned, access to Career Site Builder requires the Manage Career Site Builder permission from Admin Center. If Career Site Builder's role-based permissions are enabled, set the SSL Certificate permission from CSBUsersRoles for any users who should have access. Customers may wish to create a role that can only access SSL Certificates, not other parts of Career Site Builder. The role would allow other individuals in the organization, such as the IT security team, to manage SSL Certificates.

General Process

There are two options that system admin users can choose to start the certificate renewal process:

The recommended process is Option 1: To obtain and install your SSL (typical).

Option 2 allows you to upload a new SSL certificate based on an existing CSR.

The basic steps to complete Option 1 are as follows:

  1. Generate a Certificate Signing Request (CSR) file. See the Setting up and Maintaining SAP SuccessFactors Recruiting guide on the SAP Help Portal for tips on completing the fields.
  2. The customer then procures the certificate from a certificate authority.
  3. Once the SSL certificate is received, submit the certificate along with the intermediate certificate. (Note that an intermediate certificate is required.)
  4. Finally, install the SSL certificate.

Additional Information

Customers can have multiple certificates installed and in use. When there is more than one certificate issued to the same domain, for example, test01.sap.corp, the last one installed is active.

Remember that Recruiting Marketing only supports two domains to access the site, defined from CSBSettingsSite ConfigurationSite Information: Site URL and Use Redirect.

See additional information about SSL certificates in the Setting up and Maintaining SAP SuccessFactors Recruiting guide on the SAP Help Portal and KBA 3109381: Overview About SSL Certificates tab in CSB https://launchpad.support.sap.com/#/notes/3109381

Reminders Setup

SAP SuccessFactors Recruiting proactively reminds organizations when their career site's SSL certificate needs to be renewed to avoid career sites from becoming unreachable due to an expired SSL certificate.

Popup Banner Reminders

Career Site Builder offers two reminder methods:

  1. The ability to enable email reminders for admin users.
  2. A popup dialog that appears when logging in to Career Site Builder.

When the certificate is going to expire in less than 90 days, the pop-up banner is shown to all users who have access to the Site Configuration menu in Career Site Builder. For this reason, add users who are responsible for the SSL certificate to Recruiter Single Sign On.

  • If the user clicks Acknowledge, the banner will not display next time they log in.
  • If the user clicks Ignore, they will be reminded again the next time they log in.
A screenshot of the Edit Admin User section showing toggle switches for Is CSB Admin and Enable SSL Notification. Both are set to On.

Email Reminders

Email reminders are triggered at 90 days, 60 days, 30 days, and 7 days before the certificate expires. To help administrators identify the specific Recruiting career site certificate that is set to expire, the email reminders include the following information: RCM Company ID, Career Site Builder Site ID, Site Name, Career Site URL. The email reminder contains a link to unsubscribe.

Summary

  • SSL encrypts candidate data passed between the CSB site and Recruiting ATS; certificates last 398 days and must be renewed to avoid browser warnings/blocking. SSL is enabled only in production; wildcard certs aren’t allowed (certificate must be for the CSB subdomain), and stage may show certificate errors during UAT.
  • Who can manage SSL in CSB: Users need Manage Career Site Builder (Admin Center) and, if CSB role-based permissions are enabled, the SSL Certificate permission in CSB roles. Organizations may create a dedicated role so teams like IT security can manage SSL without broader CSB access.
  • CSB supports two access domains (Site URL and Use Redirect) and provides renewal reminders via email (90/60/30/7 days) and an in-product popup shown less than 90 days to users with Site Configuration access.
Learning
SAP FacebookSAP YoutubeSAP LinkedIn