Skip to content

Safe Tuesday with SNOK: Critical Java VM update for SAP Cloud Connector

In our latest article in the "Tech Thursday with SNOK" series, we discussed the key role of SAP Cloud Connector as a secure bridge linking the SAP…

In our latest article in the “Tech Thursday with SNOK” series, we discussed the key role of SAP Cloud Connector as a secure bridge linking the SAP Business Technology Platform (BTP) environment with on-premise systems. As Jarosław Zdanowski, Partner at SNOK, emphasised: “properly configuring and securing Cloud Connector has a direct impact not only on the security of the entire SAP ecosystem, but also on the reliability of business processes.”

In today’s article, we draw attention to a critical element of that security – the upcoming certificate change for SAP Datasphere, which requires an urgent update of the Java VM environment on servers running SAP Cloud Connector (SCC).

What is the challenge?

SAP has announced a certificate change for SAP Datasphere, which requires an update to the Java VM environment on servers running SAP Cloud Connector. The change involves migrating from the Let’s Encrypt ISRG Root X1 certificate to Let’s Encrypt ISRG Root X2.

Implementation timeline

The originally planned date of January 2025 was cancelled. The new implementation timeline is as follows:

Article content

Required actions

It is essential to update the Java VM on servers running SAP Cloud Connector by 2 June 2025. After this date, connections using SAP Cloud Connector with outdated Java VM versions will stop working.

For customer-managed servers:

  1. When using SAP JVM: update to version 8.1.097 or later

SAP JVM 8.1.097 corresponds to Oracle JDK 8u401

SAP Note 2219315 describes the required actions in detail

  1. When using other Java environments: a detailed compatibility analysis between JDK versions and SAP JVM should be carried out

For servers managed by SAP ECS (Enterprise Cloud Services) under the RISE with SAP model:

  • Cloud Connector 2.16.2 and later in ECS are secured (shipped with SAPJVM 8.1.097)

  • Contact your ECS representative

  • If an update is needed, raise an “Upgrade SAP Cloud Connector” ticket in accordance with Note 3239384, “How to use Service Requests application”

The key role of ECS tickets and BASIS partner support

The importance of ECS tickets

Raising a request for an update with SAP Enterprise Cloud Services (ECS) is absolutely critical, even when using the RISE with SAP model. Here’s why:

1. Infrastructure responsibility: Although in the RISE with SAP model the vendor takes over infrastructure management, requests concerning updates to critical components such as SAP Cloud Connector are not carried out automatically. ECS does not proactively monitor all potential version incompatibilities in the client’s environment.

2. Time windows: Updates to components such as SCC require appropriate maintenance windows to be scheduled. Submitting a request too late can result in a lack of available resources before the 2 June 2025 deadline.

3. Compliance documentation: A formal request ensures proper documentation of the update process, which is key for security audits and compliance checks.

4. Prioritisation: ECS handles many requests, and priorities are often set based on the order in which requests are received. Submitting a request early increases the chance of timely delivery.

The essential role of a BASIS partner, even under RISE with SAP

Despite the common belief that the RISE with SAP model eliminates the need for a BASIS partner, the reality is quite different:

1. Critical technical knowledge: A BASIS partner has the specialist knowledge needed to assess the impact of certificate changes on the entire SAP environment, which ECS teams often do not provide.

2. Liaison and coordination: A BASIS partner effectively acts as a liaison between business teams and ECS, translating technical matters into business language and vice versa.

3. Identifying dependencies: An experienced BASIS partner can identify non-obvious dependencies between components that a certificate change may affect.

4. Verifying implementation: After the JVM update, a BASIS partner can conduct comprehensive verification tests, confirming the correct operation of all business processes.

5. Risk management: Should problems arise, a BASIS partner can quickly propose interim solutions, minimising the impact on business processes.

SNOK’s experience

Acting proactively, the SNOK team has already begun informing its clients of the need to update Java VM for SAP Cloud Connector. What is more, for some clients this process has already been successfully completed. This was possible thanks to previously established and well-functioning Software Lifecycle Management processes for SAP solutions, which enabled the necessary updates to be planned and carried out well ahead of the deadline.

As we discussed in the article “Tech Thursday with SNOK: SAP Cloud Connector - The Link Between SAP BTP and On-Premise Solutions”, regularly updating SCC environment components, including managing certificates and their expiry dates, is essential for maintaining security and business continuity.

Our experience also confirms what we highlighted previously – redundant Cloud Connector deployments in a high-availability configuration, together with a proactive approach to certificate and software-version updates, help avoid costly downtime.

Additional information

Further detailed information can be found at:

  • SAP Note 3508452 – “Data Intelligence Connection fails to be established when trying to use SAP Cloud Connector”

  • SAP Note 2539713 – “Upgrade to a new version of the Cloud Connector”

  • SAP Note 3446675 – “SAP Cloud Connector - Supported JDKs”

  • SAP Note 3302250 – “Cloud Connector support strategy”

  • SAP Note 3184284 – “Where do I find the installed version of my SAP Cloud Connector?”

Conclusions

We recommend promptly scheduling the Java VM update on all servers running SAP Cloud Connector and contacting your BASIS partner to coordinate the update process. Please note that after 2 June 2025, all outdated installations will stop working correctly, which could have a critical impact on business integrations.

As we emphasised in our previous article, SAP Cloud Connector is not merely an infrastructure component but a strategic one that requires a professional approach. Updating the Java VM environment is a good example of such action, which, although it may seem like a technical detail, has fundamental importance for business continuity.

Tematy: Safe Tuesday IT advisory and integration SecurityBridge SAP S/4HANA SAP BTP

Get in touch