HungDo Support Team

Support Team

[ACTION REQUIRED]: Maintenance to Update SSL Certificate for zuora.com, connect.zuora.com,

by Support Team 4 weeks ago - last edited a week ago by Zuora Moderator

We are updating the SSL certificate used for the following endpoints:

 

  1. eu.zuora.com - All EU Production Endpoints (soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com)
  2. *.zuora.com - US Production Rest and API, Sandbox, and PT1 (<anything>*zuora.com)
  3. rest.pt1.zuora.com - US Production PT1 Rest Endpoint

We are updating the SSL certificate used for the endpoints listed above from Symantec to Comodo, Digicert, or AWS issued certificates.

NOTE: no change required for sandbox.eu.zuora.com as it already has Comodo certificate

 

Action will be required on your part prior to October 10th, 2018 if your integration certificate store does not trust the appropriate new root and intermediate certificate chain (mentioned below). Please work with your technology teams to determine what actions you must take to ensure you do not experience any disruption in Zuora services.

 

When will these changes take effect on the Zuora side?

 

  • The change will occur on the schedule outlined below.
    • These changes will occur on October 10th, starting at 1AM and continuing until 11:00AM.

How will this change impact me?

 

Your integration will stop functioning if your systems do not trust the correct root and intermediate certificate.
*
Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.


What action must I take?

 

If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to trust this CA.

 

Download and install the Appropriate Root Certificate Bundle
If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your application’s trusted CA store.

Follow these steps to download the Comodo Root Certificates:

  1. The CA Certificates can be downloaded from the links below:

 

https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain

.eu.zuora.com - requires "eu-zuora-com-root.cer" and "eu-zuora-com-intermediate.cer"
*.zuora.com (apisandbox.zuora.com, rest.zuora.com, and api.zuora.com) - requires "zuora-com-root.cer" and "zuora-com-intermediate.cer"
rest.pt.zuora.com - requires "rest-pt1-zuora-com-fullrootchain.ca-bundle"

  1. Import these certificates into your trusted CA store based on your system parameters.
  2. Restart services if applicable.

We have provided basic instructions to load the the root and intermediate certificates for Java and .NET. For other applications, please follow up with your technology teams to determine what actions must be taken.

For Java:

Run the following command from your application server(s) that make connections to Zuora systems to import root and intermediate certificates into your keystore. Note, text in blue must be replaced based on your system specifics.

  • Root Certificate: keytool -import -trustcacerts -alias Zuora-AddTrustExternalCARoot.crt -file AddTrustExternalCARoot.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
  • Intermediate Certificate 1: keytool -import -trustcacerts -alias Zuora-COMODORSAExtendedValidationSecureServerCA.crt -file COMODORSAExtendedValidationSecureServerCA.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>

 

  • Intermediate Certificate 2: keytool -import -trustcacerts -alias Zuora-COMODORSACa.crt -file COMODORSACa.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>

For .NET on Windows 2008/2012 R2 & Windows 2016:


Click here for instructions on adding certificates to Trusted Certification Authorities store for local computer

What happens if I take no action?

If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint  after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.


You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.

Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.

 

Best Regards,

Zuora Support Services & Community

 

 

 

 

Comments
jlee Tutor

Tutor

by Tutor jlee
4 weeks ago

If our services use the URLs you specified should we use the Production Certs or the Services Certs? The Production Certs still seem to reference Symantec, so we're not sure if those are the right ones to use.

ASchwarz Valued Scholar

Valued Scholar

by Valued Scholar ASchwarz
4 weeks ago

You didn't mention the rollout for the EU sandbox? 

How are we supposed to see if this is working or not prior to the EU production roll out?

 

sapatel Tutor

Tutor

by Tutor sapatel
3 weeks ago

Hi, 

 

As per this, Zuora is planning to update symantec to Comodo certs for all US Data centers [Prod/Sandbox/Services Environment]

but the link which you mentioned clearly indicate only for Services Environment. 

 

Please update the link article with latest certs or clarify here. 

 

Thanks. 

btemko Savvy Scholar

Savvy Scholar

by Savvy Scholar btemko
3 weeks ago - last edited 3 weeks ago

This is some confusing information, and I have a few questions:

 

We're pointing to the NA sandbox environment, but not using the "sandbox.na.zuora.com" endpoint. If we don't point specifically to those hosts, (i.e. we use the "apisandbox-api.zuora.com" endpoint) will our integration be affected by the change on September 3rd, September 5th, or September 12th?

 

The "production" date is listed as September 12, but it includes the api sandbox ("rest.apisandbox.zuora.com") AND the production ("rest.zuora.com") endpoints. But there is also a "production date" which lists the same "rest.zuora.com" endpoint for September 5th. If I'm reading this correctly, the sandbox environment is going to get altered either after, or at the same time as, the production environment? It's impossible to tell which date applies to which environment using the schedule as posted. 

 

Also, September 3rd is Labor Day, and there will be massive problems with scheduling changes of this nature on that day as most of the workforce will, I imagine, be taking the day off.

 

Please, give some clarity to this scheule as soon as possible, as we will need to make some emergency changes to the system before next week's scheduled changes, and we need to start working on them RIGHT NOW.

 

Also in the future please give more time in advance of an important change like this. Posting after COB (EDT) on Friday less than a week before the first scheduled changes is not enough time in which to operate.

 

Thanks,

 

Ben

 

Vonagekate Senior Tutor

Senior Tutor

by Senior Tutor Vonagekate
3 weeks ago

Can this be moved out a week?  We're going into a US holiday weekend and this will not give us enough time for this to bake in QA and allow us time to fully test. 

skatdare Student

Student

by Student skatdare
3 weeks ago

First and foremost, we need the correct certificate chain attached to this post! Second, it would good to have atleast 2 weeks gaps in between annoucement and actual implementation especially when an long weekend is involved.

 

So can we have the new comodo certificate chain for all URLs including Sandbox & Production????????

scottb Zuora Moderator

Zuora Moderator

by Zuora Moderator
3 weeks ago

Hi folks

 

We are reviewing this issue with our Engineering team and expect to have a response shortly. 

 

Scott

ysireesha Scholar

Scholar

by Scholar ysireesha
3 weeks ago

We are using apisandbox.zuora.com URLs. Do we need the SSL certificate changes to be uptaken ?

 

Thanks !

pv Honor Student

Honor Student

by Honor Student pv
3 weeks ago

September 3rd is scheduled for Sandboxes is that also includes the Services(Production copy) environments?. So we can test the SSL cert changes in our services environments. 

baluanisetti Tutor

Tutor

by Tutor baluanisetti
3 weeks ago

Hi Team,

Could you please provide the End time of these changes?

 

  • Wednesday, August 29th 2018 7:00AM PDT: All Regions Connect - connect.zuora.com (connect.eu.zuora.com, connect.na.zuora.com), *.apps.zuora.com, *.apps.eu.zuora.com>End Time of change?
  • Monday, September 3rd 2018 7:00AM PDT: US Sandbox - sandbox.na.zuora.com (static.sandbox.na.zuora.com, rest.sandbox.na.zuora.com)>End Time of change?
  • Wednesday, September 5th 2018 7:00AM PDT: US Production - www.zuora.com (static.na.zuora.com, static.zuora.com, zuora.com, rest.na.zuora.com, na.zuora.com, rest.zuora.com, api.zuora.com) >End Time of change?
  • Wednesday, September 12th 2018 7:00AM PDT: US Production, PT1, Sandbox- *.zuora.com, rest.pt1.zuora.com, rest.zuora.com, rest.apisandbox.zuora.com, eu.zuora.com >End Time of change?(soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com), origin-rest.zuora.com

Please share as soon as possible.

cshin Tutor

Tutor

by Tutor cshin
3 weeks ago

So the plan is to update both rest.apisandbox.zuora.com and rest.zuora.com at the same time? So you're giving your customers no opportunity to test the cert change against your test environment prior to applying the change to your production?

skatdare Student

Student

by Student skatdare
3 weeks ago

@scottb- Do you have an update on this? You were going to get back to us after checking with Zuora Engineering? Please confirm on priority so that we can plan activities.

Vonagekate Senior Tutor

Senior Tutor

by Senior Tutor Vonagekate
3 weeks ago

Asking again for this to be moved to a week out due to the holiday.  Can this be moved out a week?  We're going into a US holiday weekend and this will not give us enough time for this to bake in QA and allow us time to fully test. 

sapatel Tutor

Tutor

by Tutor sapatel
3 weeks ago

Let us know if Zuora is seriosuly performing this activity and clarifying all concerns well in advance. 

With lack of information and no response on comment section clearly indicate differently. 

marcielaux Tutor

Tutor

by Tutor marcielaux
3 weeks ago
  • I don't see the new Cert for the Performance Type Tenants - listed in the KB per the link given above is EU and US - APISandbox and Production along with US Services.
  • I am also with everyone else that there is no way for us to test if Production and APISandbox are all done within 2 days of each other
  • Our API Sandbox is actually APISANDBOX.Zuora.com but that's not listed above unless it's included in *.zuora.com and then it's the same day as our Production?
  • Why would the change be made in Production before the PT and Sandbox environments? We use PT environments for our Day 2 and Project
  • Monday 9/3 as previously mentioned is a US Holiday
  • We also need a better hourly timeline for implementation; we are a global corporation and things are running 24/7 so we won't know when to update the certificate until it starts failing.
Zuora-Support Community Manager

Community Manager

by Community Manager
3 weeks ago

The Connect change was performed successfully. We will postpone production updates until a later date. More information will be provided shortly, and we apologize for the delay.

btemko Savvy Scholar

Savvy Scholar

by Savvy Scholar btemko
3 weeks ago

So you're postponing the production updates, what about the lower environment updates scheduled over the holiday weekend? Are those postponed as well or not?

skatdare Student

Student

by Student skatdare
3 weeks ago

@scottb@Zuora-SupportCan we have the full certificate chain for comodo for all URLs? https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain does not have comodo certificats for all URLs subject to SSL cert replacement, so request to clear this asap.

Lana Community Manager

Community Manager

by Community Manager
3 weeks ago

Hi Everyone,

 

I’ll follow up with the team to get all of your questions and concerns addressed ASAP. 

 

Lana Lee

Senior Community Manager and Strategist

baluanisetti Tutor

Tutor

by Tutor baluanisetti
3 weeks ago

Hi Team,

Could you please provide the End time of these changes?

 

  • Wednesday, August 29th 2018 7:00AM PDT: All Regions Connect - connect.zuora.com (connect.eu.zuora.com, connect.na.zuora.com), *.apps.zuora.com, *.apps.eu.zuora.com>End Time of change?
  • Monday, September 3rd 2018 7:00AM PDT: US Sandbox - sandbox.na.zuora.com (static.sandbox.na.zuora.com, rest.sandbox.na.zuora.com)>End Time of change?
  • Wednesday, September 5th 2018 7:00AM PDT: US Production - www.zuora.com (static.na.zuora.com, static.zuora.com, zuora.com, rest.na.zuora.com, na.zuora.com, rest.zuora.com, api.zuora.com) >End Time of change?
  • Wednesday, September 12th 2018 7:00AM PDT: US Production, PT1, Sandbox- *.zuora.com, rest.pt1.zuora.com, rest.zuora.com, rest.apisandbox.zuora.com, eu.zuora.com >End Time of change?(soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com), origin-rest.zuora.com

Please share as soon as possible.

 

Regards,

Bala.

Zuora-Support Community Manager

Community Manager

by Community Manager
3 weeks ago

Hi All,

 

 

We'll be delaying deployment with the new dates to occur, tentatively, in early October.  We'll address everyone's questions when we have more information from our Engineering team and will ensure that the new dates will be provided in a more timely fashion.

 

Thanks for patience and understanding.

 

 

 

 

 

abhishek_grover Savvy Scholar

Savvy Scholar

by Savvy Scholar abhishek_grover
3 weeks ago

Hi Team

 

Just to add to the list of clarifications needed -

Does this only impact the API integrations, or does it impact any kind of access, i.e. even end users will need to update certificates on their machines.

 

Thanks

Abhishek

scottb Zuora Moderator

Zuora Moderator

by Zuora Moderator
a week ago - last edited a week ago

Hi folks

 

We have updated the original post with the new deployment schedule and clarified a few issues with the original post’s endpoints and included the proper links to the certificates in our Knowledge Center. Additionally here are some answers to several of your prior questions.

Question: What is the new date for the deployment
Answer: October 10, 2018 starting at 1am PDT


Question: What is the propagation time of deployment?
Answer: 6-8 hours propagation time (approximate) as it deploys through our CDN

 

Question: Can you clarify this impacts both UI and API endpoints?
Answer: Technically both although UI (browser) based access to Zuora endpoints impacted isn't likely to be an issue.  

Question: Can you clarify what endpoints are included with *.zuora.com

Answer: Basically anything that ends with zuora.com (www.zuora.com, apisandbox.zuora.com, rest.zuora.com etc)


Question: Why can’t Zuora support tell me if I’m impacted by this change?

Answer:  As Zuora cannot and does not have access or knowledge of our customer’s systems, it is important that the customer assess whether their systems are impacted or not by this change. Customer integration and truststore policy along with API integration standard practice is the responsibility of the customer and their security & technology teams to maintain.

Thanks!  Please let us know if there's any further questions

sapatel Tutor

Tutor

by Tutor sapatel
a week ago

Thanks for the udpate. 

 

As mentioned in updated article above, 

*.zuora.com (apisandbox.zuora.com, rest.zuora.com, and api.zuora.com) - requires “DigicertRoot.cer” and “digicert-star-int.cer”. 

 

But attached link for US production data centers has symantec chain [production-zuora-com-fullrootchain-bundle.crt]. 

 

Kindly clarify at earliest. 

pv Honor Student

Honor Student

by Honor Student pv
a week ago

Is that both the sandbox and production environments is going to get altered on the same day?. If this is the case how can we validate the changes in test environments before applying changes in Production?.

HungDo Support Team

Support Team

by Support Team
a week ago

Hi Sapatel and PV

 

Sapatel,  we have updated the filenames in the original article.

 

.eu.zuora.com - requires "eu-zuora-com-root.cer" and "eu-zuora-com-intermediate.cer"
*.zuora.com (apisandbox.zuora.com, rest.zuora.com, and api.zuora.com) - requires "zuora-com-root.cer" and "zuora-com-intermediate.cer"
rest.pt.zuora.com - requires "rest-pt1-zuora-com-fullrootchain.ca-bundle"

 

 

PV, due to the way our *.zuora.com endpoints are constructed and in alignment with our CDN configuration, unfortunately there's no way to stagger the deployments as a result.

calvinly Tutor

Tutor

by Tutor calvinly
a week ago

If the deployments can't be staggered, when can we deploy this in our sandbox to test before it hits prod?

abhishek_grover Savvy Scholar

Savvy Scholar

by Savvy Scholar abhishek_grover
Monday

We have integrations through Dell Boomi Atom Cloud and Salesforce directly to Zuora. Do we need to reach out to them and find out if they have the latest Zuora certificates, or are you already in touch with these players?