Happy Business Starts Here

Zuora Staff

You will be affected by this change if your certificate store does not trust the root certificate chain specified below.  Please work with your technology teams to determine if this change will affect you.

 

Action is required on your part prior to December 6, 2016 if your certificate store does not trust the root certificate chain specified below to ensure you do not experience any disruption in service.

 

The TLS certificate for API Sandbox will expire on December 21, 2016.  The purpose of this maintenance is to renew the TLS certificate. As a part of this renewal we are changing Certificate Authority's (CA’s) from Cybertrust to Symantec. Symantec is a more widely recognized CA that is comprehensively supported across browsers as well software libraries and programming frameworks. This will also align with Production as Symantec is the CA being used in Production as well. As an added benefit, customers have the peace of mind to know that most common libraries support Symantec CAs out of the box.

 

When will these changes take effect?

 

  • The change will occur on  December 6, 2016  from 7:00 AM to 11:00 AM Pacific Time.  This is a zero downtime deployment,; therefore, there is no expected service interruption.

How will this change impact me?

 

You may be impacted by these changes if your systems do not trust the Symantec Class 3 Secure Server CA - G4 intermediate certificate or the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate. Note, most systems recognize and trust Symantec root and intermediate certificates out of the box; however, we encourage you to follow up with your technology team for positive confirmation that the Symantec root and intermediate are trusted.

 

What action must I take?

 

If the Symantec Root and Intermediate Certificates are not trusted by your integration, you must must complete the following actions before the scheduled maintenance on December 6, 2016 to avoid any potential service disruption.  Please work with your technology teams to determine what actions you must take to trust this CA.

 

Download and install the Symantec Root Certificate Bundle

If your integration does not trust the Symantec Root Certificates, then the certificate must be imported into your application’s trusted CA store.  

 

Follow these steps to download the Symantec Root Certificates:

  1. The Symantec Root Certificates can be downloaded from this forum post
  2. Click the “apisb-fullrootchain-new.crt” link at the bottom of the post to download the chain
  3. Import these certificates into your trusted CA store based on your system parameters.

 

What happens if I take no action?

 

If the Symantec Root Certificate is not trusted by your integration, and you take no action, your systems will not be unable to connect to the Zuora API Sandbox environment after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.

 

How can I test connections to Sandbox using the new CA?

 

You can test prior to the change by pointing your Sandbox integrations to apisandbox-newca.zuora.com by replacing apisandbox.zuora.com and apisandbox-api.zuora.com in the connection URL. This applies to both SOAP and REST API calls. Everything else in the URL shall stay the same. The same credentials should be used as well. If you are able to connect successfully to the test endpoint, there is no further action required on your part as your integration will work after the certificate update.

 

Below is an example of the test URL for both SOAP and REST calls:

 

 

You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.

Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.


Best Regards,

Zuora Support Services & Community

2 Comments
Master

Hi there!

 

Quick Question - would we need to perform any changes on the SFDC / Zuora integration? Update the packages?

 

Cheers,

ECLF

Zuora Support Moderator

Hi @eclf

No change needed for Salesforce.  

Salesforce is configured for a different endpoint for API Sandbox (https://apisandbox-zforsf.zuora.com/apps/services/a/XX.0) so this certificate change doesn't apply to Salesforce environments.  

See Salesforce Zuora connection settings for additional details