Skip to Content

SSL warning when loading UI5 libraries from CDN

I am updating a suite of UI5 apps which are running on an on-premise Gateway hub. I have switched the library reference so that the UI5 libraries are loaded from the CDN. This is an excerpt from the index.html

<script id="sap-ui-bootstrap"
            src="https://sapui5.hana.ondemand.com/1.52.7/resources/sap-ui-core.js" etc. etc.

I note that my use of HTTPS matches the example in the UI5 documentation:

Variant for Bootstrapping from Content Delivery Network

When I run the apps in Chrome 65 I get the following warning in the console:

The SSL certificate used to load resources from https://sapui5.hana.ondemand.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

My question is, does everyone else get this warning too? Are SAP taking action to ensure that our users will still be able to download the libraries from the CDN?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Apr 06 at 06:02 AM

    Yes, we all get this warning. In fact, I realized this warning long time ago back in 2017. You're getting this even on https://www.sap.com because this references https://accounts.sap.com which in turn doesn't have a "good" cert yet. As you know the demokit has the same issue (both https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/). I can't tell why SAP is so slow fixing this by simply patching all the SSL certs. I've updated the certs for some of our clients and for our own site back in 2017 and the net effort is quite low, the monetary costs goe from free - a few tens/hundreds/thousands of bucks (depending on own requirements, i.e. wildcard certs, green color in browsers, and others...).

    I even thought about opening a ticket for OpenUI5 on Github (although it's more a topic for the site admins of *.ondemand.com and *.sap.com). Anyways... There is still some time for SAP to fix this. If I remember correctly, then Google will start shipping the first Chrome version (M70) blocking those certs around June/July in Canary or beta, before the rest of the world gets served in Sept/Oct 2018 or so.

    By the way:
    Back in Q4 2017 I've switched from NW ABAP UI5 versions to CDN for a couple of customers and so far this was the best decision:

    • way more frequent UI5 upgrade cycles (which even forces improved better code quality of custom apps, or at least more attention for it among devs). Simple example: some devs used "sap/m/button" for dependency injection in UI5. This worked perfectly when UI5 is served from NW ABAP, but it fails immediately when served from CDN because there case matters and thus the devs had to fix these kinda things (in the example the fix would be "sap/m/Button", else you would see HTTP 404s)
    • faster innovation cycles for custom apps because now we have all the latest stuff
    • way faster loading time!!!!!!
    • heavily decreased costs and time for UI5 upgrades (no SAP Notes need to be installed anymore!!!!)
    • As devs we can to the upgrade on our own within a few seconds only instead of fighting our SAP Basis people (they have lots of other things to do)
    • getting the latest bug fixes
    • ...

    Some drawbacks I discovered are (some of them I mentioned on the announcement blog of Former Member):

    • Theme Designer: makes sure to use the Theme Designer that matches your UI5 version. Most probably this won't be the one on your NW ABAP, so simply use your SAPCP trial version and there pick your UI5 version before starting.
    • Launchpad Designer: this one is an app on your NW ABAP. While it uses the UI5 version installed on your NW ABAP (not the CDN version) it uses the same system wide default theme. In case you have a custom default theme configured then you might run into some issues because let's say your default theme was made for SAPUI5 1.52.x while your SAPUI5 version deployed to NW ABAP is 1.44.x. In this case you have to live with this (if you can) or you have to install the latest SAPUI5 notes on NW ABAP to upgrade your SAPUI5 version on NW ABAP because of the Launchpad Designer.

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 06 at 04:46 AM

    As SAP is using Akamai for the SAPUI5 CDN I would think this could help https://community.akamai.com/community/web-performance/blog/2018/03/06/google-symantec-subca-transition

    Add comment
    10|10000 characters needed characters exceeded