Since the SAP instance specific sapstartsrv is using the instance profile you could try to set ssl/ciphersuites according to SAP note 510007 and see if it helps.

Yes that parameter will affect ICM services as well. Apart from testing the impact, I have no other recommendations.

Thank you for this information. After analyzing the parameters, I am worried it will generate a whole lot of work. Adding cipher control on the SSL communication. We have over 20+ production SAP and non-sap system communication with each other via http/https. I don't want to add additional complication to the already complex setup.

Samuli earlier explained that SAP note 1036107 has steps to disable https communication, I could not find steps to disable the communication, I do see steps on how to enable https for SAP MC. But I checked my system, most of the settings described are not there still I see in most of our systems 5$$14 is there.

Would you be so kind to provide steps on how to disable this service.

regards

Yogesh

Login to the HTTP port (5xx13) of your SAP MC using a browser. A Java applet is launched and that is why you need to have a working Java runtime. In the Java applet select menu entry Tools -> Settings... and uncheck "Use HTTPS".

Correct, you can even delete the indicator from tools--> settings.

Also, refer to 1439348 - Extended security settings for sapstartsrv :

"Restrict network access

Another option is to restrict the remote access via the network to ports 5XX13 / 5XX14 of the sapstartsrv agents to a minimum level required for operation. For example, restrict it so that only the sapstartsrv of a system can communicate with each other, and the Webservice clients used (SAP MMC, SAP MC, ...) from the computers from which they are operated (for example, Administrator Desktop PC). In addition to pure network routing measures, current sapstartsrv (as of 720 patch 45) offer the option to specify network ACL lists using the profile parameters service/http/acl_file and service/https/acl_file. After you set the profile parameters or change the ACL lists, you must restart the affected sapstartsrv to activate the changes. Note 1495075 describes the syntax of the ACL files."

That checkbox is already disabled when I connect via http. I connect via https and disable it but the access point is still there. I stopped and restarted the SAP service but same result.

I guess what you are suggesting is to switch the SAP MC connection to https/http but it is not disabling the SAP service listening on 5$$14. My problem is that this access point is available, we have a scan going on via a 3rd party which is scanning this port and finding that it allows weak ciphers.

How can I disable this access point altogether is still a question. From what I could find so far is that once I enable SSL, it automatically enables the 50014 https service. Not sure how to disable it. I will try and reverse engineer the note SAP note 1036107 suggested by Samuli if that works but in case you have other ideas.

Yogesh

Hi Martin,

Thank you.

One thing I don't understand, why only this port is giving this weak cipher issue. We have ssl enabled which means it will be effective for all ports. We have standard 443 https ports but this issue does not show up there. Anyway right now we have both http and https access to SAP MC, I am trying to disable https for this port, so nothing worse than what we currently have,  which seemingly does not seem possible. I even got confirmation from SAP that if you select SSL, this port gets active by default and there is no way of disabling it.

Of-course I am not putting off fixing this, but currently cannot put in the efforts of changing something which may have a widespread impact. We will plan in a big list of changes based on its priority.

I will close the thread, thank you all for your inputs.

Yogesh

Then sapstartsrv is not behaving the same way as ICM is, sounds like a bug to me. I guess sapstartsrv is not even respecting the ssl/ciphersuites parameter.