Skip to Content

SAP PI 7.40 SP 13 soap receiver HTTPS - cypher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Hi The community,

We are in SAP PI 7.40 SP13, in an adapter receiver SOAP, I want to connect to a site (Azure hosted in cloud of Microsoft) HTTPS with a cypher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA but I can't join the endurl. If I post the soap message with XMLSPY or SOAPUI, I receive an answer.

Can someone tell me if that cypher suite is present on the server PI?

Thanks you in advance

Eric Koralewski

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Feb 23, 2017 at 09:51 AM

    Dear Eric,

    What is the TLS version? If you are trying to connect to TLS12, than this cipher suite is not supported by the PI system.

    If you are trying to connect with lower TLS version, then it means that the target system does not support ECC and it might close the SSL connection.

    If you have xpi_isnpector installed on the system, please trace it with example 11 and 50 and provide some debug trace.

    Best regards,
    Bence

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 25, 2017 at 11:35 AM

    Dear Eric,

    If Note 2284059 - Update of SSL library within NW Java server is installed in your system then the following ciphersuites are enabled in your system: Cipher suites supported in the default configuration:

    TLS_RSA_WITH_AES_256_GCM_SHA384 *

    TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 *

    TLS_RSA_WITH_AES_256_CBC_SHA256 *

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 *

    TLS_RSA_WITH_AES_128_GCM_SHA256

    TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256

    TLS_RSA_WITH_AES_128_CBC_SHA256

    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

    TLS_RSA_WITH_AES_256_CBC_SHA *

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA *

    TLS_RSA_WITH_AES_128_CBC_SHA

    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

    SSL_RSA_WITH_3DES_EDE_CBC_SHA

    SSL_RSA_WITH_RC4_128_SHA

    As my colleagues Bence described ciphersuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is not supported. Actually ECDHE and DHE suites are disable by default as of Note 2284059. You can tune your settings to enable the mentioned ciphersuite.

    You can also use the following site to check the endpoint's ciphersuites:

    http://jcewww.iaik.tu-graz.ac.at/index.php/sic/Products/Communication_Messaging_Security/iSaSiLk/demo

    Regards,
    Mate

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Apr 05, 2017 at 03:06 PM

    Dear Eric,

    Below API will provide list of cipher suites. Try to call this API through PI interface.

    https://www.howsmyssl.com/s/api.html


    Regards

    Krishna

    Add comment
    10|10000 characters needed characters exceeded