Skip to Content
0

SAP PI 7.40 SP 13 soap receiver HTTPS - cypher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Jan 19, 2017 at 04:31 PM

511

avatar image

Hi The community,

We are in SAP PI 7.40 SP13, in an adapter receiver SOAP, I want to connect to a site (Azure hosted in cloud of Microsoft) HTTPS with a cypher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA but I can't join the endurl. If I post the soap message with XMLSPY or SOAPUI, I receive an answer.

Can someone tell me if that cypher suite is present on the server PI?

Thanks you in advance

Eric Koralewski

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Bence Somlyo
Feb 23, 2017 at 09:51 AM
1

Dear Eric,

What is the TLS version? If you are trying to connect to TLS12, than this cipher suite is not supported by the PI system.

If you are trying to connect with lower TLS version, then it means that the target system does not support ECC and it might close the SSL connection.

If you have xpi_isnpector installed on the system, please trace it with example 11 and 50 and provide some debug trace.

Best regards,
Bence

Share
10 |10000 characters needed characters left characters exceeded
Mate Moricz
Feb 25, 2017 at 11:35 AM
0

Dear Eric,

If Note 2284059 - Update of SSL library within NW Java server is installed in your system then the following ciphersuites are enabled in your system: Cipher suites supported in the default configuration:

TLS_RSA_WITH_AES_256_GCM_SHA384 *

TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 *

TLS_RSA_WITH_AES_256_CBC_SHA256 *

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 *

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA *

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA *

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_RC4_128_SHA

As my colleagues Bence described ciphersuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is not supported. Actually ECDHE and DHE suites are disable by default as of Note 2284059. You can tune your settings to enable the mentioned ciphersuite.

You can also use the following site to check the endpoint's ciphersuites:

http://jcewww.iaik.tu-graz.ac.at/index.php/sic/Products/Communication_Messaging_Security/iSaSiLk/demo

Regards,
Mate

Share
10 |10000 characters needed characters left characters exceeded
avatar image
Former Member Apr 05, 2017 at 03:06 PM
0

Dear Eric,

Below API will provide list of cipher suites. Try to call this API through PI interface.

https://www.howsmyssl.com/s/api.html


Regards

Krishna

Share
10 |10000 characters needed characters left characters exceeded