Former Member

TLS 1.2 Support in SAP

Hello Colleagues,

I am in the process of establishing a connection from SAP to an external web service hosted by some vendor. For security reasons they have disabled SSLv3 and TLS 1.2, and they accept connections that come through HTTPS and TLSv1.2.

So, based on the note http://service.sap.com/sap/support/notes/2065806, it is possible to establish a connection to external web services that run on the TLS 1.2 protocol only if our SAP has CommonCryptoLib 8.4.31 or above, so I have downloaded the latest CommonCryptoLib 8.4.37 and upgraded.

I have also installed the URL's certificate in the STRUST store.

I have also set the profile parameters mentioned in note http://service.sap.com/sap/support/notes/510007. After setting these profile parameters in RZ10 I also restarted the server, but when I check the profile parameters it says "Unknown profile parameter"; I read in some note that this message can be ignored. Please find below the additional parameters for my cipher suites.

ssl/client_ciphersuites                 192:HIGH:MEDIUM:+e3DES:!aNULL

ssl/ciphersuites                        135:HIGH:MEDIUM:+e3DES:!aNULL

From SE38 I have run the program "SSF02" and selected the radio button "Determine version". I see the message below, so I assume my CryptoLib upgrade has no issues.

SSF Test Program

Version              (on application server)

Result:  SSF_API_OK

Version information:                                      145

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 (+MT) #Copyright (c) SAP AG, 2011-2015#compiled for linux-gcc-4.1-x86-64#

I have some open questions after setting up the system.

  1. Apart from the above-mentioned settings, do I need to perform any additional steps to set up the latest CryptoLib?
  2. After extracting the CommonCryptoLib I see an additional folder "fips". How shall we deal with this folder's content? Do I need to set up any additional parameter for it?
  3. Does SAP use the operating system's OpenSSL to establish connections to external web services?
  4. Does SAP use its own kernel / crypto (SAP's own OpenSSL) to connect to external web services?
  5. My OS is SUSE Linux SP11. In its current state it does not have an OpenSSL which supports TLS v1.2. Is that the reason that I am unable to connect to web services which are running on TLS 1.2?
  6. I am able to connect to other web services which are running on SSLv3 and TLS 1, but it is not connecting when it comes to pure TLSv1.2.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Please find below the logs from SMICM.

[Thr 140048473114368] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140048473114368]    session uses PSE file "/usr/sap/SE1/DVEBMGS59/sec/SAPSSLC.pse"

[Thr 140048473114368] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 140048473114368]   secude_error 536875120 (0x20001070) = "SSL API error"

[Thr 140048473114368] >>            Begin of Secude-SSL Errorstack            >>

[Thr 140048473114368] 0x20001070   SAPCRYPTOLIB   SSL_connect

[Thr 140048473114368] SSL API error

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] 0xa0600278   SSL   ssl3_read_bytes

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] <<            End of Secude-SSL Errorstack

[Thr 140048473114368]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 140048473114368]   SSL NI-sock: local=10.1.1.214:34300  peer=10.1.1.33:443

[Thr 140048473114368] <<- ERROR: SapSSLSessionStart(sssl_hdl=7f5f8c01b220)==SSSLERR_SSL_CONNECT

[Thr 140048473114368] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000544} [icxxconn_m

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Please help in resolving this issue.

Thanks in advance !!

Regards,

Vardhan.


2 Answers

  • Best Answer
    Former Member
    Jun 04, 2015 at 08:53 AM

    Hello Vardhan,

    You have set:

    ssl/client_ciphersuites             192:HIGH:MEDIUM:+e3DES:!aNULL

    This will only cover TLSv1.0 and SSLv3.

    For you to get TLSv1.2 (also covering TLSv1.1) please try by setting the following and restart your system.

    ssl/client_ciphersuites     =     790:HIGH:MEDIUM:+e3DES

    KR,

    Amerjit
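
The check this answer describes, as an added example that is not part of the original thread or SAP's own code: it decodes the numeric prefix of ssl/client_ciphersuites and relates it to the protocol version alert in the SMICM trace. The bit meanings are an assumption taken from SAP Note 510007 (the thread only states what 192 and 790 cover), and decode, offers_tls12 and diagnose are hypothetical helper names.

```python
import re

# Flag bits of the numeric prefix. Assumption: values as listed in SAP Note
# 510007 (the thread itself only says what 192 and 790 cover); check the note.
PROTOCOLS = {64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}
BEST = 2  # assumption: option that activates the highest available TLS version


def decode(value):
    """Split '<flags>:<cipher filter>' and list the protocol bits that are set."""
    flags_text, _, cipher_filter = value.strip().partition(":")
    flags = int(flags_text)
    return {
        "flags": flags,
        "protocols": [n for bit, n in sorted(PROTOCOLS.items()) if flags & bit],
        "best": bool(flags & BEST),
        # Remaining option bits are reported, not interpreted.
        "other_bits": flags & ~(sum(PROTOCOLS) | BEST),
        "filter": cipher_filter,
    }


def offers_tls12(value):
    """True if TLSv1.2 is requested explicitly or through the BEST option."""
    d = decode(value)
    return "TLSv1.2" in d["protocols"] or d["best"]


ALERT = re.compile(r"received a fatal (\S+) protocol version alert")


def diagnose(trace, value):
    """Relate a protocol-version alert in an ICM trace to the client setting."""
    if not ALERT.search(trace):
        return "no protocol version alert in trace"
    if offers_tls12(value):
        return "peer rejected the version although TLSv1.2 is offered"
    offered = ", ".join(decode(value)["protocols"]) or "none"
    return f"peer rejected the handshake; client offers only {offered}"


# Trace line and parameter values copied from the thread above.
TRACE = ("[Thr 140048473114368] received a fatal TLS1.0 protocol version "
         "alert message from the peer")
OLD_VALUE = "192:HIGH:MEDIUM:+e3DES:!aNULL"
NEW_VALUE = "790:HIGH:MEDIUM:+e3DES"

if __name__ == "__main__":
    print(diagnose(TRACE, OLD_VALUE))
    print(decode(NEW_VALUE))
```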


    • Former Member

      Hello Akhil,

      Could you open a new thread describing your problem and attaching the trace file(s) with the error(s)?

      KR,

      Amerjit

  • Former Member
    Apr 25, 2016 at 08:35 AM

    Hi Vardhan,

    We have integrated SAP PO with SFDC.

    Now Salesforce is upgrading from TLS 1.0 to TLS 1.1,

    and now I am not able to connect to SFDC after the change to TLS 1.1.

    Kindly let us know how to achieve this.

    Regards

    Pradeep
