TLS 1.2 Support in SAP

Former Member

Hello Colleagues,

I am in the process of establishing a connection from SAP to an external web service hosted by a vendor. Due to security reasons they have disabled SSLV3 and TLS 1.2 and they are accepting connections which come through HTTPS and TLSV1.2.

Based on the note http://service.sap.com/sap/support/notes/2065806, it is possible to establish a connection to external web services which are running on the TLS 1.2 protocol only if our SAP has Common Cryptolib 8.4.31 or above, so I have downloaded the latest Common Cryptolib 8.4.37 and upgraded.

I have also installed the URL's certificate in the STRUST store.

I have also set up the profile parameters mentioned in note http://service.sap.com/sap/support/notes/510007. After setting these profile parameters in RZ10 I have also restarted the server. But when I check the profile parameters it says "Unknown profile parameter"; I read in some note that this message can be ignored. Please find the additional parameters for my cipher suites.

ssl/client_ciphersuites                 192:HIGH:MEDIUM:+e3DES:!aNULL
ssl/ciphersuites                        135:HIGH:MEDIUM:+e3DES:!aNULL

From SE38 I have run program "SSF02" and selected the radio button "Determine version". I see the message below, so I am assuming my cryptolib upgrade has no issues.

SSF Test Program

Version              (on application server)

Result:  SSF_API_OK

Version information:                                      145

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 (+MT) #Copyright (c) SAP AG, 2011-2015#compiled for linux-gcc-4.1-x86-64#

I have some open questions after setting up the system.

  1. Apart from the above-mentioned settings, do I need to perform any additional steps to set up the latest cryptolib?
  2. After extracting the common crypto I see an additional folder "fips". How shall we deal with this folder's content? Do I need to set up any additional parameter for that folder's content?
  3. Does SAP use the "operating system" OpenSSL to establish the connection to the external web service?
  4. Does SAP use its own kernel / crypto (SAP's own OpenSSL) and connect to the external web service?
  5. My OS is SUSE Linux SP11. In its current state it does not have an OpenSSL which supports TLS V1.2. Is that the reason that I am unable to connect to web services which are running on TLS 1.2?
  6. I am able to connect to other web services which are running on SSLV3 and TLS 1, but it is not connecting when it comes to pure TLSV 1.2.

----------------------------------------

Please find below the logs from SMICM.

[Thr 140048473114368] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140048473114368]    session uses PSE file "/usr/sap/SE1/DVEBMGS59/sec/SAPSSLC.pse"

[Thr 140048473114368] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 140048473114368]   secude_error 536875120 (0x20001070) = "SSL API error"

[Thr 140048473114368] >>            Begin of Secude-SSL Errorstack            >>

[Thr 140048473114368] 0x20001070   SAPCRYPTOLIB   SSL_connect

[Thr 140048473114368] SSL API error

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] 0xa0600278   SSL   ssl3_read_bytes

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] <<            End of Secude-SSL Errorstack

[Thr 140048473114368]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 140048473114368]   SSL NI-sock: local=10.1.1.214:34300  peer=10.1.1.33:443

[Thr 140048473114368] <<- ERROR: SapSSLSessionStart(sssl_hdl=7f5f8c01b220)==SSSLERR_SSL_CONNECT

[Thr 140048473114368] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000544} [icxxconn_m

----------------------------------------

Please help in resolving this issue.

Thanks in advance !!

Regards,

Vardhan.

0 Kudos

Hello All,

After quite a long time I have to work on TLS setup again.

This time the use case is different. Along with TLS 1.2 we are also using a CDN; for that we need an additional step along with all the steps executed in this thread.

The recommended parameter values above also enable client-side sending of the optional TLS extension SNI, to further improve interop with Cloud-based servers (Azure, AWS), services hosted at some Content Distribution Networks (CDNs) such as Cloudflare and Akamai, plus Windows 2012R2 and Windows 2016 servers, all of which desperately require the presence of the optional TLS extension SNI for access (see SAP Note 2124480 for 74x Kernels and parameter icm/HTTPS/client_sni_enabled, and SAP Note 2384290 for 721/722 Kernels and parameter ssl/client_sni_enabled).

I am posting this so that it will be helpful for someone who has a similar kind of use case.

Please note there is a kernel dependency.

Thanks!!

Vardhan.

Accepted Solutions (1)

Former Member

Hello Vardhan,

You have set:

ssl/client_ciphersuites             192:HIGH:MEDIUM:+e3DES:!aNULL

This will only cover TLSv1.0 and SSLv3.

For you to get TLSv1.2 (also covering TLSv1.1) please try by setting the following and restart your system.

ssl/client_ciphersuites     =     790:HIGH:MEDIUM:+e3DES

KR,

Amerjit

Former Member

Hello Amerjit,

Thanks for your quick response.

I have set the parameter as mentioned by you and restarted the system, but I still see the same error as mentioned above.

As I asked earlier, do we need to make any changes to the OpenSSL that is present on my OS?

Because after installing the latest cryptolib in SAP, SAP has the capability to send / receive requests over TLS 1.2, but my OS, SUSE Linux, right now only supports up to TLS 1.0 and not TLS V1.2.

I want to know whether, to establish this secure SSL connection, there is any dependency on the OS that the SAP application has been installed on. Do I also need my OS to have the latest OpenSSL installed that supports TLS 1.2, or is the call initiated directly from SAP to the external web service without any dependency on the OS?

Thanks in advance!!

Regards,

Vardhan.

Former Member

Hi Vardhan,

I read through your initial message again as I was guilty of speed reading through it the first time.

I see that you also need to support TLS V1.0 and SSLV3.

With that in mind, the parameter should be set as follows (see option #7 of 510007 again to see how the 982 is derived):

ssl/client_ciphersuites     =     982:HIGH:MEDIUM:+e3DES

I'm honestly not sure about the OS dependency (if there is one). Let's see if can help you out on this.

What I would do in any case (useful for troubleshooting) is update your openssl on your machine (I'm running 1.0.2a)

As an additional note, what version and patch level of the SAP kernel are you running ? The minimum required level is mentioned in the note below.

2110020 - Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS

(AS ABAP 6xx, 7xx or AS Java >= 710)

KR,

Amerjit
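
Added example (not part of any post in this thread, and not SAP code): a decoder for the numeric prefix of ssl/client_ciphersuites, showing why 192 carries no TLSv1.2 bit while 790 and 982 do. The bit meanings are taken from SAP Note 510007, which the thread cites but does not quote; the function names are hypothetical.

```python
import re

# Bit meanings per SAP Note 510007 (cited in the thread, not quoted there).
PROTOCOL_BITS = {64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}
OPTION_BITS = {
    1: "BC: accept SSLv2-format ClientHello",
    2: "BEST: enable highest protocol version the library supports",
    4: "NO_GAP: no gaps between enabled protocol versions",
    16: "blind sending of a client certificate",
    32: "strict protocol version configuration",
}
KNOWN_MASK = sum(PROTOCOL_BITS) | sum(OPTION_BITS)

def parse_profile_line(line):
    """Accept both 'name = value' and the 'name   value' layout seen in the thread."""
    m = re.match(r"^\s*(ssl/\S+?)\s*=?\s*(\d+:\S+)\s*$", line)
    if not m:
        raise ValueError("not an ssl/*ciphersuites line: %r" % line)
    return m.group(1), m.group(2)

def decode(value):
    """Split '<flags>:<cipher spec>' and name each flag bit that is set."""
    flags_text, _, spec = value.partition(":")
    flags = int(flags_text)
    return {
        "flags": flags,
        "cipher_spec": spec,
        "protocols": [n for b, n in PROTOCOL_BITS.items() if flags & b],
        "options": [n for b, n in OPTION_BITS.items() if flags & b],
        "unknown_bits": flags & ~KNOWN_MASK,  # non-zero means a bit not listed above
    }

def explicitly_enables(value, protocol):
    """True if the protocol's own bit is set (BEST is reported, not resolved)."""
    return protocol in decode(value)["protocols"]

if __name__ == "__main__":
    # Constructed input: the three client values discussed in the thread.
    for line in ("ssl/client_ciphersuites   192:HIGH:MEDIUM:+e3DES:!aNULL",
                 "ssl/client_ciphersuites = 790:HIGH:MEDIUM:+e3DES",
                 "ssl/client_ciphersuites = 982:HIGH:MEDIUM:+e3DES"):
        name, value = parse_profile_line(line)
        d = decode(value)
        print(name, d["flags"], d["protocols"], d["options"], sep=" | ")
```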

Former Member

Hello Amerjit,

Once again thanks for your quick turn around.

I have adjusted the profile parameter and tested; still the same error.

My kernel release is 721 and the support package level is 201.

One last thing: I would like to understand the OS dependency for using sapcryptolib. Does SAP crypto depend on OS support for TLS V1.2?

Thanks,

Vardhan.

Former Member

Hi Vardhan,

That's the one question I really can't answer.

I suppose the only way of answering it (unless someone else on SCN - from SAP - chips in) is to update your openssl as I suggested before. That way you take the question off the table.

The other thing is to get the moderator to move this question over to the SAP Single Sign-On space, where I think you'll get deeper insight.

KR,

Amerjit

Former Member

Hello Amerjit,

Thanks a lot!!! for your continuous support in getting me to a logical end.

I have raised a note with SAP to get the information on the question regarding the OS support we have.

I was told SAP uses its own kernel to connect to external websites. There is no dependency on the OS OpenSSL version.

And the profile parameter you mentioned has also worked for me.

ssl/client_ciphersuites     =     982:HIGH:MEDIUM:+e3DES

Sorry, in the initial post I said it didn't work because, on my web service side, I requested them to enable the cipher suites supported by SAP as mentioned in Note # 510007.

Thanks,

Vardhan.

Former Member

Hi Vardhan,

Glad it's working for you now and at least I now know the answer to the OS dependencies for the future :-).

Please close the thread.

KR,

Amerjit

akhil316
Discoverer

Hi Amerjit,

We have the same situation and I would like to know if you have made any changes to the parameter ssl/ciphersuites, which has a default value of 193. We have changed the parameter ssl/client_ciphersuites to 982 as advised.

Thanks,

Akhil

Former Member

Hello Akhil,

Could you open a new thread describing your problem and attaching the trace file(s) with the error(s)?

KR,

Amerjit

Answers (1)

Former Member

Hi Vardhan,

We have integrated SAP PO to SFDC.

Now Salesforce is upgrading from TLS 1.0 to TLS 1.1,

and now I am not able to connect to SFDC after the change to TLS 1.1.

Kindly let us know how to achieve this.

Regards

Pradeep

Former Member

Hi Pradeep,

Try to set up this profile parameter; this should work for all TLS versions from SSLv3 to the latest, provided you are on the supported version of the kernel as mentioned above in the SAP note.

ssl/client_ciphersuites     =    982:HIGH:MEDIUM:+e3DES


Thanks,

Vardhan.

Former Member

Hi Vardhan,

Thanks,

I have a bit of confusion as per the SAP Note.

Can you please explain how to set the profile parameters step by step?

We are using SAP PO 7.4 single stack (Java only).

Regards

Pradeep A

edgar_humann
Explorer

Hi Pradeep,

If I got your problem right, the PO Java system is the SSL client?

Then have a look at this entry:

http://scn.sap.com/message/16715368

Hope this helps ...

Regards

Edgar