on 09-25-2015 11:25 PM
I am testing SSL on my Netweaver dual stack lab system with 742 Kernel and CommonCrypto 8.4.37.
I set the following client_cipherssuite in the DEFAULT.PFL profile
ssl/client_ciphersuites = 151:HIGH
Which basically should use the latest TLS version first.
After setting I tested it to make sure SAP is calling (client) another Sap server.
For ABAP stack, via RFC (type G), the results was successful and I am able to see TLSv1.2 being negotiated.
For Java Stack, via Java Destination, the results was not successful. I am getting TLSv1.0 instead of 1.2 as what I've configured.
So am I setting it correctly or am I missing a setup in the Java stack or is there a bug on the code?
I would assume DEFAULT profile would take care of both the ABAP and Java Stack. Or am I wrong?
Hello L B,
The parameter you're using are valid only to setting SSL/TLS in ABAP stack. If you want to set the same in JAVA stack, please refer to SAP Notes 2088755 and 2094598.
I hope this guides you.
Best Regards,
Guilherme de Oliveira
SAP Active Global Support
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Oliveira,
The note 2088755 - it says for Netweaver AS Java - configuration is set in DEFAULT.PLF, just like in ABAP.
Same ssl/ciphersuites and ssl/client_ciphersuites parameter settings as in ABAP.
The settings look identical in the example.
Or do I have to force the port parameter ( icm/server_port_<xx> ) to the ciphersuite that I want?
Nope, still does not work.
And I think the icm/ssl_config_xx applies to the SSL server.
What I am having issue is SAP AS JAVA being the SSL Client.
SSL Server settings for both ABAP/Java stack is ok. I can see TLS 1.2 being used when I called it from a browser.
SSL Client settings:
In ABAP via SM59, I can call the target server and it's showing TLS 1.2 (line 4 - 20)
But in Java via Destination, calling the same target server, it shows TLS 1.0 (line 26 - 41).
Maybe it's a bug in CommonCrypto and not taking the ssl/client_ciphersuites settings?
Hello,
you are right, HTTP/S Destinations (SSL client) on AS Java is Java native. Only the ICM server side uses the CommonCryptotLib which supports TLS 1.2.
Currently the Java native implementation supports only TLS 1.0.
But there are plans to implement TLS1.2 support also on AS JAVA client side in the future.
Watch out for the release notes for upcoming patch releases on AS Java.
best regards
Alexander Gimbel
User | Count |
---|---|
101 | |
13 | |
13 | |
11 | |
11 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.