ssl/client_ciphersuite not working on my Java stack

Former Member
0 Kudos

I am testing SSL on my Netweaver dual stack lab system with 742 Kernel and CommonCrypto 8.4.37.

I set the following client_ciphersuites in the DEFAULT.PFL profile:

ssl/client_ciphersuites = 151:HIGH

Which basically should use the latest TLS version first.

After setting it, I tested it to make sure, with SAP calling (as client) another SAP server.

For the ABAP stack, via RFC (type G), the result was successful and I am able to see TLSv1.2 being negotiated.

For the Java stack, via a Java Destination, the result was not successful. I am getting TLSv1.0 instead of 1.2 as I've configured.

So am I setting it correctly, or am I missing a setup in the Java stack, or is there a bug in the code?

I would assume DEFAULT profile would take care of both the ABAP and Java Stack. Or am I wrong?

Accepted Solutions (1)

guilherme_deoliveira
Participant
0 Kudos

Hello L B,

The parameters you're using are valid only for setting SSL/TLS in the ABAP stack. If you want to set the same in the Java stack, please refer to SAP Notes 2088755 and 2094598.

I hope this guides you.

Best Regards,

Guilherme de Oliveira
SAP Active Global Support

Former Member
0 Kudos

Hi Oliveira,

The note 2088755 - it says for NetWeaver AS Java - configuration is set in DEFAULT.PFL, just like in ABAP.

Same ssl/ciphersuites and ssl/client_ciphersuites parameter settings as in ABAP. 

The settings look identical in the example.

Or do I have to force the port parameter ( icm/server_port_<xx> ) to the ciphersuite that I want?



0 Kudos

Hi LB

Typically run with the following as an example for both ABAP+JAVA, which is what you touched on in your last post


icm/server_port_X = PROT=HTTPS, ..., SSLCONFIG=ssl_config_X
icm/ssl_config_X ..., CIPHERS=151:HIGH
ssl/ciphersuites = 151:HIGH
ssl/client_ciphersuites = 151:HIGH

Cheers
Craig

Former Member
0 Kudos

Hi Craig,

I'll try it out tomorrow and will post the test results.

Thanks.

regards,

LB

Former Member
0 Kudos

Nope, still does not work.


And I think the icm/ssl_config_xx applies to the SSL server.

What I am having an issue with is SAP AS Java being the SSL client.

SSL server settings for both ABAP/Java stacks are OK. I can see TLS 1.2 being used when I called it from a browser.

SSL client settings:

In ABAP via SM59, I can call the target server and it's showing TLS 1.2 (line 4 - 20).

But in Java via Destination, calling the same target server, it shows TLS 1.0 (line 26 - 41).

Maybe it's a bug in CommonCrypto and not taking the ssl/client_ciphersuites settings?

Former Member
0 Kudos

Upgraded kernel to 7.42 PL 200 and common crypto lib 8.4.42, still couldn't get it to use the highest TLS.

Former Member
0 Kudos

Hello,

You are right, HTTP/S Destinations (SSL client) on AS Java are Java native. Only the ICM server side uses the CommonCryptoLib, which supports TLS 1.2.
Currently the Java native implementation supports only TLS 1.0.
But there are plans to implement TLS 1.2 support also on the AS Java client side in the future.
Watch out for the release notes for upcoming patch releases on AS Java.

best regards

Alexander Gimbel
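
To check what a client-side stack such as the AS Java destination discussed above actually offers, independent of any profile parameter, the ClientHello it sends can be inspected. The following is an added example, not part of the original thread and not SAP code; `offered_version` and `build_hello` are hypothetical names, the sample hellos are constructed, and the supported_versions handling goes beyond the thread to cover TLS 1.3 clients.

```python
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def offered_version(record: bytes) -> str:
    """Parse one TLS record carrying a ClientHello; return the highest version offered."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("truncated ClientHello")
        pos += n
        return record[pos - n:pos]
    def num(n: int) -> int:
        return int.from_bytes(take(n), "big")

    if num(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    take(4)                      # record-layer version and length (not the offer)
    if num(1) != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = num(3)
    end = pos + hs_len
    offered = [num(2)]           # client_version: the client's maximum for TLS <= 1.2
    take(32)                     # random
    take(num(1))                 # session_id
    take(num(2))                 # cipher_suites
    take(num(1))                 # compression_methods
    if pos < end:                # extensions are optional
        ext_len = num(2)
        ext_end = pos + ext_len
        while pos < ext_end:
            ext_type = num(2)
            data = take(num(2))
            if ext_type == 43 and data:   # supported_versions, sent by TLS 1.3 clients
                offered += [int.from_bytes(data[i:i + 2], "big")
                            for i in range(1, 1 + data[0], 2)]
    known = [v for v in offered if v in VERSIONS]   # ignores GREASE placeholders
    return VERSIONS[max(known)] if known else hex(offered[0])

def build_hello(legacy: int, supported=None) -> bytes:
    """Constructed sample ClientHello (not a capture) for exercising the parser."""
    body = legacy.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if supported:
        lst = b"".join(v.to_bytes(2, "big") for v in supported)
        data = bytes([len(lst)]) + lst
        ext = (43).to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

Feed it the first record read from a test listener that the destination is pointed at; a result of TLSv1.0 means the client never offered 1.2, whatever the server side supports.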

Answers (0)