Former Member

TLS support on SAP ASE 15.7


Hi,

Can anyone confirm that ASE 15.7 supports TLS 1.2?

We can get all cipher suites enabled but does it support TLS 1.2?

sp_ssladmin lscipher
go

Cipher Suite Name                        Preference
---------------------------------------- ----------
TLS_RSA_WITH_AES_256_CBC_SHA                      1
TLS_RSA_WITH_AES_128_CBC_SHA                      2
TLS_RSA_WITH_3DES_EDE_CBC_SHA                     3
TLS_RSA_WITH_RC4_128_SHA                          4
TLS_RSA_WITH_RC4_128_MD5                          5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA                 6
TLS_DHE_DSS_WITH_RC4_128_SHA                      7
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 8
TLS_RSA_WITH_DES_CBC_SHA                          9
TLS_DHE_DSS_WITH_DES_CBC_SHA                     10
TLS_DHE_RSA_WITH_DES_CBC_SHA                     11

This cipher is found within ASE, and even if it is used, it does not mean it is using the TLS 1.2 protocol, since we are not negotiating from the WebSphere application server and we are forcing only TLSv1.2 to be used.

When I tried to retrieve the signer certificate from the WebSphere console, it told me that the database server does not support TLS, and it failed until I changed the security level for WebSphere to accept TLS 1.0 or SSL, which is not acceptable since both protocols are vulnerable (ASE should support TLS 1.2).

And it is used for all secure communications of the application servers, since it is a general configuration over the cell: when it is forced to TLS 1.2 the error appears, and when we lower it to accept TLS 1.0 or SSLv3 the application server accepts the connection with the database server.

I have attached the RFC that covers TLS/SSL... Please check Appendix A.5 on page 75; you will find that TLS_RSA_WITH_AES_256_CBC_SHA is listed as a cipher suite for TLS 1.2.

Regards,

Marc


4 Answers

  • Best Answer
    Jan 04, 2016 at 02:29 PM

    With sp_ssladmin you can show and set the allowed cipher suites.

    To see what the client is actually using, you can check this variable: @@ssl_ciphersuite

    select @@ssl_ciphersuite

    go

    TLS_RSA_WITH_AES_256_CBC_SHA

    Note that older OpenSSL versions do not support SHA2 certificates.

    OpenSSL is now delivered as part of your SAP Sybase installation; you need a recent version, e.g. 1.0.1h, to be able to use SHA2 certificates (I didn't test all versions, but I know for sure that older versions like 1.0.1b do not support SHA2). As part of ASE 15.7 SP132, openssl 1.0.1h-fips is installed.

    I think the OpenSSL 1.0.1 series is supported till the end of 2016 only, so sooner or later SAP Sybase will also have to switch to the OpenSSL 1.0.2 series.


    • Former Member Jeff Tallman

      Hi Jeff,

      Thanks a lot for the valuable info provided.

      I have already opened a technical case with SAP support (BC-SYB-ASE) in parallel.

      But would it be feasible to ask for an additional feature or enhancement in future ASE releases, so that the protocol used by ASE can be checked without an external tool such as openssl s_client?

      Maybe a new global variable, similar to the one used to check the cipher suite, @@ssl_ciphersuite.

      @Ryan, Thanks a lot for the effort done to test TLS 1.x support.

      I have done the same on my laptop and found the same result.
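The thread's central point is that a cipher suite name such as TLS_RSA_WITH_AES_256_CBC_SHA is valid under TLS 1.0, 1.1 and 1.2 alike, so @@ssl_ciphersuite alone cannot tell you which protocol version was negotiated; the version lives in the ServerHello that the server sends during the handshake. The following is an added example, not code from the thread or from SAP, that decodes the negotiated protocol version and cipher suite from a ServerHello record and checks it against a "TLS 1.2 or better" policy. The ServerHello bytes are constructed inline (fixed random, empty session id) so it runs offline; the cipher suite ids are the IANA values for the suites in the sp_ssladmin output above.

```python
"""Decode which protocol version and cipher suite a TLS server actually negotiated.

Added example: parses a TLS 1.0-1.2 ServerHello (RFC 5246 section 7.4.1.3) and
reports the version field, which is the authoritative answer to "is this
connection TLS 1.2?" regardless of the cipher suite name.
"""
import struct

# IANA cipher suite ids for the suites listed by sp_ssladmin lscipher.
CIPHER_SUITES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
}

# (major, minor) as carried in the ServerHello server_version field.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
MIN_ACCEPTED = (3, 3)  # policy: TLS 1.2 or newer

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def parse_server_hello(record: bytes) -> dict:
    """Return protocol, cipher suite and policy verdict for one ServerHello record.

    Raises ValueError on anything that is not a well-formed ServerHello, so a
    truncated or alert record is never mistaken for a successful negotiation.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id_length(1) is the fixed prefix.
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])
    sid_len = hello[34]
    pos = 35 + sid_len
    if len(hello) < pos + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    (suite_id,) = struct.unpack(">H", hello[pos:pos + 2])
    # Note: TLS 1.3 keeps 3,3 here and signals itself via the supported_versions
    # extension; that is out of scope for the 15.7-era servers discussed above.
    return {
        "protocol": VERSIONS.get(version, "unknown(%d.%d)" % version),
        "cipher_suite": CIPHER_SUITES.get(suite_id, "unknown(0x%04x)" % suite_id),
        "meets_tls12_policy": version >= MIN_ACCEPTED,
    }


def build_server_hello(major: int, minor: int, suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (constructed sample data)."""
    server_random = bytes(range(32))  # fixed instead of random, for reproducibility
    hello = (bytes([major, minor]) + server_random
             + bytes([len(session_id)]) + session_id
             + struct.pack(">H", suite_id) + b"\x00")  # compression: null
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD, major, minor]) + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    # Same cipher suite, two different protocol versions: only the version field
    # distinguishes them, which is why the suite name alone proves nothing.
    for major, minor in ((3, 1), (3, 3)):
        print(parse_server_hello(build_server_hello(major, minor, 0x0035)))
```

The same decoder applies to a ServerHello captured from a real connection, e.g. the first handshake record the client receives after sending its ClientHello; the verdict field is what a "TLS 1.2 only" policy, such as the WebSphere setting described in the question, would act on.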

  • Former Member
    Jan 07, 2016 at 10:59 AM

    Hi again,

    As we were testing SSL/TLS between WebSphere and SAP ASE 15.7, we configured WebSphere to use SSL.

    We have encountered the below error on WebSphere when trying to connect to ASE:

    [12/28/15 18:10:40:735 GMT] 00000237 DSConfigurati W   DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource.  Encountered java.sql.SQLException: JZ0D5: Error loading protocol com.sybase.jdbc4.ssl.SSL. DSRA0010E: SQL State = JZ0D5, Error Code = 0.

    java.sql.SQLException: JZ0D5: Error loading protocol com.sybase.jdbc4.ssl.SSL. DSRA0010E: SQL State = JZ0D5, Error Code = 0
            at com.sybase.jdbc4.jdbc.ErrorMessage.raiseError(ErrorMessage.java:753)
            at com.sybase.jdbc4.jdbc.ProtocolManager.getProtocol(ProtocolManager.java:124)
            at com.sybase.jdbc4.jdbc.SybUrlManager.loadProtocol(SybUrlManager.java:325)
            at com.sybase.jdbc4.jdbc.SybDataSource$UrlProvider.<init>(SybDataSource.java:2744)
            at com.sybase.jdbc4.jdbc.SybDataSource.createSybUrlProvider(SybDataSource.java:2693)
            at com.sybase.jdbc4.jdbc.SybDataSource.getConnection(SybDataSource.java:311)
            at com.sybase.jdbc4.jdbc.SybConnectionPoolDataSource.getPooledConnection(SybConnectionPoolDataSource.java:103)
            at com.ibm.ws.rsadapter.DSConfigHelper$1.run(DSConfigHelper.java:1266)
            at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477)
            at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603)
            at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
            at com.ibm.ws.rsadapter.spi.ServerFunction$6.run(ServerFunction.java:567)
            at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
            at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1281)
            at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1189)
            at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:2071)
            at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:1947)
            at com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionForGUI(DSConfigurationHelper.java:2814)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnectionToDataSource2(DataSourceConfigHelperMBean.java:556)
            at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnection(DataSourceConfigHelperMBean.java:484)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:69)
            at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:272)
            at javax.management.modelmbean.RequiredModelMBean$4.run(RequiredModelMBean.java:1152)
            at java.security.AccessController.doPrivileged(AccessController.java:301)
            at com.ibm.oti.security.CheckedAccessControlContext.securityCheck(CheckedAccessControlContext.java:30)
            at sun.misc.JavaSecurityAccessWrapper.doIntersectionPrivilege(JavaSecurityAccessWrapper.java:41)
            at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1146)
            at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:999)
            at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:847)
            at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:783)
            at com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:1335)
            at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
            at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:1228)
            at com.ibm.ws.management.commands.AdminServiceCommands$InvokeCmd.execute(AdminServiceCommands.java:251)
            at com.ibm.ws.console.core.mbean.MBeanHelper.invoke(MBeanHelper.java:241)
            at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testNode(ResourceMBeanHelper.java:860)
            at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testConnection(ResourceMBeanHelper.java:292)
            at com.ibm.ws.console.resources.database.jdbc.DataSourceDetailAction.testConnection(DataSourceDetailAction.java:713)
            at com.ibm.ws.console.resources.database.jdbc.DataSourceCollectionAction.execute(DataSourceCollectionAction.java:339)
            at org.apache.struts.action.RequestProcessor.processActionPerform(Unknown Source)
            at org.apache.struts.action.RequestProcessor.process(Unknown Source)
            at org.apache.struts.action.ActionServlet.process(Unknown Source)
            at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
            at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:136)
            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:79)
            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:964)
            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1104)
            at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:1385)
            at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:194)
            at org.apache.struts.action.RequestProcessor.doForward(Unknown Source)
            at org.apache.struts.tiles.TilesRequestProcessor.doForward(Unknown Source)
            at org.apache.struts.action.RequestProcessor.processForwardConfig(Unknown Source)
            at org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(Unknown Source)
            at org.apache.struts.action.RequestProcessor.process(Unknown Source)
            at org.apache.struts.action.ActionServlet.process(Unknown Source)
            at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
            at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:136)
            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:97)
            at com.ibm.ws.console.core.servlet.WSCUrlFilter.setUpCommandAssistance(WSCUrlFilter.java:964)
            at com.ibm.ws.console.core.servlet.WSCUrlFilter.continueStoringTaskState(WSCUrlFilter.java:511)
            at com.ibm.ws.console.core.servlet.WSCUrlFilter.doFilter(WSCUrlFilter.java:332)
            at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:964)
            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1104)
            at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
            at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:914)
            at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1662)
            at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
            at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1049)
            at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:643)
            at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1818)
            at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
            at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
            at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
            at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
            at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
            at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
            at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
            at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1865)

    Can anyone help in explaining this issue and how to resolve it?

    Marc


    • SQLException: JZ0D5: Error loading protocol

      JZ0D5

      Error loading protocol _____.

      Action: Check the settings for the CLASSPATH system variable.

      The test with isql: is that running from the same server where WebSphere is installed?

      Is it using the same Sybase client as WebSphere?

      One thing you might want to check is the version of the Sybase Open Client and the jConnect version used by WebSphere.

      There are a lot of changes related to SSL in 15.7 SP100.

  • Former Member
    Apr 05, 2016 at 07:45 AM

    Hello,

    FYI, I logged an incident for the same. As Jeff explained, the more customers the better. I've always found that SSL support with ASE was "lazy", since the initial release with the Certicom suite. The 16.0 documentation is more comprehensive, and openssl is finally used, but we're still running behind industry standards.

    Cheers,

    Laurent


    • Please keep logging the cases. As of now, it *looks* like TLS 1.2 support will be in 15.7 sp137 in June, with TLS 1.2 support for 16sp02 coming in Q4-ish. All caveats apply wrt timing/roadmaps, etc. While both 15.7 and 16.0sp02 (and earlier) used OpenSSL, it looks like future ASE's (beyond sp02) will transition to a common crypto library that is going through FIPS certification as we speak. This will minimally help reduce a lot of confusion around SSL vulnerabilities, as many of those that affect OpenSSL don't actually affect ASE.

  • Former Member
    Apr 05, 2016 at 06:13 PM

    Thank you for the clarification, Jeff. Frankly, they should be building TLS support into ALL connections.
