
How to enable TLS v1.2 or above for all communication on the SAP server?

0 Kudos

Currently our server is running TLS v1.0

Due to security reasons, we want to update it to use TLS v1.2 or TLS v1.3

What steps are needed to do this upgrade?

Accepted Solutions (1)

cris_hansen
Advisor

Hello Mangesh,

You can follow SAP Note 510007 for this matter.

Regards,

Cris

Answers (1)

former_member612251
Participant

As Cris has correctly pointed you to the above, this should provide you with the details you need. TLS 1.3 is not supported currently for ABAP, last time I checked... I am presuming you are talking about your ABAP stack and not the JAVA stack?

The below is from note 51007...

Over the course of year 2016, a growing number of TLS servers were reconfigured to abort/reject TLSv1.0 handshakes, or they are requiring forward secrecy (PFS) cipher suites for access. The currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.4.49):

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

icm/HTTPS/client_sni_enabled = TRUE

ssl/client_sni_enabled = TRUE

SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE

0 Kudos

Thanks for the response, I am getting this error while trying to set the above parameters:

sap-tls-settings-error.png

0 Kudos

Also, are these parameters supposed to be maintained on the 'Default' profile? Or the instance profile?

You can put the parameters in any profile and they will apply, only an ICM restart is needed.

Keep in mind that the above values (which are taken from note 510007) enable TLS 1.2 with 1.1 and 1.0 fallback.

If you want to ensure TLS 1.2 without fallback see configuration from note 2384290 (this is also shown in 510007 in the section with the table that contains the cipher string options).

Also for the client cipher suites you should apply the settings on your icm/ssl_config_X using the CIPHERS option to configure.

Finally, you can disable specific ciphers by prefixing them with the ! character. Execute the command sapgenpse.exe tlsinfo -H to see a list of ciphers and elliptic curves you can configure.
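
The check below is an added example, not part of the original thread or of any SAP tooling: it decodes the numeric prefix of the cipher strings quoted above and reports which protocol versions below TLSv1.2 each parameter still allows. Assumptions: the flag bit values are those of the table in SAP Note 510007 (they are not on this page, so verify them against the note), enabled versions are treated as contiguous, and the function names and the 545 value are constructed for illustration.

```python
# Flag bits of the numeric prefix. ASSUMPTION: values as listed in the table in
# SAP Note 510007 (1 = BC, 4 = NO_GAP, 16 = blind client certificate are not
# needed here); they are not on this page, so check them against the note.
BEST, STRICT = 2, 32
VERSIONS = [(64, "SSLv3"), (128, "TLSv1.0"), (256, "TLSv1.1"), (512, "TLSv1.2")]

# Parameters and SETENV variables from the thread that carry a cipher string.
CIPHER_KEYS = {"ssl/ciphersuites", "ssl/client_ciphersuites",
               "SAPSSL_CLIENT_CIPHERSUITES"}

def enabled_versions(value):
    """Protocol versions enabled by a value like '135:PFS:HIGH::EC_P256:EC_HIGH'."""
    head = value.split(":", 1)[0].strip()
    if not head.isdigit():
        raise ValueError(f"no numeric flag prefix in {value!r}")
    n = int(head)
    on = [i for i, (bit, _) in enumerate(VERSIONS) if n & bit]
    if not n & STRICT:
        on.append(1)                  # TLSv1.0 is enabled automatically unless STRICT
    if n & BEST:
        on.append(len(VERSIONS) - 1)  # highest available version
    if not on:
        return []
    # ASSUMPTION: enabled versions are always contiguous (NO_GAP behaviour).
    return [name for _, name in VERSIONS[min(on):max(on) + 1]]

def audit_profile(text):
    """Map each cipher parameter in a profile to the versions below TLSv1.2 it allows."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key.startswith("SETENV_"):  # SETENV_nn = NAME=value
            key, _, val = (p.strip() for p in val.partition("="))
        if key in CIPHER_KEYS:
            findings[key] = [v for v in enabled_versions(val) if v != "TLSv1.2"]
    return findings

# Constructed samples: the thread's values, and a constructed strict value
# (545 = 512 + 32 + 1) for comparison.
THREAD_PROFILE = """\
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
"""
STRICT_PROFILE = "ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH\n"

if __name__ == "__main__":
    for name, prof in (("thread", THREAD_PROFILE), ("strict", STRICT_PROFILE)):
        print(name, audit_profile(prof))
```

An empty list for a parameter means only TLSv1.2 remains enabled; the values to use for a no-fallback setup should come from note 2384290, as the reply above says.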