How to enable TLS v1.2 or above for all communication on the SAP server?

Currently our server is running TLS v1.0.

Due to security reasons, we want to update it to use TLS v1.2 or TLS v1.3.

What steps are needed to do this upgrade?

2 Answers

  • Best Answer
    Posted on Jun 01, 2020 at 03:48 PM

    Hello Mangesh,

    You can follow SAP Note 510007 for this matter.

    Regards,

    Cris

  • Posted on Jun 01, 2020 at 06:44 PM

    As Cris has correctly pointed you to the above, this should provide you with the details you need. TLS 1.3 is not supported currently for ABAP last time I checked... I am presuming you are talking about your ABAP Stack and not the JAVA stack?

    The below is from note 51007...

    Over the course of year 2016, a growing number of TLS servers were reconfigured to abort/reject TLSv1.0 handshakes, or they are requiring forward secrecy (PFS) cipher suites for access. The currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.4.49):

    ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

    ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

    icm/HTTPS/client_sni_enabled = TRUE

    ssl/client_sni_enabled = TRUE

    SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
    SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
    SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE

    • You can put the parameters in any profile and they will apply, only an ICM restart is needed.

      Keep in mind that the above values (which are taken from note 510007) enable TLS 1.2 with 1.1 and 1.0 fallback.

      If you want to ensure TLS 1.2 without fallback see configuration from note 2384290 (this is also shown in 510007 in the section with the table that contains the cipher string options).

      Also for the client cipher suites you should apply the settings on your icm/ssl_config_X using the CIPHERS option to configure.

      Finally, you can disable specific ciphers by prefixing them with the ! character; execute the command sapgenpse.exe tlsinfo -H to see a list of ciphers and elliptic curves you can configure.
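
Added example, not part of the original thread and not SAP code: a small Python check that decodes the leading number of the cipher-suite strings quoted above and reports which legacy protocol versions they leave enabled. The bit meanings are an assumption based on the editor's reading of the flag table in SAP Note 510007 (they do not appear on this page), the fallback rules are simplified, and `decode`, `audit` and `SAMPLE` are hypothetical names.

```python
import re

# Assumption: bit meanings as read from the flag table in SAP Note 510007;
# they are not on this page, so verify them against the note before relying on this.
FLAGS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT",
         32: "STRICT", 64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1",
         512: "TLSv1.2"}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
PARAM = re.compile(r"(ssl/(?:client_)?ciphersuites|SAPSSL_CLIENT_CIPHERSUITES)"
                   r"\s*=\s*(\d+):")

def decode(value):
    """Return (flag names, protocol versions those flags enable)."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    on = {n for n in names if n in ORDER}
    if "BEST" in names:
        on.add("TLSv1.2")   # highest version the library offers
    if "STRICT" not in names:
        on.add("TLSv1.0")   # enabled implicitly unless STRICT is set
    idx = sorted(ORDER.index(p) for p in on)
    if "NO_GAP" in names and idx:
        idx = list(range(idx[0], idx[-1] + 1))  # fill holes between versions
    return names, [ORDER[i] for i in idx]

def audit(profile_text):
    """Map each cipher-suite parameter to the pre-1.2 versions it still allows."""
    findings = {}
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue        # skip commented-out profile lines
        m = PARAM.search(line)
        if m:
            _, versions = decode(int(m.group(2)))
            findings[m.group(1)] = [v for v in versions if v != "TLSv1.2"]
    return findings

# Constructed sample profile using the values quoted in the thread.
SAMPLE = """\
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = TRUE
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
"""

if __name__ == "__main__":
    for param, legacy in audit(SAMPLE).items():
        print(f"{param}: legacy versions enabled: {legacy or 'none'}")
```

An empty list for a parameter means only TLS 1.2 remains enabled under these assumed rules; confirm the actual server behaviour with a handshake test after the ICM restart.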
