Minimum PI Netweaver version for Disabling TLSv1.1 protocol and weak Ciphers C4C

avijish
Participant
0 Kudos

Hi Experts,

We have received below communication from SAP

https://cxwiki.sap.com/display/c4crelease/Disabling+TLSv1.1+protocol+and+weak+Ciphers+for+Outbound+C...

We have the C4C integration with ECC via PI and a Web Dispatcher

I need to find out the minimum required Netweaver version of PI that will continue to support TLSv1.2. Our ECC and PI versions are ECC6 EHP7 and PI Netweaver 7.4 SP12 respectively.

We have C4C Integration with ECC 6 EHP 7 and PI 7.4 SP12

As per the above communication we need to change the below parameters on ECC and PI to be compliant with the disablement of TLSv1.1 at the C4C end:

CommonCryptoLib file should be greater than or equal to 8.4.48, ssl/ciphersuites (Server) value in your SAP System (PI/ERP/BW) is = 801:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol versions to strict TLSv1.2, TLSv1.1 only or ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol version to strict TLSv1.2 (disabling SSLv3, TLSv1.0, TLSv1.1)

Will this be enough, as per our understanding, for the versions of ECC and PI given above?

My concern is around the TLSv1.2 support on our version of ECC and PI 7.4 SP12.

Please help!

Regards,

Vijish
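To make the two profile values quoted in the question easier to compare, here is an added example (not part of the original thread and not SAP code) that decodes the numeric prefix of an ssl/ciphersuites value into protocol versions and checks the CommonCryptoLib minimum from the post. The bit meanings are an assumption based on SAP Note 510007; the function names and the CommonCryptoLib versions used as sample input are constructed.

```python
# Added example. Bit meanings are an assumption taken from SAP Note 510007;
# verify them against the note for your CommonCryptoLib release.
OPTIONS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT", 32: "STRICT"}
PROTOCOLS = {64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}
ORDER = list(PROTOCOLS.values())
MIN_CCL = (8, 4, 48)  # minimum CommonCryptoLib version quoted in the post


def decode(value):
    """Return (option names, enabled protocols) for an ssl/ciphersuites value."""
    mask = int(value.split(":", 1)[0])  # ValueError if there is no numeric prefix
    options = [name for bit, name in OPTIONS.items() if mask & bit]
    enabled = {name for bit, name in PROTOCOLS.items() if mask & bit}
    if not mask & 32:      # without STRICT, TLSv1.0 is switched on automatically
        enabled.add("TLSv1.0")
    if mask & 2:           # BEST: also offer the highest version (TLSv1.2)
        enabled.add("TLSv1.2")
    if mask & 4 and enabled:   # NO_GAP: fill holes between lowest and highest
        idx = [ORDER.index(p) for p in enabled]
        enabled = set(ORDER[min(idx):max(idx) + 1])
    return options, [p for p in ORDER if p in enabled]


def review(value, ccl_version):
    """Summarise a profile value against the TLSv1.2 requirement in the post."""
    _, protocols = decode(value)
    ccl = tuple(int(part) for part in ccl_version.split("."))
    return {
        "protocols": protocols,
        "tls12": "TLSv1.2" in protocols,
        "legacy": [p for p in protocols if p != "TLSv1.2"],
        "ccl_ok": ccl >= MIN_CCL,
    }


if __name__ == "__main__":
    # Profile values from the post; the CommonCryptoLib versions are constructed.
    for value, ccl in [("801:PFS:HIGH::EC_P256:EC_HIGH", "8.4.31"),
                       ("545:PFS:HIGH::EC_P256:EC_HIGH", "8.4.48")]:
        print(value, review(value, ccl))
```

The decoded result only reflects what the profile parameter requests; what the endpoint actually negotiates should still be confirmed with a TLS scan, as suggested later in the thread.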

Accepted Solutions (0)

Answers (4)

Sriram2009
Active Contributor
0 Kudos

Hi Vijish.

Yes,

Regards

SS

avijish
Participant
0 Kudos

Thanks Sriram, Cheers!

JaySchwendemann
Active Contributor
0 Kudos

This answer should really be a comment. I think it is now no longer possible to convert, but maybe keep it in mind for next time 🙂

Sriram2009
Active Contributor
0 Kudos

Hi Vijish.

1. Only on PI do you have to enable TLS 1.2, and check that the SAP Web Dispatcher supports TLS 1.2.

2. The same PI might be used for on-premise ERP to non-SAP systems; for that you have to keep TLS 1.0 & 1.1.

Regards

SS

avijish
Participant
0 Kudos

Thanks Sriram, so the action point will be to enable PI for TLS 1.2 by adding the said profile parameters and updating Kernel/CommonCryptoLib.

JaySchwendemann
Active Contributor
0 Kudos

Hmm, I did not quite get the whole picture. So some estimates below:

  1. Your scenario is C4C --> WebDisp --> PI --> ECC (or some other receiver)
  2. You don't have a scenario ECC (or some other sender) --> PI --> (Proxy) --> C4C

Now, when dealing with scenario 1, PI is out of scope when it comes to TLS. It is Web Dispatcher you have to look at. Also ECC or any receiver is out of scope, nothing will change there (whether it is a good idea to rely on TLS 1.1 or even 1.0 when communicating within your own network is another story).

You need to make sure you allow for TLS 1.2 and matching cipher suites on the Web Dispatcher. You could easily check which TLS versions / cipher suites are allowed by your WebDisp (assuming it is reachable from the public internet) via tools like https://www.ssllabs.com/ssltest/index.html

Cheers

Jens

avijish
Participant
0 Kudos

Hi Jens,

Thanks for your comment. Yes, we have the first scenario that you mentioned, i.e.

C4C <--> Web Disp <--> PI <--> ECC

So below is the current output I get on our Web Dispatcher. Could you please suggest if any additional actions are needed considering the below KBA - https://cxwiki.sap.com/display/c4crelease/Disabling+TLSv1.1+protocol+and+weak+Ciphers+for+Outbound+C...

As server

As client

JaySchwendemann
Active Contributor
0 Kudos

Hi Vijish,

I'm not exactly familiar with the configuration steps needed for Web Dispatcher regarding TLS 1.2, nor do I think it is the job of a community to deliver custom-tailored plug-and-play solutions to one's specific problems. I think it is more the job of the community to give directions to the right solution or have an overview of different opinions / POVs about a topic or question.

That being said I have four further remarks 🙂

  1. I'm still not sure if you have to support only the scenario 1. where C4C is sender (aka client) or if you also need to support a scenario 2. where C4C is receiver (aka server)
  2. If you have scenario 2. also, web dispatcher is out of scope for that (most probably). You would normally route such traffic over a Web Proxy (or have PI in a DMZ and allow for an open FW to directly reach C4C - quite uncommon)
  3. I think the screenshot about Web Dispatcher in server mode looks quite good, doesn't it? Again I would suggest testing this with an SSL Tool
  4. (!) Important: I was under the impression you use your web dispatcher in a load balancing way. There is of course an option to use it as end-to-end ssl. If you are using this option, Web Dispatcher will be out of scope after all and PI will be in scope. Please check

avijish
Participant
0 Kudos

Hi Jen,

The flow is in both directions, i.e.

SAP ECC --> PI --> C4C

C4C --> Web Dispatcher --> PI --> SAP ECC (No end to end SSL)

Apologies for the confusion. As I understand it, PI will need Kernel/CommonCryptoLib patching along with the parameter update.

Thanks for your suggestions, appreciate it!

Sriram2009
Active Contributor
0 Kudos

Hi Vijish.

1. The current version of SAP NW PI 7.4 supports TLS 1.2.

2. Is your PI currently integrated with SAP C4C & ECC? If yes, then you only have to enable TLS 1.2; don't disable TLS 1.1 & 1.0 because it is required for your internal ERP system communication.

3. SAP C4C is going to disable TLS 1.1; communication from ERP to C4C will then use TLS 1.2.

Regards

SS

avijish
Participant
0 Kudos

Hi Sriram,

Thanks for your response, yes our PI is currently used for integration between ECC and SAP C4C. From your response I understand that setting the suggested parameters (in the default profile) of ECC and PI must be enough to comply with SAP C4C's disablement of TLSv1.1, along with updating CommonCryptoLib, right?

Regards,

Vijish