on 07-10-2020 10:02 AM
Hi Experts,
We have received below communication from SAP
We have the C4C integration with ECC via PI and a Web Dispatcher
I need to find out the minimum required Netweaver version of PI that will continue to support TLSv1.2. Our ECC and PI versions are ECC6 EHP7 and PI Netweaver 7.4 SP12 respectively.
We have C4C Integration with ECC 6 EHP 7 and PI 7.4 SP12
As per the above communication, we need to change the below parameters on ECC and PI to be compliant with the disablement of TLSv1.1 at the C4C end:
CommonCryptoLib file should be greater than or equal to 8.4.48, ssl/ciphersuites (Server) value in your SAP system (PI/ERP/BW) is = 801:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol versions to strict TLSv1.2, TLSv1.1 only, or ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol version to strict TLSv1.2 (disabling SSLv3, TLSv1.0, TLSv1.1)
Will this be enough, as per our understanding, according to the versions of ECC and PI (given above)?
My concern is around the TLSv1.2 support on our versions of ECC and PI 7.4 SP12.
Please help!
Regards,
Vijish
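The two ssl/ciphersuites values quoted in the post above differ only in their leading number, which is a sum of option and protocol flags. The following is an added example, not part of the original post and not SAP code, that decodes that number; the bit meanings and the BEST / NO_GAP / non-strict behaviour are assumptions taken from SAP Note 510007 and should be confirmed against the note for your CommonCryptoLib release.

```python
# Added example, not SAP code. Bit meanings are assumed from SAP Note 510007;
# confirm them against the note for your CommonCryptoLib release.
OPTIONS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT", 32: "STRICT"}
PROTOCOLS = {64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}
ORDER = list(PROTOCOLS.values())  # oldest to newest


def decode_ciphersuites(value):
    """Decode '<flags>:<cipher spec>' into options, protocols and cipher spec."""
    head, _, cipher_spec = value.strip().partition(":")
    if not head.isdigit():
        raise ValueError(f"no numeric flag field in {value!r}")
    bits = int(head)
    unknown = bits & ~(sum(OPTIONS) + sum(PROTOCOLS))
    if unknown:
        raise ValueError(f"unrecognised flag bits: {unknown}")
    options = [name for bit, name in OPTIONS.items() if bits & bit]
    enabled = {name for bit, name in PROTOCOLS.items() if bits & bit}
    if "STRICT" not in options:
        enabled.add("TLSv1.0")  # assumed: enabled automatically unless STRICT
    if "BEST" in options:
        enabled.add("TLSv1.2")  # assumed: highest version the library offers
    if "NO_GAP" in options and enabled:
        # assumed: every version between the oldest and newest is filled in
        lo = min(ORDER.index(p) for p in enabled)
        hi = max(ORDER.index(p) for p in enabled)
        enabled.update(ORDER[lo:hi + 1])
    return {
        "options": options,
        "protocols": [p for p in ORDER if p in enabled],
        "cipher_spec": cipher_spec,
    }


def tls12_only(value):
    """True when the value leaves TLSv1.2 as the only enabled protocol."""
    return decode_ciphersuites(value)["protocols"] == ["TLSv1.2"]


if __name__ == "__main__":
    # The two values quoted in the post
    for v in ("801:PFS:HIGH::EC_P256:EC_HIGH", "545:PFS:HIGH::EC_P256:EC_HIGH"):
        print(v, "->", decode_ciphersuites(v)["protocols"])
```

Run against a profile's current value before and after the change to confirm which protocol versions the system will still negotiate.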
Hi Vijish.
Yes,
Regards
SS
Hi Vijish.
1. Only on PI do you have to enable TLS 1.2, and check that the SAP Web Dispatcher supports TLS 1.2.
2. The same PI might be used for on-premise ERP to non-SAP systems; for that you have to keep TLS 1.0 & 1.1.
Regards
SS
Hmm, I did not quite get the whole picture. So some estimates below:
Now, when dealing with scenario 1, PI is out of scope when it comes to TLS. It is the Web Dispatcher you have to look at. Also ECC or any receiver is out of scope, nothing will change there (whether it is a good idea to rely on TLS 1.1 or even 1.0 when communicating within your own network is another story).
You need to make sure you allow for TLS 1.2 and matching cipher suites on the Web Dispatcher. You could easily check which TLS versions / cipher suites are allowed by your WebDisp (assuming it is reachable from the public internet) via tools like https://www.ssllabs.com/ssltest/index.html
Cheers
Jens
Hi Jens,
Thanks for your comment. Yes, we have the first scenario that you mentioned, i.e.
C4C <--> Web Disp <--> PI <--> ECC
So below is the current output I get on our Web Dispatcher. Could you please suggest if any additional actions are needed considering the below KBA - https://cxwiki.sap.com/display/c4crelease/Disabling+TLSv1.1+protocol+and+weak+Ciphers+for+Outbound+C...
As server
As client
Hi Vijish,
I'm not exactly familiar with the configuration steps needed for Web Dispatcher regarding TLS 1.2, nor do I think it is the job of a community to deliver custom-tailored plug-and-play solutions to one's specific problems. I think it is more the job of the community to give directions to the right solution or have an overview of different opinions / POVs about a topic or question.
That being said I have four further remarks 🙂
Hi Jens,
The flow is in both directions, i.e.
SAP ECC --> PI --> C4C
C4C --> Web Dispatcher --> PI --> SAP ECC (No end to end SSL)
Apologies for the confusion. As I understand, PI will need Kernel/CommonCryptoLib patching along with the parameter update.
Thanks for your suggestions, appreciate it!
Hi Vijish.
1. The current version of SAP NW PI 7.4 supports TLS 1.2.
2. Is your PI currently integrated with SAP C4C & ECC? If yes, then you only have to enable TLS 1.2; don't disable TLS 1.1 & 1.0 because they are required for your internal ERP system communication.
3. On the SAP C4C side they are going to disable TLS 1.1; communication from ERP to C4C will use TLS 1.2.
Regards
SS
Hi Sriram,
Thanks for your response. Yes, our PI is currently used for integration between ECC and SAP C4C. From your response I understand that setting the suggested parameters (in the default profile) of ECC and PI, along with updating CommonCryptoLib, must be enough to comply with SAP C4C's disablement of TLSv1.1, right?
Regards,
Vijish