Minimum PI Netweaver version for Disabling TLSv1.1 protocol and weak Ciphers C4C

Hi Experts,

We have received the below communication from SAP:

https://cxwiki.sap.com/display/c4crelease/Disabling+TLSv1.1+protocol+and+weak+Ciphers+for+Outbound+Communication+Scenarios

We have the C4C integration with ECC via PI and a Web Dispatcher.

I need to find out the minimum required Netweaver version of PI that will continue to support TLSv1.2. Our ECC and PI versions are ECC6 EHP7 and PI Netweaver 7.4 SP12 respectively.

We have C4C integration with ECC 6 EHP 7 and PI 7.4 SP12.

As per the above communication, we need to change the below parameters to be compliant with the disablement of TLSv1.1 at the C4C end, on ECC and PI:

CommonCryptoLib file should be greater than or equal to 8.4.48, ssl/ciphersuites (Server) value in your SAP system (PI/ERP/BW) is = 801:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol versions to strict TLSv1.2, TLSv1.1 only, or ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol version to strict TLSv1.2 (disabling SSLv3, TLSv1.0, TLSv1.1).

Will this be enough, as per our understanding, according to the versions of ECC and PI (given above)?

My concern is around the TLSv1.2 support on our versions of ECC and PI 7.4 SP12.

Please help!

Regards,

Vijish
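
The two ssl/ciphersuites values quoted in the question can be decoded and checked against a "TLSv1.2 only" target with a short script. This is an added example, not part of the original post and not SAP code; the flag-bit meanings are an assumption taken from SAP Note 510007, the short option labels are the example's own, and the library version passed in is constructed.

```python
# Added example, not SAP code. Flag-bit meanings are an assumption taken from
# SAP Note 510007; verify them against the note before relying on the output.
# Option labels are this example's own shorthand.
FLAGS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT", 32: "STRICT"}
PROTOCOLS = {64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_CCL = (8, 4, 48)  # minimum CommonCryptoLib version quoted in the question


def decode(value):
    """Split '<flags>:<cipher tokens>' and decode the numeric flag field."""
    head, _, ciphers = value.strip().partition(":")
    bits = int(head)
    unknown = bits & ~sum(list(FLAGS) + list(PROTOCOLS))
    if unknown:
        raise ValueError(f"unrecognised flag bits: {unknown}")
    return {
        "protocols": {name for bit, name in PROTOCOLS.items() if bits & bit},
        "options": {name for bit, name in FLAGS.items() if bits & bit},
        "ciphers": ciphers,
    }


def review(value, ccl_version):
    """Findings against a 'TLSv1.2 only' target; an empty list means compliant."""
    cfg, findings = decode(value), []
    if tuple(int(p) for p in ccl_version.split(".")) < MIN_CCL:
        findings.append("CommonCryptoLib older than 8.4.48")
    if "TLSv1.2" not in cfg["protocols"] and "BEST" not in cfg["options"]:
        findings.append("TLSv1.2 not enabled")
    for proto in sorted(cfg["protocols"] & LEGACY):
        findings.append(f"{proto} still enabled")
    if "STRICT" not in cfg["options"] and "TLSv1.0" not in cfg["protocols"]:
        findings.append("STRICT missing: TLSv1.0 may be enabled automatically")
    # BEST / NO_GAP widen the range beyond the explicit bits; flagged, not modelled.
    if cfg["options"] & {"BEST", "NO_GAP"}:
        findings.append("BEST/NO_GAP set: versions beyond the explicit bits may be enabled")
    return findings


if __name__ == "__main__":
    # The two values quoted in the question, with a constructed library version.
    for v in ("801:PFS:HIGH::EC_P256:EC_HIGH", "545:PFS:HIGH::EC_P256:EC_HIGH"):
        print(v, "->", sorted(decode(v)["protocols"]), review(v, "8.5.30"))
```

The script only reads the configured value; what a server actually negotiates still has to be confirmed with an external scan such as the one suggested in the answers.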

4 Answers

  • Posted on Jul 10, 2020 at 09:40 AM

    Hi Vijish.

    1. The current version of SAP NW PI 7.4 supports TLS 1.2.

    2. Is your PI currently integrated with SAP C4C & ECC? If yes, then you have to enable only TLS 1.2; don't disable TLS 1.1 & 1.0 because they are required for your internal ERP system communication.

    3. SAP C4C is going to disable TLS 1.1; communication from ERP to C4C will use TLS 1.2.

    Regards

    SS

    • Hi Sriram,

      Thanks for your response. Yes, our PI is currently used for integration between ECC and SAP C4C. From your response I understand that setting the suggested parameters (in the default profile) of ECC and PI, along with updating CommonCryptoLib, must be enough to comply with SAP C4C's disablement of TLSv1.1, right?

      Regards,

      Vijish

  • Posted on Jul 10, 2020 at 12:29 PM

    Hmm, I did not quite get the whole picture. So some estimates below:

    1. Your scenario is C4C --> WebDisp --> PI --> ECC (or some other receiver)
    2. You don't have a scenario ECC (or some other sender) --> PI --> (Proxy) --> C4C

    Now, when dealing with scenario 1, PI is out of scope when it comes to TLS. It is the Web Dispatcher you have to look at. Also ECC or any receiver is out of scope; nothing will change there (whether it is a good idea to rely on TLS 1.1 or even 1.0 when communicating within your own network is another story).

    You need to make sure you allow for TLS 1.2 and matching cipher suites on the Web Dispatcher. You could easily check which TLS versions / cipher suites are allowed by your WebDisp (assuming it is reachable from the public internet) via tools like https://www.ssllabs.com/ssltest/index.html

    Cheers

    Jens

    • Hi Jen,

      The flow is in both directions, i.e.

      SAP ECC --> PI --> C4C

      C4C --> Web Dispatcher --> PI --> SAP ECC (No end to end SSL)

      Apologies for the confusion. As I understand it, PI will need Kernel/CommonCryptoLib patching along with the parameter update.

      Thanks for your suggestions, appreciate it!

  • Posted on Jul 10, 2020 at 01:05 PM

    Hi Vijish.

    1. Only on PI do you have to enable TLS 1.2, and check that the SAP Web Dispatcher supports TLS 1.2.

    2. The same PI might be used for on-premise ERP to non-SAP systems; for that you have to keep TLS 1.0 & 1.1.

    Regards

    SS

  • Posted on Jul 10, 2020 at 01:49 PM

    Hi Vijish.

    Yes,

    Regards

    SS
