TLS 1.2 upgrade requirements and configurations

Jul 26, 2017 at 09:31 AM

Former Member

Scenario: NW AS JAVA 7.31 using TLS 1.0, which needs to be upgraded to use TLS 1.2. Web Dispatcher version 7.20.0 is installed. Common Cryptolib version is 8.4.16. The JAVA Portal accepts both inbound and outbound connections. It is connected to an ECC system in the backend.

Requirement: Upgrade existing TLS 1.0 to TLS 1.2.

Findings: We have referred to SAP Notes: 510007, 2284059, 2417205, 2110020, 2439769 and other SCN threads related to TLS 1.2 upgrade, but couldn't find satisfactory answers.

Steps we are going to take as prerequisites for the upgrade are:

1. Upgrading Common Cryptolib to version 8.5.5.

2. Setting the parameters below:

ssl/ciphersuites = 774:PFS:HIGH:MEDIUM

ssl/client_ciphersuites = 768:PFS:HIGH:MEDIUM

3. Current NW version is 7.31 SP 07 (SERVERCORE component has the value 1000.7.31.7.15.2013...). As per SAP Note 2284059, there are no patches available for SP07 (SP08 to SP19 are available). So either upgrade to NW 7.31 SP20 or 7.5 SP01.

4. If required, upgrade SAP Web Dispatcher version from 7.20.0 to 7.49.

Questions:

1. Someone please let us know if the above-mentioned approach is correct and if we are missing out on anything.

2. Where is it best to set the above-mentioned parameters: NW AS JAVA or Web Dispatcher?

3. As per SAP Note 2284059, for NW 7.31 SP20, there are no patches available. So does it mean that no patches are required if upgraded to SP20?

4. If the parameters are set in the Web Dispatcher profile, is it still important to upgrade NW AS JAVA?

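The two parameter values in the question begin with a numeric sum of protocol flags (774 and 768). The following is an added example, not part of the original post or of any SAP tooling, that decodes that sum and lists protocol-level findings. It assumes the flag meanings described in SAP Note 510007, which this page cites but does not quote, so confirm them against the note; the function names and the value `545:PFS:HIGH` are constructed for illustration.

```python
# Added example. Flag meanings follow the descriptions in SAP Note 510007
# (assumption: not quoted on this page; confirm against the note itself).
FLAGS = {
    1: "BC: accept SSLv2-format ClientHello",
    2: "BEST: enable highest TLS version the library supports",
    4: "NO_GAP: no gaps between enabled versions",
    16: "blind sending of client certificate",
    32: "STRICT: do not auto-enable TLSv1.0",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}

def parse(value):
    """Split '774:PFS:HIGH:MEDIUM' into (flag sum, cipher tokens)."""
    head, _, rest = value.strip().partition(":")
    if not head.isdigit():
        raise ValueError("expected a leading numeric flag sum: %r" % value)
    return int(head), [t for t in rest.split(":") if t]

def review(value):
    """Decode the flag sum and list protocol-level findings."""
    flags, tokens = parse(value)
    names = [FLAGS[b] for b in sorted(FLAGS) if flags & b]
    unknown = flags & ~sum(FLAGS)
    findings = []
    if not flags & (512 | 2):
        findings.append("TLSv1.2 not requested (neither 512 nor BEST set)")
    if flags & 64:
        findings.append("SSLv3 flag set")
    if flags & 128:
        findings.append("TLSv1.0 explicitly enabled")
    elif not flags & 32:
        findings.append("STRICT (32) not set: TLSv1.0 may be enabled automatically")
    if unknown:
        findings.append("unknown flag bits: %d" % unknown)
    return {"flags": names, "tokens": tokens, "findings": findings}

if __name__ == "__main__":
    # First two values are from the question; the third is constructed.
    for v in ("774:PFS:HIGH:MEDIUM", "768:PFS:HIGH:MEDIUM", "545:PFS:HIGH"):
        r = review(v)
        print(v, "->", r["flags"], r["findings"] or "no protocol findings")
```
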

1 Answer

Milen Dontcheff
Aug 05, 2017 at 12:04 PM

1. I am not certain what you mean. Still, I would suggest that you at least install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

2. Please review this guide:

https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/98e6a84be0062fe10000000a42189d/content.htm

It is up to you to decide which scenario you will configure. According to your choice, you will need to configure SAP Web Dispatcher, AS Java or both. I would suggest you use either 3, 4 or 5.

3. There are no patches for SPS 19 either. Also, no patches are required for SERVERCORE 7.31 SPS20. This SCA contains all the fixes of the previous SPS.

4. If SERVERCORE is 7.31 SPS 19, the AS Java will support TLS 1.2.

Former Member

Thank you, Milen, for your response and clarification on the NW 7.31 SPS20 point.

We want to upgrade our TLS protocol version from 1.0 to 1.2. So for this, we referred to the above-mentioned SAP Notes and tried to figure out a tentative plan for the upgrade. We wanted to know if the above-mentioned plan is good to go ahead with or if we are missing out on something.

Please elaborate on how installing the JCE Unlimited Strength Jurisdiction Policy files will help in this case.


"Installing JCE Unlimited Strength Jurisdiction Policy files" will make it possible to run more cipher suites. The default suite is only available if the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are installed. Hence, please make sure unlimited JCE is used by the JVM.

2284059 - Update of SSL library within NW Java server

You have not mentioned this "step" in the thread description. Otherwise, I have commented on the rest.