Skip to Content

sap pi 7.4 http_aae tls 1.2 sap jvm

Hi

I'm using a http_aae receiver adaptor on sap pi 7.4 latest patch to connect to a https site which support now only tls 1.2

I implemented the note 2284059, i read all the blogs related to this problem, in xpi_inspector the connection is fine but when i test in the pi scenario the adapter is failing with

javax.net.ssl.SSLHandshakeException: Server chose unsupported or disabled protocol: Unknown-3.3.
So somehow it seems that tls1.2 it's completely disabled on the server when using it from adapter even if in xpi_inspector is working fine.

regards,

Florin

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Oct 13, 2017 at 07:28 AM

    Dear Florin,

    The HTTP_AAE adapter doesn't use the IAIK library so even if Note 2284059 is in your system, it's not taken into consideration. The HTTP_AAE adapter uses the JVM's SSL implementation. Please check SAP Note 2393811 - TLS/SSL setting in HTTP_AAE Adapter for receiver channel. This Note describes in detail what JVM version can be used for TLSv1.2 in the HTTP_AAE adapter.


    Best regards,
    Mate

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 13, 2017 at 08:05 AM

    Hi

    I forgot to say that i already configured at the channel level to try to use TLSv1.1(https.protocols=TLSv1.1), and i get the same error .

    javax.net.ssl.SSLHandshakeException: Server chose unsupported or disabled protocol: Unknown-3.3 (TLS 1.2).

    Then the problem can be that 1.1 is valid starting with oracle update 111 and i'm on sap jvm 6.1.072( oracle update85).

    I will try to update the sap jvm but from what you say 1.2 will never be supported in AAE on PI7.4 since this one is working only on jvm 6.1

    Best Regards,

    Florin Stoian

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Florin,

      If SAP Note 2393811 - TLS/SSL setting in HTTP_AAE Adapter for receiver channel is not available in your system with the JVM described then the parameter https.protocols will be never be interpreted.

      You understood it correctly, with JVM6.1 you won't be able to use TLSv1.2. I can suggest one workaround. The SOAP adapter uses the IAIK library. If the receiver application is able to handle calls from the SOAP adapter, then you can connect via TLSv1.2 (of course this is a far-fetched assumption from me, but in some cases HTTP_AAE can be replaced by SOAP adapter).

      Best regards,
      Mate