
TLS 1.2 Support in SAP

Hello Colleagues,

I am in the process of establishing a connection from SAP to an external web service hosted by some vendor. For security reasons they have disabled SSLv3 and TLS 1.2, and they are accepting connections which come through HTTPS and TLSv1.2.

So based on the note http://service.sap.com/sap/support/notes/2065806, it is possible to establish a connection to external web services which are running on the TLS 1.2 protocol only if our SAP has CommonCryptoLib 8.4.31 and above, so I have downloaded the latest CommonCryptoLib 8.4.37 and upgraded.

I have also installed the URL's certificate in the STRUST store.

I have also set up the profile parameters mentioned in note http://service.sap.com/sap/support/notes/510007. After setting these profile parameters in RZ10 I have also restarted the server. But for the profile parameters, when I check, it says "Unknown profile parameter"; I read in some note that this message can be ignored. Please find the additional parameters for my cipher suites.

ssl/client_ciphersuites                 192:HIGH:MEDIUM:+e3DES:!aNULL
ssl/ciphersuites                        135:HIGH:MEDIUM:+e3DES:!aNULL

From SE38 I have run program "SSF02" and selected the radio button "Determine version". I see the below message, so I am assuming my CryptoLib upgrade has no issues.

SSF Test Program

Version              (on application server)

Result:  SSF_API_OK

Version information:                                      145

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 (+MT) #Copyright (c) SAP AG, 2011-2015#compiled for linux-gcc-4.1-x86-64#

I have some open questions after setting up the system.

  1. Apart from the above-mentioned settings, do I need to perform any additional steps to set up the latest CryptoLib?
  2. After extracting the CommonCryptoLib I see an additional folder "fips". How shall we deal with this folder's content? Do I need to set up any additional parameter for that folder's content?
  3. Does SAP use the "operating system" OpenSSL to establish the connection to the external web service?
  4. Does SAP use its own kernel / crypto (SAP's own OpenSSL) and connect to the external web service?
  5. My OS is SUSE Linux SP11. In its current state it does not have an OpenSSL which supports TLS v1.2. Is that the reason that I am unable to connect to web services which are running on TLS 1.2?
  6. I am able to connect to other web services which are running on SSLv3 and TLS 1. But it is not connecting when it comes to pure TLS v1.2.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Please find below the logs from SMICM.

[Thr 140048473114368] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140048473114368]    session uses PSE file "/usr/sap/SE1/DVEBMGS59/sec/SAPSSLC.pse"

[Thr 140048473114368] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 140048473114368]   secude_error 536875120 (0x20001070) = "SSL API error"

[Thr 140048473114368] >>            Begin of Secude-SSL Errorstack            >>

[Thr 140048473114368] 0x20001070   SAPCRYPTOLIB   SSL_connect

[Thr 140048473114368] SSL API error

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] 0xa0600278   SSL   ssl3_read_bytes

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] <<            End of Secude-SSL Errorstack

[Thr 140048473114368]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 140048473114368]   SSL NI-sock: local=10.1.1.214:34300  peer=10.1.1.33:443

[Thr 140048473114368] <<- ERROR: SapSSLSessionStart(sssl_hdl=7f5f8c01b220)==SSSLERR_SSL_CONNECT

[Thr 140048473114368] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000544} [icxxconn_m

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Please help in resolving this issue.

Thanks in advance !!

Regards,

Vardhan.

Former Member replied

Hi Vardhan,

I read through your initial message again as I was guilty of speed reading through it the first time.

I see that you also need to support TLS V1.0 and SSLV3.

With that in mind, the parameter should be set as follows (see option #7 of 510007 again to see how the 982 is derived):

ssl/client_ciphersuites     =     982:HIGH:MEDIUM:+e3DES

I'm honestly not sure about the OS dependency (if there is one). Let's see if @Martin Rex can help you out on this.

What I would do in any case (useful for troubleshooting) is update your openssl on your machine (I'm running 1.0.2a).

As an additional note, what version and patch level of the SAP kernel are you running? The minimum required level is mentioned in the note below.

2110020 - Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS (AS ABAP 6xx, 7xx or AS Java >= 710)

KR,

Amerjit
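
Added example (not part of the thread and not SAP code): a decoder for the numeric prefix of ssl/client_ciphersuites and ssl/ciphersuites, run on the three values quoted above. The bit meanings are assumed from section 7 of SAP Note 510007, whose table is not reproduced on this page, so check them against the note.

```python
# Added example. Bit meanings follow section 7 of SAP Note 510007 as recalled
# here; the table is not on this page, so treat the mapping as an assumption.
FLAGS = {
    1: "BC: accept SSLv2-format ClientHello",
    2: "BEST: enable the highest TLS version the library supports",
    4: "NO_GAP: no gaps between enabled protocol versions",
    16: "allow blind sending of a client certificate",
    32: "strict protocol version configuration",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}
PROTOCOL_BITS = (64, 128, 256, 512)


def decode(value):
    """Decode e.g. '982:HIGH:MEDIUM:+e3DES' into its flags and cipher string."""
    head, _, ciphers = value.strip().partition(":")
    if not head.isdigit():
        raise ValueError(f"no numeric flag prefix in {value!r}")
    number = int(head)
    return {
        "number": number,
        "options": [FLAGS[b] for b in FLAGS if number & b and b not in PROTOCOL_BITS],
        "protocols": [FLAGS[b] for b in PROTOCOL_BITS if number & b],
        "best": bool(number & 2),
        "unknown_bits": number & ~sum(FLAGS),  # bits with no meaning in the table
        "ciphers": ciphers,
    }


def allows_tls12(value):
    """True if TLSv1.2 is switched on explicitly (512) or via BEST (2).

    BEST only yields TLSv1.2 on a library version that implements it.
    """
    d = decode(value)
    return "TLSv1.2" in d["protocols"] or d["best"]


if __name__ == "__main__":
    # Values quoted in the thread: the two from the question, then the reply's.
    for v in ("192:HIGH:MEDIUM:+e3DES:!aNULL",
              "135:HIGH:MEDIUM:+e3DES:!aNULL",
              "982:HIGH:MEDIUM:+e3DES"):
        d = decode(v)
        print(d["number"], d["protocols"], d["options"], "TLSv1.2:", allows_tls12(v))
```

For 192 the decoder reports only SSLv3 and TLSv1.0 with no BEST flag, which is consistent with the "TLS1.0 protocol version alert" in the SMICM trace in the question.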
