
Error after doing SSL and SSO configuration

Former Member
0 Kudos

Hi All,

We have done the SSL and SSO configuration for our Sandbox system.

Everything works fine with Internet Explorer, but when we try to open the link https://<hostname URL>/irj/portal with Google Chrome and Firefox we get an error saying:

"The certificate chain for this website contains at least one certificate that was signed using a deprecated signature using SHA-1"

As per SAP Note 2094598, mentioned in SAP Note 2088755, we deployed patch 14 for the component SAP-JEECOR, after which we were able to see the two new properties in Visual Admin:

SSL_VERSION_MIN TLS10

SSL_VERSION_MAX TLS11

But even after making these changes we are getting the same error. Our portal system is on NetWeaver 701 patch 15.


Can someone please let me know what changes need to be made in order to resolve the issue which is occurring in Google Chrome and Firefox?


Regards,

Nitin

Accepted Solutions (0)

Answers (1)


former_member200373
Participant
0 Kudos

Hello,

It's not the TLS protocol, but the server certificate or its issuers that are using SHA-1.

So you have to replace it.

-- Stephan

Former Member
0 Kudos

Hi Stephan,

I'm working with Nitin on this issue and I'm not sure if we need to create a certificate request using SHA-2 (SHA-256) or what. The certs are coming from our internal certificate authority server, which is a Windows 2012 PKI server. How do we resolve this with the new certificates? We don't have this problem with IE (surprised, huh?) but with the Chrome and Firefox browsers, which look for deprecated signatures.

Thanks for your help,

Bill Brown

former_member200373
Participant
0 Kudos

It's only Chrome and Firefox that pop up warnings about outdated crypto algorithms or weak key sizes, yes.

First you may check if the authorities of your PKI (i.e. the intermediate CA and the Root CA) are already signed with an SHA-2 hash.

For your new SSL server certificate in AS Java, you have to create a new certificate signing request in NWA, but you won't find a way to use SHA-2 for signing this request. That's not a blocker. Your CA should accept it but issue a new certificate with SHA-2.

-- Stephan
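
The check suggested in the reply above (which hash each certificate in the chain was signed with) can be run offline on an exported PEM bundle. The following Python is an added example, not part of the original thread or of any SAP tool; the function names are illustrative and the certificates produced by `demo_cert` are constructed skeletons, not real certificates.

```python
import base64, re

# DER-encoded signature-algorithm OIDs -> (name, signed with SHA-1?)
SIG_ALGS = {
    "2a864886f70d010105": ("sha1WithRSAEncryption", True),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", False),
    "2a864886f70d01010c": ("sha384WithRSAEncryption", False),
    "2a8648ce3d0401": ("ecdsa-with-SHA1", True),
    "2a8648ce3d040302": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """(name, is_sha1) of the signatureAlgorithm field of one X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)                # Certificate ::= SEQUENCE {
    _, _, tbs_end = read_tlv(der, start)            #   tbsCertificate (skipped)
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  #   signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    oid = der[oid_start:oid_end].hex()
    return SIG_ALGS.get(oid, ("unrecognised OID " + oid, False))

def audit_chain(pem_text):
    """[(index, algorithm, is_sha1)] for every certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    return [(i, *signature_algorithm(base64.b64decode(b))) for i, b in enumerate(blocks)]

def demo_cert(oid_hex):
    """Constructed skeleton (empty tbsCertificate and signature), not a real certificate."""
    alg = bytes.fromhex("06%02x%s0500" % (len(oid_hex) // 2, oid_hex))
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    # Constructed chain: SHA-256 server certificate issued by a SHA-1-signed intermediate.
    for i, name, sha1 in audit_chain(demo_cert("2a864886f70d01010b") + demo_cert("2a864886f70d010105")):
        print(i, name, "REPLACE (SHA-1)" if sha1 else "ok")
```

Pass the text of an exported PEM bundle (server certificate followed by its issuing CAs) to `audit_chain`; algorithms outside the table, such as RSASSA-PSS, are reported as unrecognised rather than classified.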