
How to enable TLSV1.1 on JAVA stack PI7.31?

0 Kudos

Hello Guys,

We have a request from one of our FTPS clients to switch the certificates from SHA1 to SHA2. We installed the new certificates under Trusted CAs and also made sure that the network is open for the new ports that they requested.

However, the connection is refused by the remote host. And when we asked the client for a resolution, they told us to check the TLS version that we support.

Here is the log of the handshake:

I need to know how we can make this work by supporting TLSV1.1.

As-is scenario: The FTPS is working with SHA1 and supports TLSV1.0 on port 21.

To-be scenario:

We need to support FTPS on SHA2, TLSV1.1 on port 20021.

Our SAP PI 7.31 system is Java stack and has the SAPCRYPTO-Library 5.5.5pl38.

We tried adding the below parameters to make this work but failed with the same error even after restarting the server.

ssl/cipersuites=135:HIGH

ssl/client_ciphersuites=150:HIGH

I have gone through various SAP notes but cannot think of a solution.

Do we need to import a higher version of the libraries to make this work?

Regards,

Simran

Accepted Solutions (1)

engswee
Active Contributor
0 Kudos

Hi Simran

Please refer to the ongoing discussion below about support for TLS

Re: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake

If you refer to 's replies there, you would see that when AS Java is acting as the client, SAP Java Cryptographic Toolkit is used (instead of SAP Cryptolib). And at the moment the toolkit only has support for TLS1.0.

It is a very long thread but there seems to be some progress with assistance from SAP Development there - you can check if their solution (which is for SOAP Axis) can be applied to your case as well.

Regards

Eng Swee

0 Kudos

Does that mean that SAPCRYPTO-Library cannot support TLSv1.1?

engswee
Active Contributor
0 Kudos

Hi Simran

I saw your query in the other thread. Even though you are using FTPS as a sender channel, it behaves as a Client component and not a Server Component. A Server Component would mean that PI is actually the server that hosts the files.

As it is still behaving as a Client component, it uses SAP Java Cryptographic Toolkit and not SAP Cryptolib. And as mentioned already, the toolkit only supports TLS1.0 at the moment.

I'd suggest you open a call with SAP to get their support on this as well, since they are also assisting the few others in the other thread.

Regards

Eng Swee
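
Added example (not part of the thread and not SAP code): a way to confirm from a packet capture that the client side is only offering TLS 1.0, by reading the version in the ClientHello and decoding the alert the server sends back. It assumes you have the raw TLS bytes that follow `AUTH TLS` on the FTPS control connection; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# Wire-format version codes and the two alerts relevant to a version mismatch.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
LEVELS = {1: "warning", 2: "fatal"}
# handshake_failure is generic; protocol_version names a version mismatch explicitly.
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_records(data):
    """Yield (content_type, payload) for each plaintext TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        offset += 5 + length

def diagnose(client_bytes, server_bytes):
    """Return (highest version the client offered, (level, alert) the server sent)."""
    offered, alert = None, None
    for ctype, payload in parse_records(client_bytes):
        # Record type 22 = handshake; handshake type 1 = ClientHello.
        if ctype == 22 and len(payload) >= 6 and payload[0] == 1:
            # After the 4-byte handshake header comes client_version.
            offered = VERSIONS.get((payload[4], payload[5]), "unknown")
    for ctype, payload in parse_records(server_bytes):
        if ctype == 21 and len(payload) == 2:  # record type 21 = alert
            alert = (LEVELS.get(payload[0], "unknown"),
                     ALERTS.get(payload[1], "alert_%d" % payload[1]))
    return offered, alert

def build_client_hello(major, minor):
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    body = (bytes([major, minor]) + bytes(32) + b"\x00"   # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")          # one cipher suite, null compression
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hello).to_bytes(2, "big") + hello

# Constructed server reply: alert record carrying fatal handshake_failure.
SAMPLE_SERVER_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(diagnose(build_client_hello(3, 1), SAMPLE_SERVER_ALERT))
```

If the ClientHello shows TLSv1.0 and the server requires TLSv1.1, changing certificates or cipher suite parameters on the client will not clear the alert; the client library has to offer the higher version.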

Answers (1)

0 Kudos

Should I move this question to SAP basis?