Why use it?
The Payment Card Industry (PCI) announced SSL and TLS 1.0 as no longer secure. (Date Change for Migrating from SSL and Early TLS)
Vendors like Salesforce.com adopt PCI standards and disable SSL and TLS 1.0, so in near future we are forced to use TLS 1.1 or 1.2.
What's the problem
Activating TLSv1.1 or TLSv1.2 on the client side unfortunately results in handshake failures with a certain non-marginal number of older servers.
They implement the negotiation of the SSL/TLS protocol version incorrectly (TLS protocol version intolerance).
Beside version intolerance, TLS extensions in the ClientHello handshake message can cause handshake failures with older servers not supporting that(TLS extension intolerance).
Because of that, all TLS communication has to be tested before using TLSv1.1 or TLSv1.2.
See note 510007 - Setting up SSL on Application Server ABAP for further details.
Outbound communication using IAIK library
Note 2284059 - Update of SSL library within NW Java server introduced new TLS versions for outbound communication using the IAIK library.
Default configuration is stored in iaik_ssl.jar in folder /usr/sap/<SID>/J21/j2ee/cluster/bin/ext/mail-activation.
iaik_ssl.jar contains a SSLContext.properties in folder iaik\security\ssl, listing the default config parameters.
SSLContext.properties
#########################################
|
Manual configuration is possible using custom config file
To enable custom configuration, one has to set the property "iaik.security.ssl.configFile". This is possible using the ConfigTool.
Afterwards you have to create a file having your custom properties e.g. ssl.config.
Recommendation: Copy the values known from SSLContext.properties to avoid problems.
Important custom parameters are listed below:
| Parameter | Example values | Description |
|---|---|---|
| client.minProtocolVersion | TLS12 | Requires TLS 1.2 as minimum version for communication. Lower versions are disabled. |
| client.maxProtocolVersion | TLS11 | Limits usage of TLS to version 1.1 |
| protocolVersions | nfe.fazenda.sp.gov.br(TLS11,TLS11) | Limits communication to TLS 1.1 using domain names. First value is min and second max value. If ports other than 443 are used, they have to be added using a colon. example.com:5443(SSL20,TLS12) |
More options can be found in SAP Note 2284059 - Update of SSL library within NW Java server.
Testing outbound communication
To test communication you can use XPIInspector. Use Example 11 (Authentication, SSL & PP) or Example 50 (XI Channel) if Example 11 does not deliver any results. (Seems to happen for FTPS channels)
SSL Debug Error
Begin IAIK Debug:
|
SSL Debug Success
Begin IAIK Debug:
|
Solving problems
Facing any intolerance errors, try to reduce TLS Versions allowed for domain using parameter protocolVersions. To prevent that the server uses signature extensions, only possible way is to set min version to SSL20 at the moment.
Find channels using TLS/SSL
There is no standard way how to find all channels using TLS/SSL. Some channels can be found with the extended search of the Integration Builder using the attribute "Adapter Type".
This does not work for SOAP channels, therefore we used a SQL-statement to find out all SOAP channels and filtered for https in Excel.
SQL statement
select a.CONTEXTID, a.OBJECTID, b.channel,
|
Note: We are using DB2, xmlparse is a special function there
- SAP Managed Tags:
48 Comments
