You are using SAP NetWeaver Process Integration (PI) and you have previously created or you plan to create a scenario connecting to Salesforce.
Why do I have to update the Transport Layer Security (TLS)?:
Starting in June 2016, Salesforce have began disabling the TLS 1.0 encryption protocol in a phased approach across impacted Salesforce services. The disablement of TLS 1.0 will prevent it from being used to access the Salesforce service within inbound and outbound connections (1).
Also, the older versions of PI use at maximum TLS 1.0. So you will need to update your system to be able to communicate with Salesforce with TLS 1.1 and/or TLS 1.2.
What will happen if I do not update my system to use TLS 1.1/1.2?
If you do not update your system, you will then not be able to configure a scenario accessing Salesforce.
You will also face an error when running your scenario. This error might be similar to the following one:
“TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.”
How do I update my PI system to use TLS 1.1/1.2?
Please review and apply SAP KBA 2344735 PI: Salesforce error with TLS 1.0 (2).
- As mentioned in the KBA, you have to update the Software Component SERVERCORE according to SAP Note 2284059 Update of SSL library within NW Java server (3).
- You should also apply every dependent Software Components as per SAP Note 1794179 Importing AS Java Core patches for NetWeaver 7.1+ (4).
- In general no further configuration steps are required after the update. All configurations in regards to usage of trusted certificates/keystore etc. remains unchanged.
- Due to the fact that the default range of supported TLS versions was extended it is possible that you will meet an old legacy system, not able to select a lower TLS version as a response of TLS client_hello containing TLS1.2 as highest possible version. Because of this we recommend to test all connections in QA/Test envoroment before implementing this note in production.