Juergen Adolf

SAP BTP Transport Layer Security (TLS) Connectivity Support

Many customers have questions regarding the encryption of data in transit. SAP BTP uses encrypted communication channels based on HTTPS/TLS.

What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today, used by web browsers and other applications that need to exchange data securely over a network. Through encryption and endpoint identity verification, TLS ensures that a connection reaches the intended remote endpoint. The protocol is described by the Internet Engineering Task Force (IETF) in Requests for Comments (RFCs). It evolves over time to support higher standards. More information can be found at https://en.wikipedia.org/wiki/Transport_Layer_Security

SAP BTP's servers support the TLS 1.2 version of the TLS protocol. Older versions are not supported.

Since November 2021 it has been possible to opt in to TLS 1.3 in the Custom Domain Manager. This allows the use of TLS 1.3 with applications running on SAP BTP. It does not allow the use of TLS 1.3 for SAP standard applications, like the SAP BTP Cockpit or SAP Cloud Identity Services. There, TLS 1.2 still applies.

Using the TLS Configurations tile in the Custom Domain Manager, you can select the Enable HTTP/2 check box to support the HTTP/2 protocol version. For more information, see SAP Note 3118912 and Manage TLS Configurations.

TLS 1.3, in addition to TLS 1.2, will be enabled for all platform domains in June 2023. Clients supporting TLS 1.3 will automatically agree to the new version during the TLS handshake with the Cloud Foundry Load Balancers. Clients not supporting TLS 1.3 will automatically stick to a TLS 1.2 handshake. For custom domains, the platform will not adjust the configuration, and TLS 1.3 must be enabled in the custom domain configuration, see Manage TLS Configurations.

See SAP Note: 3308931 – TLS 1.3 Support for Cloud Foundry Platform Domains
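
The version selection described above can be reproduced offline when auditing captured handshakes for clients that would be affected by a TLS configuration change. The following is an added example, not code from this post or from SAP: it parses a ClientHello and applies the selection rule from RFC 8446 and RFC 5246. The function names, the two server version sets (modelled on the statements in this post) and the sample ClientHello bytes are constructed assumptions.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
PLATFORM_DOMAIN = {0x0303, 0x0304}   # assumed: platform domains as described in the post
CUSTOM_DOMAIN_DEFAULT = {0x0303}     # assumed: custom domain without the TLS 1.3 opt-in

def build_hello(legacy, supported=None):
    """Constructed sample ClientHello (handshake message, no record header)."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
    if supported:
        sv = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(sv) + 1, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_versions(hello):
    """Return (legacy_version, supported_versions list or None)."""
    if len(hello) < 39 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    legacy = struct.unpack_from("!H", hello, 4)[0]
    pos = 38                                              # past header, version, random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]    # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    if pos + 2 > len(hello):
        return legacy, None                               # no extensions block
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 43 and data:                       # supported_versions extension
            n = min(data[0], len(data) - 1) & ~1          # even number of list bytes
            return legacy, [struct.unpack_from("!H", data, i)[0] for i in range(1, 1 + n, 2)]
        pos += 4 + ext_len
    return legacy, None

def negotiate(hello, server_enabled):
    """Version the server would select, or None if the handshake would fail."""
    legacy, supported = parse_versions(hello)
    if supported is not None:          # RFC 8446: the extension overrides legacy_version
        common = set(supported) & server_enabled
    else:                              # pre-1.3 client: highest server version <= client_version
        common = {v for v in server_enabled if v <= legacy}
    return NAMES[max(common)] if common else None
```

A result of `None` marks a client that offers no version the endpoint accepts, for example a TLS 1.1-only client against a platform domain.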

 

In case of problems in the Neo environment, and for more in-depth information, please read:

SAP Note 2923117 – SAP Cloud Platform NEO – TLS 1.2 Migration – How to address problems with old TLS protocol versions in clients accessing SAP Cloud Platform NEO of SCP

 

 

      9 Comments
      Wolfgang Röckelein

      Hi Juergen Adolf,

      thanks for the helpful overview.

      However, what about TLS 1.3 and HTTP/2?

      It is 2019!

      Regards,

      Wolfgang

      Patrick Lowin

      Hi, just stumbled across this.

      There is a dedicated blog about HTTP/2 in CF: https://blogs.sap.com/2022/02/16/http-2-on-sap-btp-cloud-foundry-runtime/

      Juergen Adolf
      Blog Post Author

      Hello Wolfgang,

      it is on the roadmap and we will support it in the near future.

      Jens Schwendemann

      This statement is getting 2 years old soon, happy B-Day ;-P

      *SCNR*

      Kai-Fabius Pribyl

      Hello Juergen,

       

      can you please tell me the timeline for disabling TLS 1.0 and 1.1?

      We run a host via API Management Service on eu1 (neo) that is only supporting TLS 1.2 at the moment. I fear that the support of older versions has just ended, as we are experiencing some troubles that may be TLS related.

       

      Regards

      Kai

       

       

      Juergen Adolf
      Blog Post Author

      Hello,

      I did update the blog post. For compatibility reasons the old Neo environments will not disable TLS 1.0 and TLS 1.1. The workaround is to use custom domains.

      If you want to activate the use of TLS 1.2 only in your Neo Region, you may use custom domains to do so. See SAP Note 2586984 – Restrict SAP Cloud Platform to use TLS1.2 only and SAP Note 2732964 – How to control TLS version in SAP Cloud Platform Neo Environment.

      Simone Cattozzi

      Could you please tell us the timeline for disabling TLS 1.0 and 1.1?

       

      Thanks

      Juergen Adolf
      Blog Post Author

      Hello,

      I did update the blog post. For compatibility reasons the old Neo environments will not disable TLS 1.0 and TLS 1.1. The workaround is to use custom domains.

      If you want to activate the use of TLS 1.2 only in your Neo Region, you may use custom domains to do so. See SAP Note 2586984 – Restrict SAP Cloud Platform to use TLS1.2 only and SAP Note 2732964 – How to control TLS version in SAP Cloud Platform Neo Environment.

      Franz Reitmayer

      Hello Juergen Adolf,

       

      You mentioned a roadmap for SCC regarding TLS 1.3. I can't find it at https://www.sap.com/germany/products/roadmaps/finder-all.html?sort=title_asc&search=connector

      Can you please refer to that roadmap? Can you please say whether TLS 1.3 is supported meanwhile or when it will be supported?

       

      Thanks and Regards,

      Franz