Disabling TLSv1.1 protocol for Outbound Communication Scenarios

As a part of our commitment to continuous improvement and to follow industries best practices, we plan to configure our servers to support the latest protocol versions to ensure we are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave our systems vulnerable to downgrade attacks, where hackers force connections to our servers to use older versions of the protocols that have known exploits. This can leave the encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.

SCOPE

Disabling TLSv1.1 protocol for Outbound Communication Scenarios from your SAP Business ByDesign system.

Why are we disabling TLSv1.1 protocol?

The following is a quick summary of reasons to eliminate the use of TLS 1.0 / 1.1.

• Cloud providers across the market are deprecating the use of TLS 1.0 / 1.1
• Support of crypto-libraries offering TLS 1.0 and 1.1 is being ended
• PCI DSS requires TLS 1.1 or higher since 30.06.2018, TLS 1.2 is recommended even longer https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
• SSL Labs testing decreased the rating from A+ to B in January 2020 for servers supporting TLS 1.0 or 1.1
• Browsers started in 2019 / Q1 2020 deprecating TLS 1.0 and 1.1 marking servers that still support them as insecure (e.g. Chrome: https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html)

SCENARIOS TO CHECK

1. Browser Settings – Check if TLSv1.2 are enabled.
2. Connectivity between SAP Business ByDesign to SAP CPI – No action to be taken as SAP CPI already support TLSv1.2
3. Connectivity between SAP Business ByDesign to SAP PI/ERP – Please follow the details mentioned in FAQ section below to know how to enable TLSv1.2 in your system in case if it is not done already

FAQ’s

1) What is TLS?

Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

2) Which protocols are supported currently when BYD acts as Client?

TLSv1.1, TLSv1.2

3) After disabling TLSv1.1 which protocols are supported by BYD in the client role?

TLSv1.2

4) Cipher Suites that will be supported by BYD after this activity?

   Before and After the ciphers supported will remain same and will not be changed

• TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA
• TLS_RSA_WITH_AES128_GCM_SHA256
• TLS_RSA_WITH_AES256_GCM_SHA384
• TLS_RSA_WITH_AES128_CBC_SHA
• TLS_RSA_WITH_AES256_CBC_SHA

5) Settings to enable/check if TLSv1.2 protocol is allowed in your SAP system

Check the parameter ssl/ciphersuites in your SAP system(PI/BW/ERP) and see if the value defined for it supports TLSv1.2 protocol or not, if YES – then the connection from SAP Business ByDesign to your on-premise system/application will work even after disabling TLSv1.1 protocol at BYD, in case if your system supports only TLSv1.1 then you need to enable TLSv1.2 protocol by following the details mentioned in the SAP Note: 510007

For SAP PO(Standalone Java) please refer the following SAP NOTES: 2284059, 2540433, 2569156, 2708581

6) Recommended Parameters and Library files for enabling TLSv1.2 protocol

CommonCryptoLib file should be greater than or equal to 8.4.48, ssl/ciphersuites(Server) value in your SAP System(PI/ERP/BW) is= 801:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol versions to strict TLSv1.2, TLSv1.1 only or  ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH for limiting protocol version to strict TLSv1.2(disabling SSLv3, TLSv1.0, TLSv1.1)

7) How to check which Protocol and Ciphers are supported by your SAP system?

Run the following command in your sap web dispatcher or application server whichever is talking to BYD → sapgenpse tlsinfo <parameter value defined in ssl/ciphesuites>

8) How to check the supported protocol and cipher suites of your Non-SAP systems?

There are external sites where you can check which protocols and cipher suites are supported by your system/URL

9) Examples of third-party components that have issues with TLSv1.2

In case if the SSL termination is happening in your BigIP F5 Load Balancer there is a known issue with digital signatures other than (sha1, RSA) in TLSv1.2, a patch is available for fixing digital signatures other than (sha1, RSA) with TLS client certificates – https://api-u.f5.com/support/kb-articles/K76313281?pdf