Skip to Content
Technical Articles

Troubleshoot TLS 1.2 with Elliptic-curve cryptography

At the time of writing this blog – Election week 2020, Confluent Cloud Shema Registry using Let’s Encrypt to sign the certificates for Schema Registry (HTTPS endpoint), it uses TLS 1.2, ECDHE_RSA with P-256, and AES_256_GCM.

And it’s not working with SAP PO 7.5 latest SP 19. There is a list of default cipher suites, but it’s not including the one above. For more information or those steps below not working, refer to this note 2284059.

The solution is to update the cipher suits list. Follow these steps:

  1. Identify the problem. Follow this note 2616423
  2. Make sure the JCE policy files on the server are unlimited. Follow this note 1240081
  3. Add a system property “iaik.security.ssl.configFile” to point custom-defined cipher suites. Follow this note 2708581
  4. Restart Java AS to get the new system property effect.

 

Implementation Steps:

Note: Don’t forget to import certs chain of the target endpoint to the Netweaver Keystore.

  1. Identify the problem
  • Identify the certificate of the request endpoint.

Using Chrome Developer Tool (Ctrl + Shift + I)

Using%20Chrome%20Developer%20Tool%20%28Ctrl%20+%20Shift%20+%20I%29

Chrome Developer Tool

Or from website https://www.ssllabs.com/ssltest/index.html

SSLLabs

SSLLabs

  • With an error of handshake in SAP PO trace log or XPI Inspector – start XPI Inspector and then trigger a request message to the target endpoint.

XPI%20Inspector

XPI Inspector

SSLException: Peer sent alert: Alert Fatal: handshake failure

Or error of limited JCE policy
Unable to encrypt SSL message: java.security.InvalidKeyException: Illegal key size

 

  1. Edit/Validate file java.security to the JCE policy unlimited

\usr\sap\<SID>\SYS\exe\jvm\<platform>\sapjvm_8.1.065\sapjvm_8\jre\lib\security

  1. Add property “iaik.security.ssl.configFile”

File SSLContext.properties – place at anywhere in the server.

#
client.allowLegacyRenegotiation=true
extension=signature_algorithms
extension=server_name.noncritical
extension=elliptic_curves
extension=ec_point_formats
securityProvider=iaik.security.ssl.ECCelerateProvider
#
# enable cipher suites with ECDHE key exchange (unlimited strength)
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
#
# keep default cipher suites as fallback
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
#
# enable old&slow DHE cipher suites (you don't want them with limited strength 1024-bit DHE at all)
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Add System property – NWA > Configuration > Infrastructure > Java System Properties > Additional VM Parameters

WINDOWS
-Diaik.security.ssl.configFile=file:/d:/tmp/SSLContext.properties

UNIX
-Diaik.security.ssl.configFile=file:/tmp/SSLContext.properties

  1. The restart Java AS.

 

1 Comment
You must be Logged on to comment or reply to a post.
  • Hi Dai Quach,

    Thank you for wonderful blog.Sometimes we dont look at these ciphers and simply start using url in the channel and when error is thrown, then we start digging the error and which eventually leads to this procedure.