Steps to enable and configure TLS 1.2 in a Double Stack SAP PI System and connect with CIG Ariba
I would like to acknowledge my colleague Leonardo Arismendi for his significant contribution to getting this configuration in place in a timely manner.
Audience.
The steps described in this white paper are to be executed by an SAP System Administrator.
Background.
End of Support – TLS 1.1 deprecation and TLS 1.2 cipher suites hardening for SAP Ariba Cloud Integration Gateway
What is TLS 1.1?
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and to protect the confidentiality and integrity of the information passed between them. TLS 1.1 was introduced in 2006, its successor TLS 1.2 in 2008, and the most recent iteration, TLS 1.3, in 2018.
What is TLS 1.2 hardening?
In order to secure data that is being transferred, TLS makes use of one or more cipher suites. A cipher suite is a combination of authentication, encryption and message authentication code (MAC) algorithms, all of which are used during the negotiation of security settings for a TLS connection as well as for the secure transfer of data.
TLS 1.2 hardening involves deprecating less secure cipher suites in favor of stronger cipher suites to ensure the TLS connection implements only the strongest available cipher suites.
Why do we need to eliminate TLS 1.1?
TLS 1.1 is no longer deemed to be secure. TLS 1.1 has been de-supported by the latest versions of the major web browsers effective March 2020. In the latter part of 2018, Apple, Google, Microsoft, and Mozilla jointly announced their intention to deprecate TLS 1.1 in early 2020.
That said, most communications had been using TLS 1.2 long before May 2018, so the impact should be limited to a small subset of integration traffic.
What cipher suites will be supported after the TLS 1.2 hardening?
As part of the TLS 1.2 hardening, CIG will support only the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The following cipher suites are being deprecated in favor of stronger cipher suites.
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
When will this change happen?
TLS 1.1 will no longer be supported, and TLS 1.2 hardening will be applied.
Scenario.
This document is based on the scenario described below, but you can check SAP Note 510007 to verify whether your current version is also compliant.
- SAP PI 7.4
- SAP Netweaver 7.4 Double Stack
- SAP Kernel Release 753
- Operating System: Microsoft Windows 2008 R2
- Java version: 1.8.0_25
- CommonCryptoLib 5.30
Note: All the steps have been executed with the <sid>adm user.
If you don’t know how to check the current CommonCryptoLib version, open a cmd or PowerShell window and run “sapgenpse”; its output shows the library version.
[Screenshot: sapgenpse output]
Step 1. Make sure Windows Registry is configured.
1.1.- Open the Windows Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
1.2.- Find the keys TLS 1.2 and Client (Protocols\TLS 1.2\Client). If they do not exist, create them as in the image below.
[Screenshot: registry keys TLS 1.2 and Client]
1.3.- In the Client key, create the DWORD (32-bit) value “DisabledByDefault” with hexadecimal value “0”.
[Screenshot: DWORD (32-bit) value DisabledByDefault]
1.4.- In the Client key, create the DWORD (32-bit) value “Enabled” with hexadecimal value “1”.
[Screenshot: DWORD (32-bit) value Enabled]
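To check the result of Step 1 without opening the Registry Editor, here is an added Python example (not part of the original post) that reads the TLS 1.2\Client values and compares them with the desired state above. It assumes Python with the standard winreg module is available on the PI host; the function names are my own, and the evaluation is kept separate from the registry read so it also handles the case where the key or a value is missing.

```python
"""Audit the SCHANNEL registry values from Step 1 (TLS 1.2 client side).

Added example, not part of the original post. The desired state is the one
Step 1 configures by hand: DisabledByDefault = 0 and Enabled = 1 under
Protocols\\TLS 1.2\\Client. Reading the registry needs Windows; the evaluation
is a pure function so the expected outcomes can be checked on any platform.
"""
import sys

PROTOCOLS_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
CLIENT_KEY = PROTOCOLS_KEY + r"\TLS 1.2\Client"

# DWORD values and the data Step 1 sets (order matters for the report).
DESIRED = {"DisabledByDefault": 0, "Enabled": 1}


def evaluate_tls12_client(values):
    """values: dict of DWORDs found under TLS 1.2\\Client, or None if the key is absent.

    Returns a list of findings; an empty list means the key matches Step 1.
    """
    if values is None:
        # No key at all means the OS default decides; Step 1 creates the key
        # precisely so that the default is not relied on.
        return ["TLS 1.2\\Client key is missing (OS default applies)"]
    findings = []
    for name, want in DESIRED.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name} is not set (expected {want})")
        elif got != want:
            findings.append(f"{name} is {got} (expected {want})")
    return findings


def read_tls12_client():
    """Read the DWORDs under HKLM\\...\\TLS 1.2\\Client (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg  # standard library, Windows only
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLIENT_KEY)
    except FileNotFoundError:
        return None
    values = {}
    with key:
        for name in DESIRED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value not present; reported by evaluate_tls12_client
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


if __name__ == "__main__":
    problems = evaluate_tls12_client(read_tls12_client())
    print("OK: TLS 1.2 is enabled for SCHANNEL clients" if not problems else "\n".join(problems))
```

Run it as the <sid>adm user after Step 1 and again after the restart in Step 4; an empty finding list is the expected result.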
Step 2.- Set up parameters in the ABAP stack
Please note that this step is optional, as PI connects to Ariba through the Java stack.
2.1.- In the default profile, set the parameters below:
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
Step 3.- Set up the Java stack
3.1.- Locate the SSLContext.properties file on your file system: navigate to the folder “usr/sap/<SID>/SYS/global/security/lib/tools/” and select the file iaik_ssl.jar.
3.2.- Create the folder ssl_context and copy the file “iaik_ssl.jar” into it.
3.3.- Rename the copy to “iaik_ssl.zip”.
3.4.- Open iaik_ssl.zip and extract the file SSLContext.properties; it is located under the path “…/iaik/security/ssl/”.
3.5.- Edit the extracted SSLContext.properties file and paste in the lines shown in the example below:
#########################################
# SSLContext renegotiation properties
# supported since ISASILK 4.4
# Default available property set (incl. value if not defined)
# allowLegacyRenegotiation = false,
# useNoRenegotiationWarnings = false,
# allowIdentityChangeDuringRenegotiation = true
# disableRenegotiation=false
# more details at
# http://jce.iaik.tugraz.at/sic/Products/Communication-Messaging-Security/iSaSiLk/documentation/Secure-Renegotiation
# special properties implemented since ISASILK 4.403
# minProtocolVersion def. value SSL30
# maxProtocolVersion def. value TLS11
# with prefix client. or server. property can be set for one ssl direction, and remains default value for other.
#
# Location of configuration file is iaik/security/ssl/SSLContext.properties within CLASSPATH
# It can be redefined with system property iaik.security.ssl.configFile
# e.g. java -Diaik.security.ssl.configFile=file:c:/java/SSLContext.properties
#
#########################################
# allowLegacyRenegotiation is set to true, otherwise we cannot communicate with unpatched peers
#allowLegacyRenegotiation=true
client.allowLegacyRenegotiation=true
# unsecure renegotiation is disabled for SSL server but remains allowed for client SSL
server.disableRenegotiation=true
# protocol version range for SSL clients: TLS 1.1 up to TLS 1.2 (CIG requires TLS 1.2)
client.minProtocolVersion=TLS11
client.maxProtocolVersion=TLS12
#ensure default cipher suites remain available
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
#additionally enable DHE cipher suites to support forward secrecy
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
3.6.- Check that your file matches the listing above.
3.7.- Specify the path of SSLContext.properties file in Config Tool.
3.7.1.- Open Config Tool “\usr\sap\<SID>\<instnr>\j2ee\configtool”.
3.7.2.- Navigate to “cluster-data” -> template -> instance.
3.7.3.- Choose “VM Parameters” -> System -> New.
3.7.4.- Add iaik.security.ssl.configFile=file:/<path of the SSLContext.properties file>
Format: Name: “iaik.security.ssl.configFile”; Value: “file:/<path to the SSLContext.properties file>/SSLContext.properties”.
The file name must be included in the value, the path uses forward slashes (“/”), and the value starts with “file:/…”.
In our example the final path is: file:/X:/usr/sap/<SYSID>/SYS/global/security/lib/tools/ssl_context/SSLContext.properties
3.7.5.- Click on Save to apply the changes
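Before pointing the Config Tool at the file, it is worth checking what the SSLContext.properties actually permits. The following is an added Python example, not SAP's or IAIK's code, that parses the file format used in Step 3.5 (one key per line, “#” comments, repeated cipherSuite lines that accumulate) and reports the effective client protocol range, whether legacy renegotiation is allowed, and which of the two CIG-supported suites are explicitly listed. Run on the listing from Step 3.5 it reports that neither ECDHE suite appears among the explicit cipherSuite lines (that list contains TLS_RSA and TLS_DHE_RSA suites only); which suites IAIK enables beyond the explicit lines depends on the library version (SAP Notes 2284059 and 2616983), so confirm the runtime view as described in SAP Note 3030033 before going live. The defaults are the ones quoted in the file's own header comments; the function names and the abbreviated sample input are my own.

```python
"""Check an SSLContext.properties file against the CIG requirements stated in this post.

Added example, not SAP's or IAIK's code. Parses the properties format used in
Step 3.5 and reports the effective client protocol range and which of the two
CIG-supported suites are explicitly listed.
"""

# Cipher suites CIG still accepts after the TLS 1.2 hardening (from the post).
CIG_SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Version tokens as written in SSLContext.properties, oldest first; extend it if
# your library version accepts further tokens. The defaults are those quoted in
# the file's own header (minProtocolVersion SSL30, maxProtocolVersion TLS11,
# allowLegacyRenegotiation false).
PROTOCOL_ORDER = ["SSL30", "TLS10", "TLS11", "TLS12"]
DEFAULTS = {
    "minProtocolVersion": "SSL30",
    "maxProtocolVersion": "TLS11",
    "allowLegacyRenegotiation": "false",
}


def parse_properties(text):
    """Return (settings, cipher_suites); cipherSuite is multi-valued and keeps file order."""
    settings, suites = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "cipherSuite":
            suites.append(value)
        else:
            settings[key] = value
    return settings, suites


def effective(settings, name, side="client"):
    """A client./server. prefixed key overrides the unprefixed key, which overrides the default."""
    return settings.get(f"{side}.{name}", settings.get(name, DEFAULTS[name]))


def rank(version):
    """Position in PROTOCOL_ORDER, or None for a token this checker does not know."""
    return PROTOCOL_ORDER.index(version) if version in PROTOCOL_ORDER else None


def check_client(text):
    """Summarise what the file lets the AS Java client offer to a server such as CIG."""
    settings, suites = parse_properties(text)
    lo, hi = effective(settings, "minProtocolVersion"), effective(settings, "maxProtocolVersion")
    lo_r, hi_r, t12 = rank(lo), rank(hi), rank("TLS12")
    return {
        "min": lo,
        "max": hi,
        "tls12_reachable": lo_r is not None and hi_r is not None and lo_r <= t12 <= hi_r,
        "legacy_renegotiation_allowed": effective(settings, "allowLegacyRenegotiation") == "true",
        "cig_suites_listed": sorted(CIG_SUPPORTED & set(suites)),
        "suites_cig_will_reject": sorted(set(suites) - CIG_SUPPORTED),
    }


# Constructed input: an abbreviated copy of the Step 3.5 listing from the post.
SAMPLE_FROM_POST = """\
#########################################
# SSLContext renegotiation properties
client.allowLegacyRenegotiation=true
server.disableRenegotiation=true
client.minProtocolVersion=TLS11
client.maxProtocolVersion=TLS12
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for key, value in check_client(SAMPLE_FROM_POST).items():
        print(f"{key}: {value}")
```

To check the real file, replace SAMPLE_FROM_POST with the contents of the SSLContext.properties you extracted in Step 3.4. An empty cig_suites_listed result is the signal to look at the IAIK version on the system (SAP Note 2284059) before assuming the handshake with CIG will succeed.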
Step 4.- Restart the SAP PI system and the Windows server for the changes to take effect.
Step 5.- Import certificates in Java Stack
5.1.- Follow the steps described in KBA 2056672.
This step is focused on the integration with SAP Ariba, but any integration will include similar activities as described in that KBA.
Step 6.- Test.
Run a test with XPI Inspector and look for any error messages.
Lastly, ping the communication channel.
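As a complement to XPI Inspector, here is an added Python example (not part of the original post) that opens a TLS 1.2-only connection offering exactly the two CIG cipher suites and reports what was negotiated. It uses the operating system's TLS stack through Python's ssl module, so it verifies the endpoint and the network path (proxy, firewall) rather than the AS Java/IAIK configuration; the Java stack's own view is still what XPI Inspector and SAP Note 3030033 show. The host name is a placeholder and the function names are my own.

```python
"""Network-level check that an endpoint accepts the TLS 1.2 cipher suites CIG requires.

Added example, not part of the original post. Uses the OS TLS stack via Python's
ssl module, so it tests the endpoint and the network path, not the IAIK setup.
"""
import socket
import ssl

# OpenSSL names (as returned by SSLSocket.cipher()) for the two IANA suites on the page.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
CIG_SUPPORTED = set(OPENSSL_TO_IANA.values())


def assess(version, cipher):
    """Classify a negotiated (version, cipher) pair; cipher may be an OpenSSL or IANA name."""
    iana = OPENSSL_TO_IANA.get(cipher, cipher)
    if version != "TLSv1.2":
        return f"FAIL: negotiated {version}, CIG requires TLS 1.2"
    if iana not in CIG_SUPPORTED:
        return f"FAIL: {iana} is not in the CIG allow-list"
    return f"OK: {version} {iana}"


def probe(host, port=443, timeout=10):
    """Handshake with host:port offering only TLS 1.2 and the two CIG suites.

    Certificate validation stays on (create_default_context); a certificate
    error here concerns this host's OS trust store, not the Java keystore
    populated in Step 5.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(OPENSSL_TO_IANA))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            return tls.version(), name


if __name__ == "__main__":
    import sys
    # Placeholder endpoint; replace with the CIG host from your Ariba connection details.
    target = sys.argv[1] if len(sys.argv) > 1 else "cig.example.invalid"
    try:
        print(assess(*probe(target)))
    except (ssl.SSLError, OSError) as exc:
        print(f"FAIL: handshake with {target} did not complete: {exc}")
```

Run it from the PI host itself so that the same proxy and firewall rules apply as for the Java stack; a handshake that fails here while XPI Inspector succeeds points at the OS trust store or at Python's OpenSSL build, not at the Ariba endpoint.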
Conclusion.
Even though preparing the system for the transition to TLS 1.2 seemed a very complicated task, it turned out to be quite simple once you know exactly which changes to perform.
If you have questions about this post, just let me know and I will try to respond to all of them. If you liked this document, also let me know so that I keep on sharing knowledge.
Reference Links and SAP Notes:
This document is based on our own research and the SAP Notes/KBA listed below:
- 510007 – Additional considerations for setting up SSL on Application Server ABAP
- 2056672 – How to import server certificates in PI system
- 2284059 – Update of SSL library within NW Java server
- 2456800 – How to change the supported SSL/TLS version in PI/PO system
- 2569156 – How to create, modify and validate SSLContext.properties file
- 2616983 – How to customize cipher suites in SSLContext.properties file
- 3026107 – Outbound connection from PI to Ariba is not working after TLS 1.1 deprecation
- 3030033 – How to check the TLS version range and Cipher Suites configured on the AS Java during runtime
Thank you for the blog article.
Great content!
Nice Write-up!
One of the most important realizations is that AS Java uses the IAIK library for outgoing connections instead of the CCL. Due to this fact, one has to take care of the available cipher suites. IAIK supports a limited set of cipher suites depending on its version. Without matching cipher suites, a handshake between client and server will fail.
Hello Oscar Morrison León
Different Ways, but the same outcome - demystifying TLS/SSL Settings for NetWeaver ...
Best Regards Roland