How to Solve Error during SUM Execution “The server selected protocol version TLS10 is not accepted by client preferences [TLS12]”
SAP releases security updates and patches for its products at different times. In some circumstances, too many of these updates and security patches accumulate in one maintenance window, with conflicting results.
In our case this happened on a Windows Server 2012 R2 system running NetWeaver 7.5 JAVA on MSSQL Server 2012 DB Service Pack 1.
The issue depends on the SAP KERNEL, SAPJVM8 and current SUM versions.
The problem is that TLS1.0 is no longer supported by SAP, but it is used by MSSQL Server 2012 SP1.
With SAP KERNEL 7.53 Patch 800, NetWeaver works, but configtool fails with an error message regarding TLS1.0.
With SAPJVM 8.1.074 and higher, NetWeaver no longer starts, since TLS1.0 is disabled by default (https://launchpad.support.sap.com/#/notes/2199062).
Finally, with SUM 26 Patch 3 or higher, TLS1.0+1.1 are also disabled by default:
- /SUM10SP26_2/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are not disabled (jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \)
- /SUM10SP26_3/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are disabled (jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \)
I have developed a routine to solve that issue and migrate the system from TLS1.0 to TLS1.2 (including Service Pack Upgrade for MSSQL Server to SP04 if needed).
- optional: check TLS1.0+1.1 are enabled (use IISCrypto.exe* for example)
- use SUM (Version before 26_3) to update kernel7.53 (800) + sapjvm8 (8.1.075)
- the java-only start will fail – continue with the next step, but leave SUM as it is! (See picture below)
- check and update java.security files
  - enable tls1+1.1 temporarily
    - #jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    - jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
- Stop and Start NetWeaver
- continue SUM (Version before 26_3) to repeat Restart JAVA-Only (successful)
- Stop NetWeaver afterwards
- update java.security files
  - disable tls1+1.1 again (default settings)
    - jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
- Backup NetWeaver DB
- install sql server 2012 sp4 (KB4018073) – or any other RDBMS supporting TLS1.2
- install sql server 2012 sp4 security update (KB4583465) – or any other RDBMS supporting TLS1.2
- optional: disable TLS1.0+1.1 (use IISCrypto.exe* on client and server <Best Practices> for example)
- Reboot System (NetWeaver Auto Start)
- update SUM to version 26_3 or higher
- use SUM (Version 26_3 or higher) to continue update Maintenance for NetWeaver, ME and MII…
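A check for the java.security steps above, as an added example (not part of the original post and not SAP tooling): it reads the effective `jdk.tls.disabledAlgorithms` value, honouring the trailing-backslash continuation and the commented-out line, and reports whether TLSv1/TLSv1.1 are still allowed, so the temporary relaxation is not left in place. The sample file contents, the `DH keySize < 1024` continuation entry and all function names are constructed for illustration.

```python
# Constructed sample inputs modelled on the two java.security variants quoted in the steps.
SAMPLE_RELAXED = """\
# constructed sample: temporary state while SUM repeats the java-only restart
#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024
"""
SAMPLE_DEFAULT = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024
"""
LEGACY = ("TLSv1", "TLSv1.1")

def logical_lines(text):
    """Yield property lines with backslash continuations joined and comments skipped."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        # A comment is never continued, so a '#' line ending in '\' is simply dropped.
        if not continuing and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf, continuing = buf + line[:-1], True
            continue
        yield buf + line
        buf, continuing = "", False
    if buf:
        yield buf

def disabled_algorithms(text):
    """Return the effective jdk.tls.disabledAlgorithms entries (last definition wins)."""
    entries = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")  # assumes key=value form, as in java.security
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def legacy_tls_enabled(text):
    """List the legacy protocols this file does NOT disable."""
    disabled = set(disabled_algorithms(text))
    return [p for p in LEGACY if p not in disabled]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # pass each java.security path to check
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "legacy TLS still enabled:", legacy_tls_enabled(fh.read()) or "none")
```

Run it against every java.security file that was edited (the SUM JVM copy and the SAPJVM copy) after the "disable tls1+1.1 again" step; an empty result means both legacy protocols are disabled again.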
MSSQL Server 2012 Service Pack 04 Files: https://www.catalog.update.microsoft.com/Search.aspx?q=SQL%20Server%202012%20Service%20Pack%204
Using this procedure makes the update of SAP NetWeaver 7.5 JAVA SP20 with SAP Kernel 7.53 Patch 800 and SAPJVM8 Patch 75 on MSSQL SERVER 2012 SP4 possible. Otherwise it is not possible to update a system running MSSQL Server 2012 with the current patches and support packages from SAP.
Without this procedure, the JAVA start will fail during the update process and the update process is not able to finish properly.
Please also check SAP Q & A: https://answers.sap.com/questions/ask.html?primaryTagId=681405860242501232266070960678260
The point is: how to get an old version of SUM? I'll open a ticket with SAP, let's see if they provide it to me. Thanks
That is a good point.
Luckily we have some similar systems that weren't patched before, and one of the previous versions still existed there.
I forgot a lesson learned: keep the version of SUM that has worked fine until you have verified that the next version works fine too.
If you have trouble receiving an older version of the SUM, let me know.
Thanks for the tips
The simplest way is to:
But this is almost the same as what I have described above, I think.
So this may also work, too.
I do agree. 🙂
There are fewer manual actions in my way (modifying files in jvm directories).
But sure, the result is the same: to have all components (DB, SAP Kernel, SAPJVM) using TLS12.
Just sharing here. 🙂