Matthias Hollstein

How to Solve Error during SUM Execution “The server selected protocol version TLS10 is not accepted by client preferences [TLS12]”

SAP implements security updates and patches in its various products at different times. In some circumstances, too many of these updates and security patches accumulate in one maintenance window, with conflicting results.

In our case this happened on a Windows Server 2012 R2 running NetWeaver 7.5 JAVA on MSSQL Server 2012 DB Service Pack 1.
The issue depends on the SAP KERNEL, SAPJVM8 and current SUM versions.
The problem is that TLS1.0 is no longer supported by SAP, but it is used by MSSQL Server 2012 SP1.

With SAP KERNEL 7.53 Patch 800, NetWeaver still works, but configtool fails with an error message regarding TLS1.0.
With SAPJVM 8.1.074 and higher, NetWeaver no longer starts, since TLS1.0 is disabled by default (https://launchpad.support.sap.com/#/notes/2199062).
And finally, with SUM 26 Patch 3 or higher, TLS1.0+1.1 are also disabled by default.

  • /SUM10SP26_2/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are not disabled (jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \)
  • /SUM10SP26_3/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are disabled (jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \)

I have developed a routine to solve that issue and migrate the system from TLS1.0 to TLS1.2 (including Service Pack Upgrade for MSSQL Server to SP04 if needed).

  1. optional: check TLS1.0+1.1 are enabled (use IISCrypto.exe* for example)
  2. use SUM (Version before 26_3) to update kernel7.53 (800) + sapjvm8 (8.1.075)
    • the Java-only start will fail – continue with the next step, but leave SUM as it is! (See picture below)
  3. check and update java.security files
    1. “/usr/sap/<SID>/SYS/exe/jvm/NTAMD64/sapjvm_8.1.075/sapjvm_8/jre/lib/security/java.security”
    2. “/usr/sap/<SID>/J00/exe/sapjvm_8/jre/lib/security/java.security”
      • enable tls1+1.1 temporarily
      • #jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
  4. Stop and Start NetWeaver
  5. continue SUM (Version before 26_3) to repeat Restart JAVA-Only (successful)
  6. Stop NetWeaver afterwards
  7. update java.security files
    1. “/usr/sap/<SID>/SYS/exe/jvm/NTAMD64/sapjvm_8.1.075/sapjvm_8/jre/lib/security/java.security”
    2. “/usr/sap/<SID>/J00/exe/sapjvm_8/jre/lib/security/java.security”
      • disable tls1+1.1 again (default settings)
      • jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
  8. Backup NetWeaver DB
  9. install SQL Server 2012 SP4 (KB4018073) – or any other RDBMS supporting TLS1.2
  10. install SQL Server 2012 SP4 security update (KB4583465) – or any other RDBMS supporting TLS1.2
  11. optional: disable TLS1.0+1.1 (use IISCrypto.exe* on client and server <Best Practices> for example)
  12. Reboot System (NetWeaver Auto Start)
  13. update SUM to version 26_3 or higher
  14. use SUM (Version 26_3 or higher) to continue the update maintenance for NetWeaver, ME and MII…

*https://www.nartac.com/Products/IISCrypto/Download

MSSQL Server 2012 Service Pack 04 Files: https://www.catalog.update.microsoft.com/Search.aspx?q=SQL%20Server%202012%20Service%20Pack%204
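
To confirm that step 7 really restored the default in both java.security files, the setting can be read back rather than checked by eye. The following is an added example, not part of the original procedure or of any SAP tooling; the sample strings are constructed from the two lines quoted above, and `EXAMPLE_PLACEHOLDER` stands in for the continuation line that the article does not show.

```python
"""Report whether TLSv1/TLSv1.1 are still enabled in a java.security file."""
import sys

LEGACY = ("TLSv1", "TLSv1.1")
KEY = "jdk.tls.disabledAlgorithms"

def load_properties(text):
    """Minimal reader for the java.util.Properties syntax used by java.security
    ('key=value' only; '#'/'!' comments; odd trailing backslash = continuation)."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical is None:
            if not line or line[0] in "#!":
                continue  # comment lines are never continued, even ending in '\'
            logical = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()  # a later duplicate key wins
        logical = None
    if logical:  # file ended in the middle of a continuation
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
    return props

def legacy_tls_enabled(text):
    """Return the legacy protocols that are NOT in jdk.tls.disabledAlgorithms."""
    value = load_properties(text).get(KEY, "")
    disabled = {tok.strip() for tok in value.split(",")}
    return [p for p in LEGACY if p not in disabled]

# Constructed samples: state after step 3 (temporary) and after step 7 (default).
TEMPORARY = (
    "#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\\n"
    "    EXAMPLE_PLACEHOLDER\n"
)
DEFAULT = (
    "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
    "    EXAMPLE_PLACEHOLDER\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass both java.security paths from step 7
        with open(path, encoding="latin-1") as fh:
            left = legacy_tls_enabled(fh.read())
        print(path, "-> still enabled:", ", ".join(left) or "none")
```

Run it against both files after step 7; any output other than `none` means the temporary setting from step 3 is still active in that file.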

[Image: SUM Process Execution Error in Restart System for Java-Only Step]

 

This procedure makes the update of SAP NetWeaver 7.5 JAVA SP20 with SAP Kernel 7.53 Patch 800 and SAPJVM8 Patch 75 on MSSQL Server 2012 SP4 possible. Otherwise it is not possible to update a system running MSSQL Server 2012 with the current patches and support packages from SAP.

Without this procedure the JAVA start will fail during the update process, and the update process is not able to finish properly.

Please also check SAP Q&A: https://answers.sap.com/questions/ask.html?primaryTagId=681405860242501232266070960678260

regards

Matthias


      5 Comments
      Kenola Boves

      The point is: how to get an old version of SUM? I'll open a ticket to SAP, let's see if they provide me. Thanks

      Matthias Hollstein
      Blog Post Author

      Hello

      oh, yes

      that is a good point

      luckily we have some similar systems that weren't patched before and one of the previous versions was existing there.

      I've forgotten a lesson learned: keep the version of the SUM that has worked fine until you have verified the next version is working fine too

      😉
      Good luck

      If you have trouble receiving an older version of the SUM, let me know.

      regards

      Matthias

       

      Yann Goffin

      Hello Matthias.

       

      Thanks for the tips

      The simplest way is to:

      • Stop the SUM, restore the backup done just before the downtime.
      • Upgrade the MSSQL Server 2012 to the SP4
      • Use the last SUM and redo the update maintenance (Kernel + SAPJVM + Java components)
      • All will run with the TLS 12.

       

      Matthias Hollstein
      Blog Post Author

      Hello Yann
      thank you
      but this is almost the same, as I have described above, I think.

      so this may also work, too

      😉

      Regards

      Matthias

      Yann Goffin

      I do agree. 🙂

      There are fewer manual actions in my way (modifying files in jvm directories).

      But sure, the result is the same: To have all components (DB, SAP Kernel, SAPJVM) using TLS12.

      Just sharing here. 🙂

       

      Regards.