SAP ships security updates and patches for its various products at different times. In some circumstances, too many of these updates and security patches can accumulate in one maintenance window, with conflicting results.
In our case this happened on a Windows Server 2012 R2 running NetWeaver 7.5 JAVA on MSSQL Server 2012 DB Service Pack 1.
The issue depends on the SAP KERNEL, SAPJVM8 and current SUM versions.
The problem is that TLS1.0 is no longer supported by SAP, but it is used by MSSQL Server 2012 SP1.
With SAP KERNEL 7.53 Patch 800, NetWeaver is working, but configtool fails with an error message regarding TLS1.0.
With SAPJVM 8.1.074 and higher, NetWeaver does not start anymore, since TLS1.0 is disabled by default (https://launchpad.support.sap.com/#/notes/2199062).
And finally, with SUM 26 Patch 3 or higher, TLS1.0+1.1 is also disabled by default.
- /SUM10SP26_2/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are not disabled (jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \)
- /SUM10SP26_3/SUM/jvm/jre/lib/security/java.security > TLS 1+1.1 are disabled (jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \)
I have developed a routine to solve that issue and migrate the system from TLS1.0 to TLS1.2 (including Service Pack Upgrade for MSSQL Server to SP04 if needed).
- optional: check TLS1.0+1.1 are enabled (use IISCrypto.exe* for example)
- use SUM (Version before 26_3) to update kernel7.53 (800) + sapjvm8 (8.1.075)
- the Java-only start will fail; continue with the next step, but leave SUM as it is! (See picture below)
- check and update java.security files
  - "/usr/sap/<SID>/SYS/exe/jvm/NTAMD64/sapjvm_8.1.075/sapjvm_8/jre/lib/security/java.security"
  - "/usr/sap/<SID>/J00/exe/sapjvm_8/jre/lib/security/java.security"
  - enable tls1+1.1 temporarily
    - #jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
- Stop and Start NetWeaver
- continue SUM (Version before 26_3) to repeat Restart JAVA-Only (successful)
- Stop NetWeaver afterwards
- update java.security files
  - "/usr/sap/<SID>/SYS/exe/jvm/NTAMD64/sapjvm_8.1.075/sapjvm_8/jre/lib/security/java.security"
  - "/usr/sap/<SID>/J00/exe/sapjvm_8/jre/lib/security/java.security"
  - disable tls1+1.1 again (default settings)
    - jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
- Backup NetWeaver DB
- install SQL Server 2012 SP4 (KB4018073) - or any other RDBMS supporting TLS1.2
- install SQL Server 2012 SP4 security update (KB4583465) - or any other RDBMS supporting TLS1.2
- optional: disable TLS1.0+1.1 (use IISCrypto.exe* on client and server <Best Practices> for example)
- Reboot System (NetWeaver Auto Start)
- update SUM to version 26_3 or higher
- use SUM (Version 26_3 or higher) to continue the update maintenance for NetWeaver, ME and MII...
* https://www.nartac.com/Products/IISCrypto/Download
MSSQL Server 2012 Service Pack 04 Files:
https://www.catalog.update.microsoft.com/Search.aspx?q=SQL%20Server%202012%20Service%20Pack%204
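After the "disable tls1+1.1 again" step, both java.security files should list TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms again, so the temporary setting does not stay in production. The Python check below is an added example, not part of the original post or of any SAP tool: it reads the property including its `\` line continuations and reports files that still leave TLS 1.0/1.1 enabled. The sample text and its `DH keySize < 1024` continuation line are constructed.

```python
import sys
from pathlib import Path

PROP = "jdk.tls.disabledAlgorithms"
LEGACY = ("TLSv1", "TLSv1.1")
# Constructed sample: the first two lines are the page's temporary edit;
# "DH keySize < 1024" is an assumed stand-in for the lines the page omits.
TEMPORARY = """\
#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024
"""

def logical_lines(text):
    """Join continuation lines the way java.util.Properties does."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue  # a comment is never continued, even if it ends in "\"
            buf = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:  # odd count: the last "\" continues the line
            buf += line[:-1]
        else:
            yield buf + line
            buf = None
    if buf is not None:
        yield buf

def disabled_algorithms(text):
    """Effective entries of jdk.tls.disabledAlgorithms (last one wins), or None."""
    entries = None
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def legacy_tls_enabled(text):
    """Legacy protocol names that this java.security content leaves enabled."""
    return [p for p in LEGACY if p not in (disabled_algorithms(text) or [])]

if __name__ == "__main__":  # usage: python script.py <java.security> [...]
    found = {p: legacy_tls_enabled(Path(p).read_text(encoding="latin-1")) for p in sys.argv[1:]}
    for path, enabled in found.items():
        print(path, "->", ", ".join(enabled) + " still enabled" if enabled else "OK")
    sys.exit(1 if any(found.values()) else 0)
```

Run it with both java.security paths from the procedure as arguments; a non-zero exit code means at least one file still has the temporary setting.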
SUM Process Execution Error in Restart System for Java-Only Step
Using this procedure makes the update for SAP NetWeaver 7.5 JAVA SP20 with SAP Kernel 7.53 Patch 800 and SAPJVM8 Patch 75 on MSSQL SERVER 2012 SP4 possible. Otherwise it is not possible to update a system running MSSQL Server 2012 with the current patches and support packages from SAP.
Without this procedure, the JAVA start will fail during the update process and the update process is not able to finish properly.
Please also check SAP Q & A:
https://answers.sap.com/questions/ask.html?primaryTagId=681405860242501232266070960678260
regards
Matthias