Martijn van den Berg

SAP PO TLS and ciphers: an overview

Choosing the right TLS and cipher parameters for SAP PO can be difficult, because the available information is spread across a variety of SAP notes. More and more systems are switching to a mandatory TLS 1.2 policy and requiring higher-security ECDHE and ECDSA ciphers. Consultants have to deal with different security requirements set by different customers, and developers at end clients may not have easy access to information on the individual parameters. This article therefore gives an overview of TLS, ciphers, and the available parameters.

The following topics are relevant when setting the TLS version and cipher parameters:

  • TLS version
  • Ciphers used
  • Testing allowed TLS versions and ciphers
  • Testing SAP PO TLS version and cipher compatibility
  • Enabling TLS version
  • Ciphers supported by default
  • Enabling additional cipher types using SSLContext.properties file
  • Enabling DHE ciphers
  • Enabling ECDHE and ECDSA ciphers
  • Example SSLContext.properties file

TLS version

Most systems use TLS 1.2, although some still support TLS 1.0 and 1.1. When a test of the TLS version in use displays an SSL version instead, the SSL version numbers correspond to TLS versions: SSL 3.1 is equal to TLS 1.0, SSL 3.2 is the same as TLS 1.1 and SSL 3.3 is equal to TLS 1.2.

Ciphers used

SAP PO supports three types of ciphers:

  • Default available
  • DHE ciphers
  • Elliptic curves

The ciphers available by default are the TLS RSA and SSL RSA ciphers. These can be identified by a cipher name starting with TLS_RSA or SSL_RSA (for example TLS_RSA_WITH_AES_128_GCM_SHA256). Similarly, DHE ciphers can be recognized by a cipher name starting with TLS_DHE (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256). Elliptic curve ciphers can be identified by a cipher name starting with either TLS_ECDHE or TLS_ECDSA (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).

By default, SAP PO supports all ciphers with a length of 128 bits. These can be identified by the 128 in the cipher name (for example TLS_RSA_WITH_AES_128_CBC_SHA). All 256-bit ciphers use a longer key and can only be used if unlimited strength policies are enabled.

Testing allowed TLS versions and ciphers

The TLS versions and ciphers allowed for a connection can be tested using the SSL test service by SSL Labs:

https://www.ssllabs.com/ssltest/


Testing SAP PO TLS version and cipher compatibility

TLS version and cipher compatibility in SAP PO can be tested using XPI Inspector (example 11).


Enabling TLS version

As of SAP PO 7.5 SP05, all TLS versions (up to TLS 1.2) are supported. In all other versions of SAP PI/PO, TLS 1.0 and 1.1 are supported by default, and TLS 1.2 can be enabled by patching or an SP update.

Minimum SP level (with patching):

  • SAP PI 7.10 SP18
  • SAP PI 7.11 SP12
  • SAP PI 7.30 SP13
  • SAP PI 7.31 SP08
  • SAP PI/PO 7.4 SP03
  • SAP PO 7.5 SP00

Ciphers supported by default

By default, SAP PO supports all 128-bit TLS RSA and SSL RSA ciphers. 256-bit ciphers are enabled by default depending on the JVM version of SAP PO (6.1.107, 7.1.055, 8.1.036 or higher), or can be enabled on lower JVM versions by downloading and installing the unlimited strength policy files.

Enabling additional cipher types using SSLContext.properties file

Additional ciphers can be enabled, when available in the SAP PO version, by adding them to the SSLContext.properties file. When modifying the SSLContext.properties file, at least the following parameters should be present: client.allowLegacyRenegotiation=true (allow renegotiation of ciphers), and extension=signature_algorithms and extension=server_name.noncritical (send the signature algorithms and server name when initiating the connection).

Preferred ciphers are set by modifying the SSLContext.properties file and adding each cipher manually as a line cipherSuite=<name of cipher>.


Once preferred ciphers are listed in the SSLContext.properties file, all other ciphers are no longer enabled. If the default ciphers should remain enabled, they have to be added manually as preferred ciphers to the modified SSLContext.properties file.

Enabling DHE ciphers

DHE ciphers are supported by default if TLS 1.2 is available in SAP PO. However, DHE ciphers have to be added manually to the SSLContext.properties file to be available.


Enabling ECDHE and ECDSA ciphers

ECDHE and ECDSA ciphers are supported in SAP PO 7.5 SP08 (with patching) or higher. Lower versions of SAP PI/PO do not support ECDHE and ECDSA ciphers.

To enable them, a modified SSLContext.properties file is required that adds the parameter extension=elliptic_curves.


Example SSLContext.properties file

An example SSLContext.properties file that enables all ciphers available for SAP PO, except ECDSA, can be found in note 2708581 (example 3). Availability of non-default (DHE, ECDHE etc.) and 256-bit ciphers still depends on the SAP PO version and the parameters set.
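The rules from the sections above can be checked mechanically before a modified file is deployed. The following Python sketch is an added example, not code from SAP or from the notes cited here; the function names, the constructed sample file and the assumption that `#` starts a comment line are illustrative. It only uses the parameter names and cipher name prefixes mentioned in this article.

```python
REQUIRED = [  # parameters the article says must be present in a modified file
    ("client.allowLegacyRenegotiation", "true"),
    ("extension", "signature_algorithms"),
    ("extension", "server_name.noncritical"),
]
# Constructed sample (not from an SAP note): ECDHE suite but no elliptic_curves.
SAMPLE = """\
client.allowLegacyRenegotiation=true
extension=signature_algorithms
extension=server_name.noncritical
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
"""

def parse(text):
    """Return (key, value) pairs; extension and cipherSuite keys repeat."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' starts a comment, as in Java properties files.
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def family(suite):
    """Classify a suite by the name prefixes the article lists."""
    if suite.startswith(("TLS_ECDHE", "TLS_ECDSA")):
        return "EC"
    if suite.startswith("TLS_DHE"):
        return "DHE"
    if suite.startswith(("TLS_RSA", "SSL_RSA")):
        return "RSA"
    return "unknown"

def lint(text):
    """Return findings for one SSLContext.properties text."""
    pairs = parse(text)
    suites = [v for k, v in pairs if k == "cipherSuite"]
    findings = [f"missing {k}={v}" for k, v in REQUIRED if (k, v) not in pairs]
    if any(family(s) == "EC" for s in suites) and ("extension", "elliptic_curves") not in pairs:
        findings.append("EC suites listed without extension=elliptic_curves")
    if suites and not any(family(s) == "RSA" for s in suites):
        findings.append("default RSA suites not listed, so they are no longer enabled")
    findings += [f"{s}: 256-bit, check JVM version or policy files" for s in suites if "_256_" in s]
    findings += [f"{s}: unrecognised cipher family" for s in suites if family(s) == "unknown"]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A finding about missing default RSA suites is informational: dropping them may be exactly what a TLS 1.2 and ECDHE-only policy intends.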

 

Hopefully this blog has been useful in explaining the different TLS versions and cipher types, testing these, as well as the parameters for TLS version and ciphers in SAP PO.

Overview of SAP notes used:

  • 2284059: default ciphers, DHE ciphers, TLS 1.2 upgrade
  • 1240081: unlimited strength policy files
  • 0002246884: finding JVM version
  • 2708581: ECDHE and ECDSA ciphers, examples of modified SSLContext.properties file
  • 2569156: modify SSLContext.properties file
  • 1514898: XPI Inspector
