How to Enable TLS v1.2 in SAP Netweaver ABAP

In this article we’ll go through the process of enabling TLS v1.2 in an SAP NetWeaver ABAP system. First I have to mention CommonCryptoLib (CCL), which many years ago replaced SAPCRYPTOLIB. The new SAP Cryptographic Library not only supports the use of digital signatures in SAP systems, but also provides encryption. The CCL is available in its latest version 8.5.x and is used by many SAP components, for example:

  • SAP Host Agent,
  • SAP Instance Agent,
  • SAP NetWeaver AS ABAP,
  • SAP NetWeaver AS Java,
  • SAP HANA,
  • SAP Web Dispatcher,
  • etc.

More information about CCL can be found in these SAP Notes:

  • 1848999 – Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)
  • 2450794 – How to update CommonCryptoLib in a NetWeaver ABAP system
  • 2004653 – CommonCryptoLib 8 cryptographic algorithms

Background for TLS Handshakes

Figure (source: https://help.sap.com): TLS Handshake with Server and with Client Verification
  • Phase 1 Exchange of Crypto Info -> During this phase, the crypto info (such as cryptographic methods and random numbers) is exchanged.
  • Phase 2 Server Authentication -> The server authenticates itself to the client.
  • Phase 3 Client Authentication and Exchange of Pre-Master-Secret

Configuration

The currently recommended settings for TLSv1.2 are:

ssl/ciphersuites        = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

icm/HTTPS/client_sni_enabled = TRUE

ssl/client_sni_enabled = TRUE

SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE

SAP recommends:

* Please add these parameters to your DEFAULT.PFL through tx RZ10, save and activate the profile. Please ignore the tx RZ10/RZ11 warnings in Netweaver 70x/71x/72x/73x/74x about any of these profile parameters being unknown to ABAP tx RZ10 & RZ11 — ssl/ciphersuites and ssl/client_ciphersuites are recognized by all 7xx Kernels! Only parameter ssl/client_sni_enabled needs a fairly recent kernel: 721 patchno 920, 722 patchno 223 (SAP Note 2384290), 745 patchno 623, 749 patchno 415, 753 patchno 110 (SAP Note 2582368). Parameter icm/HTTPS/client_sni_enabled is limited to Netweaver 742+ kernels plus recent 722 kernels (SAP Note 2124480).

* To make the SETENV_XX parameters take effect for AppServer child processes such as “saphttp”, a restart of the AppServer instance is necessary. Where changing the behaviour of icman is sufficient, it is possible to manually restart only the icman process, rather than the entire AppServer. Use tx SMICM, and from Menu “Administration” -> “ICM” -> “Exit Soft” -> “Global”.
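As an added example (not from the article and not SAP code), a small Python checker that parses a DEFAULT.PFL-style profile and reports every TLS parameter that is missing or differs from the values listed above, so a profile can be audited before and after the RZ10 change. The legacy profile it checks is constructed; treating lines starting with '#' as comments, parameter names as case-sensitive and later assignments as overriding earlier ones are assumptions about the profile syntax.

```python
# Recommended values from the article (SAP Notes 510007 and 2384243).
RECOMMENDED = {
    "ssl/ciphersuites": "135:PFS:HIGH::EC_P256:EC_HIGH",
    "ssl/client_ciphersuites": "150:PFS:HIGH::EC_P256:EC_HIGH",
    "icm/HTTPS/client_sni_enabled": "TRUE",
    "ssl/client_sni_enabled": "TRUE",
}
# Variables expected in some SETENV_nn entry; the index nn is free.
RECOMMENDED_ENV = {
    "SAPSSL_CLIENT_CIPHERSUITES": "150:PFS:HIGH::EC_P256:EC_HIGH",
    "SAPSSL_CLIENT_SNI_ENABLED": "TRUE",
}

def parse_profile(text):
    """Return (params, env): profile parameters and SETENV_nn variables.
    Assumes '#' lines are comments and a later assignment overrides."""
    params, env = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        params[key] = value
        if key.startswith("SETENV_") and "=" in value:
            name, val = (s.strip() for s in value.split("=", 1))
            env[name] = val
    return params, env

def _diff(wanted, actual, missing_fmt):
    """List every key that is absent or differs (case-insensitively)."""
    out = []
    for key, want in wanted.items():
        got = actual.get(key)
        if got is None:
            out.append(missing_fmt.format(key=key, want=want))
        elif got.upper() != want.upper():
            out.append(f"{key} = {got} (want {want})")
    return out

def check_tls_profile(text):
    """Return findings as strings; an empty list means compliant."""
    params, env = parse_profile(text)
    return (_diff(RECOMMENDED, params, "{key} missing (want {want})") +
            _diff(RECOMMENDED_ENV, env, "no SETENV_nn sets {key}"))

# Constructed sample: legacy profile with a weaker suite list and no SNI.
LEGACY_PROFILE = """ssl/ciphersuites = HIGH:MEDIUM
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
"""
```

Running check_tls_profile on the text of your own DEFAULT.PFL lists what still has to be added in RZ10; an empty list means every parameter from the block above is present.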

More information about the configuration can be found in these SAP Notes:

  • 510007 – Additional considerations for setting up SSL on Application Server ABAP
  • 2384243 – NetWeaver Application Server: How to configure strict TLS 1.2
  • 2570499 – How to adjust the supported SSL cipher suites in AS ABAP

TLS 1.3

In my opinion, TLS 1.3 is currently not supported for ABAP systems – check SAP Note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?

Other SAP products are in the same situation:

  • 2834475 – Does SAP NetWeaver AS Java support TLS 1.3?
  • 2942212 – Support for TLS 1.3 with SAP ASE and SDK
  • 2939945 – Is TLS1.3 supported with SAP BusinessObjects BI Platform 4.x?

Copyright © 2023 SAPBasisWorld.com