
TLS 1.2 Support in SAP


Hello Colleagues,

I am in the process of establishing a connection from SAP to an external web service hosted by a vendor. For security reasons they have disabled SSLV3 and TLS 1.2, and they are accepting connections which come through HTTPS and TLSV1.2.

Based on the note http://service.sap.com/sap/support/notes/2065806, it is possible to establish a connection to external web services which are running on the TLS 1.2 protocol only if our SAP has common cryptolib 8.4.31 or above, so I have downloaded the latest common cryptolib 8.4.37 and upgraded.

I have also installed the URL's certificate in the STRUST store.

I have also set up the profile parameters mentioned in note http://service.sap.com/sap/support/notes/510007. After setting these profile parameters in RZ10 I also restarted the server. But when I check the profile parameters it says "Unknown profile parameter"; I read in some note that this message can be ignored. Please find below the additional parameters for my cipher suites.

ssl/client_ciphersuites                 192:HIGH:MEDIUM:+e3DES:!aNULL
ssl/ciphersuites                        135:HIGH:MEDIUM:+e3DES:!aNULL

 

From SE38 I have run the program "SSF02" and selected the radio button "Determine version". I see the message below, so I assume my cryptolib upgrade has no issues.

SSF Test Program

Version              (on application server)

Result:  SSF_API_OK

Version information:                                      145

 

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 (+MT) #Copyright (c) SAP AG, 2011-2015#compiled for linux-gcc-4.1-x86-64#

 

I have some open questions after setting up the system.

  1. Apart from the above-mentioned settings, do I need to perform any additional steps to set up the latest cryptolib?
  2. After extracting the common cryptolib I see an additional folder "fips". How shall we deal with the content of this folder? Do I need to set up any additional parameter for it?
  3. Does SAP use the operating system's OpenSSL to establish the connection to the external web service?
  4. Does SAP use its own kernel / crypto (SAP's own OpenSSL) to connect to the external web service?
  5. My OS is SUSE Linux SP11. In its current state it does not have an OpenSSL which supports TLS V1.2. Is that the reason that I am unable to connect to web services which are running on TLS 1.2?
  6. I am able to connect to other web services which are running on SSLV3 and TLS 1, but it is not connecting when it comes to pure TLSV 1.2.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Please find below the logs from SMICM.

[Thr 140048473114368] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140048473114368]    session uses PSE file "/usr/sap/SE1/DVEBMGS59/sec/SAPSSLC.pse"

[Thr 140048473114368] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 140048473114368]   secude_error 536875120 (0x20001070) = "SSL API error"

[Thr 140048473114368] >>            Begin of Secude-SSL Errorstack            >>

[Thr 140048473114368] 0x20001070   SAPCRYPTOLIB   SSL_connect

[Thr 140048473114368] SSL API error

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] 0xa0600278   SSL   ssl3_read_bytes

[Thr 140048473114368] received a fatal TLS1.0 protocol version alert message from the peer

[Thr 140048473114368] <<            End of Secude-SSL Errorstack

[Thr 140048473114368]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 140048473114368]   SSL NI-sock: local=10.1.1.214:34300  peer=10.1.1.33:443

[Thr 140048473114368] <<- ERROR: SapSSLSessionStart(sssl_hdl=7f5f8c01b220)==SSSLERR_SSL_CONNECT

[Thr 140048473114368] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000544} [icxxconn_m

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Please help in resolving this issue.

Thanks in advance!!

Regards,

Vardhan.
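
The two profile values quoted in the post start with a numeric prefix that is a bit field selecting protocol versions and handshake options. The following is an added example, not part of the original post and not SAP code, that decodes that prefix. The bit meanings are an assumption based on the flag table in SAP Note 510007 and should be checked against the current note; `decode` and `offers_tls12` are hypothetical helper names.

```python
# Added example: decode the numeric prefix of ssl/ciphersuites and
# ssl/client_ciphersuites. Bit meanings are an assumption based on the flag
# table in SAP Note 510007; verify them against the current note.
OPTIONS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT", 32: "STRICT"}
VERSIONS = [(64, "SSLv3"), (128, "TLSv1.0"), (256, "TLSv1.1"), (512, "TLSv1.2")]


def decode(value):
    """Return (options, enabled protocol versions, cipher string)."""
    prefix, _, ciphers = value.partition(":")
    bits = int(prefix)
    options = [name for bit, name in sorted(OPTIONS.items()) if bits & bit]
    enabled = [bool(bits & bit) for bit, _ in VERSIONS]
    if "STRICT" not in options:
        enabled[1] = True  # TLSv1.0 is switched on automatically unless STRICT
    if "BEST" in options:
        enabled[3] = True  # highest version; TLSv1.2 assumes CommonCryptoLib >= 8.4.31
    if "NO_GAP" in options and any(enabled):
        first = enabled.index(True)
        last = len(enabled) - 1 - enabled[::-1].index(True)
        enabled[first:last + 1] = [True] * (last - first + 1)
    names = [name for (_, name), on in zip(VERSIONS, enabled) if on]
    return options, names, ciphers


def offers_tls12(value):
    """True if the decoded value lets this side negotiate TLSv1.2."""
    return "TLSv1.2" in decode(value)[1]


if __name__ == "__main__":
    # The two values quoted in the post.
    quoted = [
        ("ssl/client_ciphersuites", "192:HIGH:MEDIUM:+e3DES:!aNULL"),
        ("ssl/ciphersuites", "135:HIGH:MEDIUM:+e3DES:!aNULL"),
    ]
    for param, value in quoted:
        options, names, ciphers = decode(value)
        print(f"{param}: options={options} protocols={names} ciphers={ciphers}")
```

`ssl/client_ciphersuites` governs outbound (client) connections such as the web-service call in the post, so its decoded protocol list is the one to compare with what the remote endpoint accepts.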

