We recently upgraded our PI 7.4 systems to SPS 15. Nothing really fancy in terms of features since SAP development in the PI space has pretty much come to a standstill these days. However, as part of the upgrade, it included the new IAIK library that now supports TLS 1.2. As mentioned in my previous blog post over a year ago, this was one of the more popular issues/discussions last year as it is a key functionality. Fast forward one year later, and that is still one of the most viewed blogs of mine since the migration to this new SAP Community platform, so my guess is this topic is still as relevant today as it was last year.

As mentioned, this new library is delivered as part of SAP Note 2284059 – Update of SSL library within NW Java server and it provides a fair amount of details related to the configuration of the library. Another useful resource related to this is Markus Schalk's blog Outbound support for TLS 1.1/1.2. In this blog, I will aim to share my own experience during this upgrade project with the intention of highlighting some of the key areas to take note of for anyone going through a similar journey.

So once we have the IAIK library installed, we could begin testing our HTTPS interfaces. As mentioned in the SAP Note, SAP strongly recommends that testing is done for all connections prior to deployment in production. We can verify the new IAIK library is being used and TLS 1.2 capability is available by using XPI Inspector to troubleshoot HTTP SSL connections. As shown below, the SSL debug logs show that the client hello is sent requesting SSL version 3.3 (i.e. An additional observation is that the renegotiation_info and signature_algorithms TLS extensions are also included.

Once we began testing, we noticed : Connection reset errors on some of the interfaces. One of our external partners confirmed that when using TLS 1.2, they also require the SNI (Server Name Indication) extension to be sent as well. Without this, the SSL handshake would fail and result in the error above. The SAP Note mentions that the SSL handshake can be further configured using a custom SSL configuration file. So first of all, we need to find a copy of the default configuration file. This is important because there are many existing properties configured there, and if we start with a blank file instead, all these default properties would be missing.