SAP Knowledge Base Article
2616983 - How to customize cipher suites in SSLContext.properties file
Component: BC-JAS-SEC-CPG (Cryptography), Version: 4, Released On: 19.09.2019
Symptom
You have updated the SSL library on your system according to KBA 2616423 and SAP Note 2284059 and need to customize the cipher suites.
Environment
SAP NetWeaver AS Java all versions
SAP Process Integration all versions
Reproducing the Issue
You want to establish an SSL connection between an SAP NetWeaver PI Java system and another system.
Cause
The cipher suites and/or enabled TLS versions requested by the receiver (test.example.it:443) are not compatible with the SAP default settings present on the NW Java server above a certain SP and patch level, as detailed in SAP Note 2284059.
Resolution
See the following example scenario:
The default cipher suites are the following:
#default cipher suites
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
These cipher suites are enabled on NW Java servers above the SP and patch level given in SAP Note 2284059 without any custom setting. Hence they are not visible in the SSLContext.properties file of iaik_ssl.jar, which can be found at "usr/sap/<SID>/SYS/global/security/lib/tools".
In this case, the other system (test.example.it:443) requires non-default cipher suites. This can be determined after testing the SSL configuration of the other server as per KBA 2616423. See the screenshot for the list of cipher suites configured on "test.example.it:443".
The following cipher suites are configured and used on this server:
• Starting with TLS_ECDHE_RSA_WITH*
• Starting with TLS_DHE_RSA_WITH*
Note! Cipher suites with ECDSA/ECDHE elliptic curve algorithms are supported only from a certain version of AS Java. See SAP Note 2708581 - ECC Support for Outbound Connections in SAP NW AS Java.
On versions below the one that SAP Note 2708581 mentions, SAP does not support TLS_ECDHE cipher suites (see KBA 2538934); hence only TLS_DHE_RSA_WITH* cipher suites can be used to set up the SSL communication between AS Java and the remote system (test.example.it:443). TLS_DHE_RSA_WITH* cipher suites are not among the defaults listed above (see also SAP Note 2284059, section 5.2), so a custom SSLContext.properties file must be used. KBA 2569156 describes how to obtain and maintain such a file in AS Java. Customize the file as follows:
1. Add all the custom cipher suites starting with TLS_DHE_RSA_WITH* that are found in the SSL test result, but do not add those of the form TLS_ECDHE_RSA_WITH*.
2. Add all the default cipher suites as well: once any cipher suite is specified in the properties file, no other cipher suites (not even the default ones) will be used.
3. Check the cipher suites offered under TLS 1.1 and TLS 1.0 as well. Additional cipher suites may be found there that are not present under TLS 1.2; add these to the custom SSLContext.properties file too.
For the case above (shown in the screenshot), the entries should be added to the custom SSLContext.properties file as follows:
#default cipher suites
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
#custom cipher suites
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
After all default and additional cipher suites (shown under TLS 1.2, TLS 1.1 and TLS 1.0) whose names do not start with TLS_ECDHE_RSA_WITH* have been added to the custom SSLContext.properties file, do the following:
1. Save the properties file and add the file's path to the right instance according to KBA 2569156.
2. Save the configuration in configtool.
3. Restart AS Java.
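The following is an added example, not SAP's code: it applies the three rules above to a constructed SSL test result (SCAN_RESULT is made up, not a real scan) and emits the custom file, then checks that a custom file still lists every default. The TLS_ECDHE_ filter covers the ECDHE_ECDSA suites as well as TLS_ECDHE_RSA_WITH*, and the protocol range follows the SAP Note 2284059 values quoted further down.

```python
# Added example, not SAP code: applies this KBA's rules to build a custom
# SSLContext.properties cipher list. SCAN_RESULT is a constructed SSL test result.

DEFAULT_SUITES = [  # the KBA's default list; a custom file must re-add all of them
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
]

# Constructed test result: suites the remote server offers, per TLS version.
SCAN_RESULT = {
    "TLS 1.2": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
    "TLS 1.1": ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"],
    "TLS 1.0": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"],
}

def select_custom_suites(scan, ecc_supported=False):
    """Merge remote suites across TLS 1.2/1.1/1.0 (step 3), deduplicated; below the
    AS Java version in SAP Note 2708581 the TLS_ECDHE_* suites are dropped (step 1)."""
    chosen = []
    for version in ("TLS 1.2", "TLS 1.1", "TLS 1.0"):
        for suite in scan.get(version, []):
            if not ecc_supported and suite.startswith("TLS_ECDHE_"):
                continue
            if suite not in chosen and suite not in DEFAULT_SUITES:
                chosen.append(suite)
    return chosen

def render_properties(custom, min_proto="TLS10", max_proto="TLS12"):
    """Emit the file: all defaults first (step 2), then custom suites, then the
    protocol range recommended in SAP Note 2284059."""
    lines = ["#default cipher suites"] + [f"cipherSuite={s}" for s in DEFAULT_SUITES]
    lines += ["#custom cipher suites"] + [f"cipherSuite={s}" for s in custom]
    lines += [f"client.minProtocolVersion={min_proto}", f"client.maxProtocolVersion={max_proto}"]
    return "\n".join(lines) + "\n"

def missing_defaults(properties_text):
    """Any cipherSuite entry disables every suite not listed, so report the
    defaults a custom file silently dropped."""
    present = {line.split("=", 1)[1].strip() for line in properties_text.splitlines()
               if line.startswith("cipherSuite=")}
    return [s for s in DEFAULT_SUITES if s not in present]
```

Running missing_defaults over an existing custom file before the AS Java restart shows which defaults were forgotten and will stop being offered.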
This solution can be applied in any other case where non-default cipher suites are required. The same steps apply; the cipher suites and TLS versions may differ according to the SSL test result.
Note that the same customization applies to all other settings of this kind, such as the TLS version: if a parameter is not present in the SSLContext.properties file, its default value applies. For example, if you set "client.minProtocolVersion=TLS11", protocol versions from TLS 1.1 upwards are accepted, so TLS 1.2 is accepted as well. The recommendation is to maintain the supported options described in SAP Note 2284059, such as:
client.minProtocolVersion=TLS10
client.maxProtocolVersion=TLS12
If you are on at least the version that SAP Note 2708581 mentions, you can add cipher suites with ECDHE/ECDSA elliptic curve algorithms to the customized SSLContext.properties file as well.
If only specific TLS versions are to be used for the SSL communication, the remote system also needs to be configured to allow only those TLS versions and not lower or higher ones.
See Also
2540433 - Update of SSL library within NW Java server
Keywords
SSL, SSL configuration, secure socket layers, TLS, transport layer security, TLS protocol, cipher suites, handshake failure, alert fatal, SSLException, peer sent alert, version 3.3, PI system, process integration, Netweaver Java, 443 port, ssl test, ssllabs, custom cipher suites, non-default cipher suites, DHE, ECDHE, TLS_DHE_RSA_WITH_AES, TLS_ECDHE_RSA_WITH
Attributes
Key Value
Other Components BC-XI-CON-AFW-SEC (Security)
Products
SAP NetWeaver all versions
SAP Process Integration all versions
This document refers to
SAP Note/KBA Title
2616423 SSL does not work between PI and Remote System - SSLException: Peer sent alert: Alert Fatal: handshake failure
2569156 How to create, modify and validate SSLContext.properties file
2538934 Handshake is failing in AS Java when connecting to a server which only supports TLS_ECDHE ciphers
2708581 ECC Support for Outbound Connections in SAP NW AS Java
2540433
2284059 Update of SSL library within NW Java server
This document is referenced by
SAP Note/KBA Title
3108204 REST Adapter - Concur cipher suite changes
3056954 How to check the cipher suites enabled in SAP Process Integration system for outbound connection
3057117 Peer certificate rejected by ChainVerifier - EC signed SHA256withRSA server certificate server certificate not capable for ECDHE_ECDSA key exchange algorithm!
3007243 Error retrieving certificates after changing SSLContext.properties file
2456800 How to change the supported SSL/TLS version in PI/PO system
2538934 Handshake is failing in AS Java when connecting to a server which only supports TLS_ECDHE ciphers
2569156 How to create, modify and validate SSLContext.properties file
2616423 SSL does not work between PI and Remote System - SSLException: Peer sent alert: Alert Fatal: handshake failure