TLS v1.2 setup

TLS stands for Transport Layer Security (full background you can read in this blog). It determines the security protocol used for the web part of the ABAP server.

Questions that will be explained in this blog:

  • How can I enable TLS v1.2 for my ABAP server?
  • How can I check TLS v1.2 is properly setup?
  • Can I disable TLS v1.0 and v1.1?

Setup of TLS v1.2 on ABAP

The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.

Settings to enable TLS v1.2 and still allowing v1.0 and v1.1 for older clients:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26  =  SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27  = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28  =  SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE

Set up of TLS v1.2 on HANA

For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.

How to check TLS v1.2 usage?

The TLS version usage per browser is a different process to check. Read this blog to find the exact instructions per browser.

The end result is as follows:

Can I switch off TLS v1.0 and v1.1?

Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Please also read the warning in this note: the advantage is very low, the risk that you will get issues is high.

So switching off in live system is tricky. Switching it off starting new system landscape is simple and a good idea to do.

TLS v1.3

TLS v1.3 is currently not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.

SAP background

More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.