SSL / TLS settings for SAP NetWeaver

Many SAP products, such as NetWeaver, use the sapcrypto / commoncrypto library (sapcryptolib.dll or sapcryptolib.so) for SSL / TLS and encryption.

SSL / TLS client configuration.

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

SSL / TLS server configuration.

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

You need at least sapcryptolib 8.4.40 for SNI (Server Name Indication) support. Before SNI, the client requested the certificate with the domain's IP instead of the domain name. SNI is used for hosting multiple sites on the same port with encryption.

ssl/client_sni_enabled = TRUE

An updated kernel is needed to use this parameter; details are in this note.

You can also set this option with an OS environment variable.

SAPSSL_CLIENT_SNI_ENABLED = TRUE

Minimum sapcryptolib versions for protocols.

Protocol    Version
TLS 1.0     5.5.5 PL 28
TLS 1.2     8.4.31
SNI         8.4.40
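
The check below is an added example, not SAP code and not part of the original page: it compares an installed library version and a profile against the minimum versions and parameter values listed above. It assumes profiles use "name = value" lines with "#" comments and that the version string has the form shown in the table; the function names and the sample profile are constructed for illustration.

```python
import re

# Minimum library versions and parameter values, copied from this page.
MIN_VERSION = {"TLS 1.0": "5.5.5 PL 28", "TLS 1.2": "8.4.31", "SNI": "8.4.40"}
PAGE_VALUES = {"ssl/client_ciphersuites": "150:PFS:HIGH::EC_P256:EC_HIGH",
               "ssl/ciphersuites": "135:PFS:HIGH::EC_P256:EC_HIGH"}

def parse_version(text):
    """Turn '8.4.40' or '5.5.5 PL 28' into a comparable tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*PL\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_profile(text):
    """Read 'name = value' lines, skipping '#' comment lines."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(profile_text, lib_version, env=None):
    """Return findings; SNI counts as on if the profile or the env variable is TRUE."""
    params, have = parse_profile(profile_text), parse_version(lib_version)
    findings = []
    for feature, minimum in MIN_VERSION.items():
        if have < parse_version(minimum):
            findings.append(f"library {lib_version} is below {minimum}, needed for {feature}")
    for name, value in PAGE_VALUES.items():
        if params.get(name) != value:
            findings.append(f"{name} is {params.get(name)!r}, this page gives {value!r}")
    sni_values = (params.get("ssl/client_sni_enabled", ""),
                  (env or {}).get("SAPSSL_CLIENT_SNI_ENABLED", ""))
    sni_on = any(v.upper() == "TRUE" for v in sni_values)
    sni_ok = have >= parse_version(MIN_VERSION["SNI"])
    if sni_on and not sni_ok:
        findings.append("SNI is enabled but the library is too old to support it")
    if sni_ok and not sni_on:
        findings.append("library supports SNI but it is not enabled")
    return findings

SAMPLE_PROFILE = """# constructed sample profile (not from a real system)
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_sni_enabled = TRUE
"""
```

Calling audit(SAMPLE_PROFILE, "8.4.38") reports that the library is below the SNI minimum even though the parameter is set, which is the mismatch to look for after a profile change without a library update.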

If SOAMANAGER does not exist

Some old systems do not have SOAMANAGER for configuring or creating logical ports or services. The t-codes below can be used for the same operations.

LPCONFIG
WSCONFIG
WSADMIN

distribution_policy does not exist

Depending on the SQL Server version, some columns change. The sap_tf_sysdatabases function references the distribution_policy column in sys.tables. With the program MSSPROCS (run with se38) you can change the stored procedures and functions used by SAP.