Technology Blogs by SAP
dragomir_anachkov
Product and Topic Expert

According to What’s New for SAP BTP, as of April 4th, the Custom Domain service in SAP BTP, Neo environment now also supports TLS 1.3. 

TLS 1.3 is the latest version of the TLS encryption protocol. It is intended to be both faster than TLS 1.2, by reducing HTTPS overhead, and more secure.

Here’s how you can manage these custom domain security settings:

 

Configuring a New Custom Domain

When you configure a custom domain in the Neo environment, one of the steps is to bind a certificate you’ve uploaded earlier in the procedure to the SSL host you’ve already created at the beginning of the configuration. 

When you bind the certificate to the SSL host with the bind-domain-certificate command, your custom domain supports by default both TLS 1.2 and TLS 1.3, and the following ciphers are enabled: AES128_SHA256, AES256_SHA256, AES128_SHA, AES256_SHA, ECDHE_RSA_AES128_CBC_SHA, ECDHE_RSA_AES128_SHA256, ECDHE_RSA_AES256_CBC_SHA, ECDHE_RSA_AES256_SHA384.

 

Already Configured Custom Domains: Updating the Supported TLS Protocol Version

If you have a custom domain that’s already configured in the Neo environment, you can enable TLS 1.2 or TLS 1.3 or both by running the set-ssl-host command with the optional parameter --supported-protocols:

- Only TLS 1.2 is enabled:

neo set-ssl-host -a mysubaccount -u mymail@example.com -h hana.ondemand.com -n mysslhostname -c mycert --supported-protocols "TLSV1_2"

- Only TLS 1.3 is enabled: 

neo set-ssl-host -a mysubaccount -u mymail@example.com -h hana.ondemand.com -n mysslhostname -c mycert --supported-protocols "TLSV1_3"

- Both TLS 1.2 and TLS 1.3 are enabled: 

neo set-ssl-host -a mysubaccount -u mymail@example.com -h hana.ondemand.com -n mysslhostname -c mycert --supported-protocols "TLSV1_2,TLSV1_3"

Note that if you have already enabled additional ciphers with the --supported-ciphers parameter, and later you decide to enable TLS 1.2 or TLS 1.3 or both, these ciphers will be disabled.

 

Already Configured Custom Domains: Updating the Supported TLS Protocol Version with Additional Ciphers

For example, if you want to replace the support of TLS 1.2 with TLS 1.3 and keep your additionally enabled ciphers, this is how you should run the set-ssl-host command: 

neo set-ssl-host -a mysubaccount -u mymail@example.com -h hana.ondemand.com -n mysslhostname -c mycert --supported-protocols "TLSV1_3" --supported-ciphers "AES128-SHA,AES256-SHA" 

In this example, TLS 1.3 is the only supported protocol version, and AES128-SHA and AES256-SHA remain enabled as additional ciphers.
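
After running set-ssl-host, you can confirm from a client that the custom domain accepts exactly the protocol versions you configured. The Python script below is an added example, not part of the original post or of SAP's tooling; the host name www.example.com and all function names are assumptions.

```python
import socket
import ssl

# neo CLI protocol tokens from this page mapped to Python's TLS versions.
TOKENS = {"TLSV1_2": ssl.TLSVersion.TLSv1_2, "TLSV1_3": ssl.TLSVersion.TLSv1_3}


def parse_protocols(value):
    """Parse a --supported-protocols value, ignoring stray spaces."""
    tokens = {t.strip().upper() for t in value.split(",") if t.strip()}
    if not tokens or tokens - set(TOKENS):
        raise ValueError(f"bad --supported-protocols value: {value!r}")
    return tokens


def probe_version(host, token, port=443, timeout=5.0):
    """Offer exactly one TLS version; return (version, cipher) or None if refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TOKENS[token]
    ctx.maximum_version = TOKENS[token]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # a certificate problem is not a protocol refusal
    except (ssl.SSLError, ConnectionResetError):
        return None  # the server refused a handshake at this version


def audit(host, supported_protocols, probe=probe_version):
    """List differences between what the host accepts and what was configured."""
    expected = parse_protocols(supported_protocols)
    findings = []
    for token in sorted(TOKENS):
        accepted = probe(host, token) is not None
        if accepted and token not in expected:
            findings.append(f"{token} accepted but not configured")
        elif not accepted and token in expected:
            findings.append(f"{token} configured but refused")
    return findings


if __name__ == "__main__":
    # Assumed host name; use your own custom domain and configured value.
    print(audit("www.example.com", "TLSV1_3") or "matches configuration")
```

Network errors such as timeouts or DNS failures are raised rather than reported as a refusal, so an unreachable host is never mistaken for a disabled protocol version.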

If you have any questions, feel free to ask them in the comments section below.