SAP JAVA PO - Error "Alert Fatal: handshake failure" on webservice

wlourens2
Participant
0 Kudos
202

Dear Experts,

We get an “iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure” error when testing a webservice:

2.png

The API doesn’t require user authentication; it only requires a header “apiKey”, which was entered successfully.

We get a successful response in Postman, so the issue seems to be on the SAP PO system.

As per blogs and SAP note 2616423 this seems like a TLS error.

HTTPS is not enabled on the SAP PO system. I see HTTPS is required for TLS 1.3. Please confirm that the first step I should take is to enable HTTPS on the SAP PO system, to point me in the right direction? Or is HTTPS not relevant on the SAP PO system?

Kind Regards,

Accepted Solutions (1)

junwu
SAP Champion
0 Kudos

The certificate from the target server should be imported into your PO as trusted.

wlourens2
Participant
0 Kudos
Dear Junwu, I exported the certificate from the URL https://staging-bo.egp.gov.et and imported it into my SAP PO system, into TrustedCAs and Service_SSL in "Certificates and Keys: Key Storage". Unfortunately, still the same issue.
wlourens2
Participant
0 Kudos

I'll post the feedback from the SAP incident here, as it was very helpful:

Proposed Solution:
Hello Team,

I hope you're doing well.

Thank you for the information you've provided so far.


This target server "..." demands the ciphers below on the client side (PO Java):

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


Please follow below steps:

1) Please make sure your SSLContext.properties is maintained in the right path as per KBA 0002693382 - Cannot read config file SSLContext.properties

Incorrect configurations:
-Diaik.security.ssl.configFile=D:\usr\sap\<SID>\SYS\global\security\lib\tools\SSLContext.properties
-Diaik.security.ssl.configFile=/sapmnt/<SID>/global/security/lib/tools/SSLContext.properties


Correct configuration for Windows Systems: -Diaik.security.ssl.configFile=file:/<Logical Drive>:/usr/sap/<SID>/SYS/global/security/lib/tools/SSLContext.properties
Correct configuration for Unix based Systems: -Diaik.security.ssl.configFile=file:/usr/sap/<SID>/SYS/global/security/lib/tools/SSLContext.properties

2) Please set the JVM parameter in the Config Tool; refer to point C of KBA 0002569156

3) Once this file is created, modify it by adding "Profile 3" from 0002708581 - ECC Support for Outbound Connections in SAP NW AS Java to the SSLContext.properties file.
Prerequisite for Example Profile 3: the unlimited strength jurisdiction policy (crypto.policy=unlimited) is enabled on the used JVM according to SAP KBA 1240081 (Java Cryptography Extension (JCE) Jurisdiction Policy Files).
This KBA describes how to set crypto.policy=unlimited: 0003292308 : AES-256 algorithm requires unlimited cryptography!

Add like below:
#
client.allowLegacyRenegotiation=true
extension=signature_algorithms
extension=server_name.noncritical
extension=elliptic_curves
extension=ec_point_formats
securityProvider=iaik.security.ssl.ECCelerateProvider

# enable cipher suites with ECDHE key exchange (unlimited strength)
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
#
# keep default cipher suites as fallback
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
#
# enable old&slow DHE cipher suites (you don't want them with limited strength 1024-bit DHE at all)
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Save the config file and restart the J2EE system, then test the SSL flow again.
This should resolve the problem...


Regards,
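To check a profile like the one above before restarting the J2EE system, here is an added example (not from the thread, and not an SAP tool): a small Python script that parses SSLContext.properties text, confirms that every cipher suite the target server demands is enabled, checks the -Diaik.security.ssl.configFile parameter for the file: URL form the KBA requires, and flags fallback suites a defender would rather not leave on (RC4, 3DES, and static-RSA suites without forward secrecy). The required-suite list is the one from the incident reply; the sample configuration is a constructed excerpt in the style of Profile 3, and "<SID>" is a placeholder.

```python
"""Offline checker for an SAP PO / AS Java SSLContext.properties file.

Added example, not from the thread. It parses the property file text,
checks the JVM -D parameter for the file: URL form the KBA requires,
verifies every cipher suite the target server demands is enabled, and
flags fallback suites worth reconsidering.
"""
import re

# Cipher suites the SAP incident reply says the target server demands.
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Suites relying on broken or legacy algorithms (RC4, 3DES) and suites
# with static RSA key exchange (no forward secrecy).
WEAK_MARKERS = ("_RC4_", "_3DES_")
NO_PFS_PREFIXES = ("TLS_RSA_WITH_", "SSL_RSA_WITH_")

# Constructed sample excerpt in the style of KBA 2708581 "Profile 3".
SAMPLE_CONFIG = """
# constructed sample, not a real system's file
client.allowLegacyRenegotiation=true
extension=signature_algorithms
extension=server_name.noncritical
extension=elliptic_curves
extension=ec_point_formats
securityProvider=iaik.security.ssl.ECCelerateProvider
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""


def parse_properties(text):
    """Parse key=value lines; repeated keys (cipherSuite, extension) collect into lists."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props.setdefault(key.strip(), []).append(value.strip())
    return props


def check_config_file_param(param):
    """True if -Diaik.security.ssl.configFile uses the file:/ URL form with forward slashes."""
    m = re.fullmatch(r"-Diaik\.security\.ssl\.configFile=(.*)", param)
    if not m:
        return False
    value = m.group(1)
    return value.startswith("file:/") and "\\" not in value


def audit(text, required=REQUIRED_SUITES):
    """Compare the enabled suites against the server's demands and flag weak fallbacks."""
    props = parse_properties(text)
    enabled = props.get("cipherSuite", [])
    missing = sorted(required - set(enabled))
    weak = [s for s in enabled if any(mk in s for mk in WEAK_MARKERS)]
    no_pfs = [s for s in enabled if s.startswith(NO_PFS_PREFIXES)]
    ecc_provider = "iaik.security.ssl.ECCelerateProvider" in props.get("securityProvider", [])
    has_sni = any(v.startswith("server_name") for v in props.get("extension", []))
    return {
        "missing_required": missing,
        "weak_suites": weak,
        "no_forward_secrecy": no_pfs,
        "ecc_provider": ecc_provider,
        "sni_extension": has_sni,
        # ECDHE suites need the ECCelerate provider; SNI is needed for most
        # virtual-hosted HTTPS endpoints, so treat both as part of readiness.
        "ready": not missing and ecc_provider and has_sni,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
    unix_param = "-Diaik.security.ssl.configFile=file:/usr/sap/<SID>/SYS/global/security/lib/tools/SSLContext.properties"
    print("JVM parameter ok:", check_config_file_param(unix_param))
```

Run it against the real file contents (read from disk) and the parameter string from the Config Tool; a non-empty missing_required list explains a handshake failure against that server, while weak_suites and no_forward_secrecy list what can be removed once the connection works.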

wlourens2
Participant
0 Kudos

.

Answers (0)