Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Setting the right settings for TLS and cipher parameters for SAP PO can be difficult, as an overview of information available is mainly spread across a variety of notes by SAP. Currently, there’s more and more systems switching security levels to mandatory TLS 1.2 policy, as well as requiring higher security ECDHE and ECDSA ciphers. Setting the right parameters can be difficult for consultants, as different security requirements are set by different customers. Similarly, for developers at end clients, information on setting the different parameters might not be easily available, as information on parameters being spread through the various SAP notes. Subsequently, here is an overview of TLS, ciphers, and available parameters.

There are several topics for TLS version and ciphers which can be important to set the right parameters:

  • TLS version

  • Ciphers used

  • Testing allowed TLS versions and ciphers

  • Testing SAP PO TLS version and cipher compatibility

  • Enabling TLS version

  • Ciphers supported by default

  • Enabling additional cipher types using file

  • Enabling DHE ciphers

  • Enabling ECDHE and ECDSA ciphers

  • Example file

TLS version

Most systems are using TLS 1.2, although some systems are still supporting TLS 1.0 and 1.1. When SSL is displayed when testing TLS version used, SSL versions are similar to different TLS versions. SSL 3.1 is equal to TLS 1.0, SSL 3.2 is the same as TLS 1.1 and SSL 3.3 is equal to TLS 1.2.

Ciphers used

SAP PO supports three types of ciphers:

  • Default available

  • DHE ciphers

  • Elliptic curves

Default available are TLS RSA and SSL RSA ciphers, these can be identified by cipher name starting with TLS_RSA or SSL_RSA (for example TLS_RSA_WITH_AES_128_GCM_SHA256). Similarly, DHE ciphers can be recognized by cipher name starting with TLS_DHE (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256). Elliptic curve ciphers can be identified by cipher name starting with either TLS_ECDHE or TLS_ECDSA (e.g TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).

SAP PO by default supports all ciphers with a length of 128 bits, these can be identified by 128 following the cipher name (for example TLS_RSA_WITH_AES_128_CBC_SHA). All 256 bit ciphers use a longer key, and can only be used if unlimited strength policies are enabled.

Testing allowed TLS versions and ciphers

Allowed TLS versions and ciphers for a connection can be tested using the SSL test service by SSL labs:

Testing SAP PO TLS version and cipher compatibility

TLS version and cipher compatibility in SAP PO can be tested using XPI Inspector (example 11).

Enabling TLS version

From SAP PO 7.5 SP05 or higher, all TLS versions (up to TLS 1.2) are supported. In any other versions of SAP PI/PO, TLS 1.0 and 1.1 are supported by default. TLS 1.2 can be enabled by patching or SP update.

Minimum SP level (with patching):

  • SAP PI 7.10 SP18

  • SAP PI 7.11 SP12

  • SAP PI 7.30 SP13

  • SAP PI 7.31 SP08

  • SAP PI/PO 7.4 SP03

  • SAP PO 7.5 SP00

Ciphers supported by default

By default, SAP PO supports all 128bit TLS RSA and SSL RSA ciphers. 256bit ciphers are enabled by default depending on JVM version (6.1.107, 7.1.055, 8.1.036 or higher) of SAP PO, or can be enabled on lower JVM versions by downloading and installing unlimited strength policy files.

Enabling additional cipher types using file

Any additional ciphers can be enabled, when available in SAP PO version, by adding these to the file. When modifying the file, at least parameters client.allowLegacyRenegotiation=true (allow renegotiation of ciphers), extension=signature_algorithms and extension=server_name.noncritical (send signature algorithms and server name initiating the connection) should be present.

Preferred ciphers can be used by modifying file and manually adding ciphers, by adding cipherSuite=<name of cipher> to the file.

When modifying file with preferred ciphers, all other ciphers are no longer enabled. If default ciphers should remain enabled, these should be manually added as preferred ciphers to the modified file.

Enabling DHE ciphers

DHE ciphers are supported by default if TLS 1.2 is available in SAP PO. However, DHE ciphers have to be added manually to the file to be available.

Enabling ECDHE and ECDSA ciphers

ECDHE and ECDSA ciphers are supported in SAP PO 7.5 SP08 (with patching) or higher. Lower versions of SAP PI/PO do not support ECDHE and ECDSA ciphers.

To be enabled, a modified file is required, adding parameter extension=elliptic_curves.

Example file

An example file enabling all for SAP PO available ciphers, except ECDSA, can be found in note 2708581 (example 3). Availability of non-default (DHE, ECDHE etc) and 256bit ciphers is still dependent on SAP PO version and parameters set.


Hopefully this blog has been useful in explaining the different TLS versions and cipher types, testing these, as well as the parameters for TLS version and ciphers in SAP PO.

Overview of SAP notes used:

  • 2284059: default ciphers, DHE ciphers, TLS 1.2 upgrade

  • 1240081: unlimited strength policy files

  • 0002246884: finding JVM version

  • 2708581: ECDHE and ECDSA ciphers, examples of modified file

  • 2569156: modify file

  • 1514898: XPI Inspector

Further reading:
1 Comment
Labels in this area