Remediation step on weak TLS vulnerability

SAPSupport
Employee

I need guidance on how to remediate a system vulnerability reported by our VA tool. It is related to TLS. The step suggested by the tool is very general and not specific to an SAP ECC on SUSE Linux environment. Please find the attached file for the detailed vulnerability.

Regards,
Zaharah


SAPSupport
Employee

I can provide a general approach to addressing TLS vulnerabilities in such an environment. Here are the steps you can follow:

  1. Review the Vulnerability Report: Carefully read the vulnerability report generated by your VA tool. Identify the specific TLS-related issues, such as weak ciphers, outdated protocols, or misconfigurations.

  2. Update OpenSSL: Ensure that OpenSSL is up to date on your SUSE Linux system. You can update OpenSSL using the following commands:

    sudo zypper refresh
    sudo zypper update openssl

  3. Configure Strong Ciphers and Protocols:

    • Edit the OpenSSL configuration file, typically located at /etc/ssl/openssl.cnf or /etc/ssl/openssl.conf.
    • Ensure that only strong ciphers and protocols are enabled. For example, you can disable SSLv2 and SSLv3 and enable TLSv1.2 and TLSv1.3:

      [system_default_sect]
      MinProtocol = TLSv1.2
      CipherString = DEFAULT@SECLEVEL=2

  4. Update SAP Profile Parameters:

    • Log in to your SAP system and navigate to the profile parameters.
    • Update the parameters related to TLS/SSL to enforce strong ciphers and protocols. For example:

      ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
      ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
      ssl/protocols = !SSLv2:!SSLv3:TLSv1.2:TLSv1.3

  5. Restart SAP Services: After making the necessary changes, restart the SAP services to apply the new configurations. You can do this using the following commands:

    sudo su - <sidadm>
    stopsap
    startsap

  6. Verify the Configuration: Use tools like openssl s_client or online SSL/TLS testing services to verify that the changes have been applied correctly and that the system is no longer vulnerable.
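An added verification helper for step 6 (not from the original thread): it scripts the openssl s_client check, one handshake per protocol version, so you can see whether TLS 1.0/1.1 are still accepted after the change. It assumes openssl is on PATH; the host name and port 44300 are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original thread. Runs one openssl s_client
# handshake per TLS version against host:port and flags any pre-TLS1.2
# version the server still accepts. Assumes openssl on PATH; host/port below
# are placeholders.

# Classify one openssl s_client transcript. openssl prints
# "New, <proto>, Cipher is <name>" on success and
# "New, (NONE), Cipher is (NONE)" when the handshake failed.
judge() {
    if printf '%s\n' "$1" | grep -q 'New, TLSv[0-9.]*, Cipher is [A-Z0-9]'; then
        echo ACCEPTED
    elif printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo REJECTED
    else
        echo ERROR   # no handshake summary: refused, timeout or unknown flag
    fi
}

# Versions below TLS 1.2 are what the VA tool reports as weak.
is_weak() {
    case "$1" in
        tls1|tls1_1) return 0 ;;
        *) return 1 ;;
    esac
}

# -cipher DEFAULT@SECLEVEL=0 keeps the *client* permissive, so a REJECTED
# verdict really comes from the server, not from the local OpenSSL policy.
scan_host() {
    host="$1"; port="$2"; weak_found=0
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                -cipher 'DEFAULT@SECLEVEL=0' "-$flag" </dev/null 2>&1)
        verdict=$(judge "$out")
        printf '%-8s %s\n' "$flag" "$verdict"
        if [ "$verdict" = ACCEPTED ] && is_weak "$flag"; then weak_found=1; fi
    done
    if [ "$weak_found" -eq 1 ]; then
        echo "FAIL: a pre-TLS1.2 version is still accepted; re-check the profile parameters and OpenSSL config, then restart."
        return 1
    fi
    echo "OK: only TLS 1.2/1.3 accepted"
}

# Only scan when a host is given, e.g.: sh tls_check.sh sap-host.example 44300
if [ $# -ge 1 ]; then scan_host "$1" "${2:-44300}"; fi
```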