SAP PI/PO Error: "SSLException while handshaking:handshake failure" when connecting to SAP Integration Suite, managed gateway for spend management and SAP Business Network

	English	
Deutsch - Machine Translation Español - Machine Translation Français (France) - Machine Translation Italiano - Machine Translation 日本語 - Machine Translation 한국어 - Machine Translation Português (Brasil) - Machine Translation Русский - Machine Translation 简体中文 - Machine Translation

Support Note KB0406291

Symptom

After Managed Gateway for Spend&Network TLS 1.2 cipher suites hardening activity all my SAP Process Integration/Process Orchestration (PI/PO) outbound messages sent to Ariba SAP Integration Suite, managed gateway for spend management and SAP Business Network (CIG) are failing with below SSL handshake error in XPI inspector > SSL Example 11 traces:

Error: Begin IAIK Debug:
ssl_debug(xx): Starting handshake (iSaSiLk xxx)...
ssl_debug(xx): Sending v3 client_hello message to acig.ariba.com:443, requesting version x.x...
ssl_debug(xx): Sending extensions: renegotiation_info (xxxx), signature_algorithms (xx)
ssl_debug(xx): Received alert message: Alert Fatal: handshake failure
ssl_debug(xx): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
ssl_debug(xx): Shutting down SSL layer...
ssl_debug(xx): Closing transport...

End IAIK Debug.

Cause

1. As part of TLS 1.2 cipher suite hardening SAP Integration Suite, managed gateway for spend management and SAP Business Network will deprecate the below ciphers for SAP Integration Suite, managed gateway for spend management and SAP Business Network. They have been removed for not supporting Perfect Forward Secrecy (PFS) and will no longer be offered during the TLS handshake. If any of your external clients still use any of the following deprecated cipher suites to establish SSL handshake will be unable to communicate with SAP Integration Suite, managed gateway for spend management and SAP Business Network. As a result, transactions will fail with SSL handshake errors.

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

2. As per client server architecture, client presents a list of ciphers and server selects the supported cipher and SSL handshake is established. If your SAP PI client is not sending at-least one of the SAP Integration Suite, managed gateway for spend management and SAP Business Network supported ciphers during TLS handshake with SAP Integration Suite, managed gateway for spend management and SAP Business Network server, SSL handshake failure occurs.

Resolution

Please ensure the IAIK Java library of your SAP PI version (SAP NetWeaver for AS Java) supports any of the below ciphers (i.e. either ECDHE or DHE)to establish successful SSL handshake with Managed Gateway for Spend&Network host URL's. Depending on which Managed Gateway for Spend&Network data center you are connecting, this URL will change.

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

The above ECDHE or DHE ciphers may not be enabled by default in every SAP PI system and depends on your specific SAP PI version.Please refer to KBA How do I check the list of Cipher suites enabled in my SAP PI AS Java runtime? for steps to check the list of ciphers enabled in your SAP PI system at runtime.

Refer to below steps for high level guidance to know how to enable ECHDE or DHE ciphers in your SAP PI system:

For information about support of above listed TLS_ECDHE ciphers in your SAP PI version, refer below:

1. If only TLS_ECDHE ciphers are to be used in your SAP PI the only options are the ones described in SAP KBA 2538934 - Handshake is failing in PI when connecting to a server which only supports TLS_ECDHE ciphers.
2. In order to enable ECDHE ciphers your SAP PI system must be in a version where SAP Note 2708581 - ECC Support for Outbound Connections in SAP NW AS Java can be implemented. This note is only available for NetWeaver AS Java release 7.50 Support Package 08 or higher.
3. If your SAP PI system is on any lower version than stated above, E.g. SAP PI 7.50 SP07 etc, it does not support ECDHE ciphers. In this case, please do not enable ECDHE using SSLContext.properties or you will cause issues affecting all your integrations.
If your SAP PI version does not support listed ECDHE ciphers, you can enable the DHE ciphers that are still part of the above supported list of SAP Integration Suite, managed gateway for spend management and SAP Business Network endpoint. For information about support of DHE ciphers in your SAP PI version, refer below:

1. In order to enable DHE ciphers, you can follow SAP KBA 2569156 - How to create, modify and validate SSLContext.properties file, this is applicable to SAP NetWeaver for AS Java 7.1X/7.2/7.3X/7.4/7.5 SAP PI environments.
2. Please be informed that if no Cipher suite entry is present in the SSLContext.properties file, it means that default ones are used listed in SAP Note 2284059 - Update of SSL library within NW Java server "Cipher suites supported in the default configuration" part.
3. If you want to use other Cipher suite configuration than default, see "Modify the list of supported cipher suites" part of SAP Note 2284059 - Update of SSL library within NW Java server and the KBA 2616983 - How to customize cipher suites in SSLContext.properties file with parameter cipherSuite=<name of cipher suite>.
4. Note that just one such line deactivates all the default ciphers and they must be listed explicitly if you still want to use the default ciphers when you have configured this parameter.
SSLContext.properties is loaded by system when your AS Java starts, so any changes in this file requires a system restart to make the changes available in your system.Hence one or more of the above steps may require SAP PI restart, so please plan accordingly.
There is no workaround to any of these steps and you should ensure your SAP PI is compatible to at-least one of the supported ciphers listed in SAP Integration Suite, managed gateway for spend management and SAP Business Network endpoint to successfully transact.

See Also

Please contact your internal SAP PI Basis/security teams for any further details on validating if your SAP PI version is compatible to any of the above listed SAP Integration Suite, managed gateway for spend management and SAP Business Network supported ciphers and implement changes that suit your PI version accordingly.
If your SAP PI Basis/security teams need any further explanation of how to implement the changes in your SAP PI system or has questions on what is relevant for your scenario even after reading above, please log an SAP PI OSS incident under component BC-JAS-SEC-CPG (SAP Netweaver AS Java) or BC-XI-CON-AFW-SEC (Security) as this is a pure SAP PI basis/security configuration. Steps on how to create an SAP OSS incident are detailed in FAQ How do I create an SAP OSS incident?
For additional information, please refer below SAP KBA's:

1. SAP KBA Enable JCE Unlimited Policies as per 1240081 - Java Cryptography Extension (JCE) Jurisdiction Policy Files. 256 Cipher Suites are only available with this option.
2. 2284059 - Update of SSL library within NW Java server
3. 2604240 - TLS handshake failure due to missing SNI extension
4. For information on XPI Inspector, refer to How do I install XPI Inspector in my SAP PI system?

Applies To

SAP Integration Suite Managed Gateway > Managed Gateway for Business Network
SAP Integration Suite Managed Gateway > Managed Gateway for Business Network SCC > Managed Gateway for Buyer Business Network SCC
SAP Integration Suite Managed Gateway > Managed Gateway for Sourcing Integration