Release Update KB0840650
SAP Ariba TLS Update information
Symptom

On 24th January 2025, the cipher suites that SAP Ariba applications and SAP Business Network support for connections will change. Please review the following, because this change may impact your connections with our solutions.

WHAT WILL HAPPEN

On 24th January 2025, SAP Ariba applications and SAP Business Network will:

The following weak TLS 1.2 cipher suites will not be supported after January 24, and will result in connection failures:


Environment

SAP NetWeaver 7.5


Reproducing the Issue

WHAT ARE THE IMPACTS

Starting 24th January 2025, the following will happen if TLS 1.3 is not enabled.


Cause

SAP Ariba and SAP Business Network are committed to protecting the security of customers and their suppliers. SAP Ariba and SAP Business Network will be implementing some mandatory changes to ensure the use of stronger cryptographic algorithms, enhanced security mechanisms, and better protection against known vulnerabilities.


Resolution

If you haven’t already, move to the strong TLS 1.2 cipher suites (listed below) as soon as possible for improved security. In addition, we strongly recommend enabling TLS 1.3, which is the current protocol version and provides the most secure connections. To ensure compatibility and support, take the following actions before 24th January 2025.

  1. Enable TLS 1.3 cipher suites
    To maximize the security of your SAP Ariba applications and SAP Business Network connections, we strongly recommend enabling TLS 1.3 which will be supported beginning January 24. Support for TLS 1.3 is not expected to be disruptive or incompatible with your SAP Ariba applications and SAP Business Network.
    We suggest using at least one of the following TLS 1.3 cipher suites:
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_GCM_SHA256

      After enabling TLS 1.3 cipher suites, TLS handshakes from existing TLS 1.2 (using weak or strong TLS 1.2 cipher suites) will automatically switch to TLS 1.3 on January 24. If both strong TLS 1.2 and TLS 1.3 are available, the connections will default to the first supported cipher suite enabled.

  2. Enable strong TLS 1.2 cipher suites
    In addition to enabling TLS 1.3 cipher suites before January 24, we strongly recommend enabling strong TLS 1.2 cipher suites now, for a more secure connection.

    Examples of strong TLS 1.2 cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    FAQ

    In general, if the connecting software version is relatively up to date, this change will likely not affect you. If your connecting software is quite old, you need to verify that it can interoperate with the supported cipher suites.

    1. If we are connecting directly to NetWeaver ABAP or S/4HANA (no middleware involved), do we need to make any changes?
      A: Ensure the parameter recommendations from section 7 of SAP Note 510007 "Additional considerations about setting up SSL on Application Server ABAP" are in place.
      To restrict to TLS 1.2, refer to SAP Note 2384290 "SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients" -> "Profile parameter values for limiting protocol versions to strict TLSv1.2-only"

    2. We are using SAP Process Integration (PI) or SAP Process Orchestration (PO) as our middleware, do we need to take any actions regarding this change?
      A: Yes. You need to ensure one or all of the above strong TLS 1.2 cipher suites are enabled in your system.
      1. The system must have the software version or higher as per SAP Note 2284059 Update of SSL library within NW Java server (for DHE ciphers) or software version or higher as per SAP Note 2708581 ECC Support for Outbound Connections in SAP NW AS Java (for ECDHE ciphers) AND
      2. The SSLContext.properties file must be manually updated to enable support for the strong TLS 1.2 ciphers listed above.

    3. The software versions are in place, how do we ensure one or all of the above strong TLS 1.2 cipher suites are enabled in NetWeaver?
      1. Update the SSLContext.properties file as per Example Profile 3 from SAP Note 2708581 - this will ensure the maximum level of interoperability is enabled on the PI/PO NetWeaver side.
      2. Instructions on maintaining the SSLContext.properties file are available in KBA 2569156 How to create, modify and validate SSLContext.properties file.

    4. Can we enable TLS 1.3 in SAP NetWeaver 7.50?
      A: For Outbound connections (PO Receiver Adapter -> SAP Ariba), no, TLS 1.3 is not supported in NetWeaver 7.5 or lower for outbound connections.
      For Inbound connections (SAP Ariba -> PO Sender Adapter), yes, TLS 1.3 is supported in NetWeaver 7.5 for inbound connections with SAP Note 3318423 Is TLS 1.3 Supported by SAP Kernel for Netweaver AS ABAP, (same is applicable for AS Java).

    5. We are using SAP Integration Suite or SAP Cloud Process Integration (CPI) as our middleware, do we need to take any actions regarding this change?
      A: No. These capabilities already exist in SAP Integration Suite and no actions are necessary there.

    6. Is it necessary to ensure all of the ciphers are available?
      A: No, only 1 common cipher on both sides of the connection is necessary to ensure the connection will work.
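
    The check described in FAQ 6, as an added example that is not part of the SAP KB article: it maps the IANA cipher suite names listed above to the OpenSSL names that Python's ssl module reports and shows which of them a client offers. The function names and the sample offer are assumptions made for illustration, and the TLS 1.2 list above is given as "examples", so a negative result means only that none of the suites listed on this page is offered.

```python
import ssl

# IANA names as listed on this page -> OpenSSL names reported by Python's ssl module.
TLS13 = {
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
}
STRONG_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}


def audit_offer(offered_names):
    """offered_names: OpenSSL cipher names a client will offer.

    Returns the page-listed suites that are present (by IANA name) and whether
    at least one is available; FAQ 6 says one common suite is enough.
    """
    offered = set(offered_names)
    tls13 = sorted(iana for iana, name in TLS13.items() if name in offered)
    tls12 = sorted(iana for iana, name in STRONG_TLS12.items() if name in offered)
    return {"tls13": tls13, "strong_tls12": tls12,
            "has_listed_suite": bool(tls13 or tls12)}


def local_client_offer():
    """Cipher names offered by the default Python/OpenSSL client context on this host."""
    ctx = ssl.create_default_context()
    return [cipher["name"] for cipher in ctx.get_ciphers()]


# Constructed sample: a legacy client offering two CBC suites and one DHE GCM suite.
SAMPLE_LEGACY = ["ECDHE-RSA-AES128-SHA", "AES256-SHA", "DHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("constructed sample:", audit_offer(SAMPLE_LEGACY))
    print("this host:", audit_offer(local_client_offer()))
```

    This inspects only the Python/OpenSSL client on the machine where it runs; a NetWeaver or other middleware stack has its own cipher configuration and must be checked with its own tooling.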

    See Also

    KBA 2708581 - ECC Support for Outbound Connections in SAP NW AS Java



    Applies To

    Procurement Application Services
