
2569156 - How to create, modify and validate SSLContext.properties file


Symptom

You updated the SSL library according to SAP Note 2284059 and want to modify the SSLContext.properties file (to set custom values).

Environment

SAP NetWeaver for AS Java 7.1X/7.2/7.3X/7.4/7.5 using SSL

Resolution

A) Get SSLContext.properties file that is present on your filesystem:

    1. Navigate to folder "usr/sap//SYS/global/security/lib/tools/" and choose iaik_ssl.jar file.
    2. Copy this file to a specific folder.
    3. Rename it into iaik_ssl.zip.
    4. Open this iaik_ssl.zip and find SSLContext.properties file. It can be found on path ".../iaik_ssl/iaik/security/ssl/".
    5. Extract the file.

B) Modify SSLContext.properties file with the custom settings:

    1. Resolution part A) is not mandatory: if you create an empty text file and copy it to the appropriate folder, the result will be the same.
    2. So create an empty SSLContext.properties file, or open the file that you got in resolution part A) with a text editor, e.g. Notepad++.
    3. Maintain the desired custom properties.
       Regarding cipher suites: if no cipher suite entry is present in the properties file, the default ones are used. They are listed in the "Cipher suites supported in the default configuration" part of SAP Note 2284059.
       If you want to use a cipher suite configuration other than the default, see the "Modify the list of supported cipher suites" part of SAP Note 2284059 and KBA 2616983, with parameter cipherSuite=
       Note that just one such line deactivates all the default ciphers. They must be listed explicitly when you have configured this parameter.
       If you want to remove default ciphers, explicitly list just those you want to keep from the list in section 'Cipher suites supported in the default configuration' of note 2284059, again with parameter cipherSuite=.
    4. Make sure the file location can be accessed at runtime without any issue.
    5. Make sure that all permissions are granted to this file and its folder.

To customize the TLS versions, refer to the following KBA:
2284059 - Update of SSL library within NW Java server


C) Specify the path of SSLContext.properties file in Config Tool:

    1. Copy the customized SSLContext.properties file to a subfolder of the global folder "usrsapSYSglobal..." e.g. to usrsapSYSglobalsecuritylibtools folder. Each node must be able to access this config file.
    2. Open Config Tool "usrsapj2eeconfigtool". (You can also add this parameter via NWA. Check the steps at the end of this section.)
    3. Navigate to "cluster-data" -> template -> instance.
    4. Choose "VM Parameters" -> Additional -> New.
    5. Add -Diaik.security.ssl.configFile=file:/
       See formats: Name: "-Diaik.security.ssl.configFile"; Value: "file:/".
       The file name must be included in the value.
       The same result can be reached if you maintain the parameter "iaik.security.ssl.configFile=file:/" (without the "-D" prefix) under "VM Parameters" -> System.
    6. Press OK. Now you should see the new additional parameter.
    7. Repeat for all instances.
    8. Save Config Tool.
    9. Restart the AS Java to validate the changes.

To add this parameter via NWA, do the following:

    1. Access NWA via http://:/nwa.
    2. Go to Configuration -> Infrastructure -> Java System Properties.
    3. Select tab "Additional VM Parameters".
    4. Click the "add" button.
    5. Fill in "Name" and "Default Calculated Value" with the correct values.
    6. Save and restart the AS Java to validate the changes.

For additional information regarding JVM parameter changes, see KBA 1888685 "How to add new JVM parameters" part.
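
The checks from parts B) and C), as an added example (not SAP code and not part of the original KBA): a Python script that resolves the value given for -Diaik.security.ssl.configFile, confirms it names a readable file, and reports whether cipherSuite lines switch off the default cipher suites. It assumes plain key=value lines with # or ! comments; the function names and the sample suite names are constructed for illustration.

```python
import os, pathlib, tempfile
from urllib.parse import urlparse
from urllib.request import url2pathname

# Constructed sample content; the suite name is a placeholder, take real ones from SAP Note 2284059.
SAMPLE = """# custom settings
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

def parse_properties(text):
    """Return (key, value, line_no) for each key=value line, keeping repeated keys."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:  # skip blanks and comments
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip(), no))
    return entries

def check_ssl_context(vm_value):
    """Check the value given for -Diaik.security.ssl.configFile and the file behind it."""
    url = urlparse(vm_value)
    if url.scheme != "file":
        return [("ERROR", "value must be a file:/ URL")]
    path = url2pathname(url.path)
    if not os.path.isfile(path):
        return [("ERROR", f"{path}: no such file (the file name must be part of the value)")]
    if not os.access(path, os.R_OK):  # meaningful only when run as the OS user of the AS Java
        return [("ERROR", f"{path}: not readable")]
    with open(path, encoding="iso-8859-1") as fh:  # latin-1 never fails to decode
        suites = [(v, n) for k, v, n in parse_properties(fh.read()) if k == "cipherSuite"]
    if not suites:
        return [("INFO", "no cipherSuite entry: the default cipher suites stay active")]
    findings = [("WARN", f"{len(suites)} cipherSuite line(s): defaults are off, only these are used")]
    seen = set()
    for value, no in suites:
        if not value:
            findings.append(("WARN", f"line {no}: cipherSuite without a value, check the entry"))
        elif value in seen:
            findings.append(("WARN", f"line {no}: duplicate entry {value}"))
        seen.add(value)
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = pathlib.Path(d) / "SSLContext.properties"
        sample.write_text(SAMPLE)
        print(*check_ssl_context(sample.as_uri()), sep="\n")
```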

See Also

SAP Note: 2708581 - ECC Support for Outbound Connections in SAP NW AS Java

KBA: 2538934 - ECDHE cipher suites handshake failure

KBA: 2616423 - SSL does not work between PI and Remote System - SSLException: Peer sent alert: alert Fatal: handshake failure

Keywords

SSLContext.properties, SSL, sslcontext, cipher suite, cipher suites, TLS, Config tool, configtool, iaik, iaik.jar, ssllib, ssl library, -Diaik.security.ssl.configFile, Diaik.security.ssl.configFile, Java Cryptography Extension, JCE, JVM, Java virtual machine, client.minProtocolVersion, client.maxProtocolVersion, protocolVersions, cipherSuite, client.allowLegacyRenegotiation, allowLegacyRenegotiation, extension
