Workaround for TLS 1.2 for older SAP PI/PO systems

I have been doing support for some clients with SAP PI systems that do not support TLS 1.2. SAP CPI and the rest of the suite now only support TLS 1.2. This is only a problem if your systems have not been upgraded within the last 2-5 years. 

If one of your vendors has upgraded their system to only allow TLS 1.2, the connection will stop working. Upgrade projects take time, and you may not have that. That is what I wanted to create a solution for. 

If you are in doubt whether your system supports TLS 1.2, connect from your client to a site that only supports TLS 1.2, like en.wikipedia.org, and see if it works. If you get an SSL error, it can be either because the certificate is not in the trusted store or because TLS 1.2 is not supported. 

You can apply SAP Note 2284059 to enable encryption on your system. If for some reason you are not able to apply that note, you have a problem.

The same goes for other older systems in your landscape; they may also give problems. 

What if you find that an important part of your landscape needs TLS 1.2 and you don't have the option to upgrade your system? Then you are out of luck. 

I wanted to find a simple workaround that could help you. It is not meant to be a permanent solution but it will give you a way to get started. There is a reason for using a higher TLS version. 

Solution

I came up with the following idea: you create a reverse proxy that you can call, which resends all your requests unchanged, and which is cheap to run and configure. So you install a reverse proxy using nginx, a popular Linux HTTP server and load balancer.

Then you can change the URLs in your communication channels to https://proxy.com/realhost.com/endpoint and the proxy will forward the request unchanged to https://realhost.com/endpoint, but using TLS 1.2.

The flow looks like this

I deployed to an Amazon Lightsail server, which is really cheap to get started with. You can run a server for $3.5/month including traffic (first month free). You can host a Linux server at a lot of other places; this was just simple for running it. I used an Ubuntu installation, so another distribution may be a little different. 

You want to set up access on port 443 only from your IP or range. You don't want to be a public service that everybody can use. Once you have set up your server you must also set up the DNS for it, or use the Amazon-provided name for your server.

I know very little about nginx, so I got help setting it up. It took less than 2 hours to create the configuration and document it. And it works pretty simply. Here we have used a free Let's Encrypt certificate, but you can also use a self-signed one.  

Set up an API reverse proxy with nginx

Install nginx

sudo apt update && sudo apt install nginx

Install certbot

One of the commands will ask you to press enter; note that.

sudo apt-get update && sudo apt-get install software-properties-common && sudo add-apt-repository universe && sudo add-apt-repository ppa:certbot/certbot && sudo apt-get update && sudo apt-get install certbot python3-certbot-nginx

Create Let's Encrypt certificate

Let's Encrypt is a free project that lets you create SSL certificates free of charge. You can also use a self-signed certificate.

certbot certonly -d tlsproxy.figaf.com --nginx

Write your email address to get notifications if something goes wrong with renewing the certificate.

Configure nginx

Put the content of the nginx config into /etc/nginx/sites-available/tlsproxy.figaf.com.conf

nano /etc/nginx/sites-available/tlsproxy.figaf.com.conf

Here is the config file. You can also download it here.

server {
    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/live/tlsproxy.figaf.com/fullchain.pem; # Change when deploying
    ssl_certificate_key /etc/letsencrypt/live/tlsproxy.figaf.com/privkey.pem;   # Change when deploying
    ssl_protocols       TLSv1 TLSv1.1; # Deliberately old: this is the side the legacy PI/PO system connects to
    ssl_ciphers         HIGH:!aNULL:!MD5;
    server_name tlsproxy.figaf.com; # Change when deploying
    if ($host != "tlsproxy.figaf.com") { # Change when deploying
        return 403;
    }
    location ~* /([a-zA-Z0-9._-]+)/(.*) { # Works only if the first path segment is the domain, e.g. /example.com/path_to_resource
        proxy_pass https://$1/$2$is_args$args; # $is_args$args re-appends the query string, which $2 alone does not carry
        resolver 172.26.0.2 ipv6=off; # IPv6 is off since the server has a local-only IPv6 address that is not connected to the internet
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # Needed for web sockets
        proxy_set_header Connection "upgrade"; # Needed for web sockets
        proxy_read_timeout 86400;
    }
}

If making changes or deploying on a different domain, the important variables in the configuration file are the domain name (used for server_name and in the path of the Let's Encrypt files) and the resolver.

The resolver is used by nginx for DNS queries.

You can get the DNS server used by the operating system with

grep nameserver /etc/resolv.conf |cut -d ' ' -f 2
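As an added example (not the author's code or part of the Figaf tool), this Python mirrors the URL rewriting described in the Solution section and the host/path split performed by the location block above, and adds an allowlist of upstream hosts, which the nginx config itself does not have; the proxy host name and the sample hosts are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed proxy host name (the article uses tlsproxy.figaf.com).
PROXY_HOST = "tlsproxy.example.com"

# Same pattern as the nginx location block: the first path segment is the
# upstream host, the rest is the path on that host. Ports are not supported.
LOCATION_RE = re.compile(r"^/([a-zA-Z0-9._-]+)/(.*)$")


def to_proxy_url(real_url: str, proxy_host: str = PROXY_HOST) -> str:
    """Rewrite an absolute https URL into the form the communication channel
    should call: https://realhost.com/endpoint -> https://<proxy>/realhost.com/endpoint."""
    parts = urlsplit(real_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"only absolute https URLs can be proxied: {real_url!r}")
    if parts.port not in (None, 443):
        raise ValueError("the location regex has no room for a port; upstream must listen on 443")
    path = parts.path or "/"
    return urlunsplit(("https", proxy_host, f"/{parts.hostname}{path}", parts.query, ""))


def resolve_upstream(request_path: str, query: str, allowed_hosts: frozenset) -> str:
    """Mirror what nginx does with a proxied request: split host and path the way
    the regex does, refuse hosts not on the allowlist (the config relays to any
    host, so without a firewall rule the proxy is an open relay), and re-append
    the query string, which proxy_pass https://$1/$2 alone would drop."""
    match = LOCATION_RE.match(request_path)
    if not match:
        raise ValueError(f"path must look like /<host>/<resource>: {request_path!r}")
    host, rest = match.groups()
    if host.lower() not in allowed_hosts:
        raise PermissionError(f"upstream host not permitted: {host}")
    return f"https://{host}/{rest}" + (f"?{query}" if query else "")


# Constructed sample allowlist for a quick self-check.
ALLOWED = frozenset({"realhost.com", "api.vendor.example"})

if __name__ == "__main__":
    channel_url = to_proxy_url("https://api.vendor.example/v1/orders?id=42")
    print(channel_url)
    parts = urlsplit(channel_url)
    print(resolve_upstream(parts.path, parts.query, ALLOWED))
```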

Enable site and restart nginx

ln -s /etc/nginx/sites-available/tlsproxy.figaf.com.conf /etc/nginx/sites-enabled/

systemctl restart nginx || service nginx restart

Testing

Call the URLs that you want as before, just adding the prefix for your own host. 

Notice that browser traffic may cause problems. 

I hope this helps you resolve the problem.

If you are looking to handle an SAP PI/PO upgrade/migration, check out the Figaf Tool.
