PO hankshake failure

SAP PO在与第三方系统(tomcat)通信时报错误:
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure,用浏览器直接访问第三方系统没有异常。

Handshake failure 发生是因为PO与远程系统的SSL配置不匹配。
1， TLS protocol versions 不同
2， cipher suites 不匹配
3，required extensions缺失

可以从第三方网站 https://www.ssllabs.com/ssltest 查远程系统的SSL配置，如SSL版本/加密套件/ Server Name Indication (SNI) support 等。

因远程系统没有连外网，可以openssl查询。没有找到具体的命令。
使用了openssl s_client -host [remotehost] -port [port]查询，只显示了部分信息。没有ssllabs那么具体。

用chrome或openssl访问远程系统，可以查到使用的也是TLS 1.2 ，密码套件使用的是ECDHE。
而访问PI，则显示的是TLS_RSA_WITH_AES_256_GCM_SHA384之类的。怀疑是套件不匹配。

查note发现NW 7.4及之前的版本不支持ECC的加密套件，7.5的需要升级到特定的SP及patch，再在SSL配置中添加相应的套件才可以。

默认配置支持的密码套件，让远程系统添加以下密码套件也可以解决此问题。

TLS_RSA_WITH_AES_256_GCM_SHA384 *
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 *
TLS_RSA_WITH_AES_256_CBC_SHA256 *
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 *
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA * TLS_RSA_WITH_CAMELLIA_256_CBC_SHA *
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA

SSL配置文件
2569156 - How to create, modify and validate SSLContext.properties file

1，Copy the customized SSLContext.properties file to a subfolder of the global folder "\usr\sap\<SID>\SYS\global\... e.g. to \usr\sap\<SID>\SYS\global\security\lib\tools folder. It is required for each node to access this config file.
2，Open Config Tool "\usr\sap\<SID>\<instnr>\j2ee\configtool". (You can also add this parameter via NWA. Check steps at the end of this session)
3，Navigate to "cluster-data" -> template -> instance.
4，Choose "VM Parameters" -> Additional -> New.
5，Add -Diaik.security.ssl.configFile=file:/<path of the SSLContext.properties file>
6，See formats: Name: "-Diaik.security.ssl.configFile"; Value: "file:/<path to the SSLContext.properties file/SSLContext.properties>".The file name must be included in the value.
7，The same result can be reached if you maintain the parameter "iaik.security.ssl.configFile=file:/<path of the SSLContext.properties file>" (without "-D" extension) under "VM Parameters" -> System.
8，Press OK. Now you should see the new additional parameter.
9，Repeat for all instances.
10，Save Config Tool.
11，Restart the AS Java to validate the changes.

SSLContext.properties 内容

client.allowLegacyRenegotiation=true extension=signature_algorithms
extension=server_name.noncritical extension=elliptic_curves
extension=ec_point_formats
securityProvider=iaik.security.ssl.ECCelerateProvider

######## enable cipher suites with ECDHE key exchange cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

####### keep default cipher suites as fallback cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA

2708581 - ECC Support for Outbound Connections in SAP NW AS Java
以下两个组件相应的SP需要满足以下最低的补丁级别
J2EE ENGINE CORE TOOLS 7.50 SP008 000003
J2EE ENGINE CORE TOOLS 7.50 SP009 000003
J2EE ENGINE CORE TOOLS 7.50 SP010 000002
J2EE ENGINE CORE TOOLS 7.50 SP011 000002
J2EE ENGINE CORE TOOLS 7.50 SP012 000003
J2EE ENGINE CORE TOOLS 7.50 SP013 000005
J2EE ENGINE CORE TOOLS 7.50 SP014 000007
J2EE ENGINE CORE TOOLS 7.50 SP015 000000
J2EE ENGINE CORE TOOLS 7.50 SP016 000000
J2EE ENGINE SERVERCORE 7.50 SP008 000028
J2EE ENGINE SERVERCORE 7.50 SP009 000028
J2EE ENGINE SERVERCORE 7.50 SP010 000035
J2EE ENGINE SERVERCORE 7.50 SP011 000027
J2EE ENGINE SERVERCORE 7.50 SP012 000019
J2EE ENGINE SERVERCORE 7.50 SP013 000018
J2EE ENGINE SERVERCORE 7.50 SP014 000034
J2EE ENGINE SERVERCORE 7.50 SP015 000000
J2EE ENGINE SERVERCORE 7.50 SP016 000000

如果无法升级/更新系统并且目标服务器不愿意添加更多密码套件，那么可以在 PI/PO 和目标服务器之间配置反向代理。可以使用 SAP Web Dispatcher 或任何其他第三方解决方案。反向代理将创建到目标服务器的新 TLS 连接，如果配置正确，它将能够处理 TLS_ECDHE 密码套件。此解决方法也适用于较低的系统版本。（在这种情况下，BC-JAS-SEC-CPG 组件不相关，因为使用此配置的 AS Java 中没有 TLS。AS Java 将仅操作纯文本连接。TLS 将在 WebDispatcher 节点中终止）。