
The importance of Transport layer encryption for SAP Security

21 December 2021 (updated May 10th, 2022)

Check your network encryption related settings periodically


In today’s world of doing business, it is unavoidable to communicate with parties outside your company’s walls. Think for example of outgoing or incoming interfaces, users that log on from remote places (like home), providing access to business partners or hybrid scenarios where data flows from on-premise systems to the cloud and back.

As we exchange more and more data over the public internet, it is critical to make sure these data flows are properly secured. This applies to SAP-specific protocols such as SAP GUI or RFC traffic as well as to more standard HTTP-based traffic. This article focuses only on the latter. For HTTP-based traffic there are standards that prevent malicious parties from eavesdropping on your communications. And while eavesdropping may sound far-fetched or technically hard, it really isn't once someone can 'listen' in on the traffic. For example, when a password is sent over an unencrypted channel, it can be sniffed as shown below:

Figure 1 Login screen of SAP NetWeaver Java

Figure 2 Sniffed password via Wireshark

To prevent the above from happening, one uses encryption. For HTTP-based traffic this is typically done via SSL/TLS. This post is not a detailed paper on cryptography, as that topic is large; rather, we hope to provide a basic understanding of why encryption matters and to urge customers to use a recent and supported version.

Over time, several versions of SSL and its successor TLS have been released; see the table below for an overview (a dash means the version is not deprecated):

Version   Release year             Deprecation year
SSL 1.0   Never publicly released  Never publicly released
SSL 2.0   1995                     2011
SSL 3.0   1996                     2015
TLS 1.0   1999                     2020
TLS 1.1   2006                     2020
TLS 1.2   2008                     -
TLS 1.3   2018                     -

Figure 3 SSL / TLS versions

Important to note is that all SSL versions, as well as TLS 1.0 and 1.1, are deprecated and no longer considered secure, because of practical or theoretical weaknesses in these versions. For SSL, for example, many vulnerabilities have been found, such as the POODLE and DROWN attacks.

The versions currently considered secure and best practice are TLS 1.2 and the more recent TLS 1.3. Normally it is advised to use the most recent version, but for SAP products this is not yet possible, as TLS 1.3 is not yet supported by most of them. To provide some overview:

SAP Product       TLS 1.2   TLS 1.3
ABAP              Yes       No
JAVA              Yes       No
Business Objects  Yes       No
HANA              Yes       No
Cloud Solutions   Yes       Yes
BTP               Yes       Yes

Figure 4 SAP Products and support for TLS 1.2 and 1.3

As TLS 1.3 is currently not supported by most common SAP products, a good practice is to use at least TLS 1.2. More specific recommendations can be made on this topic, as a TLS implementation comes with many details, but on a high level please make sure to enable only supported TLS versions that are considered secure.
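The check behind that recommendation can be automated from the client side: pin a TLS client to exactly one protocol version, attempt a handshake, and see whether the server accepts it. The script below is an added example written for this post, not code from the original article or from Protect4S; it uses only Python's standard ssl module, takes the deprecated/secure split from the table above (Figure 3), and, when given no host, runs its report on a constructed sample result set rather than on a real server. SSL 2.0 is not probed because Python's ssl module cannot speak it.

```python
"""Probe which SSL/TLS protocol versions a server accepts and flag the deprecated ones."""
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Deprecated versus still-secure versions, following the post's table (Figure 3).
# SSL 2.0 is also deprecated but cannot be attempted with Python's ssl module.
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
SECURE = {"TLS 1.2", "TLS 1.3"}

# Handshake versions the ssl module lets us pin the client to.
PROBES = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[bool]:
    """True if a handshake pinned to exactly `version` succeeds, False if the
    server refuses it, None if the local OpenSSL build cannot even attempt it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Version probing only: the certificate is deliberately not validated here,
    # so this context must never be reused for real application traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower OpenSSL's security level so legacy cipher suites are offered and
        # the server's protocol policy, not our client's cipher policy, decides.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None  # this OpenSSL build refuses to configure that version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # handshake rejected or dropped: version not accepted
    except OSError as exc:  # TCP-level failure: nothing to conclude about TLS
        print(f"  connection error while probing: {exc}", file=sys.stderr)
        return None


def probe_server(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Try every probeable version against one host:port."""
    return {name: probe_version(host, port, ver) for name, ver in PROBES.items()}


def evaluate(results: Dict[str, Optional[bool]]) -> Dict[str, List[str]]:
    """Sort probe results into the buckets an auditor cares about."""
    report: Dict[str, List[str]] = {"deprecated_enabled": [], "secure_enabled": [], "untested": []}
    for name, accepted in results.items():
        if accepted is None:
            report["untested"].append(name)
        elif accepted and name in DEPRECATED:
            report["deprecated_enabled"].append(name)
        elif accepted and name in SECURE:
            report["secure_enabled"].append(name)
    return report


def is_compliant(results: Dict[str, Optional[bool]]) -> bool:
    """The post's rule: at least TLS 1.2 enabled, and nothing deprecated enabled."""
    report = evaluate(results)
    return not report["deprecated_enabled"] and bool(report["secure_enabled"])


# Constructed sample (not a real scan): a server that still accepts TLS 1.0,
# also accepts TLS 1.2, and whose TLS 1.3 support could not be tested locally.
SAMPLE_RESULTS: Dict[str, Optional[bool]] = {
    "SSL 3.0": False, "TLS 1.0": True, "TLS 1.1": False, "TLS 1.2": True, "TLS 1.3": None,
}

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python tls_probe.py host[:port]
        host, _, port = sys.argv[1].partition(":")
        results = probe_server(host, int(port or 443))
    else:
        results = SAMPLE_RESULTS
    for name, accepted in results.items():
        state = {True: "ACCEPTED", False: "refused", None: "untested"}[accepted]
        print(f"{name:8} {state}")
    print("compliant" if is_compliant(results) else "NOT compliant: fix before the next check")
```

Run it against a system's HTTPS port to get the per-version verdict; anything listed as accepted that sits in the deprecated set should be disabled in the server's TLS configuration. Because the script only reports what the server negotiates, it complements rather than replaces reviewing the actual configuration parameters on the SAP side.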

Checking all network encryption-related settings can involve a lot of manual work. That is why our Protect4S SAP Vulnerability Management solution checks your SAP landscape periodically in an automated way.

There is a lot more information available on this topic, some starting points are:

TLS on Java

TLS on ABAP

TLS on Hana

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!

Try out Protect4S for 1 month for free or request a demo!