Hi Marco,

Thank you so much for testing it for me on SBO 9.0

Sadly, I have tried but still could not get it to work.

Must be something else that i am missing,

When I add the ciphers and restart the SLD, my SBO client complain that it can not find the SLD and prompt me for the License server address.

When I manually go to the SLD page, after log in it prompt me to make sure SLD is started.

Regards

Edy

Hi Edy,

deinstall the SAP Servertools

delete the sld Database

delete the SAP Servertools directory

install the servertools again und put the ciphers variable into the server.xml file.

Kind regards

marco

Hi Marco,

Done that, problem still persists.

Do you happen to use SQL Server 2014?

I am currently using SQL 2012.

I've done some digging and the issue boils down to the JRE 6 used by SBO9 SLD connecting to SQL Server prior to 2014 caused by the recent windows security update,.

Regards

Edy

In my case is was a SQL Server 2012.

I have no new idea to your case

Thank you very much attending to me Marco..

I finally got my 2nd server up and running.

I would share my solution here

The culprit is really the JRE6 which comes with .SLD 9.0 which can not handle cipher security strength of more than 1024.

The latest windows security update, had just up the SQL server security strength to probably 2048.

Conclusion, I have 2 options to rectify this problem :

1. Option 1 : Install the 9.2 SLD. Which has JRE8. (I kept my server in 9.0 PL15)

2. Option 2 : Use 3rd party java library. follow this below steps

Java: Why does SSL handshake give 'Could not generate DH keypair' exception? - Stack...

     a) Download these jars:

          https://www.bouncycastle.org/download/bcprov-jdk15on-154.jar

          https://www.bouncycastle.org/download/bcprov-ext-jdk15on-154.jar

     b) move these jars to $JAVA_HOME/lib/ext

     c) edit $JAVA_HOME/lib/security/java.security as follows:           security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider

     d) restart the SLD

In my case the JAVA_HOME folder points to

C:\Program Files (x86)\SAP\SAP Business One ServerTools\Common\sapjvm_6\jre

Disclaimer : Since this is using a third party library, use this at your own risk.

Regards

Edy

Hi ,

I did the same with the server.xml file but still having the same issue.

Do you have any idea?

Are you using  a self signed certificate for your SLD?

If you don't mind, can you paste  your modified connector part of this server.xml?

I would like to compare, or I can paste mine here.

Regards

Edy

Hi Edy,

the file was in the folder 

C:\Program Files (x86)\SAP\SAP Business One ServerTools\Common\tomcat\conf

there was a "common" between in my case.

or  C:\Program Files (x86)\SAP\SAP Business One ServerTools\SystemLandscape Directory\tomcat\conf

file  server.xml

<?xml version="1.0" encoding="utf-8" standalone="no"?>

<!--

  Licensed to the Apache Software Foundation (ASF) under one or more

  contributor license agreements.  See the NOTICE file distributed with

  this work for additional information regarding copyright ownership.

  The ASF licenses this file to You under the Apache License, Version 2.0

  (the "License"); you may not use this file except in compliance with

  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

--><!-- Note:  A "Server" is not itself a "Container", so you may not

     define subcomponents such as "Valves" at this level.

     Documentation at /docs/config/server.html

--><Server port="-1" shutdown="SHUTDOWN">

    <!-- Security listener. Documentation at /docs/config/listeners.html

  <Listener className="org.apache.catalina.security.SecurityListener" />

  -->

    <!--APR library loader. Documentation at /docs/apr.html -->

    <Listener SSLEngine="off" className="org.apache.catalina.core.AprLifecycleListener"/>

    <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->

    <Listener className="org.apache.catalina.core.JasperListener"/>

    <!-- Prevent memory leaks due to use of particular java/javax APIs-->

    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>

    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>

    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

    <!-- Global JNDI resources

       Documentation at /docs/jndi-resources-howto.html

  -->

    <GlobalNamingResources>

        <!-- Editable user database that can also be used by

         UserDatabaseRealm to authenticate users

    -->

        <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>

    </GlobalNamingResources>

    <!-- A "Service" is a collection of one or more "Connectors" that share

       a single "Container" Note:  A "Service" is not itself a "Container",

       so you may not define subcomponents such as "Valves" at this level.

       Documentation at /docs/config/service.html

   -->

    <Service name="Catalina">

        <!--The connectors can use a shared executor, you can define one or more named thread pools-->

        <!--

    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"

        maxThreads="150" minSpareThreads="4"/>

    -->

        <!-- A "Connector" represents an endpoint by which requests are received

         and responses are returned. Documentation at :

         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)

         Java AJP  Connector: /docs/config/ajp.html

         APR (HTTP/AJP) Connector: /docs/apr.html

         Define a non-SSL HTTP/1.1 Connector on port 8080

    -->

        <!--

    <Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

    -->

        <!-- A "Connector" using the shared thread pool-->

        <!--

    <Connector executor="tomcatThreadPool"

               port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

    -->

        <!-- Define a SSL HTTP/1.1 Connector on port 8443

         This connector uses the JSSE configuration, when using APR, the

         connector should be using the OpenSSL style configuration

         described in the APR documentation -->

        <Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" SSLEnabled="true" clientAuth="false" keystoreFile="C:\Program Files (x86)\SAP\SAP Business One ServerTools\Common\sapjvm_8\jre\bin\keystore.p12" keystorePass="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVL5psXnm/kS+vWiKR4pNsQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAACn8RI36rOy50Sv5Am3MikrAAAAAASAAACgAAAAEAAAAJ/zkxm+mExLprvWaVooyREIAAAAxmkRx2HGrqYUAAAAWaUgfkDVLlTxoP/lp0wvL8nH4xI=" keystoreType="PKCS12" maxThreads="150" port="30010" protocol="org.apache.coyote.http11.SLDHttp11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello" sslProtocol="TLS"/>

        <!--

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

    -->

        <!-- Define an AJP 1.3 Connector on port 8009 -->

        <!--

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    -->

        <!-- An Engine represents the entry point (within Catalina) that processes

         every request.  The Engine implementation for Tomcat stand alone

         analyzes the HTTP headers included with the request, and passes them

         on to the appropriate Host (virtual host).

         Documentation at /docs/config/engine.html -->

        <!-- You should set jvmRoute to support load-balancing via AJP ie :

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">

    -->

        <Engine defaultHost="localhost" name="Catalina">

            <!--For clustering, please take a look at documentation at:

          /docs/cluster-howto.html  (simple how to)

          /docs/config/cluster.html (reference documentation) -->

            <!--

      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

      -->

            <!-- Use the LockOutRealm to prevent attempts to guess user passwords

           via a brute-force attack -->

            <Realm className="org.apache.catalina.realm.LockOutRealm">

                <!-- This Realm uses the UserDatabase configured in the global JNDI

             resources under the key "UserDatabase".  Any edits

             that are performed against this UserDatabase are immediately

             available for use by the Realm.  -->

                <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>

            </Realm>

            <Host appBase="webapps" autoDeploy="false" deployOnStartup="true" name="localhost" unpackWARs="false">

                <Context docBase="sld" path="/sld">

                    <Resource auth="Container" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" factory="org.apache.tomcat.dbcp.dbcp.EncryptDataSourceFactory" maxActive="100" maxIdle="30" maxWait="10000" name="sld" password="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAmtbAl1SH30efoamWfZpIfQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAAAku2dby2oFovRdfH7P4xjVAAAAAASAAACgAAAAEAAAAEg1ISHHMfY51PDvdzzqAvUQAAAAlxC/EQ2buc4FIHVjs4+MwhQAAAC6vrLbF/lJGVAJ8vd46Q2sT0J1dQ==" type="javax.sql.DataSource" url="jdbc:sqlserver://NB-RAM; DatabaseName=SLDModel.SLDData" username="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAmtbAl1SH30efoamWfZpIfQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAAD8fJNwWPnBnkJ7lcRJQvP6AAAAAASAAACgAAAAEAAAAGg73AYr7yjUSHBLnXn1LnwIAAAAmHnT1pvh/kcUAAAANKpmAuGKwf+b2PpkEGpPFNQh3z4="/>

                    <Manager pathname=""/>

                </Context>

                <Context docBase="ControlCenter" path="/ControlCenter"/>

                <!-- SingleSignOn valve, share authentication between web applications

             Documentation at: /docs/config/valve.html -->

                <!--

        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

        -->

                <!-- Access log processes all example.

             Documentation at: /docs/config/valve.html

             Note: The pattern used is equivalent to using pattern="common" -->

                <!--

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"

               prefix="localhost_access_log." suffix=".txt"

                             pattern="{&quot;FROM&quot;:&quot;%h&quot;, &quot;Timestamp&quot;:&quot;%t&quot;,&quot;Method&quot;: &quot;%m&quot;,&quot;URL&quot;:&quot;%U&quot;,&quot;Status&quot;:%s, &quot;Sent&quot;:&quot;%b&quot;, &quot;Elapse&quot;:%D}" />

-->

            </Host>

        </Engine>

    </Service>

</Server>

Hi Edy,

the file was in the folder 

C:\Program Files (x86)\SAP\SAP Business One ServerTools\Common\tomcat\conf

there was a "common" between in my case.

or  C:\Program Files (x86)\SAP\SAP Business One ServerTools\SystemLandscape Directory\tomcat\conf

In my case i dont need to do point 4

4. Change attribute sslEnabledProtocols value to "TLSv1,TLSv1.1,TLSv1.2"

file  server.xml

<?xml version="1.0" encoding="utf-8" standalone="no"?>

<!--

  Licensed to the Apache Software Foundation (ASF) under one or more

  contributor license agreements.  See the NOTICE file distributed with

  this work for additional information regarding copyright ownership.

  The ASF licenses this file to You under the Apache License, Version 2.0

  (the "License"); you may not use this file except in compliance with

  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

--><!-- Note:  A "Server" is not itself a "Container", so you may not

     define subcomponents such as "Valves" at this level.

     Documentation at /docs/config/server.html

--><Server port="-1" shutdown="SHUTDOWN">

    <!-- Security listener. Documentation at /docs/config/listeners.html

  <Listener className="org.apache.catalina.security.SecurityListener" />

  -->

    <!--APR library loader. Documentation at /docs/apr.html -->

    <Listener SSLEngine="off" className="org.apache.catalina.core.AprLifecycleListener"/>

    <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->

    <Listener className="org.apache.catalina.core.JasperListener"/>

    <!-- Prevent memory leaks due to use of particular java/javax APIs-->

    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>

    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>

    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

    <!-- Global JNDI resources

       Documentation at /docs/jndi-resources-howto.html

  -->

    <GlobalNamingResources>

        <!-- Editable user database that can also be used by

         UserDatabaseRealm to authenticate users

    -->

        <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>

    </GlobalNamingResources>

    <!-- A "Service" is a collection of one or more "Connectors" that share

       a single "Container" Note:  A "Service" is not itself a "Container",

       so you may not define subcomponents such as "Valves" at this level.

       Documentation at /docs/config/service.html

   -->

    <Service name="Catalina">

        <!--The connectors can use a shared executor, you can define one or more named thread pools-->

        <!--

    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"

        maxThreads="150" minSpareThreads="4"/>

    -->

        <!-- A "Connector" represents an endpoint by which requests are received

         and responses are returned. Documentation at :

         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)

         Java AJP  Connector: /docs/config/ajp.html

         APR (HTTP/AJP) Connector: /docs/apr.html

         Define a non-SSL HTTP/1.1 Connector on port 8080

    -->

        <!--

    <Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

    -->

        <!-- A "Connector" using the shared thread pool-->

        <!--

    <Connector executor="tomcatThreadPool"

               port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

    -->

        <!-- Define a SSL HTTP/1.1 Connector on port 8443

         This connector uses the JSSE configuration, when using APR, the

         connector should be using the OpenSSL style configuration

         described in the APR documentation -->

        <Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" SSLEnabled="true" clientAuth="false" keystoreFile="C:\Program Files (x86)\SAP\SAP Business One ServerTools\Common\sapjvm_8\jre\bin\keystore.p12" keystorePass="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVL5psXnm/kS+vWiKR4pNsQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAACn8RI36rOy50Sv5Am3MikrAAAAAASAAACgAAAAEAAAAJ/zkxm+mExLprvWaVooyREIAAAAxmkRx2HGrqYUAAAAWaUgfkDVLlTxoP/lp0wvL8nH4xI=" keystoreType="PKCS12" maxThreads="150" port="30010" protocol="org.apache.coyote.http11.SLDHttp11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello" sslProtocol="TLS"/>

        <!--

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

    -->

        <!-- Define an AJP 1.3 Connector on port 8009 -->

        <!--

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    -->

        <!-- An Engine represents the entry point (within Catalina) that processes

         every request.  The Engine implementation for Tomcat stand alone

         analyzes the HTTP headers included with the request, and passes them

         on to the appropriate Host (virtual host).

         Documentation at /docs/config/engine.html -->

        <!-- You should set jvmRoute to support load-balancing via AJP ie :

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">

    -->

        <Engine defaultHost="localhost" name="Catalina">

            <!--For clustering, please take a look at documentation at:

          /docs/cluster-howto.html  (simple how to)

          /docs/config/cluster.html (reference documentation) -->

            <!--

      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

      -->

            <!-- Use the LockOutRealm to prevent attempts to guess user passwords

           via a brute-force attack -->

            <Realm className="org.apache.catalina.realm.LockOutRealm">

                <!-- This Realm uses the UserDatabase configured in the global JNDI

             resources under the key "UserDatabase".  Any edits

             that are performed against this UserDatabase are immediately

             available for use by the Realm.  -->

                <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>

            </Realm>

            <Host appBase="webapps" autoDeploy="false" deployOnStartup="true" name="localhost" unpackWARs="false">

                <Context docBase="sld" path="/sld">

                    <Resource auth="Container" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" factory="org.apache.tomcat.dbcp.dbcp.EncryptDataSourceFactory" maxActive="100" maxIdle="30" maxWait="10000" name="sld" password="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAmtbAl1SH30efoamWfZpIfQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAAAku2dby2oFovRdfH7P4xjVAAAAAASAAACgAAAAEAAAAEg1ISHHMfY51PDvdzzqAvUQAAAAlxC/EQ2buc4FIHVjs4+MwhQAAAC6vrLbF/lJGVAJ8vd46Q2sT0J1dQ==" type="javax.sql.DataSource" url="jdbc:sqlserver://NB-RAM; DatabaseName=SLDModel.SLDData" username="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAmtbAl1SH30efoamWfZpIfQQAAAAOAAAASgBEAFAAQQBQAEkAAAADZgAAwAAAABAAAAD8fJNwWPnBnkJ7lcRJQvP6AAAAAASAAACgAAAAEAAAAGg73AYr7yjUSHBLnXn1LnwIAAAAmHnT1pvh/kcUAAAANKpmAuGKwf+b2PpkEGpPFNQh3z4="/>

                    <Manager pathname=""/>

                </Context>

                <Context docBase="ControlCenter" path="/ControlCenter"/>

                <!-- SingleSignOn valve, share authentication between web applications

             Documentation at: /docs/config/valve.html -->

                <!--

        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

        -->

                <!-- Access log processes all example.

             Documentation at: /docs/config/valve.html

             Note: The pattern used is equivalent to using pattern="common" -->

                <!--

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"

               prefix="localhost_access_log." suffix=".txt"

                             pattern="{&quot;FROM&quot;:&quot;%h&quot;, &quot;Timestamp&quot;:&quot;%t&quot;,&quot;Method&quot;: &quot;%m&quot;,&quot;URL&quot;:&quot;%U&quot;,&quot;Status&quot;:%s, &quot;Sent&quot;:&quot;%b&quot;, &quot;Elapse&quot;:%D}" />

-->

            </Host>

        </Engine>

    </Service>

</Server>

Hi Marco,

Sadly, it doesn't work for me.

Just wondering what is your SBO version?

I see that you have SAP JVM_8

Mine is still SAP JVM_6.

Thank you anyway for your kind help.

Regards

Edy

Have you restart the sld Service after you do the changes in the file?

Hi Marco,

Yes I did,

Regards

Edy

Hi Edy,

i did this 3 time on Win7. Which Versin of SAP B1 you installed?

Your last chance is to update SAP B1 to a verision 9.1 PL10 or higher

Hi Marco,

My affected version is SBO 9 PL15 running on Win 10.

This is my development machine, so I need this in case I need to support my client with the same version.

I have just tried to install SLD from SBO9.2 on this server.

The other component is still in SBO 9.0.

I can now start my sbo client, not sure if any problem will arise.

Anyone knows of any problem i might encounter ?

I know the Job service for mailer is a new component, I will test it out later and feed back here.

Regards
Edy