SAP Knowledge Base Article - Preview

3248732 - SAP kernel ports using a self-signed certificate and/or an insecure TLS protocol


It was determined that some SAP kernel components of an SAP system are using a self-signed certificate and/or that the TLS version in use by those ports is not considered secure (e.g., TLSv1.0 is used).

This is related to the Secure Internal Server Communication feature (SAP Note 2040644).

The ports in question are:

  • Message Server internal port (parameter "rdisp/msserv_internal"; TCP port 39XX, by default, where "XX" is the instance number).
  • Standalone Enqueue Server (TCP port 32XX).
    Notice that the Dispatcher uses the same port number, but the Secure Internal Server Communication feature is not active for the Dispatcher port.
  • RFC Gateway internal port (uses a random TCP port by default; a fixed port number can be defined through the parameter "gw/internal_port").
  • SAP Start Service - sapstartsrv (TCP port 5XX14).



  • SAP NetWeaver ABAP based product
  • SAP ABAP Platform based product
  • SAP_BASIS Release 7.40 SP8/higher and minimal kernel version 742


ABAP platform all versions ; SAP NetWeaver all versions


KBA , BC-CST , Client/Server Technology , BC-SEC-SSL , Secure Sockets Layer Protocol , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.