SAP Knowledge Base Article - Public

3049496 - [ARCHIVED] - TLS encryption protocol weak ciphers disablement for SAP SuccessFactors

Symptom

*** Archived reason: KBA is out-dated and no longer valid ***

*** Please check 3383588 - Enable TLS 1.3 encryption protocol and upgrade TLS 1.2 ciphers (weak ciphers disablement) - SAP SuccessFactors ***

As of August 30, 2021, TLS encryption protocol weak ciphers are disabled for all modules in the Non-Production and Production environments.

Environment

SAP SuccessFactors HXM Suite (all modules)

Resolution

SAP SuccessFactors is requiring a disablement of weak ciphers to align with industry best practices for security and data integrity.

Beginning August 30, 2021, TLS encryption protocol weak ciphers will be disabled for all modules in the Non-Production and Production environments. Action is required prior to this date to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

This Knowledge Base Article contains all of the information currently available on SAP SuccessFactors disablement of the TLS encryption protocol weak ciphers. Please review the document for guidance on preparing for TLS weak ciphers disablement.

What is TLS?
SAP SuccessFactors uses the TLS encryption protocol for its web and API connections.

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today, and is used by web browsers and other applications that need to exchange data securely over a network. Through encryption and verification of the endpoint's identity, TLS ensures that a connection to a remote endpoint actually reaches the intended endpoint.

Almost all communication between customer users and SuccessFactors products is over HTTP/web, protected by encryption using one version of TLS or another. STARTTLS SMTP (e-mail) also uses TLS as a key component of its security.

SAP SuccessFactors’ servers support the TLS 1.2 and 1.3 versions of the protocol. At the start of communication (the handshaking phase), a web browser and the SAP SuccessFactors server exchange their supported TLS versions and choose the highest version they both support to carry out the rest of the communication.

The prevailing best security practice is to disable TLS cipher suites that have been found to provide weak protection.

What is the change? 

Beginning August 30, 2021, TLS encryption protocol weak ciphers will be disabled for all modules in the Non-Production and Production environments. Action is required prior to this date to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

How will customers be impacted?

The majority of SAP SuccessFactors users and integrations are already using TLS 1.2 with strong ciphers and will not be impacted. However, some older browsers and integrations may still be using TLS 1.1 or weak cipher suites and will require updates to use TLS 1.2 with strong ciphers.

We encourage customers to update their integrations to use TLS 1.2 strong ciphers as soon as possible.

After SAP SuccessFactors disables the TLS weak ciphers, any connection to SAP SuccessFactors that relies on this set of weak cipher suites will fail. This change will affect all SAP SuccessFactors TLS URLs (web links starting with https://...). End users will not observe the impact, since all browsers on the SAP SuccessFactors support list automatically use industry-standard strong TLS ciphers. Automated tools that use SuccessFactors’ OData and SFAPI services may require explicit support for TLS 1.2 with strong ciphers via configuration or library upgrades.

How to test your browser compatibility?

If you are able to view our test site, which has TLS weak ciphers, without errors, access to SAP SuccessFactors via your browser should not be impacted by this change and no action is required.

How can customers avoid a service disruption?
The action required by your organization will depend on which channels are used to access your SAP SuccessFactors services. Please check the relevant topics below to be directed to the required action page(s).

Why is this happening?
At SAP SuccessFactors, Trust is our #1 value, and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SAP SuccessFactors will require the TLS 1.2 encryption protocol with current strong ciphers in an effort to maintain the highest security standards and promote the safety of customer data.

How and when will SuccessFactors implement the change?

In an effort to align with the highest security standards and provide increased safety of customer data, SAP SuccessFactors has opted to require TLS 1.2 or higher with strong ciphers going forward. Action is required prior to August 30, 2021 to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

SAP SuccessFactors will no longer support the following weak ciphers:

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x35)


Actions for impacted channels:

TLS 1.2 Supported Browser Versions

  • Google Chrome - Version 38 and higher  
  • Mozilla Firefox - Version 27 and higher  
  • Internet Explorer - Version 11  
  • Safari - Version 7 and higher  
  • Opera - Version 17 and higher 



SAP PI connectors

Background:

  • SAP NetWeaver 7.10 and 7.11 run on Java 5 on SAP JVM 5.1, which does not support TLS 1.2. Some customers updated to JVM 6 to address last year's move from TLS 1.0 to 1.1, but with that change their PI is no longer in a supported state.
  • JDK 6 is only available as of releases 7.30 SP10, 7.31 and 7.40, which means that 7.11 systems cannot use TLSv1.2. However, there is an SAP Note that adds support for lower releases.
    • SuccessFactors adapter uses the JDK's SSL library for secure connection establishment.
    • Axis adapter uses the IAIK security library and not the underlying JDK's SSL library.


Solution:

  • Customers have to perform a full-stack upgrade to at least 7.11 SP15 and apply the patch described in SAP Note 2292139 - TLSv1.2 support in Axis adapter.
  • Please review this SAP Note which is relevant for SFSF adapter: 2677300 - PI SuccessFactors adapter: Setting minimum SSL version
  • Additional Technical Instructions:
    • Do not use SSL context property file, because it may introduce some constraints if properties are not properly specified.
    • For the Axis channel specify the following properties for the transport handler:
      • maxSSLVersion = TLS12
      • minSSLVersion = TLS10
    • Additional reference Note - 2284059 - Update of SSL library within NW Java server
  • Testing Instructions to validate post patch update:
    • Check the channel using the XPI Inspector.
    • Select example: 50 (XI Channel) and the corresponding Axis receiver Channel. Reproduce the call.
      • If maxSSLVersion = TLS12, then in the traces you will see something like this: ssl_debug(...): Sending v3 client_hello message to <host>, requesting version 3.3...
      • If maxSSLVersion = TLS11, then in the traces you will see something like this: ssl_debug(...): Sending v3 client_hello message to <host>, requesting version 3.2...
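
The trace check above can be made repeatable. The following Python helper is added here as an example; it is not part of the KBA, of XPI Inspector or of the IAIK library. It extracts the client_hello lines from a saved trace, maps the record-layer version the trace prints to the protocol name (3.3 is TLS 1.2, 3.2 is TLS 1.1, 3.1 is TLS 1.0) and lists the hosts whose handshake still requests less than TLS 1.2. The trace excerpt is constructed in the shape the KBA quotes; the host names and trace ids are placeholders.

```python
import re

# TLS record-layer versions as printed in the IAIK ssl_debug trace, mapped to the
# protocol names used in the KBA. "requesting version 3.3" is what a channel with
# maxSSLVersion = TLS12 should produce.
WIRE_VERSIONS = {"3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

# Constructed trace excerpt in the shape the KBA quotes (placeholder hosts and ids,
# not real XPI Inspector output).
SAMPLE_TRACE = """\
ssl_debug(7): Starting handshake...
ssl_debug(7): Sending v3 client_hello message to api.example.invalid:443, requesting version 3.3...
ssl_debug(8): Sending v3 client_hello message to legacy.example.invalid:443, requesting version 3.2...
"""

CLIENT_HELLO = re.compile(
    r"ssl_debug\((?P<id>\d+)\): Sending v3 client_hello message to (?P<host>\S+), "
    r"requesting version (?P<ver>\d+\.\d+)"
)


def wire_tuple(ver):
    """'3.3' -> (3, 3) so versions compare numerically rather than as strings."""
    major, minor = ver.split(".")
    return int(major), int(minor)


def parse_client_hellos(trace):
    """Return one (host, wire_version, protocol_name) triple per client_hello line."""
    hellos = []
    for line in trace.splitlines():
        m = CLIENT_HELLO.search(line)
        if m:
            ver = m.group("ver")
            hellos.append((m.group("host"), ver, WIRE_VERSIONS.get(ver, "unknown")))
    return hellos


def hosts_below(trace, required_wire="3.3"):
    """Hosts whose client_hello requests a version lower than required_wire (default 3.3 = TLS 1.2)."""
    return [host for host, ver, _ in parse_client_hellos(trace)
            if wire_tuple(ver) < wire_tuple(required_wire)]


if __name__ == "__main__":
    for host, ver, name in parse_client_hellos(SAMPLE_TRACE):
        print(f"{host}: requested {ver} ({name})")
    print("still below TLS 1.2:", hosts_below(SAMPLE_TRACE))
```

Run it against the trace exported from XPI Inspector after the patch: an empty result from hosts_below means every Axis channel in the trace is already requesting TLS 1.2.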


SuccessFactors’ OData and SFAPI Integrations 

API integrations are interfaces or applications (including mobile apps and desktop clients) that are separate from SuccessFactors but use SuccessFactors data. If you have any Boomi, OData or SFAPI integrations, please ensure that the TLS 1.2 encryption protocol is enabled in those integrations.


Action Required for OData and SFAPI Integrations 

  • If your integrations that use inbound connections to SuccessFactors do not have TLS 1.2 enabled after we make this change, your integrations may experience disruption. We recommend that you begin planning to support TLS 1.2 as soon as possible.
  • If you are integrating with on-premise or third-party systems, please reach out to your local Basis team or the third-party vendor to ensure TLS 1.2 or higher is being used.
  • If you are using Boomi, SF-hosted and Dell-hosted Atoms will not be affected, but local Atoms will need to be upgraded to use TLS 1.2 or higher. For more information, please see SAP Note 2885877.
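
The six suites listed under "SAP SuccessFactors will no longer support the following weak ciphers" all use static RSA key exchange (the TLS_RSA_* family), which provides no forward secrecy. The following Python script is added here as an example; it is not part of the KBA or of any SAP product. It turns that cipher list and the OData/SFAPI action items into a check an integration owner can run offline: it reports which of a client's offered suites the server will reject after the change, audits what the local Python/OpenSSL stack would offer, and builds a client context restricted to TLS 1.2 and ephemeral-ECDH suites. The cipher string, the function names and the sample client offers are our own assumptions, not SAP configuration; only the six codes and names come from the KBA.

```python
import ssl

# IANA cipher-suite codes the KBA lists as disabled. All six use static RSA key
# exchange (TLS_RSA_*), so they offer no forward secrecy. Codes and names are
# copied from the article.
DISABLED_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def iana_code(openssl_id):
    """OpenSSL reports pre-TLS-1.3 cipher ids as 0x0300XXXX; the low 16 bits are the IANA code."""
    return openssl_id & 0xFFFF


def assess_offered_suites(offered):
    """Given the (IANA code, name) pairs a client would put in its ClientHello, split
    them into suites the server will reject after the change and suites that still work."""
    rejected = [name for code, name in offered if code in DISABLED_SUITES]
    remaining = [name for code, name in offered if code not in DISABLED_SUITES]
    return {"rejected": rejected, "remaining": remaining, "can_connect": bool(remaining)}


def pre_tls13_suites(ctx):
    """Cipher suites an ssl.SSLContext would offer for a TLS 1.2 handshake, as
    (IANA code, OpenSSL name). TLS 1.3 suites are negotiated separately and are skipped."""
    return [(iana_code(c["id"]), c["name"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_context(ctx):
    """Would a client built on this context still connect after the weak suites are gone?"""
    report = assess_offered_suites(pre_tls13_suites(ctx))
    report["min_tls12"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return report


def hardened_client_context():
    """Client context for an integration: TLS 1.2 minimum and no static-RSA key exchange.
    Hypothetical helper; the cipher string is our choice, not an SAP recommendation."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep only ephemeral-ECDH suites with AEAD ciphers; "!kRSA" drops the TLS_RSA_* family.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!kRSA")
    return ctx


if __name__ == "__main__":
    # Constructed offer of an old integration that only speaks the suites being disabled.
    legacy_offer = [(0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
                    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA")]
    print("legacy client:", assess_offered_suites(legacy_offer))
    print("this Python/OpenSSL default:", audit_context(ssl.create_default_context()))
    print("hardened client:", audit_context(hardened_client_context()))
```

The same audit_context call can be pointed at the SSLContext an OData or SFAPI client library actually uses; a non-empty "rejected" list is harmless as long as "can_connect" is true, but an empty "remaining" list means that client will fail the handshake after August 30, 2021.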

NOTES:
Compatibility guidelines and the TLS 1.1 disablement schedule will be shared in this Knowledge Base Article as soon as they are available.

See Also

2885877 - TLS 1.1 Encryption Protocol Disablement Effect on Boomi

2790332 - SSL weak cipher suites supported - Security concern?



Keywords

TLS 1.1, TLS 1.2, TLS 1.3, TLS 1.1 encryption protocol disablement, KBA, LOD-SF-PLT-SEC, Security Reports, LOD-SF-INT, Integrations, LOD-SF-EC, Employee Central, LOD-SF-ANA, Analytics & Reporting (Ad Hoc, YouCalc, ORD), LOD-SF-RCM, Recruiting Management, LOD-SF-OBD, Onboarding, LOD-SF-PM, Performance Management, LOD-SF-RMK, Recruiting Marketing, LOD-SF-CDP, Career Development Planning, LOD-SF-CMP, Compensation Management, LOD-SF-GM, Goal Management, Product Enhancement

Product

SAP SuccessFactors HCM Suite all versions