/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
As part of continual improvement and hardening of SAP SuccessFactors SFTP infrastructure and services, we will be disabling weak ciphers globally in all our SFTP servers. The list of further allowed ciphers are in the table below.
For DC-specific information and timelines please refer to the Customer Communication sent.
You may need to accommodate this change on your end – without it, it is possible that your applications will not work in the non-production or production environment. If you are not familiar with making the required changes, please notify your company's internal IT department and request for the changes to be made as soon as possible.
This change is required in order to align with industry best practices for security and data integrity and is part of continuous security improvements.
|
Allowed ciphers |
Allowed MACs |
Allowed KEX ciphers |
|
aes256-gcm@openssh.com |
hmac-sha2-512-etm@openssh.com |
ecdh-sha2-nistp521 *
|
|
aes256-ctr * |
hmac-sha2-512 * |
ecdh-sha2-nistp384 * |
|
aes192-ctr *
|
hmac-sha2-256-etm@openssh.com |
ecdh-sha2-nistp256 * |
|
aes128-gcm@openssh.com |
hmac-sha2-256 * |
diffie-hellman-group18-sha512 |
|
aes128-ctr * |
|
diffie-hellman-group16-sha512 |
|
|
|
diffie-hellman-group14-sha256 * |
|
|
|
diffie-hellman-group-exchange-sha256 * |
|
|
|
curve25519-sha256 |
|
|
|
curve25519-sha256@libssh.org |
April 27, 2024 Update: Following ciphers removed from supported list for security reasons-
WFA Canvas SFTP library only supports the ones with *.
Environment
SAP SuccessFactors HXM Suite
Resolution
FREQUENTLY ASKED QUESTIONS (FAQ)
What is a key exchange algorithm?
A key exchange algorithm is any method in cryptography by which secret cryptographic keys are exchanged between two parties, usually over a public communications channel. E.g. the diffie-hellman-group-exchange-sha1 is a FIPS 140-2 compliant key exchange algorithm which is being phased out due to well-known SHA1 vulnerabilities. It is recommended that these weak key exchange groups be phased out.
How and when will SuccessFactors implement the change?
The implementation starts as defined in the customer communication.
Does this apply to SSH based connections to SFTP? Or does it apply to web based connections to FTP?
This applies to SFTP connections that are being made over Port 22.
HTTPS protocol (login in using web browser) will not be impacted.
Is there any impact for customers that use their own SFTP and integrate it with SuccessFactors?
The impact is on SuccessFactors SFTP accounts only, and not any other external, customer-owned SFTP server.
How do we check if we are impacted or not? How to verify this algorithm support on our SFTP tool? Does this change impact our setup with SuccessFactors SFTP?
This depends on how the connection to the SuccessFactors SFTP account is being made, and needs to be checked on the end of the tool or server being used to connect to SFTP.
It is unfortunately not possible for SuccessFactors support to provide guidance on how to verify this algorithm support on the varying external systems that might be connecting to our SFTP. Our recommendation will be to check any available technical documentation or contact support for the concerned system or tool.
Some examples of relevant technical documentations for specific tools/system,
- WinSCP application based SFTP connection- https://winscp.net/eng/docs/ui_login_kex
- Java Based JSCH connections to SFTP- http://www.jcraft.com/jsch/
Does this impact any external (Non-SuccessFactors) SFTP accounts to which connections are being made from Integration Center and/or other Scheduled Jobs in SuccessFactors?
The change applies to SuccessFactors SFTP accounts only. There is no impact for customers using their own SFTP accounts with Integration Center or other Scheduled Jobs.
Does this impact the SuccessFactors SFTP connectivity with scheduled Jobs in provisioning ?
SuccessFactors servers already have the latest configurations as per new standards, so no impact to scheduled FTP jobs in provisioning.
Does this impact the SFTP connectivity we have in BOOMI integration ?
BOOMI sftp connections will be initiated from BOOMI servers which are hosted within SuccessFactors data centers.
Those servers already have the latest configurations as per new standards.
We identified one exception (Failed to connect to host: XXX on port 22. Exception message is: Algorithm negotiation fail; Caused by: Algorithm negotiation fail) due to configuration in Boomi processes connecting with SF Boomi Cloud atoms. To solve the issue, kindly follow the KBA 3045045 - Algorithm negotiation fail error in Boomi - SAP for Me
Does this impact the SFTP connectivity we have in SAP Cloud Integration (former CPI) ?
Check KBA 3095982 for complete details. There will be no connection issues with the connectivity to Cloud Integration.
Does this impact the SFTP connectivity we have in SAP Process Integration (PI) or Process Orchestration (PO) on-premise middlewares?
Check KBA 3098668 for complete detail. The SFTP Adapter Software Component, PIB2BSFTP, needs to be at SP04 Patch Level 21 or higher, as per SAP Note 2337525 Jsch library upgrade to version Jsch 0.1.53.
Note: SAP have changed how the PO SFTP Adapter software is delivered.
From PO 7.5 SP22, this is no longer a separate Add-on and is now part of the standard NetWeaver Support Pack Stack.
Refer to KBA 3106799 Change to PO Add-on Components in 7.50 SP22.
Note 2337525 contains software released in 2016, so this is already available in the SP22 version (release 2022).
If required, use note 1381878 How/where to check the patch levels of your XI/PI system, to check the patch level.
***It is recommended to keep security related software up to date by patching regularly.
Does this impact the SFTP connectivity we have in SuccessFactors Learning (LMS) Connector jobs?
LMS servers already have the latest configurations as per new standards, so no impact to SFTP connections for Connector jobs.
Does this impact the SSO setup for SuccessFactors ?
This change has no impact on SuccessFactors SSO setup.
Does this impact the SFTP connectivity established via SM59 RFCs in On-Premise HCM ERP?
Tests have been performed and no impacts were found when using RFC connections in SM59 to connect to the SFTP.
Keywords
SuccessFactors, SFTP, Key Exchange algorithm, SHA1, vulnerabilities,diffie-hellman-group-exchange-sha1,SSH , KBA , LOD-SF-PLT-SEC , Security Reports , LOD-SF-PLT-FTPS , SFTP Account Creation, Reset Password & Install SSH Service , Product Enhancement
Product
Attachments
| Pasted image.png |
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)