Symptom
Beginning November 25, 2023, the TLS 1.2 cipher suites will be upgraded (weak ciphers disabled) and TLS 1.3 will be enabled for all modules in the DC66 Non-Production environment. Beginning December 9, 2023, the same weak TLS 1.2 ciphers will be disabled and TLS 1.3 will be enabled for all modules in the DC66 Production environment.
Environment
SAP SuccessFactors HXM Suite
Cause
Why is it happening?
At SuccessFactors, Trust is our #1 value and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors requires ongoing updates and security hardening and the continued use of strong TLS 1.2 ciphers to maintain the highest security standards and promote the safety of customer data. TLS 1.3 will also be enabled as it offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suites.
Resolution
Customers must ensure they can connect to SuccessFactors using only these new ciphers.
Only these TLS 1.3 ciphers will be supported:
- TLS_AES_256_GCM_SHA384 (0x1302)
- TLS_CHACHA20_POLY1305_SHA256 (0x1303)
- TLS_AES_128_GCM_SHA256 (0x1301)
Only these TLS 1.2 ciphers will be supported:
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Some of the weak TLS 1.2 ciphers which will be disabled include:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Impact on customers?
After SuccessFactors disables the specific weak ciphers, any connections to SuccessFactors which rely on the older, weaker ciphers will fail. This change will affect all SuccessFactors URLs which use TLS encryption (web links starting with https://). External automated tools, which use SuccessFactors’ OData and SFAPI services, may require explicit support of the stronger ciphers via configuration or library upgrades.
Customers must take action to investigate, test and possibly upgrade/update their integration client libraries and configurations to ensure they can support the strong ciphers and avoid outages. Please contact your Partner/IT team to evaluate if you have any integrations that might be impacted by this change.
What is confirmed to be not impacted?
- End users will not observe any impact, since all web browsers on the SuccessFactors support list will automatically use the strong ciphers (see the Supported Desktop Browsers for SAP SuccessFactors guide).
- Standard Boomi & CPI integrations with SuccessFactors will not be impacted.
- SFTP related processes will not be impacted.
Customer Action Required?
The action required by your organization depends on which channels are used to access your SuccessFactors services. Investigate, test, and if necessary upgrade or update your integration client libraries and/or configurations so that they support the strong ciphers, to avoid outages of your integrations and jobs. Check your platform or library compatibility and upgrade or enable support for the newly required ciphers:
- Java Sun Jersey HTTPClient Library
- Java Apache HttpClient
- Java IBM
- .NET (check your operating system for cipher compatibility)
- Python
- Ruby
- OpenSSL
- etc.
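A way to check an integration client against the allow-list above, as an added example that is not part of this KBA or SAP's code: it models the DC66 negotiation outcome for a given ClientHello cipher offer and reads the offer a default Python ssl client on the local host would send. The code points for the disabled suites are not in the KBA; they are the standard IANA assignments for the named suites.

```python
"""Audit a TLS client's cipher suite offer against the DC66 allow-list in this
KBA.  Added example, not SAP code.  The KBA names the disabled suites without
code points; the values below are their standard IANA assignments."""
import ssl

ALLOWED_TLS13 = {0x1302: "TLS_AES_256_GCM_SHA384",
                 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
                 0x1301: "TLS_AES_128_GCM_SHA256"}
ALLOWED_TLS12 = {0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
DISABLED_TLS12 = {0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                  0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                  0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                  0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                  0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
                  0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                  0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
                  0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
                  0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                  0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
                  0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
                  0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"}


def audit_offer(offered_ids):
    """Predict how DC66 answers a ClientHello offering the 16-bit cipher
    suite code points in `offered_ids` once the change is live."""
    offered = set(offered_ids)
    if offered.intersection(ALLOWED_TLS13):    # server picks TLS 1.3 first
        version = "TLSv1.3"
    elif offered.intersection(ALLOWED_TLS12):
        version = "TLSv1.2"
    else:                                      # no common suite: handshake fails
        version = None
    allowed = {**ALLOWED_TLS13, **ALLOWED_TLS12}
    return {"will_connect": version is not None,
            "version": version,
            "negotiable": [n for c, n in allowed.items() if c in offered],
            # offered suites the change removes; an offer made only of these
            # is the outage case the KBA describes
            "relying_on_disabled": [n for c, n in DISABLED_TLS12.items()
                                    if c in offered]}


def local_openssl_offer():
    """Code points a default Python ssl client context offers on this host;
    OpenSSL's cipher ids carry a 0x0300 prefix that is masked off here."""
    return {c["id"] & 0xFFFF for c in ssl.create_default_context().get_ciphers()}
```

Run `audit_offer(local_openssl_offer())` on the host that runs a Python integration; for clients in other languages, feed the code points from a captured ClientHello to `audit_offer` instead.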
If you are unfamiliar with making the necessary changes outlined in the knowledge base, please contact your company's internal IT department and convey these requirements and deadlines for prompt support.
What Modules are impacted?
SAP SuccessFactors HXM Suite (all modules) in DC66 (Sydney) data center.
What Environments?
All DC66 environments including Preview and Production are impacted by this change.
Is it planned for other Data Centers?
Currently, it will only be implemented in DC66 (Sydney). If it is planned for other data centers, customers will be informed in advance so that they have time to complete the required actions.
Maintenance window:
The upgrade should take place during the weekend maintenance time period, between 15:00 and 19:00 UTC. Please refer to the email notification to confirm the dates on which it will take place for your tenants.
Keywords
TLS 1.3, encryption protocol, DC66, TLS version, sf, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, Product Enhancement