Symptom
Which TLS versions & ciphers are supported in SuccessFactors?
Environment
SAP SuccessFactors HCM Suite
Cause
At SuccessFactors, Trust is our #1 value and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors requires ongoing updates and security hardening and the continued use of strong TLS 1.2 ciphers to maintain the highest security standards and promote the safety of customer data. TLS 1.3 is also enabled as it offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suites.
Resolution
SuccessFactors supports the below TLS versions and ciphers:
TLS 1.3 ciphers:
- TLS_AES_256_GCM_SHA384 (0x1302)
- TLS_CHACHA20_POLY1305_SHA256 (0x1303)
- TLS_AES_128_GCM_SHA256 (0x1301)
TLS 1.2 ciphers:
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
What Environments?
This applies to all environments including Preview and Production.
Process Integration (PI) or Process Orchestration (PO) Middleware situation.
- TLS 1.3 is not supported in NetWeaver 7.5 or lower for outbound connections (PO Receiver Adapter -> SF).
- TLS 1.3 is supported in NetWeaver 7.5 for inbound connections with SAP Note 3318423 Is TLS 1.3 Supported by SAP Kernel for Netweaver AS ABAP (the same applies to AS Java).
- TLS 1.2 with ECDHE cipher enablement (100% required for outbound connections) is only supported in NetWeaver 7.5 with software levels mentioned in SAP Note 2708581 ECC Support for Outbound Connections in SAP NW AS Java.
- It is 100% necessary to manually enable the ECDHE ciphers e.g. as per Example Profile 3 of Note 2708581.
- This is only possible with the 7.5 release - it is not technically possible in 7.40 or lower.
- Manual enablement of ECDHE ciphers is necessary as these are not enabled by default.
- Instructions on maintaining the SSLContext.properties file are available in KBA 2569156 How to create, modify and validate SSLContext.properties file.
- If a workaround is required for systems on lower releases...
- Workaround 1: Install a non-central Adapter Engine on version 7.50 with latest SP stack and link this to the central PI/PO. Then run the interface via the non-central Adapter Engine. Refer to KBA 3218132 Workaround for new PI/PO Adapter features not available in older SP's or Releases.
- Workaround 2: If you have SAP Integration Suite (SAP's Cloud equivalent middleware product), you can migrate the interface to CPI (or configure from scratch) where it will run seamlessly with this change.
- See SAP Process Orchestration to SAP Integration Suite Migration
- SFAPI Package in CPI: SuccessFactors HCM Suite Talent Management integration with SAP ERP HCM
- OData Package in CPI: SAP SuccessFactors HCM Suite Talent Management Integration with SAP ERP HCM using OData
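A way to check a client against the cipher lists above, as an added example that is not part of the KBA or SAP's own code: it decodes the cipher_suites field of a captured ClientHello and reports which of the listed suites the client offers per TLS version. The function names and the two hex samples are constructed for illustration; 0x009d and 0x009c are the IANA code points of TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256, standing in for a client that has no ECDHE suites enabled.

```python
import struct

# Suites and code points copied from the lists above, in the order given.
SF_SUITES = {
    "TLS 1.3": [
        (0x1302, "TLS_AES_256_GCM_SHA384"),
        (0x1303, "TLS_CHACHA20_POLY1305_SHA256"),
        (0x1301, "TLS_AES_128_GCM_SHA256"),
    ],
    "TLS 1.2": [
        (0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
        (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
        (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ],
}

def parse_suite_vector(raw):
    """Decode a ClientHello cipher_suites field: 2-byte length, then 2-byte ids."""
    if len(raw) < 2:
        raise ValueError("truncated cipher_suites field")
    (length,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if length != len(body) or length % 2:
        raise ValueError("cipher_suites length does not match its contents")
    return [code for (code,) in struct.iter_unpack("!H", body)]

def shared_suites(offered, versions):
    """Per TLS version the client enables, the listed suites it also offers."""
    offered = set(offered)
    return {
        version: [name for code, name in suites if code in offered]
        for version, suites in SF_SUITES.items()
        if version in versions
    }

def can_connect(offered, versions):
    """True when at least one enabled version has a suite in common."""
    return any(shared_suites(offered, versions).values())

# Constructed sample: TLS 1.2 client offering only RSA key-exchange suites.
LEGACY_HELLO = bytes.fromhex("0004009d009c")
# Constructed sample: the same client after ECDHE suites are enabled.
FIXED_HELLO = bytes.fromhex("0008c030c02f009d009c")

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_HELLO), ("fixed", FIXED_HELLO)):
        offer = parse_suite_vector(raw)
        print(label, can_connect(offer, {"TLS 1.2"}), shared_suites(offer, {"TLS 1.2"}))
```

The hex input is the cipher_suites field as copied from a packet capture of the client's handshake, including its two-byte length prefix.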
Keywords
TLS 1.3, encryption protocol, DC66, TLS version, sf, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, Product Enhancement