SAP Knowledge Base Article - Public

3383588 - TLS protocol support in SAP SuccessFactors

Symptom

Which TLS versions & ciphers are supported in SuccessFactors?

Environment

SAP SuccessFactors HCM Suite

Cause

At SuccessFactors, Trust is our #1 value and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors requires ongoing updates and security hardening and the continued use of strong TLS 1.2 ciphers to maintain the highest security standards and promote the safety of customer data. TLS 1.3 is also enabled as it offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suites.

Resolution

SuccessFactors supports the following TLS versions and cipher suites:

TLS 1.3 ciphers:

  • TLS_AES_256_GCM_SHA384 (0x1302)
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  • TLS_AES_128_GCM_SHA256 (0x1301)

TLS 1.2 ciphers:

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 

What Environments?

This applies to all environments including Preview and Production.

Process Integration (PI) or Process Orchestration (PO) middleware considerations

  1. TLS 1.3 is not supported in NetWeaver 7.5 or lower for outbound connections (PO Receiver Adapter -> SF).
  2. TLS 1.3 is supported in NetWeaver 7.5 for inbound connections; see SAP Note 3318423 Is TLS 1.3 Supported by SAP Kernel for Netweaver AS ABAP (the same applies to AS Java).
  3. TLS 1.2 with ECDHE cipher enablement (100% required for outbound connections) is only supported in NetWeaver 7.5 with the software levels mentioned in SAP Note 2708581 ECC Support for Outbound Connections in SAP NW AS Java.
  4. It is 100% necessary to manually enable the ECDHE ciphers, e.g. as per Example Profile 3 of Note 2708581.
    1. This is only possible with the 7.5 release - it is not technically possible in 7.40 or lower.
    2. Manual enablement of ECDHE ciphers is necessary as these are not enabled by default.
    3. Instructions on maintaining the SSLContext.properties file are available in KBA 2569156 How to create, modify and validate SSLContext.properties file.

  5. If a workaround is required for systems on lower releases...
    1. Workaround 1: Install a non-central Adapter Engine on version 7.50 with latest SP stack and link this to the central PI/PO. Then run the interface via the non-central Adapter Engine. Refer to KBA 3218132 Workaround for new PI/PO Adapter features not available in older SP's or Releases.

    2. Workaround 2: If you have SAP Integration Suite (SAP's Cloud equivalent middleware product), you can migrate the interface to CPI (or configure from scratch) where it will run seamlessly with this change. 
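
The following Python check is an added example, not part of the SAP article or SAP tooling. It intersects a client's enabled TLS versions and suite code points with the list in the Resolution section, which shows why a TLS 1.2 client without the ECDHE suites has nothing left to negotiate. The function names and the two client profiles are constructed for illustration.

```python
import ssl

# Suites from the Resolution section, keyed by IANA code point.
SF_SUITES = {
    "TLSv1.3": {
        0x1302: "TLS_AES_256_GCM_SHA384",
        0x1303: "TLS_CHACHA20_POLY1305_SHA256",
        0x1301: "TLS_AES_128_GCM_SHA256",
    },
    "TLSv1.2": {
        0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    },
}


def negotiable(client_versions, client_suites):
    """Return {version: [suite names]} shared with the list above.

    An empty dict means no version/suite pair is common to both sides,
    so the handshake cannot complete.
    """
    shared = {}
    for version, suites in SF_SUITES.items():
        if version not in client_versions:
            continue
        names = [name for cp, name in suites.items() if cp in client_suites]
        if names:
            shared[version] = names
    return shared


def local_suites(ctx=None):
    """Code points enabled in a Python ssl client context on this host."""
    ctx = ctx or ssl.create_default_context()
    # OpenSSL reports 0x0300XXXX; the low 16 bits are the IANA code point.
    return {c["id"] & 0xFFFF for c in ctx.get_ciphers()}


# Constructed client profiles (not taken from any real system).
NO_ECDHE = ({"TLSv1.2"}, {0x009C, 0x009D, 0x002F})            # RSA key exchange only
WITH_ECDHE = ({"TLSv1.2"}, {0x009C, 0x009D, 0xC02F, 0xC030})  # ECDHE enabled

if __name__ == "__main__":
    print("no ECDHE  :", negotiable(*NO_ECDHE))
    print("with ECDHE:", negotiable(*WITH_ECDHE))
    # Assumes this context's version range allows TLS 1.2 and 1.3.
    print("this host :", negotiable({"TLSv1.2", "TLSv1.3"}, local_suites()))
```

The result lists shared suites in the order the article gives them, which is not necessarily the server's preference order.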

Keywords

TLS 1.3, encryption protocol, DC66, TLS version, sf, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, Product Enhancement

Product

SAP SuccessFactors HXM Suite 2311
