Symptom
When you run an Integration Center job, it fails with an error similar to the following:
"Authentication is failed for SFTP Server", and/or
"Authentication Failed due to invalid username or certificate"
Environment
SAP SuccessFactors Integration Center
SAP SuccessFactors Security Center
Cause
Product Enhancement
Resolution
Our Engineering teams evaluated whether the Security Center was generating ssh-rsa keys that use the SHA-1 hash algorithm in the key generation.
For transparency, we can share that, after preliminary investigation, we could not identify any specific SHA algorithm (SHA-1 or SHA-2) being used internally by the generated RSA keys. For additional information on SHA keys, please see our FAQ below.
FAQ:
1) Do I have an option to create either SHA-1 or SHA-2 keys in the SuccessFactors Security Center -> Other Keys?
Customers can only generate RSA keys using the Security Center's Other Keys feature. SHA-256 and SHA-512 are signature algorithms used during handshake negotiations between the SFTP client and server. Currently, the BizX SFTP Client library supports only SHA-1. However, the new SFTP Client library released in 1H 2025 will include support for SHA-256 and SHA-512, allowing customers to enable these algorithms on their SFTP Server for more secure communication.
2) For all the existing SHA-1 keys, will they stay as is in the SuccessFactors system after 1H 2025 release and work with the Vendor SFTP server authentication?
The new SFTP client library will continue supporting SHA-1, ensuring compatibility for customers who have configured this signature algorithm on their SFTP Servers. However, it is strongly recommended to transition to SHA-256 or SHA-512 to enhance communication security.
3) Is there any plan to expand the Key generation tool in SuccessFactors to generate the SSH Keys based on the Vendor SFTP server supported keys and other parameters? (e.g.: RSA, OpenSSH, different key length, etc.)
The currently supported RSA keys are typically vendor-agnostic. The new release, 1H 2025, provides an option to choose from key sizes of 2048, 3072, and 4096.
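The distinction drawn in FAQ answers 1 and 2, shown as an added example that is not SAP code: an ssh-rsa public key stores only its type, exponent and modulus, while the hash is chosen by the signature algorithm both sides agree on (names per RFC 8332). The sample key, the server policy and all function names are constructed for illustration.

```python
import base64
import struct

# RFC 8332: these signature algorithms all use the same "ssh-rsa" key format;
# only the hash applied when signing differs.
RSA_SIGNATURE_HASH = {"ssh-rsa": "SHA-1", "rsa-sha2-256": "SHA-256", "rsa-sha2-512": "SHA-512"}

def _field(data):
    """Encode one length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data

def _mpint(x):
    """Encode a positive integer as an SSH mpint (extra byte keeps the sign bit clear)."""
    return _field(x.to_bytes(x.bit_length() // 8 + 1, "big"))

def _read(blob, off):
    """Read one length-prefixed field, rejecting truncated input."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_rsa_public_key(line):
    """Return the fields of an OpenSSH-format 'ssh-rsa AAAA... comment' line."""
    blob = base64.b64decode(line.split()[1], validate=True)
    key_type, off = _read(blob, 0)
    exponent, off = _read(blob, off)
    modulus, off = _read(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("not a well-formed ssh-rsa key")
    # The blob ends here: type, e, n. No hash algorithm is stored in the key.
    return {"type": key_type.decode(), "e": int.from_bytes(exponent, "big"),
            "bits": int.from_bytes(modulus, "big").bit_length()}

def usable_signature_algorithms(client_supported, server_accepted):
    """RSA signature algorithms both sides allow, in client preference order."""
    return [a for a in client_supported if a in RSA_SIGNATURE_HASH and a in server_accepted]

# Constructed sample: 2048-bit placeholder modulus, not a real RSA key.
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(
    _field(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode() + " constructed@example"

# Hypothetical server policy that accepts only SHA-2 signatures.
SERVER_ACCEPTED = ["rsa-sha2-256", "rsa-sha2-512"]
OLD_CLIENT = ["ssh-rsa"]                                  # SHA-1 only
NEW_CLIENT = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]  # SHA-2 plus SHA-1 fallback

if __name__ == "__main__":
    print(parse_rsa_public_key(SAMPLE_KEY))
    print(usable_signature_algorithms(OLD_CLIENT, SERVER_ACCEPTED))  # empty: no common algorithm
```

An empty result for the SHA-1-only client is the case where the same RSA key is rejected at authentication even though the key itself is unchanged.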
See Also
What's New Viewer: Improvements to SSH Key Generation Functionality in Security Center | SAP Help Portal
KBA 2963487 - Supported SSH Encryption for Integration center
Keywords
Authentication is failed for SFTP Server, Authentication Failed due to invalid username or certificate, SHA-1, SHA-2, RSA, SFINT-18716, Security Center, Security Centre, algorithm, key, security key, SFINT-15920, KI2505, 1H 2025, 2505, KEA, release, production, preview, H1, SSH, encryption, KBA, LOD-SF-INT-INC-SEC, LOD-SF-INT, Integrations, LOD-SF-INT-INC, Integration Center, Product Enhancement