SAP Knowledge Base Article - Public

2861289 - TLS 1.1 encryption protocol disablement for SAP SuccessFactors

Symptom

Beginning February 16, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Non-Production environment, and beginning March 22, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Production environment.

Environment

SAP SuccessFactors HXM Suite (all modules)

Resolution

SAP SuccessFactors is requiring an upgrade to TLS 1.2 or higher to align with industry best practices for security and data integrity.

Beginning February 16, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Non-Production environment, and beginning March 22, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Production environment. Action is required prior to this date to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

This Knowledge Base Article contains all of the information currently available on SAP SuccessFactors disablement of the TLS 1.1 encryption protocol. Please review the document for guidance on preparing for TLS 1.1 disablement.

What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification.

Almost all communication between customer users and SuccessFactors products is over HTTP/web, protected by encryption using one version of TLS or another. STARTTLS SMTP (e-mail) also uses TLS as a key component of its security.

SuccessFactors’ servers support several versions of the TLS protocol: TLS 1.1 and 1.2. At the start of communication (the handshaking phase), a web browser and the SuccessFactors server exchange their supported TLS versions and choose the highest version they both support to carry out the rest of the communication.

TLS 1.1 has been found weak in protection, especially when combined with weak ciphers. The prevailing best security practice is to remove TLS 1.1 support altogether.

What is the change? 

Beginning February 16, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Non-Production environment, and beginning March 22, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Production environment. Action is required prior to this date to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

How will customers be impacted?

After SuccessFactors disables TLS 1.1, any connections to SuccessFactors that rely on TLS 1.1 will fail. This change will affect all SuccessFactors TLS URLs (web links starting with https://...). End users will not observe the impact, since all the browsers on the SuccessFactors support list will automatically use TLS 1.2. Automated tools that use SuccessFactors’ OData and SFAPI services may require explicit support of TLS 1.2 via configuration or library upgrades.

How to test your browser compatibility?

If you are able to view our test site, which has TLS 1.1 disabled, without errors, access to SuccessFactors via your browser should not be impacted by this change, and no action is required.

How can customers avoid a service disruption?
The action required by your organization will depend on which channels are used to access your SuccessFactors services. Please check the relevant topics below to be directed to the required action page(s).

Why is this happening?
At SuccessFactors, Trust is our #1 value and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors will require TLS 1.2 and later encryption protocol in an effort to maintain the highest security standards and promote the safety of customer data.

How and when will SuccessFactors implement the change?

Beginning February 16, 2020, the TLS 1.1 encryption protocol will be disabled for all modules in the Non-Production environment, and beginning March 22, 2020, it will be disabled for all modules in the Production environment. Action is required prior to this date to prevent any disruption to your Production instance. See below for the upgrade schedule for your data center.

Actions for channels impacted:

TLS 1.2 Supported Browser Versions

  • Google Chrome - Version 38 and higher
  • Mozilla Firefox - Version 27 and higher
  • Internet Explorer - Version 11
  • Safari - Version 7 and higher
  • Opera - Version 17 and higher

SAP PI connectors

Background:

  • SAP NetWeaver 7.10 and 7.11 run on Java 5 on SAP JVM 5.1, which does not support TLS 1.2. Some customers updated to JVM 6 to resolve last year’s TLS 1.0 to 1.1 move, but with this their PI is not in a supported state.
  • JDK 6 is only available from release 7.30 SP10, 7.31 and 7.40 onward, which means that TLSv1.2 cannot be used in 7.11 systems. However, there is a note to support lower versions.
    • SuccessFactors adapter uses the JDK's SSL library for secure connection establishment.
    • Axis adapter uses the IAIK security library and not the underlying JDK's SSL library.


Solution:

  • Customers have to do a full stack upgrade to at least 7.11 SP15 and apply the patch as per SAP Note 2292139 - TLSv1.2 support in Axis adapter.
  • Please review this SAP Note which is relevant for SFSF adapter: 2677300 - PI SuccessFactors adapter: Setting minimum SSL version
  • Additional Technical Instructions:
    • Do not use an SSL context property file, because it may introduce constraints if properties are not properly specified.
    • For the Axis channel specify the following properties for the transport handler:
      • maxSSLVersion = TLS12
      • minSSLVersion = TLS10
    • Additional reference Note - 2284059 - Update of SSL library within NW Java server
  • Testing Instructions to validate post patch update:
    • Check the channel using the XPI Inspector.
    • Select example: 50 (XI Channel) and the corresponding Axis receiver Channel. Reproduce the call.
      • If maxSSLVersion = TLS12, then in the traces you will see something like this: ssl_debug(...): Sending v3 client_hello message to <host>, requesting version 3.3...
      • If maxSSLVersion = TLS11, then in the traces you will see something like this: ssl_debug(...): Sending v3 client_hello message to <host>, requesting version 3.2...
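The trace check in the testing instructions above can be automated. The following is an added example, not part of the SAP note or the XPI Inspector, that scans ssl_debug trace lines for the requested record version (3.3 is TLS 1.2, 3.2 is TLS 1.1, 3.1 is TLS 1.0) and flags channels that would break once TLS 1.1 is disabled. The sample trace lines, host names and channel numbers are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the KBA): scans XPI Inspector / ssl_debug trace lines and reports
// which Axis channels still send a client_hello requesting a version below TLS 1.2.
public class AxisChannelTlsCheck {

    // ssl_debug reports the protocol as a record version "3.x":
    // 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2 (the minimum required after the disablement).
    private static final Pattern CLIENT_HELLO = Pattern.compile(
        "ssl_debug\\(([^)]*)\\): Sending v3 client_hello message to (\\S+?), requesting version 3\\.(\\d)");

    static String tlsName(int minor) {
        switch (minor) {
            case 1:  return "TLS 1.0";
            case 2:  return "TLS 1.1";
            case 3:  return "TLS 1.2";
            default: return "unknown (3." + minor + ")";
        }
    }

    /** One finding per client_hello line; anything below record version 3.3 is flagged AT RISK. */
    static List<String> check(List<String> traceLines) {
        List<String> findings = new ArrayList<String>();
        for (String line : traceLines) {
            Matcher m = CLIENT_HELLO.matcher(line);
            if (!m.find()) {
                continue;   // server_hello, cipher suite and other trace lines are not relevant here
            }
            int minor = Integer.parseInt(m.group(3));
            String verdict = minor >= 3 ? "OK" : "AT RISK: fails once TLS 1.1 is disabled";
            findings.add("ssl_debug(" + m.group(1) + ") -> " + m.group(2)
                    + " requests " + tlsName(minor) + " : " + verdict);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the format quoted in the KBA; hosts are placeholders.
        List<String> sample = Arrays.asList(
            "ssl_debug(1): Sending v3 client_hello message to pi-target-a.example, requesting version 3.3...",
            "ssl_debug(2): Sending v3 client_hello message to pi-target-b.example, requesting version 3.2...",
            "ssl_debug(2): Received v3 server_hello message.");
        for (String finding : check(sample)) {
            System.out.println(finding);
        }
    }
}
```

Feed it the saved XPI Inspector trace of each Axis receiver channel; any line reported AT RISK corresponds to a channel whose maxSSLVersion still needs to be raised to TLS12.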

SuccessFactors’ OData and SFAPI Integrations

API Integrations are interfaces or applications, including mobile apps and desktop clients, that are separate from SuccessFactors but use SuccessFactors data. If you have any Boomi, OData or SFAPI integrations, please ensure that the TLS 1.2 encryption protocol is enabled in those integrations.

Action Required for OData and SFAPI Integrations 

If your integrations that use inbound connections to SuccessFactors do not have TLS 1.2 enabled after we make this change, your integrations may experience disruption. We recommend that you begin planning to support TLS 1.2 as soon as possible.

If you are integrating with on-premise or 3rd party systems, please reach out to your local Basis team or the 3rd party vendor to ensure TLS 1.2 or higher is being used.
If you are using Boomi SF Hosted Atoms or Dell Hosted Atoms, you will not be affected, but Local Atoms will need to be upgraded to use TLS 1.2 or higher. For more information please see note 2885877.

Please refer to the compatibility guidelines below (Platform or Library, followed by its Compatibility Notes):

Java (Sun Jersey HTTPClient Library)
  • Java 8 and higher - Compatible with TLS 1.2 and TLS 1.3
  • Java 7 - Configure JVM option https.protocols=TLSv1.3,TLSv1.2,TLSv2
  • Java 6 update 111 and higher - Configure JVM option https.protocols=TLSv1.3,TLSv1.2,TLSv2

Java Apache HttpClient 4.0 and higher
  For Apache HttpClient 4.0 and higher to recognize the “https.protocols” JVM option, please use one of the following methods to configure the connection:
    1. HttpClientBuilder - call useSystemProperties() before calling build(). (Available since 4.3)
    2. HttpClients - call createSystem() to create an instance that recognizes “https.protocols” among other system properties. (Available since 4.3)
    3. Create an HttpClient based on SSLSocketFactory - get an SSLSocketFactory instance with getSystemSocketFactory() and use this instance for HttpClient creation.
    4. Create an HttpClient based on SSLConnectionSocketFactory - get an instance with getSystemSocketFactory() and use this instance for HttpClient creation. (Available since 4.3)
    5. Use SystemDefaultHttpClient instead of DefaultHttpClient. (Available since 4.2)
  • Java 8 and higher - Compatible with TLS 1.2 and TLS 1.3
  • Java 7 update 95 and higher - Configure JVM option https.protocols=TLSv1.3,TLSv1.2,TLSv2
  • Java 6 update 111 and higher - Configure JVM option https.protocols=TLSv1.3,TLSv1.2,TLSv2

Java, lower versions of Apache HttpClient
  • Java 8 and higher - Compatible with TLS 1.2 and TLS 1.3
  • Java 7 update 95 and higher - Configure JVM option jdk.tls.client.protocols=TLSv1.3,TLSv1.2,TLSv2
  • Lower versions of Java 7 - Not compatible
  • Java 6 update 121 and higher - Configure JVM option jdk.tls.client.protocols=TLSv1.3,TLSv1.2,TLSv2
  • Lower versions of Java 6 - Not compatible

Java (IBM)
  • Java 8 - Compatible with TLS 1.2 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library called by it, uses SSLContext.getInstance("TLS").
  • Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM 2.6) and higher, Java 6 service refresh 10 and higher - Enable TLS 1.3 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

.NET - Compatible with the most recent version when running on an operating system that supports TLS 1.2 or TLS 1.3.
  • .NET 4.6 and higher - Compatible with TLS 1.2 or higher by default.
  • .NET 4.5 to 4.5.2 - .NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.2 and TLS 1.3 by default. Two options exist to enable these, as described below.
    Option 1: .NET applications may directly enable TLS 1.2 and TLS 1.3 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls13. The following C# code is an example:
      System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls;
    Option 2: It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".
    Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers.
    This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
  • .NET 4.0 - .NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.
    These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
  • .NET 3.5 and below - Not compatible with TLS 1.2 or higher encryption.

Python - Compatible with the most recent version when running on an operating system that supports TLS 1.2 or TLS 1.3.
  • Python 2.7.9 and higher - Compatible with TLS 1.2 or higher by default.
  • Python 2.7.8 and below - Not compatible with TLS 1.2 or higher encryption.

Ruby - Compatible with the most recent version when linked to OpenSSL 1.0.1 or higher.
  • Ruby 2.0.0 - TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.
  • Ruby 1.9.3 and below - The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.

OpenSSL - Compatible with the most recent version, regardless of operating system.
  • OpenSSL 1.0.1 and higher - Compatible with TLS 1.2 or higher by default.
  • OpenSSL 1.0.0 and below - Not compatible with TLS 1.2 or higher encryption.

SAP Cloud Platform & Cloud Platform Integration (formerly known as HCI)
  • SAP Cloud Platform - Refer to this SCP blog for TLS 1.2 support.
  • Cloud Platform Integration (formerly known as HCI) - TLS 1.2 is the default protocol.

SAP NetWeaver Process Integration 7.1x and higher (PO/PI) - See the "SAP PI connectors" section above.
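As an added example covering the Java rows in the table above (it is not SAP's code and not the KBA's own instructions): a preflight check that reports whether the running JVM supports TLSv1.2 and whether it is enabled by default, plus two Apache HttpClient configurations, method 1 from the list (useSystemProperties()) and an explicitly pinned SSLConnectionSocketFactory. It assumes Apache HttpClient 4.4 or later on the classpath and sets https.protocols to TLSv1.2 only.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Added example (not SAP's code): verifies TLS 1.2 readiness of the running JVM and shows two
// ways to make Apache HttpClient (4.4+) negotiate TLS 1.2 against SuccessFactors OData/SFAPI.
public class Tls12Readiness {

    /** True if the JVM can speak TLSv1.2 at all (JDK 7+, or the JDK 6 updates listed in the table). */
    static boolean jvmSupportsTls12() throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains("TLSv1.2");
    }

    /** True if TLSv1.2 is enabled by default; typically false on JDK 7 unless https.protocols
     *  or jdk.tls.client.protocols is configured as the table describes. */
    static boolean tls12EnabledByDefault() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        return Arrays.asList(enabled).contains("TLSv1.2");
    }

    /** Method 1 from the KBA list: let HttpClient honour the https.protocols JVM option. */
    static HttpClient clientFromSystemProperties() {
        // Same effect as starting the JVM with -Dhttps.protocols=TLSv1.2
        System.setProperty("https.protocols", "TLSv1.2");
        return HttpClients.custom().useSystemProperties().build();
    }

    /** Stricter alternative: pin TLSv1.2 in the socket factory so no JVM option is needed. */
    static HttpClient clientPinnedToTls12() {
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                SSLContexts.createDefault(),
                new String[] { "TLSv1.2" },   // protocol versions offered in the client_hello
                null,                         // cipher suites: keep the JVM defaults
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version          = " + System.getProperty("java.version"));
        System.out.println("TLSv1.2 supported     = " + jvmSupportsTls12());
        System.out.println("TLSv1.2 on by default = " + tls12EnabledByDefault());
        clientFromSystemProperties();
        clientPinnedToTls12();  // the pinned client fails at connect time if the JVM cannot offer TLSv1.2
    }
}
```

Run it with the same JVM and options your integration uses; "supported = true" but "on by default = false" is exactly the JDK 7 case in the table where the https.protocols or jdk.tls.client.protocols option is required.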

TLS 1.1 Disablement Schedule

[Image: TLS 1.1 disablement schedule by data center]

Keywords

TLS 1.1, TLS 1.2, TLS 1.3, TLS 1.1 encryption protocol disablement, KBA, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-INT, Integrations, LOD-SF-EC, Employee Central, LOD-SF-LMS, Learning Management System, LOD-SF-ANA, Analytics & Reporting (Ad Hoc, YouCalc, ORD), LOD-SF-RCM, Recruiting Management, LOD-SF-EP, Employee Profile, LOD-SF-OBD, Onboarding, LOD-SF-PM, Performance Management, LOD-SF-CDP, Career Development Planning, LOD-SF-FWK, Platform Framework, LOD-SF-JAM, SAP Jam, LOD-SF-RPO, Recruiting Posting, LOD-SF-RMK, Recruiting Marketing, Product Enhancement

Product

SAP SuccessFactors Recruiting all versions