SAP Knowledge Base Article - Public

3084768 - SFTP weak Key Exchange Algorithm disablement for SAP SuccessFactors

Symptom

As part of the continual improvement and hardening of the SAP SuccessFactors SFTP infrastructure and services, we will be disabling weak ciphers globally on all our SFTP servers. The ciphers, MACs and key exchange (KEX) algorithms that remain allowed are listed in the table below.

For DC-specific information and timelines please refer to the Customer Communication sent. 

You may need to accommodate this change on your end. Without it, it is possible that your applications will stop working in the non-production or production environment. If you are not familiar with making the required changes, please notify your company's internal IT department and request that the changes be made as soon as possible.

This change is required in order to align with industry best practices for security and data integrity and is part of continuous security improvements. 

Allowed ciphers                Allowed MACs                   Allowed KEX ciphers
aes256-gcm@openssh.com         hmac-sha2-512-etm@openssh.com  ecdh-sha2-nistp521
aes256-ctr                     hmac-sha2-512                  ecdh-sha2-nistp384
aes192-ctr                     hmac-sha2-256-etm@openssh.com  ecdh-sha2-nistp256
aes128-gcm@openssh.com         hmac-sha2-256                  diffie-hellman-group18-sha512
aes128-ctr                                                    diffie-hellman-group16-sha512
chacha20-poly1305@openssh.com                                 diffie-hellman-group14-sha256
                                                              diffie-hellman-group-exchange-sha256
                                                              curve25519-sha256
                                                              curve25519-sha256@libssh.org

Environment

SAP SuccessFactors HXM Suite

Resolution

FREQUENTLY ASKED QUESTIONS (FAQ) 

What is a key exchange algorithm? 

A key exchange algorithm is any cryptographic method by which secret keys are exchanged between two parties, usually over a public communications channel. For example, diffie-hellman-group-exchange-sha1 is a FIPS 140-2 compliant key exchange algorithm that is being phased out due to the well-known SHA1 vulnerabilities. It is recommended that these weak key exchange groups be phased out.

How and when will SuccessFactors implement the change? 

The implementation starts as defined in the customer communication. 

Does this apply to SSH based connections to SFTP? Or does it apply to web based connections to FTP? 

This applies to SFTP connections made over port 22.

The HTTPS protocol (logging in using a web browser) will not be impacted.

Is there any impact for customers that use their own SFTP and integrate it with SuccessFactors? 

The impact is on SuccessFactors SFTP accounts only, and not any other external, customer-owned SFTP server. 

How do we check if we are impacted or not? How to verify this algorithm support on our SFTP tool? Does this change impact our setup with SuccessFactors SFTP? 

This depends on how the connection to the SuccessFactors SFTP account is being made, and needs to be checked on the side of the tool or server being used to connect to SFTP.

It is unfortunately not possible for SuccessFactors support to provide guidance on how to verify this algorithm support on the varying external systems that might be connecting to our SFTP. Our recommendation is to check any available technical documentation or contact support for the system or tool concerned.

Some examples of relevant technical documentation for specific tools/systems:

Note: The above are just two common examples. SuccessFactors support cannot offer documentation or technical support on these or any other SFTP applications.

What exact actions will need to be taken in order to comply with the considerations of this change?

The customer and their IT team have to validate that the servers/tools which connect to the SF SFTP service use the KEX, cipher and MAC algorithms listed below. Customers will be able to connect to SF SFTP successfully if, in each category, they support at least one of these:

Allowed ciphers                Allowed MACs                   Allowed KEX ciphers
aes256-gcm@openssh.com         hmac-sha2-512-etm@openssh.com  ecdh-sha2-nistp521
aes256-ctr                     hmac-sha2-512                  ecdh-sha2-nistp384
aes192-ctr                     hmac-sha2-256-etm@openssh.com  ecdh-sha2-nistp256
aes128-gcm@openssh.com         hmac-sha2-256                  diffie-hellman-group18-sha512
aes128-ctr                                                    diffie-hellman-group16-sha512
chacha20-poly1305@openssh.com                                 diffie-hellman-group14-sha256
                                                              diffie-hellman-group-exchange-sha256
                                                              curve25519-sha256
                                                              curve25519-sha256@libssh.org

It is unfortunately not possible for SuccessFactors support to provide guidance on how to configure this algorithm support on the varying external systems that might be connecting to our SFTP. Our recommendation is to check any available technical documentation or contact support for the system or tool concerned.
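As an added illustration (not SAP's code or tooling), the following Python script shows how a customer's IT team could compare an OpenSSH-based client's algorithm lists, as printed by `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`, against the allow-lists in this KBA and predict whether the SSH negotiation would succeed or end in the "Algorithm negotiation fail" error quoted below. The two client lists inside the script are constructed samples, not real output.

```python
"""Predict SSH algorithm negotiation against the SuccessFactors SFTP allow-lists.

Added example, not SAP's code. ALLOWED is copied from the table in this KBA.
Client lists are in the one-algorithm-per-line format of `ssh -Q <category>`.
"""
from typing import Dict, List, Optional

# Server-side allow-lists from the KBA table (listed in the table's order).
ALLOWED: Dict[str, List[str]] = {
    "cipher": ["aes256-gcm@openssh.com", "aes256-ctr", "aes192-ctr",
               "aes128-gcm@openssh.com", "aes128-ctr", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-512",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256",
            "curve25519-sha256", "curve25519-sha256@libssh.org"],
}

def parse_query_output(text: str) -> List[str]:
    """Turn `ssh -Q` style output (one algorithm per line) into an ordered list."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm in the client's preference list
    that the server also supports is chosen; no common entry means failure."""
    return next((alg for alg in client if alg in server), None)

def check_client(client_lists: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Per category, the algorithm that would be negotiated, or None on failure."""
    return {cat: negotiate(parse_query_output(client_lists[cat]), ALLOWED[cat])
            for cat in ALLOWED}

def is_compatible(result: Dict[str, Optional[str]]) -> bool:
    """A single None is enough to produce 'Algorithm negotiation fail'."""
    return all(alg is not None for alg in result.values())

# Constructed sample: a legacy client that only offers SHA-1 key exchange.
LEGACY_CLIENT = {"cipher": "aes128-cbc\naes128-ctr\n",
                 "mac": "hmac-sha1\nhmac-sha2-256\n",
                 "kex": "diffie-hellman-group-exchange-sha1\ndiffie-hellman-group1-sha1\n"}
# Constructed sample: a current client with modern defaults.
MODERN_CLIENT = {"cipher": "chacha20-poly1305@openssh.com\naes256-gcm@openssh.com\n",
                 "mac": "hmac-sha2-256-etm@openssh.com\n",
                 "kex": "curve25519-sha256\necdh-sha2-nistp256\n"}

if __name__ == "__main__":
    for name, lists in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        result = check_client(lists)
        print(name, "OK" if is_compatible(result) else "Algorithm negotiation fail", result)
```

To check a real OpenSSH client, feed it the text of `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` in place of the constructed samples; other SFTP tools need their own documentation for the equivalent list.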

Does this impact any external (Non-SuccessFactors) SFTP accounts to which connections are being made from Integration Center and/or other Scheduled Jobs in SuccessFactors? 

The change applies to SuccessFactors SFTP accounts only. There is no impact for customers using their own SFTP accounts with Integration Center or other Scheduled Jobs. 

Does this impact the SuccessFactors SFTP connectivity with scheduled jobs in Provisioning?

SuccessFactors servers already have the latest configurations as per the new standards, so there is no impact on scheduled FTP jobs in Provisioning.

Does this impact the SFTP connectivity we have in Boomi integration?

Boomi SFTP connections are initiated from Boomi servers hosted within SuccessFactors data centers.

Those servers already have the latest configurations as per the new standards.

We identified one exception (Failed to connect to host: XXX on port 22. Exception message is: Algorithm negotiation fail; Caused by: Algorithm negotiation fail) due to the configuration of Boomi processes connecting with SF Boomi Cloud atoms. To solve the issue, kindly follow KBA 3045045 - Algorithm negotiation fail error in Boomi.

Does this impact the SFTP connectivity we have in SAP Cloud Integration (formerly CPI)?

Check KBA 3095982 for complete details. There will be no connection issues with the connectivity to Cloud Integration.

Does this impact the SFTP connectivity we have in SAP Process Integration (PI) or Process Orchestration (PO) on-premise middlewares? 

Check KBA 3098668 for complete details. The SFTP Adapter Software Component, PIB2BSFTP, needs to be at SP04 Patch Level 21 or higher, as per SAP Note 2337525 (Jsch library upgrade to version Jsch 0.1.53).

Note: SAP has changed how the PO SFTP Adapter software is delivered. From PO 7.5 SP22, it is no longer a separate Add-on and is now part of the standard NetWeaver Support Pack Stack. Refer to KBA 3106799 Change to PO Add-on Components in 7.50 SP22. Note 2337525 contains software released in 2016, so the fix is already included in the SP22 version (released in 2022). If required, use Note 1381878 How/where to check the patch levels of your XI/PI system, to check the patch level.

It is recommended to keep security related software up to date by patching regularly.

Does this impact the SFTP connectivity we have in SuccessFactors Learning (LMS) Connector jobs? 

LMS servers already have the latest configurations as per new standards, so no impact to SFTP connections for Connector jobs. 

Does this impact the SSO setup for SuccessFactors?

This change has no impact on SuccessFactors SSO setup.  

Does this impact the SFTP connectivity established via SM59 RFCs in On-Premise HCM ERP? 

Tests have been performed and no impacts were found when using RFC connections in SM59 to connect to the SFTP. 

Keywords

SuccessFactors, SFTP, Key Exchange algorithm, SHA1, vulnerabilities,diffie-hellman-group-exchange-sha1,SSH , KBA , LOD-SF-PLT-SEC , Security Reports , LOD-SF-PLT-FTPS , SFTP Account Creation, Reset Password & Install SSH Service , Product Enhancement

Product

SAP SuccessFactors HXM Suite all versions
