SAP Knowledge Base Article - Public

3084768 - SFTP weak Key Exchange Algorithm disablement for SAP SuccessFactors

Symptom

What is the change?

As part of the continual improvement and hardening of the SAP SuccessFactors SFTP infrastructure and services, beginning on January 15, 2022, SAP SuccessFactors will disable support for diffie-hellman-group-exchange-sha1 on our SFTP servers.

Without this change, it is possible that your applications will not work in the non-production or production environment. If you are not familiar with making the required changes, please notify your company's internal IT department and request that the changes be made as soon as possible.

Environment

SAP SuccessFactors HXM Suite

Cause

Why is this happening?

This change is required in order to align with industry best practices for security and data integrity and is part of continuous security improvements.

Resolution

FREQUENTLY ASKED QUESTIONS (FAQ)


What is a key exchange algorithm?

A key exchange algorithm is any method in cryptography by which secret cryptographic keys are exchanged between two parties, usually over a public communications channel. diffie-hellman-group-exchange-sha1 is a FIPS 140-2 compliant key exchange algorithm that is being phased out because of the well-known weaknesses of SHA-1. It is recommended that these weak key exchange groups be phased out.


How and when will SuccessFactors implement the change?

Beginning January 15, 2022, SAP SuccessFactors will disable diffie-hellman-group-exchange-sha1 support on our SFTP servers. Customer action is required prior to this date to prevent any disruption to your instances.


Does this apply to SSH key based connections to SFTP? Or does it apply to username/password based connections to SFTP?

This applies to both forms of SFTP connection that are made over port 22.

This does not apply to manual login to the SFTP user interface from a browser via username and password.


Is there any impact for customers that use their own SFTP and integrate it with SuccessFactors?

The impact is on SuccessFactors SFTP accounts only, and not any other external, customer-owned SFTP server.


How do we check if we are impacted or not? How to verify this algorithm support on our SFTP tool? Does this change impact our setup with SuccessFactors SFTP?

This depends on how the connection to the SuccessFactors SFTP account is being made, and needs to be checked on the side of the tool or server being used to connect to SFTP.

It is unfortunately not possible for SuccessFactors support to provide guidance on how to verify this algorithm support on the varying external systems that might be connecting to our SFTP. Our recommendation is to check any available technical documentation or to contact support for the system or tool concerned.

Some examples of relevant technical documentation for specific tools or systems:

Note: The above are just two common examples. SuccessFactors support cannot offer documentation or technical support on these or any other SFTP applications.


What exact actions need to be taken in order to comply with this change?

The customer and their IT team have to validate the servers/tools which connect to the SF SFTP service to verify that they use the KEX, cipher and MAC algorithms listed below. Customers will be able to connect successfully to SF SFTP if their client supports at least one algorithm from each list:

Allowed ciphers

aes256-gcm@openssh.com
aes256-ctr
aes256-cbc
rijndael-cbc@lysator.liu.se
aes192-ctr
aes192-cbc
aes128-gcm@openssh.com
aes128-ctr
chacha20-poly1305@openssh.com

Allowed MACs

hmac-sha2-512-etm@openssh.com
hmac-sha2-512
hmac-sha2-256-etm@openssh.com
hmac-sha2-256

Allowed KEX algorithms

ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group18-sha512
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group-exchange-sha256
curve25519-sha256
curve25519-sha256@libssh.org


It is unfortunately not possible for SuccessFactors support to provide guidance on how to configure this algorithm support on the varying external systems that might be connecting to our SFTP. Our recommendation is to check any available technical documentation or to contact support for the system or tool concerned.
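The following is an added example, not part of this KBA or of any SAP tool: it simulates SSH algorithm negotiation (RFC 4253 section 7.1, where the first name on the client's list that the server also lists is chosen) against the allow-lists above, so that the check described in the two preceding questions can be done on a client's offered algorithm lists. The client lists in the example are constructed samples.

```python
# Server allow-lists, as given in the table of this KBA.
SF_KEX = [
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256",
    "curve25519-sha256", "curve25519-sha256@libssh.org",
]
SF_CIPHERS = [
    "aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes192-ctr", "aes192-cbc",
    "aes128-gcm@openssh.com", "aes128-ctr", "chacha20-poly1305@openssh.com",
]
SF_MACS = [
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-512",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
]
DISABLED_KEX = "diffie-hellman-group-exchange-sha1"
# Before 2022-01-15 the server additionally accepted the SHA-1 group exchange.
SF_KEX_BEFORE = SF_KEX + [DISABLED_KEX]


def negotiate(client, server):
    """RFC 4253 7.1: pick the first name in the client's list that the server
    also lists; the server's own ordering does not matter. None = no match."""
    return next((name for name in client if name in server), None)


def check_client(kex, ciphers, macs):
    """Return (algorithms negotiated after the change, findings) for one client."""
    findings = []
    if negotiate(kex, SF_KEX_BEFORE) == DISABLED_KEX:
        findings.append("client currently negotiates " + DISABLED_KEX)
    chosen = {"kex": negotiate(kex, SF_KEX),
              "cipher": negotiate(ciphers, SF_CIPHERS),
              "mac": negotiate(macs, SF_MACS)}
    for kind, name in chosen.items():
        if name is None:
            findings.append(f"no common {kind} algorithm: connection will fail")
    return chosen, findings


if __name__ == "__main__":
    # Constructed sample client: prefers the SHA-1 group exchange but also
    # offers SHA-256, so it keeps working after the change.
    print(check_client([DISABLED_KEX, "diffie-hellman-group-exchange-sha256"],
                       ["aes128-ctr"], ["hmac-sha2-256"]))
```

A client whose only common KEX with the server is diffie-hellman-group-exchange-sha1 gets a "no common kex algorithm" finding, which is the case that needs a client-side update before the cut-over date.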


Does this impact any external (Non-SuccessFactors) SFTP accounts to which connections are being made from Integration Center and/or other Scheduled Jobs in SuccessFactors?

The change applies to SuccessFactors SFTP accounts only. There is no impact for customers using their own SFTP accounts with Integration Center or other Scheduled Jobs.


Does this impact the SuccessFactors SFTP connectivity of scheduled jobs in Provisioning?

SuccessFactors servers already have the latest configuration as per the new standards, so there is no impact to scheduled SFTP jobs in Provisioning.


Does this impact the SFTP connectivity we have in BOOMI integrations?

BOOMI SFTP connections are initiated from BOOMI servers which are hosted within SuccessFactors data centers. Those servers already have the latest configuration as per the new standards and hence there is no impact.


Does this impact the SFTP connectivity we have in SAP Cloud Platform Integration (CPI)?

For the CPI SFTP adapter in its latest version, there should not be any issue after the SF server disables the key exchange algorithm diffie-hellman-group-exchange-sha1. Our CPI support colleagues are currently confirming with the developers whether older versions of the CPI SFTP adapter are impacted. We will update this KBA once we receive their feedback.


Does this impact the SFTP connectivity we have in SAP Process Integration (PI) or Process Orchestration (PO) on-premise middlewares?

Check KBA 3098668 for complete details. The SFTP Adapter Software Component, PIB2BSFTP, needs to be at SP04 Patch Level 21 or higher, as per SAP Note 2337525 (JSch library upgrade to version JSch 0.1.53).
If required, use note 1381878 (How/where to check the patch levels of your XI/PI system) to check the patch level.
Note: It is recommended to keep security related software up to date by patching regularly.


Does this impact the SFTP connectivity we have in SuccessFactors Learning (LMS) Connector jobs?

LMS servers already have the latest configurations as per new standards, so no impact to SFTP connections for Connector jobs.


Does this impact the SSO setup for SuccessFactors?

This change has no impact on the SuccessFactors SSO setup.


Keywords

SuccessFactors, SFTP, Key Exchange algorithm, SHA1, vulnerabilities, diffie-hellman-group-exchange-sha1, SSH, KBA, LOD-SF-PLT-SEC, Security Reports, LOD-SF-PLT-FTPS, SFTP Account Creation, Reset Password & Install SSH Service, Product Enhancement

Product

SAP SuccessFactors HXM Suite all versions
