2461964 - TLS 1.0 encryption protocol disablement

SAP Knowledge Base Article - Public

Symptom

Beginning June 16, 2018, we will disable the TLS 1.0 encryption protocol in your LMS Non-Production and Production environments. Action is required before this date to prevent any disruption to your Production instance. See the TLS 1.0 Disablement Schedule for LMS section below for the dates for your data centers.

Environment

SAP SuccessFactors Learning Management (LMS)

Resolution

SAP SuccessFactors is requiring an upgrade to TLS 1.1 or higher in order to align with industry best practices for security and data integrity.

Beginning June 16, 2018, we will disable the TLS 1.0 encryption protocol in your LMS Non-Production and Production environments. Action is required before this date to prevent any disruption to your Production instance. See the TLS 1.0 Disablement Schedule for LMS section below for the dates for your data centers.

This knowledge base article contains all of the information currently available on SAP SuccessFactors' disablement of the TLS 1.0 encryption protocol. Please review the document for guidance on preparing for TLS 1.0 disablement.

What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today, and is used by web browsers and other applications that require data to be exchanged securely over a network. Through encryption and endpoint identity verification, TLS ensures that a connection to a remote endpoint really is to the intended endpoint.

Almost all communication between customer users and SuccessFactors products is HTTP/web traffic protected by encryption using one version of TLS or another. SMTP with STARTTLS (email) also uses TLS as a key component of its security.

SuccessFactors’ servers currently support all versions of the TLS protocol: TLS 1.0, 1.1 and 1.2. At the start of communication (the handshake phase), the web browser and the SuccessFactors server exchange the TLS versions they support and choose the highest version they both support to carry out the rest of the communication.

Over the past years, TLS 1.0 has been found to offer weak protection, especially when combined with weak ciphers such as RC4. SuccessFactors has already removed support for the weak ciphers. The prevailing best security practice is to remove TLS 1.0 support altogether.

What is the change?

Beginning June 16, 2018, we will disable the TLS 1.0 encryption protocol in your LMS Non-Production and Production environments. Action is required before this date to prevent any disruption to your Production instance. See the TLS 1.0 Disablement Schedule for LMS section below for the dates for your data centers.

How will customers be impacted?

After SuccessFactors disables TLS 1.0, any connection to SuccessFactors that relies on TLS 1.0 will fail. This change affects all SuccessFactors TLS URLs (web links starting with https://...). End users will not observe the impact, since all browsers on the SuccessFactors support list automatically use TLS 1.2 or 1.1. Automated tools that use SuccessFactors’ OData and SFAPI services may require explicit support for TLS 1.2 or 1.1 via configuration or library upgrades.

How to test your browser compatibility?

If you are able to view our test site (which has TLS 1.0 disabled) without errors, access to SuccessFactors via your browser should not be impacted by this change, and no action is required.

How to test your OData and SFAPI Integrations?

Customers can use https://soap4-pcidss.successfactors.com/ (a test URL that already has TLS 1.0 disabled) in place of https://soap4.successfactors.com/ or https://api4.successfactors.com/, whichever they currently have configured in PI.
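The following Python script is an added example; it is not part of the SAP article and not SAP code. It models the version negotiation described under "What is TLS?" (both sides exchange supported versions and use the highest one in common), which shows why a client that only offers TLS 1.0 fails once the server stops offering it, and it includes a live probe that reports the protocol actually negotiated against a host such as the soap4-pcidss test endpoint named above. The host, port and version lists passed to these functions are the caller's choice; the sample values in the main block are constructed for illustration.

```python
import socket
import ssl

# Ordered oldest to newest so that "highest common version" is well defined.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def negotiate(client_versions, server_versions):
    """Model of the handshake the article describes: both sides announce the
    versions they support and the highest one in common is used.

    Returns the chosen version name, or None when there is no overlap, which
    corresponds to a failed handshake (the error an integration will see once
    the server no longer offers TLS 1.0)."""
    common = set(client_versions) & set(server_versions)
    if not common:
        return None
    return max(common, key=TLS_ORDER.index)


def negotiated_protocol(host, port=443, timeout=10):
    """Connect with the interpreter's default client settings and return the
    protocol version the server selected, e.g. 'TLSv1.2'.

    Raises ssl.SSLError if client and server have no version in common, and
    also verifies the server certificate and hostname, so a successful return
    means this Python runtime can talk to the endpoint after the change."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed scenario: after the change the server side offers only
    # TLS 1.1 and TLS 1.2.
    server = ["TLSv1.1", "TLSv1.2"]
    print("modern client  ->", negotiate(TLS_ORDER, server))   # TLSv1.2
    print("TLS 1.0 client ->", negotiate(["TLSv1"], server))   # None
    # Live probe against the test endpoint from the article (needs network).
    print("negotiated with soap4-pcidss:",
          negotiated_protocol("soap4-pcidss.successfactors.com"))
```

Run the script from the same runtime and environment your integration uses (same Python build and OpenSSL), because the probe reflects that runtime's capabilities, not the machine's newest browser.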

How can customers avoid a service disruption?

The action required by your organization depends on which channels are used to access your SuccessFactors services. Please check the relevant topics below to be directed to the required action page(s).

Why is this happening?

At SuccessFactors, Trust is our #1 value, and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors will require the TLS 1.1 or later encryption protocols in an effort to maintain the highest security standards and promote the safety of customer data.

How and when will SuccessFactors implement the change?

Beginning June 16, 2018, we will disable the TLS 1.0 encryption protocol in your LMS Non-Production and Production environments. Action is required before this date to prevent any disruption to your Production instance. See the TLS 1.0 Disablement Schedule for LMS section below for the dates for your data centers.

Actions for channels impacted:

SuccessFactors’ OData and SFAPI Integrations

API integrations are interfaces or applications (including mobile apps and desktop clients) that are separate from SuccessFactors but use SuccessFactors data. If you have any Boomi, OData or SFAPI integrations, please ensure that the TLS 1.1 and/or TLS 1.2 encryption protocols are enabled in those integrations.

Action Required for OData and SFAPI Integrations

If the integrations that make inbound connections to SuccessFactors do not have TLS 1.1 and/or TLS 1.2 enabled when we make this change, those integrations may experience disruption. We recommend that you begin planning to support TLS 1.1 and TLS 1.2 as soon as possible.

Please refer to the compatibility guidelines below. Each entry lists the platform or library followed by its compatibility notes.

Java (Sun Jersey HTTPClient Library)

  Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2.
  Java 7: Configure the JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1
  Java 6 update 111 and higher: Configure the JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1

Java (Apache HttpClient 4.0 and higher)

For Apache HttpClient 4.0 and higher to recognize the “https.protocols” JVM option, please use one of the following methods to configure the connection:

    1. HttpClientBuilder: call useSystemProperties() before calling build(). (Available since 4.3)
    2. HttpClients: call createSystem() to create an instance that recognizes “https.protocols” among other system properties. (Available since 4.3)
    3. Create an HttpClient based on SSLSocketFactory: get an SSLSocketFactory instance with getSystemSocketFactory() and use this instance for HttpClient creation.
    4. Create an HttpClient based on SSLConnectionSocketFactory: get an instance with getSystemSocketFactory() and use this instance for HttpClient creation. (Available since 4.3)
    5. Use SystemDefaultHttpClient instead of DefaultHttpClient. (Available since 4.2)

  Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2.
  Java 7 update 95 and higher: Configure the JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1
  Java 6 update 111 and higher: Configure the JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1

Java (lower versions of Apache HttpClient)

  Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2.
  Java 7 update 95 and higher: Configure the JVM option jdk.tls.client.protocols=TLSv1.2,TLSv1.1,TLSv1
  Lower versions of Java 7: Not compatible.
  Java 6 update 121 and higher: Configure the JVM option jdk.tls.client.protocols=TLSv1.2,TLSv1.1,TLSv1
  Lower versions of Java 6: Not compatible.

Java (IBM)

  Java 8: Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library called by it, uses SSLContext.getInstance("TLS").

  Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM 2.6) and higher, Java 6 service refresh 10 and higher: Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection, and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

.NET

Compatible with the most recent version when running in an operating system that supports TLS 1.1 or TLS 1.2.

.NET 4.6 and higher

Compatible with TLS 1.1 or higher by default.

.NET 4.5 to 4.5.2

.NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.

Option 1:
.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11.

The following C# code is an example:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2:
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".

Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers.

This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 4.0

.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 3.5 and below

Not compatible with TLS 1.1 or higher encryption

Python

Compatible with the most recent version when running on an operating system that supports TLS 1.1 or TLS 1.2.

Python 2.7.9 and higher

Compatible with TLS 1.1 or higher by default.

Python 2.7.8 and below

Not compatible with TLS 1.1 or higher encryption
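The following Python script is an added example, not SAP's code and not taken from this article. It shows a client-side configuration that refuses TLS 1.0 regardless of what the server offers (the hardened context beside a permissive one, so the difference is visible), a check that the linked OpenSSL meets the 1.0.1 threshold given in the OpenSSL entry below, and a request helper that uses the hardened context against the test URL named earlier in this article. It assumes Python 3.7 or newer for the ssl.TLSVersion API; the function names are this example's own.

```python
import ssl
import urllib.request


def openssl_supports_tls12():
    """Mirrors the OpenSSL entry in the article: TLS 1.1/1.2 require the
    linked OpenSSL to be 1.0.1 or higher. OPENSSL_VERSION_INFO is a tuple
    (major, minor, fix, patch, status), so compare the first three parts."""
    return ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1) and ssl.HAS_TLSv1_2


def tls11_plus_context():
    """Client context that will not negotiate TLS 1.0 (or anything older).

    create_default_context() already verifies certificates and hostnames.
    The article notes Python 2.7.9+/3.x pick TLS 1.2 by default; raising the
    floor here additionally rejects a server or intercepting proxy that only
    offers TLS 1.0, so the failure happens on our side where it is logged.
    The floor is only ever raised: Python 3.10+ already defaults to TLS 1.2."""
    ctx = ssl.create_default_context()
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_1:   # Python 3.7+ API (assumed)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def permissive_context():
    """The weak setting for comparison: a context whose floor is lowered to
    whatever the OpenSSL build allows, so TLS 1.0 is back on the table
    (constructed here only to contrast with tls11_plus_context)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_tls10(ctx):
    """True if the context would still accept a TLS 1.0 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def minimum_version_name(ctx):
    """Name of the context's protocol floor, e.g. 'TLSv1_1' or 'TLSv1_2'."""
    return ctx.minimum_version.name


def fetch_status(url, ctx=None):
    """GET url through the hardened context and return the HTTP status code.
    Raises ssl.SSLError if the server cannot meet the TLS 1.1+ floor."""
    ctx = ctx or tls11_plus_context()
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "TLS 1.2 capable:", openssl_supports_tls12())
    hardened = tls11_plus_context()
    print("hardened floor:", minimum_version_name(hardened),
          "allows TLS 1.0:", allows_tls10(hardened))      # False
    print("permissive allows TLS 1.0:", allows_tls10(permissive_context()))  # True
    # Live check against the article's test endpoint (needs network).
    print("status:", fetch_status("https://soap4-pcidss.successfactors.com/", hardened))
```

Pass the hardened context to whatever HTTP layer the integration uses (urllib here; libraries built on http.client accept an SSLContext the same way), so every outbound call to SuccessFactors shares one protocol floor instead of relying on each call site's defaults.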

Ruby

Compatible with the most recent version when linked to OpenSSL 1.0.1 or higher.

Ruby 2.0.0

TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Setting an SSLContext's ssl_version to the :TLSv1_2 (preferred) or :TLSv1_1 symbol helps ensure that TLS 1.0 or earlier is disabled.

Ruby 1.9.3 and below

The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby against OpenSSL 1.0.1 or higher.

OpenSSL

Compatible with the most recent version, regardless of operating system.

OpenSSL 1.0.1 and higher

Compatible with TLS 1.1 or higher by default.

OpenSSL 1.0.0 and below

Not compatible with TLS 1.1 or higher encryption.

SAP Cloud Platform & Cloud Platform Integration (formerly known as HCI)

SAP Cloud Platform: Refer to the SCP blog on TLS 1.2 support.
Cloud Platform Integration (formerly known as HCI): TLS 1.2 is the default protocol.

SAP NetWeaver Process Integration 7.1x and higher (PO/PI)

Apply the SSL library updates/patches according to SAP Note 2284059, and make the necessary configuration changes according to SAP Note 2456800.

TLS 1.0 Disablement Schedule for LMS (Learning Management System)

Datacenter/Environment              TLS 1.0 Disablement Schedule for LMS
DC13, DC17, DC18, DC19 Preview      June 16, 2018 00:00 -07:00AM
DC13, DC17, DC18, DC19 Production   June 23, 2018 00:00 -07:00AM
DC15/DC16 ALL                       June 30, 2018 00:00 -07:00AM
DC2, DC10 Preview                   July 7, 2018 00:00 -07:00AM
DC2, DC10 Production                July 14, 2018 00:00 -07:00AM
DC12 Preview                        July 21, 2018 00:00 -07:00AM
DC12 Production                     July 28, 2018 00:00 -07:00AM
DC8 Preview                         August 11, 2018 00:00 -07:00AM
DC8 Production                      August 18, 2018 00:00 -07:00AM

Note - This article will be updated as new information becomes available. Please check back often for guidance on preparing for TLS 1.0 disablement.

Keywords

TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.0 encryption protocol disablement, KBA, LOD-SF-FWK, Architecture Framework & Extensions, LOD-SF-INT-API, SF API & Adhoc API Framework, LOD-SF-PLT, Foundational Capabilities & Tools, Product Enhancement

Product

SAP SuccessFactors HCM Core all versions