SAP Knowledge Base Article - Public

2659922 - TLS 1.0 encryption protocol disablement for SuccessFactors BizX Environment

Symptom

Beginning July 2018, we will disable the TLS 1.0 encryption protocol in your SuccessFactors BizX Non-Production and Production environments. Action is required prior to this date to prevent any disruption to your Production instance. The upgrade schedule for your data centers is listed in the TLS 1.0 Disablement Schedule section below.

Environment

SAP SuccessFactors BizX Environment

Resolution

SAP SuccessFactors is requiring an upgrade to TLS 1.1 or higher in order to align with industry best practices for security and data integrity.


This knowledge base article contains all of the information currently available on the SAP SuccessFactors disablement of the TLS 1.0 encryption protocol. Please review the document for guidance on preparing for TLS 1.0 disablement.


What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification.

Almost all communication between customer users and SuccessFactors products is over HTTP/web protected by encryption using one version of TLS or another. STARTTLS SMTP (email) also uses TLS as a key component of its security.

SuccessFactors’ servers support all versions of the TLS protocol, which are TLS 1.0, 1.1 and 1.2. At the start of communication (the handshake phase), a web browser and a SuccessFactors server exchange their supported TLS versions and choose the highest version they both support to carry out the rest of the communication.

In recent years, TLS 1.0 has been found weak in protection, especially when combined with weak ciphers such as RC4. SuccessFactors has already removed support for the weak ciphers. The prevailing best security practice is to remove TLS 1.0 support altogether.

What is the change? 

Beginning July 2018, we will disable the TLS 1.0 encryption protocol in your SuccessFactors BizX Non-Production and Production environments. Action is required prior to this date to prevent any disruption to your Production instance. The upgrade schedule for your data centers is listed in the TLS 1.0 Disablement Schedule section below.

How will customers be impacted?

After SuccessFactors disables TLS 1.0, any connection to SuccessFactors that relies on TLS 1.0 will fail. This change affects all SuccessFactors TLS URLs (web links starting with https://...). End users will not observe the impact, since all browsers on the SuccessFactors support list automatically use TLS 1.2 or 1.1. Automated tools that use SuccessFactors’ OData and SFAPI services may require explicit support for TLS 1.2 or 1.1 via configuration or library upgrades.

How to test your browser compatibility?

If you are able to view our test site (which has TLS 1.0 disabled) without errors, access to SuccessFactors via your browser should not be impacted by this change, and no action is required.

How to test your OData and SFAPI Integrations?

Customers can use https://soap4-pcidss.successfactors.com/ (a test URL which already has TLS 1.0 disabled) in place of the https://soapX.successfactors.com/ or https://apiX.successfactors.com/ URL currently configured in PI.

  • The URL above is valid for all customers, independent of the datacenter used.
  • The credentials are the same as those used on the original URL.
  • If the response shows Error 401 Unauthorized or FAILED_AUTENTICATION, the handshake is OK and TLS is updated.
  • If the response shows a handshake error, TLS is not updated.
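A client-side version of the test procedure above, added here as an example and not part of the SAP article: it builds a Python (3.7+) TLS context that refuses TLS 1.0, requests the test URL, and applies the KBA's rule (an HTTP 401 means the handshake succeeded; an SSL error means TLS on the client is not updated). The default target is the KBA's test endpoint; the outcome labels and function names are my own.

```python
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Outcome labels matching the KBA's two cases plus a catch-all (constructed names).
TLS_OK = "tls-ok"                      # handshake completed; a 401 without credentials is fine
HANDSHAKE_FAILED = "handshake-failed"  # client and server could not agree on TLS 1.1 or 1.2
OTHER = "other"                        # DNS failure, timeout, connection refused, ...


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0, mirroring the server-side change."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1  # TLS 1.1 is the KBA's minimum
    return ctx


def local_stack_supports_tls11_plus() -> bool:
    """True if this Python/OpenSSL build can negotiate TLS 1.1 or 1.2 at all."""
    return bool(ssl.HAS_TLSv1_1 or ssl.HAS_TLSv1_2)


def classify(exc: Optional[BaseException]) -> str:
    """Map a request outcome to the KBA's rule: any HTTP status means the
    handshake worked; an SSL error means the client's TLS is not updated."""
    if exc is None or isinstance(exc, urllib.error.HTTPError):
        return TLS_OK
    if isinstance(exc, ssl.SSLError):
        return HANDSHAKE_FAILED
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, ssl.SSLError):
        return HANDSHAKE_FAILED
    return OTHER


def probe(url: str, timeout: float = 10.0) -> str:
    """Request the URL with TLS 1.0 disabled on the client and classify the result."""
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=make_client_context()):
            return classify(None)
    except Exception as exc:  # every outcome is classified, never re-raised
        return classify(exc)


if __name__ == "__main__":
    import sys
    # Default target is the KBA's TLS 1.0-disabled test endpoint; pass another URL to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://soap4-pcidss.successfactors.com/"
    print("local TLS 1.1+ support:", local_stack_supports_tls11_plus())
    print(target, "->", probe(target))
```

Run it from the host that carries the integration, not from a workstation, since the point is to exercise that host's Java/.NET/Python/OpenSSL stack.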

How can customers avoid a service disruption?
The action required by your organization will depend on which channels are used to access your SuccessFactors services. Please check the relevant topics below to be directed to the required action page(s).

Why is this happening?
At SuccessFactors, Trust is our #1 value and SAP SuccessFactors is focused on continually helping our customers improve their security by using the latest security protocols. SuccessFactors will require TLS 1.1 and later encryption protocol in an effort to maintain the highest security standards and promote the safety of customer data.

How and when will SuccessFactors implement the change?

The change begins in July 2018 and is applied per datacenter; the date for each datacenter and environment is listed in the TLS 1.0 Disablement Schedule section below. Action is required prior to your datacenter's date to prevent any disruption to your Production instance.


Actions for channels impacted:

SuccessFactors’ OData and SFAPI Integrations 

API Integrations are interfaces or applications (including mobile apps and desktop clients) that are separate from SuccessFactors but use SuccessFactors data. If you have any Boomi, OData or SFAPI integrations, please ensure that the TLS 1.1 and/or TLS 1.2 encryption protocols are enabled in those integrations.

Action Required for OData and SFAPI Integrations 

If your integrations that use inbound connections to SuccessFactors do not have TLS 1.1 and/or TLS 1.2 enabled after we make this change, your integrations may experience disruption. We recommend that you begin planning to support TLS 1.1 and TLS 1.2 as soon as possible.

Please refer to the compatibility guidelines below:

Platform or Library: Java (Sun Jersey HTTPClient Library)
Compatibility Notes:
  • Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2
  • Java 7: Configure JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1
  • Java 6 update 111 and higher: Configure JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1

Platform or Library: Java Apache HttpClient 4.0 and higher
Compatibility Notes:
For Apache HttpClient 4.0 and higher to recognize the “https.protocols” JVM option, use one of the following methods to configure the connection:
    1. HttpClientBuilder - call useSystemProperties() before calling build(). (Available since 4.3)
    2. HttpClients - call createSystem() to create an instance that recognizes “https.protocols” among other system properties. (Available since 4.3)
    3. Create an HttpClient based on SSLSocketFactory - get an SSLSocketFactory instance with getSystemSocketFactory() and use this instance for HttpClient creation.
    4. Create an HttpClient based on SSLConnectionSocketFactory - get an instance with getSystemSocketFactory() and use this instance for HttpClient creation. (Available since 4.3)
    5. Use SystemDefaultHttpClient instead of DefaultHttpClient. (Available since 4.2)
  • Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2
  • Java 7 update 95 and higher: Configure JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1
  • Java 6 update 111 and higher: Configure JVM option https.protocols=TLSv1.2,TLSv1.1,TLSv1

Platform or Library: Java, lower versions of Apache HttpClient
Compatibility Notes:
  • Java 8 and higher: Compatible with TLS 1.1 and TLS 1.2
  • Java 7 update 95 and higher: Configure JVM option jdk.tls.client.protocols=TLSv1.2,TLSv1.1,TLSv1
  • Lower versions of Java 7: Not compatible
  • Java 6 update 121 and higher: Configure JVM option jdk.tls.client.protocols=TLSv1.2,TLSv1.1,TLSv1
  • Lower versions of Java 6: Not compatible

Platform or Library: Java (IBM)
Compatibility Notes:
  • Java 8: Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library called by it, uses SSLContext.getInstance("TLS").
  • Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM 2.6) and higher, Java 6 service refresh 10 and higher: Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

Platform or Library: .NET
Compatibility Notes: Compatible with the most recent version when running on an operating system that supports TLS 1.1 or TLS 1.2.
  • .NET 4.6 and higher: Compatible with TLS 1.1 or higher by default.
  • .NET 4.5 to 4.5.2: .NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable them, as described below.
  • .NET 4.0: .NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and apply the registry change described under Option 2 below. Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers.
  • .NET 3.5 and below: Not compatible with TLS 1.1 or higher encryption.

Option 1 (.NET 4.5 to 4.5.2):
.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to include SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11.

The following C# code is an example:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2 (.NET 4.0 and .NET 4.5 to 4.5.2):
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value to 1 in the following two registry keys, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".

Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers.

This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value themselves.

Platform or Library: Python
Compatibility Notes: Compatible with the most recent version when running on an operating system that supports TLS 1.1 or TLS 1.2.
  • Python 2.7.9 and higher: Compatible with TLS 1.1 or higher by default.
  • Python 2.7.8 and below: Not compatible with TLS 1.1 or higher encryption.

Platform or Library: Ruby
Compatibility Notes: Compatible with the most recent version when linked to OpenSSL 1.0.1 or higher.
  • Ruby 2.0.0: TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbol for an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.
  • Ruby 1.9.3 and below: The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.

Platform or Library: OpenSSL
Compatibility Notes: Compatible with the most recent version, regardless of operating system.
  • OpenSSL 1.0.1 and higher: Compatible with TLS 1.1 or higher by default.
  • OpenSSL 1.0.0 and below: Not compatible with TLS 1.1 or higher encryption.

SAP Cloud Platform & Cloud Platform Integration (formerly known as HCI)

  • SAP Cloud Platform: Refer to the SCP blog on TLS 1.2 support.
  • Cloud Platform Integration (formerly known as HCI): TLS 1.2 is the default protocol.
  • SAP Netweaver Process Integration 7.1x and higher (PO/PI): see the PI/PO question at the end of this article (SAP Note 2677047).

TLS 1.0 Disablement Schedule

Datacenter/Environment        Disablement date
DC2 Preview                   7/22/2018
DC4 Preview                   7/22/2018
DC8 Preview                   7/22/2018
DC10 Preview                  7/22/2018
DC12 Preview                  7/22/2018
DC17 Preview                  7/22/2018
DC18 Preview                  7/22/2018
DC19 Preview                  7/22/2018
DC16 Production               7/22/2018
DC17 Production               7/22/2018
DC18 Production               7/22/2018
DC19 Production               7/22/2018
DC2 SiemensPS/SiemensPEN      7/29/2018
DC2 Production                7/29/2018
DC4 Production                7/29/2018
DC8 Production                7/29/2018
DC10 Production               7/29/2018
DC12 Production               7/29/2018
DC15 Production               7/29/2018
DC12 Bosch                    7/29/2018
DC12 Siemens                  7/29/2018

Note - This article will be updated as new information becomes available. Please check back often for guidance on preparing for TLS 1.0 disablement.


What do I need to do if I have a PI or PO system communicating with SuccessFactors?

Follow recommendations inside of SAP Note 2677047 - Error in PI SuccessFactors Adapter after TLS 1.0 disabled.

See Also

  • 2461964 - TLS 1.0 encryption protocol disablement (LMS)
  • 2533915 - SAP SuccessFactors SSL Certificate Renewal Schedule and Public Certificate Repository

Keywords

TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.0 encryption protocol disablement, Could not create SSL/TLS secure channel , KBA , LOD-SF-FWK , Architecture Framework & Extensions , Product Enhancement

Product

SAP SuccessFactors HCM Core 1511 ; SAP SuccessFactors HCM Core 1602 ; SAP SuccessFactors HCM Core 1605 ; SAP SuccessFactors HCM Core 1608 ; SAP SuccessFactors HCM Core 1611 ; SAP SuccessFactors HCM Core 1702 ; SAP SuccessFactors HCM Core 1705 ; SAP SuccessFactors HCM Core 1708 ; SAP SuccessFactors HCM Core 1711 ; SAP SuccessFactors HCM Core 1802 ; SAP SuccessFactors HCM Core 1805 ; SAP SuccessFactors HCM Core 1808 ; SAP SuccessFactors Recruiting all versions ; SuccessFactors HCM Core 1207 ; SuccessFactors HCM Core 1210 ; SuccessFactors HCM Core 1302 ; SuccessFactors HCM Core 1305 ; SuccessFactors HCM Core 1308 ; SuccessFactors HCM Core 1311 ; SuccessFactors HCM Core 1402 ; SuccessFactors HCM Core 1405 ; SuccessFactors HCM Core 1408 ; SuccessFactors HCM Core 1411 ; SuccessFactors HCM Core 1502 ; SuccessFactors HCM Core 1505 ; SuccessFactors HCM Core 1508