To align with the industry best practices for security and data integrity, SAP SuccessFactors plans to discontinue the support for TLS 1.0. If you have SAP SuccessFactors extensions on SAP Cloud Platform, please check bellow if your application will be affected by this change and ensure that you take the recommended actions in advance to avoid disruption of your services.
The change may affect only Java applications. HTML5 applications will not be affected and will automatically adopt this change and will switch to a higher version of the TLS protocol.
Whether your application is affected and what are the recommended actions depends on how you establish connectivity to SAP SuccessFactors and what JRE version you are using to run the application:
A common indication for that is source code like this:
In this case your application must be restarted after July 27 to take the latest SAP Cloud Platform runtime version that has support for TLS 1.1 and TLS 1.2
A common indication for that is source code like this:
In this case your application must be restarted after July 27 to take the latest SAP Cloud Platform runtime version that has support for TLS 1.1 and TLS 1.2
A common indication for that is source code like this:
In this case you need to change your application to use higher protocol version or not to use any specific version at all (SSLContext.getDefault()) and then re-deploy and restart it after July 27.
In this case you need to ensure that those libraries support TLS 1.1 and TLS 1.2 and that you do not explicitly use lower protocol versions in the source code. For more information on the 3rd party support see the SAP SuccessFactors announcement.
In any of the above cases, if your application is running on JRE 6 or JRE 7 and is pinned to a particular SAP Cloud Platform runtime version, you should do one of the following:
To check the JRE your application is using you can either use the display-application-properties SAP Cloud Platform SDK for Neo environment command or navigate to your application, JMX Console, java.lang.Runtime in the SAP Cloud Platform Cockpit (see screenshot bellow)
Which applications are not affected?
- Applications that do not make any API calls to SAP SuccessFactors. Front-end integrations including SSO will not be affected as well
- HTML5 applications. These applications will automatically adopt to the change and will use higher TLS protocol version
- Java applications that run on JRE 8, and use the HTTP Destination API or the ConnectivityConfiguration API and do not explicitly specify TLSv1 when establishing connectivity to SAP SuccessFactors APIs
Which applications are affected?
The change may affect only Java applications. HTML5 applications will not be affected and will automatically adopt this change and will switch to a higher version of the TLS protocol.
Whether your application is affected and what are the recommended actions depends on how you establish connectivity to SAP SuccessFactors and what JRE version you are using to run the application:
- Java applications that run on JRE 6 or JRE 7, and use the HTTP Destination API to create HttpClient for making calls to SAP SuccessFactors APIs.
A common indication for that is source code like this:
HttpClient createHttpClient = destination.createHttpClient();In this case your application must be restarted after July 27 to take the latest SAP Cloud Platform runtime version that has support for TLS 1.1 and TLS 1.2
- Java applications that run on JRE 6 or JRE 7, use the ConnectivityConfiguration API, and do not explicitly specify any TLS version when establishing connectivity to SAP SuccessFactors APIs.
A common indication for that is source code like this:
ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx.lookup("java:comp/env/connectivityConfiguration");
…
SSLContext sslcontext = SSLContext.getDefault();In this case your application must be restarted after July 27 to take the latest SAP Cloud Platform runtime version that has support for TLS 1.1 and TLS 1.2
- Java applications that use the ConnectivityConfiguration API and explicitly specify TLSv1 when establishing connectivity to SAP SuccessFactors APIs
A common indication for that is source code like this:
ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx.lookup("java:comp/env/connectivityConfiguration");
…
SSLContext sslcontext = SSLContext.getInstance("TLSv1");In this case you need to change your application to use higher protocol version or not to use any specific version at all (SSLContext.getDefault()) and then re-deploy and restart it after July 27.
- Java applications that use any other libraries and APIs to establish the connectivity to SAP SuccessFactors APIs.
In this case you need to ensure that those libraries support TLS 1.1 and TLS 1.2 and that you do not explicitly use lower protocol versions in the source code. For more information on the 3rd party support see the SAP SuccessFactors announcement.
Pinned SAP Cloud Platform runtimes
In any of the above cases, if your application is running on JRE 6 or JRE 7 and is pinned to a particular SAP Cloud Platform runtime version, you should do one of the following:
- Unpin it to use the latest SAP Cloud Platform runtime version that has support for TLS 1.1 and TLS 1.2 after July 27.
- Re-deploy you application adding the following VM argument. Check the SAP Cloud Platform documentation to learn how to configure VM arguments
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
Checking the JRE version
To check the JRE your application is using you can either use the display-application-properties SAP Cloud Platform SDK for Neo environment command or navigate to your application, JMX Console, java.lang.Runtime in the SAP Cloud Platform Cockpit (see screenshot bellow)
- SAP Managed Tags:
