Many customers have questions regarding the encryption of data in transit. SAP Cloud Platform uses encrypted communication channels based on HTTPS/TLS.
What is TLS?
TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification.The protocol is described by the Internet Engineering Task Force (IETF) in Requests for Comments (RFCs). It evolves over time to support higher standards.
SAP Cloud Platforms` servers support all versions of TLS protocol, which are TLS 1.0, 1.1 and 1.2. At the start of communication (handshaking phase), a web browser and SAP Cloud Platforms’ server exchange their supported TLS versions and choose the highest version they both support to carry out the rest of the communication.
TLS 1.0, in the past years, has been found weak in protection especially when combined with weak ciphers such as RC4. SAP Cloud Platform has started to reduce the support of the weak ciphers.
All platform regions launched before 1 July 2018 support all three version of the TLS protocol: 1.0, 1.1, and 1.2. See Regions.
Following 1 July 2018, future platform regions will support only the more secure TLS version 1.2. Existing regions will continue to support versions 1.0 and 1.1.
We announce the provisioning of new regions using the SAP Cloud Platform release notes. You can use them if you need to check the date when a particular region was provisioned.
How can you adapt to this change?
Inbound HTTP connections relying on TLS 1.0 or 1.1 will not be possible. Make sure that the HTTP clients in use, such as web browsers, support TLS 1.2. In case TLS 1.0 or 1.1 is still needed, especially in integration scenarios with legacy systems, you may use a custom web domain, and enable TLS 1.0 or 1.1 for it. See Using Custom Domains (section Create an SSL Host part of Configuring Custom Domains).
In case you want to use solely the new standard you have the opportunity to either choose a region which does not support TLS 1.0, or you follow this description in the two SAP Notes:
If you want to activate the use of TLS 1.2 only in your Neo Region, you may use custom domains to do so. See SAP Note 2586984 – Restrict SAP Cloud Platform to use TLS1.2 only and SAP Note 2732964 – How to control TLS version in SAP Cloud Platform Neo Environment .
In the SAP Cloud Platform Cloud Foundry environment only TLS 1.2 is enabled.