Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Portal Security Question

Former Member
0 Kudos
345

Our SAP Portal Version is NetWeaver 7.01 SP5 which uses an ABAP UME .

We are planning to implement the Security Question Feature and it has been implemented in Test systems Succesfully .

The Issue is that there are already 20,000 + Users in Portal .

What we plan to do is set "Birthdate" as default Question for users Already in the Portal so that when user goes to change his password he can give his birthdat and his password is reset .

The issue is , I do not know , which TABLE stores the Security Question and Answer .

Any Ideas !!!

Regards,

Ashish .A. Poojary

1 ACCEPTED SOLUTION

Former Member
0 Kudos
152

Refer following links

[Enabling Users to Reset Their Own Password|http://help.sap.com/saphelp_nw70/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm]

[Parameter to store Secret Question and Answer in UME|/message/4739460#4739460 [original link is broken];

Regards

Puneet

15 REPLIES 15

Former Member
0 Kudos
153

Refer following links

[Enabling Users to Reset Their Own Password|http://help.sap.com/saphelp_nw70/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm]

[Parameter to store Secret Question and Answer in UME|/message/4739460#4739460 [original link is broken];

Regards

Puneet

0 Kudos
152

Hey Punit ,

I have gone throught the Above Links . They didn't help much .

Regards,

Ashish .A. Poojary

mvoros
Active Contributor
0 Kudos
152

Hi,

you should use Java API to modify users. The package com.sap.security.api contains interface IPrincipalMaint which has a method setAttribute which should allow you to change any attribute on user. So you can try to write a simple Java program which will get all users and it will call method setAttribute to set attributes securityquestion and securityanswer. I've never done this so I can't help you more. The java API documentation is [here|http://help.sap.com/javadocs/NW04S/current/se/overview-summary.html]. Another solution mentioned in SAP documentation is to send an email to all users that they need to set up security question.

Cheers

Former Member
0 Kudos
152

Hi,

I dont think this can be acheived easily through portal API. We already try to change the property from IUserAccount. It's not giving any method to change this property.

How i can find the exact name of this attribute, so i can use set attribute method of that object.

Meanwhile please check this link also, which tells these are store encryped way, so you are not able to use even able to edit.

Regards

Baby

mvoros
Active Contributor
0 Kudos
152

you can find a list of attributes [here|http://help.sap.com/saphelp_nwpi71/helpdata/en/e6/d75d3760735b41be930f2dddae3126/content.htm].

I quickly set up security questions on my testing CE7.2 system and answer is hashed using SHA-1 algorithm. Fortunately, they also add some salt to this hash so you can't just hash the answer and then set it using Java API. You can try to figure out what format is used.The attributes are stored in table UME_STRINGS. Look for records where ATTR is equal to securityanswer. You can set up an answer for testing user and try to figure out what salt is used. I would start with user name or any other column from this table. The result seems to be stored in base64 enconding.

Cheers

Former Member
0 Kudos
152

Thank you for your quick reply.

Can you tell me which Object type i need to use for this. I already tried with IUserAccount. But did not find any method.

Can i set this property through setattribute method?

Please share the code.

Regards

Baby

mvoros
Active Contributor
0 Kudos
152

Hi,

I am not sure (I've never done this) but there is interface IPrincipalMaint which has two methods: setAttribute and setBinaryAttribute. I would try one of these two.

Cheers

Former Member
0 Kudos
152

Hi,

thanks for your helpful answer.

Now we are able to set Question and Answer using API. But issue with encryption with answer is remains.

Please check the code


	IUserAccountFactory account = UMFactory.getUserAccountFactory();
	IUserAccount[] user_account = user.getUserAccounts();
	IUserAccount maint =	account.getMutableUserAccount(user_account[0].getUniqueID());
	String ans[]= new String[1];
	ans[0]="answer";					  
maint.setAttribute("com.sap.security.core.usermanagement","securityanswer",ans);
	maint.commit();

Please help me on encryption part.

Regards

Baby

mvoros
Active Contributor
0 Kudos
152

That's going to be a tricky part. Unless it's documented somewhere (I couldn't find it) you have to reverse engineer algorithm which is used to store answer. It looks like they use SHA-1 and they add random bits as salt. I checked the stored value and weird thing is that the result is 208 bit long. The output of SHA-1 is 160 bits so they have to truncate two blocks or do some additional transformation. The tool John Ripper can crack ABAP passwords version B and G. The algorithm is described [here|http://marc.info/?l=john-users&m=121444075820309] so it may be similar. Code G iterates SHA-1 plus some magic. As salt it uses user name.

Cheers

mvoros
Active Contributor
0 Kudos
152

Hi,

I figured out what algorithm is used for passwords. It generates random 6 bytes (48bits) for each password which are used as salt (hence string length stored in DB is 208 bits). So it takes UTF-8 string and converts it into array of bytes, appends salt and calculates hash using SHA-1. After hashing it appends salt to the hashed value and encodes it using base64. As last step it adds prefix "" to the output

Same algorithm is used for security answers with one catch. It converts all characters into upper case. So here is a pseudo-algorithm:


answer = toUpperCase(answer);
salt = randomBytes( 6 );
hash = sha1( answer + salt );
output = "{SSHA}" + base64encode( hash + salt );

Cheers

Former Member
0 Kudos
152

That's sound good!

We will definitely try this way.

Meanwhile we decided to play safe.

We recently configured the security question feature for portal with thousands of existing users. We need to configure date of birth as default questions for all these existing users.

Now me made a small change in plan, we are planning to set Birth Year as Security question. So we will collection the encrypted

code for each year from portal database, then try to schedule a batch of jobs to update Q&A for different set of users based on their Birth Year.

Will update you the status.

Thank you Voros for your great support. Happy Christmas!

Regards

Baby

Former Member
0 Kudos
152

Did you succeed in setting the secret answer? . if so please share the solution details.

I am trying to retrieve the secret answer.

Thanks in advance,

Vasu

Former Member
0 Kudos
152

Hi Vasu,

We are able to configure it in our system. As i said in above thread, we are configuring Year of Birth as Security Question.

We manually retrieved all security answers (encrypted) from portal table, after setting values through portal for date range from 1950-2010.

Be schedule a batch job to set security question and answer for existing set of users.

For new users, we create one webservice in portal, and accessing it while creating new user in r3 system.

we are maintining all answers in table in r3 side and passing the encrypted values directly to webservice.

Regards

Baby

mvoros
Active Contributor
0 Kudos
152

Hi,

what exactly do you mean by retrieve? You can reconstruct original answers from the hashed values. You can only set a new answer using algorithm described in this thread.

Cheers

Former Member
0 Kudos
152

Sorry for Replying to this Thread Soo Late . I've taken up an assignment of Closing All my OPEN Questions .

Here goes the Answer for this One .

Well , we managed to find the Table which stores the USer INFO . It is UME_STRINGS in the SAPSR3DB Schema .

The Fields Important for my Scenario were , ATTRGUID which stores Username , ATTR and VALUE .

where

ATTR could be Any Attributes Like SECURITY QUestion , SECURITY Answer etc

VALUE = Associated Value for the Attrbute in ATTR .

As , I mentioned Earlier we Plan to Set the BIRTH YEAR as the Default Answer for Security Question , we Created 10 User Ids in Dev Portal and Set the Security Question and Answer for it .where :-

Security Question = BIRTH YEAR

Security Answer = Ranging from 1950 - 2001

We , then Took the Dump of these Feilds From Table UME_STRINGS . So , what it meant is we got the Encrypted Value for Different BIRTH YEARS from the Table UME_STRINGS .

These Encrypted Values were Mapped to User ids in Production based on the Users BIRTH YEAR and Dumped into the Table UME_STRINGS via a JAVA API .

So , the Result was we Had set a Default Question and Answer for 20,000 + Users along with the Encrypted Answer (BIRTH YEAR) .

Regards,

Ashish .A. Poojary