08-26-2014 2:55 PM
hi!
Passwords of our internet users are stored in BAPIUSW01-PASSWORD as a password hash. The hash is calculated by the system call XXPASSNET.
After we changed the password ruleset (kernel parameters login/min_password_digits and so on), hashes generated previously are no longer valid passwords. The call returns an empty hexpass. In other words: no user can log in anymore.
Is there a way to calculate a hash from a given string (= password) in the same way as XXPASSNET does? I already tried FM MD5_CALCULATE_HASH_FOR_CHAR or CALCULATE_HASH_FOR_CHAR, but they do not return the same result. It looks like XXNETPASS does not use MD5 or SHA1 but something else?
We authenticate using BAPI_PAR_EMPLOYEE_CHECKPASSWOR, which calls FM WWW_USER_AUTHORITY; inside, XXNETPASS is called.
Thanks for all the information
Roland
08-26-2014 4:07 PM
08-26-2014 4:36 PM
08-27-2014 8:31 AM
hi,
login/password_downwards_compatibility is set to on (which is the default value) in our systems. As far as I understand, this parameter allows other (older) hashes to be used and does not affect password rules such as at least one upper-case char, one special char, etc.
Thanks for the link to the blog, very interesting. XXPASSNET uses code version A when called from the above-mentioned BAPI.
Roland
PS: if the security section is the right choice for this topic, please move.
08-27-2014 6:59 PM
Last I heard, the SU05 internet users were deprecated and no longer supported.
Take a look at FM susr_internet_user_migration, which converts them to SU01 users and issues them a proper code-versioned password hash which is compatible and not reversible.
Cheers,
Julius
09-11-2014 9:22 AM
Thanks Julius. More or less I got the same reply from SAP support: it is simply not supported anymore. I cannot convert to SU01 users, so we are going to replace the password-creation BAPI with our own development and have all users create new passwords.
09-11-2014 9:42 AM
I added the password-creation class in the SCN wiki. ABAP class to create random chars or passwords - Code Gallery - SCN Wiki
09-11-2014 10:51 AM
Hi,
I would suggest using the standard FM RSEC_GENERATE_PASSWORD, which is used by SU01 when you ask the system for an initial random password. The generated password will comply with the system password policy.
Cheers