
Identity Management and password length problem

Former Member
0 Kudos

Hi All,

We are implementing the Identity Management Solution of IBM and we have two SAP landscapes: one for SAP R/3 4.6C (it will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6C the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and afterwards (when the password expires) he changes only the last two characters, then on SAP 4.6C (by virtue of the truncation) the password change is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old one? We have already solved the problem of password history; that is, we don't have any history.

Thanks and regards

Bob

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Bob,

Try to change the length of the password with the parameter login/min_password_lng.

Later on, when the 4.6C version is upgraded, you can set the parameter login/password_change_for_SSO (Handling of password change enforcements in Single Sign-On situations) to check if the users need to change the password.

Additionally check other login/* parameters.

Regards,

Srihari

18 REPLIES 18

tim_alsop
Active Contributor
0 Kudos

Bob,

I think you will find that max password length is not configurable.

Perhaps you should consider implementing a Single Sign-On solution, so that you can use passwords that are managed outside of SAP (e.g. in Active Directory), and then you won't have to reduce the SAP system security by removing password history etc. In this case, the passwords in SAP systems are deactivated, and not used.

An identity management product is not designed for SSO, and should be used as well as a Secure SSO solution.

If you need any help with this, please let me know.

Thanks,

Tim

Former Member
0 Kudos

Tim,

Thank you for SSO. I think that it is the best solution. Unfortunately, at this moment we don't have the budget for implementing an SSO solution. For this reason we need a workaround.

Any idea?

Best regards

Bob

tim_alsop
Active Contributor
0 Kudos

Bob,

If your aim is to implement SSO in the medium/long term, and you are looking for a workaround, I suggest you tell your users to use passwords which are no longer than 10 characters.

I also suggest you start to look into SSO solutions, as it might not be as expensive as you think it might be. I have worked with many companies who have been surprised how easy it is to implement such a solution, and they are surprised at the low license costs.

Regards,

Tim

0 Kudos

Hi Srihari,

The parameter login/min_password_lng has a value range from 3 to 8 on SAP R/3 4.6C. Unfortunately, there aren't other useful parameters on 4.6C. The problem is the max password length, which is equal to 8 characters. The workaround that we have in mind is to have the possibility on SAP R/3 4.6C to set the new password equal to the old password.

Have you any idea?

Thanks a lot

Bob

0 Kudos

Hi Bob,

Just looking for the probable work around. For me, the table USH02 and the field BCODE are striking.

I just wonder if this works??

"If we can try to clear the data in this field for all users and then do a mass generation of passwords, will the purpose be resolved???"

But this is not the workaround though, any others who have some thoughts?

Added:

I tried changing my own password in one of our 46C systems and found that the string value (BCODE) is the same. I modified passwords (five new passwords) and then gave the first one. I found that both the 1st and 7th password strings are the same.

But again one point pops in my mind is that -- the string stored is what the user has entered or only those 8 chars?

ahh.. this one is real teaser for me..

Regards,

Srihari

Edited by: Srihari Rao on Jul 29, 2008 3:44 PM

0 Kudos

Hi Srihari,

I have cleared the field BCODE of USH02 but the problem (possibility to set a new password equal to the old password) still persists. On SAP R/3 4.6C the stored string (regarding the password) isn't what the user has entered but the truncation to 8 characters. I think that BCODE of USH02 and USR02 are (as you said) striking.

Bye,

Bob

0 Kudos

Hi Bob,

Try replacing the USH02-BCODE values with USR02-BCODE.

Regards,

Srihari

0 Kudos

Hi Srihari,

the values are already the same.

Regards,

Bob

0 Kudos

Hi Bob,

I think ABAPers' help is needed here. Normally, when the user tries to change the password and enters any one of the previously used 5 passwords, the system passes a message stating that the user has to choose a different password than the previous 5.

Here, in your scenario, you want the new password exactly as the previous one.

Found that the domain XUCODE (Space for password) and XUBCODE (User password) under Development class SUSR.

I'm trying to find out the program which checks the previous passwords. If you can find that, we can track where exactly these old passwords are stored and we can take the extract if possible and clean them. Then we can provide the new passwords from the extract.

I think there are security breaches by doing so. Better raise a SAP message and resolve this (instead of taking risk of security breach).

Anyone who has thoughts about the auditing objections / security issues .. please let us know.

Regards,

Srihari

0 Kudos

> Anyone who has thoughts about the auditing objections / security issues .. please let us know.

Yes...

It is not clear to me exactly why you (Bob) are wanting to do this, but clearly we don't understand exactly how this mechanism works and which change records play a role in it (certainly all of them if written play a role in consistency within the system), so caution is the obvious conclusion for me.

> Better raise a SAP message and resolve this (instead of taking risk of security breach).

That would be my advice as well.

Cheers,

Julius

0 Kudos

Hmm ... here ends the story.

Bob, please raise a SAP message for your requirement. Do close this thread.

Regards,

Srihari

0 Kudos

Though you may want to read SAP notes # 7 and # 83020 before you get your hopes up too high about solutions presented above.

Cheers,

Julius

0 Kudos

Ok,

thanks a lot to all.

Bye,

Bobo

0 Kudos

A last little note from me: The 2nd sentence in Tim's 2nd post is true in my experience. If you look in the FAQ sticky thread at the top of the forum page, you will find a link in the SSO category which will help you further.

Cheers,

Julius

Bernhard_SAP
Advisor
Advisor
0 Kudos

>

> Hi All,

> we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem?

Hi Bob,

As you only need a workaround until your 46C system is upgraded, I strongly recommend not to play around with direct DB access actions or so.

I suggest limiting the password length to the old length of 8, until all your systems accept longer passwords, with the parameter login/password_downwards_compatibility=5 in your 7.00 systems.

So you avoid all the mentioned problems, as in your landscape only passwords with length=8 are valid.

After you have upgraded, you can then easily switch to the 'new' longer passwords.

b.rgds, Bernhard
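The failure described in this thread, and the landscape-wide length limit suggested above, sketched as a pre-propagation check an identity-management layer could run (an added example, not part of the original posts and not SAP or IBM code). The system names, the 40-character limit and the `fold_case` option are assumptions; only the 8-character truncation on 4.6C comes from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TargetSystem:
    name: str                # hypothetical label for a connected system
    max_len: int             # characters the system actually keeps
    fold_case: bool = False  # assumption: system compares case-insensitively

# Constructed landscape. Only the 8-character limit is taken from the thread.
LANDSCAPE = [
    TargetSystem("R3_46C", max_len=8),
    TargetSystem("BI_700", max_len=40),
]

def effective(password, system):
    """Return the password as the target system would keep and compare it."""
    kept = password[:system.max_len]
    return kept.upper() if system.fold_case else kept

def landscape_max_len(landscape=LANDSCAPE):
    """Longest password every connected system keeps in full."""
    return min(s.max_len for s in landscape)

def check_change(old, new, landscape=LANDSCAPE):
    """List (system, reason) problems; an empty list means safe to propagate.

    Runs at change time, when the user has just typed both values.
    Never log or persist the arguments.
    """
    problems = []
    for s in landscape:
        if len(new) > s.max_len:
            # The system would silently drop the tail of the new password.
            problems.append((s.name, "truncated"))
        if effective(old, s) == effective(new, s):
            # After truncation the system sees no change and refuses it.
            problems.append((s.name, "same-as-old"))
    return problems

if __name__ == "__main__":
    # Constructed sample: only the last two of twelve characters change.
    print(landscape_max_len())
    print(check_change("Summer2008aa", "Summer2008bb"))
    print(check_change("Winter07", "Spring08"))
```

Rejecting the change centrally when the list is non-empty keeps all systems in step without touching USR02/USH02 directly.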

0 Kudos

Hi Bernhard,

what you described is exactly the temporary solution that we have implemented.

Cheers,

Bob

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

>

> Hi All,

> we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old? We have already solved the problem of passwords history that is we haven't any history.

> Thanks and regards

> Bob

Reading this, I get the impression that you are (attempting to) synchronize passwords.

Kindly have a look at SAP Note 376856 (https://service.sap.com/sap/support/notes/376856), which provides you some good reasons why such an approach is subject to failure (by its nature). I agree with Tim: SSO is the recommended solution.