07-29-2008 9:10 AM
Hi All,
We are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old? We have already solved the problem of password history, that is, we haven't any history.
Thanks and regards
Bob
07-29-2008 9:53 AM
Hi Bob,
Try to change the length of the password with the parameter login/min_password_lng.
Later on, when the 4.6c version is upgraded, you can set the parameter login/password_change_for_SSO (Handling of password change enforcements in Single Sign-On situations) to check if the users need to change the password.
Additionally check other login/* parameters.
Regards,
Srihari
07-29-2008 9:17 AM
Bob,
I think you will find that max password length is not configurable.
Perhaps you should consider implementing a Single Sign-On solution, so that you can use passwords that are managed outside of SAP (e.g. in Active Directory), and then you won't have to reduce the SAP system security by removing password history etc. In this case, the passwords in SAP systems are deactivated, and not used.
An identity management product is not designed for SSO, and should be used as well as a Secure SSO solution.
If you need any help with this, please let me know.
Thanks,
Tim
07-29-2008 9:33 AM
Tim,
Thank you for SSO. I think that it is the best solution. Unfortunately at this moment we haven't the budget for implementing an SSO solution. For this reason we need a workaround.
Any idea?
Best regards
Bob
07-29-2008 9:36 AM
Bob,
If your aim is to implement SSO in the medium/long term, and you are looking for a workaround, I suggest you tell your users to use passwords which are no longer than 10 characters.
I also suggest you start to look into SSO solutions as it might not be as expensive as you think it might be. I have worked with many companies who have been surprised how easy it is to implement such a solution, and they are surprised at the low license costs.
Regards,
Tim
07-29-2008 10:19 AM
Hi Srihari,
The parameter login/min_password_lng has a value range from 3 to 8 on SAP R/3 4.6C. Unfortunately there aren't other useful parameters on 4.6c. The problem is the max password length, which is equal to 8 characters. The workaround that we have in mind is to have the possibility on SAP R/3 4.6c to set the new password equal to the old password.
Have you any idea?
Thanks a lot
Bob
07-29-2008 11:13 AM
Hi Bob,
Just looking for the probable workaround. For me, the table USH02 and the field BCODE are striking.
I just wonder if this works??
"if we can try to clear the data in this field for all users and then do a mass generation of passwords, will the purpose be resolved???"
But this is not the workaround though, any others who have some thoughts?
Added:
I tried changing my own password in one of our 46c systems and found that the string value (BCODE) is the same. (I have modified passwords (five new passwords) and then gave the first one. I found that both the 1st and 7th password strings are the same.)
But again, one point that pops into my mind is: is the string stored what the user has entered, or only those 8 chars?
ahh.. this one is real teaser for me..
Regards,
Srihari
Edited by: Srihari Rao on Jul 29, 2008 3:44 PM
07-29-2008 1:26 PM
Hi Srihari,
I have cleared the field BCODE of USH02 but the problem (possibility to set a new password equal to the old password) still persists. On SAP R/3 4.6C the stored string (regarding the password) isn't what the user has entered but the truncation to 8 characters. I think that BCODE of USH02 and USR02 are (as you said) striking.
Bye,
Bob
07-29-2008 1:56 PM
Hi Bob,
Try replacing the USH02-BCODE values with USR02-BCODE.
Regards,
Srihari
07-29-2008 3:36 PM
Hi Bob,
I think ABAPers' help is needed here. Normally when the user tries to change the password and enters any one of the previously used 5 passwords, the system passes a message stating that the user has to choose a different password than the previous 5.
Here, in your scenario, you want the new password exactly as the previous one.
Found the domains XUCODE (Space for password) and XUBCODE (User password) under Development class SUSR.
I'm trying to find out the program which checks the previous passwords. If you can find that, we can track where exactly these old passwords are stored and we can take the extract if possible and clean them. Then we can provide the new passwords from the extract.
I think there are security breaches by doing so. Better raise a SAP message and resolve this (instead of taking the risk of a security breach).
Anyone who has thoughts about the auditing objections / security issues .. please let us know.
Regards,
Srihari
07-29-2008 3:53 PM
> Anyone who has thoughts about the auditing objections / security issues .. please let us know.
Yes...
It is not clear to me exactly why you (Bob) are wanting to do this, but clearly we don't understand exactly how this mechanism works and which change records play a role in it (certainly all of them if written play a role in consistency within the system), so caution is the obvious conclusion for me.
> Better raise a SAP message and resolve this (instead of taking the risk of a security breach).
That would be my advice as well.
Cheers,
Julius
07-29-2008 3:57 PM
Hmm ... here ends the story.
Bob, please raise a SAP message for your requirement. Do close this thread.
Regards,
Srihari
07-29-2008 4:06 PM
Though you may want to read SAP notes # 7 and # 83020 before you get your hopes up too high about solutions presented above.
Cheers,
Julius
07-29-2008 4:33 PM
A last little note from me: The 2nd sentence in Tim's 2nd post is true in my experience. If you look in the FAQ sticky thread at the top of the forum page, you will find a link in the SSO category which will help you further.
Cheers,
Julius
07-30-2008 7:46 AM
>
> Hi All,
> we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem?
Hi Bob,
As you only need a workaround until your 46C system is upgraded, I strongly recommend not to play around with direct DB access actions or so.
I suggest limiting the password length, until all your systems accept longer passwords, to the old length of 8 with the parameter login/password_downwards_compatibility=5 in your 7.00 systems.
So you avoid all the mentioned problems, as in your landscape only passwords with length=8 are valid.
After you have upgraded, you can easily switch to the 'new' longer passwords.
b.rgds, Bernhard
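Added example (not part of the thread, and not SAP or IBM code): a pre-check that a password-distributing layer could run before pushing a change, flagging target systems where truncation makes the new password identical to the old one or silently drops characters. The system names and the 40-character limit are assumptions; only the 8-character limit for 4.6C comes from the thread.

```python
import hmac

# Constructed landscape: the 8-character limit for R/3 4.6C comes from the
# thread; the 40-character value for BI 7.0 is an assumption for illustration.
MAX_PASSWORD_LENGTH = {"R3_46C": 8, "BI_70": 40}


def effective_password(password: str, max_len: int) -> str:
    """Return the part of the password a system with this limit actually keeps."""
    return password[:max_len]


def check_password_change(old: str, new: str, limits=MAX_PASSWORD_LENGTH) -> dict:
    """Classify a proposed change per target system before it is distributed.

    'rejected'  - old and new are identical after truncation, so the system
                  refuses the change because new equals old.
    'truncated' - the change is accepted, but characters beyond the limit
                  are silently dropped.
    'ok'        - the full new password is kept and differs from the old one.
    """
    result = {}
    for system, max_len in limits.items():
        old_eff = effective_password(old, max_len).encode("utf-8")
        new_eff = effective_password(new, max_len).encode("utf-8")
        if hmac.compare_digest(old_eff, new_eff):
            result[system] = "rejected"
        elif len(new) > max_len:
            result[system] = "truncated"
        else:
            result[system] = "ok"
    return result


def landscape_safe(old: str, new: str, limits=MAX_PASSWORD_LENGTH) -> bool:
    """True only if every system keeps the full new password and sees a change."""
    return all(v == "ok" for v in check_password_change(old, new, limits).values())


if __name__ == "__main__":
    # Constructed sample passwords: only the last two characters differ.
    print(check_password_change("Summer2008", "Summer2009"))
    print(landscape_safe("Summer08", "Winter09"))
```

Rejecting any candidate for which `landscape_safe` is false has the same effect as capping the whole landscape at the shortest limit, which is what the downwards-compatibility setting above achieves on the 7.00 side.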
07-30-2008 8:15 AM
Hi Bernhard,
what you described is exactly the temporary solution that we have implemented.
Cheers,
Bob
07-30-2008 10:14 AM
>
> Hi All,
> we are implementing the Identity Management Solution of IBM and we have two SAP Landscapes. One for SAP R/3 4.6C (It will be upgraded next November) and the other for SAP BI 7.0. The problem is that on SAP 4.6c the max password length is 8 characters. So if a user sets a password of 10 characters (on SAP 4.6C it will be truncated to 8 characters) and after (when the password expires) he changes only the last two characters then on SAP 4.6c (by virtue of the truncation) the change password is not allowed because the new and the old password aren't different. How can we solve this problem? Is it possible with a workaround to set a new password that is equal to the old? We have already solved the problem of passwords history that is we haven't any history.
> Thanks and regards
> Bob
Reading this I get the impression that you are (attempting to) synchronize passwords.
Kindly have a look at SAP Note 376856 (https://service.sap.com/sap/support/notes/376856) which provides you some good reasons why such an approach is subject to failure (by its nature). I agree with Tim: SSO is the recommended solution.