Logon and Password Security in the ABAP System
This section provides a general overview of logon and password security in the ABAP system. Passwords are never stored or transferred in clear text: the system stores and transfers only hash values.
After SAP NetWeaver 6.40, the password hash algorithm changes from MD5 to SHA-1. The new hash values are not backward-compatible and are considerably harder to attack by guessing, because they cover the complete, case-sensitive password rather than only its first eight characters in upper case (see below). By default, new systems generate two hash values for each password: a backward-compatible value and a new value. You can configure the system so that only the new, non-backward-compatible hash value is generated; the degree of backward compatibility is set with the profile parameter login/password_downwards_compatibility. Note that as long as the backward-compatible value is also stored, anyone who obtains the hash values can attack the weaker of the two, so the full benefit of the new algorithm is only realized once the old value is no longer generated.
The system can determine the type (new or old) of the current user password at any time, because the hash procedure used is recorded in the user master record. During logon, the system calculates the hash of the entered password according to that procedure and compares it with the stored hash value. Which part of the entered password is evaluated depends on the procedure:
● If the user master record shows that the user's password was hashed with the old algorithm, the system evaluates only the first eight characters and converts them to upper case.
● If the user master record shows that the user's password was hashed with the new algorithm, the system evaluates all characters exactly as entered (up to 40 characters, no conversion to upper case).
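The following added example (not SAP code) models the two hash generations described above only as far as the evaluated part of the password is concerned: the real ABAP hash procedures are not reproduced, and a generic salted SHA-256 stands in for them. It shows why a stored backward-compatible hash is the weaker target: under the old rules any password that shares the same first eight characters, in any letter case, verifies successfully. The sample password and candidate list are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed, illustrative model of the two hash generations described above.
# It does NOT reproduce the actual ABAP hash procedures; it models only which
# part of the entered password each generation evaluates, then applies a
# generic salted SHA-256 so the effect on verification can be demonstrated.

OLD_MAX_LEN = 8    # old algorithm: first eight characters, converted to upper case
NEW_MAX_LEN = 40   # new algorithm: up to 40 characters, case preserved


def evaluated_part(password: str, hash_version: str) -> str:
    """Return the part of the entered password that the given generation evaluates."""
    if hash_version == "old":
        return password[:OLD_MAX_LEN].upper()
    if hash_version == "new":
        return password[:NEW_MAX_LEN]
    raise ValueError(f"unknown hash version {hash_version!r}")


def store_password(password: str, hash_version: str,
                   salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build a user-master-style record: hash version, salt and hash value.

    A real system records the hash procedure in the user master record; the
    salted SHA-256 used here stands in for that procedure.
    """
    salt = secrets.token_bytes(8) if salt is None else salt
    material = evaluated_part(password, hash_version).encode("utf-8")
    return {
        "version": hash_version,
        "salt": salt.hex(),
        "hash": hashlib.sha256(salt + material).hexdigest(),
    }


def verify_password(record: Dict[str, str], entered: str) -> bool:
    """Re-hash the entered password according to the stored record's version."""
    material = evaluated_part(entered, record["version"]).encode("utf-8")
    digest = hashlib.sha256(bytes.fromhex(record["salt"]) + material).hexdigest()
    return secrets.compare_digest(digest, record["hash"])


def old_style_collisions(password: str, candidates: List[str]) -> List[str]:
    """Candidates that the old generation cannot distinguish from `password`."""
    target = evaluated_part(password, "old")
    return [c for c in candidates if evaluated_part(c, "old") == target]


if __name__ == "__main__":
    pw = "Secret123!x"                       # constructed sample password
    old_rec = store_password(pw, "old")
    new_rec = store_password(pw, "new")
    for attempt in ("SECRET12", "secret12whatever", pw, "secret123!x"):
        print(f"{attempt:20} old={verify_password(old_rec, attempt)!s:5} "
              f"new={verify_password(new_rec, attempt)}")
    print(old_style_collisions(pw, ["secret12", "SECRET12zz", "Secret13"]))
```

Run stand-alone, the script shows "SECRET12" and "secret12whatever" verifying against the old-style record but failing against the new one, which is exactly the search-space reduction an attacker exploits when the compatible hash is still generated.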
Immediately after the upgrade, the new functions have no visible consequences; system operation and password checks continue as before. As users change their passwords, hashes of the new type gradually replace those of the old type.
If your security requirements mean that you need to use exclusively the non-backward compatible passwords of the new type, this affects the following elements:
● Communication frameworks (RFC, ICF) that transfer or store the passwords
● Central User Administration, which distributes the password hash values
If you use non-backward-compatible passwords, communication with older systems (where the older system calls the newer system) and a Central User Administration that spans old and new systems are no longer possible (see SAP Note 792850).
When you create a user master record, you must assign a password to the user. The password must meet the internal requirements set by the SAP system and your own regulations (see Password Rules). When assigning this initial password, the administrator is not bound by the following rules, which are enforced only when the user changes the password:
● List of invalid passwords or password templates in table USR40
● Password history; that is, the initial password may also be one of the last five passwords used by the user
● Minimum number of different characters between the old and the new password
When a new user logs on for the first time, he or she must change the password. To do this, the user enters the old password once and then the new password twice. When the user enters the new password, the system checks it against all password rules defined by SAP and by the administrator.
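As an added example (not SAP code), the following check applies the three rules listed above to a user-initiated password change while exempting an administrator-assigned initial password from them. The wildcard semantics assumed for USR40 templates ('*' for any sequence, '?' for one character), the concrete minimum length and minimum difference, and the sample template and history entries are assumptions made for this example; the history depth of five comes from the text. A real system compares hash values, not clear-text passwords.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Sequence

# Constructed example. Parameter values and the wildcard semantics of the USR40
# templates ('*' = any sequence, '?' = one character) are assumptions made here;
# the history depth of five comes from the text above. A real system compares
# hash values rather than clear-text passwords.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6           # assumed value (profile parameter login/min_password_lng)
    min_diff_chars: int = 3       # assumed value (profile parameter login/min_password_diff)
    history_size: int = 5         # "one of the last five passwords used"
    usr40_templates: Sequence[str] = ("PASS*", "*123", "SAP?", "INIT*")  # constructed entries


def matches_usr40(password: str, templates: Sequence[str]) -> bool:
    """Template comparison is done in upper case (assumption) so 'Pass1' hits 'PASS*'."""
    upper = password.upper()
    return any(fnmatch.fnmatchcase(upper, t.upper()) for t in templates)


def differing_chars(old: str, new: str) -> int:
    """Positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new_pw: str, old_pw: str, history: List[str],
                   policy: PasswordPolicy, by_administrator: bool = False) -> List[str]:
    """Return the violated rules; an empty list means the password is accepted.

    `history` holds the user's previous passwords, oldest first, with `old_pw`
    as its last entry. Each violation starts with a short rule tag.
    """
    violations: List[str] = []
    if not new_pw:
        violations.append("empty: a password is mandatory")
    elif len(new_pw) < policy.min_length:
        violations.append(f"length: fewer than {policy.min_length} characters")

    # The three rules below apply to changes made by the user; the initial
    # password assigned by the administrator is exempt from them.
    if by_administrator:
        return violations
    if matches_usr40(new_pw, policy.usr40_templates):
        violations.append("usr40: matches an invalid-password template")
    if new_pw in history[-policy.history_size:]:
        violations.append(f"history: one of the last {policy.history_size} passwords")
    if differing_chars(old_pw, new_pw) < policy.min_diff_chars:
        violations.append(
            f"diff: fewer than {policy.min_diff_chars} characters differ from the old password")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed history, oldest first; the last entry is the current password.
    history = ["Winter2019", "Spring2020", "Summer2020", "Autumn2020", "Winter2020", "Spring2021"]
    for candidate in ("Winter2019", "Summer2020", "Spring2022", "sap1", "password99"):
        print(f"{candidate:12} -> {check_password(candidate, history[-1], history, policy) or 'accepted'}")
    print("initial by admin 'pass1' ->", check_password("pass1", "", [], policy, by_administrator=True))
```

Note that "Winter2019" is accepted because it has fallen out of the five-entry history window, while "Spring2022" is rejected only for differing from the old password in a single character.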
To be able to access the SAP system and the data contained in it, the users of the SAP system must log on. To do this, they enter their user ID and password. A user must enter both user ID and password; it is not possible to have an empty password. (Alternatively, you can use the logon with Single Sign-On (BC-SEC))
Before a user who has entered a password is granted access, the system checks the following:
1. Whether the user has a password and whether the user can log on with a password logon
2. Whether the user has been locked and is therefore not allowed to log on:
○ The user administrator can lock a user to prevent the user logging on to the system. More information: User Maintenance Functions, Lock/Unlock section.
○ The system also sets a logon lock if the user exceeds the permitted number of logon attempts (only for password-based logons).
3. Whether the user’s logon data (password, user name, and client) are correct
4. Whether the user must set a new password (in the case of an initial password, an expired password, or a password that has been reset by the administrator)
You can specify how long passwords remain valid with the profile parameter login/password_expiration_time in the system profile. By default, there is no limit on the validity of passwords.
If the user ID and password are correct, the system displays the date and time of the user's last logon under System → Status. Using this date and time, the user can check that no suspicious logon activity has occurred. The logon date and time cannot be changed in a standard production system. The system does not record the logoff date and time.
For every failed password check, the failed logon counter for the affected user master record is increased. If the user changes his or her password, the system first checks the current password. If this check fails, the system increases the incorrect logon counter.
If the user exceeds the limit set by the profile parameter login/fails_to_user_lock, the user is locked. This operation is logged in the Security Audit Log and in the Syslog. If a lock is set, subsequent password checks are immediately terminated (without a statement about the correctness of the password).
The lock is regarded as invalid after the end of the current day. (Exception: see the profile parameter login/failed_user_auto_unlock).
The failed logon counter is reset by a successful password check at logon or password change; this is also logged in the Security Audit Log. Non-password-based logons do not affect the failed logon counter; active logon locks, that is, locks that the administrator has set in transaction SU01, are taken into account at each logon or password change.
If you are using a SAP GUI logon, the system checks, in the case of non-password-based logon variants (SSO: SNC, X.509, PAS, logon ticket), whether the user has a password that must be changed.
If you are using SAP GUI logon, the administrator can use the profile parameter login/password_change_for_SSO and its values to control which dialog boxes are displayed. For more information, see the documentation for the profile parameter in transaction RZ11.
If a user enters an incorrect password, then the system allows the user two retries before terminating the logon attempt. Should the user continue to enter an incorrect password in subsequent logon attempts, then the SAP GUI connection is terminated. By default, this is done after three consecutive failed logon attempts. You can use the parameter login/fails_to_user_session_end to specify the number of logon attempts that the system should allow before terminating the connection (see Profile Parameters for Logon and Password (Login Parameters)).
The user can repeat the logon attempt until he or she enters valid logon data or until the permissible number of failed attempts is exhausted (parameter login/fails_to_user_lock). After SAP NetWeaver 6.40, passwords are case-sensitive, so a password entered with the wrong letter case counts as a failed attempt.
The locking of a user due to incorrect password logon attempts only applies on the same day (see the parameter login/failed_user_auto_unlock); however, the user administrator can also remove the lock earlier.
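The following added example (not SAP code) models the failed-logon handling described in this section: the per-user counter, the lock set when login/fails_to_user_lock is reached, its lapse at the end of the day under login/failed_user_auto_unlock, the reset on a successful check, the fact that non-password logons neither touch the counter nor bypass an active lock, and the separate SAP GUI behaviour of terminating the connection after login/fails_to_user_session_end consecutive wrong passwords. The numeric parameter values, the user records and the audit messages are constructed for the example; a real system compares hash values rather than clear-text passwords.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed model of the failed-logon handling described above. The profile
# parameter names are those given in the text; the numeric values used here are
# assumptions for the example, not documented defaults, and the clear-text
# password comparison stands in for the hash comparison a real system performs.


@dataclass
class LogonParams:
    fails_to_user_lock: int = 5            # login/fails_to_user_lock (assumed value)
    fails_to_user_session_end: int = 3     # login/fails_to_user_session_end (assumed value)
    failed_user_auto_unlock: bool = True   # login/failed_user_auto_unlock: lock lapses after the day


@dataclass
class UserMaster:
    name: str
    password: str
    fail_count: int = 0
    lock_date: Optional[date] = None       # day on which the automatic lock was set
    admin_locked: bool = False             # lock set by the administrator (SU01)


@dataclass
class AuditLog:
    """Stand-in for the Security Audit Log / Syslog entries mentioned in the text."""
    events: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.events.append(msg)


def is_locked(user: UserMaster, params: LogonParams, today: date) -> bool:
    """Administrator locks always apply; automatic locks lapse after the day if configured."""
    if user.admin_locked:
        return True
    if user.lock_date is None:
        return False
    return not (params.failed_user_auto_unlock and today > user.lock_date)


def password_logon(user: UserMaster, entered: str, params: LogonParams,
                   audit: AuditLog, today: date) -> str:
    """One password check; returns 'OK', 'LOCKED' or 'WRONG_PASSWORD'."""
    if is_locked(user, params, today):
        # The check terminates at once; no statement about password correctness.
        return "LOCKED"
    if entered == user.password:
        user.fail_count = 0
        user.lock_date = None
        audit.log(f"{user.name}: failed logon counter reset")
        return "OK"
    user.fail_count += 1
    if user.fail_count >= params.fails_to_user_lock:
        user.lock_date = today
        audit.log(f"{user.name}: locked after {user.fail_count} failed password logons")
    return "WRONG_PASSWORD"


def sso_logon(user: UserMaster, params: LogonParams, audit: AuditLog, today: date) -> str:
    """Non-password logon (SNC, X.509, logon ticket): counter untouched, locks still enforced."""
    return "LOCKED" if is_locked(user, params, today) else "OK"


def gui_logon_dialog(user: UserMaster, attempts: List[str], params: LogonParams,
                     audit: AuditLog, today: date) -> List[str]:
    """SAP GUI behaviour: after fails_to_user_session_end consecutive wrong
    passwords the connection is terminated, independently of the user lock."""
    results: List[str] = []
    consecutive = 0
    for pw in attempts:
        result = password_logon(user, pw, params, audit, today)
        results.append(result)
        if result == "OK":
            break
        consecutive += 1
        if consecutive >= params.fails_to_user_session_end:
            results.append("SESSION_TERMINATED")
            break
    return results


if __name__ == "__main__":
    params = LogonParams(fails_to_user_lock=3, fails_to_user_session_end=3)
    audit = AuditLog()
    alice = UserMaster("ALICE", "Correct-Horse")    # constructed user record
    day1, day2 = date(2021, 3, 1), date(2021, 3, 2)
    print(gui_logon_dialog(alice, ["a", "b", "c", "Correct-Horse"], params, audit, day1))
    print("same day, correct password:", password_logon(alice, "Correct-Horse", params, audit, day1))
    print("next day, correct password:", password_logon(alice, "Correct-Horse", params, audit, day2))
    print(*audit.events, sep="\n")
```

With fails_to_user_lock and fails_to_user_session_end both set to 3, the three wrong passwords in one GUI dialog lock the user and terminate the connection; the correct password is then refused for the rest of the day without any indication that it was correct, and is accepted the next day once the automatic lock has lapsed.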