Symptom
With SAP NetWeaver 7.1 (SAP_BASIS 7.10) or SAP NetWeaver 7.0 Enhancement Pack 2 (SAP_BASIS 7.02), the list of supported password hash procedures was extended: in addition to the procedures of previous releases, the NetWeaver Application Server ABAP (NWAS ABAP) now also supports password hash procedures that use a randomly generated value ("random salt") to calculate the hash value.
Other terms
SSHA1, salted SHA-1, RFC-2307, RFC-3112, USR02-PWDSALTEDHASH
Reason and Prerequisites
All the data required by the password hash procedure (the hash algorithm used and the salt value generated when the password was assigned) is stored in a single text string using a defined encoding.
During the password check, this text string is split into the parts mentioned above and a hash value is calculated from the plain-text password. This hash value is then compared with the reference hash value stored in the user master record.
Because these text strings are generic and self-descriptive, further password hash procedures can be supported in the future. All that is required is a new kernel version; the data structures that store password information no longer have to be adjusted.
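The split-and-check flow described above, as an added example that is not SAP's code and not the kernel's iSSHA-1 encoding: it uses the widely used LDAP-style `{SSHA}` layout (one SHA-1 round over password plus salt, stored as base64 of digest followed by salt). The function names, the 12-byte salt length and the sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hash constructor, digest length in bytes). Supporting a further
# procedure means adding an entry here; the stored string format stays the same.
SCHEMES = {"SSHA": (hashlib.sha1, 20)}

def encode(password: str, scheme: str = "SSHA", salt_len: int = 12) -> str:
    """Build the self-descriptive string: {scheme}base64(digest || salt)."""
    hash_fn, _ = SCHEMES[scheme]
    salt = os.urandom(salt_len)  # random salt, new for every password assignment
    digest = hash_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def split(stored: str):
    """Split the stored string into (scheme, reference digest, salt)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {scheme} prefix")
    scheme, _, payload = stored[1:].partition("}")
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload, validate=True)
    digest_len = SCHEMES[scheme][1]
    if len(raw) <= digest_len:
        raise ValueError("payload carries no salt")
    return scheme, raw[:digest_len], raw[digest_len:]

def verify(password: str, stored: str) -> bool:
    """Recompute the hash from the plain-text password and compare."""
    scheme, reference, salt = split(stored)
    candidate = SCHEMES[scheme][0](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, reference)  # constant-time comparison

if __name__ == "__main__":
    record = encode("Constructed-Passw0rd")  # constructed sample value
    print(record, verify("Constructed-Passw0rd", record), verify("wrong", record))
```

Because the scheme tag and the salt travel inside the stored value, two assignments of the same password produce different strings, and a record written under an unknown scheme is rejected rather than misread.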
Solution
This note provides an overview of which kernel versions support which password hash procedures or which encodings. It also describes which values the login/password_hash_algorithm profile parameter requires and which values are evaluated in this parameter.
This note is updated regularly.
At the moment, only one password hash procedure is supported:
- iterated salted SHA-1
Available as of: Kernel 7.10
(SAP NetWeaver 7.0 Enhancement Pack 2 uses kernel 7.20)
The default values for the login/password_hash_algorithm profile parameter are as follows:
encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96
Value range for "iterations": 1 - 4294967294 (2 ^ 32)
Value range for "saltsize": 32 - 128