Before I start, I want to send some special thanks to:

Introduction

The ABAP class implements a client for the Yubico Web Service API in ABAP. To use this API you must own a YubiKey, a tiny USB device that the operating system recognises as a keyboard. Touching the green glowing circle makes it emit a one-time password (OTP): a 128-bit AES-encrypted block, typed as keystrokes into whatever input field currently has the cursor.

Check out the YubiKey product homepage for more information.

Prerequisites

  • You have developer access to an SAP Web Application Server ABAP (SAP WebAS ABAP). A trial version is available for download on the SDN download page
  • You own a YubiKey.

Installation

  • Download the current version of yubico-abap from the project download page.
  • Extract the ZIP-file to a local folder
  • Install the nugget using SAPlink. The SAPlink extensions for the object types CLAS, FUGR, PROG and TABL must be installed.

Configuration

  • Apply for a Yubico API key at the online API key generator
  • Start transaction SE16 and add a new entry in the ZYUBIKEY_APIKEY table. It should look like this afterwards:
  • When your SAP WebAS is not directly connected to the Internet, you have to configure an HTTP proxy server. This can be done in transaction SICF: in the main menu open Client -> Proxy Settings and enter your local proxy server under “HTTP Log” and “HTTPS Log”.

Test

  • Start transaction SE37 and enter the function module name “Z_AUTH_YUBICO”
  • Click on the “Test” button or press F8
  • Check the flag “Uppercase/Lowercase” so that the test screen does not convert the OTP to uppercase
  • Place the cursor in the “IV_TOKEN” field and touch your YubiKey
  • Click on the “Execute” button or press F8
  • The output should look like this:

Further development

The current client implementation for the Yubico Web Service API in ABAP is only part of a complete authentication solution using YubiKey: at the moment you rely on Yubico’s infrastructure, which is free to use but could be a single point of failure. Yubico already provides a Java implementation of the YubiKey Validation Server. I think the only challenge in implementing such a Validation Server in ABAP is the programming of the secure store for the shared key. If you’re interested in such a project, please contact me via the comment functionality of this blog or via the contact information on my SDN Business Card.
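What such a validation server actually has to do with a token, as an added example that is not part of yubico-abap, of this post, or of Yubico’s Java server (the project’s own language is ABAP; Go is used here because its standard library ships AES): decode the modhex characters the key typed, decrypt the 16-byte block with the key’s shared AES secret, check the ISO 13239 CRC residual and the private uid, and reject any token whose counters are not newer than the last one accepted for that key. The AES key, public id, private uid and counter values are constructed sample data, not real key material; Generate mimics the key firmware purely so the example can mint tokens offline; treating an uppercased token as valid input is an assumption. The in-memory map is exactly the “secure store of the shared key” the post says still needs designing.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: the 16 characters a YubiKey "types" (same physical keys on nearly every keyboard
// layout); a character's position in the string is its nibble value.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, bool) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhex, s[2*i]), strings.IndexByte(modhex, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, false
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, true
}

// crc16 is ISO 13239 (reflected poly 0x8408, init 0xFFFF). The key stores the complement in the
// last two block bytes, so over an intact 16-byte block this always returns the residual 0xF0B8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1)) // xor in the poly when the dropped bit is 1
		}
	}
	return crc
}

// Token is the block plaintext: uid(6) useCtr(2) tstp(3) sessionCtr(1) rnd(2) crc(2), little-endian.
type Token struct {
	PrivateUID [6]byte
	UseCtr     uint16 // power-up counter, 15 bits (the MSB is the key's caps-lock flag)
	Timestamp  uint32 // 24-bit ~8 Hz tick count since power-up
	SessionCtr uint8  // OTPs issued since power-up
}

// KeyRecord is the per-key state a validation server persists. AESKey is the shared secret whose
// secure storage the post raises; an in-memory map stands in for that store here.
type KeyRecord struct {
	AESKey      []byte
	PrivateUID  [6]byte
	LastUseCtr  uint16
	LastSessCtr uint8
}

type Validator struct{ Keys map[string]*KeyRecord } // keyed by modhex public id

var (
	ErrFormat   = errors.New("otp: malformed token")
	ErrUnknown  = errors.New("otp: unknown public id")
	ErrBadToken = errors.New("otp: crc or private uid mismatch (wrong key or damaged token)")
	ErrReplayed = errors.New("otp: counters not newer than the last accepted token")
)

// Validate decodes, decrypts and checks one 44-character OTP; on success it advances the stored
// counters so the same token can never be accepted twice.
func (v *Validator) Validate(otp string) (*Token, error) {
	otp = strings.ToLower(strings.TrimSpace(otp)) // assumption: tolerate an uppercased token
	if len(otp) != 44 {
		return nil, ErrFormat
	}
	rec, known := v.Keys[otp[:12]]
	if !known {
		return nil, ErrUnknown
	}
	ct, ok := modhexDecode(otp[12:])
	if !ok {
		return nil, ErrFormat
	}
	block, err := aes.NewCipher(rec.AESKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct) // one raw AES-128 block, no mode, no IV: exactly what the key emits
	var t Token
	copy(t.PrivateUID[:], pt[0:6])
	if crc16(pt) != 0xf0b8 || t.PrivateUID != rec.PrivateUID {
		return nil, ErrBadToken
	}
	t.UseCtr = binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff
	t.Timestamp = uint32(binary.LittleEndian.Uint16(pt[8:10])) | uint32(pt[10])<<16
	t.SessionCtr = pt[11]
	// Replay protection: (useCtr, sessionCtr) must be strictly greater than the last accepted pair.
	if t.UseCtr < rec.LastUseCtr || (t.UseCtr == rec.LastUseCtr && t.SessionCtr <= rec.LastSessCtr) {
		return nil, ErrReplayed
	}
	rec.LastUseCtr, rec.LastSessCtr = t.UseCtr, t.SessionCtr
	return &t, nil
}

// Generate mirrors the key firmware so the example can mint tokens offline; a real YubiKey never
// exports its AES key. rnd stands in for the two random bytes the key adds.
func Generate(publicID string, key []byte, t Token, rnd uint16) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, aes.BlockSize)
	copy(pt[0:6], t.PrivateUID[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.UseCtr)
	binary.LittleEndian.PutUint16(pt[8:10], uint16(t.Timestamp))
	pt[10], pt[11] = byte(t.Timestamp>>16), t.SessionCtr
	binary.LittleEndian.PutUint16(pt[12:14], rnd)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt)
	out := []byte(publicID)
	for _, x := range ct {
		out = append(out, modhex[x>>4], modhex[x&15])
	}
	return string(out), nil
}

// newSampleValidator holds constructed sample key material, not a real YubiKey secret.
func newSampleValidator() (*Validator, *KeyRecord) {
	rec := &KeyRecord{AESKey: []byte("yubico-abap-demo"), PrivateUID: [6]byte{1, 2, 3, 4, 5, 6}}
	return &Validator{Keys: map[string]*KeyRecord{"vvcccccccccb": rec}}, rec
}

func main() {
	v, rec := newSampleValidator()
	otp, _ := Generate("vvcccccccccb", rec.AESKey, Token{PrivateUID: rec.PrivateUID, UseCtr: 1, SessionCtr: 1}, 0x1234)
	_, first := v.Validate(otp)
	_, second := v.Validate(otp) // the same token presented again
	fmt.Printf("%s\nfirst use: %v\nsecond use: %v\n", otp, first, second)
}
```

The two stored counters are the entire replay defence, so whatever replaces the map in a real server has to update them atomically per key, and the AES key in it is as sensitive as a password database: anyone who reads it can mint tokens exactly as Generate does.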


6 Comments


  1. Julius von dem Bussche
    When the popup appears for OTP, what is there to prevent the user from simply opening a new session, or starting the debugger, or letting it dump?

    I don’t know the use case of your development, but my understanding is that bypassing it is an intentional feature to prevent lockouts…

    Cheers,
    Julius

    1. Gregor Wolf Post author
      Hi Julius,

      thank you for your comment. I’ve tested opening a new session and starting the debugger. I must say: you’re right. The user can open another session from within the OTP popup. It is also possible to start the debugger by dragging and dropping a /h shortcut onto the popup. Debugging is a developer authorization and can be restricted. But I don’t know a way to restrict users from opening another session.

      ABAP gurus: is there a possibility to have an input field without the “start new session” feature?

      Best regards
      Gregor

      1. Michele Berardi
        Instead of using POPUP_TO_GET_VALUE:

        If I remember rightly, the YubiKey copies the OTP to the clipboard …

        Why not grab the OTP from the clipboard
        and use a simple POPUP_TO_CONFIRM (or a similar function module)?

        DATA: BEGIN OF myclipboard_table OCCURS 0,
                line(172) TYPE c,
              END OF myclipboard_table.

        DATA: myclipboard_length TYPE i.

        * Read the front-end clipboard into an internal table
        CALL METHOD cl_gui_frontend_services=>clipboard_import
          IMPORTING
            data                 = myclipboard_table[]
            length               = myclipboard_length
          EXCEPTIONS
            cntl_error           = 1
            error_no_gui         = 2
            not_supported_by_gui = 3
            OTHERS               = 4.

        * sy-subrc is only set when the method's exceptions are handled as above
        IF sy-subrc NE 0.
          WRITE: / `Unable to read ClipBoard`.
          WRITE: / `Exiting program`.
          LEAVE PROGRAM.
        ENDIF.

        Then check the clipboard via ABAP …


        You can still manage
        the sessions a user is allowed and other restrictions
        via SAP administrative transactions.

        And also, why not…:

            * save the OTP to a file and upload it to SAP as..
            * create a function module with a “restricted” on-screen keyboard..

        Following investigation ..

        Michele

  2. Michele Berardi

    Customize user types (allowed sessions, etc.) from the SU01 transaction, or/and ….

    Try this code:

    REPORT YSESSCHK NO STANDARD PAGE HEADING.

    * This program limits the number of login sessions of a given user
    * in a certain client
    * It runs from user exit SUSR0001
    * n-1 is the number of concurrent sessions allowed

    TABLES: UINFO.
    DATA: N TYPE I VALUE 2.                   "Upper limit of login sessions
    DATA: OPCODE TYPE X VALUE '02', I TYPE I, A(60).

    DATA: BEGIN OF BDC_TAB1 OCCURS 5.
            INCLUDE STRUCTURE BDCDATA.
    DATA: END OF BDC_TAB1.

    DATA: BEGIN OF USR_TABL OCCURS 10.
            INCLUDE STRUCTURE UINFO.
    DATA: END OF USR_TABL.

    * Kernel call: read the list of logged-on users into USR_TABL
    CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
      ID 'TAB' FIELD USR_TABL-*SYS*.

    * Count the sessions of the current user in the current client
    LOOP AT USR_TABL.
      IF SY-UNAME = USR_TABL-BNAME AND SY-MANDT = USR_TABL-MANDT.
        I = I + 1.
      ENDIF.
    ENDLOOP.

    IF I >= N.

      A = 'You have already '.
      A+17(2) = I - 1.
      A+19(25) = 'login sessions in client '.
      A+44(4) = SY-MANDT.

      CALL FUNCTION 'POPUP_TO_INFORM'
           EXPORTING
                TITEL = 'UNSUCCESSFUL LOGIN'
                TXT1  = A
                TXT2  = 'You are not allowed to log in'.

    * Batch input for SM04: OK code /nex ends the new session
      MOVE: 'SAPMSSY0' TO BDC_TAB1-PROGRAM,
            '120'      TO BDC_TAB1-DYNPRO,
            'X'        TO BDC_TAB1-DYNBEGIN.
      APPEND BDC_TAB1.
      CLEAR BDC_TAB1.
      MOVE: 'BDC_OKCODE' TO BDC_TAB1-FNAM,
            '/nex'       TO BDC_TAB1-FVAL.
      APPEND BDC_TAB1.
      CLEAR BDC_TAB1.

      CALL TRANSACTION 'SM04' USING BDC_TAB1 MODE 'N'.

    ENDIF.

    Michele

    Michele Berardi
    System Developer
    +39 347 319 2000
    http://berardimichele.interfree.it
