- Yubico AB for creating such a cool product.
- Leo Laporte and Steve Gibson for their introduction to YubiKey in episode 143 of Security Now: YubiKey.
- Martin Hajnik who allowed me to use his HMAC implementation.
- Michele Berardi who allowed me to use his implementation of the ONE TIME PASSWORD ENHANCEMENT … A QUICK INTRODUCTION.
- Dan McWeeney and Ed Herrmann for their SAPlink Project which allows the SAP Community to exchange code.
The ABAP class implements a client for the Yubico Web Service API. To use this API, you must own a YubiKey. The YubiKey is a tiny USB device that the operating system recognizes as a keyboard. When you touch the green glowing circle, it issues a 128-bit AES-encrypted one-time password (OTP), which is typed in at the current cursor position.
Check out the YubiKey product homepage for more information.
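An added example, not part of yubico-abap or the original post: the checks a Web Service API client should make on the validation server's reply before it accepts an OTP, written in Python. It assumes the field names (`otp`, `nonce`, `status`, `t`, `h`) and HMAC-SHA1 signing of Yubico's published validation protocol 2.0; the API key, OTP, nonce and replies are constructed sample values.

```python
import base64
import hashlib
import hmac

API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()  # constructed, not a real key

def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the sorted key=value pairs, with 'h' left out."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Split the line-based key=value reply; base64 values may contain '='."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_response(body, sent_otp, sent_nonce, api_key_b64):
    """Return (accepted, reason); accept only a signed, matching, OK reply."""
    resp = parse_response(body)
    expected = sign(resp, api_key_b64)
    if not hmac.compare_digest(resp.get("h", "").encode(), expected.encode()):
        return False, "bad signature"
    if resp.get("otp") != sent_otp or resp.get("nonce") != sent_nonce:
        return False, "reply does not belong to this request"
    if resp.get("status") != "OK":
        return False, "status " + resp.get("status", "missing")
    return True, "OK"

def build_reply(fields, api_key_b64):
    """Constructed server reply for the demo; stands in for the HTTP body."""
    signed = dict(fields, h=sign(fields, api_key_b64))
    return "\r\n".join(f"{k}={v}" for k, v in signed.items())

if __name__ == "__main__":
    otp = "ccccccbcgujh" + "rtuvcbdefghijkln" * 2   # constructed 44-character OTP
    nonce = "a1b2c3d4e5f6a7b8c9d0"                   # constructed request nonce
    fields = {"otp": otp, "nonce": nonce, "t": "2008-01-01T00:00:00Z0001"}
    good = build_reply(dict(fields, status="OK"), API_KEY_B64)
    replayed = build_reply(dict(fields, status="REPLAYED_OTP"), API_KEY_B64)
    forged = replayed.replace("status=REPLAYED_OTP", "status=OK")
    for name, body in (("good", good), ("replayed", replayed), ("forged", forged)):
        print(name, check_response(body, otp, nonce, API_KEY_B64))
```

The forged case shows why the signature check comes first: a reply whose status line was rewritten in transit fails verification before its status is ever read.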
- You have developer access to an SAP Web Application Server ABAP (SAP WebAS ABAP). A trial version is available for download on the SDN download page.
- You own a YubiKey.
- Download and extract the current version of yubico-abap from the project download page.
- Extract the ZIP-file to a local folder
- Install the nugget using SAPlink. The SAPlink extensions for the object types CLAS, FUGR, PROG and TABL must be installed.
- Apply for a Yubico API key at the online API key generator
- Start transaction SE16 and add a new entry in the ZYUBIKEY_APIKEY table. Afterwards it should look like this:
- If your SAP WebAS is not directly connected to the Internet, you have to configure an HTTP proxy server. This can be done using transaction SICF. In the main menu open Client -> Proxy Settings and configure your local proxy server in “HTTP Log” and “HTTPS Log”.
- Start transaction SE37 and insert the function module name “Z_AUTH_YUBICO”
- Click on the “Test” button or press F8
- Check the flag “Uppercase/Lowercase”
- Point the cursor to the “IV_TOKEN” field and touch your YubiKey
- Click on the “Execute” button or press F8
- The output should look like this:
The current client implementation for the Yubico Web Service API in ABAP is only part of a complete authentication solution using YubiKey. Currently you rely on Yubico’s infrastructure, which is free to use but could be a single point of failure. Yubico already provides a Java implementation of the YubiKey Validation Server. I think the only challenge in implementing such a Validation Server in ABAP is the programming of the secure store of the shared key. If you’re interested in such a project, please contact me via the comment functionality of this blog or via the contact information you find on my SDN Business Card.