
New ABAP Open Source Project: Class for YubiKey authentication

Before I start, I want to send some special thanks to:

Introduction

The ABAP class implements a client for the Yubico Web Service API in ABAP. To use this API, you must own a YubiKey. The YubiKey is a tiny USB device that the operating system recognizes as a keyboard. When you touch the green glowing circle, it emits a 128-bit AES-encrypted one-time password (OTP), which is typed into the input field where your cursor is placed.

Check out the YubiKey product homepage for more information.

Prerequisites

  • You have developer access to an SAP Web Application Server ABAP (SAP WebAS ABAP). A trial version is available for download on the SDN download page.
  • You own a YubiKey.

Installation

  • Download the current version of yubico-abap from the project download page.
  • Extract the ZIP file to a local folder.
  • Install the nugget using SAPlink. The SAPlink extensions for the object types CLAS, FUGR, PROG and TABL must be installed.

Configuration

  • Apply for a Yubico API key at the online API key generator.
  • Start transaction SE16 and add a new entry to the ZYUBIKEY_APIKEY table. It should look like this afterwards:
  • If your SAP WebAS is not directly connected to the Internet, you have to configure an HTTP proxy server. This can be done in transaction SICF: in the main menu open Client -> Proxy Settings and enter your local proxy server under “HTTP Log” and “HTTPS Log”.

Test

  • Start transaction SE37 and enter the function module name “Z_AUTH_YUBICO”.
  • Click the “Test” button or press F8.
  • Check the “Uppercase/Lowercase” flag.
  • Place the cursor in the “IV_TOKEN” field and touch your YubiKey.
  • Click the “Execute” button or press F8.
  • The output should look like this:
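What a client has to do with the answer from the Yubico Web Service, shown here as an added Python example (it is not code from yubico-abap or from Yubico): the verify endpoint returns key=value lines, and the h line is an HMAC-SHA1 over the other parameters (sorted by name, joined with &), keyed with the API key from the key generator. The client therefore has to recompute and compare h before trusting status=OK, and check that the echoed otp (and, in validation protocol 2.0, the client-chosen nonce) is the one it sent. The API key, OTP, nonce and response texts below are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# A Yubico OTP is 32 to 48 modhex characters: an optional public ID followed
# by the 32-character (16-byte) encrypted block.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")

# Constructed stand-in for the key from Yubico's API key generator. Real keys
# are handed out base64-encoded and must be decoded before use as HMAC secret.
API_KEY_B64 = base64.b64encode(b"constructed example key").decode()
API_KEY = base64.b64decode(API_KEY_B64)


def otp_is_well_formed(otp: str) -> bool:
    """Cheap local sanity check before spending a round trip on the web service."""
    return MODHEX_OTP.match(otp) is not None


def signature(params: dict, key: bytes) -> str:
    """Yubico signature: HMAC-SHA1 over 'k=v' pairs sorted by key and joined
    with '&', leaving out 'h' itself; the digest is base64-encoded."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def parse_response(body: str) -> dict:
    """The verify endpoint answers with one key=value pair per line."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key] = value
    return params


def verify_response(body: str, key: bytes, sent_otp: str, sent_nonce: str):
    """Accept a response only if it is signed with our API key, echoes the OTP
    and nonce we sent (so a captured answer cannot be reused for another
    login), and reports status OK. Returns (accepted, reason)."""
    params = parse_response(body)
    if "h" not in params or "status" not in params:
        return False, "missing h or status"
    expected = signature(params, key)
    if not hmac.compare_digest(params["h"].encode(), expected.encode()):
        return False, "bad signature"
    if params.get("otp") != sent_otp:
        return False, "otp mismatch"
    if params.get("nonce") != sent_nonce:
        return False, "nonce mismatch"
    if params["status"] != "OK":
        return False, params["status"]
    return True, "OK"


def build_response(params: dict, key: bytes) -> str:
    """Produce a server-style signed response (used here only for samples)."""
    signed = dict(params)
    signed["h"] = signature(signed, key)
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


# Constructed sample exchange: the OTP and nonce the client sent, a signed OK
# answer, a signed REPLAYED_OTP answer, and the latter rewritten to OK by
# someone on the path who does not hold the API key.
SENT_OTP = "cccccccccccc" + "bdefghijklnrtuvc" * 2
SENT_NONCE = "0123456789abcdef0123456789abcdef"
_base = {"t": "2009-05-11T10:20:30Z0123", "otp": SENT_OTP,
         "nonce": SENT_NONCE, "sl": "25"}
GOOD_RESPONSE = build_response({**_base, "status": "OK"}, API_KEY)
REJECTED_RESPONSE = build_response({**_base, "status": "REPLAYED_OTP"}, API_KEY)
TAMPERED_RESPONSE = REJECTED_RESPONSE.replace("status=REPLAYED_OTP", "status=OK")

if __name__ == "__main__":
    for name, body in [("good", GOOD_RESPONSE), ("rejected", REJECTED_RESPONSE),
                       ("tampered", TAMPERED_RESPONSE)]:
        print(name, verify_response(body, API_KEY, SENT_OTP, SENT_NONCE))
```

The order of the checks matters: the signature is verified before the status is read, so a response whose status line was altered in transit is rejected as "bad signature" rather than taken at its word, and error statuses that the server cannot sign (for instance when it does not know the client) simply fail closed.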

Further development

The current client implementation for the Yubico Web Service API in ABAP is only one part of a complete YubiKey authentication solution: at the moment you rely on Yubico’s infrastructure, which is free to use but could be a single point of failure. Yubico already provides a Java implementation of the YubiKey Validation Server. I think the only challenge in implementing such a Validation Server in ABAP is programming the secure storage of the shared key. If you’re interested in such a project, please contact me via the comment function of this blog or via the contact information on my SDN Business Card.
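The validation side that an ABAP Validation Server would have to implement beyond the secure key store, as an added Python example that is not part of the yubico-abap project or of Yubico’s Java server: after the 32-modhex-character block of the OTP has been decrypted with the key’s AES-128 secret (that decryption step and the key store are assumed and not shown here), the server checks the CRC-16 residue 0xf0b8 over the 16 plaintext bytes, compares the private ID with the one registered for the public ID, and accepts only strictly increasing usage/session counters so that a re-submitted OTP is detected as a replay. The public ID, private ID and counter values are constructed sample data.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # Yubico's modhex alphabet: 'c' = 0 ... 'v' = 15
CRC_OK_RESIDUE = 0xF0B8       # crc16 over all 16 plaintext bytes must give this


def modhex_decode(text: str) -> bytes:
    """Modhex is hex with a keyboard-layout-independent alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def crc16(data: bytes) -> int:
    """CRC-16 as used in the Yubico OTP (reflected poly 0x8408, init 0xffff)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def crc_ok(plaintext: bytes) -> bool:
    """A decrypted block is only plausible if the CRC residue matches."""
    return len(plaintext) == 16 and crc16(plaintext) == CRC_OK_RESIDUE


def split_otp(otp: str):
    """Public ID (leading modhex characters) and the 16-byte encrypted block."""
    return otp[:-32], modhex_decode(otp[-32:])


def parse_plaintext(pt: bytes) -> dict:
    """Layout after AES decryption: uid(6) useCtr(2 LE) tstp(3 LE)
    sessionCtr(1) rnd(2) crc(2 LE). Bit 15 of useCtr is a flag, not count."""
    return {
        "uid": pt[:6],
        "use_ctr": struct.unpack_from("<H", pt, 6)[0] & 0x7FFF,
        "tstp": pt[8] | pt[9] << 8 | pt[10] << 16,
        "session_ctr": pt[11],
    }


def make_plaintext(uid: bytes, use_ctr: int, tstp: int, session_ctr: int, rnd: int) -> bytes:
    """Build a plaintext block with a correct CRC (sample data only; a real
    token leaves the YubiKey already encrypted)."""
    body = (uid + struct.pack("<H", use_ctr)
            + bytes([tstp & 0xFF, (tstp >> 8) & 0xFF, (tstp >> 16) & 0xFF, session_ctr])
            + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


class ValidationState:
    """Per-public-ID record: private ID plus the highest counters seen so far.
    In a real server this lives in a database next to the AES key."""

    def __init__(self, keys: dict):
        self.keys = {k: list(v) for k, v in keys.items()}  # pid -> [uid, use, session]

    def validate(self, public_id: str, plaintext: bytes) -> str:
        if public_id not in self.keys:
            return "NO_SUCH_KEY"
        if not crc_ok(plaintext):
            return "BAD_OTP"          # wrong AES key or corrupted token
        fields = parse_plaintext(plaintext)
        record = self.keys[public_id]
        if fields["uid"] != record[0]:
            return "BAD_OTP"          # private ID does not belong to this key
        seen = (record[1], record[2])
        now = (fields["use_ctr"], fields["session_ctr"])
        if now <= seen:
            return "REPLAYED_OTP"     # counters must strictly increase
        record[1], record[2] = now
        return "OK"


# Constructed sample key record (no real YubiKey data).
PUBLIC_ID = "cccccccccccc"
UID = bytes.fromhex("0a0b0c0d0e0f")

if __name__ == "__main__":
    state = ValidationState({PUBLIC_ID: (UID, 5, 2)})
    token = make_plaintext(UID, 5, 0x0102, 3, 0xABCD)
    print(state.validate(PUBLIC_ID, token))   # first use
    print(state.validate(PUBLIC_ID, token))   # same token again
```

The usage counter/session counter pair is compared as a tuple, so a token from an earlier power cycle (lower usage counter) is refused even if its session counter is high; the timestamp field is parsed but not used for the decision here, since it only supports an optional plausibility check.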

6 Comments
  • When the popup appears for OTP, what is there to prevent the user from simply opening a new session, or starting the debugger, or letting it dump?

    I don’t know the use case of your development, but my understanding is that bypassing it is an intentional feature to prevent lockouts…

    Cheers,
    Julius

    • Hi Julius,

      thank you for your comment. I’ve tested opening a new session and starting the debugger. I must say: you’re right. The user can open another session from within the OTP popup. It is also possible to start the debugger by dragging and dropping a /h shortcut onto the popup. Debugging is a developer authorization and can be restricted. But I don’t know a way to restrict users from opening another session.

      ABAP gurus: is there a possibility to have an input field without the “start new session” feature?

      Best regards
      Gregor

      • Instead of using POPUP_TO_GET_VALUE:

        If I remember correctly, the YubiKey copies the OTP to the clipboard …

        Why not grab the OTP from the clipboard
        and use a simple POPUP_TO_CONFIRM (or a similar function module)?

        DATA: BEGIN OF myclipboard_table OCCURS 0,
                line(172) TYPE c,
              END OF myclipboard_table.

        DATA: myclipboard_length TYPE i.

        " Read the clipboard into an internal table
        CALL METHOD cl_gui_frontend_services=>clipboard_import
          IMPORTING
            data                 = myclipboard_table[]
            length               = myclipboard_length
          EXCEPTIONS
            cntl_error           = 1
            error_no_gui         = 2
            not_supported_by_gui = 3
            OTHERS               = 4.

        " sy-subrc is only meaningful because the exceptions are mapped above
        IF sy-subrc NE 0.
          WRITE: / `Unable to read ClipBoard`.
          WRITE: / `Exiting program`.
          LEAVE PROGRAM.
        ENDIF.

        Then check the clipboard via ABAP …


        You can still manage user-allowed sessions and other restrictions via SAP administrative transactions.

        And also, why not…:

            * save the OTP to a file and upload it to SAP as..
            * create a function module with a “restricted” on-screen keyboard..

        following investigation ..

        Michele

  • customize user types (allowed sessions, etc.) from the SU01 transaction, or/and ….

    Try this code:

    REPORT YSESSCHK NO STANDARD PAGE HEADING.

    " This program limits the number of login sessions of a given user
    " in a certain client.
    " It runs from user exit SUSR0001.
    " n-1 is the number of concurrent sessions allowed.

    TABLES: UINFO.
    DATA: N TYPE I VALUE 2.                   "Upper limit of login sessions
    DATA: OPCODE TYPE X VALUE 2, I TYPE I, A(60).

    DATA: BEGIN OF BDC_TAB1 OCCURS 5.
            INCLUDE STRUCTURE BDCDATA.
    DATA: END OF BDC_TAB1.

    DATA: BEGIN OF USR_TABL OCCURS 10.
            INCLUDE STRUCTURE UINFO.
    DATA: END OF USR_TABL.

    " Kernel call: fill USR_TABL with the list of current user sessions
    CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
      ID 'TAB' FIELD USR_TABL-*SYS*.

    " Count the sessions of the logging-in user in this client
    LOOP AT USR_TABL.
      IF SY-UNAME = USR_TABL-BNAME AND SY-MANDT = USR_TABL-MANDT.
        I = I + 1.
      ENDIF.
    ENDLOOP.

    IF I >= N.

      A = 'You have already '.
      A+17(2) = I - 1.
      A+19(25) = 'login sessions in client '.
      A+44(4) = SY-MANDT.

      CALL FUNCTION 'POPUP_TO_INFORM'
           EXPORTING
                TITEL = 'UNSUCCESSFUL LOGIN'
                TXT1  = A
                TXT2  = 'You are not allowed to log in'.

      " End the new session: batch input of /nex on the SM04 screen
      MOVE: 'SAPMSSY0' TO BDC_TAB1-PROGRAM,
            '120' TO BDC_TAB1-DYNPRO,
            'X' TO BDC_TAB1-DYNBEGIN.
      APPEND BDC_TAB1. CLEAR BDC_TAB1.
      MOVE: 'BDC_OKCODE' TO BDC_TAB1-FNAM,
            '/nex' TO BDC_TAB1-FVAL.
      APPEND BDC_TAB1. CLEAR BDC_TAB1.

      CALL TRANSACTION 'SM04' USING BDC_TAB1 MODE 'N'.

    ENDIF.

    Michele

    Michele Berardi
    System Developer
    +39 347 319 2000
    http://berardimichele.interfree.it