Former Member

I have seen many forum threads asking how to offer SAP's predefined security questions through a custom application. The requirement usually comes from forcing end users to register a security question after logon, or from verifying the owner of an account by checking the security answer the user supplies against the answer stored in the database. I could find some helpful SDN threads, but the information is scattered and there is no complete solution on SDN, so I thought of sharing the code of this custom application. I will split the information into two parts: one for the basics and the other for the code.


Let’s start with attributes used for maintaining security questions and answers.

User Account attributes

The SAP predefined security questions and answers are User Account attributes, not User attributes. Refer to the SAP help for more information.

Attribute: securityquestionpredefined
Description: Identifies which of the predefined questions the user selected for use with the logon help, when users cannot write their own question.

Attribute: securityanswer
Description: The answer the user provided to the security question for logon help.

The mutable user account API is used to set these attributes. The following snippet runs inside a portal component, where this.getRequest() returns the current request:

```java
import com.sap.security.api.*;
import com.sapportals.portal.prt.component.IPortalComponentRequest;

IPortalComponentRequest request = (IPortalComponentRequest) this.getRequest();
IUserAccountFactory userAccFact = UMFactory.getUserAccountFactory();
IUser user = request.getUser();
try {
    // The security question and answer live on the user account, not on the user
    IUserAccount userAcc = user.getUserAccounts()[0];
    // A mutable copy of the account is needed before attributes can be changed
    IUserAccount userAccMaint = userAccFact.getMutableUserAccount(userAcc.getUniqueID());
    // String array holding the key of the selected predefined question (see the key/value table below)
    String[] questionKey = { "SECURITY_QUESTION_1" };
    userAccMaint.setAttribute(IPrincipal.DEFAULT_NAMESPACE, "securityquestionpredefined", questionKey);
    userAccMaint.commit(); // persist the change
} catch (UMException e) {
    throw new RuntimeException("could not update security question", e);
}
```

Saving security questions:

Security questions are stored in the database as keys, for example SECURITY_QUESTION_1, SECURITY_QUESTION_2 and so on. The key/value pairs are:

KEY                   VALUE
SECURITY_QUESTION_1   What is your pet's name?
SECURITY_QUESTION_2   What street did you grow up on?
SECURITY_QUESTION_3   What is your mother's maiden name?
SECURITY_QUESTION_4   What make of car do you drive?
SECURITY_QUESTION_5   What is your favorite color?

Saving security answer:

The security answer is not encrypted but hashed, using the salted SHA-1 (SSHA) algorithm, the same algorithm used when a user's password is saved in the DB. The only difference is that a security answer is converted to uppercase before hashing. The stored value is the Base64 encoding of 26 bytes: the first 20 bytes are the SHA-1 digest of the uppercased answer and the salt, the following 6 bytes are the salt used for hashing (the sample value quoted in step 6 below is 36 Base64 characters, which decodes to exactly these 26 bytes). Because the predefined questions have a small answer space and an SHA-1 digest is cheap to compute, anyone who can read the stored value can guess answers offline very quickly, so the securityanswer attribute must be protected at least as carefully as a password hash.

The steps for hashing an answer and saving it to the DB are:

1)   Get the source answer as a string and convert it to uppercase.

2)   Generate 6 random bytes of salt.

3)   Update a MessageDigest object with the uppercased answer and the salt (both as byte arrays).

4)   Calculate the hash, which results in 20 bytes of binary data.

5)   Concatenate the hash (from step 4) and the salt (from step 2) and Base64 encode the result.

6)   Add “A7LjH0FkZ1sSFxIST9kCwlOkCsCyvaT/3Bo=

Please note that, for identical answers, the stored hash will not be the same for two users, because the salt used for hashing is random.


Comparing security answers:

Salted SHA is a one-way algorithm, so the clear text cannot be recovered from the stored value. To compare answers, the value provided by the user must be hashed in the same way and the result compared with the value in the DB. While digesting the user-provided answer, extract the salt from the stored value and reuse it, since a fresh salt would never produce a matching digest. Compare the two digests with a constant-time comparison (MessageDigest.isEqual in Java) rather than String.equals, so the comparison does not leak how many leading bytes matched.

The steps for comparing answers are:

1)      Get the stored value from the DB and decode it using Base64.

2)      Split the decoded value into 20 and 6 bytes.

3)      The last 6 bytes are the salt that was used to hash the stored answer.

4)      Hash the user-provided answer with this salt (uppercasing it first) and compare the result with the first 20 bytes of the DB value.
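The two procedures above, hashing a new answer and verifying a supplied one, as one added example. This is illustration code written for this page, not the code of the original custom application or SAP's own implementation; it assumes the answer is encoded as UTF-8 before digesting (the post does not say which charset the UME uses) and that the stored layout is exactly 20 digest bytes followed by 6 salt bytes. The class name SecurityAnswerHash and the sample answer "Fluffy" are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

/** Salted SHA-1 for security answers: Base64( SHA1( UPPER(answer) || salt ) || salt ). */
public final class SecurityAnswerHash {

    private static final int DIGEST_LEN = 20; // SHA-1 output size
    private static final int SALT_LEN = 6;    // salt size used by the steps above
    private static final SecureRandom RNG = new SecureRandom();

    private SecurityAnswerHash() {}

    /** Hash a new answer with a fresh random salt (steps 1 to 5 of "saving"). */
    public static String hash(String answer) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        return hashWithSalt(answer, salt);
    }

    /** Digest UPPER(answer) || salt, append the salt so it can be recovered at verification time. */
    static String hashWithSalt(String answer, byte[] salt) {
        byte[] digest = digest(answer, salt);
        byte[] stored = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, stored, 0, digest.length);
        System.arraycopy(salt, 0, stored, digest.length, salt.length);
        return Base64.getEncoder().encodeToString(stored);
    }

    private static byte[] digest(String answer, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            // Uppercase first, as the UME does for answers (assumption: UTF-8 bytes of the string)
            md.update(answer.toUpperCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8));
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    /** Steps 1 to 4 of "comparing": decode, split 20 + 6, re-digest with the stored salt, compare. */
    public static boolean verify(String candidate, String stored) {
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64: treat as no match instead of throwing
        }
        if (decoded.length != DIGEST_LEN + SALT_LEN) {
            return false; // malformed record, e.g. a different salt length
        }
        byte[] storedDigest = Arrays.copyOfRange(decoded, 0, DIGEST_LEN);
        byte[] salt = Arrays.copyOfRange(decoded, DIGEST_LEN, decoded.length);
        byte[] candidateDigest = digest(candidate, salt);
        // Constant-time for equal-length arrays, unlike Arrays.equals or String.equals
        return MessageDigest.isEqual(storedDigest, candidateDigest);
    }

    public static void main(String[] args) {
        String stored = hash("Fluffy");
        System.out.println("stored: " + stored + " (" + stored.length() + " Base64 chars)");
        System.out.println("verify FLUFFY: " + verify("FLUFFY", stored)); // true, case is normalised
        System.out.println("verify fluffy: " + verify("fluffy", stored)); // true
        System.out.println("verify Rex:    " + verify("Rex", stored));    // false
        // Same answer, second call: a different salt gives a different stored value
        System.out.println("same stored value twice: " + stored.equals(hash("Fluffy"))); // false
    }
}
```

Every stored value produced by hash() is 36 Base64 characters, matching the length of the sample value quoted in the saving steps. The length check in verify() is what makes the 20 + 6 split safe; without it a shorter record would throw from copyOfRange, and a longer one would silently use the wrong salt.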

For more explanation of the Salted SHA (SSHA) algorithm please click here.

The custom code for the application can be found here
