SAP BusinessObjects BI 4.2 SP04, Security Updates
Like any other release, BI 4.2 SP04 is also packed with new innovations. We have been working on to make the BI platform more secure, and I am happy to announce that a good part of those changes are delivered with BI 4.2 SP04.
I will keep this blog focused on key security updates in BI 4.2 SP04. In case you are interested in all that’s new in BI platform then refer this What’s New Document
OpenSSL update
OpenSSL cryptographic libraries have been updated with this release. This would enable you to have more secure communication channels.
Support for SAP Secure Logon
SAP Secure logon is a Single Sign on (SSO) solution from SAP that works across products and allows customers to have seamless SSO expereince for their end users across applications.
With this release we support two factor authentication and SSO via Secure logon solution to thin clients of SAP BusinessObjects suite.
RSA and SAP Crypto updates
RSA libraries are gradually being replaced with SAP Crypto libraries, some changes comes with this release, more would follow in subsequent releases. Where we could not already replace RSA we have updated them to later versions. This allows us to provide customers with stronger ciphers, stricter and stronger algorithms and continued FIPS compliance.
And yes, we have now deprecated SSLv3.
Impact of these changes
Any desktop or thin clients using older BI platform libraries to connect to BI platform BI 4.2 SP04 will not connect anymore. This is because the older cryptographic libraries of BI platform do not have matching KeyExchange/ciphers with new cryptographic libraries in BI 4.2 SP04. Hence,
In all cases
- Client tools by partner or customers using older BI platform libraries needs to be updated with latest cryptographic libraries from BI 4.2 SP04. So that they can continue to connect to BI platform
- Patches are planned for add-on clients like Lumira 1.x, Design Studio 1.x etc. to make sure they continue to work once BI platform is upgraded to BI 4.2 SP04.
In case you have SSL enabled for SIA
- BI 4.2 SP04 would connect to older BI platform systems for promoting content via Promotion management. If this is done when SSL is enabled for SIA, it would not work. Following are the options
- Disable SSL on SIA and promote your content to BI 4.2 SP04
- Or, you need to install the right patch released for your BI 4.1 and 4.2 SP lines. This patch makes sure there is a common cipher between two systems and communication can happen. Refer SAP Note 2413907
- No plans to patch BI 3.x systems. Hence, customer’s need to move to BI 4.x system first, before they can move to BI 4.2 SP04
- You need to generate new certificates (minimum Key Size 2048) for older BI platform systems
For more information you can refer SAP Note 2433337
very encouraged to see two factor SSO. Proof that the Ideas Place feedback does work, thank you!
I know this is an old post but we are still on 4.2 sp04. We have Business Objects only not the whole SAP suite. Can we still use two factor? If yes how? Also can we use DUO or this is SAP created one?
Thank you.
Hi Alex,
This blog mentions support for SAP SSO solution.
However, today also you can configure your tomcat server for multiple factors of authentication (this is outside of BI application). And on success, you can use user information to perform trusted authentication to BI platform.
DUO is not specifically tested or support by SAP BI platform.
Regards,
Ashutosh
Thanks Ashutosh,
We are implementing DUO on all our systems, but there are some issues with the display of the notification choice page after clicking on the login button on BO home page (while using LDAP), that's why I was hoping SAP would support DUO. Anyways, thanks again.
Alex
Hi Alex,
We are on BOE SP4.2 SP07 and I am still scrounging the internet for a good multi-factor authentication solution preferably using DUO.
I cannot seem to find a documentation that talks about native MFA support in tomcat or BOE.
Did you find any solutions?