
Disclosure Management – Password encryption

SAP Disclosure Management 10.1 has used a new password encryption scheme since Stack 800.

This blog will briefly explain how this encryption works and what the consequences are.

The main principle of the encryption is the use of a “MachineSalt” (see “Salt (cryptography)”). This key is a high-quality random number stored in the ‘web.config’ of the Disclosure Management site.

For each installation of Disclosure Management, there will be a different MachineSecret value.

When you define a user password in the application, this password is salted with this key and is then hashed using a user-defined hash algorithm (defined in the password policy settings), e.g. hmacsha1 or hmacsha256. For further details see HMAC.

In practice this means that if you define a user with the same password on two different systems, the resulting password value in the DB will be different.

Note that the encryption is one-way, so even if you have the MachineSecret and the stored password string (e.g. 331184793~bd4c746d34454f287993cb075e74eb35af48c7ec) you cannot determine the password that was used (e.g. ‘12345’).
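The following Python script is an added illustration of the keyed-hash scheme described above; it is not SAP's code, and the real Disclosure Management storage format is not documented on this page. It assumes a `<user_salt>~<hexdigest>` layout that merely mirrors the shape of the sample value quoted above, and it mixes a per-installation MachineSecret (as the HMAC key) with a per-user salt, so the same password produces different stored values on two systems and a verification against a DB restored under a different MachineSecret fails, which is the situation behind the "credentials are not associated with an active user" symptom.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Assumed mapping from the policy names mentioned on the page to hashlib digests.
ALGORITHMS = {"hmacsha1": "sha1", "hmacsha256": "sha256"}


def hash_password(password: str, machine_secret: bytes, algorithm: str = "hmacsha256",
                  user_salt: Optional[str] = None) -> str:
    """Return '<user_salt>~<hexdigest>' for the given password.

    The installation-specific MachineSecret is the HMAC key; the per-user salt is
    mixed into the message so two users with the same password on the same system
    still get different digests. The exact layout is an assumption, not SAP's format.
    """
    digest_name = ALGORITHMS[algorithm]
    if user_salt is None:
        # Constructed: a random numeric salt in the style of the sample value.
        user_salt = str(secrets.randbelow(10 ** 9))
    message = (user_salt + "~" + password).encode("utf-8")
    digest = hmac.new(machine_secret, message, digest_name).hexdigest()
    return f"{user_salt}~{digest}"


def verify_password(password: str, stored: str, machine_secret: bytes,
                    algorithm: str = "hmacsha256") -> bool:
    """Recompute the keyed hash with the stored salt and compare in constant time.

    There is no way to recover the password from `stored`; the only check possible
    is to hash a candidate and compare. Without the original MachineSecret the
    comparison always fails, which is why a moved DB needs the source system's key.
    """
    user_salt, _, _digest = stored.partition("~")
    candidate = hash_password(password, machine_secret, algorithm, user_salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> Dict[str, object]:
    """Walk through the two situations the article describes (constructed values)."""
    prod_secret = b"constructed-PROD-machine-secret-0123456789"
    qa_secret = b"constructed-QA-machine-secret-9876543210"
    # Same salt and password as the page's example, but the digest will differ from
    # the page's sample because the real message construction is not published.
    stored_on_prod = hash_password("12345", prod_secret, "hmacsha1", user_salt="331184793")
    return {
        "stored_on_prod": stored_on_prod,
        # Same password, same salt, different installation: different DB value.
        "same_password_on_qa": hash_password("12345", qa_secret, "hmacsha1", user_salt="331184793"),
        # Normal logon on the source system.
        "logon_prod": verify_password("12345", stored_on_prod, prod_secret, "hmacsha1"),
        # DB restored in QA without copying the MachineSecret: logon fails.
        "logon_after_db_move_wrong_key": verify_password("12345", stored_on_prod, qa_secret, "hmacsha1"),
        # Wrong password on the correct system.
        "logon_wrong_password": verify_password("123456", stored_on_prod, prod_secret, "hmacsha1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it to see the two stored values side by side and the three verification outcomes; the only fix for the failed "after DB move" case is to install the source system's key on the target, exactly as consequence 2 below states.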

There are some consequences to this encryption:

1. Updating passwords via SQL

The procedure outlined here for changing a user’s password will no longer work, as you do not know the MachineSecret used.

2. Moving a DB

If you move a DB (e.g. you backup and restore the PROD database in QA), you must also change the MachineSecret (i.e. on the target system you need to use the same key as the one being used on the source system).

See: 2515295 – The provided credentials are not associated with an active user error during logon

3. Locking out of DM is possible

In case you forget your password, you can be locked out of the application. Because of the one-way encryption, you will not be able to determine what password was used, nor can you update it via SQL.

The easiest way is to ask another user to change the password for you (note: that user would need access to the “Security” options within DM).

If all else fails, SAP has some tools that can reset all passwords; please contact Support by opening an incident.
