Technical Articles
Disclosure Management – Password encryption
SAP Disclosure Management 10.1 has been using a new password encryption since Stack 800
This blog will briefly explain how this encryption works and what the consequences are.
The main principle of the encryption is the use of a “MachineSalt” (see “Salt (cryptography)” ) This key is a high-quality random number stored in the ‘web.config’ of the Disclosure Management site.
For each installation of Disclosure Management, there will be a different MachineSecret value
When you define a user password in the application, this password is salted with this key and is then hashed using a user-defined hash algorithm (defined in the password policy settings), e.g. hmacsha1 or hmacsha256. For further details see HMAC
In practice this means, that if you define a user with the same password on two different systems, the resulting password in the DB will be different
Note that the encryption is one-way so even if you have the MachineSecret and the password string (e.g. 331184793~bd4c746d34454f287993cb075e74eb35af48c7ec ) you cannot determine the password that was used (e.g. ‘12345’)
There are some consequences to this encryption
1. Updating passwords via SQL
The procedure as outlined here about changing a user’s password will no longer work, as you do not know the MachineSecret used.
2. Moving a DB
If you move a DB (e.g. you backup and restore the PROD database in QA), you must also change the MachineSecret (i.e. on the target system you need to use the same key as the one being used on the source system)
See: 2515295 – The provided credentials are not associated with an active user error during logon
3. Locking out of DM is possible
In case you forget your password, you can be locked out of the application. Because of the one-way encryption, you will not be able to determine what password was used, nor can you update it via SQL
The easiest way is to ask another user if they can change the password (note: the user would need access to the “Security” options within DM)
If all fails, SAP has some tools that can reset all password – please contact Support by opening an incident.