This is an example of how to integrate a "One Time Password" (OTP)
as an extra, more secure login phase (an advanced version is available too)
under SAP, using ABAP and Perl as multiplatform development languages.
The ABAP part follows (install instructions are in the comment header; anyway you can download the whole project
from the URL listed after the ABAP source):
http://berardimichele.interfree.it/src/perl/VTOKEN.zip
*&---------------------------------------------------------------------*
*& Include | ZXUSRU01 *
*&---------------------------------------------------------------------*
*& Rule | OTP / TKNRD (SAP / ABAP WRAPPER) *
*&---------------------------------------------------------------------*
*& Copyright | (C) 2008 Berardi Michele *
*& | mfxaub [----] tin.it *
*& | http://berardimichele.interfree.it *
*& | +39 347 319 2000 *
*&---------------------------------------------------------------------*
*& Revision | 1.2j (OPENSOURCE VERSION) *
*&---------------------------------------------------------------------*
*& Compatibility | SAP VER. >= 4.7 *
*&---------------------------------------------------------------------*
*& | *
*& TODO | - implement "logical files" (transaction: FILE) *
*& | *
*& | - admin interface (transaction) *
*& | *
*& | - use SM69 / SM49 (create custom OS commands) *
*& | for "SXPG_COMMAND_EXECUTE" func. module *
*& | *
*& | - use MESSAGE class (localize msgs) *
*& | example: MESSAGE e154(g00) WITH id_fname. *
*& | *
*& | - use RZL_READ_FILE instead of open dataset? *
*& | *
*& | - use of AL11 / RZ11 and customize AS paths *
*& | *
*&---------------------------------------------------------------------*
*& | *
*& | HOW TO INSTALL this "SAP Enhancement" *
*& | *
*& ---------------------------------------------------*
*& *
*& Launch transaction "CMOD". *
*& *
*& Create a new (or modify your) "SAP Enhancement Project". *
*& *
*& Choose the menu entry "Utilities -> SAP Enhancements", *
*& *
*& then press F8 -> select and activate the user exit "SUSR0001" *
*& *
*& (this operation creates/opens the function module *
*& "EXIT_SAPLSUSF_001"). *
*& *
*& In the opened source code double-click on the include "ZXUSRU01" *
*& (if it does not exist yet, create it) *
*& and replace the entire source code of "ZXUSRU01" with this one. *
*& *
*& Go back to your project overview (under transaction CMOD) *
*& and activate: the include, the function module *
*& and the entire "SAP Enhancement" you created. *
*& *
*& The exit runs on every dialog logon from then on, so keep a *
*& second session open while testing: a mistake here locks out *
*& every user until the enhancement is deactivated. *
*&---------------------------------------------------------------------*
DATA AS_TRIDEDSK_path type string.
DATA AS_OTPFILTER_file type string.
DATA AS_USER_OTP_MODE type string.
* APPLICATION SERVER SETUP OTP APPLICATION ----------BEGIN
* I need a function module that returns the SAP AS root
* instead of hardcoding paths (logical files, transaction FILE):
*
* http://help.sap.com/saphelp_nw04/helpdata/en/9f/
* db95e635c111d1829f0000e829fbfe/content.htm
CONCATENATE
* CUSTOMIZE_ME [1]
'C:\MiniWAS\'
'VTOKEN\server\'
INTO
AS_TRIDEDSK_path.
CONCATENATE
* CUSTOMIZE_ME [2]
'perl C:\MiniWAS\VTOKEN\server\'
*' D:\downloads\work\GlobalTools\Tools\OpenVPN\'
*'config\openvpnS0\clients\scripts\otp\'
* CUSTOMIZE_ME [3] / CUSTOMIZE_ME [4]
* (the active script name below differs from the commented one;
* use the name of the file shipped in VTOKEN.zip)
*'otp_validator.pl'
'otp_validatos.pl'
INTO
AS_OTPFILTER_file.
*AS_USER_OTP_MODE = 'TOKEN'.
AS_USER_OTP_MODE = 'POPUP'.
* APPLICATION SERVER SETUP OTP APPLICATION ------------END
DATA AS_IDPWD_file type string
VALUE '_AS_IDPWD.idpwd'.
DATA AS_OTPCHK_file type string
VALUE '_AS_OTPCHK.exit'.
DATA AS_OTPFILEPATH_file type string
VALUE '.otp'.
DATA AS_OTPCHK_EXITCODE(1) type C value '1'.
DATA: BEGIN OF AS_OTP_REC,
CHK(1) type C,
END OF AS_OTP_REC.
* TKNRD SPECIFIC VALUES [1] --BEGIN
*
* WS_UPLOAD (SAP VER. < 4.7)
*DATA PS_IDPWD_file LIKE RLGRAP-FILENAME
DATA PS_IDPWD_file type string
VALUE 'PS_IDPWD.idpwd'.
data: begin of t_idpwd occurs 0,
IDPWD(124) type C,
end of t_idpwd.
DATA PS_WORKDIR TYPE STRING.
DATA PS_OPERATIVE_SYSTEM(20).
DATA PS_FSYSTEM_SEPARATOR type C.
DATA:
  PS_GUI_INFOREQ_VALUE(255) TYPE C,
* -2 = SAP SYSTEM DIR
* 11 = SAP CURRENT DIR
  PS_GUI_INFOREQ TYPE I VALUE 11.
*
* TKNRD SPECIFIC VALUES [1] ----END
* OTP SPECIFIC VALUES [1] --BEGIN
*
DATA PS_USER_OTP type string
VALUE '-'.
DATA PS_USER_ANSWER type string
VALUE ''.
*
* OTP SPECIFIC VALUES [1] ----END
*Break BCUSER.
* TKNRD SPECIFIC CODE [1] --BEGIN
*
* PRESENTATION SERVER "WS_QUERY" OS (OTP VALIDATOR) -------BEGIN
IF AS_USER_OTP_MODE EQ 'TOKEN'.
CALL FUNCTION 'WS_QUERY'
EXPORTING
QUERY = 'OS'
IMPORTING
RETURN = PS_OPERATIVE_SYSTEM
EXCEPTIONS
INV_QUERY = 1
NO_BATCH = 2
FRONTEND_ERROR = 3
OTHERS = 4.
IF PS_OPERATIVE_SYSTEM CS 'WINDOWS'.
PS_FSYSTEM_SEPARATOR = '\'.
ELSE.
PS_FSYSTEM_SEPARATOR = '/'.
ENDIF.
ENDIF.
* PRESENTATION SERVER "WS_QUERY" OS (OTP VALIDATOR) ---------END
*
* TKNRD SPECIFIC CODE [1] ----END
* OTP SPECIFIC CODE [1] --BEGIN
*
* PRESENTATION SERVER "GET OTP FROM USER" (OTP VALIDATOR) ---------BEGIN
* If the user cancels the popup, PS_USER_OTP keeps its initial '-';
* the check at the end only passes if the validator writes '0'.
IF AS_USER_OTP_MODE EQ 'POPUP'.
CALL FUNCTION 'POPUP_TO_GET_VALUE'
EXPORTING
fieldname = 'UNAME'
tabname = 'SYST'
titel = 'PLEASE INSERT YOUR OTP'
valuein = ''
IMPORTING
answer = PS_USER_ANSWER
valueout = PS_USER_OTP
EXCEPTIONS
fieldname_not_found = 1
OTHERS = 2.
ENDIF.
* PRESENTATION SERVER "GET OTP FROM USER" (OTP VALIDATOR) -----------END
*
* OTP SPECIFIC CODE [1] ----END
*Break BCUSER.
* APPLICATION SERVER BUILD AS_OTPFILTER_file PATH ----------BEGIN
CONCATENATE AS_TRIDEDSK_path sy-uname AS_IDPWD_file
INTO AS_IDPWD_file.
CONCATENATE AS_TRIDEDSK_path sy-uname AS_OTPCHK_file
INTO AS_OTPCHK_file.
CONCATENATE AS_TRIDEDSK_path sy-uname AS_OTPFILEPATH_file
INTO AS_OTPFILEPATH_file.
* PS_USER_OTP comes straight from the user and ends up on an OS
* command line (OPEN DATASET ... FILTER hands the string to the shell),
* so it is restricted to alphanumerics before it is concatenated: a
* value carrying a double quote and a command separator would
* otherwise let the user run commands as the SAP service account.
* A rejected value is replaced by '-', which carries no shell
* metacharacters and which the validator does not accept.
* Note that the OTP is still visible in the process list while the
* validator runs.
CONDENSE PS_USER_OTP NO-GAPS.
IF PS_USER_OTP CN '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.
  PS_USER_OTP = '-'.
ENDIF.
CONCATENATE
  AS_OTPFILTER_file
  ' -scriptmode=via-file -cname=openvpnC0_Test_Client01'
  ' -susername="' sy-uname '"'
  ' -idpwdfile="' AS_IDPWD_file '"'
  ' -exitfile="' AS_OTPCHK_file '"'
  ' -spassword="' PS_USER_OTP '"'
  ' -otpfilepath="' AS_OTPFILEPATH_file '"'
INTO
  AS_OTPFILTER_file.
* APPLICATION SERVER BUILD AS_OTPFILTER_file PATH ------------END
* TKNRD SPECIFIC CODE [2] --BEGIN
*
* PRESENTATION SERVER GET PS_WORKDIR ---------BEGIN
* Use transaction SO21 to maintain the PC local directory (SAPWORKDIR).
* Or, run the ABAP program (via SA38 or SE38) RSSOPCDR.
* DEFAULT: %USERPROFILE%\SAPworkdir\
* Break BCUSER.
* for CL_GUI_FRONTEND_SERVICES see SDN message 4762229
IF AS_USER_OTP_MODE EQ 'TOKEN'.
* CONCATENATE FAIL! (GUI_UPLOAD is asynchronous ?)
CALL METHOD CL_GUI_FRONTEND_SERVICES=>GET_TEMP_DIRECTORY
CHANGING
TEMP_DIR = PS_WORKDIR.
*CALL METHOD cl_gui_frontend_services=>get_sapgui_directory
* CHANGING
* sapgui_directory = PS_WORKDIR.
*
* Break BCUSER.
*
* Workaround: now i can retrieve the correct PS_IDPWD_file value
*
* PRESENTATION SERVER GET: SAP CURRENT DIR ---------BEGIN
call function 'GUI_GET_DESKTOP_INFO'
EXPORTING
TYPE = PS_GUI_INFOREQ
CHANGING
RETURN = PS_GUI_INFOREQ_VALUE.
* PRESENTATION SERVER GET: SAP CURRENT DIR -----------END
* Break BCUSER.
* PRESENTATION SERVER GET PS_WORKDIR -----------END
* PRESENTATION SERVER UPLOAD PS_IDPWD_file ---------BEGIN
* PS_IDPWD_file only gets the correct value if GUI_DOWNLOAD was
* executed before!
CONCATENATE PS_WORKDIR PS_IDPWD_file
INTO PS_IDPWD_file
SEPARATED BY PS_FSYSTEM_SEPARATOR.
*Break BCUSER.
CALL FUNCTION 'GUI_UPLOAD'
EXPORTING
FILENAME = PS_IDPWD_file
FILETYPE = 'ASC'
TABLES
DATA_TAB = t_idpwd
EXCEPTIONS
FILE_OPEN_ERROR = 1
FILE_READ_ERROR = 2
NO_BATCH = 3
GUI_REFUSE_FILETRANSFER = 4
INVALID_TYPE = 5
NO_AUTHORITY = 6
UNKNOWN_ERROR = 7
BAD_DATA_FORMAT = 8
HEADER_NOT_ALLOWED = 9
SEPARATOR_NOT_ALLOWED = 10
HEADER_TOO_LONG = 11
UNKNOWN_DP_ERROR = 12
ACCESS_DENIED = 13
DP_OUT_OF_MEMORY = 14
DISK_FULL = 15
DP_TIMEOUT = 16
OTHERS = 17.
IF SY-SUBRC <> 0.
* nothing displays a list in this exit, so the WRITE is only a marker
* (see the MESSAGE TODO above); t_idpwd stays empty and the validator
* then receives an empty idpwd file.
  WRITE: / 'Error uploading OTP from presentation server'
         , PS_IDPWD_file
         , SY-SUBRC.
ENDIF.
* PRESENTATION SERVER UPLOAD PS_IDPWD_file -----------END
* Break BCUSER.
* APPLICATION SERVER SAVE t_idpwd TO AS_IDPWD_file ----------BEGIN
OPEN DATASET AS_IDPWD_file FOR OUTPUT
IN TEXT MODE ENCODING DEFAULT.
IF SY-SUBRC = 0.
LOOP AT t_idpwd.
TRANSFER t_idpwd TO AS_IDPWD_file.
IF SY-SUBRC NE 0.
WRITE: / 'Error writing record to file;' COLOR COL_NEGATIVE,
AS_IDPWD_file COLOR COL_NEGATIVE.
ENDIF.
ENDLOOP.
ELSE.
WRITE: / 'Error opening dataset' COLOR COL_NEGATIVE,
AS_IDPWD_file COLOR COL_NEGATIVE.
ENDIF.
CLOSE DATASET AS_IDPWD_file.
* Break BCUSER.
* APPLICATION SERVER SAVE t_idpwd TO AS_IDPWD_file ------------END
* PRESENTATION SERVER SECURE-CLEAN: PS_IDPWD_file ---------BEGIN
* The client-side token file is overwritten with an empty table so it
* cannot be replayed. This means clients must wait for the next
* generated token before logging in again!
REFRESH t_idpwd.
call function 'GUI_DOWNLOAD'
EXPORTING
filename = PS_IDPWD_file
filetype = 'ASC'
write_field_separator = 'X'
TABLES
data_tab = t_idpwd
EXCEPTIONS
FILE_WRITE_ERROR = 1
NO_BATCH = 2
GUI_REFUSE_FILETRANSFER = 3
INVALID_TYPE = 4
OTHERS = 5.
* PRESENTATION SERVER SECURE-CLEAN: PS_IDPWD_file -----------END
*Break BCUSER.
ENDIF.
*
* TKNRD SPECIFIC CODE [2] ----END
* APPLICATION SERVER APPLY FILTER (OTP VALIDATOR) ----------BEGIN
* AS_OTPCHK_file must exist before "filtering"! Opening it FOR OUTPUT
* also truncates it, so a '0' left over from an earlier logon of the
* same user cannot be read back if the validator fails to run.
OPEN DATASET AS_OTPCHK_file FOR OUTPUT
  IN TEXT MODE ENCODING DEFAULT.
CLOSE DATASET AS_OTPCHK_file.
* FILTER runs AS_OTPFILTER_file as an OS command under the SAP
* service account; the validator writes its verdict to the exit file.
OPEN DATASET AS_OTPCHK_file FOR INPUT
  IN TEXT MODE
  ENCODING DEFAULT
  FILTER AS_OTPFILTER_file.
CLOSE DATASET AS_OTPCHK_file.
* reopening the file (filled by the filter). AS_OTPCHK_EXITCODE keeps
* its default '1' unless a record is actually read.
OPEN DATASET AS_OTPCHK_file FOR INPUT
  IN TEXT MODE
  ENCODING DEFAULT.
DO.
  READ DATASET AS_OTPCHK_file INTO AS_OTP_REC.
  IF SY-SUBRC NE 0.
    EXIT.
  ELSE.
    AS_OTPCHK_EXITCODE = AS_OTP_REC-CHK.
  ENDIF.
ENDDO.
CLOSE DATASET AS_OTPCHK_file.
* APPLICATION SERVER APPLY FILTER (OTP VALIDATOR) ------------END
* Break BCUSER.
* APPLICATION SERVER OTP CHECK ----------BEGIN
* AS_OTPCHK_EXITCODE defaults to '1' and only becomes '0' when the
* validator wrote it, so every failure before this point (command not
* found, exit file not written, read error) ends in a logoff.
IF AS_OTPCHK_EXITCODE EQ '0'.
  CALL FUNCTION 'POPUP_TO_INFORM'
    EXPORTING
      TITEL = 'OTP FOR SAP (C) 2008 Berardi Michele'
      TXT1  = ''
      TXT2  = 'Welcome!'.
ELSE.
  CALL FUNCTION 'POPUP_TO_INFORM'
    EXPORTING
      TITEL = 'OTP FOR SAP (C) 2008 Berardi Michele'
      TXT1  = ''
      TXT2  = 'You are not allowed to log in!'.
* report the validator's exit code, not SY-SUBRC of the popup above
  WRITE: / 'OTP Error: ', AS_OTPCHK_EXITCODE.
*
* kick out the invalid user session..
*
  CALL 'SYST_LOGOFF'.
ENDIF.
* APPLICATION SERVER OTP CHECK ------------END
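The header TODO mentions SM69 / SM49 and SXPG_COMMAND_EXECUTE; this is what that looks like, as an added example that is not part of the original post or of VTOKEN.zip. It assumes (hypothetical names) an external command ZOTP_VALIDATE defined in SM69 for the server's operating system with "Additional parameters allowed" ticked, whose OS command is the perl interpreter and whose parameters field holds the fixed path of the validator script, and a validator that exits 0 for a valid OTP and non-zero otherwise. It replaces the OPEN DATASET ... FILTER / exit-file round trip: the exit code comes back from the function module, the logging-on user needs S_LOG_COM authorization for the command, and SXPG refuses shell metacharacters in the additional parameters (exception SECURITY_RISK). Since ZXUSRU01 is expanded inside the function module body, the FORM goes into a subroutine include of the enhancement (the usual place is an include referenced from ZXUSRZZZ, e.g. ZXUSRF01).

```abap
*&---------------------------------------------------------------------*
*& Added example, not part of the original post or of VTOKEN.zip:
*& OTP validation through an SM69 external command instead of
*& OPEN DATASET ... FILTER. Assumed (hypothetical) SM69 command:
*&   ZOTP_VALIDATE  ->  perl  <fixed path>/otp_validator.pl
*& with "Additional parameters allowed" set and a validator that
*& exits 0 only for a valid OTP.
*&---------------------------------------------------------------------*
TYPE-POOLS abap.   " abap_bool; needed on releases before 7.02

FORM zotp_validate USING    iv_uname TYPE syuname
                            iv_otp   TYPE string
                   CHANGING cv_ok    TYPE abap_bool.

  DATA: lv_otp    TYPE string,
        lv_params TYPE sxpgcolist-parameters,
        lv_status TYPE extcmdexex-status,
        lv_exit   TYPE extcmdexex-exitcode,
        lt_log    TYPE TABLE OF btcxpm.

  cv_ok = abap_false.                       " fail closed

* Whitelist the OTP before it leaves ABAP. SXPG refuses shell
* metacharacters on its own (exception SECURITY_RISK), but the
* exit must not depend on that alone.
  lv_otp = iv_otp.
  CONDENSE lv_otp NO-GAPS.
  IF lv_otp IS INITIAL
  OR lv_otp CN '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.
    RETURN.
  ENDIF.

* Same switches the original passes on its command line; the user
* name comes from sy-uname, never from the dialog.
  CONCATENATE '-susername=' iv_uname ' -spassword=' lv_otp
         INTO lv_params.

  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname                   = 'ZOTP_VALIDATE'
      additional_parameters         = lv_params
    IMPORTING
      status                        = lv_status
      exitcode                      = lv_exit
    TABLES
      exec_protocol                 = lt_log
    EXCEPTIONS
      no_permission                 = 1
      command_not_found             = 2
      parameters_too_long           = 3
      security_risk                 = 4
      wrong_check_call_interface    = 5
      program_start_error           = 6
      program_termination_error     = 7
      x_error                       = 8
      parameter_expected            = 9
      too_many_parameters           = 10
      illegal_command               = 11
      wrong_asynchronous_parameters = 12
      cant_enq_tbtco_entry          = 13
      jobcount_generation_error     = 14
      OTHERS                        = 15.

* Only a clean run (status 'O') that ended with exit code 0 grants
* the logon; missing authorization (S_LOG_COM), a missing command,
* a rejected parameter string or a crashed validator all leave
* cv_ok = abap_false.
  IF sy-subrc = 0 AND lv_status = 'O' AND lv_exit = 0.
    cv_ok = abap_true.
  ENDIF.
ENDFORM.

* Call site in ZXUSRU01, in place of the FILTER / exit-file block:
*
*   DATA lv_ok TYPE abap_bool.
*   PERFORM zotp_validate USING sy-uname PS_USER_OTP CHANGING lv_ok.
*   IF lv_ok = abap_false.
*     CALL 'SYST_LOGOFF'.
*   ENDIF.
```

The per-user idpwd and otp files of the original can still be passed as further switches in lv_params; the point of the change is that the command itself is fixed in SM69 and only checked parameters are appended, so the user never controls what gets executed. The OTP still shows up in the process list for the lifetime of the validator, exactly as with FILTER.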
*Break BCUSER.
The external Perl applications (OTP "deploy and creation" and "authentication")
are in the zip file (download URL below).
The entire enhancement and the install instructions can be downloaded here:
http://berardimichele.interfree.it/src/perl/VTOKEN.zip
Hope this could be useful.
Michele Berardi
System Developer