
Developer Key Authentication

Former Member
0 Kudos

The developer key for a developer is created in the Service Market Place. Once the key is given for creation/change of a program, the developer key entry is updated in the DEVACCESS table of the corresponding development environment.

But how is the key created at the Market Place authenticated in the development environment?

Is there any communication between the Market Place and the SAP Development environment after the developer key is created?

Regards,

Ashwin

7 REPLIES 7

Former Member
0 Kudos

Hi,

The developer key is associated with your installation number, and the installation number is determined by the license installed on the system.

Best Regards,

Aleh

markus_doehr2
Active Contributor
0 Kudos

The SMP generates a hash key; your local SAP system does the same. If they are identical, the key is correct.

Markus

0 Kudos

Markus,

Thanks for that response.

Please explain in detail.

How does the SAP environment communicate with the Market Place? Is there a port that is open at all times?

Also explain the Hash key concept.

Regards,

Ashwin

0 Kudos

Hi,

There is some detailed info from Julius in the following post.

SAP does not communicate with the marketplace for this.

0 Kudos

> Please explain in detail.

> How does the SAP environment communicate with the Market Place? Is there a port that is open at all times?

No.

> Also explain the Hash key concept.

Read

http://en.wikipedia.org/wiki/Hash_function

You have an installation number and a user name, and the SMP computes a hash key; that is the one you enter in your system. The SAP system itself also has the user name and the installation number and does the same computation. If the key you entered (the one from the SMP) and the one SAP computes are identical, access is granted.

Markus
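The recomputation model described in the post above, as an added example that is not part of the thread and is not SAP's algorithm (which is proprietary and does not appear on this page). The secret, the HMAC-SHA-256 construction, the 20-digit key format, and the sample user name and installation number are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical secret known to both the issuing portal and the verifying
# system (constructed value, not taken from any real product).
VENDOR_SECRET = b"constructed-demo-secret"


def _canonical(user: str, installation_no: str) -> bytes:
    """Encode both fields unambiguously before hashing."""
    u = user.strip().upper().encode()
    i = installation_no.strip().encode()
    # Length prefixes stop ("AB", "C") and ("A", "BC") from colliding.
    return len(u).to_bytes(2, "big") + u + len(i).to_bytes(2, "big") + i


def issue_key(user: str, installation_no: str,
              secret: bytes = VENDOR_SECRET) -> str:
    """Portal side: derive a key from user name + installation number."""
    digest = hmac.new(secret, _canonical(user, installation_no),
                      hashlib.sha256).digest()
    # 20 decimal digits is an arbitrary display format for this example.
    return str(int.from_bytes(digest, "big") % 10**20).zfill(20)


def verify_key(entered: str, user: str, installation_no: str,
               secret: bytes = VENDOR_SECRET) -> bool:
    """System side: recompute locally and compare; no network call."""
    expected = issue_key(user, installation_no, secret)
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(entered.strip().encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values.
    key = issue_key("DEVUSER01", "0020123456")
    print("issued:", key)
    print("same installation:", verify_key(key, "DEVUSER01", "0020123456"))
    # The same key entered on a system with another installation number fails,
    # because that number is part of the hashed input.
    print("other installation:", verify_key(key, "DEVUSER01", "0020999999"))
```

Because the verifying side must hold the same secret and algorithm as the issuer in a scheme like this, the check binds a key to a user and installation but cannot be stronger than the confidentiality of what is shipped with the system.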

0 Kudos

I am not sure whether it really is implemented as a one-way hash function like the password hashes are.

The kernel function imports only the key and sets sy-subrc. Whether it uses the hash to verify the user and correct licensing data, or whether it computes the expected hash and compares them is debatable.

As there are different types of developer licenses, and this is attached to the key AFAIK, I suspect that it is not a one-way hash. A one-way hash could also call the kernel function with user name as import parameter or no import parameters at all to verify what is in DEVACCESS.

Anyway, IMO the key mechanism is an organizational and licensing issue based on a certain degree of trust in the customer implementation and not really a security mechanism to rely on. Enough S_DEVELOP (or z-programs, or program errors) is sufficient to create your own program (you can create your own SE38 in the debugger in about 2 lines of changed variables).

Using the application authorizations to determine access is a safer bet in this case.

Cheers,

Julius

0 Kudos

Hi,

I have no idea how it is implemented, but I doubt it's just a hash function. Usually, you use public crypto for this purpose. SAP has a private key and every AS has a public key. The Service Market Place signs a request (user name + installation number) and the AS just checks the signature. As far as I know SAP, they came up with their proprietary algorithm.

BTW this is how Adobe implements licensing for editable Adobe forms. You have to get a certificate from Adobe to be able to generate editable forms. This certificate is signed by Adobe. You use this certificate to sign a PDF document, and every Adobe Reader checks if the certificate used for signing the document is signed by the Adobe certificate. If it is (that means that the customer paid for the extra license), then it opens the PDF form for input.

I doubt also that it was supposed to be a security feature. In my opinion the only reason was licensing.

Cheers