How to prevent: a simple user can discover the password for SAP BO BI connections

There is a simple way to recover a password from a SAP BO BI relational connection with a few lines of code. It is useful when you have forgotten the password, or when you need to verify that the rules in your security baseline work as expected and that nobody can discover the database connection passwords used by SAP BO BI reports with a simple logon and a simple application. You can also test with your non-administrator username to see whether you are able to see the password.

The code is based on the SAP BO SDK (Java or .NET). In the test, the application was given some parameters: CMS system, username, password, kind of authentication and the CUID of the connection.

1. Main Source Code

I adapted and changed the original code used in my connector “SBOPRepositoryExplorer” to explore the CMS repository using a simple universe in real time (How to explore SAP BusinessObjects BI CMS Repository), and I ran a test to check the vulnerability. Due to SAP copyright policies I am not allowed to publish the content, and the bug has already been reported.

2. Create a simple user in the CMC associated with the group Everyone

Create in the CMC a simple user that belongs to no group other than Everyone:

[Screenshot: CMC1]

[Screenshot: CMC2]

3. Create a simple connection to some database

For example, in IDT create a simple relational connection to test with.

[Screenshot: IDT]

In our example the username is “userOracleTst” and the password is “simplePassword123.”.

4. Test from command line

“C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sapjvm\bin\java.exe” -jar “D:\app\Tools\ConnectionProperties.jar” BO4Server tstuser simplePassword123. secEnterprise Ace8qbWCgDlFvUmUYlHxuHs

Where ConnectionProperties.jar is the compiled application that checks the content of the connection.

BO4Server is the CMS server.

tstuser is the username.

simplePassword123. is the password.

secEnterprise is the authentication method used.

Ace8qbWCgDlFvUmUYlHxuHs is the CUID of the connection created.

[Screenshot: result]

5. Workaround

It is somewhat dangerous that anyone with a simple username in BO can discover our DB connection password. The right that governs this, “Download connection locally”, was introduced in BI 4.0 SP3 to secure the connection parameters (typically username, password and server name) that are downloaded for Web Intelligence offline. Indeed, Web Intelligence offline needs to keep a copy of the connection (username, password, server name, etc.) in order to access the DB without being connected to the CMS. To address the danger of this approach, the right can be denied in the CMC via the option “Download connection locally”.

If the right “Download connection locally” is granted, you can use WebI offline, but the connection parameters can be downloaded.

If the right “Download connection locally” is denied, all sensitive connection parameters remain on the CMS and thus WebI can no longer be used offline. As the connection parameters remain on the CMS, all DB access is performed server side.

For more information see p. 845 of the Business Intelligence Platform Administrator Guide.


Jorge Sousa


  1. jacquelinesavage says:

    It’s awesome to pay a quick visit to this web site and read the views of all colleagues concerning this post,
    while I am also keen on getting know-how.

  2. garnet_harris says:

    Hello Dear, are you really visiting this site regularly? If so, afterward you
    will without doubt take fastidious know-how.
