How to prevent: a simple user can discover the password for SAP BO BI connections

From a commercial-version perspective there are not so many corrections available

Posted on May 22, 2014

There is a simple way to recover the password of a SAP BO BI relational connection with a few lines of code. It is useful when you have forgotten the password, or when you need to check that all the rules in your security baseline are working as expected and that nobody can discover the database connection passwords used by SAP BO BI reports with a simple logon and a simple application. You can also test with your own non-administrator username to see whether you can read the password.

> The code is based on the SAP BO SDK (Java or .NET). In the test that was done, it was passed a few parameters: CMS system, username, password, kind of authentication and the CUID of the connection.

1. Main Source Code

I adapted and changed the original code used in my connector “SBOPRepositoryExplorer”, which explores the CMS repository in real time using a simple universe (see How to explore SAP BusinessObjects BI CMS Repository), and I ran a test to check the vulnerability. Because of SAP copyright policies I am not allowed to publish the content, and the bug has already been reported.

2. Create a simple user in CMC associated to group everyone

> Create in CMC a simple user without any group other than Everyone:
(Screenshot: CMC1)
(Screenshot: CMC2)

3. Create a simple connection from some database

> For example in IDT create a simple relational connection to test.
(Screenshot: IDT)
In our example the username is “userOracleTst” and the password is “simplePassword123.”.

4. Test from command line

> "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sapjvm\bin\java.exe" -jar "D:\app\Tools\ConnectionProperties.jar" BO4Server tstuser simplePassword123. secEnterprise Ace8qbWCgDlFvUmUYlHxuHs
Where ConnectionProperties.jar is the compiled application that checks the content of the connection.
BO4Server is the CMS server.
tstuser is the username.
simplePassword123. is the password.
secEnterprise is the authentication method used.
Ace8qbWCgDlFvUmUYlHxuHs is the CUID of the connection created.
(Screenshot: result)

5. Workaround

> It is quite dangerous that anyone with a simple BO username can discover our DB connection password. The right involved was introduced in BI 4.0 SP3 to secure the connection parameters (typically username, password and server name) that are downloaded for Web Intelligence offline. Indeed, Web Intelligence offline needs to keep a copy of the connection (username, password, server name, etc.) in order to access the DB without being connected to the CMS. To address the danger of this approach, it is possible to deny the right in the CMC via the option “Download connection locally”.
If the right “Download connection locally” is granted, you can use WebI offline, but the connection parameters can be downloaded.
If the right “Download connection locally” is denied, all sensitive connection parameters remain on the CMS, and therefore WebI can no longer be used offline. Since the connection parameters stay on the CMS, all DB access is performed server-side.

For more information, see p. 845 of the Business Intelligence Platform Administrator Guide.