How to protect the login information

Francis417
Participant
0 Kudos

Hi,

I'd like to know if there are any means to protect the login information that I must specify when starting the connection to SAP using the .net connector.

Our scenario is that we are using a single SAP user with SAP_ALL, SAP_NEW authorization to log in using the .net connector. As I want the connection to be established automatically, I need to hardcode the password within the login page or in the vs.net project itself.

Now what I want is that when other people/developers try to directly access the source code of either the login page or the project itself, they cannot 'see' the password for the SAP account.

Any ways to achieve this?

Thanks for any suggestions in advance.

Francis

Accepted Solutions (0)

Answers (1)

reiner_hille-doering
Active Contributor
0 Kudos

The best way to achieve this is to use one of the Single Sign On (SSO) features available for the connector. I don't know what kind of application you are writing.

If it is a web based application and the user is authenticated by a SAP portal, you can use this article:

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/enabl... single sign-on for asp.net applications in enterprise portal 6.article

If it is a web application and the user is authenticated by a Windows logon, you can use this article:

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/how to use windows nt logon for single sign-on in an sap web application.article

If it is a Windows Form or Console application, you can use SNC directly, similar to how it is used in SAPGUI. Information on this is in the NCo documentation.

Francis417
Participant
0 Kudos

Thanks Reiner, I'll have a look at the suggested articles. However, I'd like to elaborate more on the scenario.

In our site, not all the employees have their own SAP login, however, their personal information as well as some absence records are stored in SAP HR.

Now we want to develop an ASP.net web application, in the very first phase, to allow all the employees to enquire about their absence records through the browser.

Assuming all the employees have a Windows logon, they can use the browser to start the web application which will make the connection to SAP using an account, say OPERATOR account, with SAP_ALL, SAP_NEW authorization in order to retrieve the related records and display them in the browser.

My concern is how I can ensure the confidentiality of the login information for the account OPERATOR.

Many thanks in advance for any advice.

Francis

reiner_hille-doering
Active Contributor
0 Kudos

I really cannot recommend using a common SAP login for many users. First of all this might be a license violation. Second it will cause problems as many BAPIs use the login information for internal processing. Third it's indeed dangerous to have a common account that has too many rights.

Former Member
0 Kudos

What Reiner says seems to be the correct way to do things. My only issue is that, according to the article above for single sign-on, it requires configuration changes to SAP. In some organizations (like mine) this could prove difficult to justify.

As an alternative (and I know Reiner will not approve of this), this is what can be done. You could store the UID/PWD and other configuration information for logging in, in the app's web.config. Unfortunately it will be stored in plain text. You could encrypt the password and store the encrypted string in web.config too. Google for how this can be done. I'm storing login information in the app's web.config file (internal only application) without any issues to date.

Former Member
0 Kudos

Actually, storing ID/PSWD information in the Web.Config file is not a best practice. It would be better to encrypt the password and store it someplace else.

Please see this article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod12.asp

and this one:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp

Message was edited by: Jeremy Skelly
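The two replies above suggest encrypting the stored password rather than keeping it in plain text. The following is an added example, not code from any poster or from the linked articles: a minimal C# sketch that uses Windows DPAPI through `ProtectedData`. It assumes .NET Framework 2.0 or later with a reference to System.Security.dll; the class name, entropy string and sample password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData (System.Security.dll on .NET Framework)
using System.Text;

// Hypothetical helper: protects the SAP service-account password at rest.
public static class SapSecretStore
{
    // Constructed, application-specific entropy. It is not a secret on its own;
    // it only separates this blob from other applications' DPAPI data.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("sap-operator-login-v1");

    // LocalMachine: any process on this server can decrypt, but a copy of the
    // blob taken to another machine (or read from source control) cannot be.
    // CurrentUser is tighter, but needs the service account's profile loaded.
    private const DataProtectionScope Scope = DataProtectionScope.LocalMachine;

    // Run once on the server by an administrator; store the returned string
    // in a configuration file or registry value protected by ACLs.
    public static string Protect(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try { return Convert.ToBase64String(ProtectedData.Protect(plain, Entropy, Scope)); }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave plaintext bytes around
    }

    // Called by the web application just before opening the SAP connection.
    // Returns null when the stored value is malformed or was made elsewhere.
    public static string Unprotect(string stored)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, Scope);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (FormatException) { return null; }        // not valid Base64
        catch (CryptographicException) { return null; } // wrong machine, wrong entropy, or tampered
    }

    public static void Main()
    {
        string stored = Protect("constructed-sample-password"); // constructed sample value
        Console.WriteLine("Value to store: " + stored);
        Console.WriteLine("Round trip ok: " + (Unprotect(stored) == "constructed-sample-password"));
    }
}
```

This keeps the password out of source code and out of copied configuration files, but anyone who can run code on the server under the chosen scope can still decrypt it, so file ACLs and a least-privilege SAP account remain necessary.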

Francis417
Participant
0 Kudos

Many thanks to Jeremy for the attachment as well as the advice from all of you guys. I believe I'll go for Jeremy's suggestions most probably.

Thanks,

Francis