08-05-2009 9:26 AM
Hi,
In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server. My sample code is like given below
CALL FUNCTION 'FTP_CONNECT'
EXPORTING
*-- Your SAP-UNIX FTP user name (case sensitive)
USER = 'sap1'
PASSWORD = u2018test123u2019
*-- Your SAP-UNIX server host name (case sensitive)
HOST = '10.10.1.44'
RFC_DESTINATION = 'SAPFTP'
IMPORTING
HANDLE = MI_HANDLE
EXCEPTIONS
NOT_CONNECTED = 1
OTHERS = 2
regards,
-Pk
08-18-2009 11:01 AM
>
> Hi,
>
> In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server.
The only reliable way to store passwords is by using the so-called Secure Storage (see ABAP transaction SECSTORE).
However: the API is not released for general use - but only for certain, known SAP applications.
Maybe the Secure Storage API might become general available (unrestricted usage) in the future - under the precondition that the system is already using the SAPcrypto library. But that's just my personal point of view and should not be taken as official statement.
Regards, Wolfgang
08-05-2009 9:35 AM
08-05-2009 9:38 AM
Hi,
Please use following FM,
g_slen = STRLEN( p_pwd ).
CALL FUNCTION 'HTTP_SCRAMBLE'
EXPORTING
SOURCE = p_pwd
sourcelen = g_slen
key = g_key
IMPORTING
destination = p_pwd.
thanks & regards,
ShreeMohan
08-05-2009 9:44 AM
hi,
slen = STRLEN( pwd ).
key = '26101957'
CALL FUNCTION 'HTTP_SCRAMBLE'
EXPORTING
SOURCE = pwd
sourcelen = slen
key = key
IMPORTING
destination = pwd.
Hope this helps u .
Thanks & regards
08-05-2009 9:53 AM
Hi,
For hiding password at selection screen
INITIALIZATION.
LOOP AT SCREEN.
IF screen-name = 'P_PWD'.
screen-invisible = '1'.
MODIFY SCREEN.
ENDIF.
ENDLOOP.
For Ecrypting,
Use Function Module 'HTTP_SCRAMBLE' as suggested by shreemohan or karan.
Cheers!!
Vimal.
08-05-2009 9:54 AM
Hi,
AT SELECTION-SCREEN OUTPUT.
LOOP AT SCREEN.
IF screen-name = 'P_PWD'. <------- Parameter Name at selection Screen
screen-invisible = '1'. <-------- This will Give u star at Selection Screen
MODIFY SCREEN.
ENDIF.
ENDLOOP.
Thanks & regards,
08-05-2009 9:55 AM
Hi pk ,
You can do one thing in that case , store your password for the FTP server in some Ztable and when the FTP FMs are called at that time you can take the password from the Ztable.
Or you can pass it directly from the selection screen but you can make the password being entered in this form ********.
AT SELECTION-SCREEN OUTPUT.
LOOP AT SCREEN.
IF screen-name = 'P_PWD'.
screen-invisible = '1'.
MODIFY SCREEN.
ENDIF.
ENDLOOP.
Even when you are using the FM 'HTTP_SCRAMBLE' in that case also you will have to provide the password for FTP server in your code or through the selection screen.
Regards,
Anuj
08-05-2009 10:52 AM
Thank you every one for your quick and prompt reply. But I think I need to explain further my requirement. I have developed one Z report program to copy file from ftp location to another server. My Z program will run at back ground , means there is no human intervention. So user can not feed his/her password in a screen. Again 'AB_RFC_X_SCRAMBLE_STRING' is used to send an encrypted password to 'FTP_CONNECT' which is requirement or must for 'FTP_CONNECT' FM. If you look at my code given below before using 'AB_RFC_X_SCRAMBLE_STRING' I have to pass password in MC_PASSWORD.
As suggested by ANUJ SRIVASTAVA to store password in a Ztable , but there also if we able to store the password in encrypted form and same can be decrypt at the time of 'FTP_CONNECT u2018 then only it will full fill my purpose.
So how to hide the password in my source code or store enrypted password in Z table and decrypt the same?
MY ABAP Code:
-
START-OF-SELECTION.
*-- Your SAP-UNIX FTP password (case sensitive)
MC_PASSWORD = u2018test'.
DESCRIBE FIELD MC_PASSWORD LENGTH MI_PWD_LEN IN CHARACTER MODE.
*-- FTP_CONNECT requires an encrypted password to work
CALL 'AB_RFC_X_SCRAMBLE_STRING'
ID 'SOURCE' FIELD MC_PASSWORD ID 'KEY' FIELD MI_KEY
ID 'SCR' FIELD 'X' ID 'DESTINATION' FIELD MC_PASSWORD
ID 'DSTLEN' FIELD MI_PWD_LEN.
CALL FUNCTION 'SAPGUI_PROGRESS_INDICATOR'
EXPORTING
text = 'Connect to FTP Server'.
CALL FUNCTION 'FTP_CONNECT'
EXPORTING
*-- Your SAP-UNIX FTP user name (case sensitive)
USER = 'userid'
PASSWORD = MC_PASSWORD
*-- Your SAP-UNIX server host name (case sensitive)
HOST = 'unix-host'
RFC_DESTINATION = 'SAPFTP'
IMPORTING
HANDLE = MI_HANDLE
EXCEPTIONS
NOT_CONNECTED = 1
OTHERS = 2.
with warm regards,
-PK
08-05-2009 11:14 AM
Hi Pk,
U can create a Variant name where u specify ur Password and username.Than u can create a Background Job with the Variant name.Hope this helps u solve the problem
Thanks and Regards.
Karan
08-05-2009 11:45 AM
Hi Pk ,
You can use the following FMs to encrypt and decrypt the password.
CALL FUNCTION 'FIEB_PASSWORD_ENCRYPT' "FM to encrypt
Use the following FM to decrypt
CALL FUNCTION 'FIEB_PASSWORD_DECRYPT' "FM to decrypt
Regards,
Anuj
08-05-2009 10:07 PM
Variant data is saved somewhere as well. I have opned the thread again for further discussion and ideas...
But I agree with you that the above answers are much worste. Bordering on complete nonsense...
I will move this thread to the security forum, to see what other folks think of it.
Cheers,
Julius
08-06-2009 7:13 AM
Hi Julius,
May be we can use the 2 FM's as suggested by Anuj or may be try the FM('DB_CRYPTO_PASSWORD') for encryp and decrypt the password,so that encrypted password is stored in table and while receiving get the decrypt pswd,
Thanks
Karan
08-12-2009 6:33 AM
Thank you All,
I have solved the problem.
The suggestion given by ANUJ SRIVASTAVA was worthful to me. First I used 'HTTP_SCRAMBLEu2019 to encrypt the password and stored in a Z table and in subsequent FTP connect I read the password from Z table (already encrypted) and passed it to FTP connect.
Also as suggested by Karanb , we can store user name and password in a variant and that can be protected so that no one other than the creator of the variant can change the variant .Again variant data if you stored in protect mode then is not visible to any one even from the tables where that variant data stored .
But anyway, thank you every one.
-Pk
08-18-2009 11:01 AM
>
> Hi,
>
> In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server.
The only reliable way to store passwords is by using the so-called Secure Storage (see ABAP transaction SECSTORE).
However: the API is not released for general use - but only for certain, known SAP applications.
Maybe the Secure Storage API might become general available (unrestricted usage) in the future - under the precondition that the system is already using the SAPcrypto library. But that's just my personal point of view and should not be taken as official statement.
Regards, Wolfgang