Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Hide Password in FTP_CONNCET FM

pkb
Participant
0 Kudos

Hi,

In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server. My sample code is like given below

CALL FUNCTION 'FTP_CONNECT'

EXPORTING

*-- Your SAP-UNIX FTP user name (case sensitive)

USER = 'sap1'

PASSWORD = u2018test123u2019

*-- Your SAP-UNIX server host name (case sensitive)

HOST = '10.10.1.44'

RFC_DESTINATION = 'SAPFTP'

IMPORTING

HANDLE = MI_HANDLE

EXCEPTIONS

NOT_CONNECTED = 1

OTHERS = 2

regards,

-Pk

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

>

> Hi,

>

> In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server.

The only reliable way to store passwords is by using the so-called Secure Storage (see ABAP transaction SECSTORE).

However: the API is not released for general use - but only for certain, known SAP applications.

Maybe the Secure Storage API might become general available (unrestricted usage) in the future - under the precondition that the system is already using the SAPcrypto library. But that's just my personal point of view and should not be taken as official statement.

Regards, Wolfgang

13 REPLIES 13

Former Member
0 Kudos

Hi Pk,

Use the FM HTTP_SCRAMBLE before FTP_CONNECT to hide ur Password.

Former Member
0 Kudos

Hi,

Please use following FM,

g_slen = STRLEN( p_pwd ).

CALL FUNCTION 'HTTP_SCRAMBLE'

EXPORTING

SOURCE = p_pwd

sourcelen = g_slen

key = g_key

IMPORTING

destination = p_pwd.

thanks & regards,

ShreeMohan

0 Kudos

hi,

slen = STRLEN( pwd ).

key = '26101957'

CALL FUNCTION 'HTTP_SCRAMBLE'

EXPORTING

SOURCE = pwd

sourcelen = slen

key = key

IMPORTING

destination = pwd.

Hope this helps u .

Thanks & regards

Former Member
0 Kudos

Hi,

For hiding password at selection screen



INITIALIZATION.


  LOOP AT SCREEN.
    IF screen-name = 'P_PWD'.
      screen-invisible = '1'.
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

For Ecrypting,

Use Function Module 'HTTP_SCRAMBLE' as suggested by shreemohan or karan.

Cheers!!

Vimal.

Former Member
0 Kudos

Hi,

AT SELECTION-SCREEN OUTPUT.

LOOP AT SCREEN.
    IF screen-name = 'P_PWD'. <------- Parameter Name at selection Screen
      screen-invisible = '1'.        <-------- This will Give u star at Selection Screen
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

Thanks & regards,

anuj_srivastava
Active Participant
0 Kudos

Hi pk ,

You can do one thing in that case , store your password for the FTP server in some Ztable and when the FTP FMs are called at that time you can take the password from the Ztable.

Or you can pass it directly from the selection screen but you can make the password being entered in this form ********.

AT SELECTION-SCREEN OUTPUT.

LOOP AT SCREEN.

IF screen-name = 'P_PWD'.

screen-invisible = '1'.

MODIFY SCREEN.

ENDIF.

ENDLOOP.

Even when you are using the FM 'HTTP_SCRAMBLE' in that case also you will have to provide the password for FTP server in your code or through the selection screen.

Regards,

Anuj

0 Kudos

Thank you every one for your quick and prompt reply. But I think I need to explain further my requirement. I have developed one Z report program to copy file from ftp location to another server. My Z program will run at back ground , means there is no human intervention. So user can not feed his/her password in a screen. Again 'AB_RFC_X_SCRAMBLE_STRING' is used to send an encrypted password to 'FTP_CONNECT' which is requirement or must for 'FTP_CONNECT' FM. If you look at my code given below before using 'AB_RFC_X_SCRAMBLE_STRING' I have to pass password in MC_PASSWORD.

As suggested by ANUJ SRIVASTAVA to store password in a Ztable , but there also if we able to store the password in encrypted form and same can be decrypt at the time of 'FTP_CONNECT u2018 then only it will full fill my purpose.

So how to hide the password in my source code or store enrypted password in Z table and decrypt the same?

MY ABAP Code:

-


START-OF-SELECTION.

*-- Your SAP-UNIX FTP password (case sensitive)

MC_PASSWORD = u2018test'.

DESCRIBE FIELD MC_PASSWORD LENGTH MI_PWD_LEN IN CHARACTER MODE.

*-- FTP_CONNECT requires an encrypted password to work

CALL 'AB_RFC_X_SCRAMBLE_STRING'

ID 'SOURCE' FIELD MC_PASSWORD ID 'KEY' FIELD MI_KEY

ID 'SCR' FIELD 'X' ID 'DESTINATION' FIELD MC_PASSWORD

ID 'DSTLEN' FIELD MI_PWD_LEN.

CALL FUNCTION 'SAPGUI_PROGRESS_INDICATOR'

EXPORTING

text = 'Connect to FTP Server'.

CALL FUNCTION 'FTP_CONNECT'

EXPORTING

*-- Your SAP-UNIX FTP user name (case sensitive)

USER = 'userid'

PASSWORD = MC_PASSWORD

*-- Your SAP-UNIX server host name (case sensitive)

HOST = 'unix-host'

RFC_DESTINATION = 'SAPFTP'

IMPORTING

HANDLE = MI_HANDLE

EXCEPTIONS

NOT_CONNECTED = 1

OTHERS = 2.

with warm regards,

-PK

0 Kudos

Hi Pk,

U can create a Variant name where u specify ur Password and username.Than u can create a Background Job with the Variant name.Hope this helps u solve the problem

Thanks and Regards.

Karan

0 Kudos

Hi Pk ,

You can use the following FMs to encrypt and decrypt the password.

CALL FUNCTION 'FIEB_PASSWORD_ENCRYPT' "FM to encrypt

Use the following FM to decrypt

CALL FUNCTION 'FIEB_PASSWORD_DECRYPT' "FM to decrypt

Regards,

Anuj

0 Kudos

Variant data is saved somewhere as well. I have opned the thread again for further discussion and ideas...

But I agree with you that the above answers are much worste. Bordering on complete nonsense...

I will move this thread to the security forum, to see what other folks think of it.

Cheers,

Julius

0 Kudos

Hi Julius,

May be we can use the 2 FM's as suggested by Anuj or may be try the FM('DB_CRYPTO_PASSWORD') for encryp and decrypt the password,so that encrypted password is stored in table and while receiving get the decrypt pswd,

Thanks

Karan

0 Kudos

Thank you All,

I have solved the problem.

The suggestion given by ANUJ SRIVASTAVA was worthful to me. First I used 'HTTP_SCRAMBLEu2019 to encrypt the password and stored in a Z table and in subsequent FTP connect I read the password from Z table (already encrypted) and passed it to FTP connect.

Also as suggested by Karanb , we can store user name and password in a variant and that can be protected so that no one other than the creator of the variant can change the variant .Again variant data if you stored in protect mode then is not visible to any one even from the tables where that variant data stored .

But anyway, thank you every one.

-Pk

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

>

> Hi,

>

> In FTP_CONNECT we need to pass user name and password. Here if we pass hard coded password then that thing will be open to all. So my requirement is u201CHow to hide or encrypt FTP user password from user for security reasons?u201D Here I also want to mention that the source code or program name can be hiding from user by setting the tick mark in EDIT LOCK check box in attribute of se38 against the program. But it is not possible to stop access to my Z program source code from those users who are developer or having access to our development or quality server.

The only reliable way to store passwords is by using the so-called Secure Storage (see ABAP transaction SECSTORE).

However: the API is not released for general use - but only for certain, known SAP applications.

Maybe the Secure Storage API might become general available (unrestricted usage) in the future - under the precondition that the system is already using the SAPcrypto library. But that's just my personal point of view and should not be taken as official statement.

Regards, Wolfgang