I should have said that we will change all passwords used by PI...and some other applications...on a daily basis.

Actually, it is a good idea because the passwords are managed by Password Vault so we would never have to worry about a password in PI. Everytime a Communication Channel needed a passwrod it would request it from Password Vault. We would not care if they changed them once a day or once a minute since we would no longer have any responsibility for managing passwords...we would simply use whatever password was the current one.

It greatly improves our protection because the passwords would all be random, all have 15 characters (where possible) and would change so often that stealing a password would be of little value.

The rules would not apply to user passwords in AD, in databases or to logon to PI or SAP because, as you mention, noone could keep track of a password that changes daily.

You might be correct but I have no choice since it is a company wide effort that is going to be applied to many situations not just PI. The company has chosen Password Vault as the best way to enable enterprise wide password protection.

Once again. You might be correct about alternate approaches but it is not my choice. We are going to use Password Vault whether the PI group thinks it is a good idea or not.

The only question remaining is whether Password Vault will push the passwords on some sort of schedule which will require that we stop everything, update all the passwords and then restart everything or we will pull the passwords from Password Vault when we need them.

We know how to implement the push scenario from a technology point of view but it is messy and more complex that the pull solution.

We do not know how to implement the pull scenario because we do not know how to write a module that will get called by all Communication Channels when they need a password. This would be a much simpler solution if we could figure out how to implement it...which is the whole reason for this thread.

Actually, this could be a solution that would substitute for the pull solution. In other words get rid of passwords completely. I will suggest we take a look at this option.

I just needed a little time to get my head around the different direction.

> It greatly improves our protection because the passwords would all be random, all have 15 characters (where possible) and would change so often that stealing a password would be of little value.

You should also consider the stealth of someone wanting to steal a password, for which perhaps a minute of validity is all they need.

Personally I think that there are valid reasons for "Password Vaults" such as admin passwords for hundreds of systems & clients and standard users, but a general implementation accessible at runtime wakes some instrinct in me to go looking for the weakest link, or the module which retrieves all the passwords even if they are encrypted, or if not encrypted then it becomes even easier for misuse.

Later you might also want to have a self-service for passwords - should this also be able to change the passwords in the vault? Or there already is a function to set the password in the vault. That could be a real menace... and could easily cause a lockout and / or bring your PI and communication partners to a standstill...

The more places you store a password, the less secure in my opinion.

Cheers,

Julius

Actually, the Password Vault solves the problem of storing the passwrod in multiple places. The theory is that all applications when they need a password at runtime will pull it from the Password Vault so no application will have to store a password.

The problem is applications such as PI that have no ability to pull the password at runtime and do not provide any user hooks, apparently, that would all us to write code that would stand between the Communication Channel and the Password Vault transferring the current password when it is needed.

What you say makes sense but, as I said before, the decision to use passwords is not mine. I suggested we look at alternates such as certificates and got a "deer in the headlights stare" back from a number of people so it is not going to be considered for quite some time if ever.

It might appear as if you have all your eggs in one nest (no further comments about risks related to that and how they could be retrieved) but how will you control the Communication Partners expecting a correct password to be the same and their policies to be the same?

Also what I call "the lowest common security demoninator" kicks in, as some systems might not support 15 characters, special characters, case-sensitive passwords, etc.

Is there no "common authentication method" which these communication partners share with PI which is better than passwords?

You should also consider that some communication partners are less trustworthy than others, and passing the pwd on at runtime from internal systems to external ones might provide an attack vector for an external user - again the lowest common denominator (or weakest link) affects the others as well.

Okay, that is enough gospel now...

An idea: use a system account to invoke the communication with limited access (start a program, some user mapping perhaps, etc) and then do a "call back" to create an application session for the caller (from PI). This is much the same as "trusted RFC" in ABAP systems - using a combination of system trust and authorizations to permit callers in remote systems to logon without a password.

Might be worth looking into, but should be treated with caution.

Cheers,

Julius