
Hide password in table

Former Member
0 Kudos

Hi

My program stores an encrypted password in a z-table.

But how do I protect the password, so that nobody can just use the respective FM to see the password, or create a program to see the passwords?

I use these FM:

DECODE_SLDPWD_BASE64

ENCODE_SLDPWD_BASE64

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Encoding is not encryption, and encryption is decryptable. You need to accept that and protect it.

Having said that, where and why are you "encrypting" the password (for what?) and why are you using these FMs?

Standard SAP functionality (SM59, SICF, etc) offers you a SecureStore solution to protect the data, and protects its call stack from other programs (as you have mentioned).

Please explain the scenario. There might be an easy solution.

Cheers,

Julius
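
Added example, not part of the thread and not SAP code: a Python audit over a constructed table export that flags values which decode as Base64 to printable text, i.e. values recoverable without any key, which is the "encoding is not encryption" point above. The row layout, the column name `secret` and the function names are assumptions; it makes no claim about what the SLDPWD function modules do internally.

```python
import base64
import binascii
import re

# Constructed sample rows standing in for a custom table export; not real data.
SAMPLE_ROWS = [
    {"company": "SDN", "username": "jdoe", "secret": "U3VtbWVyMjAyNCE="},
    {"company": "VendorPortal", "username": "team01", "secret": "cGFzc3dvcmQxMjM="},
    {"company": "Intranet", "username": "jdoe", "secret": "9f8a7c6b5d4e3f2a"},
    {"company": "Wiki", "username": "jdoe", "secret": "plain text note"},
]

# Standard Base64 alphabet with optional padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decodes_without_key(value: str, min_len: int = 8) -> bool:
    """True if value is valid Base64 whose decoded bytes are printable ASCII.

    Such a field is only encoded: anyone with read access to the table
    recovers the content without needing any key material.
    """
    if len(value) < min_len or len(value) % 4 != 0 or not _B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Ciphertext or hashes decode to mostly non-printable bytes; plain
    # text hidden behind Base64 decodes to printable characters only.
    return len(raw) > 0 and all(0x20 <= b <= 0x7E for b in raw)


def audit(rows, column):
    """Return (company, username) keys of rows whose column is merely encoded.

    The decoded content is deliberately not returned or logged.
    """
    return [
        (row["company"], row["username"])
        for row in rows
        if decodes_without_key(row[column])
    ]


if __name__ == "__main__":
    for key in audit(SAMPLE_ROWS, "secret"):
        print("encoded, not encrypted:", key)
```
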

0 Kudos

Hi

It is a z program, where we want to store passwords to different pages etc.

Ex. employee A has access to a webportal at a vendor.

Everybody in the team should be able to see these access details.

A program is made to store these data, so all members in the team can call a program to see that.

The manager also has access to the same webportal at the same vendor, but he/she has access to display more confidential data than employee A (and the rest of the team).

When the user runs the program, the user information, including the password, will be shown to the user.

Therefore the password must be encrypted, so nobody can see it and/or use an FM to decrypt it.

0 Kudos

Tell me something: Does the vendor support this anonymous access or insist on only one account being used?

I can only assume that the manager access is a separate account and they might become suspect when they see their password in plaintext... or does the vendor support an anonymous account on their side which has access to confidential information and they distribute this password?

This requirement sounds very suspect to me in its design...

Just being honest,

Julius

0 Kudos

Okay, I'll try to explain in other words.

I have access to a lot of different systems, and need to remember my different usernames, accounts and passwords.

If I can store my data in SAP, and recall it when I need it, it would be easier.

To be sure that nobody can see my password etc. that I store in SAP, I want to encrypt the data etc., so these details wouldn't be visible to anyone other than the relevant user.

If I, as an example, store my data for my account to this forum, I would store:

company (SDN), username, password and homepage.

When I call the program, and look for login data for SDN - my entry will pop up.

These data should be stored in a secure way, so you as example shouldn't be able to see that, and you shouldn't be able to recall my data.

0 Kudos

> Okay, I'll try to explain in other words as well.

Okay, I'll try to explain in other (blunt) words as well.

=> Stupid idea.

What happens when the password changes?

What happens when you leave?

What happens when someone logs onto the vendor portal and changes the password?

What you should be looking for is either a personal password vault, or interoperability between your SAP system and the vendor portal which supports Single Sign-On.

Many customers also use XI/PI systems for these integrations with vendors...

Back to the topic: The standard mechanisms protect passwords for such "service or system type calls". They do not make the password known to the user, and you can encrypt it during transmission as well.

Cheers,

Julius

0 Kudos

I don't want to do any PI stuff...

This is just login information to a webpage, that I want to store, not an integration or something like that.

My issue is how I protect data.

It could also be a field in a table that was confidential and that I don't want everybody to see. It could be a note about something that shouldn't be visible to everybody who has access to the table, or who could decrypt the field with the FM.

WolfgangJanzen
Product and Topic Expert
0 Kudos

> I have access to a lot of different systems, and need to remember my different username, account, password.

> If I can store my data in SAP, and recall those when I need them, it would be more easy.

What you describe is the standard portal functionality (Single Sign-On across system boundaries).

Kindly notice that "password authentication" is not the only method to authenticate users; actually other authentication mechanisms are more suitable for SSO (Single Sign-On), e.g. X.509 client certificates, SAML 2.0, etc.

0 Kudos

> What you describe is the standard portal functionality (Single Sign-On across system boundaries).

> Kindly notice that "password authentication" is not the only method to authenticate users; actually other authentication mechanisms are more suitable for SSO (Single Sign-On), e.g. X.509 client certificates, SAML 2.0, etc.

Also, Kerberos is sometimes more suitable, especially if users are authenticating against Active Directory before they log on to SAP systems.

0 Kudos

Note that it is a vendor portal. I can only assume that it is not in a domain of the internal AD.

Cheers,

Julius

0 Kudos

> Note that it is a vendor portal. I can only assume that it is not in a domain of the internal AD.

>

> Cheers,

> Julius

That doesn't mean that Kerberos cannot be used. I am aware of many companies that use Kerberos for their vendor portal user authentication.

0 Kudos

Guys, my question is just how I protect my data in a database.

In my example it was a password, because I meant the example was easy to describe, but it could also be that I want to protect, encrypt a birthday or an ID of something.

So please forget anything about login, XI/PI, vendor etc.

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Guys, my question is just how I protect my data in a database.

> In my example it was a password, because I meant the example was easy to describe, but it could also be that I want to protect, encrypt a birthday or an ID of something.

Sorry, but that's not possible. Keep in mind: ABAP source code is visible. So, anyone with access to it can read your "encryption key" if it's contained in the ABAP source code. Furthermore: ABAP does not provide an API for cryptographic algorithms (which are subject of export control).

However: the standard tools (e.g. in ABAP: SM59 to store destination information, including UID/PWD) make use of the so-called "secure storage" (see ABAP transaction SECSTORE). The usage of the "secure storage" is controlled / restricted; only known SAP applications can use the API; and only UID/PWD information is allowed to be stored there (no arbitrary application content).

> So please forget anything about login, XI/PI, vendor etc:

No, that's not the way to solve problems.

You have been asking for help, so the first question will always be: what exactly do you want to achieve.

Only then one can help you by advising to use (existing) functionality.

0 Kudos

How about adding a scandalous affair to your fictitious story, and then Pamela tries to hide her telephone account from JR in a SAP system?

0 Kudos

> Sorry, but that's not possible. Keep in mind: ABAP source code is visible. So, anyone with access to it can read your "encryption key" if it's contained in the ABAP source code. Furthermore: ABAP does not provide an API for cryptographic algorithms (which are subject of export control).

Thanks for your reply, it was helpful.

> > So please forget anything about login, XI/PI, vendor etc:

> No, that's not the way to solve problems.

> You have been asking for help, so the first question will always be: what exactly do you want to achieve.

> Only then one can help you by advising to use (existing) functionality.

I know I mention the pw, and my question was how to store a field encrypted, in this case it was a password, but it could be anything, that shouldn't be "public".

I didn't mention anything about XI/PI, direct access to vendor portal from SAP etc.

0 Kudos

> It is a z program, where we want to store passwords to different page etc.

> Ex. employee A has access to a webportal at a vendor.

> These access details should everybody in the team be able to see.

So this was the scene where Bobby finds the decryption key in Miss Ellie's subroutine, but then Pamela wakes up from a coma to discover that the whole thread was just a dream...