05-27-2010 10:51 PM
When a user logs on to the system through the GUI, is the password going clear text or is it encrypted? What about the Portal?
Also, if there is an interface between two SAP systems, do the IDocs go through using an encrypted protocol (internal network) or is that something you have to implement? Should we be encrypting the transmission? Does SAP provide the functionality or is it something extra?
Thanks,
05-27-2010 11:12 PM
Hi,
With SAP GUI the password is normally entered in the login screen and passed to the SAP server in compressed format, so it is not very secure. This is why SNC is becoming very common. When you use SNC to authenticate during logon with SAP GUI, there is no password transmission, not even an encrypted password. If you are concerned about security, I suggest you look at using SNC for authentication with SAP GUI.
Thanks,
Tim
05-28-2010 12:32 PM
Thank you all. What about interfaces? Is it the same concept?
I just read something online that confused me saying that if the saprouter is used, SNC is not needed. Don't get it?
http://help.sap.com/saphelp_nw04/Helpdata/EN/21/c6a73860bf5f2ce10000009b38f8cf/frameset.htm
Thanks,
05-29-2010 9:55 AM
Hi,
Yes, you have two options. The first one is to use SNC to secure communication between two SAP gateways. The second one is to create a secure channel using SAP router. Here is a scheme from the SAP documentation: gateway1 – SAProuter1 – SAProuter2 – gateway2. Again, SAP router will use SNC to secure communication.
Cheers
05-28-2010 12:50 AM
Hi,
As was mentioned, by default the password is sent as plain text when you use SAP GUI. Actually, it's obfuscated, but by a fixed transformation, so there is no difference. The portal security depends on what protocol you use to access it. HTTPS is the way to go if you don't want passwords in plain text form. IDocs are usually transferred using RFC calls, and there is a similar situation as in the GUI. By default the password goes as plain text unless you use SNC.
I would suggest you start with the security guides for your SAP products. You can find them on service.sap.com/securityguides (http://service.sap.com/securityguide) and they contain answers for all your questions.
Cheers