
Web service authentication method

Former Member
0 Kudos

Hi,

We are using Web Services of an application to integrate with SAP ECC using SAP PI. Web Services authentication is based on the field values that are to be passed from the SAP PI mapping (short name and authcode), which are like a user name and password for the services.

The communication is done within the landscape, and the proposal is to use the put payload bean in the communication channel rather than sending the values from the mapping. The issue is that the values that are sent from the module are not encrypted, and any SAP PI user can view the shortname and authcode. However, this cannot be used for a dialog user, and any user who has SOAPUI access and is in the landscape can trigger a message.

Client has raised a concern of shortname and authcode not being authenticated. Could you please let me know if there is any optimal solution in this case on how we can encrypt the username and password before it is sent to PI?

We found from the product team that there is no alternative authentication method for web services other than shortname and authcode.

Thanks and Regards,

Rajesh

Accepted Solutions (1)

iaki_vila
Active Contributor
0 Kudos

Hi Rajesh

Depending on your PI version, you can use SAP PGP encryption. In the worst case, you can download the Java libraries for JCE, for example, and do the encryption at adapter or mapping level.

Regards.

Former Member
0 Kudos

We want to encrypt the parameter value that is sent in the communication channel and then decrypt the values before it is sent, so that those values are not visible to the PI users.

We have done PGP encryption and decryption for the message when we are sending it to the banks. However, the client does not want these values to appear and wants to see them encrypted, as the appearance of these values that are passed is a security risk.

Please suggest.

Harish
Active Contributor
0 Kudos

Hi Rajesh,

You have the below options to achieve this requirement:

1) Mask the sensitive data (short name and authcode)

2) Encrypt the whole message and decrypt at receiver adapter level

3) Restrict the interface monitoring to a specific group or user

To restrict the monitoring, refer to the below blog from Micheal

For the masking option, refer to the below code:

class Password {

    final String password; // the string to mask

    Password(String password) { this.password = password; } // needs null protection

    // allow this to be equal to any string
    // reconsider this approach if adding it to a map or something?
    @Override
    public boolean equals(Object o) {
        return password.equals(o);
    }

    // we don't need anything special that the string doesn't
    @Override
    public int hashCode() { return password.hashCode(); }

    // send stars if anyone asks to see the string - consider sending just
    // "******" instead of the length, that way you don't reveal the password's length
    // which might be protected information
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        // one '*' per character of the wrapped password
        for (int i = 0; i < password.length(); i++)
            sb.append("*");
        return sb.toString();
    }
}


Note - I have not tried the masking, but it would be good to give it a shot.


regards,

Harish

Former Member
0 Kudos

Hello Harish,

We feel masking would be the optimal solution, and found that we need to write an adapter module to mask the values and decrypt it at the receiver channel.

Please suggest if you have any other suggestion or the below one is the better solution.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ac06cf-6ee2-2c10-df98-e17430ca5...

Thanks and Regards,

Rajesh

Answers (0)