on 09-01-2015 6:18 AM
Hi,
We are using the web services of an application to integrate with SAP ECC using SAP PI. Web service authentication is based on field values that are passed from the SAP PI mapping (short name and authcode), which act like a user name and password for the services.
The communication is done within the landscape, and the proposal is to use the put payload bean in the communication channel rather than sending the values from the mapping. The issue is that the values sent from the module are not encrypted, so any SAP PI user can view the shortname and authcode. However, this cannot be used for a dialog user, and any user who has SOAPUI access and is in the landscape can trigger a message.
The client has raised a concern about the shortname and authcode not being authenticated. Could you please let me know if there is an optimal solution in this case for how we can encrypt the username and password before they are sent to PI?
We found from the product team that there is no alternative authentication method for the web services other than shortname and authcode.
Thanks and Regards,
Rajesh
We want to encrypt the parameter value that is sent in the communication channel and then decrypt the values before they are sent, so that those values are not visible to the PI users.
We have done PGP encryption and decryption for the message when we are sending it to the banks. However, the client does not want these values to appear and wants to see them encrypted, as the appearance of these values that are passed is a security risk.
Please suggest.
Hi Rajesh,
You have the below options to achieve this requirement:
1) Mask the sensitive data (short name and authcode)
2) Encrypt the whole message and decrypt it at receiver adapter level
3) Restrict the interface monitoring to a specific group or user
To restrict the monitoring, refer to the below blog from Micheal.
For the masking option, refer to the below code:
```java
import java.util.Objects;

class Password {
    final String password; // the string to mask

    Password(String password) {
        // null protection
        this.password = Objects.requireNonNull(password, "password");
    }

    // allow this to be equal to any string
    // reconsider this approach if adding it to a map or something?
    @Override
    public boolean equals(Object o) {
        return password.equals(o);
    }

    // we don't need anything special that the string doesn't
    @Override
    public int hashCode() { return password.hashCode(); }

    // send stars if anyone asks to see the string - consider sending just
    // "******" instead of the length, that way you don't reveal the password's length
    // which might be protected information
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < password.length(); i++)
            sb.append("*");
        return sb.toString();
    }
}
```
Note - I did not try the masking, but it would be good to give it a shot.
regards,
Harish
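The masking option above, applied to a whole payload rather than a single string, as an added example that is not code from this thread or from SAP PI: it builds a masked copy of an XML message for logs or monitoring views and leaves the original string untouched for delivery. The element names `shortName` and `authCode`, the class name `PayloadMasker` and the sample payload are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class PayloadMasker {
    // Assumed element names; the thread does not give the real field names.
    private static final Set<String> SENSITIVE = Set.of("shortName", "authCode");
    private static final String MASK = "******"; // fixed length, hides the real length

    // Returns a masked copy of the payload for logs or monitoring views.
    // The original string is left untouched for delivery to the receiver.
    static String maskForDisplay(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so parsing the payload cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            if (SENSITIVE.contains(all.item(i).getLocalName())) {
                all.item(i).setTextContent(MASK);
            }
        }
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload, not taken from the application in the thread.
        String payload = "<req:Order xmlns:req=\"urn:example\">"
                + "<req:shortName>ACME01</req:shortName>"
                + "<req:authCode>s3cr3t</req:authCode>"
                + "<req:item>42</req:item></req:Order>";
        System.out.println(maskForDisplay(payload));
    }
}
```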
Hello Harish,
We feel masking would be the optimal solution, and found that we need to write an adapter module to mask the values and decrypt them at the receiver channel.
Please let us know if you have any other suggestion or whether the below one is the better solution.
Thanks and Regards,
Rajesh