11-08-2007 8:09 PM
Hello Colleagues,
In a 46C system, we want to implement a new solution for security. This solution is the following:
A user locks his account, for example because he forgot it, and after 3 attempts his user is locked.
After, for example, 15 minutes, a job checks all the users that have this problem, unlocks them automatically, generates a new password, and sends it through the system, by the email in su01. Can this password be sent encrypted? How can we do it?
Thanks in advance,
Pedro.
11-09-2007 7:29 AM
Simply do not do this, as it is a big flaw in your security.
It is not without reason that SAP blocks users who used a wrong password.
It is a first but major step to keep hackers out the door.
11-09-2007 8:31 AM
If your users tend to forget their passwords quite often, have you ever thought of providing a <b>Single Sign-On solution</b> to them?
If your ABAP servers are operated on the Windows platform, you can consider using the free-of-charge solution provided by <a href="https://service.sap.com/sap/support/notes/352295">SAP Note 352295</a>. Otherwise you have to purchase a partner product - there are many <b>certified SNC solutions</b> available (see <a href="https://service.sap.com/sap/support/notes/66687">SAP Note 66687</a>).
If you search this forum for the keyword 'Kerberos' or 'SNC' you'll find many postings.
Regards, Wolfgang
11-09-2007 10:52 AM
Hello Wolfgang,
My servers are Unix, so I guess the SSO solution does not apply here, or is there a way to use it in Unix systems?
According to note 66687, as of Release 4.5B, you can also use SNC between the SAP System application servers and the Internet Transaction Server (ITS) components (WGate and AGate). As far as I understand, using SNC, it would be possible to make a program to send the users' passwords through the system by mail, to their Outlook email, and the SNC would make the encryption automatically. Correct?
Another doubt about SNC: do I have to buy it, or is there a standard one from SAP?
Thanks in advance.
11-09-2007 10:55 AM
> My servers are Unix, so I guess the SSO solution does not apply here, or is there a way to use it in Unix systems?
Yes, that's right - you need to purchase a partner product in that case.
> As far as I understand, using SNC, it would be possible to make a program to
> send the users' passwords through the system by mail, to their Outlook email, and the SNC would make the encryption automatically.
> Correct?
No - where did you read this?!
Sorry, but SNC does <u>not</u> provide any features to encrypt mail (S/MIME).
11-09-2007 11:17 AM
From note 66687 it is saying the following:
As of Release 4.5B, you can also use SNC between the SAP System application servers and the Internet Transaction Server (ITS) components (WGate and AGate).
So, I thought it could be a mechanism to encrypt the mail.
Do you know any option to encrypt the mails in this scenario that I have told you?
Cheers.
11-09-2007 11:24 AM
I've found <a href="https://service.sap.com/sap/support/notes/149926">SAP Note 149926</a> ("Secure Email: Encryption, Digital Signature"):
<i>"At present, the SAP system does <u>not</u> support encryption or digital signatures for incoming and outgoing e-mails."</i>
<i>"In SAP Web AS Technology Release 6.20 and higher, the missing functions can be covered to some extent by the proxy solution. This is possible as of the Support Packages listed below and <b>requires the use of an additional product ("Secure E-mail Proxy")</b>."</i>