ABAP Secure Storage - storing passwords
Never needed to store passwords in an ABAP system... now it's time to learn something new...
I need to store a password, which I use on an ABAP system to connect to a different system,
so I can't store a (one-way) hash.
I came across some function modules like FIEB_PASSWORD_ENCRYPT
(which is using a hardcoded key) or some suggestions of storing a base64 encoded version of the password (gosh!) => both would only prevent anyone from "quickly reading" the password if it is on the screen, not prevent anyone from stealing it.
I also came across SECSTORE (SAP Help Link), which apparently is only usable by SAP components, not by custom applications.
Basically, my need is
get from the DB table in clear form to be able to pass it to the "other system"
I don't want to re-invent the wheel, especially not in a security area.
I think, there MUST be something there that can be used for that purpose...
UPDATE: Why do I need that:
((I am in discussion currently whether this can be turned into basic auth, which is neither more nor less secure (header vs. body). But with basic auth, I can use the destination config, which in turn uses SECSTORE. This discussion is a long story as many parties are involved and the access to the system is multi-layered...))
@sandra-rossi (fixed acronym) FIEB_PASSWORD => whatever encryption, it's symmetric, so basically it's the same value as base64 :/ RFC dest: will add to original question
– iPirat
Sep 11 '18 at 14:33
2 Answers
You can use the SSF_KRN_ENVELOPE function for encryption and SSF_KRN_DEVELOPE for decryption. It uses the RSA standard, so the result may be huge. I prefer to use the ABAP AES class at https://github.com/Sumu-Ning/AES
These functions use system certificates; the AES library needs an IV and keys, so if a user has debug or developer authorization he can get it.
The correct way is to use the standard ways of communication. For example, use a SOAP client with basic authentication and save the password in SOA Manager. Basic authentication can also be used with the HTTP and HTTPS protocols in the SM59 configuration.
thanks, will have a look!
– iPirat
Sep 12 '18 at 19:34
as for standards: yeah I just gave up after weeks of discussion... SOAP or not SOAP is a completely different question. Basic Auth would at least help a lot in terms of "no need to reinvent password storage"
– iPirat
Sep 12 '18 at 19:34
Very bad design. Passwords need to be not-decrypt-able. I don't know Abap so I don't know the right answer but this is definitely not it.
– TheGreatContini
Sep 12 '18 at 19:59
@TheGreatContini: nothing to do with ABAP. If system A needs to send a password to system B, then system A must store it in a decryptable way! (yes, there are other methods of authentication out there, please don't start this discussion here) => do you use a password manager for yourself? does it store your passwords in a non-decryptable way? same principle here!
– iPirat
Sep 12 '18 at 21:38
@iPirat sorry I misread the question and retract my earlier comment.
– TheGreatContini
Sep 13 '18 at 11:14
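The approach the answer above recommends (let an SM59 destination with basic authentication hold the credential, so custom code never stores or reads the password) looks like this in practice. This is an added example, not code from the answer or from SAP; the destination name ZREMOTE_SYSTEM and the path /api/status are assumptions.

```abap
REPORT z_call_via_destination.

" Assumption: an SM59 destination of type G named ZREMOTE_SYSTEM exists, with
" Basic Authentication set in its Logon & Security tab. The destination keeps
" user and password in the system secure store; this report never sees them.
CONSTANTS gc_destination TYPE rfcdest VALUE 'ZREMOTE_SYSTEM'.

DATA: lo_client TYPE REF TO if_http_client,
      lv_code   TYPE i,
      lv_reason TYPE string.

" Resolve the destination: host, TLS settings and credentials all come from SM59.
cl_http_client=>create_by_destination(
  EXPORTING
    destination              = gc_destination
  IMPORTING
    client                   = lo_client
  EXCEPTIONS
    argument_not_found       = 1
    destination_not_found    = 2
    destination_no_authority = 3
    plugin_not_active        = 4
    internal_error           = 5
    OTHERS                   = 6 ).
IF sy-subrc <> 0.
  " sy-subrc = 3 means the user lacks authorization for this destination
  " (authorization object S_ICF); that is how use of the stored credential is restricted
  WRITE: / 'Destination not usable, sy-subrc =', sy-subrc.
  RETURN.
ENDIF.

" Only the relative path is set in code; '/api/status' is an assumed path
cl_http_utility=>set_request_uri( request = lo_client->request
                                  uri     = '/api/status' ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.
IF sy-subrc <> 0.
  WRITE: / 'HTTP call failed'.
ELSE.
  lo_client->response->get_status( IMPORTING code = lv_code reason = lv_reason ).
  WRITE: / 'HTTP status:', lv_code, lv_reason.
ENDIF.
lo_client->close( ).
```

The Authorization header is added by the ICF layer from the destination data, so neither the password nor a decryption key exists in custom tables or code for a developer or debugger to read.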
The option I post here is an option without encryption, but seems "quite secure (tm)". Feel free to comment.
This means that, in a productive ABAP environment, only someone with at least one of the following permissions can access the PW (correct me if I am wrong)
SE16N_INTERFACE and SQVI can be used for getting data from a table which has "N : display/modification not allowed".
– mkysoft
Sep 17 '18 at 11:30
FuBa = German "acronym" for "function module"; never use FIEB_PASSWORD_ENCRYPT/DECRYPT, they are based on the 16th century Vigenère algorithm. Yes, SAP explicitly says not to use SecStore, and as it's rare they are so clear, don't use SecStore. To connect to other systems, use RFC destinations. If you don't want to, please explain why you can't use RFC destinations.
– Sandra Rossi
Sep 11 '18 at 13:43