4
votes

I never needed to store passwords in an ABAP System.. now it's time to learn something new...

I need to store a password, which I use on an ABAP System to connect to a different system, so I cant store a (oneway) hash.

I came across some function modules like FIEB_PASSWORD_ENCRYPT (which is using a hardcoded key) or some suggestions of storing a base64 encoded version of the password (gosh!) => both would only prevent anyone from "quickly reading" the password if it is on the screen, not prevent anyone from stealing it.

I also came across SECSTORE (SAP Help Link), which apparently is only usable by SAP components not by custom applications.

Basically, my need is

  • store password in some DB table in encrypted form

  • impossible (at least very hard) to get the pw by plain select on that table

  • get from the DB table in clear form to be able to pass it to the "other system"

  • I don't want to re-invent the wheel, especially not in a security area.

I think, there MUST be something there that can be used for that purpose...

UPDATE Why do I need that:

  • I'm accessing an HTTPS System (destination type G) and all connection params are configured in the destination.
  • unfortunately, a PW needs to be transmitted in body as form parameter

Disclaimer: I am in discussion currently whether this can be turned into basic auth, which is neither more nor less secure (header vs. body). But with basic auth, I can use the destination config, which in turn uses SECSTORE. This discussion is a long story as many parties are involved and the access to the system is multi-layered...

2
FuBa = German "acronym" for "function module" ; never use FIEB_PASSWORD_ENCRYPT/DECRYPT, they are based on the 16th century Vigenere algorithm. Yes SAP explicitly say to not use SecStore, as it's rare they are so clear, don't use SecStore. To connect to other systems, use RFC destinations. If you don't want, please explain why you can't use RFC destinations. - Sandra Rossi
@sandra-rossi (fixed acronym) FIEB_PASSWORD => whatever encryption, it's symmetric, so basically its same value as base64 :/ RFC dest: will add to original question - iPirat

2 Answers

5
votes

You can use SSF_KRN_ENVELOPE function for encrypt and SSF_KRN_DEVELOPE for decrypt. It use RSA standart so result may be huge. I prefer use ABAP AES class at https://github.com/Sumu-Ning/AES

These functions using system certificates, AES library needs IV and keys so if user has debug or developer authorization he can get get it.

Correct way is using standard ways for communication. For example using SOAP client with basic authentication and save password in SOA manager. Also basic authentication can be used http and https protocols in SM59 configuration.

0
votes

The option I post here is an option without encryption, but seems "quite secure (tm)". Feel free to comment

  • store the password in a DB table as plain text
  • set that table as "N : display/modification not allowed"
  • create a program for writing the PW into that table
  • there is no probram that will output the PW.

This means that, in a productive ABAP environment, only someone with at least one of the following permissions can access the PW (correct me if I am wrong)

  • Debugging permissiosn on production (basically no-one)
  • direct DB access (basically no-one)