
[英]ABAP Secure Storage: how to store passwords?

I never needed to store passwords in an ABAP system... now it's time to learn something new...

I need to store a password, which I use on an ABAP system to connect to a different system, so I can't store a (one-way) hash.

I came across some function modules like FIEB_PASSWORD_ENCRYPT (which is using a hardcoded key) or some suggestions of storing a base64 encoded version of the password (gosh!) => both would only prevent anyone from "quickly reading" the password if it is on the screen, not prevent anyone from stealing it.

I also came across SECSTORE (SAP Help Link), which apparently is only usable by SAP components, not by custom applications.

Basically, my needs are:

  • store password in some DB table in encrypted form
  • impossible (at least very hard) to get the PW by plain select on that table
  • get from the DB table in clear form to be able to pass it to the "other system"
  • I don't want to re-invent the wheel, especially not in a security area.

I think there MUST be something there that can be used for that purpose...

UPDATE: Why do I need that:

  • I'm accessing an HTTPS system (destination type G) and all connection params are configured in the destination.
  • unfortunately, a PW needs to be transmitted in the body as a form parameter

Disclaimer: I am in discussion currently whether this can be turned into basic auth, which is neither more nor less secure (header vs. body). But with basic auth, I can use the destination config, which in turn uses SECSTORE. This discussion is a long story as many parties are involved and the access to the system is multi-layered...

You can use the SSF_KRN_ENVELOPE function for encryption and SSF_KRN_DEVELOPE for decryption. It uses the RSA standard, so the result may be huge. I prefer to use the ABAP AES class at https://github.com/Sumu-Ning/AES

These functions use system certificates; the AES library needs an IV and keys, so if a user has debug or developer authorization he can get it.

The correct way is to use the standard ways for communication. For example, use a SOAP client with basic authentication and save the password in SOA Manager. Basic authentication can also be used with the http and https protocols in SM59 configuration.
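As an added illustration of the approach recommended in this answer (this is example code written for this page, not code from the original post or from SAP), the following report calls an HTTPS destination whose basic-auth user and password are maintained in SM59 and therefore live in the system's secure storage. The destination name `ZREMOTE_API`, the form field `action` and the target's behaviour are assumptions; everything else uses the standard `cl_http_client` API. The point is that the credential never appears in custom code or in a custom table; custom code only references the destination by name, and the caller still has to pass the authority check for that destination (authorization object S_ICF).

```abap
" Added example, not from the original post.
" Assumptions: an RFC destination of type G named ZREMOTE_API exists in SM59
" with basic authentication configured, and the target accepts a form POST.
REPORT zdemo_dest_call.

DATA: lo_client TYPE REF TO if_http_client,
      lv_code   TYPE i,
      lv_reason TYPE string,
      lv_body   TYPE string.

" The destination carries host, port, SSL client identity and the basic-auth
" credentials (stored in the secure storage); custom code never sees them.
cl_http_client=>create_by_destination(
  EXPORTING
    destination              = 'ZREMOTE_API'   " assumed SM59 destination name
  IMPORTING
    client                   = lo_client
  EXCEPTIONS
    argument_not_found       = 1
    destination_not_found    = 2
    destination_no_authority = 3   " caller lacks S_ICF authority for this destination
    plugin_not_active        = 4
    internal_error           = 5
    OTHERS                   = 6 ).
IF sy-subrc <> 0.
  WRITE: / 'Destination not usable, sy-subrc =', sy-subrc.
  RETURN.
ENDIF.

lo_client->request->set_method( if_http_request=>co_request_method_post ).

" Only non-secret business parameters go into the form body; the
" Authorization header is added by the framework from the destination.
lo_client->request->set_form_field( name  = 'action'   " assumed field name
                                    value = 'ping' ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).
IF sy-subrc = 0.
  lo_client->receive(
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      OTHERS                     = 4 ).
ENDIF.
IF sy-subrc <> 0.
  WRITE: / 'HTTP call failed, sy-subrc =', sy-subrc.
  lo_client->close( ).
  RETURN.
ENDIF.

" Evaluate the status; a 401 here means the destination's stored credentials
" were rejected by the target, not that custom code handled a password.
lo_client->response->get_status( IMPORTING code   = lv_code
                                           reason = lv_reason ).
lv_body = lo_client->response->get_cdata( ).
WRITE: / 'HTTP status:', lv_code, lv_reason.
lo_client->close( ).
```

This only helps when the target accepts the credential in the Authorization header, which is exactly the basic-auth discussion the question mentions; if the remote side insists on a password in the form body, the destination's secure storage cannot supply it, and the problem moves back to where custom code keeps that value.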

The option I post here is an option without encryption, but seems "quite secure (tm)". Feel free to comment.

  • store the password in a DB table as plain text
  • set that table as "N : display/modification not allowed"
  • create a program for writing the PW into that table
  • there is no program that will output the PW.

This means that, in a productive ABAP environment, only someone with at least one of the following permissions can access the PW (correct me if I am wrong):

  • Debugging permissions on production (basically no-one)
  • direct DB access (basically no-one)
