Application Development Discussions
How to check SAP User/Password from a third party with an RFC? (Encrypted)

Former Member
0 Kudos
1,518

Hi,

I made an RFC to check user/password in R/3. It has two input parameters:

IV_USER

IV_PASSWORD

Example:

IV_USER = ROBERTW

IV_PASSWORD = bed123

I'm using function SUSR_LOGIN_CHECK_RFC and it works fine.

The RFC is called from an external third party device via SAP PI. The third party asks for the user and password and then calls the RFC to check if the values are correct.

Here is the thing. The password isn't encrypted. I want to send the password encrypted, but I don't know how to check if it's the correct password.

Any ideas ?

1 ACCEPTED SOLUTION

Former Member
0 Kudos
803

Thank you both for the suggestions, thanks for the help !

I'm going to keep the question open so I can post the implementation when I'm done.

15 REPLIES 15

bryan_cain
Contributor
0 Kudos
803

USR02-PASSCODE stores the hashed password. Assuming you used the same hashing algorithm you could compare them, although without doing more research I don't know if or how SAP might be salting that hash.

Former Member
0 Kudos
803

Agree upon an encryption methodology; both use the same. The 3rd party will encrypt and you will decrypt using the same key, then call the RFC. For that you need a wrapper RFC ZFuncModule which internally will call this SUSR_LOGIN_CHECK_RFC.

0 Kudos
803

And what happens if a fourth party hacks the key?

Rob

0 Kudos
803

Rob,

Do you mean to say 4th party -> 3rd party -> PI -> SAP?

But still the 4th party needs the password, right? Without the password what will they do with the key? Keep generating passwords?

0 Kudos
803

Given both the key and the encrypted password, a hacker could determine the password.

This is why we use both public and private keys to encrypt and decrypt data.

Rob

0 Kudos
803

How would the bot know the encrypted password?

Rob, I am not arguing, just trying to know what you have experienced.

0 Kudos
803

I have no experience here, but I do know that single key encryption is weak. Have a look at [Public-key cryptography|http://en.wikipedia.org/wiki/Public/private_key_cryptography]

Germany lost the second world war sooner than it would have because it relied on its Enigma encryption/decryption devices. They thought their single key was unbreakable. But Polish code breakers got hold of one and passed it to the British.

Rob

0 Kudos
803

Haha, you went too deep.

The British in that case interfered with the German transmissions to get the encrypted message through the transmission lines (waves). In this case also, only if the 4th party interferes with the message sent from the 3rd party to PI will that cause damage.

Moreover, I am waiting for the OP to tell us where he/she wants the encryption to happen and from whom. I think the result should lean towards that.

Former Member
0 Kudos
803

Marian, it would be better if you describe the flow and where you need the encryption, and from whom you want to hide this password.

Former Member
0 Kudos
803

OP here, sorry for the delay and thanks for your input :).

@Bryan Cain, I've tried to do that but I don't know what hashing algorithm SAP uses to store passwords in USR02. Do you know which one it is?

@Soumyaprakash Mishra and @Rob Burbank, here is the complete scenario.

We built a smartphone application (coded in Java). The communication goes like this:

SMARTPHONE --- via a WebService ---> PI --- via RFC ---> R/3

So, in the Smartphone the user types in ROBERTW / bed123 (user / password) and clicks the button "Login". This data is sent via Web Service to PI, and then to the RFC (a wrapper ZFunction Module that calls SUSR_LOGIN_CHECK_RFC).

I think that a good solution is that the Smartphone encrypts the password (with a private key) and then in R/3 I decrypt the password (with the same private key). But, do you know a hashing algorithm that allows encrypting in Java and decrypting in ABAP?

I want that in the WebService the password is already encrypted, so no one can see "bed123", but instead they see "aaf99839adef" or something like that.

0 Kudos
803

In my 10 minutes of research, I could not find how SAP hashes passwords.

As pointed out above, I don't think you want to use the same key to encrypt and decrypt. If the wrong person gets a hold of your smartphone app they would likely be able to determine the key and therefore be able to intercept and decrypt transmissions. You probably want public/private key encryption. The smartphone app would have your public key. The app could then encrypt the password and only you (with the private key) could decrypt it successfully.

PGP or GPG should do what you need - I believe there are bolt-ons for SAP and there are almost certainly java implementations you could use.
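The difference Rob describes, between a key that is compiled into the app and a key pair whose private half never leaves the R/3 side, is easiest to see in code. The following is an added example, not code from this thread, from SAP or from the OP's Java app; it uses Go's standard library so it runs stand-alone (the thread's app is Java, but the same two primitives, AES-GCM and RSA-OAEP, exist in javax.crypto). The 32-byte shared key, the 2048-bit RSA size and the function names are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Scheme A, the design first proposed in the thread: one secret key compiled
// into the smartphone app and into the ABAP wrapper (constructed 32-byte key).
var appSharedKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptShared seals plaintext with AES-256-GCM; the random nonce is prepended.
func EncryptShared(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptShared is the inverse; anyone holding key can run it.
func DecryptShared(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// SharedKeyRoundTrip reports what the server recovers and whether someone who
// pulled the key out of the app (the thread's "fourth party") can read a captured
// message. Server and extractor hold the identical key, so one call answers both.
func SharedKeyRoundTrip(password string) (recovered string, leaked bool, err error) {
	ct, err := EncryptShared(appSharedKey, []byte(password))
	if err != nil {
		return "", false, err
	}
	pt, err := DecryptShared(appSharedKey, ct)
	if err != nil {
		return "", false, err
	}
	return string(pt), string(pt) == password, nil
}

// Scheme B, what Rob recommends: the R/3 side generates an RSA key pair once and
// only the public half ships inside the app. EncryptForServer runs on the phone
// and needs nothing but that public key (RSA-OAEP with SHA-256, randomized).
func EncryptForServer(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
}

// DecryptOnServer runs in the wrapper that calls SUSR_LOGIN_CHECK_RFC.
func DecryptOnServer(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PublicKeyRoundTrip mirrors SharedKeyRoundTrip. The app-extractor gets only the
// public key, which has no decrypt operation; the closest they can try is some
// other private key, and OAEP decryption with it fails.
func PublicKeyRoundTrip(password string) (recovered string, leaked bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // server-side, done once
	if err != nil {
		return "", false, err
	}
	ct, err := EncryptForServer(&priv.PublicKey, password)
	if err != nil {
		return "", false, err
	}
	recovered, err = DecryptOnServer(priv, ct)
	if err != nil {
		return "", false, err
	}
	otherPriv, err := rsa.GenerateKey(rand.Reader, 2048) // extractor's guess
	if err != nil {
		return "", false, err
	}
	_, attackErr := DecryptOnServer(otherPriv, ct)
	return recovered, attackErr == nil, nil
}
```

Two caveats belong with the public-key version. The app must carry the genuine server public key (pin it in the build; if an attacker can swap the key the phone trusts, they can decrypt what it sends). And OAEP's randomization stops two encryptions of "bed123" from looking alike, but it does not stop a captured ciphertext from being resent as-is to the web service, so the server side still needs its own replay and lockout controls.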

0 Kudos
803

In SE37, go for "*encrypt" and "decrypt*" and press F4.

But I think you should go for a proper security method agreed by both the 3rd party and the ERP owners.

0 Kudos
803

SAP doesn't encrypt / decrypt the passwords in USR02, but uses hashing algorithms instead.
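Bryan's earlier suggestion (compare against the stored hash, if the salt and algorithm were known) and this reply (stored passwords are hashed, not encrypted) are two sides of the same point: a hash can only be verified by recomputing it with the server's salt and algorithm, so a client cannot produce a comparable value on its own. The following is an added illustration, not SAP's algorithm and not code from this thread; the salted, iterated HMAC-SHA256 scheme, the record layout and the function names are all constructed for the example, and nothing here describes how USR02-PASSCODE is actually computed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// StoredCredential is a constructed server-side record: a random per-user salt
// plus a salted, iterated hash. It stands in for "whatever the server stores";
// SAP's real USR02 hashing is not documented on this page.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// slowHash derives a fixed-length digest by iterating HMAC-SHA256 keyed with the
// salt; the iteration count makes offline guessing proportionally more expensive.
func slowHash(password string, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, salt)
	out := []byte(password)
	for i := 0; i < iterations; i++ {
		mac.Reset()
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

// NewStoredCredential is what the server does when a password is set.
func NewStoredCredential(password string, iterations int) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{
		Salt:       salt,
		Iterations: iterations,
		Hash:       slowHash(password, salt, iterations),
	}, nil
}

// Verify is what the server does at login: recompute with the stored salt and
// iteration count, then compare in constant time.
func (c StoredCredential) Verify(password string) bool {
	return subtle.ConstantTimeCompare(slowHash(password, c.Salt, c.Iterations), c.Hash) == 1
}

// ClientSideHashMatches models the idea of hashing on the phone and comparing
// with the stored value directly: without the server's salt and scheme the
// client's digest is simply a different value, so the comparison fails.
func ClientSideHashMatches(password string, c StoredCredential) bool {
	unsalted := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(unsalted[:], c.Hash) == 1
}
```

Even if the client did know the salt and algorithm, sending the resulting digest would just turn the digest into the password: whoever captures it can replay it. That is why the thread's direction (protect the password in transit, let SUSR_LOGIN_CHECK_RFC do the verification) is the right split of responsibilities.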


0 Kudos
803

Hello. Posting the solution, a bit late, but here we go.

I encrypted the file myself in the sender with a private key and decrypted in the receiver with the same private key.

Thanks to all !