Application Development Discussions

AE Password in clear text

Former Member

Friends,

We have implemented AE 5.2 SP3. We also have SSO in place, which uses the third-party tool Siteminder for authentication, and Apache plays the web server role.

In the AE configuration, we have enabled additional authentication for approvers while approving.

This actually writes the password in clear text in the web server log (Apache).

Are there any options to avoid or encrypt this?

Thanks.

Muthu Kumaran KG

4 REPLIES

Former Member

Please open a message in CSS. GRC Support may be able to help with this query.

Former Member

Dear Muthu Kumaran KG,

Not sure, but see if you can restrict this by setting the proper trace options. Use the Identity Manager debug pages to set trace options on the following classes:

  • com.waveset.adapter.AccessEnforcerResourceAdapter

  • com.waveset.adapter.SAPResourceAdapter

Regards,

Naveen.


@ Susan,

Thanks. I already have a CSS open with the support team.

@ Naveen

Do you think setting the trace on the classes mentioned will stop the password from being written? Never mind, I can try.

Think about this; I don't know whether this will work or not. Share your ideas.

Right now the communication between Apache and NW is over HTTP and the application uses port 80. So whatever is written in the web logs, including the password, is transmitted as HTTP packets.

Generally SSL will be used to secure the communication channel. There are two common types of encryption layers: Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which encode the data records being exchanged.

My infrastructure team's argument is that SSL secures only the communication, which is right. But my point is: if the data exchange between Apache and NW is made HTTPS over 443, will that not encode all the information before it is transmitted and write it in the same encrypted format in the web logs? Not sure whether this works.

Believe me, this issue is taking shape in such a way that this application (AE) cannot be attached to the existing production environment :-(

Regards,

Muthu Kumaran KG


Do we have any update on this? I found something interesting in SAP Help:

Password Security - Secure Programming Java

Are no passwords recorded in log/protocol/trace files?

○ Do not use HTTP GET requests, since all parameters will be found in the URL.

Use HTTP POST requests instead. In general, you should avoid transmitting passwords, in particular with every request you send. Use secure mechanisms instead, such as digital certificates for example.

○ Take into account that the web server logs all the URLs.

○ Passwords may also be displayed in readable form when tracing, depending on the trace settings.

@ Naveen

Regarding the tracing you suggested, this is the feedback from my server team:

1. Web server is owned by different team

2. Just because this application is sending the password in plain text, the settings cannot be changed, since the server is being used by many applications.

3. Moreover, this tracing does not mean that AE will not send the passwords in plain text; instead you are just turning it off.

SAP recommends not using GET, but if you look at the web logs:

Apache Log

==========

sapaccess-access_log.20070717-000000:10.58.73.185 - - [17/Jul/2007:17:24:28 +0000] "GET /AE/validateUser.do?j_user=testuser&j_password=test1234 HTTP/1.1" 200 6631

And at the NetWeaver level the password cannot be displayed (ref. SAP Help: "The SAP NetWeaver platform uses secure hash values to store passwords") since it uses a hash algorithm, but:

[1185458218505][Jul 26, 2007 1:56:58 PM ] - CLIENT: 160000, RESPONSE TIME: 2 [1185458224736][Jul 26, 2007 1:57:04 PM ] - CLIENT: 159744, REQUEST: M {GET /AE/validateUser.do?j_user=testuser&j_password=test1234 HTTP/1.1M

So SAP's own application goes against its own recommendations.

Is there any specific reason for it?

Regards,

Muthu Kumaran KG
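The recurring point of the thread, in the SAP Help excerpt and in both log excerpts, is that a credential sent as a GET parameter lands in every component that records the request line, and TLS does not change that: Apache decrypts the request before it writes the access log, so the URL is logged in the clear either way. As an added example (not code from SAP or from any of the posters), the script below scans Apache Common Log Format lines and free-form trace lines for sensitive query parameters and shows a redaction step a log owner could apply to what has already been written. The sample lines are constructed to mirror the two excerpts above; the IP addresses, the credential values and the list of parameter names in SENSITIVE_PARAMS are assumptions (j_user/j_password are the names actually seen in the thread).

```python
"""Find and redact credentials leaked into web-server logs via GET query strings.

Added example for this thread; not code from SAP or the original posters.
Sample lines are constructed to mirror the Apache access-log and NetWeaver
trace excerpts posted above (IPs, host names and credential values are made up).
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: j_password is the name seen in the thread, the rest are common additions.
SENSITIVE_PARAMS = {"j_password", "password", "passwd", "pwd", "secret", "token"}

# Apache Common Log Format: host ident authuser [time] "request-line" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Fallback for free-form traces: a sensitive name appearing as ?name= or &name=
SENSITIVE_RE = re.compile(
    r"[?&](" + "|".join(sorted(map(re.escape, SENSITIVE_PARAMS))) + r")="
)

SAMPLE_ACCESS_LOG = [
    # constructed: credentials in a GET query string, as in the posted Apache log
    '10.0.0.5 - - [17/Jul/2007:17:24:28 +0000] '
    '"GET /AE/validateUser.do?j_user=testuser&j_password=test1234 HTTP/1.1" 200 6631',
    # constructed: harmless GET with a non-sensitive parameter
    '10.0.0.5 - - [17/Jul/2007:17:24:30 +0000] "GET /AE/index.do?lang=en HTTP/1.1" 200 2048',
    # constructed: POST carries the form in the body, which CLF does not record
    '10.0.0.6 - - [17/Jul/2007:17:25:01 +0000] "POST /AE/validateUser.do HTTP/1.1" 302 0',
]

# constructed: free-form trace line in the shape of the NetWeaver excerpt above
SAMPLE_TRACE_LINE = (
    "[1185458224736][Jul 26, 2007 1:57:04 PM ] - CLIENT: 159744, REQUEST: "
    "{GET /AE/validateUser.do?j_user=testuser&j_password=test1234 HTTP/1.1"
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def leaked_params(target):
    """Sensitive parameter names present in the query string of a request target."""
    query = urlsplit(target).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def scan_access_log(lines):
    """One finding per CLF line whose request URL carries a sensitive parameter."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        leaked = leaked_params(rec["target"])
        if leaked:
            findings.append({"host": rec["host"], "time": rec["time"],
                             "method": rec["method"], "leaked": leaked})
    return findings


def sensitive_params_in_text(text):
    """Sensitive parameter names in any text (for traces that are not CLF)."""
    return sorted(set(SENSITIVE_RE.findall(text)))


def redact_target(target, mask="REDACTED"):
    """Replace the values of sensitive query parameters; the rest of the URL is kept."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, mask if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_line(line, mask="REDACTED"):
    """Redact the request target of a CLF line; non-CLF lines are returned unchanged."""
    m = CLF_RE.match(line)
    if m is None:
        return line
    return line[:m.start("target")] + redact_target(m.group("target"), mask) + line[m.end("target"):]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['host']} {f['method']} leaked {f['leaked']}")
    print(sensitive_params_in_text(SAMPLE_TRACE_LINE))
    for line in SAMPLE_ACCESS_LOG:
        print(redact_line(line))
```

Redacting after the fact only limits exposure of what is already on disk; the fix the SAP Help text points at is to stop putting the password in the URL at all (POST, or a mechanism that does not send a password with every request). A web server owner can also avoid recording query strings by logging the path (%U in Apache's LogFormat) instead of the full request line (%r), but as the thread notes, that setting belongs to whoever owns the shared web server, and it does not stop the application from sending the password in the clear.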