Interface Transmission Encryption & Password Encryption

When a user logs on to the system through the GUI, is the password going clear text or is it encrypted? What about the Portal?
Also, if there is an interface between two SAP systems, do the IDocs go through using an encrypted protocol (internal network) or is that something you have to implement? Should we be encrypting the transmission? Does SAP provide the functionality or is it something extra?
Thanks,

Hi,
as it was mentioned by default the password is sent as plain text when you use SAP GUI. Actually, it's obfuscated but by fixed transformation so there is no difference. The portal security depends on what protocol you use to access it. HTTPS is way to go if you don't want passwords in plain text form. IDocs are usually transferred using RFC call ans there is a similar situation as in GUI. By default the password goes as plain text unless you use SNC.
I would suggest you starting with security guides for your SAP products. You can find them on [service.sap.com/securityguides|http://service.sap.com/securityguide] and they contain answers for all your questions.
Cheers

Similar Messages

Does anyone have experience with unzipping a password-encrypted ZipFile??

Does anyone have experience with unzipping a password-encrypted ZipFile??
My Zip Class works fine with every unencrypted file, but when I try to open an encrypted one, i get an error Message ("Encrypted ZIP entry not supported")
Is ist impossible to unzip encrypted ZIPs???

I've searched around a little bit and THIS IS THE SOLUTION!
There is a (beta)version of winzip8 that uses a cli (command line interface)
So, all you have to do is to implement a Runtime.getRuntime().exec(...) in your java program to call winzip8 and pass the zipfile path and the password.
Here's the URL: http://www.winzip.com/wzcline.htm

Default Encrypted Password

Dear All,
i want to insert encrypted Password of 'password' string into table user_dtl column PASSWORD .
How can i insert Encripted password into table.
Thanks

Hi Vedant,
See the CUSTOM_HASH function that is installed with sample application in the APEX.
Here is the code for it:
create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
return varchar2
is
l_password varchar2(4000);
l_salt varchar2(4000) := 'XFSPL28ZTWEWWM6FHWMK68AG5NQVLU';
begin
-- This function should be wrapped, as the hash algorithm is exposed here.
-- You can change the value of l_salt or the method of which to call the
-- DBMS_OBFUSCATOIN toolkit, but you much reset all of your passwords
-- if you choose to do this.
l_password := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5
(input_string => p_password || substr(l_salt,10,13) || p_username ||
substr(l_salt, 4,10)));
return l_password;
end;
i want to insert encrypted Password of 'password' string into table user_dtl column PASSWORD.The above function will give the encrypted password which can be inserted into USER_DTL as follows:
INSERT INTO USER_DTL(USERNAME,PASSWORD) VALUES(:P1_USERNAME, CUSTOM_HASH(:P1_USERNAME,:P1_PASSWORD))Be sure that PASSWORD column in USER_DTL is of type VARCHAR2 and of adequate length as to accommodate the encrypted password.
Hope it helps!
Regards,
Kiran

RBACx Encrypted Password Change Utility

Hi all,
In the OIA/SRM installation guide, there is a reference to a tool, to find out the password of rbacxservice.
"Oracle Identity Analytics utilizes an encrypted password when communicating with the database.
To change the default database password, use the RBACx Encrypted Password Change Utility"
Could you please help me finding out this tool.
Many thanks in advance.
Warm regards,
Manipradeep Sunku.

The mentioned tool only encrypts the password so that you don't have to store a plain text password in the config file. It does not decrypt it. The default rbacxservice password is rbacxservice.
The tool does not come with the OIA/SRM distribution so if you need it, you will need to contact support.

Reset encryption password for NEW iPhone backups

Hello Everyone,
I have an iPhone and iPad which are currently working perfectly. However during testing I figured out that I somehow lost my iTunes backup encryption password. As such I figured I would just change the backup password, delete the old backups, and create NEW backups for which I do know the password to and all would be good (and ready for a future device failure.)
However it appears that iTunes will not allow you to change or disable the encryption password for NEW backups without first knowing the old encryption password. Does anyone know if a way around this?
Thank you for your time.

Thanks!

Encrypted Password in AIAConfigurationProperties.xml

Hi,
During the installation of Primavera P6 to EBS Projects PIP, the Password is getting encrypted in the Service Configuration in AIAConfigurationProperties.xml. Is there any script that we can run so that we can avoid the encryption of the password there by having the flexibility to change the un-encrypted Password as and when required?
<Property name="User.P6EPPM_01.Name">primavera</Property>
<Property name="User.P6EPPM_01.pwd">Se8bfsuMJNvYmKB4mg9L3w==</Property>
Your pointers will be highly appreciated!
Regards,
Chaitanya

Try this:
There's a script that can be used to re-encrypt a new password. If the cleartext password is, say, welcome1, do the following -
- Go to AIA_HOME/Infrastructure/install/install/wlscripts/config
- Run command: ./encrypt.sh welcome1
This is useful for re-encrypting any of the passwords that are captured during installation in the deploy.properties file. I can't say for sure that it is the same encryption that is used for the P6 credentials, but it's worth a try.

HP Password Encryption Utility

Hi There,
I have HP Z230 Workstation. I want to use HP Password Encryption Utility to create a BIOS password which will be saved in an encrypted file. I have downloaded the SoftPaq from HP website (sp69088) but after installation of this SoftPaq I am not able to get the HPQPswd.exe. I have also tried to download different version of HP System Software Manager from HP ftp site but the result was not successful, everytime it didn't create the HPQPswd.exe
I am able to install BIOS Configuration Utilty. My intention is to set a BIOS Password from command promt. Am I missing something. If anyone has any idea, please share with me.
Thanks in advance!
souravdgupta

Hi:
You may also want to post your question on the HP Business Support Forum -- z Workstations section.
http://h30499.www3.hp.com/t5/Workstations-z-series-xw-series/bd-p/bsc-272#.VI77zek5C9I

ITunes will not let me backup and sync to new phone encrypted password??

iTunes will not let me backup and sync to new phone encrypted password?? I've never set a password for my old iPhone 3gs but tried my old Apple ID sign-in passwords to no avail. I've simply sat here so frustrated....my husband sync'd his new iPhone 4 no problem, somehow the checkbox shows Encrypted password and I'm at a loss on how to change this/find the password and transfer my old backup onto my new phone so I can use it. Can anyone help? Tnx

John,
buy an iTunes Music Card and redeem it to your account - the "none" option should be available then.

LDIF Importing a user with a non-encrypted password fails, anywork arounds?

I was able to import a group without issue:
dn: cn=Authenticated,cn=Groups,dc=oraclelinux,dc=com
description: test group
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=orcladmin,cn=People,dc=oraclelinux,dc=com
cn: Authenticated
But when I try to import a standard user:
dn: cn=testuser2,cn=Users, dc=oraclelinux, dc=com
userpassword:: password1
description: test user
objectClass: top
objectClass: person
sn: testuser2
cn: testuser2
It fails if I remove the password field then I can import the user without issue, but I need to include the password field as it is part of what was exported from the old LDAP Server.
If I create a user in an ldif import it then add a password using oracle's Directory Manager upon exporting it the entry loks like:
dn: cn=testuser, cn=Users, dc=oraclelinux, dc=com
authpassword;orclcommonpwd: {MD5}fGoYCzaJagqMAnh+6vsOTA==
authpassword;orclcommonpwd: {X- ORCLLMV}E52CAC67419A9A2238F10713B629B565
authpassword;orclcommonpwd: {X- ORCLNTV}5835048CE94AD0564E29A924A03510EF
authpassword;oid: {SASL/MD5}tUquh+Duowh2aWSEwONtcQ==
authpassword;oid: {SASL/MD5-DN}lcQ7Z5O5vcwzXMeaZ65fYw==
authpassword;oid: {SASL/MD5-U}AAWzkmDDCJLbs9mxoWBTiw==
userpassword:: e1NIQX00NHJTRkpROXF0SFdUQkF2cnNLZDVLL3AyajA9
description: test user
objectclass: top
objectclass: person
sn: testuser
cn: testuser
Changing my imported ldif to look like the following WORKS:
dn: cn=testuser2,cn=Users, dc=oraclelinux, dc=com
userpassword:: e1NIQX00NHJTRkpROXF0SFdUQkF2cnNLZDVLL3AyajA9
description: test user
objectClass: top
objectClass: person
sn: testuser2
cn: testuser2
So the password must be encrypted then?, if so how to I generate a password hash on the command-line and through JAVA?
Can an import be forced with a plain text password (Tivoli, SUN both support this functionality).
Can I change the constraint that the password must contain a numeric char? (Found in document: http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/pwdpolicies.htm#g1051713)
After fixing the constaints I can import a non-encrypted password from an ldif, but it can not be verified and only the authpassword;oid entries are created not the authpassword;orclcommonpwd entries.
Thanks for your assistance,
ERIC GANDT

Eric, my first guess would be that the OID password policy prevents loading of the password i.e. the password doesn't match the existing password policy.
What version is your "old" OID and what is the version of the current OID you're using?
What is the error msg you get?
regards,
--Olaf

Doubts regarding db connection with encrypted password usage in sandbox

Hi All,
We have setup the db connection using configuration file. The configuration file contains db connection information including the encrypted password.
Below are my doubts:
1. If we are going to import the ETL project in zip file directly into the sandbox can we run the graphs directly or we need to check how the password which is encrypted in configuration file will be decoded.
2. Can we directly modify the configuration file for db connection like db connection,user name and password. Suppose I want the graphs to run in some other database which is not specified in configuartion fiel .Can I directly update that?
3.Is it possible to change the encrypted password in the configuration file in the sandbox. Is it that we need to create the project in Integrator Designer, change the password using the Integrator Designer, and then copy the encrypted password into the configuration file in sandbox, or the Endeca provides a functionality to allow user to directly change the password in the sandbox on the Integrator server.
Can someone please let me know their comments on above.
Thanks in Advance.
Regards,
Amrit

can someone please help me on this issue

Powershell script monitor with encrypted password

I have created a powershell script based monitor in my management pack and everything is ok but I can't get my credentials work inside the script. I want to open pssession to another computer with my credentials. I have triple checked that my pssession is
working because I can access it from powershell console.
This works perfectly at local server from PSconsole:
$EncryptedPassword ="01000000d08c9ddf0115d1118c7a00c04fc297eb01000000534b2....etc...etc..."
$pw = convertto-securestring -String $EncryptedPassword
$cred = new-object System.Management.Automation.PSCredential -argumentlist "MyDOMAIN\MyACCOUNT",$pw
$s = New-PSSession -ComputerName "MyServer" -Port MyPort -Credential $cred
But when I run the same lines inside my management pack the convertto-securestring
does nothing, it just wont convert the encrypted password to secure string!
I have tried this plain text method and it works
inside my management pack, but I don't want to use it because you can see the password in plain text:
ConvertTo-SecureString -String "myPlainTextPassword" -AsPlainText -Force
This is the $error variable, so it's basically says that I don't have anything in the password secure string variable because the convertion did not work for some reason:
The argument is null. Provide a valid value for the argument, and then try running the command again. Cannot process argument transformation on parameter 'Credential'. PromptForCredential Exception calling ".ctor" with "2" argument(s):
"Cannot process argument because the value of argument "password" is null. Change the value of argument "password" to a non-null value." The system cannot find the file specified. Exception calling "SecureStringToBSTR"
with "1" argument(s): "Value cannot be null. Parameter name: s" The system cannot find the file specified. Exception calling "SecureStringToBSTR" with "1" argument(s): "Value cannot be null. Parameter name: s"
The system cannot find the file specified.
So is there some known issue with SCOM Agent / management pack when you are dealing with convertto-securestring
function with encrypted passwords?
I used these methods to encrypt the password: Technet article about encryption

I got it to work!
<TypeDefinitions>
<EntityTypes>
<ClassTypes>
<ClassType ID="MyClass" Accessibility="Public" Abstract="false" Base="Windows!Microsoft.Windows.LocalApplication" Hosted="true" Singleton="false" Extension="false"
/>
</ClassTypes>
</EntityTypes>
<SecureReferences>
<SecureReference ID="MyRunAsAccountProfile" Accessibility="Public" Context="System!System.Entity" />
</SecureReferences>
<ScriptBody>param (
[string]$Username,
[string]$Password
$API = new-object -comObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()
$cred = New-Object System.Management.Automation.PSCredential -Argumentlist @($Username,(ConvertTo-SecureString -String $Password -AsPlainText -Force))
$s = New-PSSession -ComputerName "myserver" -Credential $cred
Invoke-Command -Session $s -ScriptBlock { $service = Get-Service -Name Spooler}
$invcom = Invoke-Command -Session $s -ScriptBlock { $service.status}
Remove-PSSession -Id $s.Id
if ($invcom.Value -ne "Running") {
$PropertyBag.AddValue("State","ERROR")
$outputLongLine = "Spooler Service is not running on target server!"
$PropertyBag.AddValue("Description", $outputLongLine)
else {
$PropertyBag.AddValue("State","OK")
$outputLongLine = "Spooler is Running on target server."
$PropertyBag.AddValue("Description", $outputLongLine)
$PropertyBag</ScriptBody>
<Parameters>
<Parameter>
<Name>Username</Name>
<Value>$RunAs[Name="MyRunAsAccountProfile"]/Domain$\$RunAs[Name="MyRunAsAccountProfile"]/UserName$</Value>
</Parameter>
<Parameter>
<Name>Password</Name>
<Value>$RunAs[Name="MyRunAsAccountProfile"]/Password$</Value>
</Parameter>

Unencrypted password length vs. Encrypted password length

Hi,
Can anybody share the formula to get the resulting String length of an encrypted password.
For example: how long will the encrypted String be given a 5 letter unencrypted password?
Will this change across different algo? e.g. MD5/SHA1 and two way hash...
Need this to make sure the database field is of the correct size for the encrypted password...
based on prior experience, the resulting encrypted String is always longer than the inputted password but I cannot find a reference stating the formula...
Thanks in advance

A few things to keep in mind:
1) Do not think of Strings when you are using cryptography. Always think in byte buffers (byte[]). Strings can perform implicit character conversions that will mess up your encryption (and decryption).
2) Do you really need to encrypt the password? Most password files are simply hashed. You can go one step better by adding 'salt' prior to taking the hash.
As for calculating lengths, it depends on the algorithm. But in all likelihood, rather than trying to calculate the exact, expected size, just make the database field larger. (I know, sloppy programming, but space is cheap, especially for storing a password).
- Saish
"My karma ran over your dogma." - Anon

Decrypt the encrypted password

Hi there,
I have been scratching my head for some time to fix one issue. We are planning to change the plateform/technology and we need to bring over existing login to new system. In order to have the same password I need to decrypt the password before I send it to new system. When we stored the password, it encrypts them and stores it in database. I am using following code to decrypt it. it's not worlking . This is error I am getting.
Given final block not properly padded
Here is some more information:
Key is :javax.crypto.spec.SecretKeySpec@18f3a
Format is :RAW
getAlgorithm() is :DES
String encrypted = abcdefgh
Provider is: com.sun.crypto.provider.SunJCE()
This is my code to decrypt which throws error " Given final block not properly padded" :
public String decrypt(String encrypted){
          Cipher ci = null;
          byte [] result = null;
          try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.DECRYPT_MODE, key);
               System.out.println("CryptoUtil()" +"before hexToByteArray. Byte Data: "+encrypted);
               byte [] encryptedData = hexToByteArray(encrypted, false);
               //Log.out("CryptoUtil()" +"after hexToByteArray. lenth: "+ encryptedData.length);
               result = ci.doFinal(encryptedData);
          catch (Exception e) {
               System.out.println("CryptoUtil()" +"ERROR: "+ e.getMessage());
               return encrypted;
          String strResult = new String(result);
          return strResult;
Please help.
Thank you.

These are the two values I am getting for encrypted password:
97654de7857cd9aab331995cba044fc6
a125a6b2a71e23adc002ac7fbe1a1042
Is this a hex code?
I think the key is: abcdefgh
This is my code to encrypt and decrypt:
      * empty constructor
      * @param keydata
     public CryptoUtil(String keydata){
          if (keydata.trim().equals("")){
               logDebug("CryptoUtil()" +" Constructor didn't get a valid key!");
               usage();
               System.exit(0);
          }else{
               keyBytes = keydata.getBytes();
               key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DES");
          try {
               Provider sp = new com.sun.crypto.provider.SunJCE();
               //logDebug("CryptoUtil() " + sp.getInfo());
                Security.addProvider(sp);
              }catch (Exception ex) {
                     logDebug("CryptoUtil() " +"Problem loading crypto provider \n error:"+ex.getMessage());
               usage();
                System.exit(0);
      * Encrypt
      * @param s
     public String encrypt(String s){
          Cipher ci = null;
              byte [] result = null;
              try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.ENCRYPT_MODE, key);
               result = ci.doFinal(s.getBytes());
              }catch (Exception e) {
                    logDebug("CryptoUtil()" +"ERROR: "+ e.getMessage());
          String strResult = byteArrayToHex(result);
              return strResult;
      * decrypt a card number
      * @param encrypted
     public String decrypt(String encrypted){
          Cipher ci = null;
              byte [] result = null;
              try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.DECRYPT_MODE, key);
               //Log.out("CryptoUtil()" +"before hexToByteArray. Byte Data: "+encrypted);
               byte [] encryptedData = hexToByteArray(encrypted, false);
               //Log.out("CryptoUtil()" +"after hexToByteArray. lenth: "+ encryptedData.length);
               result = ci.doFinal(encryptedData);
              catch (Exception e) {
               logError("CryptoUtil()" +"ERROR: "+ e.getMessage());
               return encrypted;
          String strResult = new String(result);
          return strResult;
     static final String hexDigitChars = "0123456789abcdef";
      * @param a
     public static final String byteArrayToHex(byte [] a) {
          int hn, ln, cx;
          StringBuffer buf = new StringBuffer(a.length * 2);
          for(cx = 0; cx < a.length; cx++) {
                hn = ((int)(a[cx]) & 0x00ff) / 16;
                ln = ((int)(a[cx]) & 0x000f);
                buf.append(hexDigitChars.charAt(hn));
                buf.append(hexDigitChars.charAt(ln));
                buf.append(' ');
         return buf.toString();
      * @param str
      * @param rev
     public static final byte [] hexToByteArray(String str, boolean rev) {
          StringBuffer acc = new StringBuffer(str.length() + 1);
          int cx, rp, ff, val;
          char [] s = new char[str.length()];
          str.toLowerCase().getChars(0, str.length(), s, 0);
          for(cx = str.length() - 1, ff = 0; cx >= 0; cx--) {
          if (hexDigitChars.indexOf(s[cx]) >= 0) {
               acc.append(s[cx]);
               ff++;
           }else {
               if ((ff % 2) > 0) acc.append('0');
                    ff = 0;
          if ((ff % 2) > 0) acc.append('0');
          byte [] ret = new byte[acc.length() / 2];
          for(cx = 0, rp = ret.length - 1; cx < acc.length(); cx++, rp--) {
                val = hexDigitChars.indexOf(acc.charAt(cx));
                cx++;
                val += 16 * hexDigitChars.indexOf(acc.charAt(cx));
                ret[rp] = (byte)val;
          if (rev) {
                byte tmp;
                int fx, bx;
                for(fx = 0, bx = ret.length - 1; fx < (ret.length / 2); fx++, bx--) {
                    tmp = ret[bx];
                    ret[bx] = ret[fx];
                    ret[fx] = tmp;
          return ret;
Will that give you any more information to help me?

Reading Encrypted Password from Configuration File and Decrypt it at login

Hi All,
My application reads a configuration file to connect to the ORACLE database. The values defined for password are clear text as given below:
user: 'mh'
password='abcd1234'
Is there is any way I can give an encrypted password in the configuration file instead of a clear text file and at the time of login ORACLE decrypts it. I am using ORACLE 11g Database.
My company have a requirement that passwords are not stored in the clear in properties files. the reason being I suppose that if the password is stored in plaintext someone could hit the property file directly, get the password and then connect to the database with it.
For a regular user connecting through an Oracle client or SQL Developer they would need to have the plaintext password in order to connect.
its based on the requirements of
International Standards Organization Guidance
ISO 17799 � 9.5.4 requires password management systems to:
� enforce the use of individual passwords
� allow users to select and change their own passwords if appropriate
� enforce a choice of quality passwords
� force regular changes of passwords
� maintain a record of previous user passwords to prevent re-use
� not display passwords when they are being entered
� store password files separately from application system data
� store passwords in encrypted form using a one way encryption algorithm
� alter default vendor passwords following installation of software
So if I can store the password encrypted using a one way algorithm then hacker/user couldn't decrypt it and then access the database.
I have feeling there is a way of configuring this in Oracle advanced Security, but just can't quite get it to work.
Edited by: user5568473 on 20-May-2013 00:05

So if I can store the password encrypted using a one way algorithm then hacker/user couldn't decrypt it and then access the database.... and neither can your application. Encryption is needed in this case. The decryption must be written into your application. I've written my own in some cases, but finding a library for your development language is a smarter solution.
One alternative is using an Oracle wallet. It doesn't fit every circumstance and does have some maintenance headaches.
You can set up a basic secure password store to encrypt and store the password for a given user@instance combination, and then connect to the database without passing a password. SQL*Net adds in the appropriate password from the wallet for when you connect.
http://www.oracle.com/technetwork/database/security/twp-db-security-secure-ext-pwd-stor-133399.pdf
Advanced Security Option also allows you to set up a Public Key Infrastructure connections (SSL encryption and/or authentication). It also uses a wallet to store the SSL certificates and credentials. I don't have personal experience on this approach.
SSL and the wallet allow you to connect to the database similar to CONNECT/@net_service_name or sqlplus /@net_service_namehttp://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#CIHCBIEG

How to write a pgm to change the existing encrypted password

Hi all,
can anybody tell me how to write a pgm to change the existing encrypted password.
thanks in advance.

Well, it's going to depend on how it's implemented in the current system.
But basically it's going to look a lot like the current login actions. Presumably you have something that takes the user ID and password, encrypts the password, looks up the encrypted password in the database matching that user ID, and compares them. This functionality would also take a new password (preferably twice so they can be checked for consistency), and if the existing encrypted passwords match, it will encrypt the new password and put it in the database where the old one was.
And if the application has a mechanism for new users to sign up, it'll look a lot like this as well.
But I'm just guessing. This is all going to depend on how the existing functionality is written. Probably the best thing you can do is talk to a programmer at your organization who has worked on the application, and ask them for help.
Hope this helps anyway.

Interface Transmission Encryption & Password Encryption

Similar Messages

Maybe you are looking for