
A standard way to find out the password of PI* service users. Is it a serious security bug?

From my point of view the answer is: “yes, of course”.

What would you think if I told you that just by running a function module through transaction SE37 you could get the password of PIISUSER in clear text?

When I first found this out, several questions inevitably crossed my mind:

  • Will this password be the same as PIAPPLUSER's, or even PISUPER's?
  • And why not the same as the J2EE_ADMIN user, SAP*, SIDADM…?
  • Could I simulate an external third-party system and send messages into PI for processing by logging on with any of these users?
  • …

Surely you are thinking that all these questions could be related to, or intended for, “malicious” or “fraudulent” actions. That has been the main reason I decided to write this blog.

I mean, this blog is not intended to show ways of hacking PI systems, but to describe the possible consequences if these credentials reach inappropriate hands or people with deep knowledge of PI, in order to set out some recommendations and strong security policies for PI system administrators so that they can prevent this kind of action.

Let’s get to the point.

While working on a PI issue I ran into the function module SAI_AE_DETAILS_GET (what this function does or what it is used for is outside the scope of this blog).

When I googled it, I found many entries discussing this function, but none mentioning that it returns the password of PIISUSER in clear text.

Anyway, the point is that if you run this function module in SE37 and enter the AE name (af.<SID_SYSTEM>.<host_system_name>) as the parameter, the function returns the URL of the adapter engine to which messages must be directed, together with the credentials needed to log on to that URL (PIISUSER and its password in clear text).



So, first of all: is it usual that a function module returns a password in clear text?

Secondly, what does knowing the password of PIISUSER imply?

Nowadays, in current releases of SAP NetWeaver PI (excluding AEX 7.3x, to which this issue does not apply), after installing the system you must run an initial configuration wizard in which the PI* service users are created. In the initial step of this wizard you are prompted to enter a master password for all these service users. This password may or may not be the same as the installation master password of the main administrator users (J2EE_ADMIN, SIDADM, DDIC, etc.). The user who runs the wizard (usually the same user who installed the system) can decide whether or not to use the same master password. Who can know?

Note: I can't remember whether XI*/PI* service users were created during the installation of the XI/PI system in releases XI 3.0 and PI 7.0, or during the execution of the initial configuration wizard as happens with current releases. For more information about PI* service users refer to the following link:

What is very likely, and is not taken into account as it should be, is that this wizard also creates the user PISUPER with this password; if it is not changed later it will remain the same as PIISUSER's. The problem is that not everybody knows (basis administrators included) that PISUPER is created as a “log-on” (dialog) user with admin roles, rather than as a system user like the rest of the PI* users. So knowing the PIISUSER password can mean nearly full access to the PI system if you log on as PISUPER.

On the other hand, knowing the PIISUSER password means knowing the PIAPPLUSER password as well, which means that I could send a message to the PI system using these credentials (as if I were a trusted system) and this message would be processed like any other validated message. Obviously you would need to know the schema and metadata of the message, but that is not a major problem for PI developers, is it? The problem is that such a message can contain intrusive, dangerous or damaging content.

So, regarding your PI system's security (in any environment: development, test, production): if you want your system to be safer, you should follow at least these recommendations:

  • Restrict access to transaction SE37. At the very least, restrict execution of the function module SAI_AE_DETAILS_GET. However, there are other tricky ways to run a function module, which I am not going to describe, so you are still not totally safe.
  • Check the PISUPER user's password. If it is the same as PIISUSER's, change it. Do the same for the other admin users: SAP*, SIDADM, J2EE_ADMIN, etc.
  • I would tell you to change the PI* users' passwords, but even if you change all of them (which can be a bit of a mess, as everybody knows), whenever you run the above function again you will get the new password. At least PIISUSER's password …
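A small screening script for the two checks these recommendations imply (who starts SE37 on the PI system, and whether PI service accounts are used for interactive logons), as an added example that is not part of the original post. The log layout, the SE37 allow-list and the Security Audit Log message IDs AU1/AU3 it keys on are assumptions made for the constructed sample, not SAP's real SM20 export format.

```python
"""Screen a simplified Security Audit Log export for SE37 starts by
users outside an allow-list and for dialog logons with PI service users.
Layout assumed here (constructed, not SAP's SM20 format):
DATE TIME USER TCODE MSGID TEXT. AU1 = logon successful, AU3 = transaction
started are assumed to carry their usual SAL meaning."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines; the layout is an assumption for this example.
SAMPLE_LOG = """\
20120905 081501 BASIS01   SE37   AU3 Transaction SE37 Started
20120905 081522 DEV_JOHN  SE37   AU3 Transaction SE37 Started
20120905 082010 PISUPER   SESSION_MANAGER AU1 Logon Successful (Type=A)
20120905 082344 PIISUSER  -      AU1 Logon Successful (Type=B)
20120905 083000 DEV_JOHN  SE80   AU3 Transaction SE80 Started
"""

# Users allowed to run SE37 at all on this system (assumed allow-list).
SE37_ALLOWED = {"BASIS01"}
# PI accounts that should never appear in an interactive (Type=A) logon.
SERVICE_USERS = {"PISUPER", "PIISUSER", "PIAPPLUSER"}

LINE_RE = re.compile(r"^(\d{8})\s+(\d{6})\s+(\S+)\s+(\S+)\s+(AU\w)\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def scan_audit_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the assumed layout; skip it
        _date, _time, user, tcode, msgid, msg = m.groups()
        if msgid == "AU3" and tcode == "SE37" and user not in SE37_ALLOWED:
            findings.append(Finding(user, "SE37 started by non-allow-listed user"))
        if msgid == "AU1" and user in SERVICE_USERS and "Type=A" in msg:
            findings.append(Finding(user, "dialog logon with a PI service user"))
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_LOG):
        print(f"{f.user}: {f.reason}")
```

The PIISUSER line is deliberately left unflagged because it is a system (Type=B) logon, which is how that account is meant to be used.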

Edited on Sep 05, 2012

Adding further related content, Sunil Chandra's blog: Another way to find piisuser's password

      Nageshwar Reddy

      I believe this is a serious security issue.

      Bringing it to the attention of William Li and Mariana Mihaylova to see if anything can be done from SAP.

      Former Member

      Thank you for bringing this to our attention. We are looking into this security hole.



      William Li

      Former Member

      Hope it has been useful.



      Prateek Raj Srivastava

      I am not sure if I should thank you for sharing this.

      I hope that the administrators follow some basic guidelines for PI in production unless there is a fix for this such as

      • No access whatsoever to SE37 in PI production
      • Different password for various service users



      Prateek Raj Srivastava

      Former Member

      I see you.

      I was not sure that I'd published it either. But finally, I did it!



      Former Member



      There are also other FMs or classes that you could use to read service user passwords like the morning newspaper. Since you have 2 stacks and both of them communicate, it's rather inevitable that it can't be hidden from a skilled ABAP developer/debugger, so please do not reveal them all.