Monalisa Biswal

AES Encryption in ABAP

Introduction

Recently we had a requirement in our organization to encrypt all data transmitted from SAP to external systems, as an additional layer of security. The requirement was to AES-256 encrypt and Base64 encode the information shared between the systems. Encryption and decryption use a common (symmetric) key that is generated in SAP and shared with the external system through an automated email from the system. Note that plain email is not a confidential channel for key material; in production the key should be delivered over an encrypted channel or out of band.

SAP Class/Function Modules used for the process:

  • CL_SEC_SXML_WRITER implements the generation of the AES key and the encryption/decryption of the information.
  • The function modules SCMS_BASE64_ENCODE_STR and SCMS_BASE64_DECODE_STR are used for Base64 encoding and decoding.

High Level Process Flow

Following are the steps and sample code we have used for encryption/decryption.

Generate Encryption Key

We use the following logic to generate the key. The key is stored in a table and then shared with the external systems.

*Sample Code to generate Key:
data: random type xstring,   " 32 random bytes: the AES-256 key
      e_key  type string.

" Let the kernel draw a key of the right length for the chosen algorithm
call method cl_sec_sxml_writer=>generate_key
  exporting
    algorithm = cl_sec_sxml_writer=>co_aes256_algorithm
  receiving
    key       = random.

" Convert the key bytes to a string so it can be stored and shared.
" The external system must end up with exactly the same 32 bytes.
data(lr_conv_key) = cl_abap_conv_out_ce=>create( ).
lr_conv_key->write( data = random ).
e_key = lr_conv_key->get_buffer( ).

 

Decryption

The external system sends AES-encrypted, Base64-encoded data; in SAP we use the following logic to decrypt it. DECRYPT reads the 16-byte IV from the start of its input (IV followed by ciphertext), which is why the IV is prepended before the call.

data: i_key_xstring type xstring,   " 32-byte AES-256 key shared with the external system
      i_iv          type xstring,   " 16-byte IV
      i_xstring     type xstring,
      e_text_dec    type string.

" Fixed all-zero IV used by both sides in this sample: 16 bytes, written as 32 hex digits
i_iv = '00000000000000000000000000000000'.

if i_text is not initial.
  call function 'SCMS_BASE64_DECODE_STR'
    exporting
      input  = i_text
    importing
      output = i_xstring
    exceptions
      failed = 1
      others = 2.
  if sy-subrc <> 0.
    " Not valid Base64: reject the message instead of handing garbage to the cipher
    clear i_xstring.
  endif.
endif.

if i_xstring is not initial.
  " DECRYPT expects IV || ciphertext. The external system does not transmit an IV,
  " so prepend the agreed one here. These 16 bytes (not bits) are the IV, not padding.
  concatenate i_iv(16) i_xstring into i_xstring in byte mode.
  try.
      cl_sec_sxml_writer=>decrypt(
        exporting
          ciphertext = i_xstring
          key        = i_key_xstring
          algorithm  = cl_sec_sxml_writer=>co_aes256_algorithm_pem
        importing
          plaintext  = data(lv_message_decrypted) ).
      " convert the decrypted bytes back to a string for output
      cl_abap_conv_in_ce=>create( input = lv_message_decrypted )->read( importing data = e_text_dec ).
    catch cx_sec_sxml_encrypt_error into data(lo_error).
      " wrong key, truncated or tampered ciphertext and bad padding all end up here;
      " log or raise lo_error->get_text( ) as appropriate and return no plaintext
      clear e_text_dec.
  endtry.
endif.

Encryption:

SAP processes the information and sends the encrypted response back using the following logic. ENCRYPT_IV returns the IV in front of the ciphertext, which the external system does not expect, so the first 16 bytes are removed before Base64 encoding.

data: i_key_xstring type xstring,   " same 32-byte AES-256 key as above
      i_iv          type xstring,   " 16-byte IV
      i_xstring     type xstring,
      lr_xstring    type xstring,
      e_text_enc    type string.

if i_text is not initial.
  " string -> bytes: the cipher works on bytes, not characters
  data(lr_conv_sec) = cl_abap_conv_out_ce=>create( ).
  lr_conv_sec->write( data = i_text ).
  i_xstring = lr_conv_sec->get_buffer( ).

  " fixed all-zero 16-byte IV, the same value the external system uses
  i_iv = '00000000000000000000000000000000'.

  " encrypt using AES256/CBC with PKCS5 padding
  cl_sec_sxml_writer=>encrypt_iv(
    exporting
      plaintext  = i_xstring
      key        = i_key_xstring
      iv         = i_iv
      algorithm  = cl_sec_sxml_writer=>co_aes256_algorithm_pem
    importing
      ciphertext = data(lv_message) ).

  " ENCRYPT_IV returns IV || ciphertext. The external system expects only the raw
  " ciphertext, so drop the first 16 bytes (the IV, not padding; bytes, not bits).
  lr_xstring = lv_message+16.

  call function 'SCMS_BASE64_ENCODE_STR'
    exporting
      input  = lr_xstring
    importing
      output = e_text_enc.
endif.

Sample Output:

Text: Test AES@CBC#PKCS$5
Encrypted Text: B8Q1+w5vH9jG3V/ejYg5igeGNgfX6nvqUGrDnogyDdo=
After Decryption: Test AES@CBC#PKCS$5

Conclusion

This blog post shows how to encrypt and decrypt information in SAP and how to plan the integration with external systems. The sample code works for AES256/CBC with PKCS5 padding, but the CL_SEC_SXML_WRITER class supports other AES algorithms as well. Note that, according to SAP Note 2972991 quoted in the comments below, CL_SEC_SXML_WRITER and the SEC_SXML package are not released for customer use, so treat them as an internal interface that may change.

Please note that along with the encryption key, the external system also needs the IV, which in this sample is the fixed 16-byte value of all zeros (32 hex digits: 00000000000000000000000000000000). The IV is neither a key nor part of the key and does not need to be secret. Its job is to make equal plaintext blocks encrypt differently, and a fixed IV defeats that: with CBC, two messages that begin with the same 16 bytes produce the same first ciphertext block, which is exactly the leak chosen-plaintext attacks exploit. The safer design is a fresh random 16-byte IV for every message, passed to ENCRYPT_IV and transmitted in front of the ciphertext. ENCRYPT_IV already returns it in that position and DECRYPT reads it from there, so the concatenate step and the +16 offset in the code above disappear as well.
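The exchange above seen from the external system's side, as an added example in Go that is not part of the original post and uses only the standard library. It reproduces the post's wire format (AES-256/CBC with PKCS#5 padding, fixed all-zero IV that is never transmitted, Base64 of the raw ciphertext), including the same drop-16-bytes and prepend-16-bytes steps the ABAP code performs, and next to it the per-message random IV variant whose IV || ciphertext layout ENCRYPT_IV produces and DECRYPT reads. The key is a constructed demo value standing in for the 32 bytes SAP generates, text is assumed to be UTF-8 on both sides, and the function names are this example's own. FirstBlockEqual makes the fixed-IV leak visible: two messages with the same first 16 plaintext bytes get an identical first ciphertext block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

const bs = aes.BlockSize      // 16 bytes: AES block size and therefore the IV size
var zeroIV = make([]byte, bs) // the post's fixed all-zero IV; an IV is not a key
// pkcs7Pad appends PKCS#7 padding (the post's "PKCS5"; the same thing for a 16-byte block).
func pkcs7Pad(data []byte) []byte {
	n := bs - len(data)%bs // block-aligned input receives a whole block of padding
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}
// pkcs7Unpad checks every padding byte, so a wrong key or corrupted data is reported, not returned as garbage.
func pkcs7Unpad(data []byte) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return data[:len(data)-n], nil
}

// encryptBlob returns IV || ciphertext, the layout ENCRYPT_IV hands back; a 32-byte key selects AES-256.
func encryptBlob(key, iv []byte, text string) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not bad input
	}
	padded := pkcs7Pad([]byte(text))
	out := make([]byte, bs+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], padded)
	return out
}

// decryptBlob expects IV || ciphertext, the layout DECRYPT reads.
func decryptBlob(key, blob []byte) (string, error) {
	if len(blob) < 2*bs || len(blob)%bs != 0 {
		return "", errors.New("need an IV plus a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(blob)-bs)
	cipher.NewCBCDecrypter(block, blob[:bs]).CryptBlocks(pt, blob[bs:])
	pt, err = pkcs7Unpad(pt)
	return string(pt), err
}

// EncryptFixedIV is the post's wire format: zero IV, never transmitted, Base64 of the raw
// ciphertext. The leading IV is dropped just as the post's "lr_xstring = lv_message+16" does.
func EncryptFixedIV(key []byte, text string) string {
	return base64.StdEncoding.EncodeToString(encryptBlob(key, zeroIV, text)[bs:])
}

// EncryptRandomIV is the safer format: a fresh random IV per message, sent as IV || ciphertext.
// DECRYPT already reads that layout, so SAP needs neither the concatenate step nor a shared IV.
func EncryptRandomIV(key []byte, text string) string {
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(encryptBlob(key, iv, text))
}

// Decrypt handles both formats; with ivTransmitted=false it re-attaches the zero IV exactly
// as the post's "concatenate i_iv(16) i_xstring into i_xstring in byte mode" does.
func Decrypt(key []byte, b64 string, ivTransmitted bool) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if !ivTransmitted {
		blob = append(append([]byte{}, zeroIV...), blob...)
	}
	return decryptBlob(key, blob)
}

// FirstBlockEqual reports whether two Base64 messages start with the same 16 bytes: under a
// fixed IV, plaintexts that start alike encrypt alike, which is exactly what a random IV hides.
func FirstBlockEqual(b64a, b64b string) bool {
	a, _ := base64.StdEncoding.DecodeString(b64a)
	b, _ := base64.StdEncoding.DecodeString(b64b)
	return len(a) >= bs && len(b) >= bs && bytes.Equal(a[:bs], b[:bs])
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo key standing in for the 32 bytes SAP generated
	a, b := EncryptFixedIV(key, "Test AES@CBC#PKCS$5 order 1"), EncryptFixedIV(key, "Test AES@CBC#PKCS$5 order 2")
	c, d := EncryptRandomIV(key, "Test AES@CBC#PKCS$5 order 1"), EncryptRandomIV(key, "Test AES@CBC#PKCS$5 order 2")
	fmt.Println(FirstBlockEqual(a, b), FirstBlockEqual(c, d)) // true false: the fixed IV leaks the shared prefix
	fmt.Println(Decrypt(key, c, true))
}
```

Run it with go run: the first line prints true false, i.e. the two fixed-IV messages share their first ciphertext block while the random-IV ones do not. Decrypt rejects malformed Base64, lengths that are not a whole number of blocks and bad padding (wrong key or tampered ciphertext) with an error instead of returning garbage; on the ABAP side the same conditions surface in the catch block as CX_SEC_SXML_ENCRYPT_ERROR.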

Hopefully this blog post will help in implementing similar requirements where we need to send encrypted information between multiple systems.

25 Comments
      Sandra Rossi

      Interesting post, thank you! Little typoS for CL_ABAP_XML_WRITER -> CL_SEC_SXML_WRITER (or are there some subclasses). Do you know what ABAP release it requires?

       

      Monalisa Biswal
      Blog Post Author

      Thanks Sandra. Yes, the class is CL_SEC_SXML_WRITER, and I corrected the names in the blog.

      I am not sure what the minimum release required for this class is, but it is part of the BC-SEC application component and the SAP-BASIS software component. We have release 740 SP 20 for this component in our system.

      Sourav Rai

      Hi Ma'am,

      Will it work for the RSA algorithm (RSA/ECB/PKCS1 padding)?

      Can you please help me on this.

       

      Ankur Singh

      Hi Saurav,

       

      Can you provide your contact number?

      Please connect with me via SAP Community so that we can exchange a direct message.

      Lars Hvam

      https://github.com/Sumu-Ning/AES is also a possibility, with support for

      "

      • Encryption mode: ECB, CBC, PCBC, CFB, OFB, CTR.
      • Padding standard: None, PKCS #5, PKCS #7

      "

      Frank Koehntopp

      Lars Hvam

      True, I wish SAP would support all the basic algorithms on old versions as well. Having a bit of encryption is better than nothing. Also, is the above released for customer use? Using the secure store is not allowed for customers?

      Former Member

      This Prevention Agreement must be the reason, why all the Secstore, SSFS DAT and Key files are still DES-EDE encrypted.

      Jelena Perfiljeva

      Nice post! To the point and the example is described well.

      Monalisa Biswal
      Blog Post Author

      Thanks Jelena 🙂

      Kishore Reddy Vuppuluri

      What is the reason for 16 bit padding from XSTRING?

      Shailesh Khandarkar

      Hi Monalisa,

       

      How do I download the key as an ASCII file or PGP public key block? And can you recommend how to set the validity?

      liju john

      Any article on RSA/ECB/PKCS1 encryption in ABAP?

      raja palnati

      Hello Monalisa,

      Thanks for the AES content!

      I am trying to use the Decryption logic.

      Error analysis
      An exception has occurred which is explained in more detail below. The
      exception is assigned to class 'CX_SEC_SXML_ENCRYPT_ERROR' and was not caught
      in procedure "DECRYPT" "(METHOD)", nor was it propagated by a RAISING clause.
      Since the caller of the procedure could not have anticipated this
      exception, the current program was terminated.
      The reason for the exception is:
      Error when decrypting XML data

      UNCAUGHT_EXCEPTION CX_SEC_SXML_ENCRYPT_ERROR CL_SEC_SXML_WRITER============CP 12

      Regards,

      Raja

      Mynyna Chau

      For the benefit of all SAP Community members having similar questions, please post your question here: https://answers.sap.com/questions/ask.html That way, your question is addressed with all related experts within SAP Community and your answered question can be found and be helpful for others in future.

      Have a look at our tutorial for asking and answering questions in SAP Community: https://developers.sap.com/tutorials/community-qa.html

      Best regards

      Mynyna (SAP Community moderator)

      Rajesh Velaga

      Hi Monalisa,

      I am trying to decrypt with the below key using the method "cl_sec_sxml_writer=>decrypt", and the data is stored in the file.

      random TYPE string VALUE 'Ut3AvBQbD6AbuMZZMmhA7w6C4zxrN9rD2J8ZKbxpaoM='.

      DATA(lr_conv_key) = cl_abap_conv_out_ce=>create( ).
      lr_conv_key->write( data = random ).
      DATA(lv_key) = lr_conv_key->get_buffer( ).

      DATA(lr_conv_data) = cl_abap_conv_out_ce=>create( ).
      lr_conv_data->write( data = gs_data-data ).
      DATA(lv_data) = lr_conv_data->get_buffer( ).

      cl_sec_sxml_writer=>decrypt(
        EXPORTING
          ciphertext = lv_data
          key        = lv_key
          algorithm  = cl_sec_sxml_writer=>co_aes256_algorithm
        IMPORTING
          plaintext  = DATA(lv_message_decrypted) ).

       

      I am getting the dump at the method - Decrypt. - CX_SEC_SXML_ENCRYPT_ERROR

       

      regards,

      Rajesh Velaga

      Sanjay Naik

      Hi Rajesh,

      I am also getting the same error. Is this solved for you? If so, please explain the steps to me.

       

      Best Regards,

      Sanjay Naik

      Joaquin Murguia

      How should the external system send the encrypted string?

      zeng fangliang

      Hi Monalisa,

      Did you find any alternative solution for RSA encryption?

      Lucy Meng

      Hello experts,

      I'm looking for a way to encrypt JSON data with AES/ECB/PKCS#5Padding in the SAP PO 7.5 receiving REST adapter. Could anyone share any experience, information or advice? I'd appreciate any information!

      Thanks!

      Lucy

      Shekhar Tagra

      I wrote a UDF for that with pretty easy Java code, but I needed to encrypt only a couple of fields. You can also write a custom adapter module and call it in sequence to encrypt the payload. Not sure if SAP has standard adapter modules for AES; it does have them for PGP. See if any of those options work for you.

      Shekhar Tagra

      Per note 2972991: 'Neither the class CL_SEC_SXML_WRITER nor its methods, including the whole SEC_SXML package and SSF functions for en-/decryption, are released for customer usage.
      All existing functions and methods exist exclusively for legal business requirements of SAP genuine applications and originally for web service security (SOAP).'

      Also this note https://launchpad.support.sap.com/#/notes/3074516 

      Marco Hammel

      Hi Monalisa Biswal ,
      I came across your blog post by accident. As part of my job I'm doing code reviews for software including ABAP. I can bet there are many more developers out there just taking benefit from your write up. Sharing your experience is great, however I ask you to be cautiousness, at least when it comes to crypto because people start to copy them without thinking.
      I see some to the typical top 10 mistakes in your example implementation you can find here https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/

      Most prominently: The initialization vector is not a key or part of the key. It needs to be a random value, as otherwise chosen plaintext attacks on the cryptographic implementation become practical no matter the key size. I'd kindly ask you to fix this in your example implementation or put a disclaimer in there to give other developers the chance to not copy the mistake.

      BR

      Marco

      Matthew Billingham

      The encryption/decryption was done with a common key which gets generated in SAP and shared through automated email from the system.

      Hmm. I guess doing it this way will mean that if you lose the key you can always ask on the dark web. Email is inherently insecure. Unless it's encrypted of course... 

      Daniel Hernández

      Hi all,

      I got a conversion error when I try to convert xstring to string after using cl_sec_sxml_writer=>decrypt. The message says something about an error from 4110 to 4103.

      I cannot solve that with any conversion utility.

      Can anyone help me with that error? I am very interested in decrypting in memory.

      Juan