Where do you store user passwords?

There are several user authentication mechanisms in SAP (ABAP systems). One of them is the classical user password. Yes, there are more modern techniques using certificates, tokens, SSO and so on, but all of them are more complicated to set up and require additional cost to deploy. Therefore passwords are still alive and relevant today.

Of course, as computers (and attackers) have become more capable, password requirements have become stricter: cracking an 8-character password is no longer difficult. Current recommendations say a password must contain letters, digits and special characters, with an acceptable length of 10-12 characters or more. Passwords should be generated randomly, every password should be unique, and under most corporate policies they must be changed every 90 days. How can an ordinary user remember such passwords? And if you are a system administrator, developer or security specialist with dozens of user accounts, what then?

You may write the passwords down in a notebook, but that is neither safe nor convenient. One acceptable way to solve the problem is to use a password manager. Nowadays there are two types of password managers: those that store passwords in the cloud and those that store them on a local drive (or a flash drive). Cloud password managers are convenient, no doubt. But local password managers can be more secure, because you know exactly where your passwords are stored and which protective measures (antivirus, endpoint protection, disk encryption) are applied to them.

Let's talk about local password managers, and specifically about KeePass. KeePass is a free, open-source password manager that helps you manage your passwords securely. You can store all your passwords in one database, which is locked with a master key, so you only have to remember one master key to unlock the whole database. Database files are encrypted with strong, well-vetted algorithms (AES-256, ChaCha20 and Twofish), and the master key is stretched with a key derivation function (AES-KDF or Argon2 in the KDBX 4 format) to slow down brute-force attempts. Keep in mind that the security of the whole database still comes down to the strength of that one master key.

KeePass can store any type of user password (SAP or non-SAP). I'll try to explain how you can use it to manage SAP user passwords more effectively. Consider what has to be done to log in to SAP: start the SAP Logon application, choose one of the configured SAP connections, open the KeePass file, find the needed entry, copy the password and paste it into SAP Logon. That is not very convenient; we just counted about six steps.

PyKeeSAP is a tool that helps you manage SAP user passwords in a KeePass database file. The passwords are stored in the KeePass file and PyKeeSAP manages that file. For example, to log in to SAP you just need to type the command pykeesap login TS1 (where TS1 is the SAPSID) on the command line. So what happens under the hood? PyKeeSAP opens the KeePass file, finds the desired user, loads its username and password, analyzes the saplogon.ini files to work out the required SAP connection, runs the SAP Logon application, opens the SAP connection and enters the username and password. That's almost all. If the password needs to be changed (for example, the previous password has expired), PyKeeSAP generates a new password on its own, sets it and, of course, saves the new information in the KeePass file.
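As an added illustration of the "analyze saplogon.ini to work out the required connection" step, here is example Python written for this article (it is not PyKeeSAP's own implementation) that resolves a SAPSID to its connection parameters from a constructed saplogon.ini. The INI layout, with one ItemN per connection repeated across the [Description], [Server], [Database], [System], [MSSrvName], [MSSrvPort] and [Router] sections, is an assumption based on the classic saplogon.ini format, and the hostnames are made up.

```python
import configparser
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample saplogon.ini (hostnames are made up). The layout, one
# ItemN per connection repeated across the sections below, follows the classic
# saplogon.ini format and is an assumption for this example.
SAMPLE_SAPLOGON_INI = """\
[Description]
Item1=TS1 - Test system
Item2=PRD - Production (logon group)

[Server]
Item1=ts1host.example.local
Item2=

[Database]
Item1=00
Item2=

[System]
Item1=TS1
Item2=PRD

[MSSrvName]
Item1=
Item2=prdms.example.local

[MSSrvPort]
Item1=
Item2=3600

[Router]
Item1=
Item2=/H/saprouter.example.local/S/3299
"""


@dataclass
class SapConnection:
    sid: str
    description: str
    host: str = ""       # application server (direct connection)
    sysnr: str = ""      # instance number, kept as the two-digit string
    ms_host: str = ""    # message server (logon-group connection)
    ms_port: str = ""
    router: str = ""     # SAProuter string, if any

    def uses_message_server(self) -> bool:
        return bool(self.ms_host)


def parse_saplogon_ini(text: str) -> Dict[str, SapConnection]:
    """Map each SAPSID in [System] to the matching ItemN of the other sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'ItemN' keys exactly as written
    cp.read_string(text)
    connections: Dict[str, SapConnection] = {}
    for item, raw_sid in cp["System"].items():
        if not raw_sid.strip():
            continue  # unused slot
        sid = raw_sid.strip().upper()

        def field(section: str) -> str:
            # a missing section or key simply means "not set" for this item
            return cp.get(section, item, fallback="").strip()

        connections[sid] = SapConnection(
            sid=sid,
            description=field("Description"),
            host=field("Server"),
            sysnr=field("Database"),
            ms_host=field("MSSrvName"),
            ms_port=field("MSSrvPort"),
            router=field("Router"),
        )
    return connections


def resolve_connection(text: str, sid: str) -> Optional[SapConnection]:
    """Return the connection for SID (case-insensitive) or None if unknown."""
    return parse_saplogon_ini(text).get(sid.upper())


if __name__ == "__main__":
    print(resolve_connection(SAMPLE_SAPLOGON_INI, "TS1"))
    print(resolve_connection(SAMPLE_SAPLOGON_INI, "PRD"))
```

A direct connection (TS1) carries a host and instance number, while a logon-group connection (PRD) carries a message server and port instead; a tool that launches SAP Logon has to branch on that distinction, which is why the example keeps both sets of fields.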

Thus the user may not know their passwords at all, but the passwords are always complex and comply with any password policy. At any time you can open the KeePass file manually and see the current passwords. In this way PyKeeSAP simplifies the use of KeePass for SAP. But that is not all of its interesting features.
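To show what "complies with any password policy" can mean concretely, here is an added Python example (not PyKeeSAP's code) that generates a password from the OS CSPRNG so that it satisfies minimums modelled on the SAP profile parameters login/min_password_lng, login/min_password_digits, login/min_password_letters, login/min_password_specials, login/min_password_uppercase and login/min_password_lowercase, and a checker that reports which rules a candidate breaks. The SapPasswordPolicy default values and the allowed special-character set are assumptions for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIGITS = string.digits
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
LETTERS = UPPER + LOWER
# Special characters used here. SAP accepts a wider set; this subset (no space,
# quotes or backslash, which break copy/paste and scripts) is an assumption.
SPECIALS = "!@$%&/()=?*+~#-_.,;:{}[]<>|"
ALL_CHARS = DIGITS + LETTERS + SPECIALS


@dataclass(frozen=True)
class SapPasswordPolicy:
    """Minimums modelled on the SAP profile parameters named in the comments;
    the default values are assumptions for this example."""
    min_password_lng: int = 12       # login/min_password_lng
    min_password_digits: int = 1     # login/min_password_digits
    min_password_letters: int = 1    # login/min_password_letters
    min_password_specials: int = 1   # login/min_password_specials
    min_password_uppercase: int = 1  # login/min_password_uppercase
    min_password_lowercase: int = 1  # login/min_password_lowercase
    max_length: int = 40             # SAP NetWeaver 7.0+ accepts up to 40 characters


def policy_violations(password: str, policy: SapPasswordPolicy) -> List[str]:
    """Return the rules the password breaks; an empty list means compliant."""
    counts = {
        "digits": sum(c in DIGITS for c in password),
        "uppercase": sum(c in UPPER for c in password),
        "lowercase": sum(c in LOWER for c in password),
        "specials": sum(c in SPECIALS for c in password),
    }
    counts["letters"] = counts["uppercase"] + counts["lowercase"]
    problems = []
    if len(password) < policy.min_password_lng:
        problems.append(f"shorter than {policy.min_password_lng}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    for name, minimum in (("digits", policy.min_password_digits),
                          ("letters", policy.min_password_letters),
                          ("specials", policy.min_password_specials),
                          ("uppercase", policy.min_password_uppercase),
                          ("lowercase", policy.min_password_lowercase)):
        if counts[name] < minimum:
            problems.append(f"fewer than {minimum} {name}")
    if password[:1] in ("!", "?"):
        # SAP's password rules reject a leading '!' or '?'
        problems.append("starts with '!' or '?'")
    if any(c not in ALL_CHARS for c in password):
        problems.append("contains characters outside the allowed set")
    return problems


def generate_sap_password(policy: SapPasswordPolicy = SapPasswordPolicy(),
                          length: Optional[int] = None,
                          history: Tuple[str, ...] = ()) -> str:
    """Generate a random password that satisfies `policy` and is not in `history`."""
    rng = secrets.SystemRandom()  # OS CSPRNG, not the Mersenne Twister in `random`
    length = length or max(policy.min_password_lng, 16)
    if not policy.min_password_lng <= length <= policy.max_length:
        raise ValueError("requested length is outside the policy's length range")
    while True:
        # satisfy each per-class minimum first, then fill the rest from all classes
        chars = [rng.choice(DIGITS) for _ in range(policy.min_password_digits)]
        chars += [rng.choice(UPPER) for _ in range(policy.min_password_uppercase)]
        chars += [rng.choice(LOWER) for _ in range(policy.min_password_lowercase)]
        chars += [rng.choice(SPECIALS) for _ in range(policy.min_password_specials)]
        # min_password_letters may exceed uppercase+lowercase; top up with either case
        while sum(c in LETTERS for c in chars) < policy.min_password_letters:
            chars.append(rng.choice(LETTERS))
        if len(chars) > length:
            raise ValueError("policy minimums exceed the requested length")
        chars += [rng.choice(ALL_CHARS) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        password = "".join(chars)
        # the shuffle may put '!' or '?' first, or the history may collide: retry
        if password not in history and not policy_violations(password, policy):
            return password


if __name__ == "__main__":
    policy = SapPasswordPolicy()
    print(generate_sap_password(policy))
    print(policy_violations("Password12345", policy))
```

The checker is deliberately separate from the generator: the same function that validates generated passwords can be pointed at a password a user typed, and the generator's retry loop relies on it rather than on a hand-written proof that the shuffle never produces a forbidden first character.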

Everyone knows the login/password_max_idle_productive parameter. It specifies the maximum period for which an unused productive password (a password set by the user) remains valid. Usually the parameter is set to 90 days. That seems logical: if someone hasn't logged in to an SAP system for three months, most likely the employee has left. But there are exceptions. Suppose you are an SAP system administrator or information security specialist. You may have about 50 user accounts in different SAP systems and clients, and you log in only when something happens (for example, a performance or security problem is detected). Therefore it is very likely that you will have to log in to an SAP system after your password has expired due to the inactivity timeout.

PyKeeSAP helps with this case too. It can automatically emulate a login to SAP once a month, for example. Thus your passwords never expire and you can always be sure that you can log in to any SAP system at any time. Keep in mind that this deliberately defeats the idle timeout on those accounts, so it should be agreed with your security policy and limited to the accounts that really need it.

What else is interesting? For example, PyKeeSAP can quickly change one or all passwords in its KeePass file in case of compromise. For more information, download the project and read the README file. I will note that PyKeeSAP is an open-source project, so you can verify that no harmful actions are performed with your stored passwords.
