Thursday, February 06, 2014

Why You Should Never Use J2EE_ADMIN for SLD Access

If you have a SAP Java stack (either pure Java or the Java part of a dual stack), you should never use the J2EE_ADMIN account (or any other highly privileged account) to access the SLD.
This is because on most SAP systems the standard out-of-the-box installation and configuration of the SLD does not use SSL for communications to and from the SLD.

If you use the J2EE_ADMIN account to access the SLD, then each authentication request that the SLD issues to the client system (the SAP system querying or updating the SLD) is answered unencrypted.
If the client system responds with the J2EE_ADMIN username and password (because that is what you entered in the NWA or in RZ70), then the username and password are simply combined into a standard HTTP BASIC authentication response (http://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA).

Essentially the username (J2EE_ADMIN) and password are combined into a string of the form <user>:<password> and then encoded (not encrypted) with BASE64.
This is then sent in the clear (unencrypted) across the network to the SLD.
If you have full HTTP tracing turned on in the Java stack, you can see the authentication requests and responses and therefore the password.
If you have a network packet sniffer installed, you can likewise see the authentication requests and responses and therefore the password.
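
To make the exposure concrete, here is an added example (my own illustration, not code from the original post or from any SAP tool) that decodes the BASIC token from a constructed HTTP trace and flags privileged accounts sent over plain http://. It assumes request lines carry absolute URLs; the host names, accounts and passwords in the sample are made up.

```python
import base64
import re

# Accounts that must never be offered as cleartext Basic credentials (extend as needed).
PRIVILEGED_ACCOUNTS = {"J2EE_ADMIN"}

# Request lines in the constructed trace carry absolute URLs, so the scheme is visible.
REQUEST_LINE = re.compile(r"^(?:GET|POST|PUT) (https?)://([^/\s]+)\S* HTTP/1\.[01]$")
BASIC_HEADER = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)$", re.IGNORECASE)

def basic_token(user, password):
    """Build the value a client sends after 'Authorization: Basic' (base64, not encryption)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(token):
    """Reverse basic_token: split on the first ':' only, as passwords may contain ':'."""
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password

def find_cleartext_basic_auth(trace_text):
    """Report every Basic credential sent over plain http:// in an HTTP trace.
    Findings keep the account and target but only the password length, so the
    report is not yet another cleartext copy of the secret."""
    findings, scheme, host = [], None, None
    for line in trace_text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if m:                       # new request: remember where it is going
            scheme, host = m.group(1).lower(), m.group(2)
            continue
        m = BASIC_HEADER.match(line.strip())
        if m and scheme == "http":  # credentials on the wire without TLS
            user, password = decode_basic(m.group(1))
            findings.append({"host": host, "user": user,
                             "password_length": len(password),
                             "privileged": user in PRIVILEGED_ACCOUNTS})
    return findings

# Constructed sample (not a real SAP trace): an SLD data-supplier push over plain
# HTTP with J2EE_ADMIN, then the same push over HTTPS with a dedicated SLD user.
SAMPLE_TRACE = "\n".join([
    "POST http://sldhost:50000/sld/ds HTTP/1.1",
    f"Authorization: Basic {basic_token('J2EE_ADMIN', 'Secret123')}",
    "POST https://sldhost:50001/sld/ds HTTP/1.1",
    f"Authorization: Basic {basic_token('SLDDSUSER', 'Other456')}",
])

if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_TRACE):
        print(finding)
```

Only the plain-HTTP request is reported; the HTTPS one would still be Basic auth, but the token is inside TLS and not readable from a sniffer.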

If you have a SAP PI system, you should really consider using SSL (HTTPS) for the SLD traffic, since it is possible to completely bring down a SAP PI system by causing mayhem in the SLD.
