Function documentation

Secure Storage for Application-Specific Data

Use

Certain applications or services need to be able to store sensitive data such as passwords. To save such data in encrypted form, they can use the AS Java’s secure storage area. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service.

Note

The server uses the triple DES (Data Encryption Standard) algorithm to perform the encryption.

Storage Approaches

There are two storage approaches available for storing the encrypted data:

·        Centralized storage

With centralized storage, the application or service uses the Secure Storage service on the AS Java to encrypt and decrypt the data. It also stores this data in its secure storage context on the AS Java.

·        Decentralized storage

With decentralized storage, the application or service maintains its own storage area for the encrypted data. It only uses the Secure Storage service on the AS Java for encrypting and decrypting the data.

Prerequisites

The Secure Storage and Key Storage services must be running when an application or service requests access to its secure storage area.

Activities

Obtaining a Context Area

Applications or services that use the AS Java’s secure storage are assigned a designated context area in secure storage where the encrypted data is stored. To receive a context area, the application or service “registers” with the secure storage service.

The first time the application or service requests access to secure storage, no context exists. Therefore, to register it, the system creates a context for the application or service, generates a secret key, and allows the application access to the context for future requests.

The application can then perform the following tasks:

·        Store and retrieve data in its context. The data is encrypted and decrypted using the secret key.

·        Modify or delete data in its context.

·        Generate or exchange keys.

Note

Access to the contexts is protected using code-based permissions so that applications cannot access contexts belonging to other applications.

The secret key is stored in the securestorage keystore view. You can view these keys in the Key Storage service.

The encrypted data is stored in the database.
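The two storage approaches and the per-context secret key described above, as an added Java illustration that is not SAP's code: the class, its method names and the in-memory maps are assumptions standing in for the real Secure Storage service and its database; only the DESede (triple DES) JCE calls are real.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
// Model of the Secure Storage service described above; class, methods and maps are assumptions, not SAP's API.
public class SecureStorageModel {
    private final HashMap<String, SecretKey> contextKeys = new HashMap<>();                // one secret key per context
    private final HashMap<String, HashMap<String, byte[]>> centralStore = new HashMap<>(); // ciphertext the service keeps
    // First access registers the context: create it and generate its own triple DES key.
    public void register(String context) throws Exception {
        if (contextKeys.containsKey(context)) return;
        contextKeys.put(context, KeyGenerator.getInstance("DESede").generateKey());
        centralStore.put(context, new HashMap<>());
    }
    public byte[] encrypt(String context, byte[] plain) throws Exception {
        byte[] iv = new byte[8]; // fresh IV per encryption, prefixed to the ciphertext
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, contextKeys.get(context), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }
    public byte[] decrypt(String context, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, contextKeys.get(context), new IvParameterSpec(blob, 0, 8));
        return c.doFinal(blob, 8, blob.length - 8);
    }
    // Centralized storage: the service encrypts and also keeps the ciphertext in the caller's context.
    public void store(String context, String name, byte[] plain) throws Exception {
        centralStore.get(context).put(name, encrypt(context, plain));
    }
    public byte[] retrieve(String context, String name) throws Exception {
        return decrypt(context, centralStore.get(context).get(name));
    }
    public static void main(String[] args) throws Exception {
        SecureStorageModel svc = new SecureStorageModel();
        svc.register("appA"); svc.register("appB");
        // Centralized: appA hands the secret to the service, which stores it in appA's context.
        svc.store("appA", "dbPassword", "s3cret".getBytes(StandardCharsets.UTF_8));
        // Decentralized: appB keeps the ciphertext itself and only calls the service to encrypt and decrypt.
        byte[] appBOwnStore = svc.encrypt("appB", "api-token".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(svc.retrieve("appA", "dbPassword"), StandardCharsets.UTF_8)
                + " / " + new String(svc.decrypt("appB", appBOwnStore), StandardCharsets.UTF_8));
    }
}
```

Because each context has its own key, ciphertext written for appA cannot be recovered through appB's context; in the real service the code-based permission check described in the note above is what prevents one application from even reaching another's context.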

Replacing an Application’s Secret Key Using the Visual Administrator

You can use the Secure Storage service in the Visual Administrator to replace an application’s secret key, for example, if you think it has been compromised. For more information, see Replacing an Application's Secret Key.

Using Console Commands

For information about using the corresponding console commands, see the shell commands for secure storage in the Reference Manual.
