IBM Verify

  • 1.  PAM launcher and encrypted password parameter

    Posted Mon July 24, 2023 08:57 AM
    Edited by Martin Hansgut Mon September 18, 2023 12:36 PM

    If I send the password from the secret to the launcher as a parameter, is this password somehow secured?



    ------------------------------
    Martin Hansgut
    ------------------------------



  • 2.  RE: PAM launcher and encrypted password parameter

    Posted Mon September 18, 2023 12:44 PM
    Edited by Martin Hansgut Mon September 18, 2023 12:44 PM

    I would like to add that this is a question from a customer and I could not find the required information anywhere.

    Alternatively, is there any possibility for the application to ask for the password via the API to the secret in PAM?



    ------------------------------
    Martin Hansgut
    ------------------------------



  • 3.  RE: PAM launcher and encrypted password parameter

    Posted 2 days ago

    Generally yes, the password does get sent to the application, so it's going to be best to try and rotate these credentials for custom launchers after each use. The alternate way to handle this would be to leverage "Session Connector" to do terminal-based launchers. These generate a one-time-use password to connect to an RDS server hosting a terminal application.



    ------------------------------
    Andrew Crandall
    ------------------------------



  • 4.  RE: PAM launcher and encrypted password parameter

    Posted 3 days ago

    Hello Martin,

    If we are implementing it using parameters for custom launchers, this password is sent by the secret server to the client machine and processed by the application running locally. Unless a new method has emerged that I am unaware of, individuals monitoring the traffic can see the password.

    We tested this with a SAP GUI custom launcher and were able to capture the password on the end-user's machine. From this perspective, using RDS appears to be much more secure.



    ------------------------------
    mertcan kasap
    ------------------------------


