Password storage for external site

We may have a need to create a username & password for customers to be able to log into an external custom website to view a list of their orders or their invoices.

I was thinking about setting up username & password custom fields on the customer contact table. But I don’t know how I could set the password so that the sales team could reset it but not see it.

I’m looking for ideas about how to approach this problem.

Bleh, I hate password storage in a DB where a DB backup can fall off a truck and end up being sold to the highest bidder, so PLEASE, before anything else, make sure you are doing encrypted backups, etc. (and not attaching a password.txt next to the backup).
Now that I've got that out of my system (PTSD from doing security reviews), apologies in advance…

First do you really need to store them?
For example, when communicating from server to server you can many times grant access to the SERVER and then set the user context with a different mechanism. You see that in E10 with Impersonation, as an example.

e.g. you can assign an external server as a ‘Service Account’ by adding a User ‘SomeIntegrationUserID’ and giving that E10 User the Impersonation right. Bonus points if that Service User Account is a Windows Domain account and you can enter that as an External Identity in Domain / UserID.

Then when you call the other service you authenticate as the server and pass in the real user name. In E10 this is the ‘OnBehalfOf’ user.

Barring all that, if you REALLY have to come in as a user, is there some form of token you can store for the user instead of a username / password?

Now if all else fails and you really, really need to store a password… where does it need to be in ‘clear text’? Are you calling the other system from an E10 Server BPM? Hopefully not client side, as then you have to protect both the password on the wire and access to the password.

I would check out https://bezl.io/customer-portals/ You get an Azure website with a VPN back to your server. None of the data is stored in the cloud, they just make REST calls back to your server to fetch the data. No worries, no mess.

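As an added illustration of the "reset it but not see it" requirement from the original question (this is example code, not code from the thread, from Epicor, or from bezl.io): the separate portal database stores only a salted, stretched hash of each customer password, and a staff-initiated reset hands out a one-time token that the customer redeems to choose a new password, so the sales team never sees or sets a password. The in-memory `ACCOUNTS` dict standing in for the portal database, the `cust_num` link back to the ERP customer record, the one-hour token lifetime and all field names are assumptions for the example. Python standard library only.

```python
"""Added example: hashed password storage plus a staff-initiated, customer-completed
reset flow for a customer portal. Not the thread's or Epicor's code; the portal
database is simulated with an in-memory dict (assumption)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # current OWASP minimum for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 3600        # assumed one-hour validity for a reset token, in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash; the plaintext is never stored anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Used so that a login attempt for an unknown username costs one PBKDF2 run,
# the same as a wrong password for a known user (no username enumeration by timing).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def _token_fingerprint(token: str) -> str:
    # Reset tokens are 256-bit random values, so an unsalted SHA-256 is enough:
    # a leaked fingerprint cannot be brute-forced back to the token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class PortalAccount:
    cust_num: int                 # assumed link back to the ERP customer (CustomerCnt) record
    username: str
    password_hash: str = ""       # only ever a hash, never the password
    reset_token_hash: str = ""    # fingerprint of the outstanding one-time token, if any
    reset_expires: float = 0.0    # epoch seconds


# Constructed stand-in for the separate portal database mentioned in the thread.
ACCOUNTS: Dict[str, PortalAccount] = {}


def create_account(cust_num: int, username: str, password: str) -> PortalAccount:
    acct = PortalAccount(cust_num, username, password_hash=hash_password(password))
    ACCOUNTS[username] = acct
    return acct


def login(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None or not acct.password_hash:
        verify_password(password, _DUMMY_HASH)   # burn the same time, then refuse
        return False
    return verify_password(password, acct.password_hash)


def staff_start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Called by the sales team. Returns a one-time token to be delivered to the
    customer out of band (e.g. an e-mail link); only its fingerprint is stored.
    Staff never learn a password: the customer chooses it when redeeming the token.
    The existing password stays valid until the reset completes."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = _token_fingerprint(token)    # overwrites any earlier token
    acct.reset_expires = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    return token


def customer_complete_reset(username: str, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Customer redeems the token and sets a password of their own choosing."""
    acct = ACCOUNTS.get(username)
    if acct is None or not acct.reset_token_hash:
        return False
    now = now if now is not None else time.time()
    if now > acct.reset_expires:
        acct.reset_token_hash = ""                        # expired: discard it
        return False
    if not hmac.compare_digest(acct.reset_token_hash, _token_fingerprint(token)):
        return False                                      # wrong guess: token stays valid
    acct.password_hash = hash_password(new_password)
    acct.reset_token_hash = ""                            # single use
    acct.reset_expires = 0.0
    return True
```

The point of the split between `staff_start_reset` and `customer_complete_reset` is that the row a backup could leak, and the screen a salesperson can see, contain only a hash and a token fingerprint; the plaintext password exists only in the customer's browser session for the moment it is hashed.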

What is the list of places where we typically store a password? Here are some examples that I believe are relevant.
I know of a few where we did or do:

  • ECC - in order to access/update the ERP data, I believe it somehow has a stored account/password into the system to enter orders

  • Service Connect scripts?

  • Task Manager

  • Company Maintenance in ERP:

    • SMTP Server info

    • SSRS Report server

    • Service Connect Options

When I say ‘customer’ I mean the customer in the Epicor system.

The customers are not Epicor users in the system; they are in the CustomerCnt table. They would never log into the Epicor system.

But I think I have a solution in mind that will work. I’ll store the passwords outside of Epicor in a separate database.

I’ll look into these guys they seem promising.

I believe that CommerceConnect does exactly that with both Customers and Suppliers.