11-27-2008 10:17 AM
Hello,
just like described in the blog of Mr. Holger Bruchelt
[https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8235] [original link is broken];
I would like to connect an Active Directory server (running on Windows Server 2003)
as a UME datasource to a J2EE Engine NW7.0 (running on iSeries) in order to enable SSO login.
In the step "Connect the UME" I have the problem that the desired configuration
file "dataSourceConfiguration_ads_readonly_db_with_krb5.xml" cannot be selected as the appropriate fields are greyish.
SAP note 994791 is known.
Kind regards
Rüdiger Höckel
apetito AG
11-27-2008 10:23 AM
Here is some additional information:
According to SAP note 718383 changing an existing datasource configuration "dataSourceConfiguration_abap.xml" is not possible.
But my aim is to connect an ADS server as datasource
(dataSourceConfiguration_ads_readonly_db_with_krb5.xml).
Can I use my existing J2EE Engine at all?
The system has evolved like this:
BW 3.5 installation, upgrade to NW2004s, then Java Add In-Installation.
Or is it necessary to install an additional java instance?
I have just experimented a bit:
In the Offline-Configtool the UME Property "Global server configuration ->
services -> com.sap.security.core.ume.service ->
ume.persistence.data_source_configuration" changed like this:
OLD: dataSourceConfiguration_abap.xml
NEW: dataSourceConfiguration_ads_readonly_db_with_krb5.xml
Then I restarted the J2EE cluster.
Result: the server0 process does not start anymore.
But at least now I could enter some values for the LDAP server (in the Offline-Configtool),
choose values from the drilldown list for the several configuration files and so on...
-> but is this the correct way at all?
Kind regards
Rüdiger Höckel
apetito AG
11-27-2008 10:59 AM
11-27-2008 12:20 PM
Hello Fabien,
thanks for your quick reply.
The problem is that I don't want to start the SPNego wizard before I can enter the LDAP information in the offline configtool.
It's not the SPNego wizard that has an error.
I can't use the "Part 2" of the blog (Configuring and troubleshooting SPNego)
because nothing has been set up so far.
First of all I need to know whether I can use my existing system or not.
Kind regards
Rüdiger Höckel
11-27-2008 12:39 PM
Ok.
What I would do is cancel the step that makes your system dysfunctional, and try to set up the wizard without this step.
The krb5 XML file is there if you use Active Directory as a datasource, no? I am not sure that you have to use this XML file as your data source is Java, but I am not 100% sure.
Fabien.
12-01-2008 10:40 AM
Hi Rüdiger,
Did you only change the data source configuration file? Where does the guest user exist, in the database or in the LDAP? Did you configure the LDAP communication user?
According to SAP, you should actually reinstall your AS Java, then follow the procedure for changing the data source to LDAP. You will have a cleaner install that way.
-Michael
12-04-2008 2:27 PM
Hi Michael,
thanks for your answer.
I think I have found the reason for my problem:
The AS Java was installed as an Add-On into an existing AS-ABAP.
According to
I didn't have the choice to select the database of the AS Java as a usage type (AS-Java).
So: "once you have selected a data source other than the AS Java database, you cannot change the data source of the UME."
And that is basically what is written in SAP note 718383:
"dataSourceConfiguration_abap.xml
No change is possible.
This configuration supports all usages (especially SAP Exchange Infrastructure and SAP Enterprise Portal) by making ABAP users and ABAP roles available as users and groups in the UME, and supports the creation of new groups in the UME (which are then stored in the local database) as well.
...
Changes different from those explicitly described above are not supported."
OK, so is there still a way to connect an LDAP server to my (Add-on) AS Java with usage type AS-ABAP?
Can I install a second AS Java?
I can't re-install the existing AS Java as it is already in productive Use (EP Portal).
Maybe someone directly from SAP can shed a little light on this?
Kind regards,
Rüdiger Höckel
12-04-2008 3:03 PM
Hi Rüdiger,
It all depends on what you want to do. You installed the AS Java as an Add-in to take advantage of the existing user base in your AS ABAP and to access the resources of the AS ABAP from a portal.
OK, but now you want to do something about SSO and enable Kerberos logon. For this you need the Kerberos principal name from your ADS. OK, authentication is not my strong suit, but here are some ideas you can try. By the way, in SAP NetWeaver 7.1 there is a configuration to log on to the AS Java using logon data from an LDAP, but still use the backend AS ABAP. See Configuring the UME for Directory Service Sync with AS ABAP for details. However, since you are still using 7.0, let's stick with that for now.
1. Use the LDAP Sync of the AS ABAP function to synchronize the user data of the AS ABAP and your ADS. You must populate the AS ABAP user records with the Kerberos principal name. Which ABAP field you populate with this value I am not sure. You would then have to adapt the following procedure to get this data into your AS Java: Configuring the UME when Using Non-ADS Data Sources.
2. Set up a second AS Java and portal with the ADS as the datasource. Then migrate your users from the old one to the new one. Unfortunately, the users have different user IDs on the AS Java and the AS ABAP, so you would have to maintain user mapping between the two systems.
3. Use SAP NetWeaver Identity Management Identity Center to distribute the user data between the systems.
Unfortunately this kind of configuration is not well documented. I will see if I can find someone who can comment on this kind of setup.
-Michael
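Michael's option 1 hinges on getting the Kerberos principal name of each Active Directory account into the user records that the UME reads. The script below is an added example, not code from the thread or from SAP; it derives the principal name (sAMAccountName@REALM, with the realm taken from the DC components of the DN) from a constructed LDIF-style export and flags accounts whose userPrincipalName does not match it, since an SSO mapping keyed on the wrong attribute silently fails for exactly those users. The sample entries, the attribute names used and the assumption that the realm is the DNS domain name in upper case are all mine.

```python
"""Derive the Kerberos principal per AD account from an LDIF-style export and
flag UPN/principal mismatches before populating UME user records for SPNego.
Added example; the sample directory data below is constructed, not real."""
import re

# Constructed sample export (assumption: three accounts in one AD domain).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName: jdoe
userPrincipalName: jdoe@corp.example.com

dn: CN=Legacy Svc,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName: legacysvc
userPrincipalName: svc.legacy@mail.example.com

dn: CN=No UPN,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName: noupn
"""


def parse_ldif(text):
    """Split an LDIF-style dump into one dict per entry (blank-line separated)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def realm_from_dn(dn):
    """Assumption: the Kerberos realm is the DC components of the DN, upper-cased."""
    parts = [p.split("=", 1)[1] for p in dn.split(",")
             if p.strip().upper().startswith("DC=")]
    return ".".join(parts).upper()


def kerberos_principal(entry):
    """Principal as the KDC issues it for the account: sAMAccountName@REALM."""
    return f"{entry['sAMAccountName']}@{realm_from_dn(entry['dn'])}"


def check_entry(entry):
    """Return (principal, warnings). A warning means the account needs manual
    attention before its principal is written into the UME user record."""
    principal = kerberos_principal(entry)
    warnings = []
    upn = entry.get("userPrincipalName")
    if upn is None:
        warnings.append("no userPrincipalName")
    elif upn.lower() != principal.lower():
        warnings.append(
            f"UPN {upn} differs from {principal}; map SSO on the Kerberos "
            "principal, not on the UPN, or the logon for this user will fail")
    return principal, warnings


def report(text):
    """Map sAMAccountName -> (principal, warnings) for every entry in the export."""
    return {e["sAMAccountName"]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for sam, (principal, warnings) in report(SAMPLE_LDIF).items():
        print(sam, principal, "; ".join(warnings) or "ok")
```

Run it against a real export (for example the output of ldifde on the domain controller) before the ABAP-side sync, and resolve every warned account by hand; the second sample account shows the common case of a mail-style UPN that does not equal the Kerberos principal.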
12-09-2008 8:58 AM
Hello,
it seems like I have found the correct blog for me (also by Holger Bruchelt):
So I will try to do these steps.
Kind regards,
Rüdiger Höckel