CLI or API for (re-)setting passwords in the secure store ?

detlef_wartke
Discoverer
0 Kudos

Hi out there,

in the data center we have the requirement to generate new passwords for the administration users administrator, j2ee_admin, ... on a regular basis. For every single system (and I'm talking about a lot of systems!) we now have to change the password in the User data store which is no problem for ABAP - I can automate it from a Perl script using sapnwrfc (thanks to Piers Harding!) calling a BAPI setting the new password. But the bad side is that we have to click through the whole config tool for resetting the password in question for every single system...

Do you know a possibility to set the administrator's password via CLI or API?

Best regards,

Detlef Wartke

Accepted Solutions (1)

anja_engelhardt2
Active Contributor
0 Kudos

Hi Detlef,

I don't know of any API or CLI to reset the password in secure store. But it is saved in SecStore.properties in directory \SYS\global\security\data within a text file. It's coded in base64 if you don't choose to use a key. Maybe this will help you to find a solution.

Cheers,

Anja

detlef_wartke
Discoverer
0 Kudos

Hi Anja,

thanks for the reply, but the secure stores are as they have to be: encrypted - and this is OK!

I do not intend to break the password encryption. I'm just looking for a more or less official way to connect to the system (authenticated) and change the password in the secure store from an automation script (I do not see how to automate the usage of the config tool).

Any further ideas? Is there perhaps a Java class helping out there?

Best regards

Detlef

Former Member
0 Kudos

Hi Detlef,

Did you finally find out a way to automate the password modification in the secure store? We've lately had a problem on a SAP GRC instance that didn't want to boot because we forgot to change the Administrator's secure store password after changing it in the database.

Thanks

markus_doehr2
Active Contributor
0 Kudos

You can try the following:

*(it's java coding, formatted and I put code tags around it. however, crappy Jive forum doesn't honor that apparently... sigh)*

```java
import com.sap.security.core.server.secstorefs.SecStoreFS;

import javax.naming.Context;
import javax.naming.InitialContext;
import java.util.Properties;

public class CheckStore {

  public static void main(String[] args) {

    if (args.length < 3) {
      System.err.println("please define the arguments:");
      System.err.println("   SID  data_file  key_file  [new_password]");
      return;
    }

    String sid = args[0];
    String dataFile = args[1];
    String keyFile = args[2];
    // new password from the optional fourth argument; otherwise the test value
    String newPass = (args.length > 3) ? args[3] : "vil0dera";
    String j2ee_host = null;
    String j2ee_port = null;
    String j2ee_admin = null;
    String j2ee_pass = null;
    String db_url = null;

    try {
      // point the secure store API at this SID's data and key file
      SecStoreFS.setSID(sid);
      SecStoreFS.setDefaultFilenames(dataFile, keyFile);
      SecStoreFS sec = new SecStoreFS();

      sec.openExistingStore();
      System.out.println("FS SS successfully opened");
//      // dump all key/value pairs of the store (uncomment for debugging)
//      Properties prop = sec.getStringPairs();
//      java.util.Enumeration keys = prop.keys();
//      while (keys.hasMoreElements()) {
//        String key = (String) keys.nextElement();
//        System.out.println("[" + key + "] = " + sec.getStringValue(key));
//      }

      // read the J2EE admin connection data stored under admin/* for this SID
      j2ee_host = sec.getStringValue("admin/host/" + sid);
      j2ee_pass = sec.getStringValue("admin/password/" + sid);
      j2ee_port = sec.getStringValue("admin/port/" + sid);
      j2ee_admin = sec.getStringValue("admin/user/" + sid);
      db_url = sec.getStringValue("jdbc/pool/" + sid);

      System.out.println(" sid : " + sid);
      System.out.println(" data: " + dataFile);
      System.out.println(" key : " + keyFile);
      System.out.println(" host: " + j2ee_host);
      System.out.println(" port: " + j2ee_port);
      System.out.println(" user: " + j2ee_admin);
      // note: this prints the current admin password in clear text
      System.out.println(" pass: " + j2ee_pass);
      System.out.println(" db  : " + db_url);

      // write the new admin password into the store
      sec.updatePair("admin/password/" + sid, newPass);
      System.out.println("******set password " + newPass);

      // check that the admin credentials read from the store work against the engine
      Properties p = new Properties();
      p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
      p.put(Context.SECURITY_PRINCIPAL, j2ee_admin);
      p.put(Context.SECURITY_CREDENTIALS, j2ee_pass);
      p.put(Context.PROVIDER_URL, j2ee_host + ":" + j2ee_port);
      System.out.println("  ===> " + new InitialContext(p).lookup("keystore"));

      System.out.println("\r\n JNDI context successfully created");

    } catch (Exception e) {
      System.err.println("ERROR : " + e.getMessage());
      System.err.println("________________________________________________________________________________");
      e.printStackTrace();
    }
  }

}
```

Calling it using

```csh
#!/bin/csh
set J2EE_HOME=/usr/sap/DI1
set CP_HOME=$J2EE_HOME/JC01/j2ee

set CP=.:$CP_HOME/cluster/bootstrap/exception.jar:$CP_HOME/cluster/bootstrap/logging.jar:$CP_HOME/cluster/bootstrap/tc_sec_secstorefs.jar:$J2EE_HOME/SYS/global/security/lib/tools/iaik_jce.jar:$CP_HOME/admin/lib/admin.jar

echo $CP

javac -classpath $CP CheckStore.java

java -classpath $CP CheckStore DI1 $J2EE_HOME/SYS/global/security/data/SecStore.properties $J2EE_HOME/SYS/global/security/data/SecStore.key
```

Markus
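Detlef's actual requirement is running such an update over many systems. The following POSIX sh wrapper is an added example, not part of Markus's post or of any SAP tool: it refuses to touch a store whose files are readable by group or others, takes an owner-only backup of SecStore.properties and SecStore.key before each update, and only then runs the update command. `ROTATE_CMD` is a hypothetical placeholder for whatever actually performs the update (for instance `java -classpath $CP CheckStore`); it is assumed to take the same arguments as the class above: SID, data file, key file.

```sh
#!/bin/sh
# Added example (not from the thread): batch wrapper around a CheckStore-style
# update for many systems, with a permission check and a backup first.
# ROTATE_CMD is a hypothetical placeholder; it is called as:
#   $ROTATE_CMD SID data_file key_file
set -u

ROTATE_CMD=${ROTATE_CMD:-"java CheckStore"}

# Fail if any given file is missing or readable by group/others: a store whose
# files anyone can read gives away the key together with the ciphertext.
check_store_perms() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "too permissive: $f" >&2
            return 1
        fi
    done
    return 0
}

# Copy the store files into a fresh owner-only directory below $3 and print
# its path, so the previous state can be restored if the update goes wrong.
backup_secstore() {
    data_file=$1
    key_file=$2
    mkdir -p "$3" || return 1
    backup_dir=$(mktemp -d "$3/secstore-backup-$(date +%Y%m%d%H%M%S)-XXXXXX") || return 1
    cp -p "$data_file" "$key_file" "$backup_dir"/ || return 1
    chmod 600 "$backup_dir"/* || return 1
    printf '%s\n' "$backup_dir"
}

# Rotate one system: SID, its /usr/sap/<SID> directory, backup root.
# Return codes: 0 ok, 2 bad permissions, 3 backup failed, 4 update failed.
rotate_system() {
    sid=$1
    sap_home=$2
    backup_root=$3
    data="$sap_home/SYS/global/security/data/SecStore.properties"
    key="$sap_home/SYS/global/security/data/SecStore.key"

    check_store_perms "$data" "$key" || return 2
    bdir=$(backup_secstore "$data" "$key" "$backup_root") || return 3
    if $ROTATE_CMD "$sid" "$data" "$key"; then
        echo "$sid: secure store updated, backup in $bdir"
        return 0
    fi
    echo "$sid: update failed, previous files kept in $bdir" >&2
    return 4
}

# Read "SID /usr/sap/SID" lines from a list file and rotate each system;
# the return value is the number of systems that failed.
rotate_all() {
    list_file=$1
    backup_root=$2
    failed=0
    while read -r sid sap_home; do
        [ -z "$sid" ] && continue
        rotate_system "$sid" "$sap_home" "$backup_root" || failed=$((failed + 1))
    done < "$list_file"
    return "$failed"
}
```

Usage would be `ROTATE_CMD="java -classpath $CP CheckStore" rotate_all systems.txt /root/secstore-backups`. The backups hold the old key and store together, so they need the same protection as the live files and should be deleted once the engine has been restarted and the new password verified.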

markus_doehr2
Active Contributor
0 Kudos

Just to add: the coding is with tags, the backend Jive ignores them. If you're interested just write a short mail (see my business card).

Markus

detlef_wartke
Discoverer
0 Kudos

Hi Markus,

this seems to be exactly what I was looking for!

I need some time to check this out in detail. I'm not really a Java specialist and I do not even have installed the development environment for SAP... but I will start as soon as possible to check if it is working for me.

Thanks for your contribution!

Best regards,

Detlef Wartke

markus_doehr2
Active Contributor
0 Kudos

No need for a development environment (NWDI or the like) - you can compile that class on any Java-AS (with the script provided).

Markus

Answers (0)