
No password provisioned

former_member283791
Participant
0 Kudos

Hello gurus,

I'm building up an IdM to manage a few ABAP systems and 1 Active Directory. Everything in the development phase has worked up to now except password provisioning. It's been a thorn in my eye for too long and I am here to ask for your assistance in getting it fixed.

I'm using the standard SAP provisioning framework and creating/modifying/deleting users works without a problem, also when I create a user and fill out a password I get no warnings nor errors, everything seems to work. I am quite frankly at a loss.

So in order to help me fix this I'm looking for two answers:

1. How can I debug my password? I am apparently not able to use the sap_getPassword() script to get my password back from MX_ENCRYPTED_PASSWORD (either that or it was never filled out, but that would mean an error on sap_setPassword() I guess?).

2. How do I get my password back from IDM in order to send it in an email to the user I just created?

Hope someone can help me.

Kind regards and have a nice weekend all.

Jonathan

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Jonathan

1. Do you have Password Provisioning enabled (in your identity store -> Password policy)?

2. Have you set up 3DES en-/decryption & the correct key-File in MMC/UI?

3. If you look at the database, View MXIV_ALL_SENTRIES, do you have an AttrName with MX_ENCRYPTED_PASSWORD and aValue != NULL for the relevant MSKEY?

Then, for password debugging:

1. Create a new Action Task for PW-decryption

2. Create a script "decrypt" therein:


// Main function: decrypt

function decrypt(Par){
	//Example calling DSE internal function
	//uStop("Terminated by user");

	//Par is MX_ENCRYPTED_PASS

	var mxencpw = Par.get("encryptedPW");	
	var mskey = Par.get("mskey");
	var mskeyvalue = Par.get("mskeyvalue");

	var decryptedDES;
	
	decryptedDES = uDESDecrypt("", mxencpw );
	UserFunc.uErrMsg(1,"Encrypted Password for "+mskeyvalue+": "+mxencpw);
	UserFunc.uErrMsg(1,"Decrypted Password for "+mskeyvalue+": "+decryptedDES);

	return "";
}

3. Create a to Generic in that task, tab Destination:


MSKEY      |     %mskey%
encryptedPW     |     %MX_ENCRYPTED_PASSWORD%
mskeyvalue     |     %mskeyvalue%

4. As "Next data entry" select above script

5. Enable the Task/Pass, assign a dispatcher.

I use this task with "Test provisioning task" & enter a valid MX_PERSON mskeyvalue. If everything is correct the password is shown in the joblog.

Using portions of the script in a (more complex) sendMail-Task can also send the password as email.

Hope this helped.

BR

Michael

Edited by: Michael Schüßler on May 20, 2011 5:10 PM

former_member283791
Participant
0 Kudos

hey Michael,

Brilliant answer, I've gotten a lot closer to fixing my issue now.

The retrieve password script told me that there was in fact a password and that it was in fact provisioned, only it wasn't the one I wrote in the create Identity window. It was in fact randomly generated by sap_handlePassword -> sap_initializePassword.

Although those two scripts clearly state:

if ( password == null || password == "")

Now I must say that I added mx_password as an attribute to create_identity myself, but is there any way to fix this? Or can I just leave sap_handlePassword out of my task and just encrypt mx_password using sap_encryptPassword?

Edited by: Jonathan Gijsemans on May 23, 2011 2:42 PM

former_member283791
Participant
0 Kudos

Ok, there comes a point when you need to stop swimming against the stream. Think I'm there

Let's say we'll use the whole random generated password feature, how do I integrate the above script into a mail so I can actually mail my new user his/her initial pw?

Actually that question goes along with something I've been wondering: where does Par come from and how can you use what's returned in a task?

Regards,

Jonathan

former_member2987
Active Contributor
0 Kudos

Johnathan,

Ok, there comes a point when you need to stop swimming against the stream. Think I'm there

No worries, we've all been there and revisit the stream often!

Let's say we'll use the whole random generated password feature, how do I integrate the above script into a mail so I can actually mail my new user his/her initial pw?

Use the uSendSMTP function to send an email. Use the DSEDecrypt function to decrypt MX_ENCRYPTED_PASSWORD to send it in an email. The problem is: how do you send a password via email to a user if they don't have a password to get into mail?

Actually that question goes along with something I've been wondering: where does Par come from and how can you use what's returned in a task?

In the destination grid, Par is the Attribute passed within the function

For example:


$FUNCTION.SomeFunction(%MSKEYVALUE%$$)

The value held in the attribute %MSKEYVALUE% would be passed as "Par" to the function.

Make sense?

former_member283791
Participant
0 Kudos

Hey Matt,

Does make sense and thanks for the answer. But how does that work when you place your script in let's say Entry Script? (as shown on the To Identity Store step of Add Password in the SAP provisioning framework)

I've already put some work into making a mail script so I guess it would be easy enough to include the DSEDecrypt script in there. Good point about reading mail without access to mail, but that is not an issue for our current setup. We're doing this setup in our test domain so the mail would be sent to the person's regular address instead of the test domain one.

Former Member
0 Kudos

But how does that work when you place your script in let's say Entry Script? (as shown on the To Identity Store step of Add Password in the SAP provisioning framework)

I think the official explanation is quite good: http://help.sap.com/saphelp_nwidmic71/en/managing_passes/to_passes/dse_toidstore_source.htm

former_member283791
Participant
0 Kudos

mmm, sorry. Allow me to restate that question:

What Par is handed to a script when it is loaded as an Entry script for example. Does it actually look at the MSKEYVALUE in the destination tab and provide all MX_PERSON info on that MSKEYVALUE through an array?

(getting quite far off topic here I think so I'll give this thread a rest after this)

former_member2987
Active Contributor
0 Kudos

Hmmm.... I don't recall what PAR is supposed to be in this case. Either MSKEY or MSKEYVALUE would be my guess. In a standalone job I believe it's a dictionary object of the entry.

Matt

Former Member
0 Kudos

Entry Scripts get passed all source values in the Par variable in the form of "Variable = Value" pairs.

Example:

Par( MSKEY=1234 MSKEYVALUE=User1)

In your Script you use

var mskey = Par.get("MSKEY");

But here's the part that took me a lot of looking to figure out. You can update and add variables so you can use them in your Destination tab.

Par.put("NEWVAR", NewValue);

return Par;

Regards

Jim
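
The entry-script pattern from the post above, combined with the stored-value check from the earlier debugging list, as an added example that is not part of the original thread and is not SAP's code. `makePar`, `prepareInitialPassword`, `PW_STATUS`, `INITIAL_PW` and the injected `decryptFn`/`logFn` are hypothetical stand-ins for the runtime's Par object, decryption call and job-log call, and the sample values are constructed.

```javascript
// Stand-in for the Par object the IdM runtime hands to an entry script
// (constructed for this example; only get/put are modelled).
function makePar(pairs) {
  const values = new Map(Object.entries(pairs));
  return {
    get: (name) => (values.has(name) ? values.get(name) : null),
    put: (name, value) => { values.set(name, value); },
  };
}

// Hypothetical entry script. decryptFn and logFn are injected stand-ins for
// the runtime's decryption and job-log functions so the logic runs offline.
function prepareInitialPassword(Par, decryptFn, logFn) {
  var mskeyvalue = Par.get("MSKEYVALUE");
  var encrypted = Par.get("MX_ENCRYPTED_PASSWORD");

  // Same question as item 3 of the debugging list: was a value ever stored?
  if (encrypted === null || encrypted === "") {
    Par.put("PW_STATUS", "MISSING");
    logFn("No MX_ENCRYPTED_PASSWORD stored for " + mskeyvalue);
    return Par;
  }

  var cleartext = decryptFn(encrypted);
  // Variables added with put() are usable in the Destination tab once Par is returned.
  Par.put("INITIAL_PW", cleartext);
  Par.put("PW_STATUS", "OK");
  // Log only metadata so the cleartext does not end up in the job log.
  logFn("Decrypted password for " + mskeyvalue + " (length " + cleartext.length + ")");
  return Par;
}

// Constructed sample run: the "cipher" is a plain string reversal, not 3DES.
function demo() {
  const log = [];
  const toyDecrypt = (s) => s.split("").reverse().join("");
  const ok = prepareInitialPassword(
    makePar({ MSKEY: "1234", MSKEYVALUE: "User1", MX_ENCRYPTED_PASSWORD: "1!terceS" }),
    toyDecrypt, (m) => log.push(m));
  const missing = prepareInitialPassword(
    makePar({ MSKEY: "1235", MSKEYVALUE: "User2" }),
    toyDecrypt, (m) => log.push(m));
  return { ok, missing, log };
}
```
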

Former Member
0 Kudos

I think that is not possible, because password decryption service is in kernel service layer...