
How to provision PW set by self service ?

Former Member
0 Kudos

Hi all

I've set up IDM 7.1SP5 and try to provision passwords.

I could successfully set up Self service pw reset -> it sets the new pw in the IDM and in the UME also (I marked the "UME" option also).

I try to provision that password using ChangepasswordOfABAPUser -> but this task only sets the initial password set in the global constants. This is what I do not understand. ChangepasswordOfABAPUser calls function sap_getPassword but provisions then the (static) pw set by the constant as mentioned before.

What task/function should be called ?

Do I have to set up such a task/function by myself (no corresponding template available) ?

Where can I find more information about that ?

Accepted Solutions (1)


Former Member
0 Kudos

Hi Stefan,

If I understand your question right, you're trying to set the password of your ABAP user to something other than the preset initial password constant; if you were to pass in your MX_ENCRYPTED_PASSWORD instead, you could then set your ABAP user's initial password to the password already stored for that user within MX_ENCRYPTED_PASSWORD:

Use:

password = $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$

instead of:

password = $FUNCTION.sap_getPassword(%$glb.DEFAULT_PASSWORD%)$$

Even this method would only set the Initial ABAP password for the user and not a productive password; you would have to refer to NOTE: 1287410 for details on setting a productive password.

Does this answer your question?

Cheers!

Sandeep

Former Member
0 Kudos

Dear Sandeep

Thank you for your response.

But this is not my problem.

I've set up the pw self service task that a new pw is not generated BUT can be issued by the user.

In the end I want to provision THIS pw to the ABAP user.

Currently in the ChangepasswordOfABAPUser task there is the call password = $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$ ==> but in the end, by task ChangepasswordOfABAPUser just the value is provisioned that is stored in the constant DEFAULT_PASSWORD.

It was my understanding the function $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$ gets the pw from the idm repository and will populate variable password. Then in the next step I expected that variable password will be provisioned TO the ABAP user.

Next question is : Can the provisioning of the password ONLY be called from the "Event handling" area of the "Password policy" tab of the according ID store ? When I call ChangepasswordOfABAPUser from there I get an error (SNC missing ?).

As per the note you mentioned pw provisioning is only working via SNC ?!

Where can I find more information about configuring SNC connectivity ?

Kind regards

Stefan

former_member2987
Active Contributor
0 Kudos

Stefan,

The script you are referencing (sap_getPassword) decrypts the current value of the IDM attribute MX_ENCRYPTED_PASSWORD.

As Sandeep mentioned, once you generate a password, you need to set it in two places:

MX_ENCRYPTED_PASSWORD as a DES3 encrypted string

MX_PASSWORD as an MD5 hash.

There are functions and scripts as a part of the SAP Provisioning framework that will allow you to do this or do this for you.

As far as creating a password goes, you can create and set one anywhere. The tasks you referenced are indeed in line with the established frameworks and functionality for IDM Password reset.

However all of them will rely on the MX_ENCRYPTED_PASSWORD and MX_PASSWORD attributes. IDM also will only check against these for access. If needed you can set temporary values in another attribute, as you suggest, but in the end both of these must be updated with the new value.

Hope this helps.

Matt

Former Member
0 Kudos

Dear Matt

thx. for reply. But there is a little misunderstanding.

I'm looking for a way simply to set an initial pw - not a productive.

But when I investigate the mentioned I cannot see any parameter "DEFAULT_PASSWORD" ?! Is it hardcoded anywhere ? Is it described anywhere ? For that case - can anyone refer me to a document where I can find more information about that procedure ?

The doc provided by SAP to set up self service pw reset is nice - but does not give any information how to provision this new pw to a SAP instance !?

By the way : you mentioned "There are functions and scripts as a part of the SAP Provisioning framework that will allow you to do this" -> which are these functions ? Where can I find more information ?

Definitely I miss a corresponding document like the CUA cookbook. As mentioned above the ssf pw reset doc is nice ... but obviously not "complete".

You say at the beginning that the function I call is decrypting the MX_ENCRYPTED_PASSWORD - this is also my understanding. But : how to populate MX_ENCRYPTED_PASSWORD after it's been set by the ssf pw reset function ? And as mentioned before already : how to provision ?

I'm thankful for any hint : I also would like to evaluate it by myself - just I don't know where because I miss according documentation about the SAP provisioning framework.

Regards

Stefan

Former Member
0 Kudos

Stefan,

%$glb.DEFAULT_PASSWORD% should ideally be stored within your global constants under the management node in the MMC.

As for the MX_ENCRYPTED_PASSWORD, if you have set up the Password Self Service functionality as per the guide, MX_PASSWORD will automatically be set once you finish the task, and in turn MX_ENCRYPTED_PASSWORD will also be set.

And as we mentioned earlier, in order to provision the password to the target SAP systems you use the existing ChangePasswordOfABAPUser task passing in the MX_ENCRYPTED_PASSWORD through the sap_getPassword script onto the password attribute, just as mentioned earlier.

Hope this helps!

Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

Stefan,

Ok, this makes sense. If you want to set just the initial password:

In the setpassword task, use the parameter productivepwd. I know to set the password as productive you use a parameter of 1, so I'm guessing 0 would be an initial password.

Take a look at the various solution guides for IDM. While there is as of yet no "cookbook" there are some great ideas in them.

Frankly, cookbooks for IDM are tough since there are so many ways to achieve a given task.

In the Provisioning framework, look in System Specific type tasks. There's an ABAP and JAVA section where you can find all of these tasks. That's what I was referring to.

Cheers,

Matt

Former Member
0 Kudos

Thx to all for the response.

@Matt: where can I find the setpassword task you mentioned ?

Regards

Stefan

Former Member
0 Kudos

Hi all

Sandeep: I agree. But I do not understand the following :

I enabled the following ErrMsg line of JScript sap_getPassword :

UserFunc.uErrMsg(1,"decrypt MX_ENCRYPTED_PASSWORD: " + Par + " 2: " + password );

and in the system log I get the following :

decrypt MX_ENCRYPTED_PASSWORD: 1:a0a2a253eaf02e6d1d79329e7ecc9f5c 2: initial1

Value "initial1" is set in the global constant DEFAULT_PASSWORD as also stated by you in your previous msg.

Again: can anyone explain why task ChangePasswordOfABAPUser is setting the pw to the global constant DEFAULT_PASSWORD ? What is the sense of the call of the function sap_getPassword when the pw finally is set to this constant anyway ? And last but not least : where is the parameter DEFAULT_PASSWORD defined that is used here ?

Matt refers to "setpassword" task -> is it just a synonym used by you for any of my processes ? As already mentioned I cannot find a task with exactly that name.

Regards

Stefan

Former Member
0 Kudos

Sandeep

I'm following the guide respectively exactly your recommendation.

After pw self service the idm pw of the corresponding user is set accordingly -> I can use the new pw for IDM login of this user. THIS is ok. BUT: I call the original (or a copy - result is the same) task ChangePasswordofABAPUser -> this provisions a password but STILL to the value of the global constant DEFAULT_PASSWORD.

When I replace the call of the function sap_getPassword by a constant/literal the password in the ABAP system will be set to this value. But STILL I cannot get the pw by using the function sap_getPassword

All is standard respectively according the SAP guides ...

Obviously function $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$ returns all the time the value of global constant DEFAULT_PASSWORD.

I don't know why global constant DEFAULT_PASSWORD is (still) populated by that value.

Maybe due to previous execution of job ModifyUser ?

I can see in the job log that ModifyUser is executed twice (??) at the end of the self service pw reset .

Any idea ?

Kind regards

Stefan

Former Member
0 Kudos

Stefan,

Have you verified that your ChangePasswordofABAPUser task is using the password parameter like this:

password = $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$

and NOT like this:

password = $FUNCTION.sap_getPassword(%$glb.DEFAULT_PASSWORD%)$$

passing the MX_ENCRYPTED_PASSWORD attribute into the sap_getPassword function should give you the user set decrypted password and allow you to set it to the password attribute.

Within the main identity store node, click on the Password Reset tab and verify that you have the right task selected for the Password reset task and that the Password creation method is set to "Ask the user".

There seems to be some old reference of the DEFAULT_PASSWORD constant that's lost somewhere in your identity store setup in some job/task; we just need to find that and replace it with the MX_ENCRYPTED_PASSWORD attribute.

Cheers!

Sandeep
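A sketch of the check described in the reply above (hunting for a leftover DEFAULT_PASSWORD reference among the password mappings), as an added example that is not part of the original thread and not SAP code. The tab-separated "task, mapping" dump format, the function name and the sample rows are assumptions made for illustration.

```javascript
// Added example: flag password mappings fed from a static source instead of
// the per-user MX_ENCRYPTED_PASSWORD attribute.
// ASSUMPTION: one "task<TAB>attribute = expression" row per mapping. This is a
// hypothetical dump format for the sketch, not an SAP IDM export format.
const SAMPLE_DUMP = [ // constructed sample rows
  "ChangePasswordOfABAPUser\tpassword = $FUNCTION.sap_getPassword(%MX_ENCRYPTED_PASSWORD%)$$",
  "Copy of ChangePasswordOfABAPUser\tpassword = $FUNCTION.sap_getPassword(%$glb.DEFAULT_PASSWORD%)$$",
  "ModifyUser\tPASSWORD = initial1",
  "ModifyUser\tdisplayname = %DISPLAYNAME%",
].join("\n");

function auditPasswordMappings(dumpText) {
  const findings = [];
  dumpText.split(/\r?\n/).forEach((row, idx) => {
    const tab = row.indexOf("\t");
    if (tab < 0) return; // not a mapping row
    const task = row.slice(0, tab).trim();
    const m = /^\s*([^=\s]+)\s*=\s*(.*)$/.exec(row.slice(tab + 1));
    // Only the mapping that writes the target system's password is of interest.
    if (!m || m[1].toLowerCase() !== "password") return;

    // Collect every %NAME% reference used in the expression.
    const refs = [];
    const refRe = /%([^%]+)%/g;
    let r;
    while ((r = refRe.exec(m[2])) !== null) refs.push(r[1]);

    const globals = refs.filter((name) => name.startsWith("$glb."));
    let issue = null;
    if (globals.length > 0) {
      issue = "global constant " + globals.join(", ");
    } else if (refs.length === 0) {
      issue = "literal value"; // the literal itself is deliberately not echoed
    } else if (!refs.includes("MX_ENCRYPTED_PASSWORD")) {
      issue = "unexpected source " + refs.join(", ");
    }
    if (issue) findings.push({ line: idx + 1, task, issue });
  });
  return findings;
}

console.log(auditPasswordMappings(SAMPLE_DUMP));
```

Any row it reports is a task that would push the same password to every user it runs for, which is the symptom described in this thread.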

Former Member
0 Kudos

Problem is solved.

provided me with the solution.

Kind regards

Stefan

Answers (0)