11-10-2011 3:37 PM
I have a dual stack Netweaver instance where the portal uses the ABAP Datasource for user management. I am trying to set up the ability for users to reset their password from the portal login screen.
When clicking "Get Support" on the login screen, I am able to input the username, last name, first name and email so the system can send a new password. However, when clicking "Submit" nothing happens. I have followed the SAP documentation and as far as I can see, everything is set up correctly. Anyone have an idea what could be missing in the setup or what logs I can check to possibly find the problem?
Thanks!
11-10-2011 10:38 PM
Hi,
Maybe a stupid question, but can you maintain users from the Java stack, or did you set it up as read-only?
Cheers
11-11-2011 9:57 PM
SAP portals are seldom double-stack systems so I assume you mean the Java Stack UME is pointing to an ABAP client. This means that the password needs to be reset there..
So.. the service you have for the reset needs to be executed by a connection from the Java stack to the ABAP stack?
Does the user in this communication connection (default SAPJSF) have authorizations to reset passwords? The user is in the ABAP client and the authority will be checked there, so you need to check there.
That it does not give meaningful messages back is normal, but sometimes also a security feature to prevent external unauthenticated callers from obtaining information about the internal connections and services.
As you are the admin and on the inside already, you need to troubleshoot it on the ABAP side.
Cheers,
Julius
11-11-2011 10:12 PM
Just to add that SAPJSF user has a role communication. If the role name ends with _RO then any parameters can be maintained only in ABAP stack.
Cheers
11-14-2011 3:17 PM
Julius,
I did find this error in a trace file:
#1.5 #001B789B91BA0067000000EA00003DF40004B1B33B42F3DC#1321283258301#System.err#sap.com/tcwddispwda
#System.err#J2EE_GUEST#0##n/a##640e12720ed211e1b38900000b9056ae#SAPEngine_Application_Thread[impl:3]
_27##0#0#Error##Plain###Caused by: java.lang.Exception: classname:
[com.sap.security.core.persistence.datasource.PersistenceException]message:BAPI_USER_CHANGE@BIACLNT200:
ID=00, NUMBER=279, MESSAGE=Password must be a maximum of 8 characters and cannot contain lower case
Could this be saying that the password it is trying to reset to, doesn't match the password parameters set in the instance profile?
Edited by: Julius Bussche on Nov 14, 2011 5:27 PM
Formatting corrected as post unreadable...
11-14-2011 4:32 PM
Yes, this means that the password wizard is generating a "maximum strength" password which does not comply with the "minimum requirements" of the password rules for the ABAP system which the UME is pointing to.
I know that in ABAP systems these maximum settings are in table PRGN_CUST. On the Java side I think they are in the NWA Configuration Security Services.
Cheers,
Julius
11-14-2011 7:21 PM
Julius,
There are no entries in the PRGN_CUST table on the ABAP side, and I cannot find the settings in NWA on the JAVA side. Can you provide specific instructions on where to maintain these settings in NWA? Thanks!
11-14-2011 10:21 PM
Not off the top of my head. I would need to search for it, and I guess you can do that search as well.
Have you found it yet?
Cheers,
Julius
11-15-2011 12:00 PM
Dear jayson,
Hope you are doing good.
Do refer to the note 862989 and
Logon and Password Security in the ABAP System:
[http://help.sap.com/saphelp_nw70/helpdata/en/52/6717ed439b11d1896f0000e8322d00/frameset.htm]
Thank you and have a nice day :).
_____________
Kind Regards,
Hemanth
SAP AGS
11-15-2011 12:09 PM
Those are minimum rules for the ABAP stack. He is looking for maximum (generation) rules for the Java stack.
Cheers,
Julius
11-15-2011 12:14 PM
There are UME parameters for this on the JAVA end (ume.logon.security_policy.password_max_length)
Please refer to the links below for more on this:
[http://help.sap.com/saphelp_nw70/helpdata/EN/7f/c52442ad9f5133e10000000a155106/frameset.htm]
[http://help.sap.com/saphelp_nw70/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/frameset.htm]
The values need to be amended in: configtool -> switch to the configuration editor mode -> configuration -> cluster_data -> server -> cfg -> services -> Propertysheet com.sap.security.core.ume.service
Thank you and have a nice day :).
_____________
Kind Regards,
Hemanth
11-15-2011 1:40 PM
Hemanth,
I have already tried setting that in the UME Configuration screen under the security policy tab and that did not help. The problem is that the password that the UME password wizard is generating doesn't fit the ABAP profile parameters. Here is the error once again that I see in the trace file:
#1.5 #001B789B91BA005A000000AA000012C40004B1C608FC790D#1321364019212#System.err#sap.com/tcwd
dispwda#System.err#J2EE_GUEST#0##n/a##6d3e77cb0f8e11e1a08500000b9056ae#SAPEngine_Application_
Thread[impl:3]_9##0#0#Error##Plain###Caused by: com.sap.security.core.persistence.datasource.Persistence
Exception: BAPI_USER_CHANGE@BIACLNT200: ID=00, NUMBER=279, MESSAGE=Password must be a
maximum of 8 characters and cannot contain lower case#
This is strange because there is not a parameter set on ABAP or JAVA side regarding no lower case characters. So where is this coming from??
Edited by: Julius Bussche on Nov 15, 2011 2:44 PM
Formatting fixed, again...
11-15-2011 1:47 PM
It sounds like your backend ABAP system has the login/password_downwards_compatibility parameter set to only use the old password rules.
So, if you want to keep that... then you must set the wizard in the Java config to generate an 8 character password without any lower-case characters.
It is advisable to use the new password rules and format.
Cheers,
Julius
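The trace entry discussed above can be checked mechanically. The following Python sketch is an added example, not part of the original thread or of any SAP tool: it pulls the BAPI return message out of a wrapped J2EE trace excerpt and tests a candidate password against the rule stated in that message. The function names are hypothetical, the sample input is the tail of the trace quoted in the thread, and the rule check covers only what the message text says (maximum 8 characters, no lower case).

```python
import re
from typing import NamedTuple

# Error format seen in the thread's trace:
#   <BAPI>@<destination>: ID=<class>, NUMBER=<no>, MESSAGE=<text>#
BAPI_ERROR = re.compile(
    r"(?P<bapi>BAPI_[A-Z0-9_]+)@(?P<dest>\w+):\s*"
    r"ID=(?P<msg_id>\w+),\s*NUMBER=(?P<number>\d+),\s*"
    r"MESSAGE=(?P<message>[^#]*)"
)

# Sample input: tail of the trace record quoted in the thread, still wrapped.
SAMPLE_TRACE = """\
Thread[impl:3]_9##0#0#Error##Plain###Caused by: com.sap.security.core.persistence.datasource.Persistence
Exception: BAPI_USER_CHANGE@BIACLNT200: ID=00, NUMBER=279, MESSAGE=Password must be a
maximum of 8 characters and cannot contain lower case#
"""


class BapiError(NamedTuple):
    bapi: str      # BAPI the UME called in the ABAP backend
    dest: str      # backend destination as written in the trace
    msg_id: str    # ABAP message class
    number: int    # ABAP message number
    message: str   # message text returned by the backend


def extract_bapi_errors(trace_text: str) -> list:
    """Return every BAPI return message found in a trace excerpt."""
    # Long records are wrapped across lines; collapse whitespace first so a
    # message split over two lines is matched as one string.
    flat = " ".join(trace_text.split())
    return [
        BapiError(m["bapi"], m["dest"], m["msg_id"],
                  int(m["number"]), m["message"].strip())
        for m in BAPI_ERROR.finditer(flat)
    ]


def fits_legacy_rule(password: str) -> bool:
    """Check only the rule quoted in the message: <= 8 chars, no lower case."""
    return len(password) <= 8 and not any(c.islower() for c in password)


if __name__ == "__main__":
    for err in extract_bapi_errors(SAMPLE_TRACE):
        print(f"{err.bapi} on {err.dest}: {err.msg_id}/{err.number} {err.message}")
    for candidate in ("AB12CD34", "Ab12Cd34", "AB12CD345"):  # constructed values
        print(candidate, "accepted" if fits_legacy_rule(candidate) else "rejected")
```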
11-15-2011 2:02 PM
Julius,
The backend system has login/password_downwards_compatibility = 5.
How do I set the wizard to generate a usable password? If you are referring to properties related to passwords in the UME -> Configuration -> Security Policy, I have already done that. Plus there is no setting/property that says only to use uppercase letters...
11-15-2011 2:56 PM
Yep, that is the problem.
You could try to set the Java properties to max 8 characters with minimum 2 digits and minimum 6 UPPER-CASE. That leaves nothing left for lower-case..
However you should seriously consider making your passwords compatible with the new mechanism and ideally setting the compatibility to 0 (incompatible with the old mechanism).
Cheers,
Julius
11-15-2011 7:46 PM
Julius,
So I left all the JAVA properties the same, and changed the login/password_downwards_compatibility value to "0" on the backend ABAP side and the password reset works!
Now can you explain in simple terms how the login/password_downwards_compatibility parameter works and why it is needed? I read the description for it in SAP Help, but still can't figure out its use or purpose. Thanks!
11-15-2011 8:28 PM
If you changed the parameter (in RZ11?) then there is an information button there which explains the dependencies and how it works.
Normally one reads the documentation before making the change..
In this case, take note that the parameter is dynamically switchable for all values except '0'. Once you set it to '0' it becomes static (special feature which a few parameters have).
I assume that you are testing this in a sandbox, but you should still monitor failed logins for a while after making the change and be prepared for confused end-users in production systems.
A safer route is to set the parameter to '2' for a while and monitor the syslog, then switch it to 1 for a while (to be able to switch back) and when the waters have calmed then switch it to '0'.
Cheers,
Julius
11-15-2011 8:32 PM
No worries, I'm working in dev, made the change to test, then changed it back. Thanks for your help.
11-15-2011 8:56 PM
Then you have a good argument to set it to '0' - which is a much better setting (from a security perspective).
Cheers,
Julius
11-11-2011 10:20 AM
Hello,
Can you please check if note 1082019 applies to your system?
I hope this helps you.
Regards,
Blanca
11-11-2011 2:27 PM
Blanca,
This note is for the Get Support link not working, which is not my problem. My problem is when I click submit for the system to email a new user password, nothing happens. This note also says to apply SP Stack #15. My instance is on SP Stack 22...
11-12-2011 8:06 AM
Dear jayson,
Hope you are doing good.
There are 2 parameters that can be used here:
1. ume.notification.pswd_reset_performed (Default TRUE)
The system sends an e-mail to the user when his or her password has been reset. It does not matter who changed it (Administrator or user). The value of this ume parameter is linked to the setting Administrator changes password (-> user)
Hence, when you uncheck this value, ume parameter is set to FALSE.
2. ume.notification.pswd_reset_request
The system sends an e-mail from the user to the administrator requesting a password reset. It doesn't mean the mail will be sent to the user when he will change the password.
The value of this ume parameter is linked to the setting: User requests new password (-> user)
Do make sure that the below links have been checked:
[http://help.sap.com/saphelp_nw70/helpdata/en/41/080aab7cefe34d8acb04861a467efc/content.htm]
and
[http://help.sap.com/saphelp_nw04/helpdata/EN/89/c5fd430b63c74bbdfaa5f2ec9bb20b/frameset.htm]
If the issue persists, deploy the latest version of web diagtool attached to note 1045019 and go through a trace of the issue.
Thank you and have a nice day :).
_____________
Kind Regards,
Hemanth
SAP AGS