Thanks Marcelo,

Yes had seen that but found no equivalent talking about multiple ABAP data stores. Guess we can either try to configure using the same constraints or assume it isn't possible since SAP didn't include it in this section.

If anyone has tried this please let us know.

Thanks,

Doug

You can load anything you want to into an ABAP logical system as user master records, the the JAVA UME can only point to one ABAP logical system.

The other way around works though, because ABAP does not actually know that it is a UME source. So whether it is 1 or 10 UMEs pointing to it makes no difference.

Cheers,

Julius

OK Thanks Julius,

You see our goal, multiple applications on multiple ABAP app servers but all using a Central JAAS logon module for authentication. So that java box would have multiple ABAP user stores as long as we didn't have same user in multiple ABAP systems and passed any other restrictions. I was hopeful because the instructions for multiple LDAPS use the single configuration file to point to multiple LDAPS. Thought the same might be possible for ABAP user store. From what you are saying though this just isn't possible.

Thanks,

Doug

That is different.

Previously you mentioned the UME store configuration, now you are talking about login module stacks which are "sufficient" to authenticate the user.

As far as I know you can point a custom login module at anything, so you should be able to use the same module.

But your users will be very confused. They all have the same UME store (they generally dont know about that) but need to know which password to use... (without locking themselves out of other systems).

Dont you have a directory server? That is typically the prefered weapon.

Cheers,

Julius

Julius,

Thanks again for your reply. This is confusing. We have an existing .Net logon application where we centrally administer accounts and where users log in. On successful login they are issued a .net Auth cookie. Our JAAS module takes that cookie, does a web service call back to .Net and authenticates them. So authentication is done on the basis of the .Net cookie, not the java UME. We simply need a java ume to allow users to execute the application that invokes the JAAS module. The application invokes the JAAS module and if they successfully authenticate they are forwarded to the requesting SAP application. So the JAAS ume is really just needed to allow various users to run the JAAS invoking application starter. Ideally we'd use the same starter application for users of SAP Application 1,2,3, etc.

So that's where the question came from on multiple ABAP UME data sources for a single Java instance.

Hope that makes sense. Regardless the answer I guess is not possible but you see the method to our madness. And yes it is madness.

Thanks,

Doug

In that case you could just create a new client with all users from all systems and point UME to this client.

That is true, but there is a catch: If you want to give a user SAP_J2EE_ADMIN (just for for example) for one of the Java systems, you are forced to give them the UME role access for all of the Java systems.

But I think the intention and bigger catch here is that Jayson is wanting a login module with it's own set of "sufficient" calls to authenticate the user. Each one after the other as IF.. THEN.. ELSE.. ENDIF.. ENDIF... ENDIF... until one of them is sufficient. That will confuse the users to no end and will lock their passwords all over the place in the ABAP targets as a consequence.

Cheers,

Julius