
Setting Productive Passwords

former_member2987
Active Contributor
0 Kudos

Hello experts:

I'm working on setting passwords in some connected systems.  I'm seeing a couple of interesting things though:

1. Even though the repository definitions specify ABAP, the Java password change is being executed (the systems are ECC and SRM if it matters) -- Any thoughts?

2. When I go to set the password I am setting PasswordChangeRequired to FALSE and I get the following message: 

putNextEntry failed storingSPML.SAPUSER.MPOLLICOVE

Exception from Modify operation:com.sap.idm.ic.ToPassException: Could not update user Productive Passwords can only be set via secure transport layers - What do I need to tell BASIS to do?

Thanks,

Matt

Accepted Solutions (1)


Former Member
0 Kudos

Hi Matt

1.  Not off the top of my head - that's a little strange.

2.  I've encountered this before.  SNC needs to be enabled on the ABAP system and the correct constants need to be set up on your repository to enable it to use SNC when doing the change.

You also need to ensure that you update the rights on your user.  From SAP Note 1287410:

"To set passwords as productive, the communication user needs the authorization for object S_USER_GRP with activity 'PP'. This authorization is not included in the IDM role SAP_BC_SEC_IDM_COMMUNICATION"

Note that SAP Note 1602902 talks specifically about creation, not modification, as it goes through BAPI_USER_CREATE1.  Not sure if this'll work with modify - let me know how it goes.

Peter

former_member2987
Active Contributor
0 Kudos

Peter,

Thanks much!  I'll forward this information to my BASIS team!  Something tells me there might be a follow up question or two!

Matt

former_member2987
Active Contributor
0 Kudos

Peter,

Is it the same attribute (ProductivePwd) for Java and ABAP systems?

Thanks,

Matt

Former Member
0 Kudos

Hi Matt

I'm not sure - I've only ever done it with ABAP.  However, I seem to recall that the SPML implementation has an attribute 'passwordchangerequired' which is set to true by default on the To Custom job for setting the password.

If you set that to false it should work (logically - I make no guarantees)

Peter

Answers (2)


0 Kudos

Hi Matt

1. Doesn't sound right, would check the mx_hook8 for password change (if the operation is just that of a password change) - it's not dual stack?

2. Keep in mind that connections need to be encrypted to set a password as productive

So RFC-SNC for ABAP and HTTPS-SSL for JAVA

This error would indicate that connection from IDM is only http

Could not update user Productive Passwords can only be set via secure transport layers

Cheers

Craig

former_member2987
Active Contributor
0 Kudos

Craig,

I mentioned in my post that the attributes would need to be encrypted.  I'd recommend not using the framework in this case to prevent synchronization from taking place. Directly referencing a framework task could start synchronization which is specifically not called for in Deepak's scenario.  A copy of the task executed outside of the framework would be best IMO.

You could also look to 's post (and thread) above which references how to do this over multiple repositories.  And yes, you would need to hard code the repository.

You do have a valid point in that SSL is required for handling the setting of Productive passwords in SAP.  It also makes AD password setting much easier.

Regards,

Matt


Former Member
0 Kudos

Hi Matt

As we know, Password management for IDM only manages 1 password for all target applications. Correct!

I have a question: how will IDM manage passwords for the already existing users in target systems having different User IDs (with different passwords)?

Like in my case: we are using SAP and AD as target systems. One user has different user IDs in SAP and AD (different passwords).

Looking forward to your reply soon.

Best Regards

Deepak

former_member2987
Active Contributor
0 Kudos

Deepak,

This should probably be its own thread since it's really a different question, but I've put you through enough hoops already.

First off, this is not really the way SAP wants things done.  As I've said elsewhere, the goal is password synchronization.  The product is not really designed to be a password manager.

However, the product is extremely flexible and the framework is meant to be extended, so here's how I would do it. (Note I'm not sitting in front of IDM as I am typing this so it's really a rough framework)

I would set up a "PW Management Task" with the following attributes:

ADPWD

MX_PASSWORD

These attributes should be encrypted with confirmation turned on to comply with best practices.

Then in your workflow attached to this UI task you can set the passwords as needed by creating jobs to accomplish this (AD needs a To LDAP pass; use the framework passes for SAP).

This would then set your unique passwords as you need.

Good luck!

Matt

Former Member
0 Kudos

Hi Matt

Thanks for your reply.

I understand and agree with you that things should not be intended to divert the actual objective of the product, but it is a key requirement of the client and they want to manage passwords.

I am more worried about the ALREADY EXISTING USERS and THEIR PASSWORDS.

Will these attributes you mentioned above be able to handle their passwords?

Is SNC the key requirement for those SAP passwords to be handled through IDM (for existing users)? If enabling SNC is not possible, then what would be the impacts and how could this requirement be achieved?

Thanks

Deepak

Former Member
0 Kudos

Hello Deepak,

We have created repository-specific attributes not only for password, but also for validity, locked values and many others. In addition one has to copy and change the Hook tasks.

If SNC is not an option you have to make an RFC call yourself. In this document the procedure is mentioned:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/668e6629-0701-0010-7ca0-994cb7dec...

"Set a productive password: The user is created with an initial password that needs to be changed the first time the user logs on. However, there may be cases where you want to set up a user that initially has a productive password. Technically this is not possible, therefore in this case, you have to create the user with an initial password and then change it using the function module SUSR_USER_CHANGE_PASSWORD_RFC."

Edit: Almost forgot to mention this thread: http://scn.sap.com/thread/3418477

It isn't standard, that is true, but asking provokingly and rhetorically: Who uses an unchanged SAP IdM anyway?! I always liked the flexibility of SAP IdM, and a lot of processes wouldn't work without changing

Best regards

Dominik

Former Member
0 Kudos

Hi Dominik

Thanks for your prompt reply.

From a fresh start, I want to simply manage the users and their passwords already in SAP ECC through IDM.

I know about the new users during provisioning, but I am not very clear about the existing users.

Could you please give your views in detail?

Regards

Deepak

former_member2987
Active Contributor
0 Kudos

Deepak,

There's no real difference.  If you want to prevent a password that's already in the system from being overwritten, you can use the "." prefix in the destination tab of the pass to prevent overwriting the attribute or use a script to process the value.

If you need to do something different, please put the details in a new thread.

Matt