
Setting a productive password in ABAP System

Former Member
0 Kudos

Hello all,

I've already written a post about this issue, but now I have an update.

Before when I tried to do a reset password I got this message : "Password for user xxxx changed, but not set as productive"

Now I don't get the message for the repository on which I have configured the SNC (which is normal) but in the SAP System the password is still initial.

Here is the setup of my Communication user between IDM and SAP System :

User Type : communication

Auth : SAP_ALL / SAP_NEW + SAP_BC_SEC_IDM_COMMUNICATION + SAP_BW_DEVELOPER (Just to be sure the user has everything needed, I'm thinking to S_USER_GRP with activity 'PP')

SU01 : SNC tab configured

As I don't get the error message in Identity Center that the password is not sent as productive I think the SNC is correctly set up.

To me the User is also correctly setup.

I've added the entry in the table: USRACLEXT

I put sequence number 000 (I don't know what it is) and p:CN=IDM, OU=SAP, C=DE (as when I registered my PSE).

What did I miss?

I'm using HTTP instead of HTTPS connection for IDM, does it matter ?

Thx for your help.

Nicolas.

 

Accepted Solutions (1)

keith_zhang
Active Participant
0 Kudos

Hello Nicolas,

Generally we checked below prerequisites for setting productive pwd to ABAP systems:

  • SAP Note 1287410 is applied in target ABAP system.
  • SNC is configured properly:

You can refer to section Appendix D from provisioning framework configuration guide about all the detail step by step configurations need to do:

http://help.sap.com/saphelp_nwidmic_72/helpdata/en/60/d52bd1fd944aa5959a7245e64842a4/content.htm?fra...

There is also a part "Testing the connection" under this section, introduces how to verify the SNC connection set up.

  • ProductivePwd flag is set, for example, on the CreateABAPUser task. Or on the modify task accordingly.

You can also get the information from SAP note 1602902 and 1575445.

While if all of these are correct, you can then try to follow KBA note 1894092 to trace the detail parameters IDM uses to call the ABAP BAPI, and then debug the BAPI in target system accordingly if possible.

Hope these are helpful for you.

BR, Keith

Answers (6)

Former Member
0 Kudos

Here is the trace file :

*** Trace file opened at 20130925 110443 Romance Daylight Time, by java
**** Versions SAP-REL 720,0,91 RFC-VER nU 3  MT-SL


>>> RfcOpenEx ...
Got following connect_param string:
   CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 ASHOST=unbd2.eib.electrabel.be SNC_PARTNERNAME=p:CN=BD2, OU=Development, O=eib.electrabel.be, C=BE SNC_QOP=1 SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE SNC_LIB=C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll SNC_MODE=1 TOUPPER=0
<<< RfcOpenEx failed

Former Member
0 Kudos

Another Log

Former Member
0 Kudos

Hi Nicolas,

In your repository constants JCO_CLIENT_SNC_LIB is "C:\sap\idM\Identity Center\SAPCrypto\sapcrypto.dll"

But in the RFC error, it's only till "C:\sap\idM\Identity Center\SAPCrypto"

Can you check from this end !!

Thanks.,

Krishna.

Former Member
0 Kudos

Are you sure you are using the correct user ?

Because you have used the user SAP_IDM in the repository constant.

But in the RFC Trace file, user is coming as SAP_IDM2

Thanks,

Krishna.

Former Member
0 Kudos

I'm doing several tests with different users to check all possibilities.

Did you already succeed in configuring SNC?

If yes, what document did you use ? (you already sent me the help.sap link).

ChrisPS
Contributor
0 Kudos

Hi Nicolas,

as Krishna said the Jco at runtime is unable to load sapcryptolib to invoke SNC based on the trace. See wiki at

http://wiki.scn.sap.com/wiki/display/Security/Securing+Connections+to+AS+ABAP+with+SNC

the secudir environmental variable on the host running the SAPJco must point to the sapcrypto library. This is the probable cause here.

Tks,

Chris

Former Member
0 Kudos

Hi Nicolas,

We have SNC configured & the system is up and running from quite a long time

I have used the Identity Management for SAP System Landscapes: Configuration Guide .( This doc contains the same as what I have shared with you earlier)

Luckily we didn't run into any problems during the configuration.

Thanks,

Krishna.

ChrisPS
Contributor
0 Kudos

Also include full path to the sapcrypto dll file i.e. include the filename also when setting secudir 😉

Former Member
0 Kudos

Windows "Environments Variables" Secudir shouldn't point there ?

C:\sap\IdM\Identity Center\SAPCrypto\sec

but C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll

Can you confirm this ?

Former Member
0 Kudos

Hi Nicolas,

The SECUDIR variable should point to C:\sap\IdM\Identity Center\SAPCrypto\sec which should contain the file cred_v2.

Thanks,

Krishna.

Former Member
0 Kudos

It's what I have.

We are going to check the sapcrypto.dll because it seems we are using 2 different versions (one from 2010 and the other from 2013).

I'll let you know.

ChrisPS
Contributor
0 Kudos

Hi Nicolas - yes Krishna is correct that secudir should point to the location of the PSE files and cred_v2. The Repository constant JCO_CLIENT_SNC_LIB should be C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll - my bad 😉 Think I was having a senior moment in my last reply.

Chris
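
An added example (not code from any poster in this thread): a Python check that parses a connect_param line like the one in the RFC trace posted above and compares it with the points raised in the replies (logon user, full path in SNC_LIB, SECUDIR as a directory, SNC names matching SU01 and snc/identity/as). The function names, the placeholder host and organisation, and the comma-spacing normalisation are assumptions of this example; the .dll check assumes the Windows host described in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the connect_param line in the trace above;
# the host and organisation are placeholders.
TRACE_LINE = (
    r"CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 "
    r"ASHOST=abap.example.test SNC_PARTNERNAME=p:CN=BD2, OU=Development, "
    r"O=example.test, C=BE SNC_QOP=1 SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE "
    r"SNC_LIB=C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll "
    r"SNC_MODE=1 TOUPPER=0"
)

# A parameter key starts the line or follows whitespace that does not come
# after a comma, so DN parts such as ", OU=..." stay inside the SNC name.
KEY = re.compile(r"(?:^|(?<![,\s])\s+)([A-Z][A-Z0-9_]*)=")

def parse_connect_params(line):
    """Split a connect_param string into a dict, keeping spaced values whole."""
    hits = list(KEY.finditer(line))
    params = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        params[m.group(1)] = line[m.end():end].strip()
    return params

def norm_snc(name):
    # Assumption of this example: spacing around commas is ignored when comparing.
    return re.sub(r"\s*,\s*", ",", name.strip())

def check_snc(params, repo_user, su01_snc_name, abap_snc_identity, secudir):
    """Return mismatches between the traced call and the intended setup."""
    findings = []
    if params.get("SNC_MODE") != "1":
        findings.append("SNC_MODE is not 1")
    if params.get("USER") != repo_user:
        findings.append("USER differs from the repository constant")
    if PureWindowsPath(params.get("SNC_LIB", "")).suffix.lower() != ".dll":
        findings.append("SNC_LIB is not the full path to the library file")
    if PureWindowsPath(secudir).suffix:
        findings.append("SECUDIR points at a file, not the PSE/cred_v2 directory")
    if norm_snc(params.get("SNC_MYNAME", "")) != norm_snc(su01_snc_name):
        findings.append("SNC_MYNAME differs from the SNC name in SU01")
    if norm_snc(params.get("SNC_PARTNERNAME", "")) != norm_snc(abap_snc_identity):
        findings.append("SNC_PARTNERNAME differs from snc/identity/as")
    return findings
```
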

Former Member
0 Kudos

All set correctly.

The guy from BC opened a ticket because we are pretty sure we've configured everything correctly but we still have an issue.

does it matter that the sapcrypto.dll on unix side and where the dispatcher runs is not the same version ?

Former Member
0 Kudos

Hi Nicolas,

I don't think the version mismatch will cause a problem.

Anyways, you have raised a ticket, Please keep us posted

Thanks,

Krishna.

0 Kudos

Hi Nicolas

You can enable the trace from IDM by creating the system environment variables;

RFC_TRACE = 1
CPIC_TRACE = 3

- Testing the Connection

http://help.sap.com/saphelp_nwidmic_72/helpdata/en/55/0b0d63cd1c49eda934409899e40a60/content.htm?fra...

I take it you are following the setup from?

- Appendix D: Configuring the ABAP Connector to Use SNC
http://help.sap.com/saphelp_nwidmic_72/helpdata/en/60/d52bd1fd944aa5959a7245e64842a4/content.htm?fra...

Are the certificates exchanged okay?

Also this get missed sometime ..

- Creating Credentials

http://help.sap.com/saphelp_nwidmic_72/helpdata/en/d8/b50371667740e797e6c9f0e9b7141f/content.htm?fra...

Set the SECUDIR variable and make sure the command is executed on the IDM host; the [<NT_Domain>\]<user_ID> should be that of the user that runs the mx_dispatcher service.

sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

Rgrds
Craig

Steffi_Warnecke
Active Contributor
0 Kudos

Oh, now that looks like the connection can't be established. I just re-read your start post and I think I misunderstood the part:

Before when I tried to do a reset password I got this message : "Password for user xxxx changed, but not set as productive"

Now I don't get the message for the repository on which I have configured the SNC (which is normal) but in the SAP System the password is still initial.

I thought you meant, that the password is changed, but just put on "initial", so the user has to change it with the next login. But it's not at all changed, because IDM can't even connect to the system.

This is the only task that uses an RFC connection in your IdM landscape?

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

You understood correctly 🙂

In fact I haven't configured the fields in the repository so that's normal it didn't work (the password was sent but as initial).

Now that I have configured the fields I get this error:

My config is this :

I don't see what I forgot.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Nicolas,

at least we're on the same page now. ^^

Is this the only task that uses an RFC connection in your IdM landscape?

Former Member
0 Kudos

Connection between IDM and SAP works when I remove the SNC data.

When I put them back i got the message, so i guess something is wrong with the data.

Does the data seem correct to you ?

Steffi_Warnecke
Active Contributor
0 Kudos

Sadly I can't help you with that, because we don't use that.

Former Member
0 Kudos

Anyway, thank you for trying 🙂

Former Member
0 Kudos

Hi Nicolas,

We have done a similar implementation, and for me your repository constants are maintained properly.

Can you check the SNC Name for the ABAP system in repository constant JCO_CLIENT_SNC_PARTNERNAME corresponds to the SNC name specified in the profile parameter snc/identity/as on the AS ABAP. The reason is when setting the snc/identity/as the Application server's SNC name has to have a matching Distinguished Name, which means that the Distinguished Name section must match the Distinguished Name that you specified when creating the SNC PSE.

To set it up, use RZ10 and then select the instance profile used by the server start-up.

Also ensure that you have set the profile parameter snc/enable to 1, as this activates SNC on the Application Server.


If above mentioned is maintained properly, can you enable the RFC_TRACE and post the trace from the log.

Thanks,

Krishna.

Former Member
0 Kudos

Hello Krishna,

Thanks for the hint !

Rsparam seems good.

I will reconfigure everything from scratch tomorrow, I hope it will work.

I tried to enable the trace, but I don't know where to enable it.

Nicolas.

Former Member
0 Kudos

Hi Nicolas,

To enable trace for the RFC connection, do the following.

- Execute T Code SM59

- expand internal connections

- Double click the RFC connection to which RFC Trace has to be enabled (It will open a new window)

- Select change mode

- Go to "Special Options" tab.

- Under the Trace option, check the field "Set RFC Trace"

Thanks,

Krishna.

Former Member
0 Kudos

I thought a trace in IDM 😉

Nicolas.

Former Member
0 Kudos

Haha !!

It's the trace on the RFC destination on the ABAP system which we are using to connect from IDM.

Thanks,

Krishna.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Nicolas,

you said, the password is indeed changed, just not set to productive. So doesn't that mean the connection user is configured correctly? If something is wrong on that end, the password change shouldn't be possible at all.

Or am I missing something?

Regards,

Steffi.

Former Member
0 Kudos

I've only discovered that I haven't set up this part : http://help.sap.com/saphelp_nwidmic_72/helpdata/en/4e/0d33400d7a411cab99ae5dc881c95d/content.htm?fra...

I used a wiki guide to help me to configure the SNC but it's not so complete.

I hope it will work with this !

I'm not sure what to fill in for those 2 fields :

JCO_CLIENT_SNC_MYNAME

JCO_CLIENT_SNC_PARTNERNAME

I'm really close to the solution 🙂

but not yet 😞

Nicolas.

Former Member
0 Kudos

Hi Nicolas,

SNC My name is your Identity Center’s SNC name

SNC Partner name is your communication partner SNC Name

In our case,

JCO_CLIENT_SNC_MYNAME is p:CN=<IDMSERVER SNC Name>, O=Company, C=SG

JCO_CLIENT_SNC_PARTNERNAME is p:CN=<TargetSapServer SNC Name>, O=Company, C=SG

update the two fields as per your system configuration.

Refer to section 8.4 of SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide for more information


All the best,

Thanks,

Krishna.

Former Member
0 Kudos

I get this :

here is my configuration :

Former Member
0 Kudos

Hi Nicolas,

Ensure that SNC is properly set, please follow the steps to check that in the link given by Keith below for it.

Once you confirm SNC is properly set, check the following.

Check the last modified by field & timestamp of that user in the target system !!

This is to ensure that SAP IDM has provisioned the password for the user in the target system.

Say if the user entry is changed by the IDM communication user and the password is still the same as the initial password in the target SAP System, please check whether the password reset task is updating the MX_ENCRYPTED_PASSWORD attribute in SAP IDM or not.

Next step is to verify the hook task that is called to provision password to ABAP repository.

I presume you will be using a script to call the password reset task of repository from framework once the MX_ENCRYPTED_PASSWORD is updated.

verify the script.

My suggestion may not give you a technical answer, but might help you to drill down the issue.

All the best.

Thanks,

Krishna.

ChrisPS
Contributor
0 Kudos

Hello Nicolas,

for the IdM communication user that is used to logon to the AS ABAP you must also maintain the SNC tab in SU01 with the SNC identity of the Idm application (maintained in the repository in the MMC).

Regards,

Chris