on 09-23-2013 5:55 PM
Hello all,
I've already written a post about this issue, but now I have an update.
Before, when I tried to do a password reset, I got this message: "Password for user xxxx changed, but not set as productive"
Now I don't get the message for the repository on which I have configured the SNC (which is normal), but in the SAP system the password is still initial.
Here is the setup of my communication user between IDM and the SAP system:
User Type : communication
Auth: SAP_ALL / SAP_NEW + SAP_BC_SEC_IDM_COMMUNICATION + SAP_BW_DEVELOPER (just to be sure the user has everything needed; I'm thinking of S_USER_GRP with activity 'PP')
SU01: SNC tab configured
As I don't get the error message in Identity Center that the password is not sent as productive, I think the SNC is correctly set up.
To me the user is also correctly set up.
I've added the entry in the table USRACLEXT.
I put sequence number 000 (I don't know what it is) and p:CN=IDM, OU=SAP, C=DE (as when I registered my PSE).
What did I miss?
I'm using an HTTP instead of an HTTPS connection for IDM; does it matter?
Thx for your help.
Nicolas.
Hello Nicolas,
Generally we check the prerequisites below for setting a productive password in ABAP systems:
You can refer to Appendix D of the provisioning framework configuration guide for all the detailed step-by-step configuration that needs to be done:
There is also a part "Testing the connection" under this section, which describes how to verify the SNC connection setup.
You can also get the information from SAP notes 1602902 and 1575445.
If all of these are correct, you can then try to follow KBA note 1894092 to trace the detailed parameters IDM uses to call the ABAP BAPI, and then debug the BAPI in the target system accordingly if possible.
Hope these are helpful for you.
BR, Keith
Here is the trace file :
*** Trace file opened at 20130925 110443 Romance Daylight Time, by java
**** Versions SAP-REL 720,0,91 RFC-VER nU 3 MT-SL
>>> RfcOpenEx ...
Got following connect_param string:
CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 ASHOST=unbd2.eib.electrabel.be SNC_PARTNERNAME=p:CN=BD2, OU=Development, O=eib.electrabel.be, C=BE SNC_QOP=1 SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE SNC_LIB=C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll SNC_MODE=1 TOUPPER=0
<<< RfcOpenEx failed
Hi Nicolas,
as Krishna said, the JCo at runtime is unable to load sapcryptolib to invoke SNC, based on the trace. See the wiki at
http://wiki.scn.sap.com/wiki/display/Security/Securing+Connections+to+AS+ABAP+with+SNC
The SECUDIR environment variable on the host running the SAP JCo must point to the sapcrypto library. This is the probable cause here.
Tks,
Chris
Hi Nicolas,
We have SNC configured, and the system has been up and running for quite a long time.
I have used the Identity Management for SAP System Landscapes: Configuration Guide. (This doc contains the same as what I have shared with you earlier.)
Luckily we didn't run into any problems during the configuration.
Thanks,
Krishna.
Hi Nicolas
You can enable the trace from IDM by creating the system environment variables:
RFC_TRACE = 1
CPIC_TRACE = 3
- Testing the Connection
I take it you are following the setup from?
- Appendix D: Configuring the ABAP Connector to Use SNC
http://help.sap.com/saphelp_nwidmic_72/helpdata/en/60/d52bd1fd944aa5959a7245e64842a4/content.htm?fra...
Are the certificates exchanged okay?
Also, this gets missed sometimes:
- Creating Credentials
Set the SECUDIR variable and make sure the command is executed on the IDM host; the [<NT_Domain>\]<user_ID> should be that of the user that runs the mx_dispatcher service.
sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]
Rgrds
Craig
Oh, now that looks like the connection can't be established. I just re-read your start post and I think I misunderstood the part:
Before, when I tried to do a password reset, I got this message: "Password for user xxxx changed, but not set as productive"
Now I don't get the message for the repository on which I have configured the SNC (which is normal), but in the SAP system the password is still initial.
I thought you meant, that the password is changed, but just put on "initial", so the user has to change it with the next login. But it's not at all changed, because IDM can't even connect to the system.
This is the only task that uses an RFC connection in your IdM landscape?
Regards,
Steffi.
Hi Nicolas,
We have done a similar implementation, and for me your repository constants are maintained properly.
Can you check that the SNC name for the ABAP system in the repository constant JCO_CLIENT_SNC_PARTNERNAME corresponds to the SNC name specified in the profile parameter snc/identity/as on the AS ABAP? The reason is that when setting snc/identity/as, the application server's SNC name has to have a matching distinguished name, which means that the distinguished name section must match the distinguished name that you specified when creating the SNC PSE.
To set it up, use RZ10 and then select the instance profile used by the server start-up.
Also ensure that you have set the profile parameter snc/enable to 1, as this activates SNC on the Application Server.
If the above is maintained properly, can you enable RFC_TRACE and post the trace from the log?
Thanks,
Krishna.
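A quick way to check the points raised so far against the posted trace line, as an added example (Python, not code from the thread or from SAP): it splits the connect_param string of the RFC trace at the known JCo keys (the SNC names themselves contain spaces and commas, so a plain split on whitespace would break them), then checks that SNC_MODE=1 comes with an SNC_LIB that exists on the IdM host, that SNC_MYNAME and SNC_PARTNERNAME use the p: form, that SNC_QOP is a recognised value, and that SNC_PARTNERNAME matches snc/identity/as from the instance profile. The sample trace line is modelled on the one posted above, the profile excerpt is constructed for the example, and the whitespace/case normalization used for the name comparison is a simplifying assumption, not the cryptographic library's own matching rule.

```python
"""Checks on the SNC parameters that show up in an IdM/JCo RFC trace.

Added example for this thread, not SAP code. The trace line is modelled on
the one posted above; the profile excerpt and the SNC_LIB path are assumed.
"""
import os
import re

# Keys JCo/RFC write into the connect_param line. They are needed to split
# the line, because the SNC names themselves contain spaces and commas.
CONNECT_PARAM_KEYS = (
    "CLIENT", "USER", "PASSWD", "LANG", "SYSNR", "ASHOST",
    "SNC_PARTNERNAME", "SNC_QOP", "SNC_MYNAME", "SNC_LIB", "SNC_MODE", "TOUPPER",
)
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(CONNECT_PARAM_KEYS) + r")=")

# SNC_QOP values accepted for RFC: 1 authentication only, 2 integrity,
# 3 privacy, 8 system default, 9 maximum available.
VALID_QOP = {"1", "2", "3", "8", "9"}

# Constructed for the example, modelled on the trace posted in the thread.
SAMPLE_CONNECT_PARAM = (
    "CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 "
    "ASHOST=unbd2.eib.electrabel.be "
    "SNC_PARTNERNAME=p:CN=BD2, OU=Development, O=eib.electrabel.be, C=BE "
    "SNC_QOP=1 SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE "
    "SNC_LIB=C:\\sap\\IdM\\Identity Center\\SAPCrypto\\sapcrypto.dll "
    "SNC_MODE=1 TOUPPER=0"
)

# Constructed instance-profile excerpt (assumed values, not from the thread).
SAMPLE_PROFILE = """\
# instance profile excerpt
snc/enable = 1
snc/identity/as = p:CN=BD2, OU=Development, O=eib.electrabel.be, C=BE
"""


def parse_connect_param(line):
    """Split 'KEY=VALUE KEY=VALUE ...' at the known keys only."""
    matches = list(_KEY_RE.finditer(line))
    params = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        params[m.group(1)] = line[m.end():end].strip()
    return params


def parse_profile(text):
    """Minimal 'key = value' parser for an ABAP instance profile excerpt."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def normalize_snc_name(name):
    """Canonical form for comparing two SNC names.

    Keeps the 'p:' prefix, upper-cases RDN attribute types and trims the
    whitespace around RDNs. Only whitespace and case are normalized; this is
    a simplification, the cryptographic library's own rules are what apply.
    """
    name = name.strip()
    prefix = ""
    if ":" in name.split("=", 1)[0]:
        prefix, _, name = name.partition(":")
        prefix = prefix.strip().lower() + ":"
    rdns = []
    for rdn in name.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().upper() + "=" + value.strip())
    return prefix + ", ".join(rdns)


def check_snc(connect_param, profile_text, path_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    p = parse_connect_param(connect_param)
    prof = parse_profile(profile_text)
    findings = []

    if p.get("SNC_MODE") != "1":
        findings.append("SNC_MODE is not 1: the client is not requesting SNC at all")
        return findings

    lib = p.get("SNC_LIB", "")
    if not lib:
        findings.append("SNC_LIB is empty: JCo has no library to load for SNC")
    elif not path_exists(lib):
        findings.append("SNC_LIB path not found on this host: " + lib)

    if p.get("SNC_QOP") not in VALID_QOP:
        findings.append("SNC_QOP=%r is not one of %s" % (p.get("SNC_QOP"), sorted(VALID_QOP)))

    for key in ("SNC_MYNAME", "SNC_PARTNERNAME"):
        value = p.get(key, "")
        if not value.lower().startswith("p:"):
            findings.append(key + " should be an X.509 name with the 'p:' prefix, got: " + repr(value))

    if prof.get("snc/enable") != "1":
        findings.append("snc/enable is not 1 on the AS ABAP; SNC is not active there")

    server_name = prof.get("snc/identity/as", "")
    if not server_name:
        findings.append("snc/identity/as is not set in the profile excerpt")
    elif normalize_snc_name(server_name) != normalize_snc_name(p.get("SNC_PARTNERNAME", "")):
        findings.append("SNC_PARTNERNAME does not match snc/identity/as: %r vs %r"
                        % (p.get("SNC_PARTNERNAME"), server_name))

    return findings


if __name__ == "__main__":
    for finding in check_snc(SAMPLE_CONNECT_PARAM, SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Run it on the IdM host (where SNC_LIB is supposed to exist) with the real connect_param line from the trace and the snc/* lines from the instance profile; an SNC_LIB finding points at the library-loading problem, a name-mismatch finding at the JCO_CLIENT_SNC_PARTNERNAME / snc/identity/as pair.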
Hi Nicolas,
To enable trace for the RFC connection, do the following.
- Execute transaction code SM59
- expand internal connections
- Double-click the RFC connection for which RFC trace has to be enabled (it will open a new window)
- Select change mode
- Go to "Special Options" tab.
- Under the Trace option, check the field "Set RFC Trace"
Thanks,
Krishna.
Hello Nicolas,
you said the password is indeed changed, just not set to productive. So doesn't that mean the connection user is configured correctly? If something were wrong on that end, the password change shouldn't be possible at all.
Or am I missing something?
Regards,
Steffi.
I've only just discovered that I haven't set up this part: http://help.sap.com/saphelp_nwidmic_72/helpdata/en/4e/0d33400d7a411cab99ae5dc881c95d/content.htm?fra...
I used a wiki guide to help me configure the SNC, but it's not so complete.
I hope it will work with this !
I'm not sure what to fill in for these two fields:
JCO_CLIENT_SNC_MYNAME
JCO_CLIENT_SNC_PARTNERNAME
I'm really close to the solution 🙂
but not yet 😞
Nicolas.
Hi Nicolas,
SNC_MYNAME is your Identity Center's SNC name.
SNC_PARTNERNAME is your communication partner's SNC name.
In our case,
JCO_CLIENT_SNC_MYNAME is p:CN=<IDMSERVER SNC Name>, O=Company, C=SG
JCO_CLIENT_SNC_PARTNERNAME is p:CN=<TargetSapServer SNC Name>, O=Company, C=SG
Update the two fields as per your system configuration.
Refer to section 8.4 of SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide for more information
All the best,
Thanks,
Krishna.
Hi Nicolas,
Ensure that SNC is properly set; please follow the steps in the link given by Keith below to check that.
Once you confirm SNC is properly set, check the following.
Check the "last modified by" field and timestamp of that user in the target system.
This is to ensure that SAP IDM has provisioned the password for the user in the target system.
If the user entry was changed by the IDM communication user and the password is still the same as the initial password in the target SAP system, please check whether the password reset task is updating the MX_ENCRYPTED_PASSWORD attribute in SAP IDM or not.
The next step is to verify the hook task that is called to provision the password to the ABAP repository.
I presume you will be using a script to call the password reset task of the repository from the framework once MX_ENCRYPTED_PASSWORD is updated.
Verify the script.
My suggestion may not give you a technical answer, but it might help you to drill down into the issue.
All the best.
Thanks,
Krishna.
Hello Nicolas,
for the IdM communication user that is used to log on to the AS ABAP, you must also maintain the SNC tab in SU01 with the SNC identity of the IdM application (maintained in the repository in the MMC).
Regards,
Chris