on 06-02-2015 6:20 PM
Hi,
I'm on NW IDM 7.2 SP9, absolute latest patch levels, Windows 2012 / MS SQL 2012. I have the latest SAP Provisioning Framework Version 2 loaded.
In all the documentation I read on the topic of writing back permanent passwords to a NW AS ABAP when a user is newly created in the IDM admin UI, it says I need to configure SNC.
For me that is not a straightforward proposition, as it appears complex and ambiguous in the docs I find (and I need to be aware that my situation is half-way through an SSO implementation, so there is that with the SNC/...insecure settings for the NW AS ABAP, but I digress), and I've never done it and have no security consultant help. But I'm a long-ago Basis-certified person, so I know where to look and can try some things :-).
So, I tried being lazy and provisioned a user without SNC configured between the NW IDM AS JAVA and the NW AS ABAP I am testing with.
Of course the password appears not to arrive in the NW AS ABAP, as the doc warns me it won't without SNC.
In general my setup (NW IDM on NW AS JAVA <-> NW AS ABAP) works fine: I can get users from the ABAP system, and add and remove them from there by driving this from IDM using the privileges and the SAP Provisioning Framework setup.
Here are my questions about this if any of you are game to explain:
I've also read various posts in this community about turning off the password-disabled check in the create and modify ABAP jobs during initial loads, but that seems odd to me; shouldn't the SAP Provisioning Framework just work after all this usage and feedback in the field over the years?
I want to avoid reading an ABAP server user set and then ending up disabling passwords when I modify them in IDM, which right now, to my uninitiated knowledge, seems to be a problem I might have (but I will do some more testing in the lab to see).
Hello Ronald -
- AS Java uses SSL, not SNC, for encryption
- The requirement for SNC for permanent passwords comes from the ABAP server (a check is done there) and is mandatory for setting productive (permanent) passwords; otherwise an initial password will be set for the user that must be changed at first logon
- When you set a password in IdM, this stores it in the attribute MX_ENCRYPTED_PASSWORD, i.e. yes, there is automatic encryption of passwords
In terms of seeing the value of MX_PASSWORD_DISABLED you need to use a display task in the UI with this attribute set as one of the display attributes.
Regards,
Chris
SAP AGS
Hi Chris,
Thanks for responding.
As to MX_ENCRYPTED_PASSWORD, I've found that in my version of the SAP Provisioning Framework V2 the handling of encrypted passwords is commented out in the to and from passes. No documentation to alert one to this, just off. I did a display task on this and found that encrypted passwords are consistently not copied from the NW AS ABAP, or converted to the ENCRYPTED attribute when I make a new user in the UI. Now that I've gone through all the to and from passes and the web tasks, it has become clear to me what is doing what, or not, with the passwords.
I'm cool with it not working, as I initially don't want IDM to do anything with passwords, not the ones it read from the ABAP system, or write them back if the user is made in IDM. However, now we seem to need a document on how to enable the whole thing. If I get some time I'll see if I can add to the SAP PF V2 and make it a selectable option, with or without password management, based on a repository constant one can set.
I add a question to the community:
- keys.ini. Do I need to put the one I make on the IDM JAVA system on the other JAVA or ABAP systems I manage with the IDM? I can only find docs on changing the keys.ini on the IDM system, but all leave it ambiguous whether I need to put this file on the other servers that are managed so they can use the encrypted passwords once I will indeed use them.
keys.ini is used only internally by IdM, so just copy the file to the Portal hosting the UI (just follow the UI-component installation instructions) from under the IdM/MMC installation. Don't copy the file elsewhere as ABAP wouldn't know what to do with it.
The passwords are decrypted by IdM in the Create User or Change Password plugin before sending to ABAP/Java.
regards, Tero
Ronald De Vries wrote:
Hi Chris,
Thanks for responding.
As to MX_ENCRYPTED_PASSWORD, I've found that in my version of the SAP Provisioning Framework V2 the handling of encrypted passwords is commented out in the to and from passes.
If I generate the jobs from the templates I have in my PF2, only the passwords are commented out in the load jobs.
Either way, what is commented out by default (after the job is generated from the template) doesn't matter; you need to enable the attributes in your configuration according to the requirements.
As long as the keys.ini matches in the Portal hosting the UI to the version MMC/runtime uses, the password provisioning works pretty much out of the box (as long as correct fields are enabled).
regards, Tero