
Check SLD access for PIAFUSER


Hi all, we're trying to run the configuration wizard for PI 7.4 and to connect to a remote SLD hosted on a Solman 7.1.

I have created all the PI* related users on the central SLD system using the template PIAFUSER (not PIAFUSER<SID> or PIAF<SID>) and ran the config, but we get an error in step 143 out of 330: Check SLD access for PIAFUSER.

The only strange thing is that any login attempt in the Identity Management of the Java stack works successfully (therefore user is not locked) even if no users in the UME can be found...

User not locked (login attempts work successfully, as already said), software component updated to the last version available in Marketplace (I'm working on a 7.4 stack 15).

Any help would be appreciated.

Thanks in advance.

Regards

Accepted Solutions (0)

Answers (4)



Benedikt, yes, of course we restarted the AS.

We managed to resolve the issue related to PIAFUSER by following these steps:

Looking in the security audit log located at OS level in \usr\sap\<SID>\DVEBMGS90\j2ee\cluster\server0 we found this:

#1.5#00155D80C415006200000013000022B0000539286C9FFE81#1470220667454#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D589C11E68A6200000B270046#5140E85F596611E6971C00000B270046-0#259e3f85589d11e6980f00000b270046#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterCR#SAP-J2EE-Engine#administrators#

#1.5#00155D80C415006200000014000022B0000539286CA00227#1470220667455#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D589C11E68A6200000B270046#5140E85F596611E6971C00000B270046-0#259e3f85589d11e6980f00000b270046#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterLD#

#1.5#00155D80C415006200000015000022B0000539286CA00381#1470220667456#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D589C11E68A6200000B270046#5140E85F596611E6971C00000B270046-0#259e3f85589d11e6980f00000b270046#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterNR#SAP-J2EE-Engine#administrators#

#1.5#00155D80C415006200000016000022B0000539286CA006FA#1470220667457#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D589C11E68A6200000B270046#5140E85F596611E6971C00000B270046-0#259e3f85589d11e6980f00000b270046#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterAll#


Once we assigned these roles to the user, the problem still popped up.

By using the VisualAdmin feature shown in the image below (Assign application roles to user groups) we managed to solve the issue for the PIAFUSER.


Now in the CTC Wizard the same error message comes up for the next user, PIIUSER, and the same steps used before do not work.


Thanks
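The audit entries quoted in the post above are '#'-delimited records: a message template containing placeholders ({0}, {1}, ...), followed by the argument count and the arguments themselves, so the application, the failed J2EE security role and any referenced engine role are recoverable mechanically. The following parser is an added example and not code from the thread or from SAP; the field positions it assumes (epoch-millisecond timestamp in field 3, user in field 7, severity in field 17) are taken from the layout of the entries above, and the sample records are constructed copies of those four lines with the long record and session IDs shortened.

```python
"""Parse SAP AS Java security audit log records and list failed J2EE role checks.

Added example, not code from the thread. Assumed record layout (read off the
entries posted above): '#'-separated fields, field 3 = epoch-ms timestamp,
field 7 = user, field 17 = severity; the message template is the field that
contains "{0}" and is followed by the argument count and the arguments.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: four records in the shape of the audit entries above,
# with the long record/session IDs shortened for readability.
SAMPLE_LOG = """\
#1.5#00155D80C4150062000013#1470220667454#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D#5140E85F-0#259e3f85#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterCR#SAP-J2EE-Engine#administrators#
#1.5#00155D80C4150062000014#1470220667455#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D#5140E85F-0#259e3f85#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterLD#
#1.5#00155D80C4150062000015#1470220667456#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D#5140E85F-0#259e3f85#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterNR#SAP-J2EE-Engine#administrators#
#1.5#00155D80C4150062000016#1470220667457#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.audit#PIAFUSER#91##62926A2D#5140E85F-0#259e3f85#SAPEngine_Application_Thread[impl:3]_35##0#0#Error#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.ERROR#sap.com/com.sap.lcr*sld#LcrInstanceWriterAll#
"""


@dataclass
class AuditEntry:
    timestamp: datetime
    user: str
    severity: str
    template: str
    args: List[str]
    message: str          # template with {n} placeholders substituted

    @property
    def is_access_error(self) -> bool:
        # Authorization failures carry ACCESS.ERROR as the first argument.
        return self.severity == "Error" and self.args[:1] == ["ACCESS.ERROR"]


@dataclass
class RoleFailure:
    application: str                          # e.g. sap.com/com.sap.lcr*sld
    role: str                                 # application security role
    referenced: Optional[Tuple[str, str]]     # (engine, role) the app role maps to


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one audit record; return None for lines that do not fit the layout."""
    if not line.startswith("#1.5#"):
        return None
    f = line.split("#")
    try:
        ts = datetime.fromtimestamp(int(f[3]) / 1000, tz=timezone.utc)
        user, severity = f[7], f[17]
    except (ValueError, IndexError):
        return None
    # The template is the first field containing "{0}"; the next field is the
    # argument count, then the arguments follow in order.
    idx = next((i for i, x in enumerate(f) if "{0}" in x), None)
    if idx is None or idx + 1 >= len(f):
        return None
    template = f[idx]
    try:
        n = int(f[idx + 1])
    except ValueError:
        return None
    args = f[idx + 2: idx + 2 + n]
    if len(args) != n:
        return None
    message = template
    for i, a in enumerate(args):
        message = message.replace("{%d}" % i, a)
    return AuditEntry(ts, user, severity, template, args, message)


def failed_roles(log_text: str) -> Dict[str, List[RoleFailure]]:
    """Map each user to the J2EE security roles whose check failed for them."""
    out: Dict[str, List[RoleFailure]] = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or not e.is_access_error:
            continue
        if "security role [{1} : {2}]" not in e.template:
            continue  # some other ACCESS.ERROR shape; not a role-assignment check
        ref = (e.args[3], e.args[4]) if len(e.args) >= 5 else None
        out[e.user].append(RoleFailure(e.args[1], e.args[2], ref))
    return dict(out)


if __name__ == "__main__":
    for user, failures in failed_roles(SAMPLE_LOG).items():
        print(user)
        for fl in failures:
            ref = " -> %s:%s" % fl.referenced if fl.referenced else ""
            print("  %s : %s%s" % (fl.application, fl.role, ref))
```

Run against the real server0 log the same way (read the file, call failed_roles) to get, per user, the exact application roles the engine rejected; that is the list to compare against what was actually assigned in the UME or VisualAdmin before retrying the CTC step.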



SLD log in the remote system:

#0 08/01/2016 16:45:20.875 [SAPEngine_Application_Thread[impl:3]_1] INFO com.sap.lcr.start.StartDirector: SLD application started successfully.

dev_icm in the remote system:

[Thr 1928] Mon Aug 01 17:20:07 2016

[Thr 1928] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1928]  {000002a2} [icxxconn.c 2108]

Since the warning listed above, coming from dev_icm, is OAC0-related, I think that the SLD doesn't receive any login attempt at all...

benedikt_bludau2
Participant

I think the parameter gw/acl_mode = 1 is set in your remote system, right?

You can check this with transaction RZ11 or report RSPARAM in the remote system.

1 = enable security check

0 = disable security check.

https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/ad5b358bc96744e10000000a421937/content.htm?orig...

This is a dynamic parameter; you can change the value without restarting the system, but you have to restart the ICM. You can do this with transaction SMICM.

Of course it's better to maintain the security rules instead of disabling the check. But you can check whether this is your problem.

regards,

Benedikt


Hi Benedikt,

unfortunately we've already tried to set the value, without any result.

The same error occurred.

benedikt_bludau2
Participant

Did you restart the system after setting the parameter to 0?


Yep, I noticed that a role in the ABAP stack is a group in Java. I've already assigned the SAP_SLD_CONFIGURATOR role to all users (PIAFUSER, PIRWBUSER, PIISUSER, PIDIRUSER, PIREPUSER and PIAPPLUSER). Restarted the AS Java and tried to retry the step, without any success.

P.S.: The SAPJSF user on Solman has the SAP_BC_JSF_COMMUNICATION_RO (read only) role assigned.

The only way to lock/unlock users as you suggested was to give it the SAP_ALL profile, but this attempt also gave no results. Same error when we retry the step of the CTC Wizard.

Thanks

mate_moricz
Advisor

Hi Marco,

I assume you already checked if the SAP_SLD_CONFIGURATOR role is assigned to the user.

Can you clarify the following sentence?

"The only strange thing is that any login attempt in the Identity Management of the Java stack works successfully (therefore user is not locked) even if no users in the UME can be found..."

What do you mean no users in the UME can be found?

Regards,

Mate


Hi Mate,

yes, the role is already assigned to the users, at least on the Java part.

By "even if no users in the UME can be found" I meant that the users had been created via ABAP transaction SU01 of the Solution Manager, and they're also visible in the Identity Management of the same system when selecting the ABAP data source from the dropdown menu.

If we instead select UME from the dropdown menu no users are displayed.

That said, with those users we are able to successfully log in through http://hostname:port/nwa, which clearly means that they also exist in the Java part.

Thanks

benedikt_bludau2
Participant

Hi Marco,

that's normal. On a dual-stack system (ABAP + Java), you have two user administrations.

Your users are in the ABAP stack, and the Java stack reads the users from the ABAP stack via the RFC connection UMEBackendConnection. Check whether this connection is working fine.

Hope it's clear now?

Try to set the permissions with the NWA. Then lock and unlock the user again. This should be the same as with SU01 in the ABAP stack, but in the past I had similar problems, and this was the solution.


Edit: A role in the ABAP stack and a role in the Java stack aren't the same. A role from the ABAP stack is a group in the Java stack. Give the role SAP_SLD_CONFIGURATOR with the NWA, and try again.


regards,

Benedikt


Yes, I already checked the RFC connection as stated in the SAP Notes I found, and yes, it works.

The only thing we changed in the UMEBackendConnection is the new client value after an SCCL client copy, to change the default client from 001 to 100, as the customer requested.

The UMEBackendConnection RFC on the PI system still needs to point to localhost, even if we chose to configure a remote SLD during the initial Configuration CTC Wizard, right?

We've tried to lock the user as you suggested and we got this: "Attribute "lockreason" on namespace "com.sap.security.core.usermanagement" of principal "UACC.R3_DATASOURCE.PIAFUSER" is not modifiable."

Need to investigate this...

Thanks

benedikt_bludau2
Participant

Yes, the RFC destination is right on localhost. I think your SLD problems are in the remote SLD system. Please check the user PIAFUSER in the remote system. You can also check the system log from the NWA in the remote system.

Check the SLD log from the remote system.

Open SLD in the remote system --> administration --> log

It is possible that you have security settings which deny the access. Please also check the log dev_icm in the remote system. You can find the log in the work directory at operating system level (/usr/sap/PIT/DVEBMGSXX/work/dev_icm).

regards,

Benedikt