Former Member

Setting a productive password in ABAP System

Hello all,

I've already written a post about this issue, but now I have an update.

Before when I tried to do a reset password I got this message : "Password for user xxxx changed, but not set as productive"

Now I don't get the message for the repository on which I have configured the SNC (which is normal) but in the SAP System the password is still initial.

Here is the setup of my Communication user between IDM and SAP System :

User Type : communication

Auth : SAP_ALL / SAP_NEW + SAP_BC_SEC_IDM_COMMUNICATION + SAP_BW_DEVELOPER (Just to be sure the user has everything needed, I'm thinking to S_USER_GRP with activity 'PP')

SU01 : SNC tab configured

As I don't get the error message in Identity Center that the password is not sent as productive I think the SNC is correctly set up.

To me the User is also correctly setup.

I've added the entry in the table: USRACLEXT

I put sequence number 000 (I don't know what it is) and p:CN=IDM, OU=SAP, C=DE (as when I registered my PSE).

What did I miss?

I'm using HTTP instead of HTTPS connection for IDM, does it matter ?

Thx for your help.

Nicolas.

 


7 Answers

  • Best Answer
    Sep 24, 2013 at 05:46 AM

    Hello Nicolas,

    Generally we check the prerequisites below for setting a productive password on ABAP systems:

    • SAP Note 1287410 is applied in target ABAP system.
    • SNC is configured properly:

    You can refer to section Appendix D of the provisioning framework configuration guide for all the detailed step-by-step configuration that needs to be done:

    http://help.sap.com/saphelp_nwidmic_72/helpdata/en/60/d52bd1fd944aa5959a7245e64842a4/content.htm?frameset=/en/31/5f995557b94d0b8d8abd39fdcb18b7/frameset.htm

    There is also a part, "Testing the connection", under this section, which introduces how to verify the SNC connection setup.

    

    • ProductivePwd flag is set, for example, on the CreateABAPUser task. Or on the modify task accordingly.

    You can also get the information from SAP note 1602902 and 1575445.

    If all of these are correct, you can then try to follow KBA note 1894092 to trace the detailed parameters IDM uses to call the ABAP BAPI, and then debug the BAPI in the target system accordingly if possible.

    Hope this is helpful for you.

    BR, Keith


  • Sep 25, 2013 at 04:42 AM

    Hi Nicolas

    You can enable the trace from IDM by creating the system environment variables:

    RFC_TRACE = 1
    CPIC_TRACE = 3

    - Testing the Connection

    http://help.sap.com/saphelp_nwidmic_72/helpdata/en/55/0b0d63cd1c49eda934409899e40a60/content.htm?frameset=/en/31/5f995557b94d0b8d8abd39fdcb18b7/frameset.htm

    I take it you are following the setup from?

    - Appendix D: Configuring the ABAP Connector to Use SNC
    http://help.sap.com/saphelp_nwidmic_72/helpdata/en/60/d52bd1fd944aa5959a7245e64842a4/content.htm?frameset=/en/31/5f995557b94d0b8d8abd39fdcb18b7/frameset.htm

    Are the certificates exchanged okay?

    Also, this gets missed sometimes:

    - Creating Credentials

    http://help.sap.com/saphelp_nwidmic_72/helpdata/en/d8/b50371667740e797e6c9f0e9b7141f/content.htm?frameset=/en/31/5f995557b94d0b8d8abd39fdcb18b7/frameset.htm

    Set the SECUDIR variable and make sure the command is executed on the IDM host; the [<NT_Domain>\]<user_ID> should be that of the user that runs the mx_dispatcher service.

    sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

    Rgrds
    Craig


  • Sep 24, 2013 at 12:27 PM

    Oh, now that looks like the connection can't be established. I just re-read your start post and I think I misunderstood the part:

    Before when I tried to do a reset password I got this message : "Password for user xxxx changed, but not set as productive"

    Now I don't get the message for the repository on which I have configured the SNC (which is normal) but in the SAP System the password is still initial.

    I thought you meant, that the password is changed, but just put on "initial", so the user has to change it with the next login. But it's not at all changed, because IDM can't even connect to the system.

    This is the only task that uses an RFC connection in your IdM landscape?

    Regards,

    Steffi.


  • Sep 24, 2013 at 09:04 AM

    Hello Nicolas,

    for the IdM communication user that is used to log on to the AS ABAP, you must also maintain the SNC tab in SU01 with the SNC identity of the IdM application (maintained in the repository in the MMC).

    Regards,

    Chris


  • Former Member
    Sep 24, 2013 at 09:06 AM

    Hi Nicolas,

    Ensure that SNC is properly set; please follow the steps to check that in the link given by Keith below.

    Once you confirm SNC is properly set, check the following.

    Check the last modified by field & timestamp of that user in the target system!

    This is to ensure that SAP IDM has provisioned the password for the user in the target system.

    Say the user entry is changed by the IDM communication user & the password is still the same as the initial password in the target SAP System; then please check whether the password reset task is updating the MX_ENCRYPTED_PASSWORD attribute in SAP IDM or not.

    Next step is to verify the hook task that is called to provision password to ABAP repository.

    I presume you will be using a script to call the password reset task of repository from framework once the MX_ENCRYPTED_PASSWORD is updated.

    Verify the script.

    My suggestion may not give you a technical answer, but might help you to drill down the issue.

    All the best.

    Thanks,

    Krishna.


  • Sep 24, 2013 at 09:12 AM

    Hello Nicolas,

    you said, the password is indeed changed, just not set to productive. So doesn't that mean the connection user is configured correctly? If something is wrong on that end, the password change shouldn't be possible at all.

    Or am I missing something? 😕

    Regards,

    Steffi.


  • Former Member
    Sep 25, 2013 at 09:10 AM

    Here is the trace file :

    *** Trace file opened at 20130925 110443 Romance Daylight Time, by java
    **** Versions SAP-REL 720,0,91 RFC-VER nU 3  MT-SL


    >>> RfcOpenEx ...
    Got following connect_param string:
       CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 ASHOST=unbd2.eib.electrabel.be SNC_PARTNERNAME=p:CN=BD2, OU=Development, O=eib.electrabel.be, C=BE SNC_QOP=1 SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE SNC_LIB=C:\sap\IdM\Identity Center\SAPCrypto\sapcrypto.dll SNC_MODE=1 TOUPPER=0
    <<< RfcOpenEx failed


    • Former Member

      Hi Nicolas,

      I don't think the version mismatch will cause a problem.

      Anyway, you have raised a ticket; please keep us posted 😊

      Thanks,

      Krishna.
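
The connect string in the trace file above cannot be split on spaces, because the SNC names and the SNC_LIB path contain spaces themselves. The parser and consistency check below are an added example, not part of the thread or of SAP's tooling; the function names, the key-boundary rule and the name-comparison rule are this example's assumptions.

```python
import re

# A key starts the line or follows whitespace that is not part of a
# ", "-separated DN (assumption: DN components are written "CN=x, OU=y").
KEY = re.compile(r"(?:^|(?<![,\s])\s+)([A-Z][A-Z0-9_]*)=")

# SNC quality-of-protection levels.
QOP = {"1": "authentication only", "2": "integrity protection",
       "3": "privacy protection", "8": "default", "9": "maximum"}

# Connect string copied from the trace file posted above.
TRACE_LINE = (r"CLIENT=100 USER=SAP_IDM2 PASSWD=******* LANG=EN SYSNR=00 "
              r"ASHOST=unbd2.eib.electrabel.be SNC_PARTNERNAME=p:CN=BD2, "
              r"OU=Development, O=eib.electrabel.be, C=BE SNC_QOP=1 "
              r"SNC_MYNAME=p:CN=IDM, OU=SAP, C=DE SNC_LIB=C:\sap\IdM\Identity "
              r"Center\SAPCrypto\sapcrypto.dll SNC_MODE=1 TOUPPER=0")

def parse_connect_params(line):
    """Split an RfcOpenEx connect string into {KEY: value}."""
    line = line.strip()
    hits = list(KEY.finditer(line))
    params = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        params[m.group(1)] = line[m.end():end].strip()
    return params

def norm_snc_name(name):
    """Collapse spacing after commas (this example's comparison rule)."""
    return ",".join(part.strip() for part in name.split(","))

def snc_findings(params, registered_name):
    """Compare the SNC settings IdM sent with the name registered in ABAP."""
    findings = []
    for key in ("SNC_LIB", "SNC_PARTNERNAME", "SNC_MYNAME"):
        if not params.get(key):
            findings.append(f"{key} is missing")
    if params.get("SNC_MODE") != "1":
        findings.append("SNC_MODE is not 1, so the connection does not use SNC")
    mine = params.get("SNC_MYNAME", "")
    if mine and norm_snc_name(mine) != norm_snc_name(registered_name):
        findings.append(f"SNC_MYNAME {mine!r} differs from {registered_name!r}")
    qop = params.get("SNC_QOP")
    if qop in ("1", "2"):
        findings.append(f"SNC_QOP={qop} ({QOP[qop]}): RFC data is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in snc_findings(parse_connect_params(TRACE_LINE),
                                "p:CN=IDM, OU=SAP, C=DE"):
        print(finding)
```

Pass the name exactly as it is entered in USRACLEXT and on the SU01 SNC tab as `registered_name`; a clean result here only shows that the client-side parameters are consistent, not that the certificates have been exchanged.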