on 02-15-2017 10:45 AM
Hi everybody,
Rem: This post is the last hope before forwarding the question to SAP support.
For a long time I have seen that my productive SLD_DS_PIP user (PI productive user) is being locked spontaneously. In the HTTP log I see
10:09:12 PM ] - 190.160.90.83 : POST /sld/ds HTTP/1.1 401 1734
The time is the same as the lock time in ABAP.
SM21 also shows in this time that SAPJSF locked SLD_DS_PIP.
So, no more doubts that some service from 190.160.90.83 calls my productive PI with path /sld/ds by using SLD_DS_PIP with incorrect password.
But I cannot identify what service uses wrong credentials.
The calling system has ABAP and Java (not dual stack) and a diagnostic agent.
I checked the following settings:
In ABAP: sldapicust, sldcheck, SM59 - SLD* rfcs. PI development is determined everywhere.
In Java: NWA - Security - destinations, NWA - Infrastructure - SLD Data supplier config.
In the DAA config I see that it uses the PI development system as an SLD host in the runtime.properties file.
I thought that it could be some problem with the Java cache and configuration, but my calling system is backed up in offline mode every weekend. Technically we reboot it every weekend.
Could anyone help me identify the cause of this locking? What else should I check?
I've worked with many notes, the most helpful was 1665838, and many posts with similar issue, but no luck.
Best regards,
Artem
Hello Artem,
In the AS Java system running on 190.160.90.83, in its destinations configuration, have you already checked its SLD data supplier destination ('SLD_DataSupplier')? Which user account is used there? Reason why I ask this, is that normally, URI '/sld/ds' is used by Java-based SLD data suppliers, so my first guess would be to check all AS Java systems running on the mentioned host, in regards to their SLD data supplier destinations configuration.
AS ABAP systems' SLD data supplier doesn't send requests over HTTP(S) (doesn't make POST request to '/sld/ds'), but uses RFC connection instead (and sends calls to the gateway), so I would not be concerned about them.
What makes me concerned is, that you see SLD_DS_PIP being locked by SAPJSF. SAPJSF is the user, which is mainly used in dual-stack systems in ABAP/Java stack internal communication, it has no relation to SLD data supplier process. Can you get more details about user lock evidences that you see for this, in regards to SAPJSF activity (for example, from security audit log - SM20)? It is to verify if this is at all SLD data supplier that uses incorrect credentials, or the user SLD_DS_PIP becomes locked prior to SLD data supplier job run due to some other reason. SLD_DS_PIP being locked by SAPJSF makes me assume, that HTTP POST requests to '/sld/ds' may not be a reason for locking SLD_DS_PIP, but consequence of another processing locking SLD_DS_PIP earlier and resulting calls to '/sld/ds' to end with HTTP 401 status code because SLD_DS_PIP is already locked by that time.
Another question is: how frequently the user becomes blocked? Is there any periodicity observed?
Regards,
Vadim
Hi,
I know it has been a long time, but some update on this one?
artem.ivashkin2, did you report to your VAR or SAP that time?
Thanks a lot.
Dimitri
Hello Artem,
Did you get any solution for this issue?
Even I am facing the same issue in our environment.
Regards,
Saket
Hello Vadim,
Thank you for the answer!
Sorry for the late reply, I haven't received any notifications from SCN about your reply.
Regarding your questions I should say that data supplier destination was checked here:
In Java: NWA - Security - destinations, NWA - Infrastructure - SLD Data supplier config.
I use hostname of my PI dev. system and SLD_DS_PID (development system user).
You are totally right about the usage of SAPJSF for dual-stack systems. SAPJSF is a communication user which manages users at UME, so if you lock SLD_DS_PIP in ABAP, SAPJSF depicts these changes on the Java side and vice versa: if SLD_DS_PIP is being locked on the Java side, SAPJSF locks it in ABAP. That's why I concluded that it is being locked on the Java side.
I switched on audit logs in SM19, but I don't think we could see there something useful, since it just shows
SAPJSF localhost SAPMSSY1 Logon Failed (Reason = 53, Type = U)
SAPJSF localhost SAPMSSY1 Successful RFC Call SYSTEM_RESET_RFC_SERVER (Function Group = SYSU)
SAPJSF localhost SAPMSSY1 Successful RFC Call SUSR_GET_ADMIN_USER_LOGIN_INFO (Function Group = SUSO)
SAPJSF localhost SAPMSSY1 Successful RFC Call SYSTEM_RESET_RFC_SERVER (Function Group = SYSU)
SAPJSF localhost SAPMSSY1 Successful RFC Call SUSR_CHECK_LOGON_DATA (Function Group = SUSO)
This information is almost similar to SM21. Maybe you could advise what options I should tick in order to get the needed information?
I see that there are no failed attempts prior to 190.160.90.83 in the HTTP access log on the Java side.
Regards,
Artem
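The cause-or-consequence question raised in Vadim's reply, together with the access-log check Artem describes, can be scripted. This is an added example, not part of the original thread: it splits the 401 responses on `/sld/ds` into those at or before the lock time and those after it, per source address. The date prefix on the log lines, the function names and the lookback and slack windows are assumptions, and the sample lines are constructed from the single entry quoted in the first post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed layout: the entry quoted in the thread plus a date prefix.
# Adjust LINE and TS_FORMAT to the real access log.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+?)\s*\] - (?P<ip>\S+) : \S+ (?P<path>\S+) "
    r"HTTP/\S+ (?P<status>\d{3}) \d+"
)
TS_FORMAT = "%b %d, %Y %I:%M:%S %p"

# Constructed sample lines (192.0.2.10 is a documentation address).
SAMPLE = [
    "[Feb 14, 2017 10:05:00 PM ] - 192.0.2.10 : POST /sld/ds HTTP/1.1 200 512",
    "[Feb 14, 2017 10:09:10 PM ] - 190.160.90.83 : POST /sld/ds HTTP/1.1 401 1734",
    "[Feb 14, 2017 10:09:11 PM ] - 190.160.90.83 : POST /sld/ds HTTP/1.1 401 1734",
    "[Feb 14, 2017 10:09:12 PM ] - 190.160.90.83 : POST /sld/ds HTTP/1.1 401 1734",
    "[Feb 14, 2017 10:09:13 PM ] - 190.160.90.83 : GET /sld HTTP/1.1 401 1734",
]

def parse(line):
    """Return (timestamp, ip, path, status), or None if the line does not match."""
    m = LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT)
    return ts, m["ip"], m["path"], int(m["status"])

def classify_lock(lines, lock_time, path="/sld/ds",
                  lookback=timedelta(hours=1), slack=timedelta(seconds=2)):
    """Count 401s on `path` per source IP, before and after the lock time."""
    before, after = Counter(), Counter()
    for ts, ip, req_path, status in filter(None, map(parse, lines)):
        if req_path != path or status != 401:
            continue
        if lock_time - lookback <= ts <= lock_time + slack:
            before[ip] += 1   # failed logons that could have driven the lock
        elif ts > lock_time + slack:
            after[ip] += 1    # rejected because the user was already locked
    if before:
        verdict = "http-caller-plausible-cause"
    elif after:
        verdict = "lock-preceded-401s"
    else:
        verdict = "no-401s"
    return verdict, dict(before), dict(after)

if __name__ == "__main__":
    print(classify_lock(SAMPLE, datetime(2017, 2, 14, 22, 9, 12)))
```

Take the lock time from SM21 or SM20 on the ABAP side; a `lock-preceded-401s` result points away from the `/sld/ds` caller and toward whatever consumed the failed-logon counter earlier.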