Skip to Content

POST /sld/ds HTTP/1.1

Hi everybody,

Rem: This post is the last hope before forward the question to SAP support.

For a long time I see that my productive SLD_DS_PIP user (pi productive user) is being locked spontaneously. In http log I see

10:09:12 PM ] - 190.160.90.83 : POST /sld/ds HTTP/1.1 401 1734

The time is the same of lock time at ABAP.

SM21 also shows in this time that SAPJSF locked SLD_DS_PIP.

So, no more doubts that some service from 190.160.90.83 calls my productive PI with path /sld/ds by using SLD_DS_PIP with incorrect password.

But I cannot identify what service uses wrong credentials.

The calling system has abap and java (not dual stack) and diagnostic agent.

I checked the following settings:

In ABAP: sldapicust, sldcheck, SM59 - SLD* rfcs. PI development is determined everywhere.

In Java: NWA - Security - destinations, NWA - Infrastructure - SLD Data supplier config.

In DAA config I see that it uses pi development system as an sld host in runtime.properties file.

I though that it could be some problems with Java cache and configuration, but my calling system is being backed-up in offline mode every weekend. Technically we reboot it every weekend.

Could any one help me hot to identify the cause of this locking? What else I should check?

I've worked with many notes, the most helpful was 1665838, and many posts with similar issue, but no luck.

Best regards,

Artem

Add comment
10|10000 characters needed characters exceeded

  • Former Member

    Hello Artem,

    Did you get any resolution for this. Even I am facing same issue in our environment.

    Regards,

    Saket

  • Get RSS Feed

3 Answers

  • Feb 15, 2017 at 12:28 PM

    Hello Artem,

    In the AS Java system running on 190.160.90.83, in its destinations configuration, have you already checked its SLD data supplier destination ('SLD_DataSupplier')? Which user account is used there? Reason why I ask this, is that normally, URI '/sld/ds' is used by Java-based SLD data suppliers, so my first guess would be to check all AS Java systems running on the mentioned host, in regards to their SLD data supplier destinations configuration.

    AS ABAP systems' SLD data supplier doesn't send requests over HTTP(S) (doesn't make POST request to '/sld/ds'), but uses RFC connection instead (and sends calls to the gateway), so I would not be concerned about them.

    What makes me concerned is, that you see SLD_DS_PIP being locked by SAPJSF. SAPJSF is the user, which is mainly used in dual-stack systems in ABAP/Java stack internal communication, it has no relation to SLD data supplier process. Can you get more details about user lock evidences that you see for this, in regards to SAPJSF activity (for example, from security audit log - SM20)? It is to verify if this is at all SLD data supplier that uses incorrect credentials, or the the user SLD_DS_PIP becomes locked prior to SLD data supplier job run due to some other reason. SLD_DS_PIP being locked by SAPJSF makes me assume, that HTTP POST requests to '/sld/ds' may not be a reason for locking SLD_DS_PIP, but consequence of another processing locking SLD_DS_PIP earlier and resulting calls to '/sld/ds' to end with HTTP 401 status code because SLD_DS_PIP is already locked by that time.

    Another question is: how frequently the user becomes blocked? Is there any periodicity observed?

    Regards,

    Vadim

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 17, 2017 at 07:11 AM

    Hello Vadim,

    Thank your for the answer!

    Sorry for the late reply, I haven't received any notifications from SCN about your reply.

    Regarding your questions I should say that data supplier destination was checked here:

    In Java: NWA - Security - destinations, NWA - Infrastructure - SLD Data supplier config.

    I use hostname of my PI dev. system and SLD_DS_PID (development system user).

    You are totally right about usage SAPJSF for dual-stack systems. SAPJSF is a communication user which manages users at UME, so if you lock SLD_DS_PIP in ABAP, SAPJSF depicts this changes on java side and vice versa, if SLD_DS_PIP is being locked at java side SAPJSF locks in ABAP. That's why I concluded that it is being locked on java side.

    I switched on audit logs in SM19, but I don't think we could see there something useful, since it just shows

    SAPJSF localhost SAPMSSY1 Logon Failed (Reason = 53, Type = U)
    SAPJSF localhost SAPMSSY1 Successful RFC Call SYSTEM_RESET_RFC_SERVER (Function Group = SYSU)
    SAPJSF localhost SAPMSSY1 Successful RFC Call SUSR_GET_ADMIN_USER_LOGIN_INFO (Function Group = SUSO)
    SAPJSF localhost SAPMSSY1 Successful RFC Call SYSTEM_RESET_RFC_SERVER (Function Group = SYSU)
    SAPJSF localhost SAPMSSY1 Successful RFC Call SUSR_CHECK_LOGON_DATA (Function Group = SUSO)

    This information is almost similar to SM21. Maybe you could advice what options I should tick in order to get needed information?

    I see that there are no failed attempts prior to 190.160.90.83 in http log access on java side.

    Regards,

    Artem

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jul 19, 2017 at 08:01 AM

    Hello Artem,

    Did you get any solution for this issue?

    Even I am facing same issue in our environment.

    Regards,

    Saket

    Add comment
    10|10000 characters needed characters exceeded

    • Unfortunately, no, we don't have solution... And it seems very hard to identify the cause of the locking. I believe I checked all my connected system and I didn't find any problem. Looks like we have to ask our VAR or SAP.

      If you will find a solution, please post it here.