Hi All,
I have followed the following document. I have a problem updating the dataSourceConfiguration_abap.xml file, please help me.
Please help me update the dataSourceConfiguration_abap.xml file.
Configuring the UME when Using Non-ADS Data Sources
Use
Use this topic to modify the UME data source configuration for using non-ADS data stores with Kerberos authentication. When the UME is using a non-ADS data source, we recommend that you use the prefixbased user resolution mode.
Using Kerberos for Windows Integrated authentication with non-ADS data sources on the J2EE Engine can lead to security vulnerabilities due to inconsistency of user data. The reason is that the source of authentication, the Windows DC acting as a KDC, can use a user store that is different from the user repository of the J2EE engine. For example, Joe in the KDC and Joe in an ABAP user repository for the J2EE Engine may not be the same physical person, and there may not even be a Joe in the ABAP system. Therefore, we recommend that you regularly synchronize the user information in the two user stores, or use a single user data store.
Prerequisites
For this scenario, the UME uses the user account ID of the authenticated user to search for the user in the UME data source. Therefore, the attribute mapped to the user account ID must be unique for each of the users in the UME data source.
Procedure
1. Modify the value of the SPNegoLoginModule property com.sap.spnego.uid.resolution.mode to use prefixbased user resolution mode. For more information, see Managing Login Modules and SPNegoLoginModule Configuration Options.
2. Customize the UME data source configuration xml file. For more information, see Customizing UME Data Source Configuration.
a. Define the attribute kpnprefix in the responsibleFor section of the UME data source configuration file.
b. Map the attribute kpnprefix to the physical attribute in the UME data source that corresponds to the user account ID.
When using Sun JDK, you have to map the krb5principalname to the physical attribute user principal name. This is necessary for the acquisition of the J2EE Engine service user credentials.
3. Add an additional user profile attribute krb5principalname to the UME property ume.admin.addattrs. For more information about adding user attributes, see UME Reference → Administration.
4. Create a J2EE Engine service user in the UME data source. For more information, see Creating and Removing Users.
a. For the krb5principalname attribute of the J2EE Engine service user choose a value matching the KPN used on the KDC, for example host/hades.customer.de@IT.CUSTOMER.DE. For more information, see User Management Administration Console → User Profile.
b. Enable the No password change required option for the J2EE Engine service user. For more information, see Viewing User Information.
Example
Defining a UME attribute:
The uid attribute in the attribute mapping above is specific to this example. In many directory servers, for example Sun ONE LDAP server, the uid attribute is used as logonid and can be used to uniquely identify a user.
Regards
Radha
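
The uniqueness prerequisite and the synchronization recommendation in the quoted documentation can be checked with a small model like the one below. This is an added Python example, not part of the original post and not SAP's code. It assumes that prefix-based resolution takes the part of the Kerberos principal name before the `@` and looks it up in the attribute mapped to `kpnprefix`; the function names and the user records are constructed for illustration.

```python
# Added illustration: a simplified model of prefix-based user resolution.
# Not SAP's implementation; all account data below is constructed.

class ResolutionError(Exception):
    """A Kerberos principal could not be mapped to exactly one user."""


def kpn_prefix(kpn):
    """Return the part of a Kerberos principal name before the realm."""
    prefix, sep, realm = kpn.rpartition("@")
    if not sep or not prefix or not realm:
        raise ResolutionError(f"malformed principal name: {kpn!r}")
    return prefix


def resolve_user(kpn, users, attr="kpnprefix"):
    """Map an authenticated KPN to exactly one user record, or fail closed."""
    prefix = kpn_prefix(kpn)
    # Exact match on the mapped attribute (assumption: no case folding).
    matches = [u for u in users if u.get(attr) == prefix]
    if len(matches) != 1:
        raise ResolutionError(f"{len(matches)} users match prefix {prefix!r}")
    return matches[0]


def audit(kdc_principals, users, attr="kpnprefix"):
    """List KDC principals that resolve to no user or to more than one."""
    findings = {}
    for kpn in kdc_principals:
        try:
            resolve_user(kpn, users, attr)
        except ResolutionError as exc:
            findings[kpn] = str(exc)
    return findings


# Constructed sample data: "ann" is duplicated, "bob" exists only in the KDC.
USERS = [
    {"uid": "joe", "kpnprefix": "joe"},
    {"uid": "ann", "kpnprefix": "ann"},
    {"uid": "ann2", "kpnprefix": "ann"},
]
KDC = ["joe@IT.CUSTOMER.DE", "ann@IT.CUSTOMER.DE", "bob@IT.CUSTOMER.DE"]

if __name__ == "__main__":
    print(resolve_user("joe@IT.CUSTOMER.DE", USERS)["uid"])
    for kpn, reason in audit(KDC, USERS).items():
        print(kpn, "->", reason)
```

Running `audit` over an export of KDC principals and user store records before enabling the login module shows which accounts violate the uniqueness prerequisite or are missing from one of the two stores.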