SAP IdM 8.0 SP05 - Password Hook Configuration

skarsten · ‎11-07-2017

Dear Community,

is there anybody who has already configured Password Hook succesfully for IdM 8?

we did the installation and configuration according to the SAP Guide, but it doesn't work properly.

We used it also for SAP IdM 7.2 but there are some changes in SAP IdM 8.0.

Unfortunately there is no detailed documentation than the online help from SAP which is a little short.

On the Domain Controller it looks like something is happening and in the log files there are entries, but on the "IdM / NetWeaver" - Machine it looks like nothing reaches.

Please find attached the log-file if it helps

Kind regards

Sergius

bcappez-2 · ‎07-02-2018

For the community.

Hello,

In IDM 8, the password Hook is completly different from 7.x version.

The PH from DC server will communicate directly to an webUI using a 'technical' user and a specific UI. All with SSO and https.

[edit] You need IDM 8 SP5 SL4 or later

Set-Up the technical user in IDM

Install and set-up PH on the DC (using the Keys.ini file from IDM and the GUID of the PH Web UI)

Set-up the SSO by launching the configuration .bat (you may have to hard set in the PS script the location of the file to be generated).

You also have to install and deploy the AD CS service on a server that is not a DC. You can set it up as offline (no need to add IIS). The goal is to have a Root CA. Beware of the options of the root certificate, it must not try to access an URL to control the ACL.

Once done, you can generate IDM and DC certificate requests and certify them with your Root CA certificate.

Last step is to add root and DC certificate to NW pse file, then add IDM and root CA certificates to each DC on which PH will run.

Now test.

So. It's not an out-of-the box process, there is some tricky parts depending on your security options, OS version and so on...

[edit] Hope this helps some of you.

Benoît

Ckumar · ‎11-07-2017

Hello Sergius,

Could you please share that at which steps you are getting the above error.

Regards,

C Kumar

skarsten · ‎11-07-2017

Sorry, here the content of the log:

[ Tue Nov 07 08:57:56 2017 ] Init ===================================
[ Tue Nov 07 08:57:56 2017 ] Valid config= '1'
Log level = '3'
FilterProg = 'C:\usr\sap\IdM\Identity Center\newpass.bat'
Arguments = '%1 %2'
NotifyProg = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Arguments = '-file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "%1" -pass "%2"'
LogFile = 'C:\usr\sap\IdM\Identity Center\log.txt'
maxLogSize = '128'
Working Dir = 'C:\usr\sap\IdM\Identity Center'
Priority = '1'
Notify Wait = '3000'
Filter Wait = '3000'
Environment = ''
UTF-8 = '1'
Keys.ini = 'C:\usr\sap\IdM\Identity Center\KEY\Keys.ini'

[ Tue Nov 07 08:57:56 2017 ] End Init ===================================

[ Tue Nov 07 09:01:41 2017 ] Init ===================================
[ Tue Nov 07 09:01:41 2017 ] Valid config= '1'
Log level = '3'
FilterProg = 'C:\usr\sap\IdM\Identity Center\newpass.bat'
Arguments = '%1 %2'
NotifyProg = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Arguments = '-file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "%1" -pass "%2"'
LogFile = 'C:\usr\sap\IdM\Identity Center\log.txt'
maxLogSize = '128'
Working Dir = 'C:\usr\sap\IdM\Identity Center'
Priority = '1'
Notify Wait = '3000'
Filter Wait = '3000'
Environment = ''
UTF-8 = '1'
Keys.ini = 'C:\usr\sap\IdM\Identity Center\KEY\Keys.ini'

[ Tue Nov 07 09:01:41 2017 ] End Init ===================================

[ Tue Nov 07 09:01:41 2017 ] "C:\usr\sap\IdM\Identity Center\newpass.bat" VGVzdHVz {DES3CBC}1:642a18cb9455bf7a-8786fe7e7742666024f75f3e177206b1
[ Tue Nov 07 09:01:41 2017 ] ===================================

[ Tue Nov 07 09:01:41 2017 ] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "VGVzdHVz" -pass "{DES3CBC}1:55d4cab87e6e9edd-8fce31875d36658332fffc9a5263a74a"
[ Tue Nov 07 09:01:44 2017 ] Wait timed out for the last process.
[ Tue Nov 07 09:01:44 2017 ] ===================================

[ Tue Nov 07 09:02:22 2017 ] Init ===================================
[ Tue Nov 07 09:02:22 2017 ] Valid config= '1'
Log level = '3'
FilterProg = 'C:\usr\sap\IdM\Identity Center\newpass.bat'
Arguments = '%1 %2'
NotifyProg = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Arguments = '-file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "%1" -pass "%2"'
LogFile = 'C:\usr\sap\IdM\Identity Center\log.txt'
maxLogSize = '128'
Working Dir = 'C:\usr\sap\IdM\Identity Center'
Priority = '1'
Notify Wait = '3000'
Filter Wait = '3000'
Environment = ''
UTF-8 = '1'
Keys.ini = 'C:\usr\sap\IdM\Identity Center\KEY\Keys.ini'

[ Tue Nov 07 09:02:22 2017 ] End Init ===================================

[ Tue Nov 07 09:02:22 2017 ] "C:\usr\sap\IdM\Identity Center\newpass.bat" VGVzdHVz {DES3CBC}1:76b4fabf746ed2f3-988cc65673fd209f523cd01540926645
[ Tue Nov 07 09:02:22 2017 ] ===================================

[ Tue Nov 07 09:02:22 2017 ] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "VGVzdHVz" -pass "{DES3CBC}1:48a8c83d11072d2a-0f753d3a4ea877bccd5106362554d1cf"
[ Tue Nov 07 09:02:22 2017 ] ===================================

[ Tue Nov 07 09:03:44 2017 ] Init ===================================
[ Tue Nov 07 09:03:44 2017 ] Valid config= '1'
Log level = '3'
FilterProg = 'C:\usr\sap\IdM\Identity Center\newpass.bat'
Arguments = '%1 %2'
NotifyProg = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Arguments = '-file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "%1" -pass "%2"'
LogFile = 'C:\usr\sap\IdM\Identity Center\log.txt'
maxLogSize = '128'
Working Dir = 'C:\usr\sap\IdM\Identity Center'
Priority = '1'
Notify Wait = '3000'
Filter Wait = '3000'
Environment = ''
UTF-8 = '1'
Keys.ini = 'C:\usr\sap\IdM\Identity Center\KEY\Keys.ini'

[ Tue Nov 07 09:03:44 2017 ] End Init ===================================

[ Tue Nov 07 09:03:44 2017 ] "C:\usr\sap\IdM\Identity Center\newpass.bat" VGVzdHVz {DES3CBC}1:bcec27800b444ec6-cc93157980df129e930e835e8fa65590
[ Tue Nov 07 09:03:44 2017 ] ===================================

[ Tue Nov 07 09:03:44 2017 ] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "VGVzdHVz" -pass "{DES3CBC}1:e12222f24c5ff1c2-a8fdd7063c583695e6ff6248f07ab6eb"
[ Tue Nov 07 09:03:45 2017 ] ===================================

[ Tue Nov 07 09:12:53 2017 ] Init ===================================
[ Tue Nov 07 09:12:53 2017 ] Valid config= '1'
Log level = '3'
FilterProg = 'C:\usr\sap\IdM\Identity Center\newpass.bat'
Arguments = '%1 %2'
NotifyProg = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Arguments = '-file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "%1" -pass "%2"'
LogFile = 'C:\usr\sap\IdM\Identity Center\log.txt'
maxLogSize = '128'
Working Dir = 'C:\usr\sap\IdM\Identity Center'
Priority = '1'
Notify Wait = '3000'
Filter Wait = '3000'
Environment = ''
UTF-8 = '1'
Keys.ini = 'C:\usr\sap\IdM\Identity Center\KEY\Keys.ini'

[ Tue Nov 07 09:12:53 2017 ] End Init ===================================

[ Tue Nov 07 09:12:53 2017 ] "C:\usr\sap\IdM\Identity Center\newpass.bat" VGVzdHVz {DES3CBC}1:c5ee2b9f22abc6f2-b3bc5bfaa7e7686716f29be9410ea00c
[ Tue Nov 07 09:12:53 2017 ] ===================================

[ Tue Nov 07 09:12:53 2017 ] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file "C:\usr\sap\idm\Identity Center\Send-Password.ps1" -user "VGVzdHVz" -pass "{DES3CBC}1:32a684771da0c597-9eb43634f08e38bb752bd0833f8f5091"
[ Tue Nov 07 09:12:54 2017 ] ===================================

SAP IdM 8.0 SP05 - Password Hook Configuration

Accepted Solutions (0)

Answers (3)

Answers (3)

Re: ABAP2XLSX in an old Abap version

Re: CF Deployment Error: Error getting tenant t0

Re: Scheduled Report shows successful status; but ...

Re: Post payload to CPI iFlow from UI5 - Internal ...

Re: ABAP2XLSX in an old Abap version