
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BA - boc.sap.com | UAC - uac.sap.com

© 2012 SAP AG 1

How to Change the UME of a J2EE Engine and SAP Supported Changes

Applies to:

SAP NetWeaver Web AS Java 640, 700, 7.1 and 7.3. For more information, visit the Java homepage.

Summary

The aim of this article is to show how to change the UME (User Management Engine) of a J2EE engine from the local DB to an ABAP server or an SAP-certified LDAP solution. The article depicts this change for SAP versions 640, 700, 7.1, 7.2 and 7.3.

Author: Hemanth Kumar

Company: SAP

Created on: 19 January 2012

Author Bio

Hemanth is a senior SAP NetWeaver consultant working with the SAP Active Global Support organization.


Table of Contents

Introduction

Options during Sapinst Installation

UME Change in Dual Stack (Add-In) Servers

R/3 Client Change in Case of UME ABAP

UME Change from ABAP to LDAP

UME Change from ABAP to Local DB in Case of Standalone J2EE

Supported UME Changes: Local DB to LDAP

Supported UME Changes: Local DB to ABAP Server

  SAP release 640 and 700

  SAP release 7.3

Important Notes

Related Content

Copyright


Introduction

The User Management Engine (UME) provides centralized user management for all Java applications and can be configured to work with user management data from multiple data sources. It is seamlessly integrated in the J2EE Engine of SAP Web Application Server Java (SAP Web AS Java) as its default user store and can be administered using the administration tools of SAP Web AS Java. The UME runs as a service in the J2EE Engine of the SAP Web AS Java and is set up as the default user store of the J2EE Engine. By default, when a Java server is installed, the UME is set to the local DB. However, depending on future needs and business requirements, this can be changed to use an R/3 server or an SAP-certified LDAP server.

Options during Sapinst Installation

During the installation of a J2EE server using the SAPINST application, there is an option to specify whether the UME should be configured to point to an ABAP server rather than the default J2EE local database.

In such cases, if the R/3 server is the UME data source, the data source configuration file used will be “dataSourceConfiguration_abap.xml” instead of the default “dataSourceConfiguration_database_only.xml”, which is for the local DB. It is very important to note that once this configuration file has been chosen during installation, reverting to the old configuration is officially not supported. SAP Note 718383 specifies all the changes that are supported.

UME Change in Dual Stack (Add-In) Servers

Note clearly that, due to database architecture constraints and configuration restrictions for dual stack servers, the J2EE server in an Add-In installation cannot use any data source other than the ABAP stack. The reason is the basic underlying architecture of the dual stack server, and this cannot be changed. SAP plans to slowly phase out dual stack servers in future releases, and no further enhancements are being made to the present architecture with respect to UME changes. Customers wishing to change the UME from ABAP to, say, local DB or LDAP in dual stack servers will need to either install a separate Java server, clone it from a system which already has that UME configuration, or keep using the ABAP data source; there is no other option in the present architecture.


Also, as per present SAP standards, in case of an Add-In installation a UME change from the local ABAP server to a remote ABAP server is not supported either.

R/3 Client Change in Case of UME ABAP

You can change the client details of the present R/3 server, but you cannot change the UME data source server altogether. Switching the client configuration has an impact on the existing persisted data. For example, role assignments, ACLs and other applications use the UME “uniqueID” for persistence. Switching the user base means that either users no longer exist (so their uniqueIDs are invalid), or users with the same LOGONID exist in different clients, in which case these users have the same uniqueID as the users in the old client if you do not take special steps in your configuration.

UME Change from ABAP to LDAP

It is possible to change the data source from ABAP to an SAP-certified LDAP, but as SAP Note 718383 states, it is not supported, because all role assignments etc. will be lost with this change (this is unavoidable). Unfortunately, this can affect the present working of the J2EE engine, and the whole UME will need to be revamped. If the SAP server in question has just been installed with an ABAP backend and no content is present yet, the switch to an LDAP UME is relatively easy: only the users J2EE_GUEST and J2EE_ADMIN and the connection data for the ABAP system must be present. However, if the system has been running for a while and data and configurations have accumulated over time, the change will leave a lot of inconsistent data and can cause many issues.

UME Change from ABAP to Local DB in Case of Standalone J2EE

Such a change is not supported for the same reasons mentioned earlier. SAP has not tested any scenario where such a change has been made and cannot guarantee that the system will operate 100% correctly after changing the data source; it is not officially supported.

Supported UME Changes: Local DB to LDAP

This change from the local DB to an SAP-certified LDAP can be done with a plug-in that has been available in the SAP J2EE Configtool since release 6.40. This tool can be used to set up the UME to use a directory server, and almost all configuration possibilities are available in this UI.

There is an additional advantage: this UI gives you the possibility to perform an authentication check and a connection test. No such check is available when the UME is connected to an ABAP server. Do note that the checks are disabled if SSL is used, as the tool has no access to the keystore service of the engine that contains the certificate needed to establish the connection. When HTTP is employed, the test works fine.

1) Navigate to Configtool -> UME LDAP data.


2) Make sure that the directory server details and the additional LDAP properties are configured as needed. There is an option to choose the configuration file; the UI shows only the names of the files stored in the database whose file name starts with "dataSourceConfiguration_". However, there is also an option to upload a new file by clicking on “browse” and selecting the file you wish to upload. Do note that a file uploaded manually in this way is stored in the database from then on.

After that you have the possibility to configure the server name, server port, user and password. You can select whether a unique attribute should be used to build the UME unique ID for user and account objects. And finally you can choose the base paths where all users and groups are located in the directory server.

Some of the configuration possibilities are disabled because they are defined in the data source configuration file. As this UI can only update properties and not the XML file, all properties that are defined in the XML file are disabled and cannot be changed in this UI.

The location of the data source configuration files can be seen by navigating to Configtool -> switch to the configuration editor mode -> configuration -> cluster_data -> server -> persistent -> com.sap.security.core.ume.service.


Make sure that the new data source file being uploaded conforms to SAP standards. The officially supported list of files is available in SAP Note 983808: Certified LDAP servers.

Alternate Options

It is also possible to use a custom LDAP data source file. This option is particularly useful when the existing LDAP data source files are not sufficient for the customer configuration or additional features are needed. In such cases, download an existing data source configuration file, amend it and then upload it to the UME persistence.

1) Open Configtool -> switch to the configuration editor mode -> configuration -> cluster_data -> server -> persistent -> com.sap.security.core.ume.service and download an existing file (one which closely resembles the desired LDAP configuration).

In the example below, the desired file is an amended copy of the existing Novell LDAP configuration.


2) Open the file and download it.


3) Now make the desired changes to the file, rename it and load it into the UME persistence. In this case, the file has been renamed to NEW_dataSourceConfiguration_novell_deep_not_readonly_db.xml and loaded via the Configtool.

4) Click on the file entry and then upload the file.


In a nutshell, two options are available:

- Import the file: select the Upload tab, then give the path to your file.
- Copy/paste: copy the text into the CREATE window.

If you choose the UPLOAD option, press Upload, then CREATE -> CLOSE WINDOW. If you choose COPY/PASTE, press the CREATE button and then CLOSE WINDOW. Now the new data source configuration file should be visible.

5) Now navigate to Configtool -> switch to the configuration editor mode -> configuration -> cluster_data -> server -> cfg -> services -> Propertysheet com.sap.security.core.ume.service and make sure that “ume.persistence.data_source_configuration” has been changed to reflect the new data source file.

A complete cluster restart is needed after this change.

6) Due to various business standards, you may not wish to specify confidential data such as LDAP access passwords and ports in the data source configuration file (the file has entries where such data can be added). The data source configuration file can be downloaded from the http://<server>:<port>/useradmin page, or by any user who has access to the OS file system, so anything typed into it is exposed to those users. In such cases, for added security, you can maintain such values in the Configtool settings instead, so that they stay hidden and are not specified in the data source file. The available ume.ldap* properties can be used for this. For example, ume.ldap.access.additional_password can be used to specify the password for accessing the Novell LDAP from the J2EE engine (for user master data modifications).
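The exposure described in step 6, as an added example that is not part of the article: a check that flags credential-like values typed into an LDAP data source configuration file, and a merge that shows the same values being taken from Configtool properties once the file entries are left empty. The XML is a constructed sample in the layout of the dataSourceConfiguration_*.xml files (a privateSection holding ume.ldap.access.* elements); that layout and every element name other than ume.ldap.access.additional_password are assumptions of the example.

```python
# Added example (not from the SAP article): flag credentials typed into a UME
# LDAP data source configuration file, and show the same values supplied via
# Configtool properties instead. The XML is a constructed sample in the layout
# of the dataSourceConfiguration_*.xml files (a <privateSection> holding
# ume.ldap.access.* elements); that layout and every element name except
# ume.ldap.access.additional_password, which the article names, are assumptions.
import xml.etree.ElementTree as ET

# Constructed sample: connection secrets typed straight into the file.
FILE_WITH_SECRETS = """<dataSources>
  <dataSource id="CORP_LDAP"
              className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
              isReadonly="false" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_name>ldap.example.corp</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>636</ume.ldap.access.server_port>
      <ume.ldap.access.user>cn=umeadmin,o=example</ume.ldap.access.user>
      <ume.ldap.access.password>S3cretInFile</ume.ldap.access.password>
      <ume.ldap.access.additional_password>S3cretInFile2</ume.ldap.access.additional_password>
    </privateSection>
  </dataSource>
</dataSources>
"""

# Hardened form: the secret-bearing elements are left empty, so the values must
# come from the ume.ldap.* properties maintained in the Configtool.
FILE_WITHOUT_SECRETS = FILE_WITH_SECRETS.replace("S3cretInFile2", "").replace("S3cretInFile", "")

# Constructed property sheet values as set in the Configtool.
CONFIGTOOL_PROPERTIES = {
    "ume.ldap.access.password": "FromPropertySheet",
    "ume.ldap.access.additional_password": "FromPropertySheet2",
}

SECRET_MARKERS = ("password", "passwd", "secret")


def private_section(xml_text: str) -> dict:
    """Return {element name: text} for every element inside <privateSection>."""
    values = {}
    for section in ET.fromstring(xml_text).iter("privateSection"):
        for elem in section:
            values[elem.tag] = (elem.text or "").strip()
    return values


def is_secret_name(name: str) -> bool:
    """Heuristic: the element name hints at a credential."""
    return any(marker in name.lower() for marker in SECRET_MARKERS)


def embedded_secrets(xml_text: str) -> list:
    """Credential-like elements that carry a value in the file itself; readable by
    anyone who can download the file from /useradmin or read it on the OS."""
    return sorted(n for n, v in private_section(xml_text).items() if v and is_secret_name(n))


def effective_config(xml_text: str, properties: dict) -> dict:
    """Merge file values with Configtool properties; a non-empty property wins.
    Assumption: a ume.ldap.* value is honoured the same way from either source."""
    merged = private_section(xml_text)
    merged.update({n: v for n, v in properties.items() if v})
    return merged


def missing_secrets(xml_text: str, properties: dict) -> list:
    """Credential-like keys that are empty in the file and not set as a property."""
    return sorted(n for n, v in effective_config(xml_text, properties).items()
                  if not v and is_secret_name(n))


if __name__ == "__main__":
    print("in file:      ", embedded_secrets(FILE_WITH_SECRETS))       # both passwords
    print("hardened file:", embedded_secrets(FILE_WITHOUT_SECRETS))    # []
    print("still unset:  ", missing_secrets(FILE_WITHOUT_SECRETS, {}))  # both passwords
    print("resolved:     ", missing_secrets(FILE_WITHOUT_SECRETS, CONFIGTOOL_PROPERTIES))  # []
```

Running embedded_secrets over a file downloaded from the configuration editor before uploading it back is a quick way to confirm that no password has crept into the XML.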


Supported UME Changes: Local DB to ABAP Server

SAP release 640 and 700

Log in to the Configtool -> switch to the configuration editor mode (click on edit mode) -> configuration -> cluster_data -> server -> cfg -> services -> Propertysheet com.sap.security.core.ume.service.

Make sure that the parameters below are set:

ume.persistence.data_source_configuration: dataSourceConfiguration_abap.xml

ume.login.guest_user.uniqueids: J2EE_GUEST

ume.r3.connection.master.client: <backend client to which the J2EE engine has to be connected>

ume.r3.connection.master.msghost: <message server host of the R/3 server>

ume.r3.connection.master.r3name: <SID of the R/3 server>

ume.r3.connection.master.user: SAPJSF (make sure that the role SAP_BC_JSF_COMMUNICATION is assigned to this user in the backend R/3 system, in the right client).

ume.r3.connection.master.passwd: <password of the SAPJSF user>

Make sure that the J2EE_GUEST user is present only in the ABAP server (not in the local DB) and has the role SAP_J2EE_GUEST assigned to it.

After this, restart the J2EE engine. More information is available at:

http://help.sap.com/saphelp_nw04/helpdata/en/84/10594aecd3e1408845e66c432b955e/frameset.htm
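The property list above turned into a pre-restart check, added here as an example that is not from the article. The required names and fixed values are the ones the article lists for release 640 and 700; the detection of untouched <...> placeholders and the format rules for the client (three digits) and the SID (three characters) are assumptions of the example, and the two property sheets are constructed samples.

```python
# Added example (not from the SAP article): a pre-restart check of the
# com.sap.security.core.ume.service property sheet for the local DB -> ABAP
# switch on release 640/700. The required names and fixed values are the ones
# the article lists; the placeholder detection and the format rules (three-digit
# client, three-character SID) are this example's own assumptions.
import re

REQUIRED = (
    "ume.persistence.data_source_configuration",
    "ume.login.guest_user.uniqueids",
    "ume.r3.connection.master.client",
    "ume.r3.connection.master.msghost",
    "ume.r3.connection.master.r3name",
    "ume.r3.connection.master.user",
    "ume.r3.connection.master.passwd",
)

# Values the article fixes outright.
EXPECTED = {
    "ume.persistence.data_source_configuration": "dataSourceConfiguration_abap.xml",
    "ume.login.guest_user.uniqueids": "J2EE_GUEST",
    "ume.r3.connection.master.user": "SAPJSF",
}

PLACEHOLDER = re.compile(r"^<.*>$")       # an untouched "<SID>"-style entry
CLIENT = re.compile(r"^\d{3}$")          # ABAP clients are three digits
SID = re.compile(r"^[A-Z][A-Z0-9]{2}$")   # SAP system IDs are three characters


def check_abap_switch(props: dict) -> list:
    """Return findings for the sheet; an empty list means it is ready for the restart."""
    values = {name: props.get(name, "").strip() for name in REQUIRED}
    findings = []
    for name, value in values.items():
        if not value:
            findings.append(f"{name}: missing or empty")
        elif PLACEHOLDER.match(value):
            findings.append(f"{name}: placeholder {value} was never replaced")
    reported = {f.split(":")[0] for f in findings}   # skip format checks on these
    for name, expected in EXPECTED.items():
        if name not in reported and values[name] != expected:
            findings.append(f"{name}: expected {expected}, found {values[name]}")
    client = "ume.r3.connection.master.client"
    if client not in reported and not CLIENT.match(values[client]):
        findings.append(f"{client}: {values[client]!r} is not a three-digit client")
    r3name = "ume.r3.connection.master.r3name"
    if r3name not in reported and not SID.match(values[r3name]):
        findings.append(f"{r3name}: {values[r3name]!r} is not a three-character SID")
    return findings


# Constructed sample: the sheet as the article wants it, for a fictional system PRD.
READY_SHEET = {
    "ume.persistence.data_source_configuration": "dataSourceConfiguration_abap.xml",
    "ume.login.guest_user.uniqueids": "J2EE_GUEST",
    "ume.r3.connection.master.client": "100",
    "ume.r3.connection.master.msghost": "prdci.example.corp",
    "ume.r3.connection.master.r3name": "PRD",
    "ume.r3.connection.master.user": "SAPJSF",
    "ume.r3.connection.master.passwd": "constructed-sample-password",
}

# Constructed sample: a half-finished edit that still points at the local DB
# file, keeps the <SID> placeholder, has a two-digit client and no password.
HALF_DONE_SHEET = {
    **READY_SHEET,
    "ume.persistence.data_source_configuration": "dataSourceConfiguration_database_only.xml",
    "ume.r3.connection.master.client": "10",
    "ume.r3.connection.master.r3name": "<SID>",
    "ume.r3.connection.master.passwd": "",
}

if __name__ == "__main__":
    for finding in check_abap_switch(HALF_DONE_SHEET):
        print(finding)
    print("ready sheet findings:", check_abap_switch(READY_SHEET))   # []
```

Since the security service has a hard dependency on the UME service, a sheet that fails this check is one the engine will refuse to start with, so the check belongs before the restart rather than after it.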


SAP release 7.3

The procedure is different on 7.3 servers. Log in to the Configtool -> switch to the configuration editor mode (click on edit mode) -> configurations -> destinations -> RFC -> Propertysheet <Destination Name> and add the details of the backend server. When you need to change data, change only the JCo properties and never change the properties that are internal data of the destination service.

It is also possible to change the data from the SAP NetWeaver Administrator. Navigate to http://<server>:<port>/nwa -> Configuration Management -> Security -> Destinations -> UMEBackendConnection RFC destination, "Connection and Transport" tab, and set the values there. Hence, if a change of the properties is needed, you can use the online tool /nwa. Offline, however, it can only be done via the Configtool.

Important Notes

1) Editing the properties offline prevents user management data from becoming inconsistent in a running system because of changes made to UME properties with the Configtool. In most cases you can use the user management configuration (online) to edit properties. Only use the Configtool if you cannot use an online tool. This procedure requires you to stop the SAP NetWeaver Application Server (AS) Java. Make sure that you plan for the required downtime while the AS Java restarts.

2) The Security Provider service is one of the core services, and if its startup fails, the whole engine fails to start as well. At startup it depends on several other components, the most important of which are the UME service (com.sap.security.core.ume.service) and the Userstore service. The references to them are hard references, so if any of them fails to start or is not available, the security service itself fails as well.

3) If you are using the Central User Administration (CUA), see the link below: http://help.sap.com/saphelp_nw04/helpdata/en/49/9dd53f779c4e21e10000000a1550b0/content.htm

4) If you change to "dataSourceConfiguration_abap.xml" using the methods mentioned above, see SAP Note 843061 for the changes to the “Administrator” user.


Related Content

SAP Web AS ABAP User Management as Data Source

SAP ABAP-Based System as Data Source

SSO2 ticket generation and ticket evaluation in Java

Certified LDAP servers

NetWeaver: Supported UME Data Sources and Change Options

For more information, visit the Java homepage.


Copyright

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Oracle Corporation.

JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.