Topic
4 replies Latest Post - ‏2013-03-26T16:58:41Z by SystemAdmin
SystemAdmin
SystemAdmin
9855 Posts
ACCEPTED ANSWER

Pinned topic ITIM 51 - Unable to set "productive password" on SAP CRM (ABAP) system

‏2013-03-21T19:41:28Z |
Hello All,

Environment:

ITIM51
Version: 5.1.0.13
Build number: 201212050955
Maintenance level: FP0013

ITIM51 SAPNW Adapter: 5.1.11

SAP: non-CUA, CRM 7.0

I am able to provision SAP accounts, reconcile, change-passwords etc.

Problem: Upon changing password, I get the following WARNING in TIM audit-logs:

W: Password for user SAPTST1 changed, but not set as productive (41) (C:\IBM\TIM-SOL\xsl\sapnw_bapi_user_change.xsl) ; SapNWChangePassword

As per adapter install/config guide there are no steps necessary on TIM-side to enable "Password Management" extension if the target SAP env is non-CUA.

The transports that come with the adapter have been applied on the SAP side by basis-admins.

Let me know how we can set "productive password" from TIM such that SAP does NOT force password-change on the account-owner the first time he logs in.

Thanks!
Jatin
Updated on 2013-03-26T16:58:41Z at 2013-03-26T16:58:41Z by SystemAdmin
  • hydel
    hydel
    16 Posts
    ACCEPTED ANSWER

    Re: ITIM 51 - Unable to set "productive password" on SAP CRM (ABAP) system

    ‏2013-03-22T05:23:05Z  in response to SystemAdmin
    Hello Jatin,

    This is from adapters installation guide, have you done this?

    On the Service Form, configure advance mapping as follows:

    Non-CUA environment:
    - To set productive passwords on password change:
    Change Password XSL Stylesheets
    xsl/sapnw_tivsecty_bapi_user_sso_pwd.xsl

    - To set productive passwords on account creation:
    Add User XSL Stylesheets
    xsl/sapnw_bapi_user_create.xsl
    xsl/sapnw_bapi_user_change_licensedata.xsl
    xsl/sapnw_bapi_user_actgroups_assign.xsl
    xsl/sapnw_bapi_user_profiles_assign.xsl
    xsl/sapnw_tivsecty_bapi_user_sso_prop_pwd.xsl

    Regards,
    Jukka
    • SystemAdmin
      SystemAdmin
      9855 Posts
      ACCEPTED ANSWER

      Re: ITIM 51 - Unable to set "productive password" on SAP CRM (ABAP) system

      ‏2013-03-22T17:26:19Z  in response to hydel
      Thanks for the reply. Can you please attach the guide you have here?
      The guide (Adapter for SAP NetWeaver Installation
      and Configuration Guide) that I am referring to say the following:

      IBM® Tivoli® Identity Manager SAP NetWeaver Adapter 5.1.11

      <<
      The only advanced mapping required for the password extension is CHANGE
      PASSWORD ADVANCED MAPPING. The mapping is required for CUA
      deployments only. No mapping is required for standalone ABAP servers.
      >>

      Thanks,
      Jatin
      • hydel
        hydel
        16 Posts
        ACCEPTED ANSWER

        Re: ITIM 51 - Unable to set "productive password" on SAP CRM (ABAP) system

        ‏2013-03-22T18:41:48Z  in response to SystemAdmin
        Sorry, my mistake. I took that excerpt from a older version of the installation guide, apparently password management has been redesigned in newer versions.

        There is a new version 5.1.12 and yes, it says that mapping is not required in non-CUA environment but in release notes there is a new enhancement listed:

        Items included in 5.0.12/5.1.12 release
        INT75752 Support for productive password change over SNC. See "Productive Password Support" and "Known Limitation" sections for more detail.

        Limitations on support for SAP Productive Passwords
        1. SAP versions supported by the adapter require SNC to be enabled to set productive passwords.

        And also the following:

        Productive Password Support

        SAP recently introduced the support for productive password change over the standard BAPI. In order to allow the adapter to set productive passwords, the following prerequisites must be satisfied:
        · SAP AS ABAP uses SAP Cryptographic Library as its security provider for SNC.
        · SAP AS ABAP has been configured to use Secure Network Communication (SNC) for RFC communications.
        · SAP user account used by the adapter to communicate with SAP AS ABAP has the authorization for object S_USER_GRP with activity 'PP'.
        · The adapter is configured to use SNC for its communication with SAP AS ABAP. Please refer to "Securing the Adapter to SAP AS ABAP Communication" section for more detail.
        For more detail, please refer to SAP Note 1287410.

        Regards,
        Jukka
        • SystemAdmin
          SystemAdmin
          9855 Posts
          ACCEPTED ANSWER

          Re: ITIM 51 - Unable to set "productive password" on SAP CRM (ABAP) system

          ‏2013-03-26T16:58:41Z  in response to hydel
          Thanks Hydel. I have downloaded the .12 version of the adapter and awaiting SNC to be enabled on the SAP side.

          Regards,
          Jatin