Portal UME in ABAP asking user mapping???

Similar Messages

• Portal Runtime Error while performing User Mapping  to SAP SRM

  Please find below the error I received while User Mapping from  Enterprise Portal to SAP SRM :
  Portal Runtime Error
  An exception occurred while processing a request for :
  iView : pcd:portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_mapping/com.sap.portal.userMappingAdmin/com.sap.portal.userMappingAdmin
  Component Name : com.sap.portal.usermanagement.admin.UserMappingAdmin
  User Mapping not fully available..
  Exception id: 04:21_23/06/05_0073_8097650
  See the details for the exception ID in the log file

  Hi,
  yes, Karsten is correct. Just some background:
  "User Mapping not fully available.." finally means that user mapping is configured to use strong encryption, but the main crypto key for user mapping is missing. Usually, that's because "SAP Java Cryptographic Toolkit" and/or "JCE policy files for unlimited strength encryption" are not installed (or the server hasn't be restarted afterwards). The note will most likely help
  Best regards
  Heiko

• Updating J2EE engine (Portals UME) via ABAP/Java

  I need to update the 'Identity management' details of the Portals UME using SPML. I believe this will need to be done using Java in some way. I was wondering whether anyone has ever achieved this via ABAP->Java->UME?.
  If so, I would be pleased if anyone could supply sample code (ABAP), or perhaps let me know how you achived the same goal.
  Regards
  Gary

  Have a look at:
  Using the ABAP stack to perform Java stack UME group activities
  Paul

• File System Repository - User Mapping not Working

  Hi,
  I tried to integrate a file system into KM. For doing so, I followed the guide located at [http://help.sap.com/saphelp_nw04/helpdata/en/ed/b334ea02a2704388d1d2fc3e4298ad/frameset.htm|http://help.sap.com/saphelp_nw04/helpdata/en/ed/b334ea02a2704388d1d2fc3e4298ad/frameset.htm].
  The only problem is, tht the user mapping doesn't seem to work...
  The portal is running on a UNIX system, whereas the file share to be integrated is running on a Windows 2003 Server.
  Here are the single steps that I performed:
  -  Creation of a KM Windows System in the system landscape directory with the ID "MySystem". User Mapping is set to "User,Admin"
  -  Creation of a Windows System in the system landscpe of the KM with the ID "MySystem"
  - Creation of a Network Path in KM with following settings:
  jCIFS Protocol is activated; Network Path = "
  My Server\My Share"; User = "My Windows Domain\My User" and the according password. The specified user has administration permissions on the server.
  - Creation of a readonly File System Repository Manager with following settings:
  Root-Directory = "
  My Server\My Share", SecurityManager = W2kSecurityManager, ACL Manager Cache = ca_rsrc_acl, Windows Landscape System = "MySystem"
  - Configuration of the W2KSecurityManager: I specified the DomainFile-setting as "/etc/companydomaincontrollers.txt"
    and placed such a file in the KM with following setting: "My.Server.Domain=According IP Adress"
  - In UME I carried out user mapping for index_service user and placed the above mentioned admin user into the user mapping.
  Result: The indexing works fine, all fles are indexed. When I however try to carry out a user mapping for a "normal" portal user in the UME it doesn't work: The portal user has no access to the file system. (I used the same admin user for mapping... so it should work).
  Any help is appreciated...
  P.S. With portal super admin users I can however access the fle system repository, even without user mapping. But I think this is ok, because I read in one forum message that admin users have always access in general....

  >
  Frank Friedrich wrote:
  > Hi Clemens,
  >
  > so the good think is that indexing is working and you can navigate with your admin portal user through the file system repository. In this case the most configuration settings must be correct.
  >
  > I am not quite sure regarding your System objects with the ID "MySystem". Do you have as well define an Alias Name for this System Object with the same name "MySystem" ? As well upper and lower letters are important.
  >
  > Because the reference is all the time the Alias name and not the ID or Name of your System object.
  >
  > Best regards
  > Frank
  Hi Frank,
  thanks for your reply.
  I have as well definied an Alias Name with exactly the same id. So this gives us following:
  System landscape directory: KM Windows System with id="MySystem" and Alias="MySystem"
  KM System Landscape: Windows System with id="MySystem"
  In the created file system repository manager I also set "MySystem" for the Windows Landscape System parameter.
  So I think that this should be correct (I also considered upper- and lowercase letters).
  Maybe the probem lies in specifying the domain names? When I applied user mapping I always additionally specified the Windows domain name of the users, which is correct I think.
  In the security manager configuration for the domain controllers (-> [http://help.sap.com/saphelp_nw04s/helpdata/en/a9/c54e9e09448d46b73d154e93d5e995/content.htm]) I however mapped the network domain of the file share server to the according IP adress. Maybe this is wrong?

• User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

  I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
  I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
  Situation:
  We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
  and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
  Now if you want to integrate a JAVA (J2EE) Sytem and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
  1.) It is possible to assign manually the user public key to every user --> But to much effort
  2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
  3.) In the distinguished name of the user certificate there is no information about the SAP username itself
      --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
  Now my question:
  Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
  As i know, it is possible to write an own Login Module. Does anybody has a customized Login module for this issue?
  At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

  We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user  to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
  This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
  I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
  Thanks,
  Tim

• Custom user attribute from ABAP to Portal UME

  Hi All,
  We have choose the ABAP as the data source for portal UME. We have a custom user attribute in the abap. Now i want to bring that custom user attribute from abap to custom user attribute in the UME.
  Any help will be rewarded.
  Thanks
  Sarang.

  Any resolution to this issue?

• Unable to created users through UME on portal with AS ABAP as its data sorc

  Hi,
  Unable to created users through UME on portal with AS ABAP as its data source.
  I have assigned SAP_BC_JSF_COMMUNICATION to the user SAPJSF but this only helps in editing the already existing users but not in creating new users on portal.
  I have checked that that the role SAP_BC_JSF_COMMUNICATION is properly generated and has *  in all authorizations. I have even assigned SAP_ALL and SAP_NEW to SAPJSF and another ID.
  DO we need to make any config changes to make the database writable from portal. Please advise.
  Thanks,

  Hi,
  If your system is a AS ABAP + +JAVA System,, you have to do the following
  1. Login to Client 001 using SAP GUI
  2. Create a user id
  3. Login to portal and you will be able to see the user.
  4.Assign him the portal rights
  If you want the portal to use seperate Database for USers, there is a setting in Visual admin, that you can change for the same, but i dont remember that

• Users mapping between EP and ABAP system

  Hello
  I'd like to ask for some guidance in my quest
  Current situation looks like this:
  I've configured UME in AS Java to work with LDAP as read only data source. Then I've configured SPNego to run SSO - It works, users from MS AD can log into portal.
  Now I have application in WD which authorizes via EP/AD - works fine.
  And next step is users mapping between AD and ABAP backend (serving some BAPI's for WD app)
  I've found a bunch of help pages starting from
  http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
  But somehow it's quite complicated to achieve this mapping. I've tried to set RFC destinations logon type to user mapping but without succes.
  Can anyone point me to some more clear example or give path to configure this scenario? Is there a way of configuring this with NWA or some XML file editing is required?
  Any help will be appreciated.
  BTW: whole environment is in version 7.11
  Best regards
  Maciej

  There is no equivalent to SPNEGO on the ABAP side.
  If your goal is to propagate the user, then possible options are:
  -> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.
  -> Use the same kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.
  -> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.
  Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.
  I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...
  Cheers,
  Julius

• SPNEGO in portal with abap data source + mapping on login & alias id

  Hello
  I successfully set up the new spnego autentification (with AD)  on our EP7 portal.
  Spnego module is configured with Mapping mod u201Cprincipal onlyu201D with source  u201Clogin idu201D.
  SSO is working perfectly for all users with the same u2018sap loginu2019 as the AD login.  ( they can use portal to connect on all sap ECC6 server true iview without login& password )
  But for user with login name different between AD and SAP , this doesnu2019t work. They have to enter their sap login & password on the portal. So spnego is not working for them.
  Such user have different login name between AD et SAP because abap system limit user length to 12 caracters.   So I could not change abap username. 
  And I could not change their AD login name. ( too much impact).
  Exemple :
  p.nametoolong  = 13  character  on  AD but too long for abap
  p.name = 6 ok for abap but different from AD login name.
  So if I could not change login id I have to work on user mapping.
  The Portal UME use our abab CUA as datasource. So I could not set up user mapping inside the u201Cuser management u201C
  A solution could be that Spnego mapping use as source  the u201Calias idu201D and not the u201Clogin idu201D.
  So I have to set all the u201Calias idu201D. I can do a script for copying in su01 all u201Clogin idu201D to u201Calias idu201D and then edit the u201Calias idu201D of user with a different AD login. ( by the way do you know a tx for that ? )
  But this is a little dirtyu2026 is there a simple way to do that ?
  it would be perfect if i could do mapping on user id or on alias id if it set. So that i should only manage the alias id user with a AD name different... is that possible ?
  thank you  !
  cdlt
  GSV
  Edited by: Patrick FABRIES on Oct 4, 2011 12:08 PM
  Edited by: Patrick FABRIES on Oct 4, 2011 12:11 PM

  Hi Patrick,
  Even if you perform this operation, the situation will worsen overtime.
  By the way, if you still want to do it, this is pretty simple: call 'BAPI_USER_CHANGE' with the username and pass:
  ALIAS = <new alias>
  ALIASX = 'X'
  Isn't there another attribute that you could use as a pivot: e-mail, maybe?
  Best regards,
  Guillaume

• SU01 or ABAP SYSTEM - User Language on Portal

  Dear All,
  I am working on Portal Framework - Masthead and Footer PCD files in JSP enivronment. Now, I have a requirement where I have to fetch the Language of User present in ABAP SYSTEM- SU01 transaction. Can anyone help me how to fetch this._ With some code or some way to tackle the condition?_
  Thanks,
  Roshan

  Hi Roshan,
  Check this thread - User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)
  Best Regards,
  Sen

• Portal User Mapping

  Hi,
  I have installed AS ABAP and AS JAVA on one host.
  I have installed EP along with AS JAVA.
  ecc6.0 with EP simply.
  no i have created a system alias in portal and done the connection parameters.
  during the connection test the user mapping is failed.
  I cannot create a user in portal also.
  my erp users are also not signing in .
  Let me know how to move further.
  Regards,
  Saravanan.S

  Hi Saravanan,
  Normally, if you installed ECC 6.0 with Java Stack together, Java Stack is connected to the Client 001. All the Users within this client must be able to logon to portal. If you want another Client to be used with portal, then you've to modify SAP Conneciton Parameters via Configtool > Global Server Configuration > Services > com.sap.security.core.ume.service and for parameters:
  ume.r3.connection.master.client
  ume.r3.connection.master.*
  parameters
  Usually a connector User created and named SAPJSF in client 001. Easiest way is to create those Portal Connector Users within the New client, or make a client copy with profile SAP_USER from 001 > <target_client>
  After you must be able to logon portal with users
  As PortalUID and SAPUID will be same, you must use SAP Logon Ticket to enable SSO between them. Also please check the profile parameters to enable SSO.
  for details please refer to
  http://help.sap.com/saphelp_nw04s/helpdata/en/1c/22afe3b26011d5993800508b6b8b11/frameset.htm
  regards

• EP + BW: Problems with user mapping in the portal

  Hi,
  I'm trying to connect the portal with the BW by using the report RSPOR_SETUP which is a step-by-step guide. The steps #1 - #11 seems to be ok but my problem is the 12th step, the user mapping/allocation maintenance in the portal.
  There is an error emerging (in BW): System failure during call of function module RSWR_RFC_SERVICE_TEST (System failure indicates normally an authentication problem between ABAP and Java)
  Another error is emerging by testing the connection in the portal. (System administration u2013 system configuration u2013 system landscape u2013 connection test: the first connection, the SAP Web-AS connection is ok but the second, connection test for connector, is not working.
  Especially the connection to the backend system with the defined connector is not working. The output is: u201CConnection failure. Check that single sign on is correct configured.
  On step 12 of the step-by-step guide I have to select a user in the portal, relate him to a system alias und maintain his technical username and password for the BW. I think here is the problem. Iu2019m able to select and save a system alias for the user, but Iu2019m not able to save his technical username and password. There is another error emerging (in the portal): u201CVerification of user mapping data for system SAP_BW failed, check credentials for errorsu201D, so Iu2019m not able to save the username and password.
  I think thats the my problem. the log file confirms that: "Did not find any existing logon data for principal...." & "No user mapping data available for principal...."
  I hope my problem description is understandable.
  Any ideas how I can solve the credentials problem to save the username and the password?
  Thanks in advance.
  Tan
  Edited by: Tan Yildiz on Jul 22, 2009 1:26 PM

  I could deploy some of the usage types, but there is an error regarding the BI-REPPLAN package. I think it's one of the very last errors that stands between me and a working EP - BI connection. There is a problem with the version. Could you check the log details, to find out more?
  Thank you.
  <!LOGHEADER[START]/>
  <!HELP[Manual modification of the header may cause parsing problem!]/>
  <!LOGGINGVERSION[1.5.3.7185 - 630]/>
  <!NAME[D:\usr\sap\BIP\JC02\SDM\program\log\sdmcl20090806164716.log]/>
  <!PATTERN[sdmcl20090806164716.log]/>
  <!FORMATTER[com.sap.tc.logging.TraceFormatter(%24d %s: %m)]/>
  <!ENCODING[UTF8]/>
  <!LOGHEADER[END]/>
  Aug 6, 2009 6:47:16 PM   Info: -
  Starting validation -
  Aug 6, 2009 6:47:16 PM   Info: Prerequisite error handling strategy: OnPrerequisiteErrorSkipDepending
  Aug 6, 2009 6:47:16 PM   Info: Update strategy: UpdateLowerOrChangedVersions
  Aug 6, 2009 6:47:16 PM   Info: Starting deployment prerequisites:
  Aug 6, 2009 6:47:18 PM   Info: Loading selected archives...
  Aug 6, 2009 6:47:18 PM   Info: Loading archive 'D:\usr\sap\BIP\JC02\SDM\program\temp\BIREPPLAN04_0-10005889.SCA'
  Aug 6, 2009 6:47:21 PM   Info: Selected archives successfully loaded.
  Aug 6, 2009 6:47:21 PM   Error: Unresolved dependencies found for the following SDAs:
  1.: development component 'bi/plan/helpers/table2'/'sap.com'/'MAIN_NW701P03_C'/'2846642'/'0'
  dependency:
         name:     'bi/alv/common'
       vendor:     'sap.com'
  There is no component either in SDM repository or in Deployment batch that resolves the dependency.
  dependency:
         name:     'bi/alv/ui'
       vendor:     'sap.com'
  There is no component either in SDM repository or in Deployment batch that resolves the dependency.
  Deployment will be aborted.
  Aug 6, 2009 6:47:21 PM   Error: No Software Component Archive (SCA) or Software Delivery Archive (SDA) selected. Select at least one.
  Deployment will be aborted.
  Aug 6, 2009 6:47:21 PM   Error: Prerequisites were aborted.
  Aug 6, 2009 6:47:22 PM   Error: Error while creating deployment actions. No Software Component Archive (SCA) or Software Delivery Archive (SDA) selected. Select at least one.
  Deployment will be aborted.
  Aug 6, 2009 6:47:23 PM   Info: -
  Ending validation -

• Exception in User Mapping (Remote iViews) in Federated Portal Network (FPN)

  Hi all,
  I am trying to implement Federated Portal Network. Content Usage mode as 'Remote Delta link' but getting runtime exception at Consumer Portal side while navigating through following path:
  Ideally it should display login page asking for user credentials to connect to remote producer portal
  Path at Consumer Portal side: Personalize -> User Mapping (Remote iViews) -> select remote producer portal alias from Remote Content Provider dropdown
  Consumer portal : EP1 SPS 12
  Producer portal: EP4 SPS 11
  Exception as below:
  The initial exception that caused the request to fail, was:
    com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.portal.portal_personalization/com.sap.portal.umeEnduserRemoteUserMappingWD/com.sap.portal.umeEnduserRemoteUserMappingWD)
  at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  Request you to kindly share your inputs.
  Thanks and Regards

  Hi all,
  I am trying to implement Federated Portal Network. Content Usage mode as 'Remote Delta link' but getting runtime exception at Consumer Portal side while navigating through following path:
  Ideally it should display login page asking for user credentials to connect to remote producer portal
  Path at Consumer Portal side: Personalize -> User Mapping (Remote iViews) -> select remote producer portal alias from Remote Content Provider dropdown
  Consumer portal : EP1 SPS 12
  Producer portal: EP4 SPS 11
  Exception as below:
  The initial exception that caused the request to fail, was:
    com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.portal.portal_personalization/com.sap.portal.umeEnduserRemoteUserMappingWD/com.sap.portal.umeEnduserRemoteUserMappingWD)
  at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
      at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  Request you to kindly share your inputs.
  Thanks and Regards

• Sync User Locks from LDAP(Microsoft AD) to Portal UME

  Hi All,
  Currently we have our Portal UME connected to LDAP (Microsoft AD) as our data source. I can bring up all Active Directory users in Portal, however the users that are locked and disabled in Active directory are still active in portal. To be more clear the expiration date of a userid in AD does not sync with Portal UME account expiration date. Is there a way to bring in the expiration value in to portal?
  Regards,
  Junaid

  Config tool may not have expiry date as mapping in Additional LDAP prop tab, you may need to look for configuration file where you can map the logical attribute to the LDAP.
  Licensing impact depends on your contract with SAP.
  However you can check portal users with USMM at the end of URL.
  E.g.
  remove 'irj/portal' from your initial portal link and add 'usmm'

• Portal Runtime Error - User Mapping

  Hi
  I installed EP6 SP9, KMC and TREX successfully. I logged into the portal and created a system to connect to R3 and also the system alias. When I tried to do the user mapping I get the following error:
  Portal Runtime Error
  An exception occurred while processing a request for :
  iView : pcd:portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_mapping/com.sap.portal.userMappingAdmin/com.sap.portal.userMappingAdmin
  Component Name : com.sap.portal.usermanagement.admin.UserMappingAdmin
  User Mapping not fully available..
  Exception id: 12:06_31/03/05_0003_3886350
  See the details for the exception ID in the log file
  Please help.
  Sriram

  This was also discussed several days ago in this forum - please search the forum before posting.
  Did you install the strong encryption libraries? Without those libraries then usermapping cannot be stored securly in the DB and thus you see the error - by default ume.usermapping.unsecure is set to false, for VERY GOOD REASON. If you allow unsecure usermapping the the user/pwd data is stored in BASE64 strings in the DB - this is hardly secure.
  Only set ume.usermapping.unsecure to true in non-productive environments.
  Nick