Setting up of UME

Hi,
If the User Management Engine is set up correctly, that is, the connection test has passed in System Administration -> System Configuration -> UM Configuration -> SAP R/3 System, will I be able to search for the users in my back-end SAP R/3 System directly in EP, without creating the same users in EP?
If I create a new user in my backend SAP System, I should be able to log into EP with that user, without having to create the same user in EP, right? If it is not working, what could be wrong?
My backend is a SAP CRM System.

Hi Koah,
besides entering the connection data for the CRM system, did you also select the right datasource configuration file in the "Data Sources" tab of "UM Configuration" (i.e. one of the config files containing "SAP")?
Best regards
Heiko

Similar Messages

  • Setting a new UME datasource during system copy

    Hi experts,
    As a part of an SAP solution we are currently working on... the following two systems have been installed: SAP NTW AS ABAP 7.01 and SAP NTW AS JAVA 7.01
    At first the ABAP DB was set as the UME data source... however, according to new requirements, LDAP should be set as data source. I'm aware this is not possible. Apparently the only way to accomplish this is a complete reinstallation.
    My question is... Is it possible to perform a system copy instead of reinstalling the system? Does sapinst provide the chance to define a new UME data source during the system copy?
    Thanks in advance

    Hi,
    Unfortunately, the SAPInst in system copy would not give an option to change the UME.
    Regards,
    Srikishan

  • Accessing large data sets via UME

    NW 7
    What is the best way to access large user data sets via the UME?  Attribute mapping
    provides String[] for User Profiles but what is the best approach for larger user data sets?
    Say there is a list of user data exceeding 5 thousand records. What UME API/Approach is used to access this type of data.  I want to use UME API to access user data without being limited to 10 multi-valued String Array attributes? 
    Thanks


  • NetWeaver UME user database

    Hello Experts,
    For SAP Sourcing 7.0, in a scenario the Buy Side and Sell Side users need to be authenticated against the NW UME database. So while configuring the Directory settings the driver is set to NW UME (for both internal and external users). And attributes (NAME, F.NAME, L.NAME and EMAIL) are mapped with NW UME (users will be created/pushed to NW in SAP Sourcing and UME). Along with this the "bypass_error_block" property is set to "TRUE". When a new user is created in SAP Sourcing 7.0, the same user is created in the NW UME successfully.
    But while accessing to the URL few errors were noticed;
    1) For the first time, When tried to open buyside URL; SAP Netweaver log on page is displayed asking for the user credentials and when the user credentials are provided it takes to the SAP Sourcing page. BUT Is it that when we configure with NW UME, the users need to access through Netweaver log on page (or they will access the SAP Sourcing page)
    2) For the second time, When tried to access the system portal(fssystem) on the same explorer, the SAP Sourcing log on page is displayed. And system ID log in happened successfully.
    3) Now if the same buy side URL(fsbuyer) is opened on the same explorer then SAP Sourcing log on page is displayed (not the SAP NetWeaver) asking for user credentials and when user credentials are provided it throws an error "Entry Doesn't exist".
    (NOTE:- It was verified that the URL for point 1 and point 3 are one and the same)
    4) In order to get back to the NetWeaver log on page to access the SAP Sourcing system, we need to close all the explorers and reopen the buyside portal.
    Moreover, for the Enterprise login, one interesting property was found: when we try to log in for the first time it throws an error "Entry doesn't exist". But from the second time onwards it successfully allows login.
    Is there anyone who is facing a similar type of error? Or are there any other settings that need to be done for cluster and directory configuration?
    Your help would be really appreciated.
    Thanks
    Jagamohan

    This tool looks interesting, and might be useful to Rao, but it would need some improvements to make it secure. I suggest using a cryptographically secured session between the domain controller and the SAP system so that password changes can be sent to SAP, and then captured by an RFC function module, and written into the SAP user store. Since RFCs in SAP can be secured using SNC, and AD uses Kerberos, it would be good/easy to use Kerberos to secure the session between the DC and SAP ABAP when passing the password over the network. Then, the J2EE engine can be configured to use ABAP as the user store via UME. The end result is that Active Directory can be used to authenticate to SAP, and if AD is not available, or the wide area network is not available, the ABAP/UME password can be used locally.
    One issue worth considering is what happens when there is no network connection from the domain controller to the SAP system. The software would have to queue the request so that when the network connection is back, the password change is pushed to the SAP system, and then the two password stores will be in sync at all times. Without this queuing system there is a chance the passwords will get out of sync.
    Obviously, a lot of work to do in order to make this work, especially if you want it to work securely and reliably. However, it has some possibilities.
    Take care,
    Tim

  • Ume + LDAP ADS lock users

    I'm working with EP6 SP12 with UME connected to an LDAP Microsoft ADS in read-write mode.
    I have set the attribute "ume.logon.security_policy.lock_after_invalid_attempts=5" and when a user fails to login with wrong password 5 times it's locked.
    The issue is that a user is locked both in UME and in LDAP. Is that right? If yes, how can I unlock a user in UME and in LDAP too? When I unlock the user from UME it works fine from the UME side but it remains locked in LDAP. As a result this user is not able to log in to the portal.
    Thanks a lot in advance.
    Tiziano

    I came across the same issue with my setup.
    I authenticate off of database + MS ADS read only.  If a user locks themselves out, we have to unlock in portal and ADS.
    There is the option in the UME for read-write to ADS for users to be able to change passwords in the portal and have it replicate out to ADS.  If you went that way I would do SSL for LDAP and open port 626 on your firewall as well.
    We do not have employees using our portal as their only means of getting to the network, so I do not allow them to change passwords via the portal.  I am sure that it would be safe, but the thought of opening up something else on the firewall scares me.

  • Cannot create predefined ume properties

    Hello,
    we set up multiple ume properties, which can be maintained by the user himself in the user profile and everything works fine. The properties are shown in the user details and everybody was happy! But now we are forced to create ume properties with predefined values
    I thought: "No Prob! Set 'em up like other predefined properties..." So I got into "Global Services > Property Metadata > Properties" and filled into "allowed values"
    some content separated by comma, but the user profile still shows an input field and no dropdown box! Why? Is it not possible at all or did I just forget something...I checked everything twice!
    best regards
    Steffen

    Hi Steffen,
    that's a known problem and it is solved for NW2004 with SP16 Patch 2.
    Workaround for allowed values:
    If you use the "people" Property Renderer
    it will be possible to define allowed values via the
    logon id of the users (the unique id as GUID is not necessary).
    In addition to that you can decide if the user property is stored as
    logon id or as GUID (add "isEP60Principal" in the Additional Metadata,
    the default storage is logon id).
    Hope it helps.
    Best Regards
    Mathias

  • Configuring UME to create virtual group ....

    Hello Friends,
    I am configuring UME to create virtual groups in Portal. And I successfully did that.
    My question is, Can I create virtual groups for multiple user attributes?
    For e.g. Can I create virtual groups based on location as well as employeetype?
    So I would be seeing somewhat like this:
    Cadre based groups: Cadre_Staff, Cadre_Managers, Cadre_Executives, Cadre_Presidents
    Location based groups: location_India, location_USA, location_England
    Regards,
    Nilz

    Hi nilz,
    we can create Virtual groups; for that just follow below steps:
    1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
    Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
    2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
    3. Set below properties:
    ume.virtual_groups.names = Sales,Production,accounts          
    ume.virtual_groups.user_attribute = myAttribe (give any name)
    ume.virtual_groups.user_attribute.namespace = myNameSpace (give any name)
    4. Save and Restart the Engine.
    5. login to UME then search for Virtual Groups; you will get Sales,Products,Account groups.
    For further references just see this link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/43/40ad17fcae1bcde10000000a1553f7/frameset.htm
    Please Reward Points; if it is useful.
    Thanks
    Nagaraju

  • SSO to EP7 with Microsoft AD

    Hi All,
    We have implemented EP7 and have set the Portal UME to integrate with our Microsoft AD. We are now able to login to EP7 with a valid AD user and password.
    However, we would like to make it so that once our users log in to their workstation with a valid AD ID, password and domain, they are able to directly access the EP7 main page with the URL entered, i.e. the default portal logon page will not be shown.
    Appreciate your advice if you have a solution for this.
    Many thanks.
    Best Rgds,
    Leonard

    Hello Leonard,
    You could achieve this by windows based NTLM.
    Please check the below link
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/49ffe54b-0601-0010-ff9c-b7200de251e5?prtmode=navigate
    Regards
    Ajey

  • SSO: Portal - R/3

    Hi everybody,
    I'm trying to set up the SSO with Logon Tickets between the Portal and an ECC 5.0 System. I've done all the configuration steps on the portal and system side as read in literature and here on the forum. But when I try to test the conection to the system I'm getting: connection failed.
    Steps I've done:
    Portal
    - I created the system in the portal system landscape: even two systems. One SAP_R3_Dedicated and one SAP_R3_ConnectionString. This is because for remote access to the system I use a SAProuter and the system is running on a single server host. So I'm not sure which one should be taken. None of them works for now.
    - I created User Mapping for the System Aliases in User Administration
    System
    - I imported the verify.der through STRUSTSSO2 and made all the settings including adding to the ACL
    - I've set the profile parameters login/accept_sso2_ticket = 1 and  login/create_sso2_ticket = 1 through RZ10 and restarted the server
    - In RZ11 and SSO2 I checked the parameters and the SSO setting. The parameters were successfully changed and SSO is enabled for the issuer from the verify.der file.
    So where is the problem? Maybe some tips on where typical problems in situations like this are lying.
    My presumptions are:
    - the System and Client in the ACL List in RZ10. I'm not sure that I've made correct setting for this values when I added the certificate to the ACL. What values should be entered here?
    - the connection string for the "connection string system in the portal". How should the connection string look like? I've tried the one I'm using when connecting through the GUI to the system.
    - application host in the dedicated system in portal or some other settings of the connector
    Every tip or further information on this will be very appreciated!
    Regards,
    Mladen

    Hi Mladen
    There is a checklist for SSO in the portal wiki. I suggest you follow that as a first point. It covers things like using SM50 to look at errors in the backend.
    You shouldn't need to set up user mapping - the whole idea of SSO is to remove the need for user mapping.
    The entry in the ACL in STRUSTSSO2 is based on the values that you set in your UME. The SID is your portal SID and the client is the value from UME.
    The connection string should look like /H/host/S/server etc - same as for SAProuter.
    Cheers

  • Login Page coming for Anonymous User

    Hi All,
    we have configured anonymous user for our portal. Created a role for anonymous access - added pages and iViews under that. All the iViews and pages are modified with authentication scheme property to Anonymous.
    Now when we access the portal with the url http://host:port/irj it's showing the login box in the top part of the page and in the bottom part it's showing the anonymous role which we created.
    Let me tell you what we have done...
    Created role, iViews for Anonymous role, set the authentication property to 'Anonymous'.
    In Visual Admin-> Server-> Services-> UME Provider set the variable ume.login.anonymous_user.mode to 1.
    Variable ume.login.basicauthentication to 1.
    Variable ume.login.guest_user.uniqueids to Guest.
    Then we have updated the index.html file under <drive>:\usr\sap\<SID>\<instance_number>\j2ee\cluster\serverX\apps\sap.com\irj\servlet_jsp\irj\root .. we changed
    <body onload="location.replace('portal' + document.location.search)"></body>
    to <body onload="location.replace('servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.anonymous' + document.location.search)"></body>
    But now when a guest user accesses the portal http://host:port/irj it gives the strange screen (logon + content page) as I described earlier.
    Please let us know where are we missing...
    thanks & regards,
    Shubhadip

    Hi,
    1 .  I have created a iView and set the authentication scheme anonymous.
    2.  Also I created a role and added the iview to a role.
    3. The role has only 1 iview.  The entry pt is yes  for the iview
    4.  The role has permissions of end user for anonymous user.
    5. I checked the masthead iview also.. It also has authentication scheme anonymous
    When I try accessing the iView  in the form <http/https>://<server>:<port>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fmyfolder!2fmyiView
    I am able to view it without any login..
    But when the url is accessed <http/https>://<server>:<port>/irj/portal/anonymous
    I see a login page in the Detailed navigation..
    Please help me solve this problem ..
    Thanks,
    Preeti

  • SPNego still allowing non Kerberos Logons

    After exhaustive searches and attempts, I thought I had the SPNegoLoginModule installed.  These are the steps that I have followed.
    1.     Created a service user in the user directory used by the KDC.
    2.     Created the keytab file and transferred it to the J2EE server.***Note that I have found that the directions in help.sap.com are different for NW2004 and NW2004s!  It seems there is an additional step there.  I am running EP6 SPS15 and using NW2004
    3.     Created krb5.conf
    4.     Added the 3 lines to the UME.
    5.     Configured the logon stacks. *** Note and warning, there is a difference between the instructions for NW2004 and NW2004s!  Coming from an Environment that never had to deal with this step before, I admit that I was totally lost on my first attempts.
    6.     Configured ADS data source for Kerberos Authentication.
    7.     Configured IE for Kerberos Authentication.
    I restarted the engine and I was able to log on to the Portal.   Victory, NO!
    I wanted to test so I undid step 7.  I was STILL able to log in.  SPNego is not working.  Not finding any other docs, I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule.  DO NOT DO THIS!  The engine comes up, SPNego is still not working and you can no longer get into the VA.  I had to manually change the security settings in the configtool just to activate SAP* to undo the damage.
    The only thing I can think of that is still letting me log in is that I use MSADS as my LDAP.  In configuring the ADS for Kerberos I add the lines of code to the existing code that was used.  Is this the correct way to do this?
    Anyone see a step that I missed?

    Hello David.
    I've made the same mistake:
    I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule.
    So could you tell me, how can I log on to VA now?
    Where can I activate SAP*?
    I've set the value ume.superadmin.activated = true,
    but I still cannot logon to VA.
    And could you tell me where do I need to define my
    SPNegoLoginModule for correct work of SPNego?
    If you have configured SSO using SPNego and
    have step by step manual for it, could you send it for me?
    Best Regards!
    Vitali

  • Self Registration Approval Details Error

    Hi
    I am trying to raise a self registration request. The Self Registration Request is raised but remains in Request Received status. This is the standard SR and should go to xelsysadm account for approval.
    When I click on the request and try to see Approval Details it gives me the following error. PLEASE HELP ASAP.
    ERROR,13 Sep 2009 20:49:06,632,[XELLERATE.APIS],Class/Method: tcProvisioningOperationsBean/getProcessDetailData encounter some problems: Process instance with key '0' does not exist.
    ERROR,13 Sep 2009 20:49:06,636,[XELLERATE.WEBAPP],Class/Method: RequestApprovalDetailAction/requestDetail encounter some problems: Process instance with key '0' does not exist.
    Thor.API.Exceptions.tcAPIException: Process instance with key '0' does not exist.
         at com.evermind.server.rmi.RMICall.EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER(RMICall.java:109)
         at com.evermind.server.rmi.RMICall.throwRecordedException(RMICall.java:125)
         at com.evermind.server.rmi.RMIClientConnection.obtainRemoteMethodResponse(RMIClientConnection.java:571)
         at com.evermind.server.rmi.RMIClientConnection.invokeMethod(RMIClientConnection.java:515)
         at com.evermind.server.rmi.RemoteInvocationHandler.invoke(RemoteInvocationHandler.java:63)
         at com.evermind.server.rmi.RecoverableRemoteInvocationHandler.invoke(RecoverableRemoteInvocationHandler.java:28)
         at com.evermind.server.ejb.StatelessSessionRemoteInvocationHandler.invoke(StatelessSessionRemoteInvocationHandler.java:43)
         at __Proxy7.getProcessDetail(Unknown Source)
         at Thor.API.Operations.tcProvisioningOperationsClient.getProcessDetail(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
         at Thor.API.Security.LoginHandler.oracleLoginSession.runAs(Unknown Source)
         at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
         at $Proxy2.getProcessDetail(Unknown Source)
         at com.thortech.xl.webclient.actions.RequestApprovalDetailAction.setStandardApprovalDetail(Unknown Source)
         at com.thortech.xl.webclient.actions.RequestApprovalDetailAction.requestDetail(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)

    Hello Ramien,
    Set the following UME properties:
    ume.logon.selfreg is set to TRUE
    ume.admin.selfreg_company is set to TRUE
    You have defined companies
    ume.tpd.companies is set to a value other than 0.
    The action UME Selfregister_User is assigned to the role Everyone.
    The following link will be helpful.
    http://help.sap.com/saphelp_nw04s/helpdata/en/8e/53921c6d00064b8c58e528fd914dd4/frameset.htm
    Regards
    Deb
    [Reward Points for helpful answers]

  • Language for Service Map of business packages

    Hello All,
    I am using service map for Recruiter business package. In the SAP delivered contents the description for the workset/pages etc. which appears over the service map is specified in French language.
    Now when the end users are accessing the service map, the text appears in french only and NOT converted to english.
    Is there any configuration needed so that the service map descriptions for the links changes according to the user language settings.
    Currently all the users in my landscape are having english as the language set in the UME.
    Regards
    Deb

    Hello,
    Any suggestion from anyone..
    Regards
    Deb

  • Content Alignment in webdynpro iView based on user language

    Hi,
    We have a webdynpro application which has a search screen
    (Arabic as well as English), based on the user language setting in Portal UME, the respective language text with options are displayed.
    This webdynpro application runs on same WAS where Portal is running.
    When we test this application standalone like typing the URL of the webdynpro application, it shows english text with Left to right aligned content in browser for user X with Language as EN.
    When we test this application standalone like typing the URL of the webdynpro application, it shows arabic text with Right to Left aligned content in browser for user Y with Language as Arabic. It works fine when it is stand alone (when we directly run the webdynpro).
    We created a WebDynpro iView in Portal, and we tested with user Y (whose language is set to Arabic), issue is text is properly displayed in Arabic, but the content alignment is left to right, which should be Right to Left.
    Please let me know your solution/thought to the above mentioned issue/problem.
    Thanks
    Senthil

    Hi,
    The webdynpro application works fine (alignment and content is fine)when i access it directly.
    When i create a webdynpro iView and run it inside portal it is not working fine (alignment is LTR instead of RTL)
    I went through the SAP help RTL Alignment (http://help.sap.com/saphelp_nw04/helpdata/en/6e/8aae409567942ae10000000a155106/frameset.htm) and tried creating new themes and created a new desktop and assigned it to the user. It is still the same with LTR alignment.
    The issue is, why it is not working inside PRT, when it works fine inside WebDynpro Runtime.
    Thanks
    Senthil

  • Disable Initial Password Reset.

    Hello;
    Is it possible to set that the user do not change the initial password
    when created or even if the SAP Administrator reset it, the first time
    the user log on the system.
    Thanks;
    Ali Gumusoglu

    Hi Ali,
    Yes, it is possible; for that follow below steps:
    1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
    Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
    2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
    3.Click on the property below, set its value to FALSE and click the "SET" button.
    "ume.logon.security_policy.password_change_required = FALSE"
    4.Save.
    5. Restart the engine.
    Now
    1. Login with an "Administrator"
    2. Create a user and define a password like "init123"
    3. logoff from "administrator"
    4. login with new user; password is "init123"
    now system will not ask to change password.
    Reward Points; if it is useful.
    Thanks,
    Nagaraju Parlapalli
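
An added example, not part of any post above and not SAP code: a Python check that reads UME properties exported as `key = value` lines and flags the security-relevant settings named in these threads (forced password change switched off, SAP* emergency user activated, self-registration enabled, no explicit lockout threshold). The export format, the sample values and all function names are assumptions constructed for illustration.

```python
"""Flag security-relevant UME properties named in the threads above."""

# Constructed sample input; the "key = value" export format is an assumption.
SAMPLE = '''\
# constructed sample, not from a real system
ume.logon.security_policy.lock_after_invalid_attempts = 5
"ume.logon.security_policy.password_change_required = FALSE"
ume.superadmin.activated = true
ume.logon.selfreg = TRUE
ume.virtual_groups.names = Sales,Production,accounts
'''


def parse_properties(text):
    """Parse key = value lines; tolerate blank lines, # comments and
    lines wrapped in double quotes (as the property is quoted in one post)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _is_false(value):
    return value is not None and value.lower() == "false"


def _is_true(value):
    return value is not None and value.lower() == "true"


def _missing_or_not_a_number(value):
    return value is None or not value.isdigit()


# (property, predicate that marks the value as worth reviewing, note)
RULES = [
    ("ume.logon.security_policy.password_change_required", _is_false,
     "users keep the initial or admin-reset password"),
    ("ume.superadmin.activated", _is_true,
     "SAP* emergency user is activated; deactivate after recovery"),
    ("ume.logon.selfreg", _is_true,
     "self-registration is enabled; confirm it is intended"),
    ("ume.logon.security_policy.lock_after_invalid_attempts",
     _missing_or_not_a_number,
     "no explicit lockout threshold in this export"),
]


def audit(props):
    """Return (property, value, note) for every rule that fires, in rule order."""
    findings = []
    for key, needs_review, note in RULES:
        value = props.get(key)
        if needs_review(value):
            findings.append((key, value, note))
    return findings


if __name__ == "__main__":
    for key, value, note in audit(parse_properties(SAMPLE)):
        print(f"REVIEW {key} = {value}: {note}")
```
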
