XI Security Service Users

Similar Messages

• Security service error in OBIEE 11G LDAP configuration

  Hello
  I've recently set up some OBIEE 11G installations and they appear to work ok.
  I've more recently been using various guides on the internet to configure OBIEE 11G and Active Directory and can see the users and groups within Weblogic that belong the to the Provider that i've configured.
  However, when I attempt to start up OPMN, it always gives me the error like the following: 
  <Jun 24, 2013 1:45:38 PM NZST> <Warning> <oracle.jps.idmgmt> <BEA-000000> <Requested Object Class (user)not found in cache.
  oracle.security.idm.OperationFailureException: Requested Object Class (user)not found in cache.
  <Jun 24, 2013 1:52:20 PM NZST> <Error> <oracle.bi.security.service> <OBI-SEC-00004> <Unable to initialize oracle.bi.security.service.SecurityWebService>
  I initially had the User Object Class as User in the Provider configuration and noticed it wasn't in the LDAP directory so I tried changing it to a Object Class that did exist for one of the users but it made no difference.  It still says the same error message even though I have no reference to User in the configuration.
  Can anyone suggest something I might be doing wrong or missing?

  I have followed the same configuration. However i am getting the following error when i try to login
  Caused by: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage - '<LDAP user>' was authenticated but could not located within the Identity Store.
  I guess some configuration issue, but cannot be able to spot the error. Please let me know your idea
  Thanks

• External Web Service - User and password in HTTP header

  Hi!
  How is it possible to add user and password in the HTTP header in a external web service call? 
  I have created a "Portal Service from WSDL file - Client side" with the wizard in SAP Developer Studio.  I following the Java Development Guide - Web Service Security, and use the <i>secured service connection</i>.  I have also created a new <i>System Landscape</i>, but should the new system be based on HTTP, my own PAR or what?
  How can I check that the user and password is added to the HTTP header or the SOAP envelope? Do I have to scan http traffic with a proxy as Paros or can I find the request sent from SAP EP in the logs?
  Cheers
  Asle

  Hello All,
  I have been struggling a bit while putting a reasonable security framework on a jax-rpc style web service. I'm using JWSDP1.2 to set up the webservice. I've tried to outline my problem below. Please correct me where I'm wrong.
  I've been through the Sun's WS tutorials, but they are not really clear on security. However, from them I surmised that there are two decent authentication techniques. HTTP Basic and mutual authentication (MA) . Both have their drawbacks though. HTTP Basic suffers from poor encryption while MA is a bit difficult to set up on both client and server sides. Another problem with MA is that there is no central repository for users/passwords.
  OK, what I would really like to do is use my own user database to verify users/passwords i.e. use a HTTP Basic like authentication (but at application level) but run it over SSL for encryption. It seems simple, but is it possible?
  Also, I have noted that when I use HTTP Basic on the service side, and use a java client, then setting username/password has no effect. In other words, I can always access the web-service, even with wrong username/password.
  Sorry for the long post. Hope someone can help. Thanks.

• IOP 11.1.2.0 integration with Shared Services (User Provisioning)

  In the IOP 11.1.2.0 install guide, the Admin and Admin provisioning roles are provisioned through Shared Services.
  "Provision Integrated Operational Planning Administrator and Integrated Operational Planning
  Provisioning Manager roles for the Integrated Operational Planning instance to the Admin user through
  Oracle's Hyperion® Shared Services Console
  a. Connect to the Oracle's Hyperion® Shared Services Console; for example, http://
  hss_server:hssserver_port/interop.
  b. Log in as the administrator.
  c. Expand User Directories and Native Directory.
  d. Select Users and click Search.
  e. Right-click the Admin user and select Provision.
  f. Expand Default Application Group.
  g. Expand the Integrated Operational Planning instance created.
  h. Highlight IOP Administrator and Provisioning Manager.
  i. Click the right arrow in the middle of the two windows to select the roles.
  j. Click Save, and then click OK."
  The users and groups are defined in Shared Services, per the IOP 11.1.2.0 admin guide (p. 144).
  Is there an IOP user provisioning example in the shared services user's guide, and which version of the guide would I find that in?
  Access priveledges are controlled from the Admin workbench for IOP users, per p.145 of the IOP 11.1.2.00 user's guide.
  Thank you.

  IOP Roles are listed in the 11.1.2 Shared Services User and Role Security Guide, on page 158:
  Integrated Operational Planning Roles
  Table 39 Integrated Operational Planning Roles
  Roles Tasks per Role
  Provisioning Manager Provisions users and groups with Disclosure Management roles
  IOP Administrator Administers Oracle Integrated Operational Planning, Fusion Edition. IOP Administrators can modify models, access
  ACL pages, and perform all Integrated Operational Planning tasks
  IOP User P erforms Oracle Integrated Operational Planning, Fusion Edition actions as a normal user

• Copy distribution list  to all content services user folders

  We have an Outlook distribution list PST file that current resides in a Windows file server. This gets pushed out the the personal folder of each user overnight.
  Going forward, we need to push this PST file to all the Content Services user personal folders (Users-A, Users-B ... Users-Z).
  I created a single superuser that has all administrative rights to all the users personal folders. And I can upload a file through the webdav http interface.
  with the "Upload" button while I'm "Switched to Administrative Mode" only.
  And I can't see the users personal folders while using the Oracle Drive nor
  thru a Network drive.
  Is there a way of pushing this to all the users' personal folders???

  Hi Juan,
  I tried that but it is not showing the shared distribution list for moving.
  I found 1 sap BC office document which stats that moving the distribution list form Private to public is not possible due to security reason.
  So, no options for me and to create manual shared distribution list.
  Thanks
  Anil

• PI 7.0 service users are locked

  Hi guys,
  We have PI7.0 installed and configured properly.
  We created a custom product and software component version in SLD and when we are trying to import it in IR we get "Unable to read software component versions from System Landscape Directory". Just to let you know PI is on one host and SLD on another.
  It is obvious that something is wrong with users in the communication between IB and SLD.
  We have tried everything:
  1) notes 764176, 768148, 720717, 741214, found on relevant posts.
  2) Exchange profile checks, we added extra roles to PIREPUSER, we replaced PIREPUSER in Exchange Profile with PISUPER, creating all PI service users with user roles in ABAP part of SLD etc... When I changed something in ABAP part, I performed "assign roles to user groups" in VA of Java part.
  However, I noticed that in SLD's UME in Java some of the PI service users are locked and I am unable to unlck them, since when I try to do so with user j2ee_admin, I get "There was an error. Please contact administrator"
  Any ideas??
  Evaggelos

  Thanks to both guys. I will award points.
  The problem was caused due to some PI users that were locked on the J2EE part of XI, and therefore they could not connect to the SLD. I unlocked them through VA 's, Security Provider service.
  Evaggelos

• After sql server 2012 installation, I have changed sql server database engine service account from network service user to system user. What is disadvantages of this process?

       After
   sql server 2012 installation, I   attached my production db. Because of some reasons, i
   changed sql engine account from network service user to system user by means of sql server configuration manager.
       Now , there isn’t
   a problem at sql server running system.  But
  I have doubts that
   this can produce problems later. Because  sql server database engine account must have privileges that listed below;
  Log on as a service (SeServiceLogonRight)
  Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  Bypass traverse checking (SeChangeNotifyPrivilege)
  Adjust memory quotas for a process
  (SeIncreaseQuotaPrivilege)
  Permission to start SQL Writer
  Permission to read the Event Log service
  Permission to read the Remote Procedure Call service
   While sql server installation, setup gives these
   privileges to network service user automatically, but changing user by means of sql confugarition manager does not give these
  privileges.
  Now, system user has privileges listed below. And sql server has been running for 1,5 months without any problems.
  Log on as a service (SeServiceLogonRight)
       Bypass traverse checking
  (SeChangeNotifyPrivilege) (Everyone user has his privileges. So i think that system user has this privilege also)
  What problems can occur because of this situation? Shall i give other privileges to system user and restart sql server or not? And how can i give these privileges to system user listed below;
  Replace a process-level token (
  this can be set from user rights assignments)
  Adjust memory quotas for a process
  (this can be set from user rights assignments)
  Permission to start SQL Writer ( 
  ? - give advice )
  Permission to read the Event Log service (
  ? - give advice )
  Permission to read the Remote Procedure Call service (
  ? - give advice )

   Our server is  windows server 2008 r2 enterprise edition. I have looked the bunch of permissions in user rights menu  that is in local security policy settings gui.
  And i have seen those permissions below were not granted to system user;
  Bypass traverse checking (SeChangeNotifyPrivilege)
  Adjust memory quotas for a process
  (SeIncreaseQuotaPrivilege)
  So, briefly you say, don't panic ?

• NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

  Hi!
  (Sorry, if this is a wrong forum.)
  Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
  I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
  Access-Requests with User-Name="anonymous"
  Access-Challenges (I see certificate is sent from ACS)
  Access-Reject
  CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
  So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
  The following is excerpt from the CS ACS documentation:
  "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
  SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
  So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
  Any help is greatly appreciated.

  Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
  POD1-SW#sh run int fa1/0/1
  Building configuration...
  Current configuration : 378 bytes
  interface FastEthernet1/0/1
  switchport access vlan 999
  switchport mode access
  dot1x mac-auth-bypass
  dot1x pae authenticator
  dot1x port-control auto
  dot1x timeout reauth-period server
  dot1x timeout tx-period 10
  dot1x reauthentication
  dot1x critical
  dot1x critical recovery action reinitialize
  dot1x guest-vlan 91
  dot1x critical vlan 11
  spanning-tree portfast
  end
  After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
  Thx.

• Service users in SAP XI?

  what are service users in SAP XI?

  Hi Ankur,
  in XI basically we deal with two type of uses. they are
  Service users are used for internal communication between XI components, which is
  usually triggered by interaction of dialog users .The service users provide dialog-free
  access to the involved XI components. They have SAP user roles in the ABAP part of the SAP
  Web Application Server (AS) that are available as user groups in the J2EE part. The Integration Repository is associated with service user XIREPUSER. For each component, service users representing the respective components are created with the appropriate roles in the target components during installation. The passwords of the service users have to be defined during the installation process.
  Ex:
  Component Service   
  Exchange Profile,
  System Landscape
  Directory
  User Role                        
  SAP_BC_AI_LANDSCAPE_DB_RFC
  Service User
  XILDUSER
  Dialog users represent human users (as opposed to service users), who log on through the
  various UIs of the Integration Builder, System Landscape Directory, and Runtime Workbench.
  Dialog users are generally maintained in the ABAP part of the SAP Web AS. The roles for the different dialog users displayed in the following table are predefined and
  shipped.
  Dialog User Role Description
  SAP_XI_DISPLAY_USER-- Read-only access to Integration Directory and
  Integration Repository
  SAP_XI_DEVELOPER--- Design and development of integration processes
  Go to this location and find the documentation.
  /sap netweaver/sap netweaver in detail/security/security in Detail/SAP Security Guides

• How To Create a Service User

  Hello,
  How do I create a service user in EP (or the WAS) similar to the built in service users that come with EP like cadmin_service, index_service, etc.?
  Of course, I've tried creating a normal user, but it does not show up as a service user.  Do I have to create service users programmatically or is there a GUI to do it?
  Thanks!

  Hi Chris,
  > the code used still didn't work
  Please read the post carefully, the creation of the user worked, but the questionner had problems concerning permissions using this user as PCD access user.
  Even if I'm not from SAP: The way shown <i>is</i> the "official" way. To be concrete: IServiceUserFactory is not release, but this is the way SAP itself works with this issue. Also see http://media.sdn.sap.com/html/submitted_docs/60_sp2_javadocs/ume/com/sap/security/api/UMFactory.html#getServiceUserFactory()
  Hope it helps
  Detlev

• How to secure the users from deleting the work items

  Hi all,
  I have a question like this.........whether we could secure the users from deleting the work items by someone in the Project and also assigning a specific user to allow them to delete the idoc. 
  Please help me on this as this is critical.........
  Thanks in advance
  Chakri

  One of t he possible way is, ask the basis team to create users as Service Users and you can determine whether the login user is whether a service or dialog user  by using the a bapi BAPI_USER_GET_DETAIL under the exporting parameter logondata with field USRTYP where if the logged in user is Service user then this field will be populated as S if the user is a dialog user then it will be populated as A.
  Now in more efficient way of fixing this is get the list of users for whom you donot want to give the authorization of deleting workitems and assign the appropriate role for all the listed users...
  for roles and authorizations i hope the basis team is the right team to consult....

• Data Services user rights  on SAP BW

  Hi guys,
  I am currently in a project and BASIS team is asking me what authorization rights should they apply on BOBJ Data Services user to pull data from BW. And I have no idea what authorizations should be applied.
  Help please.
  Thanks,
  R.A.

  Hi,
  check the Guide:
  http://help.sap.com/businessobject/product_guides/boexir32/en/xi32_ds_sap_en.pdf
  Chapter "SAP applications security levels" starting on Page 53
  Regards
  -Seb.

• Adminserver throws weblogic.security.service.SecurityServiceException

  Hi all,
  When i installed weblogic 10.3.3 with java1.6 on RHEL 5.5 & created the domain. After the creation , i am not able to star the Admin server,it is throwing the below error. Do anyone have idea ,how to resolve this issue ?
  ####<Oct 28, 2010 3:38:41 AM PDT> <Error> <Security> <Unknown> <AdminServer> <[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1288262321492> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: java.lang.ExceptionInInitializerError.
  weblogic.security.service.SecurityServiceException: java.lang.ExceptionInInitializerError
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused By: java.lang.ExceptionInInitializerError
  at com.octetstring.vde.util.guid.GuidGenerator.nextGuidInBytes(GuidGenerator.java:125)
  at com.octetstring.vde.util.guid.Guid.<init>(Guid.java:84)
  at com.octetstring.vde.backend.standard.BackendStandard.add(BackendStandard.java:379)
  at com.octetstring.vde.backend.BackendHandler.add(BackendHandler.java:460)
  at com.octetstring.vde.util.LDIF.importLDIF(LDIF.java:279)
  at com.octetstring.vde.util.LDIF.importLDIF(LDIF.java:235)
  at weblogic.security.utils.ProviderUtils.loadFullLDIFTemplate(ProviderUtils.java:739)
  at weblogic.security.utils.ProviderUtils.loadLDIFTemplate(ProviderUtils.java:583)
  at weblogic.security.utils.ProviderUtils.loadLDIFTemplate(ProviderUtils.java:489)
  at weblogic.security.utils.ProviderUtils.loadLDIFAuthenticatorTemplate(ProviderUtils.java:316)
  at weblogic.security.providers.authentication.DefaultAuthenticationProviderImpl.initialize(DefaultAuthenticationProviderImpl.java:128)
  at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:65)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused By: java.lang.NullPointerException
  at java.lang.System.arraycopy(Native Method)
  at com.octetstring.vde.util.guid.GuidParamGenerator.generateNodeID(GuidParamGenerator.java:47)
  at com.octetstring.vde.util.guid.GuidStateManager.initializeGUIDParameters(GuidStateManager.java:59)
  at com.octetstring.vde.util.guid.GuidStateManager.<init>(GuidStateManager.java:30)
  at com.octetstring.vde.util.guid.GuidStateManager.<clinit>(GuidStateManager.java:23)
  at com.octetstring.vde.util.guid.GuidGenerator.nextGuidInBytes(GuidGenerator.java:125)
  at com.octetstring.vde.util.guid.Guid.<init>(Guid.java:84)
  at com.octetstring.vde.backend.standard.BackendStandard.add(BackendStandard.java:379)
  at com.octetstring.vde.backend.BackendHandler.add(BackendHandler.java:460)
  at com.octetstring.vde.util.LDIF.importLDIF(LDIF.java:279)
  at com.octetstring.vde.util.LDIF.importLDIF(LDIF.java:235)
  at weblogic.security.utils.ProviderUtils.loadFullLDIFTemplate(ProviderUtils.java:739)
  at weblogic.security.utils.ProviderUtils.loadLDIFTemplate(ProviderUtils.java:583)
  at weblogic.security.utils.ProviderUtils.loadLDIFTemplate(ProviderUtils.java:489)
  at weblogic.security.utils.ProviderUtils.loadLDIFAuthenticatorTemplate(ProviderUtils.java:316)
  at weblogic.security.providers.authentication.DefaultAuthenticationProviderImpl.initialize(DefaultAuthenticationProviderImpl.java:128)
  at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:65)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
  at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
  at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
  at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
  at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
  at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
  at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  thanks
  Arun

  Hi,
  It looks like your security services initilization has some problem.Please try to do below step.
  Please login to the Database and then run the below SQL file to execute different queries mentioned in this file:
  Suppose Database User Login is “weblogic” then login to Database with this credential and run the script under $BEA_HOME\wlserver_10.3\server\lib\rdbms_security_store_oracle.sql
  Then restart your Server.

• Server failed to connect to BI Security Service.

  The complete error is:
  [nQSError: 43146] FMW_UPDATE_ROLE_AND_USER_REF_GUIDS inside NQSConfig.INI is set to Yes but the server failed to connect to BI Security Service.
  BI server fails to come up...
  need urgent help !!!

  Check these
  http://docs.oracle.com/cd/E21764_01/bi.1111/e10541/configfileref.htm at A.6.26
  http://www.varanasisaichand.com/2011/08/refresh-user-guids-obiee-11g.html?m=1
  Pls mark if helps

• Sapjsf locks ABAP service user psswd: M  ***LOG US1= Login, Wrong Password

  I have a PI system and a number of ABAP systems connecting to this.
  I have defined a service user in PI for each ABAP system - SY_SID_999 (where SID is the SAP System ID and 999 is the client).  Various connections (e.g., RFC, ABAP proxy) use these userid and I rely on the user name to identify the source of the activity within PI.
  I was forced to change the password of one of these userids and, subsequently,  to update connection details in RFCs etc within the source system.  All went well for these connections.
  Now, however, at 25 minutes past the hour, I get the following error in the PI system's developer trace
  M  ***LOG US1=> Login, Wrong Password (SY_SID_999 ) [sign.c       4545]
  and the SM21 log says
  10:25:47 DIA  000 100 SAPJSF                  US  1 User SY_SID_999 locked due to incorrect logon
  SU01 change records show no changes to SY_SID_999 from the time I unlock it until 25 minutes past the hour when this error occurs. 
  The SM19 security audit log in the PI system has errors:
  12.08.2009     10:08:18     SAPJSF     localhost          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  Type=U means "user switch (internal call)" according to the documentation.
  Reason 53 means "Too many failed password logon attempts"
  These errors occur in bunches but without a consistent repetition interval.  For example, there were 8 at 10:04:56/57 then 2 at 10:08:18 then a string of success messages as follows:
  12.08.2009     10:08:18     SAPJSF     localhost          SAPMSSY1     Logon Successful (Type=U)
  Then, at 10:25...
  12.08.2009     10:25:47     SAPJSF     localhost          SAPMSSY1     User SY_SID_999 Locked in Client 100 After Erroneous Password Checks
  12.08.2009     10:25:47     SAPJSF     localhost          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  If I do not unlock the SY_SID_999 userid in the PI ABAP system, there will be no further errors in SM21 but if I do, at 25 minutes past the hour after the error pattern will repeat.
  I have set the rfc/logon_error_log parameter to 3 in PI ABAP to trigger a short dump.
  Internal notes from the short dump do not identify the who, what or where of the sign-on attempt...
  Internal notes
      The termination was triggered in function "ab_xsignon"
      of the SAP kernel, in line 2725 of the module
       "//bas/710_REL/src/krn/rfc/absignon.c#4".
      The internal operation just processed is "CALY".
      Internal mode was started at 20090812112528.
      Caller system......: " "
      Caller.............: " "
      Caller client......: " "
      RFC user ID........: " "
      RFC client.........: 100
      Login return code..: 20
      Transaction code...: " "
      (Note: In releases < 4.0, no information on the caller is available)
  The source system represented by the SY_SID_999 userid is an ABAP ONLY stack so has no sapjsf userid.  (For the record, SY_SID_999 doesn't exist in client 999 of SID either - it's defined in the PI system to do work on behalf of SID client 999.)
  So the question, after all that, is:
  How do I identify the source of this password error?

  Thanks Michael
  I did get a short dump during the testing process and it indicates that the failed RFC logon attempt originates from within the PI system.  My implementation partner was rather careless in the assignment of userids to connections so, while this userid should only be used for connections originating from the SID, I cannot guarantee that.
  I've been into both my PI system and the ABAP system (which doesn't have a sapjsf userid so should not be the offending party) and run an SQL select script to find all RFC destinations which contain the string "SID" or "sid" in any of the RFCOPTIONx fields.  I've carefully checked out each of these RFC destinations and, in SID they contain the SY_SID_999 userid and, when that's unlocked in PI, the connection and authorisation tests succeed.  That rules out upper/lower case issues and pretty much eliminates these legitimate RFC destinations from the suspect list.  The RFC destinations identified in the PI system by the SQL search contain "SID" because they name that as their target system; these definitions don't reference the SY_SID_999 userid at all.
  All the evidence I can find points very strongly to some process running as SAPJSF in the Java stack of the PI (dual stack) system calling something on the ABAP side and trying to connect as SY_SID_999.  Trouble is I can't find it.  In fact, I'm don't even know where to start looking to find a job running in the Java stack - on the ABAP side I'd head for SM37 but what to use on the Java side?