cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SLDDSUSER getting locked

bharathyp
Active Participant

on ‎07-08-2014 4:27 AM

0 Kudos

I have already did all the things that I could find on the web, but what can I do to actually pin point which server is having the wrong password?

A bit about my landscape is that we have solution manager and few systems.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
‎07-11-2014 10:51 AM
0 Kudos

Look in /usr/sap/<SID>/DVEBMGS<sysnr>/j2ee/cluster/server<X>/log/system/httpaccess in file responses.X.trc for error code 401, this way you can identify the system's IP which has the wrong password.

Show replies
Show replies
Former Member
‎07-08-2014 9:43 AM
0 Kudos

Hi Jack,

To see more information from which remote system is locking your system enable the following parameter:


rfc/signon_error_log

rfc/signon_error_log

Parameter description :

Value 0 = Inactive

          1 = Short dump active

         2 = Short dump activae and trace output in developer trace

        files (dev_w*)

        -1 = No short dump, but an ABAP message and trace output in

        developer trace files (dev_w*)

If you set the value of the profile parameter to 0 (that is,

rfc/signon_error_log = 0), no ABAP short dump is written, but an entry

is created in the syslog.

If you set the value of the profile parameter to 1 (that is,rfc/signon_error_log = 1), the system outputs the short dump

"CALL_FUNCTION_SIGNON_REJECTED" every time a logon error occurs. You can analyze the content of the dump using the ABAP short dump analysis

transaction (Transaction ST22).

If you set the value of the profile parameter to -1 (that is,rfc/signon_error_log = -1), an ABAP message is generated instead of the

short dump. This is the default setting.

Please note this will create short dumps in solman and if you have many rfc's might create a few but this will give you hostname of calling system to lock user. You can activate and deactivate via RZ11.

Kind Regards,

Johan

Show replies
Show replies
bharathyp
Active Participant
‎07-08-2014 10:07 AM
0 Kudos

Just a question,

As I mentioned that I am getting locked in the portal so should I enable this in the actual server or still in SOLMAN?

Former Member
‎07-08-2014 10:19 AM
0 Kudos

Hi.

You activate it in solman, as this is where user is getting locked, it will just display message in in portal saying user is locked. But in fact it is locked on solman.

i.e. if you know that the connection locks user in specific satellite system i.e. portal then you should just correct the password in your portal to what is correct on the remote solman system and push sld data to test if it works.

This parameter should assist in identifying remote system locking user but keep it active shortly after unlocking users depending on your system may generate lot of dumps.

Kind Regards,

Johan

bharathyp
Active Participant
‎07-10-2014 8:29 AM
0 Kudos

Hi Joan and the rest of the guys,

Just to update that so far it has been over 24hrs and it doesn't seem to be locked as no users complained, but will wait till the end of the week and update you guys again.

Former Member
‎07-10-2014 8:38 AM
0 Kudos

Hi Jack,

Thanks for the update how did you identify the target system locking the user?

Kind Regards,

Johan

bharathyp
Active Participant
‎07-10-2014 9:17 AM
0 Kudos

Actually I changed the user name in the SOLMAN, SLDAPICUST and so far no issues, but I wanted to know if the problem persists what else I can do to track down the issue. So the first solution seems to be working pretty good so far.

hemanth2
Product and Topic Expert
Product and Topic Expert
‎07-10-2014 11:50 AM
0 Kudos

Hi,

Hope you are doing good.

There is another way to get detailed traces from the J2ee end if the remote server in question is a j2ee server. Such locking issues are usually very complicated cause the J2EE server may interact with many external/ABAP server etc(using JCo destinations, JCo RFC destinations, system connection, /nSM59 connections), and if the password is set wrongly in one place and calls are made, then

after a particular number of tries, the user will get locked.

Please go through SAP Note 1493272 throughly and the attachment

LocationGuide.zip that contains the "How to create a new trace location

in NW 7.10 and above.doc" document which shows how you NEED to create

the "com.sap.security.userlocking". This won't be existing on your

system; you need to create it.

After this check all the possibilities mentioned in the note.

Thank you!

_____________

Kind Regards,

Hemanth

SAP AGS
 

bharathyp
Active Participant
‎07-11-2014 9:02 AM
0 Kudos

Hi,

BAD NEWS!

the portal still shows that slddsuser has been locked, hmm I am going to try Hemanth solution.

Will update again.

bharathyp
Active Participant
‎07-11-2014 9:18 AM
0 Kudos

THanks for this, but I am confused as in where is this trace file located?

Former Member
‎07-11-2014 9:22 AM
0 Kudos

Hi Jack,

Just for my understanding.

Lets call your ECC DEV SLD system A, and your portal system B.

My understanding of your scenario:

In system A SLDDSUSER gets locked in System A on example client 100.

In system B portal system when you try and send SLD data push to the SLD it says the user is locked?

If this is your scenario and my understanding is correct, I think you should try the rfc/signon_error_log parameter in you ECC DEV system. The reason I am saying this is the warning message on your Portal would just stipulate the user is locked on System A (ECC DEV) and therefore data cannot be send. However the password may be incorrectly maintained on a System C/D/E that also connect to the ECC DEV and this may be locking the user. And what your see on the Portal is just informative message.

This is my understanding of your scenario and why I think doing the trace on the portal may not help.

Please advise if my understanding of your layout is correct? And good luck in resolving the issue quickly.

Kind Regards,

Johan

Former Member
‎07-11-2014 9:33 AM
0 Kudos

Hi,

Possibly

https://help.sap.com/saphelp_nw73/helpdata/en/48/5059dfe31672d4e10000000a42189c/frameset.htm

/usr/sap/{SID}/D{x}/j2ee/cluster/server{x}/log

/usr/sap/{SID}/DVEBMGS{xx}/j2ee/cluster/server{X}

/usr/sap/{SID}/DVEBMGS{xx}/j2ee/cluster/server{X}/log

Or you should be able to view it in the netweaver admin if you expand the trees on where you created it.

Kind Regards,

J

hemanth2
Product and Topic Expert
Product and Topic Expert
‎07-11-2014 10:35 AM
0 Kudos

Hi,

Hope you are doing good.

I hope you went through the note 1493272 throughly. The  last modified defaultTrace.X.trc file will have the details.

Thank you!

_____________

Kind Regards,

Hemanth

bharathyp
Active Participant
‎07-11-2014 10:36 AM
0 Kudos

Hi Johan,

ok my enviroment / scenario is similar to as you guessed.

So I guess the trace logs won't help much.

bharathyp
Active Participant
‎07-11-2014 11:13 AM
0 Kudos

Hi Johan,

I am yet to enable them in my backend system in your sample scenario it is System A.

But in the mean time as Hemanth suggested since I turned on the log this is what i got in the log. Although it is a few hours ago , 2hrs ago to be exact, even before I activated the trace as Hemanth suggested as I can tell from the time stamp of the file and this is what I found

#1.5 #00145E5A55FA006F0000011A000019580004EC233A23F341#1385535949360#/Applications/SLD#sap.com/com.sap.lcr#com.sap.sld.api.builder.app.DefineHostedSystem#J2EE_ADMIN#311##n/a##53f5e048573211e38af40000032e2b8a#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#com.sap.sld.api.builder.app.DefineHostedSystem#Plain###Communication exception in SLD ping (HTTP 401 = UNAUTHORIZED): http://vq8c2:50500/sld/cimom/, namespace sld/active.#

in this case vq8c2 is where my portal is (System B).

hemanth2
Product and Topic Expert
Product and Topic Expert
‎07-11-2014 11:25 AM
0 Kudos

Hi,

Do check the settings for SLD data supplier. I guess the best option would be to add a new password (at all places) and then retry the post installation steps.

Please also check if you have maintained a correct logon information in

T-cd:SLDAPICUST according to note 1244841.

regards,
hemanth

bharathyp
Active Participant
‎07-11-2014 11:28 AM
0 Kudos

Yes I did, But I think this is something to do with SMD rather than portal.

Former Member
‎07-11-2014 12:50 PM
0 Kudos

The best thing is to uninstall SMD and install it from scratch.

bharathyp
Active Participant
‎07-18-2014 5:36 AM
0 Kudos

Hi Johan,

Sorry was out whole week.(sick) Just gained some strength to come back office today.

So I noticed that my setting is already default to what you mentioned, but where is the log file?

And ofcourse the issue is still persisting and SMD is not the cause.

Thanks man

Former Member
‎07-18-2014 8:34 AM
0 Kudos

Hi Jack,

I see your value is active to -1.

Click on documentation you will see this:

Value 0 = Inactive

          1 = Short dump active

         2 = Short dump activae and trace output in developer trace

        files (dev_w*)

        -1 = No short dump, but an ABAP message and trace output in

        developer trace files (dev_w*)

So yours is active to -1 no short dump, but an ABAP message and trace output in developer trace file so you will have to go and investigate the dev_w* and dev_rfc* files.

Probably good idea is to check timestamp of when user is locked on your solman system client, and to search for entries matching that timestamp in dev_w* files. You should usually see in your sm21 log and when user locked.

If you want more information you can use option 2 this will for the period active create many short dumps as there are many RFC calls to a solman system, but the short dump created is usually very helpful as well in says which call system had error code that locked user.

See what you can find in the lower trace level remember you can set it in RZ11 and remember to set active on all server "same on all servers"

The short dumps should be CALL_FUNCTION_SIGNON_REJECTED.


This also explains a bit.



So now starts your searching process.

Kind Regards,

Johan

Former Member
‎07-22-2014 1:37 PM
0 Kudos

Hi Jack,

So usings Hermanth's solution worked for you?

Kind Regards,

Johan

bharathyp
Active Participant
‎07-25-2014 12:52 AM
0 Kudos

Hi,

Sorry for the late reply, nope it is not working.

bharathyp
Active Participant
‎07-25-2014 12:54 AM
0 Kudos

I couldn't find anything in the logs that point to user being locked.

Any specific line that i have to be looking for?

Former Member
‎07-25-2014 7:39 AM
0 Kudos

Hi,

Have you increased the trace level on that parameter so it creates you the detailed dumps?

Johan

bharathyp
Active Participant
‎07-30-2014 2:22 PM
0 Kudos

will change and update you guys..

Former Member
‎07-08-2014 5:35 AM
0 Kudos

This message was moderated.

Show replies
Show replies
bharathyp
Active Participant
‎07-08-2014 8:04 AM
0 Kudos

Hi Surya,

Tks for the info,

So a few things I checked my Solution Manager and this is what I got.

host name is my Solution Manager host.

also I was not sure what I am looking for here


J2EE: SLD DATA SUPPLIER (VisualAdmin, Service SLD Data Supplier)

The sld password here is the one that I have set it quite sometime ago and it is working fine, expect that some system somwhere in the landscape is still using the old password and locking the system


J2EE: JCo RFC Provider (VisualAdmin, Service Jco RFC Provider)

what I have to set or do here?


DIAGNOSTIC AGENT (Script smdsetup with argument)

I found the script so what are the arguments should I give?

akash_ahuja
Explorer
‎07-08-2014 8:22 AM
0 Kudos

HI,

first you have change the user j2ee_Admin to slddsuser and if you don't know the password reset it and then enter in SLDAPICUST and test it and same password enter in visual admin.

Regards:

Akash Ahuja

bharathyp
Active Participant
‎07-08-2014 8:53 AM
0 Kudos

ok done! But as you can see that my portnumber is 50000 but this is my details for SLD Data Provider where the port number i s50500, is that going to affect anything?

So now how do I check if the SLDDUSER is still getting locked due to some other system trying to log in?

Tks for the information folks!

former_member45419
Active Contributor
‎07-08-2014 5:35 AM
0 Kudos

This message was moderated.

Show replies
Show replies
former_member182657
Active Contributor
‎07-08-2014 4:54 AM
0 Kudos

This message was moderated.

Show replies
Show replies
bharathyp
Active Participant
‎07-08-2014 5:02 AM
0 Kudos

Hi,

We have a central SLD on our ECC Dev system.

Our landscape has ECC 6.0, NetWeaver 7.

The SLDDSUSER keeps on getting locked frequently on portal dev system.

The user keep getting locked in the portal and not able to make connection to the ECC to display the data, but once unlocked then it is ok again, and also this happens at the most 24hrs once

What can I do to pinpoint where is this problem occuring?

Regards,

Bharath

former_member182657
Active Contributor
‎07-08-2014 5:08 AM
0 Kudos

Hi,

Kindly follow SAP Notes  1650035 - SLDDSUSER locked due to incorrect logon to SLD

1828470 - SLDDSUSER and SLDAPIUser account lock

Regards,

Gaurav

Ask a Question