on 07-08-2014 4:27 AM
I have already did all the things that I could find on the web, but what can I do to actually pin point which server is having the wrong password?
A bit about my landscape is that we have solution manager and few systems.
Look in /usr/sap/<SID>/DVEBMGS<sysnr>/j2ee/cluster/server<X>/log/system/httpaccess in file responses.X.trc for error code 401, this way you can identify the system's IP which has the wrong password.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Jack,
To see more information from which remote system is locking your system enable the following parameter:
rfc/signon_error_log
rfc/signon_error_log
Parameter description :
Value 0 = Inactive
1 = Short dump active
2 = Short dump activae and trace output in developer trace
files (dev_w*)
-1 = No short dump, but an ABAP message and trace output in
developer trace files (dev_w*)
If you set the value of the profile parameter to 0 (that is,
rfc/signon_error_log = 0), no ABAP short dump is written, but an entry
is created in the syslog.
If you set the value of the profile parameter to 1 (that is,rfc/signon_error_log = 1), the system outputs the short dump
"CALL_FUNCTION_SIGNON_REJECTED" every time a logon error occurs. You can analyze the content of the dump using the ABAP short dump analysis
transaction (Transaction ST22).
If you set the value of the profile parameter to -1 (that is,rfc/signon_error_log = -1), an ABAP message is generated instead of the
short dump. This is the default setting.
Please note this will create short dumps in solman and if you have many rfc's might create a few but this will give you hostname of calling system to lock user. You can activate and deactivate via RZ11.
Kind Regards,
Johan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi.
You activate it in solman, as this is where user is getting locked, it will just display message in in portal saying user is locked. But in fact it is locked on solman.
i.e. if you know that the connection locks user in specific satellite system i.e. portal then you should just correct the password in your portal to what is correct on the remote solman system and push sld data to test if it works.
This parameter should assist in identifying remote system locking user but keep it active shortly after unlocking users depending on your system may generate lot of dumps.
Kind Regards,
Johan
Hi,
Hope you are doing good.
There is another way to get detailed traces from the J2ee end if the remote server in question is a j2ee server. Such locking issues are usually very complicated cause the J2EE server may interact with many external/ABAP server etc(using JCo destinations, JCo RFC destinations, system connection, /nSM59 connections), and if the password is set wrongly in one place and calls are made, then
after a particular number of tries, the user will get locked.
Please go through SAP Note 1493272 throughly and the attachment
LocationGuide.zip that contains the "How to create a new trace location
in NW 7.10 and above.doc" document which shows how you NEED to create
the "com.sap.security.userlocking". This won't be existing on your
system; you need to create it.
After this check all the possibilities mentioned in the note.
Thank you!
_____________
Kind Regards,
Hemanth
SAP AGS
Hi Jack,
Just for my understanding.
Lets call your ECC DEV SLD system A, and your portal system B.
My understanding of your scenario:
In system A SLDDSUSER gets locked in System A on example client 100.
In system B portal system when you try and send SLD data push to the SLD it says the user is locked?
If this is your scenario and my understanding is correct, I think you should try the rfc/signon_error_log parameter in you ECC DEV system. The reason I am saying this is the warning message on your Portal would just stipulate the user is locked on System A (ECC DEV) and therefore data cannot be send. However the password may be incorrectly maintained on a System C/D/E that also connect to the ECC DEV and this may be locking the user. And what your see on the Portal is just informative message.
This is my understanding of your scenario and why I think doing the trace on the portal may not help.
Please advise if my understanding of your layout is correct? And good luck in resolving the issue quickly.
Kind Regards,
Johan
Hi,
Possibly
https://help.sap.com/saphelp_nw73/helpdata/en/48/5059dfe31672d4e10000000a42189c/frameset.htm
/usr/sap/{SID}/D{x}/j2ee/cluster/server{x}/log
/usr/sap/{SID}/DVEBMGS{xx}/j2ee/cluster/server{X}
/usr/sap/{SID}/DVEBMGS{xx}/j2ee/cluster/server{X}/log
Or you should be able to view it in the netweaver admin if you expand the trees on where you created it.
Kind Regards,
J
Hi Johan,
I am yet to enable them in my backend system in your sample scenario it is System A.
But in the mean time as Hemanth suggested since I turned on the log this is what i got in the log. Although it is a few hours ago , 2hrs ago to be exact, even before I activated the trace as Hemanth suggested as I can tell from the time stamp of the file and this is what I found
#1.5 #00145E5A55FA006F0000011A000019580004EC233A23F341#1385535949360#/Applications/SLD#sap.com/com.sap.lcr#com.sap.sld.api.builder.app.DefineHostedSystem#J2EE_ADMIN#311##n/a##53f5e048573211e38af40000032e2b8a#SAPEngine_Application_Thread[impl:3]_7##0#0#Info#1#com.sap.sld.api.builder.app.DefineHostedSystem#Plain###Communication exception in SLD ping (HTTP 401 = UNAUTHORIZED): http://vq8c2:50500/sld/cimom/, namespace sld/active.#
in this case vq8c2 is where my portal is (System B).
Hi Jack,
I see your value is active to -1.
Click on documentation you will see this:
Value 0 = Inactive
1 = Short dump active
2 = Short dump activae and trace output in developer trace
files (dev_w*)
-1 = No short dump, but an ABAP message and trace output in
developer trace files (dev_w*)
So yours is active to -1 no short dump, but an ABAP message and trace output in developer trace file so you will have to go and investigate the dev_w* and dev_rfc* files.
Probably good idea is to check timestamp of when user is locked on your solman system client, and to search for entries matching that timestamp in dev_w* files. You should usually see in your sm21 log and when user locked.
If you want more information you can use option 2 this will for the period active create many short dumps as there are many RFC calls to a solman system, but the short dump created is usually very helpful as well in says which call system had error code that locked user.
See what you can find in the lower trace level remember you can set it in RZ11 and remember to set active on all server "same on all servers"
The short dumps should be CALL_FUNCTION_SIGNON_REJECTED.
This also explains a bit.
So now starts your searching process.
Kind Regards,
Johan
This message was moderated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Surya,
Tks for the info,
So a few things I checked my Solution Manager and this is what I got.
host name is my Solution Manager host.
also I was not sure what I am looking for here
J2EE: SLD DATA SUPPLIER (VisualAdmin, Service SLD Data Supplier)
The sld password here is the one that I have set it quite sometime ago and it is working fine, expect that some system somwhere in the landscape is still using the old password and locking the system
J2EE: JCo RFC Provider (VisualAdmin, Service Jco RFC Provider)
what I have to set or do here?
DIAGNOSTIC AGENT (Script smdsetup with argument)
I found the script so what are the arguments should I give?
ok done! But as you can see that my portnumber is 50000 but this is my details for SLD Data Provider where the port number i s50500, is that going to affect anything?
So now how do I check if the SLDDUSER is still getting locked due to some other system trying to log in?
Tks for the information folks!
This message was moderated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
This message was moderated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
We have a central SLD on our ECC Dev system.
Our landscape has ECC 6.0, NetWeaver 7.
The SLDDSUSER keeps on getting locked frequently on portal dev system.
The user keep getting locked in the portal and not able to make connection to the ECC to display the data, but once unlocked then it is ok again, and also this happens at the most 24hrs once
What can I do to pinpoint where is this problem occuring?
Regards,
Bharath
Hi,
Kindly follow SAP Notes 1650035 - SLDDSUSER locked due to incorrect logon to SLD
1828470 - SLDDSUSER and SLDAPIUser account lock
Regards,
Gaurav
User | Count |
---|---|
85 | |
10 | |
10 | |
9 | |
6 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.