
Java-administrator password keeps getting locked

Former Member
0 Kudos

Hi,

We have a portal 7.3 in which the Java-administrator password keeps getting locked. I can't see anything in the log traces in NWA. The only thing I've found is in the security_audit logfile, which doesn't really say much:

#2.0 #2014 07 17 05:47:03:913#+0200#Info#/System/Security/Audit/PrincipalModification#

#BC-JAS-SEC-UME#com.sap.security.core.sda#C000AC142D1F08D90000000000003284#52888950000000002#tc~bl~txmanager~plb#com.sap.security.core.util.SecurityAudit#Guest#0#JTA Transaction : 127261#040FAA9B0D6511E4C5A4000003270576#040faa9b0d6511e4c5a4000003270576#040faa9b0d6511e4c5a4000003270576#0#Thread[RMI/IIOP Worker [0],5,Dedicated_Application_Thread]#Plain##

User account modified    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: islocked=[true], SET_ATTRIBUTE: lockreason=[1]#

Please advise,

Thanks.

1 ACCEPTED SOLUTION

davefitzgibbon
Advisor

Hi,

There exists a trace location that should provide useful information for such cases. It is described in SAP note:

1493272 - A user gets locked automatically

My suggestion is to add the location com.sap.security.core.userlocking as specified in the attachment to the note and, once it is added, set that location to DEBUG and wait for the user to be locked again. Hopefully additional information concerning the origin of the bad credentials will be written to traces.

Exactly how you capture the traces depends on the frequency in which the user becomes locked. For example, if the user becomes locked every few minutes, after adding the location in the configtool and restarting the system, I suggest using the Security Troubleshooting Wizard to do so. Refer to note 1332726 - Troubleshooting Wizard and its attachments. Create a custom incident that is a copy of the Authentication incident and add this location com.sap.security.core.userlocking to the newly created incident. Set the wizard to use this new incident for trace collection and wait for the user to become locked. Then immediately stop the wizard's trace collection.

If the locking occurs less frequently than every few minutes, it is preferable to use the NWA to adjust the severity of these locations and their sublocations to DEBUG and wait for the issue to reoccur:

com.sap.security.core.userlocking
com.sap.engine.interfaces.security
com.sap.engine.services.httpserver.HttpTraceRequest.traceRaw
com.sap.engine.services.httpserver.HttpTraceResponse.traceHeaders
com.sap.engine.services.security.authentication
com.sap.security.core.logon
com.sap.security.core.ticket
com.sap.security.core.util
com.sap.security.core.server.jaas

See Log Configuration with SAP NetWeaver Administrator:

http://help.sap.com/saphelp_nw73/helpdata/en/47/af551efa711503e10000000a42189c/content.htm

Don't forget to change these back to default severity levels after the issue has been captured in the traces.

Regards,

David
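
An added example, not part of the original thread and not SAP tooling: a small Python parser for security_audit records shaped like the one quoted in the question. It lists each lock event and the time between locks, which is the figure that decides between the Troubleshooting Wizard and the NWA route described above. The sample log is constructed, and the record layout is assumed from that single quoted record.

```python
import re
from datetime import datetime

# Constructed sample modelled on the record quoted in the question; the IDs
# are shortened placeholders and the unlock record is invented for contrast.
_HDR = ("#BC-JAS-SEC-UME#com.sap.security.core.sda#ID#1#tc~bl~txmanager~plb#"
        "com.sap.security.core.util.SecurityAudit#Guest#0#JTA Transaction : 1#A#a#a#0#"
        "Thread[RMI/IIOP Worker [0],5,Dedicated_Application_Thread]#Plain##\n")
_MSG = ("User account modified    | USERACCOUNT.MODIFY    | "
        "UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: ")
_TOP = "#2.0 #2014 07 17 {}#+0200#Info#/System/Security/Audit/PrincipalModification#\n"
SAMPLE_LOG = (
    _TOP.format("05:17:03:913") + _HDR + _MSG + "islocked=[true], SET_ATTRIBUTE: lockreason=[1]#\n"
    + _TOP.format("05:30:00:000") + _HDR + _MSG + "islocked=[false]#\n"
    + _TOP.format("05:47:03:913") + _HDR + _MSG + "islocked=[true], SET_ATTRIBUTE: lockreason=[1]#\n"
)

RECORD_START = re.compile(r"(?m)^(?=#2\.0)")   # a record may span several lines
HEADER = re.compile(r"#2\.0\s*#(\d{4} \d\d \d\d \d\d:\d\d:\d\d:\d{3})#([+-]\d{4})#")
THREAD = re.compile(r"Thread\[(.+?),\d+,[^\]]*\]")
USER = re.compile(r"\bun:(\S+)")
ATTR = re.compile(r"SET_ATTRIBUTE: (\w+)=\[(.*?)\]")

def lock_events(text):
    """Return one dict per USERACCOUNT.MODIFY record that sets islocked=[true]."""
    events = []
    for rec in RECORD_START.split(text):
        head, user = HEADER.match(rec), USER.search(rec)
        if not head or not user or "USERACCOUNT.MODIFY" not in rec:
            continue
        attrs = dict(ATTR.findall(rec))
        if attrs.get("islocked") != "true":
            continue                      # unlocks and other attribute changes
        thread = THREAD.search(rec)
        events.append({
            "time": datetime.strptime(" ".join(head.groups()), "%Y %m %d %H:%M:%S:%f %z"),
            "user": user.group(1),
            "lockreason": attrs.get("lockreason"),
            "thread": thread.group(1) if thread else None,
        })
    return events

def lock_intervals(events, user):
    """Seconds between consecutive locks of one user, i.e. how often it recurs."""
    times = sorted(e["time"] for e in events if e["user"] == user)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]
```

The timestamps it returns are the points at which to read the DEBUG traces for com.sap.security.core.userlocking once that location is enabled.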

2 REPLIES 2

michael_ruth3
Contributor
0 Kudos

This message was moderated.
