
Password provisioning from IDM to ECC

Former Member
0 Kudos

Hello Experts,

I am very new to the concept of Password Hook. We have a requirement which we are trying to figure out.

Password Hook configuration needs to take place, and it should be able to capture change in password from Domain controller and relay it to IDM and then ECC.

The problem we are facing is: once we capture the changed password in IDM, how do we relay it to ECC?

I have seen a default ABAP connector present in IDM. I hope this could be used to relay the password to ECC, but I am unable to work out what changes would be required.

Basic doubts:

  • Where is the password written in ECC? Is it taken care of by the framework?
  • What parameters need to be configured in order to connect to ECC from IDM?

Looking forward to your expert advice.

Accepted Solutions (1)


Former Member
0 Kudos

Thanks Tero and Jai.

I was away the past week so couldn't respond back.

The configurations have been done in IDM and it works.

However, I face a new issue.

The Password Hook component deployed on the domain controller is not able to make the connection to the IDM database.

I have deployed the connection details in the form of a jar file.

Does the domain controller need any extra configuration?

Unfortunately, we don't have a test domain controller to perform all these activities.

It would be directly done in production. We have tried once and failed.

Are there any log files that we could read except those present in the Password Hook configuration?

Thanks,

Shanky

jaisuryan
Active Contributor
0 Kudos

Hi Shanky,

Please elaborate on the error you are facing, e.g. screenshots or error messages. Along with the error message, please post a screenshot of your HookConfig.exe file.

Also, confirm whether you have installed the SAP IDM RUNTIME component on your domain controller. Thanks.

Note: Password Hook and SAP IDM RUNTIME are to be installed on all the domain controllers in your production system.

Kind regards,

Jaisuryan

Former Member
0 Kudos

Hi Jai,

Thanks for the response.

There seem to be no logs formed in the Domain Controller. We had tried for a single user and it seems that either it was not captured or not relayed.

I attach below the Password Hook Configuration.

In the above file the batch file contains a Jar file that is formed by a Java class having connection details for the IDM environment. For its execution purpose, we have installed JRE on the Domain Controllers.

We have configured Java Runtime instead of the Windows Runtime suggested in the SAP Guide. Does this have any effect on the behaviour of the Domain Controller and SAP IDM?

Also, we just have the Password Hook component installed on the Domain Controllers and not SAP IDM RUNTIME. Is the path for SAP IDM RUNTIME the same as Password Hook, i.e. C:\usr\sap\IdM\Identity Center? Are there any other changes that may be required?

Thanks,

Shanky

jaisuryan
Active Contributor
0 Kudos

Hi Shanky,

There can be many reasons why it's not being relayed. Have you read the document and followed the prerequisites correctly? If not, here's the link

Seems like you are missing quite a bit of config.

To summarize,

1) Maintain proper environment variables (Java home and JDBC driver paths)

2) Install SAP IDM RUNTIME on the domain controllers along with Password Hook - this is shipped with the installation package for SAP IDM. It is responsible for calling the execution of the job that writes the password into the IDM database.

3) You had already mentioned that you created a batch file to call the Java runtime, just that you missed point 2.

4) Your arguments for notification are empty, i.e. the job to be executed and the attributes to be passed. A simple toIdentityStore pass to write the password.

The document has all the required information.

Kind regards,

Jaisuryan

Answers (3)


Former Member
0 Kudos

Thank you Tero and Matt. Your replies were really helpful.

I have one more doubt.

What explicit privilege needs to be given to the user in ECC for it to write the password in ECC?

Looking forward to your response.

Thanks,

Shanky Agarwal

former_member2987
Active Contributor
0 Kudos

Hi Shanky,

I'm not aware of any privilege being necessary (barring the system ONLY privilege of course!). I don't believe it is needed at all. To be safe, check with your SAP Security / BASIS teams to see if there are any prerequisites.

Regards,

Matt

Former Member
0 Kudos

Hi Matt,

Thanks for your response. I would re-phrase my question a bit. I wanted to know if the communication user between IDM and ECC requires some additional privilege in ECC for password provisioning purposes. Looking forward to your response.

Thanks

terovirta
Active Contributor
0 Kudos

There is an authorisation role shipped within the IdM installation media that enables the communication between ABAP and IdM. It has the authority needed to make all the actions IdM does out of the box towards ABAP (provisioning, deprovisioning, modify, password change etc.) happen.

Upload the role to the system and assign it to the technical user and you're done. In the example below the SAP-supplied role SAP_BC_SEC_IDM_COMMUNICATION has been copied with a "Z_" prefix. Setting up the user is very basic stuff for an authorizations guy, even if you wouldn't do it yourself.

regards, Tero

former_member2987
Active Contributor
0 Kudos

Hi Shanky,

Just as a clarification the password hook and password change mechanisms are related, but different.

The Password Hook directly relates to the ability to intercept password changes that occur in a Windows Domain. This would include, from AD Users and Computers, the password change interface on a workstation, or anything that touches your domain to change a password. Microsoft allows this as an extension (or replacement) of the password filter DLL that is a part of Windows. This is the only way to do that, and all AD-based password change mechanisms use the functionality provided by Microsoft.

When the password change is intercepted, as Tero says, you can choose to have this passed on to connected systems via the SAP IDM Provisioning Framework, which supports distributing password changes from the SAP IDM backend or Web UIs.

Hope this helps give some understanding.  Please let us know if you have further questions.

Regards,

Matt

terovirta
Active Contributor
0 Kudos

Hello,

The password change is automatic from IdM to all target systems if you have enabled the tasks in the repository and the password (mx_encrypted_password) can trigger the Modify workflow.

The standard connector works fine for password change from IdM to ABAP.

Will you be having UI functionality also to reset AD passwords in IdM?

One thing to be noted is that you most likely don't want IdM to send the newly reset AD password back to AD.

If you don't have UI tasks etc. that reset the AD password in IdM, then you can just disable the password change from IdM to AD.

If you need to reset the AD password also in IdM, then you probably want to have a small customization in place that detects where the password was changed and skips the AD password change but lets the ABAP password change proceed.

regards, Tero