Introduction:
Understanding how security is built around the portal is essential. In particular, you need to know how the data sources are configured and how the UME works for each portal in your system landscape.
This lets a portal security consultant reason from the portal architecture when a new system is added to the landscape and has to be connected to the portal.
From there you can design the security for the new SAP system, or go a step further and plan a Federated Portal Network.
It is tricky, but it is interesting. We must not forget: it is the portal!
Step by step configuration of UME:
Purpose:
The user management engine (UME) provides a centralized user management for all Java applications and can be configured to work with user management data from multiple data sources.
It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java.
UME can be configured for
(a) LDAP
(b) AS ABAP
(c) the database of the AS Java.
UME runs as a service in the AS Java and is its default user store.
The following procedure applies if you want to use the AS ABAP as the data source.
Prerequisite:
1. Restart required: the AS Java must be restarted after the configuration.
2. AS ABAP version: the AS ABAP must be SAP NetWeaver Application Server 6.20 SPS 38 or higher.
3. RFC destination: you must have configured a Remote Function Call (RFC) destination for the AS ABAP named UMEBackendConnection, using the system user for UME-ABAP communication.
BEST Practice:
(a) Use the user SAPJSF as the RFC user. It must be of type System (a technical user that cannot log on in dialog) and should be granted the role SAP_BC_JSF_COMMUNICATION_RO, which gives read-only access to the ABAP user management; use the read/write role SAP_BC_JSF_COMMUNICATION only if UME has to write to the AS ABAP. Generate the role's profile and assign it to the user.
(b) Before you configure UME to use the AS ABAP as the data source, make sure the AS ABAP user management does not include any users with the same logon ID as users in the AS Java database.
If this condition is not met, the AS Java cannot start. The related UME property is ume.login.guest_user.uniqueids, which defines the logon ID(s) of the guest user; that account, too, must resolve unambiguously in the new data source.
(c) Also confirm that no user group in the AS Java database has the same name as an ABAP role: with the AS ABAP as data source, ABAP roles are exposed to UME as groups of the same name.
A clash here likewise causes problems during the restart.
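A pre-flight check for best practices (b) and (c), as an added example that is not part of the original post or of SAP's tooling. It takes exported name lists from both sides (the Java user and group names from the UME export, the ABAP logon IDs and role names from SU01/SUIM or the tables USR02 and AGR_DEFINE) and reports every logon ID that exists on both sides and every Java group whose name equals an ABAP role. The lists below are constructed, and the case-insensitive comparison is an assumption made for the check, since ABAP stores logon IDs and role names in upper case.

```python
"""Pre-flight check before switching UME to the AS ABAP data source (added example)."""
from dataclasses import dataclass, field

# Constructed sample exports (one name per line in practice). Java side: the
# UME user/group export; ABAP side: logon IDs (SU01/SUIM or table USR02) and
# role names (table AGR_DEFINE). These lists are made up for the example.
JAVA_USERS = ["Administrator", "Guest", "j2ee_admin", "svc_portal", "JSMITH"]
JAVA_GROUPS = ["Administrators", "Everyone", "Authenticated Users",
               "Z_PORTAL_CONTENT_ADMIN"]
ABAP_USERS = ["SAPJSF", "DDIC", "JSMITH", "SVC_PORTAL", "ADMINISTRATOR"]
ABAP_ROLES = ["SAP_BC_JSF_COMMUNICATION_RO", "SAP_J2EE_ADMIN",
              "Z_PORTAL_CONTENT_ADMIN"]


@dataclass
class Collisions:
    """Names that exist on both sides, as (java_name, abap_name) pairs."""
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.users and not self.groups


def _normalize(name: str) -> str:
    # ABAP stores logon IDs and role names in upper case, so the comparison is
    # case-insensitive; treating "svc_portal" and "SVC_PORTAL" as the same ID
    # is the conservative choice for a pre-flight check (assumption).
    return name.strip().upper()


def _collide(java_names, abap_names):
    by_key = {_normalize(n): n for n in abap_names}
    hits = [(j, by_key[_normalize(j)]) for j in java_names if _normalize(j) in by_key]
    return sorted(hits)


def preflight(java_users, java_groups, abap_users, abap_roles) -> Collisions:
    """Java logon IDs vs ABAP logon IDs, and Java group names vs ABAP role
    names (ABAP roles appear in UME as groups of the same name)."""
    return Collisions(users=_collide(java_users, abap_users),
                      groups=_collide(java_groups, abap_roles))


def report(c: Collisions) -> str:
    if c.ok:
        return "OK: no logon ID or group/role name collisions found."
    lines = ["BLOCKER: resolve these before switching the data source"]
    lines += ["  user  %s (Java) == %s (ABAP)" % pair for pair in c.users]
    lines += ["  group %s (Java) == role %s (ABAP)" % pair for pair in c.groups]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(preflight(JAVA_USERS, JAVA_GROUPS, ABAP_USERS, ABAP_ROLES)))
```

Run it against the real exports before step 4 of the procedure (the restart); every pair it prints must be renamed or deleted on one side first, otherwise the AS Java will not come up with the new data source.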
Procedure.
1. Go to System Administration => System Configuration => UME Configuration.
2. Choose Modify Configuration and select ABAP System as the data source.
3. If the UME RFC destination does not exist yet, click UME RFC Destination. In the window that appears, click Create and follow the wizard. On the next screen enter the destination details of the AS ABAP and the technical user ID and password of the RFC user (SAPJSF).
4. Save the settings and restart the AS Java.
Result:
UME now uses AS ABAP as the data source.
Configuring UME to use LDAP as data source.
Purpose
The user management engine (UME) can use a directory service as its data source for user management data. You can link the UME to the directory service as either a read-only or read-write data source.
Prerequisite
1. The directory service has a hierarchy of users and groups that is supported by UME. The hierarchies supported by UME are:
Groups as tree
Flat hierarchy
2. The administrator of the directory service must create a user that UME can use to connect to the directory service. This user should have read and search permissions for all branches of the directory service. If UME also needs to write to the directory service, the user must additionally have create and change authorizations. Use a dedicated technical account with exactly these rights rather than a directory administrator account.
Best Practice
1. Make sure that no user or group name created in the LDAP directory exceeds 240 characters.
2. UME properties and their use:
(a) ume.ldap.blocked_groups # prevents groups that already exist in UME, such as the built-in groups Everyone and Authenticated Users, from being created in UME from LDAP.
(b) ume.ldap.blocked_accounts and ume.ldap.blocked_users # prevent accounts and users that already exist in UME from being created in UME from LDAP.
Data Source Configuration:
Data source configuration files for certified LDAP directory vendors are delivered with the AS Java or are available from SAP Note 983808. To find the configuration file, use the Config Tool.
There are two options for the LDAP data source configuration. The _db suffix in all of these file names means that data UME cannot store in the directory is kept in the AS Java database alongside the LDAP data.
Option 1: Read-write directory service configuration file.
With this option UME can read from and write to the LDAP server.
- If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml
- If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml
Option 2: Read-only directory service configuration file.
With this option UME can only read from the LDAP server; users and groups are maintained in the directory.
- If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml
- If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml
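The following is an added example (not part of the original post and not SAP code) that applies the LDAP best practices above and the file-choice rule to an LDIF export of the directory: it flags names longer than 240 characters, group names that match the UME built-in groups covered by ume.ldap.blocked_groups, and decides between the flat and deep data source configuration file. The LDIF samples are constructed; the vendor token "ads" used in the usage block and the flat/deep rule (flat = all users directly under one container and all groups directly under one container) are this example's own assumptions.

```python
"""Inspect an LDIF export before pointing UME at a directory (added example)."""
from collections import defaultdict

MAX_NAME_LEN = 240
# UME built-in groups that ume.ldap.blocked_groups keeps from being imported;
# compare with the property value on your system (case-insensitive match assumed).
BLOCKED_GROUPS = {"everyone", "authenticated users", "anonymous users"}
USER_CLASSES = {"inetorgperson", "person", "organizationalperson", "user"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group", "posixgroup"}


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, folded lines joined,
    comments skipped, base64 ('::') values kept undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, attrs = [], None
    for line in lines + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        key, _, value = line.partition(":")
        attrs = attrs if attrs is not None else defaultdict(list)
        attrs[key.strip().lower()].append(value.lstrip(":").strip())
    return entries


def parent_dn(dn):
    """Container of a DN: everything after the first comma (escaped commas in
    RDNs are not handled; sufficient for the constructed data here)."""
    return dn.split(",", 1)[1].strip().lower() if "," in dn else ""


def inspect_ldif(text, vendor, writable):
    """Hierarchy type, the configuration file to start from, and the names that
    violate the best practices above."""
    users, groups, too_long, blocked = [], [], [], []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        names = e.get("cn", []) + e.get("uid", []) + e.get("samaccountname", [])
        too_long += [n for n in names if len(n) > MAX_NAME_LEN]
        if classes & GROUP_CLASSES:
            groups.append(dn)
            blocked += [n for n in e.get("cn", []) if n.lower() in BLOCKED_GROUPS]
        elif classes & USER_CLASSES:
            users.append(dn)
    # Flat: all users directly under one container and all groups directly under
    # one container; anything else is treated as deep (this example's rule).
    deep = len({parent_dn(d) for d in users}) > 1 or len({parent_dn(d) for d in groups}) > 1
    config = "dataSourceConfiguration_%s%s_%s_db.xml" % (
        vendor, "_deep" if deep else "", "not_readonly" if writable else "readonly")
    return {"deep": deep, "config_file": config,
            "too_long": too_long, "blocked_groups": blocked}


# Constructed sample exports (not real directories).
FLAT_LDIF = """\
dn: uid=jsmith,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Smith

dn: uid=blee,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Lee

dn: cn=Portal Admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Portal Admins

dn: cn=Everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Everyone
"""
LONG_NAME = "Z_" + "X" * 240                # 242 characters, over the limit
DEEP_LDIF = f"""\
dn: uid=jsmith,ou=sales,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Smith

dn: uid=blee,ou=hr,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Lee

dn: cn={LONG_NAME},ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: {LONG_NAME}
"""

if __name__ == "__main__":
    # "ads" is an assumed vendor token; take the real one from the Config Tool's file list.
    for label, text, rw in (("flat", FLAT_LDIF, False), ("deep", DEEP_LDIF, True)):
        print(label, inspect_ldif(text, "ads", writable=rw))
```

The deep sample shows both failure modes at once: users spread over two organizational units push you to the _deep_ file, and the over-long group name has to be shortened in the directory before UME can import it. A group named Everyone, as in the flat sample, is either renamed in the directory or listed in ume.ldap.blocked_groups so that it does not collide with the built-in UME group.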
Procedure.
1. Go to System Administration => System Configuration => UME Configuration and select LDAP Server as the data source.
2. Then configure the LDAP server connection: host and port, whether SSL is used, the bind user created for UME and its password, and the user and group paths in the directory. Test the connection before saving.
3. Save and close.
Result: UME is configured to use LDAP as the data source.
References:
1. Portal Administrator Guide.
2. LDAP Security information.
3. R/3 Authorization Concept.
4. Configuring UME to use a directory service in sync with AS ABAP:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/44/28f44fdf6653ece10000000a11466f/content.htm