Simple System Integration (SSI) provides the possibility to integrate a custom user management system to retrieve passwords for technical users.
Passwords are obtained from a custom user management system for three kinds of users:
This custom user management feature is designed to support username/password-based authentication. Certificate-based authentication is not supported via this mechanism. For ABAP systems this for example means that only communication mode “RFC with Basic Authentication” is supported.
This document presumes that the reader / implementer is familiar with the concepts of SAP ABAP BAdI. The above links (from publicly available standard SAP documentation) provide relevant background information. This document only describes the relevant BAdI to be implemented.
Back users exist on the FRUN system and are used for inbound communication, e.g. FRN_DPC_[CID] and FRN_CSA_[CID], where CID is the customer ID. Back users relate to a CID and are relevant for all customer networks of a specific customer.
Passwords of back users are obtained from a custom user management system during the setup of a customer network. Since back users are shared between all networks of a customer, passwords are only retrieved during creation of the first customer network which is created for a customer.
Back user credentials are sent to Simple Diagnostics Agents during the installation and configuration of the agents. This happens after outside discovery data of a host was received by LMDB or as part of the simple system configuration procedure.
The Global Settings & Network Configuration UI is used to create customer networks. It can be accessed via FRUN launchpad (transaction FRUN).
With the Create button the back users are created and the respective passwords are obtained from the custom user management system.
The below diagram shows the interaction between the FRUN system, the custom user management system and Simple Diagnostics Agents with respect to back user handling.
Managed system users are used by Simple Diagnostics Agents to access the managed systems, e.g. for monitoring data collection.
The password of the user is obtained from a custom user management system during integration of a managed system into FRUN via Simple System Integration (SSI). During the execute of the SSI procedure the credentials are sent to the Simple Diagnostics Agents residing on the physical hosts of the managed system.
A Simple System Integration UI link is integrated into the FRUN launchpad (transaction FRUN).
The password of the managed system user is obtained when the Establish Prerequisites or Configure Automatically functionality is launched for a specific system.
The below diagram shows the interaction between the FRUN system, the custom user management system and Simple Diagnostics Agents with respect to managed system user handling.
In case a custom user management system is available for a specific managed system it is not possible to enter credentials for the system in the Edit Configuration dialog anymore:
OS credentials of managed hosts are needed for the communication from the FRUN system to Simple Diagnostics Agents and SAP Host Agents residing on the managed hosts.
Passwords of OS users are used in SM59 destinations on the FRUN system. They are obtained from a custom user management system when the destination is created. Destinations are created when a connection to a specific host is established for the first time. This usually happens during the automatically triggered installation and configuration of a Simple Diagnostics Agent after outside discovery data of a host was received by LMDB.
This diagram shows the interaction between the FRUN system, the custom user management system and SAP Host Agents with respect to OS user handling.
Use transaction SE18 or the ABAP workbench (transaction SE80) to navigate to the enhancement spot.
The BAdI interface provides the following methods:
Invoked to obtain the password for a back user during creation of a customer network.
Refer to chapter “Passwords for Back Users”.
Refer to chapter “Passwords for Managed System Users”.
Invoked to obtain the password for an OS user on a managed host.
Refer to chapter “Passwords for OS Users on Managed Hosts”.
Returns true or false indicating if a custom user management is available for the specified technical system.
If this method returns true it is not possible to enter credentials for the system in the Edit Configuration dialog anymore, see chapter “Manual Configuration of Managed System Credentials”.
|IS_PASSWORD_CHANGED_EXTERNALLY||Indicates if the custom user management system itself will change back user passwords in SU01 on the FRUN system, or if FRUN SSI must take care.|
Please refer to the ABAP doc of interface IF_SSI_PASSWORD_SERVICE for a more detailed description of the methods.
|SSI||Simple System Integration|
|LMDB||Landscape Management Database|
|SDA||Simple Diagnostics Agent|