SSI Custom User Management Integration

Simple System Integration (SSI) provides the possibility to integrate a custom user management system to retrieve passwords for technical users.

Passwords are obtained from a custom user management system for three kinds of users:

  1. Users in the SAP Focused Run system (the so called “back users”): they are used for inbound communication to the SAP Focused Run system, e.g. for connections established by Simple Diagnostics Agents (SDAs)
  2. Users in managed systems: they are used by Simple Diagnostics Agents to access a managed system, e.g. for collecting monitoring data
  3. OS Users on managed hosts: they are used for communication from the SAP Focused Run system to hosts

This custom user management feature is designed to support username/password-based authentication. Certificate-based authentication is not supported via this mechanism. For ABAP systems this for example means that only communication mode “RFC with Basic Authentication” is supported.

The custom user management integration makes use of SAP Enhancement Framework, especially the Business Add-In (BAdI).

This document presumes that the reader / implementer is familiar with the concepts of SAP ABAP BAdI. The above links (from publicly available standard SAP documentation) provide relevant background information. This document only describes the relevant BAdI to be implemented.

Passwords for Back Users

Back users exist on the SAP Focused Run system and are used for inbound communication, e.g. FRN_DPC_[CID] and FRN_CSA_[CID], where CID is the customer ID. Back users relate to a CID and are relevant for all customer networks of a specific customer.

Passwords of back users are obtained from a custom user management system during the setup of a customer network. Since back users are shared between all networks of a customer, passwords are only retrieved during creation of the first customer network which is created for a customer.

Back user credentials are sent to Simple Diagnostics Agents during the installation and configuration of the agents. This happens after outside discovery data of a host was received by LMDB or as part of the simple system configuration procedure.

The Global Settings & Network Configuration UI is used to create customer networks. It can be accessed via SAP Focused Run launchpad (transaction FRUN).

 

With the Create button the back users are created and the respective passwords are obtained from the custom user management system.

 

The below diagram shows the interaction between the SAP Focused Run system, the custom user management system and Simple Diagnostics Agents with respect to back user handling.


The below diagram, in addition shows the reset back user password interaction between the SAP Focused Run system and the custom user management system:

a)  SAP Focused Run performs a synchronous call to the custom user management system to request a back user password reset

b)  As part of a) the custom user management system resets the password in SU01 of the SAP Focused Run system

c)  SAP Focused Run reads the password from the custom user management system, and stores and distributes it accordingly

Passwords for Managed System Users

Managed system users are used by Simple Diagnostics Agents to access the managed systems, e.g. for collection of monitoring data. The password of the managed system user is obtained from a custom user management system during integration of a managed system into SAP Focused Run via Simple System Integration (SSI). During execution of the SSI procedure the credentials are sent to the Simple Diagnostics Agents residing on the physical hosts of the managed system.

A Simple System Integration UI link is integrated into the SAP Focused Run launchpad (transaction FRUN).

 

The password of the managed system user is obtained when the Establish Prerequisites or Configure Automatically functionality is launched for a specific system.

 

The below diagram shows the interaction between the SAP Focused Run system, the custom user management system and Simple Diagnostics Agents with respect to managed system user handling.


Manual Configuration of Managed System Credentials

In case a custom user management system is available for a specific managed system it is not possible to enter credentials for the system in the Edit Configuration dialog anymore:

Passwords for OS Users on Managed Hosts

OS credentials of managed hosts are needed for the communication from the SAP Focused Run system to Simple Diagnostics Agents and SAP Host Agents residing on the managed hosts.

Passwords of OS users are used in SM59 destinations on the SAP Focused Run system. They are obtained from a custom user management system when the destination is created.  Destinations are created when a connection to a specific host is established for the first time.  This usually happens during the automatically triggered installation and configuration of a Simple Diagnostics Agent after outside discovery data of a host was received by LMDB.

Creation of destinations is also triggered if the needed destination does not exist (no longer exists), on any other action which accesses the agent, especially by actions in Agent Administration UI, e.g.

  • Open Agent Internals
  • Ping Agent
  • Restart Agent

This diagram shows the interaction between the SAP Focused Run system, the custom user management system and SAP Host Agents with respect to OS user handling.

Implementation

To integrate a custom user management system into SAP Focused Run the following BAdI needs to be implemented:

  • Enhancement Spot: ES_SSI_PASSWORD_SERVICE
  • BAdI Definition: BADI_SSI_PASSWORD_SERVICE
  • Interface: IF_SSI_PASSWORD_SERVICE

Use transaction SE18 or the ABAP workbench (transaction SE80) to navigate to the enhancement spot.

The BAdI interface provides the following methods:

Method NameDescription
REQUEST_SOLMAN_USER_PASSWORD

Invoked to obtain the password for a back user during creation of a customer network.

Refer to chapter “Passwords for Back Users”.

REQUEST_TECH_SYS_USER_PASSWORD


Invoked to obtain the password for a managed system user during SSI configuration procedure.

Refer to chapter “Passwords for Managed System Users”.

REQUEST_OS_PASSWORD

Invoked to obtain the password for an OS user on a managed host.

Refer to chapter “Passwords for OS Users on Managed Hosts”.

IS_PASSWD_GENERATE_EXTERNALLY

Returns true or false indicating if a custom user management is available for the specified technical system.

If this method returns true it is not possible to enter credentials for the system in the Edit Configuration dialog anymore, see chapter “Manual Configuration of Managed System Credentials”.

IS_PASSWORD_CHANGED_EXTERNALLYIndicates if the custom user management system itself will change back user passwords in SU01 on the SAP Focused Run system, or if Simple System Integration must take care.

Please refer to the ABAP doc of interface IF_SSI_PASSWORD_SERVICE for a more detailed description of the methods.

Glossary

Acronym Description
SSI Simple System Integration
LMDB Landscape Management Database
OS Operating System
SDA Simple Diagnostics Agent