SAP BASIS Introductory Training Program
DAY 5 – Java User Management and Internet Communication

CONFIDENTIAL
Day 5 : Agenda
• 09:00 AM-10:15 AM – UME Concepts
• 10:15 AM-10:30 AM – Break
• 10:30 AM-01:00 PM – User Management in Java
• 01:00 PM-02:00 PM – Lunch Break
• 02:00 PM-03:15 PM – Internet Communication: ICM, ITS & ICF
• 03:15 PM-03:30 PM – Break
• 03:30 PM-05:30 PM – SAP Web Dispatcher
• 05:30 PM-06:00 PM – Q&A and Break Out Session

18 October 2010
User Management in Java & UME
User Management Engine (UME)
• The user management engine (UME) provides centralized user management for all Java
applications and can be configured to work with user management data from multiple data
sources. It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java
as its default user store and is administrated with the administration tools of the AS
Java.
• The UME runs as a service in the AS Java and is set up as the default user store.
• The UME is structured in the following functional areas:
– UME core layer
– UME API layer
– UME services
– UME UI
Architecture
Figure: layers of the UME, from top to bottom:
– Applications accessing user management: EP, BI Java, PI, etc.
– UME UI: Logon, User administration
– UME Services: Authentication / SSO, Authorization, User Profile / Provisioning
– UME API layer: User API, User Account API, Group API, Role API, ACL API
– UME core layer: Persistence Manager
– Persistence layer: Database of the AS Java, LDAP Directory, SAP NetWeaver AS ABAP
Features
• User Administration – Identity management enables administrators to perform routine
administration tasks such as creating or searching for users and groups, and assigning users and
groups to roles. You can also configure the UME for e-mail notification, whereby e-mails are
sent automatically to users or administrators on specific events; for example, if an administrator locks a
user account, the user receives an e-mail informing him or her of the change.
• Security Settings – You can define a password policy including settings such as minimum and
maximum length of passwords, number of failed logons before a user is locked, and so on.
• Self-Service Scenarios – The UME provides self-service scenarios that allow users to register
themselves as new users or to change their own data (address, password, and so on). It is also
possible to set up an approval workflow, whereby administrators approve newly registered users.
• Security Logging – The UME logs important security events, such as successful and failed user
logons, and creation or modification of users, groups, and roles.
• Import & Export of User Data – The UME enables you to import and export user data from and
to external systems.
• Virtual Groups – The UME enables you to define virtual groups based on the content of a user
attribute.
• Companies – Enable you to support delegated user administration.
Tools for Configuration
• UME Administration Console:
– You can use the UME Administration Console running in the Web browser to modify
selected settings without needing to know the technical parameter names
(path: URL /useradmin → Configuration).
• Configuration Tool (Offline Configuration Editor mode):
– Only in Offline Configuration Editor mode can you access all of the UME
settings (path: cluster_data → server → cfg → services →
Propertysheet com.sap.security.core.ume.service).
• Configuration Tool (simple mode):
– In the Configuration Tool's simple mode you will see an area in which you can make
settings specifically for the LDAP server data source (path: cluster_data → UME LDAP
data).
• UME Configuration iView:
– If the usage type EP Core has been installed in your SAP NetWeaver system, you
can use the portal interface to access an iView for UME configuration. This offers
similar setting options to the UME Administration Console (path: System
Administration → System Configuration → UME Configuration).
Parameters
Figure: areas covered by the UME parameters: Security Policy; E-mail notification; Data Sources
(ABAP, LDAP, DB); Logging on and off; Administration; SAP logon ticket; Groups; further areas.
Parameters
• UME Data Sources
• Editing UME Properties
• Configuring the Security Policy for User IDs and Passwords
• Configuring E-Mail Notification
• Configuring Self-Registration
• Configuring Self-Management
• Enabling Users to Reset Their Own Password
• Logon Screen Customization
• Configuring Delegated User Administration Using Companies
• Configuring Virtual Groups
• Adding Custom Attributes to the User Profile
• Allowing Users to View the Contact Information of Other Users
• Additional Customizing Options
Additional Information
• For the most recent changes in the UME, see SAP Note 720590 User Management
Engine (UME) on WAS 6.30 and higher.
• For more information about configuring the UME, see UME Configuration. Here you can
find information on configuring the data sources that UME uses to read and write user
management data, and other configuration options.
• For more information about administration with UME, see UME User Administration. The
UME provides an administration console for performing administrative tasks such as
searching for and creating users, groups, and roles.
• For more information about troubleshooting and monitoring options for the UME, see
Troubleshooting. This section also includes information about configuring the emergency
user.
• For reference material on the UME, see UME Reference. This includes information on the
UME properties and configuration files.

User Management in Java
• Users – Groups – Roles
– In the UME environment, the term principal designates the following central objects:

Principals in the UME environment

Principal       Meaning
User            General properties of a user (such as name, e-mail, telephone number, etc.)
User account    Logon-related properties of a user (such as password, validity, lock indicator, etc.)
Group           Set of users and/or groups
Role            Set of (Java) authorizations
Assigning Principals
Users are usually assigned to groups, to which roles are then assigned. However,
it is also possible to assign roles to users directly. The principal group supports
hierarchies of groups: a group may possess superordinate and subordinate
groups. Users actually possess the roles which
•are directly assigned to them
•are assigned to the groups to which they belong
•are assigned to the superordinate groups (at any level) of the groups to which they belong
Figure: a user is a member of a group; the group has a superordinate group and a subordinate
group; the role is assigned to the group.
Managing Users, Groups and Roles
• To manage users, groups, or roles, you must be assigned a role that includes the relevant
actions or combination of actions. For example, to assign roles to users, your role
assignments must include UME actions that allow you to change both kinds of principal, roles
and users, such as UME.Manage_Roles and UME.Manage_Users. The figure
summarizes the UME actions available by default in the SAP NetWeaver Application
Server (AS).
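The role resolution described under Assigning Principals and the action check described in the bullet above, as an added worked example that is not part of the original training material. The directory data (users, groups, group hierarchy, role assignments) is constructed; UME.Manage_Users and UME.Manage_Roles are the UME actions named on the slides, while every other user, group, role and action name is made up for the example. It collects a user's effective roles from direct assignments, group memberships and superordinate groups, and checks that an administrator who wants to assign roles to users holds both actions.

```python
"""Model of UME principal resolution: users, groups (with a hierarchy),
roles and the actions a role carries.  Added example with constructed data,
not an export from a real UME."""
from collections import deque

# Direct group memberships of users (constructed).
USER_GROUPS = {
    "jdoe":       {"PI_DEVELOPERS"},
    "asmith":     {"IT_ALL"},
    "svc_batch":  set(),
    "uadmin":     {"USER_ADMINS"},
    "superadmin": {"USER_ADMINS", "ROLE_ADMINS"},
}
# Group hierarchy: subordinate group -> its superordinate (parent) groups.
PARENT_GROUPS = {
    "PI_DEVELOPERS": {"IT_ALL"},
    "IT_ALL":        {"EMPLOYEES"},
    "EMPLOYEES":     set(),
    "USER_ADMINS":   {"EMPLOYEES"},
    "ROLE_ADMINS":   {"EMPLOYEES"},
}
# Role assignments to principals; a principal is either a user or a group.
ROLE_ASSIGNMENTS = {
    "EMPLOYEES":     {"Everyone"},
    "IT_ALL":        {"Monitoring"},
    "PI_DEVELOPERS": {"PI_Developer"},
    "USER_ADMINS":   {"User_Admin"},
    "ROLE_ADMINS":   {"Role_Admin"},
    "svc_batch":     {"Batch_Role"},      # role assigned directly to a user
}
# Actions carried by each role.  UME.Manage_Users / UME.Manage_Roles are the
# standard UME actions the slide names; the App.* action names are constructed.
ROLE_ACTIONS = {
    "Everyone":     {"App.Read_Own_Data"},
    "Monitoring":   {"App.View_Monitor"},
    "PI_Developer": {"App.Edit_Integration"},
    "User_Admin":   {"UME.Manage_Users"},
    "Role_Admin":   {"UME.Manage_Roles"},
    "Batch_Role":   {"App.Run_Batch"},
}


def all_groups(user):
    """Every group the user belongs to, directly or through superordinate
    groups at any level.  Breadth-first with a visited set, so a
    mis-configured cyclic nesting cannot loop forever."""
    seen = set()
    todo = deque(USER_GROUPS.get(user, ()))
    while todo:
        group = todo.popleft()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(PARENT_GROUPS.get(group, ()))
    return seen


def effective_roles(user):
    """Roles the user actually possesses: the ones assigned directly plus the
    ones assigned to any group returned by all_groups()."""
    roles = set(ROLE_ASSIGNMENTS.get(user, ()))
    for group in all_groups(user):
        roles |= ROLE_ASSIGNMENTS.get(group, set())
    return roles


def effective_actions(user):
    """Union of the actions of all effective roles."""
    actions = set()
    for role in effective_roles(user):
        actions |= ROLE_ACTIONS.get(role, set())
    return actions


def can_assign_roles_to_users(admin):
    """Assigning a role to a user changes two kinds of principal, so the
    administrator needs both UME.Manage_Users and UME.Manage_Roles."""
    return {"UME.Manage_Users", "UME.Manage_Roles"} <= effective_actions(admin)


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sorted(effective_roles(user)),
              "may assign roles:", can_assign_roles_to_users(user))
```

Note that uadmin, who only holds UME.Manage_Users through USER_ADMINS, cannot assign roles, while superadmin, who is in both admin groups, can; the same resolution applies unchanged when the groups are ABAP roles mirrored by the ABAP data source.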

Special Features of the ABAP System Data Source
• If you use a client of an ABAP system (and consequently the configuration file
dataSourceConfiguration_abap.xml) as the data source, the UME behaves as follows:
– The ABAP users are visible in the AS Java and can log on to the AS Java with their ABAP
passwords.
– The ABAP roles are represented in the AS Java as UME groups of the same name.
– In the AS Java, the assignment of ABAP users to ABAP (composite) roles appears as
the assignment of UME users to UME groups.
• The reason for this group administration concept is the shared authorization administration
for applications that have both ABAP and Java components. Applications such as PI, for
example, consist of both ABAP and Java components. The ABAP authorizations are
mapped with PFCG roles; the J2EE authorizations are realized using UME roles. A user
must be assigned a PFCG role in the ABAP system and a UME role on the Java side in order
to have both ABAP and Java authorizations.
• The connection between the UME in an AS Java and user management in an AS ABAP is
established via the Java Connector (JCo). A communication user that exists in ABAP is
stored as a UME parameter (this user usually has SAPJSF in its name). This communication
user's ABAP authorizations determine whether ABAP user master records can be modified
through the UME at all: with the read-only role SAP_BC_JSF_COMMUNICATION_RO the UME can
only read users and role assignments, with SAP_BC_JSF_COMMUNICATION it can also create and
change them. Grant the write-capable role only where the UME is meant to maintain ABAP
users, and protect the SAPJSF password like any other privileged credential.
Special Features of the ABAP System Data Source
Figure: AS Java with a "remote ABAP client" as data source. User U in the AS ABAP appears as
User U in the AS Java, Role G in the AS ABAP appears as Group G in the AS Java, and the UME
role R is assigned on the Java side. With a "local ABAP client" as data source (AS ABAP + Java
in one system) the mapping is the same.
Administration Tools
• The most important tool for a user administrator in an AS Java system is the UME
Administration Console. It works independently of the configured data source and is
implemented as an application running in a Web browser (based on Web Dynpro Java).
The Administration Console can be reached:
– via the URL http(s)://<hostname>.<domain>:<http(s) port>/useradmin
– via the SAP NetWeaver Administrator (URL .../nwa) via the path System
Management → Administration → Identity Management
– via the portal URL http(s)://<hostname>.<domain>:<http(s) port>/irj via the path
System Administration → System Configuration → UME Configuration
UME User Types

User Type              Logon to AS Java   Password rules    Mapped ABAP user types (with ABAP system as data source)
Standard               Possible           Applies           Dialog
Technical user         Possible           Does not apply    System
Internal service user  Not possible       Applies           –
Unknown                Possible           Applies           Communication, Service and Reference
Structure of J2EE Security Roles
Figure: Purchase Order application. The developer creates the Java objects Create Order,
Display Order and Approval and, for each of them, a J2EE security role (Order_01, Order_02,
Order_03). In the Visual Administrator the administrator assigns a user or a group to each of
these security roles.
Structure of J2EE Security Roles
• The previous figure shows the Order application as an example. For this application, a
developer creates objects such as Create order, Approve order, and so on. If you are
using J2EE security roles, a security role must be created for each object. The role is
defined in the deployment descriptor (XML file) of the specific application. Once the application
is deployed on the J2EE server, the administrator must add user names or user
groups to each of these security roles for the users that are to use this application. The
administrator must assign each single authorization/J2EE security role individually to a
user or a group.
Comparison of Authorization Concepts
Figure: the three authorization concepts side by side.
– ABAP: users → composite roles → ABAP roles → authorizations.
– Java / UME: users → UME groups (and/or users directly) → UME roles → actions, which
reference J2EE security roles and their authorizations.
– J2EE standard: users and groups are assigned directly to security roles, which carry the
authorizations.
UME Datasources
• The data repositories or persistence layers from which the user management engine
(UME) retrieves user management data are referred to as data sources. With the UME,
you can leverage existing user data repositories in your system infrastructure by
connecting to them using configurable persistence adapters. You can read data from
and write data to multiple data sources in parallel.
• A persistence manager is responsible for reading the data from or writing the data to the
correct data source. The data source to which the persistence manager writes is
transparent to applications using UME.
• The configuration of the UME for the different data source types is defined by the data
source configuration file. The data source configuration file is an XML file that defines a
configuration for standard scenarios, such as storing standard user data in a corporate
LDAP directory (directory service) and application-specific data in the AS Java database.
For more information about the data source configuration files available, see the
sections about the individual data source types.
• The UME can use the following types of data sources:
1. Database of the AS JAVA
2. Directory Service
3. User Management of the AS ABAP

Database Only as Data Source
• All user, user account, role, and group data is stored in the database of the SAP
NetWeaver Application Server (AS) Java.
• Configuration file: dataSourceConfiguration_database_only.xml

LDAP Directory as Data Source
• The user management engine (UME) can use an LDAP directory as its data source for user
management data. You can connect the LDAP directory as a read-only data source or as a
writeable data source.
1. User management data is stored in a combination of an LDAP server and a database
You have a mixed system landscape including both SAP and non-SAP systems, or you
have an existing corporate LDAP directory in your system landscape. You want to store
standard user data such as name, address, e-mail, and so on in the directory while you want
to store application-specific data in the database.
• Configuration file if the LDAP directory has a flat hierarchy:
dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml
• Configuration file if the LDAP directory has a deep hierarchy:
dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml
2. User management data is stored in a combination of a read-only LDAP server and a
database
You have an existing corporate LDAP directory in your system landscape and have
existing processes for administering user data on this directory. You are using the UME
with SAP NetWeaver Portal and want all users that register themselves in the portal to be
stored separately from the user data on the corporate directory.
• Configuration file if the LDAP directory has a flat hierarchy:
dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml
• Configuration file if the LDAP directory has a deep hierarchy:
dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml

User Management of Application Server ABAP as Data Source
• The user management engine (UME) can use an SAP NetWeaver Application Server
(AS) ABAP as its data source for user management data. This enables you to take
advantage of the following:
– Users of the ABAP system are visible as users in the UME and can log on with their
passwords from the ABAP system.
– Roles of the ABAP system appear as groups in the UME.
– The AS Java represents the hierarchy between composite roles and single roles as nested
group structures. Groups that you create in the AS Java itself are stored in the AS Java
database.
– User and role assignments in the ABAP system appear as user and group assignments
in the UME. You can use the ABAP roles for authorization management in the UME by
adding the groups representing the ABAP roles to the UME roles.
• Configuration file: dataSourceConfiguration_abap.xml
Internet Communications – SAP ITS
• SAP delivered the first version of the SAP Internet Transaction Server (SAP ITS) with SAP
R/3 3.1G in 1996. It is a software component that acts as a gateway between a Web
server and an SAP system. SAP ITS translates between Internet protocols and formats
(such as HTTP, HTTPS, and HTML) and those of the SAP system (such as DIAG, RFC,
and screens).
Figure: user access via SAP GUI, or via Web browser and mobile devices through SAP ITS;
user interface: screen; programming language: ABAP; communication interface: RFC, with
3rd-party products connected through connectors and gateways; all on the ABAP application
server.
SAP ICM
• As of SAP Web AS 6.10, the application server processes HTTP requests (and other protocols)
directly from the Internet and sends HTTP client requests to the Internet itself, on top of the
existing highly scalable infrastructure. For this, the SAP kernel was extended with the
Internet Communication Manager (ICM) process.
• The ICM process forwards requests to the Internet Communication Framework (ICF),
which supports numerous programming models. This is how the SAP CRM, SAP BW, and
SAP XI software components use this infrastructure. One programming model for such
applications is Business Server Pages (BSPs).
Figure: SAP Web AS with the Internet Communication Manager in front of the ABAP stack.
User access: SAP GUI, Web browser or mobile devices; user interface: screen, BSP;
programming language: ABAP; communication interfaces: RFC, SMTP, HTTP(S), SOAP/XML.
SAP ICM Components
• Thread Control: This thread accepts the incoming TCP/IP requests and creates (or
wakes) a worker thread from the thread pool to process the request.
• Worker Thread: This thread handles requests and responses for a connection. A
worker thread contains an I/O handler for the network input and output, and various plug-
ins for the different supported protocols.
• Watchdog: A worker thread usually waits for a response (whether from client or server); if
a timeout occurs, the watchdog takes over the task of waiting for the response. The
worker thread can then be used for other requests.
• Signal Handler: Processes signals that are sent from the operating system or another
process (such as the ABAP dispatcher).
• Connection Info: Table with information for each existing network connection.
• Memory Pipes: These memory-based communication objects allow data transfer
between the ICM and the ABAP work processes.
SAP AS Java
Figure: the SAP Web AS picture extended with the Java stack: JSP is added as a user
interface and Java as a programming language; the ICM serves both the Java and the ABAP
side (RFC between them).

Web Dynpro – Java
Figure: the picture extended with Web Dynpro for Java as a user interface on the J2EE side,
alongside BSP and JSP.

Web Dynpro – ABAP
Figure: the picture extended with Web Dynpro for ABAP as a user interface on the ABAP side,
alongside Web Dynpro for Java, BSP and JSP.
Internet Communication Framework – ICF
• The Internet Communication Framework (ICF) provides an environment for handling Web
requests in the ABAP work process of an SAP system. The ICF provides a way for different
systems to communicate with each other over the Internet using standard protocols (such as
HTTP and SMTP). No additional programming libraries (for AS ABAP) are required from SAP.
• The ICF allows a response to a request to be generated by an application. An HTTP request is
sent from a client (such as a Web browser) to the server. It is then forwarded to an application by
the ICF. There, data is collected and sent back to the client as a response by the ICF. The
response data is then displayed in the browser.
• ICF services can be active or inactive, which is indicated by different colors in transaction SICF.
An active service is reachable by every client that can reach the ICM port, so from a hardening
standpoint only the services an application actually needs should be active.

Status of ICF Services

Status     Color in SICF   Meaning
Active     Black           Service can be called
Inactive   Gray            Service explicitly deactivated
Inactive   Blue            Service implicitly deactivated (a superordinate node is inactive)
ICM – Interaction Model
Figure: a Web browser sends an HTTP request to the ICM; the ICM hands it over memory pipes
to the dispatcher, which schedules a dialog work process; in the work process the task
handler calls the ICF controller and ICF manager, which invoke the HTTP extension and the
ABAP application program (AS ABAP ≥ 6.10).
SAP Web Dispatcher
• The SAP Web Dispatcher, delivered as of SAP Web AS 6.20, acts like a software Web
switch. It is a stand-alone program that you can run on a separate host without any
additional software. In this way, the SAP Web Dispatcher implements a central entry point
for HTTP(S) requests to an SAP system, including load distribution across multiple
instances.
Figure: the SAP Web Dispatcher sits in the DMZ (demilitarized zone) between the Web browser
and the SAP NetWeaver AS instances in the intranet (central instance and dialog instances,
each with ABAP dispatcher, ICM and Java dispatcher). It is the single point of entry: one IP
address, port and URL. Load balancing and configuration use the information from the
message server.
SAP Web Dispatcher – Function
• The SAP Web Dispatcher ultimately forwards an HTTP(S) request to a specific
application server. This section outlines the criteria by which this is done. An HTTP
request (or unpacked HTTPS request) is assigned to a server in two stages:
1. First, the SAP Web Dispatcher determines whether the incoming HTTP request is to
be forwarded to an ABAP or a Java server. It then finds a group of servers in the SAP
system that can execute the request.
2. Load balancing is then carried out within this group. After the SAP Web Dispatcher
has identified a server, it forwards the request to the ICM of the relevant application
server.
• An SAP Web Dispatcher can distribute requests for only one SAP system. If multiple SAP
systems are required, you have to set up and start a separate SAP Web Dispatcher
process for each of the respective systems (these can run together on one
computer).
From the HTTP(S) Request to the Application Server
Figure (decision flow):
1. Is the prefix in the URL table? Yes → ABAP load balancing; No → Java load balancing.
2. Is the request stateful? Yes → the application server is already found (the server that
owns the session); No → continue.
3. Is the prefix assigned to a specific logon group? Yes → select this logon group;
No → select the internal group !DIAG (ABAP) or !J2EE (Java).
4. Load balancing between the servers of this group → server found.
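The two-stage server selection of the preceding slides, modelled in Python as an added example (not SAP code and not part of the original slides). The URL prefix table, the prefix-to-logon-group mapping and the server list are constructed stand-ins for the information the real Web Dispatcher obtains from the message server; the capacity weights and the round-robin inside a group are a simplification of the dispatcher's load balancing, and the session affinity is modelled by a session id the caller passes in.

```python
"""Model of the SAP Web Dispatcher's request-to-server assignment:
stage 1 picks the stack (ABAP or Java) and the logon group, stage 2
balances load inside that group.  Added example with constructed data."""
from urllib.parse import urlsplit

# Constructed URL prefix table: the longest matching prefix decides the stack.
URL_PREFIXES = {
    "/sap/bc/webdynpro/": "ABAP",
    "/sap/bc/bsp/":       "ABAP",
    "/sap/public/":       "ABAP",
    "/irj/":              "Java",
    "/useradmin/":        "Java",
    "/nwa/":              "Java",
}
# Prefix-specific logon groups (constructed).  Everything else lands in the
# internal groups !DIAG (ABAP) and !J2EE (Java) named on the slide.
PREFIX_LOGON_GROUPS = {"/sap/bc/webdynpro/": "WD_GROUP"}

# Constructed server list: name -> (stack, logon groups, capacity weight).
SERVERS = {
    "ci_abap":  ("ABAP", {"!DIAG", "WD_GROUP"}, 2),
    "di1_abap": ("ABAP", {"!DIAG"}, 1),
    "ci_java":  ("Java", {"!J2EE"}, 1),
    "di1_java": ("Java", {"!J2EE"}, 1),
}


class Dispatcher:
    def __init__(self, servers=SERVERS):
        self.servers = servers
        self.down = set()        # servers currently reported unavailable
        self.sessions = {}       # session id -> server (stateful affinity)
        self._counter = {}       # logon group -> round-robin position

    def stack_for(self, path):
        """Stage 1a: ABAP or Java, by longest matching URL prefix."""
        matches = [p for p in URL_PREFIXES if path.startswith(p)]
        if not matches:
            return None
        return URL_PREFIXES[max(matches, key=len)]

    def logon_group_for(self, path, stack):
        """Stage 1b: prefix-specific logon group, else the internal group."""
        for prefix, group in PREFIX_LOGON_GROUPS.items():
            if path.startswith(prefix):
                return group
        return "!DIAG" if stack == "ABAP" else "!J2EE"

    def _members(self, group):
        """Capacity-weighted candidates: weight 2 means the server appears twice."""
        out = []
        for name, (_stack, groups, weight) in self.servers.items():
            if group in groups and name not in self.down:
                out.extend([name] * weight)
        return out

    def select(self, url, session_id=None):
        path = urlsplit(url).path
        # Stateful request: stay on the server that owns the session.
        if session_id is not None and session_id in self.sessions:
            owner = self.sessions[session_id]
            if owner not in self.down:
                return owner
            del self.sessions[session_id]   # owner is gone, the session is lost
        stack = self.stack_for(path)
        if stack is None:
            raise LookupError("no URL prefix matches " + path)
        group = self.logon_group_for(path, stack)
        members = self._members(group)
        if not members:
            raise RuntimeError("no server available in logon group " + group)
        # Stage 2: round-robin over the weighted member list.
        n = self._counter.get(group, 0)
        self._counter[group] = n + 1
        target = members[n % len(members)]
        if session_id is not None:
            self.sessions[session_id] = target
        return target


if __name__ == "__main__":
    d = Dispatcher()
    for u in ("http://wd:8080/sap/public/ping", "http://wd:8080/irj/portal",
              "http://wd:8080/sap/bc/webdynpro/sap/zapp"):
        print(u, "->", d.select(u))
```

The failure modes worth noticing are the two exceptions: a path outside the prefix table cannot be assigned at all, and a logon group whose servers are all down yields no target even though the dispatcher itself is up. A stateful session whose owning server disappears is not silently moved; the model drops the affinity and the client starts over on another server.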
SAP Web Dispatcher – Operation
• As of SAP Web AS 6.40, you can also start the SAP Web Dispatcher without a profile
file. With this bootstrap option (started with the command sapwebdisp -bootstrap), the
following steps are carried out:
1. If the profile file sapwebdisp.pfl does not exist already, it is created based on
interactive entries.
2. If the authorization file icmauth.txt does not exist, it is created and a user is entered
for Web administration (see below).
3. The SAP Web Dispatcher is started with the profile file created.
• As of SAP Web AS 6.40, a Web-based interface is available for SAP Web Dispatcher
administration and monitoring.
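A profile review in Python, added here as an example and not part of the original slides: it parses a sapwebdisp.pfl and reports the settings a security review looks at first. Both profile texts are constructed. The parameter names (icm/server_port_<n>, icm/HTTP/admin_<n>, wdisp/system_<n>, wdisp/ssl_encrypt) are standard Web Dispatcher profile parameters, but verify their defaults and exact semantics against the documentation for your kernel release; icmauth.txt is the authorization file named on the slide.

```python
"""Reviews a SAP Web Dispatcher profile for the findings a security check
raises first: a plaintext listener, an unprotected Web admin interface and
TLS that ends at the dispatcher.  Added example with constructed profiles."""

# Constructed profile, roughly what a quick bootstrap run leaves behind.
WEAK_PROFILE = """\
# sapwebdisp.pfl (constructed)
SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
wdisp/system_0 = SID=ABC, MSHOST=abchost.example.com, MSPORT=8101
icm/server_port_0 = PROT=HTTP, PORT=8080
icm/server_port_1 = PROT=HTTPS, PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=./admin
wdisp/ssl_encrypt = 0
"""

# Constructed profile with the three points corrected.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
wdisp/system_0 = SID=ABC, MSHOST=abchost.example.com, MSPORT=8101
icm/server_port_0 = PROT=HTTPS, PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=./admin, AUTHFILE=icmauth.txt
wdisp/ssl_encrypt = 2
"""


def parse_profile(text):
    """SAP profile syntax: 'name = value' lines, '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def subparams(value):
    """'PROT=HTTPS, PORT=44300' -> {'PROT': 'HTTPS', 'PORT': '44300'}"""
    out = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out


def indexed(params, prefix):
    """All values of a numbered parameter family such as icm/server_port_<n>."""
    return [v for k, v in params.items() if k.startswith(prefix)]


def check_profile(text):
    """Returns a list of findings; an empty list means nothing was flagged."""
    p = parse_profile(text)
    findings = []
    ports = [subparams(v) for v in indexed(p, "icm/server_port_")]
    prots = {sp.get("PROT", "").upper() for sp in ports}
    if not ports:
        findings.append("no icm/server_port_<n>: the dispatcher listens nowhere")
    for sp in ports:
        if sp.get("PROT", "").upper() == "HTTP":
            findings.append("plaintext HTTP listener on port %s" % sp.get("PORT", "?"))
    for sp in (subparams(v) for v in indexed(p, "icm/HTTP/admin_")):
        if "AUTHFILE" not in sp:
            findings.append("admin handler %s has no AUTHFILE: Web administration is unprotected"
                            % sp.get("PREFIX", "?"))
    if "HTTPS" in prots and p.get("wdisp/ssl_encrypt", "0") == "0":
        findings.append("wdisp/ssl_encrypt=0: TLS ends at the dispatcher, "
                        "traffic to the application servers is plaintext")
    systems = [subparams(v) for v in indexed(p, "wdisp/system_")]
    if not systems:
        findings.append("no wdisp/system_<n>: no backend system defined")
    for sp in systems:
        if "MSHOST" not in sp or not ({"MSPORT", "MSSPORT"} & set(sp)):
            findings.append("wdisp/system_<n> lacks the message server host or port")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_profile(text) or "no findings")
```

Whether wdisp/ssl_encrypt=0 is acceptable depends on where the application servers sit; the check only makes the plaintext hop visible so that it is a deliberate decision rather than a leftover from the bootstrap defaults.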
Summary
• User Management in Java
– UME Concepts
– Managing Users, Groups, and Roles
– Principals, Roles, Groups

• Internet Communication
– ITS, ICM and ICF
– Web Dispatcher

Q&A
Break out session