Security Related Services

Logging on to the J2EE Engine

6.20: When you log on using the Visual Administrator tool, a user name and password are required.

2004s: A logon through the Visual Administrator tool is performed using specific connection entries. For more information, see Logging on to the J2EE Engine and Creating a New Connection Entry in the Administration Manual.

 

Manual Configurations for Application Requirements

6.20: Configuration using the Visual Administrator tool in the runtime controls of the Security, SSL and Keystore services.

2004s: Configuration using the Visual Administrator in the runtime controls of the Security Provider, SSL Provider and Key Storage services. See An Overview of the Security-Related Services in the Administration Manual.

6.20: Configuration using Shell or Telnet access.

2004s: Configuration using Telnet access.

6.20: Configuration of HTTPS ports with X.509 certificates signed by a CA.

2004s: Use the import function of the Key Storage Provider service in the Visual Administrator for both private keys and public certificates. For more information, see Managing Entries in the Administration Manual. Manually configure the SSL ports the same way as in 6.20. See Managing the Credentials and Trusted Certificates to Use SSL in the Administration Manual.

Solution:

See the corresponding documentation about the services configuration and shell commands in 2004s. See J2EE Engine Security.

 

Changes in the Administration Tabs

6.20: Resources tab is under the Security service.

2004s: Resources tab is under Policy Configurations → Resources.

6.20: Viewing users and groups under the User Management tab.

2004s: Viewing users and groups is under User Management → Tree tab.

6.20: Crypt Providers tab.

2004s: The tab is renamed to Cryptography Providers.

6.20: JAAS tab.

2004s: The tab is renamed to Authentication and moved under Policy Configurations.

6.20: Connector tab.

2004s: The tab is removed. For more information about how to use run-as-identity, see Applying Security Restrains to a Security Role in the Administration Manual.

6.20: SAP Integration tab.

2004s: The tab is removed. For more information, see SAP Web Application Server with ABAP and Java.

 

Usage of “System” Account

6.20: References to the “System” account.

2004s: Use run-as-identity for Web and EJB applications. Use an account with administrative privileges.

6.20: Use of operations requiring certain permissions from applications that do not declare authentication, assuming the “System” account.

2004s: Use run-as-identity. Use an account with administrative privileges.

Solution:

Replace the use of the “System” account with run-as-identity (see the J2EE Specification) in your J2EE applications.

Any references to strings or primitive data identifiers of this account should be replaced with references to J2EE security roles.

For more information about how to use run-as-identity, see Applying Security Restrains to a Security Role in the Administration Manual.

Change reason:

The improved service framework in 2004s (with separate thread pools for system and application use) rendered the account obsolete.

Possible Pitfalls:

Not using the run-as identity parameter may cause a security exception with the message “Caller not authorized!”.
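The following is an added example, not code from the SAP documentation, showing what replacing a “System” string check with a J2EE security role looks like in application code, together with the ejb-jar.xml fragment that declares the role and the run-as identity. The class, bean and role names (ConfigAuthorization, ConfigBean, Administrator) are assumptions for illustration.

```java
import java.security.Principal;
import javax.ejb.EJBContext;

// Hypothetical bean helper: the EJBContext is handed in by the container
// (in EJB 2.x through setSessionContext); role name "Administrator" is assumed.
public class ConfigAuthorization {
    private final EJBContext ctx;

    public ConfigAuthorization(EJBContext ctx) { this.ctx = ctx; }

    // 6.20 style: compares the caller name with the "System" account.
    // In 2004s that account no longer exists, so this check can never succeed.
    public boolean mayReconfigureOld() {
        Principal caller = ctx.getCallerPrincipal();
        return caller != null && "System".equals(caller.getName());
    }

    // 2004s style: the check names a J2EE security role; which users or
    // run-as identities fill that role is decided at deployment, not in code.
    public boolean mayReconfigureNew() {
        return ctx.isCallerInRole("Administrator");
    }

    /* Assumed ejb-jar.xml fragment for the bean that uses this class.
       <security-role-ref> lets isCallerInRole("Administrator") resolve, and
       <run-as> makes the bean's own outgoing calls carry that role instead
       of the removed "System" account:

       <session>
         <ejb-name>ConfigBean</ejb-name>
         <security-role-ref>
           <role-name>Administrator</role-name>
           <role-link>Administrator</role-link>
         </security-role-ref>
         <security-identity>
           <run-as><role-name>Administrator</role-name></run-as>
         </security-identity>
       </session>
       <assembly-descriptor>
         <security-role><role-name>Administrator</role-name></security-role>
       </assembly-descriptor> */
}
```

Which users or groups are mapped to the Administrator role is then set in the Security Provider service at deployment, so the code needs no knowledge of account names.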

 

User Management

6.20: Users in the internal user management.

2004s: Maintain in the Security Provider service. Transfer all server users that are not within the “root/guests/external” user group, either manually or using a custom tool.

6.20: Users in the external user management (in user group “root/guests/external”).

2004s: Maintain in the Security Provider service. Create or use a provided user store.

Solution:

The data for internal users (users/user groups) must be transferred manually.

Connection to external user management systems should be made with a user store configuration. For more information about user stores, see Managing User Stores Using the Visual Administrator in the Administration Manual.

Change reason:

A pluggable user-store framework was introduced to facilitate the use of different types of user management systems with the J2EE Engine.

 

Use of JAAS Login Contexts Managed by the J2EE Engine

6.20: The entries in the InQMy.config file can be managed directly by editing the file or by using the Visual Administrator tool.

2004s: The login context is the authentication part of security policy configurations and is stored in the database. The login context can be created programmatically.

6.20: Invoking the javax.security.auth.login.LoginContext constructor using the “InQMyLoginSystem” string.

2004s: Use the “SAP-J2EE-Engine” string or a security policy configuration defined for the application instead of the old string.

6.20: Invoking the javax.security.auth.login.LoginContext constructor using proprietary names.

2004s: Make sure a security policy configuration is registered in the Security Provider service.

Solution:

Convert your application to use security policy configurations. For more information, see Security Provider Service in the Administration Manual.

Change reason:

The introduction of security policy configurations facilitates the configuration of the security aspects of applications and services. For more information, see Managing Protection Domains in the Administration Manual.
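The following is an added example, not code from the SAP documentation, showing the JAAS login sequence after migration: the LoginContext is created with the name of a security policy configuration instead of the old “InQMyLoginSystem” string. “SAP-J2EE-Engine” is the name quoted in the text; the class name EngineLogin and the way credentials are obtained are assumptions.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class EngineLogin {

    /** Supplies user name and password to the login modules of the policy configuration. */
    static class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(user);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "only name/password callbacks are handled");
                }
            }
        }
    }

    /**
     * 6.20 code did: new LoginContext("InQMyLoginSystem", handler).
     * In 2004s the first argument names a security policy configuration that is
     * registered in the Security Provider service: the engine-wide "SAP-J2EE-Engine"
     * or one defined for the application. An unregistered name fails in login().
     */
    public static Subject login(String policyConfiguration, String user, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext(policyConfiguration, new UserPasswordHandler(user, password));
        lc.login();               // runs the login modules of the named configuration
        return lc.getSubject();   // authenticated subject; call lc.logout() when done
    }
}
```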

 

Keystore Entries

6.20: Using entries in the Keystore service.

2004s: Maintain in the Key Storage service. Make sure that the entries are in the DEFAULT keystore view, or that they use the correct keystore view.

6.20: Storing entries in the Keystore service.

2004s: Maintain in the Key Storage service. Make sure that you do not damage the DEFAULT key storage view by deleting entries or storing inadequate entries. It is recommended that you use a separate keystore view for your application. See Managing Key Storage Views in the Administration Manual.

 

See also:

·        J2EE Engine Security in the Administration Manual

·        Integrating Security Functions in the Development Manual
