Changing Service UserLocate this document in the navigation structure

Use

For reasons of security, we recommend that you change either the password of a certain service user or even the service user itself.

Example

If an attacker makes a denial-of-service attack, which locks a certain service user and thus disables certain internal communication, this user must be changed so that the attacker no longer knows the user.

As explained under Service User for Internal Communication , the service user are declared in the exchange profile and must exist in the user administration of the Integration Server (dual-stack standard PI installation) or the User Management Engine (Advanced Adapter Engine Extended) with the appropriate role. In addition, logon data of the following user may have to be maintained at the following locations, too:

  • PILDUSER

    • Connection settings for accessing the exchange profile for each host where PI is installed (Integration Server, non-central Advanced Adapter Engines). These connection settings are maintained with the user interface of the exchange profile, which can be accessed at http://<host:port>/webdynpro/dispatcher/sap.com/com.sap.xi.exprofui/XIProfileApp .

  • PIISUSER

    • SLD configuration with transaction SLDAPICUST.

    • SM59 destination INTEGRATION_DIRECTORY_HMI on the Integration Server.

    • SM59 destination of the logical port of the Web service proxy class CO_WSSEWEPROCESSOR_VI_DOCUMEN as described in Security Configuration at Message Level .

    • SM59 destinations for IDoc metadata (see transaction IDX1).

      In this case, the user is maintained in an IDoc business system, and it is not necessary to use PIISUSER here.

  • PIRWBUSER

    • Java destination PMISTORE on Java servers with Advanced Adapter Engines.

    • SM59 destinations PMI* on the central monitoring server.

    • SM59 destinations maintained for GRMG scenarios (beginning with XI_* in transaction GRMG) on the central monitoring sever.

  • PIAPPLUSER or any other messaging user identifying a sender system

    • Destination AI_INTEGRATION_SERVER in the sender system

Therefore, whenever you have to change the password of a service user, you must change it in the corresponding com.sap.aii.<component>.serviceuser.pwd entry in the exchange profile and also in the ABAP user administration (transaction SU01).

If you want to change the user itself, you must change both entries com.sap.aii.<component_A>.serviceuser.name and com.sap.aii.<component_A>.serviceuser.pwd in the exchange profile, and use transaction SU01 to copy the old service user to the new one with the corresponding password.

Finally, you must change the user name and password at the additional locations mentioned above. More information about changing the password: SAP Note 721548 Information published on SAP site.