Configuring the UME when Using Non-ADS Data Sources
Use this topic to modify the data source configuration of the user management engine (UME) for using non-ADS data stores with Kerberos authentication.

Using Kerberos for Windows Integrated authentication with non-ADS data sources on the AS Java can lead to security vulnerabilities due to inconsistency of user data. The reason is that the source of authentication, the Windows DC acting as a KDC, can use a user store that is different from the user repository of the AS Java. For example, Joe in the KDC and Joe in an ABAP user repository for the AS Java may not be the same physical person, and there may not even be a Joe in the ABAP system. Therefore, we recommend that you regularly synchronize the user information in the two user stores, or use a single user data store.
For this scenario, the resolution mode used is simple.
To make the required settings, you use the Config Tool.
1. Start the Config Tool by double-clicking the configtool script file in the <SAP_install_dir>/<system_name>/<instance_name>/j2ee/configtool directory.
2. Open the template configuration and choose Services → com.sap.security.core.ume.service.
3. Select the property ume.admin.addattrs.
4. In the Custom Value field enter krb5principalname.
This attribute is used for resolving the user from his or her KPN.
5. To save the new value of the property, choose Set Custom value.
6. Restart the AS Java instance.
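The synchronization recommended above can be spot-checked by reconciling an export of KDC accounts against an export of UME users. The following is an added example, not SAP code: the export format, the field names kpn, mail and logon_id, and the use of the mail address as the identity check are assumptions, and the sample data is constructed.

```python
from collections import defaultdict


def reconcile(kdc_accounts, ume_users):
    """Compare KDC accounts with UME users via the krb5principalname attribute.

    kdc_accounts: dicts with 'kpn' and 'mail' (hypothetical export fields).
    ume_users: dicts with 'logon_id', 'krb5principalname' and 'mail'.
    Returns a sorted list of (finding, subject) tuples.
    """
    # Index UME users by principal name. Names are compared exactly, so a
    # spelling or case difference is reported instead of silently matched.
    by_kpn = defaultdict(list)
    for user in ume_users:
        kpn = (user.get("krb5principalname") or "").strip()
        if kpn:
            by_kpn[kpn].append(user)

    findings, seen = [], set()
    for acct in kdc_accounts:
        kpn = acct["kpn"].strip()
        seen.add(kpn)
        matches = by_kpn.get(kpn, [])
        if not matches:
            # The KDC can authenticate a user the AS Java repository lacks.
            findings.append(("NO_UME_USER", kpn))
        elif len(matches) > 1:
            # One principal mapped to several UME users.
            findings.append(("AMBIGUOUS_KPN", kpn))
        elif matches[0]["mail"].casefold() != acct["mail"].casefold():
            # Same principal name, but possibly a different person.
            findings.append(("IDENTITY_MISMATCH", kpn))

    # UME users that point at a principal the KDC no longer has.
    for kpn, users in by_kpn.items():
        if kpn not in seen:
            findings.extend(("STALE_UME_MAPPING", u["logon_id"]) for u in users)
    return sorted(findings)


# Constructed sample exports.
KDC = [{"kpn": "joe@EXAMPLE.COM", "mail": "joe.smith@example.com"},
       {"kpn": "ann@EXAMPLE.COM", "mail": "ann.lee@example.com"},
       {"kpn": "bob@EXAMPLE.COM", "mail": "bob.ray@example.com"}]
UME = [{"logon_id": "JOE", "krb5principalname": "joe@EXAMPLE.COM", "mail": "joe.jones@example.com"},
       {"logon_id": "ANN", "krb5principalname": "ann@EXAMPLE.COM", "mail": "Ann.Lee@example.com"},
       {"logon_id": "EVE", "krb5principalname": "eve@EXAMPLE.COM", "mail": "eve.fox@example.com"}]

if __name__ == "__main__":
    for finding, subject in reconcile(KDC, UME):
        print(finding, subject)
```

Each finding names an account to correct in one of the two stores before the next synchronization run.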
See also:
Customizing a UME Data Source Configuration