
CCDB SPML Java Extractor - Getting User and Group Information

How to set up SPML based extractors for CCDB

As of SAP Solution Manager 7.1 SP14 and 7.2 SP03 it is possible to retrieve user and role configuration via the SPML interface of a Java Application Server into the CCDB of the SAP Solution Manager. However, because on the J2EE side there is no standard role available that could be assigned to the collection user of the Solution Manager, and because the SPML service may have been disabled by the customer, this data is not collected automatically.

This document describes how to set up SPML based extractors for CCDB.

UME role with SPML read action

All SMD agent users (naming pattern: SM_COLL_<SID of Solman>) that log on to JEE systems connected to a SAP Solution Manager need an SPML read authorization as described in SAP note 1647157 - How to Set up Access to the SPML Service on AS Java. The manual steps for creating such a role are:

  1. Select search criteria "Role" in the upper part of the UI.
  2. Choose "Create Role".
  3. Enter the name of the new role in the "Unique Name" field on the tab "General Information".
  4. Navigate to the tab "Assigned Actions".
  5. Enter the search criteria "*spml*" in the "Get" field in the area "Available Actions" and choose the "Go" button.
  6. Add the UME action with the name "Spml_Read_Action" to the role.
  7. Save the new role by choosing the "Save" button.

CCDB template for config store based on SPML interface

You may add the following CCDB template definitions to the existing J2EE Engine Servercore 7.10 definitions (add them directly after the </Host> tag of the downloaded XML file).

<StoreGroup source="WS" name="SPML">
  <Parameter value="SPML" name="Type"/>
  <StoresDefinition>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:Administrators" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:SAP_J2EE_ADMIN" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE046" name="sapGroupAllAssignedUsers:Guests" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE046" name="sapGroupAllAssignedUsers:SAP_J2EE_GUEST" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:Guest" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:J2EE_GUEST" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapRoleAllAssignedUsers:LcrAdministrator" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapRoleAllAssignedUsers:LcrInstanceWriterAll" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapGroupAllAssignedUsers:SAP_SLD_ADMINISTRATOR" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapGroupAllAssignedUsers:SAP_SLD_ORGANIZER" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP115" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/system_admin/com.sap.portal.system_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP116" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/content_admin/com.sap.portal.content_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP117" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.user_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP153" name="sapRoleAllAssignedUsers:pcd:portal_content/administrator/super_admin/super_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE149" name="sapRoleAssignedActions:Everyone" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE149" name="sapRoleAssignedActions:Administrator" alias="SPML"/>
  </StoresDefinition>
</StoreGroup>

You may delete individual config store definitions if you do not want to collect that information and you do not plan to run Security Optimization Service (SOS) sessions for those systems.

First, download the existing J2EE ENGINE SERVERCORE 7.10 definitions:

  1. Go to Solution Manager Administration work center,
  2. Select the Infrastructure scenario on the left,
  3. Click on the Content button and select the Root Cause analysis option.

On the tab "Stores" (the same tab that offers the "browse" and "custom upload" buttons used later for uploading the XMLs):
a) In the tab "Tree View" it is possible to enter a filter; enter: J2EE ENGINE SERVERCORE 7.10 (and press return).
b) Select the line that is now displayed below the filter, showing: J2EE ENGINE SERVERCORE 7.10
c) In the tray "Export", export the XML using the link "Export component.xml" (do not export the complete XML!).
d) Load the XML file in an XML editor of your choice.

Edit the XML file and save it:

1. In the file, search for the tag </Host> and enter your definitions directly behind it and in front of the next <StoreGroup> tag (tag names are case-sensitive).
2. Save the file.
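The same insertion can be scripted, which also guards against adding the SPML group twice when the template has to be re-edited after a Support Package upgrade. This is an added example, not SAP code: the root element name, the Host attributes and the existing StoreGroup in the skeleton are assumptions; only the placement after </Host> and before the next <StoreGroup> comes from the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed skeleton of an exported component.xml (assumed root element and attributes).
COMPONENT_XML = """<Component name="J2EE ENGINE SERVERCORE 7.10">
  <Host name="EXAMPLE_HOST"/>
  <StoreGroup source="FS" name="EXISTING_GROUP">
    <Parameter value="FS" name="Type"/>
  </StoreGroup>
</Component>"""

# Shortened copy of the SPML template from this page (two of its ConfigStore lines).
SPML_STORE_GROUP = """<StoreGroup source="WS" name="SPML">
  <Parameter value="SPML" name="Type"/>
  <StoresDefinition>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:Administrators" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:Guest" alias="SPML"/>
  </StoresDefinition>
</StoreGroup>"""


def insert_spml_store_group(component_xml: str, store_group_xml: str) -> str:
    """Return component_xml with the SPML StoreGroup placed directly after the Host
    element. Idempotent: if a StoreGroup with the same name already exists
    (e.g. when the steps are repeated after an upgrade) the input is returned as is."""
    root = ET.fromstring(component_xml)
    new_group = ET.fromstring(store_group_xml)
    if any(sg.get("name") == new_group.get("name") for sg in root.iter("StoreGroup")):
        return component_xml
    children = list(root)
    host_index = next((i for i, child in enumerate(children) if child.tag == "Host"), None)
    if host_index is None:
        raise ValueError("no <Host> element found under the root element")
    root.insert(host_index + 1, new_group)
    return ET.tostring(root, encoding="unicode")


def top_level_elements(component_xml: str) -> list:
    """(tag, name) pairs directly under the root, used to verify the placement."""
    return [(child.tag, child.get("name")) for child in ET.fromstring(component_xml)]


def spml_store_names(component_xml: str) -> list:
    """Names of the ConfigStores inside the StoreGroup named SPML."""
    root = ET.fromstring(component_xml)
    return [cs.get("name") for sg in root.iter("StoreGroup") if sg.get("name") == "SPML"
            for cs in sg.iter("ConfigStore")]
```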

Upload the XML file to your Solution Manager system as follows:

  1. Go to the Solution Manager Administration work center,
  2. Select the Infrastructure scenario on the left,
  3. Click on the Content button and select the Root Cause Analysis option.
  4. On the tab "Stores", use the "browse" and "custom upload" buttons to upload the XMLs:
    a) In Upload: click on the button "Choose File" and select the XML file you have just saved.
    b) Click on the button "Custom Upload" to import it.
  5. Before the new stores are displayed in Change Reporting or CCDB admin, two steps have to take place:
    a) The nightly store check job identifies the new store definitions and schedules a new extractor per technical system of type Java.
    b) The next extractor run after that collects the config stores.
    c) To test your definitions earlier, you can first run a "Store Check" in CCDB admin / Technical Systems / Expert functions for a technical system of type Java (this adds the new extractor) and then trigger the extraction manually using the "Execute Extractors" button in CCDB admin / Technical Systems.

Using the SAP Solution Manager 7.2 Launchpad, navigate to the group SAP Solution Manager Administration:

  1. Make sure you see the tile: Templates – Root Cause Analysis.
    Note: You can add tiles by using the Launchpad function "Personalize Home Page" (available underneath your user profile in the top right-hand corner).
  2. Open the tile: Templates – Root Cause Analysis.

Remarks:

In case of a Support Package upgrade that contains an updated version of the J2EE ENGINE SERVERCORE 7.10 definition, the steps above need to be repeated.
Other J2EE ENGINE SERVERCORE definitions for higher versions are just references to 7.10 and do not need to be updated.


SPML Config Stores

Based on the config store definitions in the CCDB template above, you get the following SPML-based config stores:

sapGroupAllAssignedUsers:Administrators

Example content:

ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D)
USER.PRIVATE_DATASOURCE.un:Administrator | Administrator | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false
USER.PRIVATE_DATASOURCE.un:j2ee_admin | j2ee_admin | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false

sapGroupAllAssignedUsers:Guests

Example content:

ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D)
USER.PRIVATE_DATASOURCE.un:Guest | Guest | Guest, | PRIVATE_DATASOURCE | 25001231000000 | true | false | true

sapGroupAllAssignedUsers:SAP_J2EE_ADMIN

Example content 

sapGroupAllAssignedUsers:SAP_J2EE_GUEST

Example content 

sapGroupAllAssignedUsers:SAP_SLD_ADMINISTRATOR

Example content:

ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D)
USER.PRIVATE_DATASOURCE.un:BBBBB | BBBBB | BBBBB, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false

sapGroupAllAssignedUsers:SAP_SLD_ORGANIZER

Example content:

ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D)
USER.PRIVATE_DATASOURCE.un:BBBBB | BBBBB | BBBBB, XXXX | PRIVATE_DATASOURCE | 25001230230000 | false | false | false

sapRoleAllAssignedUsers:LcrAdministrator

Example content 

sapRoleAllAssignedUsers:LcrInstanceWriterAll

Example content 

sapRoleAllAssignedUsers:pcd:portal_content/administrator/super_admin/super_admin_role

Example content:

ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D)
USER.PRIVATE_DATASOURCE.un:Administrator | Administrator | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false

sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/content_admin/com.sap.portal.content_admin_role

Example content 

sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/system_admin/com.sap.portal.system_admin_role

Example content 

sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.user_admin_role

Example content 

sapRoleAssignedActions:Administrator

Example content:

ID(K) | ACTION(D)
ACTN.AUTH_DS.un:L$JPL_1 | ACTN.AUTH_DS.un:L$JPL_1
ACTN.AUTH_DS.un:L$JPL_10 | ACTN.AUTH_DS.un:L$JPL_10
ACTN.AUTH_DS.un:L$JPL_100 | ACTN.AUTH_DS.un:L$JPL_100
ACTN.AUTH_DS.un:L$JPL_100000 | ACTN.AUTH_DS.un:L$JPL_100000
ACTN.AUTH_DS.un:L$JPL_100001 | ACTN.AUTH_DS.un:L$JPL_100001
ACTN.AUTH_DS.un:L$JPL_100002 | ACTN.AUTH_DS.un:L$JPL_100002

sapRoleAssignedActions:Everyone

Example content 

sapUserProperties:Guest

Example content:

PARAMETER(K) | VALUE(D)
datasource | PRIVATE_DATASOURCE
displayName | Guest,
id | USER.PRIVATE_DATASOURCE.un:Guest
isLocked | true
isPasswordChangeRequired | true
isSystemUser | false

sapUserProperties:J2EE_GUEST

Example content 

Target Systems to validate config stores based on SPML interface

Validate that user Guest is locked

Example target system definition: Guest account isLocked = true is validated as compliant; if the Guest account has isLocked = false, it is validated as non-compliant.

Validate the users of group Administrators

Example target system definition:

One generic rule validates all users as non-compliant (shown in detail).

Two additional specific rules act as exceptions and validate the users Administrator and DEVSUPPORT as compliant.
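The two target system definitions above, applied to rows in the shape of the SPML config stores, as an added example (not SAP code or the CCDB target system engine itself). The rows are constructed to match the example content shown earlier; the case-insensitive comparison of logon IDs is an assumption.

```python
# Constructed rows modelled on the example content above; not real extraction output.
# sapUserProperties:Guest is a PROPERTY store: one (PARAMETER, VALUE) pair per row.
GUEST_PROPERTY_ROWS = [
    ("datasource", "PRIVATE_DATASOURCE"),
    ("displayName", "Guest,"),
    ("id", "USER.PRIVATE_DATASOURCE.un:Guest"),
    ("isLocked", "true"),
    ("isPasswordChangeRequired", "true"),
    ("isSystemUser", "false"),
]

# sapGroupAllAssignedUsers:Administrators is a TABLE store: one dict per row, keyed by column.
ADMIN_GROUP_ROWS = [
    {"ID": "USER.PRIVATE_DATASOURCE.un:Administrator", "USER_LOGON": "Administrator", "IS_LOCKED": "false"},
    {"ID": "USER.PRIVATE_DATASOURCE.un:j2ee_admin", "USER_LOGON": "j2ee_admin", "IS_LOCKED": "false"},
    {"ID": "USER.PRIVATE_DATASOURCE.un:DEVSUPPORT", "USER_LOGON": "DEVSUPPORT", "IS_LOCKED": "false"},
]


def property_store_to_dict(rows):
    """Turn the PARAMETER/VALUE rows of a PROPERTY config store into a dict."""
    return {parameter: value for parameter, value in rows}


def guest_locked_compliant(property_rows):
    """JE148 target system: compliant only if isLocked is literally 'true'.
    A missing parameter counts as non-compliant, so an empty or failed
    extraction never yields a false 'compliant' verdict."""
    props = property_store_to_dict(property_rows)
    return props.get("isLocked", "").strip().lower() == "true"


def administrators_compliance(group_rows, exceptions=("Administrator", "DEVSUPPORT")):
    """JE045 target system: the generic rule marks every member of the
    Administrators group non-compliant; the specific rules for the named
    exceptions override it and mark those logons compliant.
    Logon IDs are compared case-insensitively (assumption)."""
    allowed = {logon.lower() for logon in exceptions}
    return {row["USER_LOGON"]: row["USER_LOGON"].lower() in allowed for row in group_rows}


def non_compliant_administrators(group_rows, exceptions=("Administrator", "DEVSUPPORT")):
    """Sorted logons the target system would report as non-compliant."""
    verdicts = administrators_compliance(group_rows, exceptions)
    return sorted(logon for logon, ok in verdicts.items() if not ok)
```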

Usage in the Security Optimization Service

The data in the above stores is used in the following checks of the Security Optimization Service:

  • Users of Standard User Group "Administrators" (JE045)
  • Users of Standard User Group "Guests" (JE046)
  • Guest User "GUEST" should be Locked (JE148)
  • Critical UME Actions of Role "Everyone" (JE149)
  • Users Authorized to Administer the SLD (JE085)
  • Portal Super Administrators Found (EP153)
  • Additional Portal Administrators Found (EP115)
  • Additional Portal User Administrators Found (EP117)
  • Additional Portal Content Administrators Found (EP116)


This page is part of the Application Operations Wiki. Note that Application Operations itself is a use case of SAP Solution Manager.