Sunday 21 February 2016

Changing the TMSADM password


Purpose

The purpose of this page is to describe the steps to be done when the password restrictions are preventing STMS from functioning.

 

Overview

This page describes the notes to be applied and the execution of report TMS_UPDATE_PWD_OF_TMSADM.

 

Changing the TMSADM password

The password restrictions are preventing STMS from functioning. Some password restrictions that affect the TMS user TMSADM:
  
You can also run in SE38 reports RSPFPAR and RSPARAM to get information about the parameters.
Also check parameter login/password_downwards_compatibility and make sure it is set to '1' in all systems. If it is set to '5', this means "compatible to old release", which forbids lowercase characters.
Make sure the RFCs have not been manipulated in any of the systems, as detailed in article 1730407 - Internal error in TMS communication 5.
The trusted services are already activated:
  
You will find further information in Activating TMS Trusted Services.
The user TMSADM was already reset and the RFCs were generated in STMS:
  
But it still keeps asking for the password in STMS activities:
  
According to SAP note 1568362 - TMSADM password change, there are two ways of solving this problem. One is to execute some manual steps (as of release 7.3, table TMSCROUTE is not involved in the TMSADM change password configuration.) and the other one is if there is a large landscape, there are some notes to be applied and you should run a report. In this example, we will go with the second option:
1. Implement SAP note 1414256 (for releases <= 640 manual steps in SAP note 761637 must still be applied);
  
Also notes 1515926, 1691028 and 1679157:
  



Also review the following notes:
Apply the notes in the DC and in the other systems of the landscape.
2. Make sure the user TMSADM is not locked in any of the systems of the landscape:
3. Run report TMS_UPDATE_PWD_OF_TMSADM in client 000 of the DC (domain controller). Note that this report by itself does not support domain links. In this example we choose the second option:
  
TMS_UPDATE_PWD_OF_TMSADM has three different options:
  1. Own Password as in System Settings
     With this option the customer selects their own password for the TMSADM user. When choosing this option, the following fields are available:
       - Password
       - Confirm Password
     They are used by the customer to enter the password they want for the TMSADM user.
  2. New Standard Password (see SAP Note 761637)
     With this option the program automatically sets the "New Default Password" for TMSADM.
  3. Old Standard Password
     Finally, this option sets the "Old Default Password" for the TMSADM user.
The "Old Default Password" is the password that SAP defined for the TMSADM user a long time ago, and it has been used for years by our customers. That password only contains letters. But if a customer sets stringent password rules in a system (for example, the password must contain at least one digit or special characters), user TMSADM is affected by those restrictions. Therefore, SAP has created a "New Default Password" that complies with the general password restrictions that are set in a system. This new password contains uppercase and lowercase letters, digits and special characters.
The results of its execution:
  

4. Should domain links exist, use SAP note 1515926. The note should be applied to all systems of the connected domains. Once the note is applied, start the report described in note 1414256 on all of the domain controllers of the connected domains. That means executing TMS_UPDATE_PWD_OF_TMSADM in client 000 on all domain controllers.
When domain links are involved TMS_UPDATE_PWD_OF_TMSADM is more complex.
Let's illustrate with an example:
  • DOMAIN_A has 3 systems DEV1, QAS1, and PRD1.
  • DOMAIN_B has 3 systems DEV2, QAS2, and PRD2. 
In DEV1, QAS1 and PRD1 the following TMSADM RFCs exist.
  1. TMSADM@DEV1.DOMAIN_A
  2. TMSADM@QAS1.DOMAIN_A
  3. TMSADM@PRD1.DOMAIN_A
In DEV2, QAS2 and PRD2 the following TMSADM RFCs exist.
  1. TMSADM@DEV2.DOMAIN_B
  2. TMSADM@QAS2.DOMAIN_B
  3. TMSADM@PRD2.DOMAIN_B
You link DOMAIN_A with DOMAIN_B.
The following RFCs are added to systems DEV1, QAS1 and PRD1.
  1. TMSADM@DEV2.DOMAIN_B
  2. TMSADM@QAS2.DOMAIN_B
  3. TMSADM@PRD2.DOMAIN_B
The following RFCs are added to systems DEV2, QAS2 and PRD2.
  1. TMSADM@DEV1.DOMAIN_A
  2. TMSADM@QAS1.DOMAIN_A
  3. TMSADM@PRD1.DOMAIN_A
This allows systems in DOMAIN_A to communicate with systems in DOMAIN_B.
As a result, when you update the password for user TMSADM in DOMAIN_A (by running TMS_UPDATE_PWD_OF_TMSADM) it will also update RFCs TMSADM@*.DOMAIN_A in DOMAIN_B (when note 1515926 is implemented in all systems of both domains).
The same happens when you update the user password for TMSADM in DOMAIN_B (by running TMS_UPDATE_PWD_OF_TMSADM). The report will update RFCs TMSADM@*.DOMAIN_B in DOMAIN_A.
As a result, communication between the two domains is preserved. If note 1515926 were not applied to all systems of both domains and you ran the report TMS_UPDATE_PWD_OF_TMSADM from one or both domain controllers, communication between DOMAIN_A and DOMAIN_B would no longer be possible. This is the result of the user TMSADM being locked due to too many failed logon attempts with the wrong TMSADM password.
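The following is an added model of the domain-link scenario above; it is not code from the SAP notes or the original page. The system and domain names follow the text; the lock threshold, the password values and the idea that each RFC is exercised a few times are constructed assumptions, and "password stored in the RFC" stands in for the real RFC destination credentials.

```python
from dataclasses import dataclass, field

LOCK_AFTER_FAILED_LOGONS = 5   # assumed threshold; the real parameter value is not on the page

@dataclass
class System:
    sid: str
    domain: str
    tmsadm_pw: str = "old-pw"     # password of the local TMSADM user (constructed value)
    note_1515926: bool = False    # whether note 1515926 is implemented on this system
    failed_logons: int = 0
    locked: bool = False
    rfcs: dict = field(default_factory=dict)   # "TMSADM@SID.DOMAIN" -> password stored in the RFC

def build_linked_landscape(note_everywhere: bool) -> dict:
    """DOMAIN_A (DEV1, QAS1, PRD1) linked with DOMAIN_B (DEV2, QAS2, PRD2)."""
    systems = {sid: System(sid, "DOMAIN_A", note_1515926=note_everywhere) for sid in ("DEV1", "QAS1", "PRD1")}
    systems.update({sid: System(sid, "DOMAIN_B", note_1515926=note_everywhere) for sid in ("DEV2", "QAS2", "PRD2")})
    for s in systems.values():       # after the domain link every system holds an RFC to every system
        for t in systems.values():
            s.rfcs[f"TMSADM@{t.sid}.{t.domain}"] = t.tmsadm_pw
    return systems

def run_update_report(systems: dict, domain: str, new_pw: str) -> None:
    """Model of TMS_UPDATE_PWD_OF_TMSADM run in client 000 of the domain controller of `domain`."""
    for s in systems.values():
        if s.domain == domain:
            s.tmsadm_pw = new_pw
    for s in systems.values():       # RFCs TMSADM@*.<domain> are rewritten in the own domain and,
        if s.domain == domain or s.note_1515926:   # only where the note is present, in the linked domain
            for dest in s.rfcs:
                if dest.endswith("." + domain):
                    s.rfcs[dest] = new_pw

def exercise_rfcs(systems: dict, rounds: int = 2) -> list:
    """Use every RFC `rounds` times; a stale password is a failed logon on the target system."""
    for _ in range(rounds):
        for s in systems.values():
            for dest, pw in s.rfcs.items():
                target = systems[dest.split("@")[1].split(".")[0]]
                if pw != target.tmsadm_pw:
                    target.failed_logons += 1
                    target.locked = target.locked or target.failed_logons >= LOCK_AFTER_FAILED_LOGONS
    return sorted(sid for sid, s in systems.items() if s.locked)
```

With the note everywhere, running the report on either domain controller leaves no system locked; without it, every DOMAIN_A system ends up locked by the stale RFCs held in DOMAIN_B.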

It is important to check (via RZ11) parameter login/password_downwards_compatibility.
As of Basis release (SAP_BASIS) 7.0, the system supports logon with passwords that can consist of up to 40 characters (previously: 8), and for which the system differentiates between upper- and lower-case (previously: system automatically converted to upper-case). All Unicode characters are also supported.
Unfortunately, this change is not backward compatible. The passwords are stored as backward incompatible hash values. If this system is operated with other systems, which only support
backward compatible password hash values, the system must react appropriately.
The values of this profile parameter define the desired behavior (Default value = 1):
0 : No backward compatibility; the system generates only new (backward incompatible) password hash values.
1 : The system also generates backward compatible password hash values internally, but does not evaluate these for logons (to this system) using a password; this setting is required if this system is the central system of a Central User Administration and systems that only support backward compatible password hash values are also connected to the system group.
2 : The system also generates backward compatible password hash values internally and evaluates these if a logon using a backward incompatible password failed, to check whether a logon with the backward compatible password (truncated after eight characters and converted to upper-case) would have been accepted. This is logged in the system log; the logon fails. (Identification of backward incompatibility problems.)
3 : As with 2; however, the logon is regarded as successful. (Avoidance of backward incompatibility problems.)
4 : As with 3, but no system log entry is written.
5 : The system only issues backward compatible password hash values.
login/password_downwards_compatibility = 5 will not work with TMSADM using "new standard" password as this means that only downward compatible passwords are allowed, which are in uppercase and max. 8 characters long.
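As an added illustration (not SAP code and not from the original page), the model below encodes how the six parameter values above treat a logon attempt. It follows the parameter text: the backward compatible form is the password truncated to eight characters and upper-cased, and under value 5 a password that is not of that form is treated as unusable, as the paragraph above states for the "new standard" password. Real systems compare hash values; the model replaces them with plain string comparison, and the sample password is constructed.

```python
from typing import NamedTuple

class Outcome(NamedTuple):
    success: bool        # logon accepted
    syslog_entry: bool   # a system log entry about backward compatibility is written

def compat_form(password: str) -> str:
    """Backward compatible form of a password: first 8 characters, upper-cased."""
    return password[:8].upper()

def is_downward_compatible(password: str) -> bool:
    """A password that value 5 can represent: upper-case only, at most 8 characters."""
    return compat_form(password) == password

def evaluate_logon(param_value: int, stored_password: str, attempt: str) -> Outcome:
    """Outcome of a password logon under a given parameter value (model only)."""
    if param_value not in range(6):
        raise ValueError("login/password_downwards_compatibility must be 0..5")
    if param_value == 5:
        # Only backward compatible hashes exist: a stored password outside that
        # form (lowercase, longer than 8) cannot be used at all.
        if not is_downward_compatible(stored_password):
            return Outcome(False, False)
        return Outcome(compat_form(attempt) == stored_password, False)
    if attempt == stored_password:
        return Outcome(True, False)                 # new-style check succeeds
    if param_value in (0, 1):
        return Outcome(False, False)                # compat hash not evaluated for logons
    compat_match = compat_form(attempt) == compat_form(stored_password)
    if param_value == 2:
        return Outcome(False, compat_match)         # logged, but the logon still fails
    if param_value == 3:
        return Outcome(compat_match, compat_match)  # accepted and logged
    return Outcome(compat_match, False)             # value 4: accepted, not logged

def weakened_variant_accepted(param_value: int, password: str) -> bool:
    """Does the truncated, upper-cased variant of `password` also log on under this value?"""
    return evaluate_logon(param_value, password, compat_form(password)).success
```

For a mixed-case TMSADM password, values 3 and 4 let the weakened eight-character upper-case variant log on too, which is why '1' is the value to check for across the landscape.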

Finally:
There is now the addition of new destinations in TMS_UPDATE_PWD_OF_TMSADM, because in large landscapes using the above report is a complex matter.
The TMSADM update report requires an RFC connection for each system in the landscape, and if you have a very large landscape this means logging on to a lot of systems. Previously, there was no option to use trusted RFC for this. As a result, note 1801805 was created. Please implement the correction instructions in the domain controller (remember that if the domain controller changes, the note must be implemented there too) and follow the manual instructions in the note.