User Store

The standard installation of SAP NetWeaver usage type Process Integration (PI) assumes that users are maintained in the ABAP user store. If required, PI can be integrated with an LDAP-based user administration as described under Integration of User Management in Your System Landscape in the SAP NetWeaver Security Guide.

This applies to both service users and dialog users.

If you want a user MILLER to be authorized to define interfaces, you have to create this user in SAP NetWeaver usage type Application Server ABAP (AS-ABAP) on which the Integration Repository is deployed, and assign the role SAP_XI_DEVELOPER to this user. After logging on to the Integration Builder (which is implemented in Java), SAP NetWeaver usage type Application Server Java (AS-Java) authenticates user MILLER against AS-ABAP.

General principle for user administration:

· Each PI component that resides on SAP NetWeaver AS refers to the ABAP user management of the SAP NetWeaver AS of the Integration Server. PI Java applications that run on an SAP NetWeaver AS authenticate against the users maintained in the ABAP user management.

There are two exceptions to this rule, in which SAP user administration cannot be used:

· Plain J2SE Adapter Engine

The Plain J2SE Adapter Engine keeps user information in property files. Although sensitive data such as passwords is stored in an obfuscated form, we recommend that you also secure these property files by using the functions of your operating system.

For more information, see Adapters Running in the Plain J2SE Adapter Engine.

The Plain J2SE Adapter Engine is supported only for compatibility reasons. It hosts only a subset of the adapter functionality and does not support standard security features such as security logs or integrated user management. You should only use the Plain J2SE Adapter Engine if it is a precondition in your environment.

· Users for logging on to receiver systems

In order to deliver an XML message to a receiver business system, the Integration Server has to log on to the receiver system. The Integration Directory informs the Integration Server and Adapter Engines about the user and authentication method to use for logging on. Back-end users are kept in the database of the Integration Directory and are occasionally transferred to the directory cache of the Integration Server. Confidential data such as passwords is stored in the secure store of the directory server and in an obfuscated form in the persistent cache on the Integration Server. In order to secure the communication between the Integration Directory and the Integration Server as well, it is recommended that you configure SSL for this communication.
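
The recommendation to protect the Plain J2SE Adapter Engine's property files with operating-system functions can be checked on a Unix-like host as shown here. This is an added example, not SAP code; the directory argument and the `*.properties` file name pattern are assumptions, so pass the directory where your installation keeps its property files.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on property files.
# The directory passed as $1 is an assumption; use the location where
# your Plain J2SE Adapter Engine installation keeps its property files.

# Print every *.properties file under $1 that grants any permission
# to group or others. Returns 1 if at least one such file exists.
audit_property_files() {
    dir=$1
    findings=$(find "$dir" -type f -name '*.properties' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Restrict every *.properties file under $1 to owner read/write only.
harden_property_files() {
    find "$1" -type f -name '*.properties' -exec chmod 600 {} +
}

# Stand-alone use: sh check_props.sh /path/to/config [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        harden_property_files "$1"
    fi
    audit_property_files "$1"
fi
```

Run the audit as the operating-system account that owns the adapter engine process, and confirm that the files are owned by that account, since mode 600 only helps when the owner is the service user.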