Changing Service Users

For security-sensitive customers, it is recommended to change either the password of a certain service user or even the service user itself.

If an attacker mounts a denial-of-service attack that locks a certain service user and thus disables certain internal communication, this user must be changed so that the attacker no longer knows the user.

As explained under Service Users for Internal Communication, the service users are declared in the exchange profile and must exist in the user administration of the Integration Server with the appropriate role. In addition, the logon data of the following users may have to be maintained at the following locations:

●     PILDUSER

○     Connection settings for accessing the exchange profile for each host where PI is installed (Integration Server, non-central Adapter Engines). These connection settings are maintained with the user interface of the exchange profile which can be accessed at http://<host:port>/webdynpro/dispatcher/sap.com/com.sap.xi.exprofui/XIProfileApp.

●     PIISUSER

○     SLD configuration with transaction SLDAPICUST.

○     SM59 destination INTEGRATION_DIRECTORY_HMI on the Integration Server.

○     SM59 destination of the logical port of the Web service proxy class CO_WSSEWEPROCESSOR_VI_DOCUMEN as described in Security Configuration at Message Level.

○     SM59 destinations for IDoc metadata (see transaction IDX1).

In this case, the user is maintained in an IDoc business system, and it is not necessary to use PIISUSER here.

●     PIRWBUSER

○     J2EE destination PMISTORE on J2EE servers with Adapter Engines.

○     SM59 destinations PMI* on the central monitoring server.

○     SM59 destinations maintained for GRMG scenarios (beginning with XI_* in transaction GRMG) on the central monitoring server. See also SAP Note 634771.

●     PIAPPLUSER or any other messaging user identifying a sender system

○     Destination AI_INTEGRATION_SERVER in the sender system

Therefore, whenever you have to change the password of a service user, you must change it in the corresponding com.sap.aii.<component>.serviceuser.pwd entry in the exchange profile and also in the ABAP user administration (transaction SU01).

If you want to change the user itself, you must change both entries com.sap.aii.<component_A>.serviceuser.name and com.sap.aii.<component_A>.serviceuser.pwd in the exchange profile, and use transaction SU01 to copy the old service user to the new one with the corresponding password.

Finally, you must change the user name and password at the additional locations mentioned above. For more information about changing the password, see also SAP Note 721548.
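The following check is an added example, not SAP code: it compares two snapshots of the exchange profile and reports which steps of the procedure above were left undone, such as a renamed user whose password entry was not changed or a destination that still logs on as the old user. The key=value snapshot layout, the component names component_a and component_b, the user PIISUSER2, the placeholder password values and the inventory of locations are all constructed assumptions.

```python
import re

# Matches the exchange profile keys com.sap.aii.<component>.serviceuser.{name,pwd}.
ENTRY = re.compile(r"^com\.sap\.aii\.(.+)\.serviceuser\.(name|pwd)\s*=\s*(.*)$")

# Constructed snapshots; the key=value layout and component names are assumptions.
BEFORE = """\
com.sap.aii.component_a.serviceuser.name=PIISUSER
com.sap.aii.component_a.serviceuser.pwd=<old-secret-a>
com.sap.aii.component_b.serviceuser.name=PIRWBUSER
com.sap.aii.component_b.serviceuser.pwd=<old-secret-b>
"""
AFTER = """\
com.sap.aii.component_a.serviceuser.name=PIISUSER2
com.sap.aii.component_a.serviceuser.pwd=<old-secret-a>
com.sap.aii.component_b.serviceuser.name=PIRWBUSER
com.sap.aii.component_b.serviceuser.pwd=<new-secret-b>
"""
# Constructed inventory of additional logon locations: (system, location, user).
INVENTORY = [
    ("Integration Server", "SM59 INTEGRATION_DIRECTORY_HMI", "PIISUSER"),
    ("Integration Server", "SLDAPICUST", "PIISUSER2"),
    ("Adapter Engine", "J2EE destination PMISTORE", "PIRWBUSER"),
]

def parse_profile(text):
    """Return {component: {"name": ..., "pwd": ...}} from key=value lines."""
    users = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return users

def review_change(before, after, inventory):
    """List what a service user change left undone, per the steps above."""
    old, findings = parse_profile(before), []
    for comp, cur in parse_profile(after).items():
        prev = old.get(comp, {})
        renamed = prev.get("name") not in (None, cur.get("name"))
        new_pwd = prev.get("pwd") != cur.get("pwd")
        if renamed and not new_pwd:
            findings.append(f"{comp}: user renamed but serviceuser.pwd unchanged")
        for system, location, user in inventory:
            if renamed and user == prev["name"]:
                findings.append(f"{system}: {location} still logs on as {user}")
            elif not renamed and new_pwd and user == cur.get("name"):
                findings.append(f"{system}: {location} needs the new password for {user}")
    return findings

if __name__ == "__main__":
    print("\n".join(review_change(BEFORE, AFTER, INVENTORY)))
```

The script cannot read the password stored in a destination, so the "needs the new password" findings are reminders to be confirmed by hand at each location.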