Passwords (Without Single Sign-On)

When the administrator creates individual users for the SAP MI Server Component, the system generates a password for the initial logon. The end user then has to log on to the server (SAP NetWeaver AS) once directly and change the password (see Changing the Initial Password).

The SAP MI Client Component makes a technical distinction between the synchronization password and the local logon password.

●     The local logon password is used for offline authentication on the SAP MI Client Component.

●     The synchronization password is used for online authentication on the SAP MI Server Component (SAP NetWeaver AS).

The online authentication takes place at the beginning of the synchronization cycle. The user ID and the synchronization password are transferred to the server and verified there.

In the configuration file mobileengine.config, the administrator can define how the synchronization password and the local logon password are to be handled (see Predefining and Setting Parameters for All Users).

Parameters for the Local Logon Password

●     Resetting the Password

You use the parameter MobileEngine.Security.ResetLocalLogonPassword to determine whether the user can reset the password if he or she forgets it, for example. The possible values are true and false.

An online connection to the server is required to reset the logon password.

●     Determining the Number of Permitted Failed Logons

With the parameter MobileEngine.Security.AllowedLogonFailuresUntilUserLock you can define the number of permitted local logon failures.

●     Authentication Using System Logon (Bypass Option)

You use the parameter MobileEngine.Security.BypassLocalLogonPassword to determine if the local logon on the client can be bypassed. In this case, the user’s system logon is considered to be sufficient authentication. The possible values are true and false.

You can use the bypass option only in conjunction with the atSync and once handling options for the synchronization password (see below).

If the mobile application offers its own control element (pushbutton or link) to start synchronization, this application must support the atSync and once handling options for the synchronization password.

Parameters for the Synchronization Password

You use the parameter MobileEngine.Security.SynchronizationPasswordHandlingOption to determine how the synchronization password is handled. Possible values are:

●     atSync – Synchronization password does not correspond to the local logon password and must be entered for each synchronization (default value).

●     local – Synchronization password corresponds to the local logon password and need not be entered at synchronization.

You cannot use the setting local together with the bypass option (MobileEngine.Security.BypassLocalLogonPassword=true).

●     once – Synchronization password does not correspond to the local logon password and must be entered once for each logon.

The synchronization option Timed Sync cannot be combined with the setting atSync. It is only possible with the setting once after the end user has entered the synchronization password once, for example, from the user settings. With the setting local, the synchronization option Timed Sync can be used without restrictions.

The SAP MI Client Component does not store the synchronization password for the settings atSync and once. Instead, the user must enter it for each synchronization or once per logon, depending on the setting.
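The combination rules above can be checked before a configuration is rolled out. The following audit script is an added example, not SAP code. It assumes that mobileengine.config holds one key=value pair per line, that values are compared exactly as written, and that the caller states through the hypothetical timed_sync flag whether Timed Sync is in use.

```python
# Assumption: mobileengine.config holds key=value lines and '#' starts a comment.
PREFIX = "MobileEngine.Security."
HANDLING = PREFIX + "SynchronizationPasswordHandlingOption"
BYPASS = PREFIX + "BypassLocalLogonPassword"
RESET = PREFIX + "ResetLocalLogonPassword"
FAILURES = PREFIX + "AllowedLogonFailuresUntilUserLock"

def parse_config(text):
    """Return a dict of the key=value pairs in the file text."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit(params, timed_sync=False):
    """List rule violations; timed_sync is a hypothetical caller-supplied flag
    saying whether the Timed Sync synchronization option is in use."""
    findings = []
    handling = params.get(HANDLING, "atSync")  # atSync is the documented default
    if handling not in ("atSync", "local", "once"):
        findings.append(f"{HANDLING}: unknown value {handling!r}")
    for key in (BYPASS, RESET):
        if key in params and params[key] not in ("true", "false"):
            findings.append(f"{key}: expected true or false, got {params[key]!r}")
    if params.get(BYPASS) == "true" and handling == "local":
        findings.append("bypass option cannot be combined with handling option 'local'")
    if timed_sync and handling == "atSync":
        findings.append("Timed Sync cannot be combined with handling option 'atSync'")
    if FAILURES in params and not params[FAILURES].isdigit():
        findings.append(f"{FAILURES}: expected a number, got {params[FAILURES]!r}")
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
# password handling
MobileEngine.Security.SynchronizationPasswordHandlingOption=local
MobileEngine.Security.BypassLocalLogonPassword=true
MobileEngine.Security.AllowedLogonFailuresUntilUserLock=five
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE)):
        print("FINDING:", finding)
```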

The end user must manually synchronize the user ID and synchronization password on the mobile device with the settings used on the server. If multiple users are using the same mobile device, they all need their own user IDs and must keep the ID and synchronization password synchronous with the settings used on the server.

The SAP MI Client Component distinguishes between uppercase and lowercase.

See also:

Encryption of Database Password

Security Measures Related to Password Rules