How to Activating emergency user (Super Administrator User (sap*)) in JAVA Stack

Go to Config Tool -> click on the button “Switch to configuration edit mode”
Expand the tree :-
“Cluster_data -> Server -> cfg -> Services -> Propertysheet com.sap.security.core.ume.service”

When the “Super Administrator” parameter is activated to true and the password being reset, all other users will locked.
Set the parameters
ume.superadmin.activated = true
ume.superadmin.password = a new password


Restart the Java Cluster...

Logon as sap* and new password, correct the problem. then revert the change made to the parameterume.superadmin.activated to false and Restart the Java Cluster.

J2EE SSO Configuration

1. Logon to Visual Administrator -Server=>Services=>Security Provider,

a. select UserManagement tab and the pencil icon.

b. Select Manage Security Stores; highlight UME User Store and EvaluateTicketLogonModule; Click Views/Change Properties.

i. Under Options fill in the Name and Value as follows:

These parameters are in sets with each system that has a relationship to this J2EE engine. The consumer portal is 1, the production client is 2 and the system client is 3. The values for ddn and iss must match the certificates in use on the system.

Name Value

trustedsys1 , 000
trustedsys2 , 100
trustedsys3 , 000
trusteddn1 CN=, OU=J2EE
trusteddn2 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trusteddn3 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss1 CN=, OU=J2EE
trustediss2 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss3 CN=, OU=ABAP, O=SAP Trust Community, C=DE
ume.configuration.active true

ii. Click OK and ignore message about ‘unable to apply to SDK–XMLA Policy Configuration’

c. Select Manage Security Stores; highlight UME User Store and EvaluateAssertionTicketLogonModule; Click Views/Change Properties.

i. Under Options fill in the Name and Value as follows:

These parameters are in sets with each system that has a relationship to this J2EE engine. The consumer portal is 1, the production client is 2 and the system client is 3. The values for ddn and iss must match the certificates in use on the system.

Name Value

trustedsys1 , 000
trustedsys2 , 100
trustedsys3 , 000
trusteddn1 CN=, OU=J2EE
trusteddn2 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trusteddn3 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss1 CN=, OU=J2EE
trustediss2 CN=, OU=ABAP, O=SAP Trust Community, C=DE
trustediss3 CN=, OU=ABAP, O=SAP Trust Community, C=DE

Click OK and ignore message about ‘unable to apply to SDK–XMLA Policy Configuration’

2. Choose Policy Configurations tab and highlight ticket.

a. If the fully qualified name for the login module is displayed, for example, com.sap.security.core.server.jaas.EvaluateTicketLoginModule, then remove the login module (highlight it and choose the remove button below).

b. If you removed it or it didn’t exist, now choose the add button below. You can now choose EvaluateTicketLoginModule and add/re-add it. Position it at the top of the stack (choose the modify button below and use the down arrow (for location) to move EvaluateTicketLoginModule to position 1. Verify the flag SUFFICIENT and the ACL info is correct for EvaluateTicketLoginModule.

c. Check EvaluateAssertionTicketLogonModule - may need to be modified from REQUIRED to SUFFICIENT.

3. Import Consumer Portal certificate:

a. From VA - Using the Key Storage service on the accepting server, select the TicketKeystore view. Choose Load. Select the file from the file system (.crt) and choose OK.

b. The certificate is stored in the selected view as a CERTIFICATE entry.

4. Import ABAP certificate: (same as step 7, just a different file):

a. From VA - Using the Key Storage service on the accepting server, select the TicketKeystore view. Choose Load. Select the file from the file system (_abap.crt) and choose OK.

b. The certificate is stored in the selected view as a CERTIFICATE entry.

Monitoring – JCmon

Use

The JCmon is a native monitoring program, part of the startup and control framework, which can be used to:

1. Display a list of the processes

2. Enable, disable, and restart the specified processes

3. Shutdown a specified J2EE instance

4. Enable/disable debugging for a specified process

5. Dump stack trace

6. Display a list of the ports used by the J2EE Engine

7. Activate/deactivate debug sessions

8. Increment/decrement the trace level

To start the JCmon, execute the jcmon script file from the /usr/sap///j2ee/os_libsdirectory, where is the system ID of the cluster (for example, C11) and is the instance name of the J2EE instance (for example, JC00). The instance name consists of a prefix (JC or J) and the two-digit instance number afterwards. As parameter for the jcmon script file specify the SAP instance profile:

jcmon pf=/usr/sap//sys/profile/__.

Example:

jcmon pf=/usr/sap/C11/sys/profile/C11_JC00_testpc.

Enter command ‘20’ to display the main menu.

Features

The JCmon main menu provides the following functions:

0: Exit

Returns back to the main menu.

1: Refresh list

Refreshes the process list and the menu.

2: Shutdown instance

Invokes the shutdown of the specified J2EE instance.

3: Enable process

Enables and starts a process, which is switched off. (Restart == no)

4: Disable Process

Stops a running process and switches off the restart flag.

5: Restart Process

Restarts the specified process.

6: Enable bootstrapping on restart

7: Disable bootstrapping on restart

8: Enable Debugging

Checks if the specified process is running in debug mode. If not and the process is configured for debugging, JControl will restart the process in debug mode.

9: Disable Debugging

If the process is running in debug mode, JControl will restart the process and switch off the debug mode.

10: Dump stack trace

The specified process gets an event to invoke the dump of the stack trace of the Java VM. The stack trace is stored in the stderr output file in the work directory.

11: Process list

Displays the status and additional information about all the processes.

12: Port list

Displays a list with detailed information about the ports used by the J2EE Engine.

13: Activate debug session

Activates the debug session for the specified process. To activate a debug session:

1. The process must be running in debug mode.

1. The process must be “Load Balance Restricted”.

14: Deactivate debug session

Deactivates the debug session. The process will be restarted or stopped – this depends on the process configuration.

15: Increment trace level

This increments the trace level for the developer trace file of the specified process (dev_)

16: Decrement trace level

This decrements the trace level for the developer trace file of the specified process (dev_)

17: Enable process restart

18: Disable process restart

-----

98: Synchronize instance properties

99: Extended process list on/off

Activities

For more information, see:

1. Checking that all processes are running

2. Restarting a single process