test

Sun Identity Manager 8.1 Resources Reference

Changing Productive Passwords in a CUA Environment

SAP considers a password a secret shared between the account on the system where the account resides. In a CUA landscape, this means that every CUA client maintains its own copy of a password for a user. The standard password change methods in a CUA landscape do not allow you to set a productive password on a client system. (A productive password is a password that has not expired and that does not require changing on the next logon.) They will allow you to set an initial password for the user on all systems in the landscape, clients and the central system.

The function module for changing a password must be executable remotely. In a CUA landscape, you must set the SCUM settings for the initial password to 'global' or 'everywhere'. In all other cases, the CUA central system can not reset passwords on the clients, which will cause failures of password changes under certain circumstances. The adapter will allow you to set a productive password in a CUA landscape on all systems on which the user exists. You can do this only by changing the password on each system separately. To enable this feature, you must install a special Function Module on the CUA central system that is executed for all client systems. The module is provided in source form in InstallDir\idm\sample\other and must be installed on the SAP central system. The name of the Function Module must be set in the “CUA Child Password Change Function Module” resource attribute.

When a password is changed in a CUA landscape and the module is used, multiple failures for one password change can occur: one for each client and one for the central system. Each system keeps its own password policies. A password that complies to the rules on one system could cause a policy failure on another. A failure on one system does not mean that the other systems will not be changed. This accords with how SAP defines and works with passwords in a CUA landscape.

When CUA is configured on the adapter, but the module is not installed on the central system or the attribute is not configured on the adapter, then productive password changes will be applied to the central system only. Setting initial passwords or performing a password reset, in other words password which are expired, is not affected by this configuration change.