Tmsadm Password Reset


SAP Security Note

1414256 - Changing TMSADM password is too complex
Language: English

Header Data
Released On: 17.03.2011 10:35:38
Release Status: Released for Customer
Component: BC-CTS-TMS Transport Management System
Other Components: BC-MID-RFC RFC
Priority: Correction with high priority
Category: Special development
Externally Reported: Yes

Symptom
This security note has been updated. For more detailed information, see Security Note 1515926. It should be as simple as possible to change the password of the user TMSADM.

Other Terms

Reason and Prerequisites


This is due to a missing function and security requirements.

Solution
The solution contained in Note 761637 requires many manual steps. However, it is the prerequisite for the solution provided in this note up to and including Release 6.40.

Use the report contained in the Support Package or in the correction instructions. The report automates manual steps that are described in Note 761637. The passwords of the user account TMSADM can be changed only if the executing user has administration authorizations in all systems of the landscape. After successful completion of the report, all of the TMSADM user accounts of the landscape have the same new password in client 000 and its destinations.

Known limitations:
You must deactivate the SNC protection option before you change the TMSADM password. In systems with the highest Quality of Protection (QoP) level, you must reduce the QoP level so that non-secure connections are allowed. After you change the TMSADM password, you can activate the SNC protection option again. Afterwards, you can set the QoP level back to the highest protection level if required.

Preparation:
Import the attached Support Packages or implement the correction instructions in all of the systems of the relevant system landscape. Depending on the release, you are required to carry out manual pre-implementation steps to implement the correction instructions. All of the systems of the transport domain must be available at the time of the password change.

Execution:
The password can be changed only from the domain controller by the Transport Management System (TMS) administrator. Start the report TMS_UPDATE_PWD_OF_TMSADM in client 000. On the selection screen, the report offers three different options for changing the TMSADM password:
- Enter your own password.

  Note the following conditions that restrict the selection (also see Note 1023437):
  - Compatibility between the password rules of the systems
  - Version of the generation of the password hash values
  - Maximum password length

  Important: The report does not support domain links.

- Set the standard password that is set in newly configured TMS domains by the TMS when you implement Note 761637.

  The password contains uppercase and lowercase letters, numbers, and special characters. Caution: Depending on the system setting, this is incompatible with older releases.

- Reset the password to the original TMSADM standard password (used since Release 3.1I).

  This is the return path if unexpected problems occur when you change the password. This works only if all of the systems still accept the simple password. Otherwise, you must find a suitable password.

The report offers the connection test across all systems and a log display of the changes as additional functions.

After you select one of the password options, you can choose "Execute". The system then requests logons in client 000 of every system of the TMS domain. The connections to all systems of the landscape are then set up for the entire run of the report. The report executes three phases:
1. Creating test users and test destinations in all systems
2. Checking the test users and test destinations
3. Setting the required entries in the table TMSCROUTE, changing the TMSADM user accounts and the TMSADM destinations

Errors in phases 1 and 2 cause the report to terminate. If the first two phases are successful, the system continues with the third phase in all systems without taking the errors into account. The system then displays a log for all actions, which you can display again at any time.

Troubleshooting:

- Locked systems are ignored when changing the password. You should unlock all of the systems before you execute the report. Otherwise, the incorrect destinations of these systems may cause the user account TMSADM to be locked in all systems. If there is no other way, you must subsequently change the password in locked systems as soon as possible. You can either use the report described in this note or proceed as described in Note 761637.
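The preconditions stated above (all systems available, locked systems unlocked, SNC protection deactivated, and a password that every system accepts) can be checked against a landscape inventory before the report is started. The following Python check is an added example, not part of the SAP note or of SAP's code; the inventory fields, SIDs and sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class System:
    sid: str
    available: bool       # reachable during the change window
    locked: bool          # locked in TMS; the report ignores such systems
    snc_protected: bool   # SNC protection option still active
    max_pwd_len: int      # longest password the system accepts (assumed field)
    case_sensitive: bool  # False: passwords are treated as uppercase only

# Constructed sample landscape; SIDs and values are made up for illustration.
LANDSCAPE = [
    System("DEV", True, False, False, 40, True),
    System("QAS", True, True, False, 40, True),
    System("OLD", True, False, False, 8, False),
    System("PRD", False, False, True, 40, True),
]

def common_limits(systems):
    """Strictest password rules that every system in the domain accepts."""
    return {
        "max_len": min(s.max_pwd_len for s in systems),
        "mixed_case_ok": all(s.case_sensitive for s in systems),
    }

def preflight(systems, candidate):
    """Return (sid, finding) blockers; an empty list means the run can start."""
    limits = common_limits(systems)
    blockers = []
    for s in systems:
        if not s.available:
            blockers.append((s.sid, "not available"))
        if s.locked:
            blockers.append((s.sid, "locked: unlock before the run"))
        if s.snc_protected:
            blockers.append((s.sid, "SNC protection still active"))
    # Password checks apply to the whole domain, reported under "*".
    if len(candidate) > limits["max_len"]:
        blockers.append(("*", f"password longer than {limits['max_len']} characters"))
    if not limits["mixed_case_ok"] and candidate != candidate.upper():
        blockers.append(("*", "lowercase letters not accepted by every system"))
    return blockers
```

Calling `preflight(LANDSCAPE, "Example-Password-1")` lists the locked system, the unavailable and SNC-protected system, and the two password incompatibilities caused by the oldest system in the inventory.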

------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS                      SAP Basis compo...|
| Release 610          All Support Package Levels                      |
| Release 46D          From SAPKB46D21                                 |
| Release 620          All Support Package Levels                      |
------------------------------------------------------------------------

Create the following objects in the package STMA in this sequence:
- Report TMS_UPDATE_PWD_OF_TMSADM
- 4 function modules in the function group TMSC_I with the following interfaces:

TMS_SEC_CHANGE_PWD " remote enabled module
*"*"local interface:
*"  IMPORTING
*"     VALUE(STAGE) TYPE FLAG
*"     VALUE(LOCAL_DOMAIN) TYPE FLAG OPTIONAL
*"     VALUE(TMS_PWD) TYPE CHAR100 OPTIONAL
*"     VALUE(TEST_USER_LEN) TYPE INT4 DEFAULT 12
*"  EXPORTING
*"     VALUE(RETURN) TYPE BAPIRET2
*"     VALUE(LOG) TYPE SPROT_U_TAB
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     WRONG_CLIENT

TMS_SEC_MANAGE_TEST_DEST
*"*"local interface:
*"  IMPORTING
*"     REFERENCE(FUNCTION) TYPE CHAR10
*"     REFERENCE(LOCALDOMAIN) TYPE TMSDOMNAM OPTIONAL
*"     REFERENCE(DESTINATIONS) TYPE TMSCDESS
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB OPTIONAL
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     FAILED

TMS_SEC_SET_PWD_IN_DOMAIN
*"*"local interface:
*"  IMPORTING
*"     VALUE(LOCAL_DOMAIN) TYPE FLAG DEFAULT 'X'
*"     VALUE(RESETPWD) TYPE FLAG OPTIONAL
*"     REFERENCE(PASSWORD) TYPE CHAR100
*"  EXPORTING
*"     REFERENCE(RETURN) TYPE BAPIRET2
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB
*"  EXCEPTIONS
*"     READ_CONFIG_FAILED
*"     NOT_ON_CONTROLLER

TMS_SEC_UPDATE_DESTINATIONS
*"*"local interface:
*"  IMPORTING
*"     REFERENCE(LOCALDOMAIN) TYPE TMSDOMNAM OPTIONAL
*"     REFERENCE(PASSWORD) TYPE RFCAUTH
*"  EXPORTING
*"     REFERENCE(RETURN) TYPE BAPIRET2
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB OPTIONAL
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     FAILED

------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS                      SAP Basis compo...|
| Release 46D          All Support Package Levels                      |
------------------------------------------------------------------------

Create the following objects in the package STMA in this sequence:
- Report TMS_UPDATE_PWD_OF_TMSADM
- 4 function modules in the function group TMSC_I with the following interfaces:

TMS_SEC_CHANGE_PWD " remote enabled module
*"*"local interface:
*"  IMPORTING
*"     VALUE(STAGE) TYPE FLAG
*"     VALUE(LOCAL_DOMAIN) TYPE FLAG OPTIONAL
*"     VALUE(TMS_PWD) TYPE CHAR100 OPTIONAL
*"     VALUE(TEST_USER_LEN) TYPE INT4 DEFAULT 12
*"  EXPORTING
*"     VALUE(RETURN) TYPE BAPIRET2
*"     VALUE(LOG) TYPE SPROT_U_TAB
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     WRONG_CLIENT

TMS_SEC_MANAGE_TEST_DEST
*"*"local interface:
*"  IMPORTING
*"     REFERENCE(FUNCTION) TYPE CHAR10
*"     REFERENCE(LOCALDOMAIN) TYPE TMSDOMNAM OPTIONAL
*"     REFERENCE(DESTINATIONS) TYPE TMSCDESS
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB OPTIONAL
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     FAILED

TMS_SEC_SET_PWD_IN_DOMAIN
*"*"local interface:
*"  IMPORTING
*"     VALUE(LOCAL_DOMAIN) TYPE FLAG DEFAULT 'X'
*"     VALUE(RESETPWD) TYPE FLAG OPTIONAL
*"     REFERENCE(PASSWORD) TYPE CHAR100
*"  EXPORTING
*"     REFERENCE(RETURN) TYPE BAPIRET2
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB
*"  EXCEPTIONS
*"     READ_CONFIG_FAILED
*"     NOT_ON_CONTROLLER

TMS_SEC_UPDATE_DESTINATIONS
*"*"local interface:
*"  IMPORTING
*"     REFERENCE(LOCALDOMAIN) TYPE TMSDOMNAM OPTIONAL
*"     REFERENCE(PASSWORD) TYPE RFCAUTH
*"  EXPORTING
*"     REFERENCE(RETURN) TYPE BAPIRET2
*"  CHANGING
*"     REFERENCE(LOG) TYPE SPROT_U_TAB OPTIONAL
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"     FAILED

Validity
Software Component   From Rel.   To Rel.   And Subsequent
SAP_BASIS            46C         46D
SAP_BASIS            610         640
SAP_BASIS            700         702
SAP_BASIS            710         730

Correction Instructions

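Software Component   Valid from   Valid to   Number
SAP_BASIS            46D          46D        1188513
SAP_BASIS            46D          46D        1169343
SAP_BASIS            610          610        1188512
SAP_BASIS            610          610        1173765
SAP_BASIS            620          620        1188511
SAP_BASIS            620          620        1167983
SAP_BASIS            640          640        1188510
SAP_BASIS            640          640        1174090
SAP_BASIS            640          640        1169346
SAP_BASIS            700          700        1169347
SAP_BASIS            700          700        1188304
SAP_BASIS            701          701        1169348
SAP_BASIS            701          701        1188303
SAP_BASIS            702          702        1169479
SAP_BASIS            702          702        1188302
SAP_BASIS            710          710        1169480
SAP_BASIS            710          710        1188301
SAP_BASIS            711          711        1188300
SAP_BASIS            711          711        1169481
SAP_BASIS            720          720        1188299
SAP_BASIS            720          720        1169482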

Support Packages & Patches


Support Packages

Software Component   Release   Support Package
SAP_BASIS            710       SAPKB71010
SAP_BASIS            711       SAPKB71105
SAP_BASIS            46C       SAPKB46C60
SAP_BASIS            620       SAPKB62068
SAP_BASIS            640       SAPKB64026
SAP_BASIS            720       SAPKB72003
SAP_BASIS            702       SAPKB70203
SAP_BASIS            700       SAPKB70022
SAP_BASIS            701       SAPKB70107

References
This document refers to:
SAP Notes
1023437 ABAP syst: Downwardly incompatible passwords (since NW2004s)
1412609 DUPREC when configuring the transport domain
1486759 Blocking unauthorized access to system using TMSADM to 4.6B
1488406 Handling the generated user TMSADM
1504652 Consulting: Secure Configuration of Application Server ABAP
1515926 Update #1 to Security Note 1414256
1801805 Introduction of new destinations in TMS_UPDATE_PWD_OF_TMSADM
761637 Logon restrictions prevent TMSADM logon
888889 Automatic checks for security notes using RSECNOTE

This document is referenced by:


SAP Notes (8)
761637 Logon restrictions prevent TMSADM logon
1515926 Update #1 to Security Note 1414256
888889 Automatic checks for security notes using RSECNOTE
1023437 ABAP syst: Downwardly incompatible passwords (since NW2004s)
1486759 Blocking unauthorized access to system using TMSADM to 4.6B
1488406 Handling the generated user TMSADM
1504652 Consulting: Secure Configuration of Application Server ABAP
1412609 DUPREC when configuring the transport domain
