
SAP Note 669848 - Unlocking The Administrator User On The J2EE Engine/AS Java

The document describes how to unlock the administrator user on a SAP J2EE Engine when it has been locked due to unsuccessful login attempts. It provides different solutions depending on the release and SP level:
- For SAP NetWeaver 7.1 and above, use the emergency user SAP* to log in to the Visual Administrator and unlock the administrator user.
- For earlier releases, an emergency user may need to be manually created. The J2EE Engine also needs to be restarted in console mode to allow login without Visual Administrator. The emergency user can then unlock and delete the administrator user.
- JControl starts and monitors J2EE processes while JLaunch starts individual Java programs using properties

Uploaded by

Ramesh Bandari
Copyright
© Attribution Non-Commercial (BY-NC)

SAP Note 669848 - Unlocking the Administrator User on the J2EE Engine/AS Java

Symptom

The administrator user cannot log on to the J2EE Engine using the Visual Administrator.

Other terms

SAP J2EE Engine, users, administrator, SDM, password

Reason and Prerequisites

The administrator user cannot log on to the J2EE Engine because it has been locked, for example, due to numerous unsuccessful logon attempts. If you have not yet created any additional administrator user(s), then you cannot log on to the J2EE Engine/AS Java to perform administrative tasks.

Solution

To correct this situation, you have to use an emergency user. The corresponding emergency user depends on the installation:

- If you use the User Management Engine (UME) with an AS ABAP as the data source, then log on to the corresponding AS ABAP system and unlock the administrator user (default user ID: J2EE_ADMIN) using the user maintenance transaction SU01.
- As of SAP NetWeaver '04 (J2EE Engine Release 6.30 SP 4), the emergency user is predefined as SAP*. Prior to SP4, you have to set up your own emergency user.

The procedures according to each release / SP level are described below.

SAP NetWeaver Composition Environment 7.1 and Other SAP NetWeaver 7.1 Products

For information about how to activate the emergency user SAP*, see the SAP NetWeaver CE Library at:
http://help.sap.com/saphelp_nwce10/helpdata/en/3a/4a0640d7b28f5ce10000000a155106/frameset.htm

Log on to the SAP NetWeaver Administrator using the emergency user and unlock the Administrator user. Afterwards, deactivate the emergency user. The information available at this location also applies to other SAP NetWeaver 7.1 products that run on AS Java.

SAP NetWeaver 7.0 (2004s)

For information about how to activate the emergency user SAP*, see the SAP NetWeaver SAP Library documentation at:
http://help.sap.com/saphelp_nw70/helpdata/en/3a/4a0640d7b28f5ce10000000a155106/frameset.htm

Log on to the Visual Administrator using the emergency user and unlock the Administrator user. Afterwards, deactivate the emergency user.

SAP NetWeaver '04 / SAP J2EE Engine Release 6.30 SP >= SP4

For information about how to activate the emergency user SAP*, see the SAP NetWeaver SAP Library documentation at http://help.sap.com/nw04. Choose the desired language. In the SAP Library, use the following path: "SAP Library -> SAP NetWeaver -> Security -> Identity Management -> User Management Engine -> UME User Administration -> Activating the Emergency User".

Log on to the Visual Administrator using the emergency user and unlock the Administrator user. Afterwards, deactivate the emergency user.

SAP J2EE Engine Release 6.30 SP <= SP3

Prior to SP4, you have to set up your own emergency administrator user. Also, because you cannot log on to the J2EE Engine as an administrator using the Visual Administrator, you have to use the Shell Console Administrator tool. Therefore, stop the SAP J2EE Engine and restart it in console mode. See the procedures below.

Stopping the SAP J2EE Engine

First you have to stop the SAP J2EE Engine. Under Windows, you can use the Microsoft Management Console for SAP Systems (SAPMMC). As an alternative or for UNIX systems, use the tool jcmon, which is located in the engine's /usr/sap/<SID>/sys/exe/run directory.

Note: You only need to stop a single server. You do not need to stop the dispatcher.

To stop the server using jcmon:
1. Start a shell or command prompt.
2. Switch to the directory /usr/sap/<SID>/<j2ee-instance>/j2ee/os_libs.
3. Execute the command
   jcmon pf=../../../SYS/profile/<sid>_<j2ee-instance>_<host>
4. Enter 20 to start the local administration menu.
5. Enter 4 and then the process index number (not the PID) to stop the server.

Starting the SAP J2EE Engine in Console Mode

To start the server in console mode:
1. View the server's property file: /usr/sap/<SID>/<j2ee-instance>/j2ee/cluster/instance.properties
   This file contains the server properties in the form <key>=<value>, whereby each key is prefixed with an indicator. For example, for the key ID169739450.MaxHeapSize=128, the prefix is ID169739450.
2. Search for the entry <prefix>.Type=server and note the prefix. We refer to this indicator as <prefix-server> below.
3. Start a new shell or command prompt.
4. Switch to the directory /usr/sap/<SID>/<j2ee-instance>/j2ee/os_libs.
5. Set the library path to this directory. The name of the environment variable to use depends on your operating system (LD_LIBRARY_PATH for most UNIX systems, SHLIB_PATH for HP-UX, LIBPATH for AIX, PATH for Windows). You can find the name and value to use in the developer trace file /usr/sap/<SID>/<j2ee-instance>/work/dev_jcontrol; search for "lib path" for the node for <prefix-server>.
   For HP-UX, also set the environment variable LD_PRELOAD to the base name of the Java VM shared library. In this case, the name to use depends on your CPU type; use either "LD_PRELOAD=libjvm.sl" for PA-RISC or "LD_PRELOAD=libjvm.so" for HPIA64.
6. To start the server, execute the command:
   jlaunch file=../cluster/instance.properties -nodeName=<prefix-server> pf=../../../SYS/profile/<sid>_<j2ee-instance>_<host> -traceFile=<trace_file> -startMode=console
   Enter the command in a single line. Note that the parameter pf does not have minus sign as a prefix. This is correct.
7. Wait until the server has started. (The prompt '>' appears.)

Create an Emergency User, Unlock Administrator, Delete Emergency User

1. Once the server is running, enter the following commands to create the emergency user and assign it to the administrators group:
   add user
   create_user emergency
   password emergency <password>
   group_user emergency administrators
2. Log on to the Visual Administrator as this emergency user.
3. Under <Cluster> > Server > Services > Security Provider, choose the "User Management" tab page. Unlock the user Administrator and provide a new password.
4. Log off from the Visual Administrator.
5. Log on as the user Administrator.
6. Delete the emergency user.
7. Log off from the Visual Administrator.
8. In the command prompt where the server is running, enter the command shutdown to shut down the server that you started in console mode.
9. In SAPMMC (or using jcmon), restart the server.

Result

The user Administrator can now log on to the J2EE Engine.
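Steps 1 and 2 of the console-mode procedure above (finding the prefix whose Type entry is server in instance.properties) can be scripted so that jlaunch is never pointed at the wrong node. This is an added example, not part of the SAP Note: the function names are hypothetical, and the sample file is constructed (only the Type and MaxHeapSize keys and the value server appear in the note).

```shell
#!/bin/sh
# Added example: locate <prefix-server> in instance.properties and refuse
# to build the console-mode jlaunch line for a node that is not a server.

# normalized_props FILE -> "key=value" lines with comments dropped and
# CR characters and blanks around key/value removed.
normalized_props() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }'
}

# server_prefixes FILE -> every prefix that has "<prefix>.Type=server".
server_prefixes() {
    normalized_props "$1" | sed -n 's/^\(.*\)\.Type=server$/\1/p'
}

# node_property FILE PREFIX KEY -> value of "<PREFIX>.<KEY>" (last one wins).
node_property() {
    normalized_props "$1" | awk -v p="$2.$3=" '
        index($0, p) == 1 { v = substr($0, length(p) + 1) }
        END { if (v != "") print v }'
}

# console_start_cmd FILE PREFIX PROFILE TRACEFILE
# Prints the jlaunch line from step 6, but only for a Type=server node.
console_start_cmd() {
    [ "$(node_property "$1" "$2" Type)" = "server" ] || {
        echo "error: $2 is not a server node in $1" >&2
        return 1
    }
    printf 'jlaunch file=%s -nodeName=%s pf=%s -traceFile=%s -startMode=console\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed sample, not taken from a real system. The dispatcher and
# bootstrap entries are illustrative values for non-server nodes.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed instance.properties excerpt
ID169739400.Type=dispatcher
ID169739400.MaxHeapSize=64
ID169739450.Type = server
ID169739450.MaxHeapSize=128
bootstrap.Type=bootstrap
EOF

for p in $(server_prefixes "$sample"); do
    echo "server node: $p (MaxHeapSize=$(node_property "$sample" "$p" MaxHeapSize))"
done
```

On a system with several server nodes, server_prefixes prints one prefix per line; the note only requires stopping and restarting a single one of them.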

JControl and JLaunch

JControl Java Instance Controller

JControl: A native program that starts, stops, and monitors the processes of a Java instance (usually a dispatcher and several server processes). The program implements the SAP signal handling to stop the instance. JControl starts the JLaunch processes.

- JControl controls J2EE processes
- JControl is the master process of all J2EE worker processes
- Controls the lifecycle of the J2EE instance
- Restart of crashed processes
- Termination of hanging processes
- Sends shutdown signal to instance processes
- Responsible for starting the processes in the right order (bootstrapping..)
- Integration of different processes into one J2EE instance (SDM, ICM, ...)
- Provides the monitoring information in a shared memory segment
- Supports SAP profiles to share configurations with the ABAP Stack

JLaunch Java Program Launcher

JLaunch has the following tasks:
- Read the properties of the program to host
- Read the VM properties from the database during startup process
- Attach to the administration shared memory segment
- Load the shared library of the Java VM

JLaunch starts a Java program. It loads the JVM into its own address space and then represents the required cluster element. The program can receive notifications from the JControl process via named pipes to stop the cluster element, and terminates if JControl stops running (fork emulation under Windows).

JCMon Monitor Program


- Command line tool
- Overview about the instance and process state
- Local administration menu for the local instance and their processes
- Cluster administration menu for remote operations

------------------------------------------------------------
SAP System Name   : C11
SAP System        : 00
MS Host           : pcj2ee01
MS Port           : 3601
Process Count     : 4
PID of JControl   : 7244
State of JControl : All processes running
State inside MS   : All processes running
Admin URL         :
------------------------------------------------------------
|Idx |Name                |PID     |State               |Error |Restart |
|--- |------------------- |--------|--------------------|----- |------- |
| 0  |server0             | 5784   |Running             | 0    |yes     |
| 1  |server1             | 2216   |Running             | 0    |yes     |
| 2  |dispatcher          | 4748   |Running             | 0    |yes     |
| 3  |SDM                 | 436    |Running             | 0    |yes     |
------------------------------------------------------------

Jcmon is a J2EE instance monitor program. To start jcmon, enter the following with the adm user:
(a) jcmon pf=/usr/sap//sys/profile/__.
(b) Enter command 20 to display the main menu.

Start/Stop of Java Engine processes in ICM Monitor

You can use the ICM to manage the Java Engine as well. You can find the functions in the ICM monitor (Transaction SMICM or by choosing Administration -> System Management -> Monitor -> System Monitoring -> Internet Communication Manager); choose Administration -> J2EE Server on the initial screen. The following functions are available:

-> Sending a Soft Shutdown (With or Without a Restart): The (ABAP) dispatcher of the SAP Web Application Server sets the restart flag for the J2EE Engine and sends the SOFTSHUTDOWN message to the J2EE Engine. The dispatcher does not actively close the connection; the J2EE Engine must close itself instead. If the application server is restarted, the J2EE Engine is restarted by the dispatcher.
-> Sending a Hard Shutdown (With or Without a Restart): The (ABAP) dispatcher of the SAP Web Application Server sets the restart flag for the J2EE Engine and sends the HARDTSHUTDOWN message to the J2EE Engine. The dispatcher does not actively close the connection; the J2EE Engine must close itself instead. If the application server is restarted, the J2EE Engine is restarted by the (ABAP) dispatcher.
-> Ending the Process (With or Without a Restart): The SAP Web Application Server's dispatcher sets the restart flag for the J2EE Engine and sends a signal to the process (shell or Java process). If the application server is restarted, the J2EE Engine is restarted by the dispatcher.
-> Restart Yes/No: This sets the J2EE Engine's restart flag.

Starting and Stopping SAP with scripts (UNIX & Windows)


Starting the SAP System

startsap [db|r3|j2ee|ccms|all|check] [] []

Examples:
startsap - to start the whole system
startsap j2ee DVEBMGS00 - to start the J2EE-Engine of the instance DVEBMGS00. The instance name is required if more than one instance is configured.
startsap r3 - to start only the ABAP part of the system

Stopping the SAP System

stopsap [db|r3|j2ee|ccms|all|check] [] []

Examples:
stopsap - to stop the whole system
stopsap j2ee DVEBMGS00 - to stop the J2EE-Engine of the instance DVEBMGS00. The instance name is required if more than one instance is configured.
stopsap r3 - to stop only the ABAP part of the system

The start and stop of the SAP system are done using the scripts startsap and stopsap in the exe directory. You have to be logged on to the SAP system hosts as user adm.

If there are multiple SAP instances on one host (for example, a central instance and a dialog instance), you have to add an extra parameter to the scripts: startsap ; stopsap

For example, enter: startsap DVEBMGS00

SAP Web AS J2EE only system: The instance name (instance ID) of the central instance is JC, the instance name of a J2EE dialog instance is J.

To view all the processes, use the command: ps -ef | grep jlaunch

J2EE Startup Framework


The J2EE Startup and Control Framework
- is an infrastructure situated between the operating system and the Java VM
- is used to start, stop, and monitor a Java Instance
- loads the JVM and restarts processes which have died/crashed
- comprises the programs Jcontrol, Jlaunch and Jcmon

The Java startup and control framework comprises the programs JControl and Jlaunch. JLaunch is started by JControl and itself starts the bootstrap Java program or an element of the Java Instance (dispatcher or server process). Jcmon, in contrast, is a command line monitor program and is used to administrate the framework.

The Java startup and control framework is used to start, monitor, and stop a Java instance:
- Integration of Java Processes into the SAP instance concept
- Inherit all management concepts from the ABAP stack
- Integration into existing SAP instance management
- Control and Restart functionality of J2EE processes (Watchdog)
- Daemons for NT (sapserv.exe)
- Remote Control of all J2EE instances in the cluster
- Cluster wide management (shutdown, restart ...)
- Integration of the Startup Framework Client into the IDE
- Preparation of Remote Debugging Support

J2EE Engine - Profile Parameters

- icm/HTTP/j2ee_: Determines the ICM's communication with the J2EE Engine.
- exe/j2ee: Full path to JControl.
- rdisp/j2ee_error: Number of incorrect attempts to start a J2EE Engine before the restart is deactivated.
- rdisp/j2ee_start: Activates or deactivates starting the J2EE Engine.
- rdisp/j2ee_start_lazy:
  - If 1 and if rdisp/j2ee_start is set, the J2EE Engine is not started until the ABAP runtime environment has been fully initialized. This avoids problems that are caused by a long initialization phase.
  - If 0 (default), the J2EE Engine can be started without waiting for the ABAP initialization.
- rdisp/j2ee_timeout: Time span, the J2EE Engine must log on to the Web Dispatcher.

SDM Instance

Software Deployment Manager (SDM)


SDM Server

- started automatically as part of WEB AS 6.40
- one SDM Server per WEB AS 6.40 with J2EE Engine is necessary

SDM Interfaces

1) Commandline Interface (sdm.bat or sdm.sh)
   (a) A new SDM process is started each time a command is executed
   (b) No SDM Server may run at the same time (this is checked).
2) JAVA API (SDMclient.sda): needs a running SDM Server
3) SDM Gui (sdmgui.bat or sdmgui.sh): needs a running SDM Server

Another special instance is the one that installed the SDM (Software Deployment Manager). This one usually runs with the database and Central Services on the same machine and is then indicated as the central instance. The Software Deployment Manager (SDM) is a tool with which you can manage and deploy software packages that you receive from SAP or created with NetWeaver Developer Studio. The Software Deployment Manager (SDM) groups several different deployment types in a single network interface for the deployment of any software that you develop with the SAP NetWeaver Developer Studio. In all modes SDM is only able to handle one access at a time.

Java Instance Server Process

Server Process components:

Connection request handler receives the first request from a client. From this time point on, the client has a fixed connection to the dispatcher.

Session level services are services that are assigned to a session. Application-level services or the actual application program.

1) The Server Processes of the J2EE Engine actually execute the J2EE application. Each server process is multi-threaded, and can therefore process a large number of requests simultaneously. Java Dispatcher assigns requests to the server processes.

2) The jlaunch processes can easily be identified by their PID; the PID is also shown in monitoring tools such as the SAP Management Console.

Java Instance Java Dispatcher

Java Dispatcher components:
- Connection request handler receives the first request from a client. From this time point on, the client has a fixed connection to the dispatcher.
- Connection manager manages the existing connections to the clients.
- Session level services are services that are assigned to a session.
- Communication handler forwards the request to the server process. Accumulating requests are stored in the request queue.

1) A Java instance is a unit in the SAP Web Java cluster, which can be started, stopped, and monitored separately. It runs on a physical server; but it is also possible to run several instances on one server. An instance is identified by the system ID (SID) and the instance number.

2) One Java instance contains at least one Dispatcher and one Server Process, the Central Services (Message, Enqueue) and the SDM.

3) A Java instance is started and stopped by the Java Startup and Control Framework.

4) The Java dispatcher receives the client request and forwards it to the server process with the lowest capacity usage. If there is already a connection to the client, the request goes to the server process that processes this client.

5) Dispatcher processes are represented by jlaunch processes.

6) The Java Dispatchers do not communicate with each other; they are light applications used for load balancing to the local servers only.

7) Interprocess communication between a Dispatcher on one box and a Server on another box is not possible.

Locking Adapter in the Visual Administrator


With the Locking Adapter, checks and tests of the Enqueue Service can be done. The locking adapter service establishes the interface between the J2EE Engine and the enqueue service. You can display and manage locks, carry out tests, and display statistics.

The locking adapter service is available on each server process, but it is not available on the dispatcher. It connects to the Enqueue Service and fetches requested data or sends changed data to it. As there is only one enqueue server in the system, all the locking services of the various server processes have the same information. Therefore it is not important on which server process you use the locking adapter service.

Locks are used, for example, during deployment of applications. The configuration manager requests a lock from the Locking Manager. The Locking Manager in turn requests the lock from the Enqueue Service. The relevant area in the database is locked.

To look into the Locking Adapter, use the following path:
1. Start the SAP J2EE Engine visual administrator.
2. Choose Cluster -> Server 0 -> Services
3. Choose Locking Adapter

Choose the Runtime tab page to see a list of the functions offered in the locking adapter service:
- To display existing locks, choose Display Locks.
- To set and release locks, choose Create/Release Lock.
- To delete existing locks, select the locks and choose Delete Selected Locks.
- To run test programs, choose Run Tests. To run functional tests, choose Execute Functional Tests, and to run load tests, choose Execute Load Tests.
- To display files, choose View Files. You can view the profile data or the trace file of the lowest layer of the enqueue service. This is useful for looking for errors.
- To display statistics, choose Time Statistics.

Central Service - Enqueue Service

Enqueue Service manages logical database locks, which are set by the executed application program in a server process. Enqueue Service synchronizes data across the cluster.

The Enqueue service runs on the Central Services instance of the Java cluster. It manages the lock table in the main memory and receives requests for setting or releasing locks. It also maps the logical locks to the database. The Enqueue service can be configured for high availability by setting it up with the replication server and a platform-independent high availability solution. The status of the Enqueue service is made accessible to the administrator via the Locking Adapter Service in the Visual Administrator.

The terms Enqueue server and Enqueue service are used synonymously. The correct expression is that the Enqueue server is the program or process that provides the Enqueue service. The Enqueue Service is represented by an en.sap process.

Message Info Service in the Visual Administrator

The message info service is the interface between the J2EE Engine and the Message Service; it is used to monitor and administrate the message server. The message service doesn't communicate directly with the Message Server, but uses the cluster manager, which has a direct connection to the message server. The message info service is not automatically started when the J2EE Engine is started.

It should be started manually.

Using the SAP J2EE Engine visual administrator:
1. Choose Cluster -> Server 0 -> Services
2. Choose Message Info
3. Choose Start Service in the toolbar

Using the telnet console:
1. In the console where the server process is running, enter the command: startservice msp

The Message Info Service data should be used mostly for supportability purposes; be careful.

Web AS Java Cluster Architecture

One Java Engine installation consists of:
- One or more Java instances (Java Dispatcher, Server) and the Software Deployment Manager (SDM)
- The Central Services (Messaging Service, Enqueue Service), which also create an instance (Central Instance)
- An external database.

Changes in the architecture of the J2EE Engine have been made since 6.20:
- A J2EE Cluster now consists of a Central Service Instance. One Central Service Instance is required in the J2EE Cluster.
- The configuration of the J2EE Engines is now stored in a database. It is no longer stored in XML files in the file system. A database for the J2EE Cluster is required.
- A Startup and Stop Framework is used.

In a large Java cluster installation, the load is distributed from a load balancer onto the different Java dispatchers.

Central Service - Message Service


Tasks of the Message service:
- Notification of events that arise in the cluster.
- Communication between different services
- Forwarding of messages and requests to all participants (broadcast)
- Prepare logon information for the SAP Web Dispatcher
- Support for message server failover
- Guaranteed message transmission
- Exchange of cache information in the cluster

The Central Services run on one physical server and are one Java instance. They comprise the Message service and the Enqueue service. The Central Services form the basis of communication and synchronization for the Java cluster. Central Services are always required when a Java cluster is installed. They are started on a server with their own system number and the system ID (SID) of the whole system. When Central Services are running, further Java instances (Dispatcher, Server) are started with the program JControl

The message service is a separate program used for communication between the elements of a Java cluster. It keeps a list of all processes (dispatchers and server) of the Java cluster. It represents the infrastructure for data exchange (small datasets only) between the participating nodes. The message service also supplies information to the SAP Web Dispatcher about Load Balancing.

Processes on operating system level:
- NT: msg_server.exe
- UNIX: msg_server

Trace file: dev_ms in the work directory of the Central Service Instance

The settings and the status of the message service are made accessible to the administrator via the message Info Service in Visual Administrator, described below. Message server and Message Service are used synonymously. The correct expression would be that the Message Server is a process or program that provides the Message Service.

Activating the Emergency User SAP* in AS Java


1. Activate the SAP* user:
   a. Start the config tool.
   b. Set the following UME properties:

      Property                   Value        Comment
      ume.superadmin.activated   true         This activates the SAP* user.
      ume.superadmin.password    <password>   Enter any password of your choice. This defines the password for the SAP* user.

   c. Restart the AS Java.

   The SAP* user is now activated. While it is activated, all other users are deactivated. You can only log on with the SAP* user.

2. Fix your configuration as required, logging on with the user ID SAP* and the password you specified. Log on to identity management to unlock users or create a new administrator user.

3. When you have fixed your configuration, deactivate the SAP* user again.
   a. Start the config tool.
   b. Set the property ume.superadmin.activated to false.
   c. Restart the AS Java.

Activating emergency user in java only system

This article answers the following queries:
- How to unlock, if administrator user id got locked in a standalone java alone system?
- How to activate emergency user in java only system?
- How to handle, if administrator user id got locked in dual stack system?
- What are the scenarios in which emergency user SAP* to be activated?

In some cases, you might have configured user management incorrectly and can no longer log on to any application, or all administrator users got locked. In these cases, you can activate the emergency user SAP*, which enables you to log on to the application.

Process to be followed to activate emergency user SAP*

- Start the config tool
- Set the following User Management Engine (UME) properties:

  Property                   Value        Remarks
  ume.superadmin.activated   True         This activates SAP* user
  ume.superadmin.password    <password>   Enter the new password for SAP* user. This option is provided by SAP to ensure more security so that system is not accessible with default password

- Restart the AS Java

The SAP* user will now get activated and all other users will get deactivated. You can log on with the SAP* user and fix your configuration as per the requirement in cases of incorrect user management configuration. After that, go to identity management to unlock all the locked users.

After fixing the configuration issue, the SAP* user should be deactivated again as mentioned below:
- Start the config tool
- Set the property ume.superadmin.activated to false
- Restart the AS Java.

Please note that all of the above process to activate the emergency user is for a standalone java system.

How to handle, if administrator user id got locked in dual stack system?

In case of a dual stack installation, i.e. ABAP + JAVA stack, it is very easy. Please proceed as mentioned below to resolve the issue:
i) Log on to the ABAP system with any administrator user or the SAP* user
ii) Either create a new administrator user for the java stack or unlock the locked administrator user using SU01

SAP Web Dispatcher and its functions

SAP WEB DISPATCHER : SAP web dispatcher is used to distribute web requests. It is based on the same technology as SAP ICM (Internet Communication Manager). Please note that apart from web dispatcher, web requests can also be distributed through message server or ICM. However, these have only limited functionality and some disadvantages and are therefore not recommended by SAP. SAP web dispatcher is the SAP recommended process/method of distributing web requests as it has some advantages and additional functionality.

Demilitarized Zone (DMZ) : In computer networks, a DMZ is a computer or a small network inserted as a neutral zone between a company's private network and the outside public. It prevents external users from directly accessing the company's server and thus provides security. In the SAP scenario, the DMZ is a neutral zone inserted between the internet and the SAP NetWeaver Application Server so that external users from the internet cannot directly access the SAP NetWeaver Application Server. SAP Web Dispatcher runs within the DMZ.

Functions of SAP Web Dispatcher :
- Distribution of requests to both ABAP or Java application instances
- Denial of unwanted requests (i.e. request filtering)
- Buffering of web requests
- Ensures that customers can access the SAP system via one address
- Provides security as it runs in DMZ (Demilitarized zone)
- Handles distribution of both http and https requests.
