SAP Note

Header Data

Symptom

You want to change the passwords of the PI service users in PI Release 7.10 and higher.

Other Terms

PI service users, PIISUSER, PIDIRUSER, PIREPUSER, PIAFUSER, PILDUSER, PIRWBUSER, PIPPUSER, PI_JCO_RFC,

Reason and Prerequisites

During the PI installation, the PI service users are created in the R/3 System with names and passwords set during the installation and are added to the exchange profile. During the post installation steps (template installer), the users are maintained in different connections and transactions. If you want to change the passwords, you have to change the password for all these connections and transactions consistently.

Solution

Important Note:Password changes should not be done during normal operation of your dual-stack PI system. Reason for this is that therelevant user information required to communicate from the Adapter Engine (AE)to the ABAP Integration Engine (IE)arepersisted as part of the message itself. Hence if you have currently processing messages or a backlog of outbound messages (from AE to IE)during the password change, it might be that these messages fail and the user gets locked due to retries to send the message to IE. Also messages alreadyin error on your system will refer to the wrong credentials and can cause issues after the password change when/if they are restarted. Therefore we recommend to isolate the system during the change (stop all incoming messages as described in Note 870864) and ensure no outbound messages in error arepresent on your system.We arein the process of evaluating improvements in this area to avoid suchissues and will update the Noteonce a solution is available. This issue does not occur on Java only PI installations (AEX or PO) or for ICo scenarios running on your PI dual-stack.

Procedure:

First of all, compile a list of the names of the relevant users. To do this, we recommend to go through points 2 to 12 and to note down the users used there. If you also want to change the user for the sending business systems (PIAPPLUSER or a copy of this user) you have to be aware that you will have to change the password in all sending systems/adapters. The passwords must be changed at the following places:

1. Transaction SU01 in the R/3 system

Here, you must change the passwords on the R/3 ABAP side.

2. Exchange Profile - Server Settings

Call the PI exchange profile using:

http://: /dir/start/index.jsp

--> Administration --> Exchange Profile

Press the 'Connection' button and adjust the password accordingly for the user used here.

Important: If the system issues the error message 'Password logon no longer possible - too many failed attempts', check in transaction SU01 whether the user used under 'Connection' has already been locked, and unlock that user if necessary.

3. Exchange Profile

999962 - PI 7.10 and higher: Change passwords of PI service users

Version 9 Validity: 01.04.2014 - active Language English (Master)

Released On 01.04.2014 15:32:27 Release Status Released for Customer Component BC-XI Please use a sub-component Priority Recommendations / Additional Info Category Consulting

You must now change the passwords in all parameters of the exchange profile to make them available for the PI Java applications.

To do this, start the exchange profile as described in section 2, and adjust the changed passwords in all parameters.

4. SLDAPICUST

If a PI* user is set in transaction SLDAPICUST adjust the password for this user.

5. SM59 Destination INTEGRATION_DIRECTORY_HMI

In transaction SM59, adjust the password of the user used in HTTP destination to an ABAP system INTEGRATION_DIRECTORY_HMI.

6. SM59 Destination SAPXIPP*

In transaction SM59, adjust the passwords of the users used in the ABAP connections SAPXIPP*.

7. SLD Data Supplier in the J2EE

Log on to the SAP NetWeaver Administrator (http://:/nwa). Under "Configuration Management --> Infrastructure --> Destinations", check the user in destinations SLD_Client and SLD_DataSupplier. Only if a PI* user is set here change the password for the relevant user.

8. PMI store destination in the J2EE

Log on to the SAP NetWeaver Administrator (http://:/nwa). Under "Configuration Management --> Infrastructure --> Destinations", change the relevant user password in HTTP destination pmistore.

9. RFC destinations in J2EE

Log on to the SAP NetWeaver Administrator (http://:/nwa). Under "Configuration Management --> Infrastructure --> JCo RFC Provider" change the password in the RFC destinations AII_RUNTIME*, LCRSAPRFC* and SAPSLDAPI* if a PI* user is set there. Choose 'Save' to transfer the changes.

Important: If user SAPJSF is used here, do not change the password of this user, because it is also used in several J2EE applications. In this case, create a copy of user SAPJSF in transaction SU01 and use this copy in the JCo RFC Provider.

10. Destination in J2EE for secure communication ABAP-Java

Log on to the SAP NetWeaver Administrator (http://:/nwa). Under "Configuration Management --> Infrastructure --> JCo RFC Provider" check if the destination XI_EXCHANGE_PROFILE exists. If available change the password if a PI* user is set there. Choose 'Save' to transfer the changes.

11. SM59 connections for end-to-end monitoring

In transaction SM59, adjust the user password in all connections that start with PMI*. You have to adjust the connections both under 'ABAP Connections' and 'HTTP Connections to External Server'.

In addition, adjust the passwords in the systems where the destinations are pointing to, if this is not the PI itself.

12. SM59 connections for GRMG monitoring

In SM59, change the user password in all connections that start with XI_GRMG*. You have to adjust the connections under 'HTTP Connections to ABAP Systems' and under 'HTTP Connections to External Server'.

In addition, adjust the passwords in the systems where the destinations are pointing to, if this is not the PI itself.

13. Now restart the J2EE Engine.

14. Connections from sending business systems

In all sending systems, you must check whether you are using one of the service users to log on to the PI system, and change the passwords if necessary (PIAPPLUSER).

For this purpose, check the relevant SM59 destinations and logon data in the sending adapters.

If the sending system is a system with a release version < 7.00, note that you need to set the password in the XI system in accordance with the instructions in Note 807895 so that it is downward compatible. Alternatively, you can create a copy of the relevant service user for this special connection, assign the downward-compatible password to this user, and use this user for the connection.

Then check in transaction SU01 whether any users were locked during the changes as a result of failed logon attempts, and unlock these users if necessary.

Check Service Connections

After you have implemented the changes, carry out the Basic Checks from XI Readiness Check using Note 817920.

Validity

References

This document refers to:

SAP Notes

This document is referenced by:

SAP Notes (1)

Software Component From Rel. To Rel. And Subsequent

SAP_ABA 701 702

710 711

730 730

731 731

740 740

1309239 Configuration Wizard: PI NetWeaver initial setup

1309239 Configuration Wizard: PI NetWeaver initial setup