How does Authentication work in MDM4A?

All authentication between the MDM server and the ABAP system via MDM4A requires a server trust relationship: the SAP NetWeaver MDM Server(s) must trust their AS-ABAP counterparts. Trust is configured via two files on the SAP NetWeaver MDM server, allow.ip and deny.ip. These files contain the IP addresses of the AS-ABAP systems from which you want to control access.

The files allow.ip and deny.ip are normally placed directly in the same folder that holds your mds.ini (MDM Server configuration) file. However, if you need to place them in a different location (perhaps a centralized network share), you can configure their location in the mds.ini file. Use the entry TrustFiles Dir=<directory> to specify this location.

allow.ip and deny.ip must be flat, text-only files.

Entries in allow.ip and deny.ip can be wildcarded using the * character. You can NOT specify a bare * to allow all possible IP addresses; you must specify at least one subnet, i.e. at least 10.*

Rather than listing each IP address individually, most users will take advantage of the wildcard. If you want to allow access from all but a few IP addresses, you can combine allow.ip and deny.ip entries. For instance, you may wish to allow all servers in the 192.168.0.* range, but there may be a single "unsafe" machine in that subnet. You can then place the IP address of this "unsafe" machine in the deny.ip file; a deny.ip entry takes precedence over a matching allow.ip entry. This is useful to keep development or test servers from accidentally updating data in a production repository.

Any request from an IP address not listed in the allow.ip file is refused. If no allow.ip file can be read, all requests are refused.

Comments can be placed in the allow.ip and deny.ip files using the # character in the first column.
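The rules above (wildcard entries, no bare *, deny.ip overriding allow.ip, refusal when allow.ip is unreadable, # comments in the first column) can be put together into a small evaluator. The following is an added example written for this page, not SAP's own MDM server code; the sample file contents are constructed, and the exact wildcard semantics beyond the page's own examples ("10.*", "192.168.0.*") are an assumption: * is matched per dotted octet, a short form such as 10.* is padded to 10.*.*.*, and an illegal bare * line is skipped rather than invalidating the whole file.

```python
"""Evaluator for MDM4A-style allow.ip / deny.ip trust files.

Added example, not SAP code.  It models the rules stated on the page:
'*' wildcards, a bare '*' is not accepted, deny.ip overrides allow.ip,
a missing/unreadable allow.ip refuses everything, '#' in column 1 is a
comment.  Per-octet wildcard matching and skipping (rather than rejecting
the file for) an illegal bare '*' entry are assumptions.
"""
import ipaddress
from typing import List, Optional

# Constructed sample trust files (not taken from a real system).
ALLOW_IP = """\
# production AS-ABAP application servers
192.168.0.*
# one QA system that also needs access
10.20.30.40
# a bare "*" is not a legal entry and must not open the server to everyone
*
"""

DENY_IP = """\
# development box that happens to sit in the production subnet
192.168.0.77
"""


def parse_trust_file(text: Optional[str]) -> List[List[str]]:
    """Return the IP patterns in an allow.ip/deny.ip body as lists of fields.

    `None` stands for a file that could not be read.  Blank lines and lines
    with '#' in the first column are ignored.  Each field is a decimal octet
    or '*'; "10.*" is padded to "10.*.*.*" (assumption).  Any entry whose
    first field is '*' (including a bare "*") is dropped, because the page
    requires at least one leading octet.
    """
    patterns: List[List[str]] = []
    if text is None:
        return patterns
    for raw in text.splitlines():
        line = raw.strip()
        if not line or raw.startswith("#"):
            continue
        fields = line.split(".")
        if len(fields) < 4 and fields[-1] == "*":
            fields += ["*"] * (4 - len(fields))
        if len(fields) != 4 or fields[0] == "*":
            continue
        if all(f == "*" or (f.isdigit() and int(f) <= 255) for f in fields):
            patterns.append(fields)
    return patterns


def _octets(ip: str) -> Optional[List[int]]:
    """Parse a dotted IPv4 address; None if it is not a valid address."""
    try:
        return [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    except ipaddress.AddressValueError:
        return None


def matches(pattern: List[str], octets: List[int]) -> bool:
    """True if every pattern field is '*' or equals the address octet."""
    return all(p == "*" or int(p) == o for p, o in zip(pattern, octets))


def is_trusted(ip: str, allow_text: Optional[str], deny_text: Optional[str]) -> bool:
    """Apply the page's rules: an unreadable allow.ip refuses everything,
    the address must match an allow.ip entry, and a deny.ip match removes it."""
    octets = _octets(ip)
    if octets is None or allow_text is None:
        return False
    if not any(matches(p, octets) for p in parse_trust_file(allow_text)):
        return False
    return not any(matches(p, octets) for p in parse_trust_file(deny_text))


if __name__ == "__main__":
    for addr in ("192.168.0.10", "192.168.0.77", "10.20.30.40", "10.20.30.41", "203.0.113.9"):
        verdict = "accepted" if is_trusted(addr, ALLOW_IP, DENY_IP) else "refused"
        print(f"{addr:>14}: {verdict}")
    print("no readable allow.ip:", is_trusted("192.168.0.10", None, DENY_IP))
```

Running the script shows 192.168.0.77 refused despite matching the 192.168.0.* allow entry, 10.20.30.41 refused because the bare * line was not honoured, and everything refused when allow.ip is unreadable. Use it to sanity-check a proposed allow.ip/deny.ip pair before deploying it next to mds.ini.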

Once the server trust relationship is established, authentication is simple. Because of the trust relationship, no passwords are passed through MDM4A; the AS-ABAP user identity (SY-UNAME) is passed through the MDM4A interface automatically. A repository user with the same ID must exist on the SAP NetWeaver MDM server side for a role to be assigned to the request. Alternatively, user mapping is possible using the LDAP connectivity of the SAP NetWeaver MDM Server. Note that the MDM server accepts the asserted SY-UNAME solely on the strength of the caller's IP address, so every host matched by allow.ip can effectively act as any repository user; keep the allow list as narrow as the landscape permits and use deny.ip for any non-production system that shares a trusted subnet.
