Skip to Content
Author's profile photo Former Member

MDM Java API 2 an introductive series part III


After a big crash of my Laptop hard drive I had to rebuild my system, so I am a little behind my time schedule now. Never the less I will try to hurry up and post my next two Blogs till the end of this year before Project work gets a hold of me again. First I hope everyone of you out there had a marry Christmas! Hope the days were very regenerating and that you will be able to take a deep breath and hold still before work will start again.

Connecting MDM Part II

Getting the Session in a SSO Scenario:

In my last Blog I showed you how to get a connection to the MDM Server. On top of this connection we set up a User Session addressing a repository and authenticated the session towards the repository.

Authenticating User Session

Thinking of a scenario like SSO where we might not want to authenticate the User towards the repository with Username and Password again, there could be a need to have an alternative method to authenticate the user session without password. If the application we build runs in an SAP Enterprise Portal, we do not have the password of the user in clear text ( only hash) unless we make a system mapping in the User Management Engine for the MDM System.
So how can we arrange to authenticate the user session without a password. This is very simple and can be done by building a trust relation between the Client (e.g. Portal Server) and the MDM Server. This trust relation is build by telling the MDM Server which IP addresses to trust. So the next question will be how to tell the MDM Server the IP addresses of the trusted clients. As usual this is done with a configuration file called “allow.ip” and the counterpart is “deny.ip”. Those two files tell the MDM Server who to trust and is a plain text file which is not present after the installation of the MDM Server.
A sample file with the name allow.ip could look like followed:

As you can see wildcards are allowed in the file. Maybe in the range specified might be a host that should not be trusted, you can place the IP address of that host in the deny.ip file and it will not be trusted then.

So where should this file be put then? The easiest way is to put the file in the same folder on the hard disk where the mds.ini file resides.
e.g. C:Program FilesSAP MDM 5.5Server

If you want to place the files in a different location you need to add a line to the mds.ini file like:
TrustFiles Dir=C:{path}something
Where both the files (allow.ip and deny.ip) should be put then.

For a detailed description please see the following link on page 9 and 10 of the document. (Source SDN)

How To identify identical master data records using SAP MDM 5.5 ABAP API’s


Also see:
Wiki entry on allow.ip


I have tested the method and it worked fine for my application.
On my project where I used the code we had the following setup. My application was running on a SAP Portal, where the username can be read from the portal context but not the password. There is the same username on portal as in the MDM Server. I used this method with the username from Portal to authenticate the users to the MDM Server / repository.
Let me show you some code you could use to authenticate a user session using a trusted connection or if the connection is not trusted fall back to normal authentication.

  * Create and authenticate a new user session  to an MDM repository.
  * @throws ConnectionException
  *              is propagated from the API
  * @throws CommandException
  *              is propagated from the API
  public  String getAuthenticatedUserSession(ConnectionAccessor mySimpleConnection)  throws ConnectionException, CommandException{

     * We need a RepositoryIdentifier to connect to  the desired repository
     * parameters for the constructor are:
     * Repository name as string as read in the MDM  Console in the "Name" field
     * DB Server name as string as used while  creating a repository
     * DBMS Type as string - Valid types are: MSQL,  ORCL, IDB2, IZOS, IIOS, MXDB
     RepositoryIdentifier  repId = new RepositoryIdentifier(RepositoryNameAsString,
     DBServerNameAsString,  DBMSTypeAsString);
     //  Create the command to get the Session
     CreateUserSessionCommand  createUserSessionCommand = new CreateUserSessionCommand(connection);
     //  Set the identifier
     //  Set the region to use for Session - (Language)
     //  Execute the command
     //  Get the session identifier
     String  session = createUserSessionCommand.getUserSession();

     // Authenticate  the user session
     try {
       // Use  command to authenticate user session on trusted connection
       TrustedUserSessionCommand  tuscTrustedUser =
       new TrustedUserSessionCommand(mySimpleConnection);
       //  Set the user name to use
       session =  tuscTrustedUser.getSession();
     } catch ( e) {
       /* In Case the Connection is  not Trusted */
       AuthenticateUserSessionCommand  authenticateUserSessionCommand =
       new AuthenticateUserSessionCommand(connection);
     //  For further information see:
     //  Create the normalization command
     SetUnicodeNormalizationCommand  setUnicodeNormalizationCommand =
     new  SetUnicodeNormalizationCommand(     mySimpleConnection);
     //  Set the session to be used
     //  Set the normalization type
     //  Execute the command
     //  Return the session identifier as string value
     return  session;

But at the end I also have to tell you the critical aspect of this method. If you create a trusted relationship between some host and the MDM Server, you have to keep in mind that any code could be executed on the MDM Server if the admin username is known. So anyone can get access with full admin privileges only by knowing the administrator name on MDM side. So you have to make sure that only authorised persons can access the host and / or deploy code to it. In my project this was not very critical, because the access to the host running my application was very restricted. Only and hand full of people were allowed to deploy applications and all of them were absolute trustworthy.

If you are in need o 

So far so good. Hope this will help you to implement an SSO szenario with MDM.

In my next Blog before I will get to data manipulation I want to give you some tip on accessing MDM System information in a SAP Portal with some very useful forum thread I found. Then I will lead to data manipulation (CRUD) with some examples. The first steps will be searching in MDM.

Best regards,


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks for so much of information...
      I have tried to test this. I have MDM and EP both running on the same sandbox instance. I have placed the allow.ip file in the C:\Program Files\SAP MDM 5.5\Server folder. In this allow.ip file I have mentioned both IP address of the sandbox system and "localhost". Next, I deployed a WS that uses new MDM API. For user authantication I have used TrustedUserSessionCommand. Finally when I execute ... I get the error message The connection is not trusted. 

      Author's profile photo Former Member
      Former Member
      Hello Vijendra,
      there are two important things to take care of!

      1. Please restart the MDM Server service before you try to access the MDM via trusted connection.

      2. please be sure to have the allow.ip file named right! (Make sure that in Windows the "Hide Extensions for known file types" Option is disabled in Windows Explorer Folder options. It could be possible that it appears to be named like allow.ip but in reality the name is allow.ip.txt because Windows hides the .txt extension.

      Please contact me again if the exception still continous to appear after checking those two options!

      Best regards,


      Author's profile photo Former Member
      Former Member
      Hi Tobi

      Thanks for the reply.

      I have restarted the MDM server and also verified the file extension. Still getting the same error when I execute my Web Service. Hey this WS... I am executing from http://localhost:50100/wsnavigator

      Author's profile photo Former Member
      Former Member
      Hi Vijendra,
      ok so let's try to get the config clear...

      the allow.ip file has to include the IP adress of the machine that is trying to acces the MDM.

      Let my put it in an example:

      The WebAS which is running the WebService for example has the IP it might be on the machine that you are working on so it also has the adress localhost but will access the MDM Server via the

      The MDM Server that will be accessed has the IP

      So the allow.ip file has to have the external IP of the WebAS ( included as a single line in the file.

      If you will make any changes to the allow.ip file please keep in mind to restart the MDM Service.

      Hope this will help to understand! If not please explain the testing environment in detail!
      Givin the IPs and the setup. (On which host is runnig the WebAS and the MDM Server)

      Best regards,


      Author's profile photo Former Member
      Former Member
      I have tried what you just suggested .. its still not working for me.
      The MDM 6.0 Patch 0 & WAS (EP 7 SP6) are on the same system. right now I have in addition to wifi internet connection also enabled a loop-back adapter.
      Start-->CMD-->IP COnfig:-

              Connection-specific DNS Suffix  . :
              IP Address. . . . . . . . . . . . :
              Subnet Mask . . . . . . . . . . . :
              Default Gateway . . . . . . . . . :

      Ethernet adapter Local Area Connection:

              Media State . . . . . . . . . . . : Media disconnected

      Ethernet adapter {F72300F5-C1F4-4C6A-8589-37D2A1A67B1E}:

              Connection-specific DNS Suffix  . :
              IP Address. . . . . . . . . . . . :
              Subnet Mask . . . . . . . . . . . :
              Default Gateway . . . . . . . . . :

      Ethernet adapter Local Area Connection 2:

              Connection-specific DNS Suffix  . :
              Autoconfiguration IP Address. . . :
              Subnet Mask . . . . . . . . . . . :
              Default Gateway . . . . . . . . . :


      Author's profile photo Former Member
      Former Member
      Hey thanks for pointing the IP's .. I have put instead of localhost in allow.ip file and it worked. Thanks a lot for your help.
      Author's profile photo Former Member
      Former Member
      I created MDM ststem in the SAP Portal and tested connection with User Mapping, it worked fine. Then I saw ur blog, put the IP address in to the allow.ip and put it in to the folder where mds.ini file exists. But when I do the test connection in to the Portal, I fails.

      Whay may be the issue?

      Warm Regards,

      Author's profile photo Former Member
      Former Member
      Hi Karan,
      as far as I know it is not possible to use the trusted connection with the MDM portal content.
      So you always have to use the User-Mapping in the portal to get the content up and running.

      As far as I know trusted Connections will be availible with MDM 7.1 but will be called Single Sign On.

      Best Regards,