and Configura tion Guidepublic.dhe.ibm.com/software/security/products/isim/adapters/igi/igi... · certificate into the Person Security Envir onment of the adapter ..... . 44 Allowing

IBM Security Identity Governance and Intelligence

SAP NetWeaver Adapter Installationand Configuration Guide

IBM

IBM Security Identity Governance and Intelligence

SAP NetWeaver Adapter Installationand Configuration Guide

IBM

ii IBM Security Identity Governance and Intelligence: SAP NetWeaver Adapter Installation and Configuration Guide

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Chapter 1. Overview . . . . . . . . . 1Features . . . . . . . . . . . . . . . . 1Architecture . . . . . . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Identity Governance andIntelligence . . . . . . . . . . . . . . . 5Prerequisites . . . . . . . . . . . . . . 6Installation worksheet . . . . . . . . . . . 7

Chapter 3. Installing . . . . . . . . . 9Pre-installation tasks . . . . . . . . . . . . 9Installing the dispatcher . . . . . . . . . . 10Installing the adapter style sheets . . . . . . . 10Installing the adapter binaries or connector . . . . 11Installing the SAP Java Connector (JCo) . . . . . 11Enabling the SAP Java Connector (JCo) trace . . . 12Adapter profile . . . . . . . . . . . . . 13Enabling Unicode . . . . . . . . . . . . 14CUA configuration settings . . . . . . . . . 15Verifying the adapter installation . . . . . . . 15Restarting the adapter service . . . . . . . . 16Importing the adapter profile . . . . . . . . 17Importing attribute mapping file . . . . . . . 18Adding a connector . . . . . . . . . . . 18Enabling connectors . . . . . . . . . . . 20Reviewing and setting channel modes for each newconnector . . . . . . . . . . . . . . . 21Attribute Mapping . . . . . . . . . . . . 22Service/Target form details . . . . . . . . . 23

ADAPTER DETAILS TAB . . . . . . . . 23SAP CONNECTION DETAILS TAB . . . . . 24SAP ROLE DETAILS TAB . . . . . . . . 26ADD ADVANCED MAPPING TAB . . . . . 26MODIFY ADVANCED MAPPING TAB . . . . 26DELETE ADVANCED MAPPING TAB . . . . 26SUSPEND ADVANCED MAPPING TAB . . . 26RESTORE ADVANCED MAPPING TAB . . . . 27CHANGE PASSWORD ADVANCED MAPPINGTAB . . . . . . . . . . . . . . . . 27RECONCILIATION ADVANCED MAPPING TAB 27DISPATCHER ATTRIBUTES TAB . . . . . . 27

Connection test . . . . . . . . . . . . . 28

Verifying that the adapter is working correctly . . 28

Chapter 4. Upgrading . . . . . . . . 29Upgrade of the adapter from version 5.1.4 or older 29SAP JCo upgrade . . . . . . . . . . . . 29

Chapter 5. Configuring . . . . . . . . 31Customizing the adapter profile . . . . . . . 31XSL style sheets . . . . . . . . . . . . . 32BAPI method execution with stateful connection . . 39Customizing the SAP NetWeaver Adapter . . . . 39Support for SAP productive passwords . . . . . 40Configuring Secure Network Communicationbetween the adapter and SAP NetWeaver AS ABAP . 41

Installing the SAP Cryptographic Library . . . 41Creating a Person Security Environment for theadapter . . . . . . . . . . . . . . . 42Importing the public certificate of the adapterinto the SAP NetWeaver AS ABAP PersonSecurity Environment . . . . . . . . . . 43Importing the SAP NetWeaver AS ABAP publiccertificate into the Person Security Environmentof the adapter . . . . . . . . . . . . 44Allowing the user account of the adapter toconnect to SAP NetWeaver AS ABAP by usingSecure Network Communication . . . . . . 44Setting optional RFC connection parameters forthe adapter . . . . . . . . . . . . . 45Verifying the Secure Network Communicationsetup . . . . . . . . . . . . . . . 46

Configuring the adapter to send only the role nameto SAP . . . . . . . . . . . . . . . . 47

Chapter 6. Troubleshooting . . . . . . 49Techniques for troubleshooting problems . . . . 49Logs . . . . . . . . . . . . . . . . . 51Error messages and problem solving . . . . . . 51Reconciliation of supporting data . . . . . . . 54Improving reconciliation operation performance . . 55

Chapter 7. Uninstalling . . . . . . . . 57

Chapter 8. Reference . . . . . . . . 59Adapter attributes and object classes . . . . . . 59Special attributes . . . . . . . . . . . . 62Adapter configuration properties . . . . . . . 64

Index . . . . . . . . . . . . . . . 65

iii

iv IBM Security Identity Governance and Intelligence: SAP NetWeaver Adapter Installation and Configuration Guide

Figures

1. The architecture of the SAP NetWeaver Adapter 22. Example of a single server configuration . . . 3

3. Example of multiple server configuration 3

v

vi IBM Security Identity Governance and Intelligence: SAP NetWeaver Adapter Installation and Configuration Guide

Tables

1. Prerequisites to install the adapter . . . . . 62. Required information to install the adapter 83. Adapter components . . . . . . . . . 154. Prerequisites for enabling a connector . . . . 205. Names supported by SAP RFC API . . . . 256. SAP version support . . . . . . . . . 41

7. Attributes and values . . . . . . . . . 478. XSL file names for a non-CUA system. . . . 479. XSL file names for a CUA system . . . . . 48

10. Error messages and problem descriptions 5211. Supported account attributes . . . . . . . 59

vii

viii IBM Security Identity Governance and Intelligence: SAP NetWeaver Adapter Installation and Configuration Guide

Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® SecurityIdentity server. The SAP NetWeaver Adapter uses the functionality of Tivoli®

Directory Integrator to enable communication between the IBM Security Identityserver and the SAP NetWeaver Application Server ABAP server.

Adapters can be installed on the managed resource. The IBM Security Identityserver manages access to the resource by using the security system. Adaptersfunction as trusted virtual administrators on the target operating system. Theadapter creates, suspends, restores user accounts, and other functions thatadministrators run manually. The adapter runs as a service, independently ofwhether you are logged on to the IBM Security Identity server.

FeaturesThe adapter automates several administrative and management tasks.v Creating users and groupsv Modifying users' attributesv Changing user account passwordsv Suspending, restoring, and deleting user accountsv Reconciling users and user attributes

In some cases, the standard features and functionality of SAP may not satisfybusiness requirements. The adapter supports configurable extension andcustomization for you to map the adapter to your desired requirements. Theprimary mechanism enabling this is XSL stylesheets, which can be installed withthe adapter.

ArchitectureSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.

communicates with the SAP NetWeaver Adapter to manage SAP NetWeaver ASABAP user accounts.

You can perform the following actions on an account:v Addv Change Passwordv Deletev Modifyv Restorev Searchv Suspend

The SAP NetWeaver Adapter consists of Tivoli Directory Integrator AssemblyLines.When an initial request is made by IBM Security Identity server to the adapter, theAssemblyLines are loaded into the . As a result, subsequent service requests do notrequire those same AssemblyLines to be reloaded.

1

The AssemblyLines use the Tivoli Directory Integrator SAP User connector andRFC functional component to enable user management-related tasks on the SAPNetWeaver AS ABAP. It does this enablement remotely by using the login ID andpassword of a user that has administrator privileges.

The following figure describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

Supported configurationsThe adapter supports both single and multiple server configurations.

The fundamental components of the SAP NetWeaver Adapter environment are:v An IBM Security Identity serverv An IBM Tivoli Directory Integratorv The SAP NetWeaver Adapter

Forming part of each configuration, the SAP NetWeaver Adapter must physicallyreside on the machine that is running the IBM Tivoli Directory Integrator Server.

The SAP Java™ Connector (JCo) component must also be installed on the same JavaRuntime Environment (JRE) as used by IBM Tivoli Directory Integrator. See theappropriate SAP JCo guides for instructions on how to install and configure theSAP JCo Runtime Environment.

Single server configurationIn a single server configuration, install the IBM Security Identity server, theIBM Tivoli Directory Integrator server, and the SAP NetWeaver Adapter onone server to establish communication with the SAP NetWeaverApplication Server ABAP server. The SAP NetWeaver Application ServerABAP server is installed on a different server as described Figure 2 onpage 3.

Tivoli DirectoryIntegrator Server

IBMSecurityIdentityServer

RMI CallsDispacher

Assembly Lines

SAP Connector/FunctionalComponent

SAPNetWeaveAS ABAP

SAP Jco

Figure 1. The architecture of the SAP NetWeaver Adapter

2 IBM Security Identity Governance and Intelligence: SAP NetWeaver Adapter Installation and Configuration Guide

Multiple server configurationIn multiple server configuration, the IBM Security Identity server, the SAPNetWeaver Adapter, and the SAP NetWeaver Application Server ABAPserver are installed on different servers. Install the IBM Tivoli DirectoryIntegrator server and the SAP NetWeaver Adapter on the same server asdescribed Figure 3.

The SAP NetWeaver Adapter is both highly configurable and highly customizable.Note that support can only extend to the configuration of the adapter such asadding mapping for additional attributes and XSL stylesheets. Support cannotextend to customization by way of changes, additions or modifications to its IBMTivoli Directory Integrator Assembly Line scripts for example.

IBM SecurityIdentity Server

Tivoli DirectoryIntegrator Server

Adapter

Managedresource

Figure 2. Example of a single server configuration

IBM SecurityIdentity Managerserver

Security DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of multiple server configuration

Chapter 1. Overview 3


Chapter 2. Planning

Installing and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Identity Governance and Intelligence

Follow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.

Note: There is a separate instruction for installing, upgrading or uninstallingadapters from the IBM Security Identity Governance and Intelligence virtualappliance.

Pre-installation

Complete these tasks.1. Verify that your environment meets the software and hardware requirements

for the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. See

Installation worksheet.

Installation

Complete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Load attribute mapping.8. Set account defaults.9. Create an adapter service/target.

10. Install the adapter language package.11. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a full installation of the adapter. Follow the Installationroadmap.

Configuration

Complete these tasks.1. Configure secure communication between the IBM Security Identity server and

the adapter.

5

a. Configure 1-way authentication.b. Configure 2-way authentication.

2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.

3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.

Troubleshooting

See the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solving

Uninstallation

Complete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.

Reference

See the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes

PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.

Table 1 identifies the software and operating system prerequisites for the adapterinstallation.

Ensure that you install the adapter on the same workstation as the IBM TivoliDirectory Integrator server.

Table 1. Prerequisites to install the adapter

Prerequisite Description

Operating System The SAP NetWeaver Adapter can be used onany operating system that is supported byTivoli Directory Integrator.

Network Connectivity TCP/IP network


Table 1. Prerequisites to install the adapter (continued)

Prerequisite Description

System Administrator authority To complete the adapter installationprocedure, you must have systemadministrator authority.

Directory Integrator v IBM Tivoli Directory Integrator Version7.1.1 + 7.1.1-TIV-TDI-FP0004 +7.2.0-ISS-SDI-LA0008

v IBM Security Directory Integrator Version7.2

Note:

v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolveany communication errors, you mustupgrade your Directory Integrator releaseto the versions that the adapter officiallysupports.

v The adapter supports IBM SecurityDirectory Integrator 7.2, which is availableonly to customers who have the correctentitlement. Contact your IBMrepresentative to find out whether youhave the entitlement to download IBMSecurity Directory Integrator 7.2.

IBM Security Identity server The following servers are supported:

v IBM Security Identity Manager serverVersion 6.0

v IBM Security Identity Manager serverVersion 7.0

v IBM Security Privileged Identity ManagerVersion 2.0

v IBM Security Identity Governance andIntelligence server Version 5.2.2

Dispatcher For Tivoli Directory Integrator Server 7.1,obtain the dispatcher installer from the IBMPassport Advantage® Web site:http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.

SAP NetWeaver Application Server ABAPwith SAP Basis Component

See the Adapter for SAP NetWeaver AS ABAPRelease Notes®.

SAP JCo 3.0.9

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.

Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.

Chapter 2. Planning 7

http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm


Table 2. Required information to install the adapter

Required information Description

Administrator account on themanaged resource for running theSAP NetWeaver Adapter.

An administrator account on the managed resource thathas administrative rights. For example, you want tomanage Resource1 and the SAP NetWeaver Adapter isinstalled on Resource1, then Admin1 account must havea Role containing the following SAP authorizationobjects:

v S_RFC

v S_RFCACL

v S_TABU_DIS

v S_USER_GRP

v S_USER_AGR

v S_USER_PRO

v S_USER_SYS


Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.

Pre-installation tasksBefore you install the adapter, ensure that you complete the preliminary tasks.v Verify that your site meets all the prerequisite requirements.v Obtain a copy of the installation software.v Obtain system administrator authority.

You must also perform the following tasks:

Download the SAP Java Connector (JCo)The adapter requires access to the SAP Java Connector (JCo) API at runtime. This API must be downloaded from the SAP support portal.

Access to this website requires authentication with a valid SAP support ID(S-ID). Contact your SAP marketing representative to obtain one of theseIDs.

Check JCo dependencies in current Tivoli Directory Integrator environment

The adapter supports JCo 3.0.9, 3.0.11 and 3.0.12. The version of JCo usedby the adapter is updated to 3.0.x.x. The adapter no longer works with JCo2.1.x. If the adapter is used in the same Tivoli Directory Integrator JVMinstance as the SAP connectors that are provided with Tivoli DirectoryIntegrator, you need to have both 3.0.x.x and 2.1.x versions of the JCoinstalled. If the adapter is used in a single Tivoli Directory Integrator JVMinstance, remove the existing JCO 2.1.x package and then install the JCo3.0.x.x package.

Remove JCo 2.1.x from Tivoli Directory IntegratorIf there are no dependencies on an earlier version of JCo such as Version2.1.8 by other connectors in the Tivoli Directory Integrator environment,the following files can be removed.

WindowsITDI_HOME/jars/3rdparty/others/sapjco.jarITDI_HOME/libs/sapjcorfc.dllITDI_HOME/libs/librfc32.dll

Unix/LinuxITDI_HOME/jars/3rdparty/others/sapjco.jar

Create a SAP Service User Account on the target SAP NetWeaver ApplicationServer ABAP

The adapter requires a service account on the target SAP NetWeaverApplication Server ABAP to perform account provisioning operations. Logon to the target SAP NetWeaver Application Server ABAP. Create a useraccount of type “SERVICE”, which can be used by the adapter when it iscommunicating with SAP.

9

http://service.sap.com

The SAP user account that is used by IBM Security Identity Governanceand Intelligence to connect to your SAP system must have authorization toperform the following user administration tasks:1. Add, Modify, Delete, Lock, Unlock, and Search SAP user accounts.2. Retrieve supporting data through the SAP system database tables.

At a minimum, this account requires assignment of roles that contain thefollowing SAP authorization objects:v S_RFCv S_RFCACLv S_TABU_DISv S_USER_GRPv S_USER_AGRv S_USER_PROv S_USER_SYSv P_ORGIN(If HR linking extensions are used)

Within the Authorization Objects, assign the wildcard “*” so that allActivities are possible.

CUA Configuration settingsIf the adapter is to be deployed against a CUA master server, usetransaction SCUM on the target CUA master system to set the followingdistribution parameters.v Logon data -> Initial password == “Everywhere”v Lock -> Unlock globally == “Global”v Lock -> Lock globally == “Global”

Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.

If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.

Installing the adapter style sheetsThe SAP NetWeaver Adapter requires a set of style sheets, which are used by theadapter’s IBM Tivoli Directory Integrator assembly lines.

About this task

The adapter style sheets must be copied from the SAP NetWeaver Adapter packageto an xsl directory as follows:



Procedure1. If the Dispatcher is installed on solution directory (for example, timsol),

navigate to that directory. Otherwise, navigate to the ITDI_HOME directory.2. Create a directory with the name xsl, if one does not already exist.3. Copy the files from the tdi/xsl directory of the adapter package to the xsl

directory of the IBM Tivoli Directory Integrator solution directory, orITDI_HOME directory, depending on your Dispatcher installation.

Installing the adapter binaries or connectorThe SAP NetWeaver Adapter ships with additional IBM Tivoli Directory Integratorcomponents.

About this task

These are specific to the SAP NetWeaver Adapter, not general-purpose IBM TivoliDirectory Integrator components. Install these components as follows:

Procedure1. Copy tdi/connectors/*.jar from the adapter package to the

ITDI_HOME/jars/connectors directory.2. Copy tdi/functions/*.jar from the adapter package to the

ITDI_HOME/jars/functions directory.

Installing the SAP Java Connector (JCo)The connector might or might not be available with the base Tivoli DirectoryIntegrator or Security Directory Integrator product. The connector is required toestablish communication between the adapter and the Dispatcher. After youdownload the JCo package, unpack the contents and then follow these instructions.

About this task

The SAP NetWeaver Adapter is tested and certified by using Java Connector,version 3.0.13. It is the same JCo version that SAP made available at the time whenthis adapter was released.

Note: SAP might release a newer version of JCo before the next release of theadapter and might remove JCo version 3.0.13 from download. The newer versionof JCo might work as is with the adapter. If there are any issues that are relateddirectly to the newer version of JCo, it will be addressed in the next release of theadapter.

Procedurev Windows:

1. Copy the sapjco3.jar file into ITDI_HOME/jars/3rdparty/others.2. Copy the sapjco3.dll file into ITDI_HOME/libs. On Windows, JCo 3 requires

additional Microsoft Visual C++ 2005 libraries to be installed. Installationdetails for the package that contains these libraries are specified in MicrosoftKnowledge Base article 973544.

3. Restart the adapter service.v UNIX or Linux:

Chapter 3. Installing 11

1. Create a symbolic link to the sapjco3.jar file in ITDI_HOME/jars/3rdparty/others:ln -s <sapjco_install_dir>/sapjco3.jar

ITDI_HOME/jars/3rdparty/others/sapjco3.jar

2. Add the SAP JCo installation directory to the dynamic library path:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<sapjco_install_dir>export LIBPATH=$LIBPATH:<sapjco_install_dir>

3. Restart the Dispatcher. For assistance, see “Restarting the adapter service” onpage 16.

Note: These steps ensure that the sapjco3 libraries are included in theexecutable path and in the loadable library path, when required. Theenvironment variable for dynamic library path and the command forrestarting the Dispatcher might vary on different UNIX operation systems.

v Linux on System z 64-bit architecture (s390x)

1. Create a symbolic link to the sapjco3.jar file in ITDI_HOME/jars/3rdparty/others:ln -s <sapjco_install_dir>/sapjco3.jar

ITDI_HOME/jars/3rdparty/others/sapjco3.jar

2. Add the SAP JCo installation directory to the dynamic library path:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<sapjco_install_dir>export LIBPATH=$LIBPATH:<sapjco_install_dir>

3. SAP JCo is supported on Linux on System z only for 64-bit architecture. TheIBM Tivoli Directory Integrator is packaged only with the 31-bit version ofJava. Additionally, it must be configured to run with the 64-bit version ofJava. The following steps change the JVM for the complete IBM TivoliDirectory Integrator instance, not only for the Dispatcher.a. Stop the Dispatcher:

/etc/init.d/ITIMAd stop

b. Install the IBM Java 1.5 64-bit release (for exampleibm-java2-s390x-5.0.9.rpm)

4. Change the IBM Tivoli Directory Integrator JRE to become 64 bit:mv ITDI_HOME/jvm/jre ITDI_HOME/jvm/jre32ln -s JAVA_1.5_64BIT_HOME/jre ITDI_HOME/jvm/jre

5. Start the Dispatcher:/etc/init.d/ITIMAd start

Enabling the SAP Java Connector (JCo) traceActivate traces to get more information that can help you analyze errors that arerelated to connection issues.

Procedure1. Navigate to the IBM Tivoli Directory Integrator adapters solution directory. For

example, ITDI_HOME\timsol.2. Open the file in an editor.

For Windows operating systemsOpen the file ibmdiservice.props

For UNIX or Linux operating systemsOpen the file ibmdisrv

3. Edit the following property:


v For Windows operating systemsjvmcmdoptions=-Djco.trace_level=10 -Djco.trace_path=E:\jco_trace\ -Djco.rfc=1

Where:

-Djco.trace_level=NThe trace level can be 0 - 10, where 10 being the most detailed trace.

-Djco.trace_path=<PATH>If a trace path is set, the JCo traces are written to one or multiple filesthat are named JCO<date>_<time>.<no>.trc in thespecified PATH directory. Otherwise, the JCo traces are written to thestandard output stream, where, by default is an output to the console.

Note: The jco_trace directory must be available.

-Djco.jrfc=1If set to 1, JCo trace is enabled for all connections. This configurationshould be the last resort.

v For UNIX or Linux operating systems-Djco.trace_level=10 -Djco.trace_path=/opt/jco_trace/ -Djco.rfc=1

Where:

-Djco.trace_level=NThe trace level can either be 0 or 10, where 10 being the most detailedtrace.

-Djco.trace_path=<PATH>If a trace path is set, the JCo traces are written to one or multiple filesthat are named JCO<date>_<time>.<no>.trc in thespecified PATH directory. Otherwise, the JCo traces are written to thestandard output stream, where, by default is an output to the console.

Note: The jco_trace directory must be available.

-Djco.jrfc=1If set to 1, JCo trace is enabled for all connections. This configurationshould be the last resort.

For example:"%TDI_JAVA_PROGRAM%" -Xdebug -Xnoagent -Djava.compiler=NONE -Djco.trace_level=10-Djco.trace_path=/opt/jco_trace/ -Djco.rfc=1-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5555 -classpath"%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% com.ibm.di.loader.ServerLauncher %*set RC=%ERRORLEVEL%

4. Save your changes.5. Restart the adapter service.

Adapter profileThere are two adapter profiles included in the SAP NetWeaver Adapterdistribution package: SapNWProfile.jar and SapGRCNWProfile.jar.

The difference between the two profiles is that the SapGRCNWProfile.jar containsadditional attributes that allow the adapter to be configured with either SAP GRCAccess Control 5.3 or SAP GRC Access Control 10.0.

If only the SAP NetWeaver Adapter is to be used, then use SapNWProfile.jar.


If SAP GRC is to be used as part of the SAP NetWeaver account provisioningprocess, then use SapGRCNWProfile.jar.

If IBM Security Identity Governance and Intelligence contains an existing SAP NWprofile and the SAP NW GRC profile is to be imported, the SAP NW GRC profilewill overwrite the SAP NW profile. The SAP NW GRC profile contains both theSAP GRC attributes and the SAP NW attributes in the one profile. It is not possiblefor both a SAP NW profile and SAP NW GRC profile to exist in the same IBMSecurity Identity Governance and Intelligence instance.

Enabling UnicodeTo support multibyte character encoding, you must configure the Dispatcher JVMproperties.

About this task

The Dispatcher process is a running instance of the IBM Tivoli Directory Integratorserver.

The IBM Tivoli Directory Integrator is a Java application that is running its ownJVM. You can supply standard JVM properties to the Dispatcher such as:v Encodingv Memory allocation initial sizev Memory allocation maximum size

As an example, to set up the dispatcher encoding to UTF-8, perform the followingsteps:

Procedurev On Windows operating systems

1. Stop the IBM Tivoli Directory Integrator (Security Adapters) service.2. Navigate to the adapter timsol directory.3. Open the ibmdiservice.props file with a text editor.4. Set the value of the jvmcmdoptions property to the Java property value that

you want to change to. For example, if you want the Dispatcher JVM to runwith UTF-8 encoding, then set jvmcmdoptions=- Dfile.encoding=UTF-8.

Note: When you set multiple properties, separate two properties with aspace.

5. Save and close the ibmdiservice.props file.6. Start the IBM Tivoli Directory Integrator (Security Adapters) service.

v On UNIX or Linux operating systems

1. Navigate to the ITDI_HOME installation directory.2. Run the following command:

vi ibmdisrv

3. Modify the string value in the following format:"$JRE_PATH/java" -cp "/opt/IBM/TDI/V7.1/jars/3rdparty/IBM/db2jcc_license_c.jar" "-Dlog4j.configuration=file:etc/log4j.properties" -jar "/opt/IBM/TDI/V7.1/IDILoader.jar"com.ibm.di.server.RS "$@"


For example, if you want the JVM to use UTF-8 encoding, then modify thecommand as:"$JRE_PATH/java" -cp "/opt/IBM/TDI/V7.1/jars/3rdparty/IBM/db2jcc_license_c.jar" "-Dfile.encoding=UTF-8" "-Dlog4j.configuration=file:etc/log4j.properties" -jar"/opt/IBM/TDI/V7.1/IDILoader.jar" com.ibm.di.server.RS "$@"

4. Restart the dispatcher service. Run one of the following commands to restartthe process:– On AIX® operating systems:

/opt/IBM/TDI/V7.1/timsol/ITIMAd restartsrc

– On Linux, Solaris, and HP-UX operating systems:/opt/IBM/TDI/V7.1/timsol/ITIMAd restart

v Enabling UTF-8 encoding for the Dispatcher and adapter log file is suggested.Logging capabilities are provided by IBM Tivoli Directory Integrator. Encodingsettings can be enabled as follows:1. Open the file ITDI_HOME/solution/etc/log4j.properties in a text editor.2. After the line log4j.appender.Default.file=logs/ibmdi.log, add the

following setting:log4j.appender.Default.file.encoding=UTF-8

3. The resulting entry looks like the following example:log4j.appender.Default=org.apache.log4j.FileAppenderlog4j.appender.Default.file=logs/ibmdi.loglog4j.appender.Default.file.encoding=UTF8log4j.appender.Default.layout=org.apache.log4j.PatternLayoutlog4j.appender.Default.layout.ConversionPattern=%d{ISO8601} %-5p [%c] - %m%nlog4j.appender.Default.append=false

4. Restart the adapter service.

CUA configuration settingsIf the adapter is to be deployed against a CUA master server, use the transactionSCUM on the target CUA master system to set the distribution parameters.

You must set the following distribution parameters:v Logon data -> Initial password == "Everywhere"v Lock -> Unlock globally == "Global"v Lock -> Lock globally == "Global"

Verifying the adapter installationAfter the adapter is installed, you must verify the adapter components on the IBMTivoli Directory Integrator server.

These adapter components must exist on the IBM Tivoli Directory Integratorserver.

Table 3. Adapter components

Directory Adapter component

ITDI_HOME/jars/connectors SapNWUserConnector.jar, SapNWSupport.jar

ITDI_HOME/jars/functions SapNWRfc.jar

ITDI_HOME/jars/3rdparty/other sapjco3.jar

ITDI_HOME/libs sapjco3.dll


Table 3. Adapter components (continued)

Directory Adapter component

ITDI_HOME/solution/xsl v sapnw_bapi_errors.properties

v sapnw_bapi_user_actgroups_assign.xsl

v sapnw_bapi_user_actgroups_delete.xsl

v sapnw_bapi_user_change.xsl

v sapnw_bapi_user_change_licensedata.xsl

v sapnw_bapi_user_create.xsl

v sapnw_bapi_user_delete.xsl

v sapnw_bapi_user_disablepassword.xsl

v sapnw_bapi_user_getdetail_postcall.xsl

v sapnw_bapi_user_getdetail_precall.xsl

v sapnw_bapi_user_getlist_postcall.xsl

v sapnw_bapi_user_getlist_precall.xsl

v sapnw_bapi_user_locactgroups_assign.xsl

vsapnw_bapi_user_locactgroups_read_postcall.xsl

v sapnw_bapi_user_locactgroups_read_precall.xsl

v sapnw_bapi_user_lock.xsl

v sapnw_bapi_user_locprofiles_assign.xsl

v sapnw_bapi_user_locprofiles_read_postcall.xsl

v sapnw_bapi_user_locprofiles_read_precall.xsl

v sapnw_bapi_user_profiles_assign.xsl

v sapnw_bapi_user_profiles_delete.xsl

v sapnw_bapi_user_system_assign.xsl

v sapnw_bapi_user_unlock.xsl

If the adapter is installed correctly, these dispatcher components exist on the IBMTivoli Directory Integrator server.

If this installation is to upgrade a connector, send a request from IBM SecurityIdentity Governance and Intelligence and verify that the version number in theibmdi.log matches the version of the connector.

Restarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.


Importing the adapter profileYou can import a profile definition file, which creates a profile in IBM SecurityIdentity Governance and Intelligence server. Use this option for importing adapterprofiles.

Before you beginv The IBM Security Identity Governance and Intelligence server is installed and

running.v You have administrator authority on the IBM Security Identity Governance and

Intelligence server.v The file to be imported must be a Java archive (JAR) file. The

<Adapter>Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. Ifnecessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.

About this task

Target definition files are also called adapter profile files. The profile definition filesare provided with the various IBM Security Identity Adapter. The adapter profilemust be imported because it defines the types of resources that the IdentityGovernance and Intelligence server can manage.

The adapter profile definition file is used to create a target profile on the IdentityGovernance and Intelligence server and to establish communication with theadapter. If the adapter profile is not imported, you cannot create a connector forthat adapter type.

An upload error might occur when no file is selected, or when the file is empty, ordue to any upload operation error, such as a timeout or connection error. If theadapter profile is not installed correctly, the adapter cannot function correctly. Youcannot create a connector with the adapter profile or open and account on theservice. You must import the adapter profile again.

This task can be completed from the Enterprise Connectors module in theAdministration Console. To import an adapter target profile, complete these steps:

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or

click Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Profile.b. Click Browse to locate the JAR file that you want to import.c. Click Upload file. A message indicates that you successfully imported a

profile.7. Click Close. The new profile is displayed in the list of profiles.


Results

The upload is synchronous but has a timeout. The progress bar on the Import pageaccurately indicates the upload status. However, when a timeout is reached, thefollowing message occurs: "The import is still in progress and will completeshortly. Close this window to proceed." If you see that message, allow a fewminutes for the upload to complete and for the profile to be available.

What to do next

After the target profile is imported successfully, complete these tasks.v Import the attribute mapping file. See “Importing attribute mapping file.”v Create a connector that uses the target profile. See “Adding a connector.”

Importing attribute mapping fileAfter importing the adapter profile, you must import an attribute map from aprofile mapping definition file.

About this task

This task involves importing an account attribute mapping definition file, which isincluded in the adapter package. The imported file must be a DEF file.

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Attribute Mapping.b. Click Browse to locate the attribute mapping file that you want to import.c. Click Upload file. A message indicates that you successfully imported the

file.7. Click Close.

Adding a connectorAfter you import the adapter profile on the Identity Governance and Intelligenceserver, add a connector so that Identity Governance and Intelligence server cancommunicate with the managed resource.

Before you begin

Complete “Importing the adapter profile” on page 17.


Note: If you migrated from Identity Governance and Intelligence V5.2.2 or V5.2.2.1and want to add or configure a connector, see Adding and configuring a connector foreach target in the IBM Security Identity Governance and Intelligence productdocumentation.

About this task

The connectors consolidate, extract, and reconcile user identities, organizationunits, permissions, and user entitlements with the most common enterpriseapplications. Configure a connector to keep the Access Governance Core repositorysynchronized with the target system.

This task can be completed from the Enterprise Connectors module in theAdministration Console.

Procedure

To add a connector, complete these steps.1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the

Connectors tab.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Optional: To view all of the columns in the list of connectors, expand theConnectors pane.

6. Click Actions > Add. The Connector Details pane is enabled for your input.7. On the Connector Details tab, complete these steps:

a. Assign a name and description for the connector.b. Select the target profile type as Identity Brokerage and its corresponding

target profile.c. Select the entity, such as Account or User. Depending on the connector

type, this field might be preselected.d. Optional: Select Trace ON and the corresponding Trace Level to enable

trace logs. The available trace levels are DEBUG, INFO, and ERROR.e. Optional: Select History ON to save and track the connector usage.f. Click Save. The fields for enabling the channels for sending and receiving

data are now visible.g. Select and set the connector properties in the Global Config accordion

pane. For information about the global configuration properties, see GlobalConfig accordion pane.

h. Click Save. The fields for enabling the channels for sending and receivingdata are now visible.

Results

The connector is saved and added to the list of connectors in the Connectors pane.

If you cannot create a connector with the target profile or open an account on anexisting connector, the target profile was not installed correctly during the import.You must import the target profile again.


https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence. For more information, see “Enablingconnectors.”

Enabling connectorsAfter you create a connector, by default it is in a disabled state. You must enable aconnector to use it.

Before you begin

Table 4. Prerequisites for enabling a connector

Prerequisite Find more information

A connector must exist in IdentityGovernance and Intelligence.

“Adding a connector” on page 18.

Ensure that you enabled the appropriatechannel modes for the connector.

“Reviewing and setting channel modes foreach new connector” on page 21.

Procedure

To enable a connector, complete these steps:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:

a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.

For connectors that are not HR feed, the check boxes for enablingthe read-from channel and the write-to channel are available.

Enable read-from channelReads the INPUT EVENTS and USER DATA from the target system.Imports data from the target system to the Access Governance Corerepository.

For HR feed connectors, only the check box for enabling theread-from channel is available.


Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

Results

The connector is enabled

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence.

Reviewing and setting channel modes for each new connectorUse this procedure to set up the read-from and write-to channels and to set thesynchronization schedule for each new connector.

About this task

Note: Legacy Identity Governance and Intelligence Enterprise connectors useReconciliation channel, whereas Identity Brokerage Enterprise connectors useRead From Channel and Change Log Sync.

For more information about any of tasks in the following steps, see the IBM®

Security Identity Governance and Intelligence product documentation.

Procedure

To enable the read-from and write-to channels, and to set the change logsynchronization schedule for each new connector, complete these steps in IdentityGovernance and Intelligence V5.2.3:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:

a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed, in which you can do more configuration, such asmapping attributes and setting up rules.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.


Enable read-from channelReads the INPUT EVENTS and USER DATA from the targetsystem. Imports data from the target system to the AccessGovernance Core repository.

Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

8. Select Monitor > Change Log Sync Status. A list of connectors is displayed.9. On the Change Log Sync Status tab, complete these steps:

a. Optional: Click Filter to toggle the filter on to refine your search results, orclick Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

b. Select a connector, and click Actions > Sync Now. The synchronizationprocess begins.

c. Optional: To view the status of the synchronization request, select SyncHistory in the right pane. Information about the synchronization isdisplayed in the Sync History tab.

10. Set the change log synchronization schedule for each new connector that youmigrated.

11. When the connector configuration is complete, enable the connector bycompleting these steps:a. Select Manage > Connectors.b. Select the connector that you want to enable, and then select the Enable

check box in the Connector Details tab.c. Click Save. For more information, see “Enabling connectors” on page 20.

For Identity Brokerage connectors that are not HR feed, the check boxes forenabling the read-from channel and the write-to channel are available.For Identity Brokerage HR feed connectors, only the check box for enablingthe read-from channel is available.

12. Start the connector by selecting Monitor > Connector Status. Select theconnector that you want to start, and then select Actions > Start.

Attribute MappingAttribute mapping is required to define which target attributes correspond to theIdentity Governance and Intelligence account attributes.

About this task

This task involves an account attribute mapping definition file, which is includedin the adapter package.

The file consists of Identity Governance and Intelligence account attributes andtheir equivalent attributes in the managed target. The file is structured as<IGI_attribute> = <target_attribute>.

The <IGI_attribute> is fixed and must not be modified. Edit only the<target_attribute>. Some <IGI_attribute> already has a fixed equivalent<target_attribute> of eraccount.

Some <IGI_attribute> do not have a defined <target_attribute> and you can assignthe mapping. For example:


USER_TYPE=USER_TYPEATTR1=ATTR1

Note:

v The default mapping is already included out-of-the box. If there are no changesto the attribute mapping, there is no need to import the attribute mapping files.

v It might take up to 10 minutes for the attribute mapping changes to take effectonce the file is imported.

Procedure1. Open the mapping definition file by using any text editor.2. Edit the mapping.3. If the target attribute has a list of predefined values, use the following syntax to

convert its values to the corresponding Identity Governance and Intelligenceattribute values.[conversion].<target_attribute>.<IGI_attribute> =[<target_attribute_value1>=<IGI_attribute_value1>;...;<target_attribute_valuen>=<IGI_attribute_valuen>]

4. For attributes that contains date and time, use the following syntax to convertits values. For example:[conversion.date].erbirthDate.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss][conversion.date].ACCOUNT_EXPIRY_DATE.ACCOUNT_EXPIRY_DATE=[dd/MM/yyyy HH:mm:ss=dd/MM/yyyy HH:mm:ss]

5. Import the updated mapping definition file through the Enterprise Connectorsmodule. For more information, see Attribute-to-permission mapping service in theIBM Security Identity Governance and Intelligence product documentation.

6. Map the following attributes for Chaneel-Write To and Chaneel-Read From

Attribute Mapped Attribute

eruid CODE

erpassword PASSWORD

For more information, see Mapping attributes for a connector in the IBM SecurityIdentity Governance and Intelligence product documentation.

Service/Target form detailsComplete the service/target form fields.

ADAPTER DETAILS TABThis tab describes service details.

Service nameSpecify a name that defines this service on the IBM Security Identityserver.

Note: Slash (/) and backslash (\) characters are not allowed in the servicename.

Description Optional: Specify a description for this service.

IBM Tivoli Directory Integrator locationOptional: Specify the URL for the IBM Tivoli Directory Integrator instance.Valid syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is


the IBM Tivoli Directory Integrator host and port is the port number for theDispatcher. For example, you might specify the URL asrmi://localhost:1099/ITDIDispatcher. For information about changing theport number, see the Dispatcher Installation and Configuration Guide.

Service prerequisitePrerequisite services names.

OwnerService owner.

SAP CONNECTION DETAILS TABThis tab describes connection details.

Target ClientThe SAP instance client number. This field is mandatory if no value issupplied for Optional RFC Connection Parameters.

Login IDThe SAP User account login ID that adapter uses to connect to the SAPinstance. This field is mandatory if no value is supplied for Optional RFCConnection Parameters.

Password Password for SAP User account. This field is mandatory if no value issupplied for Optional RFC Connection Parameters.

SAP System (DNS hostname or IP)Host name of the SAP server host computer only if DNS is set up correctly.Otherwise, use the IP address. This field is mandatory if no value issupplied for Optional RFC Connection Parameters.

SAP Systems Number The SAP server system number. This field is mandatory if no value issupplied for Optional RFC Connection Parameters.

SAP Logon Language The language ISO identifier to be used by the adapter. This parameter isoptional.

SAP Gateway (DNS hostname or IP)Host name of the SAP gateway host computer only if DNS is set upcorrectly. Otherwise, use the IP address. This host is typically the samehost that contains the SAP server. This parameter is optional.

Optional RFC Connection Parameters

This attribute allows for alternative SAP connectivity parameters to bespecified. The value of this attribute is a formatted string of name-valuepairs. Each pair must be separated by a single pipe (|) character. The nameparts must be in lowercase characters. The general format of the value ofthis attribute is shown in this example:<name1>=<value1> <name2=value2> ... <nameN>=<valueN>

For example, the following string value would set the SAP Message Serverto messageserver.com with System ID PR0 and Group SPACE:mshost=messageserver.com|r3name=PR0|group=SPACE

The names and values are those supported directly by the SAP RFC API. Asummary of the names is supplied in the following table:


Table 5. Names supported by SAP RFC API

Name Description

client SAP client

user User name for logon. Set to $MYSAPSSO2$ if you are using SSO logon. Setto $X509CERT$ if you are using X509 certificates.

alias user Alias for user name

passwd Password of the user. If you are using SSO or X509 certificates, supplybase64 encode value of SSO ticket or X509 certificate.

lang Log on language to be used

sysnr System number of the target SAP system

ashost Host name of the target SAP application server

mshost Host name of message service

gwhost Host name of the SAP gateway service

gwserv Gateway service name

r3name R/3 name

group Name of SAP application server group

tpname Program Id of external RFC server program

tphost Host name of external RFC server program

trace Set to 1 to enable RFC API trace logging

codepage SAP code page

getsso2 Set to 1 to obtain SAP SSO ticket

mysapsso2 SAP Cookie version 2 as logon ticket

x509cert X509 certificate as logon ticket

snc_mode Set to 1 to enable secure network connection

snc_partnername SNC name

snc_qop SNC strength, 1 - 9

snc_myname SNC name. Overrides partner name

snc_lib Path name to SNC library implementation

extiddata External authentication (PAS) data

extidtype External authentication type

Type B (Load balancing) connection

The mandatory attributes for Type B connection are client, user, passwd,lang, type, mshost, r3name, and group.

To establish Type B (Load Balancing) connection, add the following valueunder Optional RFC Connection Parameters:type=B|mshost=<Message Server Name>|r3name=<SYSTEM ID>|group=<Name of SAP application server group>

For example: type=B|mshost=SAPPR0|r3name=PR0|group=SPACE wheremessage server name is SAPPR0 with systemID as PR0 and group SPACE.

Note:

v The dispatcher must be restarted for each change in the Optional RFCConnection Parameters? field.


v To establish a Type B (Load Balancing) connection, enable RFC Loadbalancing in SAP system.

Enable TDI DebuggingFlag to enable IBM Tivoli Directory Integrator debugging trace output.

SAP ROLE DETAILS TABThis tab describes the role end date.

Role Default End Date : Date/TimeThis is the default Role End Date.

ADD ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing add operationrequests.

The following attribute of this tab is an optional service attribute. For more details,see SAP NetWeaver Adapter configuration.v Add User Basic XSL Stylesheets

MODIFY ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing modify operationrequests.

The following attributes of this tab are all optional service attributes. For moredetails, see SAP NetWeaver Adapter configuration.v Modify User Basic XSL Stylesheetsv Modify User Basic Lookup Request Stylesheetv Modify User Basic Lookup Response Stylesheet

DELETE ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing delete operationrequests.

The following attributes of this tab are all optional service attributes. For moredetails, see SAP NetWeaver Adapter configuration.v Delete User Basic XSL Stylesheetsv Delete User Basic Lookup Request Stylesheetv Delete User Basic Lookup Response Stylesheet

SUSPEND ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing suspend operationrequests.

The following attributes of this tab are all optional service attribute.v Suspend User Basic XSL Stylesheetsv Suspend User Basic Lookup Request Stylesheetv Suspend User Basic Lookup Response Stylesheet


RESTORE ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing restore operationrequests.

The following attributes of this tab are all optional service attribute. For moredetails, see SAP NetWeaver Adapter configuration.v Restore User Basic XSL Stylesheetsv Restore User Basic Lookup Request Stylesheetv Restore User Basic Lookup Response Stylesheet

CHANGE PASSWORD ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing password operationrequests.

The following attributes of this tab are all optional service attributes. For moredetails, see SAP NetWeaver Adapter configuration.v Change Password Basic XSL Stylesheetsv Change Password Basic Lookup Request Stylesheetv Change Password Basic Lookup Response Stylesheet

RECONCILIATION ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing reconciliation andsearch operation requests.

The following attributes of this tab are all optional service attribute. For moredetails, see SAP NetWeaver Adapter configuration.v Search User Basic Select Request XSL Stylesheetsv Search User Basic Select Response Stylesheetv Search User Basic Iterate Request XSL Stylesheetsv Search User Basic Iterate Response Stylesheet

DISPATCHER ATTRIBUTES TABThis tab describes Dispatcher attributes.

Assembly Line File System PathSpecify the file path from where the dispatcher loads the assembly lines. Ifyou do not specify a file path, the dispatcher loads the assembly linesreceived from IBM Security Identity Governance and Intelligence. Forexample, you can specify the following file path to load the assembly linesfrom the profiles directory of the Windows operating system:C:\Files\IBM\TDI\V7.1\profiles or you can specify the following file pathto load the assembly lines from the profiles directory of the UNIX andLinux operating system: /opt/IBM/TDI/V7.1/profiles

Max Connection CountSpecify the maximum number of assembly lines that the dispatcher canexecute simultaneously for the service. For example, enter 10 when youwant the dispatcher to execute maximum ten assembly linessimultaneously for the service. If you enter 0 in the Max ConnectionCount field, the dispatcher does not limit the number of assembly linesthat are executed simultaneously for the service.


Disable Assembly Line CacheSelect the checkbox to disable the assembly line caching in the dispatcherfor the service. The assembly lines for the Add, Modify, Delete, and Testoperations are not cached.

Connection testAfter the service has been created, click Test to ensure that the connection to bothIBM Tivoli Directory Integrator Server and SAP NetWeaver AS ABAP can beestablished.

Configuration information for the adapter is reported in the IBM Tivoli DirectoryIntegrator log file (ibmdi.log) as a result of a successful test.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

Governance and Intelligence server.2. Run a full reconciliation from the IBM Security Identity Governance and

Intelligence server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.


Chapter 4. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such asupgrading the dispatcher, the connector, and the adapter profile. Depending on theadapter, some of these tasks might not be applicable. Other tasks might also berequired to complete the upgrade.

For installation steps, see Installation procedure.

Upgrade of the adapter from version 5.1.4 or olderThe version of SAP JCo used by the adapter has been upgraded. See the sectionabout upgrading the SAP JCo for details.

The adapter service configuration forms have changed in the SAP NetWeaverAdapter GUI for XSL advanced mapping. The CUA and NON-CUA specificadvanced mappings for Add and Modify operations have been removed.

The following Add Advanced Mapping options have been removed:v Add User CUA XSL Stylesheets (Multi-valued)v Add User NON-CUA XSL Stylesheets (Multi-valued)

These advanced mappings have been merged into the remaining mapping optionsfor Add. Changes to your custom XSL transforms and add advanced mapping maybe required. See “ADD ADVANCED MAPPING TAB” on page 26 for more details.

The following Modify Advanced Mapping options have been removed:v Modify User CUA XSL Stylesheets (Multi-valued)v Modify User NON-CUA XSL Stylesheets (Multi-valued)

These advanced mappings have been merged into the remaining mapping optionsfor Modify. Changes to your custom XSL transforms and modify advancedmapping may be required. See “MODIFY ADVANCED MAPPING TAB” on page26 for more details.

The following Reconciliation Advance Mapping options have been removed:v Search User CUA Roles Request Lookup XSL Stylesheetv Search User CUA Roles Response Lookup XSL Stylesheetv Search User CUA Profiles Request Lookup XSL Stylesheetv Search User CUA Profile Response Lookup XSL Stylesheet

These advanced mappings have been merged into the remaining mapping optionsfor reconciliations. Changes to your custom XSL transforms and reconciliationadvanced mapping may be required. See “RECONCILIATION ADVANCEDMAPPING TAB” on page 27 for more details.

SAP JCo upgradeFrom version 6.0.8, the SAP NetWeaver Adapter only supports JCo version 3.0.9.

You must download the 3.0.9 version of the JCo for upgrading.

29

If you plan to deploy the adapter on a Windows platform, Microsoft Visual C++2005 libraries are also required. See the Microsoft Knowledge Base article 973544for instructions on obtaining and installing the required Microsoft Visual C++ 2005libraries.


Chapter 5. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

See the IBM Security Dispatcher Installation and Configuration Guide for additionalconfiguration options such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Customizing the adapter profileTo customize the adapter profile, you must modify the SAP NetWeaver AdapterJAR file. You might customize the adapter profile to change the account form orthe service form. Use the Form Designer or CustomLabels.properties file tochange the labels on the forms. Each adapter has a CustomLabels.properties filefor that adapter.

About this task

The JAR file is included in the SAP NetWeaver Adapter compressed file that youdownloaded from the IBM website.

The following files are included in the SAP NetWeaver JAR file:v CustomLabels.propertiesv ersapnwaccount.xmlv ersapnwservice.xmlv SapNWAssemblyLines.xmlv schema.dsmlv service.def

Procedure1. To edit the JAR file, log on to the workstation where the SAP NetWeaver

Adapter is installed.2. Copy the JAR file into a temporary directory.3. Extract the contents of the JAR file into the temporary directory. The following

example applies to the SAP NetWeaver Adapter profile. Type the name of theJAR file for your operating system. Run the following command.#cd /tmp#jar -xvf SapNWProfile.jar

The jar command extracts the files into the SAPNWProfile directory.4. Edit the file that you want to change. After you edit the file, you must import

the file into the IBM Security Identity server for the changes to take effect.

31

5. To import the file, create a JAR file by using the files in the /tmp directory Runthe following commands:#cd /tmp#jar -cvf SapNWProfile.jar SAPNWProfile

6. Import the JAR file into the IBM Security Identity Governance and Intelligenceapplication server.

7. Stop and start the IBM Security Identity server.8. Restart the adapter service.

XSL style sheetsThe adapter can be configured by modifying the XSL style sheet advancedmappings.

Before the adapter runs an SAP RFC, it queries the CUA status of the target SAPsystem. If the CUA status is true, then the adapter runs the CUA XSLtransformations that are in the following lists. If the SAP system is NON-CUA,status false, then the adapter runs the NON-CUA XSL transformations. Thesetransformations are in the following lists.

Note: In some cases the default XSL transformations are the same for both CUAand NON-CUA systems.

The adapter functions without requiring any advanced mapping XSLtransformations to be configured. The default values for each advanced mappingin the following lists are used. However, any advanced mappings that areconfigured by the user, override the listed default XSL transformations.

ADD ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing addoperation requests.

Add User Basic XSL Stylesheets

This attribute is a multi-valued attribute where each value isseparated by a single space (‘ ‘) character. The values are filenames that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during an addoperation request. The XSL results are run as RFC calls against thetarget SAP system.

The values are the names of the XSL files that are deployed withthe adapter relative to the Dispatcher solution directory. If no valueis supplied, the adapter runs the following XSL transformationsand resulting RFC calls:

CUA:xsl/sapnw_bapi_user_create.xslxsl/sapnw_bapi_user_disablepassword.xslxsl/sapnw_bapi_user_system_assign.xslxsl/sapnw_bapi_user_change_licensedata.xslxsl/sapnw_bapi_user_locactgroups_assign.xslxsl/sapnw_bapi_user_locprofiles_assign.xsl

NON-CUA:


xsl/sapnw_bapi_user_create.xslxsl/sapnw_bapi_user_disablepassword.xslxsl/sapnw_bapi_user_change_licensedata.xslxsl/sapnw_bapi_user_actgroups_assign.xslxsl/sapnw_bapi_user_profiles_assign.xsl

MODIFY ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing modifyoperation requests.

Modify User Basic XSL Stylesheets

This attribute is a multi-valued attribute where each value isseparated by a single space (‘ ‘) character. The values are filenames that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during amodify operation request. The XSL results are run as RFC callsagainst the target SAP system.

The values are the names of XSL files that are deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformations andresulting RFC calls:

CUA:xsl/sapnw_bapi_user_change.xslxsl/sapnw_bapi_user_disablepassword.xslxsl/sapnw_bapi_user_system_assign.xslxsl/sapnw_bapi_user_change_licensedata.xslxsl/sapnw_bapi_user_locactgroups_assign.xslxsl/sapnw_bapi_user_locprofiles_assign.xsl

NON-CUA:xsl/sapnw_bapi_user_change.xslxsl/sapnw_bapi_user_disablepassword.xslxsl/sapnw_bapi_user_change_licensedata.xslxsl/sapnw_bapi_user_actgroups_assign.xslxsl/sapnw_bapi_user_profiles_assign.xsl

Modify User Basic Lookup Request Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that produces an RFC request. TheRFC request is run by the adapter to determine whether theaccount to be modified is present. If a value is supplied, thetransformation is run regardless of the CUA status of the targetSAP system. If CUA is used, the following XSL mappings arerequired:xsl/sbu_getdetail_precall.xsl xsl/sbu_locactgroups_read_precall.xsl

The value is the name of the XSL file that is deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformation andresulting RFC call:xsl/sapnw_bapi_user_getdetail_precall.xsl

Modify User Basic Lookup Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that will process the SAP responsefrom running the RFC call that is based on the setting of Modify

Chapter 5. Configuring 33

User Lookup Request Stylesheet. If a value is supplied, thetransformation is run regardless of the CUA status of the targetSAP system. If CUA is used, the following additional XSLmappings are required:xsl/sbu_getdetail_postcall.xsl xsl/sbu_locactgroups_read_postcall.xsl

The value is the name of XSL file that is deployed with the adapterrelative to the Dispatcher solution directory. If no value is supplied,the adapter runs the following XSL transformation and resultingRFC call:xsl/sapnw_bapi_user_getdetail_postcall.xsl

DELETE ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing deleteoperation requests.

Delete User Basic XSL Stylesheets

This attribute is a multi-valued attribute where each value isseparated by a single space (‘ ‘) character. The values are filenames that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during a deleteoperation request. The XSL results are run as RFC calls against thetarget SAP system. If a value is supplied, the transformations arerun regardless of the CUA status of target SAP system.

The values are the names of XSL files that are deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformations andresulting RFC calls:xsl/sapnw_bapi_user_delete.xsl

Delete User Basic Lookup Request Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that produces an RFC request. TheRFC request is run by the adapter to determine whether theaccount to be deleted is present. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.

The value is the name of XSL file that is deployed with the adapterrelative to the Dispatcher solution directory. If no value is supplied,the adapter runs the following XSL transformation and resultingRFC call:xsl/sapnw_bapi_user_getdetail_precall.xsl

Delete User Basic Lookup Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP responsefrom the RFC call. The call is run based on the setting of DeleteUser Lookup Request Stylesheet. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.

The value is the name of XSL file that is deployed with the adapterrelative to the Dispatcher solution directory. If no value is supplied,the adapter runs the following XSL transformation and resultingRFC call:


xsl/sapnw_bapi_user_getdetail_postcall.xsl

SUSPEND ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing suspendoperation requests.

Suspend User Basic XSL Stylesheets

This attribute is a multi-valued attribute where each value isseparated by a single space (‘ ‘) character. The values are filenames that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during asuspend operation request. The XSL results are run as RFC callsagainst the target SAP system. If a value is supplied, thetransformations are run regardless of the CUA status of target SAPsystem.

The values are the names of XSL files that are deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformations andresulting RFC calls:xsl/sapnw_bapi_user_lock.xsl

Suspend User Basic Lookup Request Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that produces an RFC request. TheRFC request is run by the adapter to determine whether theaccount to be suspended is present. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.


Suspend User Basic Lookup Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP responsefrom the RFC call. The call is run based on the setting of SuspendUser Lookup Request Stylesheet. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.

The value is the name of XSL file that is deployed with the adapterrelative to the Dispatcher solution directory. If no value is supplied,the adapter runs the following XSL transformation and resultingRFC call:xsl/sapnw_bapi_user_getdetail_postcall.xsl

RESTORE ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing restoreoperation requests.

Restore User Basic XSL Stylesheets

This attribute is a multivalued attribute where each value isseparated by a single space (‘ ‘) character. The values are file


names that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during a restoreoperation request. The XSL results are run as RFC calls against thetarget SAP system. If a value is supplied, the transformations arerun regardless of the CUA status of target SAP system.

The values are the names of XSL files that are deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformations andresulting RFC calls:xsl/sapnw_bapi_user_unlock.xsl

Restore User Basic Lookup Request Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that produces an RFC request. TheRFC request is run by the adapter to determine whether theaccount to be restored is present. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.


Restore User Basic Lookup Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP responsefrom the RFC call. The call is run based on the setting of RestoreUser Basic Lookup Request Stylesheet. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.

The value is the name of the XSL file that is deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformation andresulting RFC call:xsl/sapnw_bapi_user_getdetail_postcall.xsl

CHANGE PASSWORD ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processing passwordoperation requests.

Change Password Basic XSL Stylesheets

This attribute is a multi-valued attribute where each value isseparated by a single space (‘ ‘) character. The values are filenames that represent the order in which the adapter runs XSLtransformations on the user account data. The data is sent fromIBM Security Identity Governance and Intelligence during apassword operation request. The XSL results are run as RFC callsagainst the target SAP system. If a value is supplied, thetransformations are run regardless of the CUA status of target SAPsystem.


The values are the names of XSL files that are deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformations andresulting RFC calls:xsl/sapnw_bapi_user_change.xsl

Change Password Basic Lookup Request Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that produces an RFC request. TheRFC request is run by the adapter to determine whether theaccount to be modified is present. If a value is supplied, thetransformation is run regardless of the CUA status of target SAPsystem.

The value is the name of the XSL file that is deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformation andresulting RFC call:xsl/sapnw_bapi_user_getdetail_precall.xsl

Change Password Basic Lookup Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP responsefrom the RFC call. The call is run based on the setting of ChangePassword Basic Lookup Request Stylesheet. If a value is supplied,the transformation is run regardless of the CUA status of targetSAP system.

The value is the name of the XSL file that is deployed with theadapter relative to the Dispatcher solution directory. If no value issupplied, the adapter runs the following XSL transformation andresulting RFC call:xsl/sapnw_bapi_user_getdetail_postcall.xsl

RECONCILIATION ADVANCED MAPPING TABSettings of this tab apply only when the adapter is processingreconciliation and search operation requests.

Search User Basic Select Request XSL Stylesheets

This attribute is a multi-valued attribute. The value is a list of XSLtransformation file names that are separated by space (“ ”). Eachtransform is run in the defined order and produce an RFC request.Each RFC request is run by the adapter. If more than onetransform and resulting RFC is run, the result of each RFC call isappended to an XML result document with a root tag named<bapiResults>. This result list is passed to the Search User BasicSelect Response XSL Stylesheets. If only one XSL file name issupplied, the resulting RFC is run, and its response will be passeddirectly to Search User Basic Select Response XSL Stylesheets.

Each XSL transform file must be deployed with the adapter in thexsl directory relative to the Dispatcher solution directory.

If no value is supplied, the adapter runs the following XSLtransformations and resulting RFC calls:xsl/sapnw_bapi_user_getlist_precall.xsl

Search User Basic Select Response Stylesheet


This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP response orresponses from the RFC calls. The calls are run based on thesetting of Search User Basic Select Request Stylesheet. Thistransform produces the list of user names to be iterated during thereconciliation.

The XSL transform file must be deployed with the adapter in thexsl directory relative to the Dispatcher solution directory.

If no value is supplied, the adapter runs the following XSLtransformation and resulting RFC call:xsl/sapnw_bapi_user_getlist_postcall.xsl

Search User Basic Iterate Request XSL Stylesheets

This attribute is a multi-valued attribute. The value is a list of XSLtransformation file names that are separated by space (“ ”). Eachtransform is run in the defined order and produce an RFC request.Each RFC request is run by the adapter. Each RFC that is run isresponsible for returning parts of the user account details. If morethan one transform and resulting RFC is run, the result of eachRFC call is appended to an XML result document with a root tagnamed <bapiResults>. This result list is passed to the Search UserBasic Iterate Response XSL Stylesheets. If only one XSL file nameis supplied, the resulting RFC is run. The response is passeddirectly to Search User Basic Select Response XSL Stylesheets.

Each XSL transform file must be deployed with the adapter in thexsl directory relative to the Dispatcher solution directory.

If no value is supplied, the adapter runs the following XSLtransformations and resulting RFC calls:

CUA:xsl/sapnw_bapi_user_getdetail_precall.xslxsl/sapnw_bapi_user_locactgroups_read_precall.xslxsl/sapnw_bapi_user_locprofiles_read_precall.xsl

RFC

NON-CUA:xsl/sapnw_bapi_user_getdetail_precall.xsl

Search User Basic Iterate Response Stylesheet

This attribute is a single-valued attribute. The value is the filename of an XSL transformation that processes the SAP response orresponses from the RFC calls. The calls are run based on thesetting of Search User Basic Iterate Request Stylesheet. The resultof running this transform is sent to the IBM Security Identityserver.

The XSL transform file must be deployed with the adapter in thexsl directory relative to the Dispatcher solution directory.

If no value is supplied, the adapter runs the following XSLtransformation and resulting RFC call:xsl/sapnw_bapi_user_getdetail_postcall.xsl


BAPI method execution with stateful connectionThe SAP JCo 3.x connection between SAP R3 and ISIM, by default, is not stateful.The stateful connection is also required in case of transactional BAPIs. To make theconnection stateful between Business Application Programming Interfaces (BAPIs)method execution, add the following tags to the XSL files according to yourrequirement.

To begin a stateful connection, add this tag to your XSL:<CONTEXT_BEGIN> & </CONTEXT_BEGIN> or <CONTEXT_BEGIN/>

To end a stateful connection, add this tag to your XSL:<CONTEXT_END> & </CONTEXT_END> or <CONTEXT_END/>

It is not necessary to have both <CONTEXT_BEGIN/> and <CONTEXT_END/> tags in thesame XSL. Nested <CONTEXT_BEGIN/> and <CONTEXT_END/> tags can also beimplemented, provided that the tags are nested correctly, else unexpected resultcan occur. Stateful connection started by each <CONTEXT_BEGIN/> tag gets ended byits associated <CONTEXT_END/> tag.

Note: Stateful connection that is started by each <CONTEXT_BEGIN/> tag gets endedby its associated <CONTEXT_END/> tag. If the <CONTEXT_BEGIN/> tag does not haveits associated <CONTEXT_END/> tag, the stateful connection gets terminated at theend of JCo connection.

For example, the <CONTEXT_BEGIN/> and <CONTEXT_END/> tags are added to thefollowing files:v sapnw_bapi_charact_create.xsl file

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"version="1.0"xmlns:xalan="http://xml.apache.org/xslt">

.....

.....<BAPI_CHARACT_CREATE><CONTEXT_BEGIN/>..........</BAPI_CHARACT_CREATE>..........</xsl:stylesheet>

v sapnw_bapi_transaction_commit.xsl file<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

version="1.0"xmlns:xalan="http://xml.apache.org/xslt">

.....

.....<BAPI_TRANSACTION_COMMIT>..........<CONTEXT_BEGIN/></BAPI_TRANSACTION_COMMIT>..........</xsl:stylesheet>

Customizing the SAP NetWeaver AdapterYou can customize the adapter to suit your needs.


About this task

You can increase the range of years on IBM Security Identity Governance andIntelligence for the "Valid From" and "Valid To" calendar widget.

Procedure1. Use your preferred LDAP browser to locate the following entry:

erformname=erITIMService,ou=formTemplates,ou=itim,<tenant>,<rootsuffix>

2. Find the erXML attribute in the entry.3. Update the erXML attribute to have the following formElement: Set the

MIN_YEAR and MAX_YEAR to the year range you want the calendar todisplay (e.g. from 1900 to 2099). Use the spanYearRange option to show theyear values between MIN_YEAR and MAX_YEAR.<formElement direction="inherit" label="$ersapnwdatefrom"name="data.ersapnwdatefrom"><dateInput mixYear="MIN_YEAR" maxYear="MAX_YEAR"spanYearRange="Yes" hoursAndMinutes="false"/></formElement>

<formElement direction="inherit" label="$ersapnwdateuntil"name="data.ersapnwdateuntil"><dateInput mixYear="MIN_YEAR" maxYear="MAX_YEAR"spanYearRange="Yes" hoursAndMinutes="false"/></formElement>

For instance, the following example will have the calendar widget contains allthe values from 1900 to 2099.<formElement direction="inherit" label="$ersapnwdatefrom"name="data.ersapnwdatefrom"><dateInput mixYear="1900" maxYear="2099" spanYearRange="Yes"hoursAndMinutes="false"/></formElement>

Note:

v It is NOT recommended to combine spanYearRange and a maxYear of 9999.Because this will significantly increase the amount of data that must be sentto the browser for the page to be displayed, and will hurt performance.

v If you want to include years earlier than 1990, then use the minYearattribute. For example, <dateInput minYear="1974"/>.

v Any customization done through the IBM Security Identity Governance andIntelligence UI (Form Editor Applet) MUST be done prior to adding anymanual date attribute modifications. The Form Editor UI is not equipped tohandle these additional date attribute customizations. When edited, the FormEditor UI will write out standard Date attributes regardless of any manualmodification previously added. Thus, the manual updates must be redone, ortheir functionality will be not be effective.

4. Save the updated erXML attribute to the LDAP.

Support for SAP productive passwordsSAP provides support for the use of productive passwords with the standardBusiness Application Programming Interface (BAPI). A productive password is asingle password that can be used on heterogeneous SAP systems.

To allow the SAP NetWeaver Adapter to set productive passwords:v SAP NetWeaver AS ABAP uses SAP Cryptographic Library as its security

provider for Secure Network Communication (SNC).


v SAP NetWeaver AS ABAP is configured to use Secure Network Communicationfor RFC communications.

v The SAP user account that is used by the adapter to communicate with SAPNetWeaver AS ABAP has the authorization for object S_USER_GRP with activityPP.

v The adapter is configured to use Secure Network Communication for itscommunication with SAP NetWeaver AS ABAP.

Refer to SAP note 1287410. You must have S-user credentials that are provided bySAP to access this website.

Configuring Secure Network Communication between the adapter andSAP NetWeaver AS ABAP

Use Secure Network Communication (SNC) to secure the communication betweenthe adapter and SAP NetWeaver AS ABAP.

Complete the following tasks:v “Installing the SAP Cryptographic Library”v “Creating a Person Security Environment for the adapter” on page 42v “Importing the public certificate of the adapter into the SAP NetWeaver AS

ABAP Person Security Environment” on page 43v “Importing the SAP NetWeaver AS ABAP public certificate into the Person

Security Environment of the adapter” on page 44v “Allowing the user account of the adapter to connect to SAP NetWeaver AS

ABAP by using Secure Network Communication” on page 44v “Setting optional RFC connection parameters for the adapter” on page 45v “Verifying the Secure Network Communication setup” on page 46

These configuration tasks have been verified against the following SAP versions:

Table 6. SAP version support

SAP release and version Software component Support package

700 SAP_BASIS SAPKB70019






For information on required configuration changes to subsequent versions, reviewthe SAP documentation for Secure Network Communication, SAP CryptographicLibrary, and productive password support at http://help.sap.com.

Installing the SAP Cryptographic LibraryYou can use these steps to install the SAP Cryptographic Library.

Procedure1. Download the SAP Cryptographic Library from the SAP Service Marketplace

and extract it to a temporary directory.


https://service.sap.com/sap/support/notes/1287410

http://help.sap.com

2. Copy the library and the command line tool to a local directory on the systemthat hosts the adapter. For example:

Windows systemsC:\usr\sap\sapcrypto.dllC:\usr\sap\sapgenpse.exe

UNIX systems/usr/sap/libsapcrypto.so/usr/sap/sapgenpse

3. Copy the license ticket (ticket) to a subdirectory that is named sec. Forexample:

Windows systemsC:\usr\sap\sec\ticket

UNIX systems/usr/sap/sec/ticket

4. For the user that runs the adapter, set the environment variable SECUDIR to thisdirectory. For example:

Windows systemsSECUDIR=C:\usr\sap\sec

UNIX systemsSECUDIR=/usr/sap/sec

If the user is the SYSTEM user, set SECUDIR as a system variable.5. Restart the adapter (RMI dispatcher service) so that the new environment

variable is accessible by the adapter.

Creating a Person Security Environment for the adapterYou can use these steps to create a Person Security Environment for the adapter.

Procedure1. Start a command line console and change to the directory that contains the

sapgenpse tool.2. Create a Person Security Environment for the adapter. Running this command:

sapgenpse get_pse [-p PSE_name] [-x PIN] [DN]

Where:

-p PSE_namePath and file name for Person Security Environment for the adapter.

-x PINPIN value that protects the Person Security Environment.

DN Distinguished Name for the adapter. The Distinguished Name is usedto build the Secure Network Communication name for the adapter. TheDistinguished Name has the following elements:v CN = Common_Name

v OU = Organizational_Unit

v O = Organization

v C = Country

For example:sapgenpse get_pse -p adapter.pse -x passw0rd "CN=adapter,OU=IdM,O=IBM,C=US"


3. Use the following command (on one line) to open the adapter's Person SecurityEnvironment and create credentials:sapgenpse seclogin [-p PSE_name] [-x PIN] [-O [NT_Domain\]user_ID]

Where:

-p PSE_namePath and file name for the Person Security Environment for the adapter.


-O [NT_Domain\[user_ID\User for whom the credentials are created. Specify the user that runsthe adapter service. Omitting this value specifies the current user.

For example:sapgenpse seclogin -p adapter.pse -x passw0rd -O SYSTEM

Importing the public certificate of the adapter into the SAPNetWeaver AS ABAP Person Security Environment

You can use these steps to import the public certificate of the adapter into the SAPNetWeaver AS ABAP Person Security Environment.

Procedure1. Export the public certificate of the adapter. Run the following command:

sapgenpse export_own_cert [-o output_file] [-p PSE_name] [-x PIN] [DN]

Where:

-o output_filePath and file name for the exported certificate.



For example:sapgenpse export_own_cert -o adapter.crt -p adapter.pse -x passw0rd

2. Start Trust Manager from SAP graphical user interface (transaction STRUST).3. Select (double-click) the SAP Person Security Environment under the

SAPCryptolib folder.4. When prompted, enter the PIN value.5. Select Certificate > Import from the menu.6. Enter the path and file name of the public certificate of the adapter.7. Select the Base64 format and choose Enter. The certificate appears in the

Certificate section of Trust Manager panel.8. Click Add to Certificate List button to add the certificate to the Person Security

Environment.9. Save the data.

Note: For securing multiple SAP systems with a single Secure NetworkCommunication certificate, repeat steps 2 - 9 for each SAP system. Use thesame certificate from step 1 to upload to different SAP systems.


Importing the SAP NetWeaver AS ABAP public certificate intothe Person Security Environment of the adapter

You can use these steps to import the SAP NetWeaver AS ABAP public certificateinto the Person Security Environment of the adapter.

Procedure1. In Trust Manager, select the SAP NetWeaver AS ABAP Secure Network

Communication Person Security Environment.2. Select (double-click) the certificate in the Owner field.3. Select Certificate -> Export from the menu.4. Specify the path and file name to save the file; select the Base64 format and

choose Enter. Use a different file name for each SAP system.5. Copy the exported certificate to the system that hosts the adapter.6. On the adapter system, run the following command on one line to import the

SAP NetWeaver AS ABAP public certificate into the Person SecurityEnvironment of the adapter:sapgenpse maintain_pk [-a cert_file] [-p PSE_name] [-x PIN] [DN]

Where:

-a cert_filePath and file name for the SAP NetWeaver AS ABAP public certificate.



For example:sapgenpse maintain_pk -a sap.crt -p adapter.pse

7. Run the following command to display all the certificate details that wereupdated in the .pse file.sapgenpse maintain_pk -l -p PSE_name [-x PIN]

Where:



For example:sapgenpse maintain_pk -l -p adapter.pse

Note: For securing multiple SAP systems with a single Secure NetworkCommunication certificate, repeat steps 1 to 6 for each SAP system. To updatethe file entry of the certificates that were exported from different SAP systemsto the existing .pse file, run step 6 for each of the certificates.

Allowing the user account of the adapter to connect to SAPNetWeaver AS ABAP by using Secure NetworkCommunication

You can allow the user account of the adapter to connect to SAP NetWeaver ASABAP.


Procedure1. In the SAP graphical user interface, start Table Maintenance (transaction

SM30).2. Maintain the table USRACLEXT.3. Select New Entries.4. Enter the following data in the corresponding fields:

User Specify the user that the adapter uses to connect to SAP NetWeaver ASABAP.

Sequence NumberEnter 000 unless the user has more than one Secure NetworkCommunication name.

SNC NameSpecify the DN that is associated with the Person Security Environmentof the adapter. For example:p: CN=adapter,OU=IdM,O=IBM,C=US

5. Save the data.

Note: For securing multiple SAP systems with a single Secure NetworkCommunication certificate, repeat steps 1 - 5 for each SAP system.

Setting optional RFC connection parameters for the adapterTo enable the adapter to use Secure Network Communication to communicate withSAP NetWeaver AS ABAP, you must add parameters to the service form.

Procedure

Add these parameters on one line to the Optional RFC Connection Parametersfield in the service form:snc_mode=1|snc_partnername=as_abap_snc_name|snc_qop=3|snc_myname=adapter_snc_name|snc_lib=path_to_snc_lib

Where:

snc_modeSecure Network Communication activation indicator. Use these values:

0 Secure Network Communication is disabled.

1 Secure Network Communication is activated.

snc_partnernameSecure Network Communication name of the communication partner (SAPNetWeaver AS ABAP).

snc_qopQuality of protection level.

1 Secure authentication only.

2 Data integrity protection.

3 Data privacy protection.

9 Use the value from snc/data_protection/max.

snc_mynameSecure Network Communication name of the adapter.


For example (on one line):snc_mode=1|snc_partnername=p:CN=GC8,OU=IdM,O=IBM,C=US|snc_qop=3|snc_myname=p:CN=adapter,OU=IdM,O=IBM,C=US|snc_lib=C:/usr/sap/sapcrypto.dll

Note: For securing multiple SAP systems with single Secure NetworkCommunication certificate, pass same path value for snc_lib in the service formsof all the SAP systems.

Note: These parameters directly correspond to SAP JCO properties for SecureNetwork Communication except that they do not have the jco.client. prefix. Theadapter automatically prepends the string jco.client. before the adapter passesthese parameters to SAP JCO.For more information about the Secure Network Communication parameters, seethe SAP Help Portal.

Verifying the Secure Network Communication setupVerify if you have a proper setup of the Secure Network Communication to ensuresecure communication between the adapter and SAP NetWeaver AS ABAP and toavoid possible configuration issues.

Procedure1. Make sure the following files are in their corresponding folders in the client

system, where the IBM Security Directory Integrator is running.

Folder Files

\usr\sap v sapcrypto.dll

v sapgenpse.exe

v local certificate

v server certificate

\usr\sap\sec v adapter.pse

v cred_v2

v ticket

2. Make sure all the files used from the SAP cryptolibrary packages are unused.3. Make sure the sapcrypto.dll file is a Win32 file. Otherwise, you are prompted

that the sapcrypto.dll file is not a valid Win32 application.4. Use the following command to check the certificate entry in the sapgenpse file:

sapgenpse maintain_pk -l -p <PSE_name> [-x <PIN>]

Where:

-l Returns the list of existing certificates.

-p <PSE_name>Specifies the path and file name for the server's PSE.

-x <PIN>Specifies the PIN that protects the PSE

5. Make sure the entry to USRACLEXT (table) in SM30 (t-code) complies with thefollowing requirements:v Starts with "p"v Contains the details of the local certificatev Does not have any space after a period "."v Includes the canonical name


http://help.sap.com/saphelp_nw70/helpdata/en/d9/e8a740bbaa4d8f8bee6f7b173bd99f/frameset.htm

6. The server certificate name must be selected in STRUST (t-code) when youdownload it.

7. Make sure each parameter in the Optional RFC parameter complies with thefollowing requirements:v Separated using a pipe "|"v Does not have any space after a period "."

Configuring the adapter to send only the role name to SAPSee this topic if you want to send only the role names.

About this task

SAP sets the default start and end date for the role. The start date is the currentdate and the end date is 12-31-9999.

Procedure1. Import the SapNWProfile.jar file on IBM Security Identity Governance and

Intelligence.2. From the Design form, modify the account attribute ersapnwagrname to List box.

Specify the following values.

Table 7. Attributes and values

Attribute Value

searchbase context

attribute erSAPagrname

source attribute erSAPagrname

objectclass erSAProleList

filter (objectclass=erSAProleList )

3. Specify the XSL file names.

Note: Do not change the sequence of the XSL files.

Table 8. XSL file names for a non-CUA systemTable Name Label Name XSL

Reconciliation AdvancedMapping

Search User Basic Iterate Response XSLStylesheet (Single-valued)

v xsl/sapnw_bapi_user_getdetail_postcall_role_only.xsl

Add Advanced Mapping Add User Basic XSL Stylesheets(Multi-valued)

v xsl/sapnw_bapi_user_create.xsl

v xsl/sapnw_bapi_user_disablepassword.xsl

v xsl/sapnw_bapi_user_system_assign.xsl

v xsl/sapnw_bapi_user_change_licensedata.xsl

v xsl/sapnw_bapi_noncua_r_only_assign.xsl

v xsl/sapnw_bapi_user_profiles_assign.xsl

Modify Advanced Mapping Modify User Basic XSL Stylesheets(Multi-valued)

v xsl/sapnw_bapi_user_change.xsl




v xsl/sapnw_bapi_noncua_r_only_assign.xsl

v xsl/sapnw_bapi_user_profiles_assign.xsl

Modify User Basic Lookup Response XSLStylesheet (Single-valued)



Table 9. XSL file names for a CUA systemTabe Name Label Name XSL

Reconciliation AdvancedMapping

Search User Basic Iterate Response XSLStylesheet (Single-valued)


Add Advanced Mapping Add User Basic XSL Stylesheets(Multi-valued)

v xsl/sapnw_bapi_user_create.xsl




v xsl/sapnw_bapi_cua_r_only_assign.xsl

v xsl/sapnw_bapi_user_locprofiles_assign.xsl

Modify Advanced Mapping Modify User Basic XSL Stylesheets(Multi-valued)

v xsl/sapnw_bapi_user_change.xsl




v xsl/sapnw_bapi_cua_r_only_assign.xsl

v xsl/sapnw_bapi_user_locprofiles_assign.xsl

Modify User Basic Lookup Response XSLStylesheet (Single-valued)



Chapter 6. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. This topic provides information and techniques foridentifying and resolving problems that are related to the adapter, includingtroubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problemsCertain common techniques can help with the task of troubleshooting. The firststep in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative findthe cause of the problem. This step includes asking yourself basic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

49

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you use the first suspicious event that you find in adiagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Is a certain sequence of events required for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Remember that justbecause multiple problems might occur around the same time, the problems arenot necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?


v Do multiple users or applications have the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

LogsLogs added to the log file for the adapter or the Dispatcher have a specific format.<Log Level> [<Assembly Line_ProfileName>_<Request Id>]_[<Connector Name>] - <message>

Log LevelSpecifies the logging level that you configured for the adapter. The optionsare DEBUG, ERROR, INFO, and WARN. For information about using thelog4j.properties file to configure logging, see the Dispatcher Installationand Configuration Guide.

Assembly LineSpecifies the name of the assembly line that is logging the information.

ProfileNameSpecifies the name of the profile. Profile names may vary based on theadapter that is running or the operating system.

Request IDSpecifies the number of the request. The Request ID is used to uniquelyidentify a specific request.

Connector NameSpecifies the adapter connector.

MessageSpecifies the informational message .

When the Test button on the SAP NetWeaver Adapter service form is clicked,service, environment and configuration values are sent to the IBM Tivoli DirectoryIntegrator log during the test. The information collected during the test may assistin diagnosing issues.

Error messages and problem solvingA warning or error message might be displayed in the user interface to provideinformation about the adapter or when an error occurs.

This table describes the error messages displayed during run time andcorresponding problem descriptions.

Chapter 6. Troubleshooting 51

Table 10. Error messages and problem descriptions

Error messages Problem descriptions

Test Connection Fails: CTGIMU107WThe connection to the specified service cannotbe established. Verify the service information,and try again.

ibmdi.logCTGIMT401E An error occurred while startingthe AssemblyLines/SapNWTest_SAP -TV2_test-no-requestid_9dbf1884-29b1-11b2-689a-00000a020011 agent. Error:java.lang.ExceptionInInitializerError: Errorgetting the version of the native layer:java.lang.UnsatisfiedLinkError: sapjco3 (Notfound in java.library.path) operation on theIBM Tivoli Directory Integrator server. Error:{1}

Microsoft Visual C++ 2005libraries are not installed, orpermissions for .dll file are notcorrect. Verify installation stepsand permissions.


ibmdi.logCTGDIS067E Unable to find configuration forAssemblyLine SapNWTest_SAP_R/3_NW_test-no-requestid_c41b1d60-28f8-11b2-e832-00001ff87342.]

The service name might containspecial characters that IBM TivoliDirectory Integrator can nothandle, for example “/”.


ibmdi.logCTGDIS809E handleException - cannot handleexception , scriptjava.lang.NoClassDefFoundError:com.sap.conn.jco.ext.DestinationDataProvider

SAP JCo is not installed, orpermissions for .jar file are notcorrect. Verify installation stepsand permissions.

Test Connection Fails: CTGIMU107W The connection to the specified service cannotbe established. Verify the service information,and try again.

ibmdi.logCaused by: java.io.FileNotFoundException:app/itdi611/solution/xsl/sapnw_bapi_errors.properties (No such file ordirectory)

Property and .xsl files are copiedto the wrong directory during theadapter installation, or filepermissions are not correct. Verifyinstallation steps and permissions.


Table 10. Error messages and problem descriptions (continued)



ibmdi.logCTGDIS809E handleException - cannot handleexception , scriptjava.lang.ExceptionInInitializerError: Errorgetting the version of the native layer:java.lang.UnsatisfiedLinkError: sapjco3 (Notfound in java.library.path)

Path for SAP JCo dynamic libraryis not correct. Correct it andrestart the adapter service.


ibmdi.log

Exception Class:org.xml.sax.SAXParseExceptionorg.xml.sax.SAXParseException:Invalid byte 1 of 1-byteUTF-8 sequence.

Java property“–Dfile.encoding=UTF-8” needsto be added. Add the property asdescribed in the InstallationGuide and Release Notes, andrestart the adapter service.


Table 10. Error messages and problem descriptions (continued)


Reconciliation doesn't return all SAP accounts.Reconciliation is successful but some accounts aremissing.

For the adapter to reconcile alarge number of accountssuccessfully, you might need toincrease Websphere's JVMmemory. To do so, complete thefollowing steps on theWebSphere® host machine:Note: The JVM memory shouldnot be increased to a value higherthan the System memory.

1. Login to the WebSphereAdministrative Console.

2. From the left menu, selectServers and then ApplicationServers.

3. A table displays the names ofknown application servers onyour system. Click the link foryour primary applicationserver.

4. On the Configuration tab,select Process Definition.

5. Select the Java VirtualMachine property.

6. Enter a new value forMaximum Heap Size. Thedefault value is 256 MB.

If the allocated JVM memory isnot large enough, an attempt toreconcile a large number ofaccounts using the IBM SecurityAccess Manager Adapter willresult in log file errors, and thereconciliation process will notcomplete successfully. TheAdapter log files will containentries stating ErmPduAddEntryfailed. TheWebSphere_install_dir/logs/itim.log file will containjava.lang.OutOfMemoryErrorexceptions.

Reconciliation of supporting dataAll supporting data can be reconciled through the use of the search filter in thereconciliation query.

To reconcile supporting data only, use the following search filter:(!(objectclass=ersapnwaccount))


The SAP systems can have tens of thousands of roles, profiles, and other supportdata entries. To reconcile accounts only, use the following search filter:(objectclass=ersapnwaccount)

Improving reconciliation operation performanceUse Java settings to improve the performance of reconciliation operation.

Procedure1. Navigate to the JAVA_Home/lib directory.2. Rename jaxp.properties.sample to jaxp.properties.3. In the jaxp.properties file, remove the comment tags for the following

properties:javax.xml.transform.TransformerFactory=

com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpljavax.xml.xpath.XPathFactory=

org.apache.xpath.jaxp.XPathFactoryImpljavax.xml.parsers.SAXParserFactory=

org.apache.xerces.jaxp.SAXParserFactoryImpljavax.xml.parsers.DocumentBuilderFactory=

org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

4. Check the performance of reconciliation operation. If it fails, continue to step 5.5. Set the following system property:

export IBM_JAVA_OPTIONS=-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl

6. Check the performance of reconciliation operation again.For more information about the earlier settings, see the following resources:http://xalan.apache.org/xalan-j/usagepatterns.htmlhttp://www-03.ibm.com/systems/z/os/zos/tools/xml/perform/performjava.htmlhttp://publib.boulder.ibm.com/infocenter/javasdk/v1r4m2/index.jsp?topic=%2Fcom.ibm.java.doc.user.aix64.142%2Fhtml%2Fsdkguide.aix64.htm


http://xalan.apache.org/xalan-j/usagepatterns.html

http://www-03.ibm.com/systems/z/os/zos/tools/xml/perform/performjava.html

http://www-03.ibm.com/systems/z/os/zos/tools/xml/perform/performjava.html

http://publib.boulder.ibm.com/infocenter/javasdk/v1r4m2/index.jsp?topic=%2Fcom.ibm.java.doc.user.aix64.142%2Fhtml%2Fsdkguide.aix64.htm

http://publib.boulder.ibm.com/infocenter/javasdk/v1r4m2/index.jsp?topic=%2Fcom.ibm.java.doc.user.aix64.142%2Fhtml%2Fsdkguide.aix64.htm


Chapter 7. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingan IBM Tivoli Directory Integrator based adapter mainly involves removing theconnector file, and the adapter profile from the IBM Security Identity server.Depending on the adapter, some of these tasks might not be applicable, or therecan be other tasks.

Procedure1. Stop the IBM Security Identity Manager (Dispatcher) Service.2. Remove the SAP NetWeaver Adapter JAR files.

a. Delete SapNWSupport.jar and and SapNWUserConnector.jar from theITDI_HOME/jars/connectors directory.

b. Delete SapNWRfc.jar from the ITDI_HOME/jars/functions directory.3. Remove the adapter stylesheets from the ITDI_HOME/solution/xsl directory.4. Delete the adapter profile from the IBM Security Identity Manager server.

Note: The Dispatcher component must be installed on your system foradapters to function correctly in a IBM Tivoli Directory Integrator environment.When you delete the adapter profile for the SAP NetWeaver Adapter, do notuninstall the Dispatcher.

57


Chapter 8. Reference

Reference information is organized to help you locate particular facts quickly, suchas adapter attributes, registry settings, and environment variables.

Adapter attributes and object classesAdapter attributes and object classes are required for customization, creatingprovisioning rules, and understanding what service/target attributes are supportedby the adapter. The IBM Security Identity server communicates with the adapterby using attributes, which are included in transmission packets that are sent over anetwork.

After you install the adapter profile, the SAP NetWeaver Adapter supports astandard set of attributes.

The following table lists the standard attributes supported by the SAP NetWeaverAdapter.

Table 11. Supported account attributes

IBM SecurityIdentityGovernance andIntelligence Name Attribute Name Description Data Type

Academic title ersapnwacademic Dr., Prof., andso on

SAPpredefinedvalue

Account ersapnwldaccount User accountidentification

Character ornumericstring, whichis not SAPpredefined

AuthorizationProfiles

ersapnwprofile AuthorizationProfiles

SAPpredefinedvalue

Authorization Roles ersapnwagrname Role name Character ornumeric string

Building ersapnwbuilding Buildingnumber

Character ornumeric string

CATT Status ersapnwcatt CATT test status Yes or No

Company ersapnwcompany Company Name String

Cost Center ersapnwcostcenter User cost center Character ornumeric string

Country ersapnwcountry Country keycode of user

Character ornumericstring, SAPcountry key

59

Table 11. Supported account attributes (continued)


Date Format ersapnwdateformat Date format SAPpredefinedvalue, 5 dateformatversions

Decimal Notation ersapnwdecimalpoint Decimalnotation, eitherperiod orcomma


Delete After Print ersapnwprntdelete Delete afterprint


Department ersapnwdepartment Department Character ornumeric string

Email Address ersapnwemailaddress A user can havemore than oneemail address.Refer to theE-mail sectionunder “Specialattributes” onpage 62 formoreinformation.


Fax Number ersapnwprimaryfaxnumber Telefax number Character ornumeric string

Fax extension ersapnwprimaryfaxextension Fax number:extension


Full Name ersapnwfullname Full Name

See “Specialattributes” onpage 62 formore details.

String

Function ersapnwfunction Function of user Character ornumeric string

Given Name ersapnwgivenname First name Character ornumeric string

Group ersapnwusergroups User group SAPpredefinedvalue

InsecureCommunicationPermitted?

ersapnwsncflag Flag that allowsnon-securecommuniation

SAP Boolean

Internet User Alias ersapnwalias Internet useralias

String

Language ersapnwcommlang Language set inthe user'saddress record

String




Last Logged in Date ersapnwlastlogondate Last Logged inDate and timeof SAP User inZULU format.For example,YYYYMMDDHHMMZ.This isread-only

The date andtime is based onthe time zoneused in the SAPNetWeaverserver.Thisattribute will besupported forSAP NetWeaver730 and above.

Character orNumericstring, whichis not SAPpredefined

Logon Language ersapnwdefaultlang User's defaultlogin language

String

Output Device ersapnwoutputdevice Device SAPpredefinedvalue

Password erpassword Password to loginto SAP systemRequired for allrequests.

SAPpredefinedvalue

Personal Time Zone ersapnwtimezone Timezone SAPpredefinedvalue, existingtimezoneremains if aconflict isnoted

Print Immediately ersapnwprntimmediate Printimmediately


Room Number ersapnwroom Room number Character ornumeric string

Security Policy ersapnwsecuritypolicyname Security Policy

This attribute issupported forSAP NetWeaver740 and later.

SAPpredefinedvalue

Set Parameter|value ersapnwparid Parameteridentification

SAPpredefinedvalue

Chapter 8. Reference 61



Set Password asProductive

ersapnwprodpwdflagThis send onlyflag changes theinitial passwordto productivepassword.

See “Specialattributes” formore details.

True or False

Start Menu ersapnwmenu SAP start menu SAPpredefinedvalue

SNC Name ersapnwsncname Printable SNCname

String

Surname ersapnwsurname Last name Input supplied

Telephone Number ersapnwprimaryphonenumber Main telephonenumber


Telephone Extension ersapnwprimaryphoneextension Telephonenumber:extension


Title ersapnwtitle Form ofaddress: Mr.,Mrs., Ms


User Type ersapnwtype User type(A=online,C=CPIC,D=BDC,O=ODC)

SAPpredefinedvalue, between1 and 4,defaults todialog user

UserName eruid User's login ID String

Valid From ersapnwdatefrom Valid from date Up to 6 dataformatversions

Special attributesThe SAP NetWeaver Adapter supports some special attributes that are specific tothe adapter.

Email Address

The SAP email is a multi-valued attribute, which means a user can have more thanone email address. You must designate one email address as the user's "Standard"email. In addition, you can designate an email address to be the "Home" email. Ifonly one email address is to be assigned to the account, ensure that you set boththe "Standard" email and "Home" email options.


To enter an email address on the IBM Security Identity Governance andIntelligence form, you must follow this syntax:a|b|c|da= X for Standard email, or space for not Standard.b= is the email address.c= X for home email, or space for not home.d= is the sequence number, must consist of three digits.

For example, to enter three email addresses for user Jon Doe:X|[email protected]| |001 (standard email)|[email protected]|X|002 (home email)|[email protected]| |003 (other email)

Or, to enter one email address as the standard and home:X|[email protected]|X|001

CUA License Data

To edit license data for CUA systems, the adapter schema supports an attributenamed "ersapnwliccuadata". This attribute is a multivalued attribute that enablesthe management of CUA License Data. This attribute is exposed on the CUASystems License Data tab. The ersapnwliccuadata attribute consists of nine valuesthat are delimited by pipes and contains no white space. Any data input by theCUA Systems License Data tab overwrites the CUA license data in SAP NetWeaverfor the account.

The format of the ersapnwliccuadata attribute is:<CUA System Name>|<ersapnwlicutype>|<ersapnwlicspecver>|<ersapnwlicsurchrg>|<ersapnwlicsubfrom>|<ersapnwlicsubto>|<ersapnwlicsysid>|<ersapnwlicclient>|<ersapnwlicbname>|

The previous values have the following meanings:v CUA System Name: CUA Logical system namev ersapnwlicutype: Contractual User Typev ersapnwlicspecver: Assignment to special versionv ersapnwlicsurchrg: Country surchargev ersapnwlicsubfrom: Substitute date fromv ersapnwlicsubto: Substitute date tov ersapnwlicsysid: Chargeable user SAP systemv ersapnwlicclient: Chargeable user clientv ersapnwlicbname: Chargeable user name

CUA license data must be input in the CUA Systems License Data tab by using theformat that is specified for the ersapnwliccuadata attribute. Some examples ofindividual entries are:AA1CLNT100|11||0|||AA2|300|HSMITH|AA5CLNT110|01|91|0||||||

Set Password as Productive

This attribute is supported by both Add and Modify operation. Select this attributeto make the existing password Productive (Permanent). Otherwise, the password isInitial (Temporary). This attribute is available in account form. As such, to select

Chapter 8. Reference 63

between productive and initial password during the Password change operation,complete a Modify operation prior to the Password change operation to change theflag.

Note: This is a send only attribute. The value of the flag is not stored in IBMSecurity Identity Governance and Intelligence.

Full Name

Pass the full name of the user to this attribute. The full name is reflected in NWagainst the FORMAT attribute (in SU01) for any string value that is passed exceptfor blank spaces. If the value is blank space or empty, then the FORMAT attribute(in SU01) combines the First name and Last Name that are available in the NWaccount.

Adapter configuration propertiesFor guidance on setting IBM Tivoli Directory Integrator configuration propertiesfor the operation of the SAP NetWeaver Adapter, see the Dispatcher Installation andConfiguration Guide.


Index

Aadapter

attribute 59details tab, attributes 23features 1installation 9installation worksheet 8JAR files 11profile

differences 13style sheets 10supported configurations 2uninstall 57

add advanced mapping tab, attribute 26after installation 31architecture of the adapter 1

Ccertificate

public, adapter 43change password advanced mapping tab,

attributes 27components 11configuration

information 28productive password 41properties 64Secure Network Communication 41settings 15

connection test 28CUA

master server 15status 32

customizing adapter profile 31

Ddelete advanced mapping tab,

attribute 26dispatcher

attributes tab 27installation 10location 10

Dispatcher JVM properties 14

Eerror messages 51

Ffirst steps 31

Hheterogeneous SAP systems

productive password 40

heterogeneous SAP systems (continued)Secure Network Communication 40

Iinstallation

adapter 9preparation 5, 9troubleshooting 49uninstall 57verify 15worksheet 8

JJAR file 31JCo pachage 11

Llog level 51logging information format 51

Mmodify advanced mapping tab,

attributes 26

Oobject classes 59operating system prerequisites 6overview of the adapter 1

Ppassword

heterogeneous SAP systems 40productive 40

performance 55Person Security Environment,

adapter 42prerequisite requirements 9productive password

adapter public certificate,importing 43

configuration 41heterogeneous SAP systems 40Person Security Environment,

adapter 42public certificate, adapter 43SAP Cryptographic Library 41Secure Network Communication 41service form parameters 45user account, adapter 45

Rreconciliation

advanced mapping tab, serviceattribute 27

operation 55supporting data 54

restore advanced mapping tab,attributes 27

runtime 51

SSAP connection details tab, attributes 24SAP Cryptographic Library 41SAP Java Connector (JCo) 11SAP JCo upgrade 29SAP NetWeaver Adapter

architecture 1customizing 40overview 1properties 64special attributes 62upgrade 29

SAP NWGRC profile 13profile 13

SAP RFC 32SAP role details tab, attribute 26service

restart 16start 16stop 16

service form parameters, productivepassword 45

softwarerequirements 6

supported configurationsadapter 2overview 2

supporting data 54suspend advanced mapping tab,

attribute 26

Ttroubleshooting

adapter installation 49identifying problems 49techniques for 49

troubleshooting and supporttroubleshooting techniques 49

Uunicode 14uninstallation 57upgrade

adapter 29service configuration form 29

65

user account, adapter 45

Vverification

dispatcher installation 10installation 15operating system

prerequisites 6requirements 6

softwareprerequisites 6requirements 6

XXSL style sheets 32


IBM®

Printed in USA

Documents

and Configura tion Guidepublic.dhe.ibm.com/software/security/products/isim/adapters/igi/igi... · certificate into the Person Security Envir onment of the adapter ..... . 44 Allowing