Tivoli® Identity Manager
Adapter for SAP NetWeaver AS ABAP
Installation and Configuration Guide
Version 4.6
SC32-1194-11


Note

Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 71.

Eleventh Edition (November, 2006)

This edition applies to version 4.6.6 of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous editions.

© Copyright International Business Machines Corporation 2004, 2005, 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite Product Publications
  Related Publications
  Accessing publications online
  Accessibility
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system differences
  Definitions for HOME directory variables
Chapter 1. Overview
Chapter 2. Adapter Installation
  Requirements
  Step 1: Testing Network Connectivity
  Step 2: Installing the Adapter
  Step 3: Importing the Transport Files
  Step 4: Activating the Adapter as a Service
  Step 5: Configuring the Adapter
  Step 6: Installing the Adapter’s Certificate
  Step 7: Installing the Adapter’s Profile
  Step 8: Configuring the Adapter’s Forms
Chapter 3. Adapter Profile Installation
  Introduction
  Requirements
  Installing the Adapter Profile
  Verifying the Adapter Profile is Installed
Chapter 4. Adapter Parameters Modification
  Accessing the Adapter Configuration Tool Main Menu
  Viewing Configuration Settings
  Changing Protocol Configuration Settings
  Adding a Protocol
  Removing a Protocol
  Configuring a Protocol
  Setting Event Notification
  Setting Attributes to be Reconciled
  Modifying an Event Notification Context
  Changing the Configuration Key
  Changing Activity Logging Settings
  Changing Registry Settings
  Modifying Non-encrypted Registry Settings
  Modifying Encrypted Registry Settings
  Multi-instance Settings
  Changing Advanced Settings
  Viewing Statistics
  Changing code page settings
  Accessing Help and Additional Options
Chapter 5. Certificate Installation
  Introduction
  Overview of SSL and Digital Certificates
  Basic Configuration for Server-to-Adapter SSL
  Clustered Tivoli Identity Manager Configuration
  Accessing the Certificate Configuration Tool Main Menu
  Generating a Private Key and Certificate Request
  Example of Certificate Request Script
  Example of request.pem File
  Installing the Certificate from a File
  Installing the Certificate and Key from a PKCS12 File
  Viewing Installed Certificates
  Viewing CA Certificates
  Installing a CA Certificate
  Deleting a CA Certificate
  Viewing Registered Certificates
  Registering a Certificate
  Unregistering a Certificate
  Exporting a certificate and key to PKCS12 file
Appendix A. Adapter Variables
  Variable Descriptions
  Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions
  System Login Add
  System Login Change
  System Login Delete
  System Login Suspend
  System Login Restore
  Reconciliation
Appendix B. SAP Account Requirements
  SAP Objects
  SAP User
Appendix C. Additional Installation Options
  Installation Options
  Setup Arguments
  Adapter Removal
Appendix D. Example Deployment Scenarios
  Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking
  Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking
Appendix E. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support
Appendix F. Notices
  Trademarks

Preface

The IBM® Tivoli® Identity Manager Adapter for SAP® NetWeaver AS ABAP® enables connectivity between the IBM and a network of systems running SAP NetWeaver AS ABAP. This document describes the procedural steps that are required to install and configure the adapter.

This document assumes that both Tivoli Identity Manager and SAP NetWeaver AS ABAP are installed, configured and running on your network. No details are provided regarding the installation and configuration of these products, except where necessary to achieve integration.

Who should read this book

This manual is intended for security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand security administration concepts.

The person completing the installation procedure should also be familiar with their site’s system standards. Readers should be able to perform routine security administration tasks.

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite Product Publications” on page vii and the “Related Publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:

• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:

• IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
• IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.

Online user assistance:

Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:

IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:

IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:

• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:

The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

Browse to the Other resources, and click the link for the current inventory of adapters.

Skills and training:

The following additional skills and technical training information were available at the time that this manual was published:

• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:

• Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related Publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E, “Support information,” on page 67.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text

Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values you must provide

Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path for the Windows operating system is drive:\Program Files. The value of path for the AIX operating system is /usr. The value of path is /opt for other UNIX and Linux operating systems.

Path Variable: DB_INSTANCE_HOME
Default Definition:
  Windows: path\IBM\SQLLIB
  UNIX and Linux:
    • AIX, Linux: /home/dbinstancename
    • Solaris: /export/home/dbinstancename
Description: The directory that contains the database for Tivoli Identity Manager.

Path Variable: LDAP_HOME
Default Definition:
  • IBM Directory Server
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
  • Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
Description: The directory that contains the directory server code.

Path Variable: HTTP_HOME
Default Definition:
  Windows: path\IBMHttpServer
  UNIX and Linux: path/IBMHttpServer
Description: The directory that contains the IBM HTTP Server code.

Path Variable: ITIM_HOME
Default Definition:
  Windows: path\IBM\itim
  UNIX and Linux: path/IBM/itim
Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path Variable: WAS_HOME
Default Definition:
  Windows: path\WebSphere\AppServer
  UNIX and Linux: path/WebSphere/AppServer
Description: The WebSphere Application Server home directory

Path Variable: WAS_MQ_HOME
Default Definition:
  Windows: path\IBM\WebSphereMQ
  UNIX and Linux: path/mqm
Description: The directory that contains the WebSphere MQ code.

Path Variable: WAS_NDM_HOME
Default Definition:
  Windows: path\WebSphere\DeploymentManager
  UNIX and Linux: path/WebSphere/DeploymentManager
Description: The home directory on the deployment manager

Path Variable: Tivoli_Common_Directory
Default Definition:
  Windows: path\IBM\Tivoli\Common\CTGIM
  UNIX and Linux: path/IBM/Tivoli/Common/CTGIM
Description: The central location for all serviceability-related files, such as logs and first-failure capture data

Chapter 1. Overview

This installation guide provides all of the basic information necessary to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. On successful installation, the adapter enables IBM Tivoli Identity Manager to provision access to your network’s SAP NetWeaver AS ABAP resources.

The basic procedures required to install, configure, and run the adapter are as follows:

• Install the adapter software.
• Activate the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP as a service on the adapter’s system.
• Configure the adapter’s communication protocols to enable the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP to communicate with the Tivoli Identity Manager Server.
• Install the adapter’s profile on the Tivoli Identity Manager Server.
• Configure the Tivoli Identity Manager Server to recognize the adapter as a service.

Chapter 2. Adapter Installation

This chapter describes the steps required to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP software. You must complete the steps in the order they are listed.

This chapter has the following sections:

• “Requirements”
• “Step 1: Testing Network Connectivity”
• “Step 2: Installing the Adapter”
• “Step 3: Importing the Transport Files”
• “Step 4: Activating the Adapter as a Service”
• “Step 5: Configuring the Adapter”
• “Step 6: Installing the Adapter’s Certificate”
• “Step 7: Installing the Adapter’s Profile”
• “Step 8: Configuring the Adapter’s Forms”

Requirements

The following sections identify the hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Verify that all of the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.

System

The adapter must be installed on a server with a 32-bit x86-based microprocessor (486 minimum), at least 512 MB of memory, and at least 300 MB of free disk space.

Operating System

Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2.
Solaris version 2.8
AIX 5.x

SAP NetWeaver AS ABAP Software

SAP 4.6C, 4.6D, 6.10, 6.20, 6.40 or 7.00 must be installed and operational on a system that is accessible from the machine where the adapter is installed. The adapter will work with the SAP system even if the Central User Administration (CUA) feature is installed and configured.

Note: Each SAP NetWeaver AS ABAP 4.6 system must be patched to the following levels or higher:

• ABA Support Package 22 for 4.6C
• R/3 Support Package 21 for 4.6C
• Basis Support Package 31 for 4.6C
• R/3 HR Support Package 27

Each SAP NetWeaver AS ABAP 6.20 system should be patched at the following levels or higher:

• SAP_BASIS 620 0042 SAPKB62043
• SAP_ABA 620 0042 SAPKA62043

Each SAP NetWeaver AS ABAP 6.40 system should be patched at the following levels or higher:

• SAP_BASIS 640 0000
• SAP_ABA 640 0000

Each SAP NetWeaver AS ABAP 700 system should be patched at the following levels or higher:

• SAP_BASIS SAPKB70000
• SAP_ABA SAPKA70000

The adapter also requires the 32-bit SAP SDK runtime library (for Win32 it is librfc32.dll, for Solaris it is librfccm.so, for AIX it is librfccm.o). Get this library from the SAP presentation CDs or download it from the SAP Market Place Web site. After installing the adapter, place this library in the adapter’s lib directory or set your path to make it accessible.

For Solaris, export the environment variable LD_LIBRARY_PATH to include the adapter’s lib directory with a command such as the following:

    export LD_LIBRARY_PATH=Adapter_Install_dir/lib:$LD_LIBRARY_PATH

For AIX, export the environment variable LIBPATH to include the Agent’s lib directory with a command such as the following:

    export LIBPATH=Agent_Install_dir/lib:$LIBPATH

For Windows, place the library in either the system32 directory or the adapter’s bin directory, or set the Path environment variable to make it accessible.

The adapter will not run without this library!
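The export commands above decide which copy of the RFC library the adapter loads, so the resulting search path is worth checking before the adapter is started. The following shell function is an added example, not part of the IBM guide: it walks a search path in order and reports where librfccm.so is first found, along with empty, relative, or world-writable entries. The name audit_lib_path and the scratch directories in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide. audit_lib_path is a hypothetical helper.
# It walks a colon-separated linker search path (LD_LIBRARY_PATH on Solaris,
# LIBPATH on AIX) in order and only reads the file system.
#
# audit_lib_path LIBRARY_FILE SEARCH_PATH
#   prints one finding per line
#   returns 0 = library found, no warnings; 1 = warnings; 2 = library not found
audit_lib_path() {
    lib=$1
    rest="$2:"      # trailing ':' terminates every entry, so empty ones survive
    found=""
    warnings=0
    pos=0

    while [ -n "$rest" ]; do
        dir=${rest%%:*}     # text before the first ':'
        rest=${rest#*:}     # text after the first ':'
        pos=$((pos + 1))

        if [ -z "$dir" ]; then
            # "dir:$VAR" with VAR unset leaves an empty entry; some runtime
            # linkers (glibc's, for one) read it as the current directory.
            echo "WARN entry $pos is empty"
            warnings=1
            continue
        fi
        case $dir in
            /*) ;;
            *)  echo "WARN entry $pos is relative: $dir"
                warnings=1
                continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "INFO entry $pos is not a directory: $dir"
            continue
        fi
        # Character 9 of the ls mode string is the write bit for "other".
        case $(ls -ld "$dir" | cut -c1-10) in
            ????????w?)
                echo "WARN entry $pos is world-writable: $dir"
                warnings=1 ;;
        esac
        if [ -f "$dir/$lib" ]; then
            if [ -z "$found" ]; then
                found=$dir
                echo "OK   first copy of $lib is in entry $pos: $dir"
            else
                echo "INFO entry $pos holds a shadowed copy of $lib: $dir"
            fi
        fi
    done

    if [ -z "$found" ]; then
        echo "FAIL $lib not found on the search path"
        return 2
    fi
    return $warnings
}

# Constructed demo: a scratch directory stands in for Adapter_Install_dir and an
# empty file stands in for librfccm.so.
demo_root=$(mktemp -d)
adapter_lib="$demo_root/adapter/lib"
mkdir -p "$adapter_lib"
chmod 755 "$adapter_lib"
: > "$adapter_lib/librfccm.so"

OLD_PATH=""     # simulates LD_LIBRARY_PATH being unset before the export

# Form used in the guide: with no previous value it yields "dir:".
audit_lib_path librfccm.so "$adapter_lib:$OLD_PATH" || echo "status $?"

# Same intent, but the ':' is added only when a previous value exists.
audit_lib_path librfccm.so "$adapter_lib${OLD_PATH:+:$OLD_PATH}" || echo "status $?"

rm -rf "$demo_root"
```

On a real host, pass "$LD_LIBRARY_PATH" (Solaris) or "$LIBPATH" (AIX) as the second argument, with the library file name for that platform as the first.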

SAP Authority

The administrator installing the Tivoli Identity Manager Adapter must have general SAP Basis resources to perform a transport import of RFC (Remote Function Call) and related objects as well as set up OS-specific directories and authorizations. The Security Administrator must create the CPIC (Common Programming Interface for Communications) or System user for use by the adapter to connect to the SAP NetWeaver AS ABAP system via the external RFC interface.

SAP User

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user must be authorized to perform user account administration:

• Add
• Modify
• Delete
• Lock
• Unlock
• Retrieve user detail
• Retrieve supporting data
• Set, unset and retrieve HR infotype 0105 (Communication) subtypes only if the SAP HR module is installed on a SAP system in your SAP environment.

To perform these tasks, the user should, at a minimum, be assigned a Role that has at least the following SAP authorization objects assigned to it. You may wish to create a specific Role only for use by this SAP user account. This can be accomplished using transaction SU02 via the SAP GUI.

• S_RFC (SAP R/3 6.20)
• S_RFCACL (SAP R/3 6.20)
• S_TABU_DIS
• S_USER_GRP
• S_USER_AGR
• S_USER_PRO
• S_USER_SYS
• P_ORGIN (Required for HR linking only)

In addition, the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user type should be set to Communication (CPIC) or System and not Dialog.

SAP Transport Files

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

requires custom RFCs and BAPIs. These custom RFCs and BAPIs are

provided in transport files packaged with the adapter and are therefore

only available after adapter installation. These transport file packages must

be imported into your SAP system prior to running the adapter. The

transport files you must import into your SAP system vary depending on

your site’s configuration of SAP. The adapter will not function without one

of these transport files in place. Select the transport file based on the

version of your SAP system.

The transport files WITHOUT HR Linking are as follows:

• For NON-CUA (4.6C, 4.6D and 6.10):
  – TV2K900065 (cofile = K900065.TV2, data = R900065.TV2)
• For NON-CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900069 (cofile = K900069.TV2, data = R900069.TV2)
  – Unicode:
    - TV1K900228 (cofile = K900228.TV1, data = R900228.TV1)
• For CUA (4.6C, 4.6D and 6.10):
  – TV2K900067 (cofile = K900067.TV2, data = R900067.TV2)
• For CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900071 (cofile = K900071.TV2, data = R900071.TV2)
  – Unicode:
    - TV1K900230 (cofile = K900230.TV1, data = R900230.TV1)
• For HR InfoType 0105 Support, import one of the transport files below into the targeted SAP HR system. These transports contain the functionality to link the HR Personnel record to the SAP user account by assigning the account an SAP HR Personnel Number. You can link the HR record in both CUA and non-CUA SAP environments. If your HR system is a child system in a CUA environment, three actions are required for the adapter to link HR personnel records:
  1. Import one of TV2K900100 or TV1K900411 into the CUA Master system. Then import the CUA Master transport into the CUA master system.
  2. Import the non-CUA transport into your child system.
  3. An RFC destination of type R3 Connection must exist in the CUA master system. This RFC destination will connect to your HR system. The Gateway services file on the CUA Master system must be configured for the gateway service of your HR system. There should already be an RFC Destination to the child HR System which is used as part of the CUA configuration. If you do not wish to use this RFC destination then you can create one. An RFC destination requires the following details:
     – SAP user account on HR system with HR authorization.
     – SAP user account password on HR system.
     – HR system’s host name or IP address.
     – HR system’s SAP system number.
     Use the SAP GUI transaction SM59 to create RFC destinations.

The transports WITH HR linking are as follows:

• For NON-CUA (4.6C, 4.6D and 6.10):
  – TV2K900096 (cofile = K900096.TV2, data = R900096.TV2)
• For NON-CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900098 (cofile = K900098.TV2, data = R900098.TV2)
  – Unicode:
    - TV1K900409 (cofile = K900409.TV1, data = R900409.TV1)
• For CUA (4.6C, 4.6D and 6.10):
  – TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
  – TV2K900097 (cofile = K900097.TV2, data = R900097.TV2)
• For CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
    - TV2K900099 (cofile = K900099.TV2, data = R900099.TV2)
  – Unicode:
    - TV1K900411 (cofile = K900411.TV1, data = R900411.TV1)
    - TV1K900410 (cofile = K900410.TV1, data = R900410.TV1)

These transport files contain custom RFCs (BAPIs), data elements and

tables used by the adapter in various operations:

Table 1. Transport Identifiers and Contents

Transport Identifier   Unicode   HR    CUA   Transport Contents

TV2K900065             NO        NO    NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                             /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                             /TIVSECTY/TIM_USER_ADD_46C (RFC)

TV2K900096             NO        YES   NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                             /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                             /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                             /TIVSECTY/TIM_USER_HR_620 (RFC)

TV2K900067             NO        NO    YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                             /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                             /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)

TV2K900097             NO        YES   YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                             /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                             /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)
                                             /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                             /TIVSECTY/TIM_READ_TABLE_620

TV2K900069             NO        NO    NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)

TV2K900098             NO        YES   NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_HR_620 (RFC)

TV2K900071             NO        NO    YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)

TV2K900099             NO        YES   YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)
                                             /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                             /TIVSECTY/TIM_READ_TABLE_620 (RFC)

TV2K900100             NO        YES   YES   /TIVSECTY/HRDELIMITDATE (Data Element)
                                             /TIVSECTY/P0105NL (Table)

TV1K900228             YES       NO    NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)

TV1K900409             YES       YES   NO    /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_HR_620 (RFC)

TV1K900230             YES       NO    YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)

TV1K900410             YES       YES   YES   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                             /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                             /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                             /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                             /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                             /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                             /TIVSECTY/TIM_SYSTEMS (Structure)
                                             /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                             /TIVSECTY/TIM_READ_TABLE_620 (RFC)

TV1K900411             YES       YES   YES   /TIVSECTY/HRDELIMITDATE (Data Element)
                                             /TIVSECTY/P0105NL (Table)

Network Connectivity

The adapter must be installed on a system that can communicate with the

Tivoli Identity Manager Server through a TCP/IP network.

System Administrator Authority

The person completing the Tivoli Identity Manager Adapter for SAP

NetWeaver AS ABAP installation procedure must have system

administrator authority to complete the steps in this chapter.

Server Communication

Communication between the Tivoli Identity Manager Server and the Tivoli

Identity Manager Adapter for SAP NetWeaver AS ABAP should be tested

with a low-level communication ping before installing any IBM software.

This makes troubleshooting easier if you encounter installation problems.

Step 1: Testing Network Connectivity

This step tests basic network connectivity and file transfer capability. Testing is

done between the Windows workstation where the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP will be installed, and the workstation where

the Tivoli Identity Manager Server is or will be located.


You must issue a ping command from the Tivoli Identity Manager to the

designated adapter workstations to verify communication.

1. Log on to the host running the SAP NetWeaver AS ABAP Adapter.

2. Test communication between the Tivoli Identity Manager Server and the host

running the SAP NetWeaver AS ABAP Adapter:

# ping ITIM_Server_host_name/IP_address

3. Test communication between the host running the SAP NetWeaver AS ABAP

Adapter and the host running SAP NetWeaver AS ABAP Server. You will need

to know the SAP instance number for this step (default SAP NetWeaver AS

ABAP installations have the instance number 00). If the instance number is

different, make the port number below 33<instance_number>. If the instance

number was 80, then the port would become 3380 in the telnet command:

telnet SAP_NetWeaver_AS_ABAP_Server_host_name/IP_address 3300

Step 2: Installing the Adapter

An executable installation program is provided for the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP. When you run the installation program,

you can accept the default settings or select new values.

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.

To install the adapter, do the following:

1. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

installation zip file from IBM’s Web site.

2. Extract the contents of the Tivoli Identity Manager Adapter for SAP

NetWeaver AS ABAP installation zip file into a temporary directory.

3. Complete one of the following:

For a Tivoli Identity Manager Adapter installed on a UNIX platform:

a. Change the working directory to the temporary directory where

you extracted the profile installation file.

# cd /tmp

where tmp is the path of the directory containing the adapter

installation file.

b. Run the Tivoli Identity Manager Adapter for SAP NetWeaver AS

ABAP adapter installation binary that is appropriate for your

operating system.

# ./SapAgent/install/Agent/SAPAgentSetup_operating system.bin

where operating system is the name of your operating system, such

as aix or solaris.

For a Tivoli Identity Manager Adapter installed on Windows:

Select Run... from the Start menu and type the path to the temporary

directory followed by SapAgent\install\agent\SapAgentSetup_win32.exe. For example:

C:\Temp\SapAgent\install\agent\SapAgentSetup_win32.exe

The Welcome dialog window appears.

4. Click Next.

The License dialog window appears.

5. Read the License agreement and select the I accept option to continue.

6. Click Next.

The Select Destination Directory dialog window appears.

Figure 1. Select Destination Directory dialog window

7. Accept the default or select an alternate destination path and click Next.

The Install Summary dialog window appears.

8. Click Next.

The SAP NetWeaver AS ABAP Instance Setup dialog is displayed.

9. In the respective fields, type the SAP NetWeaver AS ABAP instance name and the password for the CPIC SAP user account that the adapter will use and click Next.

The SAP NetWeaver AS ABAP enter more instances dialog is displayed. To enter more instances select Yes and repeat this step for as many SAP NetWeaver AS ABAP instances as required. Otherwise select No.

10. Click Finish.

11. Check that the installation directory has been created as specified in step 7. Make the SAP SDK shared library accessible by the adapter.

For Solaris:

Copy the SAP SDK library (librfccm.so) into the adapter’s lib directory, and then export the environment variable LD_LIBRARY_PATH to include the adapter’s lib directory with a command such as this.

    export LD_LIBRARY_PATH=adapter_install_dir/lib:$LD_LIBRARY_PATH

For AIX:

Copy the SAP SDK library (librfccm.o) into the adapter’s lib directory, and then export the environment variable LIBPATH to include the adapter’s lib directory with a command such as this.

    export LIBPATH=adapter_install_dir/lib:$LIBPATH

For Windows:

Copy the SAP SDK library (librfc32.dll) into either the system32 directory, the adapter’s bin directory, or set the Path environment variable to make it accessible. If you already have the SAP GUI installed on this Windows host, a version of the SAP SDK library should already exist in the system32 directory.

12. Locate the transport files in the adapter’s transports directory. Give the COFILES and the DATA files to your SAP BASIS administrator to import into all targeted SAP NetWeaver AS ABAP systems. As these transports are client independent, ensure that your transport landscape allows for this before importing. The next section describes the transport import procedure.

Note: By setting the transport landscape up appropriately, you will be sure not to import the transports into clients that do not need them (even though importing the transport files into other clients will not have any impact on them). The imported function modules and data structures can be removed via a new transport/change request if required.

Step 3: Importing the Transport Files

Note: IBM recommends that these imports be performed by a SAP Basis

Administrator.

For the adapter to function, it is necessary to import one of the transport file sets described above. You must first copy the transport set to the transport directory in each mySAP.com landscape, so that the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP can communicate with your target SAP systems. For demonstration purposes the following instructions refer to the transport TV2K900045 as an example. You will need to repeat these steps for each transport in your required transport file set as defined in the table above.

Before you begin the transport import process, complete the following steps:

1. Locate the transport files in the transports installation subdirectory for the

adapter. For example, on a Windows installation this would be

C:\Tivoli\Agents\SapAgent\transports.

2. Copy the transport files to the application server that will be used to execute

the import:

a. Copy all files in the cofiles subdirectory (K900045.TV2) in ASCII format to

the /usr/sap/trans/cofiles directory. Ensure that the files have write

permission.

b. Copy all files in the data subdirectory (R900045.TV2) in binary format to the

/usr/sap/trans/data directory. Ensure that the files have write permission.

c. Ensure that the files are owned by the group sapsys.

3. Perform the following prerequisite checks before beginning the import process:

a. The transport and correction system must be already configured and

functioning.

b. The target system must be properly defined within a transport domain.
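The staging requirements in step 2 above (cofile and data file present, writable, and owned by the group sapsys) can be checked before the import with a script such as the following. This is an added example, not part of IBM's guide; the function names and the script name check_transport.sh are hypothetical, and the world-writable test is an extra check that the guide does not ask for.

```shell
#!/bin/sh
# Added example, not part of IBM's guide. Function names are hypothetical.
# Checks that the cofile and data file for one transport are staged the way
# the guide requires before "tp import" or STMS is used.

# Print "<cofile> <data file>" for a transport identifier.
# TV2K900045 -> "K900045.TV2 R900045.TV2", the naming shown in the guide.
transport_files() {
    tf_id=$1
    # Shape used in the guide: three-character prefix, 'K', six digits.
    case $tf_id in
        [A-Z0-9][A-Z0-9][A-Z0-9]K[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *)  echo "invalid transport identifier: $tf_id" >&2
            return 2 ;;
    esac
    tf_sid=${tf_id%???????}     # leading three characters, e.g. TV2
    tf_num=${tf_id#????}        # six digits after the K, e.g. 900045
    echo "K$tf_num.$tf_sid R$tf_num.$tf_sid"
}

# check_transport <trans_dir> <transport_id> [group]
# Returns 0 when both files pass every check, 1 when any check fails,
# 2 when the identifier is malformed. One line is printed per finding.
check_transport() {
    ct_dir=$1
    ct_group=${3:-sapsys}
    ct_names=$(transport_files "$2") || return 2
    ct_rc=0
    for ct_file in "$ct_dir/cofiles/${ct_names% *}" "$ct_dir/data/${ct_names#* }"; do
        if [ ! -f "$ct_file" ]; then
            echo "MISSING        $ct_file"
            ct_rc=1
            continue
        fi
        # Guide: "Ensure that the files have write permission."
        # -w tests writability for the user running this script.
        if [ ! -w "$ct_file" ]; then
            echo "NOT WRITABLE   $ct_file"
            ct_rc=1
        fi
        # Guide: the files must be owned by the group sapsys.
        ct_owner_group=$(ls -ld "$ct_file" | awk '{print $4}')
        if [ "$ct_owner_group" != "$ct_group" ]; then
            echo "WRONG GROUP    $ct_file ($ct_owner_group, expected $ct_group)"
            ct_rc=1
        fi
        # Extra check, not from the guide: a world-writable transport file
        # could be altered by any local account before it is imported.
        ct_mode=$(ls -ld "$ct_file" | awk '{print $1}')
        case $ct_mode in
            ????????w*)
                echo "WORLD WRITABLE $ct_file ($ct_mode)"
                ct_rc=1 ;;
        esac
    done
    return $ct_rc
}

# Run directly, e.g.: sh check_transport.sh /usr/sap/trans TV2K900045
if [ "$#" -ge 2 ]; then
    check_transport "$@"
fi
```

Run it once for each transport in the required set; a non-zero exit status means at least one file is not staged as the guide describes.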

You can now perform the transport import. This procedure can be performed either from the command line or by using the Transport Management System.

Using the Transport Management System:

1. Log into the SAP GUI with a mySAP.com SAP GUI administrator account.

2. Display the Transport Management System. Either:
   • Run transaction STMS, or
   • Select Tools then Administration, then Transport, then Transport Management System.

3. Display the available mySAP.com system import queues. Either:
   • Click the Import Overview icon, then click Display Import Queue, or
   • Double-click the target system in the Import Overview window.

4. Add the transport to the buffer. If the transports already exist in the buffer, proceed to the next step. If the buffer does not exist, perform the following steps:
   a. From the Extras menu, select Other Requests then Add to display the Add Transport Request to Import Queue dialog.
   b. In the Transp. request field, enter the transport name that you want to add, such as TV2K900045. Click the icon with the green check on it and then click Yes on the confirmation dialog.

5. Import the transport as follows:
   a. From the Import Queue window, select the transport.
   b. From the Request menu, select Import to display the Import Transport Request dialog.
   c. In the Target client field, select the target client from the drop-down list. Click the icon with the green check on it and then click Yes on the confirmation dialog.

6. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.

Note: A mySAP.com developer key is required to activate the objects.

Using the command line:

1. Log on to the target SAP system host machine as the mySAP.com

administrator and change to the /usr/sap/trans/bin directory.

2. Show the current contents of the transport buffer:

tp showbuffer sid

where sid is the three-character identifier of your mySAP.com system.

3. Verify that there are no other transports included in the transport

buffer.

4. Add the transport to the buffer:

tp addtobuffer TV2K900045 sid

5. Verify that the transport has been placed in the buffer:

tp showbuffer sid

6. Import the transport:

tp import TV2K900045 sid

7. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.

Step 4: Activating the Adapter as a Service

If the Tivoli Identity Manager Agent for SAP NetWeaver AS ABAP was installed

on a Windows host, a service is created for starting and stopping the agent.

On UNIX platforms, the agent is deployed with script files to start and stop the

agent. The following scripts are located in the bin directory of the agent

installation:

• StopAgent.sh
• StartAgent.sh

Use the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service or

scripts to start the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

software on the target platform.

Step 5: Configuring the Adapter

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses the

DAML protocol to ensure secure communication with the Tivoli Identity Manager

Server. Default protocol values are provided. However, you must configure the

DAML protocol for your site’s systems. Refer to “Changing Protocol Configuration

Settings” on page 21 for more information.

Step 6: Installing the Adapter’s Certificate

A certificate must also be installed for the DAML protocol. You must obtain a

production certificate from a well-known Certificate Authority or create your own

certificate using your own Certificate Authority. The Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP does not come prepackaged with a

certificate. Refer to Chapter 5, “Certificate Installation,” on page 37 for more

information about installing certificates.

When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. For more information, refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide, specifically the sections marked “Preparing to install adapters”.

Note: You must configure the DAML protocol before installing your certificate.

Stop and restart the adapter after the certificate is installed.

Step 7: Installing the Adapter’s Profile

Before an adapter can be added as a service to the Tivoli Identity Manager Server,

the server must have a service profile to recognize the adapter as a service. See

Chapter 3, “Adapter Profile Installation,” on page 17 for more information on

installing the adapter’s profile on the Tivoli Identity Manager Server.

Note: If this is an upgrade of an existing adapter, the new adapter schema will not be reflected immediately. The Tivoli Identity Manager system stores the adapter schema in memory. However, this cache is periodically refreshed and the new adapter schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the adapter schema immediately.

Step 8: Configuring the Adapter’s Forms

Configure the adapter’s service maintenance and account maintenance forms on

the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager

Information Center for more information.

When adding the adapter as a Tivoli Identity Manager Service to the Tivoli

Identity Manager Server, the following SAP connection parameters must be

defined:

Table 2. Service Attributes

ITIM Service Attribute Name
    ITIM Service Attribute Description

SAP System Version
    Legacy Service attribute. The adapter officially only supports 4.6C to WAS 6.20. Recommended value is 46C+.

SAP Client Instance Name
    Required Service Attribute. This is the SAP instance name for the SAP instance you are connecting to.

Interface with CUA?
    Optional Service Attribute. Check this radio button if the adapter is provisioning to a Central User Administration (CUA) SAP client.

Do Not Force Password Change?
    Optional Service Attribute. Check this radio button if you want to disable SAP’s password reset functionality. Required to synchronize passwords across other Tivoli Identity Manager accounts for this identity.

Disable Admin Unlock On Restore?
    By default users will not be allowed to restore their account if the account was locked by an administrator. Check this radio button if you want to allow users to restore their account after it has been locked by an administrator.

Unlock Account On Password Change?
    Optional Service Attribute. Check this radio button if you want the adapter to perform a secondary unlock action on a password change request. If activated, the account will be unlocked if the reason for its lock state was too many failed login attempts.

Display Indirectly Assigned Roles?
    Optional Service Attribute. Check this radio button if you want to have Roles assigned indirectly reconciled for accounts. Roles are assigned indirectly as a result of Composite Role assignment.

Enable HR infotype 105 Link?
    Optional Service Attribute. Check this radio button if you want to allow the adapter to Link SAP accounts to HR Personnel Records using infotype 105 (Communication).

RFC Destination for HR System (CUA only)
    Optional Service Attribute. This option requires a value when you have selected the option above, Enable HR infotype 105 Link?, and your SAP System uses the CUA configuration.

Role Default End Date
    Optional Service Attribute. This is the default Role End Date.

Role Date Max Year
    Optional Service Attribute. This is the maximum year value for the Role start and end date widgets. Default value is 9999.

Span Role Date Years?
    Optional Service Attribute. Check this radio button if you want to Span the Role End Date Year field (that is, display all years from 1990 to the defined Role Date Max Year above).

Target Client
    Required Service Attribute. This is the SAP instance client number.

Login ID
    Required Service Attribute. This is the CPIC SAP User account login ID that the adapter will use to connect to the SAP client.

Language
    Required Service Attribute. This is the SAP login language parameter.

Mode (only NetWeaver AS ABAP supported now)
    Legacy Service attribute. The adapter officially only supports the NetWeaver AS ABAP mode.

SAP System (DNS hostname or IP)
    Required Service Attribute. Hostname of the SAP server host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter.

SAP System Number
    Required Service Attribute. The SAP server system number. Default SAP install has system number 00.

SAP Gateway (DNS hostname or IP)
    Required Service Attribute. Hostname of the SAP gateway host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter. Usually this is the same host that contains the SAP server.

SAP Gateway Service Name
    Required Service Attribute. The SAP gateway service string. Default SAP install has system number sapgw00.

Enable RFC Trace?
    Optional Service Attribute. Set to ON to enable RFC trace files for debug purposes. If you find a problem with the adapter, ensure you reproduce the request with Trace enabled and capture the trace file. The logs are created in the directory where the RFCSDK runtime library is located.

Enable Extended RFC Logon?
    Optional Service Attribute. Check this radio button to enable use of extended RFC logon. Define the extended logon attributes by creating unencrypted registry values.
    Note: This SAP functionality does not currently support AIX in a reliable fashion. Therefore it is recommended that this setting not be used for Agents running on AIX with the SAP RFCSDK 6.40 AIX library.


Figure 2. Configuring the Adapter’s Forms


Chapter 3. Adapter Profile Installation

This chapter has the following sections:

• “Introduction”
• “Requirements”
• “Installing the Adapter Profile”
• “Verifying the Adapter Profile is Installed”

Introduction

Before an adapter can be added as a service to the Tivoli Identity Manager Server,

the server must have a service profile to recognize the adapter as a service. The

Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP comes packaged

with a JAR file which represents the adapter’s profile. This JAR file is then

imported into the Tivoli Identity Manager Server, making SAP NetWeaver AS

ABAP available as an ITIM Server service option.

This chapter describes the procedure to install and configure the Tivoli Identity

Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity

Manager Server. Each step includes a short procedure that completes one aspect of

the overall profile installation process. You must complete the steps in the order

they are listed.

Note: If you are upgrading the adapter software, you must also upgrade the

adapter profile on the Tivoli Identity Manager Server.

Requirements

The following table identifies hardware, software, and authorization requirements

to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile

on the Tivoli Identity Manager Server. Verify that all the requirements have been

met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS

ABAP profile.

Table 3. Requirements before installing an adapter profile

Server
    The Tivoli Identity Manager Server must be installed and running before the adapter’s profile can be installed.

System Administrator Authority
    The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

Installing the Adapter Profile

1. Log in to any host machine that has a supported browser and can connect to

the Tivoli Identity Manager Server Console. You may wish to just log directly

into your Tivoli Identity Manager Server, but the profile can also be installed

remotely if desired.

2. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

package from the IBM Web site and extract the profile JAR file SapProfile.jar.

Place the JAR file into a temporary directory.


Note: Contact your IBM account representative for the Web address and

download instructions for adapter installation files.

3. Start a browser session and log into the Tivoli Identity Manager Console with

an administrator account.

4. Using the Tivoli Identity Manager tabs and menus, browse to Configuration >

Import/Export and select the Import tab.

5. Use the Browse button to locate the temporary directory that contains the JAR

file, SapProfile.jar.

6. Select the correct profile JAR file, then select the Import data into Identity

Manager button (which is directly beneath the browse widget).

7. When the import is complete you will see a message such as:

Uploading file C:\temp\SapAgent\install\profile\SapProfile.jar

Profile installation complete.

8. Although not essential in all instances, it is a good idea to restart the enrole

WebSphere Enterprise Application using the WebSphere Administration

Console (http://ITIM_server:9090/admin) , or by restarting the WebSphere

Application Server itself.

Verifying the Adapter Profile is Installed

To ensure that the adapter profile has been installed correctly:

1. Using the Administrator Console, navigate to the Provisioning main tab.

2. Create a service of type SAP NetWeaver AS ABAP.

Note: If you do not have the correct SAP system details, enter in dummy

values for the SAP CONNECTION DETAILS. You must however have a

running SAP NetWeaver AS ABAP adapter, and correct AGENT

CONNECTION DETAILS.

3. Submit the service for creation.

4. Once the service has been created, create a provisioning policy entitlement for

the new service. You can use an existing Provisioning policy, or create a new

one.


Chapter 4. Adapter Parameters Modification

This chapter describes how to use agentCfg, the provided adapter configuration

program, to view or modify Tivoli Identity Manager Adapter for SAP NetWeaver

AS ABAP parameters. All modifications made to settings with this tool take effect

immediately.

This chapter has the following sections:

• “Accessing the Adapter Configuration Tool Main Menu”
• “Viewing Configuration Settings” on page 20
• “Changing Protocol Configuration Settings” on page 21
• “Setting Event Notification” on page 24
• “Changing the Configuration Key” on page 28
• “Changing Activity Logging Settings” on page 28
• “Changing Registry Settings” on page 30
• “Changing Advanced Settings” on page 32
• “Viewing Statistics” on page 33
• “Changing code page settings” on page 34
• “Accessing Help and Additional Options” on page 34

Accessing the Adapter Configuration Tool Main Menu

The following procedure describes how to access the main menu of the agentCfg

tool for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.

1. Change to the adapter’s bin directory.

At the prompt, type the following, if the Tivoli Identity Manager Adapter for

SAP NetWeaver AS ABAP directory is in the default location:

agentCfg -agent SAPAgent

The following prompt is displayed:

Enter configuration key for Agent ’SAPAgent’:

The default password is ’agent’. This should be changed at the first

opportunity.

You can also use agentCfg to view or change configuration settings from a

remote computer. See the table in “Accessing Help and Additional Options” on

page 34 for procedures on using the -hostname argument.

2. Type the configuration key for the Tivoli Identity Manager Adapter for SAP

NetWeaver AS ABAP.

The default configuration key is agent. See “Changing Protocol Configuration

Settings” on page 21 for procedures to change the configuration key.

The Main Configuration menu appears.


SAPAgent 4.6.xxxx Agent Main Configuration Menu

-------------------------------------------

A. Configuration Settings

B. Protocol Configuration

C. Event Notification

D. Change Configuration Key

E. Activity Logging

F. Registry Settings

G. Advanced Settings

H. Statistics

I. Codepage Support

X. Done

Select menu option:

This chapter includes a section for each of the following main functions:

• For option A, see “Viewing Configuration Settings”
• For option B, see “Changing Protocol Configuration Settings” on page 21
• For option C, see “Setting Event Notification” on page 24
• For option D, see “Changing the Configuration Key” on page 28
• For option E, see “Changing Activity Logging Settings” on page 28
• For option F, see “Changing Registry Settings” on page 30
• For option G, see “Changing Advanced Settings” on page 32
• For option H, see “Viewing Statistics” on page 33
• For option I, see “Changing code page settings” on page 34

Viewing Configuration Settings

The following procedure describes how to view the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP configuration settings.

1. Type option A (Configuration Settings) at the main menu prompt.

The configuration settings for the Tivoli Identity Manager Adapter for SAP

NetWeaver AS ABAP appear. The following is a sample of the Tivoli Identity

Manager Adapter for SAP NetWeaver AS ABAP configuration settings.

Configuration Settings

-------------------------------------------

Name : SAPAgent

Version : 4.6.xxxx

ADK Version : 4.36

ERM Version : 4.36

enRole Version : 4.0

License : NONE

Asynchronous ADD Requests : TRUE (Max.Threads:3)

Asynchronous MOD Requests : TRUE (Max.Threads:3)

Asynchronous DEL Requests : TRUE (Max.Threads:3)

Asynchronous SEA Requests : TRUE (Max.Threads:3)

Available Protocols : DAML, FTP

Configured Protocols : DAML

Logging Enabled : TRUE

Logging Directory : C:\Tivoli\Agents\SAPAgent\Log

Log File Name : SAPAgent.log

Max. log files : 3

Max.log file size (Mbytes) : 1

Debug Logging Enabled : TRUE

Detail Logging Enabled : FALSE

Press any key to continue

2. Press any key to return to the main menu.


Changing Protocol Configuration Settings

The adapter can communicate with the Tivoli Identity Manager Server using

DAML or FTP. By default, agents are configured to use DAML as the

communication protocol. Procedures provided in this section contain instructions

for modifying DAML protocol configuration settings. Configuring the adapter to

use FTP requires additional configuration not provided in this section.

The following procedure describes how to change the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP protocol configuration settings. This section

also describes the purpose of the provided functions.

1. Type B (Protocol Configuration) at the main menu prompt.

The Protocol Configuration menu appears. The configured and available

protocols for your server display above the menu options. The DAML protocol

is configured and available by default for the Tivoli Identity Manager Adapter

for SAP NetWeaver AS ABAP.

Agent Protocol Configuration Menu

-----------------------------------

Available Protocols: DAML, FTP

Configured Protocols: DAML

A. Add Protocol.

B. Remove Protocol.

C. Configure Protocol.

X. Done

Select menu option

2. See the following procedure that corresponds with the option that you want to

select:

• For option A, see “Adding a Protocol”
• For option B, see “Removing a Protocol”
• For option C, see “Configuring a Protocol” on page 22

Type X to return to the main menu.

Adding a Protocol

1. Type A (Add Protocol) at the Protocol Configuration menu prompt.

The Add New Protocol menu appears and displays protocols that are available

on your server. If there are no protocols to add, the Protocol Configuration

menu reappears.

2. Type the menu option letter of the protocol that you want to add.

The Protocol Configuration menu reappears. The protocol that you added

appears as a Configured Protocol. See the procedure for “Configuring a

Protocol” on page 22 to modify the default configuration settings for the

protocol that you added.

Removing a Protocol

1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.

The Remove Protocol menu appears and displays all protocols that have been

added. If there are no protocols to remove, the Protocol Configuration menu

reappears.

2. Type the menu option letter of the protocol that you want to remove.


The Protocol Configuration menu reappears and the protocol that you removed

is no longer listed as a configured protocol. However, the protocol remains as

an available protocol that can be added again.

Configuring a Protocol

1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.

The Configure Protocol menu appears.

2. Type the menu option letter of the protocol that you want to configure.

The Protocol Properties menu for the configured protocol appears with protocol

properties.

Note: The properties on your menu may be different from the ones shown.

The following is an example of the DAML protocol properties:

DAML Protocol Properties

--------------------------------------------------------------------

A. USERNAME ****** ;Authorized user name.

B. PASSWORD ****** ;Authorized user password.

C. MAX_CONNECTIONS 100 ;Max Connections.

D. PORTNUMBER 45580 ;Protocol Server port number.

E. USE_SSL FALSE ;Use SSL secure connection

F. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.

G. SRV_PORTNUMBER 443 ;Event Notif. Server port number.

H. HOSTADDR ANY ;Listen on address ( or "ANY" )

I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.

J. REQUIRE_CERT_REG FALSE ;Require registered certificate.

X. Done

Select menu option:

3. Type the menu option letter of the protocol property that you want to

configure.

See the table below for additional information about the menu options for the

DAML protocol.

Table 4. Menu options for the DAML protocol

Type this Option    To Accomplish this

A (USERNAME)
    The following prompt appears:
    Modify Property ’USERNAME’:
    Type a username, for example, admin
    This is the username the Tivoli Identity Manager Server uses to connect to the adapter.

B (PASSWORD)
    The following prompt appears:
    Modify Property ’PASSWORD’:
    Type a password for the username the Tivoli Identity Manager Server uses to connect to the adapter.

C (MAX_CONNECTIONS)
    The following prompt appears:
    Modify Property ’MAX_CONNECTIONS’:
    Type a different number of allowed connections to the Agent.

D (PORTNUMBER)
    The following prompt appears:
    Modify Property ’PORTNUMBER’:
    Type a different port number, for example, 7004. This is the port number the Tivoli Identity Manager Server uses to connect to the adapter.

E (USE_SSL)
    The following prompt appears:
    Modify Property ’USE_SSL’:
    Type TRUE to require the Tivoli Identity Manager Server to use HTTPS.
    Type FALSE to allow the Tivoli Identity Manager Server to use HTTP.
    Note: You must install a certificate using the CertTool utility if you set this option to TRUE. You must also make sure the CA that created the certificate is registered with the Tivoli Identity Manager Server Web Application Server.

F (SRV_NODENAME)
    The following prompt appears:
    Modify Property ’SRV_NODENAME’:
    Type a server name, for example, 192.168.6.152
    This is the DNS name or IP address of the Tivoli Identity Manager Server.

G (SRV_PORTNUMBER)
    The following prompt appears:
    Modify Property ’SRV_PORTNUMBER’:
    Type a different port number to access the Tivoli Identity Manager Server, for example, 7004
    This is the port number the adapter uses to connect to the Tivoli Identity Manager Server.

H (SRV_USERNAME)
    The following prompt appears:
    Modify Property ’SRV_USERNAME’:
    Type a different username, for example, admin
    This is the username the adapter uses to connect to the Tivoli Identity Manager Server.

I (VALIDATE_CLIENT_CE)
    The following prompt appears:
    Modify Property ’VALIDATE_CLIENT_CE’:
    Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the adapter.
    Type FALSE to allow the Tivoli Identity Manager Server to communicate with the adapter without a certificate.
    Note: You must configure options D through H of the CertTool if you set this option to TRUE.

J (REQUIRE_CERT_REG)
    The following prompt appears:
    Modify Property ’REQUIRE_CERT_REG’:
    Type TRUE to require the use of a registered certificate.
    Type FALSE to allow use of a non-registered certificate.
    Note: You must configure options D through H of the CertTool if you set this option to TRUE.

4. Change the value and press Enter.

The Protocol Properties menu reappears and displays your new settings.

Note: Press Enter to return to the Protocol Properties menu without modifying

the selected value.

Setting Event Notification

The following procedure describes how to set Event Notification for the Tivoli

Identity Manager Server. Event Notification updates the Tivoli Identity Manager

Server with changes to the Tivoli Identity Manager Server at set intervals.

Note: The example menu shows all the options displayed when Event Notification

is enabled. If Event Notification is disabled, not all of the options are

displayed.

1. Type C (Event Notification) at the main menu prompt.

The Event Notification Menu appears.

Event Notification Menu

--------------------------------------------------------------

* Reconciliation interval : 1 day(s)

* Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).

* Configured Contexts : Jupiter, dd309

A. Enabled

B. Time interval between reconciliations.

C. Set Processing cache size. (currently: 50 Mbytes)

D. Start event notification now.

E. Set attributes to be reconciled.

F. Reconciliation process priority. (current: 1)

G. Add Event Notification Context.

H. Modify Event Notification Context.

I. Remove Event Notification Context.

J. List Event Notification Contexts.

X. Done

Select menu option:

2. Type the menu option letter of the Event Notification option that you want to

change.

Note: Option A must be enabled in order for the values of the other options to take effect.


Table 5. Event notification options

Type this Option    To Accomplish this

A
    If this option is enabled, the adapter updates the Tivoli Identity Manager Server with changes to the adapter at regular intervals.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

B (Time interval between reconciliations)
    The following prompt appears:
    Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:
    Type a different reconciliation interval.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

C (Set processing cache size)
    The following prompt appears:
    Enter new cache size[5]:
    Type a different value to change the processing cache size.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Start event notification now)
    If this option is selected, event notification is started.

E (Set attributes to be reconciled)
    The Event Notification Entry Types menu appears. See “Setting Attributes to be Reconciled” on page 26 for more information.

F (Reconciliation process priority)
    The following prompt appears:
    Enter new thread priority [1-10]:
    Type a different thread value to change reconciliation process priority.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

G (Add Event Notification Context)
    The following prompt appears:
    Context name :
    Type the new context name and press Enter. The new context is added.

H (Modify Event Notification Context)
    A menu listing the available contexts appears. See “Modifying an Event Notification Context” on page 27 for more information.

I (Remove Event Notification Context)
    The Remove Context menu appears. Select the context to remove and the following prompt appears:
    Delete context context1? [no]:
    Press Enter to exit without deleting the context or type Yes and press Enter to delete the context.

J (List Event Notification Contexts)
    The Event Notification Contexts are displayed in the following format:
    Context Name : Context1
    Target DN : erservicename=context1,o=IBM,ou=IBM,dc=com
    --- Attributes for search request ---
    {search attributes listed}
    -----------------------------------------------

3. Press Enter if you changed the value for option B, C, E or F.

The Event Notification menu reappears and displays your new settings.

Note: The other options are changed automatically when you type the

corresponding menu option letter.

Setting Attributes to be Reconciled

Setting attributes to be reconciled consists of selecting attributes that will trigger

event notifications when their values change. Attributes that change frequently

(password age or last successful logon, for example) can be omitted.

1. Type E (Set attributes to be reconciled) at the Event Notification Menu.

The Event Notification Entry Types menu appears.

Event Notification Entry Types

-------------------------------------------

A. USER

B. GROUP

X. Done

Select menu option:

2. Type A for attributes returned during a user reconciliation or type B for

attributes returned during a group reconciliation.

The Event Notification Attribute Listing for the selected reconciliation type

appears.

Note: The default setting lists all attributes the adapter supports.

Event Notification Attribute Listing

-------------------------------------

(a) ** (b) ** (c) **

(d) ** (e) ** (f) **

(g) ** (h) ** (i) **

(j) ** (k) ** (l) **

(m) ** (o) ** (q) **

(r) ** (s) ** (t) **

(p)rev page 1 of 3 (n)ext

-----------------------------

X. Done

Select menu option:

3. Type the letter option of the attribute to exclude from an event notification.

Attributes that are marked with the asterisks are returned during the event

notification. Attributes that are not marked with asterisks are not returned

during the event notification.


Modifying an Event Notification Context

1. Type H (Modify Event Notification Context) at the Event Notification menu.

The Modify Context Menu appears.

Modify Context Menu

------------------------------

A. Context1

B. Context2

C. Context3

X. Done

Select menu option:

2. Select the desired context.

The Modify Context menu for the selected context appears.

A. Set attributes for search

B. Target DN:

C. Delete Baseline Database

X. Done

Select menu option:

See “Adding Search Attributes for Event Notification” for option A.

See “Configuring the Target DN for Event Notification Contexts” for option B.

See “Removing the Baseline Database for Event Notification Contexts” on page

28 for option C.

Adding Search Attributes for Event Notification

1. Type A (Set attributes for search) at the desired context’s Modify Context menu.

The Reconciliation Attribute Passed to Agent menu appears.

Reconciliation Attributes Passed to Agent for Context: Context1

----------------------------------------------------

----------------------------------------------------

A. Add new attribute

B. Modify attribute value

C. Remove attribute

X. Done

Select menu option:

2. Select the desired option and complete the requested information at the

prompts.

The Reconciliation Attributes Passed to Agent menu reappears with the

changes displayed.

Configuring the Target DN for Event Notification Contexts

1. Type B (Target DN) at the desired context’s Modify Context menu.

The following prompt appears:

Enter Target DN:

2. Type the target DN for the context and press Enter.

The target DN for the event notification context must be in the following

format:

erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com

Each element of the DN is defined as follows:

erservicename

Name of the target service used by the product name.

o Name of the organization in the product name.


ou Name of the tenant in which the organization is located. If the product

name is an enterprise installation, this is the name of the organization.

dc=com

Root of the directory tree.

The selected context’s Modify Context menu reappears with the new target DN

listed.

Removing the Baseline Database for Event Notification Contexts

This option is only available after a context is created and a reconciliation is run on

the context to create a Baseline Database file.

Type C (Delete Baseline Database) at the desired context’s Modify Context menu.

The selected context’s Modify Context menu reappears with the Delete Baseline

Database option removed.

Changing the Configuration Key

The following procedure describes how to change the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP configuration key. You use this key as a

password to access the configuration tool from the selected adapter.

1. Type D (Change Configuration Key) at the main menu prompt.

2. Change the value and press Enter.

Enter new configuration key for Agent ’SAPAgent 4.6.xxxx’:

Press Enter to return to the Main Configuration menu without changing the

configuration key. The default configuration key is agent.

Note: Enter a configuration key that you can easily remember.

A message appears:

Configuration key successfully changed.

The configuration program exits and the main prompt reappears.

Changing Activity Logging Settings

The following procedure describes how to change the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP activity logging settings. When you enable

logging, Tivoli Identity Manager maintains a log file of all transactions in a dated

archive log file, SAPAgent.log.

1. Type E (Activity Logging) at the main menu prompt.

The Agent Activity Logging menu appears. The following sample shows the

default activity logging settings.


Agent Activity Logging Menu

-------------------------------------

A. Activity Logging (Enabled).

B. Logging Directory (current: C:\Tivoli\Agents\SAPAgent\Log).

C. Activity Log File Name (current: SAPAgent.log).

D. Activity Logging Max. File Size ( 1 mbytes)

E. Activity Logging Max. Files ( 3 )

F. Debug Logging (Enabled).

G. Detail Logging (Disabled).

H. Base Logging (Disabled).

I. Thread Logging (Disabled).

X. Done

Select menu option:

2. Type the menu option letter of the activity logging option that you want to

change.

Note: Option A (Activity Logging) must be enabled in order for the values of

the other options to take effect.

Table 6. Event notification options

Type this Option    To Accomplish this

A (Activity Logging)
    Set this option to enabled and Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

B (Logging Directory)
    Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is located in this directory.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

C (Activity Log File Name)
    Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Activity Logging Max File Size)
    Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. Activity log file size can exceed disk capacity.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

E (Activity Logging Max Files)
    Type a new value up to 100, for example, 5. The agent automatically deletes the oldest activity logs beyond the specified limit.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

F (Debug Logging)
    If this option is set to enabled, the agent includes the debug statements in the log file of all transactions.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

G (Detail Logging)
    If this option is set to enabled, the agent maintains a detailed log file of all transactions.
    Note: The detail logging option should be used for diagnostic purposes only. When the detail logging option is on, the application’s performance can be adversely affected.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

H (Base Logging)
    If this option is set to enabled, the agent maintains a log file of all transactions in the ADK and library files.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

I (Thread Logging)
    If this option is set to enabled, the agent maintains a log file with entries that specify the thread that caused the log.
    When the option is set to:
    • disabled, pressing the I key changes the value to enabled.
    • enabled, pressing the I key changes the value to disabled.

3. Press Enter if you changed the value for option B, C, D, or E.

The Agent Activity Logging menu reappears and displays your new settings.

Note: The other options are changed automatically when you type the

corresponding menu option letter.

Changing Registry Settings

The following procedure describes how to change the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP registry settings.

1. Type F (Registry Settings) at the main menu prompt.

The Registry menu appears.

SAPAgent 4.6.xxxx Agent Registry Menu

-------------------------------------------

A. Modify Non-encrypted registry settings.

B. Modify encrypted registry settings.

C. Multi-instance settings.

X. Done

Select menu option:

2. See the following procedures on modifying registry settings.

Note: There are no encrypted registry settings for this adapter.


Modifying Non-encrypted Registry Settings

1. Type A (Modifying Non-encrypted Registry Settings) at the Registry menu

prompt.

The Non-encrypted Registry settings menu appears.

Agent Registry Items

---------------------------

01. ENROLE_Version ’4.0’

02. ExecTimeout ’6000’

03. ManageHomeDirs ’TRUE’

04. ReconBufferSize ’-1’

05. ReconHomeDirSecurity ’FALSE’

06. ReconLastLogon ’FALSE’

07. ReconLastLogonAllowErrors ’FALSE’

08. WtsEnable ’FALSE’

--------------------------------

Page 1 of 1

A. Add new attribute

B. Modify attribute value

C. Remove attribute

X. Done

Select menu option:

2. Type one of the following options:
• A) Add new attribute
• B) Modify attribute value
• C) Remove attribute
• X) Done

3. Type the registry item name, and press Enter.

4. Type the registry item value, if you selected option A or B, and press Enter.

The non-encrypted registry settings menu reappears and displays your new

setting(s).

Modifying Encrypted Registry Settings

To access registry settings, do the following:

1. Type B (Modifying Encrypted Registry Settings) at the Registry menu prompt.

The Encrypted Registry settings menu appears.

Encrypted Registry Items

-------------------------------------------

01. PASSWORD ’*****’

Page 1 of 1

A. Add new attribute

B. Modify attribute value.

C. Remove attribute.

X. Done

Select menu option:

2. Type one of the following options:
• A) Add new attribute
• B) Modify attribute value
• C) Remove attribute
• X) Done

3. Type the registry item name, and press Enter.


4. Type the registry item value, if you selected option A or B, and press Enter.

The encrypted registry settings menu reappears and displays your new

settings.

Multi-instance Settings

This option allows you to configure multi-instance settings.

Note: This option is only valid if the agent can support multi-instances.

1. Type C (Multi-instance Settings) at the Registry Menu prompt.

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance

Class Menu appears.

SAPAgent 4.6.xxxx Agent Instance Class Menu

-------------------------------------------------------

-------------------------------------------------------

A. Select instance class.

X. Done.

2. Type one of the available options.

3. Type the requested information and press Enter.

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance

Class Menu reappears and displays your new settings.

Changing Advanced Settings

The following procedure describes how to change the Tivoli Identity Manager

Adapter for SAP NetWeaver AS ABAP thread count settings for the following

types of requests:

• System Login Add
• System Login Change
• System Login Delete
• Reconciliation

These settings determine the maximum number of requests that the Tivoli Identity

Manager Adapter for SAP NetWeaver AS ABAP processes concurrently.

1. Type G (Advanced Settings) at the main menu prompt.

The Advanced Settings menu appears. The following sample shows the default

thread count settings.

SAPAgent 4.6.xxxx Advanced Settings Menu

-------------------------------------------

A. Single Thread Agent (current:TRUE)

B. ADD max. thread count. (current:3)

C. MODIFY max. thread count. (current:3)

D. DELETE max. thread count. (current:3)

E. SEARCH max. thread count. (current:3)

F. Allow User EXEC procedures (current:FALSE)

G. Archive Request Packets (current:FALSE)

H. UTF8 Conversion support (current:TRUE)

I. Pass search filter to agent (current:FALSE)

J. Thread Priority Level (1-10) (current:4)

X. Done

Select menu option:

2. Type the menu option letter of the advanced setting that you want to change.


Note: The UTF8 Conversion support setting must be set to FALSE to support

Western European character sets.

Table 7. Menu options for the DAML protocol

Type this Option    To Accomplish this

A (Single Thread Agent)
    Forces the adapter to allow only one request at a time.

B (ADD max. thread count)
    Controls how many simultaneous ADD requests can run at one time.

C (MODIFY max. thread count)
    Controls how many simultaneous MODIFY requests can run at one time.

D (DELETE max. thread count)
    Controls how many simultaneous DELETE requests can run at one time.

E (SEARCH max. thread count)
    Controls how many simultaneous SEARCH requests can run at one time.

F (Allow User EXEC procedures)
    Determines whether the adapter allows pre- and post-exec functions. Enabling this option is a potential security risk. This option is disabled by default.

G (Archive Request Packets)
    Instructs the adapter to retain copies of the request packets in an archive. This option is specific to the FTP protocol and is used primarily for debugging purposes. By default, request packets are deleted once they have been read unless this option is enabled.

H (UTF8 Conversion support)
    This option is no longer used.

I (Pass search filter to agent)
    Provides filtering functionality for search requests by issuing a full search to the agent and then filtering the objects as they are pipelined back to the server. Currently, this adapter does not support processing filters directly. This option should always be FALSE.

J (Thread Priority Level (1-10))
    Sets the thread priority level for the agent.

3. Change the value and press Enter.

The Advanced Settings menu reappears and displays your new settings.
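The security-relevant rows of Table 7 can be checked mechanically. The following Python code is an added example, not part of the IBM guide or the adapter: it parses Advanced Settings menu text in the "(current:...)" format shown above and flags options F, G, I and J against the guidance in the table. The sample menu text, the function names and the severity labels are assumptions made for illustration.

```python
import re

# Constructed sample of the agentCfg Advanced Settings menu. Lines I and J use
# the format shown in this guide; the layout of lines A-H is assumed to match.
SAMPLE_MENU = """\
A. Single Thread Agent (current:FALSE)
B. ADD max. thread count (current:3)
C. MODIFY max. thread count (current:3)
D. DELETE max. thread count (current:3)
E. SEARCH max. thread count (current:3)
F. Allow User EXEC procedures (current:TRUE)
G. Archive Request Packets (current:TRUE)
H. UTF8 Conversion support (current:FALSE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
"""

# "<letter>. <label> (current:<value>)"; the label itself may contain
# parentheses, as in "Thread Priority Level (1-10)".
_LINE = re.compile(r"^\s*([A-Z])\.\s+(.*?)\s*\(current:\s*([^)]*?)\s*\)\s*$")


def parse_menu(text):
    """Return {option_letter: (label, current_value)} for lines that carry a value."""
    settings = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = (match.group(2), match.group(3))
    return settings


def audit(settings):
    """Return (letter, severity, message) findings based on Table 7.

    The severity labels are this example's own, not IBM's.
    """
    findings = []

    def is_true(letter):
        return settings.get(letter, ("", ""))[1].upper() == "TRUE"

    if is_true("F"):
        findings.append(("F", "high",
                         "Allow User EXEC procedures is enabled; the guide calls "
                         "this a potential security risk and disables it by default."))
    if is_true("G"):
        findings.append(("G", "medium",
                         "Archive Request Packets is enabled; request packets are "
                         "kept in an archive instead of being deleted after reading."))
    if is_true("I"):
        findings.append(("I", "medium",
                         "Pass search filter to agent is TRUE; the guide says this "
                         "option should always be FALSE."))
    if "J" in settings:
        raw = settings["J"][1]
        if not raw.isdigit() or not 1 <= int(raw) <= 10:
            findings.append(("J", "low",
                             "Thread Priority Level %r is outside the 1-10 range." % raw))
    # A security-relevant option missing from the captured text needs a manual look.
    for letter in ("F", "G", "I"):
        if letter not in settings:
            findings.append((letter, "info",
                             "Option %s not found in the menu text; check it manually." % letter))
    return findings


if __name__ == "__main__":
    for letter, severity, message in audit(parse_menu(SAMPLE_MENU)):
        print("[%s] %s: %s" % (severity, letter, message))
```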

Viewing Statistics

The following procedure describes how to view an event log for the Tivoli

Identity Manager Adapter for SAP NetWeaver AS ABAP.

1. Type H (Statistics) at the main menu prompt.

The activity history for the adapter is displayed.

SAPAgent 4.6.xxxx Agent Request Statistics

--------------------------------------------------------------------

Date Add Mod Del Ssp Res Rec

-----------------------------------------------------------------

11/15/02 000001 000000 000000 000000 000000 000001

-----------------------------------------------------------------

X. Done

2. Type X to return to the Main Configuration Menu.

Changing code page settings

In order to list the supported code page information for the RACF Adapter, the

adapter must be running. Run the following command to view the code page

information:

agentCfg -agent [adapter_name] -codepages

In order to change the code page settings for the RACF Adapter, complete the

following steps:

1. At the Main Menu prompt, type I.

The code page support menu for the adapter is displayed.

SAPAgent 4.6 Codepage Support Menu

-------------------------------------------

* Configured codepage: US-ASCII

-------------------------------------------

*

*******************************************

* Restart Agent After Configuring Codepages

*******************************************

A. Codepage Configure.

X. Done

Select menu option:

2. Type A to configure a code page.

Note: The SAPAgent uses Unicode; therefore, this option is not applicable.

3. Type X to return to the Main Configuration Menu.

Accessing Help and Additional Options

The following describes how to access the agentCfg help menu and use the help

arguments.

1. Return to the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

bin directory by completing one of the following:

• Type X from the Main Configuration menu prompt.

• Complete procedures 1 and 2 of “Accessing the Adapter Configuration Tool Main Menu” on page 19.

2. Type agentCfg -help at the prompt to view the help menu.

The following list of possible commands appears:

-version ;Show version

-hostname < value> ;Target nodename to connect to (Default:127.0.0.1)

-findall ;Find all agents on target node

-list ;List available agents on target node

-agent <value> ;Name of agent

-tail ;Display agent’s activity log

-portnumber <value> ;Specified agent’s TCP/IP port number

-netsearch <value> ;Lookup agents hosted on specified subnet

-confidencetest ;Confidence test

-setup ;Confidence test setup

-codepages ;Display list of available codepages

-help ;Display this help screen

The following table describes the purpose of the provided arguments.

Table 8. Command argument purposes

| Argument | Purpose |
|---|---|
| -version | Use this argument to display the agentCfg version. |
| -hostname <value> | Use the -hostname argument with any of the following commands to specify a different host: -findall, -list, -tail, -agent. Enter a hostname or IP address as the value. |
| -findall | Use this argument to search and display all possible port addresses for all agents. Must be used with the -list argument. Add the -hostname argument to search a remote host. |
| -list | Use this argument to search and display agents found at default ports. By default, the argument searches the local host of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Use the -hostname argument to search a different host. |
| -agent <value> | Use this argument to specify the agent that you want to configure. Enter an agent name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument. |
| -tail | Use this argument with the -agent argument to display an agent’s activity log. Add the -hostname argument to display the log file for an agent on a different host. |
| -portnumber <value> | Use this argument with the -agent argument to specify an agent’s TCP/IP port number. |
| -netsearch <value> | Use this argument with the -agent argument to display all agents installed on the system. |
| -confidencetest | Use this argument to run a test to add, modify, search and delete a request to the agent. This allows you to verify the agent connection to the managed resource without the Tivoli Identity Manager Server. |
| -setup | Use this argument to configure the confidence test. |
| -codepages | Display the codepages configured for the Agent. |
| -help | Display the help menu for agentCfg. |

3. Type agentCfg and one or more of the supported arguments at the prompt.

You must type agentCfg before every argument to run the agent configuration

tool.

Table 9. Arguments

Argument syntax: -argument

For example, type agentCfg -list

This example lists all agents on the local host IP address. Note that the default node for the Tivoli Identity Manager Server is 44970.

Agent(s) installed on node ’127.0.0.1’
-----------------------
SAPAgent (44970)

Argument syntax: -argument <value>

For example, type agentCfg -agent SAPAgent

This example displays the main menu of the agentCfg tool which is used to view or modify the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.

Argument syntax: -argument <value> -argument, or -argument -argument <value>

For example, type agentCfg -list -hostname 192.9.200.7

This example lists agents on a host whose IP address is 192.9.200.7. Note that the default node for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP is 44970.

Agent(s) installed on node ’192.9.200.7’
------------------
SAPAgent (44970)

Argument syntax: -argument <value> -argument <value>

For example, type agentCfg -agent SAPAgent -hostname 192.9.200.7

This example displays the main menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the menu options to view or modify the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.

Chapter 5. Certificate Installation

This chapter has the following sections:

• “Introduction”

• “Overview of SSL and Digital Certificates”

• “Accessing the Certificate Configuration Tool Main Menu”

• “Generating a Private Key and Certificate Request”

• “Installing the Certificate from a File”

• “Installing the Certificate and Key from a PKCS12 File”

• “Viewing Installed Certificates”

• “Viewing CA Certificates”

• “Installing a CA Certificate”

• “Deleting a CA Certificate”

• “Viewing Registered Certificates”

• “Registering a Certificate”

• “Unregistering a Certificate”

• “Exporting a certificate and key to PKCS12 file”

Introduction

This chapter describes how to use the provided certificate management tool

(CertTool) to install and configure digital certificates for a Tivoli Identity Manager

Adapter. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses

digital certificates for authentication, is used for secure communication between the

Tivoli Identity Manager Server and an Adapter.

For a production environment, you must obtain and use a signed production

certificate from a well-known Certificate Authority, or from your own Certificate

Authority, to ensure secure communications. The adapter does not come

prepackaged with a certificate.

This chapter provides information for managing digital certificates on the Tivoli Identity Manager Adapter only. Please refer to the “Managing Digital Certificates” chapter in the IBM Tivoli Identity Manager System Configuration Guide for information about configuring the Tivoli Identity Manager Server for SSL.

Note: If you install, modify, or delete a certificate, you must stop and restart the adapter before the changes take effect.

Overview of SSL and Digital Certificates

A Tivoli Identity Manager deployment must consider the security of

communication between all configured components. The industry-standard Secure

Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is

used for secure communication in a Tivoli Identity Manager deployment.

SSL provides secure connections by allowing two applications connecting over a

network connection to authenticate each other’s identity. Additionally, SSL provides

encryption of the data exchanged between the applications. Authentication allows

a server (one-way) to verify the identity of the application on the other end of a

network connection. Encryption makes data transmitted over the network

intelligible only to the intended recipient.

Features of SSL include the following concepts:

• SSL provides a mechanism for one application to authenticate itself to another application.

• One-way SSL allows one application to be certain of the identity of the other application.

• The application that assumes the “server” role possesses and uses a server-side certificate to prove its identity to the client application.

• The application that is presented with a certificate must have in its possession the root certificate (or certificate chain) of the Certificate Authority (CA) that signed the certificate being presented. The root CA certificate, or chain, validates the certificate being presented.

• In client connections, the client browser alerts the user when presented with a certificate that is not issued by a recognized Certificate Authority.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no

longer supports two-way authentication.

Basic Configuration for Server-to-Adapter SSL

The following information pertains to a Tivoli Identity Manager deployment on

either the WebSphere or the WebLogic application server. In this scenario, the

Tivoli Identity Manager Server initiates communication with the adapter

(server-to-adapter) to complete a transaction originating from the browser.

Deployment summary:

• The Tivoli Identity Manager Server and the adapter use one-way authentication over SSL.

• RSA SSL-C or OpenSSL is used.

The Tivoli Identity Manager Adapter must have a valid signed certificate; the

Tivoli Identity Manager Server must have the corresponding CA certificate.

Note: In the diagram below, “ITIM Server” refers to the IBM Tivoli Identity

Manager Server.

Clustered Tivoli Identity Manager Configuration

In a clustered configuration, the Tivoli Identity Manager System uses one Web

Server to manage and load balance multiple Tivoli Identity Manager Servers. Each

Tivoli Identity Manager Server must have a valid CA certificate. All agents must

have associated CA and signed certificates.

Accessing the Certificate Configuration Tool Main Menu

The following procedure describes how to access the main menu of the CertTool

utility for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP certificate

parameters.

1. Select Programs from the Start menu, select Accessories, and then select

Command Prompt.

The Microsoft Windows DOS Command Prompt window appears.

2. Change to the adapter’s bin directory.

If the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directory

is in the default location, type cd \Tivoli\Agents\SAPAgent\bin.

3. Type CertTool -agent SAPAgent at the prompt.

The Main Configuration menu appears:

[Figure 3. Configuration for Server-to-Adapter SSL. Diagram labels: ITIM Application Server (WebSphere or WebLogic), ITIM Server, CACert A, One-way SSL, Agent, Cert A, Resource.]

Main menu - Configuring agent: SAPAgent

------------------------------

A. Generate private key and certificate request

B. Install certificate from file

C. Install certificate and key from PKCS12 file

D. View current installed certificate

E. List CA certificates

F. Install a CA certificate

G. Delete a CA certificate

H. List registered certificates

I. Register certificate

J. Unregister a certificate

K. Export certificate and key to PKCS12 file

X. Quit

Choice:

Obtaining and installing a signed certificate:

The first set of options allows you to generate a Certificate Signing Request

(CSR) and install the returned signed certificate for the adapter itself. The

options here are:

A Generate a Certificate Signing Request (CSR) that is sent to the

Certificate Authority (CA), and the associated private key.

B Install a certificate from a file. This file must be the signed certificate

returned by the CA in response to the CSR generated by option A.

C Install a certificate from a PKCS12 format file that includes both the

public certificate and a private key. If options A and B are not used to

obtain a certificate, the certificate used must be in PKCS12 format.

D View all certificates installed on the system.

Additional configuration for two-way SSL:

The remaining options only apply if client validation (two-way authentication)

is required and enabled.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no

longer supports two-way authentication.

The second set of options allows installing root CA certificates. The CA

certificates are used by the Tivoli Identity Manager Adapter to validate the

associated certificates presented by the Tivoli Identity Manager Servers.

E Show the installed CA certificates. The adapter only communicates with

Tivoli Identity Manager Servers whose certificates are validated by one

of the installed CA certificates.

F Install a new CA certificate so that certificates generated by this CA can

be validated. The CA certificate file can be either in X.509, binary, or

PEM encoded formats.

G Remove one of the installed CA certificates.

Registering a signed certificate for two-way SSL:

The remaining options only apply if client validation (two-way authentication)

is required and enabled.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no

longer supports two-way authentication.

The third set of options allows the adapter to register the Tivoli Identity

Manager Server signed certificate. The Tivoli Identity Manager Server’s signed

certificate is then validated by the adapter when two-way SSL communication

is established. If the Tivoli Identity Manager Server’s signed certificate is

validated by one of the Adapter’s CA certificates but not registered with the

Adapter, the Adapter will refuse to communicate with the Tivoli Identity

Manager Server.

H List all registered certificates that will be accepted for communications.

I Register a new certificate. The certificate to be registered should be in

Base 64 encoded X.509 format.

J Unregister (remove) a certificate from the registered list.

K Export certificate and key to PKCS12 file.

This chapter includes a section for each of the following main functions:

• For option A, see “Generating a Private Key and Certificate Request.”

• For option B, see “Installing the Certificate from a File” on page 42.

• For option C, see “Installing the Certificate and Key from a PKCS12 File” on page 43.

• For option D, see “Viewing Installed Certificates” on page 43.

• For option E, see “Viewing CA Certificates” on page 43.

• For option F, see “Installing a CA Certificate” on page 44.

• For option G, see “Deleting a CA Certificate” on page 44.

• For option H, see “Viewing Registered Certificates” on page 44.

• For option I, see “Registering a Certificate” on page 44.

• For option J, see “Unregistering a Certificate” on page 45.

• For option K, see “Exporting a certificate and key to PKCS12 file” on page 45.

Type X to return to the main menu.

Generating a Private Key and Certificate Request

The following procedure describes how to generate a private key and certificate request for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.

1. Type option A (Generate a private key and certificate request) at the main

menu prompt.

Enter values for certificate request (press enter to skip value)

-------------------------------------------------------------------------

2. Type your organization name and press Enter.

Organization:

3. Type the desired organizational unit and press Enter.

Organizational Unit:

4. Type the name of the adapter you are requesting a certificate for and press

Enter.

Agent Name:

5. Type the contact email address and press Enter.

Email:

6. Type the country in which the adapter resides and press Enter.

Country:

7. Type the state in which the adapter resides (if the adapter is located in the

United States) and press Enter.

State:

Note: Some certificate authorities do not accept two letter abbreviations for

states.

8. Type the name of the city in which the adapter resides and press Enter.

Locality:

9. Type Y to accept the values displayed or type N to re-enter the values and

press Enter.

Accept these values (y/n)?

The key pair and certificate request are generated once the values are

accepted.

10. Type the name of the file to store the PEM certificate request and press Enter.

Enter name of file to store PEM cert request (Enter to cancel):

11. Press Enter.

The main menu reappears.

You must now request a certificate from a trusted certificate authority.

Example of Certificate Request Script

The following is an example of a certificate request:

Enter values for certificate request (press enter to skip value)

-----------------------------------------------------------------

Organization: ibm

Organizational Unit: engineering

Agent Name: ntagent

Email: [email protected]

Country: US

State: California

Locality: Irvine

Accept these values (y/n)? y

Generating key pair and certificate request ...

Enter name of file to store PEM cert request (Enter to cancel) : request.pem

Certificate request written to request.pem. Press Enter to continue.

Example of request.pem File

Installing the Certificate from a File

The following procedure describes how to install a certificate in the adapter

registry. This is the certificate you receive from your trusted certificate authority

after submitting your certificate request.

Note: If you received the certificate as part of an e-mail message, copy the text of

the certificate to a text file and copy the certificate file (the text file you just

created) to the adapter’s bin directory.

1. Type B (Install certificate from file) at the main menu prompt.

A prompt appears:

Enter name of certificate file:

2. Type the name of the certificate file and press Enter.

The certificate is installed in the adapter registry and the main menu reappears.

Installing the Certificate and Key from a PKCS12 File

The following procedure describes how to install the certificate and the private key

in the adapter registry from a PKCS12 (.pfx) file. This format includes both the

certificate and private key in a password protected file.

Note: Be sure to copy the certificate file to the adapter’s bin directory. For

example, C:\Tivoli\Agents\<agentname>\bin

1. Type C (Install certificate and key from PKCS12 file) at the main menu prompt.

2. Type the name of the PKCS12 file that has the certificate and private key

information and press Enter.

Enter name of PKCS12 file:

For example, DamlSrvr.pfx

3. Type the password to access the file and press Enter.

Enter password:

The certificate and private key are installed in the adapter registry.

Viewing Installed Certificates

You can list all of the certificates installed on your system using option D (View

currently installed certificates).

Type D (View currently installed certificates) at the main menu prompt.

The installed certificates are listed and the main menu reappears. The following is

an example of an installed certificate:

The following certificate is currently installed.

Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Viewing CA Certificates

The following procedure describes how to list all CA certificates installed on the

adapter.

Type E (List CA certificates) at the main menu prompt.

The installed CA certificates are listed and the main menu reappears. The

following is an example only.

Subject: o=IBM,ou=SampleCACert,cn=TestCA

Valid To: Wed Jul 26 23:59:59 2006
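The "Valid To" field in this listing can be monitored so that an expired or soon-to-expire CA certificate is noticed before SSL validation starts failing. The following Python code is an added example, not part of the IBM guide or CertTool: it parses text in the Subject / Valid To format shown above and classifies each entry against a reference time. The second sample entry, the 30-day warning window and the treatment of the timestamps as UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the first entry is the listing shown in this guide, the
# second entry and its date are made up for illustration.
SAMPLE_LISTING = """\
Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006
Subject: o=Example Corp,ou=PKI,cn=Example Root CA
Valid To: Fri Jan  1 00:00:00 2027
"""

# Layout of the "Valid To" value as it appears in the listing.
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_listing(text):
    """Return a list of {"subject": str, "valid_to": datetime or None}."""
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "subject":
            current = {"subject": value, "valid_to": None}
            entries.append(current)
        elif key == "valid to" and current is not None:
            # Assumption: the tool prints no time zone, so the value is read as UTC.
            parsed = datetime.strptime(value, DATE_FORMAT)
            current["valid_to"] = parsed.replace(tzinfo=timezone.utc)
    return entries


def classify(entries, now, warn_days=30):
    """Return (subject, status) pairs; status is expired, expiring, ok or unknown."""
    report = []
    for entry in entries:
        valid_to = entry["valid_to"]
        if valid_to is None:
            status = "unknown"      # Subject line without a Valid To line
        elif valid_to < now:
            status = "expired"
        elif valid_to - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((entry["subject"], status))
    return report


if __name__ == "__main__":
    for subject, status in classify(parse_listing(SAMPLE_LISTING),
                                    datetime.now(timezone.utc)):
        print("%-9s %s" % (status, subject))
```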

Installing a CA Certificate

The following procedure describes how to install a CA certificate.

1. Type F (Install a CA certificate) at the main menu prompt.

A prompt appears:

Enter name of certificate file:

2. Type the name of the certificate file and press Enter.

The certificate file is opened and a prompt appears:

[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

Install the CA? (Y/N)

3. Type Y to install the certificate and press Enter.

The CA certificate file is installed in the CACerts.pem file.

Deleting a CA Certificate

The following procedure describes how to delete a CA certificate from the adapter

directories.

1. Type G (Delete a CA certificate) at the main menu prompt.

A list of all CA certificates installed on the adapter is displayed.

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Enter number of CA certificate to remove:

2. Type the number of the CA certificate you want to remove and press Enter.

The CA certificate is deleted from the CACerts.pem file and the main menu

reappears.

Viewing Registered Certificates

The following procedure describes how to view a list of all registered certificates

available to the adapter. Only requests that present a registered certificate will be

accepted by the adapter when client validation is enabled.

Type H (List registered certificates) at the main menu prompt.

The registered certificates are displayed and the main menu reappears. The

following is an example only.

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a Certificate

The following procedure describes how to register a certificate for the adapter.

1. Type I (Register certificate) at the main menu prompt.

A prompt appears:

Enter name of certificate file:

2. Type the name of the certificate file to be registered and press Enter.

The subject of the certificate is displayed and a prompt appears.

[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

Register this CA? (Y/N)

3. Type Y to register the certificate and press Enter.

The certificate is registered to the adapter and the main menu reappears.

Unregistering a Certificate

The following procedure describes how to unregister a certificate for the adapter.

1. Type J (Unregister a certificate) at the main menu prompt.

The registered certificates are displayed. The following is an example only.

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng

1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file to be unregistered and press Enter.

The subject of the selected certificate is displayed.

3. Type Y to unregister the certificate and press Enter.

The certificate is removed from the registered certificate list for the adapter and

the main menu reappears.

Exporting a certificate and key to PKCS12 file

In order to export a certificate and key to a PKCS12 file for the adapter, complete

the following steps:

1. At the Main Menu prompt, type K.

The following prompt is displayed:

Enter name of PKCS12 file:

2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file

for the installed certificate or private key, and press Enter.

3. At the Enter Password prompt, type the password for the PKCS12 file, and

press Enter.

4. At the Confirm Password prompt, type the password again, and press Enter.

The certificate or private key are transported to the PKCS12 file, and the Main

Menu is displayed.

Appendix A. Adapter Variables

As part of the adapter implementation, a dedicated account for Tivoli Identity

Manager to access SAP Server is created on SAP Server. The Adapter for SAP

NetWeaver AS ABAP consists of files and directories owned by the Tivoli Identity

Manager account. The Tivoli Identity Manager-owned files establish

communication with the Tivoli Identity Manager Server.

Variable Descriptions

The Tivoli Identity Manager Server communicates with the Adapter for SAP

NetWeaver AS ABAP using variables included in transmission packets sent over a

network. The combination of variables, included in the packets, depends on the

type of action the Tivoli Identity Manager Server requests from the Adapter for

SAP NetWeaver AS ABAP.

The following table is an alphabetical listing of the variables used by the Adapter

for SAP NetWeaver AS ABAP. The table gives a brief description and the data

format associated with the variable.

Table 10. Variable descriptions

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| ACADEMIC | erSAPacademic | Dr., Prof., and so on | SAP predefined value |
| ACCOUNT | erSAPaccount | User account identification | Character or numeric string, which is not SAP predefined |
| ADDRESSTYPE | erSAPaddresstype | Form of address: Mr., Mrs., Ms | Character or numeric string |
| AGR_NAME | erSAPagrname | Activity group name | Character or numeric string |
| ALIAS | erSAPalias | Internet user alias | String |
| BUILDING | erSAPbuilding | Building number | Character or numeric string |
| CATT | erSAPcatt | CATT test status | Yes or No |
| COMPANY | erSAPcompany | Company address number | SAP predefined value |
| COSTCENTER | erSAPcostcenter | User cost center | Character or numeric string |
| COUNTRY | c | Country key code of user | Character or numeric string, SAP country key |
| CREATEON | erSAPcreateon | Creation date of user master record | Character or numeric string |
| CREATOR | erSAPcreator | Name of creator of the user master record | Character or numeric string |
| DATEFORMAT | erSAPdateformat | Date format | SAP predefined value, 5 date format versions |
| DATEFROM | erSAPdatefrom | Valid from date | Up to 6 data format versions |

Table 10. Variable descriptions (continued)

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| DATEUNTIL | erSAPdateuntil | Valid until date | Up to 6 data format versions |
| DECIMALPOINT | erSAPdecimalpoint | Decimal notation, either period or comma | Character or numeric string |
| DEPARTMENT | erDepartment | Department | Character or numeric string |
| DISABLEPWD | erSAPdisablePwd | If true, disable user’s password (for SAP 6.1 and higher) | Boolean |
| EMAILADDRESS | erSAPemailaddress | E-mail address. This attribute is a multi-value attribute. If one or more e-mail addresses are defined, one e-mail address must be designated as the Standard e-mail address. | Character or numeric string |
| FAXEXT | erSAPfaxext | Fax number and extension | Character or numeric string |
| FLOOR | erSAPfloor | Floor in building | Character or numeric string |
| FUNCTION | erSAPfunction | Function of user | Character or numeric string |
| GIVENNAME | givenname | First name | Character or numeric string |
| GROUP | erSAPgroup | User group | SAP predefined value |
| L_LOGON_TIME | erSAPllogontime | Last logon time | Character or numeric string |
| language | erSAPlanguage | Language set in the user’s address record | String |
| LANGUAGELOGIN | erSAPlanguagelogingiso | User’s login language | String |
| LANGUP | erSAPlangkey | User’s login language key. This attribute is not case sensitive. Therefore, uppercase language keys must be flagged with the ∧ delimiter. | String |
| last_access | erLastAccessDate | Last logon date | Character or numeric string |
| lClient | erSAPlClient | SAP organizational unit. Required for all requests. | SAP predefined value |

Table 10. Variable descriptions (continued)

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| lCua | erSAPCuaOption | If set to true, the adapter will assume that the SAP client is CUA enabled. | Boolean |
| lDestination | erSAPlDestination | SAP destination machine name. Required for all requests. | SAP predefined value |
| lGwHost | erSAPlGhost | Fully qualified IP address of gatehost. The SAP gateway is a group of processes that allow communication between R/2 systems, NetWeaver AS ABAP systems, and external applications based on the CPIC protocol. Required for all requests. | SAP predefined value |
| lGwservice | erSAPlGwservice | SAP gateway service. The SAP gateway service is the interface between SAP and the Tivoli Identity Manager adapter. Required for all requests. | SAP predefined value |
| lHostname | erSAPlHostname | Fully qualified IP address of system where SAP is installed. Required for all requests. | SAP predefined value |
| lLanguage | erSAPllanguage | Adapter for SAP NetWeaver AS ABAP account login language. Required for all requests. | String |


Table 10. Variable descriptions (continued)

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| SAPHRLinkUsed | erSAPHRLinkUsed | If set to true, the Adapter is able to link HR Personnel Records to the SAP User Account using infotype 105. | Boolean |
| SAPHRrfcDest | erSAPHRrfcDest | If the SAP has CUA configured, then this RFC Destination is required to enable a proxy RFC call from the CUA master System onto the HR System. | String |
| lMode | erSAPlMode | SAP mode. Required for all requests. | SAP predefined value |
| lSelectSAPVersion | erSAPVersion | SAP version selected on the Service Profile | String |
| LOCNT | erSAPlocnt | Counter for incorrect logons per user | Character or numeric string |
| LOGSYSTEM | erSAPlogicalSystem | Used to add the user to the Systems Logical Name(s) values passed in the attribute. Required for all requests. | String, Multi-valued |
| lPassword | erpassword | Password to log into SAP system. Required for all requests. | SAP predefined value |
| lSysnr | erSAPlSysnr | SAP system number. Required for all requests. | SAP predefined value |
| lTrace | erSAPlTrace | Flag that indicates whether or not to enable tracing feature. Required for all requests. | Boolean |
| lUser | erSAPlUser | SAP login ID. Required for all requests. | SAP predefined value |
| RCVSYSTEM | erSAPlicRcvSys | Receiving System for CUA | String |


Table 10. Variable descriptions (continued)

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| LIC_TYPE | erSAPlicUType | Contractual User Type | String |
| SPEC_VERS | erSAPlicSpecVer | Assignment To Special Version | String |
| COUNTRY_SURCHARGE | erSAPlicSurChrg | Country Surcharge (+999 to -100) | String |
| SUBSTITUTE_FROM | erSAPlicSubFrom | Substitute Date From | String |
| SUBSTITUTE_UNTIL | erSAPlicSubTo | Substitute Date Until | String |
| SYSID | erSAPlicSysID | Chargeable User SAP System | String |
| CLIENT | erSAPlicClient | Chargeable User Client | String |
| BNAME_CHARGEABLE | erSAPlicBname | Chargeable User Name | String |
| MENU | erSAPmenu | SAP start menu | SAP predefined value |
| NAME1 | erSAPname1 | Additional name field | String |
| NAME2 | erSAPname2 | Additional name field | String |
| NAME3 | erSAPname3 | Additional name field | String |
| NAME4 | erSAPname4 | Additional name field | String |
| NAMEFORMAT | erSAPnameformat | User name formatted as first last | SAP predefined value |
| NoPwdChange | erSAPNoPwdChng | If set to true, the user will not be forced to do a password change. | Boolean |
| ORT01 | erSAPort01 | Town 1 | String |
| ORT02 | erSAPort02 | Town 2 | String |
| OUTPUT DEVICE | erSAPoutputdevice | Device | SAP predefined value |
| PASSWORD | erpassword | Password | String |
| PERSONNELNO | erSAPpersonnelNo | HR InfoType 105 personnel number | String |
| PHONEMAIN | telephoneNumber | Main telephone number | Character or numeric string |
| PID | erSAPparid | Parameter identification | SAP predefined value |
| POBOX | erSAPpobox | Post Office box number | Integer |
| POSTAL | erSAPpostal | Zip code | Integer |
| PREFIX1 | erSAPprefix1 | Von, El, etc. | SAP predefined value |
| PRNTDELETE | erSAPprntdelete | Delete after print | Character or numeric string |


Table 10. Variable descriptions (continued)

| Variable | Directory Server Attribute | Description | Data Type |
|---|---|---|---|
| PRNTIMMEDIATE | erSAPprntimmediate | Print immediately | Character or numeric string |
| PROFILE | erSAPprofile | Authorization Profiles | SAP predefined value |
| UnlockOnPwdChange | erSAPpwdUnlock | If set to true, on a successful password change, if the account was locked from too many failed login attempts, then the account is unlocked. | Boolean |
| REGION | l | Region | String |
| ROOM | erSAProom | Room number | Character or numeric string |
| SAP_INSTANCE | erSAPinstance | Adapter instance name selected on the Service Profile | String |
| SNC Name | erSAPsncName | Printable SNC name | String |
| SNC FLAG | erSAPsncFlag | Flag that allows non-secure communication | SAP Boolean |
| SORRT1_P | erSAPsorrt1p | Search term 1 | String |
| STREET | erSAPstreet | Street address | String |
| SURNAME | sn | Last name | Input supplied |
| TEL01 | erSAPtel01 | First telephone number extension | String |
| TEL02 | erSAPtel02 | Second telephone number extension | String |
| TELEFAX | facsimileTelephoneNumber | Telefax number | Character or numeric string |
| TELEPHONEEXT | erSAPtelephoneext | Telephone number: extension | Character or numeric string |
| TELTX | erSAPteltx | Teletex number | String |
| TELX1 | erSAPtelx1 | Teletex number | String |
| TIMEZONE | erSAPtimezone | Timezone | SAP predefined value, existing timezone remains if a conflict is noted |
| TYPE | erSAPtype | User type (A=online, C=CPIC, D=BDC, O=ODC) | SAP predefined value, between 1 and 4, defaults to dialog user |
| UserName | eruid | User’s login ID | String |
| UserStatus | erAccountStatus | User lock status | Character or numeric string |


Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions

The following lists are typical Adapter for SAP NetWeaver AS ABAP actions by their functional transaction group. The lists include more information about required and optional variables sent to the Adapter for SAP NetWeaver AS ABAP to complete that action.

System Login Add

A Login Add is a request to create a new user account in the domain with the specified attributes.

Table 11. Add function attributes

| Required Variables | Optional Variables |
|---|---|
| USERNAME, PASSWORD, GIVENNAME, SURNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser | All other supported attributes. |


System Login Change

Use the Change function to change one or more attributes for the specified users.

Table 12. Change function attributes

| Required Variables | Optional Variables |
|---|---|
| USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser | All supported attributes. |

System Login Delete

The Delete function removes the specified user from the active directory.

Table 13. Delete function

| Required Variables | Optional Variables |
|---|---|
| USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser | None |


System Login Suspend

Use the Suspend function to disable a user account. The user is not removed, and the user's attributes are not modified.

Table 14. Suspend function

| Required Variables | Optional Variables |
|---|---|
| USERNAME, Userstatus, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser | None |

System Login Restore

Use the Restore function to re-activate a user account that was previously suspended. After restoring, the user can access the system with the same attributes as those before the Suspend function was called.

Table 15. Restore Function

| Required Variables | Optional Variables |
|---|---|
| USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser | None |

Reconciliation

The Reconciliation function synchronizes user account information between Tivoli Identity Manager and the adapter. The following is a full set of access attributes returned by reconciliation. An asterisk (*) denotes attributes that are for informational purposes only.

Table 16. Reconciliation function

Attributes Returned During Reconciliation

ACADEMIC

ACCOUNT

ADDRESSTYPE

AGR_NAME

ALIAS

BNAME_CHARGEABLE

BUILDING

CATT

COMM. METHOD

COMPANY

COSTCENTER

COUNTRY

COUNTRY_SURCHARGE

CLIENT

CREATE_ON

CREATOR

DATEFORMAT

DATEFROM

DATEUNTIL

DECIMALPOINT

DEPARTMENT

EMAILADDRES

FAXEXT

FLOOR

FUNCTION

GIVENNAME

GROUP

LIC_TYPE

L_LOGON_TIME

LANGUAGE

LANGUAGELOGIN_ISO

LANGUP

LOCNT

MENU

NAME1

NAME2

NAME3

NAME4

NAMEFORMAT

ORT01

ORT02

OUTPUTDEVICE

PHONEMAIN

PID

POBOX

POSTAL

PREFIX1

PRNTDELETE

PRNTIMMEDIATE

PROFILE

RCVSYSTEM

REGION

ROOM

SNC Flag

SNC Name

SORRT1_P

SPEC_VERS

STREET

SUBSTITUTE_FROM

SUBSTITUTE_UNTIL

SURNAME

SYSID

TEL01

TEL02

TELEFAX

TELEPHONEEXT

TELTX

TELX1

TIMEZONE

TYPE

USER

UserName

UserStatus

Note: When modifying the Contractual license type, some types require either the special version, or the country surcharge, but not both. If you are switching from a special version value to a country surcharge, be sure to set the special version to the value "No Special Version". If you are switching from a country surcharge to a special version, be sure to set the country surcharge to "0".

Appendix B. SAP Account Requirements

This chapter describes the requirements of the SAP account used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and the SAP objects installed on the SAP Server.

SAP Objects

The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP calls built-in SAP objects and custom SAP objects designed by IBM Tivoli. Table 17 shows all the objects accessed by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Note that custom object names are prefixed with a “Z_”.

SAP User

The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses an SAP user to connect to the SAP server. The user name is supplied on the Tivoli Identity Manager adapter service profile, and the user password is supplied on the adapter configuration.

The SAP user must have permission to perform the following user administration tasks:

- Add
- Modify
- Delete
- Lock
- Unlock
- Retrieve user detail
- Retrieve supporting data

In addition, the SAP user must have the proper access to all the objects listed in Table 17 based on the SAP version and whether CUA and HR Info Type are enabled or not.

It is recommended that the SAP user type be set to System and not Dialog.

Table 17. SAP Objects used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

| No. | BAPI Objects | Description | Access Type | SAP 45B | SAP 46B | SAP 46C | SAP 6.1 | SAP 6.2 |
|---|---|---|---|---|---|---|---|---|
| 1 | BAPI_USER_ACTGROUPS_ASSIGN | Add, Mod: NON-CUA (Roles) | Write | Y | Y | Y | Y | Y |
| 2 | BAPI_USER_CHANGE | Mod | Write | Y | Y | Y | Y | Y |
| 3 | BAPI_USER_CREATE | Add | Write | Y | N | N | N | N |
| 4 | BAPI_USER_CREATE1 | Add. | Write | N | Y | Y | Y | Y |
| 5 | BAPI_USER_DELETE | Del | Write | Y | Y | Y | Y | Y |


Table 17. SAP Objects used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP (continued)

| No. | BAPI Objects | Description | Access Type | SAP 45B | SAP 46B | SAP 46C | SAP 6.1 | SAP 6.2 |
|---|---|---|---|---|---|---|---|---|
| 6 | BAPI_USER_GET_DETAIL | Mod, Search | Read | Y | Y | Y | Y | Y |
| 7 | BAPI_USER_LOCK | Mod. | Write | Y | Y | Y | Y | Y |
| 8 | BAPI_USER_PROFILES_ASSIGN | Add, Mod: NON-CUA (Profiles) | Write | Y | Y | Y | Y | Y |
| 9 | BAPI_USER_UNLOCK | Mod. | Write | Y | Y | Y | Y | Y |
| 10 | RFC_READ_TABLE: AGR_DEFINE | Search: NON-CUA (List of Valid Roles) | Read | N | Y | Y | Y | Y |
| 11 | RFC_READ_TABLE: PA0105 | Search: HR Only- Info Type 105 (User’s Employee No.) | Read | N | N | Y | Y | Y |
| 12 | RFC_READ_TABLE: T002 | Search: List of Valid Language Codes | Read | N | Y | Y | Y | Y |
| 13 | RFC_READ_TABLE: T002T | Search: List of Valid Language Descriptions | Read | N | Y | Y | Y | Y |
| 14 | RFC_READ_TABLE: T005T | Search: List of Valid Country Codes | Read | N | Y | Y | Y | Y |
| 15 | RFC_READ_TABLE: TBDLS | Search: CUA Only (List of Valid Subsystems) | Read | N | N | Y | Y | Y |
| 16 | RFC_READ_TABLE: TPARA | Search: List of Valid Parameters ID | Read | N | Y | Y | Y | Y |
| 17 | RFC_READ_TABLE: TSAD2 | Search: List of Valid Academic Titles | Read | N | Y | Y | Y | Y |
| 18 | RFC_READ_TABLE: TSAD3T | Search: List of Valid Titles | Read | N | Y | Y | Y | Y |
| 19 | RFC_READ_TABLE: TTREE | Search: List of Valid Menus | Read | N | Y | Y | Y | Y |
| 20 | RFC_READ_TABLE: TZONE | Search: List of Valid Time Zones | Read | N | Y | Y | Y | Y |
| 21 | RFC_READ_TABLE: USER_GROUPS | Mod, Search | Read | N | Y | Y | Y | Y |
| 22 | RFC_READ_TABLE: USGRP | Search: List of Valid Groups | Read | N | Y | Y | Y | Y |
| 23 | RFC_READ_TABLE: USGRP_USER | Search: User’s Groups | Read | N | Y | Y | Y | Y |
| 24 | RFC_READ_TABLE: USL04 | Search: CUA Only (User’s Profiles) | Read | N | N | Y | Y | Y |
| 25 | RFC_READ_TABLE: USLA04 | Search: CUA Only (User’s Roles) | Read | N | N | Y | Y | Y |


Table 17. SAP Objects used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP (continued)

| No. | BAPI Objects | Description | Access Type | SAP 45B | SAP 46B | SAP 46C | SAP 6.1 | SAP 6.2 |
|---|---|---|---|---|---|---|---|---|
| 26 | RFC_READ_TABLE: USR10 | Search: NON-CUA (List of Valid Profiles) | Read | N | Y | Y | Y | Y |
| 27 | RFC_READ_TABLE: USRSYSACT | Search: CUA Only (List of Valid Roles) | Read | N | N | Y | Y | Y |
| 28 | RFC_READ_TABLE: USRSYSPRF | Search: CUA Only (List of Valid Profiles) | Read | N | N | Y | Y | Y |
| 29 | RFC_READ_TABLE: USZBVSYS | Search: CUA Only (User’s Subsystems) | Read | N | N | Y | Y | Y |
| 30 | /TIVSECTY/TIM_USER_SUBSYS_620 | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N | Y | Y | Y | Y |
| 31 | /TIVSECTY/TIM_USER_SUBSYS_46C | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N | N | Y | Y | Y |
| 32 | /TIVSECTY/TIM_USER_HR_620 | Add, Mod, Del: HR Only- Info Type 105 (Employee No.) | Write | N | Y | Y | Y | Y |
| 33 | /TIVSECTY/TIM_USER_LIST_620 | Search | Read | Y | Y | Y | Y | Y |
| 34 | /TIVSECTY/TIM_USER_PWD_620 | Mod: CUA | Write | N | N | Y | Y | Y |
| 35 | /TIVSECTY/TIM_USER_PWD_46C | Mod: CUA | Write | N | N | Y | Y | Y |
| 36 | /TIVSECTY/TIM_USER_USR02_620 | Search | Read | Y | Y | Y | Y | Y |
| 37 | /TIVSECTY/TIM_USER_CHG_620 | Mod | Write | N | N | Y | Y | Y |
| 38 | /TIVSECTY/TIM_USER_CHG_46C | Mod | Write | N | N | Y | Y | Y |
| 39 | BAPI_USER_LOCACTGROUPS_READ | Search: CUA (Roles) | Write | N | N | Y | Y | Y |
| 40 | BAPI_USER_LOCACTGROUPS_ASSIGN | Add, Mod: CUA (Roles) | Write | N | N | Y | Y | Y |
| 41 | BAPI_USER_LOCPROFILES_READ | Search: CUA (Profiles) | Write | N | N | Y | Y | Y |
| 42 | BAPI_USER_LOCPROFILES_ASSIGN | Add, Mod: CUA (Profiles) | Write | N | N | Y | Y | Y |
| 43 | /TIVSECTY/TIM_USER_CUAHR_620 | Add, Mod, Del: HR Only- Info Type 105 (Employee No.) | Write | N | N | Y | Y | Y |
| 44 | /TIVSECTY/TIM_USER_ADD-620 | Add | Write | N | N | Y | Y | Y |
| 45 | /TIVSECTY/TIM_USER_ADD_46C | Add | Write | N | N | Y | Y | Y |
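The requirement that the SAP user have access to the Table 17 objects "based on the SAP version and whether CUA and HR Info Type are enabled" can be checked mechanically. The Python below is an added example, not code from the IBM guide or the adapter: it encodes Table 17 as printed and compares a list of granted objects against what a given setup needs. The scope tags (all, cua, noncua, hr) are this example's reading of the Description column, and the granted list in the sample run is constructed.

```python
VERSIONS = ("45B", "46B", "46C", "6.1", "6.2")

# Table 17 as printed: object, scope, access type (R/W), one Y/N flag per
# entry in VERSIONS. Scope is an assumption made for this example, read from
# the Description column: all, cua (CUA only), noncua, hr (HR linking only).
TABLE_17 = """
BAPI_USER_ACTGROUPS_ASSIGN      noncua W YYYYY
BAPI_USER_CHANGE                all    W YYYYY
BAPI_USER_CREATE                all    W YNNNN
BAPI_USER_CREATE1               all    W NYYYY
BAPI_USER_DELETE                all    W YYYYY
BAPI_USER_GET_DETAIL            all    R YYYYY
BAPI_USER_LOCK                  all    W YYYYY
BAPI_USER_PROFILES_ASSIGN       noncua W YYYYY
BAPI_USER_UNLOCK                all    W YYYYY
RFC_READ_TABLE:AGR_DEFINE       noncua R NYYYY
RFC_READ_TABLE:PA0105           hr     R NNYYY
RFC_READ_TABLE:T002             all    R NYYYY
RFC_READ_TABLE:T002T            all    R NYYYY
RFC_READ_TABLE:T005T            all    R NYYYY
RFC_READ_TABLE:TBDLS            cua    R NNYYY
RFC_READ_TABLE:TPARA            all    R NYYYY
RFC_READ_TABLE:TSAD2            all    R NYYYY
RFC_READ_TABLE:TSAD3T           all    R NYYYY
RFC_READ_TABLE:TTREE            all    R NYYYY
RFC_READ_TABLE:TZONE            all    R NYYYY
RFC_READ_TABLE:USER_GROUPS      all    R NYYYY
RFC_READ_TABLE:USGRP            all    R NYYYY
RFC_READ_TABLE:USGRP_USER       all    R NYYYY
RFC_READ_TABLE:USL04            cua    R NNYYY
RFC_READ_TABLE:USLA04           cua    R NNYYY
RFC_READ_TABLE:USR10            noncua R NYYYY
RFC_READ_TABLE:USRSYSACT        cua    R NNYYY
RFC_READ_TABLE:USRSYSPRF        cua    R NNYYY
RFC_READ_TABLE:USZBVSYS         cua    R NNYYY
/TIVSECTY/TIM_USER_SUBSYS_620   cua    W NYYYY
/TIVSECTY/TIM_USER_SUBSYS_46C   cua    W NNYYY
/TIVSECTY/TIM_USER_HR_620       hr     W NYYYY
/TIVSECTY/TIM_USER_LIST_620     all    R YYYYY
/TIVSECTY/TIM_USER_PWD_620      cua    W NNYYY
/TIVSECTY/TIM_USER_PWD_46C      cua    W NNYYY
/TIVSECTY/TIM_USER_USR02_620    all    R YYYYY
/TIVSECTY/TIM_USER_CHG_620      all    W NNYYY
/TIVSECTY/TIM_USER_CHG_46C      all    W NNYYY
BAPI_USER_LOCACTGROUPS_READ     cua    W NNYYY
BAPI_USER_LOCACTGROUPS_ASSIGN   cua    W NNYYY
BAPI_USER_LOCPROFILES_READ      cua    W NNYYY
BAPI_USER_LOCPROFILES_ASSIGN    cua    W NNYYY
/TIVSECTY/TIM_USER_CUAHR_620    hr     W NNYYY
/TIVSECTY/TIM_USER_ADD-620      all    W NNYYY
/TIVSECTY/TIM_USER_ADD_46C      all    W NNYYY
"""

def load_table(text=TABLE_17):
    """Parse the embedded rows into (name, scope, access, flags) tuples."""
    rows = []
    for line in text.strip().splitlines():
        name, scope, access, flags = line.split()
        if scope not in {"all", "cua", "noncua", "hr"} or len(flags) != len(VERSIONS):
            raise ValueError(f"malformed row: {line!r}")
        rows.append((name, scope, access, flags))
    return rows

def required_objects(version, cua, hr):
    """Return {object name: access type} needed for this version and setup."""
    if version not in VERSIONS:
        raise ValueError(f"unknown SAP version {version!r}; expected one of {VERSIONS}")
    column = VERSIONS.index(version)
    needed = {}
    for name, scope, access, flags in load_table():
        if flags[column] != "Y":
            continue  # object not used on this SAP version
        if (scope == "cua" and not cua) or (scope == "noncua" and cua):
            continue  # CUA and non-CUA objects are mutually exclusive
        if scope == "hr" and not hr:
            continue  # only needed when HR linking (infotype 105) is enabled
        needed[name] = access
    return needed

def audit_grants(granted, version, cua, hr):
    """Compare what the account can call with what Table 17 says it needs."""
    needed = set(required_objects(version, cua, hr))
    granted = set(granted)
    return {
        "missing": sorted(needed - granted),  # adapter requests would fail
        "excess": sorted(granted - needed),   # candidates for removal
    }

if __name__ == "__main__":
    # Constructed sample: grants on a 6.2 CUA system without HR linking.
    sample = set(required_objects("6.2", cua=True, hr=False))
    sample.discard("BAPI_USER_LOCK")
    sample.add("RFC_READ_TABLE:PA0105")  # HR table, not needed when hr=False
    for kind, names in audit_grants(sample, "6.2", cua=True, hr=False).items():
        print(kind, names)
```

Object names, including the hyphen in row 44, are copied as they appear in Table 17; correct them against your installed transport before relying on the result.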


Appendix C. Additional Installation Options

This chapter describes installation options available when installing the adapter. In addition to installation information, instructions are provided to uninstall the adapter. Each step includes a short procedure that completes one aspect of the overall adapter uninstall process. You must complete the steps in the order they are listed.

Installation Options

Several adapter installation options are provided to account for disparate environments and preferences.

Setup Arguments

This section details arguments that can be used with the adapter and adapter profile installation executables. All of the arguments described here can be used with the -is:javaconsole -console option to use a command line text interface instead of a GUI.

<adapter or profile install>.exe -options-record <filename>
    This command records the options that were selected during the install into a file.

<adapter or profile install>.exe -options-template <filename>
    This command creates a template file that has fields for all of the options that may be selected during installation. This file can then be edited to include the desired responses and played back with the option below.

<adapter or profile install>.exe -silent -options <filename>
    This command plays back the previously recorded file during a silent installation where installation is performed with no user interaction.

Adapter Removal

This section describes the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uninstall procedures. Give users advance warning that the resource will be unavailable prior to removing the adapter. If the server is taken offline, Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP requests that are not completed may not be recoverable when the server is back online.

Complete the following procedure to remove the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and directories.

1. Stop the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service.

2. Execute the uninstall binary:

   On a Windows host:
   Open Windows Explorer and execute the uninstaller:
   C:\Tivoli\Agents\SAPAgent\_uninst\uninstaller.exe

   On a UNIX host:
   Run the following command:
   .../Tivoli/Agents/SAPAgent/_uninst/uninstaller.bin

   The Uninstaller welcome dialog window appears.

3. Click Next.
   The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP components are deleted.

4. Click Finish.
   You will be prompted to reboot your system.

Note: Inspect the directory tree for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directories, subdirectories, and files to verify that uninstall is complete. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP should no longer appear in the Services dialog window.

Appendix D. Example Deployment Scenarios

This chapter provides diagrams illustrating a few deployment scenarios, to give you a better understanding of your environment from end-to-end.

Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking

[Diagram not reproduced. Labeled components: ITIM Server, with an ITIM Provision Policy and an ITIM Service for each of the SAP 6.20 and SAP 4.6C non-CUA HR systems; ITIM Agent for SAP NetWeaver AS ABAP with librfc32.dll; SAP NetWeaver AS ABAP System v 4.6C non-CUA and v 6.20 non-CUA, each with an SAP HR Module; labels TV2K900096 and TV2K900098.]

Figure 4. Tivoli Identity Manager for SAP non-CUA with HR Linking

Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking

[Diagram not reproduced. Labeled components: ITIM Server, with an ITIM Provision Policy for SAP CUA HR System and an ITIM Service for SAP 6.20 CUA HR System; ITIM Agent for SAP NetWeaver AS ABAP with librfc32.dll; SAP NetWeaver AS ABAP System v 6.20 CUA Master with an SAP HR Module; SAP NetWeaver AS ABAP Systems v 6.20 Child 1, Child 2 and Child 3; labels TV2K900100, TV2K900063, TV2K900069 and TV2K900099.]

Figure 5. Tivoli Identity Manager for SAP CUA with HR Linking

Appendix E. Support information

This section describes the following options for obtaining support for IBM products:

- “Searching knowledge bases”
- “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:

- Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
- Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
- Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  - Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll
  - By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
- For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1: Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2: Significant business impact: The program is usable but is severely limited.

Severity 3: Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4: Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can the problem be re-created? If so, what steps led to the failure?
- Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
- Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

- Online: Go to the "Submit and track problems" page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
- By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.

Page 85: IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

Appendix F. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM

IBM logo

ibm.com

AIX

AS/400

DB2

Domino

Informix

iSeries

Linux

Lotus

Lotus Notes

MQSeries

Notes

OS/400

Power PC

Tivoli

Tivoli logo

Universal Database

WebSphere

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Printed in USA

SC32-1194-11