IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration GuideInstallation and Configuration Guide
Installation and Configuration Guide
Note
Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 71
Eleventh Edition (November, 2006)
This edition applies to version 4.6.6 of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and to all
subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous
editions.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Publications and related information . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Tivoli Identity Manager library . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Prerequisite Product Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Typeface conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Chapter 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Step 3: Importing the Transport Files . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Step 4: Activating the Adapter as a Service . . . . . . . . . . . . . . . . . . . . . . . . . 13
Step 5: Configuring the Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Step 6: Installing the Adapter’s Certificate . . . . . . . . . . . . . . . . . . . . . . . . . 13
Step 7: Installing the Adapter’s Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Step 8: Configuring the Adapter’s Forms . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 3. Adapter Profile Installation . . . . . . . . . . . . . . . . . . . . . . 17
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Verifying the Adapter Profile is Installed . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 4. Adapter Parameters Modification . . . . . . . . . . . . . . . . . . . . 19
Accessing the Adapter Configuration Tool Main Menu . . . . . . . . . . . . . . . . . . . . . 19
Viewing Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Adding a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Removing a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Setting Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Changing the Configuration Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Changing Activity Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Changing Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Multi-instance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Accessing Help and Additional Options . . . . . . . . . . . . . . . . . . . . . . . . . . 34
© Copyright IBM Corp. 2004, 2005, 2006 iii
Chapter 5. Certificate Installation . . . . . . . . . . . . . . . . . . . . . . . . 37
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Basic Configuration for Server-to-Adapter SSL . . . . . . . . . . . . . . . . . . . . . . . 38
Clustered Tivoli Identity Manager Configuration . . . . . . . . . . . . . . . . . . . . . . 39
Accessing the Certificate Configuration Tool Main Menu . . . . . . . . . . . . . . . . . . . . 39
Generating a Private Key and Certificate Request . . . . . . . . . . . . . . . . . . . . . . . 41
Example of Certificate Request Script . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Example of request.pem File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Installing the Certificate from a File . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Installing the Certificate and Key from a PKCS12 File . . . . . . . . . . . . . . . . . . . . . 43
Viewing Installed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Viewing CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Viewing Registered Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Registering a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Unregistering a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Appendix A. Adapter Variables . . . . . . . . . . . . . . . . . . . . . . . . . 47
Variable Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions . . . . . . . . . 53
System Login Add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
System Login Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
System Login Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
System Login Suspend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
System Login Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
SAP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
SAP User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Setup Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Adapter Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Appendix D. Example Deployment Scenarios . . . . . . . . . . . . . . . . . . . 65
Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking . . . . . . . . . . . . . . 65
Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking . . . . . . . . . . . . . . . . 66
Appendix E. Support information . . . . . . . . . . . . . . . . . . . . . . . . 67
Searching knowledge bases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Search the information center on your local system or network . . . . . . . . . . . . . . . . . 67
Search the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Determine the business impact of your problem . . . . . . . . . . . . . . . . . . . . . . 68
Describe your problem and gather background information . . . . . . . . . . . . . . . . . . 69
Submit your problem to IBM Software Support . . . . . . . . . . . . . . . . . . . . . . 69
Appendix F. Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
iv IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
Preface
The IBM® Tivoli® Identity Manager Adapter for SAP® NetWeaver AS ABAP®
enables connectivity between the IBM and a network of systems running SAP
NetWeaver AS ABAP. This document describes the procedural steps that are
required to install and configure the adapter.
This document assumes that both Tivoli Identity Manager and SAP NetWeaver AS
ABAP are installed, configured and running on your network. No details are
provided regarding the installation and configuration of these products, except
where necessary to achieve integration.
Who should read this book
This manual is intended for security administrators responsible for installing
software on their site’s computer systems. Readers are expected to understand
security administration concepts.
The person completing the installation procedure should also be familiar with their
site’s system standards. Readers should be able to perform routine security
administration tasks.
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite Product
Publications” on page vii and the “Related Publications” on page viii. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page viii.
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
v Release information
v Problem determination
v Technical supplements
Release Information:
Provides software and hardware requirements for Tivoli Identity Manager, and
additional fix, patch, and other support information.
v IBM Tivoli Identity Manager Documentation Read This First Card
Lists the Tivoli Identity Manager publications.
Online user assistance:
© Copyright IBM Corp. 2004, 2005, 2006 v
Provides online help topics and an information center for all Tivoli Identity
Manager administrative tasks. The information center includes information that
was previously provided in the IBM Tivoli Identity Manager Configuration Guide and
the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments provides installation and configuration information for Tivoli Identity
Manager.
Configuration information that was previously provided in the IBM Tivoli Identity
Manager Configuration Guide is now included in either the installation guide or in
the IBM Tivoli Identity Manager Information Center.
Problem determination:
determination, logging, and message information for the Tivoli Identity Manager
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment, available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the Tivoli Identity
Manager link. Browse the information center for the Technical Supplements
section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/ IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
http://www.redbooks.ibm.com/redbooks.nsf/tips/
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
The Tivoli Identity Manager Server technical documentation library also includes
an evolving set of platform-specific installation documents for the adapter
components of a Tivoli Identity Manager Server implementation. Locate adapters
on the Web at:
vi IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
adapters.
the time that this manual was published:
v Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Education Software Training Roadmaps on the Web at:
http://www.ibm.com/software/tivoli/education/eduroad_prod.html
http://www.ibm.com/software/sysmgmt/products/support/ supp_tech_exch.html
Prerequisite Product Publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for Tivoli Identity Manager Server. Publications are
available from the following locations:
v Operating systems
– IBM Directory Server http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/ en_US/HTML/ldapinst.htm http://www.ibm.com/software/network/directory
– Sun ONE Directory Server
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52 v WebSphere Application Server
v WebSphere embedded messaging
Related Publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the Tivoli Identity Manager
link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your local paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
viii IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
v Searching knowledge bases: You can search across a large collection of known
problems and workarounds, Technotes, and other information.
v Obtaining fixes: You can locate the latest fixes that are already available for your
product.
v Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix E,
“Support information,” on page 67.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text
Italic
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
Preface ix
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path for the Windows operating system is drive:\Program Files. The
value of path for the AIX operating system is /usr. The value of path is /opt for
other UNIX and Linux operating systems.
Path Variable Default Definition Description
DB_INSTANCE_HOME Windows:
Windows:
Windows:
documentation.
x IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
Path Variable Default Definition Description
WAS_HOME Windows:
UNIX and Linux:
first-failure capture
Preface xi
xii IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
Chapter 1. Overview
This installation guide provides all of the basic information necessary to install and
configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. On
successful installation, the adapter enables IBM Tivoli Identity Manager to
provision access to your network’s SAP NetWeaver AS ABAP resources.
The basic procedures required to install, configure, and run the adapter are as
follows:
v Install the adapter software.
v Activate the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP as a
service on the adapter’s system.
v Configure the adapter’s communication protocols to enable the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP to communicate with the Tivoli
Identity Manager Server.
v Install the adapter’s profile on the Tivoli Identity Manager Server.
v Configure the Tivoli Identity Manager Server to recognize the adapter as a
service.
© Copyright IBM Corp. 2004, 2005, 2006 1
2 IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
Chapter 2. Adapter Installation
This chapter describes the steps required to install and configure the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP software. You must complete the
steps in the order they are listed.
This chapter has the following sections:
v “Requirements”
v “Step 3: Importing the Transport Files” on page 11
v “Step 4: Activating the Adapter as a Service” on page 13
v “Step 5: Configuring the Adapter” on page 13
v “Step 6: Installing the Adapter’s Certificate” on page 13
v “Step 7: Installing the Adapter’s Profile” on page 13
v “Step 8: Configuring the Adapter’s Forms” on page 14
Requirements
The following sections identify the hardware, software, and authorization
requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP. Verify that all of the requirements have been met before installing the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP.
System
The adapter must be installed on a server with a 32-bit x86-based
microprocessor (486 minimum), at least 512 MB of memory, and at least
300 MB of free disk space.
Operating System
Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2. Solaris version 2.8 AIX 5.x
SAP NetWeaver AS ABAP Software
SAP 4.6C, 4.6D, 6.10, 6.20, 6.40 or 7.00 must be installed and operational on
a system that is accessible from the machine where the adapter is installed.
The adapter will work with the SAP system even if the Central User
Administration (CUA) feature is installed and configured.
Note: Each SAP NetWeaver AS ABAP 4.6 system must be patched to at the
following levels or higher:
v R/3 HR Support Package 27
Each SAP NetWeaver AS ABAP 6.20 system should be patched at
the following levels or higher:
v SAP_BASIS 620 0042 SAPKB62043
v SAP_ABA 620 0042 SAPKA62043
Each SAP NetWeaver AS ABAP 6.40 system should be patched at
the following levels or higher:
v SAP_BASIS 640 0000
v SAP_ABA 640 0000
Each SAP NetWeaver AS ABAP 700 system should be patched at the
following levels or higher:
v SAP_BASIS SAPKB70000
v SAP_ABA SAPKA70000
The adapter also requires the 32 bit SAP SDK runtime library (for
Win32 it is librfc32.dll, for Solaris it is librfccm.so, for AIX it
is librfccm.o). Get this library from the SAP presentation CDs or
download it from SAP Market Place Web site. After installation of
the adapter place this library in the adapter’s lib directory or set
your path to make it accessible. For Solaris, export the environment variable LD_LIBRARY_PATH to
include the adapter’s lib directory with a command such as the
following:
For AIX, export the environment variable LIBPATH to include the
Agent’s lib directory with a command such as the following:
export LIBPATH=Agent_Install_dir/
lib:$LIBPATH
For Windows, place the library in the either the system32 directory,
the adapter’s bin directory, or set the Path environment variable to
make it accessible.
SAP Authority
The administrator installing the Tivoli Identity Manager Adapter must
have general SAP Basis resources to perform a transport import of RFC
(Remote Function Call) and related objects as well as setup OS specific
directories and authorizations. The Security Administrator must create the
CPIC (Common Programming Interface for Communications) or System
user for use by the adapter to connect to the SAP NetWeaver AS ABAP
system via the external RFC interface.
SAP User
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user
must be authorized to perform user account administration:
v Add
v Modify
v Delete
v Lock
v Unlock
v Retrieve user detail
v Retrieve supporting data
v Set, unset and retrieve HR infotype 0105 (Communication) subtypes only
if the SAP HR module is installed on a SAP system in your SAP
environment.
To perform these tasks, at a minimum, a Role should be assigned with at
least these SAP authorization objects assigned to it. You may wish to create
a specific Role only for use by this SAP user account. This can be
accomplished using transaction SU02 via the SAP GUI.
v S_RFC (SAP R/3 6.20)
v S_RFCACL (SAP R/3 6.20)
v S_TABU_DIS
v S_USER_GRP
v S_USER_AGR
v S_USER_PRO
v S_USER_SYS
v P_ORGIN (Required for HR linking only)
In addition, the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP user type should be set to Communication (CPIC) or System and
not Dialog.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
requires custom RFCs and BAPIs. These custom RFCs and BAPIs are
provided in transport files packaged with the adapter and are therefore
only available after adapter installation. These transport file packages must
be imported into your SAP system prior to running the adapter. The
transport files you must import into your SAP system vary depending on
your site’s configuration of SAP. The adapter will not function without one
of these transport files in place. Select the transport file based on the
version of your SAP system.
The transport files WITHOUT HR Linking are as follows:
v For NON-CUA (4.6C, 4.6D and 6.10):
– TV2K900065 (cofile = K900065.TV2, data = R900065.TV2) v For NON-CUA (6.20 and 6.40):
– Non-unicode:
- TV2K900069 (cofile = K900069.TV2, data = R900069.TV2) – Unicode:
- TV1K900228 (cofile = K900228.TV1, data = R900228.TV1) v For CUA (4.6C, 4.6D and 6.10) :
TV2K900067 (cofile = K900067.TV2, data = R900067.TV2)
v For CUA (6.20 and 6.40) :
– Non-unicode:
- TV1K900230 (cofile = K900230.TV1, data = R900230.TV1) v For HR InfoType 0105 Support, import one of the transport files below
into the targeted SAP HR system. These transports contain the
functionality to link the HR Personnel record to the SAP user account by
assigning the account an SAP HR Personnel Number. You can link the
HR record in both CUA and non-CUA SAP environments. If your HR
system is a child system in a CUA environment, three actions are
required for the adapter to link HR personnel records:
Chapter 2. Adapter Installation 5
1. Import one of TV2K900100 or TV1K900411 into the CUA Master
system. Then import the CUA Master transport into the CUA master
system.
2. Import the non-CUA transport into your child system.
3. An RFC destination of type R3 Connection must exist in the CUA
master system. This RFC destination will connect to your HR system.
The Gateway services file on the CUA Master system most be
configured for the gateway service of your HR system. There should
already be and RFC Destination to the child HR System which is
used as part of the CUA configuration. If you don not wish to use
this RFC destination then you can create one. An RFC destination
requires the following details:
– SAP user account password on HR system.
– HR system’s host name or IP address.
– HR system’s SAP system number.
Use the SAP GUI transaction SM59 to create RFC destinations.
The transports WITH HR linking are as follows:
v For NON-CUA (4.6C, 4.6D and 6.10):
– TV2K900096 (cofile = K900096.TV2, data = R900096.TV2) v For NON-CUA (6.20 and 6.40):
– Non-unicode:
- TV1K900409 (cofile = K900409.TV1, data = R900409.TV1) v For CUA (4.6C, 4.6D and 6.10) :
v For CUA (6.20 and 6.40) :
– Non-unicode:
- TV1K900411 (cofile = K900411.TV1, data = R900411.TV1)
- TV1K900410 (cofile = K900410.TV1, data = R900410.TV1)
These transport files contain custom RFCs (BAPIs), data elements and
tables used by the adapter in various operations:
Table 1. Transport Identifiers and Contents
Transport
Identifier
Uni
TV2K900065 NO NO NO /TIVSECTY/TIM_USER_LIST_620 (RFC)
/TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_46C (RFC)
/TIVSECTY/TIM_USER_PWD_46C (RFC)
/TIVSECTY/TIM_USER_ADD_46C (RFC)
Table 1. Transport Identifiers and Contents (continued)
Transport
Identifier
Uni
TV2K900096 NO YES NO /TIVSECTY/TIM_USER_LIST_620 (RFC)
/TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_46C (RFC)
/TIVSECTY/TIM_USER_USR02_620 (RFC)
/TIVSECTY/TIM_USER_CHG_46C (RFC)
/TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
/TIVSECTY/TIM_SYSTEMS (Structure)
/TIVSECTY/TIM_USER_CHG_46C (RFC)
/TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
/TIVSECTY/TIM_USER_CUAHR_620 (RFC)
/TIVSECTY/TIM_USER_CHG_620 (RFC)
/TIVSECTY/TIM_USER_PWD_620 (RFC)
/TIVSECTY/TIM_USER_ADD_620 (RFC)
/TIVSECTY/TIM_USER_HR_620 (RFC)
/TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
/TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_620 (RFC)
/TIVSECTY/P0105NL (Table)
Table 1. Transport Identifiers and Contents (continued)
Transport
Identifier
Uni
TV1K900228 YES NO NO /TIVSECTY/TIM_USER_LIST_620 (RFC)
/TIVSECTY/P0105NL (Table)
Network Connectivity
The adapter must be installed on a system that can communicate with the
Tivoli Identity Manager Server through a TCP/IP network.
System Administrator Authority
The person completing the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP installation procedure must have system
administrator authority to complete the steps in this chapter.
Server Communication
Communication between the Tivoli Identity Manager Server and the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP should be tested
with a low-level communication ping before installing any IBM software.
This makes troubleshooting easier if you encounter installation problems.
Step 1: Testing Network Connectivity
This step tests basic network connectivity and file transfer capability. Testing is
done between the Windows workstation where the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP will be installed, and the workstation where
the Tivoli Identity Manager Server is or will be located.
You must issue a ping command from the Tivoli Identity Manager to the
designated adapter workstations to verify communication.
1. Log on to the host running the SAP NetWeaver AS ABAP Adapter.
2. Test communication between the Tivoli Identity Manager Server and the host
running the SAP NetWeaver AS ABAP Adapter:
# ping ITIM_Server_host_name/IP_address
3. Test communication between the host running the SAP NetWeaver AS ABAP
Adapter and the host running SAP NetWeaver AS ABAP Server. You will need
to know the SAP instance number for this step (default SAP NetWeaver AS
ABAP installations have the instance number 00). If the instance number is
different, make the port number below 33<instance_number>. If the instance
number was 80, then the port would become 3380 in the telnet command:
telnet SAP_NetWeaver_AS_ABAP_Server_host_name/IP_address 3300
Step 2: Installing the Adapter
An executable installation program is provided for the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP. When you run the installation program,
you can accept the default settings or select new values.
The Tivoli Identity Manager Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP installation files are available for download from IBM’s Web site. Contact
your IBM account representative for the Web address and download instructions.
To install the adapter, do the following:
1. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
installation zip file from IBM’s Web site.
2. Extract the contents of the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP installation zip file into a temporary directory.
3. Complete one of the following:
For a Tivoli Identity Manager Adapter installed on a UNIX platform:
a. Change the working directory to the temporary directory where
you extracted the profile installation file.
# cd /tmp
where tmp is the path of the directory containing the adapter
installation file.
b. Run the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP adapter installation binary that is appropriate for your
operating system.
# ./SapAgent/install/Agent/SAPAgentSetup_operating system.bin
where operating system is the name of your operating system, such
as aix or solaris.
For a Tivoli Identity Manager Adapter installed on Windows:
Select Run... from the Start menu and type the path to the temporary
directory followed by SapAgent\install\agent\ SapAgentSetup_win32.exe. For example:
C:\Temp\SapAgent\install\agent\SapAgentSetup_win32.exe
The Welcome dialog window appears. 4. Click Next.
The License dialog window appears.
5. Read the License agreement and select the I accept option to continue.
6. Click Next.
The Select Destination Directory dialog window appears.
7. Accept the default or select an alternate destination path and click Next.
The Install Summary dialog window appears.
8. Click Next.
The SAP NetWeaver AS ABAP Instance Setup dialog is displayed.
9. In the respective fields, type the SAP NetWeaver AS ABAP instance name and
the password for the CPIC SAP user account that the adapter will use and
click Next.
The SAP NetWeaver AS ABAP enter more instances dialog is displayed. To
enter more instances select Yes and repeat this step for as many SAP
NetWeaver AS ABAP instances as required. Otherwise select No.
10. Click Finish.
11. Check the installation directory has been created as specified in step 7. Make
the SAP SDK shared library accessible by the adapter.
For Solaris:
Copy the SAP SDK library (librfccm.so) into the adapter’s lib
directory, and then export the environment variable LD_LIBRARY_PATH
to include the adapter’s lib directory with a command such as this.
export LD_LIBRARY_PATH=adapter_install_dir/lib:$LD_LIBRARY_PATH
For AIX:
Copy the SAP SDK library (librfccm.o) into the adapter’s lib
directory, and then export the environment variable LIBPATH to include
the adapter’s lib directory with a command such as this.
Installer
Browse...
Click Next to install < > to this directory, or click Browse to install to a different directory
agentname
InstallShieldInstallShield
Figure 1. Select Destination Directory dialog window
export LIBPATH=adapter_install_dir/lib:$LIBPATH
Copy the SAP SDK library (librfc32.dll) into either the system32
directory, the adapter’s bin directory, or set the Path environment
variable to make it accessible. If you already have the SAP GUI
installed on this Windows host, a version of the SAP SDK library
should already exist in the system32 directory. 12. Locate the transport files in the adapter’s transports directory. Give the
COFILES and the DATA files to your SAP BASIS administrator to import into
all targeted SAP NetWeaver AS ABAP systems. As these transports are client
independent, ensure that your transport landscape allows for this before
importing. The next section describes the transport import procedure.
Note: By setting the transport landscape up appropriately, you will be sure not to
import the transports into clients that do not need them (even though
importing the transports files into other clients will not have any impact on
them). The imported function modules and data structures can be removed
via a new transport/change request if required.
Step 3: Importing the Transport Files
Note: IBM recommends that these imports be performed by a SAP Basis
Administrator.
For the adapter to function, it is necessary to import one of the transport files sets
described above. You must first copy the transports set to the transport directory in
each mySAP.com landscape, so that the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP can communicate with your target SAP systems. For
demonstration purposes the following instructions refer to the transport
TV2K900045 as an example. You will need to repeat these steps for each transport
in your required transport file set as defined in the table above.
Before you begin the transport import process, complete the following steps:
1. Locate the transport files in the transports installation subdirectory for the
adapter. For example, on a Windows installation this would be
C:\Tivoli\Agents\SapAgent\transports.
2. Copy the transport files to the application server that will be used to execute
the import:
a. Copy all files in the cofiles subdirectory (K900045.TV2) in ASCII format to
the /usr/sap/trans/cofiles directory. Ensure that the files have write
permission.
b. Copy all files in the data subdirectory (R900045.TV2) in binary format to the
/usr/sap/trans/data directory. Ensure that the files have write permission.
c. Ensure that the files are owned by the group sapsys. 3. Perform the following prerequisite checks before beginning the import process:
a. The transport and correction system must be already configured and
functioning.
b. The target system must be properly defined within a transport domain.
You can now perform the transport import. This procedure can be performed from
either the command line or by using the Transport Managing System.
Using the Transport Managing System:
1. Log into the SAP GUI with a mySAP.com SAP GUI administrator
account.
v Run transaction STMS, or
v Select Tools then Administration, then Transport, then Transport
Management System. 3. Display the available mySAP.com system import queues. Either:
v Click the Import Overview icon, then click Display Import Queue,
or
v Double-click the target system in the Import Overview window. 4. Add the transport to the buffer. If the transports already exist in the
buffer, proceed to the next step. If the buffer does not exist, perform the
following steps:
a. From the Extras menu, select Other Requests then Add to display
the Add Transport Request to Import Queue dialog.
b. In the Transp. request field, enter the transport name that you want
to add, such as TV2K900045. Click the icon with the green check on
it and then click Yes on the confirmation dialog. 5. Import the transport as follows:
a. From the Import Queue window, select the transport.
b. From the Request menu, select Import to display the Import
Transport Request dialog.
c. In the Target client field, select the target client from the drop-down
list. Click the icon with the green check on it and then click Yes on
the confirmation dialog. 6. Verify that the import was successful. To do this, log into the SAP GUI
and go to the Function builder transaction (se37) and check that the
Function Modules (RFCs) listed in the transport description table above
(see Table 1 on page 6) are installed and active. If the Function Modules
(RFCs) are not active, activate the objects.
Note: A mySAP.com developer key is required to activate the objects.
Using the command line:
1. Log on to the target SAP system host machine as the mySAP.com
administrator and change to the /usr/sap/trans/bin directory.
2. Show the current contents of the transport buffer:
tp showbuffer sid
where sid is the three-character identifier of your mySAP.com system.
3. Verify that there are no other transports included in the transport
buffer.
tp addtobuffer TV2K900045 sid
5. Verify that the transport has been placed in the buffer:
tp showbuffer sid
6. Import the transport:
tp import TV2K900045 sid
7. Verify that the import was successful. To do this, log into the SAP GUI
and go to the Function builder transaction (se37) and check that the
Function Modules (RFCs) listed in the transport description table above
(see Table 1 on page 6) are installed and active. If the Function Modules
(RFCs) are not active, activate the objects.
Step 4: Activating the Adapter as a Service
If the Tivoli Identity Manager Agent for SAP NetWeaver AS ABAP was installed
on a Windows host, a service is created for starting and stopping the agent.
On UNIX platforms, the agent is deployed with script files to start and stop the
agent. The following scripts are located in the bin directory of the agent
installation:
v StopAgent.sh
v StartAgent.sh
Use the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service or
scripts to start the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
software on the target platform.
Step 5: Configuring the Adapter
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses the
DAML protocol to ensure secure communication with the Tivoli Identity Manager
Server. Default protocol values are provided. However, you must configure the
DAML protocol for your site’s systems. Refer to “Changing Protocol Configuration
Settings” on page 21 for more information.
Step 6: Installing the Adapter’s Certificate
A certificate must also be installed for the DAML protocol. You must obtain a
production certificate from a well-known Certificate Authority or create your own
certificate using your own Certificate Authority. The Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP does not come prepackaged with a
certificate. Refer to Chapter 5, “Certificate Installation,” on page 37 for more
information about installing certificates.
When you install the new certificate, you will also need to install the new
Certificate Authority on the Tivoli Identity Manager Server. For more information,
refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide,
specifically the sections marked ″Preparing to install adapters″.
Note: You must configure the DAML protocol before installing your certificate.
Stop and restart the adapter after the certificate is installed.
Step 7: Installing the Adapter’s Profile
Before an adapter can be added as a service to the Tivoli Identity Manager Server,
the server must have a service profile to recognize the adapter as a service. See
Chapter 3, “Adapter Profile Installation,” on page 17 for more information on
installing the adapter’s profile on the Tivoli Identity Manager Server.
Note: If this is an upgrade of an existing adapter, the new adapter schema will not
be reflected immediately. The Tivoli Identity Manager system stores the
adapter schema in memory. However, this cache is periodically refreshed
and the new adapter schema will be reflected after the cache is refreshed.
Re-boot the Tivoli Identity Manager system to refresh the adapter schema
immediately.
Step 8: Configuring the Adapter’s Forms
Configure the adapter’s service maintenance and account maintenance forms on
the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager
Information Center for more information.
When adding the adapter as a Tivoli Identity Manager Service to the Tivoli
Identity Manager Server, the following SAP connection parameters must be
defined:
SAP System Version Legacy Service attribute. The adapter officially
only supports 4.6C to WAS 6.20. Recommend
value is 46C+.
SAP Client Instance Name Required Service Attribute. This is the SAP
instance name for the SAP instance your
connecting to.
User Administration (CUA) SAP client.
Do Not Force Password Change? Optional Service Attribute. Check this radio
button if you want to disable SAP’s password
reset functionality. Required to synchronize
passwords across other Tivoli Identity Manager
accounts for this identity.
Disable Admin Unlock On Restore? By default users will not be allowed to restore
their account if the account was locked by an
administrator. Check this radio button if you
want to allow users to restore their account after
it has been locked by an administrator.
Unlock Account On Password Change? Optional Service Attribute. Check this radio
button if you want the adapter to perform a
secondary unlock action on a password change
request. If activated, the account will be unlocked
if the reason for its lock state was to many failed
login attempts.
Display Indirectly Assigned Roles? Optional Service Attribute. Check this radio
button if you want an to have Roles assigned
indirectly reconciled for accounts. Roles are
assigned indirectly as a result of Composite Role
assignment.
Enable HR infotype 105 Link? Optional Service Attribute. Check this radio
button if you want to allow the adapter to Link
SAP accounts to HR Personnel Records using
infotype 105 (Communication).
only)
value when you have selected the option above
Enable HR infotype 105 Link?, and your SAP
System uses the CUA configuration.
Table 2. Service Attributes (continued)
ITIM Service Attribute Name ITIM Service Attribute Description
Role Default End Date Optional Service Attribute. This is the default
Role End Date.
Role Date Max Year Optional Service Attribute. This is the maximum
year value for the Role start and end date
widgets. Default value is 9999.
Span Role Date Years? Optional Service Attribute. Check this radio
button if you want to Span the Role End Date
Year field (that is, display all years from 1990 to
the defined Role Date Max Year above).
Target Client Required Service Attribute. This is the SAP
instance client number.
Login ID Required Service Attribute. This is the CPIC SAP
User account login ID that the adapter will use to
connect to the SAP client.
Language Required Service Attribute. This is the SAP login
language parameter.
supported now)
only supports the NetWeaver AS ABAP mode.
SAP System (DNS hostname or IP) Required Service Attribute. Hostname of the SAP
server host machine only if DNS is set up
correctly. Otherwise use the IP address. Test the
connection using the ping command from the
command line on the host running the adapter.
SAP System Number Required Service Attribute. The SAP server
system number. Default SAP install has system
number 00.
SAP Gateway (DNS hostname or IP) Required Service Attribute. Hostname of the SAP
gateway host machine only if DNS is set up
correctly. Otherwise use the IP address. Test the
connection using the ping command from the
command line on the host running the adapter.
Usually this is the same host that contains the
SAP server
SAP Gateway Service Name Required Service Attribute. The SAP gateway
service string. Default SAP install has system
number sapgw00.
Enable RFC Trace? Optional Service Attribute. Set to ON to enable
RFC trace files for debug purposes. If you find a
problem with the adapter, ensure you re-produce
the request with Trace enabled and capture the
trace file. The logs are created in the directory
where the RFCSDK runtime library is located.
Enable Extended RFC Logon? Optional Service Attribute. Check this radio
button to enable use of entended RFC logon.
Define the extended logon attributes by creating
unencryped registry values.
support AIX in a reliable fashion. Therefore it is
recommended that this setting not be used for
Agent’s running on AIX with the SAP RFCSDK
6.40 AIX library.
Figure 2. Configuring the Adapter’s Forms
Chapter 3. Adapter Profile Installation
This chapter has the following sections:
v “Introduction”
v “Requirements”
v “Verifying the Adapter Profile is Installed” on page 18
Introduction
Before an adapter can be added as a service to the Tivoli Identity Manager Server,
the server must have a service profile to recognize the adapter as a service. The
Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP comes packaged
with a JAR file which represents the adapter’s profile. This JAR file is then
imported into the Tivoli Identity Manager Server, making SAP NetWeaver AS
ABAP available as an ITIM Server service option.
This chapter describes the procedure to install and configure the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity
Manager Server. Each step includes a short procedure that completes one aspect of
the overall profile installation process. You must complete the steps in the order
they are listed.
Note: If you are upgrading the adapter software, you must also upgrade the
adapter profile on the Tivoli Identity Manager Server.
Requirements
The following table identifies hardware, software, and authorization requirements
to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile
on the Tivoli Identity Manager Server. Verify that all the requirements have been
met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP profile.
Server The Tivoli Identity Manager Server must be installed and
running before the adapter’s profile can be installed.
System Administrator Authority The person completing the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP profile installation
must have root access to the Tivoli Identity Manager
Server to complete the procedures in this chapter.
Installing the Adapter Profile
1. Log in to any host machine that has a supported browser and can connect to
the Tivoli Identity Manager Server Console. You may wish to just log directly
into your Tivoli Identity Manager Server, but the profile can also be installed
remotely if desired.
2. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
package from the IBM Web site and extract the profile JAR file SapProfile.jar.
Place the JAR file into a temporary directory.
Note: Contact your IBM account representative for the Web address and
download instructions for adapter installation files.
3. Start a browser session and log into the Tivoli Identity Manager Console with
an administrator account.
4. Using the Tivoli Identity Manager tabs and menus, browse to Configuration >
Import/Export and select the Import tab.
5. Use the Browse button to locate the temporary directory that contains the JAR
file, SapProfile.jar.
6. Select the correct profile JAR file, then select the Import data into Identity
Manager button (which is directly beneath the browse widget).
7. When the import is complete you will see a message such as:
Uploading file C:\temp\SapAgent\install\profile\SapProfile.jar
Profile installation complete.
8. Although not essential in all instances, it is a good idea to restart the enrole
WebSphere Enterprise Application using the WebSphere Administration
Console (http://ITIM_server:9090/admin) , or by restarting the WebSphere
Application Server itself.
To ensure that the adapter profile has been installed correctly:
1. Using the Administrator Console, navigate to the Provisioning main tab.
2. Create a service of type SAP NetWeaver AS ABAP.
Note: If you do not have the correct SAP system details, enter in dummy
values for the SAP CONNECTION DETAILS. You must however have a
running SAP NetWeaver AS ABAP adapter, and correct AGENT
CONNECTION DETAILS.
3. Submit the service for creation.
4. Once the service has been created, create a provisioning policy entitlement for
the new service. You can use an existing Provisioning policy, or create a new
one.
Chapter 4. Adapter Parameters Modification
This chapter describes how to use agentCfg, the provided adapter configuration
program, to view or modify Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP parameters. All modifications made to settings with this tool take effect
immediately.
v “Accessing the Adapter Configuration Tool Main Menu”
v “Viewing Configuration Settings” on page 20
v “Changing Protocol Configuration Settings” on page 21
v “Setting Event Notification” on page 24
v “Changing the Configuration Key” on page 28
v “Changing Activity Logging Settings” on page 28
v “Changing Registry Settings” on page 30
v “Changing Advanced Settings” on page 32
v “Viewing Statistics” on page 33
v “Changing code page settings” on page 34
v “Accessing Help and Additional Options” on page 34
Accessing the Adapter Configuration Tool Main Menu
The following procedure describes how to access the main menu of the agentCfg
tool for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.
1. Change to the adapter’s bin directory.
At the prompt, type the following, if the Tivoli Identity Manager Adapter for
SAP NetWeaver AS ABAP directory is in the default location:
agentCfg -agent SAPAgent
Enter configuration key for Agent ’SAPAgent’:
The default password is ’agent’. This should be changed at the first
opportunity.
You can also use agentCfg to view or change configuration settings from a
remote computer. See the table in “Accessing Help and Additional Options” on
page 34 for procedures on using the -hostname argument.
2. Type the configuration key for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP.
The default configuration key is agent. See “Changing Protocol Configuration
Settings” on page 21 for procedures to change the configuration key.
The Main Configuration menu appears.
SAPAgent 4.6.xxxx Agent Main Configuration Menu
-------------------------------------------
Select menu option:
This chapter includes a section for each of the following main functions:
v For option A, see “Viewing Configuration Settings”
v For option B, see “Changing Protocol Configuration Settings” on page 21
v For option C, see “Setting Event Notification” on page 24
v For option D, see “Changing the Configuration Key” on page 28
v For option E, see “Changing Activity Logging Settings” on page 28
v For option F, see “Changing Registry Settings” on page 30
v For option G, see “Changing Advanced Settings” on page 32
v For option H, see “Viewing Statistics” on page 33
v For option I, see “Changing code page settings” on page 34
Viewing Configuration Settings
The following procedure describes how to view the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP configuration settings.
1. Type option A (Configuration Settings) at the main menu prompt.
The configuration settings for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP appear. The following is a sample of the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP configuration settings.
Configuration Settings
Available Protocols : DAML, FTP
Log File Name : SAPAgent.log
Max. log files : 3
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
2. Press any key to return to the main menu.
Changing Protocol Configuration Settings
The adapter can communicate with the Tivoli Identity Manager Server using
DAML or FTP. By default, agents are configured to use DAML as the
communication protocol. Procedures provided in this section contain instructions
for modifying DAML protocol configuration settings. Configuring the adapter to
use FTP requires additional configuration not provided in this section.
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP protocol configuration settings. This section
also describes the purpose of the provided functions.
1. Type B (Protocol Configuration) at the main menu prompt.
The Protocol Configuration menu appears. The configured and available
protocols for your server display above the menu options. The DAML protocol
is configured and available by default for the Tivoli Identity Manager Adapter
for SAP NetWeaver AS ABAP.
Agent Protocol Configuration Menu
Select menu option
2. See the following procedure that corresponds with the option that you want to
select:
v For option A, see “Adding a Protocol”
v For option B, see “Removing a Protocol”
v For option C, see “Configuring a Protocol” on page 22
Type X to return to the main menu.
Adding a Protocol
1. Type A (Add Protocol) at the Protocol Configuration menu prompt.
The Add New Protocol menu appears and displays protocols that are available
on your server. If there are no protocols to add, the Protocol Configuration
menu reappears.
2. Type the menu option letter of the protocol that you want to add.
The Protocol Configuration menu reappears. The protocol that you added
appears as a Configured Protocol. See the procedure for “Configuring a
Protocol” on page 22 to modify the default configuration settings for the
protocol that you added.
Removing a Protocol
1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.
The Remove Protocol menu appears and displays all protocols that have been
added. If there are no protocols to remove, the Protocol Configuration menu
reappears.
2. Type the menu option letter of the protocol that you want to remove.
Chapter 4. Adapter Parameters Modification 21
The Protocol Configuration menu reappears and the protocol that you removed
is no longer listed as a configured protocol. However, the protocol remains as
an available protocol that can be added again.
Configuring a Protocol
1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.
The Configure Protocol menu appears.
2. Type the menu option letter of the protocol that you want to configure.
The Protocol Properties menu for the configured protocol appears with protocol
properties.
Note: The properties on your menu may be different from the ones shown.
The following is an example of the DAML protocol properties:
DAML Protocol Properties
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection
F. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
G. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
H. HOSTADDR ANY ;Listen on address ( or "ANY" )
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
Select menu option:
3. Type the menu option letter of the protocol property that you want to
configure.
See the table below for additional information about the menu options for the
DAML protocol.
Type this Option To Accomplish this
A (USERNAME) The following prompt appears:
Modify Property ’USERNAME’:
This is the username the Tivoli Identity Manager
Server uses to connect to the adapter.
B (PASSWORD) The following prompt appears:
Modify Property ’PASSWORD’:
Manager Server uses to connect to the adapter.
C (MAX_CONNECTIONS) The following prompt appears:
Modify Property ’MAX_CONNECTIONS’:
Agent.
Table 4. Menu options for the DAML protocol (continued)
D (PORTNUMBER) The following prompt appears:
Modify Property ’PORTNUMBER’:
uses to connect to the adapter.
E (USE_SSL) The following prompt appears:
Modify Property ’ USE_SSL’:
Type TRUE to require the Tivoli Identity Manager
Server to use HTTPS. Type FALSE to allow the Tivoli Identity Manager
Server to use HTTP.
CertTool utility if you set this option to TRUE. You
must also make sure the CA that created the
certificate is registered with the Tivoli Identity
Manager Server Web Application Server.
F (SRV_NODENAME) The following prompt appears:
Modify Property ’SRV_NODENAME’:
Type a server name, for example, 192.168.6.152
This is the DNS name or IP address of the Tivoli
Modify Property ’SRV_PORTNUMBER’:
Identity Manager Server, for example, 7004
This is the port number the adapter uses to connect to
the Tivoli Identity Manager Server.
H (SRV_USERNAME) The following prompt appears:
Modify Property ’SRV_USERNAME’:
This is the username the adapter uses to connect to
the Tivoli Identity Manager Server.
I (VALIDATE_CLIENT_CE) The following prompt appears:
Modify Property ’VALIDATE_CLIENT_CE’:
the adapter.
certificate.
Note: You must configure options D through H of the
CertTool if you set this option to TRUE.
Table 4. Menu options for the DAML protocol (continued)
J. (REQUIRE_CERT_REG) The following prompt appears:
Modify Property ’REQUIRE_CERT_REG’:
certificate.
Note: You must configure options D through H of the
CertTool if you set this option to TRUE.
4. Change the value and press Enter.
The Protocol Properties menu reappears and displays your new settings.
Note: Press Enter to return to the Protocol Properties menu without modifying
the selected value.
Setting Event Notification
The following procedure describes how to set Event Notification for the Tivoli
Identity Manager Server. Event Notification updates the Tivoli Identity Manager
Server with changes to the Tivoli Identity Manager Server at set intervals.
Note: The example menu shows all the options displayed when Event Notification
is enabled. If Event Notification is disabled, not all of the options are
displayed.
1. Type C (Event Notification) at the main menu prompt.
The Event Notification Menu appears.
Event Notification Menu
* Configured Contexts : Jupiter, dd309
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done
Select menu option:
2. Type the menu option letter of the Event Notification option that you want to
change.
Note: Option A must be enabled in order for the values of the other options to
take affect.
Table 5. Event notification options
A If this option is enabled, the adapter updates the Tivoli Identity
Manager Server with changes to the adapter at regular intervals.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
B (Time interval
Press Enter to return to the Agent Activity Logging menu
without changing the value.
C (Set processing cache
Type a different value to change the processing cache size.
E (Set attributes to be
reconciled)
Attributes to be Reconciled” on page 26 for more information.
F (Reconciliation
process priority)
Type a different thread value to change reconciliation process
priority.
Context name :
Type the new context name and press Enter. The new context is
added.
A menu listing the available contexts appears. See “Modifying an
Event Notification Context” on page 27 for more information.
I (Remove Event
The Remove Context menu appears. Select the context to remove
and the following prompt appears:
Delete context context1? [no]:
Press Enter to exit without deleting the context or type Yes and
press Enter to delete the context.
Table 5. Event notification options (continued)
J (List Event
format:
-----------------------------------------------
3. Press Enter if you changed the value for option B, C, E or F.
The Event Notification menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the
corresponding menu option letter.
Setting Attributes to be Reconciled
Setting attributes to be reconciled consists of selecting attributes that will trigger
event notifications when their values change. Attributes that change frequently
(password age or last successful logon, for example) can be omitted.
1. Type E (Set attributes to be reconciled) at the Event Notification Menu.
The Event Notification Entry Types menu appears.
Event Notification Entry Types
Select menu option:
2. Type A for attributes returned during a user reconciliation or type B for
attributes returned during a group reconciliation.
The Event Notification Attribute Listing for the selected reconciliation type
appears.
Note: The default setting lists all attributes the adapter supports.
Event Notification Attribute Listing
-----------------------------
Select menu option:
3. Type the letter option of the attribute to exclude from an event notification.
Attributes that are marked with the asterisks are returned during the event
notification. Attributes that are not marked with asterisks are not returned
during the event notification.
Modifying an Event Notification Context
1. Type H (Modify Event Notification Context) at the Event Notification menu.
The Modify Context Menu appears.
Modify Context Menu
The Modify Context menu for the selected context appears.
A. Set attributes for search
B. Target DN:
See “Adding Search Attributes for Event Notification” for option A.
See “Configuring the Target DN for Event Notification Contexts” for option B.
See “Removing the Baseline Database for Event Notification Contexts” on page
28 for option C.
Adding Search Attributes for Event Notification
1. Type A (Set attributes for search) at the desired context’s Modify Context menu.
The Reconciliation Attribute Passed to Agent menu appears.
Reconciliation Attributes Passed to Agent for Context: Context1
----------------------------------------------------
----------------------------------------------------
Select menu option:
2. Select the desired option and complete the requested information at the
prompts.
The Reconciliation Attributes Passed to Agent menu reappears with the
changes displayed.
Configuring the Target DN for Event Notification Contexts
1. Type B (Target DN) at the desired context’s Modify Context menu.
The following prompt appears:
Enter Target DN:
2. Type the target DN for the context and press Enter.
The target DN for the event notification context must be in the following
format:
Each element of the DN is defined as follows:
erservicename
Name of the target service used by the product name.
o Name of the organization in the product name.
ou Name of the tenant in which the organization is located. If the product
name is an enterprise installation, this is the name of the organization.
dc=com
Root of the directory tree.
The selected context’s Modify Context menu reappears with the new target DN
listed.
Removing the Baseline Database for Event Notification Contexts
This option is only available after a context is created and a reconciliation is run on
the context to create a Baseline Database file.
Type C (Delete Baseline Database) at the desired context’s Modify Context menu.
The selected context’s Modify Context menu reappears with the Delete Baseline
Database option removed.
Changing the Configuration Key
Adapter for SAP NetWeaver AS ABAP configuration key. You use this key as a
password to access the configuration tool from the selected adapter.
1. Type D (Change Configuration Key) at the main menu prompt.
Enter new configuration key for Agent ’SAPAgent 4.6.xxxx’:
Press Enter to return to the Main Configuration menu without changing the
configuration key. The default configuration key is agent.
Note: Enter a configuration key that you can easily remember.
A message appears:
Changing Activity Logging Settings
Adapter for SAP NetWeaver AS ABAP activity logging settings. When you enable
logging, Tivoli Identity Manager maintains a log file of all transactions in a dated
archive log file, SAPAgent.log.
1. Type E (Activity Logging) at the main menu prompt.
The Agent Activity Logging menu appears. The following sample shows the
default activity logging settings.
Agent Activity Logging Menu
C. Activity Log File Name (current: SAPAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
Select menu option:
2. Type the menu option letter of the activity logging option that you want to
change.
Note: Option A (Activity Logging) must be enabled in order for the values of
the other options to take effect.
Table 6. Event notification options
A (Activity Logging) Set this option to enabled and Tivoli Identity Manager maintains
a log file of all transactions in a dated archive log file.
B (Logging Directory) Type a different value for the logging directory, for example,
C:\Log. When the logging option is enabled, details about each
access request are stored in the logging file that is located in this
directory.
C (Activity Log File
Name)
Type a different value for the log file name. When the logging
option is enabled, details about each access request are stored in
the logging file.
D (Activity Logging
Max File Size)
Type a new value, for example, 10. The oldest data is archived
when the log file reaches the maximum file size. File size is
measured in megabytes. Activity log file size can exceed disk
capacity.
E (Activity Logging Max
Files)
Type a new value up to 100, for example, 5. The agent
automatically deletes the oldest activity logs beyond the
specified limit.
Table 6. Event notification options (continued)
F (Debug Logging) If this option is set to enabled, the agent includes the debug
statements in the log file of all transactions.
G (Detail Logging) If this option is set to enabled, the agent maintains a detailed log
file of all transactions.
Note: The detail logging option should be used for diagnostic
purposes only. When the detail logging option is on, the
application’s performance can be adversely affected.
H (Base Logging)
If this option is set to enabled, the agent maintains a log file of
all transactions in the ADK and library files.
I (Thread Logging) If this option is set to enabled, the agent maintains a log file with
entries that specify the thread that caused the log.
v disabled, pressing the I key changes the value to enabled.
v enabled, pressing the I key changes the value to disabled.
3. Press Enter if you changed the value for option B, C, D, or E.
The Agent Activity Logging menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the
corresponding menu option letter.
Changing Registry Settings
Adapter for SAP NetWeaver AS ABAP registry settings.
1. Type F (Registry Settings) at the main menu prompt.
The Registry menu appears.
-------------------------------------------
C. Multi-instance settings.
Note: There are no encrypted registry settings for this adapter.
Modifying Non-encrypted Registry Settings
1. Type A (Modifying Non-encrypted Registry Settings) at the Registry menu
prompt.
Agent Registry Items
v A) Add new attribute
v B) Modify attribute value
v C) Remove attribute
v X) Done 3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter.
The non-encrypted registry settings menu reappears and displays your new
setting(s).
To access registry settings, do the following:
1. Type B (Modifying Encrypted Registry Settings) at the Registry menu prompt.
The Encrypted Registry settings menu appears.
Encrypted Registry Items
v A) Add new attribute
v B) Modify attribute value
v C) Remove attribute
v X) Done 3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter.
The encrypted registry settings menu reappears and displays your new
settings.
This option allows you to configure multi-instance settings.
Note: This option is only valid if the agent can support multi-instances.
1. Type C (Multi-instance Settings) at the Registry Menu prompt.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance
Class Menu appears.
-------------------------------------------------------
-------------------------------------------------------
3. Type the requested information and press Enter.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance
Class Menu reappears and displays your new settings.
Changing Advanced Settings
Adapter for SAP NetWeaver AS ABAP thread count settings for the following
types of requests:
v Reconciliation
These settings determine the maximum number of requests that the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP processes concurrently.
1. Type G (Advanced Settings) at the main menu prompt.
The Advanced Settings menu appears. The following sample shows the default
thread count settings.
-------------------------------------------
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:
2. Type the menu option letter of the advanced setting that you want to change.
Note: The UTF8 Conversion support setting must be set to FALSE to support
Western European character sets.
A (Single Thread Agent) Forces the adapter to allow only one request at a
time.
B (ADD max. thread count) Controls how many simultaneous ADD requests can
run at one time.
C (MODIFY max. thread count) Controls how many simultaneous MODIFY requests
can run at one time.
D (DELETE max. thread count) Controls how many simultaneous DELETE requests
E (SEARCH max. thread count) Controls how many simultaneous SEARCH requests
F (Allow User EXEC procedures) Determines whether the adapter allows pre- and
post-exec functions. Enabling this option is a potential
security risk. This option is disabled by default.
G (Archive Request Packets) Instructs the adapter to retain copies of the request
packets in an archive. This option is specific to the
FTP protocol and is used primarily for debugging
purposes. By default, request packets are deleted once
they have been read unless this option is enabled.
H (UTF8 Conversion support) This option is no longer used.
I (Pass search filter to agent) Provides filtering functionality for search requests by
issuing a full search to the agent and then filtering
the objects as they are pipelined back to the server.
Currently, this adapter does not support processing
filters directly. This option should always be FALSE.
J (Thread Priority Level (1-10)) Sets the thread priority level for the agent.
The Advanced Settings menu reappears and displays your new settings.
Viewing Statistics
The following procedures describes how to view an event log for the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP.
1. Type H (Statistics) at the main menu prompt.
The activity history for the adapter is displayed.
SAPAgent 4.6.xxxx Agent Request Statistics
--------------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
2. Type X to return to the Main Configuration Menu.
Changing code page settings
In order to list the supported code page information for the RACF Adapter, the
adapter must be running. Run the following command to view the code page
information:
agentCfg -agent [adapter_name] -codepages
In order to change the code page settings for the RACF Adapter, complete the
following steps:
The code page support menu for the adapter is displayed.
SAPAgent 4.6 Codepage Support Menu
-------------------------------------------
*******************************************
2. Type A to configure a code page.
Note: The SAPAgent uses unicode, therefore this option is not applicable.
3. Type X to return to the Main Configuration Menu.
Accessing Help and Additional Options
The following describes how to access the agentCfg help menu and use the help
arguments.
1. Return to the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
bin directory by completing one of the following:
v Type X from the Main Configuration menu prompt.
v Complete procedures 1 and 2 of “Accessing the Adapter Configuration Tool
Main Menu” on page 19. 2. Type agentCfg -help at the prompt to view the help menu.
The following list of possible commands appears:
-version ;Show version
-findall ;Find all agents on target node
-list ;List available agents on target node
-agent <value> ;Name of agent
-tail ;Display agent’s activity log
-portnumber <value> ;Specified agent’s TCP/IP port number
-netsearch <value> ;Lookup agents hosted on specified subnet
-confidencetest ;Confidence test
-help ;Display this help screen
The following table describes the purpose of the provided arguments.
Table 8. Command argument purposes
-version Use this argument to display the agentCfg version.
-hostname <value> Use the -hostname argument with any of the following
commands to specify a different host:
v -findall
v -list
v -tail
v -agent
Enter a hostname or IP address as the value.
-findall Use this argument to search and display all possible port
addresses for all agents. Must be used with the -list
argument. Add the -hostname argument to search a remote
host.
-list Use this argument to search and display agents found at
default ports. By default, the argument searches the local host
of the Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP. Use the -hostname argument to search a different
host.
-agent <value> Use this argument to specify the agent that you want to
configure. Enter an agent name as the value. Use this
argument with the -hostname argument to modify the
configuration setting from a remote host. You can also use
this argument with the -tail argument.
-tail Use this argument with the -agent argument to display an
agent’s activity log. Add the -hostname argument to display
the log file for an agent on a different host.
-portnumber <value> Use this argument with the -agent argument to specify an
agent’s TCP/IP port number.
-netsearch <value> Use this argument with the -agent argument to display all
agents installed on the system.
-confidencetest Use this argument to run a test to add, modify, search and
delete a request to the agent. This allows you to verify the
agent connection to the managed resource without the Tivoli
-codepages Display the codepages configured for the Agent.
-help Display the help menu for agentCfg.
3. Type agentCfg and one or more of the supported arguments at the prompt.
You must type agentCfg before every argument to run the agent configuration
tool.
Table 9. Arguments
This example lists all agents on the local host IP
address. Note that the default node for the Tivoli
Identity Manager Server is 44970.
Agent(s) installed on node ’127.0.0.1’
-----------------------
agentCfg tool which is used to view or modify the
Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP parameters.
192.9.200.7
address is 192.9.200.7. Note that the default node
for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP is 44970.
Agent(s) installed on node ’192.9.200.7’
------------------
-hostname 192.9.200.7
agentCfg tool for a host whose IP address is
192.9.200.7. Use the menu options to view or
modify the Tivoli Identity Manager Adapter for
SAP NetWeaver AS ABAP parameters.
Chapter 5. Certificate Installation
v “Introduction”
v “Overview of SSL and Digital Certificates”
v “Accessing the Certificate Configuration Tool Main Menu” on page 39
v “Generating a Private Key and Certificate Request” on page 41
v “Installing the Certificate from a File” o

IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

Text of IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

ABAP Objects - cdn.ttgtmedia.com · Bonn Boston Horst Keller, Sascha Krüger ABAP® Objects ABAP Programming in SAP NetWeaver™

SAP NetWeaver 7.0 - BI Systemcopy ABAP

SAP NetWeaver Application Server ABAP/Java on Oracle Cloud

SAP NetWeaver Application Server for ABAP 7a248.g.akamai.net/n/248/420835/3166e53effe53f1a2e175c89b3644d46d… · SAP NetWeaver Application Server for ABAP 7.5 ... Efficient programming

Sap netweaver as abap 7.4 overview and product highlights

SAP Certification Success Guide – ABAP With SAP NetWeaver 7.0

Identity Management with SAP NetWeaver IdM - · PDF fileIdentity Management with SAP NetWeaver IdM ... ABAP SAP XI ABAP Java SAP Java SAP HR ABAP SAP FI ABAP SAP Portal ... (HR/Org

SAP Certified Developtment Associate - ABAP With SAP NetWeaver 7.02 - Sappress_certified_developtment_associate_abap_netweaver

Sap Netweaver as Abap Administration Sample 77778

SAP NetWeaver Application Server ABAP/Java on ... - … · ABAP/Java on Oracle Cloud Infrastructure ... SAP NetWeaver Application Server ABAP/Java on Oracle Cloud Infrastructure

SAP Certified Development Associate - ABAP with SAP NetWeaver 7.40

SAP NetWeaver Upgrade Master Guide Application Development (ABAP) All areas that allow ABAP development on the SAP NetWeaver Application Server ABAP ... SAP NetWeaver Upgrade Master

SAP NetWeaver as ABAP 7.4 - Overview and Product Highlights

ABAP Objects - AWS · PDF fileBonn Boston Horst Keller, Sascha Krüger ABAP® Objects ABAP Programming in SAP NetWeaver™

Triggering NetWeaver BPM Process from ABAP...Triggering NetWeaver BPM Process from ABAP Applies to: NetWeaver CE 7.1.1 including Business Process Management, Process Composer, ECC

SAP Netweaver 7.0 - System Copy Procedures - ABAP+Java

SAP Netweaver ABAP Workbench

Curriculum Application Development SAP-ABAP · SAP Certiﬁed Deve-lopment Professional - ABAP with SAP NetWeaver 7.0 P_ABAP_70 SAP NetWeaver ABAP Programming Reports 10d SAPENGP60E

Abap Development for Sap Netweaver Bi - User Exits and Badis

Netweaver 7.0 SR3 abap java system copy guide

SAP NetWeaver AS ABAP 7.4 - Overview and Product Highlights.pdf

Abap Objects Abap Programming in Sap Netweaver 7.0

Tivoli Identity Manager - IBM · 2007-04-12 · Tivoli ® Identity Manager Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide Version 4.6 SC32-1194-11

SAP NetWeaver® Application Server ABAP/Java on Oracle ...€¦ · 2 | SAP NETWEAVER APPLICATION SERVER ABAP/JAVA ON ORACLE DATABASE EXADATA CLOUD SERVICE Disclaimer The following

SAP NetWeaver Application Server for ABAP 7.5 – Overview and

ABAP Development for SAP NetWeaver BW

Features of SAP NetWeaver AS ABAP 7.4

SAP NetWeaver 7.0 BI Upgrade Specifics for ABAP

System Copy Guide SAP Netweaver ABAP on UNIX

Security Target NetWeaver AS ABAP 7.02 SP6

Documents

IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

Text of IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration