Installing IdM User Interface UI

SAP NetWeaver® Identity Management

Identity Center

Installing and configuring the IdentityManagement User Interface

Version 7.1 Rev 14

© Copyright 2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the expresspermission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10,System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400,S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5,POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli andInformix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of AdobeSystems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registeredtrademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented andimplemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, WebIntelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respectivelogos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries.Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in thisdocument serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliatedcompanies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAPGroup shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Groupproducts and services are those that are set forth in the express warranty statements accompanying such products andservices, if any. Nothing herein should be construed as constituting an additional warranty.

i


Preface

The productSAP NetWeaver Identity Management Identity Center is a high-end identity managementsolution, capable of handling a large amount of repositories containing an unlimited amount ofinformation. The Identity Center offers a robust, flexible and scalable high-availability solutionfor workflow, provisioning, data synchronization and joining for a large number of datarepositories. The Identity Center provides a framework for a number of jobs.

The readerThis manual is written for people who are to use the Identity Center and the IdentityManagement User Interface.

PrerequisitesBefore you can install the Identity Management User Interface, make sure that the followingprerequisites are present:

SAP NetWeaver AS Java as of Release 7.0 SP14 or higher, or Enhancement Package 1 forSAP NetWeaver Composition Environment 7.1, must be correctly installed and licensed.

SAP NetWeaver Identity Management Identity Center version 7.1 SP2, or newer, correctlyinstalled and licensed.

Basic knowledge about the SAP NetWeaver AS Java and its tools.

When giving certain accesses to the Identity Management User Interface, basic knowledgeabout the Identity Center is required.

The manualThis tutorial describes how you install the Identity Management User Interface and perform theinitial configuration.

Related documentsYou can find useful information in the following documents:

SAP NetWeaver Identity Management Identity Center: Installation overview

SAP NetWeaver Identity Management Identity Center: Installing the Management Console

SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components

SAP NetWeaver Identity Management Identity Center: Installing the database (MicrosoftSQL Server/Oracle)

SAP NetWeaver Identity Management Identity Center: User management for the IdentityManagement User Interface

ii


SAP NetWeaver Identity Management Identity Center Implementation Guide: GeneratingReports using Crystal Reports.

For Visual Administrator seehttp://help.sap.com/saphelp_nw70/helpdata/EN/39/83682615cd4f8197d0612529f2165f/frameset.htm.

For SAP NetWeaver Administrator (NWA) seehttp://help.sap.com/saphelp_nw70/helpdata/EN/8f/106d42ab7fd142e10000000a1550b0/frameset.htm.

For Software Deployment Manager (SDM) seehttp://help.sap.com/saphelp_nw70/helpdata/EN/22/a7663bb3808c1fe10000000a114084/frameset.htm.

For deploying of applications on EHP 1 for SAP NetWeaver CE 7.1 seehttp://help.sap.com/saphelp_nwce10/helpdata/en/45/5821c52d251feee10000000a1553f7/frameset.htm.

For more information on SAP NetWeaver see http://help.sap.com.

http://help.sap.com/saphelp_nw70/helpdata/EN/39/83682615cd4f8197d0612529f2165f/frameset.htm


http://help.sap.com/saphelp_nw70/helpdata/EN/8f/106d42ab7fd142e10000000a1550b0/frameset.htm


http://help.sap.com/saphelp_nw70/helpdata/EN/22/a7663bb3808c1fe10000000a114084/frameset.htm


http://help.sap.com/saphelp_nwce10/helpdata/en/45/5821c52d251feee10000000a1553f7/frameset.htm

http://help.sap.com/saphelp_nwce10/helpdata/en/45/5821c52d251feee10000000a1553f7/frameset.htm

http://help.sap.com/

iii


Table of contentsIntroduction .................................................................................................................................. 1Defining the JDBC connection for the JMX layer....................................................................... 2

SAP NetWeaver AS Java as of Release 7.0 ...........................................................................................2EHP 1 for SAP NetWeaver CE 7.1......................................................................................................10

Deploying the Identity Management User Interface.................................................................. 25SAP NetWeaver AS Java as of Release 7.0 .........................................................................................25EHP 1 for SAP NetWeaver CE 7.1......................................................................................................27

Upgrading the Identity Management User Interface ................................................................ 28Deploying on an existing SAP NetWeaver AS Java installation................................................ 29Configuring the JMX layer......................................................................................................... 30

SAP NetWeaver AS Java as of Release 7.0 .........................................................................................30EHP 1 for SAP NetWeaver CE 7.1......................................................................................................33

Initial configuration .................................................................................................................... 38Adding user to the identity store..........................................................................................................38General access ("Self Services" tab)....................................................................................................40Access to Monitoring ("Monitoring" tab) ............................................................................................47Configuring the language settings for the Identity Management User Interface....................................48Accessing the Identity Management User Interface .............................................................................48Access to "To Do", "Manage", "View Reports" and "History" tabs......................................................50

Integrating Identity Management User Interface in the SAP NetWeaver Portal .................... 57Importing predefined contents for the SAP NetWeaver Portal .............................................................57Verifying the Portal integration of the Identity Management User Interface.........................................57

iv


1IntroductionSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


IntroductionThis document describes how to install and configure the Identity Management User Interface.When installing and configuring the User Interface you need to complete the following steps:

Define the JDBC connection for the JMX layer

Deploy the Identity Management User Interface

Configure the JMX layer

Perform the initial configuration

Integrate the User Interface in the SAP NetWeaver Portal

2Defining the JDBC connection for the JMX layer

SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


Defining the JDBC connection for the JMX layerIn order to be able to retrieve data from the identity store, the JMX Layer of the IdentityManagement User Interface needs a JDBC data source pointing to the Identity Center database.

Before creating the JDBC data source, make sure that a database driver is installed.

Note:If operating with multiple Java nodes the driver needs to be installed on all these.

The procedure will be different, depending on what database system you are using. There areseparate sections for each database system.

The procedure is also different, depending on your version of SAP NetWeaver:

SAP NetWeaver AS Java as of Release 7.0

Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1

SAP NetWeaver AS Java as of Release 7.0To set up the connection for SAP NetWeaver AS Java 7.0 use Visual Administrator.

Start and login to the Visual Administrator (the J2EE Engine administration tool):

1. To start the Visual Administrator, run\usr\sap\<System ID>\<INSTANCE_NAME>\j2ee\admin\go.bat (e.g.C:\usr\sap\F21\JC30\j2ee\admin\go.bat) on Microsoft Windows(/usr/sap/<System ID>/<INSTANCE_NAME>/j2ee/admin/go on Unix).

The SAP J2EE Engine – Administration screen with the "Connect to SAP J2EE Engine"dialog box will appear:

2. To connect choose "Connect" to use the Default login.


3Defining the JDBC connection for the JMX layerSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


3. Enter the password for the Administrator user of the SAP J2EE engine and choose"Connect".

This completes the login to Visual Administrator.

Microsoft SQL ServerInstalling the driver

1. In Visual Administrator, select Server\Services\JDBC Connector in the "Cluster" tab.

2. Select "Drivers" in the "Runtime" tab.

3. Choose to create new driver.

4. Give the driver a logical name, SQL2005 for instance, and choose "Ok".

5. Locate the driver – select sqljdbc.jar file (installed with the SQL 2005 JDBC driver).

6. Choose "OK".

This has defined the SQL2005 driver on the server.

Note:On the server, verify that the file exists in the location\usr\sap\<System ID>\<INSTANCE_NAME>\j2ee\cluster\server0\bin\ext\<name of the driver>(e.g. C:\usr\sap\F21\JC30\j2ee\cluster\server0\bin\ext\SQL2005). Sometimes an empty file iscreated. If this is the case, copy the file manually into the location then restart the server.

Adding the Identity Center database as a data sourceThe driver is uploaded and we can now create the data source:


2. Select "DataSources" in the "Runtime" tab.

3. Choose to define new data source.




4. In the "Main" tab, fill in the following:

NameName the data source "IDM_DataSource" (must be in this exact casing).

Driver NameSelect the created driver in the "Driver Name" field (in this example "SQL2005").

JDBC VersionMake sure that the 1.x JDBC version is selected.

Driver ClassFill in the driver class com.microsoft.sqlserver.jdbc.SQLServerDriver (for MSSQL 2005).

Database URLProvide the correct database URL, e.g. jdbc:sqlserver://<host>;database=<databaseprefix>_db (for example jdbc:sqlserver://trd90500010.example.com;database=mxmc_db).

Note:Port for a non-default JDBC connection is a part of the JDBC URL, e.g.jdbc:sqlserver://<host>:<port>;database=<database prefix>_db.

Provide the credentials:

UserProvisioning user in the "User" field, e.g. <database prefix>_prov (for examplemxmc_prov).

PasswordPassword of the provisioning user in the "Password" field.



5. Select the "Additional" tab and fill in the following:

Default Connection IsolationIn the "Default Connection Isolation" field select"TRANSACTION_READ_COMMITTED".

SQL EngineSelect "Native SQL" as SQL engine.

6. Choose to save the changes and create the data source.




7. If the service (the created data source) is not started:

Select the created data source.

8. Choose to start the data source.

OracleInstalling the driver


2. Select "Drivers" in the "Runtime" tab.

3. Choose to create new driver.

4. Give the driver a logical name, "ORACLE" for instance, and choose "Ok".

5. Locate the driver (ojdbc14.jar) and select it.

6. Choose "OK".

This has defined the Oracle driver on the server.



Note:Verify that the file exists in the location\usr\sap\<SID>\<INSTANCE_NAME>\j2ee\cluster\server0\bin\ext\<name of the driver> (e.g.C:\usr\sap\F21\JC30\j2ee\cluster\server0\bin\ext\ORACLE). Sometimes an empty file iscreated. If this is the case, copy the file manually into the location then restart the server.

Adding the Identity Center database as a data sourceThe driver is uploaded and we can now create the data source:


2. Select "DataSources" in the "Runtime" tab.

3. Choose to define new data source.

4. In the "Main" tab, fill in the following:

NameName the data source "IDM_DataSource" (must be in this exact casing).

Driver NameSelect the created driver in the "Driver Name" field (in this example "ORACLE").

JDBC VersionMake sure that the 1.x JDBC version is selected.




Driver ClassFill in the driver class oracle.jdbc.driver.OracleDriver.

Database URLProvide the correct database URL, e.g. jdbc:oracle:thin:@<host>:<port>:<database SID>(for example jdbc:oracle:thin:@10.55.165.63:1521:orcl).


UserProvisioning user in the "User" field, e.g. <database prefix>_prov (for examplemxmc_prov).


5. Select the "Additional" tab.

Fill in the following:

Default Connection IsolationIn the "Default Connection Isolation" field select"TRANSACTION_READ_COMMITTED".

SQL EngineSelect "Vendor SQL" as SQL engine.

6. Choose to save the changes and create the data source.

7. If not started, select the created data source and choose to start it.



Updating the data source (both Microsoft SQL Server and Oracle)If you need to update the data source information (e.g. changes in server, database, passwordetc), do the following:


2. Select "DataSources" in the "Runtime" tab, and navigate to the data source you need toupdate.

3. Update the data and choose to save the changes in the data source. The followingwarning will appear:

4. Choose "Yes" to confirm and save the changes.

After updating, the server needs to be restarted – the application must be stopped and startedagain. Do the following:

5. Select Server\Services\Deploy in the "Cluster" tab.

6. In the bottom of the "Runtime" tab select "Application" (the radio button).

7. Select "sap.com/tc~idm~jmx~app" in the list of the deployed components, and then choose"Stop Application" from the menu on the right.




8. Choose "OK" to confirm.

9. Now choose "Start Application" from the menu on the right to restart the application, andchoose "OK" to confirm.

The server is now restarted and ready to use.

EHP 1 for SAP NetWeaver CE 7.1To set up the connection for Enhancement package 1 for SAP NetWeaver CompositionEnvironment 7.1 use SAP NetWeaver Administrator (NWA).

To access the NWA do the following:

1. Enter http://<host>:<port> in your browser, which will take you to your index page:




2. Then select SAP NetWeaver Administrator. Or you can just enter http://<host>:<port>/nwain your browser. Both procedures will display the login page for the NWA.

Enter the credentials, the correct user ID and the password.

3. Choose "Log On".




4. Select the "Configuration Management" tab and then the "Infrastructure" sub-tab.



5. Select "Application Resources".




Microsoft SQL ServerInstalling the driver

To install the driver for the Microsoft SQL Server, do the following:

1. In Application Resources, choose "Create New Resource".

2. Select "Deploy New JDBC Driver".

Give the driver a logical name, SQL2005 for instance (in the "JDBC Driver Name" field).



3. Choose "Add New Driver File".

Locate the driver – select sqljdbc.jar file (installed with the SQL 2005 JDBC driver).

4. Choose "OK".

The file is added in the "File Name" section.

5. Choose "Save" to save and create the driver.




6. An information dialog box appears confirming that the new driver is created successfully.Choose "Close" to close the dialog box.

The driver is now created and added to the list of JDBC drivers.



Adding the Identity Center database as a data source

To create the data source, do the following:


2. Select "New JDBC Custom DataSource".

3. In the "Settings" tab, do the following:




Data Source NameName the data source "IDM_DataSource". If you choose to name the data sourcedifferently, then you must create alias "IDM_DataSource" (must be in this exact casing) forthe data source. To do this select the "JDBC Data Source Aliases" tab, choose "Add NewAlias" and enter "IDM_DataSource". You can then return to the "Settings" tab.

Driver NameSelect the created driver in the "Driver Name" field (in this example "SQL2005").

SQL EngineSelect "Native SQL" as SQL engine.

Isolation LevelSelect "Transaction Read Commited".

JDBC VersionMake sure that the 1.x JDBC version is selected – 1x (without XA support).

Driver Class NameFill in the driver class com.microsoft.sqlserver.jdbc.SQLServerDriver (for MSSQL 2005).

Database URLProvide the correct database URL, e.g. jdbc:sqlserver://<host>;database=<databaseprefix>_db (for example jdbc:sqlserver://trd90500010.example.com;database=mxmc_db).

Note:Port for a non-default JDBC connection is a part of the JDBC URL, e.g.jdbc:sqlserver://<host>:<port>;database=<database prefix>_db.


User NameProvisioning user, <database prefix>_prov (for example mxmc_prov).


4. Choose "Save".

5. An information dialog box appears confirming that the new data source is createdsuccessfully. Choose "Close" to close the dialog box.



OracleInstalling the driver

To install the driver, do the following:

1. In Application Resources choose "Create New Resource", and then select "Deploy NewJDBC Driver".

2. Give the driver a logical name, "ORACLE" for instance.

3. Choose "Add New Driver File".

4. Locate the driver (ojdbc14.jar) and select it.




5. Choose "OK".

The file is added in the "File Name" section.

6. Choose "Save" to save and create the driver.

7. An information dialog box appears confirming that the new driver is created successfully.Choose "Close" to close the dialog box.

The driver is now created and added to the list of JDBC drivers.



Adding the Identity Center database as a data source

To create the data source, do the following:


2. Select "New JDBC Custom DataSource".

3. In the "Settings" tab, do the following:




Data Source NameName the data source "IDM_DataSource". If you choose to name the data sourcedifferently, then you must create alias "IDM_DataSource" (must be in this exact casing) forthe data source. To do this select the "JDBC Data Source Aliases" tab, choose "Add NewAlias" and enter "IDM_DataSource". You can then return to the "Settings" tab.

Driver NameSelect the created driver in the "Driver Name" field (in this example "ORACLE").

SQL EngineSelect "Vendor SQL" as SQL engine.

Isolation LevelSelect "Transaction Read Commited".

JDBC VersionMake sure that the 1.x JDBC version is selected – 1x (without XA support).

Driver Class NameFill in the driver class oracle.jdbc.driver.OracleDriver.

Database URLProvide the correct database URL, e.g. jdbc:oracle:thin:@<host>:<port>:<database SID>(for example jdbc:oracle:thin:@10.55.165.63:1521:orcl).


User NameProvisioning user, <database prefix>_prov (for example mxmc_prov).


4. Choose "Save".

5. An information dialog box appears confirming that the new data source is createdsuccessfully. Choose "Close" to close the dialog box.



Updating the data source (both Microsoft SQL Server and Oracle)If you need to update the data source information (e.g. changes in server, database, passwordetc), do the following:

1. In the NetWeaver Administrator, go to ConfigurationManagement/Infrastructure/Application Resources.




2. Select "JDBC Custom DataSources" in the "Show" field to list all created data sources:

Find and select the data source you need to update. This will display the resource details inthe "Resource Details" section (below the "Resource List" section).

3. Update the data and choose "Save" to save the changes.

4. An information dialog box appears confirming that the data source has been savedsuccessfully. Choose "Close" to close the dialog box.

25Deploying the Identity Management User InterfaceSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


Deploying the Identity Management User InterfaceThe deployment procedure is different, depending on your version of SAP NetWeaver:

SAP NetWeaver AS Java as of Release 7.0

Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1

Start by downloading the .SCA file (the Identity Management User Interface) which is to bedeployed:

1. Navigate to the download area of SAP NetWeaver Identity Management 7.1 on SAPService Marketplace (SMP) and download the .SCA file (Identity Management UserInterface).

Note:For deploying of the User Interface on AS Java 7.0, download the .SCA file stored underNW IDM IC UIS 7.00\OSINDEP. For deploying of the User Interface on the SAP NW 7.1(EHP 1 for SAP NW CE 7.1), download the .SCA file stored underNW IDM IC UIS 7.10\OSINDEP.

2. If necessary unpack the file.

The .SCA file is now ready to be deployed.

SAP NetWeaver AS Java as of Release 7.0You deploy the Identity Management User Interface from SDM (Software DeploymentManager):

1. Start SDM by executing the following script file in theusr\sap\<System ID>\<INSTANCE_NAME>\SDM\program directory (e.g.C:\usr\sap\F21\JC30\SDM\program): RemoteGui.bat for Microsoft Windows hosts orRemoteGui.sh for Unix hosts.

2. Connect to the SDM server – choose to open a connection dialog box and enter theSDM server password, hostname and port before choosing "Login".

Note:The following convention applies for the port: 5<J2EEinstance_number>18. For example,if your J2EE instance number is 15, the port is 51518. The SDM Server accepts only oneuser at a time. If somebody has already connected to it, you will receive an error message.



26Deploying the Identity Management User Interface



3. Select the "Deployment" tab.

4. Choose , navigate to and select the downloaded .SCA file for AS Java 7.0.

27Deploying the Identity Management User InterfaceSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


5. Choose the "Choose" button to close the dialog box and add the .SCA file for thedeployment.

6. Choose the "Next" button twice.

7. Finally choose "Start Deployment". The deployment information and status are displayed inthe pane.

8. When installed, choose "Confirm" and close the SDM application (choose to exit).

The Identity Management User Interface is now deployed.

EHP 1 for SAP NetWeaver CE 7.1The SAP NetWeaver 7.1 uses a server side Deploy Controller to manage the IdentityManagement User Interface deployment.

The Deploy Controller enables client applications to use APIs to enable deployment of softwarecomponents on the AS Java server process.

For more information, see the deployment documentation in the SAP NetWeaver CEdeveloper's guide found on the Help Portal (http://help.sap.com) under SAP NetWeaver SAP NetWeaver CE Development Developer's Guide in SAP Library.

Note:For deploying of the User Interface on the SAP NW 7.1 (EHP 1 for SAP NW CE 7.1), use the.SCA file downloaded from the SMP download area of SAP NetWeaver Identity Management7.1, under NW IDM IC UIS 7.10\OSINDEP.

http://help.sap.com/

28Upgrading the Identity Management User Interface



Upgrading the Identity Management User InterfaceAn upgrade is performed by deploying the Identity Management User Interface as described onpage 25.

29Deploying on an existing SAP NetWeaver AS Java installationSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


Deploying on an existing SAP NetWeaver AS Java installationIf you wish to run the Identity Management User Interface on a previously installed and alreadyin use SAP NetWeaver AS Java, you need to make sure that the required environment is inplace. Deploying on an existing SAP NetWeaver AS Java is done using the same procedures aswhen installing the Identity Management User Interface.

1. Verify that the JDBC driver for your database system is present. If necessary, add the JDBCdriver as described on page 2.

2. Add the Identity Center database as a data source as described on page 2.

3. Download the .SCA file from the download area of SAP NetWeaver Identity Management7.1 on SAP Service Marketplace (for AS Java 7.0 download the .SCA file stored underNW IDM IC UIS 7.00\OSINDEP, while for EHP 1 for SAP NW CE 7.1 download the.SCA file stored under NW IDM IC UIS 7.10\OSINDEP) and unpack if necessary.

4. Deploy the Identity Management User Interface as described on page 25.

30Configuring the JMX layer



Configuring the JMX layerThis section shows how to change the settings, like configuring the cache, defining whichidentity store you are working on and configuring the encryption key-file.

The procedure is different depending on your version of SAP NetWeaver.

SAP NetWeaver AS Java as of Release 7.0To alter the configuration, you do the following:

1. Start the Visual Administrator.

2. Select the "Cluster" tab.

3. Go to Server\Services\Configuration Adapter.

4. In the right pane, go to apps\sap.com\tc~idm~jmx~app\appcfg and open

Propertysheet application.global.properties. Use , or just double-click, to open andview.

com.sap.idm.jmx.cache.ttlThis is time-to-live for the elements in the cache. Set to 60 minutes by default.

Note:The cache property set to 60 minutes is recommended for the production systems. Toachieve more reactive system behaviour in a development/test system, set the value to 1 or 2minutes.

com.sap.idm.jmx.crypt.keyfileA file holding the 3DES keys, i.e. the keys.ini file. See the SAP NetWeaver IdentityManagement Security Guide for details.

31Configuring the JMX layerSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


com.sap.idm.jmx.idstoreidIdentifier of the IDStore to log into.

Close Propertysheet application.global.properties by choosing "OK".

5. To make changes to the configuration you need to enter the edit mode. To switch between

view and edit mode choose . A dialog box will appear warning you that you are about toswitch to edit mode:

Choose "Yes".

6. When in edit mode, open Propertysheet application.global.properties either by choosing

or by double-clicking.

7. Select and open the property you wish to edit and change, e.g. com.sap.idm.jmx.idstoreid. A"Change property entry" dialog box opens:

Enter the correct value into the "Custom" field.




8. Choose "Apply custom".

The new value is now inserted into the configuration.

9. Choose "OK" to apply changes.



EHP 1 for SAP NetWeaver CE 7.1To alter the configuration, do the following:

1. In the NWA, go to Configuration Management/Infrastructure.




2. Select "Java System Properties" (on the bottom of the list to the right).



3. Select the "Applications" tab in the "Details" section.

4. Find and select the "tc~idm~jmx~app". In the "Extended Details" section, you can see thefollowing properties:

com.sap.idm.jmx.cache.ttlThis is time-to-live for the elements in the cache. Set to 60 minutes by default.

Note:The cache property set to 60 minutes is recommended for the production systems. Toachieve more reactive system behaviour in a development/test system, set the value to 1 or 2minutes.

com.sap.idm.jmx.crypt.keyfileA file holding the 3DES keys, i.e. the keys.ini file. See the SAP NetWeaver IdentityManagement Security Guide for details.

com.sap.idm.jmx.idstoreidIdentifier of the IDStore to log into.




5. To make changes to the configuration, select the property you wish to edit and change (e.g.com.sap.idm.jmx.idstoreid), and choose "Modify".

6. Enter the custom value and choose "Set" to change it.



The new value is now inserted:

7. Choose "Save As" to confirm the change.

38Initial configuration



Initial configurationAuthentication of the users logging on to the Identity Management User Interface is done by theUser Management Engine (UME). The Identity Management User Interface contains thefollowing tabs:

Self Services: giving general access (access to the self service tasks).

To Do: for handling of approvals.

Manage: for search and managing of entries.

View Reports: for viewing of the generated reports.

History: providing the status and history of the tasks executed.

Monitoring: for system monitoring purposes.

What parts of the Identity Management User Interface are available depends on which UMEactions are assigned to the user. The UME action sap.com_tc~idm~jmx~ump.idm_authenticatedgives general access to the application and enables the tab "Self Services".

Before running the User Interface a role needs to be created, giving any authenticated user ageneral access to the Identity Management User Interface. To do so, you must have a user thathas a permission to create and assign roles when logged-on the UME.

For details, see SAP NetWeaver Identity Management Security Guide.

Adding user to the identity storeTo be able to use the tabs "Self Services", "To Do", "Manage", "View Reports" and "History" inthe Identity Management User Interface, the user must be defined in both UME and in theIdentity Center's identity store. This is not necessary for access to the "Monitoring" tab, i.e. it issufficient that the user exists in UME.

The link between the users is the UME "User ID" and the user's MSKEYVALUE in the identitystore. These must match (casing is ignored). Whether this user is created in the Identity Centerbefore or after the role creation is not of importance.

Note:Any user can be added using the below described procedure. However, typically only adminusers (and/or some test users) are created this way (manually) to get started, while end-usersusually are imported and synchronized using for instance SAP provisioning framework or,independently of the SAP provisioning framework, as described in document SAP NetWeaverIdentity Management Identity Center User management for the Identity Management UserInterface.

39Initial configurationSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


To create an admin user (user with manager privileges) in the Identity Center's identity store, dothe following:

1. In the Identity Center, select the identity store in the console tree and view the identity storeproperties.

2. Select the "General" tab and choose "Add user…".

This will open "Add Identity store user" dialog box.

Enter user name and password for the user.

Select "Add manager privileges" to give access to "To Do" "Manage", "View Reports" and"History" tabs in the User Interface. See section Access to "To Do", "Manage", "ViewReports" and "History" tabs on page 50 for more.

3. Choose "OK" to close the dialog box and create user.




General access ("Self Services" tab)Self service tasks, where users can change its own user data, request the role etc, can beaccessed from the "Self Services" tab. To create a role that gives access to "Self Services" tab,do the following:

1. Enter http://<host>:<port>/index.html in your browser. This will open the SAP J2EEEngine Start Page:



2. Select "User Management", which starts the user management administration console forthe User Management Engine (UME).

3. Provide your UME credentials and choose "Log on":




4. Change search criteria to "Role", and then choose "Create Role":

In the "General Information" tab fill in the following:

Unique NameGive the role a describing name. The name "idm.authenticated" is used as example, but anyname can be used.

DescriptionShort description of the role can be added as well. This is not a mandatory field.



5. Select the "Assigned Actions" tab.

In the left pane (Available Actions):

Type "Idm" in the field "Get" and choose "Go". This will list the actions/access rights it ispossible to link to the role.




6. Select the "idm_authenticated" action and choose "Add".

The "idm_authenticated" action is now assigned to the role and this will be shown in theright pane (Assigned Actions).



7. Select the "Assigned Groups" tab:

In the "Available Groups" pane, choose "Go" to list all available groups.




8. Select the "Authenticated Users" group and choose "Add".

The "Authenticated Users" group is now given the role and this will be shown in the rightpane (Assigned Groups).

Assigning the "idm.authenticated" role to a user group is just one of several ways to givegeneral access to the User Interface. If only some of the users need access to the UserInterface, access can be given by assigning the role directly to those users.



9. Choose "Save" to confirm and create the new role, which will give a general access to theUser Interface to every authenticated user. The just created role will be displayed in the listof the roles available:

Now that the role is created, you are able to access the Identity Management User Interface.

Access to Monitoring ("Monitoring" tab)It is also possible to give access to the "Monitoring" tab to those who need it. A monitoring rolecan be created and actions "idm_monitoring_support" (giving read only access to Monitoring)or "idm_monitoring_administration" (giving read and write access to Monitoring) can beassigned by following the same procedure as for "idm_authenticated" giving access to "SelfServices" tab described on page 40. Assign the created monitoring role to "Administrators"group or a specific user who needs access to "Monitoring" tab in the User Interface.




Configuring the language settings for the IdentityManagement User InterfaceThe language settings for the Identity Management User Interface are determined by thelanguage settings for user in User Management Engine (UME):

1. Logon to UME and search for the user you want to configure the language settings for.

2. Select the user from the search list and choose "Modify" in the details pane below the list.This will open the entry detail information for editing.

3. Choose the "General Information" tab.

4. Select a language from the list in the "Language" field and choose "Save".

The language settings are now configured. The change will take effect after the next logon.

Accessing the Identity Management User InterfaceTo access the User Interface do the following:

1. Enter http://<host>:<port>/idm in your browser.

Provide the credentials in the log-in window.



2. Choose "Log on".

You are now logged on to the User Interface. The image above shows the logged-in user withaccess to only "Self Services" tab.

If the logged-in user also has access to the "Monitoring" tab, the User Interface will look likethis:




Access to "To Do", "Manage", "View Reports" and"History" tabsAccess to the other tabs in the Identity Management User Interface is controlled by assigningprivileges in the Identity Center's identity store to the person entries:

MX_PRIV:WD:TAB_TODO gives access to the "To Do" tab. In this tab, the approvals canbe handled.

MX_PRIV:WD:TAB_MANAGE gives access to the "Manage" tab. From this tab, the useris able to search for entries in the identity store and perform tasks on (manage) these. Whichtasks are available is controlled by the access control defined on each task.

MX_PRIV:WD:TAB_REPORT gives access to the "View Reports" tab. In this tab, thegenerated reports can be viewed. For more on reports, see SAP NetWeaver IdentityManagement Identity Center Implementation Guide Generating Reports using CrystalReports.

MX_PRIV:WD:TAB_HISTORY gives access to the "History" tab. This tab provides thestatus and history of the tasks executed on own entry (self service tasks), on other entries(tasks available from the "Manage" tab) and the approvals.



In section Adding user to the identity store on page 38, the manager privileges(MX_PRIV:WD:TAB_TODO, MX_PRIV:WD:TAB_MANAGE,MX_PRIV:WD:TAB_REPORT and MX_PRIV:WD:TAB_HISTORY) are given the adminuser by selecting "Add manager privileges" when adding the user to the identity store. But theseprivileges can be assigned to users in several ways, for instance by creating a self service taskfor privilege assignment. This can be done in the following way:

1. In the Identity Center, select the identity store and choose New/Folder… from the contextmenu to create a new folder.

Rename the folder to "IdM UI".




2. Select the folder and choose New/Unordered task group from the context menu.

Rename the task to "Assign privilege".

3. Select the "Attributes" tab:

Entry typeSelect "MX_PERSON" entry type. Choose "…" to open a dialog box from which you selectthe entry type.



Note:A dialog box will appear asking you to confirm your choice. Choose "Yes" to confirm and toclose the dialog box.

Task attributesThe attributes MSKEYVALUE and DISPLAYNAME are already selected. Select the attribute"MXREF_MX_PRIVILEGE". Use "Up" or "Down" to list the selected attributes in thesame order as shown above.

4. Choose "Apply".

5. Select the "Access control" tab.

6. Choose "Add…" and fill in the following:




Allow access forSelect "Logged-in user or identity store entry".

ID storeSelect the correct identity store. In this example "Enterprise People" is used.

NameLeaving this field empty will make the task accessible to everyone. Name is entered whenrestricting the access to the task (e.g. enter Administrator name to give access to this taskonly to the "Administrator" user).

On behalf ofThere are two ways of creating a self service task. You either select "User or identity storeentity" or "Relation - Self". Both ways are legitimate.

7. Choose "OK".

8. Choose "Apply".



Now the self service task is created and is visible in the "Self Services" tab of the UserInterface:

To assign privileges and give access to the tabs "To Do", "Manage", "View Reports" and"History", do the following:

1. Select the task.

The task will open in a new window.

Note:If you are using Internet Explorer 7, you can open the task in a new tab instead of the newwindow. To enable this option in your browser, choose Tools/Internet Options…, and in theTabs section of the "General" tab choose "Settings" where you select the option "Alwaysopen pop-ups in a new tab".




2. Choose "Search" on the left side of the pane (under Available) to list available privileges:

Select the desired privileges (multi-select is possible).

3. Choose "Add".

4. Choose "Save" and close the task.

The privileges are now added and the tabs should be visible in the User Interface.

Note:You will need to choose the "Refresh" button before the tabs are visible.

57Integrating Identity Management User Interface in the SAP NetWeaver PortalSAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface


Integrating Identity Management User Interface in the SAPNetWeaver Portal

You can integrate the Identity Management User Interface in the SAP NetWeaver Portal. Beforeit can be integrated in the SAP NetWeaver Portal, the Identity Management User Interfaceshould be installed and configured locally on the SAP NetWeaver Portal, as described in thisdocument.

You need to perform the following configuration in the SAP NetWeaver Portal:

Import the predefined content for the SAP NetWeaver Portal.

Check the Portal integration of the Identity Management User Interface.

Importing predefined contents for the SAP NetWeaverPortalTo import the contents to the Portal, do the following:

1. Log on to the Portal as system administrator.

2. Select the "System Administration" tab and its sub-tab "Transport", and then navigate toTransport Packages/Import.

3. Import the .EPA archive (role, worksets, iViews). The .EPA archive is provided in the"Misc" subdirectory in the installation kit for the Designtime Components.

Verifying the Portal integration of the IdentityManagement User InterfaceTo verify the Portal integration, do the following:

1. Log on to the SAP NetWeaver Portal with your admin user (that also exists in the identitystore you would like to access through the Portal).

2. Select the "Identity Management" tab in the Portal and verify that you have the access to theUser Interface and its contents.

Note:In order for this to work, you must have configured the Identity Management User Interfacecorrectly, giving at least a general access to the User Interface to users, as described onpage 38.

58Integrating Identity Management User Interface in the SAP NetWeaver Portal



If everything is done correctly, the contents of the Identity Management User Interface will bepresented under the "Identity Management" tab in the SAP NetWeaver Portal. The content willbe something similar to the one shown below:

Documents

Installing IdM User Interface UI