SAP NetWeaver® Identity Management

Configuration Guide - VDS-UME Integration

Version 7.2 Rev 1


© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Preface

The product

The SAP NetWeaver Identity Management VDS-UME Integration consists of a set of configuration templates for the Virtual Directory Server and the User Management Engine. With this solution, the Virtual Directory Server of SAP NetWeaver Identity Management acts as a back-end for the User Management Engine, exposing the Identity Center's identity store, so that the User Management Engine can view, create, delete and modify users and groups in the identity store.

The reader

This manual is intended for people who are to perform the VDS-UME integration.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge:

Knowledge of the Identity Center.

Knowledge of the Virtual Directory Server.

Basic knowledge of the SAP NetWeaver AS Java and its tools.

In addition, the following must be in place:

SAP NetWeaver Identity Management Virtual Directory Server 7.2 is correctly installed and licensed.

SAP NetWeaver Identity Management Identity Center 7.2 is correctly installed and licensed.

SAP NetWeaver AS Java as of Release 7.0 SP14 or higher, Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1, or SAP NetWeaver Composition Environment 7.2 is correctly installed and licensed.

The manual

This document describes how you use the configuration templates to configure the Virtual Directory Server and the User Management Engine and complete the VDS-UME integration.

Related documents

You can find useful information in the following documents:

The tutorials for the Identity Center.

The tutorials for the Virtual Directory Server.

The relevant documentation for SAP NetWeaver AS Java and its tools (UME).


Table of contents

Introduction ... 1
The configuration process ... 1
Adding the Virtual Directory Server configuration ... 2
Starting the server ... 5
Testing the configuration ... 6
Configuring the data source in User Management Engine ... 9
Uploading the data source configuration template file ... 11
Configuring the LDAP server data ... 13
Performing a search ... 15


Introduction

This document describes the steps needed to integrate the Virtual Directory Server (VDS) of SAP NetWeaver Identity Management with the User Management Engine (UME). It shows how to add the configuration to the Virtual Directory Server and adapt it, and how to configure the data source in the User Management Engine.

Both the configuration in the Virtual Directory Server and the data source configuration in the User Management Engine are based on templates. When implementing a solution, the templates can be extended or modified.

This document describes the integration scenario where the User Management Engine is the leading provisioning system. It provisions to multiple target systems controlled by SAP NetWeaver Identity Management by sending requests via the Virtual Directory Server, which is used as a back-end for UME exposing the identity store.

The components of SAP NetWeaver Identity Management are used in the following way:

The Virtual Directory Server:

Back-end for the User Management Engine, exposing the Identity Center's identity store.

Handles all connections to and from UME.

The Identity Center:

Contains the workflow tasks and the jobs that drive the provisioning.

Communicates with the Virtual Directory Server (VDS) using the LDAP protocol.

The configuration process

The configuration process described in this document consists of:

Creating a configuration in the Virtual Directory Server based on a template.

Configuring the data source in the User Management Engine using a template.


Adding the Virtual Directory Server configuration

The first step is to create the server configuration in the Virtual Directory Server. The Virtual Directory Server ships with a template that is used to create this configuration.

To create the configuration:

1. Choose File/New… to open the "New configuration" dialog box.

Select "SAP NetWeaver" in the "Group" list. Select "Idm VDS UME 72.xml" in the "Template" list.


2. Choose "OK".

Fill in the following values:

Port
Enter the port number on which the Virtual Directory Server will listen (when deployed as an LDAP server).

It is recommended to test and verify the configuration (especially if additional tailoring of the template is done) using an LDAP client before using it together with the Identity Center.

Display name
Enter the display name for the data source, i.e. the identity store. The default name is "IC Identity store".

Identity Center URL
Enter the connection string to the Identity Center database. It is recommended that you use the JDBC URL wizard. Use the runtime user of the Identity Center database, <prefix>_rt, not the administrative user: the Virtual Directory Server needs no more database rights than the runtime user has.

Identity Store ID
Enter the ID of the identity store that will be exposed. The template supports only one identity store, but this can be extended in the configuration.


Path to Keys.ini
Enter the path to the Keys.ini file, located in <Identity Center install directory>\Key by default. This file holds the keys with which sensitive attribute values in the identity store are encrypted, so restrict read access to it to the account the Virtual Directory Server runs under.

Note:
The user credentials for logging on to the Virtual Directory Server are not displayed in the template. In the template they default to ume (user) / ume (password). Change them in the configuration before the listener is reachable from anything other than your test client.

3. Choose "OK".

Enter a name for the new configuration (for instance, UmeVdsIntegration.xml) and save the configuration.

The expanded virtual tree is then displayed in the configuration window.


Starting the server

The server can now be started and checked for a clean start:

1. Display the operation log (choose the "Operation" button).

2. Start the server. If the run-time environment is correct, the Virtual Directory Server starts listening on the configured port.

Verify in the operation log that the server has started.

Some typical errors:

The JDBC driver for Microsoft SQL Server is not in the class path of the Virtual Directory Server. See the help file of the Virtual Directory Server for information about how to extend and configure the class path.

The selected port is occupied. It can be changed in the properties of Deployments\LDAP deployments\main_listener.
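A pre-flight check for the two typical errors listed above, as an added example in Python (not code from the SAP guide or product). It checks whether the configured listener port can still be bound and whether a class path entry actually contains the JDBC driver class. Assumptions: the driver is the standard Microsoft SQL Server JDBC driver, whose class is com.microsoft.sqlserver.jdbc.SQLServerDriver; the class path entries and the port are supplied by the caller. The demo() function builds a constructed scenario (an occupied port and a minimal jar containing only the driver class entry) so the checks can be exercised without a VDS installation.

```python
"""Pre-flight checks for the two typical VDS start-up errors named in the guide:
a listener port that is already occupied, and a JDBC driver missing from the
class path.  Example code, not part of SAP's product."""
import os
import socket
import zipfile

# Class registered by the Microsoft SQL Server JDBC driver (assumption: the
# standard Microsoft driver jar layout; pass another class for other drivers).
MSSQL_DRIVER_CLASS = "com.microsoft.sqlserver.jdbc.SQLServerDriver"


def port_is_free(port, host=""):
    """Return True if a listener could bind host:port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def jdbc_driver_on_classpath(classpath, driver_class=MSSQL_DRIVER_CLASS):
    """Return the class path entry (jar file or directory) that contains
    driver_class, or None if no entry does."""
    rel = driver_class.replace(".", "/") + ".class"
    for entry in classpath:
        if os.path.isdir(entry):
            if os.path.isfile(os.path.join(entry, rel)):
                return entry
        elif zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as jar:
                if rel in jar.namelist():
                    return entry
    return None


def preflight(port, classpath, host="", driver_class=MSSQL_DRIVER_CLASS):
    """Collect the problems that would stop the VDS listener from coming up."""
    problems = []
    if not port_is_free(port, host):
        problems.append("port %d is already in use" % port)
    if jdbc_driver_on_classpath(classpath, driver_class) is None:
        problems.append("JDBC driver %s not found on class path" % driver_class)
    return problems


def demo():
    """Constructed scenario (not a real installation): occupy a port and build
    a jar holding only the driver class entry, then run the checks against
    both a good and a bad setup."""
    import tempfile
    occupied = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    occupied.bind(("127.0.0.1", 0))
    occupied.listen(1)
    port = occupied.getsockname()[1]
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "sqljdbc.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(MSSQL_DRIVER_CLASS.replace(".", "/") + ".class", b"")
    try:
        return {
            "port_busy": not port_is_free(port, "127.0.0.1"),
            "driver_found_in_jar": jdbc_driver_on_classpath([jar]) == jar,
            "driver_missing_from_dir": jdbc_driver_on_classpath([workdir]) is None,
            "problems_with_bad_setup": preflight(port, [workdir], "127.0.0.1"),
        }
    finally:
        occupied.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run preflight() with the port from the main_listener properties and the entries you added to the VDS class path; an empty list means neither of the two typical errors applies. The port check binds the port for an instant, so run it before starting the server, not while it is running.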


Testing the configuration

Before you proceed with the configuration in the User Management Engine, it is recommended to test the VDS configuration and connectivity using an LDAP client. Any LDAP client (for instance LDP, Softerra, JXplorer) can be used once the server has started successfully.

Logging in with LDP

1. Start LDP.

2. Choose Connection/Connect.

Enter the host name or IP address and the port number you specified for the Virtual Directory Server.

3. Choose "OK".

4. Choose Connection/Bind.

Enter ume (user) / ume (password) as the credentials for logging on to the Virtual Directory Server. These are the default credentials in the template; if you changed them in the configuration, use the changed values. This is a simple bind, so the password crosses the network in clear text unless the listener is protected with TLS; run the test from a trusted network segment.

Note:
Because of a known issue with LDP, this command may fail. If so, just repeat the procedure.

5. Choose "OK".


Performing a search

To test the connectivity, perform a simple search to list entries in the identity store. Use as the base DN a node of the virtual tree in the Virtual Directory Server configuration (see the expanded tree on page 4).

1. Choose Browse/Search.

2. Choose "Options".

Make sure that the "Attributes" field is empty. An empty value here means that LDP requests all attributes in all subsequent searches.

To reduce the number of entries returned from the identity store, and thus the time spent waiting for the search result, enter a "Size limit". Here a limit of five (5) entries was used.

3. Choose "OK" to close the "Search Options" dialog box and return to the "Search" dialog box.


4. Choose "Run" to perform the search.

The entries returned by the search vary depending on what is available in the identity store you are connecting to.
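What the LDP bind and search steps above actually put on the wire, as an added example in Python (not code from the SAP guide). It encodes the simple BindRequest and the SearchRequest in BER as defined by RFC 4511, and decodes the bind frame back the way a passive observer on the network path would. Assumptions: the bind name is the template default ume, the search base is o=idstore (the user and group path configured in the UME data source later in this guide) with subtree scope, and the filter is (objectClass=*); LDP's own frames may differ in details such as the dereference setting.

```python
"""Wire-level view of the LDP test: a simple BindRequest and a SearchRequest
encoded per RFC 4511 / BER, plus the decoder an eavesdropper would need.
Example code, not part of the SAP guide.  Assumed values: bind name "ume",
base DN o=idstore, subtree scope, filter (objectClass=*)."""


def _ber(tag, content):
    """Encode one BER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def _int(value, tag=0x02):
    """INTEGER (or ENUMERATED with tag 0x0A) for non-negative values;
    one extra byte is used where needed to keep the sign bit clear."""
    nb = max(1, (value.bit_length() + 8) // 8)
    return _ber(tag, value.to_bytes(nb, "big"))


def _octets(text, tag=0x04):
    """OCTET STRING (or a context-tagged string) carrying UTF-8 text."""
    return _ber(tag, text.encode("utf-8"))


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    auth = _octets(password, tag=0x80)              # [0] simple: clear-text password
    bind = _ber(0x60, _int(3) + _octets(dn) + auth)  # [APPLICATION 0] BindRequest
    return _ber(0x30, _int(message_id) + bind)


def search_request(message_id, base_dn, size_limit=0, filter_attr="objectClass"):
    """SearchRequest: subtree scope, never dereference, presence filter,
    empty attribute list (= all attributes, as LDP does with an empty
    "Attributes" field), optional size limit."""
    body = (_octets(base_dn)
            + _int(2, tag=0x0A)                  # scope: wholeSubtree
            + _int(0, tag=0x0A)                  # derefAliases: neverDerefAliases
            + _int(size_limit)                   # sizeLimit (0 = no limit)
            + _int(0)                            # timeLimit
            + _ber(0x01, b"\x00")                # typesOnly: FALSE
            + _octets(filter_attr, tag=0x87)     # [7] present: (objectClass=*)
            + _ber(0x30, b""))                   # attributes: empty SEQUENCE
    return _ber(0x30, _int(message_id) + _ber(0x63, body))  # [APPLICATION 3]


def _read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length


def simple_bind_credentials(frame):
    """What an observer recovers from a captured simple bind: (name, password),
    or None if the frame is not a simple BindRequest."""
    tag, msg, _ = _read_tlv(frame)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg)                 # skip messageID
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None                             # not a BindRequest
    _, _, pos = _read_tlv(bind)                # skip version
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None                             # SASL or another mechanism
    return name.decode("utf-8"), auth.decode("utf-8")


if __name__ == "__main__":
    frame = bind_request(1, "ume", "ume")
    print(frame.hex())
    print(simple_bind_credentials(frame))      # ('ume', 'ume'), readable in the clear
    print(search_request(2, "o=idstore", size_limit=5).hex())
```

The bind frame carries the password as plain octets; anyone who can capture the segment between the LDAP client and the Virtual Directory Server recovers it with a few lines of decoding, which is why the template's default credentials must be changed and the listener protected with TLS before the server is reachable from anything but a test client. The search frame with size limit 5 is the request equivalent to the LDP test search above.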


Configuring the data source in User Management Engine

When the Virtual Directory Server configuration is done, the data source needs to be configured in the User Management Engine. The following steps are involved:

Uploading the data source configuration file (.xml template)

Configuring the LDAP server data

Performing a search

To access the User Management Engine, do the following:

1. Enter http://<host>:<port>/index.html in your browser. This opens the SAP J2EE Engine Start Page.


2. Select "User Management", which starts the user management administration console of the User Management Engine (UME).

3. Provide your UME credentials and choose "Log on".

You have now accessed the User Management Engine.


Uploading the data source configuration template file

In this section the XML template file dataSourceConfiguration_idmvdsic_flat_not_readonly_db.xml, stored in <VDS install directory>\samples, is uploaded. Do the following:

1. Select the "Configuration" tab.

2. Choose "Modify Configuration".


Browse (choose "Browse" for file upload) to the file dataSourceConfiguration_idmvdsic_flat_not_readonly_db.xml stored in <VDS install directory>\samples.

3. Choose "Upload File".

When the file is uploaded, it appears in the list of available data source configurations.

4. Select the file in the "Data Source" field.

A warning appears that the data source configuration is about to change. This is the intended change, so proceed.

The template file for the data source configuration is now uploaded and selected as the data source.


Configuring the LDAP server data

The next step is to enter the LDAP server data and complete the data source configuration. Do the following:

1. Select the "LDAP Server" tab.

Fill in the connection data of your LDAP server, i.e. the Virtual Directory Server: server name (IP address or host name) and port, the credentials (ume (user) / ume (password) by default; use the values you set in the VDS configuration), and the user and group path (o=idstore).

Make sure that "Use Unique Attribute for UME Unique ID" is selected and set to "uid".

Note:
For testing purposes, "Cache Size" and "Cache Lifetime" can be set to zero (0). Otherwise leave the values as they are.

You may choose "Test Connection" to verify that the correct connection data has been entered. Verify that the connection test completes successfully.


2. Choose "Save All Changes".

3. The changes take effect after a restart of the server.


Performing a search

To search for the users available in the connected LDAP server, do the following:

1. In the User Management Engine, select the "Identity Management" tab.

In the search criteria area, choose "User" and "LDAP" as the data source.

2. Choose "Go". This lists the users available in the LDAP server you are connected to.

The integration is now complete and the UME can be used to view, create, delete and modify the users and groups in the identity store.
