Tivoli ® Identity Manager Adapter for SAP Netweaver AS Java Integration and Configuration Guide Version 4.6 GC32-1590-05


  • Tivoli Identity Manager

    Adapter for SAP Netweaver AS Java Integration and Configuration Guide

    Version 4.6

    GC32-1590-05


  • Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 29.

    Third Edition (November 2006)

    This edition applies to version 4.6 of the Tivoli Identity Manager Adapter for SAP Netweaver AS Java and to all subsequent releases and modifications until otherwise indicated in new editions.

    Copyright International Business Machines Corporation 2004, 2005. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

  • Contents

    Preface
      Who should read this book
      Publications and related information
        Tivoli Identity Manager library
        Prerequisite Product Publications
        Related Publications
        Accessing publications online
      Accessibility
      Support information
      Conventions used in this book
        Typeface conventions
      Operating system differences
      Definitions for HOME directory variables

    Chapter 1. Overview

    Chapter 2. Adapter Installation
      Requirements
      Step 1: Testing Network Connectivity
      Step 2: Installing the Adapter
      Step 3: Deploying the Adapter
      Step 4: Enabling User Mapping Data
        Configure the Agent for User Mapping
        Configure the System Aliases
      Step 5: Installing the Adapter's Profile
      Step 6: Configuring the Adapter's Forms

    Chapter 3. Adapter Profile Installation
      Introduction
      Upgrading from the SAP EP6 Agent Profile to the SAP AS Java Agent Profile
      Requirements
      Importing the Adapter Profile
      User Mapping Data Tab
      Enabling SSL between SAP and Tivoli Identity Manager

    Chapter 4. Adapter Profile User Mapping Data Activation Installation
      Introduction
      Requirements
      Installing the Adapter Profile User Mapping Activation
      Enabling Adapter User Mapping
      Verifying the Adapter Profile User Mapping Activation is Installed

    Chapter 5. Uninstalling the Adapter

    Appendix A. Adapter Variables
      Adapter Logging
      Adapter User Mapping System Aliases Configuration
      Variable Descriptions
      Variables by Tivoli Identity Manager Adapter for SAP Netweaver AS Java Actions
        System Login Add
        System Login Modify
        System Login Delete
        System Login Suspend
        System Login Restore
        Reconciliation
      Troubleshooting
        Check Adapter Deployment
        Check Console Output

    Appendix B. Support information
      Searching knowledge bases
        Search the information center on your local system or network
        Search the Internet
      Obtaining fixes
      Contacting IBM Software Support
        Determine the business impact of your problem
        Describe your problem and gather background information
        Submit your problem to IBM Software Support

    Appendix C. Notices
      Trademarks

  • Preface

    The IBM Tivoli Identity Manager Adapter for SAP Netweaver AS Java enables connectivity between the Tivoli Identity Manager server and the SAP Netweaver Java WAS (SP9 and above) User Management Engine (UME). After the agent is installed and prepared, Tivoli Identity Manager manages user account resources on your SAP Netweaver Java server system. This manual describes how to install and prepare the adapter.

    This document assumes that both Tivoli Identity Manager and SAP Netweaver AS Java are installed, configured and running on your network. No details are provided regarding the installation and configuration of these products, except where necessary to achieve integration.

    Who should read this book

    This manual is intended for security administrators responsible for installing software on their site's computer systems. Readers are expected to understand security administration concepts.

    The person completing the installation procedure should also be familiar with their site's system standards. Readers should be able to perform routine security administration tasks.

    Publications and related information

    Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite Product Publications on page vii and the Related Publications on page viii. After you determine the publications you need, refer to the instructions in Accessing publications online on page viii.

    Tivoli Identity Manager library

    The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
    - Release information
    - Online user assistance
    - Server installation and configuration
    - Problem determination
    - Technical supplements
    - Adapter installation and configuration

    Release Information:

    - IBM Tivoli Identity Manager Release Notes
      Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.

    - IBM Tivoli Identity Manager Documentation Read This First Card
      Lists the Tivoli Identity Manager publications.

    Online user assistance:


  • Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

    Server installation and configuration:

    IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

    Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

    Problem determination:

    IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

    Technical supplements:

    The following technical supplements are provided by developers or by other groups who are interested in this product:

    - IBM Tivoli Identity Manager Performance Tuning Guide
      Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
      Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.

    - Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
      Browse to the Self Help section, in the Learn category, and click the Redbooks link.

    - Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/

    - Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

    - For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

    Adapter installation and configuration:

    The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:


  • http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

    Browse to the Other resources, and click the link for the current inventory of adapters.

    Skills and training:

    The following additional skills and technical training information were available at the time that this manual was published:
    - Virtual Skills Center for Tivoli Software on the Web at: http://www.cgselearning.com/tivoliskills/
    - Tivoli Education Software Training Roadmaps on the Web at: http://www.ibm.com/software/tivoli/education/eduroad_prod.html
    - Tivoli Technical Exchange on the Web at: http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

    Prerequisite Product Publications

    To use the information in this book effectively, you must have knowledge of the prerequisite products. Publications are available from the following locations:

    - Operating systems
      IBM AIX
        http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
      Sun Solaris
        http://docs.sun.com/db?q=solaris+9
      Red Hat Linux
        http://www.redhat.com/docs/
      Microsoft Windows Server 2003
        http://www.microsoft.com/windowsserver2003/proddoc/default.mspx

    - Database servers
      IBM DB2
        - Support: http://www.ibm.com/software/data/db2/udb/support.html
        - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
        - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
        - DB2 product family: http://www.ibm.com/software/data/db2
        - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
        - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
      Oracle
        http://www.oracle.com/technology/documentation/index.html
        http://otn.oracle.com/tech/index.html
        http://otn.oracle.com/tech/linux/index.html
      Microsoft SQL Server 2000
        http://www.msdn.com/library/


        http://www.microsoft.com/sql/

    - Directory server applications
      IBM Directory Server
        http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
        http://www.ibm.com/software/network/directory
      Sun ONE Directory Server
        http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

    - WebSphere Application Server
      Additional information is available in the product directory or Web sites.
        http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
        http://www.redbooks.ibm.com/

    - WebSphere embedded messaging
        http://www.ibm.com/software/integration/wmq/

    - IBM HTTP Server
        http://www.ibm.com/software/webservers/httpservers/library.html

    Related Publications

    Information that is related to Tivoli Identity Manager Server is available in the following publications:

    - The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/

    - The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

    Accessing publications online

    IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

    Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

    Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper.

    Accessibility

    The product documentation includes the following features to aid accessibility:
    - Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.


    - All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

    Support information

    If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
    - Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
    - Obtaining fixes: You can locate the latest fixes that are already available for your product.
    - Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

    For more information about these ways to resolve problems, see Appendix B, Support information, on page 25.

    Conventions used in this book

    This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

    Typeface conventions

    This guide uses the following typeface conventions:

    Bold
      - Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
      - Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
      - Keywords and parameters in text

    Italic
      - Words defined in text
      - Emphasis of words (words as words)
      - New terms in text (except in a definition list)
      - Variables and values you must provide

    Monospace
      - Examples and code examples
      - File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
      - Message text and prompts addressed to the user
      - Text that the user must type
      - Values for arguments or command options

    Operating system differences

    This guide uses the UNIX convention for specifying environment variables and for directory notation.


  • When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

    Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

    Definitions for HOME directory variables

    The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

    The value of path for the Windows operating system is drive:\Program Files. The value of path for the AIX operating system is /usr. The value of path is /opt for other UNIX and Linux operating systems.

    Path variable: DB_INSTANCE_HOME
      Default definition:
        Windows: path\IBM\SQLLIB
        UNIX and Linux:
          - AIX, Linux: /home/dbinstancename
          - Solaris: /export/home/dbinstancename
      Description: The directory that contains the database for Tivoli Identity Manager.

    Path variable: LDAP_HOME
      Default definition:
        - IBM Directory Server
          Windows: path\IBM\LDAP
          UNIX: path/IBM/LDAP
        - Sun ONE Directory Server
          Windows: path\Sun\MPS
          UNIX: /var/Sun/mps
      Description: The directory that contains the directory server code.

    Path variable: HTTP_HOME
      Default definition:
        Windows: path\IBMHttpServer
        UNIX and Linux: path/IBMHttpServer
      Description: The directory that contains the IBM HTTP Server code.

    Path variable: ITIM_HOME
      Default definition:
        Windows: path\IBM\itim
        UNIX and Linux: path/IBM/itim
      Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

    Path variable: WAS_HOME
      Default definition:
        Windows: path\IBM\WebSphere\AppServer
        UNIX and Linux: path/IBM/WebSphere/AppServer
      Description: The WebSphere Application Server home directory

    Path variable: WAS_MQ_HOME
      Default definition:
        Windows: path\IBM\WebSphereMQ
        UNIX and Linux: path/mqm
      Description: The directory that contains the WebSphere MQ code.

    Path variable: WAS_NDM_HOME
      Default definition:
        Windows: path\WebSphere\DeploymentManager
        UNIX and Linux: path/WebSphere/DeploymentManager
      Description: The home directory on the deployment manager

    Path variable: Tivoli_Common_Directory
      Default definition:
        Windows: path\IBM\Tivoli\Common\CTGIM
        UNIX and Linux: path/IBM/Tivoli/Common/CTGIM
      Description: The central location for all serviceability-related files, such as logs and first-failure capture data


  • Chapter 1. Overview

    This installation guide provides all of the basic information necessary to install and configure the SAP Netweaver AS Java Adapter components.

    The basic procedures required to install, configure, and run the agent are as follows:
    - Install the agent software.
    - Deploy the agent on the SAP server.
    - Install the agent's profile on the Tivoli Identity Manager Server.
    - Configure the Tivoli Identity Manager Server to recognize the agent as a service.


  • Chapter 2. Adapter Installation

    This chapter describes the steps required to install and configure the Tivoli Identity Manager Adapter for SAP Netweaver AS Java software. You must complete the steps in the order they are listed.

    This chapter has the following sections:
    - Requirements
    - Step 1: Testing Network Connectivity
    - Step 2: Installing the Adapter
    - Step 3: Deploying the Adapter
    - Step 4: Enabling User Mapping Data
    - Step 5: Installing the Adapter's Profile
    - Step 6: Configuring the Adapter's Forms

    Requirements

    The following table identifies hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP Netweaver AS Java. Verify that all of the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP Netweaver AS Java.

    Table 1. Requirements to install the adapter

    System
      The adapter must be installed on a SAP server. If you have multiple SAP Netweaver Java systems in a clustered environment, the synchronization mechanism will ensure the adapter is deployed to each of these systems. The adapter need only be installed on a single machine. Refer to the SAP documentation for minimum and recommended hardware requirements. The adapter installation requires at least 10 MB of free disk space.

    Operating System
      Refer to the SAP documentation for minimum and recommended software requirements. The adapter deployment is dependent on the SAP J2EE installation.

    SAP Netweaver AS Java Software
      This adapter has been configured and tested with SAP Netweaver Java with the following software version:
      - SAP Netweaver Java WAS (Service Pack 9 or above)
      Note: Basic Authentication must be enabled on the system in order for the adapter to operate.

    ITIM SAP Netweaver AS Java Adapter
      The Tivoli Identity Manager SAP Netweaver AS Java Adapter must be installed and operational on the system where there is a SAP Netweaver Java installation. In a clustered environment, the adapter need only be deployed on a single system, allowing the SAP Netweaver synchronization to deploy the adapter to the other systems.

    Network Connectivity
      The adapter must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.

    System Administrator Authority
      The person completing the Tivoli Identity Manager Adapter for SAP Netweaver AS Java installation procedure must have root access to the Tivoli Identity Manager server to complete the steps in this chapter.

    Server Communication
      Communication between the Tivoli Identity Manager Server and the Tivoli Identity Manager Adapter for SAP Netweaver AS Java should be tested with a low-level communication ping before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

    Step 1: Testing Network Connectivity

    This step tests basic network connectivity and file transfer capability. Testing is done between the server where the Tivoli Identity Manager Adapter for SAP Netweaver AS Java will be installed, and the Tivoli Identity Manager Server.

    You must issue a ping command from the Tivoli Identity Manager to the designated adapter workstations to verify communication.
    1. Log on to the SAP Netweaver Java server workstation.
    2. Test communication between the Tivoli Identity Manager Server and the SAP Netweaver Java server:
       # ping host_name

    Step 2: Installing the Adapter

    An executable installation program is provided for the Tivoli Identity Manager Adapter for SAP Netweaver AS Java. When you run the installation program, you can accept the default settings or select new values.

    The Tivoli Identity Manager Adapter for SAP Netweaver AS Java installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions.

    To install the adapter, do the following:
    1. Download the Tivoli Identity Manager Adapter for SAP Netweaver AS Java installation zip file from IBM's Web site.
    2. Extract the contents of the Tivoli Identity Manager Adapter for SAP Netweaver AS Java installation zip file into a temporary directory.
    3. Start the installation wizard:
       On a Windows target: Select Run... from the Start menu and type the path to the temporary directory followed by UMEAgentSetup_win32.exe. For example: C:\Temp\UMEAgentSetup_win32.exe
       On an AIX target: Locate and execute the UMEAgentSetup_AIX.bin file in the temporary directory.
       The Welcome dialog window appears.
    4. Click Next.
       The Software License Agreement dialog window appears.
    5. Read the License Agreement, click the I accept radio button and click Next.
       The Select Destination Directory dialog window appears.
    6. Accept the default or select an alternate destination path and click Next.
       The Install Summary dialog window appears.
    7. Click Next.
       The SAP Netweaver AS Java Adapter is installed and a completion dialog is displayed.
    8. Click Finish.

    Step 3: Deploying the Adapter

    The SAP Netweaver AS Java Adapter is unlike a traditional Tivoli Identity Manager adapter. Rather than running as a service on the managed platform, the adapter resides within the SAP J2EE environment. The adapter must be deployed within the SAP J2EE environment so it can perform user management operations originating from Tivoli Identity Manager Server requests.

    After installing the adapter on the SAP system, locate the bin directory within the adapter install location.

    Using the SAP Deploy Tool, the adapter Web Archive (.war) can be added to a new Enterprise Archive (.ear) and then deployed. The following steps describe how to achieve this deployment. For further details on using the Deploy Tool and deploying applications, refer to your SAP Netweaver Java Server Documentation.

    To deploy the application in SAP, follow the steps below.

    Attention: Please follow these steps carefully. In particular, ensure that you create a new project in step 2. It is important that whenever you attempt to deploy the agent you do so from a new project. If you have un-deployed the agent and wish to re-deploy it at a later date, you should not use the same project as the last time it was deployed. A brand new project should always be created. If you attempt to use the Deploy Tool to deploy the agent from an existing project rather than a new project, your entire SAP system may become corrupted and require rebuilding from scratch. This known SAP Netweaver issue is resolved in SAP WAS SP14. 1. Open the SAP Deploy Tool:

    /usr/sap//JC/j2ee/deploying/deploytool.bat.

    2. Choose Project then New Project. The New Project window is displayed. Specify a valid project file name (for example, Test) then click OK.

    3. In the Assembler tab, select Assemble then Add Archive to import the component umeagent.war. This file will be located in the Agent_Install_Dir/bin directory: Click OK.

    4. You must add additional libraries found on the SAP system to the Ear. Three of the required library files can be found on the Tivoli Identity Manager 4.6 environment, while the remaining library files are installed on the SAP system. Each of the libraries listed below must be added as Files to the Enterprise Archive:

    Library files required from the SAP system:

    usr/sap//JC/j2ee/admin/lib/logging.jar
    usr/sap//JC/j2ee/cluster/server0/bin/ext/com.sap.security.api.sda/com.sap.security.api.jar

    Library files required from the Tivoli Identity Manager 4.6 system:

    xercesImpl.jar
    regexp.jar
    xml-apis.jar

    By default, these library files are located in the following directory on the Tivoli Identity Manager 4.6 server machine: WAS_HOME/installedApps//enRole.ear

    To add the files to the Ear, highlight the project ear file in the left hand panel and then select the Files tab from the right window of the Assembler tab. Then enter the path to the library File and then click Add. The library files must be added one at a time until all are done.

    5. Save the project.

    6. Select Assemble then Make Ear.

    7. In the Deployer tab, click Deploy then Connect. Verify the connection details then click the Connect button to connect to the SAP Netweaver Java system.

    8. Once you have connected successfully, you can try to deploy the EAR. In the Deployer tab, click on the project name and select Deploy then Deployment then Deploy Ear.

    Notes:

    1. You must take note of the deployment URL for the adapter as this is required to be entered when configuring the SAP Netweaver AS Java Adapter profile. The URL will take the form http(s)://SAP_hostname:port/umeagent/umeagent.

    2. Please note that the adapter does not currently support filtered searches or reconciliation with more than one condition (such as: and, not, or, etc), or an attribute other than erUid (such as: erep6city, erep6email, etc).

    3. Ensure that Basic Authentication is enabled on the SAP Netweaver AS Java system to allow the adapter to function correctly.

    4. SAP Clustering and Load Balancing:

    When the adapter is to be deployed on a SAP cluster, it need only be installed on a single cluster node. The SAP cluster synchronization will ensure the adapter is then deployed on all other nodes in the cluster. The adapter will continue to function if a load balancer is used, provided that the adapter servlet has been synchronized to all cluster nodes accessible from the load balancer. If the adapter servlet has not been synchronized, it will not be accessible from the load balancer. Refer to the SAP documentation for details on clustering and cluster node synchronization.

    Step 4: Enabling User Mapping Data

    If you have SAP EP6 installed on the SAP Netweaver AS Java system and your deployment includes User Mapping Data for users, you must follow these additional instructions to enable User Mapping in the adapter.

    User Mapping Data is only supported for Users, not Roles and Groups. It is possible to have only one set of user mapping data credentials for each system alias.


    Configure the Agent for User Mapping

    User Mapping Data Functionality will be disabled by default. In order to enable User Mapping, you must modify the adapter web.xml file. The default location of this file will be:

    /usr/sap//JC/j2ee/cluster/server0/apps/sap.com//servlet_jsp/umeagent/root/WEB-INF/web.xml

    By default the adapter web.xml file on the SAP system will contain the following entry:

    itim.agent.user.mapping false

    To enable User Mapping you should set the param_value to true. The modified entry would be as follows:

    itim.agent.user.mapping true

    Any changes to the web.xml file must be saved, and the application restarted, for these changes to take effect.

    Configure the System Aliases

    1. Locate the systemAliases.properties file in the etc directory (created during the install of the adapter). For example: Agent_Install_Dir/etc/systemAliases.properties

    2. Copy this file to the root directory of the SAP server. For example: SAP_installation_dir/cluster/server0

    3. Modify the file to include all the configured System Aliases of the SAP server and remove the hash (#) comment character from the beginning of the line. For example:

    aliasServer1=someSystemAlias
    aliasServer2=anotherSystemAlias

    Note: The alias names are the same as those that appear in the System drop down list in the User Mapping menu of User Administration. Where more aliases are required, add further lines with incremental alias numbers.

    User Mapping must also be activated on the Tivoli Identity Manager server by installing the User Mapping Data Activation package. For detailed instructions on installing the adapters Profile User Mapping Activation on the Tivoli Identity Manager server, see Chapter 4, Adapter Profile User Mapping Data Activation Installation, on page 13.

    Step 5: Installing the Adapter's Profile

    Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. For more information on installing the adapter's profile on the Tivoli Identity Manager Server, see Chapter 3, Adapter Profile Installation, on page 9.


  • Note: If this is an upgrade of an existing SAP EP6 adapter, the new adapter schema will not be reflected immediately. The Tivoli Identity Manager system stores the adapter schema in memory. However, this cache is periodically refreshed and the new adapter schema will be reflected after the cache is refreshed. Reboot the Tivoli Identity Manager system to refresh the adapter schema immediately. The profile from a previous release of the Tivoli SAP EP6 adapter can be used for this SAP AS Java adapter release, as there are only slight differences between the two profiles. For further details, see Chapter 3, Adapter Profile Installation, on page 9.

    Step 6: Configuring the Adapter's Forms

    Configure the adapter's service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager Information Center for more information.

    When configuring the SAP Netweaver AS Java Adapter profile, in the URL field, enter the full URL to the adapter servlet on the SAP server (including the protocol, fully qualified host name and the path). The adapter can be accessed via HTTP or HTTPS, depending on whether the SAP server has SSL enabled. For greater security, it is recommended that SSL be configured on the SAP WAS server and used to access the Tivoli Identity Manager AS Java Agent. HTTP access should be denied to the servlet as a safeguard.

    Refer to the SAP documentation for enabling SSL.

    Authentication is provided to the adapter through Basic Authentication in the HTTP headers. In the User ID and Password fields, enter the account details for a valid SAP account.

    To increase security, it is suggested that the user account details entered are used solely for adapter authentication. To achieve this, ensure that the account has no assigned SAP roles or groups and the account is suspended (locked). This ensures that the adapter can authenticate the Tivoli Identity Manager server and that, if the account details are compromised, they cannot be used to log on to the SAP Web interface.

    Create a new user in the SAP user registry that is used solely for adapter authentication. Remove all role and group membership as mentioned above.
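    The URL and authentication guidance above can be checked before the service form is saved. The following is an added example, not code from the adapter or from IBM; the function names, host names and credentials are constructed for illustration. It also shows that a Basic Authentication header is only an encoding of the User ID and Password, which is why the guide recommends HTTPS.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

# Servlet path taken from the deployment note in this guide:
# http(s)://SAP_hostname:port/umeagent/umeagent
ADAPTER_PATH = "/umeagent/umeagent"


def check_service_url(url):
    """Return a list of findings for the URL typed into the service form."""
    findings = []
    parts = urlsplit(url)

    # Basic Authentication is sent with every request, so plain HTTP exposes it.
    if parts.scheme.lower() != "https":
        findings.append("URL does not use https: Basic Authentication "
                        "credentials would cross the network unprotected")

    # The account belongs in the User ID and Password fields, not in the URL.
    if parts.username is not None or parts.password is not None:
        findings.append("credentials are embedded in the URL")

    # The guide asks for a fully qualified host name.
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip or "." not in host:
        findings.append("host is not a fully qualified host name")

    if parts.path.rstrip("/") != ADAPTER_PATH:
        findings.append("path is not " + ADAPTER_PATH)
    return findings


def basic_auth_header(user_id, password):
    """Build the Authorization header value that Basic Authentication sends."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth_header(value):
    """Recover (user_id, password) from a Basic header: encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user_id, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user_id, password


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for candidate in ("https://sapj2ee.example.com:50001/umeagent/umeagent",
                      "http://sapj2ee:50000/umeagent"):
        print(candidate, check_service_url(candidate) or "OK")
    header = basic_auth_header("itimadapter", "Constructed-Pw1")
    print(header, "->", decode_basic_auth_header(header))
```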


  • Chapter 3. Adapter Profile Installation

    This chapter has the following sections:

    - Introduction
    - Requirements
    - Importing the Adapter Profile
    - User Mapping Data Tab
    - Enabling SSL between SAP and Tivoli Identity Manager

    Introduction

    Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. The Tivoli Identity Manager Adapter for SAP Netweaver AS Java comes with a second installation script that installs the adapter's profile on the Tivoli Identity Manager Server as a service profile.

    This chapter describes the procedure to install and configure the Tivoli Identity Manager Adapter for SAP Netweaver AS Java profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

    Upgrading from the SAP EP6 Agent Profile to the SAP AS Java Agent Profile

    If you have an existing installation of the Tivoli SAP EP6 agent profile on the Tivoli Identity Manager server, you do not have to upgrade the adapter profile. The profile for the SAP AS Java adapter will function in the same manner as that of Tivoli SAP EP6 agent, although the labels displayed in Tivoli Identity Manager will be slightly different.

    One other minor difference between the two profiles is the length of the allowed erUid for provisioned accounts. The SAP EP6 agent profile enforces a minimum length of 6 characters. However, the SAP AS Java agent profile enforces a minimum length of 5 characters, which is the same as the default minimum length required by the SAP UME Web interface for creating users.

    If you do choose to upgrade to the new SAP AS Java agent profile from an existing SAP EP6 adapter profile, the new adapter schema will not be reflected immediately. The Tivoli Identity Manager system stores the adapter schema in memory: the cache is periodically refreshed and the new adapter schema will be reflected after the cache is refreshed. Reboot the Tivoli Identity Manager system if you wish to refresh the adapter schema immediately.

    Note: While the functionality of the SAP EP6 agent and SAP AS Java agent profiles are comparable, the functionality of the User Mapping Data Activation installation software is different for the two different agents. You can use an existing installation of a SAP EP6 agent profile with this SAP AS Java agent release, but you cannot use an existing installation of the SAP EP6 User Mapping Data Activation software with the SAP AS Java agent.

    The User Mapping Data Activation configuration for previous releases of the SAP EP6 agent is not compatible with the SAP AS Java agent. Therefore, you must install the SAP AS Java Agent User Mapping Data Activation if you wish to use user mapping functionality with the SAP AS Java agent. For more information, please refer to Chapter 4, Adapter Profile User Mapping Data Activation Installation, on page 13.

    Requirements

    The following table identifies hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP Netweaver AS Java profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP Netweaver AS Java profile.

    Table 2. Requirements before installing an adapter profile

    | Requirement | Description |
    |---|---|
    | Server | The Tivoli Identity Manager Server must be installed and running before the adapter's profile can be installed. |
    | System Administrator Authority | The person completing the Tivoli Identity Manager Adapter for SAP Netweaver AS Java profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter. |

    Importing the Adapter Profile

    An adapter profile defines the types of resources that the Tivoli Identity Manager Server can manage. You must import the adapter profile onto the Tivoli Identity Manager Server before using the SAP Netweaver AS Java Adapter. The profile is used to create a SAP EP6 Adapter service on the Tivoli Identity Manager Server and to communicate with the adapter.

    Before you begin to import the adapter profile, verify that the following conditions are met:

    - The Tivoli Identity Manager Server must be installed and running.
    - In order to configure the SAP Netweaver AS Java Adapter profile, you must have root or Administrator authority on the Tivoli Identity Manager Server.

    To import the adapter profile, complete the following steps:

    1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks.

    2. From the Main Menu Navigation Bar, select the Configuration tab.

    3. On the Configuration window, select the Import/Export tab then the Import tab.

    4. On the Import window, in the File to Upload field, type the location of the ep6profile.jar file, or click Browse to locate the file.

    5. Click the Import data into Identity manager link to import the adapter profile into the Tivoli Identity Manager Server.

    - If the adapter profile import completes successfully, the following message is displayed: Profile installation complete.
    - If the adapter profile import fails, the following message is displayed: Profile installation failed.

  • When you import the adapter profile, if you receive an error related to the schema, the trace.log file will contain information about that error. The trace.log file location is specified by the handle.file.fileDir property. This is defined in the Tivoli Identity Manager enRoleLogging.properties file, which is located in the Tivoli Identity Manager \data directory.

    User Mapping Data Tab

    By default, the profile installer will configure the complete Adapter Profile, which includes the Forms for User Mapping Data.

    If User Mapping Data is required, an additional installation step is also required. For details, see Chapter 4, Adapter Profile User Mapping Data Activation Installation, on page 13.

    If User Mapping Data is not required, the tab can be removed from the Account forms by accessing the Adapter Profile User Interface Customization as follows:

    - Go to the Configuration Tab on the Tivoli Identity Manager GUI and select Form Customization.
    - Double click on Account to list the available accounts.
    - Select the ep6account option.
    - Select the $erep6tabumd tab.
    - Locate and click the Delete Tab button from the menu bar.
    - Locate and click the Save Form Template button (under Form in the menu bar).
    - A dialog box will be displayed indicating that the Form Template was saved successfully. Click OK.
    - Restart the enRole application on the WebSphere Application Server.

    If User Mapping is required at a later stage, simply reinstall the Adapter Profile.

    Enabling SSL between SAP and Tivoli Identity Manager

    In order to utilize an SSL connection between the adapter and the IBM Tivoli Identity Manager server:

    - SSL must be enabled on the SAP system, and
    - the SAP Certificate must be imported into the Keystore for the JVM used by the WebSphere Application server, and
    - the SAP Certificate must be imported into the WebSphere Application server key file.

    To configure SSL between the adapter and the IBM Tivoli Identity Manager server:

    1. Export the certificate from the SAP server.

    2. Copy the certificate to a temporary location on the IBM Tivoli Identity Manager Server. For example: $TMP\sap.cer

    3. Log on to the WebSphere Application Server Console. For example: http://itimserver:9090/admin

    4. Open the SSL configuration by clicking Security then SSL.

    5. Click on Tivoli Identity Manager_server_name/DefaultSSLSettings.

    6. Note the Key File Name location. For example: ${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks

    This is the file that the SAP Certificate will be imported to.

    7. Change to the root directory of the WebSphere Application server (WAS_HOME).

    Note: You must use the Java version supplied with WebSphere for this process.

    8. Import the SAP Certificate into the WebSphere Key:

    java\jre\bin\keytool -import -file $TMP\sap.cer -keystore etc\DummyServerTrustFile.jks -alias "SAP" -trustcacerts

    9. Supply the password for the DummyServerTrustFile.jks (the default password is WebAS).

    10. Type yes and press Enter to accept and trust the certificate.

    Next, import the SAP certificate into the list of trusted certificates for the WebSphere JVM.

    1. In the same directory:

    java\jre\bin\keytool -import -file $TMP\sap.cer -keystore java\jre\lib\security\cacerts -alias "SAP" -trustcacerts

    2. Supply the password for the DummyServerTrustFile.jks (the default password is changeit).

    3. Type yes and press Enter to accept and trust the certificate.

    If you have installed a JVM to a different location and are using this for WebSphere Application Server, then you must also import the SAP certificate into the cacerts file for that JVM. Repeat the steps above using the correct Java location and keyfiles.

    Finally, restart the WebSphere Application Server.


  • Chapter 4. Adapter Profile User Mapping Data Activation Installation

    This chapter has the following sections:

    - Introduction
    - Requirements
    - Installing the Adapter Profile User Mapping Activation
    - Enabling Adapter User Mapping
    - Verifying the Adapter Profile User Mapping Activation is Installed

    Introduction

    Before an adapter can manage User Mapping Data, an additional library and servlet must be added to the Web Application Server where Tivoli Identity Manager is installed. This provides the Custom Widget that is required.

    This chapter describes the procedure to install and configure the Tivoli Identity Manager Adapter for SAP Netweaver AS Java Profile User Mapping Activation on the Tivoli Identity Manager server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

    The instructions here are only relevant to Tivoli Identity Manager running on WebSphere Application Server. For other Web Application Servers, you must manually extract the required files, copy the library and create a new servlet and servlet-mapping. Refer to your Web Application Server documentation for details.

    Notes:

    1. If you are upgrading the adapter software, you may also choose to upgrade the Adapter Profile on the Tivoli Identity Manager Server. Functionality of the Tivoli Identity Manager Adapter profile for SAP AS Java is essentially the same as the functionality of the Tivoli Identity Manager profile for SAP EP6. For further details, please refer to Chapter 3, Adapter Profile Installation, on page 9.

    2. If you apply a fix pack for Identity Manager that makes changes to the Web Application Server, you must also reinstall the User Mapping Activation.

    3. User Mapping functionality is only available on Netweaver AS Java systems that have SAP EP6 installed.

    Requirements

    The following table identifies hardware, software, and authorization requirements to install the SAP Netweaver AS Java Adapter Profile on the Tivoli Identity Manager server. Verify that all the requirements have been met before installation.

    Table 3. Requirements for installing the Adapter Profile User Mapping Activation

    | Requirement | Description |
    |---|---|
    | Server | The Tivoli Identity Manager server must be installed and running before the Adapter Profile User Mapping Activation can be installed. |
    | System Administrator Authority | The person completing the SAP Netweaver AS Java Adapter profile User Mapping Activation installation must have root access to the Tivoli Identity Manager server to complete the procedures in this chapter. |

    Installing the Adapter Profile User Mapping Activation

    To install the Adapter Profile User Mapping Activation:

    1. Log in to the Tivoli Identity Manager server as root.

    2. Download the SAP Netweaver AS Java Adapter installation zip file from IBM's Web site and extract the contents of the zip file into a temporary directory.

    Note: Contact your IBM account representative for the Web address and download instructions for adapter installation files.

    3. Complete one of the following:

    For a Tivoli Identity Manager server installed on a UNIX platform:

    a. Change the working directory to the temporary directory where you extracted the User Mapping Activation installation file:

    # cd /tmp

    where tmp is the path of the directory containing the User Mapping Activation installation file.

    b. Run the SAP Netweaver AS Java Adapter profile installation script that is appropriate for your operating system:

    /umeprofile_umda_operating system.bin

    where operating system is the name of your operating system, such as aix, solaris, or hpxxxx. A graphical user interface appears.

    For Tivoli Identity Manager servers installed on Windows:

    a. Select Run from the Start menu.

    b. Type the path to the temporary directory where you extracted the User Mapping Activation installation file, followed by umeprofileumda.exe. For example: C:\temp\umeprofileumda.exe

    The Welcome dialog window is displayed.

    4. Click Next.

    The Select Tivoli Identity Manager SAP Netweaver AS Java Adapter Profile User Mapping Activation screen appears.

    5. Type the WebSphere Application Server home directory in the text field and click Next. You can also select the directory by clicking Browse and browsing to the correct directory. You must install the activation in the same home directory in which WebSphere Application server is installed. For example: C:\IBM\WebSphere\AppServer

    or:

    /opt/IBM/WebSphere/AppServer

    The WebSphere Node screen appears.

    6. In the text field, type the Node name of the server on which the Tivoli Identity Manager application is installed. Then click Next. The Node name can be determined by looking at the directory name found under the installedApps directory of the WebSphere home directory. The Install Summary dialog window is displayed.

    7. Click Next. The Installation Progress dialog window appears. Once installation is complete, the Install Complete dialog window is displayed.

    8. Click Finish to conclude the installation process.

    Enabling Adapter User Mapping

    User Mapping must be enabled on the SAP server where the adapter has been installed. Please ensure you have followed the instructions described in Step 4: Enabling User Mapping Data on page 6.

    Verifying the Adapter Profile User Mapping Activation is Installed

    To ensure that the Adapter Profile User Mapping Activation installed correctly, navigate to the WebSphere home directory.

    If the Adapter Profile User Mapping Activation installation was successful, the following file changes should be observed:

    - umeagent.jar should be located in WAS_HOME/installedApps/Node_name/enRole.ear

    - web.xml should be located in both the following directories:
      WAS_HOME/installedApps/Node_name/enRole.ear/app_web.war/WEB-INF
      WAS_HOME/config/cells/Node_name/applications/enRole.ear/deployments/enRole/app_web.war/WEB-INF

    - both web.xml files should contain the blocks and .

    - MANIFEST.MF should be located in both the following directories:
      WAS_HOME/installedApps/Node_name/enRole.ear/app_web.war/META-INF
      WAS_HOME/config/cells/Node_name/applications/enRole.ear/deployments/enRole/app_web.war/META-INF

    - Both MANIFEST.MF files should contain umeagent.jar

    A log file for the installation will be created in the WebSphere home directory.

    To remove the User Mapping Activation, run the uninstall application that is located in the _uninst_umda directory of the WebSphere home directory.

    If a Tivoli Identity Manager patch is applied that makes changes to the Web Application Server, the User Mapping Activation installer must be executed again. For example, if a Page Cannot be Displayed error message is displayed when the User Mapping Data window is opened in the Account form of the profile, this is a sign that the User Mapping Activation requires re-installation.


  • Chapter 5. Uninstalling the Adapter

    This section describes the Tivoli Identity Manager Adapter for SAP Netweaver AS Java uninstall procedures. Give users advance warning that the resource will be unavailable prior to removing the adapter. If the server is taken offline, Tivoli Identity Manager Adapter for SAP Netweaver AS Java requests that are not completed may not be recoverable when the server is back online.

    Complete the following procedure to remove the Tivoli Identity Manager Adapter for SAP Netweaver AS Java and directories.

    1. Run the SAP Deploy Tool and follow the SAP documentation for removing a deployed application.

    2. Open Windows Explorer and execute the uninstaller: Agent_Install_Dir/_uninst/uninstaller.exe

    The Welcome dialog window appears.

    3. Click Next.

    The Tivoli Identity Manager Adapter for SAP Netweaver AS Java components are deleted.

    4. Click Finish. You will be prompted to reboot your system.

    Note: Inspect the directory tree for Tivoli Identity Manager Adapter for SAP Netweaver AS Java directories, subdirectories, and files to verify that uninstall is complete. The Tivoli Identity Manager Adapter for SAP Netweaver AS Java should no longer appear in the Services dialog window.


  • Appendix A. Adapter Variables

    The Tivoli Identity Manager Adapter for SAP Netweaver AS Java consists of files and directories owned by the Tivoli Identity Manager account. The Tivoli Identity Manager-owned files establish communication with the Tivoli Identity Manager Server.

    Adapter Logging

    By default, the adapter logs to the SAP console, which is also written to file by SAP. The default logging level is set to warning, which occurs when the adapter encounters an error during processing.

    This setting can be overridden by modifying the itim.agent.log.severity parameter, found in the adapter's web.xml file. The default location for this file is:

    /usr/sap//JC/j2ee/cluster/server0/apps/sap.com//servlet_jsp/umeagent/root/WEB-INF/web.xml

    If you modify the severity, you must save the changes then restart the application for the changes to take effect. For example:

    itim.agent.log.severity INFO

    where allowable severities include the following:

    | Severity | Detail |
    |---|---|
    | INFO | Debugging detail level, including the entry of each method and setting of attributes. CAUTION: When INFO is specified, all data is logged, including any passwords. This severity is intended for debugging only. Care should be taken to ensure log files containing passwords are secured following organizational procedures. |
    | WARNING | The default level. The error or message does not normally affect the operation. |
    | FATAL | Unrecoverable error that causes an exception within the adapter. |

    Adapter User Mapping System Aliases Configuration

    To enable User Mapping Data functionality of the adapter, the system aliases of SAP must be configured (see Step 4: Enabling User Mapping Data on page 6).

    The default path is systemAliases.properties in the root directory of the SAP server. To change this path, you must modify the adapter web.xml file with the updated filename and path and ensure the file is located in the new path.

    For example, to specify a filename of usermapping.properties in the WEB-INF directory of the irj application (the same directory as the web.xml file), the following changes would be required in the adapter web.xml file:

    itim.agent.systemalias.file

    services\servlet_jsp\work\jspTemp\irj\root\WEB-INF\usermapping.properties

    Any changes to the web.xml file must be saved, then the application restarted, for the changes to take effect.
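    The three adapter parameters described in this guide (itim.agent.log.severity, itim.agent.user.mapping and itim.agent.systemalias.file) can be reviewed with a short script after each change to web.xml. The following is an added example, not part of the adapter or of IBM's tooling; it assumes the parameters are stored as standard servlet init-param or context-param entries, and both sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

# Severities and default as listed in this guide.
SEVERITIES = ("INFO", "WARNING", "FATAL")
DEFAULT_SEVERITY = "WARNING"


def _local(tag):
    """Strip an XML namespace, so DTD-based and schema-based web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def read_adapter_params(web_xml_text):
    """Collect every itim.agent.* parameter from a web.xml document.

    Assumption: the adapter reads them from <init-param> or <context-param>
    entries made of <param-name>/<param-value>; both are accepted here.
    """
    params = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) not in ("init-param", "context-param"):
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        name = fields.get("param-name", "")
        if name.startswith("itim.agent."):
            params[name] = fields.get("param-value", "")
    return params


def audit_web_xml(web_xml_text):
    """Return findings for settings this guide flags as risky or inconsistent."""
    params = read_adapter_params(web_xml_text)
    findings = []

    severity = params.get("itim.agent.log.severity", DEFAULT_SEVERITY).upper()
    if severity == "INFO":
        findings.append("log severity INFO: all data is logged, including passwords")
    elif severity not in SEVERITIES:
        findings.append(f"log severity {severity!r} is not one of {SEVERITIES}")

    mapping = params.get("itim.agent.user.mapping", "false").lower()
    if mapping not in ("true", "false"):
        findings.append(f"itim.agent.user.mapping has unexpected value {mapping!r}")
    if "itim.agent.systemalias.file" in params and mapping != "true":
        findings.append("system alias file is configured but user mapping is disabled")
    return findings


# Constructed sample: debugging left switched on, alias file set, mapping off.
SAMPLE_DEBUG = """<web-app>
  <servlet>
    <servlet-name>umeagent</servlet-name>
    <init-param>
      <param-name>itim.agent.log.severity</param-name>
      <param-value>INFO</param-value>
    </init-param>
    <init-param>
      <param-name>itim.agent.user.mapping</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>itim.agent.systemalias.file</param-name>
      <param-value>systemAliases.properties</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Constructed sample: namespaced descriptor, default severity, mapping enabled.
SAMPLE_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>itim.agent.user.mapping</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    for label, text in (("debug", SAMPLE_DEBUG), ("default", SAMPLE_DEFAULT)):
        print(label, audit_web_xml(text) or "no findings")
```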

    Variable Descriptions

    The Tivoli Identity Manager Server communicates with the Tivoli Identity Manager Adapter for SAP Netweaver AS Java using variables included in transmission packets sent over a network. The combination of variables, included in the packets, depends on the type of action the Tivoli Identity Manager Server requests from the Tivoli Identity Manager Adapter for SAP Netweaver AS Java.

    The following table is an alphabetical listing of the variables used by the Tivoli Identity Manager Adapter for SAP Netweaver AS Java. The table gives a brief description and the data format associated with the variable.

    Table 4. Variable descriptions

    | Variable | Directory Server Attribute | Description | Data Type |
    |---|---|---|---|
    | Last Name | erep6lastname | User Last Name | String |
    | First Name | erep6firstname | User First Name | String |
    | E-mail Address | epep6email | User email address (must have @ symbol in the address) | String |
    | Language | erep6language | User Language | Drop down list |
    | erPassword | erPassword | User account Password (must be less than or equal to 10 characters) | Character String Password |
    | User id | erUid | User account used to log on to SAP (must be at least 6 characters) | String |
    | User Mapping Data | erep6umds | User Mapping Data from SAP | Custom Widget |
    | Telephone | erep6phone | User telephone | String |
    | Fax | erep6fax | User fax | String |
    | Mobile | erep6mobile | User mobile/cell | String |
    | Street | erep6street | Street address | String |
    | City | erep6city | City | String |
    | State/Province | erep6state | State/Province | String |
    | Zip/Postal Code | erep6zip | Zip/Postal Code | String |
    | Country | erep6country | Country | Drop down list |
    | Timezone | erep6timezone | Timezone | Drop down list |
    | Position | erep6position | Position | String |
    | Department | erep6department | Department | String |
    | Roles | erep6roles | Assigned roles | List section |
    | Role ID | erep6roleid | Unique Role ID from SAP | String |
    | Role Name | erep6rolename | Role Name from SAP | String |
    | Groups | erep6groups | Group memberships | List selection |
    | Group ID | erep6groupid | Unique group ID from SAP | String |
    | Group Name | erep6groupname | Group name from SAP | String |
    | Active Accessibility Features | erep6accessibility | Accessibility functionality (screen reader, etc) | Boolean (checkbox) |

    Variables by Tivoli Identity Manager Adapter for SAP Netweaver AS Java Actions

    The following lists are typical Tivoli Identity Manager Adapter for SAP Netweaver AS Java actions by their functional transaction group. The lists include more information about required and optional variables sent to the Tivoli Identity Manager Adapter for SAP Netweaver AS Java to complete that action.

    System Login Add

    A Login Add is a request to create a new user account in the domain with the specified attributes.

    Table 5. Add function attributes

    | Required Variables | Optional Variables |
    |---|---|
    | User Id | All other supported attributes. |
    | First Name | |
    | Last Name | |
    | E-mail address | |
    | Password | |

    System Login Modify

    Use the Change function to change one or more attributes for the specified users.

    Table 6. Modify function attributes

    | Required Variables | Optional Variables |
    |---|---|
    | User Id (Note: User Id cannot be modified.) | All other supported attributes. |

    System Login Delete

    The Delete function removes the specified user from the active directory.

    Table 7. Delete function

    | Required Variables | Optional Variables |
    |---|---|
    | User Id | None |

    System Login Suspend Use the Suspend function to disable a user account. The user is neither removed nor are their attributes modified.

    Table 8. Suspend function

    Required Variables Optional Variables

    User Id None

    System Login Restore Use the Restore function to re-activate a user account that was previously suspended. After Restoring, the user can access the system with the same attributes as those before the Suspend function is called.

    Table 9. Suspend function

    Required Variables Optional Variables

    User Id None

    Reconciliation

    The Reconciliation function synchronizes user account information between Tivoli Identity Manager and the adapter. The following is a full set of access attributes returned by reconciliation. An asterisk (*) denotes attributes that are for informational purposes only.

    Table 10. Reconciliation function

    | Attributes Returned During Reconciliation |
    |---|
    | All supported attributes |

    Note: The adapter does not currently support filtered searches or reconciliation with more than one condition (such as and, not, or), or with an attribute other than erUid (such as erep6city or erep6email).
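    A pre-flight check for the request rules in Tables 5 to 9 and the reconciliation note above, as an added example (not IBM's adapter code). It assumes the reconciliation filter is an LDAP string filter and reads the note as allowing at most one condition on erUid; the function names and action keys are hypothetical.

```python
import re

# Required variables per action, from Tables 5 to 9 (display names as printed).
# The lower-case action keys are labels chosen for this example.
REQUIRED = {
    "add": ["User Id", "First Name", "Last Name", "E-mail address", "Password"],
    "modify": ["User Id"],
    "delete": ["User Id"],
    "suspend": ["User Id"],
    "restore": ["User Id"],
}
# Tables 7 to 9 list "None" under optional variables.
NO_OPTIONAL = {"delete", "suspend", "restore"}

def check_request(action, variables, changed=()):
    """Return the problems found in one request; an empty list means it passes."""
    if action not in REQUIRED:
        return ["unknown action: " + action]
    problems = ["missing required variable: " + name
                for name in REQUIRED[action]
                if not str(variables.get(name) or "").strip()]
    if action == "modify" and "User Id" in changed:
        problems.append("User Id cannot be modified")
    if action in NO_OPTIONAL:
        problems += ["unexpected variable: " + name
                     for name in sorted(variables) if name != "User Id"]
    return problems

# Assumption: the filter is an LDAP string filter such as (erUid=jdoe).
SINGLE = re.compile(r"^\(\s*([A-Za-z][A-Za-z0-9;-]*)\s*=\s*([^()]+)\)$")

def check_recon_filter(ldap_filter):
    """Return the problems with a reconciliation filter; empty list means OK."""
    text = (ldap_filter or "").strip()
    if not text:
        return []  # no filter: full reconciliation
    if re.match(r"^\(\s*[&|!]", text):
        return ["filters combined with and, or, not are not supported"]
    match = SINGLE.match(text)
    if not match:
        return ["not a single (attribute=value) condition"]
    if match.group(1).lower() != "eruid":  # LDAP attribute names ignore case
        return ["attribute " + match.group(1) + " is not supported; use erUid"]
    return []

if __name__ == "__main__":
    # Constructed sample requests, not taken from a real system.
    print(check_request("add", {"User Id": "jdoe", "First Name": "Jane"}))
    print(check_request("modify", {"User Id": "jdoe"}, changed=["User Id"]))
    print(check_recon_filter("(&(erUid=jdoe)(erep6city=Austin))"))
    print(check_recon_filter("(erep6email=jdoe@example.com)"))
```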


  • Troubleshooting

    This section contains information that may be of assistance when troubleshooting any problems with the adapter.

    Check Adapter Deployment

    If you are unable to connect to the adapter servlet through an Identity Manager server request, ensure the adapter has been successfully deployed and that the SAP server has started.

    To do this:
    1. Open a Web browser.
    2. Enter the URL to the adapter servlet (as noted when deploying the servlet).
    3. Ensure that the Agent Error page is displayed. Seeing this error message ensures the adapter has accepted the request and identified that it is not a valid Tivoli Identity Manager server request.

    If you receive an error other than this, check the deployment of the adapter on the SAP server. After you have checked this, ensure you have copied the URL to the adapter servlet correctly. Repeat the above check as necessary. Once successful, enter the correct URL in the Adapter Profile configuration.

    Check Console Output

    Currently all output from the adapter is displayed on the SAP console where the adapter is executed (in the case of a SAP Clustered environment).

    Check the console error messages for details on any fatal errors.

    For all other errors, check the error messages associated with failed requests on the Identity Manager server.


  • Appendix B. Support information

    This section describes the following options for obtaining support for IBM products:
    - Searching knowledge bases
    - Obtaining fixes
    - Contacting IBM Software Support

    Searching knowledge bases

    If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

    Search the information center on your local system or network

    IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

    Search the Internet

    If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:
    - IBM Tivoli Identity Manager Performance Tuning Guide: Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
    - Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link.
    - Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/
    - Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
    - For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/


  • Obtaining fixes

    A product fix might be available to resolve your problem. You can determine what fixes are available for your IBM software product by checking the product support Web site:
    1. Go to the IBM Software Support Web site (http://www.ibm.com/software/support).
    2. Under Products support pages A to Z, select the letter for your product name.
    3. In the list of specific products, click IBM Tivoli Identity Manager.
    4. Under Self help, you find a list of fixes, fix packs, and other service updates for your product.
    5. Click the name of a fix to read the description and optionally download the fix.

    To receive weekly e-mail notifications about fixes and other news about IBM products, follow these steps:
    1. From the support page for any IBM product, click My support in the upper-left corner of the page.
    2. If you have already registered, skip to the next step. If you have not registered, click register in the upper-right corner of the support page to establish your user ID and password.
    3. Sign in to My support.
    4. On the My support page, click Edit profiles in the left navigation pane, and scroll to Select Mail Preferences. Select a product family and check the appropriate boxes for the type of information you want.
    5. Click Submit.
    6. For e-mail notification for other products, repeat Steps 4 and 5.

    For more information about types of fixes, see the Software Support Handbook (http://techsupport.services.ibm.com/guides/handbook.html).

    Contacting IBM Software Support

    IBM Software Support provides assistance with product defects.

    Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:
    - For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
      - Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll.
      - By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
    - For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

    If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

    Follow the steps in this topic to contact IBM Software Support:
    1. Determine the business impact of your problem.
    2. Describe your problem and gather background information.
    3. Submit your problem to IBM Software Support.

    Determine the business impact of your problem

    When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

    - Severity 1: Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.
    - Severity 2: Significant business impact: The program is usable but is severely limited.
    - Severity 3: Some business impact: The program is usable with less significant features (not critical to operations) unavailable.
    - Severity 4: Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.

    Describe your problem and gather background information

    When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
    - What software versions were you running when the problem occurred?
    - Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
    - Can the problem be re-created? If so, what steps led to the failure?
    - Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
    - Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

    Submit your problem to IBM Software Support

    You can submit your problem in one of two ways:
    - Online: Go to the Submit and track problems page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
    - By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

    If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions.

    For more information about problem resolution, see Searching knowledge bases and Obtaining fixes.


  • Appendix C. Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


  • Licensees of this program who