Tivoli® Identity Manager
Adapter for SAP NetWeaver AS ABAP
Installation and Configuration Guide
Version 4.6
SC32-1194-11
Note
Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 71
Eleventh Edition (November, 2006)
This edition applies to version 4.6.6 of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and to all
subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous
editions.
© Copyright International Business Machines Corporation 2004, 2005, 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Preface  v
  Who should read this book  v
  Publications and related information  v
  Tivoli Identity Manager library  v
  Prerequisite Product Publications  vii
  Related Publications  viii
  Accessing publications online  viii
  Accessibility  viii
  Support information  ix
  Conventions used in this book  ix
  Typeface conventions  ix
  Operating system differences  ix
  Definitions for HOME directory variables  x

Chapter 1. Overview  1

Chapter 2. Adapter Installation  3
  Requirements  3
  Step 1: Testing Network Connectivity  8
  Step 2: Installing the Adapter  9
  Step 3: Importing the Transport Files  11
  Step 4: Activating the Adapter as a Service  13
  Step 5: Configuring the Adapter  13
  Step 6: Installing the Adapter’s Certificate  13
  Step 7: Installing the Adapter’s Profile  13
  Step 8: Configuring the Adapter’s Forms  14

Chapter 3. Adapter Profile Installation  17
  Introduction  17
  Requirements  17
  Installing the Adapter Profile  17
  Verifying the Adapter Profile is Installed  18

Chapter 4. Adapter Parameters Modification  19
  Accessing the Adapter Configuration Tool Main Menu  19
  Viewing Configuration Settings  20
  Changing Protocol Configuration Settings  21
  Adding a Protocol  21
  Removing a Protocol  21
  Configuring a Protocol  22
  Setting Event Notification  24
  Setting Attributes to be Reconciled  26
  Modifying an Event Notification Context  27
  Changing the Configuration Key  28
  Changing Activity Logging Settings  28
  Changing Registry Settings  30
  Modifying Non-encrypted Registry Settings  31
  Modifying Encrypted Registry Settings  31
  Multi-instance Settings  32
  Changing Advanced Settings  32
  Viewing Statistics  33
  Changing code page settings  34
  Accessing Help and Additional Options  34

Chapter 5. Certificate Installation  37
  Introduction  37
  Overview of SSL and Digital Certificates  37
  Basic Configuration for Server-to-Adapter SSL  38
  Clustered Tivoli Identity Manager Configuration  39
  Accessing the Certificate Configuration Tool Main Menu  39
  Generating a Private Key and Certificate Request  41
  Example of Certificate Request Script  42
  Example of request.pem File  42
  Installing the Certificate from a File  42
  Installing the Certificate and Key from a PKCS12 File  43
  Viewing Installed Certificates  43
  Viewing CA Certificates  43
  Installing a CA Certificate  44
  Deleting a CA Certificate  44
  Viewing Registered Certificates  44
  Registering a Certificate  44
  Unregistering a Certificate  45
  Exporting a certificate and key to PKCS12 file  45

Appendix A. Adapter Variables  47
  Variable Descriptions  47
  Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions  53
  System Login Add  53
  System Login Change  54
  System Login Delete  54
  System Login Suspend  55
  System Login Restore  55
  Reconciliation  56

Appendix B. SAP Account Requirements  59
  SAP Objects  59
  SAP User  59

Appendix C. Additional Installation Options  63
  Installation Options  63
  Setup Arguments  63
  Adapter Removal  63

Appendix D. Example Deployment Scenarios  65
  Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking  65
  Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking  66

Appendix E. Support information  67
  Searching knowledge bases  67
  Search the information center on your local system or network  67
  Search the Internet  67
  Contacting IBM Software Support  67
  Determine the business impact of your problem  68
  Describe your problem and gather background information  69
  Submit your problem to IBM Software Support  69

Appendix F. Notices  71
  Trademarks  72
iv IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide
Preface
The IBM® Tivoli® Identity Manager Adapter for SAP® NetWeaver AS ABAP®
enables connectivity between Tivoli Identity Manager and a network of systems
running SAP NetWeaver AS ABAP. This document describes the procedural steps
that are required to install and configure the adapter.
This document assumes that both Tivoli Identity Manager and SAP NetWeaver AS
ABAP are installed, configured and running on your network. No details are
provided regarding the installation and configuration of these products, except
where necessary to achieve integration.
Who should read this book
This manual is intended for security administrators responsible for installing
software on their site’s computer systems. Readers are expected to understand
security administration concepts.
The person completing the installation procedure should also be familiar with their
site’s system standards. Readers should be able to perform routine security
administration tasks.
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite Product
Publications” on page vii and the “Related Publications” on page viii. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page viii.
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration
Release Information:
• IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and
  additional fix, patch, and other support information.
• IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.
Online user assistance:
Provides online help topics and an information center for all Tivoli Identity
Manager administrative tasks. The information center includes information that
was previously provided in the IBM Tivoli Identity Manager Configuration Guide and
the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments provides installation and configuration information for Tivoli Identity
Manager.
Configuration information that was previously provided in the IBM Tivoli Identity
Manager Configuration Guide is now included in either the installation guide or in
the IBM Tivoli Identity Manager Information Center.
Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem
determination, logging, and message information for the Tivoli Identity Manager
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a
  production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then, click the Tivoli Identity
  Manager link. Browse the information center for the Technical Supplements
  section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks
  link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the
  following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/
Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes
an evolving set of platform-specific installation documents for the adapter
components of a Tivoli Identity Manager Server implementation. Locate adapters
on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Other resources section, and click the link for the current
inventory of adapters.
Skills and training:
The following additional skills and technical training information were available at
the time that this manual was published:
• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite Product Publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for Tivoli Identity Manager Server. Publications are
available from the following locations:
• Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html
Related Publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
• The Tivoli Software Library provides a variety of Tivoli publications such as
  white papers, datasheets, demonstrations, redbooks, and announcement letters.
  The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms
  related to Tivoli software. The Tivoli Software Glossary is available from the
  Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the Tivoli Identity Manager
link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your local paper.
Accessibility
The product documentation includes the following features to aid accessibility:
• Documentation is available in convertible PDF format to give the maximum
  opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users
  with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
• Searching knowledge bases: You can search across a large collection of known
  problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your
  product.
• Contacting IBM Software Support: If you still cannot solve your problem, and
  you need to work with someone from IBM, you can use a variety of ways to
  contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix E,
“Support information,” on page 67.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This guide uses the following typeface conventions:
Bold
  • Lowercase commands and mixed case commands that are otherwise
    difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin
    buttons, fields, folders, icons, list boxes, items inside list boxes,
    multicolumn lists, containers, menu choices, menu names, tabs, property
    sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text
Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values you must provide
Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult
    to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path for the Windows operating system is drive:\Program Files. The
value of path for the AIX operating system is /usr. The value of path is /opt for
other UNIX and Linux operating systems.
Path Variable: Default Definition / Description

DB_INSTANCE_HOME
  Windows: path\IBM\SQLLIB
  UNIX and Linux:
    • AIX, Linux: /home/dbinstancename
    • Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for Tivoli Identity Manager.

LDAP_HOME
  • IBM Directory Server
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
  • Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

HTTP_HOME
  Windows: path\IBMHttpServer
  UNIX and Linux: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Windows: path\IBM\itim
  UNIX and Linux: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code,
  configuration, and documentation.

WAS_HOME
  Windows: path\WebSphere\AppServer
  UNIX and Linux: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

WAS_MQ_HOME
  Windows: path\IBM\WebSphereMQ
  UNIX and Linux: path/mqm
  Description: The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Windows: path\WebSphere\DeploymentManager
  UNIX and Linux: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager.

Tivoli_Common_Directory
  Windows: path\IBM\Tivoli\Common\CTGIM
  UNIX and Linux: path/IBM/Tivoli/Common/CTGIM
  Description: The central location for all serviceability-related files, such as
  logs and first-failure capture data.
Chapter 1. Overview
This installation guide provides all of the basic information necessary to install and
configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. On
successful installation, the adapter enables IBM Tivoli Identity Manager to
provision access to your network’s SAP NetWeaver AS ABAP resources.
The basic procedures required to install, configure, and run the adapter are as
follows:
• Install the adapter software.
• Activate the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP as a
  service on the adapter’s system.
• Configure the adapter’s communication protocols to enable the Tivoli Identity
  Manager Adapter for SAP NetWeaver AS ABAP to communicate with the Tivoli
  Identity Manager Server.
• Install the adapter’s profile on the Tivoli Identity Manager Server.
• Configure the Tivoli Identity Manager Server to recognize the adapter as a
  service.
Chapter 2. Adapter Installation
This chapter describes the steps required to install and configure the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP software. You must complete the
steps in the order they are listed.
This chapter has the following sections:
• “Requirements”
• “Step 1: Testing Network Connectivity” on page 8
• “Step 2: Installing the Adapter” on page 9
• “Step 3: Importing the Transport Files” on page 11
• “Step 4: Activating the Adapter as a Service” on page 13
• “Step 5: Configuring the Adapter” on page 13
• “Step 6: Installing the Adapter’s Certificate” on page 13
• “Step 7: Installing the Adapter’s Profile” on page 13
• “Step 8: Configuring the Adapter’s Forms” on page 14
Requirements
The following sections identify the hardware, software, and authorization
requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP. Verify that all of the requirements have been met before installing the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP.
System
The adapter must be installed on a server with a 32-bit x86-based
microprocessor (486 minimum), at least 512 MB of memory, and at least
300 MB of free disk space.
Operating System
  Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2
  Solaris version 2.8
  AIX 5.x
SAP NetWeaver AS ABAP Software
SAP 4.6C, 4.6D, 6.10, 6.20, 6.40 or 7.00 must be installed and operational on
a system that is accessible from the machine where the adapter is installed.
The adapter will work with the SAP system even if the Central User
Administration (CUA) feature is installed and configured.
Note: Each SAP NetWeaver AS ABAP 4.6 system must be patched to the
following levels or higher:
• ABA Support Package 22 for 4.6C
• R/3 Support Package 21 for 4.6C
• Basis Support Package 31 for 4.6C
• R/3 HR Support Package 27
Each SAP NetWeaver AS ABAP 6.20 system should be patched at
the following levels or higher:
• SAP_BASIS 620 0042 SAPKB62043
• SAP_ABA 620 0042 SAPKA62043
Each SAP NetWeaver AS ABAP 6.40 system should be patched at
the following levels or higher:
• SAP_BASIS 640 0000
• SAP_ABA 640 0000
Each SAP NetWeaver AS ABAP 700 system should be patched at the
following levels or higher:
• SAP_BASIS SAPKB70000
• SAP_ABA SAPKA70000
The adapter also requires the 32-bit SAP SDK runtime library (for
Win32 it is librfc32.dll, for Solaris it is librfccm.so, for AIX it
is librfccm.o). Get this library from the SAP presentation CDs or
download it from the SAP Market Place Web site. After installation of
the adapter, place this library in the adapter’s lib directory or set
your path to make it accessible.
For Solaris, export the environment variable LD_LIBRARY_PATH to
include the adapter’s lib directory with a command such as the
following:
export LD_LIBRARY_PATH=Adapter_Install_dir/lib:$LD_LIBRARY_PATH
For AIX, export the environment variable LIBPATH to include the
adapter’s lib directory with a command such as the following:
export LIBPATH=Agent_Install_dir/lib:$LIBPATH
For Windows, place the library in either the system32 directory or
the adapter’s bin directory, or set the Path environment variable to
make it accessible.
The adapter will not run without this library!
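As an added illustration of the library-path requirement just described (this is example code, not code from the IBM guide), the following POSIX shell functions check that the platform's RFC runtime library is readable in the adapter's lib directory and produce the matching export statement for Solaris (LD_LIBRARY_PATH) or AIX (LIBPATH). ADAPTER_HOME is an assumed placeholder for the adapter installation directory; Windows is not covered here because on that platform the file is placed on the Path rather than exported.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-flight check that the 32-bit SAP
# RFC runtime library the adapter loads is present in the adapter's lib
# directory, plus the export statement that makes that directory visible to
# the dynamic loader. ADAPTER_HOME is an assumed placeholder.

# Library file name per platform, as listed in the requirements section.
rfc_lib_name() {
  case "$1" in
    SunOS) echo librfccm.so ;;
    AIX)   echo librfccm.o ;;
    *)     echo "no library-path check for platform: $1" >&2; return 1 ;;
  esac
}

# Loader search-path variable per platform (Solaris: LD_LIBRARY_PATH, AIX: LIBPATH).
rfc_path_var() {
  case "$1" in
    SunOS) echo LD_LIBRARY_PATH ;;
    AIX)   echo LIBPATH ;;
    *)     return 1 ;;
  esac
}

# Export statement that prepends <install dir>/lib and keeps the existing value.
rfc_export_line() {
  var=$(rfc_path_var "$1") || return 1
  echo "export $var=$2/lib:\$$var"
}

# Succeeds only if the platform library exists and is readable in <install dir>/lib.
rfc_lib_present() {
  lib=$(rfc_lib_name "$1") || return 1
  [ -r "$2/lib/$lib" ]
}

# Stand-alone use: report on the current host when ADAPTER_HOME is set.
if [ "${ADAPTER_HOME:-}" ]; then
  os=$(uname -s)
  if rfc_lib_present "$os" "$ADAPTER_HOME"; then
    echo "found $(rfc_lib_name "$os") in $ADAPTER_HOME/lib"
    rfc_export_line "$os" "$ADAPTER_HOME"
  else
    echo "SAP RFC library missing from $ADAPTER_HOME/lib; the adapter will not start" >&2
  fi
fi
```

Run it as `ADAPTER_HOME=/opt/adapter sh rfccheck.sh` before activating the adapter as a service; a missing library shows up here rather than as a failed service start later.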
SAP Authority
The administrator installing the Tivoli Identity Manager Adapter must
have general SAP Basis resources to perform a transport import of RFC
(Remote Function Call) and related objects as well as to set up OS-specific
directories and authorizations. The Security Administrator must create the
CPIC (Common Programming Interface for Communications) or System
user for use by the adapter to connect to the SAP NetWeaver AS ABAP
system via the external RFC interface.
SAP User
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user
must be authorized to perform user account administration:
• Add
• Modify
• Delete
• Lock
• Unlock
• Retrieve user detail
• Retrieve supporting data
• Set, unset and retrieve HR infotype 0105 (Communication) subtypes only
  if the SAP HR module is installed on a SAP system in your SAP
  environment.
To perform these tasks, at a minimum, a Role should be assigned with at
least these SAP authorization objects assigned to it. You may wish to create
a specific Role only for use by this SAP user account. This can be
accomplished using transaction SU02 via the SAP GUI.
• S_RFC (SAP R/3 6.20)
• S_RFCACL (SAP R/3 6.20)
• S_TABU_DIS
• S_USER_GRP
• S_USER_AGR
• S_USER_PRO
• S_USER_SYS
• P_ORGIN (Required for HR linking only)
In addition, the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP user type should be set to Communication (CPIC) or System and
not Dialog.
SAP Transport Files
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
requires custom RFCs and BAPIs. These custom RFCs and BAPIs are
provided in transport files packaged with the adapter and are therefore
only available after adapter installation. These transport file packages must
be imported into your SAP system prior to running the adapter. The
transport files you must import into your SAP system vary depending on
your site’s configuration of SAP. The adapter will not function without one
of these transport files in place. Select the transport file based on the
version of your SAP system.
The transport files WITHOUT HR Linking are as follows:
• For NON-CUA (4.6C, 4.6D and 6.10):
  – TV2K900065 (cofile = K900065.TV2, data = R900065.TV2)
• For NON-CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900069 (cofile = K900069.TV2, data = R900069.TV2)
  – Unicode:
    - TV1K900228 (cofile = K900228.TV1, data = R900228.TV1)
• For CUA (4.6C, 4.6D and 6.10):
  – TV2K900067 (cofile = K900067.TV2, data = R900067.TV2)
• For CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900071 (cofile = K900071.TV2, data = R900071.TV2)
  – Unicode:
    - TV1K900230 (cofile = K900230.TV1, data = R900230.TV1)
• For HR InfoType 0105 Support, import one of the transport files below
  into the targeted SAP HR system. These transports contain the
  functionality to link the HR Personnel record to the SAP user account by
  assigning the account an SAP HR Personnel Number. You can link the
  HR record in both CUA and non-CUA SAP environments. If your HR
  system is a child system in a CUA environment, three actions are
  required for the adapter to link HR personnel records:
  1. Import one of TV2K900100 or TV1K900411 into the CUA Master
     system. Then import the CUA Master transport into the CUA master
     system.
  2. Import the non-CUA transport into your child system.
  3. An RFC destination of type R3 Connection must exist in the CUA
     master system. This RFC destination connects to your HR system.
     The Gateway services file on the CUA Master system must be
     configured for the gateway service of your HR system. There should
     already be an RFC Destination to the child HR System which is
     used as part of the CUA configuration. If you do not wish to use
     this RFC destination, you can create one. An RFC destination
     requires the following details:
     – SAP user account on HR system with HR authorization.
     – SAP user account password on HR system.
     – HR system’s host name or IP address.
     – HR system’s SAP system number.
     Use the SAP GUI transaction SM59 to create RFC destinations.
The transports WITH HR linking are as follows:
• For NON-CUA (4.6C, 4.6D and 6.10):
  – TV2K900096 (cofile = K900096.TV2, data = R900096.TV2)
• For NON-CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900098 (cofile = K900098.TV2, data = R900098.TV2)
  – Unicode:
    - TV1K900409 (cofile = K900409.TV1, data = R900409.TV1)
• For CUA (4.6C, 4.6D and 6.10):
  – TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
  – TV2K900097 (cofile = K900097.TV2, data = R900097.TV2)
• For CUA (6.20 and 6.40):
  – Non-unicode:
    - TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
    - TV2K900099 (cofile = K900099.TV2, data = R900099.TV2)
  – Unicode:
    - TV1K900411 (cofile = K900411.TV1, data = R900411.TV1)
    - TV1K900410 (cofile = K900410.TV1, data = R900410.TV1)
These transport files contain custom RFCs (BAPIs), data elements and
tables used by the adapter in various operations:
Table 1. Transport Identifiers and Contents
Transport    Unicode  HR   CUA  Transport Contents
Identifier
TV2K900065   NO       NO   NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                /TIVSECTY/TIM_USER_ADD_46C (RFC)
TV2K900096   NO       YES  NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                /TIVSECTY/TIM_USER_HR_620 (RFC)
TV2K900067   NO       NO   YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
TV2K900097   NO       YES  YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_46C (RFC)
                                /TIVSECTY/TIM_USER_PWD_46C (RFC)
                                /TIVSECTY/TIM_USER_ADD_46C (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_46C (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
                                /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                /TIVSECTY/TIM_READ_TABLE_620 (RFC)
TV2K900069   NO       NO   NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
TV2K900098   NO       YES  NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_HR_620 (RFC)
TV2K900071   NO       NO   YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
TV2K900099   NO       YES  YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
                                /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                /TIVSECTY/TIM_READ_TABLE_620 (RFC)
TV2K900100   NO       YES  YES  /TIVSECTY/HRDELIMITDATE (Data Element)
                                /TIVSECTY/P0105NL (Table)
TV1K900228   YES      NO   NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
TV1K900409   YES      YES  NO   /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_HR_620 (RFC)
TV1K900230   YES      NO   YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
TV1K900410   YES      YES  YES  /TIVSECTY/TIM_USER_LIST_620 (RFC)
                                /TIVSECTY/TIM_USER_USR02_620 (RFC)
                                /TIVSECTY/TIM_USER_CHG_620 (RFC)
                                /TIVSECTY/TIM_USER_PWD_620 (RFC)
                                /TIVSECTY/TIM_USER_ADD_620 (RFC)
                                /TIVSECTY/TIM_USER_SUBSYS_620 (RFC)
                                /TIVSECTY/TIM_SYSTEMS (Structure)
                                /TIVSECTY/TIM_USER_CUAHR_620 (RFC)
                                /TIVSECTY/TIM_READ_TABLE_620 (RFC)
TV1K900411   YES      YES  YES  /TIVSECTY/HRDELIMITDATE (Data Element)
                                /TIVSECTY/P0105NL (Table)
Network Connectivity
The adapter must be installed on a system that can communicate with the
Tivoli Identity Manager Server through a TCP/IP network.
System Administrator Authority
The person completing the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP installation procedure must have system
administrator authority to complete the steps in this chapter.
Server Communication
Communication between the Tivoli Identity Manager Server and the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP should be tested
with a low-level communication ping before installing any IBM software.
This makes troubleshooting easier if you encounter installation problems.
Step 1: Testing Network Connectivity
This step tests basic network connectivity and file transfer capability. Testing is
done between the Windows workstation where the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP will be installed, and the workstation where
the Tivoli Identity Manager Server is or will be located.
You must issue a ping command from the Tivoli Identity Manager to the
designated adapter workstations to verify communication.
1. Log on to the host running the SAP NetWeaver AS ABAP Adapter.
2. Test communication between the Tivoli Identity Manager Server and the host
running the SAP NetWeaver AS ABAP Adapter:
# ping ITIM_Server_host_name/IP_address
3. Test communication between the host running the SAP NetWeaver AS ABAP
Adapter and the host running SAP NetWeaver AS ABAP Server. You will need
to know the SAP instance number for this step (default SAP NetWeaver AS
ABAP installations have the instance number 00). If the instance number is
different, make the port number below 33<instance_number>. If the instance
number was 80, then the port would become 3380 in the telnet command:
telnet SAP_NetWeaver_AS_ABAP_Server_host_name/IP_address 3300
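The two hops above can also be checked without a telnet client, which is often missing from hardened hosts. The script below is an added example and is not part of the IBM guide. It assumes bash (for the /dev/tcp redirection), the coreutils timeout utility, and a ping that accepts -c; host names and instance numbers are supplied by the caller. It derives the dispatcher port 33<instance_number> exactly as the text describes and rejects anything that is not a two-digit instance number, so a typo cannot quietly probe the wrong port.

```shell
# Added example, not from the IBM guide. Assumes bash and GNU coreutils
# `timeout`; host names and instance numbers are supplied by the caller.

# Dispatcher port is 33<NN> for a two-digit SAP instance number NN
# (3300 for the default instance 00, 3380 for instance 80). Anything else
# is rejected instead of being turned into a port number.
sap_dispatcher_port() {
    case "$1" in
        [0-9][0-9]) printf '33%s\n' "$1" ;;
        *) printf 'invalid SAP instance number: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Open and close a TCP connection to host:port with a timeout (default 5s).
# Exit status 0 means a listener answered; non-zero means refused, filtered
# or timed out. Uses bash's /dev/tcp so no telnet or nc binary is needed.
tcp_check() {
    host=$1; port=$2; secs=${3:-5}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Pre-flight from the adapter host: ICMP reachability of the ITIM server
# (the ping the guide asks for) plus a TCP handshake with the SAP dispatcher.
# Prints one verdict per hop and returns non-zero if either hop failed.
preflight() {
    itim_host=$1; sap_host=$2; instance=$3; status=0
    if ping -c 1 "$itim_host" >/dev/null 2>&1; then
        echo "OK    ping $itim_host"
    else
        echo "FAIL  ping $itim_host (ICMP filtered, or host down)"; status=1
    fi
    port=$(sap_dispatcher_port "$instance") || return 1
    if tcp_check "$sap_host" "$port"; then
        echo "OK    tcp $sap_host:$port (dispatcher for instance $instance)"
    else
        echo "FAIL  tcp $sap_host:$port (firewall, wrong instance, or SAP down)"
        status=1
    fi
    return "$status"
}

# Usage: preflight ITIM_Server_host_name SAP_NetWeaver_AS_ABAP_Server_host_name 00
```

Run it once before the installer and again after any firewall change; a FAIL on the dispatcher hop with a correct instance number usually points at a host firewall between the adapter host and the SAP application server.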
Step 2: Installing the Adapter
An executable installation program is provided for the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP. When you run the installation program,
you can accept the default settings or select new values.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation
files are available for download from IBM’s Web site. Contact your IBM account
representative for the Web address and download instructions.
To install the adapter, do the following:
1. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
installation zip file from IBM’s Web site.
2. Extract the contents of the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP installation zip file into a temporary directory.
3. Complete one of the following:
For a Tivoli Identity Manager Adapter installed on a UNIX platform:
a. Change the working directory to the temporary directory where
you extracted the profile installation file.
# cd /tmp
where tmp is the path of the directory containing the adapter
installation file.
b. Run the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP adapter installation binary that is appropriate for your
operating system.
# ./SapAgent/install/Agent/SAPAgentSetup_operating system.bin
where operating system is the name of your operating system, such
as aix or solaris.
For a Tivoli Identity Manager Adapter installed on Windows:
Select Run... from the Start menu and type the path to the temporary
directory followed by SapAgent\install\agent\SapAgentSetup_win32.exe. For example:
C:\Temp\SapAgent\install\agent\SapAgentSetup_win32.exe
The Welcome dialog window appears.
4. Click Next.
The License dialog window appears.
5. Read the License agreement and select the I accept option to continue.
6. Click Next.
The Select Destination Directory dialog window appears.
7. Accept the default or select an alternate destination path and click Next.
The Install Summary dialog window appears.
8. Click Next.
The SAP NetWeaver AS ABAP Instance Setup dialog is displayed.
9. In the respective fields, type the SAP NetWeaver AS ABAP instance name and
the password for the CPIC SAP user account that the adapter will use and
click Next.
The SAP NetWeaver AS ABAP enter more instances dialog is displayed. To
enter more instances select Yes and repeat this step for as many SAP
NetWeaver AS ABAP instances as required. Otherwise select No.
10. Click Finish.
11. Check that the installation directory has been created as specified in step 7.
Make the SAP SDK shared library accessible to the adapter.
For Solaris:
Copy the SAP SDK library (librfccm.so) into the adapter’s lib
directory, and then export the environment variable LD_LIBRARY_PATH
to include the adapter’s lib directory with a command such as this.
export LD_LIBRARY_PATH=adapter_install_dir/lib:$LD_LIBRARY_PATH
For AIX:
Copy the SAP SDK library (librfccm.o) into the adapter’s lib
directory, and then export the environment variable LIBPATH to include
the adapter’s lib directory with a command such as this.
export LIBPATH=adapter_install_dir/lib:$LIBPATH
Figure 1. Select Destination Directory dialog window (Directory Name defaults to C:\tivoli\agents\<agentname>; click Next to install to this directory, or Browse to install to a different directory)
For Windows:
Copy the SAP SDK library (librfc32.dll) into either the system32
directory, the adapter’s bin directory, or set the Path environment
variable to make it accessible. If you already have the SAP GUI
installed on this Windows host, a version of the SAP SDK library
should already exist in the system32 directory.
12. Locate the transport files in the adapter’s transports directory. Give the
COFILES and the DATA files to your SAP BASIS administrator to import into
all targeted SAP NetWeaver AS ABAP systems. As these transports are client
independent, ensure that your transport landscape allows for this before
importing. The next section describes the transport import procedure.
Note: By setting the transport landscape up appropriately, you will be sure not to
import the transports into clients that do not need them (even though
importing the transports files into other clients will not have any impact on
them). The imported function modules and data structures can be removed
via a new transport/change request if required.
Step 3: Importing the Transport Files
Note: IBM recommends that these imports be performed by a SAP Basis
Administrator.
For the adapter to function, it is necessary to import one of the transport file sets
described above. You must first copy the transport set to the transport directory in
each mySAP.com landscape, so that the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP can communicate with your target SAP systems. For
demonstration purposes the following instructions refer to the transport
TV2K900045 as an example. You will need to repeat these steps for each transport
in your required transport file set as defined in the table above.
Before you begin the transport import process, complete the following steps:
1. Locate the transport files in the transports installation subdirectory for the
adapter. For example, on a Windows installation this would be
C:\Tivoli\Agents\SapAgent\transports.
2. Copy the transport files to the application server that will be used to execute
the import:
a. Copy all files in the cofiles subdirectory (K900045.TV2) in ASCII format to
the /usr/sap/trans/cofiles directory. Ensure that the files have write
permission.
b. Copy all files in the data subdirectory (R900045.TV2) in binary format to the
/usr/sap/trans/data directory. Ensure that the files have write permission.
c. Ensure that the files are owned by the group sapsys.
3. Perform the following prerequisite checks before beginning the import process:
a. The transport and correction system must be already configured and
functioning.
b. The target system must be properly defined within a transport domain.
You can now perform the transport import. This procedure can be performed from
either the command line or by using the Transport Management System.
Using the Transport Management System:
1. Log into the SAP GUI with a mySAP.com SAP GUI administrator
account.
2. Display the Transport Management System. Either:
v Run transaction STMS, or
v Select Tools then Administration, then Transport, then Transport
Management System.
3. Display the available mySAP.com system import queues. Either:
v Click the Import Overview icon, then click Display Import Queue,
or
v Double-click the target system in the Import Overview window.
4. Add the transport to the buffer. If the transports already exist in the
buffer, proceed to the next step. If the buffer does not exist, perform the
following steps:
a. From the Extras menu, select Other Requests then Add to display
the Add Transport Request to Import Queue dialog.
b. In the Transp. request field, enter the transport name that you want
to add, such as TV2K900045. Click the icon with the green check on
it and then click Yes on the confirmation dialog.
5. Import the transport as follows:
a. From the Import Queue window, select the transport.
b. From the Request menu, select Import to display the Import
Transport Request dialog.
c. In the Target client field, select the target client from the drop-down
list. Click the icon with the green check on it and then click Yes on
the confirmation dialog.
6. Verify that the import was successful. To do this, log into the SAP GUI
and go to the Function builder transaction (se37) and check that the
Function Modules (RFCs) listed in the transport description table above
(see Table 1 on page 6) are installed and active. If the Function Modules
(RFCs) are not active, activate the objects.
Note: A mySAP.com developer key is required to activate the objects.
Using the command line:
1. Log on to the target SAP system host machine as the mySAP.com
administrator and change to the /usr/sap/trans/bin directory.
2. Show the current contents of the transport buffer:
tp showbuffer sid
where sid is the three-character identifier of your mySAP.com system.
3. Verify that there are no other transports included in the transport
buffer.
4. Add the transport to the buffer:
tp addtobuffer TV2K900045 sid
5. Verify that the transport has been placed in the buffer:
tp showbuffer sid
6. Import the transport:
tp import TV2K900045 sid
7. Verify that the import was successful. To do this, log into the SAP GUI
and go to the Function builder transaction (se37) and check that the
Function Modules (RFCs) listed in the transport description table above
(see Table 1 on page 6) are installed and active. If the Function Modules
(RFCs) are not active, activate the objects.
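The staging step earlier in this section (cofile and data file into /usr/sap/trans, owned by group sapsys, writable) and the tp sequence just listed lend themselves to a small wrapper that checks every return code instead of relying on a visual read of the buffer. The script below is an added example and is not part of the IBM guide or the adapter distribution. It assumes the standard transport directory /usr/sap/trans and group sapsys (both overridable), that tp is on the PATH (overridable through TP_CMD), and that tp follows the usual SAP transport return-code convention of 0 for success, 4 for warnings, 8 for errors and 12 or higher for a fatal problem. File names follow the pattern the guide itself lists: request TV2K900045 has cofile K900045.TV2 and data file R900045.TV2, and the same rule holds for every transport in Table 1.

```shell
# Added example, not part of the IBM guide. Defaults are the paths and group
# the guide names; all of them can be overridden from the environment.
TRANS_DIR=${TRANS_DIR:-/usr/sap/trans}
TRANS_GROUP=${TRANS_GROUP:-sapsys}
TP_CMD=${TP_CMD:-tp}

# Map a transport request ID to its cofile and data file names, e.g.
# TV2K900045 -> "K900045.TV2 R900045.TV2". The leading three characters are
# the source system ID; the trailing Knnnnnn is the request number. The cofile
# keeps the K prefix, the data file swaps it for R, both get .SID appended.
transport_files() {
    req=$1
    case "$req" in
        [A-Z0-9][A-Z0-9][A-Z0-9]K[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'not a transport request id: %s\n' "$req" >&2; return 1 ;;
    esac
    sid=${req%K*}       # strip from the last K onward -> TV2
    num=${req#???K}     # strip the SID and the K    -> 900045
    printf 'K%s.%s R%s.%s\n' "$num" "$sid" "$num" "$sid"
}

# Copy the cofile and data file for one request from the adapter's transports
# directory (with its cofiles/ and data/ subdirectories) into TRANS_DIR, then
# set the group ownership and write permission the guide asks for. A local cp
# is byte-exact, so the ASCII/binary distinction only matters when the files
# travel by FTP instead.
stage_transport() {
    src=$1; req=$2
    files=$(transport_files "$req") || return 1
    cofile=${files% *}; datafile=${files#* }
    cp "$src/cofiles/$cofile" "$TRANS_DIR/cofiles/$cofile" || return 1
    cp "$src/data/$datafile" "$TRANS_DIR/data/$datafile" || return 1
    chgrp "$TRANS_GROUP" "$TRANS_DIR/cofiles/$cofile" "$TRANS_DIR/data/$datafile" || return 1
    chmod g+w "$TRANS_DIR/cofiles/$cofile" "$TRANS_DIR/data/$datafile"
}

# Interpret a tp return code: 0 success, 4 warnings (accepted but reported),
# 8 errors, 12 or higher fatal. Assumed SAP convention, not stated in the guide.
tp_ok() {
    case "$1" in
        0) return 0 ;;
        4) printf 'tp finished with warnings (rc 4); review the import log\n' >&2; return 0 ;;
        *) printf 'tp failed with rc %s\n' "$1" >&2; return 1 ;;
    esac
}

# Add the request to the buffer, import it, then show the buffer, stopping at
# the first step whose return code is not acceptable. Mirrors steps 4 to 6 of
# the command-line procedure; the SE37 activation check in step 7 stays manual.
import_transport() {
    req=$1; sid=$2
    "$TP_CMD" addtobuffer "$req" "$sid" && rc=0 || rc=$?
    tp_ok "$rc" || return 1
    "$TP_CMD" import "$req" "$sid" && rc=0 || rc=$?
    tp_ok "$rc" || return 1
    "$TP_CMD" showbuffer "$sid"
}

# Usage (as the SAP administrator, from /usr/sap/trans/bin):
#   stage_transport adapter_install_dir/transports TV2K900045 && \
#   import_transport TV2K900045 TV2
```

Because the wrapper stops on the first unacceptable return code, a failed addtobuffer never proceeds to an import, and a warning on import is surfaced rather than lost in the tp output.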
Step 4: Activating the Adapter as a Service
If the Tivoli Identity Manager Agent for SAP NetWeaver AS ABAP was installed
on a Windows host, a service is created for starting and stopping the agent.
On UNIX platforms, the agent is deployed with script files to start and stop the
agent. The following scripts are located in the bin directory of the agent
installation:
v StopAgent.sh
v StartAgent.sh
Use the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service or
scripts to start the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
software on the target platform.
Step 5: Configuring the Adapter
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses the
DAML protocol to ensure secure communication with the Tivoli Identity Manager
Server. Default protocol values are provided. However, you must configure the
DAML protocol for your site’s systems. Refer to “Changing Protocol Configuration
Settings” on page 21 for more information.
Step 6: Installing the Adapter’s Certificate
A certificate must also be installed for the DAML protocol. You must obtain a
production certificate from a well-known Certificate Authority or create your own
certificate using your own Certificate Authority. The Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP does not come prepackaged with a
certificate. Refer to Chapter 5, “Certificate Installation,” on page 37 for more
information about installing certificates.
When you install the new certificate, you will also need to install the new
Certificate Authority on the Tivoli Identity Manager Server. For more information,
refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide,
specifically the sections marked "Preparing to install adapters".
Note: You must configure the DAML protocol before installing your certificate.
Stop and restart the adapter after the certificate is installed.
Step 7: Installing the Adapter’s Profile
Before an adapter can be added as a service to the Tivoli Identity Manager Server,
the server must have a service profile to recognize the adapter as a service. See
Chapter 3, “Adapter Profile Installation,” on page 17 for more information on
installing the adapter’s profile on the Tivoli Identity Manager Server.
Note: If this is an upgrade of an existing adapter, the new adapter schema will not
be reflected immediately. The Tivoli Identity Manager system stores the
adapter schema in memory. However, this cache is periodically refreshed
and the new adapter schema will be reflected after the cache is refreshed.
Re-boot the Tivoli Identity Manager system to refresh the adapter schema
immediately.
Step 8: Configuring the Adapter’s Forms
Configure the adapter’s service maintenance and account maintenance forms on
the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager
Information Center for more information.
When adding the adapter as a Tivoli Identity Manager Service to the Tivoli
Identity Manager Server, the following SAP connection parameters must be
defined:
Table 2. Service Attributes (ITIM Service Attribute Name: ITIM Service Attribute Description)
SAP System Version: Legacy Service attribute. The adapter officially only supports 4.6C to WAS 6.20. Recommended value is 46C+.
SAP Client Instance Name: Required Service Attribute. This is the SAP instance name for the SAP instance you are connecting to.
Interface with CUA?: Optional Service Attribute. Check this radio button if the adapter is provisioning to a Central User Administration (CUA) SAP client.
Do Not Force Password Change?: Optional Service Attribute. Check this radio button if you want to disable SAP’s password reset functionality. Required to synchronize passwords across other Tivoli Identity Manager accounts for this identity.
Disable Admin Unlock On Restore?: By default users will not be allowed to restore their account if the account was locked by an administrator. Check this radio button if you want to allow users to restore their account after it has been locked by an administrator.
Unlock Account On Password Change?: Optional Service Attribute. Check this radio button if you want the adapter to perform a secondary unlock action on a password change request. If activated, the account will be unlocked if the reason for its lock state was too many failed login attempts.
Display Indirectly Assigned Roles?: Optional Service Attribute. Check this radio button if you want indirectly assigned Roles reconciled for accounts. Roles are assigned indirectly as a result of Composite Role assignment.
Enable HR infotype 105 Link?: Optional Service Attribute. Check this radio button if you want to allow the adapter to link SAP accounts to HR Personnel Records using infotype 105 (Communication).
RFC Destination for HR System (CUA only): Optional Service Attribute. This option requires a value when you have selected the option above, Enable HR infotype 105 Link?, and your SAP system uses the CUA configuration.
Role Default End Date: Optional Service Attribute. This is the default Role End Date.
Role Date Max Year: Optional Service Attribute. This is the maximum year value for the Role start and end date widgets. Default value is 9999.
Span Role Date Years?: Optional Service Attribute. Check this radio button if you want to span the Role End Date Year field (that is, display all years from 1990 to the defined Role Date Max Year above).
Target Client: Required Service Attribute. This is the SAP instance client number.
Login ID: Required Service Attribute. This is the CPIC SAP user account login ID that the adapter will use to connect to the SAP client.
Language: Required Service Attribute. This is the SAP login language parameter.
Mode (only NetWeaver AS ABAP supported now): Legacy Service attribute. The adapter officially only supports the NetWeaver AS ABAP mode.
SAP System (DNS hostname or IP): Required Service Attribute. Hostname of the SAP server host machine, only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter.
SAP System Number: Required Service Attribute. The SAP server system number. Default SAP install has system number 00.
SAP Gateway (DNS hostname or IP): Required Service Attribute. Hostname of the SAP gateway host machine, only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter. Usually this is the same host that contains the SAP server.
SAP Gateway Service Name: Required Service Attribute. The SAP gateway service string. Default SAP install has the gateway service name sapgw00.
Enable RFC Trace?: Optional Service Attribute. Set to ON to enable RFC trace files for debug purposes. If you find a problem with the adapter, ensure you reproduce the request with Trace enabled and capture the trace file. The logs are created in the directory where the RFCSDK runtime library is located.
Enable Extended RFC Logon?: Optional Service Attribute. Check this radio button to enable use of extended RFC logon. Define the extended logon attributes by creating unencrypted registry values.
Note: This SAP functionality does not currently support AIX in a reliable fashion. Therefore it is recommended that this setting not be used for agents running on AIX with the SAP RFCSDK 6.40 AIX library.
Figure 2. Configuring the Adapter’s Forms
Chapter 3. Adapter Profile Installation
This chapter has the following sections:
v “Introduction”
v “Requirements”
v “Installing the Adapter Profile”
v “Verifying the Adapter Profile is Installed” on page 18
Introduction
Before an adapter can be added as a service to the Tivoli Identity Manager Server,
the server must have a service profile to recognize the adapter as a service. The
Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP comes packaged
with a JAR file which represents the adapter’s profile. This JAR file is then
imported into the Tivoli Identity Manager Server, making SAP NetWeaver AS
ABAP available as an ITIM Server service option.
This chapter describes the procedure to install and configure the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity
Manager Server. Each step includes a short procedure that completes one aspect of
the overall profile installation process. You must complete the steps in the order
they are listed.
Note: If you are upgrading the adapter software, you must also upgrade the
adapter profile on the Tivoli Identity Manager Server.
Requirements
The following table identifies hardware, software, and authorization requirements
to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile
on the Tivoli Identity Manager Server. Verify that all the requirements have been
met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP profile.
Table 3. Requirements before installing an adapter profile
Server: The Tivoli Identity Manager Server must be installed and running before the adapter’s profile can be installed.
System Administrator Authority: The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.
Installing the Adapter Profile
1. Log in to any host machine that has a supported browser and can connect to
the Tivoli Identity Manager Server Console. You may wish to just log directly
into your Tivoli Identity Manager Server, but the profile can also be installed
remotely if desired.
2. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
package from the IBM Web site and extract the profile JAR file SapProfile.jar.
Place the JAR file into a temporary directory.
Note: Contact your IBM account representative for the Web address and
download instructions for adapter installation files.
3. Start a browser session and log into the Tivoli Identity Manager Console with
an administrator account.
4. Using the Tivoli Identity Manager tabs and menus, browse to Configuration >
Import/Export and select the Import tab.
5. Use the Browse button to locate the temporary directory that contains the JAR
file, SapProfile.jar.
6. Select the correct profile JAR file, then select the Import data into Identity
Manager button (which is directly beneath the browse widget).
7. When the import is complete you will see a message such as:
Uploading file C:\temp\SapAgent\install\profile\SapProfile.jar
Profile installation complete.
8. Although not essential in all instances, it is a good idea to restart the enrole
WebSphere Enterprise Application using the WebSphere Administration
Console (http://ITIM_server:9090/admin) , or by restarting the WebSphere
Application Server itself.
Verifying the Adapter Profile is Installed
To ensure that the adapter profile has been installed correctly:
1. Using the Administrator Console, navigate to the Provisioning main tab.
2. Create a service of type SAP NetWeaver AS ABAP.
Note: If you do not have the correct SAP system details, enter in dummy
values for the SAP CONNECTION DETAILS. You must however have a
running SAP NetWeaver AS ABAP adapter, and correct AGENT
CONNECTION DETAILS.
3. Submit the service for creation.
4. Once the service has been created, create a provisioning policy entitlement for
the new service. You can use an existing Provisioning policy, or create a new
one.
Chapter 4. Adapter Parameters Modification
This chapter describes how to use agentCfg, the provided adapter configuration
program, to view or modify Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP parameters. All modifications made to settings with this tool take effect
immediately.
This chapter has the following sections:
v “Accessing the Adapter Configuration Tool Main Menu”
v “Viewing Configuration Settings” on page 20
v “Changing Protocol Configuration Settings” on page 21
v “Setting Event Notification” on page 24
v “Changing the Configuration Key” on page 28
v “Changing Activity Logging Settings” on page 28
v “Changing Registry Settings” on page 30
v “Changing Advanced Settings” on page 32
v “Viewing Statistics” on page 33
v “Changing code page settings” on page 34
v “Accessing Help and Additional Options” on page 34
Accessing the Adapter Configuration Tool Main Menu
The following procedure describes how to access the main menu of the agentCfg
tool for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.
1. Change to the adapter’s bin directory.
At the prompt, type the following, if the Tivoli Identity Manager Adapter for
SAP NetWeaver AS ABAP directory is in the default location:
agentCfg -agent SAPAgent
The following prompt is displayed:
Enter configuration key for Agent ’SAPAgent’:
The default password is ’agent’. This should be changed at the first
opportunity.
You can also use agentCfg to view or change configuration settings from a
remote computer. See the table in “Accessing Help and Additional Options” on
page 34 for procedures on using the -hostname argument.
2. Type the configuration key for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP.
The default configuration key is agent. See “Changing Protocol Configuration
Settings” on page 21 for procedures to change the configuration key.
The Main Configuration menu appears.
SAPAgent 4.6.xxxx Agent Main Configuration Menu
-------------------------------------------
A. Configuration Settings
B. Protocol Configuration
C. Event Notification
D. Change Configuration Key
E. Activity Logging
F. Registry Settings
G. Advanced Settings
H. Statistics
I. Codepage Support
X. Done
Select menu option:
This chapter includes a section for each of the following main functions:
v For option A, see “Viewing Configuration Settings”
v For option B, see “Changing Protocol Configuration Settings” on page 21
v For option C, see “Setting Event Notification” on page 24
v For option D, see “Changing the Configuration Key” on page 28
v For option E, see “Changing Activity Logging Settings” on page 28
v For option F, see “Changing Registry Settings” on page 30
v For option G, see “Changing Advanced Settings” on page 32
v For option H, see “Viewing Statistics” on page 33
v For option I, see “Changing code page settings” on page 34
Viewing Configuration Settings
The following procedure describes how to view the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP configuration settings.
1. Type option A (Configuration Settings) at the main menu prompt.
The configuration settings for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP appear. The following is a sample of the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP configuration settings.
Configuration Settings
-------------------------------------------
Name : SAPAgent
Version : 4.6.xxxx
ADK Version : 4.36
ERM Version : 4.36
enRole Version : 4.0
License : NONE
Asynchronous ADD Requests : TRUE (Max.Threads:3)
Asynchronous MOD Requests : TRUE (Max.Threads:3)
Asynchronous DEL Requests : TRUE (Max.Threads:3)
Asynchronous SEA Requests : TRUE (Max.Threads:3)
Available Protocols : DAML, FTP
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\Tivoli\Agents\SAPAgent\Log
Log File Name : SAPAgent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Press any key to continue
2. Press any key to return to the main menu.
Changing Protocol Configuration Settings
The adapter can communicate with the Tivoli Identity Manager Server using
DAML or FTP. By default, agents are configured to use DAML as the
communication protocol. Procedures provided in this section contain instructions
for modifying DAML protocol configuration settings. Configuring the adapter to
use FTP requires additional configuration not provided in this section.
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP protocol configuration settings. This section
also describes the purpose of the provided functions.
1. Type B (Protocol Configuration) at the main menu prompt.
The Protocol Configuration menu appears. The configured and available
protocols for your server display above the menu options. The DAML protocol
is configured and available by default for the Tivoli Identity Manager Adapter
for SAP NetWeaver AS ABAP.
Agent Protocol Configuration Menu
-----------------------------------
Available Protocols: DAML, FTP
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.
X. Done
Select menu option
2. See the following procedure that corresponds with the option that you want to
select:
v For option A, see “Adding a Protocol”
v For option B, see “Removing a Protocol”
v For option C, see “Configuring a Protocol” on page 22
Type X to return to the main menu.
Adding a Protocol
1. Type A (Add Protocol) at the Protocol Configuration menu prompt.
The Add New Protocol menu appears and displays protocols that are available
on your server. If there are no protocols to add, the Protocol Configuration
menu reappears.
2. Type the menu option letter of the protocol that you want to add.
The Protocol Configuration menu reappears. The protocol that you added
appears as a Configured Protocol. See the procedure for “Configuring a
Protocol” on page 22 to modify the default configuration settings for the
protocol that you added.
Removing a Protocol
1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.
The Remove Protocol menu appears and displays all protocols that have been
added. If there are no protocols to remove, the Protocol Configuration menu
reappears.
2. Type the menu option letter of the protocol that you want to remove.
Chapter 4. Adapter Parameters Modification 21
The Protocol Configuration menu reappears and the protocol that you removed
is no longer listed as a configured protocol. However, the protocol remains as
an available protocol that can be added again.
Configuring a Protocol
1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.
The Configure Protocol menu appears.
2. Type the menu option letter of the protocol that you want to configure.
The Protocol Properties menu for the configured protocol appears with protocol
properties.
Note: The properties on your menu may be different from the ones shown.
The following is an example of the DAML protocol properties:
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection
F. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
G. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
H. HOSTADDR ANY ;Listen on address ( or "ANY" )
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
Select menu option:
3. Type the menu option letter of the protocol property that you want to
configure.
See the table below for additional information about the menu options for the
DAML protocol.
Table 4. Menu options for the DAML protocol
Type this Option To Accomplish this
A (USERNAME) The following prompt appears:
Modify Property ’USERNAME’:
Type a username, for example, admin
This is the username the Tivoli Identity Manager
Server uses to connect to the adapter.
B (PASSWORD) The following prompt appears:
Modify Property ’PASSWORD’:
Type a password, for the username the Tivoli Identity
Manager Server uses to connect to the adapter.
C (MAX_CONNECTIONS) The following prompt appears:
Modify Property ’MAX_CONNECTIONS’:
Type a different number of allowed connections to the
Agent.
D (PORTNUMBER) The following prompt appears:
Modify Property ’PORTNUMBER’:
Type a different port number, for example, 7004. This
is the port number the Tivoli Identity Manager Server
uses to connect to the adapter.
E (USE_SSL) The following prompt appears:
Modify Property ’USE_SSL’:
Type TRUE to require the Tivoli Identity Manager
Server to use HTTPS. Type FALSE to allow the Tivoli Identity Manager
Server to use HTTP.
Note: You must install a certificate using the
CertTool utility if you set this option to TRUE. You
must also make sure the CA that created the
certificate is registered with the Tivoli Identity
Manager Server Web Application Server.
F (SRV_NODENAME) The following prompt appears:
Modify Property ’SRV_NODENAME’:
Type a server name, for example, 192.168.6.152
This is the DNS name or IP address of the Tivoli
Identity Manager Server.
G (SRV_PORTNUMBER) The following prompt appears:
Modify Property ’SRV_PORTNUMBER’:
Type a different port number to access the Tivoli
Identity Manager Server, for example, 7004
This is the port number the adapter uses to connect to
the Tivoli Identity Manager Server.
H (SRV_USERNAME) The following prompt appears:
Modify Property ’SRV_USERNAME’:
Type a different username, for example, admin
This is the username the adapter uses to connect to
the Tivoli Identity Manager Server.
I (VALIDATE_CLIENT_CE) The following prompt appears:
Modify Property ’VALIDATE_CLIENT_CE’:
Type TRUE to require the Tivoli Identity Manager
Server to send a certificate when communicating with
the adapter.
Type FALSE to allow the Tivoli Identity Manager
Server to communicate with the adapter without a
certificate.
Note: You must configure options D through H of the
CertTool if you set this option to TRUE.
J (REQUIRE_CERT_REG) The following prompt appears:
Modify Property ’REQUIRE_CERT_REG’:
Type TRUE to require the use of a registered
certificate. Type FALSE to allow use of a non-registered
certificate.
Note: You must configure options D through H of the
CertTool if you set this option to TRUE.
4. Change the value and press Enter.
The Protocol Properties menu reappears and displays your new settings.
Note: Press Enter to return to the Protocol Properties menu without modifying
the selected value.
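As an added example (not code from the adapter or this guide), the following Python script parses a pasted DAML Protocol Properties screen in the layout shown above and reports the settings that leave the link between the Tivoli Identity Manager Server and the adapter unprotected. The two cross-checks between USE_SSL, VALIDATE_CLIENT_CE and REQUIRE_CERT_REG are assumptions about how those settings interact; the sample screen is the one printed in the guide.

```python
"""Check the DAML protocol properties shown by agentCfg (Protocol Configuration,
option C) for settings that weaken the link between the Tivoli Identity Manager
Server and the adapter.

Added example, not part of the adapter or this guide. Property names and the
line layout follow the sample screen in the guide. The two consistency rules
(a client certificate can only be checked on an SSL connection; a registration
check only applies to a certificate that is actually presented) are
assumptions about how the settings interact, not statements from the guide.
"""
import re

# Constructed sample: the DAML Protocol Properties screen as printed in the
# guide, i.e. the defaults (SSL off, no client certificate checks, listen on ANY).
DEFAULT_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection
F. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
G. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
H. HOSTADDR ANY ;Listen on address ( or "ANY" )
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
"""

# One property line: "<letter>. <NAME> <value> ;<description>"
_PROP_RE = re.compile(r"^[A-Z]\.\s+([A-Z_]+)\s+(\S+)\s+;")


def parse_daml_properties(screen: str) -> dict:
    """Return {property_name: value} for every property line on the screen."""
    props = {}
    for line in screen.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _is_true(props: dict, name: str) -> bool:
    return props.get(name, "FALSE").upper() == "TRUE"


def audit_daml_properties(props: dict) -> list:
    """Return [(property, finding), ...]; an empty list means nothing weak was found."""
    findings = []
    use_ssl = _is_true(props, "USE_SSL")
    validate_cert = _is_true(props, "VALIDATE_CLIENT_CE")
    require_reg = _is_true(props, "REQUIRE_CERT_REG")

    if not use_ssl:
        findings.append(("USE_SSL",
            "FALSE: the Identity Manager Server talks to the adapter over plain "
            "HTTP, so the DAML logon and every provisioning request are unencrypted"))
    if not validate_cert:
        findings.append(("VALIDATE_CLIENT_CE",
            "FALSE: the server need not present a certificate, so authentication "
            "of the caller rests on USERNAME and PASSWORD alone"))
    elif not use_ssl:
        # assumption: a client certificate exists only on an SSL connection
        findings.append(("VALIDATE_CLIENT_CE",
            "TRUE but USE_SSL is FALSE: no certificate is exchanged over HTTP"))
    if require_reg and not validate_cert:
        # assumption: registration is checked only for a presented certificate
        findings.append(("REQUIRE_CERT_REG",
            "TRUE but VALIDATE_CLIENT_CE is FALSE: the registration check never runs"))
    if props.get("HOSTADDR", "ANY").upper() == "ANY":
        findings.append(("HOSTADDR",
            "ANY: the DAML listener is bound to every interface of the host"))
    return findings


def audit_screen(screen: str) -> list:
    """Parse a pasted Protocol Properties screen and audit it in one step."""
    return audit_daml_properties(parse_daml_properties(screen))


if __name__ == "__main__":
    for prop, text in audit_screen(DEFAULT_SCREEN):
        print("%-20s %s" % (prop, text))
```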
Setting Event Notification
The following procedure describes how to set Event Notification for the Tivoli
Identity Manager Server. Event Notification updates the Tivoli Identity Manager
Server with changes on the adapter at set intervals.
Note: The example menu shows all the options displayed when Event Notification
is enabled. If Event Notification is disabled, not all of the options are
displayed.
1. Type C (Event Notification) at the main menu prompt.
The Event Notification Menu appears.
Event Notification Menu
--------------------------------------------------------------
* Reconciliation interval : 1 day(s)
* Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
* Configured Contexts : Jupiter, dd309
A. Enabled
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done
Select menu option:
2. Type the menu option letter of the Event Notification option that you want to
change.
Note: Option A must be enabled in order for the values of the other options to
take effect.
Table 5. Event notification options
Type this Option To Accomplish this
A (Enabled) If this option is enabled, the adapter updates the Tivoli Identity
Manager Server with changes to the adapter at regular intervals.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
B (Time interval between reconciliations) The following prompt appears:
Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:
Type a different reconciliation interval.
Press Enter to return to the Event Notification menu without changing the
value.
C (Set processing cache size) The following prompt appears:
Enter new cache size[5]:
Type a different value to change the processing cache size.
Press Enter to return to the Event Notification menu without changing the
value.
D (Start event notification now) If this option is selected, event notification
is started.
E (Set attributes to be reconciled) The Event Notification Entry Types menu
appears. See “Setting Attributes to be Reconciled” on page 26 for more
information.
F (Reconciliation process priority) The following prompt appears:
Enter new thread priority [1-10]:
Type a different thread value to change the reconciliation process priority.
Press Enter to return to the Event Notification menu without changing the
value.
G (Add Event Notification Context) The following prompt appears:
Context name :
Type the new context name and press Enter. The new context is added.
H (Modify Event Notification Context) A menu listing the available contexts
appears. See “Modifying an Event Notification Context” on page 27 for more
information.
I (Remove Event Notification Context) The Remove Context menu appears. Select
the context to remove and the following prompt appears:
Delete context context1? [no]:
Press Enter to exit without deleting the context or type Yes and press Enter to
delete the context.
J (List Event Notification Contexts) The Event Notification Contexts are
displayed in the following format:
Context Name : Context1
Target DN : erservicename=context1,o=IBM,ou=IBM,dc=com
--- Attributes for search request ---
{search attributes listed}
-----------------------------------------------
3. Press Enter if you changed the value for option B, C, E or F.
The Event Notification menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the
corresponding menu option letter.
Setting Attributes to be Reconciled
Setting attributes to be reconciled consists of selecting attributes that will trigger
event notifications when their values change. Attributes that change frequently
(password age or last successful logon, for example) can be omitted.
1. Type E (Set attributes to be reconciled) at the Event Notification Menu.
The Event Notification Entry Types menu appears.
Event Notification Entry Types
-------------------------------------------
A. USER
B. GROUP
X. Done
Select menu option:
2. Type A for attributes returned during a user reconciliation or type B for
attributes returned during a group reconciliation.
The Event Notification Attribute Listing for the selected reconciliation type
appears.
Note: The default setting lists all attributes the adapter supports.
Event Notification Attribute Listing
-------------------------------------
(a) ** (b) ** (c) **
(d) ** (e) ** (f) **
(g) ** (h) ** (i) **
(j) ** (k) ** (l) **
(m) ** (o) ** (q) **
(r) ** (s) ** (t) **
(p)rev page 1 of 3 (n)ext
-----------------------------
X. Done
Select menu option:
3. Type the letter option of the attribute to exclude from an event notification.
Attributes that are marked with the asterisks are returned during the event
notification. Attributes that are not marked with asterisks are not returned
during the event notification.
Modifying an Event Notification Context
1. Type H (Modify Event Notification Context) at the Event Notification menu.
The Modify Context Menu appears.
Modify Context Menu
------------------------------
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:
2. Select the desired context.
The Modify Context menu for the selected context appears.
A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done
Select menu option:
See “Adding Search Attributes for Event Notification” for option A.
See “Configuring the Target DN for Event Notification Contexts” for option B.
See “Removing the Baseline Database for Event Notification Contexts” on page
28 for option C.
Adding Search Attributes for Event Notification
1. Type A (Set attributes for search) at the desired context’s Modify Context menu.
The Reconciliation Attribute Passed to Agent menu appears.
Reconciliation Attributes Passed to Agent for Context: Context1
----------------------------------------------------
----------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:
2. Select the desired option and complete the requested information at the
prompts.
The Reconciliation Attributes Passed to Agent menu reappears with the
changes displayed.
Configuring the Target DN for Event Notification Contexts
1. Type B (Target DN) at the desired context’s Modify Context menu.
The following prompt appears:
Enter Target DN:
2. Type the target DN for the context and press Enter.
The target DN for the event notification context must be in the following
format:
erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com
Each element of the DN is defined as follows:
erservicename Name of the target service used by the product name.
o Name of the organization in the product name.
ou Name of the tenant in which the organization is located. If the product
name is an enterprise installation, this is the name of the organization.
dc=com Root of the directory tree.
The selected context’s Modify Context menu reappears with the new target DN
listed.
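As an added example, not code from the adapter or this guide, the following Python functions compose a target DN in the format required above and check a DN that was typed by hand before it is entered at the prompt. The backslash escaping of commas and other special characters inside a value follows LDAP DN string syntax (RFC 4514), which is an assumption about how the adapter reads the value.

```python
"""Build and validate the Target DN of an Event Notification context.

Added example, not code from the adapter or this guide. The required shape,
erservicename=...,o=...,ou=...,dc=com, is the one the guide gives. The
backslash escaping of special characters inside a value follows LDAP DN
string syntax (RFC 4514) and is an assumption about how the adapter reads
the value; hex escapes are not handled.
"""

# RDN attribute types in the order the guide requires, directory root last.
REQUIRED_ORDER = ("erservicename", "o", "ou", "dc")

# Characters that must be escaped anywhere inside an RDN value.
_SPECIAL = ',+"\\<>;='


def _escape(value: str) -> str:
    """Escape a value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _unescape(value: str) -> str:
    """Drop the backslash in front of each escaped character."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, skipping separators preceded by a backslash (kept as-is)."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def build_target_dn(service: str, organization: str, tenant: str) -> str:
    """Compose the DN the guide requires; values are escaped, dc=com is fixed."""
    return "erservicename=%s,o=%s,ou=%s,dc=com" % (
        _escape(service), _escape(organization), _escape(tenant))


def parse_target_dn(dn: str) -> dict:
    """Return the four components as a dict, or raise ValueError if the DN
    does not have exactly the erservicename,o,ou,dc shape."""
    rdns = []
    for raw in _split_unescaped(dn.strip("\r\n"), ","):
        # '=' inside a value is escaped, so the first '=' separates type and value
        attr, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % raw)
        rdns.append((attr.strip().lower(), _unescape(value)))
    attrs = tuple(a for a, _ in rdns)
    if attrs != REQUIRED_ORDER:
        raise ValueError("expected erservicename,o,ou,dc but got %s" % ",".join(attrs))
    for attr, value in rdns:
        if not value:
            raise ValueError("empty value for %s" % attr)
    result = dict(rdns)
    if result["dc"].lower() != "com":
        raise ValueError("directory root must be dc=com, got dc=%s" % result["dc"])
    return result


def is_valid_target_dn(dn: str) -> bool:
    """True when parse_target_dn accepts the DN."""
    try:
        parse_target_dn(dn)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    dn = build_target_dn("SAP Prod, EU", "IBM", "IBM")  # constructed sample values
    print(dn)
    print(parse_target_dn(dn))
```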
Removing the Baseline Database for Event Notification Contexts
This option is only available after a context is created and a reconciliation is run on
the context to create a Baseline Database file.
Type C (Delete Baseline Database) at the desired context’s Modify Context menu.
The selected context’s Modify Context menu reappears with the Delete Baseline
Database option removed.
Changing the Configuration Key
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP configuration key. You use this key as a
password to access the configuration tool from the selected adapter.
1. Type D (Change Configuration Key) at the main menu prompt.
2. Change the value and press Enter.
Enter new configuration key for Agent ’SAPAgent 4.6.xxxx’:
Press Enter to return to the Main Configuration menu without changing the
configuration key. The default configuration key is agent.
Note: Enter a configuration key that you can easily remember.
A message appears:
Configuration key successfully changed.
The configuration program exits and the main prompt reappears.
Changing Activity Logging Settings
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP activity logging settings. When you enable
logging, Tivoli Identity Manager maintains a log file of all transactions in a dated
archive log file, SAPAgent.log.
1. Type E (Activity Logging) at the main menu prompt.
The Agent Activity Logging menu appears. The following sample shows the
default activity logging settings.
Agent Activity Logging Menu
-------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\SAPAgent\Log).
C. Activity Log File Name (current: SAPAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
X. Done
Select menu option:
2. Type the menu option letter of the activity logging option that you want to
change.
Note: Option A (Activity Logging) must be enabled in order for the values of
the other options to take effect.
Table 6. Activity logging options
Type this Option To Accomplish this
A (Activity Logging) Set this option to enabled and Tivoli Identity Manager maintains
a log file of all transactions in a dated archive log file.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
B (Logging Directory) Type a different value for the logging directory, for example,
C:\Log. When the logging option is enabled, details about each
access request are stored in the logging file that is located in this
directory.
Press Enter to return to the Agent Activity Logging menu
without changing the value.
C (Activity Log File Name) Type a different value for the log file name. When the
logging option is enabled, details about each access request are stored in
the logging file.
Press Enter to return to the Agent Activity Logging menu
without changing the value.
D (Activity Logging Max File Size) Type a new value, for example, 10. The oldest
data is archived when the log file reaches the maximum file size. File size is
measured in megabytes. Activity log file size can exceed disk capacity.
Press Enter to return to the Agent Activity Logging menu
without changing the value.
E (Activity Logging Max Files) Type a new value up to 100, for example, 5. The
agent automatically deletes the oldest activity logs beyond the specified limit.
Press Enter to return to the Agent Activity Logging menu
without changing the value.
F (Debug Logging) If this option is set to enabled, the agent includes the debug
statements in the log file of all transactions.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
G (Detail Logging) If this option is set to enabled, the agent maintains a detailed log
file of all transactions.
Note: The detail logging option should be used for diagnostic
purposes only. When the detail logging option is on, the
application’s performance can be adversely affected.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
H (Base Logging) If this option is set to enabled, the agent maintains a log file of
all transactions in the ADK and library files.
When the option is set to:
v disabled, it automatically changes to enabled
v enabled, it automatically changes to disabled
I (Thread Logging) If this option is set to enabled, the agent maintains a log file with
entries that specify the thread that caused the log.
When the option is set to:
v disabled, pressing the I key changes the value to enabled.
v enabled, pressing the I key changes the value to disabled.
3. Press Enter if you changed the value for option B, C, D, or E.
The Agent Activity Logging menu reappears and displays your new settings.
Note: The other options are changed automatically when you type the
corresponding menu option letter.
Changing Registry Settings
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP registry settings.
1. Type F (Registry Settings) at the main menu prompt.
The Registry menu appears.
SAPAgent 4.6.xxxx Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:
2. See the following procedures on modifying registry settings.
Note: There are no encrypted registry settings for this adapter.
Modifying Non-encrypted Registry Settings
1. Type A (Modifying Non-encrypted Registry Settings) at the Registry menu
prompt.
The Non-encrypted Registry settings menu appears.
Agent Registry Items
---------------------------
01. ENROLE_Version ’4.0’
02. ExecTimeout ’6000’
03. ManageHomeDirs ’TRUE’
04. ReconBufferSize ’-1’
05. ReconHomeDirSecurity ’FALSE’
06. ReconLastLogon ’FALSE’
07. ReconLastLogonAllowErrors ’FALSE’
08. WtsEnable ’FALSE’
--------------------------------
Page 1 of 1
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:
2. Type one of the following options:
v A) Add new attribute
v B) Modify attribute value
v C) Remove attribute
v X) Done
3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter.
The non-encrypted registry settings menu reappears and displays your new
setting(s).
Modifying Encrypted Registry Settings
To access registry settings, do the following:
1. Type B (Modifying Encrypted Registry Settings) at the Registry menu prompt.
The Encrypted Registry settings menu appears.
Encrypted Registry Items
-------------------------------------------
01. PASSWORD ’*****’
Page 1 of 1
A. Add new attribute
B. Modify attribute value.
C. Remove attribute.
X. Done
Select menu option:
2. Type one of the following options:
v A) Add new attribute
v B) Modify attribute value
v C) Remove attribute
v X) Done
3. Type the registry item name, and press Enter.
4. Type the registry item value, if you selected option A or B, and press Enter.
The encrypted registry settings menu reappears and displays your new
settings.
Multi-instance Settings
This option allows you to configure multi-instance settings.
Note: This option is only valid if the agent can support multi-instances.
1. Type C (Multi-instance Settings) at the Registry Menu prompt.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance
Class Menu appears.
SAPAgent 4.6.xxxx Agent Instance Class Menu
-------------------------------------------------------
-------------------------------------------------------
A. Select instance class.
X. Done.
2. Type one of the available options.
3. Type the requested information and press Enter.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance
Class Menu reappears and displays your new settings.
Changing Advanced Settings
The following procedure describes how to change the Tivoli Identity Manager
Adapter for SAP NetWeaver AS ABAP thread count settings for the following
types of requests:
v System Login Add
v System Login Change
v System Login Delete
v Reconciliation
These settings determine the maximum number of requests that the Tivoli Identity
Manager Adapter for SAP NetWeaver AS ABAP processes concurrently.
1. Type G (Advanced Settings) at the main menu prompt.
The Advanced Settings menu appears. The following sample shows the default
thread count settings.
SAPAgent 4.6.xxxx Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:
2. Type the menu option letter of the advanced setting that you want to change.
Note: The UTF8 Conversion support setting must be set to FALSE to support
Western European character sets.
Table 7. Menu options for the Advanced Settings menu
Type this Option To Accomplish this
A (Single Thread Agent) Forces the adapter to allow only one request at a
time.
B (ADD max. thread count) Controls how many simultaneous ADD requests can
run at one time.
C (MODIFY max. thread count) Controls how many simultaneous MODIFY requests
can run at one time.
D (DELETE max. thread count) Controls how many simultaneous DELETE requests
can run at one time.
E (SEARCH max. thread count) Controls how many simultaneous SEARCH requests
can run at one time.
F (Allow User EXEC procedures) Determines whether the adapter allows pre- and
post-exec functions. Enabling this option is a potential
security risk. This option is disabled by default.
G (Archive Request Packets) Instructs the adapter to retain copies of the request
packets in an archive. This option is specific to the
FTP protocol and is used primarily for debugging
purposes. By default, request packets are deleted once
they have been read unless this option is enabled.
H (UTF8 Conversion support) This option is no longer used.
I (Pass search filter to agent) Provides filtering functionality for search requests by
issuing a full search to the agent and then filtering
the objects as they are pipelined back to the server.
Currently, this adapter does not support processing
filters directly. This option should always be FALSE.
J (Thread Priority Level (1-10)) Sets the thread priority level for the agent.
3. Change the value and press Enter.
The Advanced Settings menu reappears and displays your new settings.
Viewing Statistics
The following procedure describes how to view the request statistics for the Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP.
1. Type H (Statistics) at the main menu prompt.
The activity history for the adapter is displayed.
SAPAgent 4.6.xxxx Agent Request Statistics
--------------------------------------------------------------------
Date Add Mod Del Ssp Res Rec
-----------------------------------------------------------------
11/15/02 000001 000000 000000 000000 000000 000001
-----------------------------------------------------------------
X. Done
2. Type X to return to the Main Configuration Menu.
Changing code page settings
In order to list the supported code page information for the RACF Adapter, the
adapter must be running. Run the following command to view the code page
information:
agentCfg -agent [adapter_name] -codepages
In order to change the code page settings for the RACF Adapter, complete the
following steps:
1. At the Main Menu prompt, type I.
The code page support menu for the adapter is displayed.
SAPAgent 4.6 Codepage Support Menu
-------------------------------------------
* Configured codepage: US-ASCII
-------------------------------------------
*
*******************************************
* Restart Agent After Configuring Codepages
*******************************************
A. Codepage Configure.
X. Done
Select menu option:
2. Type A to configure a code page.
Note: The SAPAgent uses unicode, therefore this option is not applicable.
3. Type X to return to the Main Configuration Menu.
Accessing Help and Additional Options
The following describes how to access the agentCfg help menu and use the help
arguments.
1. Return to the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
bin directory by completing one of the following:
v Type X from the Main Configuration menu prompt.
v Complete procedures 1 and 2 of “Accessing the Adapter Configuration Tool
Main Menu” on page 19.
2. Type agentCfg -help at the prompt to view the help menu.
The following list of possible commands appears:
-version ;Show version
-hostname <value> ;Target nodename to connect to (Default:127.0.0.1)
-findall ;Find all agents on target node
-list ;List available agents on target node
-agent <value> ;Name of agent
-tail ;Display agent’s activity log
-portnumber <value> ;Specified agent’s TCP/IP port number
-netsearch <value> ;Lookup agents hosted on specified subnet
-confidencetest ;Confidence test
-setup ;Confidence test setup
-codepages ;Display list of available codepages
-help ;Display this help screen
The following table describes the purpose of the provided arguments.
Table 8. Command argument purposes
-version Use this argument to display the agentCfg version.
-hostname <value> Use the -hostname argument with any of the following
commands to specify a different host:
v -findall
v -list
v -tail
v -agent
Enter a hostname or IP address as the value.
-findall Use this argument to search and display all possible port
addresses for all agents. Must be used with the -list
argument. Add the -hostname argument to search a remote
host.
-list Use this argument to search and display agents found at
default ports. By default, the argument searches the local host
of the Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP. Use the -hostname argument to search a different
host.
-agent <value> Use this argument to specify the agent that you want to
configure. Enter an agent name as the value. Use this
argument with the -hostname argument to modify the
configuration setting from a remote host. You can also use
this argument with the -tail argument.
-tail Use this argument with the -agent argument to display an
agent’s activity log. Add the -hostname argument to display
the log file for an agent on a different host.
-portnumber <value> Use this argument with the -agent argument to specify an
agent’s TCP/IP port number.
-netsearch <value> Use this argument with the -agent argument to display all
agents installed on the system.
-confidencetest Use this argument to run a test to add, modify, search and
delete a request to the agent. This allows you to verify the
agent connection to the managed resource without the Tivoli
Identity Manager Server.
-setup Use this argument to configure the confidence test.
-codepages Display the codepages configured for the Agent.
-help Display the help menu for agentCfg.
3. Type agentCfg and one or more of the supported arguments at the prompt.
You must type agentCfg before every argument to run the agent configuration
tool.
Table 9. Arguments
Argument Syntax Argument Example
-argument For example, type agentCfg -list
This example lists all agents on the local host IP
address. Note that the default node for the Tivoli
Identity Manager Server is 44970.
Agent(s) installed on node ’127.0.0.1’
-----------------------
SAPAgent (44970)
-argument <value> For example, type agentCfg -agent SAPAgent
This example displays the main menu of the
agentCfg tool which is used to view or modify the
Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP parameters.
-argument <value> -argument
or
-argument -argument <value>
For example, type agentCfg -list -hostname
192.9.200.7
This example lists agents on a host whose IP
address is 192.9.200.7. Note that the default node
for the Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP is 44970.
Agent(s) installed on node ’192.9.200.7’
------------------
SAPAgent (44970)
-argument <value>
-argument <value>
For example, type agentCfg -agent SAPAgent
-hostname 192.9.200.7
This example displays the main menu of the
agentCfg tool for a host whose IP address is
192.9.200.7. Use the menu options to view or
modify the Tivoli Identity Manager Adapter for
SAP NetWeaver AS ABAP parameters.
Chapter 5. Certificate Installation
This chapter has the following sections:
v “Introduction”
v “Overview of SSL and Digital Certificates”
v “Accessing the Certificate Configuration Tool Main Menu” on page 39
v “Generating a Private Key and Certificate Request” on page 41
v “Installing the Certificate from a File” on page 42
v “Installing the Certificate and Key from a PKCS12 File” on page 43
v “Viewing Installed Certificates” on page 43
v “Viewing CA Certificates” on page 43
v “Installing a CA Certificate” on page 44
v “Deleting a CA Certificate” on page 44
v “Viewing Registered Certificates” on page 44
v “Registering a Certificate” on page 44
v “Unregistering a Certificate” on page 45
v “Exporting a certificate and key to PKCS12 file” on page 45
Introduction
This chapter describes how to use the provided certificate management tool
(CertTool) to install and configure digital certificates for a Tivoli Identity Manager
Adapter. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses
digital certificates for authentication, is used for secure communication between the
Tivoli Identity Manager Server and an Adapter.
For a production environment, you must obtain and use a signed production
certificate from a well-known Certificate Authority, or from your own Certificate
Authority, to ensure secure communications. The adapter does not come
prepackaged with a certificate.
This chapter provides information for managing digital certificates on the Tivoli
Identity Manager Adapter only. Please refer to the "Managing Digital Certificates"
chapter in the IBM Tivoli Identity Manager System Configuration Guide for
information about configuring the Tivoli Identity Manager Server for SSL.
Note: If you install, modify, or delete a certificate, you must stop and restart the
adapter before the changes take effect.
Overview of SSL and Digital Certificates
A Tivoli Identity Manager deployment must consider the security of
communication between all configured components. The industry-standard Secure
Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is
used for secure communication in a Tivoli Identity Manager deployment.
SSL provides secure connections by allowing two applications connecting over a
network connection to authenticate each other’s identity. Additionally, SSL provides
encryption of the data exchanged between the applications. Authentication allows
a server (one-way) to verify the identity of the application on the other end of a
network connection. Encryption makes data transmitted over the network
intelligible only to the intended recipient.
Features of SSL include the following concepts:
v SSL provides a mechanism for one application to authenticate itself to another
application.
v One-way SSL allows one application to be certain of the identity of the other
application.
v The application that assumes the "server" role possesses and uses a server-side
certificate to prove its identity to the client application.
v The application that is presented with a certificate must have in its possession
the root certificate (or certificate chain) of the Certificate Authority (CA) that
signed the certificate being presented. The root CA certificate, or chain, validates
the certificate being presented.
v In client connections, the client browser alerts the user when presented with a
certificate that is not issued by a recognized Certificate Authority.
Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no
longer supports two-way authentication.
Basic Configuration for Server-to-Adapter SSL
The following information pertains to a Tivoli Identity Manager deployment on
either the WebSphere or the WebLogic application server. In this scenario, the
Tivoli Identity Manager Server initiates communication with the adapter
(server-to-adapter) to complete a transaction originating from the browser.
Deployment summary:
v The Tivoli Identity Manager Server and the adapter use one-way authentication
over SSL.
v RSA SSL-C or Open SSL is used.
The Tivoli Identity Manager Adapter must have a valid signed certificate; the
Tivoli Identity Manager Server must have the corresponding CA certificate.
Note: In the diagram below, "ITIM Server" refers to the IBM Tivoli Identity
Manager Server.
Clustered Tivoli Identity Manager Configuration
In a clustered configuration, the Tivoli Identity Manager System uses one Web
Server to manage and load balance multiple Tivoli Identity Manager Servers. Each
Tivoli Identity Manager Server must have a valid CA certificate. All agents must
have associated CA and signed certificates.
Accessing the Certificate Configuration Tool Main Menu
The following procedure describes how to access the main menu of the CertTool
utility for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP certificate
parameters.
1. Select Programs from the Start menu, select Accessories, and then select
Command Prompt.
The Microsoft Windows DOS Command Prompt window appears.
2. Change to the adapter’s bin directory.
If the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directory
is in the default location, type cd \Tivoli\Agents\SAPAgent\bin.
3. Type CertTool -agent SAPAgent at the prompt.
Figure 3. Configuration for Server-to-Adapter SSL (diagram labels: ITIM Server on a WebSphere or WebLogic application server, with CA Cert A; one-way SSL; Agent, with Cert A; Resource)
The Main Configuration menu appears:
Main menu - Configuring agent: SAPAgent
------------------------------
A. Generate private key and certificate request
B. Install certificate from file
C. Install certificate and key from PKCS12 file
D. View current installed certificate
E. List CA certificates
F. Install a CA certificate
G. Delete a CA certificate
H. List registered certificates
I. Register certificate
J. Unregister a certificate
K. Export certificate and key to PKCS12 file
X. Quit
Choice:
Obtaining and installing a signed certificate:
The first set of options allows you to generate a Certificate Signing Request
(CSR) and install the returned signed certificate for the adapter itself. The
options here are:
A Generate a Certificate Signing Request (CSR) that is sent to the
Certificate Authority (CA), and the associated private key.
B Install a certificate from a file. This file must be the signed certificate
returned by the CA in response to the CSR generated by option A.
C Install a certificate from a PKCS12 format file that includes both the
public certificate and a private key. If options A and B are not used to
obtain a certificate, the certificate used must be in PKCS12 format.
D View all certificates installed on the system.
Additional configuration for two-way SSL:
The remaining options only apply if client validation (two-way authentication)
is required and enabled.
Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no
longer supports two-way authentication.
The second set of options allows installing root CA certificates. The CA
certificates are used by the Tivoli Identity Manager Adapter to validate the
associated certificates presented by the Tivoli Identity Manager Servers.
E Show the installed CA certificates. The adapter only communicates with
Tivoli Identity Manager Servers whose certificates are validated by one
of the installed CA certificates.
F Install a new CA certificate so that certificates generated by this CA can
be validated. The CA certificate file can be either in X.509, binary, or
PEM encoded formats.
G Remove one of the installed CA certificates.
Registering a signed certificate for two-way SSL:
The remaining options only apply if client validation (two-way authentication)
is required and enabled.
Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no
longer supports two-way authentication.
The third set of options allows the adapter to register the Tivoli Identity
Manager Server signed certificate. The Tivoli Identity Manager Server’s signed
certificate is then validated by the adapter when two-way SSL communication
is established. If the Tivoli Identity Manager Server’s signed certificate is
validated by one of the Adapter’s CA certificates but not registered with the
Adapter, the Adapter will refuse to communicate with the Tivoli Identity
Manager Server.
H List all registered certificates that will be accepted for communications.
I Register a new certificate. The certificate to be registered should be in
Base 64 encoded X.509 format.
J Unregister (remove) a certificate from the registered list.
K Export certificate and key to PKCS12 file.
This chapter includes a section for each of the following main functions:
v For option A, see “Generating a Private Key and Certificate Request.”
v For option B, see “Installing the Certificate from a File” on page 42.
v For option C, see “Installing the Certificate and Key from a PKCS12 File” on
page 43.
v For option D, see “Viewing Installed Certificates” on page 43.
v For option E, see “Viewing CA Certificates” on page 43.
v For option F, see “Installing a CA Certificate” on page 44.
v For option G, see “Deleting a CA Certificate” on page 44.
v For option H, see “Viewing Registered Certificates” on page 44.
v For option I, see “Registering a Certificate” on page 44.
v For option J, see “Unregistering a Certificate” on page 45.
v For option K, see “Exporting a certificate and key to PKCS12 file” on page 45.
Type X to return to the main menu.
Generating a Private Key and Certificate Request
The following procedure describes how to generate a private key and a certificate
request (CSR) for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.
1. Type option A (Generate a private key and certificate request) at the main
menu prompt.
Enter values for certificate request (press enter to skip value)
-------------------------------------------------------------------------
2. Type your organization name and press Enter.
Organization:
3. Type the desired organizational unit and press Enter.
Organizational Unit:
4. Type the name of the adapter you are requesting a certificate for and press
Enter.
Agent Name:
5. Type the contact email address and press Enter.
Email:
6. Type the country in which the adapter resides and press Enter.
Country:
7. Type the state in which the adapter resides (if the adapter is located in the
United States) and press Enter.
State:
Note: Some certificate authorities do not accept two letter abbreviations for
states.
8. Type the name of the city in which the adapter resides and press Enter.
Locality:
9. Type Y to accept the values displayed or type N to re-enter the values and
press Enter.
Accept these values (y/n)?
The key pair and certificate request are generated once the values are
accepted.
10. Type the name of the file to store the PEM certificate request and press Enter.
Enter name of file to store PEM cert request (Enter to cancel):
11. Press Enter.
The main menu reappears.
You must now request a certificate from a trusted certificate authority.
Example of Certificate Request Script
The following is an example of a certificate request:
Enter values for certificate request (press enter to skip value)
-----------------------------------------------------------------
Organization: ibm
Organizational Unit: engineering
Agent Name: ntagent
Email: [email protected]
Country: US
State: California
Locality: Irvine
Accept these values (y/n)? y
Generating key pair and certificate request ...
Enter name of file to store PEM cert request (Enter to cancel) : request.pem
Certificate request written to request.pem. Press Enter to continue.
Example of request.pem File
-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----
Installing the Certificate from a File
The following procedure describes how to install a certificate in the adapter
registry. This is the certificate you receive from your trusted certificate authority
after submitting your certificate request.
Note: If you received the certificate as part of an e-mail message, copy the text of
the certificate to a text file and copy the certificate file (the text file you just
created) to the adapter’s bin directory.
1. Type B (Install certificate from file) at the main menu prompt.
A prompt appears:
Enter name of certificate file:
2. Type the name of the certificate file and press Enter.
The certificate is installed in the adapter registry and the main menu reappears.
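As an added example (not IBM's code), the Go program below models the option A and option B flow end to end: it builds a request carrying the subject fields of the request script shown earlier, has a CA sign it, and then runs the checks worth doing before installing the returned file with option B: that the certificate carries the request's public key, chains to a CA certificate the ITIM Server will hold, and is inside its validity window. It assumes a throwaway CA created in code (IssueForRequest) in place of your real CA, an ECDSA key (the guide does not state CertTool's key type), and the request script's sample subject values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Subject fields as CertTool option A prompts for them (constructed sample
// values, copied from the request script example in this chapter).
var sampleSubject = pkix.Name{
	Organization:       []string{"ibm"},
	OrganizationalUnit: []string{"engineering"},
	CommonName:         "ntagent", // Agent Name
	Country:            []string{"US"}, Province: []string{"California"}, Locality: []string{"Irvine"},
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildCSR models option A: a fresh key pair and a PEM request like request.pem.
func BuildCSR(subject pkix.Name) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key))
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// IssueForRequest plays the CA (a throwaway one, so the example runs offline): it
// verifies the request's own signature and issues the certificate option B installs.
func IssueForRequest(csrPEM []byte, notBefore, notAfter time.Time) (certPEM, caPEM []byte, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if err = csr.CheckSignature(); err != nil {
		return nil, nil, fmt.Errorf("request signature invalid: %w", err)
	}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"IBM"}, CommonName: "TestCA"},
		NotBefore:    notBefore.Add(-24 * time.Hour), NotAfter: notAfter.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, leaf, must(x509.ParseCertificate(caDER)), csr.PublicKey, caKey))
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return certPEM, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), nil
}

// CheckSignedCert is the pre-install check for option B: the file the CA
// returned must parse, carry the public key of the request it answers, chain
// to a CA certificate the ITIM Server holds, and be valid at the given time.
func CheckSignedCert(certPEM, csrPEM, caPEM []byte, now time.Time) error {
	cb, _ := pem.Decode(certPEM)
	rb, _ := pem.Decode(csrPEM)
	if cb == nil || rb == nil {
		return errors.New("certificate or request is not PEM")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return err
	}
	csr, err := x509.ParseCertificateRequest(rb.Bytes)
	if err != nil {
		return err
	}
	// Key mismatch: the file was not issued for this request.pem, or the key was regenerated since.
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo) {
		return errors.New("certificate public key does not match the request")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate could be parsed")
	}
	// The check the ITIM Server makes with its installed CA certificate under one-way SSL;
	// it also rejects a certificate outside its validity window.
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}
```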
Installing the Certificate and Key from a PKCS12 File
The following procedure describes how to install the certificate and the private key
in the adapter registry from a PKCS12 (.pfx) file. This format includes both the
certificate and private key in a password protected file.
Note: Be sure to copy the certificate file to the adapter’s bin directory. For
example, C:\Tivoli\Agents\<agentname>\bin
1. Type C (Install certificate and key from PKCS12 file) at the main menu prompt.
2. Type the name of the PKCS12 file that has the certificate and private key
information and press Enter.
Enter name of PKCS12 file:
For example, DamlSrvr.pfx
3. Type the password to access the file and press Enter.
Enter password:
The certificate and private key are installed in the adapter registry.
Viewing Installed Certificates
You can list all of the certificates installed on your system using option D (View
currently installed certificates).
Type D (View currently installed certificates) at the main menu prompt.
The installed certificates are listed and the main menu reappears. The following is
an example of an installed certificate:
The following certificate is currently installed.
Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server
Viewing CA Certificates
The following procedure describes how to list all CA certificates installed on the
adapter.
Type E (List CA certificates) at the main menu prompt.
The installed CA certificates are listed and the main menu reappears. The
following is an example only.
Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006
Installing a CA Certificate
The following procedure describes how to install a CA certificate.
1. Type F (Install a CA certificate) at the main menu prompt.
A prompt appears:
Enter name of certificate file:
2. Type the name of the certificate file and press Enter.
The certificate file is opened and a prompt appears:
[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Install the CA? (Y/N)
3. Type Y to install the certificate and press Enter.
The CA certificate file is installed in the CACerts.pem file.
Deleting a CA Certificate
The following procedure describes how to delete a CA certificate from the adapter
directories.
1. Type G (Delete a CA certificate) at the main menu prompt.
A list of all CA certificates installed on the adapter is displayed.
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
Enter number of CA certificate to remove:
2. Type the number of the CA certificate you want to remove and press Enter.
The CA certificate is deleted from the CACerts.pem file and the main menu
reappears.
Viewing Registered Certificates
The following procedure describes how to view a list of all registered certificates
available to the adapter. Only requests that present a registered certificate will be
accepted by the adapter when client validation is enabled.
Type H (List registered certificates) at the main menu prompt.
The registered certificates are displayed and the main menu reappears. The
following is an example only.
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
Registering a Certificate
The following procedure describes how to register a certificate for the adapter.
1. Type I (Register certificate) at the main menu prompt.
A prompt appears:
Enter name of certificate file:
2. Type the name of the certificate file to be registered and press Enter.
The subject of the certificate is displayed and a prompt appears.
[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Register this CA? (Y/N)
3. Type Y to register the certificate and press Enter.
The certificate is registered to the adapter and the main menu reappears.
Unregistering a Certificate
The following procedure describes how to unregister a certificate for the adapter.
1. Type J (Unregister a certificate) at the main menu prompt.
The registered certificates are displayed. The following is an example only.
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
2. Type the number of the certificate file to be unregistered and press Enter.
The subject of the selected certificate is displayed.
3. Type Y to unregister the certificate and press Enter.
The certificate is removed from the registered certificate list for the adapter and
the main menu reappears.
Exporting a certificate and key to PKCS12 file
In order to export a certificate and key to a PKCS12 file for the adapter, complete
the following steps:
1. At the Main Menu prompt, type K.
The following prompt is displayed:
Enter name of PKCS12 file:
2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file
for the installed certificate or private key, and press Enter.
3. At the Enter Password prompt, type the password for the PKCS12 file, and
press Enter.
4. At the Confirm Password prompt, type the password again, and press Enter.
The certificate and private key are exported to the PKCS12 file, and the Main
Menu is displayed.
Appendix A. Adapter Variables
As part of the adapter implementation, a dedicated account for Tivoli Identity
Manager to access SAP Server is created on SAP Server. The Adapter for SAP
NetWeaver AS ABAP consists of files and directories owned by the Tivoli Identity
Manager account. The Tivoli Identity Manager-owned files establish
communication with the Tivoli Identity Manager Server.
Variable Descriptions
The Tivoli Identity Manager Server communicates with the Adapter for SAP
NetWeaver AS ABAP using variables included in transmission packets sent over a
network. The combination of variables, included in the packets, depends on the
type of action the Tivoli Identity Manager Server requests from the Adapter for
SAP NetWeaver AS ABAP.
The following table is an alphabetical listing of the variables used by the Adapter
for SAP NetWeaver AS ABAP. The table gives a brief description and the data
format associated with the variable.
Table 10. Variable descriptions
Variable | Directory Server Attribute | Description | Data Type
ACADEMIC | erSAPacademic | Dr., Prof., and so on | SAP predefined value
ACCOUNT | erSAPaccount | User account identification | Character or numeric string, which is not SAP predefined
ADDRESSTYPE | erSAPaddresstype | Form of address: Mr., Mrs., Ms | Character or numeric string
AGR_NAME | erSAPagrname | Activity group name | Character or numeric string
ALIAS | erSAPalias | Internet user alias | String
BUILDING | erSAPbuilding | Building number | Character or numeric string
CATT | erSAPcatt | CATT test status | Yes or No
COMPANY | erSAPcompany | Company address number | SAP predefined value
COSTCENTER | erSAPcostcenter | User cost center | Character or numeric string
COUNTRY | c | Country key code of user | Character or numeric string, SAP country key
CREATEON | erSAPcreateon | Creation date of user master record | Character or numeric string
CREATOR | erSAPcreator | Name of creator of the user master record | Character or numeric string
DATEFORMAT | erSAPdateformat | Date format | SAP predefined value, 5 date format versions
DATEFROM | erSAPdatefrom | Valid from date | Up to 6 data format versions
DATEUNTIL | erSAPdateuntil | Valid until date | Up to 6 data format versions
DECIMALPOINT | erSAPdecimalpoint | Decimal notation, either period or comma | Character or numeric string
DEPARTMENT | erDepartment | Department | Character or numeric string
DISABLEPWD | erSAPdisablePwd | If true, disable user's password (for SAP 6.1 and higher) | Boolean
EMAILADDRESS | erSAPemailaddress | E-mail address. This attribute is a multi-value attribute. If one or more e-mail addresses are defined, one e-mail address must be designated as the Standard e-mail address. | Character or numeric string
FAXEXT | erSAPfaxext | Fax number and extension | Character or numeric string
FLOOR | erSAPfloor | Floor in building | Character or numeric string
FUNCTION | erSAPfunction | Function of user | Character or numeric string
GIVENNAME | givenname | First name | Character or numeric string
GROUP | erSAPgroup | User group | SAP predefined value
L_LOGON_TIME | erSAPllogontime | Last logon time | Character or numeric string
language | erSAPlanguage | Language set in the user's address record | String
LANGUAGELOGIN | erSAPlanguagelogingiso | User's login language | String
LANGUP | erSAPlangkey | User's login language key. This attribute is not case sensitive. Therefore, uppercase language keys must be flagged with the ^ delimiter. | String
last_access | erLastAccessDate | Last logon date | Character or numeric string
lClient | erSAPlClient | SAP organizational unit. Required for all requests. | SAP predefined value
lCua | erSAPCuaOption | If set to true, the adapter will assume that the SAP client is CUA enabled. | Boolean
lDestination | erSAPlDestination | SAP destination machine name. Required for all requests. | SAP predefined value
lGwHost | erSAPlGhost | Fully qualified IP address of the gateway host. The SAP gateway is a group of processes that allow communication between R/2 systems, NetWeaver AS ABAP systems, and external applications based on the CPIC protocol. Required for all requests. | SAP predefined value
lGwservice | erSAPlGwservice | SAP gateway service. The SAP gateway service is the interface between SAP and the Tivoli Identity Manager adapter. Required for all requests. | SAP predefined value
lHostname | erSAPlHostname | Fully qualified IP address of the system where SAP is installed. Required for all requests. | SAP predefined value
lLanguage | erSAPllanguage | Adapter for SAP NetWeaver AS ABAP account login language. Required for all requests. | String
SAPHRLinkUsed | erSAPHRLinkUsed | If set to true, the Adapter is able to link HR Personnel Records to the SAP User Account using infotype 105. | Boolean
SAPHRrfcDest | erSAPHRrfcDest | If the SAP system has CUA configured, then this RFC Destination is required to enable a proxy RFC call from the CUA master System onto the HR System. | String
lMode | erSAPlMode | SAP mode. Required for all requests. | SAP predefined value
lSelectSAPVersion | erSAPVersion | SAP version selected on the Service Profile | String
LOCNT | erSAPlocnt | Counter for incorrect logons per user | Character or numeric string
LOGSYSTEM | erSAPlogicalSystem | Used to add the user to the Systems Logical Name(s) values passed in the attribute. Required for all requests. | String, multi-valued
lPassword | erpassword | Password to log into the SAP system. Required for all requests. | SAP predefined value
lSysnr | erSAPlSysnr | SAP system number. Required for all requests. | SAP predefined value
lTrace | erSAPlTrace | Flag that indicates whether or not to enable the tracing feature. Required for all requests. | Boolean
lUser | erSAPlUser | SAP login ID. Required for all requests. | SAP predefined value
RCVSYSTEM | erSAPlicRcvSys | Receiving System for CUA | String
LIC_TYPE | erSAPlicUType | Contractual User Type | String
SPEC_VERS | erSAPlicSpecVer | Assignment To Special Version | String
COUNTRY_SURCHARGE | erSAPlicSurChrg | Country Surcharge (+999 to -100) | String
SUBSTITUTE_FROM | erSAPlicSubFrom | Substitute Date From | String
SUBSTITUTE_UNTIL | erSAPlicSubTo | Substitute Date Until | String
SYSID | erSAPlicSysID | Chargeable User SAP System | String
CLIENT | erSAPlicClient | Chargeable User Client | String
BNAME_CHARGEABLE | erSAPlicBname | Chargeable User Name | String
MENU | erSAPmenu | SAP start menu | SAP predefined value
NAME1 | erSAPname1 | Additional name field | String
NAME2 | erSAPname2 | Additional name field | String
NAME3 | erSAPname3 | Additional name field | String
NAME4 | erSAPname4 | Additional name field | String
NAMEFORMAT | erSAPnameformat | User name formatted as first last | SAP predefined value
NoPwdChange | erSAPNoPwdChng | If set to true, the user will not be forced to do a password change. | Boolean
ORT01 | erSAPort01 | Town 1 | String
ORT02 | erSAPort02 | Town 2 | String
OUTPUT DEVICE | erSAPoutputdevice | Device | SAP predefined value
PASSWORD | erpassword | Password | String
PERSONNELNO | erSAPpersonnelNo | HR InfoType 105 personnel number | String
PHONEMAIN | telephoneNumber | Main telephone number | Character or numeric string
PID | erSAPparid | Parameter identification | SAP predefined value
POBOX | erSAPpobox | Post Office box number | Integer
POSTAL | erSAPpostal | Zip code | Integer
PREFIX1 | erSAPprefix1 | Von, El, etc. | SAP predefined value
PRNTDELETE | erSAPprntdelete | Delete after print | Character or numeric string
PRNTIMMEDIATE | erSAPprntimmediate | Print immediately | Character or numeric string
PROFILE | erSAPprofile | Authorization Profiles | SAP predefined value
UnlockOnPwdChange | erSAPpwdUnlock | If set to true, on a successful password change, if the account was locked from too many failed login attempts, then the account is unlocked. | Boolean
REGION | l | Region | String
ROOM | erSAProom | Room number | Character or numeric string
SAP_INSTANCE | erSAPinstance | Adapter instance name selected on the Service Profile | String
SNC Name | erSAPsncName | Printable SNC name | String
SNC FLAG | erSAPsncFlag | Flag that allows non-secure communication | SAP Boolean
SORRT1_P | erSAPsorrt1p | Search term 1 | String
STREET | erSAPstreet | Street address | String
SURNAME | sn | Last name | Input supplied
TEL01 | erSAPtel01 | First telephone number extension | String
TEL02 | erSAPtel02 | Second telephone number extension | String
TELEFAX | facsimileTelephoneNumber | Telefax number | Character or numeric string
TELEPHONEEXT | erSAPtelephoneext | Telephone number: extension | Character or numeric string
TELTX | erSAPteltx | Teletex number | String
TELX1 | erSAPtelx1 | Teletex number | String
TIMEZONE | erSAPtimezone | Timezone | SAP predefined value, existing timezone remains if a conflict is noted
TYPE | erSAPtype | User type (A=online, C=CPIC, D=BDC, O=ODC) | SAP predefined value, between 1 and 4, defaults to dialog user
UserName | eruid | User's login ID | String
UserStatus | erAccountStatus | User lock status | Character or numeric string
Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver
AS ABAP Actions
The following lists are typical Adapter for SAP NetWeaver AS ABAP actions by
their functional transaction group. The lists include more information about
required and optional variables sent to the Adapter for SAP NetWeaver AS ABAP
to complete that action.
System Login Add
A Login Add is a request to create a new user account in the domain with the
specified attributes.
Table 11. Add function attributes
Required Variables: USERNAME, PASSWORD, GIVENNAME, SURNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
Optional Variables: All other supported attributes.
System Login Change
Use the Change function to change one or more attributes for the specified users.
Table 12. Change function attributes
Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
Optional Variables: All supported attributes.
System Login Delete
The Delete function removes the specified user from the active directory.
Table 13. Delete function
Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
Optional Variables: None
System Login Suspend
Use the Suspend function to disable a user account. The user is neither removed
nor are their attributes modified.
Table 14. Suspend function
Required Variables: USERNAME, Userstatus, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
Optional Variables: None
System Login Restore
Use the Restore function to re-activate a user account that was previously
suspended. After restoring, the user can access the system with the same attributes
as before the Suspend function was called.
Table 15. Restore Function
Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
Optional Variables: None
Reconciliation
The Reconciliation function synchronizes user account information between Tivoli
Identity Manager and the adapter. The following is a full set of access attributes
returned by reconciliation. An asterisk (*) denotes attributes that are for
informational purposes only.
Table 16. Reconciliation function
Attributes Returned During Reconciliation
ACADEMIC
ACCOUNT
ADDRESSTYPE
AGR_NAME
ALIAS
BNAME_CHARGEABLE
BUILDING
CATT
COMM. METHOD
COMPANY
COSTCENTER
COUNTRY
COUNTRY_SURCHARGE
CLIENT
CREATE_ON
CREATOR
DATEFORMAT
DATEFROM
DATEUNTIL
DECIMALPOINT
DEPARTMENT
EMAILADDRES
FAXEXT
FLOOR
FUNCTION
GIVENNAME
GROUP
LIC_TYPE
L_LOGON_TIME
LANGUAGE
LANGUAGELOGIN_ISO
LANGUP
LOCNT
MENU
NAME1
NAME2
NAME3
NAME4
NAMEFORMAT
ORT01
ORT02
OUTPUTDEVICE
PHONEMAIN
PID
POBOX
POSTAL
PREFIX1
PRNTDELETE
PRNTIMMEDIATE
PROFILE
RCVSYSTEM
REGION
ROOM
SNC Flag
SNC Name
SORRT1_P
SPEC_VERS
STREET
SUBSTITUTE_FROM
SUBSTITUTE_UNTIL
SURNAME
SYSID
TEL01
TEL02
TELEFAX
TELEPHONEEXT
TELTX
TELX1
TIMEZONE
TYPE
USER
UserName
UserStatus
Note: When modifying the Contractual license type, some types require either the
special version or the country surcharge, but not both. If you are switching
from a special version value to a country surcharge, be sure to set the
special version to the value "No Special Version". If you are switching from
a country surcharge to a special version, be sure to set the country surcharge
to "0".
Appendix B. SAP Account Requirements
This appendix describes the requirements of the SAP account used by the IBM Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP and the SAP objects
installed on the SAP Server.
SAP Objects
The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP calls
built-in SAP objects and custom SAP objects designed by IBM Tivoli. Table 17
shows all the objects accessed by the IBM Tivoli Identity Manager Adapter
for SAP NetWeaver AS ABAP. Note that custom object names are prefixed with
“Z_”.
SAP User
The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses an
SAP user to connect to the SAP server. The user name is supplied on the Tivoli
Identity Manager adapter service profile, and the user password is supplied on the
adapter configuration.
The SAP user must have permission to perform the following user administration
tasks:
v Add
v Modify
v Delete
v Lock
v Unlock
v Retrieve user detail
v Retrieve supporting data
In addition, the SAP user must have access to every object listed in Table 17
that applies to your SAP release and to whether CUA and HR Info Type 105 are in
use. Scope the authorizations to those objects rather than assigning a broad
administrative profile: a user that can create, change, and delete other users
is a high-value credential and should carry nothing the adapter does not need.
It is recommended that the SAP user type be set to System and not Dialog. A
System user cannot log on interactively through the SAP GUI, which limits what
the adapter credential can be used for if it is disclosed.
Table 17. SAP Objects used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP
(Y/N: whether the adapter uses the object on that SAP release)

No. | Object | Description | Access Type | 45B | 46B | 46C | 6.1 | 6.2
1 | BAPI_USER_ACTGROUPS_ASSIGN | Add, Mod: NON-CUA (Roles) | Write | Y | Y | Y | Y | Y
2 | BAPI_USER_CHANGE | Mod | Write | Y | Y | Y | Y | Y
3 | BAPI_USER_CREATE | Add | Write | Y | N | N | N | N
4 | BAPI_USER_CREATE1 | Add | Write | N | Y | Y | Y | Y
5 | BAPI_USER_DELETE | Del | Write | Y | Y | Y | Y | Y
6 | BAPI_USER_GET_DETAIL | Mod, Search | Read | Y | Y | Y | Y | Y
7 | BAPI_USER_LOCK | Mod | Write | Y | Y | Y | Y | Y
8 | BAPI_USER_PROFILES_ASSIGN | Add, Mod: NON-CUA (Profiles) | Write | Y | Y | Y | Y | Y
9 | BAPI_USER_UNLOCK | Mod | Write | Y | Y | Y | Y | Y
10 | RFC_READ_TABLE: AGR_DEFINE | Search: NON-CUA (List of Valid Roles) | Read | N | Y | Y | Y | Y
11 | RFC_READ_TABLE: PA0105 | Search: HR Only - Info Type 105 (User's Employee No.) | Read | N | N | Y | Y | Y
12 | RFC_READ_TABLE: T002 | Search: List of Valid Language Codes | Read | N | Y | Y | Y | Y
13 | RFC_READ_TABLE: T002T | Search: List of Valid Language Descriptions | Read | N | Y | Y | Y | Y
14 | RFC_READ_TABLE: T005T | Search: List of Valid Country Codes | Read | N | Y | Y | Y | Y
15 | RFC_READ_TABLE: TBDLS | Search: CUA Only (List of Valid Subsystems) | Read | N | N | Y | Y | Y
16 | RFC_READ_TABLE: TPARA | Search: List of Valid Parameter IDs | Read | N | Y | Y | Y | Y
17 | RFC_READ_TABLE: TSAD2 | Search: List of Valid Academic Titles | Read | N | Y | Y | Y | Y
18 | RFC_READ_TABLE: TSAD3T | Search: List of Valid Titles | Read | N | Y | Y | Y | Y
19 | RFC_READ_TABLE: TTREE | Search: List of Valid Menus | Read | N | Y | Y | Y | Y
20 | RFC_READ_TABLE: TZONE | Search: List of Valid Time Zones | Read | N | Y | Y | Y | Y
21 | RFC_READ_TABLE: USER_GROUPS | Mod, Search | Read | N | Y | Y | Y | Y
22 | RFC_READ_TABLE: USGRP | Search: List of Valid Groups | Read | N | Y | Y | Y | Y
23 | RFC_READ_TABLE: USGRP_USER | Search: User's Groups | Read | N | Y | Y | Y | Y
24 | RFC_READ_TABLE: USL04 | Search: CUA Only (User's Profiles) | Read | N | N | Y | Y | Y
25 | RFC_READ_TABLE: USLA04 | Search: CUA Only (User's Roles) | Read | N | N | Y | Y | Y
26 | RFC_READ_TABLE: USR10 | Search: NON-CUA (List of Valid Profiles) | Read | N | Y | Y | Y | Y
27 | RFC_READ_TABLE: USRSYSACT | Search: CUA Only (List of Valid Roles) | Read | N | N | Y | Y | Y
28 | RFC_READ_TABLE: USRSYSPRF | Search: CUA Only (List of Valid Profiles) | Read | N | N | Y | Y | Y
29 | RFC_READ_TABLE: USZBVSYS | Search: CUA Only (User's Subsystems) | Read | N | N | Y | Y | Y
30 | /TIVSECTY/TIM_USER_SUBSYS_620 | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N | Y | Y | Y | Y
31 | /TIVSECTY/TIM_USER_SUBSYS_46C | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N | N | Y | Y | Y
32 | /TIVSECTY/TIM_USER_HR_620 | Add, Mod, Del: HR Only - Info Type 105 (Employee No.) | Write | N | Y | Y | Y | Y
33 | /TIVSECTY/TIM_USER_LIST_620 | Search | Read | Y | Y | Y | Y | Y
34 | /TIVSECTY/TIM_USER_PWD_620 | Mod: CUA | Write | N | N | Y | Y | Y
35 | /TIVSECTY/TIM_USER_PWD_46C | Mod: CUA | Write | N | N | Y | Y | Y
36 | /TIVSECTY/TIM_USER_USR02_620 | Search | Read | Y | Y | Y | Y | Y
37 | /TIVSECTY/TIM_USER_CHG_620 | Mod | Write | N | N | Y | Y | Y
38 | /TIVSECTY/TIM_USER_CHG_46C | Mod | Write | N | N | Y | Y | Y
39 | BAPI_USER_LOCACTGROUPS_READ | Search: CUA (Roles) | Write | N | N | Y | Y | Y
40 | BAPI_USER_LOCACTGROUPS_ASSIGN | Add, Mod: CUA (Roles) | Write | N | N | Y | Y | Y
41 | BAPI_USER_LOCPROFILES_READ | Search: CUA (Profiles) | Write | N | N | Y | Y | Y
42 | BAPI_USER_LOCPROFILES_ASSIGN | Add, Mod: CUA (Profiles) | Write | N | N | Y | Y | Y
43 | /TIVSECTY/TIM_USER_CUAHR_620 | Add, Mod, Del: HR Only - Info Type 105 (Employee No.) | Write | N | N | Y | Y | Y
44 | /TIVSECTY/TIM_USER_ADD_620 | Add | Write | N | N | Y | Y | Y
45 | /TIVSECTY/TIM_USER_ADD_46C | Add | Write | N | N | Y | Y | Y
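Table 17 is the input an SAP administrator needs when building the adapter user's role, but reading 45 rows against a release and a CUA/HR scenario by hand is error-prone. The following script is an added example, not part of this guide or of the adapter's own code: it transcribes Table 17 and derives, for one SAP release and one scenario, the set of function modules and tables the adapter user must be allowed to reach. Two things in it are assumptions rather than statements from the table: the rule for deciding which rows belong to the CUA, non-CUA, or HR-linked scenario (read off the Description column, with /TIVSECTY/TIM_USER_HR_620 taken as the non-CUA counterpart of /TIVSECTY/TIM_USER_CUAHR_620), and the grouping of the result under the SAP authorization object S_RFC in authorization_values().

```python
"""Least-privilege object list for the adapter's SAP user, derived from Table 17.

Added example, not part of the original guide or the adapter's own code. ROWS
transcribes Table 17. Which rows apply to a given CUA / HR Info Type 105 scenario
is this example's reading of the Description column (an assumption), as is the
S_RFC grouping in authorization_values().
"""

VERSIONS = ("45B", "46B", "46C", "6.1", "6.2")

# (object, description, access type, Y/N per release in VERSIONS order)
ROWS = (
    ("BAPI_USER_ACTGROUPS_ASSIGN", "Add, Mod: NON-CUA (Roles)", "Write", "YYYYY"),
    ("BAPI_USER_CHANGE", "Mod", "Write", "YYYYY"),
    ("BAPI_USER_CREATE", "Add", "Write", "YNNNN"),
    ("BAPI_USER_CREATE1", "Add", "Write", "NYYYY"),
    ("BAPI_USER_DELETE", "Del", "Write", "YYYYY"),
    ("BAPI_USER_GET_DETAIL", "Mod, Search", "Read", "YYYYY"),
    ("BAPI_USER_LOCK", "Mod", "Write", "YYYYY"),
    ("BAPI_USER_PROFILES_ASSIGN", "Add, Mod: NON-CUA (Profiles)", "Write", "YYYYY"),
    ("BAPI_USER_UNLOCK", "Mod", "Write", "YYYYY"),
    ("RFC_READ_TABLE: AGR_DEFINE", "Search: NON-CUA (List of Valid Roles)", "Read", "NYYYY"),
    ("RFC_READ_TABLE: PA0105", "Search: HR Only - Info Type 105 (User's Employee No.)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: T002", "Search: List of Valid Language Codes", "Read", "NYYYY"),
    ("RFC_READ_TABLE: T002T", "Search: List of Valid Language Descriptions", "Read", "NYYYY"),
    ("RFC_READ_TABLE: T005T", "Search: List of Valid Country Codes", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TBDLS", "Search: CUA Only (List of Valid Subsystems)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: TPARA", "Search: List of Valid Parameter IDs", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TSAD2", "Search: List of Valid Academic Titles", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TSAD3T", "Search: List of Valid Titles", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TTREE", "Search: List of Valid Menus", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TZONE", "Search: List of Valid Time Zones", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USER_GROUPS", "Mod, Search", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USGRP", "Search: List of Valid Groups", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USGRP_USER", "Search: User's Groups", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USL04", "Search: CUA Only (User's Profiles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USLA04", "Search: CUA Only (User's Roles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USR10", "Search: NON-CUA (List of Valid Profiles)", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USRSYSACT", "Search: CUA Only (List of Valid Roles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USRSYSPRF", "Search: CUA Only (List of Valid Profiles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USZBVSYS", "Search: CUA Only (User's Subsystems)", "Read", "NNYYY"),
    ("/TIVSECTY/TIM_USER_SUBSYS_620", "Add, Mod: CUA Only (Subsystems, Roles and Profiles)", "Write", "NYYYY"),
    ("/TIVSECTY/TIM_USER_SUBSYS_46C", "Add, Mod: CUA Only (Subsystems, Roles and Profiles)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_HR_620", "Add, Mod, Del: HR Only - Info Type 105 (Employee No.)", "Write", "NYYYY"),
    ("/TIVSECTY/TIM_USER_LIST_620", "Search", "Read", "YYYYY"),
    ("/TIVSECTY/TIM_USER_PWD_620", "Mod: CUA", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_PWD_46C", "Mod: CUA", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_USR02_620", "Search", "Read", "YYYYY"),
    ("/TIVSECTY/TIM_USER_CHG_620", "Mod", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_CHG_46C", "Mod", "Write", "NNYYY"),
    ("BAPI_USER_LOCACTGROUPS_READ", "Search: CUA (Roles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCACTGROUPS_ASSIGN", "Add, Mod: CUA (Roles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCPROFILES_READ", "Search: CUA (Profiles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCPROFILES_ASSIGN", "Add, Mod: CUA (Profiles)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_CUAHR_620", "Add, Mod, Del: HR Only - Info Type 105 (Employee No.)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_ADD_620", "Add", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_ADD_46C", "Add", "Write", "NNYYY"),
)

def _scope(name, desc):
    """CUA scoping read off the Description column; HR_620 vs CUAHR_620 by name (assumption)."""
    if "NON-CUA" in desc or name.endswith("TIM_USER_HR_620"):
        return "non-cua"
    if "CUA" in desc or "CUAHR" in name:
        return "cua"
    return "any"

def required_objects(version, cua, hr):
    """(object, access) pairs from Table 17 that this release and scenario need."""
    col = VERSIONS.index(version)
    out = []
    for name, desc, access, flags in ROWS:
        if flags[col] != "Y":
            continue  # object not used on this release
        if _scope(name, desc) == ("non-cua" if cua else "cua"):
            continue  # wrong side of the CUA / non-CUA split
        if "HR Only" in desc and not hr:
            continue  # HR Info Type 105 linking not in use
        out.append((name, access))
    return out

def authorization_values(version, cua, hr):
    """Group the result the way it is entered into an SAP role. ASSUMPTION: function
    modules are granted through authorization object S_RFC (RFC_NAME, ACTVT 16); the
    tables reached via RFC_READ_TABLE are listed separately, since S_RFC does not cover them."""
    objs = required_objects(version, cua, hr)
    fms = sorted({n.split(":")[0] for n, _ in objs})
    tables = sorted(n.split(": ")[1] for n, _ in objs if n.startswith("RFC_READ_TABLE:"))
    writes = sorted(n for n, a in objs if a == "Write")
    return {"S_RFC": {"RFC_NAME": fms, "ACTVT": "16"},
            "RFC_READ_TABLE_tables": tables, "write_capable": writes}

if __name__ == "__main__":
    v = authorization_values("6.2", cua=True, hr=True)
    print("S_RFC RFC_NAME:", ", ".join(v["S_RFC"]["RFC_NAME"]))
    print("tables via RFC_READ_TABLE:", ", ".join(v["RFC_READ_TABLE_tables"]))
```

The write_capable list is the part worth reviewing with the SAP security team: every object in it lets the adapter user change other users, so a role built from this output should grant those modules and nothing else, and a compromise of the adapter credential should be assumed to reach all of them. Rows 39 and 41 are carried over with the "Write" access type exactly as Table 17 states it.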
Appendix C. Additional Installation Options
This chapter describes installation options available when installing the adapter.
In addition to installation information, instructions are provided to uninstall the
adapter. Each step includes a short procedure that completes one aspect of the
overall adapter uninstall process. You must complete the steps in the order they
are listed.
Installation Options
Several adapter installation options are provided to account for disparate
environments and preferences.
Setup Arguments
This section details arguments that can be used with the adapter and adapter
profile installation executables. All of the arguments described here can be
combined with the -is:javaconsole -console option to use a command line text
interface instead of a GUI.
<adapter or profile install>.exe -options-record <filename>
This command records the options that were selected during an interactive
install into a file.
<adapter or profile install>.exe -options-template <filename>
This command creates a template file that has fields for all of the options
that may be selected during installation. This file can then be edited to
include the desired responses and played back with the option below.
<adapter or profile install>.exe -silent -options <filename>
This command plays back the recorded or edited options file during a silent
installation, where installation is performed with no user interaction. Review
the file before reusing it: it holds every response given during the recording
run, so protect it and remove it once the silent installations are done.
Adapter Removal
This section describes the Tivoli Identity Manager Adapter for SAP NetWeaver AS
ABAP uninstall procedures. Give users advance warning that the resource will be
unavailable prior to removing the adapter. If the server is taken offline, Tivoli
Identity Manager Adapter for SAP NetWeaver AS ABAP requests that are not
completed may not be recoverable when the server is back online.
Complete the following procedure to remove the Tivoli Identity Manager Adapter
for SAP NetWeaver AS ABAP and directories.
1. Stop the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service.
2. Execute the uninstall binary:
On a Windows host:
Open Windows Explorer and execute the uninstaller:
C:\Tivoli\Agents\SAPAgent\_uninst\uninstaller.exe
On a UNIX host:
Run the following command:
.../Tivoli/Agents/SAPAgent/_uninst/uninstaller.bin
The Uninstaller welcome dialog window appears.
© Copyright IBM Corp. 2004, 2005, 2006 63
3. Click Next.
The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP components
are deleted.
4. Click Finish.
You will be prompted to reboot your system.
Note: Inspect the directory tree for Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP directories, subdirectories, and files to verify that
uninstall is complete. The Tivoli Identity Manager Adapter for SAP
NetWeaver AS ABAP should no longer appear in the Services dialog
window.
Appendix D. Example Deployment Scenarios
This chapter provides diagrams illustrating a few deployment scenarios, to give
you a better understanding of your environment from end-to-end.
Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking
[Figure 4 (diagram). Components shown: an ITIM Server holding an ITIM
Provision Policy for SAP non-CUA HR System, an ITIM Service for SAP 6.20
non-CUA HR System, and an ITIM Service for SAP 4.6C non-CUA HR System; an
ITIM Agent for SAP NetWeaver AS ABAP, connected through librfc32.dll; two
target systems, SAP NetWeaver AS ABAP System v4.6C non-CUA and SAP NetWeaver
AS ABAP System v6.20 non-CUA, each with the SAP HR Module. Labels shown in
the figure: TV2K900096, TV2K900098.]
Figure 4. Tivoli Identity Manager for SAP non-CUA with HR Linking
Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking
[Figure 5 (diagram). Components shown: an ITIM Server holding an ITIM
Provision Policy for SAP CUA HR System and an ITIM Service for SAP 6.20 CUA
HR System; an ITIM Agent for SAP NetWeaver AS ABAP, connected through
librfc32.dll; a SAP NetWeaver AS ABAP System v6.20 CUA Master with the SAP
HR Module; and SAP NetWeaver AS ABAP System v6.20 Child 1, Child 2, and
Child 3 attached to the CUA Master. Labels shown in the figure: TV2K900100,
TV2K900063, TV2K900069, TV2K900099.]
Figure 5. Tivoli Identity Manager for SAP CUA with HR Linking
Appendix E. Support information
This section describes the following options for obtaining support for IBM
products:
v “Searching knowledge bases”
v “Contacting IBM Software Support”
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or
network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate Tivoli Identity Manager
products. Click the link for your product, and then browse the information
center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus, and Rational products, as well as DB2 and WebSphere products that run
on Windows or UNIX operating systems), enroll in Passport Advantage in one
of the following ways:
– Online: Go to the Passport Advantage Web page
(http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home)
and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
v For IBM eServer software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries, pSeries, and iSeries environments), you
can purchase a software maintenance agreement by working directly with an
IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
v Online: Go to the ″Submit and track problems″ page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your
geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases.
Appendix F. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
ibm.com
AIX
AS/400
DB2
Domino
Informix
iSeries
Linux
Lotus
Lotus Notes
MQSeries
Notes
OS/400
Power PC
Tivoli
Tivoli logo
Universal Database
WebSphere
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.