Tivoli® Identity Manager Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide, Version 4.6, SC32-1194-11


  • Note: Before using this information and the product it supports, read the information in Appendix F, "Notices," on page 71.

    Eleventh Edition (November, 2006)

    This edition applies to version 4.6.6 of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous editions.

    Copyright International Business Machines Corporation 2004, 2005, 2006. All rights reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

  • Contents

    Preface
      Who should read this book
      Publications and related information
      Tivoli Identity Manager library
      Prerequisite Product Publications
      Related Publications
      Accessing publications online
      Accessibility
      Support information
      Conventions used in this book
      Typeface conventions
      Operating system differences
      Definitions for HOME directory variables

    Chapter 1. Overview

    Chapter 2. Adapter Installation
      Requirements
      Step 1: Testing Network Connectivity
      Step 2: Installing the Adapter
      Step 3: Importing the Transport Files
      Step 4: Activating the Adapter as a Service
      Step 5: Configuring the Adapter
      Step 6: Installing the Adapter's Certificate
      Step 7: Installing the Adapter's Profile
      Step 8: Configuring the Adapter's Forms

    Chapter 3. Adapter Profile Installation
      Introduction
      Requirements
      Installing the Adapter Profile
      Verifying the Adapter Profile is Installed

    Chapter 4. Adapter Parameters Modification
      Accessing the Adapter Configuration Tool Main Menu
      Viewing Configuration Settings
      Changing Protocol Configuration Settings
      Adding a Protocol
      Removing a Protocol
      Configuring a Protocol
      Setting Event Notification
      Setting Attributes to be Reconciled
      Modifying an Event Notification Context
      Changing the Configuration Key
      Changing Activity Logging Settings
      Changing Registry Settings
      Modifying Non-encrypted Registry Settings
      Modifying Encrypted Registry Settings
      Multi-instance Settings
      Changing Advanced Settings
      Viewing Statistics
      Changing code page settings
      Accessing Help and Additional Options

    Chapter 5. Certificate Installation
      Introduction
      Overview of SSL and Digital Certificates
      Basic Configuration for Server-to-Adapter SSL
      Clustered Tivoli Identity Manager Configuration
      Accessing the Certificate Configuration Tool Main Menu
      Generating a Private Key and Certificate Request
      Example of Certificate Request Script
      Example of request.pem File
      Installing the Certificate from a File
      Installing the Certificate and Key from a PKCS12 File
      Viewing Installed Certificates
      Viewing CA Certificates
      Installing a CA Certificate
      Deleting a CA Certificate
      Viewing Registered Certificates
      Registering a Certificate
      Unregistering a Certificate
      Exporting a certificate and key to PKCS12 file

    Appendix A. Adapter Variables
      Variable Descriptions
      Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions
      System Login Add
      System Login Change
      System Login Delete
      System Login Suspend
      System Login Restore
      Reconciliation

    Appendix B. SAP Account Requirements
      SAP Objects
      SAP User

    Appendix C. Additional Installation Options
      Installation Options
      Setup Arguments
      Adapter Removal

    Appendix D. Example Deployment Scenarios
      Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking
      Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking

    Appendix E. Support information
      Searching knowledge bases
      Search the information center on your local system or network
      Search the Internet
      Contacting IBM Software Support
      Determine the business impact of your problem
      Describe your problem and gather background information
      Submit your problem to IBM Software Support

    Appendix F. Notices
      Trademarks

  • Preface

    The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running SAP NetWeaver AS ABAP. This document describes the procedural steps that are required to install and configure the adapter.

    This document assumes that both Tivoli Identity Manager and SAP NetWeaver AS ABAP are installed, configured and running on your network. No details are provided regarding the installation and configuration of these products, except where necessary to achieve integration.

    Who should read this book

    This manual is intended for security administrators responsible for installing software on their site's computer systems. Readers are expected to understand security administration concepts.

    The person completing the installation procedure should also be familiar with their site's system standards. Readers should be able to perform routine security administration tasks.

    Publications and related information

    Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read "Prerequisite Product Publications" on page vii and "Related Publications" on page viii. After you determine the publications you need, refer to the instructions in "Accessing publications online" on page viii.

    Tivoli Identity Manager library

    The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:

    - Release information
    - Online user assistance
    - Server installation and configuration
    - Problem determination
    - Technical supplements
    - Adapter installation and configuration

    Release Information:

    - IBM Tivoli Identity Manager Release Notes: Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
    - IBM Tivoli Identity Manager Documentation Read This First Card: Lists the Tivoli Identity Manager publications.

    Online user assistance:

    Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

    Server installation and configuration:

    IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

    Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

    Problem determination:

    IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

    Technical supplements:

    The following technical supplements are provided by developers or by other groups who are interested in this product:

    - IBM Tivoli Identity Manager Performance Tuning Guide: Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
    - Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link.
    - Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/
    - Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
    - For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

    Adapter installation and configuration:

    The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:

    http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

    Browse to Other resources, and click the link for the current inventory of adapters.

    Skills and training:

    The following additional skills and technical training information were available at the time that this manual was published:

    - Virtual Skills Center for Tivoli Software on the Web at: http://www.cgselearning.com/tivoliskills/
    - Tivoli Education Software Training Roadmaps on the Web at: http://www.ibm.com/software/tivoli/education/eduroad_prod.html
    - Tivoli Technical Exchange on the Web at: http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

    Prerequisite Product Publications

    To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:

    - Operating systems
      - IBM AIX: http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
      - Sun Solaris: http://docs.sun.com/db?q=solaris+9
      - Red Hat Linux: http://www.redhat.com/docs/
      - Microsoft Windows Server 2003: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
    - Database servers
      - IBM DB2
        - Support: http://www.ibm.com/software/data/db2/udb/support.html
        - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
        - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
        - DB2 product family: http://www.ibm.com/software/data/db2
        - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
        - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
      - Oracle
        - http://www.oracle.com/technology/documentation/index.html
        - http://otn.oracle.com/tech/index.html
        - http://otn.oracle.com/tech/linux/index.html
      - Microsoft SQL Server 2000
        - http://www.msdn.com/library/
        - http://www.microsoft.com/sql/
    - Directory server applications
      - IBM Directory Server
        - http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
        - http://www.ibm.com/software/network/directory
      - Sun ONE Directory Server: http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
    - WebSphere Application Server: Additional information is available in the product directory or Web sites.
      - http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
      - http://www.redbooks.ibm.com/
    - WebSphere embedded messaging: http://www.ibm.com/software/integration/wmq/
    - IBM HTTP Server: http://www.ibm.com/software/webservers/httpservers/library.html

    Related Publications

    Information that is related to Tivoli Identity Manager Server is available in the following publications:

    - The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/
    - The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

    Accessing publications online

    IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

    Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

    Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper.

    Accessibility

    The product documentation includes the following features to aid accessibility:

    - Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
    - All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

    Support information

    If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

    - Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
    - Obtaining fixes: You can locate the latest fixes that are already available for your product.
    - Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

    For more information about these ways to resolve problems, see Appendix E, "Support information," on page 67.

    Conventions used in this book

    This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

    Typeface conventions

    This guide uses the following typeface conventions:

    Bold
      - Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
      - Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
      - Keywords and parameters in text

    Italic
      - Words defined in text
      - Emphasis of words (words as words)
      - New terms in text (except in a definition list)
      - Variables and values you must provide

    Monospace
      - Examples and code examples
      - File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
      - Message text and prompts addressed to the user
      - Text that the user must type
      - Values for arguments or command options

    Operating system differences

    This guide uses the UNIX convention for specifying environment variables and for directory notation.

    When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

    Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

    Definitions for HOME directory variables

    The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

    The value of path for the Windows operating system is drive:\Program Files. The value of path for the AIX operating system is /usr. The value of path is /opt for other UNIX and Linux operating systems.

    Each entry below gives the path variable, its default definition, and a description.

    DB_INSTANCE_HOME
      Default definition:
        Windows: path\IBM\SQLLIB
        UNIX and Linux:
          - AIX, Linux: /home/dbinstancename
          - Solaris: /export/home/dbinstancename
      Description: The directory that contains the database for Tivoli Identity Manager.

    LDAP_HOME
      Default definition:
        - IBM Directory Server
            Windows: path\IBM\LDAP
            UNIX: path/IBM/LDAP
        - Sun ONE Directory Server
            Windows: path\Sun\MPS
            UNIX: /var/Sun/mps
      Description: The directory that contains the directory server code.

    HTTP_HOME
      Default definition:
        Windows: path\IBMHttpServer
        UNIX and Linux: path/IBMHttpServer
      Description: The directory that contains the IBM HTTP Server code.

    ITIM_HOME
      Default definition:
        Windows: path\IBM\itim
        UNIX and Linux: path/IBM/itim
      Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

    WAS_HOME
      Default definition:
        Windows: path\WebSphere\AppServer
        UNIX and Linux: path/WebSphere/AppServer
      Description: The WebSphere Application Server home directory.

    WAS_MQ_HOME
      Default definition:
        Windows: path\IBM\WebSphereMQ
        UNIX and Linux: path/mqm
      Description: The directory that contains the WebSphere MQ code.

    WAS_NDM_HOME
      Default definition:
        Windows: path\WebSphere\DeploymentManager
        UNIX and Linux: path/WebSphere/DeploymentManager
      Description: The home directory on the deployment manager.

    Tivoli_Common_Directory
      Default definition:
        Windows: path\IBM\Tivoli\Common\CTGIM
        UNIX and Linux: path/IBM/Tivoli/Common/CTGIM
      Description: The central location for all serviceability-related files, such as logs and first-failure capture data.

  • Chapter 1. Overview

    This installation guide provides all of the basic information necessary to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. On successful installation, the adapter enables IBM Tivoli Identity Manager to provision access to your network's SAP NetWeaver AS ABAP resources.

    The basic procedures required to install, configure, and run the adapter are as follows:

    - Install the adapter software.
    - Activate the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP as a service on the adapter's system.
    - Configure the adapter's communication protocols to enable the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP to communicate with the Tivoli Identity Manager Server.
    - Install the adapter's profile on the Tivoli Identity Manager Server.
    - Configure the Tivoli Identity Manager Server to recognize the adapter as a service.

  • Chapter 2. Adapter Installation

    This chapter describes the steps required to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP software. You must complete the steps in the order they are listed.

    This chapter has the following sections:

    - Requirements
    - Step 1: Testing Network Connectivity
    - Step 2: Installing the Adapter
    - Step 3: Importing the Transport Files
    - Step 4: Activating the Adapter as a Service
    - Step 5: Configuring the Adapter
    - Step 6: Installing the Adapter's Certificate
    - Step 7: Installing the Adapter's Profile
    - Step 8: Configuring the Adapter's Forms

    Requirements

    The following sections identify the hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Verify that all of the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.

    System

    The adapter must be installed on a server with a 32-bit x86-based microprocessor (486 minimum), at least 512 MB of memory, and at least 300 MB of free disk space.

    Operating System

    - Windows NT 4.0 with SP6 or Windows 2000 workstation with SP2
    - Solaris version 2.8
    - AIX 5.x

    SAP NetWeaver AS ABAP Software

    SAP 4.6C, 4.6D, 6.10, 6.20, 6.40 or 7.00 must be installed and operational on a system that is accessible from the machine where the adapter is installed. The adapter will work with the SAP system even if the Central User Administration (CUA) feature is installed and configured.

    Note: Each SAP NetWeaver AS ABAP 4.6 system must be patched to the following levels or higher:

    - ABA Support Package 22 for 4.6C
    - R/3 Support Package 21 for 4.6C
    - Basis Support Package 31 for 4.6C
    - R/3 HR Support Package 27

    Each SAP NetWeaver AS ABAP 6.20 system should be patched at the following levels or higher:

    - SAP_BASIS 620 0042 SAPKB62043
    - SAP_ABA 620 0042 SAPKA62043

    Each SAP NetWeaver AS ABAP 6.40 system should be patched at the following levels or higher:

    - SAP_BASIS 640 0000
    - SAP_ABA 640 0000

    Each SAP NetWeaver AS ABAP 700 system should be patched at the following levels or higher:

    - SAP_BASIS SAPKB70000
    - SAP_ABA SAPKA70000

    The adapter also requires the 32 bit SAP SDK runtime library (for Win32 it is librfc32.dll, for Solaris it is librfccm.so, for AIX it is librfccm.o). Get this library from the SAP presentation CDs or download it from the SAP Market Place Web site. After installation of the adapter, place this library in the adapter's lib directory or set your path to make it accessible.

    For Solaris, export the environment variable LD_LIBRARY_PATH to include the adapter's lib directory with a command such as the following:

        export LD_LIBRARY_PATH=Adapter_Install_dir/lib:$LD_LIBRARY_PATH

    For AIX, export the environment variable LIBPATH to include the Agent's lib directory with a command such as the following:

        export LIBPATH=Agent_Install_dir/lib:$LIBPATH

    For Windows, either place the library in the system32 directory or the adapter's bin directory, or set the Path environment variable to make it accessible. The adapter will not run without this library!
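
    The library-path step above, as an added preflight check (example code, not part of the IBM guide or the adapter). It builds the search path without leaving an empty entry, which runtime linkers commonly treat as the current directory, and confirms that the RFC library named in the guide is reachable. The function names and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not shipped with the adapter. Function names are hypothetical.
# Library names and path variables per OS are the ones listed in the guide.

# rfc_lib_name OS -> RFC runtime library file name for that `uname -s` value
rfc_lib_name() {
    case "$1" in
        SunOS) echo "librfccm.so" ;;
        AIX)   echo "librfccm.o" ;;
        *)     return 1 ;;
    esac
}

# lib_path_var OS -> variable the guide says to export on that OS
lib_path_var() {
    case "$1" in
        SunOS) echo "LD_LIBRARY_PATH" ;;
        AIX)   echo "LIBPATH" ;;
        *)     return 1 ;;
    esac
}

# prepend_dir DIR CURRENT -> "DIR:CURRENT", or just "DIR" when CURRENT is empty.
# A plain DIR:$VAR leaves a trailing ":" (an empty entry) when VAR is unset.
prepend_dir() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# has_empty_entry LIST -> true for a leading, trailing or doubled colon
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_in_path FILE LIST -> prints the first directory in LIST that holds FILE
find_in_path() {
    _rest=$2
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        case "$_rest" in
            *:*) _rest=${_rest#*:} ;;
            *)   _rest= ;;
        esac
        if [ -n "$_dir" ] && [ -f "$_dir/$1" ]; then
            echo "$_dir"
            return 0
        fi
    done
    return 1
}

# check_rfc_library OS LIST -> prints one status line and returns:
#   0 "ok VAR DIR"   1 "missing LIB"   2 "unsupported-os"   3 "unsafe-path VAR"
check_rfc_library() {
    _lib=$(rfc_lib_name "$1") || { echo "unsupported-os"; return 2; }
    _var=$(lib_path_var "$1")
    if has_empty_entry "$2"; then
        echo "unsafe-path $_var"
        return 3
    fi
    if _hit=$(find_in_path "$_lib" "$2"); then
        echo "ok $_var $_hit"
        return 0
    fi
    echo "missing $_lib"
    return 1
}

# Demo on a constructed directory tree; the library file is an empty stand-in.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/lib"
: > "$demo_home/lib/librfccm.so"
check_rfc_library SunOS "$demo_home/lib:" || true                    # empty entry flagged
check_rfc_library SunOS "$(prepend_dir "$demo_home/lib" "")" || true # library found
check_rfc_library AIX   "$(prepend_dir "$demo_home/lib" "")" || true # librfccm.o absent
rm -rf "$demo_home"
```

    Run the check as the account that starts the adapter, passing the value that account actually exports, since that is the path the runtime linker will search.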

    SAP Authority

    The administrator installing the Tivoli Identity Manager Adapter must have general SAP Basis resources to perform a transport import of RFC (Remote Function Call) and related objects as well as set up OS-specific directories and authorizations. The Security Administrator must create the CPIC (Common Programming Interface for Communications) or System user for use by the adapter to connect to the SAP NetWeaver AS ABAP system via the external RFC interface.

    SAP User

    The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user must be authorized to perform user account administration:

    - Add
    - Modify
    - Delete
    - Lock
    - Unlock
    - Retrieve user detail
    - Retrieve supporting data
    - Set, unset and retrieve HR infotype 0105 (Communication) subtypes only if the SAP HR module is installed on a SAP system in your SAP environment.

    To perform these tasks, at a minimum, a Role should be assigned with at least these SAP authorization objects assigned to it. You may wish to create a specific Role only for use by this SAP user account. This can be accomplished using transaction SU02 via the SAP GUI.

    - S_RFC (SAP R/3 6.20)
    - S_RFCACL (SAP R/3 6.20)
    - S_TABU_DIS
    - S_USER_GRP
    - S_USER_AGR
    - S_USER_PRO
    - S_USER_SYS
    - P_ORGIN (Required for HR linking only)

    In addition, the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user type should be set to Communication (CPIC) or System and not Dialog.

    SAP Transport Files
    The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP requires custom RFCs and BAPIs. These custom RFCs and BAPIs are provided in transport files packaged with the adapter and are therefore only available after adapter installation. These transport file packages must be imported into your SAP system prior to running the adapter. The transport files you must import into your SAP system vary depending on your site's configuration of SAP. The adapter will not function without one of these transport files in place. Select the transport file based on the version of your SAP system.

    The transport files WITHOUT HR Linking are as follows:
    - For NON-CUA (4.6C, 4.6D and 6.10):
        TV2K900065 (cofile = K900065.TV2, data = R900065.TV2)
    - For NON-CUA (6.20 and 6.40):
        Non-unicode:
        - TV2K900069 (cofile = K900069.TV2, data = R900069.TV2)
        Unicode:
        - TV1K900228 (cofile = K900228.TV1, data = R900228.TV1)
    - For CUA (4.6C, 4.6D and 6.10):
        TV2K900067 (cofile = K900067.TV2, data = R900067.TV2)
    - For CUA (6.20 and 6.40):
        Non-unicode:
        - TV2K900071 (cofile = K900071.TV2, data = R900071.TV2)
        Unicode:
        - TV1K900230 (cofile = K900230.TV1, data = R900230.TV1)
    - For HR InfoType 0105 Support, import one of the transport files below into the targeted SAP HR system. These transports contain the functionality to link the HR Personnel record to the SAP user account by assigning the account an SAP HR Personnel Number. You can link the HR record in both CUA and non-CUA SAP environments. If your HR system is a child system in a CUA environment, three actions are required for the adapter to link HR personnel records:


    1. Import one of TV2K900100 or TV1K900411 into the CUA Master system. Then import the CUA Master transport into the CUA master system.
    2. Import the non-CUA transport into your child system.
    3. An RFC destination of type R3 Connection must exist in the CUA master system. This RFC destination will connect to your HR system. The Gateway services file on the CUA Master system must be configured for the gateway service of your HR system. There should already be an RFC Destination to the child HR System which is used as part of the CUA configuration. If you do not wish to use this RFC destination then you can create one. An RFC destination requires the following details:
       - SAP user account on HR system with HR authorization.
       - SAP user account password on HR system.
       - HR system's host name or IP address.
       - HR system's SAP system number.

    Use the SAP GUI transaction SM59 to create RFC destinations.

    The transports WITH HR linking are as follows:
    - For NON-CUA (4.6C, 4.6D and 6.10):
        TV2K900096 (cofile = K900096.TV2, data = R900096.TV2)
    - For NON-CUA (6.20 and 6.40):
        Non-unicode:
        - TV2K900098 (cofile = K900098.TV2, data = R900098.TV2)
        Unicode:
        - TV1K900409 (cofile = K900409.TV1, data = R900409.TV1)
    - For CUA (4.6C, 4.6D and 6.10):
        TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
        TV2K900097 (cofile = K900097.TV2, data = R900097.TV2)
    - For CUA (6.20 and 6.40):
        Non-unicode:
        - TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
        - TV2K900099 (cofile = K900099.TV2, data = R900099.TV2)
        Unicode:
        - TV1K900411 (cofile = K900411.TV1, data = R900411.TV1)
        - TV1K900410 (cofile = K900410.TV1, data = R900410.TV1)

    These transport files contain custom RFCs (BAPIs), data elements and tables used by the adapter in various operations:

    Table 1. Transport Identifiers and Contents

    Transport Identifier

    Uni code HR CUA Transport Contents

    TV2K900065 NO NO NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_46C (RFC) /TIVSECTY/TIM_USER_PWD_46C (RFC) /TIVSECTY/TIM_USER_ADD_46C (RFC)

    6 IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide

  • Table 1. Transport Identifiers and Contents (continued)

    Transport Identifier

    Uni code HR CUA Transport Contents

    TV2K900096 NO YES NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_46C (RFC) /TIVSECTY/TIM_USER_PWD_46C (RFC) /TIVSECTY/TIM_USER_ADD_46C (RFC)/TIVSECTY/TIM_USER_HR_620 (RFC)

    TV2K900067 NO NO YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_46C (RFC) /TIVSECTY/TIM_USER_PWD_46C (RFC) /TIVSECTY/TIM_USER_ADD_46C (RFC) /TIVSECTY/TIM_USER_SUBSYS_46C (RFC) /TIVSECTY/TIM_SYSTEMS (Structure)

    TV2K900097 NO YES YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_46C (RFC) /TIVSECTY/TIM_USER_PWD_46C (RFC) /TIVSECTY/TIM_USER_ADD_46C (RFC) /TIVSECTY/TIM_USER_SUBSYS_46C (RFC) /TIVSECTY/TIM_SYSTEMS (Structure) /TIVSECTY/TIM_USER_CUAHR_620 (RFC) /TIVSECTY/TIM_READ_TABLE_620

    TV2K900069 NO NO NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC)

    TV2K900098 NO YES NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC) /TIVSECTY/TIM_USER_HR_620 (RFC)

    TV2K900071 NO NO YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC) /TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC) /TIVSECTY/TIM_USER_SUBSYS_620 (RFC) /TIVSECTY/TIM_SYSTEMS (Structure)

    TV2K900099 NO YES YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC)/TIVSECTY/TIM_USER_SUBSYS_620 (RFC) /TIVSECTY/TIM_SYSTEMS (Structure) /TIVSECTY/TIM_USER_CUAHR_620 (RFC) /TIVSECTY/TIM_READ_TABLE_620 (RFC)

    TV2K900100 NO YES YES /TIVSECTY/HRDELIMITDATE (Data Element) /TIVSECTY/P0105NL (Table)

    Chapter 2. Adapter Installation 7

  • Table 1. Transport Identifiers and Contents (continued)

    Transport Identifier

    Uni code HR CUA Transport Contents

    TV1K900228 YES NO NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC)

    TV1K900409 YES YES NO /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC) /TIVSECTY/TIM_USER_HR_620 (RFC)

    TV1K900230 YES NO YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC)/TIVSECTY/TIM_USER_SUBSYS_620 (RFC) /TIVSECTY/TIM_SYSTEMS (Structure)

    TV1K900410 YES YES YES /TIVSECTY/TIM_USER_LIST_620 (RFC) /TIVSECTY/TIM_USER_USR02_620 (RFC)/TIVSECTY/TIM_USER_CHG_620 (RFC) /TIVSECTY/TIM_USER_PWD_620 (RFC) /TIVSECTY/TIM_USER_ADD_620 (RFC)/TIVSECTY/TIM_USER_SUBSYS_620 (RFC) /TIVSECTY/TIM_SYSTEMS (Structure) /TIVSECTY/TIM_USER_CUAHR_620 (RFC) /TIVSECTY/TIM_READ_TABLE_620 (RFC)

    TV1K900411 YES YES YES /TIVSECTY/HRDELIMITDATE (Data Element) /TIVSECTY/P0105NL (Table)

    Network Connectivity
    The adapter must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.

    System Administrator Authority
    The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation procedure must have system administrator authority to complete the steps in this chapter.

    Server Communication
    Communication between the Tivoli Identity Manager Server and the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP should be tested with a low-level communication ping before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

    Step 1: Testing Network Connectivity
    This step tests basic network connectivity and file transfer capability. Testing is done between the Windows workstation where the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP will be installed, and the workstation where the Tivoli Identity Manager Server is or will be located.


  • You must issue a ping command from the Tivoli Identity Manager to the designated adapter workstations to verify communication.
    1. Log on to the host running the SAP NetWeaver AS ABAP Adapter.
    2. Test communication between the Tivoli Identity Manager Server and the host running the SAP NetWeaver AS ABAP Adapter:
         # ping ITIM_Server_host_name/IP_address
    3. Test communication between the host running the SAP NetWeaver AS ABAP Adapter and the host running SAP NetWeaver AS ABAP Server. You will need to know the SAP instance number for this step (default SAP NetWeaver AS ABAP installations have the instance number 00). If the instance number is different, make the port number below 33 followed by the instance number. For example, if the instance number is 80, the port becomes 3380 in the telnet command:
         telnet SAP_NetWeaver_AS_ABAP_Server_host_name/IP_address 3300
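    The port rule in step 3, as an added shell example that is not part of the IBM guide: it derives port 33NN and the matching gateway service name sapgwNN from the instance number, then probes the port. The function names are hypothetical, and using nc for the probe is an assumption about the adapter host.

```shell
#!/bin/sh
# Added example (not from the IBM guide): map a SAP instance number to the
# gateway port (33NN) and gateway service name (sapgwNN), then probe the port.

# normalize_instance N
# Prints N as exactly two digits (00-99); fails on anything else.
normalize_instance() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;      # empty or not purely numeric
    esac
    [ "${#1}" -le 2 ] || return 1     # instance numbers have at most two digits
    n=${1#0}                          # drop a leading zero: "08" would be read as bad octal
    [ -n "$n" ] || n=0
    printf '%02d\n' "$n"
}

# gateway_port N -> 33NN (3300 for the default instance 00, 3380 for 80)
gateway_port() {
    nn=$(normalize_instance "$1") || return 1
    printf '33%s\n' "$nn"
}

# gateway_service N -> sapgwNN (sapgw00 for the default instance)
gateway_service() {
    nn=$(normalize_instance "$1") || return 1
    printf 'sapgw%s\n' "$nn"
}

# probe_gateway HOST N
# Returns 0 if the port accepts a TCP connection, 1 if not,
# 2 for a bad instance number, 3 if nc is not installed (assumed tool).
probe_gateway() {
    port=$(gateway_port "$2") || {
        echo "bad instance number: $2" >&2
        return 2
    }
    if ! command -v nc >/dev/null 2>&1; then
        echo "nc not found; test manually with: telnet $1 $port" >&2
        return 3
    fi
    if nc -z -w 5 "$1" "$port" 2>/dev/null; then
        echo "reachable: $1 port $port ($(gateway_service "$2"))"
    else
        echo "NOT reachable: $1 port $port ($(gateway_service "$2"))"
        return 1
    fi
}

# Usage: sh sap_port.sh SAP_host_name 00
if [ "$#" -eq 2 ]; then
    probe_gateway "$1" "$2"
fi
```

    Run it from the adapter host; a failed probe with a correct instance number points at a firewall or a stopped gateway rather than at the adapter.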

    Step 2: Installing the Adapter
    An executable installation program is provided for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. When you run the installation program, you can accept the default settings or select new values.

    The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions.

    To install the adapter, do the following:
    1. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation zip file from IBM's Web site.
    2. Extract the contents of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation zip file into a temporary directory.
    3. Complete one of the following:

       For a Tivoli Identity Manager Adapter installed on a UNIX platform:
       a. Change the working directory to the temporary directory where you extracted the profile installation file.
            # cd /tmp
          where tmp is the path of the directory containing the adapter installation file.
       b. Run the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation binary that is appropriate for your operating system.
            # ./SapAgent/install/Agent/SAPAgentSetup_operating system.bin
          where operating system is the name of your operating system, such as aix or solaris.

       For a Tivoli Identity Manager Adapter installed on Windows:
       Select Run... from the Start menu and type the path to the temporary directory followed by SapAgent\install\agent\SapAgentSetup_win32.exe. For example:
            C:\Temp\SapAgent\install\agent\SapAgentSetup_win32.exe

       The Welcome dialog window appears.
    4. Click Next. The License dialog window appears.
    5. Read the License agreement and select the I accept option to continue.
    6. Click Next. The Select Destination Directory dialog window appears.

       Figure 1. Select Destination Directory dialog window

    7. Accept the default or select an alternate destination path and click Next. The Install Summary dialog window appears.
    8. Click Next. The SAP NetWeaver AS ABAP Instance Setup dialog is displayed.
    9. In the respective fields, type the SAP NetWeaver AS ABAP instance name and the password for the CPIC SAP user account that the adapter will use and click Next. The SAP NetWeaver AS ABAP enter more instances dialog is displayed. To enter more instances select Yes and repeat this step for as many SAP NetWeaver AS ABAP instances as required. Otherwise select No.
    10. Click Finish.
    11. Check that the installation directory has been created as specified in step 7. Make the SAP SDK shared library accessible by the adapter.

        For Solaris: Copy the SAP SDK library (librfccm.so) into the adapter's lib directory, and then export the environment variable LD_LIBRARY_PATH to include the adapter's lib directory with a command such as this:
            export LD_LIBRARY_PATH=adapter_install_dir/lib:$LD_LIBRARY_PATH

        For AIX: Copy the SAP SDK library (librfccm.o) into the adapter's lib directory, and then export the environment variable LIBPATH to include the adapter's lib directory with a command such as this:
            export LIBPATH=adapter_install_dir/lib:$LIBPATH

        For Windows: Copy the SAP SDK library (librfc32.dll) into either the system32 directory or the adapter's bin directory, or set the Path environment variable to make it accessible. If you already have the SAP GUI installed on this Windows host, a version of the SAP SDK library should already exist in the system32 directory.

    12. Locate the transport files in the adapter's transports directory. Give the COFILES and the DATA files to your SAP BASIS administrator to import into all targeted SAP NetWeaver AS ABAP systems. As these transports are client independent, ensure that your transport landscape allows for this before importing. The next section describes the transport import procedure.

    Note: By setting the transport landscape up appropriately, you will be sure not to import the transports into clients that do not need them (even though importing the transport files into other clients will not have any impact on them). The imported function modules and data structures can be removed via a new transport/change request if required.

    Step 3: Importing the Transport Files

    Note: IBM recommends that these imports be performed by a SAP Basis Administrator.

    For the adapter to function, it is necessary to import one of the transport file sets described above. You must first copy the transport set to the transport directory in each mySAP.com landscape, so that the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP can communicate with your target SAP systems. For demonstration purposes the following instructions refer to the transport TV2K900045 as an example. You will need to repeat these steps for each transport in your required transport file set as defined in the table above.

    Before you begin the transport import process, complete the following steps:
    1. Locate the transport files in the transports installation subdirectory for the adapter. For example, on a Windows installation this would be C:\Tivoli\Agents\SapAgent\transports.
    2. Copy the transport files to the application server that will be used to execute the import:
       a. Copy all files in the cofiles subdirectory (K900045.TV2) in ASCII format to the /usr/sap/trans/cofiles directory. Ensure that the files have write permission.
       b. Copy all files in the data subdirectory (R900045.TV2) in binary format to the /usr/sap/trans/data directory. Ensure that the files have write permission.
       c. Ensure that the files are owned by the group sapsys.
    3. Perform the following prerequisite checks before beginning the import process:
       a. The transport and correction system must be already configured and functioning.
       b. The target system must be properly defined within a transport domain.
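    A pre-import check for step 2 above, as an added shell example that is not part of the IBM guide: it derives the cofile and data file names from a transport identifier (TV2K900065 gives K900065.TV2 and R900065.TV2, as in the lists earlier) and confirms that both files are staged, writable and owned by group sapsys. The function names are hypothetical, and reading "write permission" as the owner write bit is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's code): verify that a transport's cofile and data
# file are staged under the transport directory as step 2 requires.

# transport_files ID
# Prints "<cofile> <datafile>" for an identifier of the form
# <3-character system ID>K<6 digits>, e.g. TV2K900065 -> K900065.TV2 R900065.TV2
transport_files() {
    tid=$1
    case "$tid" in
        [A-Z0-9][A-Z0-9][A-Z0-9]K[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    src=${tid%K*}       # source system ID, e.g. TV2
    num=${tid#???K}     # request number, e.g. 900065
    printf 'K%s.%s R%s.%s\n' "$num" "$src" "$num" "$src"
}

# check_staged TRANS_DIR ID [GROUP]
# Checks TRANS_DIR/cofiles/<cofile> and TRANS_DIR/data/<datafile>:
# present, owner write bit set (assumed meaning of "write permission"),
# group equal to GROUP (default sapsys).
# Prints one line per finding and returns 1 if any check fails.
check_staged() {
    trans_dir=$1
    group=${3:-sapsys}
    names=$(transport_files "$2") || {
        echo "FAIL: malformed transport identifier: $2"
        return 1
    }
    rc=0
    for f in "$trans_dir/cofiles/${names% *}" "$trans_dir/data/${names#* }"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: missing $f"
            rc=1
            continue
        fi
        info=$(ls -ld "$f" | awk '{print $1, $4}')   # mode string and group
        mode=${info% *}
        fgroup=${info#* }
        case "$mode" in
            ??w*) ;;
            *) echo "FAIL: no write permission on $f ($mode)"; rc=1 ;;
        esac
        if [ "$fgroup" != "$group" ]; then
            echo "FAIL: $f has group $fgroup, expected $group"
            rc=1
        fi
        # Transport files carry the RFCs that get imported into SAP, so a
        # world-writable copy can be altered by any local account beforehand.
        case "$mode" in
            ????????w*) echo "WARN: $f is world-writable ($mode)" ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $2 is staged in $trans_dir"
    return "$rc"
}

# Usage: sh check_transport.sh /usr/sap/trans TV2K900045
if [ "$#" -ge 2 ]; then
    check_staged "$@"
fi
```

    The script cannot tell whether the cofile was transferred in ASCII format and the data file in binary format; that still has to be confirmed at copy time.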

    You can now perform the transport import. This procedure can be performed from either the command line or by using the Transport Managing System.

    Using the Transport Managing System:

    1. Log into the SAP GUI with a mySAP.com SAP GUI administrator account.
    2. Display the Transport Management System. Either:
       - Run transaction STMS, or
       - Select Tools then Administration, then Transport, then Transport Management System.
    3. Display the available mySAP.com system import queues. Either:
       - Click the Import Overview icon, then click Display Import Queue, or
       - Double-click the target system in the Import Overview window.
    4. Add the transport to the buffer. If the transports already exist in the buffer, proceed to the next step. If the buffer does not exist, perform the following steps:
       a. From the Extras menu, select Other Requests then Add to display the Add Transport Request to Import Queue dialog.
       b. In the Transp. request field, enter the transport name that you want to add, such as TV2K900045. Click the icon with the green check on it and then click Yes on the confirmation dialog.
    5. Import the transport as follows:
       a. From the Import Queue window, select the transport.
       b. From the Request menu, select Import to display the Import Transport Request dialog.
       c. In the Target client field, select the target client from the drop-down list. Click the icon with the green check on it and then click Yes on the confirmation dialog.
    6. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.

    Note: A mySAP.com developer key is required to activate the objects.

    Using the command line:

    1. Log on to the target SAP system host machine as the mySAP.com administrator and change to the /usr/sap/trans/bin directory.
    2. Show the current contents of the transport buffer:
         tp showbuffer sid
       where sid is the three-character identifier of your mySAP.com system.
    3. Verify that there are no other transports included in the transport buffer.
    4. Add the transport to the buffer:
         tp addtobuffer TV2K900045 sid
    5. Verify that the transport has been placed in the buffer:
         tp showbuffer sid
    6. Import the transport:
         tp import TV2K900045 sid
    7. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.

    Step 4: Activating the Adapter as a Service
    If the Tivoli Identity Manager Agent for SAP NetWeaver AS ABAP was installed on a Windows host, a service is created for starting and stopping the agent.

    On UNIX platforms, the agent is deployed with script files to start and stop the agent. The following scripts are located in the bin directory of the agent installation:
    - StopAgent.sh
    - StartAgent.sh

    Use the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service or scripts to start the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP software on the target platform.

    Step 5: Configuring the Adapter
    The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site's systems. Refer to Changing Protocol Configuration Settings on page 21 for more information.

    Step 6: Installing the Adapter's Certificate
    A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP does not come prepackaged with a certificate. Refer to Chapter 5, Certificate Installation, on page 37 for more information about installing certificates.

    When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. For more information, refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide, specifically the sections marked Preparing to install adapters.

    Note: You must configure the DAML protocol before installing your certificate. Stop and restart the adapter after the certificate is installed.

    Step 7: Installing the Adapter's Profile
    Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. See Chapter 3, Adapter Profile Installation, on page 17 for more information on installing the adapter's profile on the Tivoli Identity Manager Server.

    Note: If this is an upgrade of an existing adapter, the new adapter schema will not be reflected immediately. The Tivoli Identity Manager system stores the adapter schema in memory. However, this cache is periodically refreshed and the new adapter schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the adapter schema immediately.

    Step 8: Configuring the Adapter's Forms
    Configure the adapter's service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager Information Center for more information.

    When adding the adapter as a Tivoli Identity Manager Service to the Tivoli Identity Manager Server, the following SAP connection parameters must be defined:

    Table 2. Service Attributes

    ITIM Service Attribute Name | ITIM Service Attribute Description
    SAP System Version | Legacy Service attribute. The adapter officially only supports 4.6C to WAS 6.20. Recommended value is 46C+.
    SAP Client Instance Name | Required Service Attribute. This is the SAP instance name for the SAP instance you are connecting to.
    Interface with CUA? | Optional Service Attribute. Check this radio button if the adapter is provisioning to a Central User Administration (CUA) SAP client.
    Do Not Force Password Change? | Optional Service Attribute. Check this radio button if you want to disable SAP's password reset functionality. Required to synchronize passwords across other Tivoli Identity Manager accounts for this identity.
    Disable Admin Unlock On Restore? | By default users will not be allowed to restore their account if the account was locked by an administrator. Check this radio button if you want to allow users to restore their account after it has been locked by an administrator.
    Unlock Account On Password Change? | Optional Service Attribute. Check this radio button if you want the adapter to perform a secondary unlock action on a password change request. If activated, the account will be unlocked if the reason for its lock state was too many failed login attempts.
    Display Indirectly Assigned Roles? | Optional Service Attribute. Check this radio button if you want to have Roles assigned indirectly reconciled for accounts. Roles are assigned indirectly as a result of Composite Role assignment.
    Enable HR infotype 105 Link? | Optional Service Attribute. Check this radio button if you want to allow the adapter to Link SAP accounts to HR Personnel Records using infotype 105 (Communication).
    RFC Destination for HR System (CUA only) | Optional Service Attribute. This option requires a value when you have selected the option above Enable HR infotype 105 Link?, and your SAP System uses the CUA configuration.
    Role Default End Date | Optional Service Attribute. This is the default Role End Date.
    Role Date Max Year | Optional Service Attribute. This is the maximum year value for the Role start and end date widgets. Default value is 9999.
    Span Role Date Years? | Optional Service Attribute. Check this radio button if you want to Span the Role End Date Year field (that is, display all years from 1990 to the defined Role Date Max Year above).
    Target Client | Required Service Attribute. This is the SAP instance client number.
    Login ID | Required Service Attribute. This is the CPIC SAP User account login ID that the adapter will use to connect to the SAP client.
    Language | Required Service Attribute. This is the SAP login language parameter.
    Mode (only NetWeaver AS ABAP supported now) | Legacy Service attribute. The adapter officially only supports the NetWeaver AS ABAP mode.
    SAP System (DNS hostname or IP) | Required Service Attribute. Hostname of the SAP server host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter.
    SAP System Number | Required Service Attribute. The SAP server system number. Default SAP install has system number 00.
    SAP Gateway (DNS hostname or IP) | Required Service Attribute. Hostname of the SAP gateway host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter. Usually this is the same host that contains the SAP server.
    SAP Gateway Service Name | Required Service Attribute. The SAP gateway service string. Default SAP install has system number sapgw00.
    Enable RFC Trace? | Optional Service Attribute. Set to ON to enable RFC trace files for debug purposes. If you find a problem with the adapter, ensure you reproduce the request with Trace enabled and capture the trace file. The logs are created in the directory where the RFCSDK runtime library is located.
    Enable Extended RFC Logon? | Optional Service Attribute. Check this radio button to enable use of extended RFC logon. Define the extended logon attributes by creating unencrypted registry values. Note: This SAP functionality does not currently support AIX in a reliable fashion. Therefore it is recommended that this setting not be used for Agents running on AIX with the SAP RFCSDK 6.40 AIX library.

    Figure 2. Configuring the Adapter's Forms

  • Chapter 3. Adapter Profile Installation

    This chapter has the following sections:
    - Introduction
    - Requirements
    - Installing the Adapter Profile
    - Verifying the Adapter Profile is Installed

    Introduction
    Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP comes packaged with a JAR file which represents the adapter's profile. This JAR file is then imported into the Tivoli Identity Manager Server, making SAP NetWeaver AS ABAP available as an ITIM Server service option.

    This chapter describes the procedure to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

    Note: If you are upgrading the adapter software, you must also upgrade the adapter profile on the Tivoli Identity Manager Server.

    Requirements
    The following table identifies hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile.

    Table 3. Requirements before installing an adapter profile

    Server | The Tivoli Identity Manager Server must be installed and running before the adapter's profile can be installed.
    System Administrator Authority | The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

    Installing the Adapter Profile
    1. Log in to any host machine that has a supported browser and can connect to the Tivoli Identity Manager Server Console. You may wish to just log directly into your Tivoli Identity Manager Server, but the profile can also be installed remotely if desired.
    2. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP package from the IBM Web site and extract the profile JAR file SapProfile.jar. Place the JAR file into a temporary directory.

       Note: Contact your IBM account representative for the Web address and download instructions for adapter installation files.

    3. Start a browser session and log into the Tivoli Identity Manager Console with an administrator account.
    4. Using the Tivoli Identity Manager tabs and menus, browse to Configuration > Import/Export and select the Import tab.
    5. Use the Browse button to locate the temporary directory that contains the JAR file, SapProfile.jar.
    6. Select the correct profile JAR file, then select the Import data into Identity Manager button (which is directly beneath the browse widget).
    7. When the import is complete you will see a message such as:
         Uploading file C:\temp\SapAgent\install\profile\SapProfile.jar
         Profile installation complete.
    8. Although not essential in all instances, it is a good idea to restart the enrole WebSphere Enterprise Application using the WebSphere Administration Console (http://ITIM_server:9090/admin), or by restarting the WebSphere Application Server itself.

    Verifying the Adapter Profile is Installed
    To ensure that the adapter profile has been installed correctly:
    1. Using the Administrator Console, navigate to the Provisioning main tab.
    2. Create a service of type SAP NetWeaver AS ABAP.

       Note: If you do not have the correct SAP system details, enter dummy values for the SAP CONNECTION DETAILS. You must however have a running SAP NetWeaver AS ABAP adapter, and correct AGENT CONNECTION DETAILS.

    3. Submit the service for creation.
    4. Once the service has been created, create a provisioning policy entitlement for the new service. You can use an existing Provisioning policy, or create a new one.

  • Chapter 4. Adapter Parameters Modification

    This chapter describes how to use agentCfg, the provided adapter configuration program, to view or modify Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters. All modifications made to settings with this tool take effect immediately.

    This chapter has the following sections:

    - Accessing the Adapter Configuration Tool Main Menu
    - Viewing Configuration Settings on page 20
    - Changing Protocol Configuration Settings on page 21
    - Setting Event Notification on page 24
    - Changing the Configuration Key on page 28
    - Changing Activity Logging Settings on page 28
    - Changing Registry Settings on page 30
    - Changing Advanced Settings on page 32
    - Viewing Statistics on page 33
    - Changing code page settings on page 34
    - Accessing Help and Additional Options on page 34

    Accessing the Adapter Configuration Tool Main Menu

    The following procedure describes how to access the main menu of the agentCfg tool for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.

    1. Change to the adapter's bin directory.

    At the prompt, type the following, if the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directory is in the default location:

    agentCfg -agent SAPAgent

    The following prompt is displayed: Enter configuration key for Agent SAPAgent:

    The default password is agent. This should be changed at the first opportunity. You can also use agentCfg to view or change configuration settings from a remote computer. See the table in Accessing Help and Additional Options on page 34 for procedures on using the -hostname argument.

    2. Type the configuration key for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. The default configuration key is agent. See Changing Protocol Configuration Settings on page 21 for procedures to change the configuration key. The Main Configuration menu appears.


  • SAPAgent 4.6.xxxx Agent Main Configuration Menu
    -------------------------------------------
    A. Configuration Settings
    B. Protocol Configuration
    C. Event Notification
    D. Change Configuration Key
    E. Activity Logging
    F. Registry Settings
    G. Advanced Settings
    H. Statistics
    I. Codepage Support

    X. Done

    Select menu option:

    This chapter includes a section for each of the following main functions:

    - For option A, see Viewing Configuration Settings
    - For option B, see Changing Protocol Configuration Settings on page 21
    - For option C, see Setting Event Notification on page 24
    - For option D, see Changing the Configuration Key on page 28
    - For option E, see Changing Activity Logging Settings on page 28
    - For option F, see Changing Registry Settings on page 30
    - For option G, see Changing Advanced Settings on page 32
    - For option H, see Viewing Statistics on page 33
    - For option I, see Changing code page settings on page 34

    Viewing Configuration Settings

    The following procedure describes how to view the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP configuration settings.

    1. Type option A (Configuration Settings) at the main menu prompt.

    The configuration settings for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP appear. The following is a sample of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP configuration settings.

    Configuration Settings
    -------------------------------------------
    Name : SAPAgent
    Version : 4.6.xxxx
    ADK Version : 4.36
    ERM Version : 4.36
    enRole Version : 4.0
    License : NONE
    Asynchronous ADD Requests : TRUE (Max.Threads:3)
    Asynchronous MOD Requests : TRUE (Max.Threads:3)
    Asynchronous DEL Requests : TRUE (Max.Threads:3)
    Asynchronous SEA Requests : TRUE (Max.Threads:3)
    Available Protocols : DAML, FTP
    Configured Protocols : DAML
    Logging Enabled : TRUE
    Logging Directory : C:\Tivoli\Agents\SAPAgent\Log
    Log File Name : SAPAgent.log
    Max. log files : 3
    Max.log file size (Mbytes) : 1
    Debug Logging Enabled : TRUE
    Detail Logging Enabled : FALSE

    Press any key to continue

    2. Press any key to return to the main menu.


  • Changing Protocol Configuration Settings

    The adapter can communicate with the Tivoli Identity Manager Server using DAML or FTP. By default, agents are configured to use DAML as the communication protocol. Procedures provided in this section contain instructions for modifying DAML protocol configuration settings. Configuring the adapter to use FTP requires additional configuration not provided in this section.

    The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP protocol configuration settings. This section also describes the purpose of the provided functions.

    1. Type B (Protocol Configuration) at the main menu prompt.

    The Protocol Configuration menu appears. The configured and available protocols for your server display above the menu options. The DAML protocol is configured and available by default for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.

    Agent Protocol Configuration Menu
    -----------------------------------
    Available Protocols: DAML, FTP
    Configured Protocols: DAML
    A. Add Protocol.
    B. Remove Protocol.
    C. Configure Protocol.

    X. Done

    Select menu option

    2. See the following procedure that corresponds with the option that you want to select:

    - For option A, see Adding a Protocol
    - For option B, see Removing a Protocol
    - For option C, see Configuring a Protocol on page 22

    Type X to return to the main menu.

    Adding a Protocol

    1. Type A (Add Protocol) at the Protocol Configuration menu prompt.

    The Add New Protocol menu appears and displays protocols that are available on your server. If there are no protocols to add, the Protocol Configuration menu reappears.

    2. Type the menu option letter of the protocol that you want to add. The Protocol Configuration menu reappears. The protocol that you added appears as a Configured Protocol. See the procedure for Configuring a Protocol on page 22 to modify the default configuration settings for the protocol that you added.

    Removing a Protocol

    1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.

    The Remove Protocol menu appears and displays all protocols that have been added. If there are no protocols to remove, the Protocol Configuration menu reappears.

    2. Type the menu option letter of the protocol that you want to remove.


  • The Protocol Configuration menu reappears and the protocol that you removed is no longer listed as a configured protocol. However, the protocol remains as an available protocol that can be added again.

    Configuring a Protocol

    1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.

    The Configure Protocol menu appears.

    2. Type the menu option letter of the protocol that you want to configure.

    The Protocol Properties menu for the configured protocol appears with protocol properties.

    Note: The properties on your menu may be different from the ones shown. The following is an example of the DAML protocol properties:

    DAML Protocol Properties
    --------------------------------------------------------------------
    A. USERNAME ****** ;Authorized user name.
    B. PASSWORD ****** ;Authorized user password.
    C. MAX_CONNECTIONS 100 ;Max Connections.
    D. PORTNUMBER 45580 ;Protocol Server port number.
    E. USE_SSL FALSE ;Use SSL secure connection
    F. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
    G. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
    H. HOSTADDR ANY ;Listen on address ( or "ANY" )
    I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
    J. REQUIRE_CERT_REG FALSE ;Require registered certificate.

    X. Done

    Select menu option:

    3. Type the menu option letter of the protocol property that you want to configure. See the table below for additional information about the menu options for the DAML protocol.

    Table 4. Menu options for the DAML protocol

    Type this Option To Accomplish this

    A (USERNAME) The following prompt appears:

    Modify Property USERNAME:

    Type a username, for example, admin

    This is the username the Tivoli Identity Manager Server uses to connect to the adapter.

    B (PASSWORD) The following prompt appears:

    Modify Property PASSWORD:

    Type a password for the username the Tivoli Identity Manager Server uses to connect to the adapter.

    C (MAX_CONNECTIONS) The following prompt appears:

    Modify Property MAX_CONNECTIONS:

    Type a different number of allowed connections to the Agent.


    D (PORTNUMBER) The following prompt appears:

    Modify Property PORTNUMBER:

    Type a different port number, for example, 7004. This is the port number the Tivoli Identity Manager Server uses to connect to the adapter.

    E (USE_SSL) The following prompt appears:

    Modify Property USE_SSL:

    Type TRUE to require the Tivoli Identity Manager Server to use HTTPS. Type FALSE to allow the Tivoli Identity Manager Server to use HTTP. Note: You must install a certificate using the CertTool utility if you set this option to TRUE. You must also make sure the CA that created the certificate is registered with the Tivoli Identity Manager Server Web Application Server.

    F (SRV_NODENAME) The following prompt appears:

    Modify Property SRV_NODENAME:

    Type a server name, for example, 192.168.6.152

    This is the DNS name or IP address of the Tivoli Identity Manager Server.

    G (SRV_PORTNUMBER) The following prompt appears:

    Modify Property SRV_PORTNUMBER:

    Type a different port number to access the Tivoli Identity Manager Server, for example, 7004

    This is the port number the adapter uses to connect to the Tivoli Identity Manager Server.

    H (SRV_USERNAME) The following prompt appears:

    Modify Property SRV_USERNAME:

    Type a different username, for example, admin

    This is the username the adapter uses to connect to the Tivoli Identity Manager Server.

    I (VALIDATE_CLIENT_CE) The following prompt appears:

    Modify Property VALIDATE_CLIENT_CE:

    Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the adapter.

    Type FALSE to allow the Tivoli Identity Manager Server to communicate with the adapter without a certificate. Note: You must configure options D through H of the CertTool if you set this option to TRUE.


    J (REQUIRE_CERT_REG) The following prompt appears:

    Modify Property REQUIRE_CERT_REG:

    Type TRUE to require the use of a registered certificate. Type FALSE to allow use of a non-registered certificate. Note: You must configure options D through H of the CertTool if you set this option to TRUE.

    4. Change the value and press Enter. The Protocol Properties menu reappears and displays your new settings.

    Note: Press Enter to return to the Protocol Properties menu without modifying the selected value.
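As an added example (not part of the IBM guide or the adapter's tooling), the following Python script parses a saved copy of the DAML Protocol Properties menu text and lists the settings a security review would question. The sample text, the POLICY list and the treatment of HOSTADDR ANY as a finding are assumptions of this example.

```python
import re
# Constructed sample: menu text as agentCfg displays it, values from this guide.
SAMPLE_MENU = """\
DAML Protocol Properties
A. USERNAME           ****** ;Authorized user name.
B. PASSWORD           ****** ;Authorized user password.
C. MAX_CONNECTIONS    100 ;Max Connections.
D. PORTNUMBER         45580 ;Protocol Server port number.
E. USE_SSL            FALSE ;Use SSL secure connection
F. SRV_NODENAME       192.168.6.40 ;Event Notif. Server name.
G. SRV_PORTNUMBER     443 ;Event Notif. Server port number.
H. HOSTADDR           ANY ;Listen on address ( or "ANY" )
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG   FALSE ;Require registered certificate.
"""

# Matches "<letter>. <NAME> <value> ;<description>"
PROPERTY_LINE = re.compile(r"^\s*[A-Z]\.\s+([A-Z_]+)\s+(.*?)\s*;")

def parse_properties(menu_text):
    """Return {property name: displayed value} for every property line."""
    props = {}
    for line in menu_text.splitlines():
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

# Review policy assumed for this example: (property, acceptable?, risk if not).
POLICY = [
    ("USE_SSL", lambda v: v.upper() == "TRUE",
     "server may connect over HTTP instead of HTTPS"),
    ("VALIDATE_CLIENT_CE", lambda v: v.upper() == "TRUE",
     "server can connect without presenting a certificate"),
    ("REQUIRE_CERT_REG", lambda v: v.upper() == "TRUE",
     "non-registered certificates are accepted"),
    ("HOSTADDR", lambda v: v.upper() != "ANY",
     "adapter listens on every local address"),
]

def audit(props):
    """Return (property, value, risk) for each setting that fails POLICY."""
    findings = []
    for name, acceptable, risk in POLICY:
        value = props.get(name)
        if value is None:
            # Menus differ between installations; a missing property needs a manual look.
            findings.append((name, "<not shown>", "verify manually"))
        elif not acceptable(value):
            findings.append((name, value, risk))
    return findings

if __name__ == "__main__":
    for name, value, risk in audit(parse_properties(SAMPLE_MENU)):
        print(f"[REVIEW] {name}={value}: {risk}")
```

Setting USE_SSL, VALIDATE_CLIENT_CE or REQUIRE_CERT_REG to TRUE also requires the CertTool steps named in Table 4.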

    Setting Event Notification

    The following procedure describes how to set Event Notification for the Tivoli Identity Manager Server. Event Notification updates the Tivoli Identity Manager Server with changes to the Tivoli Identity Manager Server at set intervals.

    Note: The example menu shows all the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.

    1. Type C (Event Notification) at the main menu prompt. The Event Notification Menu appears.

    Event Notification Menu
    --------------------------------------------------------------
    * Reconciliation interval : 1 day(s)
    * Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
    * Configured Contexts : Jupiter, dd309
    A. Enabled
    B. Time interval between reconciliations.
    C. Set Processing cache size. (currently: 50 Mbytes)
    D. Start event notification now.
    E. Set attributes to be reconciled.
    F. Reconciliation process priority. (current: 1)
    G. Add Event Notification Context.
    H. Modify Event Notification Context.
    I. Remove Event Notification Context.
    J. List Event Notification Contexts.

    X. Done

    Select menu option:

    2. Type the menu option letter of the Event Notification option that you want to change.

    Note: Option A must be enabled in order for the values of the other options to take effect.


  • Table 5. Event notification options

    Type this Option To Accomplish this

    A If this option is enabled, the adapter updates the Tivoli Identity Manager Server with changes to the adapter at regular intervals.

    When the option is set to:

    - disabled, it automatically changes to enabled
    - enabled, it automatically changes to disabled

    B (Time interval between reconciliations)

    The following prompt appears:

    Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:

    Type a different reconciliation interval.

    Press Enter to return to the Agent Activity Logging menu without changing the value.

    C (Set processing cache size)

    The following prompt appears:

    Enter new cache size[5]:

    Type a different value to change the processing cache size.

    Press Enter to return to the Agent Activity Logging menu without changing the value.

    D (Start event notification now)

    If this option is selected, event notification is started.

    E (Set attributes to be reconciled)

    The Event Notification Entry Types menu appears. See Setting Attributes to be Reconciled on page 26 for more information.

    F (Reconciliation process priority)

    The following prompt appears:

    Enter new thread priority [1-10]:

    Type a different thread value to change reconciliation process priority.

    Press Enter to return to the Agent Activity Logging menu without changing the value.

    G (Add Event Notification Context)

    The following prompt appears:

    Context name :

    Type the new context name and press Enter. The new context is added.

    H (Modify Event Notification Context)

    A menu listing the available contexts appears. See Modifying an Event Notification Context on page 27 for more information.

    I (Remove Event Notification Context)

    The Remove Context menu appears. Select the context to remove and the following prompt appears:

    Delete context context1? [no]:

    Press Enter to exit without deleting the context or type Yes and press Enter to delete the context.


    J (List Event Notification Contexts)

    The Event Notification Contexts are displayed in the following format:

    Context Name : Context1
    Target DN : erservicename=context1,o=IBM, ou=IBM,dc=com
    --- Attributes for search request ---
    {search attributes listed}
    -----------------------------------------------

    3. Press Enter if you changed the value for option B, C, E or F. The Event Notification menu reappears and displays your new settings.

    Note: The other options are changed automatically when you type the corresponding menu option letter.

    Setting Attributes to be Reconciled

    Setting attributes to be reconciled consists of selecting attributes that will trigger event notifications when their values change. Attributes that change frequently (password age or last successful logon, for example) can be omitted.

    1. Type E (Set attributes to be reconciled) at the Event Notification Menu.

    The Event Notification Entry Types menu appears.

    Event Notification En