  • SAP NetWeaver Identity Management 7.2

    Identity Management for SAP System Landscapes: Upgrading from Identity Management 7.1 to 7.2

    Document Version 7.2 Rev 8

    June 2013

  • 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries. Apple, App Store, FaceTime, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc. Bluetooth is a registered trademark of Bluetooth SIG Inc. Citrix, ICA, Program Neighborhood, MetaFrame now XenApp, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. Edgar Online is a registered trademark of EDGAR Online Inc., an R.R. Donnelley & Sons Company. Facebook, the Facebook and F logo, FB, Face, Poke, Wall, and 32665 are trademarks of Facebook. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik, and Android are trademarks or registered trademarks of Google Inc. HP is a registered trademark of the Hewlett-Packard Development Company L.P. HTML, XML, XHTML, and W3C are trademarks, registered trademarks, or claimed as generic terms by the Massachusetts Institute of Technology (MIT), European Research Consortium for Informatics and Mathematics (ERCIM), or Keio University. 
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation. Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation. INTERMEC is a registered trademark of Intermec Technologies Corporation. IOS is a registered trademark of Cisco Systems Inc. The Klout name and logos are trademarks of Klout Inc.

    Linux is the registered trademark of Linus Torvalds in the United States and other countries. Motorola is a registered trademark of Motorola Trademark Holdings LLC. Mozilla and Firefox and their logos are registered trademarks of the Mozilla Foundation. Novell and SUSE Linux Enterprise Server are registered trademarks of Novell Inc. OpenText is a registered trademark of OpenText Corporation. Oracle and Java are registered trademarks of Oracle and its affiliates. QR Code is a registered trademark of Denso Wave Incorporated. RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry AppWorld are trademarks or registered trademarks of Research in Motion Limited. SAVO is a registered trademark of The Savo Group Ltd. The Skype name is a trademark of Skype or related entities. Twitter and Tweet are trademarks or registered trademarks of Twitter. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Wi-Fi is a registered trademark of Wi-Fi Alliance. SAP, R/3, ABAP, BAPI, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, Sybase, Adaptive Server, Adaptive Server Enterprise, iAnywhere, Sybase 365, SQL Anywhere, Crossgate, B2B 360 and B2B 360 Services, m@gic EDDY, Ariba, the Ariba logo, Quadrem, b-process, Ariba Discovery, SuccessFactors, Execution is the Difference, BizX Mobile Touchbase, It's time to love work again, SuccessFactors Jam and BadAss SaaS, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany or an SAP affiliate company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. 
National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Typographic Conventions

Type Style: Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options.

Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons

Icon: Meaning

Caution

Example

Note

Recommendation

Syntax


Contents

1 Introduction ..... 7
1.1 Prerequisites ..... 7
1.2 Background ..... 7
2 Process Timeline ..... 7
3 Process Description ..... 9
4 Task Lists ..... 13
4.1 Task List - DEV Environment ..... 13
4.2 Task List QA Environment ..... 15
4.3 Task List PROD Environment ..... 16
5 Emptying the Provisioning Queue ..... 18
5.1 Running the Database Updates ..... 18
5.1.1 Running the Database Updates on Microsoft SQL Server ..... 18
5.1.2 Running the Database Updates on Oracle ..... 19
5.2 Importing the Jobs ..... 19
5.3 Handling Remaining Approvals ..... 19
5.3.1 Notifying Approvers ..... 20
5.3.2 Rejecting Pending Approvals ..... 20
5.4 Reducing the Queue Size ..... 21
5.4.1 Reporting the Contents of the Provisioning Queue ..... 21
5.4.2 Preventing Adding Entries to the Provisioning Queue ..... 22
5.4.3 Reducing the Processing Time ..... 22
5.4.4 Removing Access to the Identity Management User Interface ..... 22
5.4.5 Turning off Internal Reconciliation ..... 22
6 Deleting the Provisioning Queue ..... 23
7 Disabling the Provisioning Framework 7.1 ..... 23
8 Converting the Identity Store Data to use the Provisioning Framework 7.2 ..... 23
8.1 Importing the Jobs ..... 24
8.2 Running the Database Updates ..... 26
8.2.1 Running the Database Updates on Microsoft SQL Server ..... 26
8.2.2 Running the Database Updates on Oracle ..... 26
8.3 Running the Upgrade Jobs ..... 27
8.3.1 Handling System Landscapes with AS Java with an LDAP Backend ..... 27
8.4 Inspecting the Log ..... 28
9 Upgrading the Configuration ..... 29
9.1 Changes in the Provisioning Framework ..... 29
9.1.1 Split in Two Parts ..... 29
9.1.2 Privilege Handling ..... 30
9.1.3 Hook Tasks ..... 30
9.1.4 E-mail Notification ..... 30
9.1.5 Event Handling ..... 30
9.2 New Features in Identity Management 7.2 ..... 31
9.3 Re-implementing Customizations ..... 31
10 Removing the Provisioning Framework 7.1 ..... 32
11 Reconciling the System ..... 32


1 Introduction

You can use SAP NetWeaver Identity Management for processing identity information in a variety of ways, depending on your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without SAP systems.

    The SAP provisioning framework provides mechanisms to integrate SAP NetWeaver Identity Management with other SAP systems.

The provisioning framework for SAP systems in Identity Management 7.2 is described in the document Identity Management for SAP System Landscapes: Architectural Overview, which presents a number of use cases where you can use SAP NetWeaver Identity Management for identity provisioning with SAP systems.

    The document Identity Management for SAP System Landscapes: Configuration Guide describes how you install and configure the framework and implement the specified use cases.

    Make sure to read through the whole document before starting the process.

1.1 Prerequisites

This document is based on the following prerequisites:

    SAP NetWeaver Identity Management 7.1 SP5 with a running provisioning framework for SAP systems.

    The jobs and templates used in the upgrade process can be downloaded from the SDN.

1.2 Background

Due to the changed database structure and to be able to utilize the improvements and new features in Identity Management 7.2, the provisioning framework for SAP systems has been completely rewritten for Release 7.2. Thus, it is not possible to do a direct upgrade of the framework from Identity Management 7.1 to 7.2. This document describes the process of how to upgrade a framework from Release 7.1 to Release 7.2.

2 Process Timeline

This illustration shows a timeline for the three systems involved (Dev, QA and Production) and which tasks are performed on each system.

    The timeline is just an indication of the sequence of the activities that must be completed. It does not reflect the actual time needed for the different activities. The timeline also shows which activities are performed in parallel on each system.

[Figure: Process timeline with lanes Dev, QA and Prod. Activity labels that appear in the figure, in extraction order (lane assignment is not recoverable from the extracted text): Create migration jobs, Notify approvers, Reject approvals, Force queue exec., Export migration jobs, Import migration jobs, Upgrade to IdM 7.2, Test migration jobs, Delete prov queue, Export migration jobs, Import migration jobs, Disable SAP PF 7.1, Mail to approvers, Install SAP PF 7.2, Convert IdS to PF 7.2, Re-implement extensions, Upgrade to IdM 7.2, Test, Delete prov queue, Export config (A), Import config (A), Convert IdS to PF 7.2, Delete PF 7.1, Start, Test, Fix, Test, Export config (B), Import config (B), Test, Delete PF 7.1, Export config (X), Import config (X), Start, Reconcile, Stop load/reconcile jobs, Verify, Force queue execution, Stop IdM UI, Reject approvals, Upgrade to IdM 7.2, Delete prov queue, Initial transport (export), Initial transport (import), Convert IdS to PF 7.2, Start, Reconcile, Verify, Production. A "Repeat" label marks an iteration loop.]

The color in the first column shows the status of the system:

Green: The system is operative

Yellow: The system is partly operative

Red: The system is stopped


3 Process Description

The following section describes the process of upgrading the SAP provisioning framework from Identity Management 7.1 to 7.2. Each step in the process is outlined, and if a more detailed description is needed, there is a reference to a separate section.

    Make sure that you take regular backups of the system throughout the process.

    Make sure that you manage the keys.ini file in all systems. For more information, see section 8 in the document SAP NetWeaver Identity Management Security Guide.

    See SAP Note 1634988 for information about upgrading the database on Oracle.

    1 Initial landscape

    The initial landscape consists of a Development (Dev), QA and Production (Prod) system.

    Changes from the Dev to the QA system are transferred using the Configuration Copy Tool (export/import).

    The Prod environment is updated based on staging (the whole configuration is transferred) according to the document SAP NetWeaver Identity Management Implementation Guide Staging Environment.

    All three systems are running Identity Management 7.1 with the SAP provisioning framework 7.1.

[Figure: Landscape diagram with the DEV, QA and PROD systems; DEV and QA are linked by Sync, QA and PROD by Staging.]

2 Prepare for upgrade (Dev)

Start by preparing to update the Dev environment.

    Ensure that:

    No updates from Dev to QA take place during the process

    The QA and Production environments work as normal during the upgrade of the DEV environment.

    You should start early to inform the organization and start preparing to empty the provisioning queue. See section 5 for details.

[Figure: Landscape diagram with the DEV, QA and PROD systems; DEV and QA are linked by Sync, QA and PROD by Staging.]


    3 Upgrade to Identity Management 7.2 (Dev)

    Empty the provisioning queue. See section 5 for details, but you can omit some of the steps needed in the Production environment.

    Upgrade the Dev environment to Identity Management 7.2:

    Follow the upgrade procedure described in the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

    Issues in the provisioning framework 7.1 reported by Configuration Analyzer can normally be ignored, as this is kept for reference only and will not run. Only issues with identity store data need to be fixed.

    Delete the provisioning queue. See section 6.

    Install the provisioning framework 7.2 in the Dev environment.

    Disable the provisioning framework 7.1. See section 7 for more information.

[Figure: Landscape diagram with the DEV, QA and PROD systems and a PF 7.1 label; DEV and QA are linked by Sync, QA and PROD by Staging.]

    4 Convert the identity store data (Dev)

A Dev system running Identity Management 7.2 with the provisioning framework 7.2 is now available.

    Convert the identity store data to use the provisioning framework 7.2. See section 8.

[Figure: Landscape diagram with the DEV, QA and PROD systems and a PF 7.1 label; DEV and QA are linked by Sync, QA and PROD by Staging.]

    5 Upgrade the configuration (Dev)

    Re-implement the customizations of the provisioning framework 7.1 in the provisioning framework 7.2:

    The provisioning framework 7.1 is available as a reference system.

    Use the provisioning framework 7.1 as basis for re-implementing the customizations of the provisioning framework.

    For important considerations when re-implementing the customizations, see section 9.

[Figure: Landscape diagram with the DEV, QA and PROD systems and a PF 7.1 label; DEV and QA are linked by Sync, QA and PROD by Staging.]


    6 Test the configuration (Dev)

    Perform tests in the Dev environment to ensure that all functionality works.

    Remove the provisioning framework 7.1. See section 10.

    Export the configuration.

[Figure: Landscape diagram with the DEV, QA and PROD systems; DEV and QA are linked by Sync, QA and PROD by Staging.]

    7 Upgrade the QA environment

    Upgrade the QA environment to Identity Management 7.2:

    Stop the system

    Empty the provisioning queue. See section 5 for details, but you can omit some of the steps needed in the Production environment.

    Upgrade to Identity Management 7.2 according to the upgrade procedure described in the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

    Delete the provisioning queue, see section 6.

    Convert the identity store data to use the provisioning framework 7.2. See section 8.

    Import the configuration from Dev.

Remove the provisioning framework 7.1. See section 10.

    Reconcile inconsistencies as a result of deleting the provisioning queue. See section 11.

    Test.

    Fix issues in Dev and repeat import and test until all issues are resolved.

[Figure: Landscape diagram with the DEV, QA and PROD systems; DEV and QA are linked by Sync, QA and PROD by Staging.]


    8 Upgrade the Production environment

    The QA environment is now running Identity Management 7.2 with the provisioning framework 7.2.

    Disable load/reconcile jobs in the Production environment to prepare for emptying the provisioning queue. See section 5.

    Stop the Identity Management User Interface. See section 5.

    Empty the provisioning queue. See section 5.

    Upgrade the Production environment to Identity Management 7.2 as described in the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

    Delete the provisioning queue. See section 6.

    Perform an initial transport of the configuration. See the document SAP NetWeaver Identity Management Implementation Guide: Transport.

    Convert the identity store data to use the provisioning framework 7.2. See section 8.

    Start the Production system.

    Reconcile inconsistencies as a result of deleting the provisioning queue. See section 11.

Verify that the system works as expected.

[Figure: Landscape diagram with the DEV, QA and PROD systems; DEV and QA are linked by Sync, QA and PROD by Transport.]


4 Task Lists

The following section contains task lists for the three environments, with references to where you find the relevant documentation.

    Make sure to read through the whole document before starting the process.

4.1 Task List - DEV Environment

Activity | Reference
Prevent adding entries to the provisioning queue | See section 5.4.2.
Run database updates | See section 5.1.
Import the pre-migration jobs | See section 5.2.
Run the pre-migration jobs | See sections 5.4.1 and 5.4.3.
Stop and uninstall dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run the Configuration Analyzer | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up EMSConfig.xml | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up Keys.ini | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up the Identity Center \jobs folder | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Management Console (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Management Console.
Copy EMSConfig.xml, Keys.ini and the \jobs folder to the new installation | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Runtime Components (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Runtime Components.
Upgrade the Identity Center database | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run MigrateDB BASIC | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center database again | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Management User Interface | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Delete the provisioning queue | See section 6.
Disable the SAP PF 7.1 | See section 7.
Create dispatcher scripts and install dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Install and configure the SAP PF 7.2 | See the document SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.
Run the database update to convert the identity store | See section 8.2.
Import the job to convert the identity store | See section 8.1.
Run the job to convert the identity store | See section 8.3.
Fix issues reported by the Configuration Analyzer | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run the Configuration Analyzer again | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Fix issues reported by the Configuration Analyzer | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run MigrateDB PURE | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade/re-implement customizations | See section 9.
Delete the SAP PF 7.1 | See section 10.
Disable unused scripts | See the help file for details.
Delete unused scripts | See the help file for details.
Test |
Export the configuration |


4.2 Task List QA Environment

Activity | Reference
Prevent adding entries to the provisioning queue | See section 5.4.2.
Run database updates | See section 5.1.
Import the pre-migration jobs | See section 5.2.
Run the pre-migration jobs | See sections 5.4.1 and 5.4.3.
Stop and uninstall dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up EMSConfig.xml | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up Keys.ini | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up the Identity Center \jobs folder | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Management Console (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Management Console.
Copy EMSConfig.xml, Keys.ini and the \jobs folder to the new installation | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Runtime Components (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Runtime Components.
Upgrade the Identity Center database | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run MigrateDB BASIC | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center database again | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Management User Interface | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Delete the provisioning queue | See section 6.
Disable the SAP PF 7.1 | See section 7.
Create dispatcher scripts and install dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Import SAP PF 7.2 from the DEV environment |
Run the database update to convert the identity store | See section 8.2.
Import the job to convert the identity store | See section 8.1.
Run the job to convert the identity store | See section 8.3.
Run MigrateDB PURE | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Delete the SAP PF 7.1 | See section 10.
Disable unused scripts | See the help file for details.
Delete unused scripts | See the help file for details.
Run the Configuration Analyzer | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Fix and test remaining issues in the DEV environment | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Import final configuration from the DEV environment |
Perform an initial transport (export) to the PROD environment | See the document SAP NetWeaver Identity Management Implementation Guide: Transport.

4.3 Task List PROD Environment

Activity | Reference
Prevent adding entries to the provisioning queue | See section 5.4.2.
Notify approvers | See section 5.3.1.
Run database updates | See section 5.1.
Import the pre-migration jobs | See section 5.2.
Run the pre-migration jobs | See sections 5.4.1 and 5.4.3.
Reject pending approvals | See section 5.3.2.
Stop and uninstall dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up EMSConfig.xml | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up Keys.ini | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Back up the Identity Center \jobs folder | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Management Console (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Management Console.
Copy EMSConfig.xml, Keys.ini and the \jobs folder to the new installation | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center Runtime Components (uninstall/install) | See the document SAP NetWeaver Identity Management Identity Center Installing the Runtime Components.
Upgrade the Identity Center database | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run MigrateDB BASIC | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Center database again | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Upgrade the Identity Management User Interface | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Delete the provisioning queue | See section 6.
Perform an initial import from the QA environment using Transport | See the document SAP NetWeaver Identity Management Implementation Guide: Transport.
Create dispatcher scripts and install dispatchers | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run the database update to convert the identity store | See section 8.2.
Import the job to convert the identity store | See section 8.1.
Run the job to convert the identity store | See section 8.3.
Run MigrateDB PURE | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Run the Configuration Analyzer | See the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.
Reconcile inconsistencies | See section 11.
Go live |


5 Emptying the Provisioning Queue

Before you can upgrade the (production) system, the provisioning queue of the 7.1 system must be emptied as far as possible. This is necessary because the tasks referenced from the queue will no longer exist after the upgrade.

    The queue consists of various elements:

    Approval requests

    Tasks waiting for specific events

    Tasks waiting for a specific point in time

    Before the system can be upgraded the number of elements should be reduced as much as possible.

    To empty the queue you must:

    Handle the remaining approval requests

Prevent entries from being added to the queue

    After you upgrade to Identity Management 7.2, you must:

    Delete the provisioning queue

    Reconcile the system

5.1 Running the Database Updates

In order to run the jobs to reduce the queue size, you must run some database updates. The procedure is different for the two database systems.

5.1.1 Running the Database Updates on Microsoft SQL Server

To run the database updates on Microsoft SQL Server:

    1. Copy the folder \7.1\Procedures corresponding to your database system.

    2. Open a command prompt in the folder where the .sql files are located.

    3. Run the database update:

    mxmc-createmigration71procs.cmd

    to update a database with the default prefix (mxmc).

    Or:

    mxmc-xcreatemigration71procs.cmd

    to update a database with a custom prefix and provide the necessary information on the command line.

    The necessary procedures are now added to the Identity Center database.


    5.1.2 Running the Database Updates on Oracle

    To run the database updates on Oracle:

    1. Copy the folder \7.1\Procedures to the system.

    2. Open the include.sql file in a text editor.

    3. Change DEFINE PREFIX to the prefix of your Identity Center database. The default value is MXMC.

    4. Open a command prompt in the folder where the files are located.

    5. Run the script to grant additional authorizations to the _oper user. The script must be run as database administrator.

    Microsoft Windows: grant-oper-rights.cmd

    Unix: grant-oper-rights.sh

    6. Run the following script file:

    Microsoft Windows: install-pre-migration.cmd

    Unix: install-pre-migration.sh

    5.2 Importing the Jobs

    The ZIP file contains jobs that you can import into your Identity Management 7.1 system:

    1. Copy the folder 7.1\Jobs corresponding to your database to the system.

    2. Import the job folder PreMigration71Jobs.mcc.

    5.3 Handling Remaining Approvals

    To be able to empty the queue, the whole organization must be involved and informed, and planning should start early. As many approvals as possible should be processed by the organization while the Identity Management 7.1 system is still available.

    There are two jobs that you can use to handle approvals in the provisioning queue:

    Notify approvers

    Reject pending approvals

    Import the templates to your Identity Management 7.1 environment.


    5.3.1 Notifying Approvers

    The first step in the process is to notify the approvers that have approvals in the provisioning queue.

    1. Create a job based on the job template.

    2. Fill in the job constants in the wizard.

    3. The template contains a suggested subject and content for the message that is sent to the approvers. You can modify these texts on the Destination tab of the pass.

    4. You can run this job to send the e-mail as many times as you want in the period before the upgrade of the production environment.

    The job updates the log table (mc_migration_log) (see section 8.4), and you can inspect the log after the job has completed. The component ID for this job is -200.

    5.3.2 Rejecting Pending Approvals

    If there are still approvals left in the approval queue when you have to remove access to the Identity Management User Interface, you can force a decline of all remaining approvals.

    1. Create a job based on the template.

    2. Fill in the job constants.

    3. Run the job.

    When the approvals are rejected, new items may be added to the provisioning queue. Make sure that you allow some time for the system to process these new entries before you stop the system.

    The job updates the log table (mc_migration_log) (see section 8.4), and you can inspect the log after the job has completed.

    The component ID for this job is -201.


    5.4 Reducing the Queue Size

    Before migrating, you should limit the size of the queue as much as possible by preventing new entries from being added to it.

    You can view the number of entries in the queue and the number of approvals in the queue on the Statistics tab of the identity store properties in the Identity Center Management Console.

    There are several ways to reduce the queue:

    Preventing external events from adding entries to the provisioning queue.

    Reducing the processing time.

    Removing access to the Identity Management User Interface.

    Turning off internal reconciliation.

    Although there are no external events taking place, the queue may still increase in size, due to internal events adding entries to the queue.

    5.4.1 Reporting the Contents of the Provisioning Queue

    At any time in the process, you can run a job that writes the contents of the provisioning queue to the database table mc_migration_remainingQueue.

    To run the jobs:

    1. If necessary, start the Identity Center Management Console and select the location in the console tree where you want to import the jobs.

    2. Import the file Migration_7_2_Queue_report.mcc.

    3. The file contains a job folder with one job.

    4. Run the job at any time to write the entries in the queue to the table.

    You can use this table to see which entries are in the queue and if you need to take some manual steps to process them. The table has the following columns:

    Mskey: The entry's (user's) unique ID (MSKEY).

    TaskID: The ID of the task that should be processed.

    AuditRef: The AuditID of the current queue entry.

    RepositoryID: The ID of the repository to which the user should be provisioned.

    rep_type: Type of repository.

    privMskey: The MSKEY of the referenced privilege.

    Mskeyvalue: The name of the user.

    TaskName: The name of the root task.

    aMsg: Message from, or name of, a subtask currently ready to run.

    privMSKEYVALUE: The name of the privilege given to/removed from the user (if available).

    Rep_name: The name of the repository.

    Aud_StartedBy: The AuditID of the initiating queue entry.
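One way to turn the mc_migration_remainingQueue table into a triage list for the reconciliation described in section 11, as an added example that is not part of the guide. The column names are the ones listed above; the rows are constructed sample data, and the grouping and flagging rules (entries whose AuditRef differs from Aud_StartedBy are sub-steps of a larger, partly processed operation) are assumptions made here.

```python
"""Triage worklist from mc_migration_remainingQueue.

Added example, not from the SAP guide. The column names are the ones the
guide lists for the table; the rows are constructed sample data and the
grouping/flagging rules are assumptions about how to triage what is left in
the queue before it is deleted (section 6) and the system is reconciled
(section 11).
"""
from collections import defaultdict

# Columns of mc_migration_remainingQueue as listed in the guide.
COLUMNS = ("Mskey", "TaskID", "AuditRef", "RepositoryID", "rep_type",
           "privMskey", "Mskeyvalue", "TaskName", "aMsg",
           "privMSKEYVALUE", "Rep_name", "Aud_StartedBy")

# Constructed sample rows; names, IDs and messages are illustrative only.
SAMPLE_ROWS = [dict(zip(COLUMNS, r)) for r in (
    (1001, 50, 9001, 3, "ABAP", 7001, "JSMITH", "Provisioning",
     "Waiting for approval", "PRIV:ERP_PROD:SAP_ALL", "ERP_PROD", 9001),
    (1001, 51, 9002, 3, "ABAP", 7001, "JSMITH", "Provisioning",
     "Create ABAP user", "PRIV:ERP_PROD:SAP_ALL", "ERP_PROD", 9001),
    (1002, 60, 9010, 5, "LDAP", 7020, "AKHAN", "Deprovisioning",
     "Remove group member", "PRIV:AD_CORP:Finance", "AD_CORP", 9010),
    (1003, 61, 9011, 5, "LDAP", None, "MLEE", "Deprovisioning",
     "Delete account", None, "AD_CORP", 9008),
    (1002, 70, 9012, 3, "ABAP", 7002, "AKHAN", "Provisioning",
     "Waiting for approval", "PRIV:ERP_PROD:FI_CLERK", "ERP_PROD", 9012),
)]


def worklist_by_repository(rows):
    """Per repository name, the distinct (user, root task, privilege)
    combinations still queued: the manual reconciliation list for the
    administrator of each target system."""
    groups = defaultdict(set)
    for r in rows:
        groups[r["Rep_name"]].add(
            (r["Mskeyvalue"], r["TaskName"], r["privMSKEYVALUE"] or ""))
    return {rep: sorted(items) for rep, items in groups.items()}


def child_entries(rows):
    """AuditRefs of entries that are sub-steps of a larger operation, i.e.
    whose initiating audit (Aud_StartedBy) is not the entry itself. Deleting
    the queue leaves that operation half done, so these come first."""
    return sorted(r["AuditRef"] for r in rows
                  if r["AuditRef"] != r["Aud_StartedBy"])


def orphaned_children(rows):
    """Child entries whose initiating entry is no longer in the queue: the
    parent already ran, so the target system may be partly updated."""
    present = {r["AuditRef"] for r in rows}
    return sorted(r["AuditRef"] for r in rows
                  if r["AuditRef"] != r["Aud_StartedBy"]
                  and r["Aud_StartedBy"] not in present)


def affected_users(rows):
    """Distinct users (Mskeyvalue) touched by the remaining entries."""
    return sorted({r["Mskeyvalue"] for r in rows})


def report(rows):
    """Plain-text summary suitable for handing to the system owners."""
    lines = []
    for rep, items in sorted(worklist_by_repository(rows).items()):
        lines.append(f"{rep}: {len(items)} pending assignment(s)")
        for user, task, priv in items:
            lines.append(f"  {user:10} {task:15} {priv}")
    lines.append(f"child entries: {child_entries(rows)}")
    lines.append(f"orphaned children: {orphaned_children(rows)}")
    lines.append(f"users to reconcile: {affected_users(rows)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ROWS))
```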


    5.4.2 Preventing Adding Entries to the Provisioning Queue

    You should limit the number of entries added to the provisioning queue as much as possible:

    Disable any load or reconcile jobs for the repositories, so that they do not add entries to the provisioning queue.

    Configure the dispatchers to only run tasks, and not jobs.

    Stop any Virtual Directory Servers.

    5.4.3 Reducing the Processing Time

    To speed up the processing of the entries in the provisioning queue, you can run two jobs that:

    Reduce the retry count for jobs that fail.

    Reduce the execution time offset of jobs to force them to be executed earlier.

    To run the jobs:

    1. If necessary, start the Identity Center Management Console and select the location in the console tree where you want to import the jobs.

    2. Import the file Migration_7_2_Queue_process.mcc.

    3. The file contains a job folder with the two jobs.

    4. Both jobs can be run several times to speed up the processing of the queue before it is deleted.

    The jobs update the log table (mc_migration_log) (see section 8.4), and you can inspect the log after the jobs have completed.

    The component IDs for these jobs are -202 and -203.

    To view the contents of the queue, see section 5.4.1.

    5.4.4 Removing Access to the Identity Management User Interface

    When all approvals that can be processed manually have been performed, access to the Identity Management User Interface can be removed.

    This can be done in several ways, depending on the version of the SAP NetWeaver AS Java. For instance, for EHP 1 for SAP NetWeaver CE 7.1, you can stop the IDM_DataSource from the SAP NetWeaver Administrator.

    5.4.5 Turning off Internal Reconciliation

    Turn off internal reconciliation to prevent this process from adding further entries to the provisioning queue.

    Set the global configuration constant MX_RECONCILE to False.


    6 Deleting the Provisioning Queue

    The queue size was reduced as much as possible while still running Identity Management 7.1. The remaining entries in the provisioning queue are deleted after upgrading to Identity Management 7.2.

    After the queue is deleted the system must be reconciled, see section 11.

    Make sure that you back up your system before you proceed.

    To delete the remaining entries in the provisioning queue:

    1. Select the identity store in the Identity Center Management Console.

    2. Choose Management/Delete provisioning queue from the context menu.

    For details, see the topic Deleting the provisioning queue in the help file for the Identity Center.

    7 Disabling the Provisioning Framework 7.1

    When you upgrade the QA environment from Release 7.1 to Release 7.2, the existing provisioning framework 7.1 must be disabled.

    1. If necessary, open the configuration in the Identity Center Management Console.

    2. Disable the provisioning folder SAP Provisioning Framework containing the provisioning framework 7.1.

    3. Disable the job folder containing the jobs for the provisioning framework 7.1. The recommended name is SAP_Master, but this folder was created manually when installing the provisioning framework 7.1.

    4. Disable any other provisioning or job folders used by the provisioning framework 7.1.

    5. Clean up references to tasks and jobs that no longer exist from the Management Console.

    For more information about disabling a folder and cleaning up task and job references, see the help file for the Identity Center.

    8 Converting the Identity Store Data to use the Provisioning Framework 7.2

    After you have upgraded to Identity Management 7.2 with provisioning framework 7.2, the identity store must be updated to use the new version of the framework. This is done by running jobs that update repositories, users and other entries to use the mechanisms of the new framework.


    8.1 Importing the Jobs

    The jobs are provided for download from the SDN together with this document.

    1. Copy the folder 7.2\Jobs corresponding to your database to the system.

    2. Import the job folder Upgrade71IdSTo72().mcc.

    The import file contains the following jobs:

    Job: Detect 7.1 provisioning framework repositories
    Description: This job identifies the repositories used by the provisioning framework 7.1 as ready for update.
    Outcome: The repository constant UPDATE_71_IDS is added to the repository definition and the value is set equal to the name of the repository template used to create the repository.

    Job: Upgrade repositories
    Description: Upgrades the repositories marked with UPDATE_71_IDS, adding the repository constants for the provisioning framework 7.2. The job uses the repository templates from the installation that match the values of the UPDATE_71_IDS constant.
    Outcome: Repository constants from the 7.2 repository template corresponding to the repository type are added to the repositories.

    Job: Create repository privileges
    Description: Creates account and system privileges and enables the modify trigger attributes on system privileges.
    Outcome: The privileges PRIV::ONLY and PRIV:SYSTEM: are created for each repository.


    Job: Update container objects
    Description: Updates groups and privileges.
    Outcome:
    Groups: MSKEYVALUES are escaped (, and = are converted to \, and \=). The constant ACCOUNT is set equal to DN for Active Directory and SUN repositories, and the constant DN is removed.
    Group privileges: The constant ACCOUNT is set equal to DN for Active Directory and SUN repositories, and the constant DN is removed. The task references for the Provisioning and Deprovisioning tasks are removed. The task references for the Validate add and Validate remove tasks are disabled.
    Privileges (except PRIV:SYSTEM: and PRIV::ONLY): MSKEYVALUES are escaped (, and = are converted to \, and \=). MX_REQ_PRIV is set equal to PRIV::ONLY. MX_IS_ACCOUNT is set to 0. The Add member task is moved to the Validate add task. The Remove member task is moved to the Validate remove task. The task references for the Provisioning and Deprovisioning tasks are removed.

    Job: Update users
    Description: Updates all users in the identity store.
    Outcome: The privileges PRIV:SYSTEM: and PRIV::ONLY are added. The constant ACCOUNT is set equal to DN for Active Directory and SUN repositories, and the constant DN is removed.
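Since section 8.3 asks you to verify the result of each job before running the next, the following added example (not code from the guide or from SAP) implements the MSKEYVALUE escaping rule stated above for groups and privileges and checks exported before/after values against it. The unescape routine, the "already escaped" detection and the sample DN are assumptions made here; the guide only states the rule itself.

```python
r"""Checking the MSKEYVALUE escaping applied by the "Update container objects" job.

Added example, not from the SAP guide. The guide states only the rule that
"," and "=" in group and privilege MSKEYVALUEs become "\," and "\="; the
unescape routine and the before/after verification below are assumptions
added so that the job result can be checked, and a rerun can be caught
before it double-escapes values. System and account privileges, which the
guide says the job skips, are not special-cased here.
"""

ESCAPES = {",": "\\,", "=": "\\="}


def escape_mskeyvalue(value):
    """Apply the guide's rule: every ',' and '=' gets a backslash prefix."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_mskeyvalue(value):
    r"""Inverse of escape_mskeyvalue: '\,' -> ',' and '\=' -> '='. Any other
    backslash is left alone, since the guide defines no other sequences."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in ESCAPES:
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def is_escaped_form(value):
    """True when the value contains no bare ',' or '=' (already converted,
    or nothing to convert)."""
    return escape_mskeyvalue(unescape_mskeyvalue(value)) == value


def verify_conversion(pairs):
    """Compare (before, after) MSKEYVALUE pairs taken from the 7.1 and 7.2
    identity stores. Returns (before, after, problem) for every pair that is
    not a single, correct application of the rule."""
    problems = []
    for before, after in pairs:
        if unescape_mskeyvalue(before) != before:
            # Input already carried escape sequences: a second run would
            # double-escape it, so the correct outcome is "unchanged".
            if after != before:
                problems.append((before, after, "double-escaped on rerun"))
        elif after != escape_mskeyvalue(before):
            problems.append((before, after, "not escaped as per rule"))
    return problems


# Constructed sample values (not from the guide).
GROUP_DN = "cn=Admins,ou=Groups,dc=example,dc=com"
GROUP_DN_ESCAPED = "cn\\=Admins\\,ou\\=Groups\\,dc\\=example\\,dc\\=com"

if __name__ == "__main__":
    checks = [
        (GROUP_DN, GROUP_DN_ESCAPED),                               # correct
        (GROUP_DN, GROUP_DN),                                       # job did not run
        (GROUP_DN_ESCAPED, escape_mskeyvalue(GROUP_DN_ESCAPED)),   # job ran twice
    ]
    for before, after, why in verify_conversion(checks):
        print(f"{why}: {before!r} -> {after!r}")
```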


    8.2 Running the Database Updates

    The jobs that update the identity store use a number of database procedures that must be added to the Identity Center database. The procedure differs between the two database systems.

    8.2.1 Running the Database Updates on Microsoft SQL Server

    To run the database updates on Microsoft SQL Server:

    1. Copy the folder \7.2\Procedures to the system.

    2. Open a command prompt in the folder where the .sql files are located.

    3. Run the database update: mxmc-update71_72.cmd

    to update a database with the default prefix (mxmc).

    Or: mxmc-xupdate71_72.cmd

    to update a database with a custom prefix and provide the necessary information on the command line.

    The necessary procedures are now added to the Identity Center database.

    8.2.2 Running the Database Updates on Oracle

    To run the database updates on Oracle:

    1. Copy the folder \Procedures to the system.

    2. Open the include.sql file in a text editor.

    3. Change DEFINE PREFIX to the prefix of your Identity Center database. The default value is MXMC.

    4. Open a command prompt in the folder where the files are located.

    5. Run the following script file:

    Microsoft Windows: install_update71_72.cmd

    Unix: install_update71_72.sh


    8.3 Running the Upgrade Jobs

    If you are running a system landscape with AS Java with an LDAP backend, see section 8.3.1.

    Run the upgrade jobs:

    1. If necessary, start the Identity Center Management Console and select the location in the console tree where you want to import the jobs.

    2. Import the file Upgrade_71_identitiy_store_to_72_.mcc.

    3. The file contains a job folder with the jobs to do the necessary conversions.

    4. Run all jobs in sequence to upgrade the identity store to use the provisioning framework 7.2.

    Make sure that you verify the result of each job before continuing with the next.

    8.3.1 Handling System Landscapes with AS Java with an LDAP Backend

    In SAP NetWeaver Identity Management 7.1 the account attribute for the backend repository (Active Directory/LDAP) is samAccountName. In SAP NetWeaver Identity Management 7.2 this is replaced by the distinguished name (DN).

    After running job 2, Upgrade repositories, a repository constant BACKENDMAPPING= is created.

    Since there is no ACCOUNT attribute in Identity Management 7.1, it will construct it from the ACCOUNT which is the samAccountName.

    If your system has several AS Java LDAP backends you may have customized the ACCOUNT in Identity Management 7.1. You can use the BACKENDMAPPING variable to do the same.

    For instance:

    BACKENDMAPPING=cn=,,dc=,dc=com


    8.4 Inspecting the Log

    When a job runs, a log table (mc_migration_log) in the Identity Center database is updated.

    The table has the following columns:

    uid: Unique ID of the log record.

    state: One of the following values:

    0 Informational
    1 Warning
    2 Error

    component: One of the following values:

    -200 Pre-migration notify approvers
    -201 Pre-migration reject pending approvals
    -202 Pre-migration reduce retry count of pending queue items
    -203 Pre-migration reduce exec time of pending queue items
    -300 Upgrade 7.1 IdS to 7.2 detect repositories
    -301 Upgrade 7.1 IdS to 7.2 upgrade repositories
    -302 Upgrade 7.1 IdS to 7.2 disable events
    -303 Upgrade 7.1 IdS to 7.2 update users
    -304 Upgrade 7.1 IdS to 7.2 update container objects

    repository: Reference to the affected repository.

    timestamp: When the event was logged.

    text: Additional text.

    You can either use a job to write the contents of the log to a text file (or another output), or run SQL queries from the database tools to view the contents of the log. For instance:

    To list all entries in the log:

    select * from mc_migration_log

    To list all errors:

    select * from mc_migration_log where state=2

    To list all updates for a specific MSKEY:

    select * from mc_migration_log where mskey=

    To list all updates for a specific repository:

    select * from mc_migration_log where repository=

    To list all log entries from a specific component:

    select * from mc_migration_log where component = -201

    To list all log entries from component -201, with the newest and most important messages first:

    select * from mc_migration_log where component = -201 order by state desc,timestamp desc


    On Oracle, to include dates in a more readable format:

    select state,component,mskey,repository,to_char(mc_migration_log.timestamp,'YYYY-MM-DD HH24:MI:SS') as time,text from mc_migration_log order by state desc,timestamp desc;
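The log queries above, exercised offline as an added example (not code from the guide or from SAP): an in-memory SQLite copy of mc_migration_log with constructed rows stands in for the Identity Center database, and the state and component codes listed in this section are mapped to their meaning so that a per-job "no errors" check can be made before the next upgrade job is run. The column set follows the guide's table, plus a mskey column because the guide's own queries filter on it; the sample rows and their texts are constructed.

```python
"""Querying mc_migration_log offline (added example, not from the SAP guide).

The guide's queries run against the Identity Center database on SQL Server
or Oracle. Here an in-memory SQLite table with constructed rows stands in
for it, so the queries and the state/component code lookups can be tried
without a migration system. Column names follow the guide's table; a mskey
column is included because the guide's example queries filter on it.
"""
import sqlite3

STATE_NAMES = {0: "Informational", 1: "Warning", 2: "Error"}

# Component IDs and their meaning, as listed in the guide.
COMPONENT_NAMES = {
    -200: "Pre-migration notify approvers",
    -201: "Pre-migration reject pending approvals",
    -202: "Pre-migration reduce retry count of pending queue items",
    -203: "Pre-migration reduce exec time of pending queue items",
    -300: "Upgrade 7.1 IdS to 7.2 detect repositories",
    -301: "Upgrade 7.1 IdS to 7.2 upgrade repositories",
    -302: "Upgrade 7.1 IdS to 7.2 disable events",
    -303: "Upgrade 7.1 IdS to 7.2 update users",
    -304: "Upgrade 7.1 IdS to 7.2 update container objects",
}

# Constructed sample rows: (uid, state, component, mskey, repository, timestamp, text).
SAMPLE_LOG = [
    (1, 0, -200, 1001, None, "2013-05-02 08:00:00", "Notification sent to approver"),
    (2, 1, -201, 1001, None, "2013-05-03 09:15:00", "Approval rejected, follow-up entry queued"),
    (3, 2, -201, 1002, None, "2013-05-03 09:16:00", "Could not reject approval"),
    (4, 0, -300, None, 3, "2013-05-10 10:00:00", "Repository marked with UPDATE_71_IDS"),
    (5, 2, -301, None, 5, "2013-05-10 10:05:00", "No 7.2 template matches UPDATE_71_IDS"),
    (6, 1, -303, 1003, 3, "2013-05-10 11:00:00", "User has no ACCOUNT constant"),
]


def open_log(rows=SAMPLE_LOG):
    """Create the stand-in table and load the rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table mc_migration_log (uid integer primary key, "
                "state integer, component integer, mskey integer, "
                "repository integer, timestamp text, text text)")
    con.executemany("insert into mc_migration_log values (?,?,?,?,?,?,?)", rows)
    return con


def errors(con):
    """The guide's 'list all errors' query."""
    return con.execute("select * from mc_migration_log where state=2").fetchall()


def for_mskey(con, mskey):
    return con.execute("select * from mc_migration_log where mskey=?", (mskey,)).fetchall()


def for_repository(con, repository):
    return con.execute("select * from mc_migration_log where repository=?",
                       (repository,)).fetchall()


def by_component(con, component):
    """The guide's per-component query, newest and most severe first."""
    return con.execute("select * from mc_migration_log where component=? "
                       "order by state desc, timestamp desc", (component,)).fetchall()


def problem_summary(con):
    """(component, name, errors, warnings) for every component that logged at
    least one warning or error, in component order."""
    rows = con.execute(
        "select component, sum(state=2), sum(state=1) from mc_migration_log "
        "where state>0 group by component order by component").fetchall()
    return [(c, COMPONENT_NAMES.get(c, "unknown"), e, w) for c, e, w in rows]


def job_clean(con, component):
    """True when a job logged no errors: the check to make before moving on
    to the next upgrade job (section 8.3)."""
    return not any(r[1] == 2 for r in by_component(con, component))


def describe(row):
    uid, state, component, mskey, repository, ts, text = row
    name = COMPONENT_NAMES.get(component, str(component))
    return f"{ts} {STATE_NAMES[state]:13} {name}: {text}"


if __name__ == "__main__":
    con = open_log()
    for row in by_component(con, -201):
        print(describe(row))
    print(problem_summary(con))
```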

    9 Upgrading the Configuration

    When upgrading the configuration from Identity Management 7.1 to 7.2, you should be aware that the frameworks are organized differently in the two versions. Additionally, you should consider how to utilize the new features of Identity Management 7.2. The core functionality of the provisioning framework is the same in both versions, although the configuration is different. Any additional customization must be re-implemented in the provisioning framework 7.2.

    The following sections describe the most important changes in the provisioning framework from 7.1 to 7.2, and give an overview of some new features in Identity Management 7.2 that should be considered when re-implementing the solution.

    9.1 Changes in the Provisioning Framework

    Although the functionality of the frameworks is mostly the same, the implementation is different in order to utilize the new features of Identity Management 7.2. The most important changes between the SAP provisioning framework 7.1 and 7.2 are:

    Split in two parts

    Privilege handling

    Hook tasks

    E-mail notification

    Event tasks

    9.1.1 Split in Two Parts

    The framework has been split into two parts:

    Core

    Connector

    The Core part contains common functionality that normally should not be modified. The Connector part contains repository-specific tasks that can be adapted to each repository. For more information, see the document SAP NetWeaver Identity Management for SAP System Landscapes: Technical Overview.


    9.1.2 Privilege Handling

    There are Account and System privileges for each repository.

    System privileges are for internal use by the framework.

    Account privileges are used as master privileges for the repositories.

    For more information, see the document SAP NetWeaver Identity Management for SAP System Landscapes: Technical Overview.

    Assignments are based on pending value objects. For more information, see the topic About pending value objects in the help file for the Identity Management Identity Center Management Console.

    Privileges are grouped by repository. For more information, see the document SAP NetWeaver Identity Management for SAP System Landscapes: Technical Overview.

    9.1.3 Hook Tasks

    The hook tasks in the connector part are referenced from repository constants. For more information, see the document SAP NetWeaver Identity Management for SAP System Landscapes: Technical Overview.

    9.1.4 E-mail Notification

    Templates for e-mail notifications are available; they use the Notification repository to hold the parameters needed for the mail server.

    9.1.5 Event Handling

    The event tasks are reorganized to utilize the new functionality of Identity Management 7.2. The most important changes are:

    The Add member task of the provisioning framework 7.1 was used to perform approvals. This is now done with the Validate add task.

    The Provisioning task was used to perform the actual provisioning. This is now done by the Add member task.

    Deprovisioning was handled by the Deprovisioning task. This is now done by the Remove member task.

    For more information about Member event handling, see the topic About member event handling in the help file for the Identity Management Identity Center Management Console.


    9.2 New Features in Identity Management 7.2

    When re-implementing customizations of the provisioning framework, you should consider using some new features of Identity Management 7.2:

    Member Event tasks: See the topic About member event handling in the help file for the Identity Management Identity Center Management Console.

    Context based assignments: See the topic About context based assignments in the help file for the Identity Management Identity Center Management Console and the document SAP NetWeaver Identity Management Identity Center Tutorial Context based assignments.

    Guided activity tasks: See the topic About guided activity tasks in the help file for the Identity Management Identity Center Management Console.

    The MX_ASSIGNMENT attribute: See the document SAP NetWeaver Identity Management Identity Center Identity store schema Technical reference for more information about the attribute.

    Technical changes: See the list in the section Important changes in Identity Management 7.2 in the document SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

    9.3 Re-implementing Customizations

    Customizations of the provisioning framework fall into a few main categories:

    Changes in the Connectors: Re-implement the changes, taking into account the changes in the framework and the core product described above.

    UI tasks: UI tasks without any subtasks can be reused in Identity Management 7.2. Consider using the MX_ASSIGNMENT attribute to view and change assignments (roles and privileges). Additionally, consider using a guided activity task, for instance for role requests.

    Other: Re-implement the changes, taking into account the changes in the framework and the core product described above.


    10 Removing the Provisioning Framework 7.1

    After the identity store is upgraded to use the provisioning framework 7.2, the provisioning framework 7.1 can be removed:

    1. If necessary, open the configuration in the Identity Center Management Console.

    2. Delete the folder SAP Provisioning Framework that you disabled as described in section 7.

    3. Delete the folder(s) containing the jobs for the provisioning framework 7.1 (SAP_Master and any other folder used by the provisioning framework 7.1) that were disabled as described in section 7.

    4. Disable any unused global scripts by selecting the Global scripts node in the console tree and choosing Disable unused global scripts from the context menu. For more information, see the topic Disabling unused global scripts in the help file for the Identity Center Management Console.

    5. Optionally, delete any unused global constants manually.

    6. Optionally, delete any unused repositories manually.

    Make sure that there are no related tasks/jobs in the Lost and found folder. You may need to refresh the console to display the Lost and found folder and its contents. Delete any tasks/jobs from the provisioning framework 7.1 that remain there.

    11 Reconciling the System

    After you have upgraded the system to Identity Management 7.2, it is recommended that you reconcile the entries that were affected when the provisioning queue was deleted. There may be inconsistencies due to removed queue entries whose processing was only partly done. The inconsistencies depend on the actual configuration and on the operations that were in progress when the queue was deleted.

    For instance:

    The entry exists in the identity store, but not in target system (repository).

    The entry exists in the target system but not in the identity store.

    Data is not correctly updated in target system.

    These inconsistencies have to be handled before you can upgrade the system. The backup table, mxp_provision_backup, that was created when you deleted the queue, contains the affected entries. You can also use the table mc_migration_remainingQueue created by the job described in section 5.4.1.

    SAP NetWeaver Identity Management for SAP System Landscapes: Upgrading from Identity Management 7.1 to 7.2

    Contents

    1 Introduction
    1.1 Prerequisites
    1.2 Background
    2 Process Timeline
    3 Process Description
    4 Task Lists
    4.1 Task List - DEV Environment
    4.2 Task List - QA Environment
    4.3 Task List - PROD Environment
    5 Emptying the Provisioning Queue
    5.1 Running the Database Updates
    5.1.1 Running the Database Updates on Microsoft SQL Server
    5.1.2 Running the Database Updates on Oracle
    5.2 Importing the Jobs
    5.3 Handling Remaining Approvals
    5.3.1 Notifying Approvers
    5.3.2 Rejecting Pending Approvals
    5.4 Reducing the Queue Size
    5.4.1 Reporting the Contents of the Provisioning Queue
    5.4.2 Preventing Adding Entries to the Provisioning Queue
    5.4.3 Reducing the Processing Time
    5.4.4 Removing Access to the Identity Management User Interface
    5.4.5 Turning off Internal Reconciliation
    6 Deleting the Provisioning Queue
    7 Disabling the Provisioning Framework 7.1
    8 Converting the Identity Store Data to use the Provisioning Framework 7.2
    8.1 Importing the Jobs
    8.2 Running the Database Updates
    8.2.1 Running the Database Updates on Microsoft SQL Server
    8.2.2 Running the Database Updates on Oracle
    8.3 Running the Upgrade Jobs
    8.3.1 Handling System Landscapes with AS Java with an LDAP Backend
    8.4 Inspecting the Log
    9 Upgrading the Configuration
    9.1 Changes in the Provisioning Framework
    9.1.1 Split in Two Parts
    9.1.2 Privilege Handling
    9.1.3 Hook Tasks
    9.1.4 E-mail Notification
    9.1.5 Event Handling
    9.2 New Features in Identity Management 7.2
    9.3 Re-implementing Customizations
    10 Removing the Provisioning Framework 7.1
    11 Reconciling the System