Skip Headers
Oracle® Identity Manager Connector Guide for SAP User Management
Release 9.0.4

E10444-10
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Deploying the Connector

Deploying the connector involves the following steps:

2.1 Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item Requirement
Oracle Identity Manager Oracle Identity Manager release 9.1.0.1 or later

Note: From release 9.0.4.5 onward, the connector supports SAP JCo 3.0, and SAP JCo 3.0 supports JDK 1.5 and later. Therefore, you must verify that the Oracle Identity Manager and application server combination that you use supports JDK 1.5.

See the following Oracle Technology Network page for information about certified configurations of Oracle Identity Manager:

http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html

Target systems The target system can be any one of the following:
  • SAP R/3 4.6C (running on Basis 4.6C)

  • SAP R/3 4.7 (running on WAS 6.20)

  • mySAP ERP 2004 ECC 5.0 (running on WAS 6.40)

  • mySAP ERP 2005 ECC 6.0 (running on WAS 7.00)

Note: From version 6.40 onward, SAP WAS is also known as "SAP NetWeaver."

External code The following SAP custom code files:

sapjco3.jar version 3.0

Additional file for Microsoft Windows:

sapjco3.dll version: 3.0

Additional file for Solaris and Linux:

libsapjco3.so version: 3.0

Target system user account Oracle Identity Manager uses this user account to connect to and communicate with the target system.

For minimum authorization, create a user account and assign the S_CUS_CMP profile, P_ALL profile, and SAP_BC_USER_ADMIN role to it. The User type must be set to Communication. This is the default setting for user accounts.

If you are not able to find the profiles or role for minimum authorization, then you need to create a user account and assign it to the SAP_ALL and SAP_NEW groups. These are used for full authorization.

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations:

SAP Connection JCO Exception: User TEST_USER has no RFC authorization for function group SYST

JDK JDK 1.4.2

2.2 Using External Code Files

Note:

In a clustered environment, copy the JAR files and the contents of the connectorResources directory to the corresponding directories on each node of the cluster.

To download and copy the external code files to the required locations:

  1. Download the SAP Java connector file from the SAP Web site as follows:

    1. Open the following page in a Web browser:

      https://websmp104.sap-ag.de/connectors

    2. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

    3. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCO release that you want to download.

    4. In the dialog box that is displayed, specify the path of the directory in which you want to save the file.

  2. Extract the contents of the file that you download.

  3. Copy the sapjco3.jar file into the OIM_HOME/Xellerate/ThirdParty directory.

  4. Copy the RFC files into the required directory, and then modify the appropriate environment variable so that it includes the path to this directory:

    • On Microsoft Windows:

      Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the PATH environment variable.

    • On Solaris and Linux:

      Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.

  5. Restart the server for the changes in the environment variable to take effect.

2.3 Installing the Connector

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Installing the connector involves the following procedures:

2.3.1 Running the Connector Installer

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory
    
  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console.

  3. Click Deployment Management, and then click Install Connector.

  4. From the Connector List list, select one of the following options:

    • SAP R3 RELEASE_NUMBER

    • SAP BIW RELEASE_NUMBER

    • SAP CRM RELEASE_NUMBER

    The Connector List list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory 
    

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select one of the following options:

      • SAP R3 RELEASE_NUMBER

      • SAP BIW RELEASE_NUMBER

      • SAP CRM RELEASE_NUMBER

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 0.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. Refer to "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

  8. Copy the files from the test directory on the installation media to the following directory:

    c/xellerate/SAP/test
    

Note:

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 1-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a clustered environment, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.3.2 Configuring the IT Resource

Note:

Perform this procedure if you are installing the connector on Oracle Identity Manager release 9.1.0 or later.

You must specify values for the parameters of the SAP UM IT Resource IT resource as follows:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter SAP UM IT Resource and then click Search.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. The following table describes each parameter:

    Parameter Description Sample Value
    SAPClient SAP client ID 800
    SAPHost SAP host IP address 172.20.70.204
    SAPLanguage SAP language EN
    SAPUser SAP user of the target SAP system xellerate
    SAPPassword Password of SAP user changethis
    SAPsnc_lib Path where the crypto library is placed

    This is required only if Secure Network Communication (SNC) is enabled.

    c://usr//sap/sapcrypto.dll
    SAPsnc_mode If SNC is enabled on the SAP server, then set this field to 1. Otherwise, set it to 0.

    Note: It is recommended that you enable SNC to secure communication with the target system.

    0
    SAPsnc_myname SNC system name

    This is required only if SNC is enabled.

    p:CN=TST,OU=SAP, O=ORA,c=IN
    SAPsnc_partnername Domain name of the SAP server

    This is required only if SNC is enabled.

    p:CN=I47,OU=SAP, O=ORA, c=IN
    SAPsnc_qop Specifies the protection level (quality of protection, QOP) at which data is transferred

    The default value is 3. The value can be any one of the following:

    • 1: Secure authentication only

    • 2: Data integrity protection

    • 3: Data privacy protection

    • 8: Use value from the parameter

    • 9: Use maximum value available

    This is required only if SNC is enabled.

    3
    SAPSystemNo SAP system number 00
    SAPType Type of SAP system

    For example, R3, BIW, and CRM.

    This is optional.

    R3
    TimeStamp For the first reconciliation run, the timestamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter. The following are sample timestamp values:

    English: Jun 01, 2006 at 10:00:00 GMT+05:30

    French: juin. 01, 2006 at 10:00:00 GMT+05:30

    Japanese: 6 01, 2006 at 10:00:00 GMT+05:30

    CustomizedReconQuery Query condition on which reconciliation must be based

    If you specify a query condition for this parameter, then the target system records are searched based on the query condition.

    If you want to reconcile all the target system records, then do not specify a value for this parameter.

    The query can be composed with the AND (&) and OR (|) logical operators.

    For more information about this parameter, refer to the "Partial Reconciliation" section.

    firstname=John
    TimeoutRetryCount Enter the number of times the connector method that is trying to add a role to a user must be retried. 0
    TimeoutCount Enter the delay in milliseconds that the connector method must wait after a timeout is encountered. 0

  8. To save the values, click Update.

2.4 Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves performing the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster.

2.4.1 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.4.2 Clearing Content Related to Connector Resource Bundles from the Server Cache

The Connector Installer copies resource bundles into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, change to the OIM_home/xellerate/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
    OIM_home/xellerate/bin/batch_file_name
    
  2. Enter one of the following commands:

    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle
      
    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle
      

    Note:

    You can ignore the exception that is thrown when you perform Step 2.

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    OIM_home/xellerate/config/xlConfig.xml
    

2.4.3 Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may still allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • Oracle WebLogic

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=INFO
      

    After you enable logging, log information is displayed on the server console.

  • IBM WebSphere

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
    
  • JBoss Application Server

    To enable logging:

    1. In the JBoss_home/server/default/conf/log4j.xml file, add the following lines if they are not already present in the file:

      <category name="XELLERATE">
         <priority value="log_level"/>
      </category>
      
      <category name="XL_INTG.SAPUSERMANAGEMENT">
         <priority value="log_level"/>
      </category>
      
    2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

      <category name="XELLERATE">
         <priority value="INFO"/>
      </category>
      
      <category name="XL_INTG.SAPUSERMANAGEMENT">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, the log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log
    
  • Oracle Application Server

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SAPUSERMANAGEMENT=INFO
      

    After you enable logging, the log information is written to the following file:

    ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
    

2.5 Configuring the Target System

This section describes the procedures involved in configuring the target system. You may need the assistance of the SAP Basis administrator to perform some of these procedures.

Configuring the target system involves the following tasks:

2.5.1 Gathering Required Information

The following information is required to configure the target system:

Note:

During SAP installation, a system number and client number are assigned to the server on which the installation is carried out. These items are mentioned in the following list.
  • Login details of an admin user having the permissions required to import requests

  • Client number of the server on which the request is to be imported

  • System number

  • Server IP address

  • Server name

  • User ID of the account to be used for connecting to the SAP application server

  • Password of the account to be used for connecting to the SAP application server

2.5.2 Creating an Entry in the BAPIF4T Table

The User Group field is one of the fields that hold user data in SAP. F4 values are values of a field that you can view and select from a list. You must create an entry in the BAPIF4T table to be able to view F4 values of the User Group field. To create this entry in the BAPIF4T table:

  1. Run the SM30 transaction on the SAP system.

  2. Enter BAPIF4T as the table name, and then click Maintain. Ignore any warnings or messages that may be displayed.

  3. Click New Entries.

  4. Enter XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name.

    Note:

    If an entry already exists for the XUCLASS data element, then do not change its value.
  5. Save the entry that you create, and then exit.

2.5.3 Enabling the SAP Change Log

SAP HRMS can maintain a log of changes made to the users' master data in a history table. Oracle Identity manager uses this change log to fetch changes made to the users' master data.

Enabling the change log involves making changes in three configuration tables: T585A, T585B, and T585C.

Note:

If the change log has already been enabled, then you need not perform the procedure described in this section.

To enable the change log:

  1. Run the SPRO transaction on the SAP system.

  2. Select Personnel Management, Personal Administration, Tools, Revision, and Set up Change Document.

  3. To specify the infotypes for which you want to log changes, make the required entry in the T585A table as follows:

    1. Open the HR documents: Infotypes to be logged activity.

    2. Suppose you want to make an entry for the infotype 0002 (Personal Data). Enter the following information:

      • Tr Class: A

      • Infotype: 0002

    Perform Step b for all the infotypes for which you want to log changes.

  4. To specify the fields of infotypes for which you want to log changes, make the required entry in the T585B table as follows:

    1. Open the HR documents: Field group definition activity.

    2. Suppose you want to make an entry for the infotype 0002 (Personal Data). Enter the following information:

      • Infotype: 0002

      • Field Group: 01

      • Field name: * (the asterisk indicates all fields in the infotype)

    Perform Step b for all the fields of infotypes for which you want to log changes.

  5. To specify the type of document (short-term or long-term) to be generated for an infotype, and make the required entry in the T585C table:

    1. Open the HR documents: Field group characteristics activity.

    2. Suppose you want to make an entry for the infotype 0002 (Personal Data). Enter the following information:

      • Tr Class: A

      • Infotype: 0002

      • Field Group: 01

      • Doc Type: S or L

    Perform Step b for all the infotypes for which you want to log changes.

2.5.4 Importing the Request

You must import the request to create the following custom objects in the SAP system.

Object Type Object Name
Package ZBAPI
Function Group ZXLGROUP

ZXLHELPVALUES

ZXLPROFILE

ZXLROLE

ZXLUSER

Message class ZXLBAPI
Program ZF4HLP_DATA_DEFINITIONS

ZMS01CTCO

ZMS01CTCO1

ZMS01CTP2

ZXLGROUP

ZXLHELPVALUES

ZXLPROFILE

ZXLROLE

ZXLUSER

Business object types ZXLGROUP

ZXLHELP

ZXLPROFILE

ZXLROLE

ZXLUSER

Table ZXLBAPIMODE

ZXLBAPIMODM

ZXLSTRING


The xlsapcar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.

Importing the request into SAP involves the following steps:

2.5.4.1 Downloading the SAPCAR Utility

The two files, Data file and Cofile, that constitute the request are compressed in the xlsapcar.sar. You can use the SAPCAR utility to extract these files.

To download the SAPCAR utility from the SAP Help Web site:

  1. Log on to the SAP Web site at

    https://service.sap.com/swdc

  2. Click OK to confirm that the certificate displayed is the certificate assigned for your SAP installation.

  3. Enter your SAP user name and password to connect to the SAP service marketplace.

  4. Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.

  5. Select SAPCAR, SAPCAR 6.20, and the operating system. The download object is displayed.

  6. Select the Object check box, and then click Add to Download Basket.

  7. Specify the directory in which you want to download the SAPCAR utility. For example: C:/xlsapcar

2.5.4.2 Extracting the Request Files

To extract the Data file and Cofile components of the request:

  1. Copy the xlsapcar.sar file into the directory in which you download the SAPCAR utility.

    The xlsapcar.sar file is in the BAPI directory inside the installation media directory.

  2. In a command window, change to the directory in which you store the SAPCAR utility and the xlsapcar.sar file.

  3. Enter the following command to extract the Data file and Cofile components of the request:

    sapcar -xvf xlsapcar.sar
    

    The format of the extracted files is similar to the following:

    K900863.I47 (Cofile)

    R900863.I47 (Data file)

2.5.4.3 Performing the Request Import Operation

To perform the request import operation:

Note:

You would need the SAP Basis administrator's assistance to perform the following steps.
  1. Copy the Data file and Cofile to the required locations on the SAP server.

  2. Import the request into SAP.

  3. Check the log file to determine whether or not the import was successful.

    To display the log file:

    1. Run the STMS transaction.

      The list of transport requests is displayed.

    2. Select the transport request number corresponding to the request that you import.

      The transport request number is the same as the numeric part of the Cofile or Data file names. In Step 3 of the preceding procedure, for the sample Cofile (K900863.I47) and Data file (R900863.I47), the transport request number is 900863.

    3. Click the log file icon.

      If the return code displayed in the log file is 4, then it indicates that the import ended with warnings. This may happen if the object is overwritten or already exists in the SAP system. If the return code is 8 or a higher number, then there were errors during the import.

  4. Confirm the import of the request by running the SE80 transaction, and checking the ZBAPI package in the ABAP objects.

2.6 Configuring the SAP Change Password Function

You can configure the Change Password function to modify password behavior in scenarios such as when a user profile on the target system gets locked or expires. For such scenarios, you can configure the system so that the administrator is not able to reset the password for a locked or expired user profile. This helps prevent discrepancies between data in Oracle Identity Manager and the target system.

To configure the Change Password function:

See Also:

Oracle Identity Manager Design Console Guide
  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Process Management folder.

  3. Open the Process Definition form.

  4. Select the SAP R3 Process process definition.

  5. Double-click the Password Updated task.

  6. On the Integration tab, specify values for the following parameters:

    • validityChange: This is a flag that can be assigned the value true or false.

      • true: If the user's validity period has expired, then it is extended to the date specified in the validityDate parameter.

      • false: If the user's validity period has expired, then it is not extended and the user's password cannot be changed.

    • lockChange: This is a flag that can be assigned the value true or false.

      • true: If the user is locked (not by the administrator), then the user is unlocked before the password is changed. If the user is locked by the administrator, then the password cannot be changed.

      • false: If the user is locked, then the password cannot be changed.

    • validityDate: This is the date up to which the user's validity must be extended. The date must be in the following format:

      Dec 28, 2005 at 11:25:00 GMT+05:30
      

      If this field is empty, then the user will be valid for an indefinite period.

    • userGroupCheck: This is a string literal with the following format:

      user_group_to_check, flag(1|0), user_group_to_be_updated_after_reset_password
      

      This parameter can be an empty string if there are no groups to check when the password is reset.

      If the password is to be changed and if the user belongs to that group, then the value of the flag is 1. If the password is not to be changed and if the user belongs to that group, then the value of the flag is 0.

      To check multiple users, add the record for each user to this string. Use the semicolon (;) as the delimiter. For example:

      user_group_to_check, flag(1|0), user_group_to_be_updated_after_reset_password;
      user_group_to_check, flag(1|0), user_group_to_be_updated_after_reset_password
      

      For example, if there is a user group named Inactive that is to be checked when a password is changed and if the user is assigned to this group, then the user must be moved to the Active group after the password change.

      Given the preceding scenario, the setting of the userGroupCheck parameter is as follows:

      INACTIVE,1,ACTIVE;
      

      If there is a group named Terminated that is to be checked when a password is changed and if the user is assigned to this group, then the password change must not be permitted. Given this scenario, the setting of the userGroupCheck parameter is as follows:

      TERMINATED,0,;
      

      The userGroupCheck configuration parameter has only two types of user group records:

      • User group for which password change is to be done along with user group update:

        INACTIVE,1,ACTIVE;
        
      • User group for which password change is not to be done:

        TERMINATED,0,;
        

      If the user is assigned to a group that is not in the userGroupCheck parameter, then the password is changed. Password change would be permitted for all user groups that are not mentioned in the configuration parameter value.

    Note:

    The values specified are case-sensitive and must match the case in the SAP system.

2.7 Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System

Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the Java connector (sapjco.jar) and RFC (librfccm and libsapjcorfc files). If required, you can use Secure Network Communication (SNC) to secure such connections.

Note:

The Java application server used by Oracle Identity Manager can be IBM WebSphere, Oracle WebLogic, or JBoss Application Server.

This section discusses the following topics:

2.7.1 Prerequisites for Configuring the Connector to Use SNC

The following are prerequisites for configuring the connector to use SNC:

  • SNC must be activated on the SAP application server.

  • You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.

2.7.2 Installing the Security Package

To install the security package on the Java application server used by Oracle Identity Manager:

  1. Extract the contents of the SAP Cryptographic Library installation package.

    The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace Web site at

    http://service.sap.com/download

    This package contains the following files:

    • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.ext for UNIX)

    • A corresponding license ticket (ticket)

    • The configuration tool, sapgenpse.exe

  2. Copy the library and the sapgenpse.exe file into a local directory. For example: C:/usr/sap

  3. Check the file permissions. Ensure that the user under which the Java application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse.exe file.

  4. Create the sec directory inside the directory into which you copy the library and the sapgenpse.exe file.

    Note:

    You can use any names for the directories that you create. However, creating the C:\usr\sap\sec (or /usr/sap/sec) directory is an SAP recommendation.
  5. Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.

    See Also:

    The "Configuring SNC" section
  6. Set the SECUDIR environment variable for the Java application server user to the sec directory.

    Note:

    From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined in SECUDIR environment variable.

    For Oracle Application Server:

    1. Remove the SECUDIR entry from the Windows environment variables, if it has been set.

    2. Edit the ORACLE_HOME\opmn\config\opmn.xml file as follows:

      Change the following:

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
        </environment>
      

      To

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
          <variable id="SECUDIR" value="D:\snc\usr\sec"/>
        </environment>
      

      Note:

      Oracle Application Server automatically creates the temporary folder based on the operating system of the computer on which it is installed.
    3. Restart Oracle Application Server.

  7. Set the SNC_LIB and PATH environment variables for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.

2.7.3 Configuring SNC

To configure SNC:

  1. Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:

    1. To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.

    2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      

      The sapgenpse command creates a PSE in the SECUDIR directory.

  2. Create credentials for the Java application server.

    The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:

    Sapgenpse seclogin
    

    Then, enter the following command to open the PSE of the server and create the credentials.sapgenpse file:

    seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID 
    

    The user_ID that you specify must have administrator rights. PSE_NAME is the name of the PSE file.

    The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.

  3. Exchange the public key certificates of the two servers as follows:

    Note:

    If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.
    1. Export the Oracle Identity Manager certificate by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      
    2. Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.

    3. Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.

    4. Import the SAP application server certificate into Oracle Identity Manager by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      
  4. Configure the following parameters in the SAP R3 IT Resource IT resource object:

    • SAPsnc_lib

    • SAPsnc_mode

    • SAPsnc_myname

    • SAPsnc_partnername

    • SAPsnc_qop

    See Also:

    Information about parameters of the IT resource given earlier in this chapter