Oracle® Identity Manager Connector Guide for SAP Employee Reconciliation
Release 9.1.2

E11210-14

2 Deploying the Connector

Deploying the connector involves the following steps:

Note:

Some of the procedures described in this chapter must be performed on the target system. To perform these procedures, you must use an SAP administrator account to which the SAP_ALL and SAP_NEW profiles have been assigned.

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

2.1.1.1 Files and Directories on the Installation Media

Table 2-1 lists the files and directories that are bundled in the deployment package on the installation media.

Table 2-1 Files and Directories on the Installation Media

File in the Installation Media Directory Description

configuration/SAPHRMS-CI.xml

This XML file contains configuration information that is used during connector installation.

lib/Common.jar

This JAR file contains the class files that are common to all connectors. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ScheduleTask

  • For Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

lib/SAPCommon.jar

This JAR file contains the class files that are common to all SAP connectors. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ScheduleTask

  • For Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

lib/SAPER.jar

This JAR file contains the class files that are specific to the SAP Employee Reconciliation connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ScheduleTask

  • For Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/connectorResources

  • For Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

xml/SAPHRMS-ConnectorConfig.xml

This XML file contains definitions for the connector components. These components include the following:

  • Resource objects

  • IT resource types

  • Process form

  • Process definition

  • Lookup definitions

  • Scheduled tasks


2.1.1.2 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

Note:

If you are using Oracle Identity Manager release 9.1.0.x, then the procedure described in this section is optional.

If you are using Oracle Identity Manager release 11.1.x, then skip this section.

  1. In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/ScheduleTask directory.

  2. Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.

    In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.1.3 Creating a Backup of the Existing Common.jar File

The Common.jar file is in the deployment package of each release 9.1.x connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:

  • Code specific to Connector Y

  • Code included in the Common.jar files shipped with all other release 9.1.x connectors that were released before 12-July.

If you have already installed a release 9.1.x connector that was released after the current release of the SAP Employee Reconciliation connector, then back up the existing Common.jar file, install the SAP Employee Reconciliation connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:

Caution:

If you do not perform this procedure, then your release 9.1.x connectors might not work.

  1. Determine the release date of your existing release 9.1.x connector as follows:

    1. Extract the contents of the following file in a temporary directory:

      OIM_HOME/xellerate/ScheduleTask/Common.jar

      Note:

      On Oracle Identity Manager release 11.1.x, use the DownloadJars utility to download the Common.jar file from the database, and then extract the contents of this file into a temporary directory. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for instructions.

    2. Open the Manifest.mf file in a text editor.

    3. Note down the Build Date and Build Version values.

  2. Determine the release date of the SAP Employee Reconciliation release 9.1.1 connector as follows:

    1. On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.

    2. Note down the Build Date and Build Version values.

  3. If the Build Date and Build Version values for the SAP Employee Reconciliation connector are less than the Build Date and Build Version values for the connector that is already installed, then:

    • If you are using Oracle Identity Manager release 9.1.x, then:

      1. Copy the OIM_HOME/xellerate/ScheduleTask/Common.jar to a temporary location.

      2. After you perform the procedure described in Section 2.2, "Installation," overwrite the new Common.jar file in the OIM_HOME/xellerate/ScheduleTask directory with the Common.jar file that you backed up in the preceding step.

    • If you are using Oracle Identity Manager release 11.1.x, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied to the following location when you install Oracle Identity Manager:

      Note:

      Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

      For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

      For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

      When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

      See Also:

      Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility

2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the following procedures:

2.1.2.1 Creating a Target System User Account for Connector Operations

The connector uses a target system account to connect to the target system during reconciliation. This target system account must be a CPIC user to whom you assign a customized role with the S_IDOC_ALL profile, S_RFC authorization object, and PLOG authorization object.

For the target system account that is to be created, the Roles tab of the Display User form is displayed in the following screenshot:

Profiles tab of the Maintain User form

The following screenshot displays the S_IDOC_ALL profile:

Details of the S_IDOC_ALL profile

The following screenshot displays details of the S_RFC authorization object:

[Screenshot: min_rights_srfc.gif]

The following is a screenshot of the first half of the Display User form displaying details of the ZHR_ORG role along with the PLOG authorization object:

Note:

You must configure the PLOG authorization object so that the values assigned to this object match the ones shown in the screenshot. Only the Plan Version (PLVAR) object can be set according to your requirements.

Details of the PLOG authorization object

The following is a screenshot of the second half of the Display User form displaying details of the ZHR_ORG role along with the PLOG authorization object:

[Screenshot: min_rights_plog2.gif]

2.1.2.2 Downloading and Installing the SAP JCo

Note:

To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.

In an Oracle Identity Manager cluster, copy the JAR files and the contents of the connectorResources directory to the corresponding directories on each node of the cluster.

To download and copy the external code files to the required locations:

  1. Download the SAP Java connector file from the SAP Web site as follows:

    1. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

    2. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCO release that you want to download.

    3. In the dialog box that is displayed, specify the path of the directory in which you want to save the file.

  2. Extract the contents of the file that you download.

  3. Copy the sapjco3.jar and sapidoc3.jar files into the OIM_HOME/Xellerate/ThirdParty directory.

    Note:

    Ensure that you are using version 3.0 of the sapjco.jar file.

    In an Oracle Identity Manager cluster, copy these JAR files to each node of the cluster.

  4. Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:

    • On Microsoft Windows:

      Copy the sapjco3.dll file into the WINDOWS_HOME\system32 directory. Alternatively, you can copy this file into any directory and then add the path to the directory in the java.library.path environment variable.

    • On Solaris and Linux:

      Copy the sapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.

  5. On a Microsoft Windows platform, ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. If required, both files can be downloaded from various sources on the Internet.

  6. Restart the server for the changes in the environment variable to take effect.

    Note:

    You can either restart the server now or after the connector is installed.

  7. To check if SAP JCo is correctly installed, in a command window, run one of the following commands:

    java -jar JCO_DIRECTORY/sapjco3.jar
    java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About

    Figure 2-1 shows the dialog box that is displayed. The JCo classes and JCo library paths must be displayed in this dialog box.

    Figure 2-1 Dialog Box Displayed on Running the SAP JCo Test


2.2 Installation

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Installing the connector involves the following procedures:

2.2.1 Running the Connector Installer

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    Note:

    In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster.

    • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

    • For Oracle Identity Manager release 11.1.x: OIM_HOME/server/ConnectorDefaultDirectory

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager release 11.1.1:

      On the Welcome to Identity Manager Advanced Administration page, under the System Management section, click Install Connector.

    • For Oracle Identity Manager release 11.1.2:

      In the Manage Connector page, click Install.

  4. From the Connector List list, select SAP ER RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ConnectorDefaultDirectory

    For Oracle Identity Manager release 11.1.x:

    OIM_HOME/server/ConnectorDefaultDirectory

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select SAP ER RELEASE_NUMBER.

  5. Click Load.

    The following screenshot shows this Administrative and User Console page for Oracle Identity Manager release 9.1.0.x:

    Connector Installer after clicking Load

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 3.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. The following screenshot shows this Administrative and User Console page for Oracle Identity Manager release 9.1.0.x:

    Installation success message

    In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. Refer to Section 2.3.6, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

  8. Restart Oracle Identity Manager.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a cluster, copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. Then, restart each node. See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

Restoring the Common.jar File

If required, restore the Common.jar file that you had backed up by following the procedure described in Section 2.1.1.3, "Creating a Backup of the Existing Common.jar File."

2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Setting Up the Lookup.SAP.HRMS.Configuration Lookup Definition in Oracle Identity Manager

The Lookup.SAP.HRMS.Configuration lookup definition is used to capture information about the following items:

  • Message type and IDoc type used for communication between the target system and Oracle Identity Manager

  • Connector components used during reconciliation

Table 2-2 lists the entries in this lookup definition. The procedure to set or modify a Decode value is given after this table.

Table 2-2 Entries in the Lookup.SAP.HRMS.Configuration Lookup Definition

Code Key Description Decode

Information about message type and IDoc type


Message Type

Message type to be used for person record

Note: You must not change the Decode value.

HRMD_A

Class Name

Name of the parser class

Note: If you develop your own parser, then you can replace the default value of the Class Name entry with the name of your custom parser class.

oracle.iam.connectors.sap.common.parser.HRMDAParser

IDoc Type

IDoc type that you want to use

You can specify either a predefined IDoc type or the name of a custom IDoc type.

HRMD_A05

IDoc Type Extension

If you have extended a predefined IDoc type, then enter the name of the IDoc type extension.

See Also: Appendix A, "Creating IDoc Extensions"

NONE

Note: The entries listed in the remaining rows of this table must be changed only if you use a custom IDoc type. The default Decode values are correct for all predefined HRMD_A* IDoc types.


Root Segment

Root segment in IDoc, which will be used to identify new employees

Note: You must not change the Decode value.

E2PLOGI001

Segment Name Length

Number of characters in the file that denotes the segment name

30

Object Type

Segment details of object type

The Decode value is used to filter person records.

E2PLOGI001;OTYPE;66;67;P

User ID

Object ID that indicates the personnel number in a person record

E2PLOGI001;OBJID;68;75

Delete Indicator

Segment details of the indicator that identifies whether or not the employee is deleted

E2PLOGI001;OPERA;77;77;D

Event Begin Date

Segment details for the begin date of events (hire, terminate, and other events)

E2P0000001;BEGDA;91;98

Event End Date

Segment details for the end date of events (hire, terminate, and other events)

E2P0000001;ENDDA;83;90

Actions Event

Segment to indicate actions

E2P0000001

Event

Segment details for event

E2P0000001;MASSN;138;139

Group

Segment details for employee group

E2P0001001;PERSG;146;146

Sub Group

Segment details for employee subgroup

E2P0001001;PERSK;147;148

Group Segment

Infotype containing Employee Group and Employee Subgroup attributes

E2P0001001

Information about connector components


Employee Type Lookup

Name of the lookup definition that is used to map combinations of Employee Group and Employee Subgroup of the target system with the employee type in Oracle Identity Manager

Lookup.SAP.HRMS.EmployeeType

Hire Events Lookup

Name of the lookup definition that is used to store the list of all Hire events

For example, name of the lookup definition that stores event IDs corresponding to employees joining the company for the first time.

Lookup.SAP.HRMS.HireEvents

Terminate Events Lookup

Name of the lookup definition that is used to store the list of all Terminate events

For example, name of the lookup definition that stores events IDs corresponding to employees on long leave or terminated employees.

Lookup.SAP.HRMS.TerminateEvents

Rehire Events Lookup

Name of the lookup definition that is used to store the list of all Rehire events

For example, name of the lookup definition that stores events IDs corresponding to employees who re-join the company.

Lookup.SAP.HRMS.RehireEvents

Transform Lookup For Recon

Name of the lookup definition that is used to configure transformation of user attribute values fetched from the target system during reconciliation

Lookup.SAP.HRMS.ReconTransformation

Validation Lookup For Recon

Name of the lookup definition that is used to configure validation of user attribute values fetched from the target system during reconciliation

Lookup.SAP.HRMS.ReconValidation

Organization

Default organization in Oracle Identity Manager

Xellerate Users

Employee Type

Default employee type in Oracle Identity Manager

Note: The Decode value is used as the default user type in the Lookup.SAP.HRMS.EmployeeType lookup definition.

Full-time

User Type

Enter the role that must be set for OIM Users created through reconciliation. You must select one of the following values:

  • End-User

  • End-User Administrator

Default value: End-User

End-User

IT Resource Mapping

Name of the lookup definition that holds mappings between the connection properties accepted by the SAP JCo API and the names of IT resource parameters

Lookup.SAP.HRMS.ITResourceMapping

Miscellaneous Variables


Batch Size

Enter the number of lines that you want the parser to process at a time from the flat file containing IDocs. This flat file is generated when you perform the procedure described in the Section 3.4, "Performing Full Reconciliation".

5

Remove Leading Zero from Personnel Number

Enter yes if you want leading zeros to be removed from personnel numbers fetched from the target system. Enter no if you do not want leading zeros to be removed.

no

Reconcile First Time Disabled Users

Enter yes to specify that you want to reconcile records that are currently in the Disabled state and that have not been reconciled earlier. Otherwise, enter no.

yes

Constants Lookup

Name of the lookup definition that holds constants

Lookup.SAP.HRMS.Constants

Manager Lookup Name

Name of the lookup definition in which manager IDs of managers of the various target system organizations must be populated

Lookup.SAP.HRMS.OrgManager

Create deferred event for future dated hire

Enter Yes if you want the connector to create a reconciliation event (containing the future-dated infotype attributes) and apply the Event Deferred state in the reconciliation manager. Note that the OIM User will be created only when the future date matches the current date.

Enter No if you want the connector to create an OIM User and set the Start Provisioning date to the future date in the Action infotype in the target system record. Note that this OIM User remains in the Disabled until start date status until the current date matches the future-dated hire event date.

No

Create deferred event for terminate event

Enter Yes if you want the connector to create for the terminate event a separate recon event to which the Event Deferred state is applied in the reconciliation manager. Otherwise, enter No.

Note: If you set the value of this entry to Yes, then the OIM start date field and OIM end date field entries (which are described later in this table) must contain the values Start date and End date, respectively.

No

OIM start date field

Enter Start date if you want to reconcile the start date value from the target system into the Start date process form field in Oracle Identity Manager. Otherwise, enter None.

Start date

OIM end date field

Enter End date if you want to reconcile the end date value from the target system into the End date process form field in Oracle Identity Manager. Otherwise, enter None.

End date

Use Validation For Recon

Enter Yes if you want to configure validation of user attributes that are brought into Oracle Identity Manager during reconciliation. Otherwise, enter No.

See Section 4.4, "Configuring Validation of Data During Reconciliation" for more information about this feature.

No

Use Transformation For Recon

Enter Yes if you want to configure transformation of user attributes that are brought into Oracle Identity Manager during reconciliation. Otherwise, enter No.

See Section 4.5, "Configuring Transformation of Data During User Reconciliation" for more information about this feature.

No

Organization Hierarchy Lookup Name

Name of the lookup definition containing details of organization hierarchies on the target system

Lookup.SAP.HRMS.OrgHierarchy

Get Manager ID During Recon

Enter Yes if you want to reconcile the Manager ID attribute values along with other user records. Otherwise, enter No.

No


To set or modify a Decode value in the lookup definition:

  1. On the Design Console, expand Administration, and then double-click Lookup Definition.

  2. Search for and open the Lookup.SAP.HRMS.Configuration lookup definition.

  3. In the Decode column for the Code Key, enter a value.

  4. Click the Save icon.

2.3.2 Verifying Segment Details in Lookup Definitions

The Lookup.SAP.HRMS.Configuration and Lookup.SAP.HRMS.AttributeMapping lookup definitions hold segment details of target system attributes. Segment details are in the following format:

E2P<INFO_TYPE><SEGMENT_VERSION>

For example, in the E2P0000001 segment, 0000 is the infotype and 001 is the version of the segment.

The segment version is different for different versions of the target system. For the HRMD_A05 IDoc type, E2P0001001 is the segment name in SAP R/3 4.7 and E2P0001002 is the segment name in ECC 6.0.

You must verify and, if required, correct segment details in the Lookup.SAP.HRMS.Configuration and Lookup.SAP.HRMS.AttributeMapping lookup definitions.

To determine and if required change the segment version:

  1. Run transaction WE60 on the target system.

  2. In the Find dialog box, enter E2P0001 and then click the Search icon.

    In the results that are displayed, if the version component of the segment is 001, then you need not perform the remaining steps of this procedure. The following screenshot shows this page:

    [Screenshot: segment_ver_found.gif]

  3. If the version component is anything other than 001, then:

    1. On the Design Console, expand Administration and then double-click Lookup Definition.

    2. Search for and open the lookup definition.

    3. For values in the Decode column that contain segment details, change the segment version (last three digits) to the version that you determined in the preceding step.

    4. Click the Save icon after you modify all relevant Decode values.
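As an added example (not code from this guide or from Oracle's HRMDAParser), the following Python applies the segment-detail Decode values of Table 2-2 to lines of a flat IDoc file and performs the segment-version rewrite from the procedure above. It assumes that the start and end numbers in a Decode value are 1-based, inclusive column positions within a line and that the segment name occupies the first Segment Name Length characters; the sample lines are constructed, not real IDoc data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Decode values copied from Table 2-2 (segment;field;start;end[;filter value]).
CONFIG = {
    "Root Segment": "E2PLOGI001",
    "Segment Name Length": "30",
    "Object Type": "E2PLOGI001;OTYPE;66;67;P",
    "User ID": "E2PLOGI001;OBJID;68;75",
    "Delete Indicator": "E2PLOGI001;OPERA;77;77;D",
    "Event Begin Date": "E2P0000001;BEGDA;91;98",
    "Event": "E2P0000001;MASSN;138;139",
    "Group": "E2P0001001;PERSG;146;146",
    "Sub Group": "E2P0001001;PERSK;147;148",
    "Remove Leading Zero from Personnel Number": "yes",  # table default is no
}

# Section 2.3.2 naming: E2P<INFO_TYPE><SEGMENT_VERSION>, e.g. E2P0001002.
SEGMENT_NAME = re.compile(r"^E2P(?P<infotype>\w{4})(?P<version>\d{3})$")


@dataclass(frozen=True)
class SegmentField:
    segment: str
    field: str
    start: int              # assumption: 1-based, inclusive column positions
    end: int
    expected: str | None    # optional 5th part: value the field must hold


def parse_segment_detail(decode: str) -> SegmentField:
    """Split one Decode value; reject anything that is not 4 or 5 parts."""
    parts = decode.split(";")
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed segment detail: {decode!r}")
    start, end = int(parts[2]), int(parts[3])
    if start < 1 or end < start:
        raise ValueError(f"bad column range in {decode!r}")
    return SegmentField(parts[0], parts[1], start, end, parts[4] if len(parts) == 5 else None)


def segment_version(segment: str) -> tuple[str, str]:
    """Return (infotype, version) for a segment name such as E2P0001001."""
    m = SEGMENT_NAME.match(segment)
    if not m:
        raise ValueError(f"not an E2P segment name: {segment!r}")
    return m.group("infotype"), m.group("version")


def rebase_segment_version(decode: str, version: str) -> str:
    """Step 3 of Section 2.3.2: rewrite the 3-digit version in a Decode value."""
    parts = decode.split(";")
    infotype, _ = segment_version(parts[0])
    parts[0] = f"E2P{infotype}{version}"
    return ";".join(parts)


def read_field(line: str, sf: SegmentField, name_len: int) -> str | None:
    """Stripped field text if the line belongs to sf.segment, else None."""
    if line[:name_len].strip() != sf.segment:
        return None
    return line[sf.start - 1:sf.end].strip()


def parse_idoc(lines: list[str], config: dict[str, str] = CONFIG) -> list[dict]:
    """Group lines into person records (root segment, OTYPE == P); OPERA == D marks deletion."""
    name_len = int(config["Segment Name Length"])
    fields = {k: parse_segment_detail(v) for k, v in config.items() if ";" in v}
    strip_zeros = config["Remove Leading Zero from Personnel Number"].lower() == "yes"
    records, current = [], None
    for line in lines:
        if line[:name_len].strip() == config["Root Segment"]:
            otype = read_field(line, fields["Object Type"], name_len)
            if otype != fields["Object Type"].expected:
                current = None  # org unit, position, etc.: not a person record
                continue
            objid = read_field(line, fields["User ID"], name_len) or ""
            opera = read_field(line, fields["Delete Indicator"], name_len)
            pnr = objid.lstrip("0") if strip_zeros else objid
            current = {"personnel_number": pnr, "deleted": opera == fields["Delete Indicator"].expected}
            records.append(current)
        elif current is not None:  # infotype segments that follow the root
            for key in ("Event Begin Date", "Event", "Group", "Sub Group"):
                value = read_field(line, fields[key], name_len)
                if value is not None:
                    current[key] = value
    return records


def make_line(segment: str, values: dict[tuple[int, int], str], width: int = 160) -> str:
    """Build a fixed-width line (constructed sample data, not a real IDoc)."""
    buf = [" "] * width
    buf[:len(segment)] = segment
    for (start, end), text in values.items():
        buf[start - 1:end] = text.ljust(end - start + 1)[:end - start + 1]
    return "".join(buf)


# Constructed sample: a person with hire data, an org unit (filtered out), a deleted person.
SAMPLE_LINES = [
    make_line("E2PLOGI001", {(66, 67): "P", (68, 75): "00001234", (77, 77): "I"}),
    make_line("E2P0000001", {(91, 98): "20240101", (138, 139): "01"}),
    make_line("E2P0001001", {(146, 146): "1", (147, 148): "DU"}),
    make_line("E2PLOGI001", {(66, 67): "O", (68, 75): "50000100", (77, 77): "I"}),
    make_line("E2PLOGI001", {(66, 67): "P", (68, 75): "00009876", (77, 77): "D"}),
]
```

Running parse_idoc(SAMPLE_LINES) yields two person records; the org unit line is dropped because its OTYPE is not P, and the second person is flagged as deleted because OPERA is D.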

2.3.3 Configuring Reconciliation of Manager ID Attribute Values

See Also:

Section 1.4.7, "Reconciliation of the Manager ID Attribute" for information about the sequence of steps involved in this process

To configure reconciliation of manager ID attribute values:

  1. In the Lookup.SAP.HRMS.TopmostOrganization lookup definition, enter details of the top-most organization for each organization hierarchy.

    There may be multiple organization hierarchies defined on the target system. Each hierarchy has one top-most organization and other member organizations. In the Lookup.SAP.HRMS.TopmostOrganization lookup definition, you must manually create entries for all top-most organizations.

    Note:

    The value of this lookup definition is specified as the value of the Top most organization lookup entry in the Lookup.SAP.HRMS.Configuration lookup definition.

    To create entries for the top-most organizations:

    • On the target system:

      1. Run transaction PPOSE.

      2. For each hierarchy displayed in the list of hierarchies on the left pane:

        i. Double-click the hierarchy.

        ii. In the Staff Assignments region, the first organization is the topmost organization. Write down the ID of the organization.

        [Screenshot: topmost_org.gif]

        The following screenshot shows the manager ID of the organization selected in the earlier screenshot:

        [Screenshot: manager_id.gif]

    • On Oracle Identity Manager:

      See Also:

      Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about this procedure

      1. Open the Lookup.SAP.HRMS.TopmostOrganization lookup definition.

      2. For each topmost organization that you identify:

        i. Click Add.

        ii. In the Code Key and Decode columns, enter the organization ID of the topmost organization.

        The following table shows sample entries in the Lookup.SAP.HRMS.TopmostOrganization lookup definition:

        Code        Decode

        00000001    00000001

        00000100    00000100


        Both sample entries represent topmost organizations defined on the target system.

      3. After you create entries for all topmost organizations, click the Save icon.

  2. Configure and run the SAP HRMS Manager Lookup Recon scheduled task.

    This scheduled task performs the following functions:

    • Reads entries for the topmost organization defined in the Lookup.SAP.HRMS.TopmostOrganization lookup definition.

    • Populates the Lookup.SAP.HRMS.OrgHierarchy lookup definition with entries representing the other organizations within each hierarchy on the target system. In the entries created by the scheduled task, the Code Key column is the ID of an organization and the Decode column is the ID of the corresponding parent organization.

    • Populates the Lookup.SAP.HRMS.OrgManager lookup definition with organization and manager mappings. The Code Key column holds the IDs of organizations and the Decode column holds the personnel numbers of the corresponding managers.

    Table 2-3 describes the attributes of this scheduled task.

    Table 2-3 Attributes of the SAP HRMS Manager Lookup Recon Scheduled Task

    Attribute Description

    Schedule Task Name

    This attribute holds the name of the scheduled task.

    Default value: SAP HRMS Manager Lookup Recon

    Note: For this scheduled task, you must not change the value of this attribute. However, if you create a copy of this scheduled task, then you must enter the unique name of that scheduled task as the value of the attribute in that scheduled task.

    IT Resource

    Enter the name of the IT resource that you configure by performing the procedure described in Section 2.3.12.2, "Configuring the IT Resource".

    Default value: SAP HR IT Resource

    Configuration Lookup

    This attribute holds the name of the lookup definition that holds configuration data for the connector.

    Default value: Lookup.SAP.HRMS.Configuration

    Note: You must not change this value for this instance of the connector. However, if you create a copy of the Lookup.SAP.HRMS.Configuration lookup definition, then you can specify the name of that lookup definition as the value of the Configuration Lookup attribute.

    Top Most Organization Lookup

    This attribute holds the name of the lookup definition that stores the organization IDs of top-most organizations in each organization hierarchy on the target system.

    Default value: Lookup.SAP.HRMS.TopmostOrganization

    Note: You must not change this value for this instance of the connector. However, if you create a copy of the Lookup.SAP.HRMS.TopmostOrganization lookup definition, then you can specify the name of that lookup definition as the value of the Top Most Organization Lookup attribute.


2.3.4 Configuring the Target System for Generation of IDocs

User data is moved from the target system to Oracle Identity Manager through "push" technology. The Application Link Enabling (ALE) feature of SAP is the foundation of this mode of data transfer.

This section describes procedures involved in configuring the target system. You may need the assistance of an SAP Basis administrator to perform some of these procedures.

The following sections describe procedures to create the ALE components that are used during generation of IDocs:

Note:

This section does not describe in detail the various ALE components that must be defined and are used in connector operations. For detailed information about ALE, see the SAP Help documentation at

http://help.sap.com

2.3.4.1 Checking Whether a Sender Logical System Already Exists

You must create a sender logical system to represent SAP and a receiver logical system to represent Oracle Identity Manager.

If there is an existing sender logical system to represent SAP, then you need not define another sender logical system. Similarly, if a client is assigned to the existing sender logical system, then you need not assign another client.

To check if the sender logical system has been defined and if a client has been associated with it:

  1. Run transaction SCC4.

  2. Use the Table View menu to switch to the change mode.

  3. For each client in the list of clients displayed:

    1. Select the client.

    2. From the Goto menu, click Details. The details of the client are displayed.

    3. In the Logical System field, check whether a logical system has been selected. If a logical system is selected for a client, then a sender logical system with an associated client already exists: you need neither define a sender logical system nor associate a client with it.

2.3.4.2 Defining the Sending and Receiver Logical Systems

You must create a sender logical system to represent SAP and a receiver logical system to represent Oracle Identity Manager.

If you determined in Section 2.3.4.1 that a sender logical system with an assigned client already exists, then you need not define another sender logical system or assign another client. Otherwise, create the sender logical system. In either case, you must create the receiver logical system.

To create the sender or receiver logical system:

  1. Run transaction BD54.

  2. Click New Entries. A new row is added.

  3. Enter a name for the logical system.

    To specify a name for the sender logical system, you can use the <SYSTEM_ID>CLNT<CLIENT_NUMBER> format, for example, P23CLNT800.

    To specify a name for the receiver logical system, you can use a name like OIMIDOC. This helps distinguish the receiver logical system created for Oracle Identity Manager from other receiver logical systems.

  4. Click the Save icon.

After you create the sender logical system, repeat the procedure to create the receiver logical system.

2.3.4.3 Assigning a Client to the Sender Logical System

The sender logical system must have a client associated with it. If there is an existing client associated with the sender logical system, then you need not associate another client.

Note:

A logical system can have only one client associated with it.

To associate a client with the sender logical system:

  1. Run transaction SCC4.

  2. Use the Table View menu to switch to the change mode.

  3. From the list of clients displayed, select the client that you want to associate with the sender logical system.

  4. From the Goto menu, click Details. The details of the client are displayed.

  5. In the Logical System field, select the sender logical system.

  6. Click the Save icon.

2.3.4.4 Defining the Distribution Model

The distribution model holds information about the sending and receiver logical systems that you define and the message type that flows between them.

To define the distribution model:

  1. Run transaction BD64.

  2. Switch to change mode.

  3. From the Edit menu, select Model View, and then select Create.

  4. In the Create Model View dialog box, enter values for the Short Text and Technical Name fields, and accept the default Start date and End date values.

  5. Click the Save icon.

  6. From the list of views, select the created view, and then click Add message type.

  7. In the Add Message Type dialog box, specify the names of the sender and receiver logical systems, and then specify HRMD_A as the message type.

  8. Save the entry.

2.3.4.5 Creating the File Port

The file port is a definition of the directory location and name of the file in which IDocs are recorded. In full reconciliation, IDocs for all existing target system users are generated and written to flat files. The file port holds the directory location and name of these flat files.

To create the file port:

  1. Run transaction WE21.

  2. Expand Ports, select File, and then click Create.

  3. Enter the following details:

    • Port: Enter a name for the file port.

    • Description: Enter a description for the port.

    • Version: Select "IDoc record types SAP Release 4.x."

    • System Setting: Select Unicode format.

    • On the Outbound file tab:

      • Physical directory: Specify the path of the directory in which you want the file containing IDocs to be placed. The SAP application server must be able to write to this directory. Because the flat files contain employee master data, restrict read access to the directory to the SAP operating system user and to the account that transfers the files to Oracle Identity Manager.

      • Function module: Select a function module that generates the file name, for example, EDI_PATH_CREATE_DATE_TIME.

      • Outbound file: This is the alternative to the Function module approach: you use this field to specify a fixed name for the flat file. Specifying a function module is recommended, because each generated file then gets a unique, time-stamped name.

  4. Click the Save icon.

2.3.4.6 Defining the Partner Profile

A partner profile is a mapping of the receiver logical system, ports used by the receiver logical system, and IDoc collection mode.

Note:

When you start using the connector to reconcile user data from the target system, you use the partner profile to switch between full and incremental reconciliation. While the partner profile is switched to full reconciliation, the scheduled task for incremental reconciliation continues to run on Oracle Identity Manager, but no IDocs are sent to it.

To define the partner profile:

  1. Run transaction WE20.

  2. Expand Partner Profiles, select Partner Type LS, click the Create icon, and then enter the following details:

    • In the Partner no. field, enter the name that you specified for the receiver logical system while performing the procedure described in Section 2.3.4.2, "Defining the Sending and Receiver Logical Systems".

    • In the Outbound Parameters table, double-click HRMD_A in the Message Type column.

    • On the Outbound Options tab:

      • In the Receiver port field, select the file port that you defined by performing the procedure described in Section 2.3.4.5, "Creating the File Port".

      • In the Output Mode region, select Collect IDocs. With this option, IDocs are not transferred to the file port as soon as they are created. Instead, the job that you schedule on the target system transfers the collected IDocs in flat-file format to the file port.

      • In the IDoc Type region, specify an IDoc type in the Basic type field. Select the latest IDoc type available in the system. If you want to use an existing extension to an IDoc type, then specify the extension in the Extension field.

  3. Save the entry.

2.3.4.7 Registering the Listener with the SAP Gateway (tRFC)

To register the listener with the SAP gateway, create an RFC destination as follows:

  1. Run transaction SM59.

  2. Select TCP/IP connections, and then click the Create icon.

  3. In the RFC destination field, enter a name for the listener, for example OIMIDOC.

  4. In the Connection type field, select T to specify that this is a TCP/IP connection.

  5. In the Description region, enter a description for the listener.

  6. On the Technical settings tab, in the Activation Type region, select Registered Server Program.

  7. In the Program ID field, enter the program ID that you want to set for the listener, for example, IDOCLISTEN.

    Note:

    While performing the procedure described in Section 2.3.12.2, "Configuring the IT Resource," you specify the same program ID as the value of the Program ID parameter of the IT resource.

    The gateway delivers IDocs to whichever program registers under this ID. If the gateway enforces a registration ACL (the reginfo file referenced by the gw/reg_info profile parameter), ask the SAP Basis administrator to add an entry that permits this program ID to register only from the Oracle Identity Manager host. Without such an entry, and depending on the gateway's defaults, any host that can reach the gateway port may be able to register the ID and receive employee data.

  8. The target (Oracle Identity Manager) is a Unicode system. On the MDMP & Unicode tab, select the Unicode option to configure the destination for Unicode.

  9. Use the Test connection and Unicode Test features to run the connectivity and Unicode tests as follows:

    1. Run transaction SM59.

    2. In the RFC Destination field, enter the name of the RFC destination that you created.

    3. In the Connection type field, select TCP/IP connections.

    4. Click Test connection.

      Connection test data is displayed. The test succeeds only while a program is registered under the program ID, that is, while the listener scheduled task is running on Oracle Identity Manager. If the test reports that the program is not registered, start the listener and repeat the test.

    5. Click Unicode Test.

      A message stating that the target is a Unicode system is displayed.

2.3.4.8 Creating the tRFC Port

Transactional RFC (tRFC) on SAP is a variant of the Remote Function Call feature. The tRFC port on SAP is used by the listener, which is a scheduled task running on Oracle Identity Manager. The listener picks up IDocs delivered at the tRFC port. These IDocs are in the form of Java objects; there is no exchange of physical files at the tRFC port.

To create the tRFC port:

  1. Run transaction WE21.

  2. Select Transactional RFC, and then click the Create icon.

  3. In the Ports in IDoc Processing dialog box, either select Generate port name or specify a port name.

  4. In the RFC destination field, enter the RFC destination that you defined by performing the procedure described in Section 2.3.4.7, "Registering the Listener with the SAP Gateway (tRFC)".

  5. Click the Save icon.

2.3.4.9 Activating Change Pointers

Change pointers record updates to master data on the target system. They are stored in dedicated tables, and the records are referred to as change docs in this guide.

Note:

During incremental reconciliation, a change doc contains data only from infotypes in which at least one attribute has been modified, but it contains all attributes of each such infotype. For example, infotype 0001 holds the MSTBR attribute and several other attributes. If only MSTBR is modified, then during the next incremental reconciliation run all attributes of infotype 0001 are copied into the change doc that is created to track that change.

To activate change pointers:

  1. Run transaction BD61.

  2. Select the Change pointers activate – generally check box.

  3. Run transaction BD50.

  4. In the list that is displayed, select the check box for the HRMD_A message type.

  5. Click the Save icon.

2.3.4.10 Configuring Segment Filtering

Note:

The procedure described in this section is optional. Segment filtering is not a requirement for using the ALE feature.

On the target system, related attributes of an employee record are grouped under an infotype, and each infotype is transported in its own IDoc segment (for example, infotype 0001 in segment E1P0001). There are more than 100 predefined segments on the target system.

The Lookup.SAP.HRMS.AttributeMapping lookup definition maps attributes of the target system to OIM User fields. Only data from mapped attributes is reconciled into Oracle Identity Manager, regardless of which segments (and therefore which attributes) the IDocs received by Oracle Identity Manager contain. This is illustrated by the following example:

Suppose there are 14 attribute mappings in the Lookup.SAP.HRMS.AttributeMapping lookup definition. If the IDocs contain data for 30 attributes, then only data from the 14 mapped attributes is reconciled into Oracle Identity Manager. Data for the remaining 16 attributes is not used at all.

The segment filtering feature of the target system enables you to specify the segments that must not be included in IDocs. By configuring segment filtering, you ensure that attribute data that is not required in Oracle Identity Manager is never sent to Oracle Identity Manager. Because the IDocs and the flat files contain employee personal data, this is also the point at which to keep data that Oracle Identity Manager never uses from leaving the HR system.

Segment filtering is applied at the IDoc creation stage. Change docs are still created for a change in any attribute of any infotype, whether or not its segment is filtered.

Note:

When you configure segment filtering, you must ensure that the E1P0000, E1P0001, E1P0002, E1P0006 and E1P0105 segments are always included. Some attributes from the infotypes in these segments are configured as predefined attributes that are mapped to OIM User attributes. See Appendix B for information about the structure of a sample IDoc.

You can configure and then reconfigure segment filtering at any time after deployment. While configuring segment filtering, you must ensure that mandatory attributes defined in the target system and Oracle Identity Manager are always included.

To configure segment filtering:

  1. Run transaction code BD56.

  2. In the Determine Work Area: Entry dialog box, select the HRMD_A message type.

  3. Click New Entries.

  4. Click the first row of the Segment Type column, and then press F4.

  5. From the Segment Type list, select the segments that you want to exclude using segment filtering.

  6. Click the Save icon.
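An added example (Python; not code from this guide or from the connector) of the checks a practitioner would want before saving an exclusion list in BD56: it verifies that the planned exclusions remove neither a mandatory segment nor a segment that a mapped attribute is read from, lists the segments of an IDoc that can safely be excluded, and shows on a constructed IDoc that only mapped attributes reach the OIM user record. The attribute mapping is modelled as OIM field -> (segment, SAP field) for readability; that layout is an assumption, not the Code Key / Decode encoding of Lookup.SAP.HRMS.AttributeMapping, and the IDoc contents and field names are constructed sample data.

```python
"""Checks for an HRMD_A segment filter against the connector's attribute mapping,
and a demonstration that only mapped attributes reach the OIM user record.

Added example; not code from the Oracle connector guide or the connector.
Assumptions: the attribute mapping is modelled as OIM field -> (segment, SAP field)
rather than the real Lookup.SAP.HRMS.AttributeMapping encoding, and the IDoc is a
constructed list of (segment, {field: value}) pairs, not a real flat file.
"""

# Segments the guide says must always be included in HRMD_A IDocs.
MANDATORY_SEGMENTS = {"E1P0000", "E1P0001", "E1P0002", "E1P0006", "E1P0105"}

# Constructed stand-in for Lookup.SAP.HRMS.AttributeMapping (assumed layout).
ATTRIBUTE_MAPPING = {
    "Employee Number": ("E1P0000", "PERNR"),
    "Department": ("E1P0001", "ORGEH"),
    "First Name": ("E1P0002", "VORNA"),
    "Last Name": ("E1P0002", "NACHN"),
    "City": ("E1P0006", "ORT01"),
    "Email": ("E1P0105", "USRID_LONG"),
}

# Constructed sample IDoc: one (segment, fields) entry per infotype record.
SAMPLE_IDOC = [
    ("E1P0000", {"PERNR": "00001234", "MASSN": "01"}),
    ("E1P0001", {"ORGEH": "50001000", "STELL": "30000123"}),
    ("E1P0002", {"VORNA": "Ada", "NACHN": "Lovelace", "GBDAT": "18151210"}),
    ("E1P0006", {"ORT01": "London", "STRAS": "1 Example Street"}),
    ("E1P0009", {"BANKN": "12345678"}),   # bank details: never mapped, should be filtered
    ("E1P0105", {"USRID_LONG": "ada@example.com"}),
]


def segments_used(mapping=ATTRIBUTE_MAPPING):
    """Segments that at least one mapped attribute is read from."""
    return {segment for segment, _ in mapping.values()}


def validate_segment_filter(excluded, mapping=ATTRIBUTE_MAPPING):
    """Return a list of problems with a planned set of excluded segments (empty = safe)."""
    excluded = set(excluded)
    problems = []
    for segment in sorted(excluded & MANDATORY_SEGMENTS):
        problems.append(f"{segment} is mandatory and must not be excluded")
    for segment in sorted((excluded & segments_used(mapping)) - MANDATORY_SEGMENTS):
        fields = sorted(oim for oim, (seg, _) in mapping.items() if seg == segment)
        problems.append(f"{segment} carries mapped attribute(s) {fields} and must not be excluded")
    return problems


def excludable_segments(present, mapping=ATTRIBUTE_MAPPING):
    """Segments present in an IDoc that neither the mapping nor the mandatory list
    needs; these are the candidates for the BD56 exclusion list."""
    return set(present) - segments_used(mapping) - MANDATORY_SEGMENTS


def reconcile(idoc, mapping=ATTRIBUTE_MAPPING):
    """Build the OIM user record from an IDoc: only mapped attributes are copied,
    everything else in the IDoc is ignored, as the guide describes."""
    by_segment = {}
    for segment, fields in idoc:
        # Several records of one segment (for example subtypes) are merged; later ones win.
        by_segment.setdefault(segment, {}).update(fields)
    record = {}
    for oim_field, (segment, sap_field) in mapping.items():
        value = by_segment.get(segment, {}).get(sap_field)
        if value is not None:
            record[oim_field] = value
    return record


if __name__ == "__main__":
    print("reconciled:", reconcile(SAMPLE_IDOC))
    print("excludable:", excludable_segments(s for s, _ in SAMPLE_IDOC))
    print("problems:", validate_segment_filter({"E1P0002", "E1P0009"}))
```

Run validate_segment_filter against the exclusion list you intend to enter in BD56 and only save it when the result is empty; excludable_segments applied to a sample IDoc from Appendix B gives the segments that can be dropped without affecting reconciliation.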

2.3.4.11 Configuring SAP Ports for Communication with Oracle Identity Manager

To enable communication between the target system and Oracle Identity Manager, you must ensure that the ports listed in Table 2-4 are open. In the port number formats, SYSTEM_NUMBER is the two-digit instance number of the SAP application server (for example, 00), so the default ports shown are those of instance 00.

Table 2-4 Ports for SAP Services

Service                              Port Number Format    Default Port
Dispatcher                           32SYSTEM_NUMBER       3200
Gateway (for non-SNC communication)  33SYSTEM_NUMBER       3300
Gateway (for SNC communication)      48SYSTEM_NUMBER       4800
Message server                       36SYSTEM_NUMBER       3600

The listener registers with the gateway, so the gateway port (or the SNC gateway port, if you configure SNC as described in Section 2.3.11) must be reachable from the Oracle Identity Manager host. To check if these ports are open, you can, for example, try to establish a Telnet connection from the Oracle Identity Manager host to each of them.
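The port derivation of Table 2-4 and the Telnet check, as an added Python example (not code from this guide or from the connector): it builds the service-to-port map from the instance number and tests plain TCP reachability of each required port, which is all a manual Telnet attempt does. The SAP host name and instance number are command-line arguments you supply; nothing else is assumed.

```python
"""Derive the SAP service ports of Table 2-4 for an instance number and test
TCP reachability from this host.

Added example; not code from the Oracle connector guide or the connector.
Assumption: the caller supplies the SAP host name and two-digit instance number.
"""
import socket
import sys

# Port number formats from Table 2-4: two-digit prefix followed by the instance number.
PORT_PREFIXES = {
    "dispatcher": 32,
    "gateway": 33,           # RFC and registered-server traffic without SNC
    "gateway_snc": 48,       # gateway port used when SNC is configured
    "message_server": 36,
}


def sap_ports(system_number: str) -> dict:
    """Return {service: port} for a two-digit SAP instance number, e.g. "00" -> 3200."""
    if len(system_number) != 2 or not system_number.isdigit():
        raise ValueError(f"instance number must be two digits, got {system_number!r}")
    return {name: prefix * 100 + int(system_number) for name, prefix in PORT_PREFIXES.items()}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a plain TCP connection to host:port completes within the timeout
    (the same check as a manual Telnet attempt, without the interactive session)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sap_ports(host: str, system_number: str, snc: bool = False, timeout: float = 3.0) -> dict:
    """Test the ports Oracle Identity Manager needs on the SAP host.

    The listener registers at the gateway, so the SNC or the non-SNC gateway port
    is tested depending on how the connection is secured; the dispatcher and
    message server ports are tested in both cases.
    """
    ports = sap_ports(system_number)
    services = ["dispatcher", "message_server", "gateway_snc" if snc else "gateway"]
    return {name: tcp_open(host, ports[name], timeout) for name in services}


if __name__ == "__main__":
    # Usage: python check_sap_ports.py <sap_host> <instance_number> [snc]
    sap_host, sysnr = sys.argv[1], sys.argv[2]
    use_snc = len(sys.argv) > 3 and sys.argv[3].lower() == "snc"
    ports = sap_ports(sysnr)
    for name, reachable in check_sap_ports(sap_host, sysnr, use_snc).items():
        print(f"{name:15s} {ports[name]:5d} {'open' if reachable else 'BLOCKED'}")
```

A port reported as BLOCKED is either filtered by a firewall between the two hosts or not listening on the SAP side; the short connect timeout keeps a filtered port from stalling the run.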

2.3.5 Changing to the Required Input Locale on Oracle Identity Manager

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.3.6 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager release 11.1.x. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

    • If you are using Oracle Identity Manager release 11.1.x, then switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
    

    For Oracle Identity Manager release 11.1.x:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    • For Oracle Identity Manager release 9.1.0.x:

      On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

      On UNIX: PurgeCache.sh ConnectorResourceBundle

      Note:

      You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

      In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

      OIM_HOME/xellerate/config/xlconfig.xml

    • For Oracle Identity Manager release 11.1.x:

      On Microsoft Windows: PurgeCache.bat All

      On UNIX: PurgeCache.sh All

      When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

      t3://OIM_HOST_NAME:OIM_PORT_NUMBER
      

      In this format:

      • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

      • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.7 Copying Resource Bundle Entries for UDFs

If you are using a non-English locale, then copy entries for the UDFs from the connector resource bundle to the customResources_LOCALE.properties file.

The following example illustrates this procedure:

Suppose you are using the French locale. When you install Oracle Identity Manager, the customResources_fr.properties file is copied into the OIM_HOME/xellerate/customResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager release 11.1.x.

  1. Open the OIM_HOME/xellerate/customResources/customResources_fr.properties file in a text editor.

  2. Copy the following lines present in the SAP-ER_fr.properties file:

    global.udf.USR_UDF_DEPARTMENT=Service

    global.udf.USR_UDF_CITY=Ville

    global.udf.USR_UDF_STREET=Rue

    global.udf.USR_UDF_DISTRICT=District

    global.udf.USR_UDF_COUNTRY=Pays

    global.udf.USR_UDF_POSTALCODE=Code postal

    global.udf.USR_UDF_TELEPHONE=Num\u00E9ro de t\u00E9l\u00E9phone

    global.udf.USR_UDF_LINKED_USER_ID=ID d'utilisateur SAP li\u00E9

    global.udf.USR_UDF_POSITION=Fonction

    global.udf.USR_UDF_COST_CENTER=Centre de co\u00FBts

  3. Paste these lines in the following section of the OIM_HOME/xellerate/customResources/customResources_fr.properties file:

    # For UDF Label addition:

    # global.udf.UDF_COLUMN_NAME=UNICODED_LABEL_STRING

  4. Save and close the customResources_fr.properties file.

2.3.8 Enabling Logging on Oracle Identity Manager

Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:

2.3.8.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that might allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • Oracle WebLogic Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.OIMCP.SAPH=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.OIMCP.SAPH=INFO
      

    After you enable logging, log information is displayed on the server console.

  • IBM WebSphere Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.OIMCP.SAPH=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.OIMCP.SAPH=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log

  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, locate or add the following lines:

      <category name="XELLERATE">
         <priority value="log_level"/>
      </category>
      
      <category name="OIMCP.SAPH">
         <priority value="log_level"/>
      </category>
      
    2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

      <category name="XELLERATE">
         <priority value="INFO"/>
      </category>
      
      <category name="OIMCP.SAPH">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log

  • Oracle Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.OIMCP.SAPH=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.OIMCP.SAPH=INFO
      

    After you enable logging, log information is written to the following file:

    ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log

2.3.8.2 Enabling Logging on Oracle Identity Manager Release 11.1.x

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

Oracle Identity Manager release 11.1.x uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that may allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 2-5.

Table 2-5 Log Levels and ODL Message Type:Level Combinations

Java Level              ODL Message Type:Level
SEVERE.intValue()+100   INCIDENT_ERROR:1
SEVERE                  ERROR:1
WARNING                 WARNING:1
INFO                    NOTIFICATION:1
CONFIG                  NOTIFICATION:16
FINE                    TRACE:1
FINER                   TRACE:16
FINEST                  TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='sap-er-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='[FILE_NAME]'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.SAPH" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="sap-er-handler"/>
        <handler name="console-handler"/>
      </logger>
      
    2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-5 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='sap-er-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.SAPH" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="sap-er-handler"/>
        <handler name="console-handler"/>
      </logger>
      

      With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file. Messages at the TRACE levels may include the employee data being reconciled, so enable them only while troubleshooting and restrict read access to the log file.

  2. Save and close the file.

  3. Set the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=FILENAME
    

    For UNIX:

    export WLS_REDIRECT_LOG=FILENAME
    

    Replace FILENAME with the location and name of the file to which you want to redirect the output.

  4. Restart the application server.

2.3.9 Configuring Reconciliation of Effective-Dated Target System Events

Note:

If you do not perform the procedure described in this section, then support for effective-dated events is disabled. In other words, an event is brought to Oracle Identity Manager, regardless of the effective date of the infotype.

See Section 1.4.4, "Reconciliation of Effective-Dated Lifecycle Events" for information about how future-dated events are processed.

On the target system, event IDs are assigned to all employee lifecycle events. The connector can distinguish between current-dated and future-dated lifecycle events related to hiring employees and terminating the services of employees.

To enable this feature of the connector, define the event IDs as follows:

  1. Run transaction SE37.

  2. In the Function Module field, enter BAPI_HELPVALUES_GET, and then press Enter.

  3. Enter the following as values for the import parameters of the standard BAPI_HELPVALUES_GET BAPI:

    Note:

    You need not specify values for the parameters that are not listed in the table.

    Import Parameter        Value
    OBJTYPE                 EMPLOYEET
    METHOD                  GETPASSWORD
    PARAMETER               STATUSINFO
    EXPLICIT_SHLP-SHLPNAME  H_T529A
    EXPLICIT_SHLP-SHTYPE    SH
    MAX_OF_ROWS             0


  4. Run the BAPI.

  5. Open the HELPVALUES table. This table lists the event ID for each event defined on the target system.

  6. Write down the event IDs for all Hire and Terminate events that you want to define in Oracle Identity Manager.

  7. In the Lookup.SAP.HRMS.HireEvents lookup definition on Oracle Identity Manager, enter the event IDs for all hire events (events that occur when an employee is hired for the first time). In each row that you add, enter the same event ID in the Code Key and Decode columns.

  8. In the Lookup.SAP.HRMS.TerminateEvents lookup definition on Oracle Identity Manager, enter the event IDs for the events (for example, events created when an employee resigns, is terminated, or is on long leave) that disable employee records in Oracle Identity Manager. In each row that you add, enter the same event ID in the Code Key and Decode columns.

  9. In the Lookup.SAP.HRMS.RehireEvents lookup definition on Oracle Identity Manager, enter the event IDs for the events (for example, events created when an employee rejoins the company or returns from long leave) that enable employee records in Oracle Identity Manager that are in the disabled state. In each row that you add, enter the same event ID in the Code Key and Decode columns.

An event ID should appear in only one of these three lookup definitions, because a single event cannot both enable and disable a record.
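An added Python example (not the connector's own code) of two checks worth running on the lookup contents after steps 7 to 9, together with the distinction the text describes: every row must carry the same event ID in Code Key and Decode, no event ID may appear in more than one of the three lookups, and an incoming event is classified by lookup membership and as current- or future-dated from its effective date. The event IDs are constructed placeholders (take the real ones from the HELPVALUES table), and what the connector does with a future-dated event is documented in Section 1.4.4, not modelled here.

```python
"""Checks on the Lookup.SAP.HRMS.HireEvents / TerminateEvents / RehireEvents contents
and classification of an incoming lifecycle event.

Added example; not the connector's code. Each lookup is modelled as a list of
(Code Key, Decode) rows as populated in steps 7 to 9. The event IDs are constructed
placeholders; take real ones from the HELPVALUES table of BAPI_HELPVALUES_GET.
"""
from datetime import date

# Constructed lookup contents: (Code Key, Decode) rows, both holding the event ID.
HIRE_EVENTS = [("01", "01")]
TERMINATE_EVENTS = [("10", "10"), ("20", "20")]
REHIRE_EVENTS = [("30", "30")]

LOOKUP_NAMES = ("Lookup.SAP.HRMS.HireEvents",
                "Lookup.SAP.HRMS.TerminateEvents",
                "Lookup.SAP.HRMS.RehireEvents")


def validate_lookups(hire, terminate, rehire):
    """Return problems: rows whose Code Key and Decode differ, and event IDs that
    appear in more than one lookup (such an ID would count as, say, both a hire and
    a terminate event, so the outcome would depend on which lookup is consulted first)."""
    problems = []
    owner = {}   # event ID -> name of the first lookup it was seen in
    for name, rows in zip(LOOKUP_NAMES, (hire, terminate, rehire)):
        for code_key, decode in rows:
            if code_key != decode:
                problems.append(f"{name}: row {code_key!r} has Decode {decode!r}; "
                                "both columns must hold the event ID")
            if code_key in owner and owner[code_key] != name:
                problems.append(f"event ID {code_key!r} appears in both {owner[code_key]} and {name}")
            owner.setdefault(code_key, name)
    return problems


def classify_event(event_id, effective_date, today,
                   hire=HIRE_EVENTS, terminate=TERMINATE_EVENTS, rehire=REHIRE_EVENTS):
    """Return (kind, timing): kind is "hire", "terminate", "rehire" or "other" by
    lookup membership; timing is "future" when the infotype's effective date (ISO
    string, YYYY-MM-DD) lies after today, otherwise "current"."""
    for kind, rows in (("hire", hire), ("terminate", terminate), ("rehire", rehire)):
        if any(code_key == event_id for code_key, _ in rows):
            break
    else:
        kind = "other"
    timing = "future" if date.fromisoformat(effective_date) > date.fromisoformat(today) else "current"
    return kind, timing


if __name__ == "__main__":
    print(validate_lookups(HIRE_EVENTS, TERMINATE_EVENTS, REHIRE_EVENTS))
    print(classify_event("01", "2030-01-01", date.today().isoformat()))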

2.3.10 Recovering from Failed Communication Between the Target System and Oracle Identity Manager

What Happens When the Listener Becomes Unavailable

When an IDoc is sent to the listener running on Oracle Identity Manager during incremental reconciliation, the status of the IDoc on the target system is changed to "Transferred to Destination." This status change takes place regardless of whether or not the listener is available.

If you determine that the listener was unavailable for some time, then you can reset the status of the IDocs on the target system and then resend them to Oracle Identity Manager.

What Happens When the Target System Becomes Unavailable

The listener receives an exception, which is recorded in the log file. When the target system becomes available again, the listener starts receiving IDocs again.

2.3.11 Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System

Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the SAP Java connector (JCo). If required, you can use Secure Network Communication (SNC) to secure such connections.

Note:

The Java application server used by Oracle Identity Manager can be IBM WebSphere Application Server, Oracle WebLogic Server, or JBoss Application Server.

This section discusses the following topics:

2.3.11.1 Verifying That SNC Is Activated on the Target System Application Server

To verify that SNC is activated on the target system application server:

  1. Run transaction RZ11.

  2. In the Profile parameter maintenance region, click Display.

    (Figure: profile_param_maint.gif)
  3. If the value of the Current value field is 1, then SNC is enabled. If the value is 0, then SNC is disabled.

    (Figure: snc_enable_disable.gif)

2.3.11.2 Installing the Security Package

To install the security package on the Oracle Identity Manager host computer:

  1. Download SAP Cryptolib for encrypted communication with Oracle Identity Manager.

    The necessary SAP Cryptolib for the encrypted communication of third-party software such as Oracle Identity Manager can be ordered from SAP official software partners listed at the SAP Service Marketplace.

  2. Extract the contents of the SAP Cryptographic Library installation package. This package contains the following files:

    • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.ext for UNIX)

    • A corresponding license ticket (ticket)

    • The configuration tool, sapgenpse.exe

  3. Copy the library and the sapgenpse.exe file into a local directory, for example, /usr/sap.

  4. Check the file permissions. Ensure that the user under which the application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse.exe file.

  5. Create the sec directory inside the directory into which you copy the library and the sapgenpse.exe file.

    Note:

    You can use any names for the directories that you create. However, creating the /usr/sap/sec (or C:\usr\sap\sec) directory is an SAP recommendation.

  6. Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.

  7. Set the SECUDIR environment variable for the Java application server user to the sec directory.

    Note:

    From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined in SECUDIR environment variable.

    For Oracle Application Server:

    1. Remove the SECUDIR entry from the Windows environment variables, if it has been set.

    2. Edit the ORACLE_HOME\opmn\config\opmn.xml file as follows:

      Change the following:

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
        </environment>
      

      To:

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
          <variable id="SECUDIR" value="D:\snc\usr\sec"/>
        </environment>
      

      Note:

      Oracle Application Server automatically creates the temporary folder based on the operating system of the computer on which it is installed.

    3. Restart Oracle Application Server.

  8. Set the SNC_LIB and PATH environment variables for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.

2.3.11.3 Setting Up SNC

To set up SNC:

  1. Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:

    1. To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.

    2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      

      The sapgenpse command creates a PSE in the SECUDIR directory.

  2. Create credentials for the Java application server.

    The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:

    sapgenpse seclogin
    

    Then, enter the following command to open the PSE of the server and create the credentials:

    sapgenpse seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
    

    The user_ID that you specify must have administrator rights. PSE_Name is the name of the PSE file.

    The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.

  3. Exchange the public key certificates of the two servers as follows:

    Note:

    If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.

    1. Export the Oracle Identity Manager certificate by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      
    2. Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.

    3. Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.

    4. Import the SAP application server certificate into Oracle Identity Manager by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      
  4. Set values for the following parameters in the SAP HRMS IT resource object:

    • SAPsnc_lib

    • SAPsnc_mode

    • SAPsnc_myname

    • SAPsnc_partnername

    • SAPsnc_qop
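The following is an added example, not part of the Oracle or SAP documentation: a check of the SECUDIR layout that the procedure above produces, run on the Oracle Identity Manager host before the IT resource is switched to SNC. The file names (ticket, cred_v2, and the PSE named with sapgenpse -p) and the rule that SNC_LIB is the parent directory of the sec directory come from the procedure; the library file names, the assumed PSE name SAPJ2EE.pse, and the permission rule (only the application server user may read the PSE and cred_v2) are this example's assumptions, and the directory tree that demo() builds is constructed.

```python
# Added example (not part of the documentation): verify the SECUDIR layout
# produced by the SNC setup procedure. File and variable names follow the
# procedure; the library names and the permission rule are assumptions.
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple

# libsapcrypto.ext in the text stands for the platform-specific suffix; the
# two names below are assumed here.
LIBRARY_NAMES = ("libsapcrypto.so", "sapcrypto.dll")


def check_snc_layout(secudir: Optional[str], snc_lib: Optional[str] = None,
                     pse_name: str = "SAPJ2EE.pse",
                     posix_perms: Optional[bool] = None) -> List[str]:
    """Return findings about the SECUDIR layout; an empty list means it
    matches the procedure. pse_name is whatever was given to sapgenpse -p
    (an assumed name here); posix_perms enables the mode-bit check."""
    if posix_perms is None:
        posix_perms = os.name == "posix"
    if not secudir:
        return ["SECUDIR is not set"]
    if not os.path.isdir(secudir):
        return [f"SECUDIR {secudir!r} is not a directory"]
    findings: List[str] = []
    # (file name, where the procedure produces it, whether it guards key material)
    expected = (("ticket", "license ticket copied in installation step 6", False),
                (pse_name, "PSE created with sapgenpse get_pse", True),
                ("cred_v2", "credentials created with sapgenpse seclogin", True))
    for name, origin, sensitive in expected:
        path = os.path.join(secudir, name)
        if not os.path.isfile(path):
            findings.append(f"missing {name} ({origin})")
        elif sensitive and posix_perms and \
                os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # cred_v2 lets the server open the PSE without the PIN, so only the
            # application server user should be able to read these two files.
            findings.append(f"{name} is accessible to group or other users")
    # Installation step 8: SNC_LIB is the parent directory of the sec
    # directory, and the cryptographic library lives there.
    parent = os.path.dirname(os.path.abspath(secudir))
    lib_dir = os.path.abspath(snc_lib) if snc_lib else parent
    if lib_dir != parent:
        findings.append("SNC_LIB is not the parent directory of SECUDIR")
    if not any(os.path.isfile(os.path.join(lib_dir, n)) for n in LIBRARY_NAMES):
        findings.append(f"no SAP Cryptographic Library found in {lib_dir!r}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed layout under a temporary directory, check it, then
    delete cred_v2 and check again. Returns both finding lists."""
    root = tempfile.mkdtemp(prefix="snc-demo-")
    sec = os.path.join(root, "sec")
    os.mkdir(sec)
    open(os.path.join(root, LIBRARY_NAMES[0]), "wb").close()   # stand-in library
    for name in ("ticket", "SAPJ2EE.pse", "cred_v2"):
        path = os.path.join(sec, name)
        open(path, "wb").close()
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)             # mode 0600
    complete = check_snc_layout(sec, snc_lib=root)
    os.remove(os.path.join(sec, "cred_v2"))
    broken = check_snc_layout(sec, snc_lib=root)
    shutil.rmtree(root)
    return complete, broken


if __name__ == "__main__":
    # On a real host: check_snc_layout(os.environ.get("SECUDIR"), os.environ.get("SNC_LIB"))
    for label, result in zip(("complete layout", "without cred_v2"), demo()):
        print(label, "->", result or "OK")
```

On a real host, call check_snc_layout with the SECUDIR and SNC_LIB values from the environment of the Java application server user, not from your own shell, since the procedure sets them for that user.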

2.3.12 Specifying Values for the Connection Properties (IT Resource Configuration)

The IT resource holds connection properties that are used by SAP JCo. These connection properties are the ones accepted by the SAP JCo. The Lookup.SAP.HRMS.ITResourceMapping lookup definition holds mappings between the connection properties accepted by the SAP JCo API and the names of IT resource parameters.

Note:

The IT resource is used only during incremental reconciliation. In full reconciliation, you manually copy the flat file containing user data to the Oracle Identity Manager host computer.

See the Javadocs shipped with SAP JCo 3.0 for detailed information about connection properties used by the target system.

This section discusses the following topics:

2.3.12.1 Mapping New Connection Properties

See Also:

One of the following guides for more information about this procedure:

To map a new connection property:

  1. Add the connection property as a parameter in the SAP HR IT resource type definition as follows:

    1. On the Design Console, expand Resource Management, and then click IT Resources Type Definition.

    2. Search for and open the SAP HR IT resource type.

    3. Click Add.

      A new row is displayed in the IT Resource Type Parameter table.

    4. In the Field Name column, enter a name for the parameter.

    5. Do not enter values in any other field.

    6. Click the Save icon.

  2. Specify a value for the new parameter in the IT resource. See the Section 2.3.12.2, "Configuring the IT Resource" for instructions.

  3. In the Lookup.SAP.HRMS.ITResourceMapping lookup definition, create a mapping between the connection property and the IT resource parameter as follows:

    1. On the Design Console, expand Administration, and then double-click Lookup Definition.

    2. Search for and open the Lookup.SAP.HRMS.ITResourceMapping lookup definition.

    3. Click Add.

    4. In the Code Key column, enter the connection property defined in the ServerDataProvider or DestinationDataProvider interface of SAP JCo 3.0.

    5. In the Decode column, enter the name of the IT resource parameter.

    6. Click the Save icon.

2.3.12.2 Configuring the IT Resource

You must specify values for the parameters of the SAP HRMS IT resource as follows:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x or 11.1.1:

      Log in to the Administrative and User Console

    • For Oracle Identity Manager release 11.1.2:

      Log in to Oracle Identity System Administration

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.

    • If you are using Oracle Identity Manager release 11.1.1, then:

      1. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

      2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

    • If you are using Oracle Identity Manager release 11.1.2, then:

      1. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

      2. In the left pane under Configuration, click IT Resource.

  3. In the IT Resource Name field on the Manage IT Resource page, enter SAP HRMS and then click Search.

  4. Click the edit icon for the IT resource.

  5. From the list at the top of the page, select Details and Parameters.

  6. Specify values for the parameters of the IT resource. Table 2-6 lists the parameters of the IT resource.

    The target system supports the following types of connections:

    • Direct connection to an SAP instance

    • Load-balancing connection to a group of SAP instances

    Some connection properties are mandatory for a specific type of connection. This is highlighted in the table.

    Note:

    As mentioned earlier, most of the IT resource parameters correspond to connection properties used by the SAP JCo. See SAP JCo Javadocs for detailed descriptions of these parameters.

    Table 2-6 IT Resource Parameters

    Parameter Description

    App server host

    IP address of the R/3 application server host computer

    This parameter is mandatory for both direct and load-balancing connections.

    Client logon

    Client logon

    This parameter is mandatory for both direct and load-balancing connections.

    Sample value: 800

    Gateway host

    Host name of the target system message server

    Typically, the gateway is installed on the same application server (central instance). However, the gateway can be installed on a separate host computer that is connected to the central instance.

    This parameter is mandatory for a load-balancing connection.

    Sample value: examplesap08.corp.example.com

    Gateway service

    Gateway service

    Default value: 3300

    Language

    Logon language

    This parameter is mandatory for both direct and load-balancing connections.

    Sample value: EN

    Password

    Logon password

    This parameter is mandatory for both direct and load-balancing connections.

    Peak limit

    Maximum number of active connections that can be created for a destination simultaneously

    Default value: 10

    Pool capacity

    Maximum number of idle connections kept open by the destination. A value of 0 has the effect that there is no connection pooling.

    Default value: 3

    Program ID

    Program ID used in SAP to register the listener

    Default value: IDOCLISTEN

    This program ID must be the same as the program ID you specify when you perform the procedure described in Section 2.3.4.7, "Registering the Listener with the SAP Gateway (tRFC)."

    Note: The program ID is case-sensitive. Use the same case (uppercase and lowercase) when you enter the program ID as the value of this parameter.

    Repository destination

    Name of the repository destination (jcoDestination)

    You can enter any string value as the repository destination.

    Default value: BCE

    SNC lib

    Path to SNC library

    Sample value: C://usr/sap

    SNC mode

    Specifies whether or not SNC is to be used to secure communication between Oracle Identity Manager and the target system. The value is Yes if SNC is enabled. Otherwise, it is No. The other SNC parameters are required only if this parameter is set to Yes.

    This parameter is mandatory for both direct and load-balancing connections.

    Sample value: No

    SNC my name

    Name of the SNC system

    SNC partner name

    Name of the partner system, the system on which SAP is installed

    Default value: p:CN=I47,OU=SAP,O=ORA, C=IN

    SNC qop

    This parameter controls the protection level (quality of protection, QOP) at which data is transferred. You can specify one of the following numbers as the value of this parameter:

    • 1: Secure authentication only

    • 2: Data integrity protection

    • 3: Data privacy protection

    • 8: Use value from the parameter

    • 9: Use maximum value available

    This is required only if SNC is enabled.

    Default value: 3

    Server name

    Unique name that identifies the server

    You can enter any string value as the server name.

    Default value: SERVER

    System number

    R/3 system number

    This parameter is mandatory for a direct connection.

    Sample value: 00

    Unicode mode

    Specifies whether or not the connection with the target system must be established in Unicode mode

    The value can be Yes or No.

    Default value: No

    User logon

    User logon

    This parameter is mandatory for both direct and load-balancing connections.

    Sample value: remote_user

    Connection Count

    Maximum number of connections that can be opened on a server

    Default value: 2

    R3 Name

    System ID of the SAP system

    Group Name

    Group of SAP application servers

    Message Server

    Host name of the message server


  7. To save the values, click Update.
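The following is an added example, not the connector's own code. It serves both the mapping procedure in Section 2.3.12.1 and Table 2-6: it shows how a Lookup.SAP.HRMS.ITResourceMapping-style lookup (Code Key = JCo connection property, Decode = IT resource parameter name) turns IT resource values into the properties SAP JCo 3.0 expects, and it checks the constraints the table states (parameters mandatory for both connection types, System number for a direct connection, Gateway host for a load-balancing connection, the SNC parameters only when SNC mode is Yes, SNC qop in 1, 2, 3, 8, 9). The lookup contents are an assumption built from the JCo 3.0 property names, because the page does not reproduce the shipped lookup; treating the three logon-group parameters of Section 2.3.12.3 as mandatory for a load-balancing connection and translating Yes/No to 1/0 are likewise assumptions. Sample values are the table's own except the application server address and the password, which are constructed placeholders.

```python
# Added example (not the connector's own code): IT resource -> JCo property
# mapping in the style of Lookup.SAP.HRMS.ITResourceMapping, plus the
# consistency checks implied by Table 2-6. The mapping is an assumption.
from typing import Dict, List

# Code Key (JCo 3.0 connection property) -> Decode (IT resource parameter name)
IT_RESOURCE_MAPPING: Dict[str, str] = {
    "jco.client.ashost": "App server host",
    "jco.client.sysnr": "System number",
    "jco.client.client": "Client logon",
    "jco.client.user": "User logon",
    "jco.client.passwd": "Password",
    "jco.client.lang": "Language",
    "jco.client.mshost": "Message Server",
    "jco.client.r3name": "R3 Name",
    "jco.client.group": "Group Name",
    "jco.client.snc_mode": "SNC mode",
    "jco.client.snc_lib": "SNC lib",
    "jco.client.snc_myname": "SNC my name",
    "jco.client.snc_partnername": "SNC partner name",
    "jco.client.snc_qop": "SNC qop",
    "jco.destination.peak_limit": "Peak limit",
    "jco.destination.pool_capacity": "Pool capacity",
    "jco.server.gwhost": "Gateway host",
    "jco.server.gwserv": "Gateway service",
    "jco.server.progid": "Program ID",
    "jco.server.connection_count": "Connection Count",
    "jco.server.repository_destination": "Repository destination",
    "jco.server.unicode": "Unicode mode",
}

MANDATORY_ALWAYS = ("App server host", "Client logon", "Language", "Password",
                    "User logon", "SNC mode")
MANDATORY_DIRECT = ("System number",)
# Gateway host is mandatory per Table 2-6; the other three are the logon-group
# parameters of Section 2.3.12.3 (assumed mandatory for this connection type).
MANDATORY_LOAD_BALANCING = ("Gateway host", "Message Server", "R3 Name", "Group Name")
SNC_DEPENDENT = ("SNC lib", "SNC my name", "SNC partner name", "SNC qop")
VALID_QOP = {"1", "2", "3", "8", "9"}
YES_NO = {"Yes": "1", "No": "0"}          # assumed translation to JCo values
INTEGER_PARAMS = ("Peak limit", "Pool capacity", "Connection Count")


def validate_it_resource(params: Dict[str, str], connection_type: str) -> List[str]:
    """Return problems to fix before clicking Update; an empty list means the
    parameter set is consistent for the given connection type."""
    def present(name: str) -> bool:
        return bool(str(params.get(name, "")).strip())

    problems = [f"missing mandatory parameter {n!r}" for n in MANDATORY_ALWAYS if not present(n)]
    if connection_type == "direct":
        problems += [f"missing {n!r} (direct connection)" for n in MANDATORY_DIRECT if not present(n)]
    elif connection_type == "load-balancing":
        problems += [f"missing {n!r} (load-balancing connection)"
                     for n in MANDATORY_LOAD_BALANCING if not present(n)]
    else:
        problems.append(f"unknown connection type {connection_type!r}")
    for name in ("SNC mode", "Unicode mode"):
        if present(name) and params[name] not in YES_NO:
            problems.append(f"{name!r} must be Yes or No")
    if params.get("SNC mode") == "Yes":
        problems += [f"missing {n!r} (required when SNC mode is Yes)"
                     for n in SNC_DEPENDENT if not present(n)]
        if present("SNC qop") and params["SNC qop"] not in VALID_QOP:
            problems.append("'SNC qop' must be one of 1, 2, 3, 8, 9")
    for name in INTEGER_PARAMS:
        if present(name) and not str(params[name]).isdigit():
            problems.append(f"{name!r} must be a non-negative integer")
    return problems


def to_jco_properties(params: Dict[str, str],
                      mapping: Dict[str, str] = IT_RESOURCE_MAPPING) -> Dict[str, str]:
    """Apply the lookup: every mapped parameter with a value becomes a JCo
    property; empty parameters are left out so JCo defaults apply."""
    props: Dict[str, str] = {}
    for jco_key, it_param in mapping.items():
        value = str(params.get(it_param, "")).strip()
        if not value:
            continue
        if it_param in ("SNC mode", "Unicode mode"):
            value = YES_NO.get(value, value)
        props[jco_key] = value
    return props


# Sample values from Table 2-6; the address and password are constructed.
SAMPLE_DIRECT: Dict[str, str] = {
    "App server host": "192.0.2.10", "System number": "00", "Client logon": "800",
    "User logon": "remote_user", "Password": "PLACEHOLDER_PASSWORD", "Language": "EN",
    "SNC mode": "No", "Gateway service": "3300", "Peak limit": "10",
    "Pool capacity": "3", "Program ID": "IDOCLISTEN", "Repository destination": "BCE",
    "Connection Count": "2", "Unicode mode": "No",
}

if __name__ == "__main__":
    print(validate_it_resource(SAMPLE_DIRECT, "direct"))
    print(to_jco_properties(SAMPLE_DIRECT))
```

Note that Server name is deliberately not in the mapping: it names the JCo server instance rather than being a connection property, and the Program ID is passed through unchanged because, as the table says, it is case-sensitive.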

2.3.12.3 Parameters for Enabling the Use of a Logon Group

In SAP, a logon group is used as a load-sharing mechanism. When a user logs in to a logon group, the system internally routes the connection request to the logon group member with the least load.

The following parameters of the IT resource are used to enable this feature. These parameters are explained in Table 2-6.

  • Group name

  • Message server

  • R3 name

In addition, perform the following procedure on the Oracle Identity Manager host computer to enable SAP JCo connectivity:

  1. Open the following file in a text editor:

    For Microsoft Windows:

    C:\WINDOWS\system32\drivers\etc\services

    For Solaris or Linux, open the following file:

    /etc/services

  2. Add an entry in the following format:

    Note:

    Ensure that you add the entry in the correct ascending order of the port number as shown in the example.

    sapmsSYSTEM_ID          36SYSTEM_NUMBER/tcp
    

    For example:

    . . . 
    ipx               213/udp                           #IPX over IP
    ldap              389/tcp                           #Lightweight Directory Access Protocol
    sapmsE60          3600/tcp
    . . .
    
  3. Save and close the file.

  4. Create the sapmsg.ini file and add the following lines in the file:

    [Message Server]
    o01=oss001.wdf.sap-ag.de
    SYSTEM_ID=HOST_NAME
    

    For example:

    [Message Server]
    o01=oss001.wdf.sap-ag.de
    E60=mysap08.corp.example.com
    
  5. Save and close the file.

  6. On the Oracle Identity Manager host computer, copy the file into the C:\Windows directory or the root directory (depending on the operating system running on the host).
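The following is an added example, not from the documentation: it derives the sapmsSYSTEM_ID entry from the system ID and system number, inserts it into a services file at the position that keeps the port numbers in ascending order (as the note in step 2 requires), refuses a conflicting definition of the same name, and renders the sapmsg.ini fragment from step 4. The services file excerpt that demo() uses is constructed around the page's E60 example, and the assumption that the file is already in ascending port order is this example's.

```python
# Added example (not from the documentation): the services entry and the
# sapmsg.ini fragment of Section 2.3.12.3, built from SYSTEM_ID and
# SYSTEM_NUMBER. The sample services file is constructed.
import re
from typing import Dict, Tuple

SERVICE_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")


def sapms_entry(system_id: str, system_number: str) -> Tuple[str, int]:
    """sapmsSYSTEM_ID  36SYSTEM_NUMBER/tcp, e.g. E60 and 00 -> ('sapmsE60', 3600)."""
    if not re.fullmatch(r"[A-Z][A-Z0-9]{2}", system_id):
        raise ValueError("system ID must be three characters, e.g. E60")
    if not re.fullmatch(r"\d{2}", system_number):
        raise ValueError("system number must be two digits, e.g. 00")
    return f"sapms{system_id}", int("36" + system_number)


def insert_service(services_text: str, system_id: str, system_number: str) -> str:
    """Return services_text with the sapms entry placed before the first line
    whose port number is higher (the file is assumed to be in ascending port
    order). Re-running on a file that already has the entry leaves it
    unchanged; the same name on a different port or protocol is an error."""
    name, port = sapms_entry(system_id, system_number)
    lines = services_text.splitlines()
    insert_at = len(lines)
    for i, line in enumerate(lines):
        m = SERVICE_LINE.match(line)
        if not m:
            continue                      # comments and blank lines
        if m.group(1) == name:
            if int(m.group(2)) == port and m.group(3) == "tcp":
                return services_text      # already present, nothing to do
            raise ValueError(f"{name} is already defined as {m.group(2)}/{m.group(3)}")
        if int(m.group(2)) > port and insert_at == len(lines):
            insert_at = i                 # first higher port: insert here
    lines.insert(insert_at, f"{name:<18}{port}/tcp")
    return "\n".join(lines) + "\n"


def sapmsg_ini(hosts: Dict[str, str]) -> str:
    """Render the [Message Server] section: one SYSTEM_ID=HOST_NAME line each."""
    return "[Message Server]\n" + "".join(f"{sid}={host}\n" for sid, host in hosts.items())


# Constructed excerpt of a services file in ascending port order.
SAMPLE_SERVICES = (
    "# Network services, Internet style (constructed excerpt)\n"
    "ipx               213/udp                           #IPX over IP\n"
    "ldap              389/tcp                           #Lightweight Directory Access Protocol\n"
    "distcc            3632/tcp                          #distributed compiler\n"
)


def demo() -> Tuple[str, str]:
    """Add the E60 entry from the page's example and render its sapmsg.ini."""
    services = insert_service(SAMPLE_SERVICES, "E60", "00")
    ini = sapmsg_ini({"o01": "oss001.wdf.sap-ag.de", "E60": "mysap08.corp.example.com"})
    return services, ini


if __name__ == "__main__":
    services, ini = demo()
    print(services)
    print(ini)
```

To apply this to a real host, read the services file named in step 1, pass its contents to insert_service, and write the result back; the idempotent check means the script can be re-run safely on a host where the entry already exists.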

2.3.13 Creating an Authorization Policy

Note:

The procedure described in this section is applicable only if you are using Oracle Identity Manager release 11.1.x.

On Oracle Identity Manager release 11.1.x, to create an authorization policy, see the instructions given in the "Managing Authorization Policies" chapter of Oracle Fusion Middleware User's Guide for Oracle Identity Manager. The following instructions are specific to individual steps of the procedure described in the "Creating an Authorization Policy for User Management" section of that chapter:

  • When you reach Step 3, then:

    In the Policy Name field, enter a name for the policy. For example: Personnel Number Authorization Policy

  • When you reach Step 4, then:

    In the Description field, enter a description for the policy. For example: Personnel Number Authorization Policy

  • When you reach Step 7:

    In the Permissions table, select the following check boxes in the Enable column:

    • Modify User Profile

    • Search User

    • View User Details

    Click Edit Attributes.

    On the Attribute Settings page, clear all the check boxes, and then select Personnel Number, User created from HRMS, and Manager. Then, click Save.