Oracle® Identity Manager Connector Guide for SAP Employee Reconciliation Release 9.0.1 Part Number B31135-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
Note:
This connector does not have any resource adapter dependencies.The following table lists the deployment requirements for the connector.
Copy the following connector files to the destinations indicated in the following table:
To copy the external code into the correct location:
Download the SAP Java connectors file from the SAP Web site.
To do this:
Open the following page in a Web browser:
Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.
On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCO release that you want to download.
In the dialog box that is displayed, specify that you want to save the file with the following name and path:
OIM_HOME\Xellerate\SAP\lib\SAP_JCO.zip
Extract the SAP_JCO.zip
file in the directory in which you downloaded it.
Copy the sapjco.jar
file into the OIM_HOME
\Xellerate\JavaTasks
directory.
On Solaris and Linux, copy the librfccm.so
and libsapjcorfc.so
files to the /usr/local/jco
directory, and set the path to LD_LIBRARY_PATH
.
On Microsoft Windows, copy the librfccm.dll
and libsapjcorfc.dll
files to the winnt\system32
directory.
This section provides instructions for configuring the target system. You need the following information to configure the target system to deploy the SAP connector:
Login ID (administration user) having the full authorizations to import the request.
Client Number on which connector to be deployed
System number
System IP address
Server name
Login ID of the application server
Password for the application server login
This section discusses tasks that need to be performed manually in the SAP system.
Table Maintenance for BAPIF4T
The following entry is required on the SAP system for viewing F4 values of User Groups. F4 values are applicable values of a field that you can view as a drop-down list and select from. User Group is one of the fields available in the login data of user. To view the valid User Groups for a user, follow these instructions:
Run transaction code SM30
on the SAP system.
Enter BAPIF4T
as the table name and click Maintain. Ignore any warnings or messages.
Click New Entries.
On the following screen, enter XUCLASS
as the Data element and ZXL_PARTNER_BAPI_F4_AUTHORITY
as the Function name.
Save and exit.
Note:
If an entry already exists for theXUCLASS
Data element, then do not change this value.This section discusses the transport system method.
SAP Transport Request
The SAP deployment is done by SAP transport request (PACK) with the help of the SAP Basis consultant (administrator).
The connector files are compressed using the SAPCAR utility. The two files, Data
and Cofile
, of the SAP connector transport request are compressed into a single file named xlsapcar.sar.
To download the SAPCAR utility from the SAP Help Web site:
Log on to the SAP Web site at
Select a digital certificate.
Enter your SAP user name and password to connect to the SAP service marketplace.
Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.
Select SAPCAR, SAPCAR 6.20, and the operating system. This displays the download object.
Select the Object check box, and then click Add to Download Basket.
To install the SAPCAR utility and extract the SAP connector files:
On the local computer, create the C:\xlsapcar\
directory.
Copy the sapcar.exe
and xlsapcar.sar
files on the local computer in the C:\xlsapcar\
directory from the connector installation media.
Run the sapcar
utility to extract the xlsapcar.sar
file. To do this:
Click Start, and then run the cmd
command.
In the command window, open the c:\xlsapcar
directory.
Use the dir
command to verify that the two downloaded files, sapcar.exe
and xlsapcar.sar
, are in the directory.
Enter the following command to extract the xlsapcar
file:
sapcar -xvf xlsapcar.sar
This command extracts the K900208.I46
(Cofile) and R900208.I46
(Data file) files into this directory.
The SAP Basis administrator must copy these files to the SAP server in their respective locations, and then import these requests in SAP like other transport requests.
Check the log file to determine whether or not the transport was successful by clicking on the request number in transaction code STMS. Check the error codes in the log file. If the return code is 4, then the import ended with warnings. This usually happens if the object is overwritten or already exists in SAP system. If the return code is 8 or greater, then it means that there are errors in the imports. To view error details, click on the detail log. This log is useful for analyzing any issues related to transport.
Alternatively, you can confirm the transport of objects by using SAP transaction code SE80 and checking Package ZXLH in the ABAP objects.
After the successful import of the transport request, the SAP system is ready for use.
To import the connector XML file into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the SAPHRResourceObject.xml
file, which is in the OIM_HOME
\xellerate\XLIntegrations\saphrms\xml\
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the SAP HRMS IT resource is displayed.
Specify values for the parameters of the SAP HRMS IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the SAP EP
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the SAPHRXLResourceObject.xml
file. This file is in the OIM_HOME
\xellerate\XLIntegrations\saphrms\xml\
directory.
Caution:
Only one connector can be configured as a trusted source. If you import theSAPHRResourceObject.xml
file while you have another trusted source configured, then both connector reconciliations would stop working.After importing the connector XML file, proceed to Step 5: Configuring Reconciliation.
You must specify values for the SAP HRMS IT resource parameters listed in the following table.
Parameter | Description |
---|---|
SAPClient |
Port number to connect to the target system.
For example: |
SAPHost |
Server address of the target system.
For example: |
SAPLanguage |
Language of communication. The default is English (EN ). |
SAPPassword |
Password to connect to the target system |
SAPSystemNo |
SAP system number (for example, 00 ) |
SAPType |
SAP system name (R3 , for example) |
SAPUser |
SAP User (for example, xellerate ) |
TimeStamp |
The value is empty for the first reconciliation run. After the first run, the time at which the last reconciliation was completed is stored in this parameter.
For example: |
SAPsnc_mode |
This value shows if SNC is enabled or not(0 or 1 ). Other SNC values are required only if this is set to 1 . |
snc_lib |
The location of the SNC library file.
For example: |
snc_myname |
This is the SNC system name.
For example |
snc_partnername |
This is partner system name.
For example. |
snc_qop |
This parameter controls the protection level (quality of protection, QOP) at which data is transferred. The default value is 3. Valid values are:
This is required only if SNC is enabled. |
After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.
Configuring reconciliation involves creating scheduled tasks for lookup fields and user reconciliations. To create these scheduled tasks:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager should attempt to complete the task before assigning the ERROR
status to the task.
Ensure that the Disabled and Stop Execution check boxes are cleared.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the appropriate table in the Specifying Values for the Scheduled Task Attributessection for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributesClick Save. The scheduled task is created. The INACTIVE
status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Steps 5 through 10 to create the second scheduled task.
After you create both scheduled tasks, proceed to the Step 6: Configuring the Connector to Use SNC section.
This section provides information about the values to be specified for the user reconciliation scheduled task:
You must specify values for the following attributes of the user reconciliation scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.
See Also:
Reconciliation ModuleTo connect to an SAP system application server, the Java Application Server uses the Java Connector and RFC. If you want to secure these connections, you can use Secure Network Communication (SNC).
The following are the prerequisites for configuring the connector to use SNC:
The external security product must be installed on the server.
You should be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC. You must also know whether you are using the same PSE for both communication partners or individual ones.
SNC must be activated on the SAP application server.
To install the security package on the Java Application Server:
Extract the contents of the SAP Cryptographic Library installation package.
The SAP Cryptographic Library installation package is available for authorized customers at the SAP Service Marketplace at
http://service.sap.com/download
This package contains the following files:
SAP Cryptographic Library (sapcrypto.dll
for Microsoft Windows NT or libsapcrypto.ext
for UNIX)
A corresponding license ticket (ticket)
he configuration tool, sapgenpse.exe
Copy the library and the sapgenpse.exe
configuration tool to a local directory. For example, the C:\
install_dir
\SAPCryptolib
directory.
Check the file permissions. The user under which the Java Application Server runs must be able to run the library functions in the SAPCryptolib
.
Create the sec
directory in the SAPCryptolib
directory.
Copy the ticket file to the sec
directory. This is also the directory in which the PSE and credentials of the Java Application Server are to be stored.
Set the SECUDIR
environment variable for the user of the Java Application Server user to the sec
directory.
Set the SNC_LIB
environment variable for the user of the Java Application Server to the cryptographic library. In this case, the directory is C:\
install_dir
\SAPCryptolib.
To configure the connector to use SNC:
Either create a PSE or copy the SNC PSE of the application server to the SECUDIR
directory of the Java Application Server. To create the SNC PSE for the Java Application Server, use the command-line tool sapgenpse.exe
as follows:
To check the location of the SECUDIR
directory, run sapgenpse
without including any command options. The program displays information such as the library version and the location of SECUDIR.
Enter a command similar to the following to create the PSE:
sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
The following is a sample distinguished name:
CN=SAPJ2EE, O=MyCompany, C=US
The sapgenpse
command creates a PSE in the SECUDIR
directory of the Java Application Server.
Create credentials for the Java Application Server.
The Java Application Server must have active credentials at run time to be able to access its PSE. Therefore, use the command-line seclogin
of the configuration tool to "open" the PSE.
Enter the following command to open the server's PSE and create the credentials.sapgenpse
file:
seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
The credentials file, cred_v2,
for the user specified with the -O
option is created in the SECUDIR
directory.
If you are using individual PSEs, then exchange the public-key certificates of the two servers as follows:
Export your own certificate in the file by entering the following command:
sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
Import the certificate file into the SAP application server. Obtain the certificate of the SAP application server.
Import the certificate of the SAP application server by entering the following command:
sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
Set the SNC parameters in the IT Resource.
You must configure the following parameters in the IT Resource object: