Oracle® Identity Manager Connector Guide for SAP Employee Reconciliation
Release 9.0.1

Part Number B31135-01

2 Deploying the Connector

Deploying the connector involves the following steps:

Note:

This connector does not have any resource adapter dependencies.

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

| Item | Requirement |
| --- | --- |
| Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
| Target system host platform | SAP R3 4.7 |
| External Code | sapjco.jar, librfccm.so, libsapjcorfc.so, librfccm.dll, and libsapjcorfc.dll |
| SAP JCO | Version 2.0.10 |

Step 2: Copying the Connector Files and the External Code

Copy the following connector files to the destinations indicated in the following table:

| Files | Destination |
| --- | --- |
| xml\SAPHRResourceObject.xml, xml\SAPHRXLResourceObject.xml | OIM_HOME\xellerate\XLIntegrations\saphrms\xml\ |
| lib\xliSAPHR.jar, lib\sapjco.jar | OIM_HOME\Xellerate\JavaTasks\ |
| BAPI\xlsapcar.sar | C:\xlsapcar\ |
| troubleshoot\*.* | C:\connector_test_directory |
| docs\B31135_01.pdf, docs\html | OIM_HOME\Xellerate\saphrms\docs\ |

To copy the external code into the correct location:

  1. Download the SAP Java connectors file from the SAP Web site.

    To do this:

    1. Open the following page in a Web browser:

      https://websmp104.sap-ag.de/connectors

    2. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

    3. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCO release that you want to download.

    4. In the dialog box that is displayed, specify that you want to save the file with the following name and path:

      OIM_HOME\Xellerate\SAP\lib\SAP_JCO.zip
      
      
  2. Extract the SAP_JCO.zip file in the directory in which you downloaded it.

  3. Copy the sapjco.jar file into the OIM_HOME\Xellerate\JavaTasks directory.

  4. On Solaris and Linux, copy the librfccm.so and libsapjcorfc.so files to the /usr/local/jco directory, and add this directory to the LD_LIBRARY_PATH environment variable.

    On Microsoft Windows, copy the librfccm.dll and libsapjcorfc.dll files to the winnt\system32 directory.

Step 3: Configuring the Target System

This section provides instructions for configuring the target system. You need the following information to configure the target system to deploy the SAP connector:

Manual Entry in SAP

This section discusses tasks that need to be performed manually in the SAP system.

Table Maintenance for BAPIF4T

The following entry is required on the SAP system for viewing F4 values of User Groups. F4 values are the applicable values of a field, which you can view as a drop-down list and select from. User Group is one of the fields available in the login data of a user. To view the valid User Groups for a user, follow these instructions:

  1. Run transaction code SM30 on the SAP system.

  2. Enter BAPIF4T as the table name and click Maintain. Ignore any warnings or messages.

  3. Click New Entries.

  4. On the following screen, enter XUCLASS as the Data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the Function name.

  5. Save and exit.

Note:

If an entry already exists for the XUCLASS Data element, then do not change this value.

Transport System Method

This section discusses the transport system method.

SAP Transport Request

The SAP deployment is performed through an SAP transport request (PACK) with the help of the SAP Basis consultant (administrator).

The connector files are compressed using the SAPCAR utility. The two files, Data and Cofile, of the SAP connector transport request are compressed into a single file named xlsapcar.sar.

To download the SAPCAR utility from the SAP Help Web site:

  1. Log on to the SAP Web site at

    https://service.sap.com/swdc

  2. Select a digital certificate.

  3. Enter your SAP user name and password to connect to the SAP service marketplace.

  4. Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.

  5. Select SAPCAR, SAPCAR 6.20, and the operating system. This displays the download object.

  6. Select the Object check box, and then click Add to Download Basket.

To install the SAPCAR utility and extract the SAP connector files:

  1. On the local computer, create the C:\xlsapcar\ directory.

  2. Copy the sapcar.exe and xlsapcar.sar files from the connector installation media to the C:\xlsapcar\ directory on the local computer.

  3. Run the sapcar utility to extract the xlsapcar.sar file. To do this:

    1. Click Start, and then run the cmd command.

    2. In the command window, open the c:\xlsapcar directory.

    3. Use the dir command to verify that the two downloaded files, sapcar.exe and xlsapcar.sar, are in the directory.

    4. Enter the following command to extract the xlsapcar file:

      sapcar -xvf xlsapcar.sar
      
      

      This command extracts the K900208.I46 (Cofile) and R900208.I46 (Data file) files into this directory.

  4. The SAP Basis administrator must copy these files to the SAP server in their respective locations, and then import these requests in SAP like other transport requests.

  5. Check the log file to determine whether or not the transport was successful by clicking on the request number in transaction code STMS. Check the error codes in the log file. If the return code is 4, then the import ended with warnings. This usually happens if the object is overwritten or already exists in SAP system. If the return code is 8 or greater, then it means that there are errors in the imports. To view error details, click on the detail log. This log is useful for analyzing any issues related to transport.

    Alternatively, you can confirm the transport of objects by using SAP transaction code SE80 and checking Package ZXLH in the ABAP objects.

After the successful import of the transport request, the SAP system is ready for use.

Step 4: Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the SAPHRResourceObject.xml file, which is in the OIM_HOME\xellerate\XLIntegrations\saphrms\xml\ directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the SAP HRMS IT resource is displayed.

  8. Specify values for the parameters of the SAP HRMS IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the SAP EP IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

  13. If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the SAPHRXLResourceObject.xml file. This file is in the OIM_HOME\xellerate\XLIntegrations\saphrms\xml\ directory.

    Caution:

    Only one connector can be configured as a trusted source. If you import the SAPHRResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

After importing the connector XML file, proceed to Step 5: Configuring Reconciliation.

Defining IT Resources

You must specify values for the SAP HRMS IT resource parameters listed in the following table.

| Parameter | Description |
| --- | --- |
| SAPClient | Port number to connect to the target system. For example: 800 |
| SAPHost | Server address of the target system. For example: 172.20.30.267 |
| SAPLanguage | Language of communication. The default is English (EN). |
| SAPPassword | Password to connect to the target system |
| SAPSystemNo | SAP system number (for example, 00) |
| SAPType | SAP system name (R3, for example) |
| SAPUser | SAP User (for example, xellerate) |
| TimeStamp | The value is empty for the first reconciliation run. After the first run, the time at which the last reconciliation was completed is stored in this parameter. For example: Oct 27, 2005 at 16:14:00 GMT+05:30 |
| SAPsnc_mode | This value shows whether SNC is enabled or not (0 or 1). Other SNC values are required only if this is set to 1. |
| snc_lib | The location of the SNC library file. For example: c:\\usr\\sap\\sapcrypto.dll |
| snc_myname | This is the SNC system name. For example: p:CN=TST, OU=SAP, O=ORA, C=IN |
| snc_partnername | This is the partner system name. For example: p:CN=I47, OU=SAP, O=ORA, C=IN |
| snc_qop | This parameter controls the protection level (quality of protection, QOP) at which data is transferred. The default value is 3. Valid values are: 1 (secure authentication only), 2 (data integrity protection), 3 (data privacy protection), 8 (use value from the parameter), 9 (use maximum value available). This is required only if SNC is enabled. |


After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 5: Configuring Reconciliation

Configuring reconciliation involves creating scheduled tasks for lookup fields and user reconciliations. To create these scheduled tasks:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager should attempt to complete the task before assigning the ERROR status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are cleared.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the attributes of the scheduled task. Refer to the appropriate table in the Specifying Values for the Scheduled Task Attributes section for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

  11. Repeat Steps 5 through 10 to create the second scheduled task.

After you create both scheduled tasks, proceed to the Step 6: Configuring the Connector to Use SNC section.

Specifying Values for the Scheduled Task Attributes

This section provides information about the values to be specified for the user reconciliation scheduled task.

You must specify values for the following attributes of the user reconciliation scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

| Parameter Name | Sample Value | Comments |
| --- | --- | --- |
| Password | Dummy | Default password, taken while creating the Xellerate User |
| Organization | Xellerate Users | Default organization assigned to a new user |
| Role | Consultant | Default role assigned to a new user |
| Xellerate Type | End-user administrator | Default type assigned to a new user |
| ITResource | SAP CUA IT resource name | Name of the IT Resource for setting up the connection to SAP CUA |
| ResourceObject | SAP CUA resource object name | Name of the resource object into which users need to be reconciled |
| Server | CUA | Optional |

After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.

See Also:

Reconciliation Module

Step 6: Configuring the Connector to Use SNC

To connect to an SAP system application server, the Java Application Server uses the Java Connector and RFC. If you want to secure these connections, you can use Secure Network Communication (SNC).

Prerequisites to Configuring the Connector to Use SNC

The following are the prerequisites for configuring the connector to use SNC:

  • The external security product must be installed on the server.

  • You should be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC. You must also know whether you are using the same PSE for both communication partners or individual ones.

  • SNC must be activated on the SAP application server.

Installing the Security Package

To install the security package on the Java Application Server:

  1. Extract the contents of the SAP Cryptographic Library installation package.

    The SAP Cryptographic Library installation package is available for authorized customers at the SAP Service Marketplace at

    http://service.sap.com/download

    This package contains the following files:

    • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows NT or libsapcrypto.ext for UNIX)

    • A corresponding license ticket (ticket)

    • The configuration tool, sapgenpse.exe

  2. Copy the library and the sapgenpse.exe configuration tool to a local directory. For example, the C:\install_dir\SAPCryptolib directory.

  3. Check the file permissions. The user under which the Java Application Server runs must be able to run the library functions in the SAPCryptolib.

  4. Create the sec directory in the SAPCryptolib directory.

  5. Copy the ticket file to the sec directory. This is also the directory in which the PSE and credentials of the Java Application Server are to be stored.

  6. Set the SECUDIR environment variable for the user of the Java Application Server to the sec directory.

  7. Set the SNC_LIB environment variable for the user of the Java Application Server to the cryptographic library. In this case, the directory is C:\install_dir\SAPCryptolib.

Configuring the Connector to Use SNC

To configure the connector to use SNC:

  1. Either create a PSE or copy the SNC PSE of the application server to the SECUDIR directory of the Java Application Server. To create the SNC PSE for the Java Application Server, use the command-line tool sapgenpse.exe as follows:

    1. To check the location of the SECUDIR directory, run sapgenpse without including any command options. The program displays information such as the library version and the location of SECUDIR.

    2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      
      

      The sapgenpse command creates a PSE in the SECUDIR directory of the Java Application Server.

  2. Create credentials for the Java Application Server.

    The Java Application Server must have active credentials at run time to be able to access its PSE. Therefore, use the seclogin command of the configuration tool to "open" the PSE.

    Enter the following command to open the server's PSE and create the credentials:

    sapgenpse seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
    
    

    The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.

  3. If you are using individual PSEs, then exchange the public-key certificates of the two servers as follows:

    1. Export your own certificate to a file by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      
      
    2. Import the certificate file into the SAP application server. Obtain the certificate of the SAP application server.

    3. Import the certificate of the SAP application server by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      
      
  4. Set the SNC parameters in the IT Resource.

    You must configure the following parameters in the IT Resource object:

    • SAPsnc_lib

    • SAPsnc_mode

    • SAPsnc_myname

    • SAPsnc_partnername

    • SAPsnc_qop
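
The following Python check is an added example, not part of the Oracle guide or the connector: it lints a set of SNC parameter values, using the SAPsnc_* names from step 4 above and the QOP values from the table in the Defining IT Resources section. The check_snc function, the constructed sample values, and the policy of flagging QOP 1, 2, and 8 are assumptions of this example.

```python
# Added example (not Oracle/SAP code); flagging QOP 1, 2 and 8 is an assumed policy.
QOP_LEVELS = {
    "1": "secure authentication only",
    "2": "data integrity protection",
    "3": "data privacy protection",
    "8": "use value from the parameter",
    "9": "use maximum value available",
}
SNC_KEYS = ("SAPsnc_lib", "SAPsnc_myname", "SAPsnc_partnername", "SAPsnc_qop")


def check_snc(resource):
    """Return a list of findings for one IT resource parameter dict."""
    get = lambda key: str(resource.get(key, "")).strip()
    mode = get("SAPsnc_mode")
    if mode not in ("0", "1"):
        return ["SAPsnc_mode must be 0 or 1, got %r" % mode]
    if mode == "0":
        return ["SNC disabled: the RFC connection is not protected by SNC"]
    findings = []
    missing = [key for key in SNC_KEYS if not get(key)]
    if missing:
        findings.append("SNC enabled but not set: " + ", ".join(missing))
    qop = get("SAPsnc_qop")
    if qop and qop not in QOP_LEVELS:
        findings.append("SAPsnc_qop %r is not a valid value" % qop)
    elif qop in ("1", "2"):
        findings.append("SAPsnc_qop=%s is %s; data is not encrypted"
                        % (qop, QOP_LEVELS[qop]))
    elif qop == "8":
        findings.append("SAPsnc_qop=8 takes the level from a parameter "
                        "outside this IT resource; verify that setting")
    for key in ("SAPsnc_myname", "SAPsnc_partnername"):
        name = get(key)
        # The guide's sample SNC names all carry the "p:" prefix.
        if name and not name.startswith("p:"):
            findings.append("%s lacks the 'p:' prefix: %r" % (key, name))
    return findings


# Constructed sample values modelled on the examples in the parameter table.
WEAK = {
    "SAPsnc_mode": "1",
    "SAPsnc_lib": "c:\\usr\\sap\\sapcrypto.dll",
    "SAPsnc_myname": "CN=TST, OU=SAP, O=ORA, C=IN",
    "SAPsnc_partnername": "p:CN=I47, OU=SAP, O=ORA, C=IN",
    "SAPsnc_qop": "1",
}
HARDENED = dict(WEAK, SAPsnc_myname="p:CN=TST, OU=SAP, O=ORA, C=IN",
                SAPsnc_qop="3")

if __name__ == "__main__":
    for label, res in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_snc(res) or "no findings")
```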