Oracle® Identity Manager Connector Guide for SAP User Management Release 9.0.1 Part Number B31137-01
Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
Create the SAP, xml, lib, docs, and xlsapcar directories in the paths indicated, and then copy the files to the destinations specified in the following table:
To copy the external code into the correct location:
Download the SAP Java connectors file from the SAP Web site.
To do this:
Open the following page in a Web browser:
Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.
On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.
In the dialog box that is displayed, specify that you want to save the file with the following name and path:
OIM_HOME\Xellerate\SAP\lib\SAP_JCO.zip
Extract the SAP_JCO.zip file in the C:\xlsapcar\ directory.
Check that the sapjco.jar, librfc32.dll, and sapjco.dll files have been extracted into the directory.
Copy the OIM_HOME\Xellerate\SAP\lib\sapjco.jar file into the OIM_HOME\Xellerate\JavaTasks directory.
To set the path to the system variables:
On Microsoft Windows: To enable access to the SAP DLLs at run time, add OIM_HOME\Xellerate\SAP\lib\ to the system PATH variable.
On Solaris: To enable access to the SAP DLLs at run time, add OIM_HOME\Xellerate\SAP\lib\ to the system LD_LIBRARY_PATH variable.
This section provides instructions for configuring the target system. You need the following information to configure the target system to deploy the SAP connector:
Login ID of an administration user with full authorizations to import the request
Client number on which the connector is to be deployed
System number
System IP address
Server name
Login ID of the application server
Password for the application server login
This section discusses tasks that need to be performed manually in the SAP system.
Table Maintenance for BAPIF4T
The following entry is required on the SAP system for viewing F4 values of User Groups. F4 values are applicable values of a field that you can view as a drop-down list and select from. User Group is one of the fields available in the login data of user. To view the valid User Groups for a user, follow these instructions:
Run transaction code SM30 on the SAP system.
Enter BAPIF4T as the table name and click Maintain. Ignore any warnings or messages.
Click New Entries.
On the following screen, enter XUCLASS as the Data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the Function name.
Save and exit.
Note: If an entry already exists for the XUCLASS Data element, then do not change this value.
This section discusses the transport system method.
SAP Transport Request
The SAP deployment is done by SAP transport request (PACK) with the help of the SAP Basis consultant (administrator).
The connector files are compressed using the SAPCAR utility. The two files, Data and Cofile, of the SAP connector transport request are compressed into a single file named xlsapcar.sar.
To download the SAPCAR utility from the SAP Help Web site:
Log on to the SAP Web site at
Select a digital certificate.
Enter your SAP user name and password to connect to the SAP service marketplace.
Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.
Select SAPCAR, SAPCAR 6.20, and the operating system. This displays the download object.
Select the Object check box, and then click Add to Download Basket.
To install the SAPCAR utility and extract the SAP connector files:
On the local computer, create the C:\xlsapcar\ directory.
Copy the sapcar.exe and xlsapcar.sar files from the connector installation media into the C:\xlsapcar\ directory on the local computer.
Run the sapcar utility to extract the xlsapcar.sar file. To do this:
Click Start, and then run the cmd command.
In the command window, open the c:\xlsapcar directory.
Use the dir command to verify that the two downloaded files, sapcar.exe and xlsapcar.sar, are in the directory.
Enter the following command to extract the xlsapcar file:
sapcar -xvf xlsapcar.sar
This command extracts the K900208.I46 (Cofile) and R900208.I46 (Data file) files into this directory.
The SAP Basis administrator must copy these files to the SAP server in their respective locations, and then import these requests in SAP like other transport requests.
Check the log file to determine whether or not the transport was successful by clicking the request number in transaction code STMS, and check the return codes in the log file. If the return code is 4, then the import ended with warnings; this usually happens if the object is overwritten or already exists in the SAP system. If the return code is 8 or greater, then there are errors in the import. To view error details, click the detail log. This log is useful for analyzing any issues related to the transport.
Alternatively, you can confirm the transport of objects by using SAP transaction code SE80 and checking Package ZBAPI in the ABAP objects.
After the successful import of the transport request, the SAP system is ready for use.
To import the connector XML file into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the XML file:
If the target system is R3, locate the SAPR3ResourceObject.xml file.
If the target system is BIW, locate the SAPBIWResourceObject.xml file.
If the target system is CRM, locate the SAPCRMResourceObject.xml file.
The file is in the OIM_HOME\Xellerate\SAP\xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the SAP OIM_HOME IT resource is displayed.
Specify values for the parameters of the SAP R3 IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the SAP IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also: If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.
Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the SAPR3XLResourceObject.xml file. This file is in the OIM_HOME\Xellerate\sap\xml directory.
Caution: Only one connector can be configured as a trusted source. If you import the SAPR3XLResourceObject.xml, SAPBIWXLResourceObject.xml, or SAPCRMXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.
After importing the connector XML file, proceed to Step 6: Compiling Adapters.
You need to specify values for the SAP R3 IT resource parameters listed in the following table.
Parameter | Sample Value | Description
---|---|---
SAPClient | 800 | SAP client ID
SAPHost | 172.20.70.204 | SAP host IP address
SAPLanguage | EN | SAP language
SAPUser | xellerate | SAP user of the target SAP system
SAPPassword | changethis | Password of the SAP user
SAPsnc_lib | c:\\usr\\sap\\sapcrypto.dll | Path where the crypto library is placed. This is required only if Secure Network Communication (SNC) is enabled.
SAPsnc_mode | 0 | If SNC is enabled on the SAP server, then set this field to 1. Otherwise, set it to 0.
SAPsnc_myname | p:CN=TST,OU=SAP, O=ORA,c=IN | SNC system name. This is required only if SNC is enabled.
SAPsnc_partnername | p:CN=I47,OU=SAP, O=ORA, c=IN | Domain name of the SAP server. This is required only if SNC is enabled.
SAPsnc_qop | 3 | This parameter controls the protection level (quality of protection, QOP) at which data is transferred. The default value is 3. Valid values are: This is required only if SNC is enabled.
SAPSystemNo | 00 | SAP system number
SAPType | R3 | Type of SAP system, for example R3, BIW, or CRM. This is optional.
TimeStamp | Nov 16, 2004 at 11:35:00 IST | For the first reconciliation run, the timestamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter.
After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.
Configuring reconciliation involves creating scheduled tasks for lookup fields and user reconciliations. To create these scheduled tasks:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager should attempt to complete the task before assigning the ERROR status to the task.
Ensure that the Disabled and Stop Execution check boxes are cleared.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the appropriate table in the Specifying Values for the Scheduled Task Attributes section for information about the values to be specified.
See Also: Oracle Identity Manager Design Console Guide for information about adding and removing task attributes
Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Steps 5 through 10 to create the second scheduled task.
After you create both scheduled tasks, proceed to the Step 6: Compiling Adapters section.
This section provides information about the values to be specified for the following scheduled tasks:
You must specify values for the following attributes of the lookup fields reconciliation scheduled task.
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Attribute | Sample Value | Description
---|---|---
Password | Dummy | Default password taken while creating the Xellerate User
Organization | Xellerate Users | Default organization assigned to a new user
Role | Consultant | Default role assigned to a new user
Xellerate Type | End-User Administrator | Default type assigned to a new user
ITResource | SAP R3 IT Resource | Name of the IT Resource for setting up a connection with the SAP system
ResourceObject | SAP R3 Resource Object | Resource object name into which users need to be reconciled
Server | R3 | SAP Server Type (R3, BIW, CRM)
After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.
You must specify values for the following attributes of the user reconciliation scheduled task.
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Attribute Name | Sample Value | Description
---|---|---
Password | Dummy | Default password taken while creating the Xellerate User
Organization | Xellerate Users | Default organization assigned to a new user
Role | Consultant | Default role assigned to a new user
Xellerate Type | End-User Administrator | Default type assigned to a new user
ITResource | SAP R3 IT Resource | Name of the IT Resource for setting up a connection to SAP
ResourceObject | SAP R3 Resource Object | Resource object name into which users need to be reconciled
IsTrusted | False | Configuration for a trusted or nontrusted target. If it is set to
FirstTimeReconRecords | 5000 | Number of records to be fetched during first-time reconciliation if the reconciliation scheduled task times out. Initially, OIM tries to fetch all records. If the process times out, then it tries to fetch the number of records specified by this parameter. If the task times out with this number also, OIM keeps halving the number on each time-out until all records have been fetched from the target system.
Server | R3 | SAP Server Type (R3, BIW, CRM)
After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.
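The halving fallback described for FirstTimeReconRecords, as an added worked model that is not connector code: a constructed stand-in target that times out above a fixed batch size, and a fetch loop that follows the attribute description (the `make_target` and `first_time_recon` names are assumptions).

```python
from typing import Callable, List, Optional, Tuple


class ReconTimeout(Exception):
    """Raised by the target when a fetch request is too large to finish in time."""


def make_target(total: int, max_batch: int) -> Callable[[int, Optional[int]], List[str]]:
    """Constructed stand-in for the SAP target system (not a real RFC call).

    Returns the user records from `offset` onward, at most `count` of them
    (count=None means "all remaining"), and times out whenever more than
    `max_batch` records are requested at once.
    """
    users = [f"USER{i:05d}" for i in range(total)]   # constructed sample data

    def fetch(offset: int, count: Optional[int]) -> List[str]:
        wanted = (total - offset) if count is None else count
        if wanted > max_batch:
            raise ReconTimeout(f"fetching {wanted} records timed out")
        return users[offset:offset + wanted]

    return fetch


def first_time_recon(fetch: Callable[[int, Optional[int]], List[str]],
                     first_time_recon_records: int) -> Tuple[List[str], List[Tuple[Optional[int], str]]]:
    """Fetch every record the way the attribute description says OIM does:
    try all records; on time-out retry with FirstTimeReconRecords; on further
    time-outs halve the batch size until a fetch succeeds; then keep fetching
    that batch size until the target has no more records.

    Returns (records, attempts); attempts lists (batch, outcome) pairs so the
    caller can see how far the batch size had to shrink.
    """
    records: List[str] = []
    attempts: List[Tuple[Optional[int], str]] = []
    batch: Optional[int] = None          # None = ask for everything at once
    while True:
        try:
            chunk = fetch(len(records), batch)
        except ReconTimeout:
            attempts.append((batch, "timeout"))
            if batch is None:
                batch = first_time_recon_records
            elif batch > 1:
                batch //= 2
            else:
                raise                    # even single records time out: give up
            continue
        attempts.append((batch, "ok"))
        records.extend(chunk)
        # Done when the whole set arrived at once or a short/empty page came back.
        if batch is None or len(chunk) < batch:
            return records, attempts
```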
See Also: Reconciliation Module
The following adapters are imported into Oracle Identity Manager when the connector XML file is deployed. You must compile these adapters before you can use them to provision accounts on the target system.
SAP R3 Create User
SAP R3 Modify User
SAP R3 Modify UserX
SAP R3 Password Change
SAP R3 Lock UnLock User
SAP R3 Delete User
SAP R3 Add Role
SAP R3 Delete Role
SAP R3 Add Profile
SAP R3 Remove Profile
PrePopulate SAP Form
Note: To compile multiple adapters simultaneously, use the Adapter Manager form. To compile one adapter at a time, use the Adapter Factory form.
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select the Compile All option.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.
Note: Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.
Click Start. Oracle Identity Manager compiles the adapters that you specify.
See Also: Oracle Identity Manager Design Console Guide for instructions on how to use these forms
To view detailed information about an adapter:
This connector has the following configuration parameters that affect the behavior of the Change Password functionality:
validityChange: This is a flag that can be assigned the value true or false.
true: If the user's validity period has expired, then it is extended to the date specified in the validityDate parameter. The password is changed after this date.
false: If the user's validity period has expired, then it is not extended and the user's password cannot be changed.
lockChange: This is a flag that can be assigned the value true or false.
true: If the user is locked (not by the administrator), then the user is unlocked before the password is changed. If the user is locked by the administrator, then the password cannot be changed.
false: If the user is locked, then the password cannot be changed.
validityDate: Date up to which the user's validity must be extended. The date must be in the following format:
Dec 28, 2005 at 11:25:00 GMT+05:30
If this field is empty, then the user will be valid for an indefinite period.
userGroupCheck: This is a string literal with the following format:
user group to check, flag(1|0), user group to be updated after reset password
This parameter can be an empty string if there are no groups to check when the password is reset.
If the password change is to be done when the user has that group, then the value of the flag is 1.
If the password change is not to be done when the user has that group, then the value of the flag is 0.
To check multiple groups, add a record for each group to this string. Use the semicolon (;) as the delimiter. For example:
"user group to check, flag(1|0), user group to be updated after reset password; user group to check, flag(1|0), user group to be updated after reset password"
For example, if there is a user group named Inactive that is to be checked when a password is changed and if the user is assigned to this group, then the user must be moved to the Active group after the password change.
Given the preceding scenario, the setting of the userGroupCheck parameter is as follows:
"INACTIVE",1,"ACTIVE;"
If there is a group named Terminated that is to be checked when a password is changed and if the user is assigned to this group, then the password change must not be permitted. Given this scenario, the setting of the userGroupCheck parameter is as follows:
"TERMINATED,0,;"
The userGroupCheck configuration parameter has only two types of user group records:
User group for which password change is to be done with user group update: "INACTIVE",1,"ACTIVE"
User group for which password change is not to be done: "TERMINATED",0,""
If the user is assigned to a group that is not in the userGroupCheck parameter, then the password is changed. Password change is permitted for all user groups that are not mentioned in the configuration parameter value.
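The Change Password parameters above (validityChange, lockChange, validityDate, userGroupCheck) combined into one decision routine, as an added example that is not part of the connector; the `SapUser` record and the parsing and evaluation function names are assumptions standing in for the SAP-side lookups.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class GroupRule:
    group: str          # user group to check
    allow: bool         # flag 1: change the password (and move the user); 0: refuse
    update_to: str      # group to assign after the reset; "" means no update

def parse_user_group_check(value: str) -> List[GroupRule]:
    """Parse 'group,flag,newgroup;group,flag,newgroup'. Surrounding quotes are
    stripped; group names stay case-sensitive, as the SAP system requires."""
    rules = []
    for record in value.split(";"):
        record = record.strip().strip('"')
        if not record:
            continue
        parts = [p.strip().strip('"') for p in record.split(",")]
        if len(parts) != 3 or parts[1] not in ("0", "1"):
            raise ValueError(f"malformed userGroupCheck record: {record!r}")
        rules.append(GroupRule(parts[0], parts[1] == "1", parts[2]))
    return rules

@dataclass
class SapUser:           # constructed stand-in for the SAP user master record
    groups: List[str]
    validity_expired: bool = False
    locked: bool = False
    locked_by_admin: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    extend_validity_to: Optional[str] = None   # set only when validity is extended
    unlock_first: bool = False
    new_group: Optional[str] = None

def evaluate_password_change(user: SapUser, validity_change: bool, lock_change: bool,
                             validity_date: str, user_group_check: str) -> Decision:
    """Apply validityChange, lockChange, validityDate and userGroupCheck in turn."""
    decision = Decision(True, "password change permitted")
    if user.validity_expired:
        if not validity_change:
            return Decision(False, "validity period expired and validityChange is false")
        # An empty validityDate means the user becomes valid indefinitely.
        decision.extend_validity_to = validity_date or "indefinite"
    if user.locked:
        if user.locked_by_admin:
            return Decision(False, "user locked by the administrator")
        if not lock_change:
            return Decision(False, "user locked and lockChange is false")
        decision.unlock_first = True
    for rule in parse_user_group_check(user_group_check):
        if rule.group in user.groups:
            if not rule.allow:
                return Decision(False, f"user belongs to group {rule.group}")
            decision.new_group = rule.update_to or None
            break                       # first matching record decides
    return decision
```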
Note: The values specified are case-sensitive and must match the casing on the SAP system.
To connect to a SAP system application server, the Java Application Server uses the Java Connector (.jco file) and RFC (.dll files). You can use Secure Network Communication (SNC) to secure such connections.
Prerequisites to Configuring the Connector to Use SNC
The following are the prerequisites to configuring the connector to use SNC:
The external security product must be installed on the server. To install the security package on the Java Application Server:
Extract the contents of the SAP Cryptographic Library installation package. The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace at http://service.sap.com/download. This package contains the following files:
Copy the library and the sapgenpse.exe configuration tool to a local directory, for example the C:\install_dir\SAPCryptolib directory.
Check the file permissions. The user under which the Java Application Server runs must be able to run the library functions.
Create the sec directory in this directory.
Copy the ticket file to the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java Application Server will be generated.
Set the SECUDIR environment variable for the user of the Java Application Server to the sec directory.
Set the SNC_LIB environment variable for the user of the Java Application Server to the cryptographic library. In this case, the directory is C:\install_dir\SAPCryptolib.
You should be familiar with the SNC infrastructure. You must know which PSE the application server uses for SNC. You must also know whether you are using the same PSE for both communication partners or individual ones.
SNC must be activated on the SAP application server.
Configuring the Connector to Use SNC
To configure the connector to use SNC:
Either create a PSE or copy the SNC PSE of the application server to the SECUDIR directory of the Java Application Server. To create the SNC PSE for the Java Application Server, use the command-line tool sapgenpse.exe as follows:
To check the location of the SECUDIR directory, run sapgenpse without including any command options. The program displays information such as the library version and the location of the SECUDIR directory.
Enter a command similar to the following to create the PSE:
sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
The following is a sample distinguished name:
CN=SAPJ2EE, O=MyCompany, C=US
The sapgenpse command creates a PSE in the SECUDIR directory of the Java Application Server.
Create credentials for the Java Application Server.
The Java Application Server must have active credentials at run time to be able to access its PSE. Therefore, use the configuration tool's seclogin command to open the PSE.
Enter the following sapgenpse command to open the server's PSE and create the credentials file:
seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
For the user specified with the -O option, the credentials file, cred_v2, is created in the SECUDIR directory.
If you are using individual PSEs, then exchange the public-key certificates of the two servers as follows:
Export the OIM system certificate in the file by entering the following command:
sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
Import the certificate file into the SAP application server. Obtain the certificate of the SAP application server, which will need to be generated by the SAP system administrator.
Import the certificate of the SAP application server by entering the following command:
sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
Set the SNC parameters in the connector IT Resource object.
You must configure the following parameters in the IT Resource:
SAPsnc_lib
SAPsnc_mode
SAPsnc_myname
SAPsnc_partnername
SAPsnc_qop
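An added pre-flight check for the IT resource parameters listed in the Defining IT Resources table and the SNC parameters above (example code, not part of the connector). The three-digit client and two-digit system number rules are standard SAP conventions assumed here rather than stated by this guide, and the `p:` name prefix is taken from the sample values in the table.

```python
import re
from typing import Dict, List, Tuple

SNC_PARAMS = ("SAPsnc_lib", "SAPsnc_myname", "SAPsnc_partnername", "SAPsnc_qop")
KNOWN_TYPES = ("R3", "BIW", "CRM")


def check_it_resource(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to fix.

    Digit-count rules follow the usual SAP conventions (3-digit client,
    2-digit system number), an assumption not spelled out by the guide.
    """
    p = {k: (v or "").strip() for k, v in params.items()}
    findings: List[Tuple[str, str]] = []
    for name in ("SAPClient", "SAPHost", "SAPUser", "SAPPassword", "SAPSystemNo"):
        if not p.get(name):
            findings.append(("error", f"{name} is required"))
    if p.get("SAPClient") and not re.fullmatch(r"\d{3}", p["SAPClient"]):
        findings.append(("error", "SAPClient must be a three-digit client number"))
    if p.get("SAPSystemNo") and not re.fullmatch(r"\d{2}", p["SAPSystemNo"]):
        findings.append(("error", "SAPSystemNo must be a two-digit system number"))
    if p.get("SAPType") and p["SAPType"] not in KNOWN_TYPES:
        findings.append(("warning", f"SAPType {p['SAPType']!r} is not one of {KNOWN_TYPES}"))
    if p.get("SAPPassword") == "changethis":
        findings.append(("warning", "SAPPassword still holds the sample value from the guide"))
    mode = p.get("SAPsnc_mode", "0")
    if mode not in ("0", "1"):
        findings.append(("error", "SAPsnc_mode must be 0 or 1"))
    elif mode == "1":
        # With SNC on, every SNC parameter in the table must be filled in.
        for name in SNC_PARAMS:
            if not p.get(name):
                findings.append(("error", f"{name} is required when SAPsnc_mode is 1"))
        for name in ("SAPsnc_myname", "SAPsnc_partnername"):
            if p.get(name) and not p[name].startswith("p:"):
                findings.append(("warning", f"{name} does not use the p:CN=... form of the sample values"))
        if p.get("SAPsnc_qop") and not p["SAPsnc_qop"].isdigit():
            findings.append(("error", "SAPsnc_qop must be numeric (the guide's default is 3)"))
    else:
        # SNC off: the RFC connection is unprotected and SNC values are ignored.
        findings.append(("warning", "SAPsnc_mode is 0: the RFC connection is not protected by SNC"))
        for name in SNC_PARAMS:
            if p.get(name):
                findings.append(("info", f"{name} is set but ignored while SAPsnc_mode is 0"))
    return findings
```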