2 Deploying the Connector

Deploying the connector involves the following steps:

• Step 1: Verifying Deployment Requirements

• Step 2: Copying the Connector Files and External Code

• Step 3: Configuring the Target System

• Step 4: Importing the Connector XML File

• Step 5: Configuring Reconciliation

• Step 6: Compiling Adapters

• Step 7: Changing the SAP Password Behavior

• Step 8: Configuring the Connector to Use SNC

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item	Requirement
Oracle Identity Manager	Oracle Identity Manager release 8.5.3 or later
Target system host platforms	SAP 4.6C, SAP 4.7, SAP BIW 3.1, SAP CRM 4.0, SEM BCS on BIW3.1
External code	SAP custom code (sapjco.jar, librfc32.dll, and sapjcorfc.dll)
Other systems	SAP JCO
SAP JCO	Version 2.0.10

Step 2: Copying the Connector Files and External Code

Create the SAP, xml, lib, and docs, and xlsapcar directories in the paths indicated, and then copy the files to the destinations specified in the following table:

File to Be Copied	Destination
xml\sapbiwresourceobject.xml xml\sapcrmresourceobject.xml xml\sapr3resourceobject.xml xml\SAPBIWXLResourceObject.xml xml\SAPCRMXLResourceObject.xml xml\SAPR3XLResourceObject.xml	OIM_HOME\Xellerate\SAP\xml
lib\SAPAdapter.jar	OIM_HOME\Xellerate\SAP\lib OIM_HOME\Xellerate\JavaTasks\
BAPI\xlsapcar.sar	C:\xlsapcar\
docs\B31137_01.pdf docs\html	OIM_HOME\Xellerate\SAP\docs

See Also:

Files and Directories That Comprise the Connector

To copy the external code into the correct location:

1. Download the SAP Java connectors file from the SAP Web site.

   To do this:

   1. Open the following page in a Web browser:

      https://websmp104.sap-ag.de/connectors

   2. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

   3. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.

   4. In the dialog box that is displayed, specify that you want to save the file with the following name and path:

      OIM_HOME\Xellerate\SAP\lib\SAP_JCO.zip
      
      

2. Extract the SAP_JCO.zip file in the C:\xlsapcar\ directory.

3. Check if the sapjco.jar, librfc32.dll, and sapjco.dll files are extracted in the directory.

4. Copy the OIM_HOME\Xellerate\SAP\lib\sapjco.jar file into the OIM_HOME\Xellerate\JavaTasks directory.

5. To set the path to the system variables:

   • On Microsoft Windows:

     • To enable access to the SAP DLLs at run time, add OIM_HOME\Xellerate\SAP\lib\ to the system PATH variable.

   • On Solaris:

     • To enable access to the SAP DLLs at run time, add OIM_HOME\Xellerate\SAP\lib\ to the system LD_LIBRARY_PATH variable.

Step 3: Configuring the Target System

This section provides instructions for configuring the target system. You need the following information to configure the target system to deploy the SAP connector:

• Login ID (administration user) having the full authorizations to import the request.

• Client Number on which connector to be deployed

• System number

• System IP address

• Server name

• Login ID of the application server

• Password for the application server login

Manual Entry in SAP

This section discusses tasks that need to be performed manually in the SAP system.

Table Maintenance for BAPIF4T

The following entry is required on the SAP system for viewing F4 values of User Groups. F4 values are applicable values of a field that you can view as a drop-down list and select from. User Group is one of the fields available in the login data of user. To view the valid User Groups for a user, follow these instructions:

1. Run transaction code SM30 on the SAP system.

2. Enter BAPIF4T as the table name and click Maintain. Ignore any warnings or messages.

3. Click New Entries.

4. On the following screen, enter XUCLASS as the Data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the Function name.

5. Save and exit.

Note:

If an entry already exists for the XUCLASS Data element, then do not change this value.

Transport System Method

This section discusses the transport system method.

SAP Transport Request

The SAP deployment is done by SAP transport request (PACK) with the help of the SAP Basis consultant (administrator).

The connector files are compressed using the SAPCAR utility. The two files, Data and Cofile, of the SAP connector transport request are compressed into a single file named xlsapcar.sar.

To download the SAPCAR utility from the SAP Help Web site:

1. Log on to the SAP Web site at

   https://service.sap.com/swdc

2. Select a digital certificate.

3. Enter your SAP user name and password to connect to the SAP service marketplace.

4. Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.

5. Select SAPCAR, SAPCAR 6.20, and the operating system. This displays the download object.

6. Select the Object check box, and then click Add to Download Basket.

To install the SAPCAR utility and extract the SAP connector files:

1. On the local computer, create the C:\xlsapcar\ directory.

2. Copy the sapcar.exe and xlsapcar.car files on the local computer in the C:\xlsapcar\ directory from the connector installation media.

3. Run the sapcar utility to extract the xlsapcar.sar file. To do this:

   1. Click Start, and then run the cmd command.

   2. In the command window, open the c:\xlsapcar directory.

   3. Use the dir command to verify that the two downloaded files, sapcar.exe and xlsapcar.sar, are in the directory.

   4. Enter the following command to extract the xlsapcar file:

      sapcar -xvf xlsapcar.sar
      
      

      This command extracts the K900208.I46 (Cofile) and R900208.I46 (Data file) files into this directory.

4. The SAP Basis administrator must copy these files to the SAP server in their respective locations, and then import these requests in SAP like other transport requests.

5. Check the log file to determine whether or not the transport was successful by clicking on the request number in transaction code STMS. Check the error codes in the log file. If the return code is 4, then the import ended with warnings. This usually happens if the object is overwritten or already exists in SAP system. If the return code is 8 and greater then it means that there are errors in the imports. To view error details, click on the detail log. This log is useful for analyzing any issues related to transport.

   Alternatively, you can confirm the transport of objects by using SAP transaction code SE80 and checking Package ZBAPI in the ABAP objects.

After the successful import of the transport request, the SAP system is ready for use.

Step 4: Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

1. Open the Oracle Identity Manager Administrative and User Console.

2. Click the Deployment Management link on the left navigation bar.

3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

4. Locate and open the xml file.

   • If the Target system is R3 locate SAPR3ResourceObject.xml file

   • If the Target system is BIW locate SAPBIWResourceObject.xml file

   • If the Target system is CRM locate SAPCRMResourceObject.xml file

   which is in the OIM_HOME\Xellerate\SAP\xml directory. Details of this XML file are shown on the File Preview page.

5. Click Add File. The Substitutions page is displayed.

6. Click Next. The Confirmation page is displayed.

7. Click Next. The Provide IT Resource Instance Data page for the SAP OIM_HOME IT resource is displayed.

8. Specify values for the parameters of the SAP R3 IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.

9. Click Next. The Provide IT Resource Instance Data page for a new instance of the SAP IT resource type is displayed.

10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.

12. Click Import. The connector file is imported into Oracle Identity Manager.

13. If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the SAPR3XLResourceObject.xml file. This file is in the OIM_HOME\Xellerate\sap\xml directory.

Caution:

Only one connector can be configured as a trusted source. If you import the SAPR3XLResourceObject.xml, SAPBIWXLResourceObject.xml, or SAPCRMXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

After importing the connector XML file, proceed to Step 6: Compiling Adapters.

Defining IT Resources

You need to specify values for the SAP R3 IT resource parameters listed in the following table.

Parameter	Sample Value	Description and Sample Values
SAPClient	800	SAP client ID
SAPHost	172.20.70.204	SAP host IP address
SAPLanguage	EN	SAP language
SAPUser	xellerate	SAP user of the target SAP system
SAPPassword	changethis	Password of SAP user
SAPsnc_lib	c:\\usr\\sap\\sapcrypto.dll	Path where the crypto library is placed. This is required only if Secure Network Communication (SNC) is enabled.
SAPsnc_mode	0	If SNC is enabled on the SAP server, then set this field to 1. Otherwise, set it to 0.
SAPsnc_myname	p:CN=TST,OU=SAP, O=ORA,c=IN	SNC system name This is required only if SNC is enabled.
SAPsnc_partnername	p:CN=I47,OU=SAP, O=ORA, c=IN	Domain name of the SAP server This is required only if SNC is enabled.
SAPsnc_qop	3	This parameter controls the protection level (quality of protection, QOP) at which data is transferred. The default value is 3. Valid values are: 1: Secure authentication only 2: Data integrity protection 3: Data privacy protection 8: Use value from the parameter 9: Use maximum value available This is required only if SNC is enabled.
SAPSystemNo	00	SAP system number
SAPType	R3	Type of SAP system.For example, R3, BIW, CRM. This is optional.
TimeStamp	Nov 16, 2004 at 11:35:00 IST	For the first reconciliation run, the timestamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter.

After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 5: Configuring Reconciliation

Configuring reconciliation involves creating scheduled tasks for lookup fields and user reconciliations. To create these scheduled tasks:

1. Open the Oracle Identity Manager Design Console.

2. Expand the Xellerate Administration folder.

3. Select Task Scheduler.

4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager should attempt to complete the task before assigning the ERROR status to the task.

6. Ensure that the Disabled and Stop Execution check boxes are cleared.

7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

8. In the Interval region, set the following schedule parameters:

   • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

     If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

   • To set the task to run only once, select the Once option.

9. Provide values for the attributes of the scheduled task. Refer to the appropriate table in the Specifying Values for the Scheduled Task Attributessection for information about the values to be specified.

   See Also:

   Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

11. Repeat Steps 5 through 10 to create the second scheduled task.

After you create both scheduled tasks, proceed to the Step 6: Compiling Adapters section.

Specifying Values for the Scheduled Task Attributes

This section provides information about the values to be specified for the following scheduled tasks:

• Lookup Fields Reconciliation Scheduled Task

• User Reconciliation Scheduled Task

Lookup Fields Reconciliation Scheduled Task

You must specify values for the following attributes of the lookup fields reconciliation scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

Attribute	Sample Value	Description
Password	Dummy	Default password taken while creating the Xellerate User
Organization	Xellerate Users	Default organization assigned to a new user
Role	Consultant	Default role assigned to a new user
Xellerate Type	End-User Administrator	Default type assigned to a new user
ITResource	SAP R3 IT Resource	Name of the IT Resource for setting up a connection with the SAP system
ResourceObject	SAP R3 Resource Object	Resource object name into which users need to be reconciled
Server	R3	SAP Server Type (R3, BIW, CRM)

After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.

User Reconciliation Scheduled Task

You must specify values for the following attributes of the user reconciliation scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

Attribute Name	Sample Value	Description
Password	Dummy	Default password taken while creating the Xellerate User
Organization	Xellerate Users	Default organization assigned to a new user
Role	Consultant	Default role assigned to a new user
Xellerate Type	End-User Administrator	Default type assigned to a new user
ITResource	SAP R3 IT Resource	Name of the IT Resource for setting up a connection to SAP
ResourceObject	SAP R3 Resource Object	Resource object name into which users need to be reconciled
IsTrusted	False	Configuration for a trusted or nontrusted target If it is set to true, then the target is a trusted target. If it is set to false, then the target is a nontrusted target. The default value is false.
FirstTimeReconRecords	5000	Number of records to be fetched during first-time reconciliation, if reconciliation scheduled task times out. Initially, OIM tries to fetch all records. If process times out, then it tries to fetch the number of records specified by this parameter. If the task times out with this number also, OIM tries to fetch records by recursively dividing this number by 2 in event of time out, until all records have been fetched from the target system.
Server	R3	SAP Server Type (R3, BIW, CRM)

After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.

See Also:

Reconciliation Module

Step 6: Compiling Adapters

The following adapters are imported into Oracle Identity Manager when the connector XML file is deployed. You must compile these adapters before you can use them to provision accounts on the target system.

• SAP R3 Create User

• SAP R3 Modify User

• SAP R3 Modify UserX

• SAP R3 Password Change

• SAP R3 Lock UnLock User

• SAP R3 Delete User

• SAP R3 Add Role

• SAP R3 Delete Role

• SAP R3 Add Profile

• SAP R3 Remove Profile

• PrePopulate SAP Form

Note:

To compile multiple adapters simultaneously, use the Adapter Manager form. To compile one adapter at a time, use the Adapter Factory form.

To compile adapters by using the Adapter Manager form:

1. Open the Adapter Manager form.

2. To compile all the adapters that you import into the current database, select the Compile All option.

   To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.

   Note:

   Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

See Also:

Oracle Identity Manager Design Console Guide for instructions on how to use these forms

To view detailed information about an adapter:

1. Highlight the adapter in the Adapter Manager form.

2. Double-click the row header of the adapter, or right-click the adapter.

3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

Step 7: Changing the SAP Password Behavior

This connector has the following configuration parameters that affect the behavior of the Change Password functionality:

• validityChange: This is a flag that can be assigned the value true or false.

  • true: If the user's validity period has expired, then it is extended to the date specified in the validityDate parameter. The password is changed after this date.

  • false: If the user's validity period has expired, then it is not extended and the user's password cannot be changed.

• lockChange: This is a flag that can be assigned the value true or false.

  • true: If the user is locked (not by the administrator), then the user will be unlocked before the password is changed. If user is locked by the administrator, then the password cannot be changed.

  • false: If the user is locked, then the password cannot be changed.

• validityDate: Date up to which the user's validity must be extended. The date must be in the following format:

  Dec 28, 2005 at 11:25:00 GMT+05:30
  
  

  If this field is empty, then the user will be valid for an indefinite period.

• userGroupCheck: This is a string literal with the following format:

  user group to check, flag(1|0), user group to be updated after reset password
  
  

  This parameter can be an empty string if there are no groups to check when the password is reset.

  If change password is to be done and if the user has that group, then the value of the flag is 1. If change password is not to be done and if the user has that group, then the value of the flag is 0.

  To check multiple users, add the record for each user to this string. Use the semicolon (;) as the delimiter. For example:

  "user group to check, flag(1|0), user group to be updated after reset password; user group to check, flag(1|0), user group to be updated after reset password"
  
  

  For example, if there is a user group named Inactive that is to be checked when a password is changed and if the user is assigned to this group, then the user must be moved to the Active group after the password change.

  Given the preceding scenario, the setting of the userGroupCheck parameter is as follows:

  "INACTIVE",1,"ACTIVE;"
  
  

  If there is a group named Terminated that is to be checked when a password is changed and if the user is assigned to this group, then the password change must not be permitted. Given this scenario, the setting of the userGroupCheck parameter is as follows:

  "TERMINATED,0,;"
  
  

  The userGroupCheck configuration parameter has only two types of user group records:

  • User group for which password change is to be done with user group update: "INACTIVE",1,"ACTIVE"

  • User group for which password change is not to be done: "TERMINATED",0,""

  If the user is assigned to a group that is not in the userGroupCheck parameter, then the password is changed. Password change would be permitted for all user groups that are not mentioned in the configuration parameter value.

Note:

The values specified are case-sensitive and must match the casing on the SAP system.

Step 8: Configuring the Connector to Use SNC

To connect to a SAP system application server, the Java Application Server uses the Java Connector (.jco file) and RFC (.dll files). You can use Secure Network Communication (SNC) to secure such connections.

Prerequisites to Configuring the Connector to Use SNC

The following are the prerequisites to configuring the connector to use SNC:

• The external security product must be installed on the server. To install the security package on the Java Application Server:

  1. Extract the contents of the SAP Cryptographic Library installation package.

     The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace at

     http://service.sap.com/download

     This package contains the following files:

     • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows NT or libsapcrypto.ext for UNIX)

     • A corresponding license ticket file

     • The configuration tool, sapgenpse.exe

  2. Copy the library and the sapgenpse.exe configuration tool to a local directory. For example, the C:\install_dir\SAPCryptolib directory.

  3. Check the file permissions. The user under which the Java Application Server runs must be able to run the library functions.

  4. Create the sec directory in this directory.

  5. Copy the ticket file to the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java Application Server will be generated.

  6. Set the SECUDIR environment variable for the user of the Java Application Server user to the sec directory.

  7. Set the SNC_LIB environment variable for the user of the Java Application Server to the cryptographic library. In this case, the directory is C:\install_dir\SAPCryptolib.

• You should be familiar with the SNC infrastructure. You must know which PSE the application server uses for SNC. You must also know whether you are using the same PSE for both communication partners or individual ones.

• SNC must be activated on the SAP application server.

Configuring the Connector to Use SNC

To configure the connector to use SNC:

1. Either create a PSE or copy the SNC PSE of the application server to the SECUDIR directory of the Java Application Server. To create the SNC PSE for the Java Application Server, use the command-line tool sapgenpse.exe as follows:

   1. To check the location of the SECUDIR directory, run sapgenpse without including any command options. The program displays information such as the library version and the location of the SECUDIR directory.

   2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      
      

      The sapgenpse command creates a PSE in the SECUDIR directory of the Java Application Server.

2. Create credentials for the Java Application Server.

   The Java Application Server must have active credentials at run time to be able to access its PSE. Therefore, use the configuration tool's command-line seclogin to open the PSE.

   Enter the following command to open the server's PSE and create the credentials.sapgenpse file:

   seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID 
   
   

   For the user specified with the -o option, the credentials file, cred_v2, is created in the SECUDIR directory.

3. If you are using individual PSEs, then exchange the public-key certificates of the two servers as follows:

   1. Export the OIM system certificate in the file by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      
      

   2. Import the certificate file into the SAP application server. Obtain the certificate of the SAP application server, which will need to be generated by the SAP system administrator.

   3. Import the certificate of the SAP application server by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      
      

4. Set the SNC parameters in the connector IT Resource object.

   You must configure the following parameters in the IT Resource:

   • SAPsnc_lib

   • SAPsnc_mode

   • SAPsnc_myname

   • SAPsnc_partnername

   • SAPsnc_qop