Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
| Item | Requirement |
|---|---|
| Oracle Identity Manager | Oracle Identity Manager release 9.1.0.1 or later
Note: From release 9.0.4.5 onward, the connector supports SAP JCo 3.0, and SAP JCo 3.0 supports JDK 1.5 and later. Therefore, you must verify that the Oracle Identity Manager and application server combination that you use supports JDK 1.5. See the following Oracle Technology Network page for information about certified configurations of Oracle Identity Manager:
|
| Target systems | The target system can be any one of the following:
Note: From version 6.40 onward, SAP WAS is also known as "SAP NetWeaver." |
| External code | The following SAP custom code files:
Additional file for Microsoft Windows:
Additional file for Solaris and Linux:
|
| Target system user account | Oracle Identity Manager uses this user account to connect to and communicate with the target system.
For minimum authorization, create a user account and assign the If you are not able to find the profiles or role for minimum authorization, then you need to create a user account, and assign it to the You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide. If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations:
|
| JDK | JDK 1.4.2 |
Note:
In a clustered environment, copy the JAR files and the contents of theconnectorResources directory to the corresponding directories on each node of the cluster.To download and copy the external code files to the required locations:
Download the SAP Java connector file from the SAP Web site as follows:
Open the following page in a Web browser:
Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.
On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCO release that you want to download.
In the dialog box that is displayed, specify the path of the directory in which you want to save the file.
Extract the contents of the file that you download.
Copy the sapjco3.jar file into the OIM_HOME/Xellerate/ThirdParty directory.
Copy the RFC files into the required directory, and then modify the appropriate environment variable so that it includes the path to this directory:
On Microsoft Windows:
Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the PATH environment variable.
On Solaris and Linux:
Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.
Restart the server for the changes in the environment variable to take effect.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.Installing the connector on Oracle Identity Manager release 9.1.0 or later involves the following procedures:
To run the Connector Installer:
Copy the contents of the connector installation media into the following directory:
OIM_HOME/xellerate/ConnectorDefaultDirectory
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console.
Click Deployment Management, and then click Install Connector.
From the Connector List list, select SAP CUA RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory:
OIM_HOME/xellerate/ConnectorDefaultDirectory
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select SAP CUA RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 0.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run thePurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. Refer to "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector
Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled tasks that are created when you installed the connector
Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.
Copy the files from the test directory on the installation media to the following directory:
OIM_HOME/xellerate/sapcua/test
Note:
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 1-1.Installing the Connector in an Oracle Identity Manager Cluster
While installing Oracle Identity Manager in a clustered environment, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.
Note:
Perform this procedure if you are installing the connector on Oracle Identity Manager release 9.1.0 or later.You must specify values for the parameters of the SAP CUA IT Resource IT resource as follows:
Log in to the Administrative and User Console.
Expand Resource Management.
Click Manage IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter SAP CUA IT Resource and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. The following table describes each parameter:
| Parameter | Description | Default/Sample Value |
|---|---|---|
SAPChangePasswordSystem |
Flag that accepts the value X or ' '
If the value is |
X
Note: If you want to enter |
SAPClient |
SAP client ID | 800 |
SAPHost |
SAP host IP address | 172.20.70.204 |
SAPLanguage |
SAP language
The value can be any one of the following:
|
EN |
SAPMasterSystem |
SAP CUA master system | CUA47 |
SAPPassword |
Password of the SAP user | changethis |
SAPsnc_lib |
Path where the crypto library is placed
This is required only if Secure Network Communication (SNC) is enabled. |
c://usr//sap//sapcrypto.dll |
SAPsnc_mode |
Specifies whether or not SNC is to be used to secure communication between Oracle Identity Manager and the target system
The value is 1 if SNC is enabled. Otherwise, it is 0. Other SNC values are required only if this parameter is set to 1. Note: It is recommended that you enable SNC to secure communication with the target system. |
0 |
SAPsnc_myname |
SNC system name
This is required only if SNC is enabled. |
p:CN=TST,OU=SAP, O=ORA,c=IN |
SAPsnc_partnername |
Domain name of the SAP server
This is required only if SNC is enabled. |
p:CN=I47,OU=SAP, O=ORA, c=IN |
SAPsnc_qop |
Protection level (quality of protection, QOP) at which data is transferred
The default value is
This is required only if SNC is enabled. |
3 |
SAPSystemNo |
SAP system number | 00 |
SAPType |
Type of SAP system | CUA |
SAPUser |
SAP user | Xellerate |
TimeStamp |
For the first reconciliation run, the timestamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter. | The following are sample timestamp values:
English: French: Japanese: |
CustomizedReconQuery |
Query condition on which reconciliation must be based
If you specify a query condition for this parameter, then the target system records are searched based on the query condition. If you want to reconcile all the target system records, then do not specify a value for this parameter. The query can be composed with the AND (&) and OR (|) logical operators. For more information about this parameter, refer to the "Partial Reconciliation" section. |
firstname=Test&lastname=CUAuser |
To save the values, click Update.
Configuring the Oracle Identity Manager server involves performing the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
The Connector Installer copies resource bundles into the OIM_HOME/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_HOME/xellerate/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:OIM_HOME/xellerate/bin/batch_file_name
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_HOME/xellerate/config/xlConfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
Oracle WebLogic
To enable logging:
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.SAPCUA=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.SAPCUA=INFO
After you enable logging, log information is displayed on the server console.
IBM WebSphere
To enable logging:
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.SAPCUA=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.SAPCUA=INFO
After you enable logging, log information is written to the following file:
WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
JBoss Application Server
To enable logging:
In the JBoss_home/server/default/conf/log4j.xml file, add the following lines if they are not already present in the file:
<category name="XELLERATE">
<priority value="log_level"/>
</category>
<category name="XL_INTG.SAPCUA">
<priority value="log_level"/>
</category>
In the second XML code line of each set, replace log_level with the log level that you want to set. For example:
<category name="XELLERATE"> <priority value="INFO"/> </category>
<category name="XL_INTG.SAPCUA"> <priority value="INFO"/> </category>
After you enable logging, the log information is written to the following file:
JBoss_home/server/default/log/server.log
Oracle Application Server
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.SAPCUA=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.SAPCUA=INFO
After you enable logging, the log information is written to the following file:
ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
This section describes the procedures involved in configuring the target system. You may need the assistance of the SAP Basis administrator to perform some of these procedures.
Configuring the target system involves the following tasks:
The following information is required to configure the target system:
Note:
During SAP installation, a system number and client number are assigned to the server on which the installation is carried out. These items are mentioned in the following list.Login details of an admin user having the permissions required to import requests
Client number of the server on which the request is to be imported
System number
Server IP address
Server name
User ID of the account to be used for connecting to the SAP application server
Password of the account to be used for connecting to the SAP application server
The User Group field is one of the fields that hold user data in SAP. F4 values are values of a field that you can view and select from a list. You must create an entry in the BAPIF4T table to be able to view F4 values of the User Group field. To create this entry in the BAPIF4T table:
Run the SM30 transaction on the SAP system.
Enter BAPIF4T as the table name, and then click Maintain. Ignore any warnings or messages that may be displayed.
Click New Entries.
Enter XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name.
Note:
If an entry already exists for theXUCLASS data element, then do not change its value.Save the entry that you create, and then exit.
You must import the request to create some custom objects in the SAP system. These objects are listed in Appendix B.
The xlsapcuacar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcuacar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.
Importing the request involves the following steps:
The two files, Data file and Cofile, that constitute the request are compressed in the xlsapcuacar.sar file. You can use the SAPCAR utility to extract these files.
To download the SAPCAR utility from the SAP Help Web site:
Log on to the SAP Web site at
Click OK to confirm that the certificate displayed is the certificate assigned for your SAP installation.
Enter your SAP user name and password to connect to the SAP service marketplace.
Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.
Select SAPCAR, SAPCAR 6.20, and the operating system. The download object is displayed.
Select the Object check box, and then click Add to Download Basket.
Specify the directory in which you want to download the SAPCAR utility. For example: C:/xlsapcuacar
To extract the Data file and Cofile components of the request:
Copy the xlsapcuacar.sar file into the directory in which you download the SAPCAR utility.
The xlsapcuacar.sar file is in the BAPI directory inside the installation media directory.
In a command window, change to the directory in which you store the SAPCAR utility and the xlsapcuacar.sar file.
Enter the following command to extract the Data file and Cofile components of the request:
sapcar -xvf xlsapcuacar.sar
The format of the extracted files is similar to the following:
K900866.I47 (Cofile)
R900866.I47 (Data file)
To perform the request import operation:
Note:
You would need the SAP Basis administrator's assistance to perform the following steps.Copy the Data file and Cofile to the required locations on the SAP server.
Import the request into SAP.
Check the log file to determine whether or not the import was successful.
To display the log file:
Run the STMS transaction.
The list of transport requests is displayed.
Select the transport request number corresponding to the request that you import.
The transport request number is the same as the numeric part of the Cofile or Data file names. In Step 3 of the preceding procedure, for the sample Cofile (K900866.I47) and Data file (R900866.I47), the transport request number is 900866.
Click the log file icon.
If the return code displayed in the log file is 4, then it indicates that the import ended with warnings. This may happen if the object is overwritten or already exists in the SAP system. If the return code is 8 or a higher number, then there were errors during the import.
Confirm the import of the request by running the SE80 transaction and checking the ZXLC package in the ABAP objects.
Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the Java connector (sapjco.jar) and RFC (librfccm and libsapjcorfc files). If required, you can use Secure Network Communication (SNC) to secure such connections.
Note:
The Java application server used by Oracle Identity Manager can be IBM WebSphere, Oracle WebLogic, or JBoss Application Server.This section discusses the following topics:
The following are prerequisites for configuring the connector to use SNC:
SNC must be activated on the SAP application server.
You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.
To install the security package on the Java application server used by Oracle Identity Manager:
Extract the contents of the SAP Cryptographic Library installation package.
The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace Web site at
http://service.sap.com/download
This package contains the following files:
SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.ext for UNIX)
A corresponding license ticket (ticket)
The configuration tool, sapgenpse.exe
Copy the library and the sapgenpse.exe file into a local directory. For example: C:/usr/sap
Check the file permissions. Ensure that the user under which the Java application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse.exe file.
Create the sec directory inside the directory into which you copy the library and the sapgenpse.exe file.
Note:
You can use any names for the directories that you create. However, creating theC:\usr\sap\sec (or /usr/sap/sec) directory is an SAP recommendation.Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.
See Also:
The "Configuring SNC" sectionSet the SECUDIR environment variable for the Java application server user to the sec directory.
Note:
From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined inSECUDIR environment variable.For Oracle Application Server:
Remove the SECUDIR entry from the Windows environment variables, if it has been set.
Edit the ORACLE_HOME\opmn\config\opmn.xml file as follows:
Change the following:
<ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
<environment>
<variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
</environment>
To
<ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
<environment>
<variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
<variable id="SECUDIR" value="D:\snc\usr\sec"/>
</environment>
Note:
Oracle Application Server automatically creates the temporary folder based on the operating system of the computer on which it is installed.Restart Oracle Application Server.
Set the SNC_LIB and PATH environment variables for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.
To configure SNC:
Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:
To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.
Enter a command similar to the following to create the PSE:
sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
The following is a sample distinguished name:
CN=SAPJ2EE, O=MyCompany, C=US
The sapgenpse command creates a PSE in the SECUDIR directory.
Create credentials for the Java application server.
The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:
Sapgenpse seclogin
Then, enter the following command to open the PSE of the server and create the credentials.sapgenpse file:
seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
The user_ID that you specify must have administrator rights. PSE_NAME is the name of the PSE file.
The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.
Exchange the public key certificates of the two servers as follows:
Note:
If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.Export the Oracle Identity Manager certificate by entering the following command:
sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.
Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.
Import the SAP application server certificate into Oracle Identity Manager by entering the following command:
sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
Configure the following parameters in the SAP CUA IT resource object:
SAPsnc_lib
SAPsnc_mode
SAPsnc_myname
SAPsnc_partnername
SAPsnc_qop
See Also:
Information about parameters of the IT resource given earlier in this chapter