2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

Note:

Some of the procedures described in this chapter must be performed on the target system. To perform these procedures, you must use an SAP administrator account to which the SAP_ALL and SAP_NEW profiles have been assigned.

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

2.1.1.1 Files and Directories on the Installation Media

Table 2-1 describes the files and directories on the installation media.

Table 2-1 Files and Directories On the Installation Media

File in the Installation Media Directory Description

configuration/SAPCUA-CI.xml

This XML file contains configuration information that is used during connector installation.

lib/Common.jar

This JAR file contains the class files that are common to all connectors. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/JavaTasks

lib/SAPCommon.jar

This JAR file contains the class files that are common to all SAP connectors. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/JavaTasks

lib/SAPCUA.jar

This JAR file contains the class files that are specific to the SAP CUA connector. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/JavaTasks

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/connectorResources

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.

test/Troubleshoot/TroubleShootingUtility.class

This utility is used to test connector functionality.

test/Troubleshoot/global.properties

The testing utility uses this file to specify the parameters and settings required for connecting to the target system.

test/Troubleshoot/log.properties

This file is used to specify the log level and the directory in which the log file is to be created when you run the testing utility.

xml/SAP-CUA-Main-ConnectorConfig.xml

This XML file contains definitions for the following components of the connector:

  • IT resource type

  • Process form

  • Process task and adapters (along with their mappings)

  • Resource object

  • Provisioning process

  • Prepopulate rules

  • Reconciliation process

  • Lookup definitions

xml/SAP-CUA-RequestApproval-ConnectorConfig.xml

This file contains information required to enable request-based provisioning. See Section 2.3.1.1, "Enabling Request-Based Provisioning" for instructions on importing this file.

xml/SAPCUATrusted.xml

This XML file is not used by the connector. It will be removed in a future release.


2.1.1.2 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. In a temporary directory, extract the contents of the connector JAR file (SAPCUA.jar) that is in the OIM_HOME/xellerate/JavaTasks directory.

  2. Open the Manifest.mf file (META-INF/MANIFEST.MF inside the JAR) in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.

    In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.
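Reading the release number without unpacking the JAR on disk, as an added example (this is not code from the Oracle guide or from the connector; it builds a constructed SAPCUA.jar in a temporary directory whose manifest values, including the Class-Path line, are assumed for the demonstration):

```python
"""Read the connector release number from the manifest of a deployed JAR.

Added example, not part of the Oracle guide: it builds a throw-away JAR
containing a constructed META-INF/MANIFEST.MF, then reads the Version
attribute back the way the procedure above describes.
"""
import os
import tempfile
import zipfile


def parse_manifest(text):
    """Parse JAR manifest text into a dict.

    Manifest lines are 'Name: value'; a line starting with a single space is
    a continuation of the previous value (the JAR format folds lines at 72
    bytes), so long values such as Class-Path are joined back together.
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue  # tolerate junk lines rather than fail
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def jar_manifest(jar_path):
    """Return the manifest attributes of a JAR without extracting it."""
    with zipfile.ZipFile(jar_path) as jar:
        # Tolerate a lowercase member name written by some packaging tools.
        names = {n.upper(): n for n in jar.namelist()}
        member = names.get("META-INF/MANIFEST.MF")
        if member is None:
            raise ValueError("%s has no META-INF/MANIFEST.MF" % jar_path)
        return parse_manifest(jar.read(member).decode("utf-8"))


def connector_version(jar_path, attribute="Version"):
    """Release number of a connector JAR (the 'Version' manifest attribute).

    Returns None when the attribute is missing, so callers can tell
    'not a connector JAR' apart from a real version string.
    """
    return jar_manifest(jar_path).get(attribute)


# Constructed manifest in the layout the guide describes (all values assumed).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Version: 9.1.0.0\r\n"
    "Class-Path: SAPCommon.jar Common.jar sapjco3.\r\n"
    " jar\r\n"
    "Built-By: example\r\n"
)


def build_sample_jar(directory):
    """Write a constructed SAPCUA.jar with SAMPLE_MANIFEST into directory."""
    path = os.path.join(directory, "SAPCUA.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        jar.writestr("com/placeholder.txt", "constructed sample content")
    return path


def demo():
    """Build the sample JAR in a temporary directory and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        return jar_manifest(build_sample_jar(tmp))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("Deployed connector release:", connector_version(build_sample_jar(tmp)))
```

Point jar_manifest at the real OIM_HOME/xellerate/JavaTasks/SAPCUA.jar to read the deployed release; it can also be pointed at OIM_HOME/xellerate/ThirdParty/sapjco3.jar to confirm which JCo release is installed, but since this guide does not say which manifest attribute JCo uses for its release, print the whole dictionary rather than assuming one.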

2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the following procedures:

2.1.2.1 Creating a Target System User Account for Connector Operations

Note:

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in the guide.

The connector uses a target system account to connect to the target system during connector operations. For minimum authorization, create a user account and assign the S_CUS_CMP profile and SAP_BC_USER_ADMIN role to it. Set the User type to Communication: a Communication user can be used for the RFC calls that the connector makes but cannot log on interactively, which is the appropriate type for a service account.

The S_CUS_CMP profile is displayed in the following screenshot:

The S_CUS_CMP profile

The SAP_BC_USER_ADMIN role is displayed in the following screenshot:

The SAP_BC_USER_ADMIN role

The following screenshot shows the Communications user type selected:

The Communications user type

If you cannot find the profile or role for minimum authorization, then create a user account and assign the SAP_ALL and SAP_NEW profiles to it. These profiles grant full authorization on the target system, and the account's credentials are stored in the IT resource in Oracle Identity Manager, so treat this as a last resort and revert to the minimum authorization as soon as the profile and role are available.

If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations:

SAP Connection JCO Exception: User TEST_USER has no RFC authorization for function group SYST

2.1.2.2 Using External Code Files

Note:

To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.

In a clustered environment, copy the JAR files and the contents of the connector Resources directory to the corresponding directories on each node of the cluster.

To download and copy the external code files to the required locations:

  1. Download the SAP Java connector file from the SAP Web site as follows:

    1. Open the following page in a Web browser:

      https://websmp104.sap-ag.de/connectors

    2. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

    3. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.

    4. In the dialog box that is displayed, specify the path of the directory in which you want to save the file.

  2. Extract the contents of the file that you download.

  3. Copy the sapjco3.jar file into the OIM_HOME/xellerate/ThirdParty directory.

    Note:

    Ensure that you are using SAP JCo release 3.0 (the sapjco3.jar file); the file and class names used in this procedure are those of JCo 3.
  4. Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:

    • On Microsoft Windows:

      Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy the file into any directory and then add the path to that directory to the PATH environment variable.

    • On Solaris and Linux:

      Copy the sapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.

  5. Restart the server for the changes in the environment variable to take effect.

    Note:

    You can either restart the server now or after the connector is installed.
  6. To check if SAP JCo is correctly installed, in a command window, run one of the following commands:

    java -jar JCO_DIRECTORY/sapjco3.jar
    java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
    

    Figure 2-1 shows the dialog box that is displayed. The JCo classes and JCo library paths must be displayed in this dialog box.

    Figure 2-1 Dialog Box Displayed on Running the SAP JCo Test


  7. Ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. These are the Microsoft Visual C++ 2005 runtime libraries that the JCo 3 native library depends on. If they are missing, install the Microsoft Visual C++ 2005 Redistributable Package from Microsoft rather than copying the DLLs from third-party download sites.

2.2 Installation

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. Direct provisioning is automatically disabled when you enable request-based provisioning. See Section 2.3.1.1, "Enabling Request-Based Provisioning" if you want to use the request-based provisioning feature for this target system.

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory
    
  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide.

  3. Click Deployment Management, and then click Install Connector.

  4. From the Connector List list, select SAP CUA 9.1.0.0. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory 
    

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select SAP CUA 9.1.0.0.

  5. Click Load.

    The following screenshot shows this Administrative and User Console page:

    Connector Installer after clicking Load
  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 3.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. The following screenshot shows this Administrative and User Console page:

    Installation success message

    In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.1.4, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

  8. Restart Oracle Identity Manager.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

Installing the Connector in an Oracle Identity Manager Cluster

When you install the connector in a clustered Oracle Identity Manager environment, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. Then, restart each node. See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Postinstallation on Oracle Identity Manager

Configuring Oracle Identity Manager involves performing the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster. Then, restart each node.

2.3.1.1 Enabling Request-Based Provisioning

Note:

Do not configure the connector for request-based provisioning if you also want to use the connector for direct provisioning.

In request-based provisioning, an end user creates a request for a resource or entitlement by using the Administrative and User Console. Administrators or other users cannot create requests for a particular user. Requests for a particular resource or entitlement on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

Prerequisites

You must run Oracle Identity Manager in INFO mode when you import the XML file for request-based provisioning. If Oracle Identity Manager is running in DEBUG mode when you import the XML file, then the import operation does not work correctly.

Set your browser to use JRE version 1.6.0_07. If you try to import the XML file with your browser set to any other JRE version, then the browser stops responding.

To enable request-based provisioning:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the SAP-CUA-RequestApproval-ConnectorConfig.xml file, which is in the xml directory on the installation media. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

    At this stage, the Deployment Manager Import page shows an error because the process form version for request-based provisioning is the same as the process form version for direct provisioning. The following screenshot shows the Deployment Manager Import page:

    Deployment Manager Import page

    To work around this issue, perform the remaining steps of this procedure.

  8. Note down the names of the forms that show errors, that is, the forms with a red cross sign against their names.

  9. On the left pane, click Add.

    The Add link is under Substitutions on the left pane as shown in the following screenshot:

    The Add link
  10. In the pop-up window that is displayed, enter new version names for process forms that had name conflicts, as shown in the following screenshot:

    New version names for the conflicting process forms
  11. Click Next. The forms for which you enter new form versions are displayed, as shown in the following screenshot:

    New form versions
  12. Click View Selections.

    At this stage, the Deployment Manager Import page should not show an error. See the following screenshot:

    Deployment Manager Import page
  13. Click Import.

    In the message that is displayed, click Import to confirm that you want to import the XML file, and then click OK.

To suppress the Standard Approval process definition:

Note:

The Standard Approval process is common to all resource objects. If you enable request-based provisioning, then you must suppress this process definition.
  1. On the Design Console, expand Process Management and double-click Process Definition.

  2. Search for and open the Standard Approval process definition.

  3. On the Tasks tab, double-click the Approve task.

  4. On the Integration tab of the Editing Task dialog box, click Add.

  5. In the Handler Selection dialog box:

    Select System.

    Select the tcCompleteTask handler.

    Click the Save icon, and then close the dialog box.

  6. In the Editing Task dialog box, click the Save icon, and close the dialog box.

  7. Click the Save icon to save changes made to the process definition.

2.3.1.2 Modifying Dependent Lookup Query Properties for Lookup Fields on Microsoft SQL Server

Note:

Perform the procedure described in this section only if your Oracle Identity Manager installation is running on Microsoft SQL Server.

In this connector, the child forms of a resource implement the dependent lookup feature of Oracle Identity Manager. By default, the queries that synchronize lookup field values from the target system are written in Oracle Database SQL. If your Oracle Identity Manager installation is running on Microsoft SQL Server, then you must modify these lookup queries as follows:

  1. On the Design Console, expand Development Tools and double-click Form Designer.

  2. From this point onward, the procedure depends on the type of form that you are modifying:

    • For child forms:

      The following are the child forms shipped with this connector:

      • UD_SAPCUARL

      • UD_SAPCUAPR

      • UD_SPCURC_O

      • UD_SPCUPC_O

      • UD_SPCUPC_P

      • UD_SPCURC_P

      • UD_SPCURL_O

      • UD_SPCUPR_O

      Perform the following procedure for the child forms:

      1. Search for and open the parent form of the child form.

      2. On the Additional Columns tab for the Parent form, search for the row containing the ITResourceLookupField field type and note down the value in the Name column for the row.

      3. Search for and open the child form.

      4. Click Create New Version.

      5. Enter a version for the form, click the Save icon, and then close the dialog box.

      6. On the Properties tab, double-click Lookup Query in the list of components.

      7. From the Edit Property dialog box, copy the contents of the Property Value field for the Lookup Query property name into a text file. The contents of the Property Value field are the SQL query for Oracle Database.

        The following is a sample Oracle Database query for a child form's System Name field:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key  and lku_type_string_key='Lookup.SAP.CUA.ChildSystem' and substr(lkv_encoded, 1, length(concat('$Form data.UD_SPCURP_P_SERVER$','~')))= concat('$Form data.UD_SPCURP_P_SERVER$','~')
        
      8. Note down the value of the lku_type_string_key column from the Oracle Database query. In the sample Oracle Database query, the value of the lku_type_string_key column is Lookup.SAP.CUA.ChildSystem.

      9. Delete the contents of the Property Value field.

      10. Copy the following query into the Property Value field:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='LOOKUP_DEFINITION_NAME' and CHARINDEX('$Form data.IT_RESOURCE_COLUMN_NAME$' + '~' , lkv_encoded)>0
        

        In this query:

        Replace LOOKUP_DEFINITION_NAME with the lookup definition name that you noted down in Step 8.

        Replace IT_RESOURCE_COLUMN_NAME with the column name that you noted down in Step 2.

        In the SQL Server query, '+' is string concatenation and CHARINDEX returns the 1-based position of the first string within lkv_encoded (0 if it is absent), so CHARINDEX(...)>0 matches the value followed by '~' anywhere in lkv_encoded. The Oracle substr form that it replaces compares only the leading characters of lkv_encoded; if you need that prefix semantics, use CHARINDEX(...)=1 instead of >0.

        The following is a sample Oracle Database query for a child form's role field:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.SAP.CUA.Roles' and instr(lkv_encoded,concat('$Form data.UD_SPCURC_P_SYSTEMNAME$','~'))>0
        
      11. On the Additional Columns tab, search for the lookup containing the System Name field label. Note down the value in the Name column.

      12. Note down the value of the lku_type_string_key column from the Oracle Database query. In the sample Oracle Database query, the value of the lku_type_string_key column is Lookup.SAP.CUA.Roles.

      13. Delete the contents of the Property Value field.

      14. Copy the following query into the Property Value field:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='LOOKUP_DEFINITION_NAME' and CHARINDEX('$Form data.SYSTEM_NAME_COLUMN_NAME$' + '~' , lkv_encoded)>0
        

        In this query:

        Replace LOOKUP_DEFINITION_NAME with the lookup definition name that you noted down in Step 12.

        Replace SYSTEM_NAME_COLUMN_NAME with the column name that you noted down in Step 11.

      15. In the Edit Property dialog box, click the Save icon and then close the dialog box.

      16. Click the Save icon to save changes to the process form.

      17. From the Current Version list, select the version that you modified.

      18. Click Make Version Active.

      19. Click the Save icon.

    • For parent forms:

      Perform the following procedure for the UD_SAPCUA and UD_SAPCUA_O forms:

      1. Search for and open the form.

      2. Click Create New Version.

      3. Enter a version for the form, click the Save icon, and then close the dialog box.

      4. On the Additional Columns subtab of the Properties tab, search for the row containing the ITResourceLookupField field type.

      5. Note down the value in the Name column for the row containing the ITResourceLookupField field type.

      6. On the Child Tables subtab of the Properties tab, double-click Lookup Query in the list of components.

      7. From the Edit Property dialog box, copy the contents of the Property Value field for the Lookup Query property name into a text file. The contents of the Property Value field are the SQL query for Oracle Database.

        The following is a sample Oracle Database query for parent forms:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.SAP.CUA.LangComm' and substr(lkv_encoded, 1, length(concat((select svr_key from svr where svr_name='$Form data.UD_SAPCUA_RESOURCETYPE$'),'~')))=concat((select svr_key from svr where svr_name='$Form data.UD_SAPCUA_RESOURCETYPE$'),'~')
        
      8. Note down the value of the lku_type_string_key column from the Oracle Database query. In the sample Oracle Database query, the value of the lku_type_string_key column is Lookup.SAP.CUA.LangComm.

      9. Delete the contents of the Property Value field.

      10. Copy the following query into the Property Value field:

        select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='LOOKUP_DEFINITION_NAME' and CHARINDEX( (select CONVERT(varchar,svr_key)  from svr where svr_name='$Form data.IT_RESOURCE_COLUMN_NAME$') + '~' , lkv_encoded)>0
        

        In this query:

        Replace LOOKUP_DEFINITION_NAME with the lookup definition name that you noted down in Step 8.

        Replace IT_RESOURCE_COLUMN_NAME with the column name that you noted down in Step 5.

      11. In the Edit Property dialog box, click the Save icon and then close the dialog box.

      12. Click the Save icon to save changes to the process form.

      13. From the Current Version list, select the version that you modified.

      14. Click Make Version Active.

      15. Click the Save icon.
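The translation above done programmatically, as an added example that is not part of the Oracle guide or the connector: it takes the Oracle query copied from the Lookup Query property (the parent-form and child-form role sample queries from this section are reused verbatim), pulls out the lookup definition name and the $Form data.COLUMN$ placeholder, picks the parent-form or child-form template, and emits the SQL Server query so that neither value is retyped by hand. The function and template names are this example's own, and the lkv_encoded sample values used to compare the two match rules are constructed.

```python
"""Rewrite an Oracle Database dependent-lookup query for Microsoft SQL Server.

Added example, not from the Oracle guide or the connector. It automates the
manual edit in the procedure above and emulates both match rules so the
semantic difference between the Oracle and SQL Server forms is visible.
"""
import re

LOOKUP_RE = re.compile(r"lku_type_string_key\s*=\s*'([^']+)'")
FORM_VAR_RE = re.compile(r"\$Form data\.([A-Za-z0-9_]+)\$")

# Templates follow the two SQL Server queries given in this section.
CHILD_TEMPLATE = (
    "select lkv_encoded,lkv_decoded from lkv lkv,lku lku "
    "where lkv.lku_key=lku.lku_key and lku_type_string_key='{lookup}' "
    "and CHARINDEX('$Form data.{column}$' + '~' , lkv_encoded){op}"
)
PARENT_TEMPLATE = (
    "select lkv_encoded,lkv_decoded from lkv lkv,lku lku "
    "where lkv.lku_key=lku.lku_key and lku_type_string_key='{lookup}' "
    "and CHARINDEX( (select CONVERT(varchar,svr_key) from svr "
    "where svr_name='$Form data.{column}$') + '~' , lkv_encoded){op}"
)


def inspect_oracle_query(oracle_sql):
    """Return (lookup_name, form_column, is_parent_form) for an Oracle lookup query.

    Raises ValueError when the query does not have the shape the guide shows,
    so a hand-edited or unrelated query is never silently rewritten.
    """
    lookups = LOOKUP_RE.findall(oracle_sql)
    columns = set(FORM_VAR_RE.findall(oracle_sql))
    if len(lookups) != 1 or len(columns) != 1:
        raise ValueError("expected exactly one lookup name and one $Form data$ column")
    if "lkv_encoded" not in oracle_sql:
        raise ValueError("not a lkv/lku dependent lookup query")
    # Parent forms resolve the IT resource name to its numeric svr_key first.
    is_parent = "svr_name=" in oracle_sql.replace(" ", "")
    return lookups[0], columns.pop(), is_parent


def to_sql_server(oracle_sql, prefix_only=False):
    """Emit the SQL Server equivalent of an Oracle dependent-lookup query.

    prefix_only=False reproduces the guide's CHARINDEX(...)>0 (match anywhere);
    prefix_only=True anchors the match at position 1, which is what the Oracle
    substr(lkv_encoded, 1, length(...)) form actually tests.
    """
    lookup, column, is_parent = inspect_oracle_query(oracle_sql)
    op = "=1" if prefix_only else ">0"
    template = PARENT_TEMPLATE if is_parent else CHILD_TEMPLATE
    return template.format(lookup=lookup, column=column, op=op)


def charindex(needle, haystack):
    """T-SQL CHARINDEX: 1-based position of needle in haystack, 0 if absent."""
    return haystack.find(needle) + 1


def matching_codes(key, encoded_values, prefix_only):
    """Emulate the rewritten WHERE clause over lkv_encoded values for one key."""
    needle = str(key) + "~"
    hits = []
    for value in encoded_values:
        pos = charindex(needle, value)
        if (pos == 1) if prefix_only else (pos > 0):
            hits.append(value)
    return hits


# Oracle query copied from the guide's parent-form sample (unchanged).
ORACLE_PARENT = (
    "select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key "
    "and lku_type_string_key='Lookup.SAP.CUA.LangComm' and substr(lkv_encoded, 1, "
    "length(concat((select svr_key from svr where svr_name='$Form data.UD_SAPCUA_RESOURCETYPE$'),'~')))"
    "=concat((select svr_key from svr where svr_name='$Form data.UD_SAPCUA_RESOURCETYPE$'),'~')"
)
# Oracle query copied from the guide's child-form role sample (unchanged).
ORACLE_CHILD = (
    "select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key "
    "and lku_type_string_key='Lookup.SAP.CUA.Roles' and "
    "instr(lkv_encoded,concat('$Form data.UD_SPCURC_P_SYSTEMNAME$','~'))>0"
)
# Constructed lkv_encoded values: '<svr_key>~<code>' for IT resources with keys 1 and 11.
SAMPLE_ENCODED = ["1~EN", "1~DE", "11~EN", "11~FR"]

if __name__ == "__main__":
    print(to_sql_server(ORACLE_PARENT))
    print(to_sql_server(ORACLE_CHILD))
    print("key 1, CHARINDEX>0:", matching_codes(1, SAMPLE_ENCODED, prefix_only=False))
    print("key 1, CHARINDEX=1:", matching_codes(1, SAMPLE_ENCODED, prefix_only=True))
```

Running it prints the two rewritten queries and then shows how the two match rules differ: with IT resources whose svr_key values are 1 and 11, CHARINDEX(...)>0 also returns the key-11 entries for key 1, because '1~' occurs inside '11~EN', whereas CHARINDEX(...)=1 (prefix_only=True) behaves like the Oracle substr comparison. Whether this matters depends on your actual svr_key values and system names, so check them before deciding which operator to keep.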

2.3.1.3 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.3.1.4 Clearing Content Related to Connector Resource Bundles from the Server Cache

During the connector deployment procedure, files are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, change to the OIM_HOME/xellerate/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. The script must be run from within the bin directory; an exception is thrown if you run it by path, as follows:
    OIM_HOME/xellerate/bin/batch_file_name
    
  2. Enter one of the following commands:

    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle
      
    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle
      

    Note:

    You can ignore the exception that is thrown when you perform Step 2.

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    OIM_HOME/xellerate/config/xlConfig.xml
    

2.3.1.5 Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use. Perform the procedure given in one of the following sections:

2.3.1.5.1 Enabling Logging on IBM WebSphere Application Server

To enable logging:

  1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

    log4j.logger.XELLERATE=log_level
    log4j.logger.XL_INTG.SAPCUA=log_level
    
  2. In these lines, replace log_level with the log level that you want to set.

    For example:

    log4j.logger.XELLERATE=INFO
    log4j.logger.XL_INTG.SAPCUA=INFO
    

After you enable logging, log information is written to the following file:

WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
2.3.1.5.2 Enabling Logging on JBoss Application Server

To enable logging:

  1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, locate or add the following lines:

    <category name="XELLERATE">
       <priority value="log_level"/>
    </category>
    
    <category name="XL_INTG.SAPCUA">
       <priority value="log_level"/>
    </category>
    
  2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

    <category name="XELLERATE">
       <priority value="INFO"/>
    </category>
    
    <category name="XL_INTG.SAPCUA">
       <priority value="INFO"/>
    </category>
    

After you enable logging, log information is written to the following file:

JBOSS_HOME/server/default/log/server.log
2.3.1.5.3 Enabling Logging on Oracle Application Server
  1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

    log4j.logger.XELLERATE=log_level
    log4j.logger.XL_INTG.SAPCUA=log_level
    
  2. In these lines, replace log_level with the log level that you want to set.

    For example:

    log4j.logger.XELLERATE=INFO
    log4j.logger.XL_INTG.SAPCUA=INFO
    

After you enable logging, log information is written to the following file:

OAS_HOME/opmn/logs/default_group~home~default_group~1.log
2.3.1.5.4 Enabling Logging on Oracle WebLogic Server

To enable logging:

  1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

    log4j.logger.XELLERATE=log_level
    log4j.logger.XL_INTG.SAPCUA=log_level
    
  2. In these lines, replace log_level with the log level that you want to set.

    For example:

    log4j.logger.XELLERATE=INFO
    log4j.logger.XL_INTG.SAPCUA=INFO
    

After you enable logging, log information is displayed on the server console.

2.3.2 Postinstallation on the Target System

This section describes the procedures involved in configuring the target system. You may need the assistance of the SAP Basis administrator to perform some of these procedures.

Configuring the target system involves the following tasks:

2.3.2.1 Creating a Target System User Account for Connector Operations

The connector uses a target system account to connect to the target system during connector operations. To give the minimum required authorization to this user account, assign the S_CUS_CMP profile and SAP_BC_USER_ADMIN role to it. The User type must be set to Communication, as described in Section 2.1.2.1.

If you are not able to find the profiles or role for minimum authorization, then you must create a user account and assign the SAP_ALL and SAP_NEW profiles to the account. These profiles are used for full authorization.

If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations:

SAP Connection JCO Exception: User TEST_USER has no RFC authorization for function group SYST

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

2.3.2.2 Creating an Entry in the BAPIF4T Table

The User Group field is one of the fields that hold user data in SAP. F4 values are values of a field that you can view and select from a list. You must create an entry in the BAPIF4T table to be able to view F4 values of the User Group field. To create this entry in the BAPIF4T table:

  1. Run the SM30 transaction on the SAP system.

    Note:

    SM30 is a mandatory transaction required to maintain tables in the SAP system.
  2. Enter BAPIF4T as the table name, and then click Maintain. Ignore any warnings or messages that may be displayed. The following screenshot shows the BAPIF4T table:

    The BAPIF4T table
  3. Click New Entries.

  4. Enter XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name, as shown in the following screenshot:

    Data element and function name

    Note:

    If an entry already exists for the XUCLASS data element, then do not change its value.
  5. Save the entry that you create, and then exit.

2.3.2.3 Importing the Request

Custom BAPIs are used during lookup field synchronization, reconciliation, and provisioning. You must import the transport request that contains the components of these BAPIs. When you import the request, the following custom objects are created on the SAP system:

Object Type             Object Name
Package                 ZXLC
Function Group          ZXLCGRP, ZXLCHLPVALUES, ZXLCPRF, ZXLCRL, ZXLCUSR
Message Class           ZXLCBAPI
Program                 ZLCF4HLP_DATA_DEFINITIONS, ZLCMS01CTCO, ZLCMS01CTCO1, ZLCMS01CTP2, ZXLCGRP, ZXLCHLPVALUES, ZXLCPRF, ZXLCRL, ZXLCUSR
Search Help             ZXLC_ROLE, ZXLC_SYS
Business Object Types   ZXLCGRP, ZXLCHLP, ZXLCPRF, ZXLCRL, ZXLCUSR
Table                   ZXLCBAPIMODE, ZXLCBAPIMODM, ZXLCGROUPS, ZXLCPRF, ZXLCROLE, ZXLCSTRING, ZXLCSYSNAME

The xlsapcar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.

Importing the request into SAP involves the following steps:

2.3.2.3.1 Downloading the SAPCAR Utility

Note:

To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.

Every SAR file contains two files, a Datafile and a Cofile. These files contain the requests that are transported to the SAP system, and together they make up the xlsapcar.sar file. You can use the SAPCAR utility to extract them.

To download the SAPCAR utility from the SAP Help Web site:

  1. Log on to the SAP Web site at

    https://service.sap.com/swdc

  2. Click OK to confirm that the certificate displayed is the certificate assigned for your SAP installation.

  3. Enter your SAP user name and password to connect to the SAP service marketplace.

  4. Click Downloads, SAP Support Packages, Entry by Application Group, and Additional Components.

  5. Select SAPCAR, SAPCAR 7.0, and the operating system. The download object is displayed.

  6. Select the Object check box, and then click Add to Download Basket.

  7. Specify the directory in which you want to download the SAPCAR utility. For example: C:/xlsapcar

2.3.2.3.2 Extracting the Request Files

To extract the Datafile and Cofile components of the request:

  1. Copy the xlsapcar.sar file into the directory into which you downloaded the SAPCAR utility.

    The xlsapcar.sar file is in the BAPI directory inside the installation media directory.

  2. In a command window, change to the directory in which you stored the SAPCAR utility and the xlsapcar.sar file.

  3. Enter the following command to extract the Datafile and Cofile components of the request:

    sapcar -xvf xlsapcar.sar
    

    The format of the extracted files is similar to the following:

    R999999.I47 (data)

    K999999.I47 (cofile)

    The list of extracted files is displayed in the command window.

2.3.2.3.3 Performing the Request Import Operation

To perform the request import operation:

Note:

You need the SAP Basis administrator's assistance to perform the following steps.
  1. Copy the data and cofile into the SAP_HOME/trans/data and SAP_HOME/trans/cofiles directories, respectively.

  2. Log in to SAP, and run transaction STMS.

  3. To display the list of import queues, click the truck-shaped icon, as shown in the following screenshot:

    The truck-shaped icon
  4. Double-click the appropriate queue.

    Details of the queue are displayed, as shown in the following screenshot:

    Queue details
  5. From the Extras menu, select Other requests and then select Add.

  6. In the Transp. request field of the Add Transport Request to Import Queue dialog box as shown in the following screenshot, enter the transport request number, and then press Enter.

    The Add Transport Request to Import Queue dialog box
  7. When the request is added to the queue, select the request in the queue and then click the Import Request (half-truck-shaped) icon, as shown in the following screenshot:

    The half-truck-shaped icon
  8. On the Date tab of the Import Transport Request dialog box, enter the number of the client into which you are importing the request and then select Immediate. The following screenshot shows the Import Transport Request dialog box:

    The Import Transport Request dialog box
  9. On the Execution tab, select Synchronous, as shown in the following screenshot:

    The Synchronous option
  10. On the Options tab, select import options according to your requirement. The following screenshot shows the import options:

    The import options

    Note:

    It is recommended that you select the first four options displayed on the tab.
  11. Press Enter.

    The request is imported to the specified system.

  12. Check the log file to determine whether or not the import was successful.

    To display the log file:

    1. Run transaction STMS.

      Note:

      The STMS transaction is used to transport requests into the SAP system. SAR files that contain customized BAPI code are imported using the STMS transaction.
    2. Click Import overview, and double-click the appropriate transport queue on the next page.

      The list of transport requests is displayed.

    3. Select the transport request number corresponding to the request that you imported.

      The transport request number is the same as the numeric part of the Cofile or Datafile name. In Step 3 of the preceding procedure, for the sample Cofile (K900863.I47) and Datafile (R900863.I47), the transport request number is 900863.

    4. Click the log file icon.

      If the return code displayed in the log file is 4, then it indicates that the import ended with warnings. This may happen if the object is overwritten or already exists in the SAP system. If the return code is 8 or a higher number, then there were errors during the import.

  13. Confirm the import of the request by running the SE80 transaction, and checking the ZBAPI package in the ABAP objects.
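The import procedure above depends on two small details that are easy to get wrong by hand: the data and cofile must be copied into the right trans subdirectories, and the request number entered in STMS must match the numeric part of both file names. The following is an added example (not part of the Oracle documentation or the connector) that checks a cofile/datafile pair, derives the request number, and interprets the import return code as the log-file step describes it. The SAP_HOME path, the file names and the return code are constructed sample values; that a return code of 0 means success, and that the full request name has the form SIDK<number>, are assumptions of this example rather than statements on the page.

```python
import posixpath
import re

# File-name pattern from the extraction step: K<request>.<SID> is the cofile,
# R<request>.<SID> is the data file (for example K900863.I47 / R900863.I47).
TRANSPORT_FILE_RE = re.compile(r"^(?P<kind>[KR])(?P<number>\d{6})\.(?P<sid>[A-Z0-9]{3})$")


def interpret_import_return_code(rc):
    """Map an STMS import return code to an outcome.

    4 = ended with warnings and 8 or higher = errors, as the log-file step
    says; 0 = success is this example's assumption.
    """
    if rc >= 8:
        return "error"
    if rc == 4:
        return "warning"
    if rc == 0:
        return "success"
    return "unknown"


def parse_transport_file(name):
    """Split a cofile/datafile name into its kind, request number and SID."""
    m = TRANSPORT_FILE_RE.match(name)
    if not m:
        raise ValueError(f"not a transport file name: {name!r}")
    return {
        "kind": "cofile" if m.group("kind") == "K" else "datafile",
        "number": m.group("number"),
        "sid": m.group("sid"),
    }


def destination_for(name, sap_home):
    """Target path for step 1: cofiles go to trans/cofiles, data files to trans/data."""
    info = parse_transport_file(name)
    subdir = "cofiles" if info["kind"] == "cofile" else "data"
    return posixpath.join(sap_home, "trans", subdir, name)


def transport_request(cofile, datafile):
    """Return the request shared by a cofile/datafile pair, refusing mismatched pairs."""
    c = parse_transport_file(cofile)
    d = parse_transport_file(datafile)
    if c["kind"] != "cofile" or d["kind"] != "datafile":
        raise ValueError("arguments must be (cofile, datafile)")
    if (c["number"], c["sid"]) != (d["number"], d["sid"]):
        raise ValueError(f"{cofile} and {datafile} belong to different requests")
    return {
        "number": c["number"],   # the value entered in the Transp. request field
        "sid": c["sid"],
        # Full request name in SIDK<number> form (assumption; not shown on the page).
        "name": f"{c['sid']}K{c['number']}",
    }


def review_import(cofile, datafile, return_code):
    """Summarise an import: which request was imported and how its log ended."""
    req = transport_request(cofile, datafile)
    return {**req, "result": interpret_import_return_code(return_code)}


if __name__ == "__main__":
    # Constructed sample using the file names quoted in the log-file step.
    print(destination_for("K900863.I47", "/usr/sap"))
    print(review_import("K900863.I47", "R900863.I47", 4))
```

A result of "warning" is expected when the custom objects already exist on the system (for example on a re-import); "error" means the import has to be investigated with the Basis administrator before the ZXLC objects can be relied on.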

2.3.2.4 Configuring SAP Ports for Communication with Oracle Identity Manager

To enable communication between the target system and Oracle Identity Manager, you must ensure that the ports listed in Table 2-2 are open.

Table 2-2 Ports for SAP Services

Service                               Port Number Format   Default Port
Dispatcher                            32SYSTEM_NUMBER      3200
Gateway (for non-SNC communication)   33SYSTEM_NUMBER      3300
Gateway (for SNC communication)       48SYSTEM_NUMBER      4800
Message server                        36SYSTEM_NUMBER      3600


To check if these ports are open, you can, for example, try to establish a Telnet connection from Oracle Identity Manager to these ports.
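As an added example (not code from the Oracle documentation or the connector), the following derives the port numbers of Table 2-2 from the SAP system number and performs the same connectivity check as the Telnet test, but from a script, so it can be repeated from the Oracle Identity Manager host whenever the firewall rules change. The host name and system number passed in are assumptions of the caller; which gateway port applies follows the table (33xx without SNC, 48xx with SNC), while probing the dispatcher and message server in every case is this example's choice.

```python
import socket

# Port patterns from Table 2-2: a two-digit service prefix followed by the
# two-digit SAP system number (SYSTEM_NUMBER).
SAP_SERVICE_PREFIXES = {
    "dispatcher": "32",
    "gateway": "33",        # non-SNC communication
    "gateway_snc": "48",    # SNC communication
    "message_server": "36",
}


def sap_service_ports(system_number):
    """Return {service: tcp_port} for the given SAP system number (00-99)."""
    sysnr = int(system_number)
    if not 0 <= sysnr <= 99:
        raise ValueError(f"SAP system number must be 00-99, got {system_number!r}")
    return {svc: int(f"{prefix}{sysnr:02d}") for svc, prefix in SAP_SERVICE_PREFIXES.items()}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sap_ports(host, system_number, snc_enabled, timeout=3.0):
    """Probe the ports the connector needs and report {service: (port, reachable)}.

    The gateway port depends on whether SNC is used; dispatcher and message
    server are always probed (this example's assumption).
    """
    ports = sap_service_ports(system_number)
    wanted = ["dispatcher", "message_server", "gateway_snc" if snc_enabled else "gateway"]
    return {svc: (ports[svc], tcp_port_open(host, ports[svc], timeout)) for svc in wanted}


if __name__ == "__main__":
    # Constructed sample: SAP system number 00 on a placeholder host.
    for svc, (port, ok) in check_sap_ports("sap-cua.example.invalid", "00", snc_enabled=False).items():
        print(f"{svc:15} {port}  {'open' if ok else 'blocked or unreachable'}")
```

Run it from the Oracle Identity Manager host, not from the SAP host, because the point is to test the path through any firewalls between the two; a port that answers locally on the SAP server but not from Oracle Identity Manager is exactly the case the Telnet test is meant to catch.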

2.3.3 Configuring SoD

This section discusses the following procedures:

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAPR3, UD_SAPR3ROL, and UD_SAPR3PRO process forms. This is required to enable the following process:

During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.

2.3.3.1 Configuring the SAP GRC As the SoD Engine

See the "Configuring SAP GRC" section in the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference for Release 9.1.0.2 for information about this procedure.

2.3.3.2 Specifying Values for SoD-Related Entries in the Lookup.SAP.CUA.Configuration Lookup Definition

You must specify values for the following entries in the Lookup.SAP.R3.Configuration lookup definition:

  • GRC Version

    Enter the version of SAP GRC that you are using. Depending on the version of SAP GRC that you are using, the value can be either 5.2 or 5.3.

  • Risk Level

    In SAP GRC, each business risk is assigned a criticality level. You can control the risk analysis data returned by SAP GRC by specifying a risk level.

    When you specify a risk level, SAP GRC will only check for violations that are at that level or higher levels.

    You can specify one of the following risk levels:

    • The number 3 stands for Critical. If you specify 3 as the risk level, then SAP GRC returns only risk violations that are assigned the Critical level during the SoD validation process.

    • The number 2 stands for High. If you specify 2 as the risk level, then risk violations at both the Critical and High levels are returned by SAP GRC during the SoD validation process.

    • The number 1 stands for Low. If you specify 1 as the risk level, then risk violations at the Critical, High, and Low levels are returned by SAP GRC during the SoD validation process.

    • The number 0 stands for All. If you specify 0 as the risk level, then SAP GRC returns risk violations at all the levels during the SoD validation process.

To specify values for the Risk Level and GRC Version entries in the Lookup.SAP.CUA.Configuration lookup definition:

  1. On the Design Console, expand Administration and then double-click Lookup Definition.

  2. Search for and open the Lookup.SAP.CUA.Configuration lookup definition.

  3. Click Add.

  4. In the Decode column for the Risk Level Code Key, enter 0, 1, 2, or 3 as the value.

  5. In the Decode column for the GRC Version Code Key, enter 5.2 or 5.3 as the value depending on the version of SAP GRC that you are using.

  6. Click the Save icon.
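The Risk Level entry is a threshold, not a single level: SAP GRC returns violations at the specified level or higher. The following added example (not code from the Oracle documentation, the connector or SAP GRC) makes that semantics explicit for a constructed list of violations and checks the two Decode values before they are entered in the Lookup.SAP.CUA.Configuration lookup definition. The violation records and their risk IDs are constructed sample data; the Code Key names are taken from the procedure above.

```python
# Numeric risk levels as the Risk Level entry defines them.
RISK_LEVEL_NAMES = {3: "Critical", 2: "High", 1: "Low", 0: "All"}
# Criticality assigned to each violation in SAP GRC, on the same scale.
VIOLATION_LEVELS = {"Critical": 3, "High": 2, "Low": 1}
SUPPORTED_GRC_VERSIONS = {"5.2", "5.3"}


def violations_returned(violations, risk_level):
    """Violations SAP GRC returns for a risk level: those at that level or higher."""
    if risk_level not in RISK_LEVEL_NAMES:
        raise ValueError(f"Risk Level must be 0, 1, 2 or 3, got {risk_level!r}")
    return [v for v in violations if VIOLATION_LEVELS[v["level"]] >= risk_level]


def validate_sod_lookup(decode_values):
    """Check the Decode values for the GRC Version and Risk Level code keys.

    decode_values maps Code Key -> Decode string as typed in the Design Console.
    Returns a list of problems; an empty list means the entries are acceptable.
    """
    problems = []
    version = decode_values.get("GRC Version")
    if version not in SUPPORTED_GRC_VERSIONS:
        problems.append(f"GRC Version must be 5.2 or 5.3, got {version!r}")
    level = decode_values.get("Risk Level")
    if level not in {"0", "1", "2", "3"}:
        problems.append(f"Risk Level must be 0, 1, 2 or 3, got {level!r}")
    return problems


# Constructed sample violations (not from the page), one per criticality.
SAMPLE_VIOLATIONS = [
    {"risk_id": "P001", "level": "Critical"},
    {"risk_id": "B002", "level": "High"},
    {"risk_id": "F003", "level": "Low"},
]

if __name__ == "__main__":
    for level in (3, 2, 1, 0):
        ids = [v["risk_id"] for v in violations_returned(SAMPLE_VIOLATIONS, level)]
        print(f"Risk Level {level} ({RISK_LEVEL_NAMES[level]}): {ids}")
    print(validate_sod_lookup({"GRC Version": "5.3", "Risk Level": "2"}))
```

Choosing 3 keeps only Critical findings, which is the quietest setting but also the one most likely to let a High-level conflict through an entitlement request unchallenged; 0 or 1 returns everything SAP GRC knows about and leaves the decision to the approver.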

2.3.3.3 Specifying the System Name in the Lookup.SAP.CUA.Systems Lookup Definition

Enter the system name of the SAP CUA installation in the Lookup.SAP.CUA.Systems lookup definition as follows:

  1. On the Design Console, expand Administration and then double-click Lookup Definition.

  2. Search for and open the Lookup.SAP.CUA.Systems lookup definition.

  3. Click Add.

  4. In the Code Key and Decode columns, enter the system name of the SAP CUA installation. You must enter the same value in both columns.

  5. Click the Save icon.

2.3.3.4 Specifying a Value for the TopologyName IT Resource Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation of entitlement provisioning operations:

  • Oracle Identity Manager installation

  • SAP GRC installation

  • SAP CUA installation

The value that you specify for the TopologyName parameter must be the same as the value of the topologyName element in the SILConfig.xml file.

See the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference for Release 9.1.0.2 for information about this element.

See Section 2.3.5, "Configuring the IT Resource" for information about specifying values for parameters of the IT resource.

2.3.3.5 Disabling and Enabling SoD

This section describes the procedures to disable and enable SoD.

To disable SoD:

Note:

The SoD feature is disabled by default. Perform the following procedure only if the SoD feature is currently enabled and you want to disable it.
  1. Log in to the Design Console.

  2. Set the XL.SoDCheckRequired system property to FALSE as follows:

    1. Expand Administration, and double-click System Configuration.

    2. Search for and open the XL.SoDCheckRequired system property.

    3. Set the value of the system property to FALSE.

      Note:

      You need not change the values of the XL.SIL.Home.Dir and Triggers Synchronous SoD checks offline system properties.
    4. Click the Save icon.

  3. Disable the Holder and SODChecker process tasks as follows:

    1. Expand Process Management, and double-click Process Definition.

    2. Search for and open the SAP R3 Process process definition.

    3. On the Tasks tab, double-click the Holder task.

    4. On the Integration tab of the Editing Task dialog box, click Add.

    5. In the Handler Selection dialog box:

      Select System.

      Select the tcCompleteTask handler.

      Click the Save icon, and then close the dialog box.

    6. In the Editing Task dialog box, click the Save icon and close the dialog box.

    7. On the Tasks tab, double-click SODChecker.

    8. On the Integration tab of the Editing Task dialog box, click Remove and then click the Save icon.

    9. Click Add.

    10. In the Handler Selection dialog box:

      Select System.

      Select the tcCompleteTask handler.

      Click the Save icon, and then close the dialog box.

    11. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    12. Click the Save icon to save the changes made to the process definition.

  4. If you are going to perform the procedure described in Section 2.3.1.1, "Enabling Request-Based Provisioning", then in the SAP CUA Process Approval, SAP CUA Profiles Approval, and SAP CUA Roles Approval process definitions, the human approval tasks must be made unconditional as follows:

    • Log in to the Design Console.

    • Expand Process Management, and then double-click Process Definition.

    • Search for and open the approval-type process definition for the connector that you are using.

    • On the Task tab, search for the Approval task.

    • Make this task unconditional by deselecting the Conditional check box. See the following screenshot:

      The Conditional check box deselected
    • Save the changes to the process definition.

  5. Restart Oracle Identity Manager.

To enable SoD:

Note:

If you are enabling SoD for the first time, then see Oracle Identity Manager Readme for Release 9.1.0.2 for detailed information.
  1. Log in to the Design Console.

  2. Expand Administration, and double-click System Configuration.

  3. Set the XL.SoDCheckRequired system property to TRUE as follows:

    1. Search for and open the XL.SoDCheckRequired system property.

    2. Set the value of the system property to TRUE.

    3. Click the Save icon.

  4. Search for and open the XL.SIL.Home.Dir system property. Verify that the value of this system property is set to the full path and name of the SIL_HOME directory.

  5. Enable the Holder and SODChecker process tasks as follows:

    1. Expand Process Management and double-click Process Definition.

    2. Search for and open the SAP R3 Process process definition.

    3. On the Tasks tab, double-click the Holder task.

    4. On the Integration tab of the Editing Task dialog box, click Remove to remove the tcCompleteTask handler.

    5. Click the Save icon, and then close the dialog box.

    6. On the Tasks tab, double-click SODChecker.

    7. On the Integration tab of the Editing Task dialog box, click Add.

    8. In the Handler Selection dialog box:

      Select System.

      Select the InitiateSODCheck handler.

      Click the Save icon, and then close the dialog box.

    9. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    10. Click the Save icon to save the changes made to the process definition.

  6. If you are going to perform the procedure described in Section 2.3.1.1, "Enabling Request-Based Provisioning", then in the SAP CUA Process Approval, SAP CUA Profiles Approval, and SAP CUA Roles Approval process definitions, the human approval tasks must be made conditional as follows:

    • Log in to the Design Console.

    • Expand Process Management, and then double-click Process Definition.

    • Search for and open the approval-type process definition for the connector that you are using.

    • On the Task tab, search for the Approval task.

    • Make this task conditional by selecting the Conditional check box. See the following screenshot:

      The Conditional check box selected
    • Save the changes to the process definition.

  7. Restart Oracle Identity Manager.

2.3.4 Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System

Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the Java connector (sapjco.jar) and RFC (librfccm and libsapjcorfc files). If required, you can use Secure Network Communication (SNC) to secure such connections.

Note:

The Java application server used by Oracle Identity Manager can be IBM WebSphere Application Server, Oracle WebLogic Server, or JBoss Application Server.

This section discusses the following topics:

2.3.4.1 Prerequisites for Configuring the Connector to Use SNC

The following are prerequisites for configuring the connector to use SNC:

  • SNC must be activated on the SAP application server.

  • You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.

2.3.4.2 Installing the Security Package

To install the security package on the Java application server used by Oracle Identity Manager:

  1. Extract the contents of the SAP Cryptographic Library installation package.

    The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace Web site at

    http://service.sap.com/download

    This package contains the following files:

    • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.ext for UNIX)

    • A corresponding license ticket (ticket)

    • The configuration tool, sapgenpse.exe

  2. Copy the library and the sapgenpse.exe file into a local directory. For example: C:/usr/sap

  3. Check the file permissions. Ensure that the user under which the Java application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse.exe file.

  4. Create the sec directory inside the directory into which you copy the library and the sapgenpse.exe file.

    Note:

    You can use any names for the directories that you create. However, creating the C:\usr\sap\sec (or /usr/sap/sec) directory is the SAP recommendation.
  5. Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.

  6. Set the SECUDIR environment variable for the Java application server user to the sec directory.

    Note:

    From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined in the SECUDIR environment variable.

    For Oracle Application Server:

    1. Remove the SECUDIR entry from the Windows environment variables, if it has been set.

    2. Edit the ORACLE_HOME\opmn\config\opmn.xml file as follows:

      Change the following:

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
        </environment>
      

      To

      <ias-instance id="home.BMPHKTF120" name="home.BMPHKTF120">
        <environment>
          <variable id="TMP" value="C:\DOCUME~1\login user\LOCALS~1\Temp"/>
          <variable id="SECUDIR" value="D:\snc\usr\sec"/>
        </environment>
      

      Note:

      Oracle Application Server automatically creates the temporary folder based on the operating system of the computer on which it is installed.
    3. Restart Oracle Application Server.

  7. Set the SNC_LIB environment variable for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.

2.3.4.3 Configuring SNC

To configure SNC:

  1. Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:

    1. To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.

    2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      

      The sapgenpse command creates a PSE in the SECUDIR directory.

  2. Create credentials for the Java application server.

    The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:

    sapgenpse seclogin
    

    Then, enter the following command to open the PSE of the server and create the credentials file:

    sapgenpse seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID 
    

    The user_ID that you specify must have administrator rights. PSE_Name is the name of the PSE file. seclogin is a subcommand of the sapgenpse tool, not a separate program.

    The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.

  3. Exchange the public key certificates of the two servers as follows:

    Note:

    If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.
    1. Export the Oracle Identity Manager certificate by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      
    2. Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.

    3. Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.

    4. Import the SAP application server certificate into Oracle Identity Manager by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      
  4. Configure the following parameters in the SAP CUA IT resource object:

    • SAPsnc_lib

    • SAPsnc_mode

    • SAPsnc_myname

    • SAPsnc_partnername

    • SAPsnc_qop
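Before the SAPsnc_* parameters are set, it is worth confirming that the SNC preparation from the two preceding sections actually left the Java application server's environment and SECUDIR directory in the expected state: the license ticket copied in step 5 of "Installing the Security Package", the PSE created with sapgenpse get_pse, the cred_v2 file created with sapgenpse seclogin, SECUDIR pointing at that directory and SNC_LIB at its parent. The following added preflight check (not code from the Oracle documentation, SAP or the connector) does that. The PSE file name SAPJ2EE.pse and the paths in the sample run are constructed; treating group- or world-accessible files in SECUDIR as a finding is this example's hardening assumption rather than a rule stated on the page.

```python
import os
import stat

# Any group/other bit on a file in SECUDIR is reported (example's assumption).
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_secudir_contents(entries, pse_name):
    """Check a listing of SECUDIR given as {file name: st_mode bits}.

    Returns a list of findings; an empty list means the directory holds the
    ticket, the PSE and cred_v2 and none of them is exposed to other users.
    """
    findings = []
    if "ticket" not in entries:
        findings.append("license ticket missing from SECUDIR")
    if pse_name not in entries:
        findings.append(f"PSE {pse_name} missing: create it with sapgenpse get_pse")
    if "cred_v2" not in entries:
        findings.append("cred_v2 missing: create credentials with sapgenpse seclogin -O")
    for name, mode in sorted(entries.items()):
        if mode & GROUP_OR_OTHER:
            findings.append(f"{name} accessible by group/other (mode {oct(mode & 0o777)})")
    return findings


def check_snc_environment(environ):
    """SECUDIR must be set and SNC_LIB must be its parent directory (step 7)."""
    findings = []
    secudir = environ.get("SECUDIR")
    snc_lib = environ.get("SNC_LIB")
    if not secudir:
        findings.append("SECUDIR is not set")
    if not snc_lib:
        findings.append("SNC_LIB is not set")
    if secudir and snc_lib:
        parent = os.path.dirname(os.path.normpath(secudir))
        if parent != os.path.normpath(snc_lib):
            findings.append(f"SNC_LIB {snc_lib} is not the parent directory of SECUDIR {secudir}")
    return findings


def scan_secudir(path):
    """Build the {name: st_mode} listing of a real directory for check_secudir_contents."""
    return {name: os.stat(os.path.join(path, name)).st_mode for name in os.listdir(path)}


def snc_preflight(environ, pse_name, listing=None):
    """Run both checks; reads SECUDIR from disk unless a listing is supplied."""
    findings = check_snc_environment(environ)
    secudir = environ.get("SECUDIR")
    if listing is None and secudir and os.path.isdir(secudir):
        listing = scan_secudir(secudir)
    if listing is not None:
        findings += check_secudir_contents(listing, pse_name)
    return findings


if __name__ == "__main__":
    # Run against the live environment of the application server user
    # (constructed PSE name; adjust to the -p value used with sapgenpse).
    for finding in snc_preflight(os.environ, "SAPJ2EE.pse") or ["SNC preflight: no findings"]:
        print(finding)
```

Run the script as the user the Java application server runs under, since both environment variables and the file permissions are evaluated for that account; a clean result as an administrator says nothing about what the server process will see.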

2.3.5 Configuring the IT Resource

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the default IT resource. This is to ensure that end users can select the IT resource during request-based provisioning. If you create another IT resource, then you must assign INSERT, UPDATE, and DELETE permissions for the ALL USERS group on the IT resource.

You must specify values for the parameters of the SAP CUA IT Resource IT resource as follows:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter SAP CUA IT Resource and then click Search.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. The following table describes each parameter:

    Parameter: MasterPasswordUpdateOnly
    Description: Flag that accepts the value yes or no. If the value is yes, then the password is changed only in the master system. If the value is no, then the password is changed in both master and child systems. This parameter is used by the Reset Password function.
    Default/Sample Value: yes

    Parameter: SAPClient
    Description: SAP client ID
    Default/Sample Value: 800

    Parameter: SAPHost
    Description: SAP host IP address
    Default/Sample Value: 172.20.70.204

    Parameter: SAPLanguage
    Description: SAP language. The value can be any one of the following: EN (for English), JA (for Japanese), FR (for French)
    Default/Sample Value: EN

    Parameter: SAPMasterSystem
    Description: SAP CUA master system
    Default/Sample Value: CUA47

    Parameter: SAPPassword
    Description: Password of the target system user account that you create for connector operations. See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information.
    Default/Sample Value: passw0rd1

    Parameter: SAPsnc_lib
    Description: Path where the crypto library is placed. This is required only if Secure Network Communication (SNC) is enabled.
    Default/Sample Value: c://usr//sap//sapcrypto.dll

    Parameter: SAPsnc_mode
    Description: Specifies whether or not SNC is to be used to secure communication between Oracle Identity Manager and the target system. The value is 1 if SNC is enabled. Otherwise, it is 0. Other SNC values are required only if this parameter is set to 1.
    Note: It is recommended that you enable SNC to secure communication with the target system.
    Default/Sample Value: 0

    Parameter: SAPsnc_myname
    Description: SNC system name. Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager.
    Default/Sample Value: p:CN=TST,OU=SAP, O=ORA,c=IN

    Parameter: SAPsnc_partnername
    Description: Domain name of the SAP server. Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager.
    Default/Sample Value: p:CN=I47,OU=SAP, O=ORA, c=IN

    Parameter: SAPsnc_qop
    Description: Protection level (quality of protection, QOP) at which data is transferred. The default value is 3. Valid values are:
      • 1: Secure authentication only
      • 2: Data integrity protection
      • 3: Data privacy protection
      • 8: Use value from the parameter
      • 9: Use maximum value available
    Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager.
    Default/Sample Value: 3

    Parameter: SAPSystemNo
    Description: SAP system number
    Default/Sample Value: 00

    Parameter: SAPType
    Description: Type of SAP system
    Default/Sample Value: CUA

    Parameter: SAPUser
    Description: User ID of the target system user account that you create for connector operations. See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information.
    Default/Sample Value: oimuser

    Parameter: TimeStamp
    Description: For the first reconciliation run, the timestamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter. The following are sample timestamp values:
      English: Jun 01, 2006 at 10:00:00 GMT+05:30
      French: juin. 01, 2006 at 10:00:00 GMT+05:30
      Japanese: 6 01, 2006 at 10:00:00 GMT+05:30
    Default/Sample Value: (not set)

    Parameter: TopologyName
    Description: Value of the Topology Name element in the SIL configuration file. See Oracle Identity Manager Tools Reference for Release 9.1.0.2 for more information.
    Default/Sample Value: (none)

    Parameter: TimeoutRetryCount
    Description: Enter the number of times the connector method that is trying to add a role or profile to a user must be retried.
    Default/Sample Value: 0

    Parameter: TimeoutCount
    Description: Enter the delay in milliseconds that the connector method that is trying to add a role or profile to a user must wait after a timeout is encountered.
    Default/Sample Value: 0

  8. To save the values, click Update.
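The parameter table carries several constraints that the Manage IT Resource page does not enforce for you: the dependencies between SAPsnc_mode and the other SAPsnc_* values, the fixed value sets for SAPsnc_qop and SAPLanguage, and the recommendation to enable SNC. The following added example (not code from the Oracle documentation or the connector) validates a set of parameter values against those rules before they are entered, flagging a configuration that still carries the sample values from the table. The hardened password and the severity labels are this example's constructs; the expectation that SNC names start with "p:" is taken from the form of the two sample values in the table and is an assumption of this example.

```python
SNC_QOP_MEANINGS = {
    "1": "secure authentication only",
    "2": "data integrity protection",
    "3": "data privacy protection",
    "8": "use value from the parameter",
    "9": "use maximum value available",
}
LANGUAGES = {"EN", "JA", "FR"}
SNC_DEPENDENT = ("SAPsnc_lib", "SAPsnc_myname", "SAPsnc_partnername", "SAPsnc_qop")
# Sample password printed in the parameter table; leaving it in place is a finding.
TABLE_SAMPLE_PASSWORD = "passw0rd1"


def validate_it_resource(params):
    """Return [(severity, message)] for a dict of SAP CUA IT resource parameter values.

    "error" marks a value the table does not allow; "warning" marks a value that
    is allowed but weaker than the documented recommendation.
    """
    findings = []

    def err(message):
        findings.append(("error", message))

    def warn(message):
        findings.append(("warning", message))

    def get(key):
        return (params.get(key) or "").strip()

    if get("MasterPasswordUpdateOnly") not in {"yes", "no"}:
        err("MasterPasswordUpdateOnly must be yes or no")
    if not (get("SAPClient").isdigit() and len(get("SAPClient")) == 3):
        err("SAPClient must be a three-digit client ID such as 800")
    if not (get("SAPSystemNo").isdigit() and len(get("SAPSystemNo")) == 2):
        err("SAPSystemNo must be a two-digit system number such as 00")
    if get("SAPLanguage") not in LANGUAGES:
        err("SAPLanguage must be EN, JA or FR")
    for key in ("SAPHost", "SAPMasterSystem", "SAPUser", "SAPPassword"):
        if not get(key):
            err(f"{key} must not be empty")
    if get("SAPPassword") == TABLE_SAMPLE_PASSWORD:
        err("SAPPassword still holds the sample value from the documentation table")
    for key in ("TimeoutRetryCount", "TimeoutCount"):
        if not get(key).isdigit():
            err(f"{key} must be a non-negative integer")

    mode = get("SAPsnc_mode")
    if mode not in {"0", "1"}:
        err("SAPsnc_mode must be 0 (SNC off) or 1 (SNC on)")
    elif mode == "0":
        warn("SNC is disabled; enabling it is recommended to secure communication with the target system")
    else:
        for key in SNC_DEPENDENT:
            if not get(key):
                err(f"{key} is required when SAPsnc_mode is 1")
        qop = get("SAPsnc_qop")
        if qop and qop not in SNC_QOP_MEANINGS:
            err("SAPsnc_qop must be 1, 2, 3, 8 or 9")
        elif qop in {"1", "2"}:
            warn(f"SAPsnc_qop {qop} ({SNC_QOP_MEANINGS[qop]}) does not protect data privacy; 3 is the default")
        for key in ("SAPsnc_myname", "SAPsnc_partnername"):
            if get(key) and not get(key).startswith("p:"):
                warn(f"{key} does not use the p:<distinguished name> form shown in the table")
    return findings


# The Default/Sample Value column of the table, as a constructed input.
TABLE_SAMPLE_VALUES = {
    "MasterPasswordUpdateOnly": "yes", "SAPClient": "800", "SAPHost": "172.20.70.204",
    "SAPLanguage": "EN", "SAPMasterSystem": "CUA47", "SAPPassword": "passw0rd1",
    "SAPsnc_lib": "c://usr//sap//sapcrypto.dll", "SAPsnc_mode": "0",
    "SAPsnc_myname": "p:CN=TST,OU=SAP, O=ORA,c=IN",
    "SAPsnc_partnername": "p:CN=I47,OU=SAP, O=ORA, c=IN", "SAPsnc_qop": "3",
    "SAPSystemNo": "00", "SAPType": "CUA", "SAPUser": "oimuser",
    "TopologyName": "", "TimeoutRetryCount": "0", "TimeoutCount": "0",
}

if __name__ == "__main__":
    for severity, message in validate_it_resource(TABLE_SAMPLE_VALUES):
        print(f"{severity}: {message}")
```

Run against the table's own sample column, the check reports the unchanged sample password as an error and SNC being off as a warning; a configuration with a real password, SAPsnc_mode set to 1 and SAPsnc_qop left at 3 passes cleanly.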