| Oracle® Waveset 8.1.1 Connector Reference Release 8.1.1 E25959-06 |
|
|
PDF · Mobi · ePub |
| Oracle® Waveset 8.1.1 Connector Reference Release 8.1.1 E25959-06 |
|
|
PDF · Mobi · ePub |
This chapter includes the following information about the SAP User Management Engine (UME) connector for Oracle Waveset:
The SAP UME connector for Oracle Waveset provides provisioning and reconciliation for SAP UME target systems. The connector uses the Service Provisioning Markup Language (SPML) to access these data sources on SAP UME target systems:
System database of Application Server (AS) for Java (AS Java database)
User Management of Application Server (AS) Advanced Business Application Programming (ABAP) database (AS ABAP database)
Lightweight Directory Access Protocol (LDAP) directory service (LDAP directory service}
The SAP UME connector also supports remote role assignment in a Federated Portal Network (FPN) configuration. FPN allows organizations with multiple portals, both SAP and non-SAP, to share content between independent portals. In FPN, the producers hold and run the applications. The consumer manages the redirect to producer portals. Remote role assignment enables the consumer administrator to assign complete roles offered by an SAP producer.
The SAP UME connector is implemented using the Identity Connector Framework (ICF). The ICF provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. For more information about the ICF, see Chapter 1, "Identity Connectors Overview".
The SAP UME connector supersedes the SAP Enterprise Portal resource adapter. To migrate from a resource adapter deployment, see Migrating to the SAP UME Connector From a SAP Enterprise Portal Resource Adapter.
This section provides the following additional information about the SAP UME connector:
The following figure shows the SAP UME connector architecture.
Figure 11-1 SAP UME Connector Architecture
The SAP UME connector architecture includes these components:
Oracle Waveset includes the connector integration files. These files are XML files that provide the configuration information necessary to transform data from a resource to Oracle Waveset. Integration files are sometimes called the connector "glue" code.
The Identity Connector Framework (ICF) provides basic provisioning, logging, and other functions that Oracle Waveset (and Oracle Identity Manager) connectors can use.
The SAP UME connector uses the OpenSPML Toolkit to send requests to the SPML service running on the SAP UME target system.
On the SAP UME target system, the SPML Service provides the provisioning and reconciliation capabilities for the specific data source. The SAP UME connector supports these data sources:
AS Java database
AS ABAP database
LDAP directory service
The SAP UME connector supports agentless target deployment; that is, an agent is not required.
If you are installing the SAP UME connector in the Connector Server, see also SAP UME Connector Deployment Architecture With the Connector Server.
The SAP UME connector for Oracle Waveset supports these operations:
Table 11-1 SAP UME Connector Operations
| Operation | Description |
|---|---|
|
Account provisioning |
Operations include:
|
|
Reconciliation |
Only full and incremental reconciliation are supported. Active sync is not supported. |
The SAP UME connector for Oracle Waveset supports the resource configuration parameters shown in the following table. These attributes must be defined in the SAP UME connector resource configuration (that is, SAPUMEConfiguration.java). The first column includes both the display name and field name for each parameter.
Table 11-2 Resource Configuration Parameters for the SAP UME Connector
| Resource Configuration Parameter | Description |
|---|---|
|
URL ( |
SPML service URL on the SAP target system, in the following format: http(s)://sap-target-system:port-number/spml/spmlservice For SSL communication, you must use the |
|
User ID ( |
User ID used for authentication. |
|
Password ( |
Password for the user ID used for authentication. |
|
Enable Change Password ( |
Flag that specifies whether to change the password instead of resetting the password, in order to prevent users from changing the password at the first log on. Values can be Yes or No. The SAP UME target system expects the user to change the password at the next logon once the password is set by an administrator. To prevent this scenario, the first SPML request sets the password with a dummy password. Then, the second SPML request changes the password from the dummy password to the password entered in the process form. The security policy of some target systems allows changing the password only once per day. In this situation, the target system allows resetting the password and not changing the password. The target system will throw the error message "Could not update user NEW_PASSWORD_INVALID". In this situation, set this parameter value to No. |
|
Dummy Password ( |
Dummy password used if the |
|
Enable Date ( |
Maximum date to set while enabling a user, in the format: The default value is |
|
Log SPML Request ( |
To log SPML requests, set this parameter to Yes. |
|
Password Handling Support ( |
If the SAP UME is configured with an LDAP data source in writable mode, SSL configuration between the SAP UME and the LDAP data source is required for password management. With an LDAP data source configured in writable mode, if SSL is not configured between the SAP UME and the LDAP data source and the password need not be maintained from the SAP UME, set this parameter to No. Otherwise, set it to Yes. |
|
Group Datasource ( |
List of group data source names configured in the SAP UME. Default value is PRIVATE_DATASOURCE. The SAP UME does not allow adding a group from the Built-in Groups Adapter Data Source. Therefore, this data source should not be added in this configuration. To find a group data source name:
Repeat these steps to get additional group data source names. |
|
Role Datasource ( |
List of role data source names configured in the SAP UME. Default value is UME_ROLE_PERSISTENCE. To find a role data source name:
Repeat these steps to get additional role data source names. |
|
LogonName Initial Substring ( |
Entry that specifies the set of characters allowed in the UME Logon Name. During reconciliation, the SAP UME connector gets users with the Logon Name attribute beginning with any of these characters. The default value is Any characters supported from other languages must be added to this entry. Note. This parameter provides a method to get users during reconciliation because the UME SPML API does not support getting the user records in a batch operation. |
An AS ABAP data source on the SAP UME target system has the following constraints for the SAP UME connector:
Limitation when searching for users: The search considers only actions performed using the AS Java tools. Therefore, the SAP UME connector cannot search using the last modified timestamp.
List of SAP UME user attributes: The list of user attributes that can be read from or written to the SAP UME with an AS ABAP data source is fixed and cannot be extended. However, a back-end AS ABAP system can have additional attributes, but these attributes are not supported from the SAP UME.
Delay in the display of AS ABAP Roles in the SAP UME: If you create a new AS ABAP role or change the description of an existing AS ABAP role, these changes might not be visible in the SAP UME for up to 30 minutes. The SAP UME reads this data from the AS ABAP every 30 minutes. To force the SAP UME to read the data from the AS ABAP, you must restart the AS Java. Therefore, SAP UME connector reconciliation might lose roles that have been recently created.
Constraint in a Central User Administration (CUA) environment: The SAP UME can view only the roles that are present in the central system. Roles in child systems are not visible to the SAP UME. Therefore, you can view and maintain only role assignments to the central system from the SAP UME connector.
The UME does not support maintaining the Form of Address and TimeZone attributes in an ABAP data source.
You can assign ABAP users only to UME groups that represent ABAP roles.
The UME cannot show a user-group assignment when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP.
If you try to assign a UME group to a user when the user is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you will receive an error message.
If a role assignment to a user in ABAP is by means of a collective role or organizational management, you cannot unassign the user from the corresponding UME group.
If a role assignment to a user in ABAP is by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding UME group.
If a role assignment to a user in ABAP is by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding UME group.
For example, a user administrator named ADMIN has assigned the user named USER1 to the roles Z_DIRECT and Z_COLLECT. Z_COLLECT is a collective role including the role Z_DIRECT. When ADMIN uses identity management of the AS Java, ADMIN cannot unassign USER1 from the UME group Z_DIRECT because this ABAP role is also assigned indirectly by the ABAP role Z_COLLECT.
New groups created with the UME are stored in the local database.
The SAP UME connector supports the assignment of the following types of roles to the user:
Roles that defines what is displayed in the Portal
Portal roles - These roles are applicable to Enterprise Portal, and the connector supports the assignment of these roles to the user.
Roles that defines what authorizations the user has in the backend system
UME authorization roles - These roles support programmatic authorization checks. The connector supports assignment of these roles.
J2EE Security role - These roles support declarative authorization checks. The connector does not support assignment of these roles. These roles need to be managed from the Visual Administrator tool of the J2EE Engine.
ABAP authorization role - These roles are applicable when UME is configured with an ABAP data source. These roles will be displayed as groups in the UME. The UME instance needs to be checked whether it is supported or not. The connector will support the assignment of these roles if the UME instance supports it.
The supported connections for the SAP UME connector are:
Following the SPML programming model, a URL connection must be created for the SAP Web AS SPML service using HTTP basic authentication.
For secure communications between Oracle Waveset and the SAP Web Application Server, the SSL protocol (HTTPS) must be used. With SSL communications, data transferred is encrypted. For more information, see Configuring SSL for the SAP UME Connector.
The user that connects to the SAP UME target system must have a security role assigned with the following UME actions:
UME.Spml_Read_Action
UME.Spml_Write_Action
If the SAP UME is configured as an AS ABAP data source and Central User Administration (CUA) is enabled in the back-end ABAP system, then a system must be assigned for this user. To assign a system, use transaction SU01 from the back-end ABAP system.
The SAP UME connector for Oracle Waveset is certified with the following components:
Table 11-3 Certified Components for the SAP UME Connector
| Component | Requirement |
|---|---|
|
Oracle Waveset |
Oracle Waveset 8.1.1 with Patch 6 |
|
Target systems |
Note. When the SAP application is installed in the Java stack (such as Enterprise Portal), then the connector can connect to the UME of the SAP application. When the SAP application (such as SAP BW or SRM) is installed in the ABAP stack, SAP Enterprise Portal must be configured against the SAP application's (BW or SRM) user management. For this configuration, refer to the SAP target system documentation. The connector needs to connect to the UME of Enterprise Portal. When the SAP application (such as PI) is installed in a dual (ABAP plus Java) stack, then the connector can connect to the UME of the SAP application. However, all of the limitations for the ABAP data source will be applicable. |
|
Identity Connector Framework (ICF) |
ICF 1.0 or later |
|
OpenSPML Toolkit |
OpenSPML Toolkit v0.6 (included with the SAP UME connector bundle) |
|
JDK or JRE |
JDK or JRE 1.5 or later |
The SAP UME connector is localized in the following languages:
Arabic
Chinese (Simplified and Traditional)
Czech
Danish
Dutch
Finnish
French
German
Greek
Hebrew
Hungarian
Italian
Japanese
Korean
Norwegian
Polish
Portuguese (Brazilian)
Romanian
Russian
Slovak
Spanish
Swedish
Thai
Turkish
If you currently have the SAP Enterprise Portal resource adapter installed, this section describes how to migrate the adapter to the SAP UME connector.
To migrate a SAP Enterprise Portal resource adapter, follow these steps:
Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the SAP UME Connector.
Log in to the Oracle Waveset Administrator interface.
Select the Resources tab and then the Migrate Adapters tab.
Follow the Migration Wizard to complete the migration. A script runs in the background that updates the schema map.
You can deploy the SAP UME connector either locally in Oracle Waveset or remotely in the Connector Server, as described in the following sections:
Note:
In a production environment, it is recommended that you install the SAP UME connector in the Connector Server.
This section describes the following information about installing the SAP UME connector in the Connector Server:
Note:
For the JDK requirements. see Certified Components for the SAP UME Connector. If necessary, see your JAVA_HOME environment variable to point to your specific installation.
If you install the SAP UME connector in the Connector Server, the following figure shows the distributed deployment architecture.
Figure 11-2 SAP UME Connector Deployment Architecture With the Connector Server
A SAP UME connector deployment with the Connector Server includes these components:
Machine 1 has Oracle Waveset deployed.
Machine 2 has the SAP UME connector installed in the Connector Server. The Connector Server is part of the Identity Connector Framework (ICF). The OpenSPML Toolkit is included with the SAP UME connector bundle.
Machine 3 has the SAP UME target system deployed. The SPML Service is used to access the Data Source.
To install and configure the Connector Server, follow these steps:
Create a new directory on the machine where you want to install the Connector Server. In this section, CONNECTOR_SERVER_HOME represents this directory.
Unzip the Connector Server package in your new directory from Step 1. The Connector Server package is available with the Identity Connector Framework (ICF).
In the ConnectorServer.properties file, set the following properties, as required by your deployment. The ConnectorServer.properties file is located in the conf directory.
| Property | Description |
|---|---|
|
|
Port on which the Connector Server listens for requests. The default is 8759. |
|
|
Directory where the connector bundles are deployed. The default is |
|
|
Directory in which to place dependent libraries. The default is |
|
|
If set to If you specify
See Bug 13343976: Connector Server With SSL is Not Working With the SAP UME Connector. |
|
|
Bind address. To set this property, uncomment it in the file (if necessary). The bind address can be useful if there are more NICs installed on the machine. |
|
|
Connector Server key. |
Set the properties in the ConnectorServer.properties file, as follows:
To set connectorserver.key, run the Connector Server with the setKey option.
For all other properties, edit the ConnectorServer.properties file manually.
The conf directory also contains the logging.properties file, which you can edit if required by your deployment.
To run the Connector Server on Windows systems, use the ConnectorServer.bat script as follows:
Make sure that you have set the properties required by your deployment in the ConnectorServer.properties file, as described in Installing and Configuring the Connector Server.
Change to the CONNECTOR_SERVER_HOME\bin directory and find the ConnectorServer.bat script.
The ConnectorServer.bat script supports the following options:
| Option | Description |
|---|---|
/install [serviceName] ["-J java option"] |
Installs the Connector Server as a Windows service. Optionally, you can specify a service name and Java options. If you do not specify a service name, the default name is |
/run ["-J java option"]
|
Runs the Connector Server from the console. Optionally, you can specify Java options. For example, to run the Connector Server with SSL:
ConnectorServer.bat /run
"-J-Djavax.net.ssl.keyStore=mykeystore.jks"
"-J-Djavax.net.ssl.keyStorePassword=password"
|
/setkey [key]
|
Sets the Connector Server key. The |
/uninstall [serviceName]
|
Uninstalls the Connector Server. If you do not specify a service name, the script uninstalls the |
If you need to stop the Connector Server, stop the respective Windows service.
To run the Connector Server on UNIX and Linux systems, use the connectorserver.sh script, as follows:
Make sure that you have set the properties required by your deployment in the ConnectorServer.properties file, as described in Installing and Configuring the Connector Server.
Change to the CONNECTOR_SERVER_HOME/bin directory.
Use the chmod command to set the permissions to make the connectorserver.sh script executable.
Run the connectorserver.sh script. The script supports the following options:
| Option | Description |
|---|---|
|
|
Runs the Connector Server in the console. Optionally, you can specify one or more Java options. For example, to run the Connector Server with SSL:
./connectorserver.sh /run
-J-Djavax.net.ssl.keyStore=mykeystore.jks
-J-Djavax.net.ssl.keyStorePassword=password
|
|
|
Runs the Connector Server in the background. Optionally, you can specify one or more Java options. |
/stop |
Stops the Connector Server, waiting up to 5 seconds for the process to end. |
/stop n
|
Stops the Connector Server, waiting up to |
/stop -force |
Stops the Connector Server. Waits up to 5 seconds and then uses the |
/stop n -force
|
Stops the Connector Server. Waits up to |
/setKey key
|
Sets the Connector Server key. The |
To install the SAP UME connector for Oracle Waveset in the Connector Server, follow these steps:
Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the SAP UME Connector.
Stop the Connector Server.
Copy the SAP UME connector bundle into the CONNECTOR_SERVER_HOME/bundles directory.
Start the Connector Server.
For information about starting and stopping the Connector Server, see Running the Connector Server on Windows Systems or Running the Connector Server on UNIX and Linux Systems.
The SAP UME connector supports the account attributes in the following object classes:
All attributes are string data types. The first column includes both the display name and field name for each attribute.
Table 11-4 User Object Class Attributes
| Attribute Name | Required | Description |
|---|---|---|
|
Group Name ( |
No |
List of all directly assigned groups. |
|
Role Name ( |
No |
List of all directly assigned roles. |
|
Data Source ( |
No |
Home data source of the object. |
|
Department ( |
No |
Department code. |
|
Display Name ( |
No |
Display name. |
|
Email ( |
No |
Email address. |
|
Fax ( |
No |
Complete FAX number. |
|
First Name ( |
No |
First name. |
|
Unique ID ( |
No |
Back-end ID. |
|
Is user locked ( |
No |
Specifies if the user is locked. |
|
Job Title ( |
No |
Job title. |
|
Last Name ( |
Yes |
Last name. |
|
Language ( |
No |
Locale code. |
|
Logon Name ( |
Yes |
Unique name and logon ID. Note: The maximum Logon Name field length can vary on the SAP UME target system, depending on the specific data source configuration. For example, some target systems allow a maximum of 20 characters for the Logon Name field. If you specify a Logon Name field in Oracle Waveset that is greater than the number of characters allowed on the target system, the |
|
Mobile # ( |
No |
Mobile phone number. |
|
Salutation ( |
No |
Salutation. |
|
Security Policy ( |
No |
Type of security policy for the user (default, technical, or unknown). The default is |
|
Telephone ( |
No |
Complete telephone number. |
|
Time Zone ( |
No |
Time zone. |
|
Title ( |
No |
Title of the user. |
|
Valid From ( |
No |
Date the user becomes valid. |
|
Valid To ( |
No |
Date the user becomes invalid. Default is |
|
Street ( |
No |
Home address of the user. |
|
City ( |
No |
Name of the city. |
|
Zip code ( |
No |
Postal code of the city. |
|
State ( |
No |
Name of the state. |
|
Country ( |
No |
Country code following the ISO 3166 standard. |
Note:
By default, the SAP UME connector uses the password that is entered on the password reset page. To have a user wants set the password through the user form, add a new Identity System User Attribute on the account attribute page and map it to the native password attribute.
The schema details can change in different SAP NetWeaver releases. To support additional attributes, get the schema details from the schema.xml file that is provided with the AS Java.
For the Group object class configuration, the lstGroupDatasource attribute in the user form specifies the name of the data source. The default names are PRIVATE_DATASOURCE and SUPER_GROUPS_DATASOURCE. All attributes are string data types. The first column includes both the display name and field name for each attribute.
Table 11-5 Group Object Class Attributes
| Attribute Name | Required | Description |
|---|---|---|
|
Unique Name ( |
Yes |
Name of the group. |
|
Display Name ( |
No |
Display name of the group. |
|
Description ( |
No |
Description of the group. |
|
Group ID ( |
No |
Back-end ID of the group. |
|
User Members ( |
No |
Assigned members of the group. |
|
Assigned Roles ( |
No |
List of all directly assigned roles. |
|
Data Source ( |
No |
Name of the data source. |
Note:
Maintaining a group in the connector using the SPML API is based on the data source configuration, as follows:
If the UME is configured with an AS Java data source, groups are stored in the internal data source. Therefore, creating a new group using the SPML API is supported in an AS Java data source.
If UME is configured with an AS ABAP data source, you can view AS ABAP roles as groups, but you cannot modify them or create new AS ABAP roles. You can create groups in the local AS Java database, which will not be reflected in the ABAP application. Therefore, creating a new role in an AS ABAP data source is not supported.
For the Role object class configuration, the lstRoleDatasource attribute in the user form specifies the name of the data source. The default name is UME_ROLE_PERSISTENCE. All attributes are string data types. The first column includes both the display name and field name for each attribute.
Table 11-6 Role Object Class Attributes
| Attribute Name | Required | Description |
|---|---|---|
|
Unique Name ( |
Yes |
Name of the role. |
|
Display Name ( |
No |
Display name of the role. |
|
Description ( |
No |
Description of the role. |
|
User Members ( |
No |
Assigned members of the role. |
|
Role ID ( |
No |
Back-end ID of the role. |
|
Data Source ( |
No |
Name of the data source. |
Note:
The SPML API does not support creating a new role. Creating an AddRequest in the saprole object class returns an AddResponse with the error as UnsupportedOperation with the message "Creation of new roles is not supported".
The following sample forms are provided with the SAP UME connector:
| Form | File |
|---|---|
|
SAPUMEUserForm |
|
|
SAPUMEUserFormDefaultValues |
|
|
SAPUMEConnectorCreateGroupForm |
|
|
SAPUMEConnectorUpdateGroupForm |
|
|
SAPUMEConnectorUpdateRoleForm |
|
This section describes how to configure Secure Sockets Layer (SSL) for the SAP UME connector installed in Oracle Waveset.
Before you configure SSL for the SAP UME connector, consider these requirements:
On the SAP UME target system, SSL must be enabled for the specific data source. For information, see the documentation for your specific SAP UME target system.
On the server where Oracle Waveset is deployed, a JDK or the JRE is required. For the requirements. see Certified Components for the SAP UME Connector. If necessary, set your JAVA_HOME or JRE_HOME environment variable to point to your specific installation.
To configure SSL for the SAP UME connector deployed in Oracle Waveset, follow these steps:
On the SAP UME target system, import the certificate from the data source into the SPML Provider:
Login to the SPML Provider on the SAP target system by specifying the following URL in your web browser:
https://sap-target-system:port-number/spml/spmlservice
The user name you specify to log in must have the following permissions: UME.Spml_Read_Action and UME.Spml_Write_Action.
Click Certificate Error, and then on the Certificate Invalid menu, click View Certificates.
Import the certificate from the SAP UME target system by clicking Install Certificate.
Specify the location for the certificate as the Certificate Store named Trusted Root Certificate Authorities.
While still logged into the SPLM Provider, select the certificate you imported in the previous step and export the certificate to a file:
For the imported certificate, click the Details tab and then Copy to File... .
For the Export File Format, check DER encoded binary X.509 (.CER).
For the File to Export, enter the file name for the certificate. For example: sapcert.cer
After you finish copying the certificate to a file, log out of the SPLM Provider.
On the application server you are using for Oracle Waveset, determine the certificate keystore location and import the certificate into the keystore. For example:
keytool -import -alias cert-alias -keystore path-to-keystore-file -file certificate-file -storepass password
where:
cert-alias is a user-defined alias for identification of the specific certificate in the certificate store.
keystore-file is the path to the keystore file.
certificate-file is the path to the certificate file you obtained from the SAP UME target system.
password is the password for the certificate store.
For example, on a Windows system:
keytool -import -alias sap-cert1 -keystore C:\mydir\java\jre\lib\security\cacerts -file C:\mytagetcert\sapcert.cer -storepass changeit
Note:
The keytool -importcert command is supported in Java 6 or later releases. For Java 5 releases, use the keytool -import command.
Make you have set your JAVA_HOME or JRE_HOME environment variable to point to your specific JDK or JRE installation
To verify the certificate in the certificate store, use the keytool -list -keystore command.
Use the Oracle Waveset debug pages to set trace options on the following class:
org.identityconnectors.sapume
This class returns all available error messages from the SAP UME target resource.
If you configure the SAP UME connector to communicate with the Connector Server using SSL, including setting the connectorserver.usessl property to true and importing the SAP UME target system certificate into the Connector Server JDK keystore, an attempt to access the SAP UME target system or run the Connector Server returns an error.
Workaround. None. Do not use SSL to communicate with the Connector Server.
|
 Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
