This chapter contains the following sections:
Note:
Some of the procedures described in this chapter must be performed on the target system. To perform these procedures, you must use an SAP administrator account to which the SAP_ALL and SAP_NEW profiles have been assigned.
Preinstallation for the SAP UM connector involves performing a series of tasks on the target system.
Preinstallation information is divided across the following sections:
The SAP Java Connector file is a middleware component that enables the development of SAP-compatible components and applications in Java. This component is required to support inbound and outbound SAP server communication during runtime.
Note:
Ensure that you are using version 3.0.2 or later of the sapjco3.jar file.
To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.
To download and copy the external code files to the required locations:
Download the SAP Java connector file from the SAP Web site as follows:
Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.
On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.
In the dialog box that is displayed, specify the path of the directory in which you want to save the file.
Extract the contents of the file that you download.
Create a directory called sap-11.1.1.7.0 for the SAP User Management connector in the following directory:
OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/
The files in this directory are not shared with any other connectors, which avoids version conflicts among shared libraries.
Copy the sapjco3.jar file into the OIM_HOME/server/ThirdParty directory. Then, add its path to the DOMAIN_HOME\bin\startWebLogic file as follows:
On Microsoft Windows:
In a text editor, open the DOMAIN_HOME/bin/startWebLogic.cmd file and add the following path:
set CLASSPATH=MIDDLEWARE_HOME_PATH\Oracle_IDM1\server\ThirdParty\sapjco3.jar;%SAVE_CLASSPATH%
Save and close the file. Restart the server for the changes in the CLASSPATH variable to take effect.
On Linux:
In a text editor, open the DOMAIN_HOME/bin/startWebLogic.sh file and add the following path:
CLASSPATH=MIDDLEWARE_HOME_PATH/Oracle_IDM1/server/ThirdParty/sapjco3.jar:"${SAVE_CLASSPA
TH}"
For example, CLASSPATH=/home/shareuser/SYR2PS1BP2O7/Middleware/Oracle_IDM1/server/ThirdParty/sapjco3.jar:"${SAVE_CLASSPATH}"
Save and close the file. Restart the server for the changes in the CLASSPATH variable to take effect.
Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:
On Microsoft Windows:
Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the PATH environment variable.
On Solaris and Linux:
Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.
On a Microsoft Windows platform, ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. If required, both files can be downloaded from various sources on the Internet.
Note:
If you are using Cluster setup, add CLASSPATH and LD_LIBRARY_PATH to each node.If you are using IBM WebSphere Application Server, perform the following steps:
Copy the following files to WEBSPHERE_HOME/AppServer/lib:
libsapjco3.so
sapidoc3.jar
sapjco3.jar
For example, copy the preceding files to /home/shareuser/R2PS1ST1WAS/IBM/WebSphere/AppServer/lib
Update the PROFILE_HOME/bin/setupCmdLine.sh file as shown in the following example:
WAS_CLASSPATH="$WAS_HOME"/properties:"$WAS_HOME"/lib/startup.jar:"$WAS_HOME"/lib/bootstrap.jar:"$WAS_HOME"/lib/lmproxy.jar:"$WAS_HOME"/lib/urlprotocols.jar:"$WAS_HOME"/lib/sapjco3.jar:"$WAS_HOME"/lib/sapidoc3.jar:"$JAVA_HOME"/lib/tools.jar
Restart the server for the changes in the environment variable to take effect.
Note:
You can either restart the server now or after the connector is installed.
To check if SAP JCo is correctly installed, in a command window, run one of the following commands:
java –jar JCO_DIRECTORY/sapjco3.jar java –classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
The JCo classes and JCo library paths must be displayed in this dialog box.
The connector uses a target system account to connect to the target system during each connector operation.
This target system account must be one of the following:
If you are using a target system in which the SAP HRMS module is enabled, then the target system account must be a user to whom you assign a customized role (for example, ZHR_ORG_UM) with the PLOG and P_ORIGIN authorization objects. Note that the P_ORIGIN authorization object is related to the SAP HRMS module. Therefore, you can assign a customized role with the P_ORIGIN authorization object only if the SAP HRMS module is enabled.
If you are using a target system in which the SAP HRMS module is not enabled, then the target system account must be a user to whom you assign a customized role (for example, ZHR_ORG_UM) with the following authorization objects:
PLOG
Authorization objects that run BAPIs corresponding to each provisioning function.
For example, consider a provisioning function that adds a multivalued attribute (such as role) to a user. If you want the connector to perform this provisioning operation, then you must create a target system user account to which you assign a customized role with the PLOG authorization object and an authorization object that runs the BAPIs to create, modify, or display roles.
This section provides information on the following topics:
Oracle Identity Governance requires a target system user account to access the target system during connector operations.
To create a target system user account for the SAP UM target:
The connector uses a target system account to connect to the target system during reconciliation. This target system account must be a CPIC user to whom you assign a customized role with the S_IDOC_ALL profile, S_RFC authorization object, and PLOG authorization object.
Create user of type CPIC with the following privileges:
Note:
You must configure the PLOG authorization object so that the values assigned to this object match the ones shown in Step 2 through 6. Only the Plan Version (PLVAR) object can be set according to your requirements.You can perform connector operations such as Access Request Management and Access Risk Analysis through the SAP Business Objects Access Control system.
Note:
The naming convention of the connector name created in SAP Business Objects Access Control system should be synchronized with the logical name of the system to be integrated. To achieve this, a standard naming convention like <SID>CLNT<XXX> can be followed.
The below figure illustrates an example of the naming convention to be followed. According to this example, when a connector is created while integrating any system like ECC, CRM, SRM, or S/4 HANA with SAP Business Objects Access Control system, ensure to create an RFC destination of the system by following the standard naming convention which is synchronized with the logical name of the system.
Figure 2-1 Naming Convention For Connector Created in SAP Business Objects Access Control System
If you want to perform connector operations such as Access Request Management and Access Risk Analysis through the SAP Business Objects Access Control system, then assign the following minimum set of roles to a user account in SAP Business Objects Access Control:
Role Name | Description |
---|---|
SAP_BC_WEBSERVICE_CONSUMER |
Web Service Consumer |
SAP_GRC_NWBC |
Governance, Risk, and Compliance |
SAP_GRAC_ACCESS_APPROVER |
Role for Access Request Approver |
SAP_GRAC_RISK_OWNER |
Risk Maintenance and Risk Analysis |
SAP_GRAC_ROLE_MGMT_ROLE_OWNER |
Role Owner |
Apart from the default roles provided by SAP in the preceding table, you must add the additional authorizations to the user.
GRFN_CONN
GRAC_SYS
GRAC_ROLER
GRAC_RISK
GRAC_REQ
GRAC_RA
S_USER_GRP
GRFN_USER
GRAC_ROLED
GRAC_ROLEP
GRAC_EMPLY
GRAC_USER
S_CTS_ADMI
S_CTS_SADM
GRAC_ACTN
GRAC_FFOWN
Modify the parameter values as follows:
ACTVT: 16
GRCFN_CONN: *
ACTVT: 01, 02, 03, 78
GRAC_APPTY: *
GRAC_ENVRM: *
GRAC_SYSID: *
ACTV: 16
GRAC_OUNIT: *
GRAC_ROLE: *
GRAC_ROTYP: *
GRAC_SYSID: *
ACTVT: 16
GRAC_BPROC: *
GRAC_RISK: *
GRAC_RLVL: *
GRAC_RSET: *
GRAC_RTYPE: *
ACTVT: 01, 02, 03
GRAC_BPROC: *
GRAC_FNCAR: *
GRAC_RQFOR: *
GRAC_RQINF: *
GRAC_RQTYPE: *
ACTVT: 16, 70
GRAC_OTYPE: *
GRAC_RAMOD: 1, 2, 3, 4, 5
GRAC_REPT: 01, 02, 03, 04, 05
ACTVT: 03
CLASS: *
ACTVT: *
GRAC_ACTRD: 03, FS
GRAC_BPROC: *
GRAC_LDSCP: *
GRAC_RLSEN: *
GRAC_RLTYP: *
GRAC_ROLE: *
ACTVT: 78
GRAC_BPROC: *
GRAC_OUNIT: *
GRAC_RLTYP: *
GRAC_ROLE: *
GRAC_SYSID: *
ACTVT: 01, 02, 03
GRAC_CLASS: *
GRAC_OUNIT: *
GRAC_SYSID: *
GRAC_USER: *
GRAC_UTYPE: *
ACTVT: 01, 02, 03
GRAC_COMP: *
GRAC_COSTC: *
GRAC_DEPT: *
GRAC_LOCTN: *
ACTVT: *
GRAC_OWN_T: *
GRAC_SYSID: *
GRAC_USER: *
GRAC_ACTN: HOLD
GRFNMW_PRC: *
CTS_ADMFC: *
DESTSYS: *
DOMAIN: *
CTS_ADMFCT: *
You must install the connector in Oracle Identity Manager. If necessary, you can also deploy the connector in a Connector Server.
The following topics provide details on installing the SAP UM connector:
To run the connector code locally in Oracle Identity Manager, perform the procedure described in Installing the Connector in Oracle Identity Manager.
To run the connector code remotely in a Connector Server, perform the procedures described in Installing the Connector in Oracle Identity Manager and Deploying the Connector Bundle in a Connector Server.
In this scenario, you install the connector in Oracle Identity Manager using the Connector Installer:
Note:
Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. Direct provisioning is automatically disabled when you enable request-based provisioning. See Enabling Request-Based Provisioning if you want to use the request-based provisioning feature for this target system.
To run the Connector Installer:
Download the connector package (ZIP file) from Oracle Technology Network and extract the connector package. Then, copy the contents into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
If you are using Oracle Identity Manager release 11.1.1.x, perform the following steps:
Log in to Oracle Identity System Administration by using the user account described in Creating the User Account for Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
If you are using Oracle Identity Manager release 11.1.2.x, perform the following steps:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List list, select SAP UM RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select SAP UM RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. If a task fails, then make the required correction and perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 5.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed.
In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector
The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled jobs
The procedure to configure these scheduled tasks is described later in this guide.
You can deploy the connector either locally in Oracle Identity Manager or remotely in the Connector Server. A Connector Server is an application that enables remote execution of an Identity Connector, such as the SAP User Management connector.
Note:
To deploy the connector bundle remotely in a Connector Server, you must first deploy the connector in Oracle Identity Manager, as described in Installing the Connector in Oracle Identity Manager.
See Configuring the IT Resource for the Connector Server for related information.
This procedure can be divided into the following stages:
Connector servers are available in two implementations:
As a .Net implementation that is used by Identity Connectors implemented in .Net
As a Java implementation that is used by Java-based Identity Connectors
The SAP User Management connector is implemented in Java, so you must deploy this connector to a Java Connector Server.
Use the following steps to install and configure the Java Connector Server:
Note:
Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.
Note:
Oracle Identity Manager has no built-in support for testing the Connector Server configuration.
See Also:
Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing and configuring connector server and running the connector server.
To deploy the SAP User Management connector into the Java Connector Server:
Postinstallation for the connector involves configuring Oracle Identity Manager, enabling logging to track information about all connector events, and configuring SoD. It also involves performing some optional configurations such as configuring ports on the target system, enabling the reset password option in OIM, setting up the configuration lookup definitions in OIM, changing the required input locale and so on.
Postinstallation steps are divided across the following sections:
Configuring the Target System to Enable Propagation of User Password Changes
Enabling the Reset Password Option in Oracle Identity Manager 11.1.2.1.0 or Later
Setting Up the Configuration Lookup Definition in Oracle Identity Manager
Clearing Content Related to Connector Resource Bundles from the Server Cache
Configuring the Access Request Management Feature of the Connector
Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System
Synchronizing the SAPUM Process Form Field Length Needs with the Target Field Length
Note:
The field length of the values of an attribute coming from the SAPUM Process form should be in bounds of the length of values of attributes in the target system.
You can configure ports to enable communication between the target system and Oracle Identity Manager.
To enable communication between the target system and Oracle Identity Manager, you must ensure that the ports listed in Table 2-1 are open.
Table 2-1 Ports for SAP Services
Service | Port Number Format | Default Port |
---|---|---|
Dispatcher |
32SYSTEM_NUMBER |
3200 |
Gateway (for non-SNC communication) |
33SYSTEM_NUMBER |
3300 |
Gateway (for SNC communication) |
48SYSTEM_NUMBER |
4800 |
Message server |
36SYSTEM_NUMBER |
3600 |
To check if these ports are open, you can, for example, try to establish a Telnet connection from Oracle Identity Manager to these ports.
This section describes the procedures involved in configuring the target system to enable propagation of user password changes from the SAP CUA parent system to its child systems. You may need the assistance of the SAP Basis administrator to perform some of these procedures.
Configuring the target system involves the following tasks:
The following information is required to configure the target system:
Note:
During SAP installation, a system number and client number are assigned to the server on which the installation is carried out. These items are mentioned in the following list.
Login details of an admin user having the permissions required to import requests
Client number of the server on which the request is to be imported
System number
Server IP address
Server name
User ID of the account to be used for connecting to the SAP application server
Password of the account to be used for connecting to the SAP application server
The User Group field is one of the fields that holds user data in SAP. F4 values are values of a field that you can view and select from a list. To view F4 values of the User Group field, you must create an entry in the BAPIF4T table by running the SM30 transaction. Ensure that the entry in the table includes XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name.
You must import the request to create the following custom objects in the SAP system.
Object Type | Object Name |
---|---|
Package |
ZXLC |
Function Group |
ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR |
Message class |
ZXLCBAPI |
Program |
ZLCF4HLP_DATA_DEFINITIONS ZLCMS01CTCO ZLCMS01CTCO1 ZLCMS01CTP2 ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR |
Search Help |
ZXLC_ROLE ZXLC_SYS |
Business object types |
ZXLCGRP ZXLCHLP ZXLCPRF ZXLCRL ZXLCUSR |
Table |
ZXLCBAPIMODE ZXLCBAPIMODM ZXLCGROUPS ZXLCPRF ZXLCROLE ZXLCSTRING ZXLCSYSNAME |
The xlsapcar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.
Importing the request into SAP involves extracting the request files and performing the request import operation as follows:
You must create an UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run entitlement and catalog synchronization jobs.
These procedures are described in the following sections:
You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.
See Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on creating and activating a sandbox.
You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.
See Managing Forms in Oracle Fusion Middlware Administering Oracle Identity Manager for instructions on creating a new UI form. While creating the UI form, ensure that you select the resource object corresponding to the Concur connector that you want to associate the form with. In addition, select the Generate Entitlement Forms check box..
Create an application instance as follows. For detailed instructions, see Managing Application Instances in Oracle Fusion Middlware Administering Oracle Identity Manager.
Before publishing a sandbox, perform the following procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published:
To harvest entitlements and sync catalog:
For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:
In Oracle Identity Manager release 11.1.2.1.0 or later, you can reset password for an account after logging in as the user by navigating to My Access, Accounts tab.
The Reset Password option is enabled for only those accounts that follow the UD_FORMNAME_PASSWORD naming convention for the password field. Otherwise, this option would be disabled as shown in the following sample screenshot:
To enable the Reset Password option in Oracle Identity Manager release 11.1.2.1.0 or later:
When you deploy the connector, configuration lookup definitions are created in Oracle Identity Manager.
The following sections discuss the entries in the Lookup.SAPABAP.UM.Configuration lookup definition:
An SAP HRMS account created for a particular user can be linked with the SAP R/3 or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP R/3 or SAP CUA account.
You can duplicate this link in Oracle Identity Manager by using the following parameters of the Advanced Settings section:
validatePERNR: You enter yes
as the value if your operating environment contains multiple SAP HRMS installations. If there is only one SAP HRMS installation, then enter no.
overwriteLink: You enter yes
as the value if you want existing links in SAP to be overwritten by the ones set up through provisioning operations.
The following topics provide detailed information about the linking process:
An SAP HRMS account created for a particular user can be linked with the SAP R/3 or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP R/3 or SAP CUA account.
The following example describes the manner in which the linking process is performed:
An OIM User record is created for user John Doe through trusted source reconciliation with SAP HRMS. During creation, the user ID value is put in the User ID and Personnel Number attributes of the record.
Note:
The Personnel Number field is a hidden UDF on the OIM User form.
To provision an SAP R/3 or SAP CUA account for John, you enter and submit the required data on Oracle Identity System Administration.
The connector looks for the user's SAP HRMS account. If you entered yes
as the value of validatePERNR attribute, then the connector checks for a match for the Personnel Number attribute on SAP HRMS.
After a match is found with an existing SAP HRMS account, the connector performs one of the following steps:
If the value of overwriteLink advanced settings parameter is yes
, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account. This is regardless of whether that infotype contains a value.
If the value of overwriteLink advanced settings parameter is no
, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account only if that subtype does not hold a value.
The Create Link task is one of the tasks that are run during the Create User provisioning operation. You can, if required, remove this task so that it is not displayed in the list of tasks that are run. Use the Design Console for this operation.
When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon parameter of the Advanced Settings section.
You can apply one of the following approaches:
Configure the connector so that users with newly created accounts are prompted to change their passwords at first logon.
To achieve this, set the changePasswordAtNextLogon parameter to yes
. With this setting, the password entered on the process form for a new user account is used to set the password for the new account on the target system. When the user logs in to the target system, the user is prompted to change the password.
Configure the connector so that the password set while creating the account on Oracle Identity Governance is set as the new password on the target system. The user is not prompted to change the password at first logon.
To achieve this, set the value of changePasswordAtNextLogon parameter to no
and enter a string in the dummyPassword parameter of the Basic Configuration Section. With these settings, when you create a user account through Oracle Identity Governance, the user is first created with the dummy password. Immediately after that, the connector changes the password of the user to the one entered on the process form. When the user logs in to the target system, the user is not prompted to change the password.
By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:
Table 2-2 Connection Pooling Properties
Property | Description |
---|---|
Pool Max Idle |
Maximum number of idle objects in a pool. Default value: |
Pool Max Size |
Maximum number of connections that the pool can create. Default value: |
Pool Max Wait |
Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
Pool Min Evict Idle Time |
Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
Pool Min Idle |
Minimum number of idle objects in a pool. Default value: |
If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:
In request-based provisioning, an end user creates a request for a resource or entitlement by using Oracle Identity System Administration. Administrators or other users cannot create requests for a particular user. Requests can be viewed and approved by approvers designated in Oracle Identity Manager.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1.x.
Do not enable request-based provisioning if you want to use the direct provisioning feature of the connector.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.
The following sections discuss the steps to be performed to enable request-based provisioning:
The following are steps performed by the approver in a request-based provisioning operation:
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.
To import a request dataset XML file by using the Deployment Manager:
The following steps are performed by the end user in a request-based provisioning operation:
To enable the Auto Save Form feature:
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.
The procedure to enable enabling request-based provisioning ends with this step.
Note:
In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.
You may require the assistance of the system administrator to change to the required input locale.
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.
To clear content related to connector resource bundles from the server cache:
Oracle Identity Manager uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.
The following topics provide detailed information about logging:
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.
Oracle Identity Manager release 11.1.x uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These message types are mapped to ODL message type and level combinations as shown in Table 2-3.
Table 2-3 Log Levels and ODL Message Type:Level Combinations
Java Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 |
INCIDENT_ERROR:1 |
SEVERE |
ERROR:1 |
WARNING |
WARNING:1 |
INFO |
NOTIFICATION:1 |
CONFIG |
NOTIFICATION:16 |
FINE |
TRACE:1 |
FINER |
TRACE:16 |
FINEST |
TRACE:32 |
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SEVER are the domain name and server name specified during the installation of Oracle Identity Manager.
To enable logging in Oracle WebLogic Server:
Edit the logging.xml file as follows:
Add the following blocks in the file:
<log_handler name='sap-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='[FILE_NAME]'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>
<logger name="ORG.IDENTITYCONNECTORS.SAP" level="[LOG_LEVEL]" useParentHandlers="false">
<handler name="sap-handler"/>
<handler name="console-handler"/>
</logger>
If you are using SAP BusinessObjects AC, then add the following block:
<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="[Log_LEVEL]" useParentHandlers="false">
<handler name="sap-handler"/>
<handler name="console-handler"/>
</logger>
Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-3 lists the supported message type and level combinations.
Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:
<log_handler name='sap-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>
<logger name="ORG.IDENTITYCONNECTORS.SAP" level="NOTIFICATION:1" useParentHandlers="false">
<handler name="sap-handler"/>
<handler name="console-handler"/>
</logger>
If you are using SAP BusinessObjects AC, then add the following block:
<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="NOTIFICATION:1" useParentHandlers="false">
<handler name="sap-handler"/>
<handler name="console-handler"/>
</logger>
With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
Save and close the file.
Set the following environment variable to redirect the server logs to a file:
For Microsoft Windows:
set WLS_REDIRECT_LOG=FILENAME
For UNIX:
export WLS_REDIRECT_LOG=FILENAME
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.
Note:
In an Oracle Identity Governance cluster, perform this step on each node of the cluster.Access Request Management is a module in the SAP BusinessObjects AC suite. In an SAP environment, you can set up Access Request Management as the front end for receiving account creation and modification provisioning requests. In Access Request Management, workflows for processing these requests can be configured and users designated as approvers act upon these requests.
Oracle Identity Manager can be configured as the medium for sending provisioning requests to SAP BusinessObjects AC Access Request Management. A request from Oracle Identity Manager is sent to Access Request Management, which forwards the provisioning data contained within the request to the target system (SAP R/3 or SAP CUA). The outcome is the creation of or modification to the user's account on the target system.
Note:
Before you configure the Access Request Management feature, it is recommended that you read the guidelines described in Guidelines on Using a Deployment Configuration
The following sections provide information about configuring the Access Request Management feature:
The GRC-ITRes IT resource holds information that is used during communication with SAP BusinessObjects AC Access Request Management. To set values for the parameters of this IT resource:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to Oracle Identity System Administration.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then, in the left pane under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter GRC-ITRes
and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource.
Table 2-4 lists the parameters of the GRC-ITRes IT resource.
Table 2-4 Parameters of the GRC-ITRes IT Resource
Parameter | Description |
---|---|
Configuration Lookup |
Enter the name of the configuration lookup definition. For SAP BusinessObjects AC 10: |
language |
Enter the two-letter code for the language set on the target system. Sample value: |
Connector Server Name |
Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server. |
password |
Enter the password of the account created on Access Request Management system. |
port |
Enter the number of the port at which Access Request Management system is listening. Sample value: |
server |
Enter the IP address of the host computer on which Access Request Management system is listening. Sample value: |
username |
Enter the user name of an account created on Access Request Management system. This account is used to call Access Request Management system APIs that are used during request validation. Sample value: |
To save the values, click Update.
SoD is a process that ensures that every individual is given access to only one module of a business process and will not be able to access other modules to reduce risk of fraud and error.
This section discusses the following procedures:
Verifying Entries Created in the Lookup.SAPABAP.System Lookup Definition
Specifying a Value for the TopologyName IT Resource Parameter
Note:
The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAP, UD_SAPRL, and UD_SPUM_PRO process forms. This is required to enable the following process:
During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.
In the Lookup.SAPABAP.Configuration lookup definition, you must change the Decode value of the SOD Configuration lookup entry.
By default, the Decode value of this entry is Lookup.SAPAC10ABAP.Configuration.
To configure SAP BusinessObjects AC to act as the SoD engine, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager at for 11g Release 1 (11.1.2).
The GRC-ITRes IT resource holds information that is used by the connector during SoD operations. This IT resource is the same as the one used by the Access Request Management feature for both Oracle Identity Manager.
See Specifying Values for the GRC-ITRes IT Resource for the procedure to set values for the parameters of this IT resource.
The Lookup.SAPABAP.System lookup definition is automatically populated with system names when you run lookup field synchronization. After synchronization, you must open this lookup definition and ensure that only entries for systems that you want to use for the SoD validation process are retained in this table.
The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation:
Oracle Identity Manager installation
SAP BusinessObjects AC installation
SAP ERP installation
Enter sodgrc as the value of the TopologyName parameter.
For more inofmration about this element, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.2.0).
See Configuring the IT Resource for information about specifying values for parameters of the IT resource.
This section describes the procedure to disable and enable SoD on Oracle Identity Governance.
To disable SoD:
If you are using the Oracle Identity Manager release 11.1.1.x, then perform the following steps:
Log in to Oracle Identity System Administration.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management tab, click System Configuration.
If you are using the Oracle Identity Manager release 11.1.2.x, then perform the following steps:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click System Configuration.
In the Search System Configuration box, enter XL.SoDCheckRequired
and then click Search.
A list that matches your search criteria is displayed in the search results table.
Click the XL.SoDCheckRequired property name.
System properties for SoD are displayed on the right pane.
In the Value box, enter FALSE
to disable SoD.
Click Save.
Restart Oracle Identity Manager.
To enable SoD:
If you are using Oracle Identity Manager release 11.1.1.x, then perform the following steps:
Log in to Oracle Identity System Administration.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management tab, click System Configuration.
If you are using Oracle Identity Manager release 11.1.2.x, then perform the following steps:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click System Configuration.
In the Search System Configuration box, enter XL.SoDCheckRequired
and then click Search.
A list that matches your search criteria is displayed in the search results table.
Click the XL.SoDCheckRequired property name.
System properties for SoD are displayed on the right pane.
In the Value box, enter TRUE
to enable SoD.
Click Save.
Restart Oracle Identity Manager.
Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the SAP Java connector (JCo). If required, you can use Secure Network Communication (SNC) to secure communication between Oracle Identity Manager and the SAP system.
Note:
For more information, see the SAP SNC Documentation.This section discusses the following topics:
The following are prerequisites for configuring the connector to use SNC:
SNC must be activated on the SAP application server.
You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.
To install the security package on the Java application server used by Oracle Identity Manager:
To configure SNC:
Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:
To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.
Enter a command similar to the following to create the PSE:
sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
The following is a sample distinguished name:
CN=SAPJ2EE, O=MyCompany, C=US
The sapgenpse command creates a PSE in the SECUDIR directory.
Create credentials for the Java application server.
The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:
Sapgenpse seclogin
Then, enter the following command to open the PSE of the server and create the credentials.sapgenpse file:
seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID
The user_ID
that you specify must have administrator rights. PSE_NAME
is the name of the PSE file.
The credentials file, cred_v2, for the user specified with the -O
option is created in the SECUDIR directory.
Exchange the public key certificates of the two servers as follows:
Note:
If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.
Export the Oracle Identity Manager certificate by entering the following command:
sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.
Use one of the following ways to set up SNC on the SAP application server:
If you do not want to map each user with the certificate and use batch processing, define a general rule-based certificate mapping to enable NetWeaver map user certificates automatically.
Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.
Import the SAP application server certificate into Oracle Identity Manager by entering the following command:
sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
Configure the following parameters in the SAP UM ITResource IT resource object:
sncLib
sncName
sncPartnerName
sncProtectionLevel
useSNC
An IT resource for your target system is created after you install the connector. You configure this IT resource to let the connector connect Oracle Identity Manager with your target system.
The following sections provide information about features that can be enabled using the IT resource:
The following section describes the parameters of the IT resource:
In SAP, a logon group is used as a load-sharing mechanism. When a user logs in to a logon group, the system internally routes the connection request to the logon group member with the least load.
The following parameters of the IT resource are used to enable this feature. These parameters are explained in Table 2-5.
jcoGroup
loadBalance
msHost
msServ
In addition, perform the procedure described in Enabling SAP JCo Connectivity on the Oracle Identity Manager host computer to enable SAP JCo connectivity.
Secure Network Communication (SNC) is the SAP-proprietary mechanism for securing communication between SAP and applications with which SAP interacts. See Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System for detailed information to enable SNC-based communication. The names of the SNC parameters are prefixed with SNC
.
During provisioning operations, there is a possibility that more than one user tries to update the multivalued attribute (for example, a role) of a particular user. The following parameters of the IT resource are used to automatically manage simultaneous update attempts:
Timeout count: Enter the time (in milliseconds) for which the connector must wait before retrying the operation to update a multivalued attribute on the target system.
Timeout retry count: Enter the maximum number of retry attempts for updating a multivalued attribute on the target system.
The SAP UM ITResource IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource.
Note:
The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the default IT resource. This is to ensure that end users can select the IT resource during request-based provisioning. If you create another IT resource, then you must assign INSERT, UPDATE, and DELETE permissions for the ALL USERS group on the IT resource.
You must use Oracle Identity System Administration to configure the IT resource. Values set for the connection pooling parameters will not take effect if you use the Design Console to configure the IT resource.
To specify values for the parameters of the IT resource:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to Oracle Identity System Administration.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then, in the left pane under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter SAP UM ITResource
and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. Table 2-5 describes the parameters of the SAP UM IT resource and Table 2-6 describes the parameters of the SAP AC UM IT resource.
Table 2-5 Parameters of the SAP UM IT Resource
Parameter | Description | Mandatory? |
---|---|---|
client |
SAP client setting Default value: |
Yes |
Configuration Lookup |
Name of the lookup definition containing configuration information Default value: |
Yes |
configureConnectionTuning |
Allows the connection properties to be customized when the SAP Destination is configured Default value: |
No |
connectionMaxGetTime |
Maximum time to wait for a connection (specified in milliseconds) |
No |
connectionPoolActiveTime |
Maximum number of active connections that can be created for a destination simultaneously |
No |
connectionPoolCapacity |
Maximum number of idle connections that can be kept open by the destination |
No |
connectionPoolExpirationPeriod |
Released connections are checked for expiration after waiting for this time period (specified in milliseconds) |
No |
connectionPoolExpirationTime |
Freed connections held by the destination that can be closed after this amount of time (specified in milliseconds) |
No |
Connector Server Name |
Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server. |
No |
destination |
This value must be unique. This is a mandatory connection parameter needed for SAPJCo to interact with the SAP System. Sample value: The value specified has to be unique to each instance of the IT Resource. |
Yes |
dummyPassword |
Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. See Configuring Password Changes for Newly Created Accounts for more information about this parameter. |
Mandatory |
host |
Host name of the resource |
Mandatory |
jcoGroup |
Group of SAP application servers |
Optional |
jcoSAPRouter |
SAP router string to be used for a system protected by a firewall |
Optional |
jcoTrace |
Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: |
Optional |
jcoTraceDir |
Absolute path to the directory where the trace files will be created |
Optional |
language |
Enter the two-letter code for the language set on the target system Default value: |
Optional |
loadBalance |
Enter Default value: |
Optional |
masterSystem |
Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: Here the sample value is based on the following format used in SAP system: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number. |
Mandatory |
maxBAPIRetries |
Maximum Number retries for BAPI execution Default value: |
Optional |
msHost |
Enter the host name of the message server |
Optional |
msServ |
(Optional) SAP message server port to be used instead of the default sapms |
Optional |
password |
When using normal authentication, password of the User account |
Mandatory |
r3Name |
Enter the host name of the SAP R/3 or SAP CUA system |
Optional |
retryWaitTime |
Connection retry wait time Default value: |
Optional |
sncLib |
Enter the full path and name of the crypto library on the target system host computer This is required only if SNC is enabled. Sample value: |
Optional |
sncName |
SNC system name Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: |
Optional |
sncPartnerName |
Enter the domain name of the target system host computer Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: |
Optional |
sncProtection Level |
Enter the protection level (quality of protection, QOP) at which data is transferred The value can be any one of the following numbers:
Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Default value: |
Optional |
sncX509Cert |
The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC Note: You must remove all new line characters from the certificate. |
Optional |
systemNumber |
SAP system number Default value: |
Mandatory |
TopologyName |
Name of the topology of the target system host computer Default value: |
Optional |
user |
When using normal authentication, a user name that has permissions to create new accounts |
Mandatory |
useSNC |
Enter Default value: |
Optional |
Table 2-6 Parameters of the SAP AC UM IT Resource
Parameter | Description |
---|---|
client |
SAP client setting Default value: |
Configuration Lookup |
Name of the lookup definition containing configuration information Default value: |
configureConnectionTuning |
Allows the connection properties to be customized when the SAP Destination is configured Default value: |
connectionMaxGetTime |
Maximum time to wait for a connection (specified in milliseconds) |
connectionPoolActiveTime |
Maximum number of active connections that can be created for a destination simultaneously |
connectionPoolCapacity |
Maximum number of idle connections that can be kept open by the destination |
connectionPoolExpirationPeriod |
Released connections are checked for expiration after waiting for this time period (specified in milliseconds) |
connectionPoolExpirationTime |
Freed connections held by the destination that can be closed after this amount of time (specified in milliseconds) |
Connector Server Name |
Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server. |
destination |
This value must be unique. This is a mandatory connection parameter needed for SAPJCo to interact with the SAP System. Sample value: The value specified has to be unique to each instance of the IT Resource. |
dummyPassword |
Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. See Configuring Password Changes for Newly Created Accounts for more information about this parameter. |
grcLanguage |
Enter the two-letter code for the language set on the GRC system. Sample value: |
grcPassword |
Enter Password of the GRC System. |
grcUsername |
Enter User name of the GRC System. |
host |
Host name of the resource |
jcoGroup |
Group of SAP application servers |
jcoSAPRouter |
SAP router string to be used for a system protected by a fire wall |
jcoTrace |
Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: |
jcoTraceDir |
Absolute path to the directory where the trace files will be created |
language |
Enter the two-letter code for the language set on the target system Default value: |
loadBalance |
Enter Default value: |
masterSystem |
Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: Here the sample value is based on the following format used in SAP system: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number. |
maxBAPIRetries |
Maximum Number retries for BAPI execution. Default value: |
msHost |
Enter the host name of the message server |
msServ |
(Optional) SAP message server port to be used instead of the default sapms |
password |
When using normal authentication, password of the User account |
r3Name |
Enter the host name of the SAP R/3 or SAP CUA system |
retryWaitTime |
Connection retry wait time Default value: |
sncLib |
Enter the full path and name of the crypto library on the target system host computer This is required only if SNC is enabled. Sample value: |
sncName |
SNC system name Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: |
sncPartnerName |
Enter the domain name of the target system host computer Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: |
sncProtection Level |
Enter the protection level (quality of protection, QOP) at which data is transferred The value can be any one of the following numbers:
Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Default value: |
sncX509Cert |
The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC Note: You must remove all new line characters from the certificate. |
systemNumber |
SAP system number Default value: |
TopologyName |
Name of the topology of the target system host computer Default value: |
user |
When using normal authentication, a user name that has permissions to create new accounts |
useSNC |
Enter Default value: |
To save the values, click Update.
During the installation of the connector, a default IT resource for the connector server for SAP UM is created with the name, SAP UM IT Resource.
To create the IT resource for the Connector Server:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to Oracle Identity System Administration.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Create IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then:
In the left pane under Configuration, click IT Resource.
In the Manage IT Resource page, click Create IT Resource.
On the Step 1: Provide IT Resource Information page, perform the following steps:
IT Resource Name: Enter a name for the IT resource.
IT Resource Type: Select Connector Server from the IT Resource Type list.
Remote Manager: Do not enter a value in this field.
Click Continue. Figure 2-2 shows the IT resource values added on the Create IT Resource page.
Figure 2-2 Step 1: Provide IT Resource Information
On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource and then click Continue. Figure 2-3 shows the Step 2: Specify IT Resource Parameter Values page.
Figure 2-3 Step 2: Specify IT Resource Parameter Values
Table 2-7 provides information about the parameters of the IT resource.
Note:
See Step 8 of Installing and Configuring the Connector Server for the values to be specified for the parameters of the IT resource.
Table 2-7 Parameters of the IT Resource for the Connector Server
Parameter | Description |
---|---|
Host |
Enter the host name or IP address of the computer hosting the connector server. Sample value: |
Key |
Enter the key for the connector server. |
Port |
Enter the number of the port at which the connector server is listening. Default value: |
Timeout |
Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: A value of 0 means that the connection never times out. |
UseSSL |
Enter Default value: Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System. |
On the Step 3: Set Access Permission to IT Resource page, the SYSTEM ADMINISTRATORS
group is displayed by default in the list of groups that have Read, Write, and Delete permissions on the IT resource that you are creating.
Note:
This step is optional.
If you want to assign groups to the IT resource and set access permissions for the groups, then:
Click Assign Group.
For the groups that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS
group and set the Read and Write permissions to this group, then you must select the respective check boxes in the row, as well as the Assign check box, for this group.
Click Assign.
On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of groups assigned to the IT resource, then:
Note:
This step is optional.
You cannot modify the access permissions of the SYSTEM ADMINISTRATORS
group. You can modify the access permissions of only other groups that you assign to the IT resource.
Click Update Permissions.
Depending on whether you want to set or remove specific access permissions for groups displayed on this page, select or deselect the corresponding check boxes.
Click Update.
On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a group from the IT resource, then:
Note:
This step is optional.
You cannot unassign the SYSTEM ADMINISTRATORS
group. You can unassign only other groups that you assign to the IT resource.
Select the Unassign check box for the group that you want to unassign.
Click Unassign.
Click Continue. Figure 2-4 shows the Step 3: Set Access Permission to IT Resource page.
Figure 2-4 Step 3: Set Access Permission to IT Resource
On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.
To proceed with the creation of the IT resource, click Continue. Figure 2-5 shows Step 4: Verify IT Resource Details page.
Figure 2-5 Step 4: Verify IT Resource Details
The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Continue. If the test fails, then you can perform one of the following steps:
Click Back to revisit the previous pages and then make corrections in the IT resource creation information.
Click Cancel to stop the procedure, and then begin from the first step onward.
Figure 2-6 shows the Step 5: IT Resource Connection Result page.
Figure 2-6 Step 5: IT Resource Connection Result
Click Finish. Figure 2-7 shows the IT Resource Created Page.
In SAP BusinessObjects AC 10, you need to download the WSDL files from SAP BusinessObjects AC before configuring the web services.
Since the connector only supports basic authentication, select the User ID/Password check box for the following web services supported from OIM:
WSDL | Description |
---|---|
GRAC_AUDIT_LOGS_WS |
Audit log web service |
GRAC_LOOKUP_WS |
Lookup service |
GRAC_REQUEST_STATUS_WS |
Request status web service |
GRAC _RISK_ANALYSIS_WOUT_NO_WS |
Risk analysis without request number. Note: For this WSDL, ReportFormat is a mandatory field from SP17. |
GRAC_SELECT_APPL_WS |
Select application web service |
GRAC_USER_ACCES_WS |
User access request service |
GRAC_SEARCH_ROLES_W |
Search role web service |
When you download the WSDL file, ensure to save it with the same name as mentioned in the SOA Management page. In addition, ensure that the folder containing WSDL files have read permission.
You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.
To localize field label that is added to the UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:
For Oracle Identity Manager 11g Release 2 PS2 and later (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file in the following manner:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. This procedure shows a sample edit for SAP User Management application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}"> <source>Title</source> </target> </trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL"> <source>Title</source> </target> </trans-unit>
Open the resource file from the connector package, for example SAPUM_ja.properties, and get the value of the attribute from the file, for example, global.udf. UD_SAP_TITLE = \u5F79\u8077.
Replace the original code shown in Step 6.b with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}"> <source>Title</source> <target>\u5F79\u8077</target> </trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL"> <source>Title</source> <target>\u5F79\u8077</target> </trans-unit>
Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.
If you have already deployed an earlier release of this connector, then upgrade the connector to the current release.
You can upgrade the SAP User Management connector while in production, and with no downtime. Your customizations will remain intact and the upgrade will be transparent to your users. All form field names are preserved from the legacy connector.
To upgrade the SAP User Management connector, perform the procedures described in the following sections:
Note:
Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, first perform the upgrade procedure in a test environment.
Direct upgrade to release 11.1.1.7.0 or later from release 9.x of the connector is not supported. You must first upgrade to release 11.1.1.6.0 from release 9.x and then upgrade to release 11.1.1.7.0 or later.
Before you perform an upgrade operation or any of the upgrade procedures, you must perform the following actions:
Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.
Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector.
Run the Oracle Identity Manager Delete JARs utility to delete the old connector bundle to the Oracle Identity Manager database.
See Also:
Delete JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Delete JARs utility
Depending on the environment in which you are upgrading the connector, perform one of the following steps:
Staging Environment
Perform the upgrade procedure by using the wizard mode.
Production Environment
Perform the upgrade procedure by using the silent mode.
See Also:
Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the wizard and silent modes
Perform the procedure described in this section to complete the steps that are required to post-upgrade.
See Also:
Upload JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for detailed information about the Upload JARs utility
If the connector is deployed on a Connector Server, then:
Stop the Connector Server.
Replace the existing connector bundle and lib JARs located in the CONNECTOR_SERVER_HOME/bundles and CONNECTOR_SERVER_HOME/lib directories respectively with the new connector bundles (bundle/org.identityconnectors.sapacum-12.3.0.jar and bundle/org.identityconnectors.sapum-12.3.0.jar) and lib JARs ( lib/sapac-oim-integration.jarlib/sapum-oim-integration.jar) from the connector installation media.
Start the Connector Server.
Reconfigure the IT resource of the connector.
When you run this utility, you are prompted to enter the login credentials of the Oracle Identity manager administrator, and the logger level, and log file location.
Create a new version of the process form.
Log in to Oracle Identity System Administration.
Create and activate a sandbox. See Creating and Activating a Sandbox.
Create a new UI form to view the upgraded fields. See Creating a New UI Form.
Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in the preceding step), and then save the application instance.
Publish the sandbox. Publishing a Sandbox.
Perform full reconciliation.
This operation updates the Unique Id resource object field and the lock status of the users. The lock status will be updated as per the value specified in the fvc.properties file for Release 9.x through Release 11.1.1.5.0 of the connector.
See Full and Incremental Reconciliationfor more information about this step.
Perform the postupgrade procedure in Managing Connector Lifecycle of Oracle Fusion Middlware Administering Oracle Identity Governance.
After upgrading the connector, you can perform delete reconciliation.
See Reconciliation Scheduled Jobs for the SAP UM Connector for more information about delete reconciliation.
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation.
To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory.
If you are using the connector release 9x, include the following entries:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE Parent;UD_SAPUSER
Example:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;V_9.1.2.6 ToVersion;v_11.1.1.5.0 Parent;UD_SAPUSER
If you are using the connector release 11.1.1.x, include the following entries:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE Parent;UD_SAPUSER
Example:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;V_11.1.1.5.0 ToVersion;v_11.1.1.6.0 Parent;UD_SAPUSER
Depending on the type of connector that you choose to upgrade, perform one of the following procedures:
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory.
If you are using the connector release 11.1.1.6.0, include the following entries:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
Example:
ResourceObject;SAPUM Resource Object FormName;UD_SAP FromVersion;V_11.1.1.6.0 ToVersion;v_11.1.1.7.0
Note:
While upgrading the connector, the following information will display. You must manually delete the following adapters and Event handlers:
The "sapacum ac remove child" and "sapacum add child" Adapters.
The "adpSAPACUMREMOVECHILD" and "adpSAPACUMADDCHILD" EventHandlers.
Perform the procedure described in this section to complete the postupgrade steps for the SoD validation of SAP BusinessObjects AC Access Risk Analysis:
Perform the procedure described in this section to complete the postupgrade steps for the SAP BusinessObjects AC Access Request Management:
Re-configure the SAPUM IT Resource IT resource.
You must manually update the decode value to None
for the following entries in the "Lookup.SAPAC10ABAP.Configuration" lookup definition:
roleLookupAccessURL
otherLookupAccessURL
auditLogsAccessURL
appLookupAccessURL
wsdlFilePath
userAccessAccessURL
requestStatusAccessURL
Run the PostUpgradeScript_SAPUM.sql script as follows:
Log into the Oracle Identity Manager database using the OIM DB User credentials.
Run the PostUpgradeScript_SAPUM.sql. This script is located in the Upgrade directory on the installation media.
Note:
You must change the task name of the bulk adapter after upgrade. For example, replace the task name "UD_SAPACUM Updated" with "UD_SAPUM Updated."
Run the following lookups:
SAP AC UM BusinessProcess Lookup Reconciliation
SAP AC UM CommType Lookup Reconciliation
SAP AC UM Company Lookup Reconciliation
SAP AC UM ContractUserType Lookup Reconciliation
SAP AC UM DateFormat Lookup Reconciliation
SAP AC UM DecimalNot Lookup Reconciliation
SAP AC UM FunctionalArea Lookup Reconciliation
SAP AC UM ItemProvAction Lookup Reconciliation
SAP AC UM LangComm Lookup Reconciliation
SAP AC UM Parameter Lookup Reconciliation
SAP AC UM Priority Lookup Reconciliation
SAP AC UM ReqInitSystem Lookup Reconciliation
SAP AC UM RequestType Lookup Reconciliation
SAP AC UM Role Lookup Reconciliation
SAP AC UM TimeZone Lookup Reconciliation
SAP AC UM Title Lookup Reconciliation
SAP AC UM UserGroup Lookup Reconciliation
SAP AC UM UserType Lookup Reconciliation
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory. If you are using the connector release 11.1.1.6.0, include the following entries:
ResourceObject;SAP AC UM Resource Object FormName;UD_SAP FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE FromVersion;V_11.1.1.6.0 ToVersion;v_11.1.1.7.0 ParentParent;UD_SAP_AC_MANAGER_FIRST_NAME;UD_SAP_AC_MNGR_FIRSTNAME ParentParent;UD_SAP_AC_MANAGER_LAST_NAME;UD_SAP_AC_MNGR_LASTNAME ParentParent;UD_SAP_AC_MANAGER_EMAIL;UD_SAP_AC_MNGR_EMAIL
Example:
ResourceObject;SAP AC UM Resource Object FormName;UD_SAP FromVersion;V_11.1.1.6.0 ToVersion;v_11.1.1.7.0 ParentParent;UD_SAP_AC_MANAGER_FIRST_NAME;UD_SAP_AC_MNGR_FIRSTNAME ParentParent;UD_SAP_AC_MANAGER_LAST_NAME;UD_SAP_AC_MNGR_LASTNAME ParentParent;UD_SAP_AC_MANAGER_EMAIL;UD_SAP_AC_MNGR_EMAIL
You can clone this connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.
Note:
Managing Connector Lifecycle in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about cloning connectors and the postcloning steps.
After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:
IT Resource
The cloned connector has its own set of IT resources. You must configure both the cloned connector IT resources and ensure you use the configuration lookup definition of the cloned connector.
Scheduled Job
The values of the Resource Object Name and IT Resource scheduled job attributes in the cloned connector refer to the values of the base connector. Therefore, these values (values of the Resource Object Name and IT resource scheduled job attributes that refer to the base connector) must be replaced with the new cloned connector artifacts.
Adapter
You must change the itResourceFieldName (Literal Value) in the Variable list of “sapum update” Adapter.For example UD_SAP_ITRESOURCECLONE To be the cloned IT Resource name , After Clone Update the itResourceFieldName (Literal Value) with Form name (e.g.: UD_SAP_ITRESOURCECLONE).
Lookup Definition
The cloned lookup definition (for example, Lookup.SAPABAP.ConfigurationCLONE) corresponding to the Lookup.SAPABAP.Configuration lookup definition has Code Key or Decode Key entries related to child form fields that still map to the old child form fields. You must change the values of these Code Key entries so that they map to the cloned child form fields.
For example, consider UD_CloneSAPRL and UD_CloneSAP_PRO to be the cloned child forms of the UD_SAPRL and UD_SAP_ PRO child forms respectively. After cloning, the Lookup.SAPABAP.ConfigurationCLONE lookup definition contains Code Key entries that correspond to the fields of the old child form UD_SAPRL and UD_SAP_ PRO respectively. To ensure that the Code Key entries point to the fields of the cloned child form (UD_CloneSAPRL and UD_CloneSAP_PRO), specify the following values in the corresponding Code Key or Decode Key columns:
UD_SPUMPC_P; UD_CloneSAP_PRO
UD_SPUMRC_P; UD_CloneSAPRL
Note:
You must update the respective child form field names manually in the required lookup definitions. For example, Lookup.SAPABAP.UM.ProvAttrMapClone.Process Tasks
You must change the literal value of the childTableName adapter variable from UD_SAPRL and UD_SAP_PRO to the cloned form names UD_CLONESAPRL anUD_CLONESAP_PRO, respectively in the following process tasks:
Add Role
Update Role
Remove Role
Add Profile
Remove Profile
Add Group
Remove Group
Add Parameter
Remove Parameter
Update Parameter
You must change the literal value of the parent form from UD_SAP to the cloned form name UD_SAPCLONED in the UD_SAP in the Bulk adapter process task.
Localization Properties
You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.
For example, the process form (UD_SAP) attributes are referenced in the Japanese properties file, SAPUM_ja.properties, as global.udf.UD_SAP_FIRST_NAME. During cloning, if you change the process form name from UD_SAPCL to global.udf.UD_SAPCL_FIRST_NAME, then you must add the process form attributes to global.udf.UD_SAP_FIRST_NAME.
Replicate changes made to the form designer to a new UI form
To do so, perform the procedure described in Postupgrade Steps for Release 11.1.1.6.0 of the Connector.