Performing Postconfiguration Tasks for the SAP User Management Connector

4 Performing Postconfiguration Tasks for the SAP User Management Connector

These are the tasks that you can perform after creating an application in Oracle Identity Governance.

4.1 Configuring Ports on the Target System

You can configure ports to enable communication between the target system and Oracle Identity Governance.

To enable communication between the target system and Oracle Identity Governance, you must ensure that the ports listed in Table 4-1 are open.

Table 4-1 Ports for SAP Services

Service	Port Number Format	Default Port
Dispatcher	32SYSTEM_NUMBER	3200
Gateway (for non-SNC communication)	33SYSTEM_NUMBER	3300
Gateway (for SNC communication)	48SYSTEM_NUMBER	4800
Message server	36SYSTEM_NUMBER	3600

To check if these ports are open, you can, for example, try to establish a Telnet connection from Oracle Identity Governance to these ports.

4.2 Configuring the Target System to Enable Propagation of User Password Changes

This section describes the procedures involved in configuring the target system to enable propagation of user password changes from the SAP CUA parent system to its child systems. You may need the assistance of the SAP Basis administrator to perform some of these procedures.

Configuring the target system involves the following tasks:

4.2.1 Gathering Required Information

The following information is required to configure the target system:

Note:

During SAP installation, a system number and client number are assigned to the server on which the installation is carried out. These items are mentioned in the following list.

Login details of an admin user having the permissions required to import requests
Client number of the server on which the request is to be imported
System number
Server IP address
Server name
User ID of the account to be used for connecting to the SAP application server
Password of the account to be used for connecting to the SAP application server

4.2.2 Creating an Entry in the BAPIF4T Table

The User Group field is one of the fields that holds user data in SAP. F4 values are values of a field that you can view and select from a list. To view F4 values of the User Group field, you must create an entry in the BAPIF4T table by running the SM30 transaction. Ensure that the entry in the table includes XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name.

4.2.3 Importing the Request

You must import the request to create the following custom objects in the SAP system.

Object Type	Object Name
Package	ZXLC
Function Group	ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR
Message class	ZXLCBAPI
Program	ZLCF4HLP_DATA_DEFINITIONS ZLCMS01CTCO ZLCMS01CTCO1 ZLCMS01CTP2 ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR
Search Help	ZXLC_ROLE ZXLC_SYS
Business object types	ZXLCGRP ZXLCHLP ZXLCPRF ZXLCRL ZXLCUSR
Table	ZXLCBAPIMODE ZXLCBAPIMODM ZXLCGROUPS ZXLCPRF ZXLCROLE ZXLCSTRING ZXLCSYSNAME

The xlsapcar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.

Importing the request into SAP involves extracting the request files and performing the request import operation as follows:

Using SAPCAR utility, extract the Cofile and Data file from "xlsapcar.sar" as:
xlsapcar.sar file location <Connecter Binaries>/sar
- K900397.G10
- R900397.G10
Import the request in both parent and child SAP system.

Note:
After importing the transport request, ensure the user details maintained while configuring CUA has the following authorizations in the child system. User details can be verified from the partner profile configured in WE20 for CUA.
For Authorization Object S_RFC:
- ACTVT: 16
- RFC_NAME:ZXLCRFC_ZXLCUSR_PW_CHANG
- RFC_TYPE: FUNC

4.3 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

4.3.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.3.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.3.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

In Identity System Administration, deactivate the sandbox.
Log out of Identity System Administration.
Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
In the Catalog, ensure that the application instance form for your resource appears with correct fields.
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.3.4 Creating an Application Instance

Create an application instance as follows.

In the left pane of the Identity System Administration, under Configuration, click Application Instances. The Application Instances page appears.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page appears.
Specify values for the following fields:
- Name: The name of the application instance.
- Display Name: The display name of the application instance.
- Description: A description of the application instance.
- Resource Object: The resource object name. Click the search icon next to this field to search for and Select SAP UM Resource Object.
- IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select SAP UM ITResource.
- Form: Select the form name (Creating a New UI Form).
Click Save.
The application instance is created.
Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Governance for detailed instructions.

4.3.5 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

Create and activate a sandbox.
Create a new UI form for the resource.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox.

4.4 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

Run the scheduled jobs for lookup field synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
Run the Catalog Synchronization Job scheduled job.

4.5 Setting Up the Advanced Configuration Values in Oracle Identity Governance

The Advanced Configuration settings are entered in Oracle Identity Governance when you create an application.

The following sections provide information on the entries in Advanced Configuration:

4.5.1 Linking of SAP HRMS and SAP ERP or SAP CUA Accounts

An SAP HRMS account created for a particular user can be linked with the SAP ERP or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP ERP or SAP CUA account.

You can duplicate this link in Oracle Identity Governance by using the following parameters of the Advanced Settings section:

validatePERNR: You enter yes as the value if your operating environment contains multiple SAP HRMS installations. If there is only one SAP HRMS installation, then enter no.
overwriteLink: You enter yes as the value if you want existing links in SAP to be overwritten by the ones set up through provisioning operations.

The following topics provide detailed information about the linking process:

4.5.1.1 About the Linking Process

An SAP HRMS account created for a particular user can be linked with the SAP R/3 or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP R/3 or SAP CUA account.

The following example describes the manner in which the linking process is performed:

An OIM User record is created for user John Doe through trusted source reconciliation with SAP HRMS. During creation, the user ID value is put in the User ID and Personnel Number attributes of the record.

Note:

The Personnel Number field is a hidden UDF on the OIM User form.
To provision an SAP R/3 or SAP CUA account for John, you enter and submit the required data on Oracle Identity System Administration.
The connector looks for the user's SAP HRMS account. If you entered yes as the value of validatePERNR attribute, then the connector checks for a match for the Personnel Number attribute on SAP HRMS.
After a match is found with an existing SAP HRMS account, the connector performs one of the following steps:
- If the value of overwriteLink advanced settings parameter is yes, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account. This is regardless of whether that infotype contains a value.
- If the value of overwriteLink advanced settings parameter is no, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account only if that subtype does not hold a value.

The Create Link task is one of the tasks that are run during the Create User provisioning operation. You can, if required, remove this task so that it is not displayed in the list of tasks that are run. Use the Design Console for this operation.

4.5.1.2 Enabling Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts

To enable linking of SAP HRMS and SAP R/3 or SAP CUA accounts, perform the following steps:

In the Design Console, expand Process Management and then double-click Process Definition.
Search for and open the SAP UM Process form.
Double-click the Create User task to open the Editing Task:Create User dialog box.
In the Responses tab, select the SUCCESS response, as shown in the following screenshot.

Description of the illustration link_ac1.gif
Click Assign.
In the new dialog box, select the Create Link task, as shown in the following screenshot.

Description of the illustration link_ac2.gif
The Create Link task will appear in the Tasks To Generate region for the SUCCESS response, as shown in the following screenshot.

Description of the illustration link_ac3.gif
Save the changes and close the dialog box.

4.5.2 Configuring Password Changes for Newly Created Accounts

For information about configuring password changes for newly created accounts, see Configuring Password Changes for Newly Created Accounts.

4.6 Managing Logging for the SAP UM Connector

Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

4.6.1 Understanding Log Levels

When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

SEVERE.intValue()+100

This level enables logging of information about fatal errors.
SEVERE

This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.
WARNING

This level enables logging of information about potentially harmful situations.
INFO

This level enables logging of messages that highlight the progress of the application.
CONFIG

This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST

These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 4-2.

Table 4-2 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SEVER are the domain name and server name specified during the installation of Oracle Identity Governance.

4.6.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

Edit the logging.xml file as follows:

Add the following blocks in the file:

<log_handler name='sap-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='[FILE_NAME]'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>

<logger name="ORG.IDENTITYCONNECTORS.SAP" level="[LOG_LEVEL]" useParentHandlers="false">
     <handler name="sap-handler"/>
     <handler name="console-handler"/>
   </logger>

If you are using SAP GRC, then add the following block:

<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="[Log_LEVEL]" useParentHandlers="false">
     <handler name="sap-handler"/>
     <handler name="console-handler"/>
</logger>

If you are using Application onboarding, then add the following block:

<logger name='oracle.iam.application' level="[Log_LEVEL]" useParentHandlers='false'>
     <handler name='sap-handler'/>
     <handler name='console-handler'/>  
</logger>

Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 4-2 lists the supported message type and level combinations.

Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

<log_handler name='sap-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>

<logger name="ORG.IDENTITYCONNECTORS.SAP" level="NOTIFICATION:1" useParentHandlers="false">
     <handler name="sap-handler"/>
     <handler name="console-handler"/>
   </logger>

If you are using SAP GRC, then add the following block:

<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="NOTIFICATION:1" useParentHandlers="false">
     <handler name="sap-handler"/>
     <handler name="console-handler"/>
</logger>

If you are using Application Onboarding, then add the following block:

<logger name='oracle.iam.application' level="NOTIFICATION:1" useParentHandlers='false'>
     <handler name='sap-handler'/>
     <handler name='console-handler'/>  
</logger>
</logger>

With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

Save and close the file.
Set the following environment variable to redirect the server logs to a file:

For Microsoft Windows:
```
set WLS_REDIRECT_LOG=FILENAME
```
For UNIX:
```
export WLS_REDIRECT_LOG=FILENAME
```
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.

Note:

In an Oracle Identity Governance cluster, perform this step on each node of the cluster.

4.7 Configuring the Access Request Management Feature of the Connector

Access Request Management is a module in the SAP GRC suite. In an SAP environment, you can set up Access Request Management as the front end for receiving account creation and modification provisioning requests. In Access Request Management, workflows for processing these requests can be configured and users designated as approvers act upon these requests.

Oracle Identity Governance can be configured as the medium for sending provisioning requests to SAP GRC Access Request Management. A request from Oracle Identity Governance is sent to Access Request Management, which forwards the provisioning data contained within the request to the target system (SAP ERP or SAP CUA). The outcome is the creation of or modification to the user's account on the target system.

Note:

Before you configure the Access Request Management feature, it is recommended that you read the guidelines described in Guidelines on Using a Deployment Configuration

See Configuring Request Types and Workflows on SAP GRC Access Request Management for more information about configuring the Access Request Management feature.

4.7.1 Configuring Request Types and Workflows on SAP GRC Access Request Management

You must create and configure request types and workflows on SAP GRC Access Request Management for provisioning operations.

Create a request type in SAP GRC Access Request Management.

A request type In SAP GRC Access Request Management defines the action that is performed when a request is processed. Oracle Identity Governance is a requester. It works with request types defined in SAP GRC Access Request Management. The application advanced configuration maps request types to provisioning operations submitted through Oracle Identity Governance.
Create an access request workflow using the MSMP (Multi Step Multi process) Workflow Engine.

4.8 Configuring SoD (Segregation of Duties)

SoD is a process that ensures that every individual is given access to only one module of a business process and will not be able to access other modules to reduce risk of fraud and error.

This section provides information on the following procedures:

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAP, UD_SAPRL, and UD_SPUM_PRO process forms. This is required to enable the following process:

During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.

4.8.1 Specifying Values for the GRC-ITRes IT Resource

The GRC-ITRes IT resource holds information that is used during communication with SAP GRC Access Request Management. To set values for the parameters of this IT resource:

For Oracle Identity Governance 12.2.1.3.0, log in to Oracle Identity System Administration.
In the left pane under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter GRC-ITRes and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.

Specify values for the parameters of the IT resource.

Table 4-3 lists the parameters of the GRC-ITRes IT resource.

Table 4-3 Parameters of the GRC-ITRes IT Resource

Parameter	Description
language	Enter the two-letter code for the language set on the target system. Sample value: `EN`
Connector Server Name	Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server.
password	Enter the password of the account created on Access Request Management system.
port	Enter the number of the port at which Access Request Management system is listening. Sample value: `8090`
server	Enter the IP address of the host computer on which Access Request Management system is listening. Sample value: `10.231.231.231`
username	Enter the user name of an account created on Access Request Management system. This account is used to call Access Request Management system APIs that are used during request validation. Sample value: `jdoe`

To save the values, click Update.

4.8.2 Configuring SAP GRC to Act As the SoD Engine

To configure SAP GRC to act as the SoD engine, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager at for 11g Release 1 (11.1.2).

4.8.3 Verifying Entries Created in the Lookup.SAPABAP.System Lookup Definition

The Lookup.SAPABAP.System lookup definition is automatically populated with system names when you run lookup field synchronization. After synchronization, you must open this lookup definition and ensure that only entries for systems that you want to use for the SoD validation process are retained in this table.

4.8.4 Specifying a Value for the TopologyName of Basic Configuration Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation:

Oracle Identity Governance installation
SAP GRC installation
SAP ERP installation

Enter sodgrc as the value of the TopologyName parameter.

For more inofmration about this element, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.2.0).

See Basic Configuration Parameters for information about specifying values for parameters of Basic Configuration.

4.8.5 Disabling and Enabling SoD

This section describes the procedure to disable and enable SoD on Oracle Identity Governance.

4.8.5.1 Disabling SoD on Oracle Identity Governance

To disable SoD:

For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.
In the left pane, under System Management, click System Configuration.
In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

A list that matches your search criteria is displayed in the search results table.
Click the XL.SoDCheckRequired property name.

System properties for SoD are displayed on the right pane.
In the Value box, enter FALSE to disable SoD.
Click Save.
Restart Oracle Identity Governance.

4.8.5.2 Enabling SoD on Oracle Identity Governance

To enable SoD:

For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.
In the left pane, under System Management, click System Configuration.
In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

A list that matches your search criteria is displayed in the search results table.
Click the XL.SoDCheckRequired property name.

System properties for SoD are displayed on the right pane.
In the Value box, enter TRUE to enable SoD.
Click Save.
Restart Oracle Identity Governance.

4.9 Configuring SNC to Secure Communication Between Oracle Identity Governance and the Target System

Oracle Identity Governance uses a Java application server. To connect to the SAP system application server, this Java application server uses the SAP Java connector (JCo). If required, you can use Secure Network Communication (SNC) to secure communication between Oracle Identity Governance and the SAP system.

This section provides information on the following topics:

4.9.1 Prerequisites for Configuring the Connector to Use SNC

The following are prerequisites for configuring the connector to use SNC:

SNC must be activated on the SAP application server.
You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.

4.9.2 Installing the Security Package

To install the security package on the Java application server used by Oracle Identity Governance:

Download SAP Cryptolib for encrypted communication with Oracle Identity Governance.

The necessary SAP Cryptolib for the encrypted communication of third-party software can be downloaded directly from the SAP Service Marketplace.
Extract the contents of the SAP Cryptographic Library installation package. This package contains the following files:
- SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.ext for UNIX)
- A corresponding license ticket (ticket)
- The configuration tool, sapgenpse.exe
Copy the library and the sapgenpse.exe file into a local directory. For example: C:/usr/sap
Check the file permissions. Ensure that the user under which the Java application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse.exe file.
Create the sec directory inside the directory into which you copy the library and the sapgenpse.exe file.

Note:

You can use any names for the directories that you create. However, creating the C:\usr\sap\sec (or /usr/sap/sec) directory is SAP recommendation.
Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.

See Also:

Configuring SNC
Set the SECUDIR environment variable for the Oracle WebLogic Application Server user to the sec directory.

Note:

From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined in SECUDIR environment variable.
Set the SNC_LIB and PATH environment variables for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.

For Linux: Export LD_LIBRARY_PATH and PATCH

4.9.3 Configuring SNC

To configure SNC:

Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:
1. To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.
2. Enter a command similar to the following to create the PSE:
```
sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
```
  The following is a sample distinguished name:
```
CN=SAPJ2EE, O=MyCompany, C=US 
```
  The sapgenpse command creates a PSE in the SECUDIR directory.
Create credentials for the Java application server.

The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:
```
Sapgenpse seclogin
```
Then, enter the following command to open the PSE of the server and create the credentials.sapgenpse file:
```
seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID 
```
The user_ID that you specify must have administrator rights. PSE_NAME is the name of the PSE file.

The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.
Exchange the public key certificates of the two servers as follows:

Note:

If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.
1. Export the Oracle Identity Governance certificate by entering the following command:
```
sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
```
2. Import the Oracle Identity Governance certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.
  Use one of the following ways to set up SNC on the SAP application server:
  - Certificate or User Mapping
  - Rule based Certificate Mapping
  If you do not want to map each user with the certificate and use batch processing, define a general rule-based certificate mapping to enable NetWeaver map user certificates automatically.
3. Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.
4. Import the SAP application server certificate into Oracle Identity Governance by entering the following command:
```
sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
```
Configure the following parameters in the SAP UM ITResource IT resource object:
- SAP lib
- SAP mode
- SAP myname
- SAP partnername
- SAP qop

4.10 Configuring the IT Resource for the Connector Server

If you have used the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.

After you create the application for your target system, you must create an IT resource for the Connector Server as described in Creating IT Resources of Oracle Fusion Middleware Administering Oracle Identity Governance. While creating the IT resource, ensure to select Connector Server from the IT Resource Type list. In addition, specify values for the parameters of IT resource for the Connector Server listed in Table 4-4. For more information about searching for IT resources and updating its parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.

Table 4-4 Parameters of the IT Resource for the SAP UM Connector Server

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the Connector Server. Sample value: `myhost.com`
Key	Enter the key for the Connector Server.
Port	Enter the number of the port at which the Connector Server is listening. Default value: `8759`
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Governance times out. If the value is zero or if no value is specified, the timeout is unlimited. Recommended value: `0`
UseSSL	Enter `true` to specify that you will configure SSL between Oracle Identity Governance and the Connector Server. Otherwise, enter `false.` Default value: `false` Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL, see Configuring SSL for Java Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.11 Downloading WSDL files from SAP GRC

In SAP GRC 10 or later, you need to download the WSDL files from SAP GRC before configuring the web services.

Since the connector only supports basic authentication, select the User ID/Password check box for the following web services supported from OIG:

WSDL	Description
GRAC_AUDIT_LOGS_WS	Audit log web service
GRAC_LOOKUP_WS	Lookup service
GRAC_REQUEST_STATUS_WS	Request status web service
GRAC _RISK_ANALYSIS_WOUT_NO_WS	Risk analysis without request number. Note: For this WSDL, ReportFormat is a mandatory field from SP17.
GRAC_SELECT_APPL_WS	Select application web service
GRAC_USER_ACCES_WS	User access request service
GRAC_SEARCH_ROLES_W	Search role web service

When you download the WSDL file, ensure to save it with the same name as mentioned in the SOA Management page. In addition, ensure that the folder containing WSDL files have read permission.

4.12 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.

To localize field label that is added to the UI forms:

Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:

SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

Note:
You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF.

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

<file source-language="en" target-language="ja"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for SAP User Management application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}">
<source>Title</source>
</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL">
<source>Title</source>
</target>
</trans-unit>

Open the resource file from the connector package, for example SAPUM_ja.properties, and get the value of the attribute from the file, for example, global.udf. UD_SAP_TITLE = \u5F79\u8077.

Replace the original code shown in Step 6.b with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}">
<source>Title</source>
<target>\u5F79\u8077</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL">
<source>Title</source>
<target>\u5F79\u8077</target>
</trans-unit>

Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_ja.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Governance.

4.13 Synchronizing the SAPUM Process Form Field Length Needs with the Target Field Length

Ensure that the field length of the values of an attribute coming from the target system should be in bounds of the length of values of attributes in SAPUM process form.