Release notes - IBM® Tivoli® Identity Manager SAP NetWeaver Adapter 5.1.16

IBM Tivoli Identity Manager SAP NetWeaver Adapter 5.1.16 is available. Compatibility, installation, and other getting-started issues are addressed.

Preface

Welcome to the IBM Tivoli Identity Manager SAP NetWeaver Adapter.

These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:

  • IBM Tivoli Identity Manager SAP NetWeaver Adapter Installation and Configuration Guide

Adapter Features and Purpose

The SAP NetWeaver Adapter is designed to create and manage accounts on a target SAP NetWeaver ABAP server. The adapter runs in "agentless" mode and communicates using standard BAPI and RFC methods supplied with the SAP server. Communication to these BAPI and RFC methods is enabled by the SAP Java Connector (JCo) API.

IBM recommends the installation of this adapter (and the prerequisite Tivoli Directory Integrator) on each node of an Identity Manager WAS cluster. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.

The Identity Manager adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

Contents of this Release

Adapter Version

Component / Version

Build Date
2014 December 26 09.10.19

Adapter Version
5.1.16

Component Versions
Adapter build: 5.1.16.115
Profile: 5.1.16.115
Connector: 5.1.16.115
Dispatcher 5.1.27 and above

Documentation
IBM Tivoli SAP NetWeaver Adapter Installation and Configuration Guide SC23-9660-02

New Features

Enhancement # (FITS) / Description

Items included in 5.1.16 release

56603 (30577)
Support for JCo 3.0.11 and JCo 3.0.12

Items included in 5.1.15 release

30827 (17639)
Need SAP adapter to support the choice between permanent and temp passwords. See "RFE: 30827 (17639) Need SAP adapter to support the choice between permanent and temp passwords" and "Known Limitation" sections for more details.

44533 (26530)
ISIM - SAP Adapter Force Password change on first Login. See "44533 (26530) ISIM - SAP Adapter Force Password change on first Login:" and "Known Limitation" sections for more details.

29172 (16477)
Additional provisioning attributes in SAP Adapters (Full Name). See “RFE: 29172 (16477) Additional provisioning attributes in SAP Adapters (Full Name)” section for more details.

43484 (25795)
Support for SAP RFCs using COMMIT in SAP NW Adapter. See “RFE: 43484 (25795) Executing multiple BAPI module with State-full connection” in configuration notes section.

34287 (19692)
Need the capability to encrypt the passwords in SAPNotify.props file for SAP NetWeaver Adapter. See “34287 (19692)- Need the capability to encrypt the passwords in SAPNotify.props file for SAP NetWeaver Adapter” section for more details.

Items included in 5.1.14 release

41916 (24746)
Support for Type B connection

42849 (25385)
Support for SAP NW 740

Items included in 5.1.13 release

No items included.

Items included in 5.1.12 release

INT75752
Support for productive password change over SNC. See "Productive Password Support" and "Known Limitation" sections for more detail.

RFE30855
Request Justification should be passed in SAP GRC Adapter Extensions for suspend / restore

Items included in 5.1.11 release

INT67835
Support for JCo 3.0.9

INT63625
Support for SAP 7.3

Items included in 5.1.10 release

INT67111
The adapter no longer supports SAP Basis version v620 and v640.

Items included in 5.1.9 release

RFE25044
Modify Request Details web service call in GRC10 Notification component. The notifier was rejecting legitimately approved requests because incorrect item status was being returned by the Request Details web service. The functionality to inspect individual item status was removed and calls to the Request Details web service have been removed from the notifier. The side-effect is that it is now possible to attempt to provision an approved request from GRC 10.0 that contains no approved accounts or roles.

RFE23969
SAP NW - SAP GRC 10 Adapter has hardcoded values for ersapgrcpriority. Previously, the adapter supported a default set of GRC 10.0 priorities only. The adapter can now support customised GRC 10.0 priority codes by use of the ITIM Form Designer.

Items included in 5.1.8 release

INT56285
SAP GRC Notification component authentication change. Due to the new authentication method provided in ISIM 6.0, an authentication factory was added that determines which client authentication method to use depending upon the version of ITIM or ISIM.

INT59356
GRC Configuration guide update to include how to enable debug logging for GRC workflow configuration.

Items included in 5.1.7 release

MR0915114459
SAP GRC: Support for SAP GRC V10

MR022311456
SAP GRC: Support for SAP GRC V10

MR0719116529
SAP NW - SAP Attribute "PARAMETER" limited to 18 characters. According to SAP, the data structure of the BAPI is limited to 18 characters for each parameter value. SAP increased the length of the values to 40 characters and extended the BAPI by adding another data table. By default, the adapter supports PARAMETER. However, PARAMETER1 can be incorporated into the adapter by making XSL modifications. A technote entitled "Using ITIM Adapter for SAP NetWeaver to Manager 'PARAMETER1' attribute" that describes how to make use of PARAMETER1 instead of PARAMETER has been created and is available here:

http://www-01.ibm.com/support/docview.wss?uid=swg21588145

INT51074
Support for JCo 3.0.8

Items included in 5.1.6 release

MR033011116
SAP GRC adapter to action risk approval from SAP. Customer would like the SAP GRC adapter profile to ship with workflows that action risk approval data sent from SAP. To implement this MR an additional "NetWeaver + GRC" profile has been created that reuses the NetWeaver attributes (where possible) on a SAP GRC (Access Control 5.3) request. A workflow component has been developed to give the adapter the ability to submit requests to GRC for the purpose of performing a "Separation Of Duty" check prior to provisioning the account using the NetWeaver adapter. A notification component has been developed for the purpose of updating PENDING ITIM workflows with the result of completed GRC requests. The GRC and NetWeaver components of the adapter integrate at the ITIM workflow level, and require workflow enhancement in ITIM. For more details, check the SAP NetWeaver Adapter Installation Guide.

MR0627115334
ITIM SAP GRC Adapter: Reconciliation of risk analysis result. Make it possible for SAP GRC to return the outcome of the risk analysis and possible approval back to TIM. While "reconciliation" of risk analysis results from SAP GRC to ITIM cannot be done, the work done to address MR033011116 means that it is now possible to return GRC request completion results to an ITIM workflow using the "Blocking" GRC workflow extensions provided with this release and running the notification service to update PENDING ITIM workflows with the outcome of completed GRC requests.

Items included in 5.1.5 release

MR052710291
The NetWeaver Adapter did not have an option to hide indirectly assigned SAP roles. The adapter no longer returns single roles which are part of a composite role during reconciliation.

MR1130102136
When an account modify operation was performed, the default setting of the NetWeaver adapter was to replace all roles in SAP with the roles that have been specified for the account in ITIM. This had the effect of removing any roles in SAP that had not yet been reconciled into ITIM. The default behavior of the modify operation has been changed. Now, when an account modify operation is performed, the adapter looks up the list of roles in SAP and adds any roles that do not exist in ITIM to the list of roles that will be sent to SAP, in addition to adding/removing roles for that account. The outcome is that all pre-existing roles for an account in SAP will remain unless they have been explicitly marked for deletion by the account modify operation in ITIM.

N/A
Support for TDI 7.1

N/A
Support for JCo 3.0.7
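The role-merge rule introduced for MR1130102136 is easy to misread, so the following added example (not adapter code, and not from IBM) models both behaviours over constructed sample data: the pre-5.1.5 "replace all roles" rule and the 5.1.5 rule that carries over SAP roles unknown to ITIM before applying the request's adds and removes. All role names and the ModifyRequest structure are constructed for illustration.

```python
"""Role-set computation for an account modify, as described for MR1130102136.

Added example, not adapter code. It contrasts the adapter's original
"replace all roles" behaviour with the merge behaviour introduced in 5.1.5,
using constructed sample data. Role names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModifyRequest:
    """Roles ITIM records for the account plus the explicit changes in the request."""
    itim_roles: frozenset   # roles currently recorded for the account in ITIM
    add: frozenset          # roles the modify request adds
    remove: frozenset       # roles the modify request explicitly removes


def roles_replace_all(req: ModifyRequest, sap_roles: frozenset) -> frozenset:
    """Pre-5.1.5 behaviour: SAP ends up with exactly the ITIM view.

    sap_roles is deliberately ignored, so any role assigned in SAP but not yet
    reconciled into ITIM is dropped from the account.
    """
    return (req.itim_roles | req.add) - req.remove


def roles_merge(req: ModifyRequest, sap_roles: frozenset) -> frozenset:
    """5.1.5 behaviour: roles present in SAP but unknown to ITIM are carried
    over, then the request's adds and removes are applied."""
    unknown_to_itim = sap_roles - req.itim_roles
    return (unknown_to_itim | req.itim_roles | req.add) - req.remove


def roles_lost_by_replace(req: ModifyRequest, sap_roles: frozenset) -> frozenset:
    """Roles the old behaviour would silently strip from the SAP account:
    exactly the SAP-side assignments not yet reconciled into ITIM."""
    return roles_merge(req, sap_roles) - roles_replace_all(req, sap_roles)


# Constructed sample: SAP holds a role (Z_LOCAL_GRANT) that was assigned
# directly in SAP and has not been reconciled into ITIM yet.
SAP_ROLES = frozenset({"Z_FI_DISPLAY", "Z_MM_BUYER", "Z_LOCAL_GRANT"})
REQUEST = ModifyRequest(
    itim_roles=frozenset({"Z_FI_DISPLAY", "Z_MM_BUYER"}),
    add=frozenset({"Z_HR_REPORTING"}),
    remove=frozenset({"Z_MM_BUYER"}),
)

if __name__ == "__main__":
    print("replace-all sends:", sorted(roles_replace_all(REQUEST, SAP_ROLES)))
    print("merge sends:      ", sorted(roles_merge(REQUEST, SAP_ROLES)))
    print("lost by replace:  ", sorted(roles_lost_by_replace(REQUEST, SAP_ROLES)))
```

With the merge rule, a role granted directly in SAP survives an ITIM modify, so a full or filtered reconciliation remains the control that brings such assignments into ITIM's view.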


Items included in 5.1.4 release

MR0211083748
The performance of the reconciliation process has been improved. In previous releases of the adapter, a connection was opened between the adapter and the target SAP systems at the start of the reconciliation. This same connection was used to read account details for all users. The connection was then closed at the completion of the reconciliation. In some cases, this resulted in a measurable resource leak on the target SAP server with associated performance degradation. To remedy this situation, the adapter now resets its connection to SAP after every 300 uses of the connection. This has the effect of freeing resources on the target SAP system and maintaining overall performance.

Items included in 5.1.3 release

N/A
New extension feature added. The account locking optional extension prevents the adapter from unlocking SAP accounts which have been locked by a local SAP administrator outside of ITIM. With the locking extension deployed and enabled, the adapter will only unlock accounts which have been locked because the maximum number of failed password logon attempts was reached. The locking extension also enables the adapter to propagate unlock attempts to CUA child systems, while still preserving administrator-set locks. This propagation enables the adapter to unlock an account on a CUA child system which has been locked due to failed login attempts.

N/A
Support for TDI 7.0

Items included in 5.1.1 release

MR090408134
Adapter ability to communicate with multiple SAP message servers. The adapter can connect to SAP ABAP target servers via a SAP message server per adapter service. This can be enabled by defining Optional RFC Connection Parameters for the adapter service in ITIM.

Items included in 5.1.0 release

Initial release

Closed Issues

INTERNAL# / APAR# / PMR# / Description

Items included in 5.1.16 release

IV64712
Add clear error message if "SAP Logon Language" service parameter is missing.

Items included in 5.1.15 release

No items included.

Items included in 5.1.14 release

IV58070
SAP GRC Adapter 10: SAP GRC AC Notifier not handling "Partially Approved" requests

IV56777
Adapter is dumping user data into log file when level set to INFO

10333,756,000
SAP GRC Adapter 10: Additional system line generated with access request to GRC

IV60566
SAP GRC Adapter 5.3: Notifier was not able to handle “REJECTED” and “CANCELED” message status from GRC.

Items included in 5.1.13 release

IV44432
Changed the optional RFC parameter delimiter from space to "|" to support spaces in cert DN etc.

Note: This fix will require an update to the service form. For details, refer to the 'Installation and Configuration Notes, Corrections to Installation Guide' section.

IV27993
Dispatcher doesn't single-thread SAP requests when max connection set to 1.

IV47023
ITIM SAP Netweaver adapter's GRC extensions do not interpret Decimal Notation appropriately.

INT89710
User modify removed all ersapgroup values.

Note: This fix will require an update to the service form. For details, refer to the 'Installation and Configuration Notes, Corrections to Installation Guide' section.

Items included in 5.1.12 release

No items included.

Items included in 5.1.11 release

IV29517
Role modification requests to GRC 10.0 do not contain add/retain/delete identifiers. The workflow extension that calls the GRC 10.0 UserAccessRequest web service has been modified to place ASSIGN, RETAIN or REMOVE provisioning actions for a set of roles in GRC 10.0, depending on the operations performed on the corresponding set of roles in ITIM.

INT71459
Set GRC10 role provisioning action to REMOVE on account DELETE operation.

INT70342
Logon language not sent to GRC 10.0. The value of the LogonLang parameter was corrected to map to ersapnwdefaultlang instead of ersapnwllanguage.

INT67599
The GRC Notification component was updated to handle a change made to the name and location of the enrole.encryption.password property in ISIM 6.0.

Items included in 5.1.10 release

INT62775
The password extension function of the SAP NW adapter has been completely rewritten. The extension has been redesigned around the productive password functions of SAP and is needed only for propagation of productive password resets to CUA child systems. Being based on standard SAP functions, all constraints and limitations of the SAP implementation and design are inherited by the adapter. Review the profile parameters for logon and password of your SAP ABAP server to ensure they match and support the password handling expectations of your IdM deployment requirements. Please refer to the following SAP notes for details: 862937, 1301479, 376856, 830493, 991968, 1287410, 1300104.

The only advanced mapping required for the password extension is for "Change Password Advanced Mapping". The mapping is required for CUA deployments only, not for a standalone ABAP server. For CUA deployments, the following advanced mapping should be configured on the adapter service in your ITIM server:

Change Password Basic XSL Stylesheets (Multi-valued) : xsl/sapnw_bapi_user_change.xsl xsl/sapnw_tivsecty_distribute_pwd.xsl.

Items included in 5.1.9 release

IV25892
During provisioning of a SAP Account the fields "Valid From" (ersapnwdatefrom) and "Valid To" (ersapnwdateuntil) are incorrectly shown in SAP GRC 10.0. "Valid From" contains value specified for "Valid To". "Valid To" value is shown as 31.12.1999. The Access Request workflow extension was modified to correctly set the "Valid From" and "Valid To" fields on a GRC 10.0 Access Request.

INT65329
Error message misleading when an invalid email address is entered. The GRC 10.0 Access Request WFE catches email addresses entered on the Communications tab that do not abide by the syntax described in the "Special Attributes" section of the NetWeaver installation guide.

Items included in 5.1.8 release

IV19858
SAP Child system not being updated with License data. A tab for CUA Systems License Data was added to the account form to enable multi-valued license data for CUA systems to be edited by the adapter.

IV21357
Wrong steps listed for GRC10 workflow setup in ITIM_SAPGRC.pdf document. The workflow setup instructions have been corrected.

IV21521
Issue with runNotifierWAS7.sh results in WAS connection failure. The GRC notification component scripts were edited to add the CLIENTSSL environment variable.

INT57316
The SAPGRC10UpdateAccountAttributesExtension and all non-blocking WFEs for both the GRC 5.3 and GRC 10.0 integrations return ActivityResult 'RS' instead of 'SS', if workflow activity completion is successful. For consistency with the other WFEs provided for the SAP GRC integration, the return code that these workflow extensions use to indicate success has been modified to 'SS'.

Items included in 5.1.7 release

IV09405
The following error message was being received when modifying a substituter's account -- "CTGDIK219E Unable to execute RFC 'BAPI_USER_CHANGE'. The message is: 'CTGDIK210E Length of supplied value for field 'SUBSTITUTE_FROM' exceeds maximum length '8'.'. (0)". To correct this issue, the templates that populate the attributes SUBSTITUTE_FROM and SUBSTITUTE_UNTIL in sapnw_bapi_user_change_licensedata.xsl were reformatted from "YYYYMMDDhhmmZ" to "YYYYMMDD".

IV11818
sapnw_bapi_user_system_assign.xsl was edited to ignore CUA systems that have empty names. The HR Transport ABAP code was modified to force SAP to commit a HR record after it had been altered, to prevent the occurrence of intermittent and unreproducible HR record locks. The installation guide documentation was updated in order to clarify the difference between XSL advanced mappings for CUA and non-CUA systems. The RFC debug option was removed from the service form due to JCO RFC trace no longer working.

INT52428
The service.def file contained an invalid service group definition "erSAPagrname". To correct the problem the service group name has been removed from service.def.

IV02652
Initialisation steps were not being performed for the ersapnwllanguage attribute in the SAPNWAssemblyLines.xml. The value of the attribute was formerly hard-coded in the assembly line to "EN".

INT49087
Edit release notes to address using TDI and SAP JCO on 64-bit AIX.

Items closed in 5.1.6 version

IV03677
SAP NW - Email address set by SAP NW adapter is unusable for SAP standard program to generate mails. SAP support has been involved, and concluded that the issue is that the ITIM SAP adapter sets "01" in the CONSUMER column of the ADR6 table, but it should be "001". While this problem only affects the ADK adapter, example text in the SAP NetWeaver Adapter installation and configuration guide was updated to reflect this change.

Items closed in 5.1.5 version

IZ64088
Overcoming the error when the user supplies an advanced filter when executing a recon operation. The Assembly Line was updated to include handling for complex recon filters.

IZ72594
Unable to successfully import the SAP NW adapter. The adapter installation guide has been updated to specify the minimum supported version of Tivoli Directory Server as Version 6.0 or greater.

IZ72625
Allow to set SAP NetWeaver Role End Date to 9999. The Profile has been modified such that the End Date of SAP Authorization Roles can now be selected as the year 9999.

IZ76265
The ersapnwdisablepwd attribute is set to TRUE or FALSE through add and modify operations, but CODVN is not being set correctly in the call to SAP. The attribute is now handled in such a way that the account is updated in SAP to disable the account password instead of locking the account.

IZ80739
"Valid To" attribute of SAP account only up to 31 Dec 2010. The maximum year for the "Valid To" attribute has been changed to the year 2099.

IZ83000
The attribute erlastaccessdate is no longer returned by the adapter during reconciliations. SAP does not provide a supported method to read the time component of this value, which the ITIM server requires for the attribute.

IZ86193
Automatic account creation from ITIM for an account that already existed in SAP. As expected, the account add shows a failure as the user already existed in SAP, but the add operation changed the existing permissions for the account in SAP. This issue has been rectified so that the permissions are not changed.

IZ86887
SAP adapter encounters CTGDIS792I error indicating SAP HR personnel records are locked and can't be updated. To address this issue the advanced mappings for HR have been updated to include an RFC call to SAP that performs a commit prior to performing the HR operation.

IZ87568
SAP adapter cannot set timezone on add but can on modify request. The sapnw_bapi_user_create.xsl stylesheet was modified to correct how the time zone element is handled.

IZ89229
SAP adapter HR extension delimiting personnel number on account modifies. When using the HR extension and modifying an account attribute, the HR linking end date was being set to the current date. This was causing the personnel number to be delimited.

IZ92787
SAP account deletion fails with "CTGDIK210E Length of supplied value for field 'USERNAME' exceeds maximum length of '12'". The relevant XSLs have been modified to correct this issue with account deletion.

IZ96579
Call to SUSR_ZBV_LANDSCAPE_GET function module returns ERROR & WARNING on non-CUA systems. The logging mechanism now logs these particular CUA-related messages at the DEBUG logging level.

IZ98248
The SAP NetWeaver Adapter attribute ersapnwusergroups is defined as multi-value in ITIM although it is single-value in SAP, so the join behavior is 'Union' by default. To be able to create Provisioning Policy Entitlements for this attribute, the Join Behavior needs to be manually changed to 'Priority', and this needs to be done again after each adapter profile upgrade. In SAP this attribute, called "User Group", is single-value. To resolve this issue the ersapnwusergroups attribute has been changed from multi-value to single-value in schema.dsml.

IZ99374
The ersapnwsncflag attribute is not set correctly on user create or change. The relevant XSL transforms were modified to handle this attribute correctly, such that the "Unsecure Communication Permitted" box in SAP reflects the setting in ITIM.

IV01146
ITIM SAPNW ersapnwprntdelete attribute is empty after recon when it has been set in SAP. The sapnw_bapi_user_getdetail_postcall.xsl stylesheet was patched so that the value of the SPDA element returned by SAP becomes the value of ersapnwprntdelete during recon.

CMVC 101781
Update the documentation in regards to the deployment instructions for the SAP NetWeaver Adapter.

CMVC 103525
Added the following RMI Dispatcher service attributes to the SAP adapter, which can be accessed through the Dispatcher Attributes tab of the service form: ersapnwalfilesystempath, ersapnwmaxconnectioncount and ersapnwdisablealcache. These map to the dispatcher parameters ALFileSystemPath, MaxConnectionCnt and disablealcachperservice in the service definition.

CMVC 104664
Change standard email receives a warning message "W: (319)". The relevant XSL now indicates the set of modified email address(es) in TIM with the correct flag, thereby suppressing this particular warning message from being issued by SAP NetWeaver and then passed into the ITIM log.

IV02041
A newline and space characters are appended to ersapnwdateuntil (and other date fields) during reconciliation. The relevant stylesheets were modified to remove the newline and space characters from the affected date fields.

Items closed in 5.1.4 version

Previous versions of the adapter incorrectly returned generated profile assignments during reconciliation or lookup of SAP user accounts. This error has been corrected. By default, generated profile assignments will be returned to ITIM. If the previous incorrect behaviour is required, simply make copies of sapnw_bapi_user_getdetail_postcall.xsl and sapnw_tivsecty_bapi_user_getdetail_postcall.xsl.

Edit these copies, replacing the following line:

<xsl:apply-templates select="BAPIPROF[../BAPITYPE!='G']" />

with

<xsl:apply-templates select="BAPIPROF" />

Configure these copied files in the "Search User Basic Iterate Response XSL Stylesheets" for the ITIM SAP services.

63353,019,866 / 06602,422,000
If the adapter is unable to locate an account which has been selected for reconciliation, the account will be skipped and the reconciliation process will continue. If any other error conditions occur, the reconciliation will abort with an error status. If any ABAP warnings are detected during retrieval of an account, the account will be included in the reconciliation result and marked as successful.

IZ59253
07459,6X1,760 During high concurrent request loads, the TDI parameter values for connectors changed state. This resulted in intermittent connection errors due to incorrect connection parameter value usage in the SAP Netweaver Adapter Connectors. The Connectors now manage all parameter values internally.

IZ59250
07300,6X1,760 The ABAP code of the password extension incorrectly cleared all SY fields. This resulted in ABAP error message NUMBER_GET_NEXT AENDBELEG INTERVAL_MISSING. This problem has been corrected.

IZ59472
07280,6X1,760 The adapter no longer returns attributes 'sapUserName' and 'entryDN' during reconciliation. These attributes were resulting in an LDAP schema violation in ITIM server.

Items closed in 5.1.3 version

Items closed in 5.1.1 version

IZ37256
52447,SGC,724 ITIM460: password change to non-unicode SAP

51863,SGC,724 TIM - authorization check on SAP CUA not correct

IZ41724
Always shows "No Message" in most of the cases when requests failed or completed with warning through the SAP adapter. All available SAP ABAP errors and warnings resulting from provisioning operations are now returned to ITIM.

IZ41550
Reassign or remove HR personnel number not working correctly.

IZ41229
Recon with filter doesn't return HR info. Advanced mapping is not working correctly; the default file name is always loaded. When the HR linking extension is enabled, the adapter now correctly returns HR link details for a filtered reconciliation.

IZ43323
User Guide update -- XSL order of CUA. The order of XSL stylesheet mappings has been corrected for the password management extension.

Password is in clear text in logs. This has been corrected.

IZ43747
SAP agent cannot recognize special characters like '&' when creating an account.

Known Issues

CMVC# / APAR# / PMR# / Description

The lock extension features of the adapter return the following warning when deployed and executed against a NON-CUA server. This warning can be ignored: W: CUA configuration is invalid or not defined. Unlock operation will not be propagated to child systems (0) (C:\timsol\cusxsl\tiv_unlock.xsl); SapNWRestore

The Adapter for SAP NetWeaver does not retrieve descriptive text from SAP for most support data classes, e.g. roles and profiles.

Language Attribute under both Communication and Default tabs can be searched only by language key, e.g. EN.

Modifying an account by reassigning a group that has been previously removed from the account is not working correctly. This appears to be a problem with standard SAP functionality.

Invalid email format (described in 4.1.7 Email Address) is not reported as an error during add and modify operations.

It is possible to change attributes on the non-CUA/CUA Master License Data tab only if the attribute "Contractual User Type" (ersapnwlicutype) is supplied in the Add or Modify operation request.

Recon with filter (eruid=*) is case sensitive due to an RMI dispatcher limitation.

If a custom extension XSL file is missing, the operation hangs.

IZ38372
ITIM 4.6: Support data DN gets corrupted when the value has LDAP special characters

After modifying adapter service parameters in the ITIM server, the dispatcher process hosting the adapter must be restarted.

HR Linking ABAP transport imports may report warnings related to ABAP Dictionary Activation. These warnings can be ignored.

Password management ABAP transport imports may report warnings related to ABAP Dictionary Activation. These warnings can be ignored.

The adapter reports error or failure status to ITIM for all provisioning operations if a BAPI/RFC executed during the operation reports an error or failure. There are some cases when a SAP BAPI/RFC reports an error incorrectly although the BAPI/RFC actually executes successfully. One specific example is on user creation. If no user company addresses have been defined in SAP, the BAPI function BAPI_USER_CREATE1 reports an error to the adapter, but actually creates the user account in SAP. When the adapter reports the error to ITIM, the ITIM server will not update the account in its repository, resulting in an inconsistency between ITIM and SAP. The incorrect error status indicator cases are reported to SAP support as they are identified, to be corrected by SAP in support packs. In the meantime, ITIM users should leverage the full or filtered reconciliation features of ITIM to maintain consistency between the ITIM and SAP repositories.

ITIM converts date values to the local time zone of the user. As a result, there can be cases where dates returned from SAP via the adapter to the ITIM server appear to lose or gain a day. This occurs when any account attribute is modified in ITIM. ITIM will perform the time zone conversion as the modified account is being saved back into the ITIM request queue for subsequent provisioning.

Known Limitations for SAP NW adapter

CMVC#

APAR#

PMR# / Description

 

 

Limitations on Switching between Productive (Permanent) and Initial (Temporary) password

 

During modify operation; the existing password of the account will be modified to Productive if "Set Password as Productive" is checked. A modify operation is needed before a password change operation to change the status of “Set Password as Productive” flag. This is a send only attribute. The value of the flag won’t be stored in ITIM/ISIM. 

 

Limitations on support for SAP Productive Passwords

 

1.     SAP versions supported by the adapter require SNC to be enabled to set productive passwords.

2.     In a CUA environment, the adapter cannot set the password to be productive due to a limitation in the SAP interface.

 

 

If using the password extension features of the adapter, the password will always be propagated to CUA child systems assigned to the given user account.

 

 

The password extension features of the adapter are not compatible with SAP Enterprise Portal or UME.

 

 

 

 

The extension features of the adapter are not certified by SAP.

 

 

 

 

In CUA deployments, the adapter must be configured against the CUA master system. All attributes of accounts are managed via the master system. For all attributes except roles and profiles, the adapter will manage and synchronize account attribute state against the CUA master.

 

 

 

 

The Adapter for SAP NetWeaver supports the linking of user account to SAP HR personnel infotype 0105 subtypes 0001 and 0010. When these links are removed, the adapter will delimit the records to today's date. If the personnel number is changed from ITIM for a given user, the adapter will delimit the current 0001 subtype record to yesterday’s date, and assign the 0001 subtype record to the new personnel record with a start date equal to today’s date.

 Note: ABAP extension for HR Linking is no longer supported. 

 

 

 

When assigning a CUA child system to a user account, if the user account has group assignments, and at least one of those groups does not exist on the CUA child, then the account will not be created on the child. This is a limitation with SAP CUA implementation, and is reproducible using the native SAP user management transaction SU01.

 

 

 

 

Country attribute under Person Tab depends on attribute Company from the same tab. After recon value of attribute Country might be changed to correspond to Company address.

 

 

 

 

In CUA environments, when assigning role/profile from master or child systems to user without system assignment, SAP automatically creates an associated CUA system assignment. ITIM will not have visibility of the automatically assigned CUA system assignment until next reconciliation for the user.

 

 

 

 

When performing a filtered reconciliation, the filter value must be defined in uppercase, for example (eruid=USER1). This is due to an inconsistency within the BAPI methods for user management provided by SAP. This limitation affects retrieval of CUA profiles assigned to the requested user account.

The minimum supported version of ITDS is version 6.0. The adapter does not work with earlier versions of ITDS because attributes that are not unique in the first 15 characters of the attribute name cannot be handled correctly.

In CUA environments there is no known method for distinguishing a composite role from a noncomposite role. This means that reconciliation will return all roles from a CUA implementation.

SAP allows different telephone numbers to be set as the "Primary telephone number", such as the Mobile Phone number. During reconciliation, SAP will return the Mobile phone number as the Primary telephone number if a Telephone number has not been defined for an account in SAP.

Role assignment modification does not work when attempting to simultaneously add a directly assigned single role while removing a composite role that also contains that single role. It is recommended to perform this operation as two separate steps: remove the composite role, then add the single role.

SAP 7.3: When the account locking extension attempts to unlock an administrator-locked account on a CUA system, the administrator lock is preserved, but the following warning may be returned: Field GLOBAL_REM of structure SUID_ST_NODE_LOCKDATA cannot be changed in CUA child system

Known Limitations for SAP GRC adapter

CMVC#   APAR#   PMR# / Description

SAP GRC NW adapter - CUA role assignment in GRC: If the role assignment to an account includes roles with the same name for different CUA child systems, only one role is displayed on the request in GRC instead of one role for each CUA child system.

SAP GRC NW adapter - GRC AC data matching: GRC will reject a web services request containing data that does not match data that it expects for particular fields. These fields include: Role name, Function, Company, System Identifier, Employee Type, Priority, Custom Fields. For correct operation of the adapter, ensure that information in GRC matches information in the target SAP NetWeaver system prior to submitting a GRC request from ITIM. Verify that an identical request can be submitted directly from the GRC browser interface.

SAP GRC NW adapter - Test Connection on the service form validates the connection to SAP NetWeaver only; it does not validate the connection to SAP GRC 5.3 or 10.0. This limitation exists because interaction with GRC is done through web service calls instead of through TDI.

Multi Byte Character Support Limitations

All character data transferred between the ITIM Server, the adapter and the SAP ABAP server is encoded as UTF-8. The adapter supports provisioning of multi-byte characters to and from a directly connected SAP ABAP Unicode server. Provisioning of ASCII characters is supported for non-Unicode SAP ABAP servers. The adapter does not support provisioning of multi-byte characters to any non-Unicode ABAP server. Extended ASCII characters are not tested or supported for non-Unicode SAP ABAP servers.

Non Transactional Provisioning

The adapter does not execute provisioning operations within a transactional context. Some provisioning operations require multiple steps to be executed against the SAP server. As a consequence, errors or warnings that occur after the first step may leave a provisioning operation partially complete. One way to handle this limitation is to use the ITIM workflow features to execute compensating actions, for example, issuing a filtered reconciliation for the given user account to synchronize the account state between ITIM and the target server.

Enable Deactivated Password on Modify Limitation

The "Deactivate password" attribute is supported by both the Add and Modify operations. Enabling this attribute on the account form causes the password for an account to be deactivated in SAP. However, disabling the "Deactivate password" flag is NOT supported in the Modify operation: the adapter does not enable the password for an account when the "Deactivate password" flag is unchecked on a Modify operation. To re-enable a deactivated password for an account, a request to change the password for the account must be made instead. The state of the "Deactivate password" flag in ITIM is not synchronized until a reconciliation is performed.

Extension Functions Removed From Adapter Package

Previous versions of the adapter included optional ABAP extension functions for HR Linking, Account Locking, and Productive Password setting and synchronization. These extensions are not part of the supported SAP NetWeaver Adapter. Unsupported source code sample versions of the extensions are included in the adapter package under the "samples" directory.

Note: ABAP extension for HR Linking is no longer supported.

Installation and Configuration Notes

See the IBM Tivoli Identity Manager Adapter Installation Guide for detailed instructions.

Corrections to Installation Guide

SAPNW install guide corrections:

The following corrections to the install guide apply to this release.

RFE: 56603 (30577) Support for JCo 3.0.11 and JCo 3.0.12:

The adapter now supports JCo 3.0.11 and JCo 3.0.12. Wherever the install guide refers to JCo 3.0.9, read it as JCo 3.0.9, JCo 3.0.11 or JCo 3.0.12.

RFE: 30827 (17639) Need SAP adapter to support the choice between permanent and temp passwords & 44533 (26530) ISIM - SAP Adapter Force Password change on first Login:

Add the following information to Chapter 4. Configuring the Adapter for SAP NetWeaver, section "Adapter attributes and object classes" of the install guide under "Supported account attributes".

Tivoli Identity Manager Name: Set Password as Productive
Attribute Name: ersapnwprodpwdflag
Description: This send-only flag changes the Initial password to a Productive password. See the "Special Attributes" section for more details.
Data Type: True or False

Add the following information to Chapter 4. Configuring the Adapter for SAP NetWeaver, section "Special Attributes" of the install guide after the details of "CUA License Data".

Set Password as Productive

The "Set Password as Productive" attribute is supported by both the Add and Modify operations. Select this attribute to make the existing password Productive (permanent); otherwise the password is Initial (temporary). Because this attribute is on the account form, to choose between a productive and an initial password for a Password change operation, a Modify operation that sets this flag must be performed before the Password change operation.

Note: This is a send-only attribute; the value of the flag is not stored in ITIM/ISIM.

RFE: 29172 (16477) Additional provisioning attributes in SAP Adapters (Full Name)

Add the following information to Chapter 4. Configuring the Adapter for SAP NetWeaver, section "Adapter attributes and object classes" of the install guide under "Supported account attributes".

Tivoli Identity Manager Name: Full Name
Attribute Name: ersapnwfullname
Description: Full name. See the "Special Attributes" section for more details.
Data Type: String

Add the following information to Chapter 4. Configuring the Adapter for SAP NetWeaver, section "Special Attributes" of the install guide after the details of "Set Password as Productive".

Full Name

Pass the user's full name in this attribute. The full name is reflected in NetWeaver in the FORMAT attribute (in SU01) for any value passed except blank spaces. If a blank space or no value is passed, the FORMAT attribute (in SU01) holds the combination of the First Name and Last Name in the NetWeaver account.

RFE: 41916 (24746) SAP NW adapter 6.0.14 supports Type B (Load balancing) connection:

1. Add the following information to Chapter 3. SAP NetWeaver Adapter installation, section "Creating an SAP NetWeaver Adapter service" of the install guide, under the "Optional RFC Connection Parameters" service form attribute on the "SAP CONNECTION DETAILS TAB":

SAP NW adapter 5.1.14 supports Type B (Load balancing) connection:

The mandatory attributes for a Type B connection are client, user, passwd, lang, type, mshost, r3name and group.

To establish a Type B (Load Balancing) connection, add the following value under "Optional RFC Connection Parameters":

type=B|mshost=<Message Server Name>|r3name=<SYSTEM ID>|group=<Name of SAP application server group>

For example, suppose the message server name is SAPPR0, the system ID is PR0 and the group is SPACE; then add the following to the "Optional RFC Connection Parameters" attribute:

type=B|mshost=SAPPR0|r3name=PR0|group=SPACE

Note: Because of the dispatcher behavior, the dispatcher must be restarted after each change to the "Optional RFC Connection Parameters" field.

Note: To establish a Type B connection, enable RFC load balancing in the SAP system.

2. In Chapter 3. Installing the Adapter for SAP NetWeaver, section "Creating an Adapter for SAP NetWeaver service" of the install guide, under "SAP CONNECTION DETAILS TAB", replace the description of the following attribute with:

SAP Logon Language

The ISO language identifier to be used by the adapter. This is mandatory if no value is supplied for Optional RFC Connection Parameters.

Enabling JCo Trace

Add the following information to Chapter 3. SAP NetWeaver Adapter installation, section "Installation procedure" of the install guide under "Installing the SAP Java Connector (JCo)".

Steps to Enable JCo Trace:

To enable JCo trace, follow these steps.

1. Navigate to the Tivoli Directory Integrator adapters solution directory (ITDI_HOME\timsol).

2. Open the ibmdiservice.props file in an editor.

3. Edit the following property:

· For Windows operating systems

jvmcmdoptions=-Djco.trace_level=10 -Djco.trace_path=E:\jco_trace\ -Djco.rfc=1

Where:

-Djco.trace_level=N (where 0 <= N <= 10, with 10 being the most detailed trace)

-Djco.trace_path=<PATH>

If a trace path is set, the JCo traces are written to one or more files named JCO<date>_<time>.<no>.trc in the specified PATH directory. Otherwise, the JCo traces are written to the standard output stream (by default, the console).

Note: The jco_trace directory must exist.

-Djco.jrfc=1

Note that in this case all connections are traced, so this should be used only as a last resort.

· For UNIX or Linux operating systems

-Djco.trace_level=10 -Djco.trace_path=/opt/jco_trace/ -Djco.rfc=1

Where:

-Djco.trace_level=N

The trace level N ranges from 0 to 10, with 10 being the most detailed trace.

-Djco.trace_path=<PATH>

If a trace path is set, the JCo traces are written to one or more files named JCO<date>_<time>.<no>.trc in the specified PATH directory. Otherwise, the JCo traces are written to the standard output stream, which by default is the console.

Note: The jco_trace directory must be available.

-Djco.jrfc=1

If set to 1, JCo trace is enabled for all connections. This configuration should be the last resort.

For example:

"%TDI_JAVA_PROGRAM%" -Xdebug -Xnoagent -Djava.compiler=NONE -Djco.trace_level=10 -Djco.trace_path=/opt/jco_trace/ -Djco.rfc=1 -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5555 -classpath "%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% com.ibm.di.loader.ServerLauncher %* set RC=%ERRORLEVEL%

4. Save your changes.

5. Restart the RMI dispatcher service.

IV44432: Changed the optional RFC parameter delimiter from space to "|" to support spaces in certificate DNs and similar values.

Reference: Page 18, the "Optional RFC Connection Parameters" paragraph is replaced with:

Optional RFC Connection Parameters

This attribute allows alternative SAP connectivity parameters to be specified. The value is a formatted string of name-value pairs. Each pair must be separated by a single pipe "|" character. The name parts must be in lower-case characters. The general format of the value of this attribute is as follows:

<name 1>=<value 1>|<name 2>=<value 2>|...|<name N>=<value N>

For example, the following string value sets the SAP Message Server to messageserver.com with System ID PR0 and Group SPACE:

mshost=messageserver.com|r3name=PR0|group=SPACE

INT89710: User modify removed all ersapgroup values.

Reference: Page 24, under "MODIFY ADVANCED MAPPING TAB", the following paragraphs are replaced with:

Modify User Basic Lookup Request Stylesheet

This is a single-valued attribute. The value is the file name of an XSL transformation that produces an RFC request. The adapter executes the RFC request to determine whether the account to be modified is present. If a value is supplied, the transformation is executed regardless of the CUA status of the target SAP system. If CUA is used, the following additional XSL mappings are required:

xsl/sbu_getdetail_precall.xsl xsl/sbu_locactgroups_read_precall.xsl

The value is the name of the XSL file deployed with the adapter, relative to the RMI Dispatcher solution directory. If no value is supplied, the adapter executes the following XSL transformation and resulting RFC call:

xsl/sapnw_bapi_user_getdetail_precall.xsl

Modify User Basic Lookup Response Stylesheet

This is a single-valued attribute. The value is the file name of an XSL transformation that processes the SAP response from the RFC call executed according to the "Modify User Basic Lookup Request Stylesheet" setting above. If a value is supplied, the transformation is executed regardless of the CUA status of the target SAP system. If CUA is used, the following additional XSL mappings are required:

xsl/sbu_getdetail_postcall.xsl xsl/sbu_locactgroups_read_postcall.xsl

The value is the name of the XSL file deployed with the adapter, relative to the RMI Dispatcher solution directory. If no value is supplied, the adapter executes the following XSL transformation and resulting RFC call:

xsl/sapnw_bapi_user_getdetail_postcall.xsl

SAP GRC install guide corrections:

The following corrections to the install guide apply to this release.

34287 (19692): Need the capability to encrypt the passwords in the SAPNotify.props file for the SAP NetWeaver Adapter

Add the following information to Chapter 4. Installing and configuring SAP Governance, Risk and Compliance workflow extensions, in both of the following places:

Section "Installing and configuring the notification component for SAP GRC AC 5.3" of the install guide, between the 7th and 8th steps of "Install the workflow notification component for SAP GRC AC 5.3:"

and

Section "Installing and configuring the notification component for SAP GRC AC 10.0" of the install guide, between the 7th and 8th steps of "Install the SAP GRC AC 10.0 workflow notification component:".

Steps to encrypt the passwords in the SAPNotify.props file:

The values of properties in the SAPNotify.props file are stored in clear text. To make the file more secure, the passwords in it can be encrypted.

Prepend "{protect}" to the property name in the file, as shown below.

{protect}<Property Name>=<Property Value>

For example:

{protect}GRCPassword=Passw0rd

After running the notifier, the property value in the SAPNotify.props file changes as shown below.

{protect}<Property Name>={encr}<Encrypted Property Value>

For example:

{protect}GRCPassword={encr}VsBnPSfYoqpSUidp1v36FkxlPvOSCGxfgvpD

To change the value of a property, delete the encrypted string together with "{encr}" and write the new value in clear text after "=".

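The marker handling described above, as an added example that is not part of the adapter package or the install guide: a Python script that parses a SAPNotify.props-style file, reports which "{protect}" properties still carry a clear-text value (the notifier has not run yet), flags password-like properties that carry no "{protect}" marker at all (that heuristic is this script's assumption, not a rule from the guide), and rewrites a protected entry the way the guide says to when a value must be changed. The file content and every property name other than GRCPassword are constructed; the encryption itself is performed by the notifier and is not reproduced here.

```python
"""Audit {protect}/{encr} markers in a SAPNotify.props-style file.

Added example, not adapter code. A property whose name is prefixed with
"{protect}" is encrypted by the notifier the next time it runs; afterwards the
value starts with "{encr}". This script only inspects that state and prepares
a value for re-entry; it does not implement the notifier's encryption.
"""
import re

PROTECT = "{protect}"
ENCR = "{encr}"

# Constructed sample file content; only GRCPassword is a name from the release notes.
SAMPLE_PROPS = """\
# SAPNotify.props (constructed sample)
GRCHost=grc.example.invalid
GRCUser=notifier
{protect}GRCPassword={encr}VsBnPSfYoqpSUidp1v36FkxlPvOSCGxfgvpD
{protect}SMTPPassword=Passw0rd
MailPassword=Passw0rd
"""

# name=value, first '=' splits; names may carry the {protect} prefix.
_LINE_RE = re.compile(r"^(?P<name>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")

def parse_props(text):
    """Return (name, value) tuples in file order, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("value")))
    return entries

def classify(name, value):
    """Classify one property by its marker state."""
    protected = name.startswith(PROTECT)
    if protected and value.startswith(ENCR):
        return "encrypted"                 # notifier has already run
    if protected:
        return "clear_protected"           # marked, but still waiting for the notifier
    # Heuristic (this script's assumption): a password-like name with no marker
    # will never be encrypted, so it deserves attention.
    if "password" in name.lower() or "passwd" in name.lower():
        return "clear_unprotected_secret"
    return "plain"

def audit(text):
    """Map every property name in the file to its classification."""
    return {name: classify(name, value) for name, value in parse_props(text)}

def findings(text):
    """Sorted names of properties that still hold a secret in clear text."""
    return sorted(n for n, c in audit(text).items()
                  if c in ("clear_protected", "clear_unprotected_secret"))

def reset_protected_value(text, prop_name, new_clear_value):
    """Rewrite '{protect}<prop_name>=...' with a clear-text value for re-encryption.

    Follows the documented procedure: the '{encr}...' string is dropped and the
    new value is written in clear text after '='. Returns the new file text.
    """
    key = PROTECT + prop_name
    out, replaced = [], False
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m and m.group("name") == key:
            out.append(f"{key}={new_clear_value}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        raise KeyError(f"no protected property named {prop_name}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PROPS).items():
        print(f"{name:32} {state}")
    print("needs attention:", findings(SAMPLE_PROPS))
```

Run the audit after the notifier has executed: any "clear_protected" entry means the notifier did not process the file, and any "clear_unprotected_secret" entry is a password that was never marked for encryption.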

INT 10333,756,000: New attribute "Disable SYS line" added to the service form

Add the following information to Chapter 3. Installing the Integration for SAP Governance, Risk and Compliance Access Control, section "Creating a SAP NetWeaver GRC service" of the install guide, before the "GRC Version" service form attribute under "SAP GRC SERVICE ATTRIBUTES TAB".

Disable SYS line

Select this check box if you do not want the system line in the assignment list on the GRC approval screen; clear it if you do.

Installation

HR Linking Extension ABAP Transports

HR Linking is no longer supported, because SAP has stopped providing access to the view for the related BAPI module.

Password Management Extension ABAP Transports

The extension has been designed to propagate a password change from the CUA master to the CUA child systems. Being based on standard SAP functions, all constraints and limitations of the SAP implementation and design are inherited by the adapter. Review the profile parameters for logon and password of your SAP ABAP server to ensure they match and support the password handling expectations of your IdM deployment requirements. Please refer to the following SAP notes for details: 862937, 1301479, 376856, 830493, 991968, 1287410, 1300104. In particular, review the SNC requirement in Note 1287410. In addition, refer to "Known Limitations" for limitations around productive passwords.

The only advanced mapping required for the password extension is "Change Password Advanced Mapping". The mapping is required for CUA deployments only, not for a standalone ABAP server. For CUA deployments, the following advanced mapping should be configured on the adapter service in your ITIM server:

Change Password Basic XSL Stylesheets (Multi-valued): xsl/sapnw_bapi_user_change.xsl xsl/sapnw_tivsecty_distribute_pwd.xsl

The transport files are contained within the transports/password directory of the adapter distribution.

The transport files must be deployed onto the target SAP ABAP systems as follows, in the order specified:

· On the CUA master system:

GC2K900033 {cofiles = K900033.GC2, data = R900033.GC2}

NB: Warnings related to ABAP Dictionary Activation can be ignored.

Account Locking Extension - ABAP Transports

The transport files must be deployed onto the target SAP ABAP systems as follows, in the order specified:

· On all standalone and CUA master and child member systems:

Unicode SAP Systems - TV1K900783 {cofiles = K900783.TV1, data = R900783.TV1}

Non-Unicode SAP Systems - TV2K900313 {cofiles = K900313.TV2, data = R900313.TV2}

NB: Warnings related to ABAP Dictionary Activation can be ignored.

Configuration Notes

RFE: 43484 (25795): Executing multiple BAPI modules with a stateful connection

By default, the JCo 3.x connection between SAP R/3 and ISIM is not stateful. A stateful connection is required for transactional BAPIs. To make the connection stateful across BAPI method executions, add the following tags to the XSL files as your requirement dictates.

To begin a stateful connection, add this tag to your XSL: <CONTEXT_BEGIN> and </CONTEXT_BEGIN>, or <CONTEXT_BEGIN/>

To end a stateful connection, add this tag to your XSL: <CONTEXT_END> and </CONTEXT_END>, or <CONTEXT_END/>

Note: It is not necessary to have both <CONTEXT_BEGIN/> and <CONTEXT_END/> in the same XSL. Nested <CONTEXT_BEGIN/> and <CONTEXT_END/> can also be used, provided the tags are nested correctly; otherwise unexpected results may occur. The stateful connection started by each <CONTEXT_BEGIN/> is ended by its associated <CONTEXT_END/> tag. If a <CONTEXT_BEGIN/> tag has no associated <CONTEXT_END/> tag, the stateful connection is terminated at the end of the JCo connection.

For example:

In sapnw_bapi_charact_create.xsl

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    version="1.0"
    xmlns:xalan="http://xml.apache.org/xslt">
…..
…..
<BAPI_CHARACT_CREATE>
<CONTEXT_BEGIN/>
…..
…..
</BAPI_CHARACT_CREATE>
…..
…..
</xsl:stylesheet>

In sapnw_bapi_transaction_commit.xsl

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    version="1.0"
    xmlns:xalan="http://xml.apache.org/xslt">
…..
…..
<BAPI_TRANSACTION_COMMIT>
…..
…..
<CONTEXT_END/>
</BAPI_TRANSACTION_COMMIT>
…..
…..
</xsl:stylesheet>

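A check for the nesting rule in the note above, as an added example that is not adapter code: the script parses stylesheets in the order the adapter would execute them, counts <CONTEXT_BEGIN/> and <CONTEXT_END/> elements in document order, reports an END that has no open BEGIN (the misnesting case the note warns about), and returns how many contexts are still open at the end (those are closed only when the JCo connection ends). The three stylesheets are constructed stand-ins for sapnw_bapi_charact_create.xsl and sapnw_bapi_transaction_commit.xsl plus one deliberately wrong file; the BAPI element names come from this page, but the parameters inside them are sample content, not the real templates.

```python
"""Check CONTEXT_BEGIN / CONTEXT_END nesting across the XSL files an operation runs.

Added example, not part of the adapter. Stylesheets are walked in execution
order; every CONTEXT_END must close a CONTEXT_BEGIN seen earlier.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for sapnw_bapi_charact_create.xsl (opens a context).
XSL_CREATE = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <BAPI_CHARACT_CREATE>
      <CONTEXT_BEGIN/>
      <CHARACTNAME>ITIM_TEST</CHARACTNAME>
    </BAPI_CHARACT_CREATE>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed stand-in for sapnw_bapi_transaction_commit.xsl (closes it).
XSL_COMMIT = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <BAPI_TRANSACTION_COMMIT>
      <WAIT>X</WAIT>
      <CONTEXT_END/>
    </BAPI_TRANSACTION_COMMIT>
  </xsl:template>
</xsl:stylesheet>
"""

# Deliberately wrong: ends a context that was never begun.
XSL_BAD = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <BAPI_USER_GET_DETAIL>
      <CONTEXT_END/>
    </BAPI_USER_GET_DETAIL>
  </xsl:template>
</xsl:stylesheet>
"""

def context_markers(xsl_text):
    """Yield 'BEGIN' or 'END' for each CONTEXT tag in document order.

    The paired form <CONTEXT_BEGIN>...</CONTEXT_BEGIN> and the self-closing
    form <CONTEXT_BEGIN/> are both one element to the parser, so each counts once.
    """
    root = ET.fromstring(xsl_text)
    for elem in root.iter():
        if elem.tag == "CONTEXT_BEGIN":
            yield "BEGIN"
        elif elem.tag == "CONTEXT_END":
            yield "END"

def check_nesting(stylesheets):
    """Walk (name, xsl_text) pairs in execution order.

    Returns (errors, open_count): errors lists CONTEXT_END markers with no
    matching CONTEXT_BEGIN; open_count is how many contexts remain open.
    """
    depth = 0
    errors = []
    for name, text in stylesheets:
        for marker in context_markers(text):
            if marker == "BEGIN":
                depth += 1
            elif depth == 0:
                errors.append(f"{name}: CONTEXT_END without a preceding CONTEXT_BEGIN")
            else:
                depth -= 1
    return errors, depth

if __name__ == "__main__":
    good = [("sapnw_bapi_charact_create.xsl", XSL_CREATE),
            ("sapnw_bapi_transaction_commit.xsl", XSL_COMMIT)]
    print(check_nesting(good))                    # ([], 0)
    print(check_nesting([("bad.xsl", XSL_BAD)]))  # one error, 0 open
```

To use it against a real deployment, read the stylesheet files from the RMI Dispatcher solution directory in the order the operation's advanced mapping lists them and pass the (name, text) pairs to check_nesting.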

SAP GRC AC 10.0 Priority Customization

SAP GRC AC 10.0 allows priority codes and names to be customized. If the priority codes in SAP GRC AC 10.0 differ from the defaults supported by the adapter (that is, 006=HIGH, 007=LOW, 008=MEDIUM) or the list of priority names has been extended, the ersapgrcpriority element on the IBM Tivoli Identity Manager Adapter for SAP NetWeaver account form must be edited to match the configured priorities. Refer to the Form customization section in the IBM Tivoli Identity Manager Information Center for further information.

Productive Password Support

SAP recently introduced support for productive password changes through the standard BAPI. To allow the adapter to set productive passwords, the following prerequisites must be satisfied:

· SAP AS ABAP uses the SAP Cryptographic Library as its security provider for SNC.

· SAP AS ABAP has been configured to use Secure Network Communication (SNC) for RFC communications.

· The SAP user account used by the adapter to communicate with SAP AS ABAP has authorization for object S_USER_GRP with activity 'PP'.

· The adapter is configured to use SNC for its communication with SAP AS ABAP. Please refer to the "Securing the Adapter to SAP AS ABAP Communication" section for more detail.

For more detail, please refer to SAP Note 1287410.

Securing the Adapter to SAP AS ABAP Communication

This section provides instructions for securing the communication between the adapter and SAP AS ABAP using Secure Network Communication (SNC).

The following instructions are based on the SAP documentation and have been verified against the following versions of SAP.

SAP Release Version   Software Component   Support Package
700                   SAP_BASIS            SAPKB70019
710                   SAP_BASIS            SAPKB71010
730                   SAP_BASIS            SAPKB73000

SAP reserves the right to change the required configuration for subsequent versions and patches, so it is recommended to review the corresponding SAP documentation for SNC, the SAP Cryptographic Library and productive password support in conjunction with the instructions provided below.

Installing SAP Cryptographic Library:

1. Download the SAP Cryptographic Library from the SAP Service Marketplace and extract it to a temporary directory.

2. Copy the library and the command line tool to a local directory on the system hosting the adapter. For example,

Windows:
C:\usr\sap\sapcrypto.dll
C:\usr\sap\sapgenpse.exe

Unix:
/usr/sap/libsapcrypto.so
/usr/sap/sapgenpse

3. Copy the license ticket (ticket) to a subdirectory "sec". For example,

Windows:
C:\usr\sap\sec\ticket

Unix:
/usr/sap/sec/ticket

4. For the user that runs the adapter, set the environment variable SECUDIR to this directory. For example,

Windows:
SECUDIR=C:\usr\sap\sec

Unix:
SECUDIR=/usr/sap/sec

If the user is the SYSTEM user, set SECUDIR as a system variable.

5. Restart the adapter (RMI dispatcher service) so that the new environment variable is accessible to the adapter.

Creating an SNC Personal Security Environment (PSE) for the adapter:

1. Start a command line console and change to the directory containing the sapgenpse tool.

2. Create a PSE for the adapter by running the following command:

sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

where:

-p <PSE_name>: Path and file name for the adapter's PSE
-x <PIN>: PIN that protects the PSE
DN: Distinguished Name for the adapter. The Distinguished Name is used to build the adapter's SNC name and consists of the following elements:

CN = <Common_Name>
OU = <Organizational_Unit>
O = <Organization>
C = <Country>

For example,

sapgenpse get_pse -p adapter.pse -x passw0rd "CN=adapter,OU=IdM,O=IBM,C=US"

3. Use the following command to open the adapter's PSE and create credentials:

sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

where:

-p <PSE_name>: Path and file name for the adapter's PSE
-x <PIN>: PIN that protects the PSE
-O [<NT_Domain>\]<user_ID>: User for which the credentials are created (the user that runs the adapter service). If omitted, the current user.

For example,

sapgenpse seclogin -p adapter.pse -x passw0rd -O SYSTEM

Importing the adapter's public certificate into SAP AS ABAP's PSE:

1. Export the adapter's public certificate by running the following command:

sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]

where:

-o <output_file>: Path and file name for the exported certificate
-p <PSE_name>: Path and file name for the adapter's PSE
-x <PIN>: PIN that protects the PSE

For example,

sapgenpse export_own_cert -o adapter.crt -p adapter.pse -x passw0rd

2. Start Trust Manager from SAP GUI (transaction STRUST).

3. Double-click SAP AS ABAP's SNC PSE under the SNC SAPCryptolib folder.

4. Enter the PIN when prompted.

5. Choose Certificate -> Import from the menu.

6. Enter the path and file name of the adapter's public certificate.

7. Select the Base64 format and choose Enter. The certificate appears in the Certificate section of the Trust Manager screen.

8. Click the Add to Certificate List button to add the certificate to SAP AS ABAP's SNC PSE.

9. Save the data.

Note: To secure multiple SAP systems with a single SNC certificate, repeat steps 2 to 9 for each SAP system, using the same certificate from step 1 when uploading to each system.

Importing SAP AS ABAP's public certificate into the adapter's PSE:

1. In Trust Manager, select SAP AS ABAP's SNC PSE.

2. Double-click the certificate shown in the Owner field.

3. Choose Certificate -> Export from the menu.

4. Enter the path and file name where you want to save the file (use a different file name for each SAP system), select the Base64 format and choose Enter.

5. Copy the exported certificate to the system hosting the adapter.

6. On the adapter system, run the following command to import SAP AS ABAP's public certificate into the adapter's PSE:

sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]

where:

-a <cert_file>: Path and file name of SAP AS ABAP's public certificate
-p <PSE_name>: Path and file name for the adapter's PSE
-x <PIN>: PIN that protects the PSE

For example,

sapgenpse maintain_pk -a sap.crt -p adapter.pse

7. Run the following command to display the details of all certificates held in the PSE file:

sapgenpse maintain_pk -l -p <PSE_name> [-x <PIN>]

where:

-p <PSE_name>: Path and file name for the adapter's PSE
-x <PIN>: PIN that protects the PSE

For example,

sapgenpse maintain_pk -l -p adapter.pse

Note: To secure multiple SAP systems with a single SNC certificate, repeat steps 1 to 6 for each SAP system. Run step 6 once for each certificate file exported from a different SAP system, so that each one is added to the existing PSE file.

Allowing the adapter's user account to connect to SAP AS ABAP using SNC:

1. Start Table Maintenance from SAP GUI (transaction SM30).

2. Maintain the table USRACLEXT.

3. Choose New Entries.

4. Enter the following data in the corresponding fields:

User: User that the adapter uses to connect to SAP AS ABAP.
Sequence Number: Enter "000" unless the user has more than one SNC name.
SNC Name: DN associated with the adapter's PSE, e.g. "p:CN=adapter,OU=IdM,O=IBM,C=US"

5. Save the data.

Note: To secure multiple SAP systems with a single SNC certificate, repeat steps 1 to 5 for each SAP system.

Setting Optional RFC Connection Parameters for the Adapter:

For the adapter to use SNC for communicating with SAP AS ABAP, the following parameters must be added to the "Optional RFC Connection Parameters" field in the service form, separated by the pipe "|" delimiter:

snc_mode=1|snc_partnername=<as_abap_snc_name>|snc_qop=3|snc_myname=<adapter_snc_name>|snc_lib=<path_to_snc_lib>

where

snc_mode: SNC activation indicator. 0 = SNC disabled, 1 = SNC activated.

snc_partnername: SNC name of the communication partner (SAP AS ABAP)

snc_qop: Quality of protection level. 1 = Secure authentication only, 2 = Data integrity protection, 3 = Data privacy protection, 9 = Use the value from "snc/data_protection/max"

snc_myname: adapter's SNC name

snc_lib: Path and file name of the SAP Cryptographic Library

For example,

snc_mode=1|snc_partnername=p:CN=GC8,OU=IdM,O=IBM,C=US|snc_qop=3|snc_myname=p:CN=adapter,OU=IdM,O=IBM,C=US|snc_lib=C:/usr/sap/sapcrypto.dll

Note: To secure multiple SAP systems with a single SNC certificate, pass the same path value in "snc_lib=" in the service forms of all the SAP systems.

These parameters directly correspond to the SAP JCo properties for SNC, except that they do not carry the "jco.client." prefix. The adapter automatically prepends the string "jco.client." before passing these parameters to SAP JCo.

For more information about the SNC parameters, see http://help.sap.com/saphelp_nw70/helpdata/en/d9/e8a740bbaa4d8f8bee6f7b173bd99f/frameset.htm in the SAP Help Portal.

Verification steps for SNC setup:

1. Verify that the following files are present in the respective folders of the client system on which TDI is running.

a. \usr\sap
   i. sapcrypto.dll
   ii. sapgenpse.exe
   iii. local certificate
   iv. Server certificate

b. \usr\sap\sec
   i. adapter.pse
   ii. cred_v2
   iii. ticket

2. Make sure that all the files taken from the SAP cryptolibrary packages are unused.

3. The sapcrypto.dll must be a valid Win32 file.

4. Verify the correctness of the certificate entries in the PSE file using the following command:

sapgenpse maintain_pk -l -p <PSE_name> [-x <PIN>]

5. The entry in the USRACLEXT table (transaction SM30):
a. Must start with "p:".
b. Must contain the details of the local certificate.
c. Must not have any space after a comma ",".
d. The canonical name must be determined.

6. Make sure that, while downloading the server certificate, the server certificate name was selected in STRUST (transaction).

7. Each parameter in "Optional RFC parameter":
a. Must be separated using a pipe "|".
b. Must not have any space after a comma ",".

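A pre-flight validator for the "Optional RFC Connection Parameters" string, as an added example that is not adapter code, serving the Type B load-balancing entry (RFE 41916), the pipe-delimited format under IV44432, the SNC parameters above and verification step 7. It applies only rules stated on this page: pairs separated by "|", lower-case names, mshost/r3name/group required for type=B, the full snc_* set required once snc_mode=1, snc_qop limited to 1, 2, 3 or 9, SNC names of the form p:CN=...,OU=...,O=...,C=... with no space after commas, and the jco.client. prefix the adapter prepends. Treating client, user, passwd and lang as supplied by other service form fields, and the detection of a leftover space-delimited value, are this script's assumptions; the host names, SIDs and DNs are the placeholders used in this page's own examples.

```python
"""Pre-flight checks for the "Optional RFC Connection Parameters" service form field.

Added example, not adapter code. Each rule applied here is one stated in these
release notes; see the comments. Hosts, SIDs and DNs are placeholders.
"""
import re

TYPE_B_REQUIRED = ("mshost", "r3name", "group")      # RFE 41916: load-balancing entry
SNC_REQUIRED = ("snc_partnername", "snc_qop", "snc_myname", "snc_lib")
SNC_QOP_VALUES = {"1", "2", "3", "9"}                # 1=auth, 2=integrity, 3=privacy, 9=server max
# SNC names start with "p:" and carry a DN with no space after commas (verification 5a, 5c, 7b).
SNC_NAME_RE = re.compile(r"^p:CN=[^,\s]+(,(OU|O|C)=[^,\s]+)*$")

def parse_optional_rfc(value):
    """Split 'name=value|name=value' into a dict (IV44432 format); raise ValueError if malformed."""
    params = {}
    for token in value.split("|"):
        if "=" not in token:
            raise ValueError(f"pair without '=': {token!r}; pairs must be separated by '|'")
        name, val = token.split("=", 1)          # DN values contain '=' themselves
        name = name.strip()
        if name != name.lower():
            raise ValueError(f"parameter name must be lower case: {name!r}")
        if name in params:
            raise ValueError(f"duplicate parameter: {name!r}")
        params[name] = val
    return params

def validate(params):
    """Return a list of problems; an empty list means every check on this page passes."""
    problems = []
    # Assumption of this script: a value holding ' name=' is a leftover of the old
    # space delimiter that IV44432 replaced with '|'.
    for name, val in params.items():
        if re.search(r"\s[a-z0-9_]+=", val):
            problems.append(f"{name}: value looks like space-delimited pairs; use '|' between pairs")
    # Type B: the page lists client, user, passwd, lang, type, mshost, r3name, group as
    # mandatory; this script assumes the first four come from other service form fields.
    if params.get("type", "").upper() == "B":
        for name in TYPE_B_REQUIRED:
            if not params.get(name):
                problems.append(f"type=B requires {name}")
    snc_mode = params.get("snc_mode")
    if snc_mode == "1":
        for name in SNC_REQUIRED:
            if not params.get(name):
                problems.append(f"snc_mode=1 requires {name}")
        if params.get("snc_qop") and params["snc_qop"] not in SNC_QOP_VALUES:
            problems.append(f"snc_qop must be one of {sorted(SNC_QOP_VALUES)}")
        for name in ("snc_partnername", "snc_myname"):
            if params.get(name) and not SNC_NAME_RE.match(params[name]):
                problems.append(f"{name} must be p:CN=...,OU=...,O=...,C=... with no space after commas")
    elif snc_mode not in (None, "0"):
        problems.append("snc_mode must be 0 (disabled) or 1 (activated)")
    return problems

def to_jco_properties(params):
    """Prepend 'jco.client.' to each name, as the page says the adapter does before calling JCo."""
    return {f"jco.client.{name}": val for name, val in params.items()}

def check(value):
    """Parse and validate in one call; returns (problems, jco_properties)."""
    params = parse_optional_rfc(value)
    return validate(params), to_jco_properties(params)

# Constructed sample strings built from the placeholders used in this page's examples.
SNC_OK = ("snc_mode=1|snc_partnername=p:CN=GC8,OU=IdM,O=IBM,C=US|snc_qop=3"
          "|snc_myname=p:CN=adapter,OU=IdM,O=IBM,C=US|snc_lib=C:/usr/sap/sapcrypto.dll")
TYPE_B_OK = "type=B|mshost=SAPPR0|r3name=PR0|group=SPACE"
# Missing group, snc_qop out of range, and a space after a comma in the partner DN.
BAD = ("type=B|mshost=SAPPR0|r3name=PR0|snc_mode=1|snc_partnername=p:CN=GC8, OU=IdM"
       "|snc_qop=7|snc_myname=p:CN=adapter|snc_lib=/usr/sap/libsapcrypto.so")

if __name__ == "__main__":
    for label, value in (("SNC", SNC_OK), ("Type B", TYPE_B_OK), ("bad", BAD)):
        problems, _ = check(value)
        print(f"{label}: {problems or 'OK'}")
```

Run check() on the exact string you intend to paste into the service form; because the dispatcher must be restarted after every change to this field, catching a malformed SNC name or a missing Type B parameter here saves a restart cycle, and a rejected SNC string is the difference between an encrypted RFC session and a failed (or, with snc_mode unset, unprotected) one.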

SAP NW Recon operation performance improvement

 

In order to improve the performance for SAP NW recon operation, try the following JAVA settings

 

1. Look for jaxp.properties in the JAVA_HOME/lib directory of the JVM that runs TDI.

The file is shipped as jaxp.properties.sample. Rename it to jaxp.properties and uncomment the following properties in it. Note that jaxp.properties applies to every application started from that JVM, not only to TDI, so make the change on the TDI JVM only.

 

        javax.xml.transform.TransformerFactory=com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpl

        javax.xml.xpath.XPathFactory=org.apache.xpath.jaxp.XPathFactoryImpl

        javax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl

        javax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

 

 

Check the performance of the recon operation.

 

If that does not improve the recon time, try the second option.

 

2. Set the following system property, on a single line, in the environment of the TDI JVM:

export IBM_JAVA_OPTIONS=-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl

 

Check the performance of the recon operation.
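As an added helper (not part of the adapter or of the IBM JDK), the Python below carries out option 1 on a copy of jaxp.properties.sample and then checks which of the four factories are actually active in the resulting file. It copies the sample instead of renaming it so the original survives for rollback, which deviates from the step as written; the sample file contents are constructed for the demonstration, and IBM_JAVA_OPTIONS_OPTION2 is option 2 as a single-line value.

```python
"""Helper for the jaxp.properties tuning step in this release note.

Added example, not part of the adapter or the IBM JDK: it enables the four
factory properties listed above in JAVA_HOME/lib/jaxp.properties and reports
which of them are active. The sample file content at the bottom is
constructed; a real jaxp.properties.sample may carry other commented entries.
"""
import os
import shutil

# The four properties the release note tells you to uncomment (option 1).
RECON_FACTORIES = {
    "javax.xml.transform.TransformerFactory":
        "com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpl",
    "javax.xml.xpath.XPathFactory": "org.apache.xpath.jaxp.XPathFactoryImpl",
    "javax.xml.parsers.SAXParserFactory":
        "org.apache.xerces.jaxp.SAXParserFactoryImpl",
    "javax.xml.parsers.DocumentBuilderFactory":
        "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl",
}

# Option 2 from the release note as the single-line value IBM_JAVA_OPTIONS needs.
IBM_JAVA_OPTIONS_OPTION2 = (
    "-Djavax.xml.transform.TransformerFactory="
    "org.apache.xalan.processor.TransformerFactoryImpl"
)


def active_properties(text):
    """Parse Java .properties text and return only the active (uncommented)
    key/value pairs. Lines starting with '#' or '!' are comments; '=' or ':'
    separates key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, val = line.partition(sep)
                props[key.strip()] = val.strip()
                break
    return props


def enable_recon_factories(text):
    """Return the text with the four RECON_FACTORIES entries active.
    Any line (commented or not) whose key matches is rewritten with the listed
    value; a key absent from the file is appended, so the result always has
    all four active. Other lines are left untouched."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        body = line.lstrip("#! ").strip() if line and line[0] in "#!" else line
        key = body.partition("=")[0].strip() if "=" in body else None
        if key in RECON_FACTORIES and key not in seen:
            out.append("%s=%s" % (key, RECON_FACTORIES[key]))
            seen.add(key)
        else:
            out.append(raw)
    for key, val in RECON_FACTORIES.items():
        if key not in seen:
            out.append("%s=%s" % (key, val))
    return "\n".join(out) + "\n"


def missing_recon_factories(text):
    """Keys from RECON_FACTORIES that are not active with the expected value."""
    active = active_properties(text)
    return sorted(k for k, v in RECON_FACTORIES.items() if active.get(k) != v)


def apply_to_java_home(java_home):
    """File step: copy jaxp.properties.sample to jaxp.properties if the latter
    does not exist yet, enable the four properties, and return the keys still
    missing afterwards (an empty list means the tuning is in place)."""
    lib = os.path.join(java_home, "lib")
    target = os.path.join(lib, "jaxp.properties")
    if not os.path.exists(target):
        shutil.copyfile(os.path.join(lib, "jaxp.properties.sample"), target)
    with open(target) as fh:
        text = fh.read()
    with open(target, "w") as fh:
        fh.write(enable_recon_factories(text))
    with open(target) as fh:
        return missing_recon_factories(fh.read())


# Constructed stand-in for jaxp.properties.sample with the entries commented out.
SAMPLE_JAXP = """\
# jaxp.properties.sample (constructed for this example)
#javax.xml.transform.TransformerFactory=com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpl
#javax.xml.xpath.XPathFactory=org.apache.xpath.jaxp.XPathFactoryImpl
#javax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
#javax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
"""

if __name__ == "__main__":
    print("missing before:", missing_recon_factories(SAMPLE_JAXP))
    print("missing after: ", missing_recon_factories(enable_recon_factories(SAMPLE_JAXP)))
```

Because these properties change the XML parser and XSLT engine for the whole JVM, keep the edited jaxp.properties under change control and diff it against the sample after any JDK fix pack, since a JDK update may ship a new jaxp.properties.sample.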

 

For more details about these settings, refer to the following sites:

 

http://xalan.apache.org/xalan-j/usagepatterns.html

http://www-03.ibm.com/systems/z/os/zos/tools/xml/perform/performjava.html

http://publib.boulder.ibm.com/infocenter/javasdk/v1r4m2/index.jsp?topic=%2Fcom.ibm.java.doc.user.aix64.142%2Fhtml%2Fsdkguide.aix64.htm

 

Customizing or Extending Adapter Features

The Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

·         IBM Tivoli Identity Manager administration

·         Tivoli Directory Integrator management

·         Tivoli Directory Integrator AssemblyLine development

·         LDAP schema management

·         Working knowledge of JavaScript (the scripting language used in Tivoli Directory Integrator AssemblyLines)

·         Working knowledge of LDAP object classes and attributes

·         Working knowledge of XML document structure

Note: If the customization requires a new Tivoli Directory Integrator connector, the developer must also be familiar with Tivoli Directory Integrator connector development and have a working knowledge of the Java programming language.

IBM Tivoli Identity Manager Resources:

            Check the "Training" section of the IBM Tivoli Identity Manager Support web site for links to training, publications, and demos.

Tivoli Directory Integrator Resources:

            Check the "Training" section of the Tivoli Directory Integrator Support web site for links to training, publications, and demos.

Support for Customized Adapters

The integration with the Identity Manager server (the "adapter framework") is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be reproduced on the GA version of the adapter before a PMR is opened.

 

Supported Configurations

Installation Platform

The IBM Tivoli Identity Manager Adapter was built and tested on the following product versions.

Adapter Installation Platform: 

·         Tivoli Directory Integrator 7.0 with Fix Pack 6 (non-AIX platforms only)

·         Tivoli Directory Integrator 7.1 with Fix Pack 5 or higher (non-AIX platforms)

·         IBM Tivoli Directory Integrator v7.1 with Fix Pack 5 or higher (AIX platforms) - supported with the following tech note update: http://www-01.ibm.com/support/docview.wss?uid=swg21578565

·         Tivoli Directory Integrator 7.1.1 with Fix Pack 2 or higher

Managed Resource:

The following SAP ABAP Basis versions, running anywhere on the network, are supported:

·         SAP 700 (NetWeaver 2004s)

·         SAP 710

·         SAP 730 (see the "Limitations on support for SAP Productive Passwords" topic in the "Known Issues" section of this document for important functional restrictions)

·         SAP 740

The adapter supports SAP CUA environments. If CUA is configured the adapter must be deployed against the central CUA master system.

Refer to section "Multi Byte Character Support Limitations" above regarding unicode support limitations.

SAP PATCHES:

The following minimum patch levels, by SAP release version, are required:

SAP Release    Software Component    Support Package

700            SAP_BASIS             SAPKB70026

701            SAP_BASIS             SAPKB70111

702            SAP_BASIS             SAPKB70210

710            SAP_BASIS             SAPKB71014

730            SAP_BASIS             SAPKB73007

731            SAP_BASIS             SAPKB73102

 

In addition, the SAP system must be patched with the corrections from SAP Notes 992375, 994415, 1101858 and 1636845.

IBM Tivoli Identity Manager:

·         Identity Manager v5.1

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, IBM logo, AIX, DB2, Domino, Lotus, Tivoli, Tivoli logo, Universal Database, WebSphere, i5/OS, RACF.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Other company, product, and service names may be trademarks or service marks of others.