Tivoli® Identity Manager
Version 4.6

Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide

SC32-1194-11


Note Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 71

Eleventh Edition (November, 2006) This edition applies to version 4.6.6 of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous editions. © Copyright International Business Machines Corporation 2004, 2005, 2006. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface  v
  Who should read this book  v
  Publications and related information  v
    Tivoli Identity Manager library  v
    Prerequisite Product Publications  vii
    Related Publications  viii
    Accessing publications online  viii
  Accessibility  viii
  Support information  ix
  Conventions used in this book  ix
    Typeface conventions  ix
    Operating system differences  ix
    Definitions for HOME directory variables  x

Chapter 1. Overview  1

Chapter 2. Adapter Installation  3
  Requirements  3
  Step 1: Testing Network Connectivity  8
  Step 2: Installing the Adapter  9
  Step 3: Importing the Transport Files  11
  Step 4: Activating the Adapter as a Service  13
  Step 5: Configuring the Adapter  13
  Step 6: Installing the Adapter's Certificate  13
  Step 7: Installing the Adapter's Profile  13
  Step 8: Configuring the Adapter's Forms  14

Chapter 3. Adapter Profile Installation  17
  Introduction  17
  Requirements  17
  Installing the Adapter Profile  17
  Verifying the Adapter Profile is Installed  18

Chapter 4. Adapter Parameters Modification  19
  Accessing the Adapter Configuration Tool Main Menu  19
  Viewing Configuration Settings  20
  Changing Protocol Configuration Settings  21
    Adding a Protocol  21
    Removing a Protocol  21
    Configuring a Protocol  22
  Setting Event Notification  24
    Setting Attributes to be Reconciled  26
    Modifying an Event Notification Context  27
  Changing the Configuration Key  28
  Changing Activity Logging Settings  28
  Changing Registry Settings  30
    Modifying Non-encrypted Registry Settings  31
    Modifying Encrypted Registry Settings  31
    Multi-instance Settings  32
  Changing Advanced Settings  32
  Viewing Statistics  33
  Changing code page settings  34
  Accessing Help and Additional Options  34

Chapter 5. Certificate Installation  37
  Introduction  37
  Overview of SSL and Digital Certificates  37
  Basic Configuration for Server-to-Adapter SSL  38
  Clustered Tivoli Identity Manager Configuration  39
  Accessing the Certificate Configuration Tool Main Menu  39
  Generating a Private Key and Certificate Request  41
    Example of Certificate Request Script  42
    Example of request.pem File  42
  Installing the Certificate from a File  42
  Installing the Certificate and Key from a PKCS12 File  43
  Viewing Installed Certificates  43
  Viewing CA Certificates  43
  Installing a CA Certificate  44
  Deleting a CA Certificate  44
  Viewing Registered Certificates  44
  Registering a Certificate  44
  Unregistering a Certificate  45
  Exporting a certificate and key to PKCS12 file  45

Appendix A. Adapter Variables  47
  Variable Descriptions  47
  Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions  53
    System Login Add  53
    System Login Change  54
    System Login Delete  54
    System Login Suspend  55
    System Login Restore  55
    Reconciliation  56

Appendix B. SAP Account Requirements  59
  SAP Objects  59
  SAP User  59

Appendix C. Additional Installation Options  63
  Installation Options  63
  Setup Arguments  63
  Adapter Removal  63

Appendix D. Example Deployment Scenarios  65
  Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking  65
  Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking  66

Appendix E. Support information  67
  Searching knowledge bases  67
    Search the information center on your local system or network  67
    Search the Internet  67
  Contacting IBM Software Support  67
    Determine the business impact of your problem  68
    Describe your problem and gather background information  69
    Submit your problem to IBM Software Support  69

Appendix F. Notices  71
  Trademarks  72

Preface The IBM® Tivoli® Identity Manager Adapter for SAP® NetWeaver AS ABAP® enables connectivity between the Tivoli Identity Manager Server and a network of systems running SAP NetWeaver AS ABAP. This document describes the procedural steps that are required to install and configure the adapter. This document assumes that both Tivoli Identity Manager and SAP NetWeaver AS ABAP are installed, configured and running on your network. No details are provided regarding the installation and configuration of these products, except where necessary to achieve integration.

Who should read this book This manual is intended for security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand security administration concepts. The person completing the installation procedure should also be familiar with their site’s system standards. Readers should be able to perform routine security administration tasks.

Publications and related information Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite Product Publications” on page vii and the “Related Publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
v Release information
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration

Release Information:
v IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
v IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.

Online user assistance:
Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager. Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
v IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
v Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to Other resources, and click the link for the current inventory of adapters.

Skills and training:
The following additional skills and technical training information were available at the time that this manual was published:
v Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
v Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
v Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite Product Publications To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:
v Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
v Database servers
  – IBM DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
v Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
v WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
v WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related Publications Information that is related to Tivoli Identity Manager Server is available in the following publications: v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/ v The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library. Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Accessibility The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: v Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information. v Obtaining fixes: You can locate the latest fixes that are already available for your product. v Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support. For more information about these ways to resolve problems, see Appendix E, “Support information,” on page 67.

Conventions used in this book This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions This guide uses the following typeface conventions:

Bold
v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text

Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide

Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options

Operating system differences This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME directory variables The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table. The value of path for the Windows operating system is drive:\Program Files. The value of path for the AIX operating system is /usr. The value of path is /opt for other UNIX and Linux operating systems.

Path Variable: DB_INSTANCE_HOME
  Default Definition:
    Windows: path\IBM\SQLLIB
    UNIX and Linux:
      AIX, Linux: /home/dbinstancename
      Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for Tivoli Identity Manager.

Path Variable: LDAP_HOME
  Default Definition:
    IBM Directory Server: Windows: path\IBM\LDAP; UNIX: path/IBM/LDAP
    Sun ONE Directory Server: Windows: path\Sun\MPS; UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

Path Variable: HTTP_HOME
  Default Definition: Windows: path\IBMHttpServer; UNIX and Linux: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

Path Variable: ITIM_HOME
  Default Definition: Windows: path\IBM\itim; UNIX and Linux: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path Variable: WAS_HOME
  Default Definition: Windows: path\WebSphere\AppServer; UNIX and Linux: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

Path Variable: WAS_MQ_HOME
  Default Definition: Windows: path\IBM\WebSphereMQ; UNIX and Linux: path/mqm
  Description: The directory that contains the WebSphere MQ code.

Path Variable: WAS_NDM_HOME
  Default Definition: Windows: path\WebSphere\DeploymentManager; UNIX and Linux: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager.

Path Variable: Tivoli_Common_Directory
  Default Definition: Windows: path\IBM\Tivoli\Common\CTGIM; UNIX and Linux: path/IBM/Tivoli/Common/CTGIM
  Description: The central location for all serviceability-related files, such as logs and first-failure capture data.

Chapter 1. Overview This installation guide provides all of the basic information necessary to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. On successful installation, the adapter enables IBM Tivoli Identity Manager to provision access to your network's SAP NetWeaver AS ABAP resources. The basic procedures required to install, configure, and run the adapter are as follows:
v Install the adapter software.
v Activate the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP as a service on the adapter's system.
v Configure the adapter's communication protocols to enable the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP to communicate with the Tivoli Identity Manager Server.
v Install the adapter's profile on the Tivoli Identity Manager Server.
v Configure the Tivoli Identity Manager Server to recognize the adapter as a service.


Chapter 2. Adapter Installation This chapter describes the steps required to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP software. You must complete the steps in the order they are listed. This chapter has the following sections:
v "Requirements"
v "Step 1: Testing Network Connectivity" on page 8
v "Step 2: Installing the Adapter" on page 9
v "Step 3: Importing the Transport Files" on page 11
v "Step 4: Activating the Adapter as a Service" on page 13
v "Step 5: Configuring the Adapter" on page 13
v "Step 6: Installing the Adapter's Certificate" on page 13
v "Step 7: Installing the Adapter's Profile" on page 13
v "Step 8: Configuring the Adapter's Forms" on page 14

Requirements The following sections identify the hardware, software, and authorization requirements for installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Verify that all of the requirements have been met before installing the adapter.

System The adapter must be installed on a server with a 32-bit x86-based microprocessor (486 minimum), at least 512 MB of memory, and at least 300 MB of free disk space.

Operating System
v Windows NT 4.0 with SP6 or Windows 2000 Workstation with SP2
v Solaris version 2.8
v AIX 5.x

SAP NetWeaver AS ABAP Software SAP 4.6C, 4.6D, 6.10, 6.20, 6.40 or 7.00 must be installed and operational on a system that is accessible from the machine where the adapter is installed. The adapter works with the SAP system whether or not the Central User Administration (CUA) feature is installed and configured.

Note: Each SAP NetWeaver AS ABAP 4.6 system must be patched to the following levels or higher:
v ABA Support Package 22 for 4.6C
v R/3 Support Package 21 for 4.6C
v Basis Support Package 31 for 4.6C
v R/3 HR Support Package 27

Each SAP NetWeaver AS ABAP 6.20 system should be patched to the following levels or higher:
v SAP_BASIS 620 0042 SAPKB62043
v SAP_ABA 620 0042 SAPKA62043

Each SAP NetWeaver AS ABAP 6.40 system should be patched to the following levels or higher:
v SAP_BASIS 640 0000
v SAP_ABA 640 0000

Each SAP NetWeaver AS ABAP 7.00 system should be patched to the following levels or higher:
v SAP_BASIS SAPKB70000
v SAP_ABA SAPKA70000

The adapter also requires the 32-bit SAP RFC SDK runtime library (librfc32.dll on Win32, librfccm.so on Solaris, librfccm.o on AIX). Get this library from the SAP presentation CDs or download it from the SAP Service Marketplace Web site. After installing the adapter, place this library in the adapter's lib directory or set your library search path to make it accessible.

For Solaris, export the environment variable LD_LIBRARY_PATH to include the adapter's lib directory with a command such as the following:
export LD_LIBRARY_PATH=Adapter_Install_dir/lib:$LD_LIBRARY_PATH

For AIX, export the environment variable LIBPATH to include the adapter's lib directory with a command such as the following:
export LIBPATH=Adapter_Install_dir/lib:$LIBPATH

For Windows, place the library in the system32 directory or in the adapter's bin directory, or set the Path environment variable to make it accessible. The adapter will not run without this library.

SAP Authority The administrator installing the Tivoli Identity Manager Adapter must have the general SAP Basis authorizations needed to import a transport of RFC (Remote Function Call) and related objects, and to set up the operating system directories and permissions the adapter needs. The security administrator must create the CPIC (Common Programming Interface for Communications) or System user that the adapter uses to connect to the SAP NetWeaver AS ABAP system through the external RFC interface.

SAP User The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user must be authorized to perform user account administration:
v Add
v Modify
v Delete
v Lock
v Unlock
v Retrieve user detail
v Retrieve supporting data
v Set, unset and retrieve HR infotype 0105 (Communication) subtypes, only if the SAP HR module is installed on an SAP system in your SAP environment


To perform these tasks, the adapter user must, at a minimum, be assigned a role that carries at least the following SAP authorization objects. You may wish to create a specific role only for use by this SAP user account; roles are maintained in the SAP GUI with transaction PFCG (transaction SU02 maintains authorization profiles manually).
v S_RFC (SAP R/3 6.20)
v S_RFCACL (SAP R/3 6.20)
v S_TABU_DIS
v S_USER_GRP
v S_USER_AGR
v S_USER_PRO
v S_USER_SYS
v P_ORGIN (required for HR linking only)

Because this account can add, modify, delete, lock and unlock SAP users, treat it as a high-value credential: assign the objects above with the user groups, roles, profiles and (for S_RFC) the function groups the adapter actually uses rather than the * value, and do not reuse the account for interactive administration.

In addition, the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP user type should be set to Communication (CPIC) or System, not Dialog. Those user types cannot log on interactively through the SAP GUI, which is what the adapter requires and also limits what an attacker can do with the credential if it is exposed.

SAP Transport Files The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP requires custom RFCs and BAPIs. These custom RFCs and BAPIs are provided in transport files packaged with the adapter and are therefore only available after adapter installation. These transport files must be imported into your SAP system before running the adapter. Which transport files you must import varies with your site's SAP configuration; the adapter will not function without one of them in place. Select the transport file based on the version of your SAP system.

The transport files WITHOUT HR linking are as follows:
v For non-CUA (4.6C, 4.6D and 6.10):
  – TV2K900065 (cofile = K900065.TV2, data = R900065.TV2)
v For non-CUA (6.20 and 6.40):
  – Non-Unicode: TV2K900069 (cofile = K900069.TV2, data = R900069.TV2)
  – Unicode: TV1K900228 (cofile = K900228.TV1, data = R900228.TV1)
v For CUA (4.6C, 4.6D and 6.10):
  – TV2K900067 (cofile = K900067.TV2, data = R900067.TV2)
v For CUA (6.20 and 6.40):
  – Non-Unicode: TV2K900071 (cofile = K900071.TV2, data = R900071.TV2)
  – Unicode: TV1K900230 (cofile = K900230.TV1, data = R900230.TV1)
v For HR InfoType 0105 support, import one of the transport files listed below into the targeted SAP HR system. These transports contain the functionality to link the HR personnel record to the SAP user account by assigning the account an SAP HR personnel number. You can link the HR record in both CUA and non-CUA SAP environments. If your HR system is a child system in a CUA environment, three actions are required for the adapter to link HR personnel records:


1. Import one of TV2K900100 or TV1K900411 into the CUA master system. Then import the CUA master transport into the CUA master system.
2. Import the non-CUA transport into your child system.
3. An RFC destination of type R/3 Connection must exist in the CUA master system. This RFC destination connects to your HR system. The gateway services file on the CUA master system must be configured for the gateway service of your HR system. There should already be an RFC destination to the child HR system that was created as part of the CUA configuration; if you do not wish to use that destination, you can create one. An RFC destination requires the following details:
   – SAP user account on the HR system with HR authorization.
   – SAP user account password on the HR system.
   – HR system's host name or IP address.
   – HR system's SAP system number.
   Use the SAP GUI transaction SM59 to create RFC destinations. Because the destination stores the HR system credential, use a dedicated System-type user with only the HR authorization required rather than a personal Dialog account.

The transports WITH HR linking are as follows:
v For non-CUA (4.6C, 4.6D and 6.10):
  – TV2K900096 (cofile = K900096.TV2, data = R900096.TV2)
v For non-CUA (6.20 and 6.40):
  – Non-Unicode: TV2K900098 (cofile = K900098.TV2, data = R900098.TV2)
  – Unicode: TV1K900409 (cofile = K900409.TV1, data = R900409.TV1)
v For CUA (4.6C, 4.6D and 6.10):
  – TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
  – TV2K900097 (cofile = K900097.TV2, data = R900097.TV2)
v For CUA (6.20 and 6.40):
  – Non-Unicode:
    - TV2K900100 (cofile = K900100.TV2, data = R900100.TV2)
    - TV2K900099 (cofile = K900099.TV2, data = R900099.TV2)
  – Unicode:
    - TV1K900411 (cofile = K900411.TV1, data = R900411.TV1)
    - TV1K900410 (cofile = K900410.TV1, data = R900410.TV1)

These transport files contain custom RFCs (BAPIs), data elements and tables used by the adapter in various operations:

Table 1. Transport Identifiers and Contents

6

Columns: Transport Identifier; Unicode; HR; CUA; Transport Contents

TV2K900065   Unicode: NO   HR: NO   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_46C (RFC), /TIVSECTY/TIM_USER_PWD_46C (RFC), /TIVSECTY/TIM_USER_ADD_46C (RFC)

IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration Guide

Table 1. Transport Identifiers and Contents (continued)

Columns: Transport Identifier; Unicode; HR; CUA; Transport Contents

TV2K900096   Unicode: NO   HR: YES   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_46C (RFC), /TIVSECTY/TIM_USER_PWD_46C (RFC), /TIVSECTY/TIM_USER_ADD_46C (RFC), /TIVSECTY/TIM_USER_HR_620 (RFC)

TV2K900067   Unicode: NO   HR: NO   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_46C (RFC), /TIVSECTY/TIM_USER_PWD_46C (RFC), /TIVSECTY/TIM_USER_ADD_46C (RFC), /TIVSECTY/TIM_USER_SUBSYS_46C (RFC), /TIVSECTY/TIM_SYSTEMS (Structure)

TV2K900097   Unicode: NO   HR: YES   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_46C (RFC), /TIVSECTY/TIM_USER_PWD_46C (RFC), /TIVSECTY/TIM_USER_ADD_46C (RFC), /TIVSECTY/TIM_USER_SUBSYS_46C (RFC), /TIVSECTY/TIM_SYSTEMS (Structure), /TIVSECTY/TIM_USER_CUAHR_620 (RFC), /TIVSECTY/TIM_READ_TABLE_620

TV2K900069   Unicode: NO   HR: NO   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC)

TV2K900098   Unicode: NO   HR: YES   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_HR_620 (RFC)

TV2K900071   Unicode: NO   HR: NO   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_SUBSYS_620 (RFC), /TIVSECTY/TIM_SYSTEMS (Structure)

TV2K900099   Unicode: NO   HR: YES   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_SUBSYS_620 (RFC), /TIVSECTY/TIM_SYSTEMS (Structure), /TIVSECTY/TIM_USER_CUAHR_620 (RFC), /TIVSECTY/TIM_READ_TABLE_620 (RFC)

TV2K900100   Unicode: NO   HR: YES   CUA: YES
   /TIVSECTY/HRDELIMITDATE (Data Element), /TIVSECTY/P0105NL (Table)

TV1K900228   Unicode: YES   HR: NO   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC)

TV1K900409   Unicode: YES   HR: YES   CUA: NO
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_HR_620 (RFC)

TV1K900230   Unicode: YES   HR: NO   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_SUBSYS_620 (RFC), /TIVSECTY/TIM_SYSTEMS (Structure)

TV1K900410   Unicode: YES   HR: YES   CUA: YES
   /TIVSECTY/TIM_USER_LIST_620 (RFC), /TIVSECTY/TIM_USER_USR02_620 (RFC), /TIVSECTY/TIM_USER_CHG_620 (RFC), /TIVSECTY/TIM_USER_PWD_620 (RFC), /TIVSECTY/TIM_USER_ADD_620 (RFC), /TIVSECTY/TIM_USER_SUBSYS_620 (RFC), /TIVSECTY/TIM_SYSTEMS (Structure), /TIVSECTY/TIM_USER_CUAHR_620 (RFC), /TIVSECTY/TIM_READ_TABLE_620 (RFC)

TV1K900411   Unicode: YES   HR: YES   CUA: YES
   /TIVSECTY/HRDELIMITDATE (Data Element), /TIVSECTY/P0105NL (Table)

Network Connectivity

The adapter must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.

System Administrator Authority

The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation procedure must have system administrator authority to complete the steps in this chapter.

Server Communication

Communication between the Tivoli Identity Manager Server and the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP should be tested with a low-level communication ping before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

Step 1: Testing Network Connectivity

This step tests basic network connectivity and file transfer capability. Testing is done between the Windows workstation where the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP will be installed, and the workstation where the Tivoli Identity Manager Server is or will be located.

8


You must issue a ping command from the Tivoli Identity Manager to the designated adapter workstations to verify communication.
1. Log on to the host running the SAP NetWeaver AS ABAP Adapter.
2. Test communication between the Tivoli Identity Manager Server and the host running the SAP NetWeaver AS ABAP Adapter:
   # ping ITIM_Server_host_name/IP_address
3. Test communication between the host running the SAP NetWeaver AS ABAP Adapter and the host running the SAP NetWeaver AS ABAP Server. You will need to know the SAP instance number for this step (default SAP NetWeaver AS ABAP installations have the instance number 00). If the instance number is different, the port number is 33 followed by the instance number. For example, if the instance number were 80, the port in the telnet command would become 3380:
   telnet SAP_NetWeaver_AS_ABAP_Server_host_name/IP_address 3300
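The port arithmetic and the two reachability checks above, as an added example that is not part of the IBM guide. ITIM_HOST and SAP_HOST are placeholders you replace with your own host names; the script assumes a POSIX shell with ping, and uses nc (netcat) or, when run by bash, /dev/tcp for the TCP connect instead of an interactive telnet.

```shell
#!/bin/sh
# Added example (not from the IBM guide): check the network paths the adapter
# host needs before installing anything.
# Placeholders you must replace: ITIM_HOST (Tivoli Identity Manager Server) and
# SAP_HOST (SAP NetWeaver AS ABAP server); INSTANCE is the SAP instance number.

# sap_dispatcher_port NN -> prints 33NN; the SAP dispatcher listens on 3300 for
# instance 00, 3380 for instance 80, and so on.
sap_dispatcher_port() {
    inst="$1"
    case "$inst" in
        [0-9])      inst="0$inst" ;;   # zero-pad a single digit (5 -> 05)
        [0-9][0-9]) ;;
        *) echo "invalid SAP instance number: '$1'" >&2; return 1 ;;
    esac
    echo "33$inst"
}

# tcp_reachable HOST PORT -> exit 0 when a TCP connection can be opened.
# Prefers nc; falls back to bash's /dev/tcp when the script is run by bash.
tcp_reachable() {
    host="$1"; port="$2"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" >/dev/null 2>&1
    elif [ -n "$BASH_VERSION" ]; then
        (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
    else
        echo "neither nc nor bash available; cannot test $host:$port" >&2
        return 2
    fi
}

# check_adapter_connectivity ITIM_HOST SAP_HOST [INSTANCE]
# Runs the guide's two tests: ICMP ping to the ITIM Server and a TCP connect
# to the SAP dispatcher port. Returns the number of failed checks.
check_adapter_connectivity() {
    itim_host="$1"; sap_host="$2"; instance="${3:-00}"
    failures=0
    port=$(sap_dispatcher_port "$instance") || return 1

    if ping -c 1 "$itim_host" >/dev/null 2>&1; then
        echo "OK   ping $itim_host"
    else
        echo "FAIL ping $itim_host (check routing, firewall and ICMP policy)"
        failures=$((failures + 1))
    fi

    if tcp_reachable "$sap_host" "$port"; then
        echo "OK   tcp $sap_host:$port (SAP dispatcher, instance $instance)"
    else
        echo "FAIL tcp $sap_host:$port (dispatcher down, wrong instance number, or port filtered)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage: sh check_sap_connectivity.sh ITIM_HOST SAP_HOST 00
if [ "$#" -ge 2 ]; then
    check_adapter_connectivity "$@"
fi
```

A non-zero exit status is the count of failed checks, so the script can gate an automated install; a failing TCP check with a passing ping usually means a wrong instance number or a firewall that permits ICMP but filters the dispatcher port.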

Step 2: Installing the Adapter

An executable installation program is provided for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. When you run the installation program, you can accept the default settings or select new values. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.

To install the adapter, do the following:
1. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation zip file from IBM’s Web site.
2. Extract the contents of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP installation zip file into a temporary directory.
3. Complete one of the following:
   For a Tivoli Identity Manager Adapter installed on a UNIX platform:
   a. Change the working directory to the temporary directory where you extracted the profile installation file.
      # cd /tmp
      where tmp is the path of the directory containing the adapter installation file.
   b. Run the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP adapter installation binary that is appropriate for your operating system.
      # ./SapAgent/install/Agent/SAPAgentSetup_operating system.bin
      where operating system is the name of your operating system, such as aix or solaris.
   For a Tivoli Identity Manager Adapter installed on Windows:
   Select Run... from the Start menu and type the path to the temporary directory followed by SapAgent\install\agent\SapAgentSetup_win32.exe. For example:
      C:\Temp\SapAgent\install\agent\SapAgentSetup_win32.exe
   The Welcome dialog window appears.
4. Click Next.

9

   The License dialog window appears.
5. Read the License agreement and select the I accept option to continue.
6. Click Next. The Select Destination Directory dialog window appears.

Figure 1. Select Destination Directory dialog window (InstallShield dialog: "Click Next to install to this directory, or click Browse to install to a different directory"; Directory Name: C:\tivoli\agents\; buttons Browse..., < Back, Next >, Cancel)

7. Accept the default or select an alternate destination path and click Next. The Install Summary dialog window appears.
8. Click Next. The SAP NetWeaver AS ABAP Instance Setup dialog is displayed.
9. In the respective fields, type the SAP NetWeaver AS ABAP instance name and the password for the CPIC SAP user account that the adapter will use and click Next. The SAP NetWeaver AS ABAP enter more instances dialog is displayed. To enter more instances select Yes and repeat this step for as many SAP NetWeaver AS ABAP instances as required. Otherwise select No.
10. Click Finish.
11. Check the installation directory has been created as specified in step 7. Make the SAP SDK shared library accessible by the adapter.
    For Solaris: Copy the SAP SDK library (librfccm.so) into the adapter’s lib directory, and then export the environment variable LD_LIBRARY_PATH to include the adapter’s lib directory with a command such as this.
    export LD_LIBRARY_PATH=adapter_install_dir/lib:$LD_LIBRARY_PATH

    For AIX: Copy the SAP SDK library (librfccm.o) into the adapter’s lib directory, and then export the environment variable LIBPATH to include the adapter’s lib directory with a command such as this.

10


export LIBPATH=adapter_install_dir/lib:$LIBPATH

    For Windows: Copy the SAP SDK library (librfc32.dll) into either the system32 directory, the adapter’s bin directory, or set the Path environment variable to make it accessible. If you already have the SAP GUI installed on this Windows host, a version of the SAP SDK library should already exist in the system32 directory.
12. Locate the transport files in the adapter’s transports directory. Give the COFILES and the DATA files to your SAP BASIS administrator to import into all targeted SAP NetWeaver AS ABAP systems. As these transports are client independent, ensure that your transport landscape allows for this before importing. The next section describes the transport import procedure.
    Note: By setting the transport landscape up appropriately, you will be sure not to import the transports into clients that do not need them (even though importing the transport files into other clients will not have any impact on them). The imported function modules and data structures can be removed via a new transport/change request if required.

Step 3: Importing the Transport Files

Note: IBM recommends that these imports be performed by a SAP Basis Administrator.

For the adapter to function, it is necessary to import one of the transport file sets described above. You must first copy the transport set to the transport directory in each mySAP.com landscape, so that the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP can communicate with your target SAP systems. For demonstration purposes the following instructions refer to the transport TV2K900045 as an example. You will need to repeat these steps for each transport in your required transport file set as defined in the table above.

Before you begin the transport import process, complete the following steps:
1. Locate the transport files in the transports installation subdirectory for the adapter. For example, on a Windows installation this would be C:\Tivoli\Agents\SapAgent\transports.
2. Copy the transport files to the application server that will be used to execute the import:
   a. Copy all files in the cofiles subdirectory (K900045.TV2) in ASCII format to the /usr/sap/trans/cofiles directory. Ensure that the files have write permission.
   b. Copy all files in the data subdirectory (R900045.TV2) in binary format to the /usr/sap/trans/data directory. Ensure that the files have write permission.
   c. Ensure that the files are owned by the group sapsys.
3. Perform the following prerequisite checks before beginning the import process:
   a. The transport and correction system must be already configured and functioning.
   b. The target system must be properly defined within a transport domain.

You can now perform the transport import. This procedure can be performed from either the command line or by using the Transport Managing System.

Using the Transport Managing System:

11

1. Log into the SAP GUI with a mySAP.com SAP GUI administrator account.
2. Display the Transport Management System. Either:
   v Run transaction STMS, or
   v Select Tools then Administration, then Transport, then Transport Management System.
3. Display the available mySAP.com system import queues. Either:
   v Click the Import Overview icon, then click Display Import Queue, or
   v Double-click the target system in the Import Overview window.
4. Add the transport to the buffer. If the transports already exist in the buffer, proceed to the next step. If the buffer does not exist, perform the following steps:
   a. From the Extras menu, select Other Requests then Add to display the Add Transport Request to Import Queue dialog.
   b. In the Transp. request field, enter the transport name that you want to add, such as TV2K900045. Click the icon with the green check on it and then click Yes on the confirmation dialog.
5. Import the transport as follows:
   a. From the Import Queue window, select the transport.
   b. From the Request menu, select Import to display the Import Transport Request dialog.
   c. In the Target client field, select the target client from the drop-down list. Click the icon with the green check on it and then click Yes on the confirmation dialog.
6. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.
   Note: A mySAP.com developer key is required to activate the objects.

Using the command line:
1. Log on to the target SAP system host machine as the mySAP.com administrator and change to the /usr/sap/trans/bin directory.
2. Show the current contents of the transport buffer:
   tp showbuffer sid
   where sid is the three-character identifier of your mySAP.com system.
3. Verify that there are no other transports included in the transport buffer.
4. Add the transport to the buffer:
   tp addtobuffer TV2K900045 sid
5. Verify that the transport has been placed in the buffer:
   tp showbuffer sid
6. Import the transport:
   tp import TV2K900045 sid

7. Verify that the import was successful. To do this, log into the SAP GUI and go to the Function builder transaction (se37) and check that the Function Modules (RFCs) listed in the transport description table above (see Table 1 on page 6) are installed and active. If the Function Modules (RFCs) are not active, activate the objects.
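The file staging of step 2 and the tp sequence above, as an added example that is not part of the IBM guide. It assumes the /usr/sap/trans transport directory named in the guide, derives the cofile and data file names from the transport identifier (TV2K900045 gives K900045.TV2 and R900045.TV2, matching the guide's naming), and takes the source directory, the SID and the transport identifier as placeholders on the command line; tp is only invoked with the commands the guide lists.

```shell
#!/bin/sh
# Added example (not from the IBM guide): stage an adapter transport into the
# SAP transport directory with the file modes and group ownership the guide asks
# for, then run the tp sequence from Step 3. All arguments are placeholders.
# Assumption: a transport identifier has the form <SID>K<6 digits>, e.g. TV2K900045.

TRANS_DIR="${TRANS_DIR:-/usr/sap/trans}"   # standard SAP transport directory

# transport_files ID -> prints "<cofile> <datafile>", e.g.
#   TV2K900045 -> K900045.TV2 R900045.TV2
transport_files() {
    id="$1"
    sid=$(printf '%s' "$id" | cut -c1-3)
    rest=$(printf '%s' "$id" | cut -c4-)
    case "$rest" in
        K[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unexpected transport identifier: '$id'" >&2; return 1 ;;
    esac
    num=${rest#K}
    echo "K$num.$sid R$num.$sid"
}

# stage_transport SRC_DIR ID -> copies the cofile and data file from the
# adapter's transports directory (SRC_DIR/cofiles, SRC_DIR/data) into the
# transport directory, makes them writable and hands them to group sapsys.
# The guide's ASCII/binary distinction matters for FTP transfers between
# platforms; a local cp copies both files byte for byte.
stage_transport() {
    src="$1"; id="$2"
    files=$(transport_files "$id") || return 1
    cofile=${files%% *}
    datafile=${files#* }
    for pair in "cofiles/$cofile" "data/$datafile"; do
        sub=${pair%%/*}; name=${pair#*/}
        [ -r "$src/$sub/$name" ] || { echo "missing $src/$sub/$name" >&2; return 1; }
        cp "$src/$sub/$name" "$TRANS_DIR/$sub/$name" || return 1
        chmod u+w,g+w "$TRANS_DIR/$sub/$name" || return 1
        chgrp sapsys "$TRANS_DIR/$sub/$name" || return 1
        echo "staged $TRANS_DIR/$sub/$name"
    done
}

# import_transport SID ID -> the command-line sequence from Step 3. The buffer
# is shown before and after addtobuffer so the operator can confirm step 3
# (no other transports queued) and step 5 before the import runs.
import_transport() {
    sid="$1"; id="$2"
    cd "$TRANS_DIR/bin" || return 1
    echo "--- buffer before ---"; tp showbuffer "$sid" || return 1
    tp addtobuffer "$id" "$sid" || return 1
    echo "--- buffer after addtobuffer ---"; tp showbuffer "$sid" || return 1
    tp import "$id" "$sid"
}

# Usage: sh stage_transport.sh /path/to/SapAgent/transports TV2 TV2K900045
if [ "$#" -eq 3 ]; then
    stage_transport "$1" "$3" && import_transport "$2" "$3"
fi
```

Because transport_files rejects identifiers that do not match the expected shape, a typo in the transport name fails before anything is copied into /usr/sap/trans; the subsequent se37 check in step 7 still has to be done by hand.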

Step 4: Activating the Adapter as a Service

If the Tivoli Identity Manager Agent for SAP NetWeaver AS ABAP was installed on a Windows host, a service is created for starting and stopping the agent. On UNIX platforms, the agent is deployed with script files to start and stop the agent. The following scripts are located in the bin directory of the agent installation:
v StopAgent.sh
v StartAgent.sh
Use the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service or scripts to start the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP software on the target platform.

Step 5: Configuring the Adapter

The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site’s systems. Refer to “Changing Protocol Configuration Settings” on page 21 for more information.

Step 6: Installing the Adapter’s Certificate

A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP does not come prepackaged with a certificate. Refer to Chapter 5, “Certificate Installation,” on page 37 for more information about installing certificates. When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. For more information, refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide, specifically the sections marked “Preparing to install adapters”.
Note: You must configure the DAML protocol before installing your certificate. Stop and restart the adapter after the certificate is installed.

Step 7: Installing the Adapter’s Profile

Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. See Chapter 3, “Adapter Profile Installation,” on page 17 for more information on installing the adapter’s profile on the Tivoli Identity Manager Server.
Note: If this is an upgrade of an existing adapter, the new adapter schema will not be reflected immediately. The Tivoli Identity Manager system stores the adapter schema in memory. However, this cache is periodically refreshed and the new adapter schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the adapter schema immediately.

Step 8: Configuring the Adapter’s Forms

Configure the adapter’s service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the IBM Tivoli Identity Manager Information Center for more information. When adding the adapter as a Tivoli Identity Manager Service to the Tivoli Identity Manager Server, the following SAP connection parameters must be defined:

Table 2. Service Attributes

Columns: ITIM Service Attribute Name; ITIM Service Attribute Description

SAP System Version
   Legacy Service attribute. The adapter officially only supports 4.6C to WAS 6.20. Recommended value is 46C+.
SAP Client Instance Name
   Required Service Attribute. This is the SAP instance name for the SAP instance you are connecting to.
Interface with CUA?
   Optional Service Attribute. Check this radio button if the adapter is provisioning to a Central User Administration (CUA) SAP client.
Do Not Force Password Change?
   Optional Service Attribute. Check this radio button if you want to disable SAP’s password reset functionality. Required to synchronize passwords across other Tivoli Identity Manager accounts for this identity.
Disable Admin Unlock On Restore?
   By default users will not be allowed to restore their account if the account was locked by an administrator. Check this radio button if you want to allow users to restore their account after it has been locked by an administrator.
Unlock Account On Password Change?
   Optional Service Attribute. Check this radio button if you want the adapter to perform a secondary unlock action on a password change request. If activated, the account will be unlocked if the reason for its lock state was too many failed login attempts.
Display Indirectly Assigned Roles?
   Optional Service Attribute. Check this radio button if you want indirectly assigned Roles reconciled for accounts. Roles are assigned indirectly as a result of Composite Role assignment.
Enable HR infotype 105 Link?
   Optional Service Attribute. Check this radio button if you want to allow the adapter to Link SAP accounts to HR Personnel Records using infotype 105 (Communication).
RFC Destination for HR System (CUA only)
   Optional Service Attribute. This option requires a value when you have selected the option above, Enable HR infotype 105 Link?, and your SAP System uses the CUA configuration.
Role Default End Date
   Optional Service Attribute. This is the default Role End Date.
Role Date Max Year
   Optional Service Attribute. This is the maximum year value for the Role start and end date widgets. Default value is 9999.
Span Role Date Years?
   Optional Service Attribute. Check this radio button if you want to Span the Role End Date Year field (that is, display all years from 1990 to the defined Role Date Max Year above).
Target Client
   Required Service Attribute. This is the SAP instance client number.
Login ID
   Required Service Attribute. This is the CPIC SAP User account login ID that the adapter will use to connect to the SAP client.
Language
   Required Service Attribute. This is the SAP login language parameter.
Mode (only NetWeaver AS ABAP supported now)
   Legacy Service attribute. The adapter officially only supports the NetWeaver AS ABAP mode.
SAP System (DNS hostname or IP)
   Required Service Attribute. Hostname of the SAP server host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter.
SAP System Number
   Required Service Attribute. The SAP server system number. Default SAP install has system number 00.
SAP Gateway (DNS hostname or IP)
   Required Service Attribute. Hostname of the SAP gateway host machine only if DNS is set up correctly. Otherwise use the IP address. Test the connection using the ping command from the command line on the host running the adapter. Usually this is the same host that contains the SAP server.
SAP Gateway Service Name
   Required Service Attribute. The SAP gateway service string. Default SAP install uses sapgw00.
Enable RFC Trace?
   Optional Service Attribute. Set to ON to enable RFC trace files for debug purposes. If you find a problem with the adapter, ensure you re-produce the request with Trace enabled and capture the trace file. The logs are created in the directory where the RFCSDK runtime library is located.
Enable Extended RFC Logon?
   Optional Service Attribute. Check this radio button to enable use of extended RFC logon. Define the extended logon attributes by creating unencrypted registry values.
   Note: This SAP functionality does not currently support AIX in a reliable fashion. Therefore it is recommended that this setting not be used for Agents running on AIX with the SAP RFCSDK 6.40 AIX library.


15

Figure 2. Configuring the Adapter’s Forms

16


Chapter 3. Adapter Profile Installation

This chapter has the following sections:
v “Introduction”
v “Requirements”
v “Installing the Adapter Profile”
v “Verifying the Adapter Profile is Installed” on page 18

Introduction

Before an adapter can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the adapter as a service. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP comes packaged with a JAR file which represents the adapter’s profile. This JAR file is then imported into the Tivoli Identity Manager Server, making SAP NetWeaver AS ABAP available as an ITIM Server service option. This chapter describes the procedure to install and configure the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.
Note: If you are upgrading the adapter software, you must also upgrade the adapter profile on the Tivoli Identity Manager Server.

Requirements

The following table identifies hardware, software, and authorization requirements to install the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile.

Table 3. Requirements before installing an adapter profile

Server
   The Tivoli Identity Manager Server must be installed and running before the adapter’s profile can be installed.
System Administrator Authority
   The person completing the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

Installing the Adapter Profile

1. Log in to any host machine that has a supported browser and can connect to the Tivoli Identity Manager Server Console. You may wish to just log directly into your Tivoli Identity Manager Server, but the profile can also be installed remotely if desired.
2. Download the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP package from the IBM Web site and extract the profile JAR file SapProfile.jar. Place the JAR file into a temporary directory.
   Note: Contact your IBM account representative for the Web address and download instructions for adapter installation files.
3. Start a browser session and log into the Tivoli Identity Manager Console with an administrator account.
4. Using the Tivoli Identity Manager tabs and menus, browse to Configuration > Import/Export and select the Import tab.
5. Use the Browse button to locate the temporary directory that contains the JAR file, SapProfile.jar.
6. Select the correct profile JAR file, then select the Import data into Identity Manager button (which is directly beneath the browse widget).
7. When the import is complete you will see a message such as:
   Uploading file C:\temp\SapAgent\install\profile\SapProfile.jar
   Profile installation complete.
8. Although not essential in all instances, it is a good idea to restart the enrole WebSphere Enterprise Application using the WebSphere Administration Console (http://ITIM_server:9090/admin), or by restarting the WebSphere Application Server itself.

© Copyright IBM Corp. 2004, 2005, 2006

17

Verifying the Adapter Profile is Installed

To ensure that the adapter profile has been installed correctly:
1. Using the Administrator Console, navigate to the Provisioning main tab.
2. Create a service of type SAP NetWeaver AS ABAP.
   Note: If you do not have the correct SAP system details, enter in dummy values for the SAP CONNECTION DETAILS. You must however have a running SAP NetWeaver AS ABAP adapter, and correct AGENT CONNECTION DETAILS.
3. Submit the service for creation.
4. Once the service has been created, create a provisioning policy entitlement for the new service. You can use an existing Provisioning policy, or create a new one.

18


Chapter 4. Adapter Parameters Modification

This chapter describes how to use agentCfg, the provided adapter configuration program, to view or modify Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters. All modifications made to settings with this tool take effect immediately. This chapter has the following sections:
v “Accessing the Adapter Configuration Tool Main Menu”
v “Viewing Configuration Settings” on page 20
v “Changing Protocol Configuration Settings” on page 21
v “Setting Event Notification” on page 24
v “Changing the Configuration Key” on page 28
v “Changing Activity Logging Settings” on page 28
v “Changing Registry Settings” on page 30
v “Changing Advanced Settings” on page 32
v “Viewing Statistics” on page 33
v “Changing code page settings” on page 34
v “Accessing Help and Additional Options” on page 34

Accessing the Adapter Configuration Tool Main Menu

The following procedure describes how to access the main menu of the agentCfg tool for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.
1. Change to the adapter’s bin directory. At the prompt, type the following, if the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directory is in the default location:
   agentCfg -agent SAPAgent
   The following prompt is displayed:
   Enter configuration key for Agent ’SAPAgent’:
   The default password is ’agent’. This should be changed at the first opportunity. You can also use agentCfg to view or change configuration settings from a remote computer. See the table in “Accessing Help and Additional Options” on page 34 for procedures on using the -hostname argument.
2. Type the configuration key for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. The default configuration key is agent. See “Changing Protocol Configuration Settings” on page 21 for procedures to change the configuration key. The Main Configuration menu appears.


19

SAPAgent 4.6.xxxx Agent Main Configuration Menu
------------------------------------------
A. Configuration Settings
B. Protocol Configuration
C. Event Notification
D. Change Configuration Key
E. Activity Logging
F. Registry Settings
G. Advanced Settings
H. Statistics
I. Codepage Support
X. Done
Select menu option:

This chapter includes a section for each of the following main functions:
v For option A, see “Viewing Configuration Settings”
v For option B, see “Changing Protocol Configuration Settings” on page 21
v For option C, see “Setting Event Notification” on page 24
v For option D, see “Changing the Configuration Key” on page 28
v For option E, see “Changing Activity Logging Settings” on page 28
v For option F, see “Changing Registry Settings” on page 30
v For option G, see “Changing Advanced Settings” on page 32
v For option H, see “Viewing Statistics” on page 33
v For option I, see “Changing code page settings” on page 34

Viewing Configuration Settings

The following procedure describes how to view the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP configuration settings.
1. Type option A (Configuration Settings) at the main menu prompt. The configuration settings for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP appear. The following is a sample of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP configuration settings.

Configuration Settings
------------------------------------------
Name : SAPAgent
Version : 4.6.xxxx
ADK Version : 4.36
ERM Version : 4.36
enRole Version : 4.0
License : NONE
Asynchronous ADD Requests : TRUE (Max.Threads:3)
Asynchronous MOD Requests : TRUE (Max.Threads:3)
Asynchronous DEL Requests : TRUE (Max.Threads:3)
Asynchronous SEA Requests : TRUE (Max.Threads:3)
Available Protocols : DAML, FTP
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\Tivoli\Agents\SAPAgent\Log
Log File Name : SAPAgent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Press any key to continue

2. Press any key to return to the main menu.

20


Changing Protocol Configuration Settings The adapter can communicate with the Tivoli Identity Manager Server using DAML or FTP. By default, agents are configured to use DAML as the communication protocol. Procedures provided in this section contain instructions for modifying DAML protocol configuration settings. Configuring the adapter to use FTP requires additional configuration not provided in this section. The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP protocol configuration settings. This section also describes the purpose of the provided functions. 1. Type B (Protocol Configuration) at the main menu prompt. The Protocol Configuration menu appears. The configured and available protocols for your server display above the menu options. The DAML protocol is configured and available by default for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Agent Protocol Configuration Menu ----------------------------------Available Protocols: DAML, FTP Configured Protocols: DAML A. Add Protocol. B. Remove Protocol. C. Configure Protocol. X. Done Select menu option

2. See the procedure that corresponds with the option that you want to select:
   • For option A, see “Adding a Protocol”
   • For option B, see “Removing a Protocol”
   • For option C, see “Configuring a Protocol” on page 22
   Type X to return to the main menu.

Adding a Protocol
1. Type A (Add Protocol) at the Protocol Configuration menu prompt. The Add New Protocol menu appears and displays the protocols that are available on your server. If there are no protocols to add, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to add. The Protocol Configuration menu reappears, and the protocol that you added is listed as a Configured Protocol. See “Configuring a Protocol” on page 22 to modify the default configuration settings for the protocol that you added.

Removing a Protocol
1. Type B (Remove Protocol) at the Protocol Configuration menu prompt. The Remove Protocol menu appears and displays all protocols that have been added. If there are no protocols to remove, the Protocol Configuration menu reappears.
2. Type the menu option letter of the protocol that you want to remove. The Protocol Configuration menu reappears, and the protocol that you removed is no longer listed as a configured protocol. The protocol remains an available protocol and can be added again.

Configuring a Protocol
1. Type C (Configure Protocol) at the Protocol Configuration menu prompt. The Configure Protocol menu appears.
2. Type the menu option letter of the protocol that you want to configure. The Protocol Properties menu for the configured protocol appears with the protocol properties. Note: The properties on your menu may be different from the ones shown. The following is an example of the DAML protocol properties:

   DAML Protocol Properties
   -------------------------------------------------------------------
   A. USERNAME             ******        ;Authorized user name.
   B. PASSWORD             ******        ;Authorized user password.
   C. MAX_CONNECTIONS      100           ;Max Connections.
   D. PORTNUMBER           45580         ;Protocol Server port number.
   E. USE_SSL              FALSE         ;Use SSL secure connection
   F. SRV_NODENAME         192.168.6.40  ;Event Notif. Server name.
   G. SRV_PORTNUMBER       443           ;Event Notif. Server port number.
   H. HOSTADDR             ANY           ;Listen on address ( or "ANY" )
   I. VALIDATE_CLIENT_CE   FALSE         ;Require client certificate.
   J. REQUIRE_CERT_REG     FALSE         ;Require registered certificate.
   X. Done
   Select menu option:

3. Type the menu option letter of the protocol property that you want to configure. See Table 4 for additional information about the menu options for the DAML protocol.

Table 4. Menu options for the DAML protocol (Type this Option / To Accomplish this)

A (USERNAME)
   The following prompt appears:
      Modify Property 'USERNAME':
   Type a user name, for example, admin. This is the user name that the Tivoli Identity Manager Server uses to authenticate to the adapter.

B (PASSWORD)
   The following prompt appears:
      Modify Property 'PASSWORD':
   Type the password for the user name that the Tivoli Identity Manager Server uses to connect to the adapter.

C (MAX_CONNECTIONS)
   The following prompt appears:
      Modify Property 'MAX_CONNECTIONS':
   Type a different number of connections that the adapter accepts at one time.

D (PORTNUMBER)
   The following prompt appears:
      Modify Property 'PORTNUMBER':
   Type a different port number, for example, 7004. This is the port on which the adapter listens for connections from the Tivoli Identity Manager Server.

E (USE_SSL)
   The following prompt appears:
      Modify Property 'USE_SSL':
   Type TRUE to require the Tivoli Identity Manager Server to use HTTPS. Type FALSE to allow the Tivoli Identity Manager Server to use HTTP. With USE_SSL set to FALSE, the USERNAME and PASSWORD and all request data pass over the network unencrypted.
   Note: You must install a certificate with the CertTool utility (see Chapter 5) before you set this option to TRUE, and the CA that issued the certificate must be registered with the application server that hosts the Tivoli Identity Manager Server.

F (SRV_NODENAME)
   The following prompt appears:
      Modify Property 'SRV_NODENAME':
   Type a server name, for example, 192.168.6.152. This is the DNS name or IP address of the Tivoli Identity Manager Server.

G (SRV_PORTNUMBER)
   The following prompt appears:
      Modify Property 'SRV_PORTNUMBER':
   Type a different port number for access to the Tivoli Identity Manager Server, for example, 7004. This is the port that the adapter uses to connect to the Tivoli Identity Manager Server.

H (HOSTADDR)
   Type the IP address on which the adapter listens for connections from the Tivoli Identity Manager Server, or ANY to listen on every address of the host (see the sample menu above).
   Note: On some adapter builds option H is SRV_USERNAME instead and the prompt Modify Property 'SRV_USERNAME': appears; that value is the user name that the adapter uses to connect to the Tivoli Identity Manager Server, for example, admin.

I (VALIDATE_CLIENT_CE)
   The following prompt appears:
      Modify Property 'VALIDATE_CLIENT_CE':
   Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the adapter. Type FALSE to allow the Tivoli Identity Manager Server to communicate with the adapter without a certificate. Note: You must configure options D through H of the CertTool if you set this option to TRUE.

J (REQUIRE_CERT_REG)
   The following prompt appears:
      Modify Property 'REQUIRE_CERT_REG':
   Type TRUE to require the use of a registered certificate. Type FALSE to allow the use of a non-registered certificate. Note: You must configure options D through H of the CertTool if you set this option to TRUE.

4. Change the value and press Enter. The Protocol Properties menu reappears and displays your new settings. Note: Press Enter without typing a value to return to the Protocol Properties menu without modifying the selected value.

Setting Event Notification
The following procedure describes how to set Event Notification for the Tivoli Identity Manager Server. Event Notification updates the Tivoli Identity Manager Server, at set intervals, with the changes that the adapter detects on the managed resource. Note: The example menu shows all the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.
1. Type C (Event Notification) at the main menu prompt. The Event Notification Menu appears.

   Event Notification Menu
   --------------------------------------------------------------
   * Reconciliation interval  : 1 day(s)
   * Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
   * Configured Contexts      : Jupiter, dd309
   A. Enabled
   B. Time interval between reconciliations.
   C. Set Processing cache size. (currently: 50 Mbytes)
   D. Start event notification now.
   E. Set attributes to be reconciled.
   F. Reconciliation process priority. (current: 1)
   G. Add Event Notification Context.
   H. Modify Event Notification Context.
   I. Remove Event Notification Context.
   J. List Event Notification Contexts.
   X. Done
   Select menu option:

2. Type the menu option letter of the Event Notification option that you want to change. Note: Option A must be enabled in order for the values of the other options to take effect.


Table 5. Event notification options (Type this Option / To Accomplish this)

A (Enabled)
   If this option is enabled, the adapter updates the Tivoli Identity Manager Server with changes on the managed resource at regular intervals. Typing A toggles the value: disabled changes to enabled, and enabled changes to disabled.

B (Time interval between reconciliations)
   The following prompt appears:
      Enter new interval ([ww:dd:hh:mm:ss]) [00:01:00:00:00]:
   Type a different reconciliation interval as weeks:days:hours:minutes:seconds. Press Enter without typing a value to return to the Event Notification menu without changing the value.

C (Set processing cache size)
   The following prompt appears:
      Enter new cache size[5]:
   Type a different value to change the processing cache size. Press Enter without typing a value to return to the Event Notification menu without changing the value.

D (Start event notification now)
   If this option is selected, event notification is started immediately.

E (Set attributes to be reconciled)
   The Event Notification Entry Types menu appears. See “Setting Attributes to be Reconciled” on page 26 for more information.

F (Reconciliation process priority)
   The following prompt appears:
      Enter new thread priority [1-10]:
   Type a different thread priority to change the reconciliation process priority. Press Enter without typing a value to return to the Event Notification menu without changing the value.

G (Add Event Notification Context)
   The following prompt appears:
      Context name :
   Type the new context name and press Enter. The new context is added.

H (Modify Event Notification Context)
   A menu listing the available contexts appears. See “Modifying an Event Notification Context” on page 27 for more information.

I (Remove Event Notification Context)
   The Remove Context menu appears. Select the context to remove, and the following prompt appears:
      Delete context context1? [no]:
   Press Enter to exit without deleting the context, or type yes and press Enter to delete the context.

J (List Event Notification Contexts)
   The Event Notification Contexts are displayed in the following format:
      Context Name : Context1
      Target DN    : erservicename=context1,o=IBM,ou=IBM,dc=com
      --- Attributes for search request ---
      {search attributes listed}
      -----------------------------------------------

3. Press Enter if you changed the value for option B, C, E or F. The Event Notification menu reappears and displays your new settings. Note: The other options are changed automatically when you type the corresponding menu option letter.

Setting Attributes to be Reconciled
Setting attributes to be reconciled consists of selecting the attributes that trigger event notifications when their values change. Attributes that change frequently (password age or last successful logon, for example) can be omitted.
1. Type E (Set attributes to be reconciled) at the Event Notification Menu. The Event Notification Entry Types menu appears.

   Event Notification Entry Types
   ------------------------------------------
   A. USER
   B. GROUP
   X. Done
   Select menu option:

2. Type A for the attributes returned during a user reconciliation, or type B for the attributes returned during a group reconciliation. The Event Notification Attribute Listing for the selected reconciliation type appears. Note: The default setting lists all attributes that the adapter supports.

   Event Notification Attribute Listing
   ------------------------------------
   (a) **   (b) **   (c) **   (d) **   (e) **   (f) **
   (g) **   (h) **   (i) **   (j) **   (k) **   (l) **
   (m) **   (o) **   (q) **   (r) **   (s) **   (t) **
   (p)rev   page 1 of 3   (n)ext
   ----------------------------
   X. Done
   Select menu option:

3. Type the letter of the attribute to exclude from event notification; typing the letter again includes it. Attributes marked with asterisks are returned during event notification. Attributes that are not marked with asterisks are not returned.


Modifying an Event Notification Context
1. Type H (Modify Event Notification Context) at the Event Notification menu. The Modify Context Menu appears.

   Modify Context Menu
   -----------------------------
   A. Context1
   B. Context2
   C. Context3
   X. Done
   Select menu option:

2. Select the desired context. The Modify Context menu for the selected context appears.

   A. Set attributes for search
   B. Target DN:
   C. Delete Baseline Database
   X. Done
   Select menu option:

See “Adding Search Attributes for Event Notification” for option A. See “Configuring the Target DN for Event Notification Contexts” for option B. See “Removing the Baseline Database for Event Notification Contexts” on page 28 for option C.

Adding Search Attributes for Event Notification
1. Type A (Set attributes for search) at the desired context’s Modify Context menu. The Reconciliation Attributes Passed to Agent menu appears.

   Reconciliation Attributes Passed to Agent for Context: Context1
   ---------------------------------------------------------------
   A. Add new attribute
   B. Modify attribute value
   C. Remove attribute
   X. Done
   Select menu option:

2. Select the desired option and complete the requested information at the prompts. The Reconciliation Attributes Passed to Agent menu reappears with the changes displayed.

Configuring the Target DN for Event Notification Contexts 1. Type B (Target DN) at the desired context’s Modify Context menu. The following prompt appears: Enter Target DN:

2. Type the target DN for the context and press Enter. The target DN for the event notification context must be in the following format: erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com

Each element of the DN is defined as follows:
   erservicename
      Name of the target service as defined in Tivoli Identity Manager.
   o
      Name of the organization in Tivoli Identity Manager.
   ou
      Name of the tenant in which the organization is located. If Tivoli Identity Manager is an enterprise installation, this is the name of the organization.
   dc=com
      Root of the directory tree.
The selected context’s Modify Context menu reappears with the new target DN listed.
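The target DN is typed by hand at the prompt above and agentCfg does not check it, so a mis-ordered or badly escaped DN only shows up later as a context that never delivers notifications. The following Python functions are an added example, not part of the guide or of the adapter: they parse a target DN into its four elements in the order this section requires (splitting only on commas that are not escaped, the LDAP convention for values that contain commas) and build one from a service, organization and tenant name with the special characters escaped. The escaping rules and the sample names are the example's own assumptions; the element order and the dc=com root are the ones this section specifies.

```python
"""Validate and build event notification target DNs.

Added example, not from the guide. The required element order
(erservicename, o, ou, dc) and the dc=com root come from the guide;
escaping follows the LDAP string form of a DN (a backslash before
, + " \\ < > ; =), which is an assumption about how the server parses it.
"""
import re

REQUIRED_ORDER = ("erservicename", "o", "ou", "dc")
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def split_rdns(dn):
    """Split a DN on commas that are not preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair unchanged
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def parse_target_dn(dn):
    """Return {'erservicename': ..., 'o': ..., 'ou': ..., 'dc': ...}.

    Raises ValueError when an element is missing, empty, unknown, or out of
    the order the adapter expects. Values are returned still escaped.
    """
    rdns = split_rdns(dn)
    if len(rdns) != len(REQUIRED_ORDER):
        raise ValueError(f"expected {len(REQUIRED_ORDER)} elements, "
                         f"got {len(rdns)} in {dn!r}")
    result = {}
    for expected, rdn in zip(REQUIRED_ORDER, rdns):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or attr != expected:
            raise ValueError(f"expected '{expected}=...' but found {rdn!r}")
        if not value:
            raise ValueError(f"empty value for {expected}")
        result[attr] = value
    return result


def build_target_dn(service, organization, tenant):
    """Assemble a target DN, escaping characters that would break parsing."""
    def esc(value):
        return _SPECIAL.sub(r"\\\1", value)

    return (f"erservicename={esc(service)},o={esc(organization)},"
            f"ou={esc(tenant)},dc=com")


if __name__ == "__main__":
    # Constructed sample values; 'SAP Prod, HR' shows why escaping matters.
    dn = build_target_dn("SAP Prod, HR", "IBM", "IBM")
    print(dn)
    print(parse_target_dn(dn))
    print(parse_target_dn("erservicename=context1,o=IBM, ou=IBM,dc=com"))
```

Run the module directly to see a service name containing a comma survive the round trip; feed parse_target_dn the value you are about to type at the Enter Target DN: prompt and it raises ValueError with the element that is wrong.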

Removing the Baseline Database for Event Notification Contexts This option is only available after a context is created and a reconciliation is run on the context to create a Baseline Database file. Type C (Delete Baseline Database) at the desired context’s Modify Context menu. The selected context’s Modify Context menu reappears with the Delete Baseline Database option removed.

Changing the Configuration Key
The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP configuration key. This key is the password that protects access to the configuration tool for the selected adapter; anyone who knows it can change the protocol credentials, enable user EXEC procedures, or otherwise reconfigure the adapter. The default configuration key is agent. Because the default is published in this guide, change it on every installation.
1. Type D (Change Configuration Key) at the main menu prompt. The following prompt appears:
   Enter new configuration key for Agent 'SAPAgent 4.6.xxxx':
2. Type the new key and press Enter. Press Enter without typing a value to return to the Main Configuration menu without changing the configuration key. Note: Choose a configuration key that you can remember but that is not easy to guess. A message appears:
   Configuration key successfully changed.
The configuration program exits and the main prompt reappears.

Changing Activity Logging Settings
The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP activity logging settings. When you enable logging, the adapter maintains a log of all transactions in a dated archive log file, SAPAgent.log.
1. Type E (Activity Logging) at the main menu prompt. The Agent Activity Logging menu appears. The following sample shows the default activity logging settings.


   Agent Activity Logging Menu
   ------------------------------------
   A. Activity Logging (Enabled).
   B. Logging Directory (current: C:\Tivoli\Agents\SAPAgent\Log).
   C. Activity Log File Name (current: SAPAgent.log).
   D. Activity Logging Max. File Size ( 1 mbytes)
   E. Activity Logging Max. Files ( 3 )
   F. Debug Logging (Enabled).
   G. Detail Logging (Disabled).
   H. Base Logging (Disabled).
   I. Thread Logging (Disabled).
   X. Done
   Select menu option:

2. Type the menu option letter of the activity logging option that you want to change. Note: Option A (Activity Logging) must be enabled in order for the values of the other options to take effect.

Table 6. Activity logging options (Type this Option / To Accomplish this)

A (Activity Logging)
   Set this option to enabled and the adapter maintains a log of all transactions in a dated archive log file. Typing A toggles the value: disabled changes to enabled, and enabled changes to disabled.

B (Logging Directory)
   Type a different value for the logging directory, for example, C:\Log. When logging is enabled, details about each access request are stored in the log file in this directory; restrict the directory to the adapter service account and administrators, because the log records the requests that the adapter processes. Press Enter without typing a value to return to the Agent Activity Logging menu without changing the value.

C (Activity Log File Name)
   Type a different value for the log file name. When logging is enabled, details about each access request are stored in this file. Press Enter without typing a value to return to the Agent Activity Logging menu without changing the value.

D (Activity Logging Max File Size)
   Type a new value, for example, 10. File size is measured in megabytes. When the log file reaches the maximum size, the oldest data is archived. The space used by the activity logs (maximum files multiplied by maximum file size) can exceed the disk capacity if the values are set too large, so size them to fit the disk. Press Enter without typing a value to return to the Agent Activity Logging menu without changing the value.

E (Activity Logging Max Files)
   Type a new value up to 100, for example, 5. The agent automatically deletes the oldest activity logs beyond the specified limit. Press Enter without typing a value to return to the Agent Activity Logging menu without changing the value.

F (Debug Logging)
   If this option is enabled, the agent includes debug statements in the transaction log. Typing F toggles the value: disabled changes to enabled, and enabled changes to disabled.

G (Detail Logging)
   If this option is enabled, the agent maintains a detailed log of all transactions. Note: Use detail logging for diagnostic purposes only; when it is on, the adapter’s performance can be adversely affected. Typing G toggles the value: disabled changes to enabled, and enabled changes to disabled.

H (Base Logging)
   If this option is enabled, the agent logs all transactions in the ADK and library files. Typing H toggles the value: disabled changes to enabled, and enabled changes to disabled.

I (Thread Logging)
   If this option is enabled, each log entry identifies the thread that produced it. Typing I toggles the value: disabled changes to enabled, and enabled changes to disabled.

3. Press Enter if you changed the value for option B, C, D, or E. The Agent Activity Logging menu reappears and displays your new settings. Note: The other options are changed automatically when you type the corresponding menu option letter.

Changing Registry Settings
The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP registry settings.
1. Type F (Registry Settings) at the main menu prompt. The Registry menu appears.

   SAPAgent 4.6.xxxx Agent Registry Menu
   ------------------------------------------
   A. Modify Non-encrypted registry settings.
   B. Modify encrypted registry settings.
   C. Multi-instance settings.
   X. Done
   Select menu option:

2. See the following procedures on modifying registry settings. Note: There are no encrypted registry settings for this adapter.


Modifying Non-encrypted Registry Settings
1. Type A (Modify Non-encrypted Registry Settings) at the Registry menu prompt. The Non-encrypted Registry Settings menu appears.

   Agent Registry Items
   --------------------------
   01. ENROLE_Version              '4.0'
   02. ExecTimeout                 '6000'
   03. ManageHomeDirs              'TRUE'
   04. ReconBufferSize             '-1'
   05. ReconHomeDirSecurity        'FALSE'
   06. ReconLastLogon              'FALSE'
   07. ReconLastLogonAllowErrors   'FALSE'
   08. WtsEnable                   'FALSE'
   --------------------------------
   Page 1 of 1
   A. Add new attribute
   B. Modify attribute value
   C. Remove attribute
   X. Done
   Select menu option:

2. Type one of the following options:
   • A) Add new attribute
   • B) Modify attribute value
   • C) Remove attribute
   • X) Done
3. Type the registry item name, and press Enter.
4. If you selected option A or B, type the registry item value and press Enter. The Non-encrypted Registry Settings menu reappears and displays your new settings.

Modifying Encrypted Registry Settings
To access the encrypted registry settings, do the following:
1. Type B (Modify Encrypted Registry Settings) at the Registry menu prompt. The Encrypted Registry Settings menu appears.

   Encrypted Registry Items
   ------------------------------------------
   01. PASSWORD   '*****'
   Page 1 of 1
   A. Add new attribute
   B. Modify attribute value.
   C. Remove attribute.
   X. Done
   Select menu option:

2. Type one of the following options:
   • A) Add new attribute
   • B) Modify attribute value
   • C) Remove attribute
   • X) Done
3. Type the registry item name, and press Enter.
4. If you selected option A or B, type the registry item value and press Enter. The Encrypted Registry Settings menu reappears and displays your new settings.

Multi-instance Settings
This option allows you to configure multi-instance settings. Note: This option is only valid if the agent supports multiple instances.
1. Type C (Multi-instance Settings) at the Registry Menu prompt. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance Class Menu appears.

   SAPAgent 4.6.xxxx Agent Instance Class Menu
   ------------------------------------------------
   A. Select instance class.
   X. Done.

2. Type one of the available options.
3. Type the requested information and press Enter. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Instance Class Menu reappears and displays your new settings.

Changing Advanced Settings
The following procedure describes how to change the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP thread count settings for the following types of requests:
   • System Login Add
   • System Login Change
   • System Login Delete
   • Reconciliation
These settings determine the maximum number of requests that the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP processes concurrently.
1. Type G (Advanced Settings) at the main menu prompt. The Advanced Settings menu appears. The following sample shows the default thread count settings.

   SAPAgent 4.6.xxxx Advanced Settings Menu
   ------------------------------------------
   A. Single Thread Agent (current:TRUE)
   B. ADD max. thread count. (current:3)
   C. MODIFY max. thread count. (current:3)
   D. DELETE max. thread count. (current:3)
   E. SEARCH max. thread count. (current:3)
   F. Allow User EXEC procedures (current:FALSE)
   G. Archive Request Packets (current:FALSE)
   H. UTF8 Conversion support (current:TRUE)
   I. Pass search filter to agent (current:FALSE)
   J. Thread Priority Level (1-10) (current:4)
   X. Done
   Select menu option:

2. Type the menu option letter of the advanced setting that you want to change.


Note: The UTF8 Conversion support setting must be set to FALSE to support Western European character sets.

Table 7. Advanced settings menu options (Type this Option / To Accomplish this)

A (Single Thread Agent)
   Forces the adapter to process only one request at a time.

B (ADD max. thread count)
   Controls how many ADD requests can run simultaneously.

C (MODIFY max. thread count)
   Controls how many MODIFY requests can run simultaneously.

D (DELETE max. thread count)
   Controls how many DELETE requests can run simultaneously.

E (SEARCH max. thread count)
   Controls how many SEARCH requests can run simultaneously.

F (Allow User EXEC procedures)
   Determines whether the adapter runs user-supplied pre- and post-exec procedures around requests. Such procedures run on the adapter host with the privileges of the adapter service, so enabling this option is a potential security risk: a procedure that an attacker can modify, or that handles request data unsafely, gives code execution on that host. This option is disabled (FALSE) by default; leave it disabled unless a procedure is required and has been reviewed.

G (Archive Request Packets)
   Instructs the adapter to retain copies of the request packets in an archive. This option is specific to the FTP protocol and is used primarily for debugging. By default, request packets are deleted after they have been read. Archived packets contain the account data carried in each request, so enable this only while debugging and clear the archive afterwards.

H (UTF8 Conversion support)
   This option is no longer used.

I (Pass search filter to agent)
   Provides filtering for search requests by issuing a full search to the agent and then filtering the objects as they are pipelined back to the server. This adapter does not process filters directly, so this option should always be FALSE.

J (Thread Priority Level (1-10))
   Sets the thread priority level for the agent.

3. Change the value and press Enter. The Advanced Settings menu reappears and displays your new settings.
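The DAML protocol properties in Table 4 and the advanced settings in Table 7 are the two menus where an adapter is most often left in an insecure state: USE_SSL at its default of FALSE (credentials and account data over plain HTTP), the listener bound to every address, or user EXEC procedures switched on. The following Python script is an added example, not part of the guide or of the adapter. It parses the two menus in the form agentCfg prints them (the sample text inside it is constructed from the menus shown in this chapter) and reports the settings a reviewer would flag; the check list and the severities are the example's own judgement, not the guide's.

```python
"""Audit agentCfg protocol and advanced-settings menus for weak values.

Added example, not part of the guide or the adapter. It assumes the two
menu layouts shown in this chapter; paste the menus as agentCfg prints
them into the SAMPLE_* strings, or read them from a captured session.
"""
import re
from dataclasses import dataclass

# Constructed sample input, copied from the menus shown in this chapter.
SAMPLE_DAML = """\
DAML Protocol Properties
-------------------------------------------------------------------
A. USERNAME             ******        ;Authorized user name.
B. PASSWORD             ******        ;Authorized user password.
C. MAX_CONNECTIONS      100           ;Max Connections.
D. PORTNUMBER           45580         ;Protocol Server port number.
E. USE_SSL              FALSE         ;Use SSL secure connection
F. SRV_NODENAME         192.168.6.40  ;Event Notif. Server name.
G. SRV_PORTNUMBER       443           ;Event Notif. Server port number.
H. HOSTADDR             ANY           ;Listen on address ( or "ANY" )
I. VALIDATE_CLIENT_CE   FALSE         ;Require client certificate.
J. REQUIRE_CERT_REG     FALSE         ;Require registered certificate.
X. Done
"""

SAMPLE_ADVANCED = """\
SAPAgent 4.6.xxxx Advanced Settings Menu
------------------------------------------
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
"""

# "A. NAME   value   ;comment"  (protocol properties menu)
PROP_RE = re.compile(r"^[A-Z]\.\s+([A-Z_]+)\s+(\S+)\s*(?:;.*)?$")
# "A. Setting name. (current:value)"  (advanced settings menu)
ADV_RE = re.compile(r"^[A-Z]\.\s+(.+?)\.?\s+\(current:([^)]*)\)\s*$")


def parse_menu(text):
    """Return {setting name: value} from either menu layout."""
    settings = {}
    for raw in text.splitlines():
        match = PROP_RE.match(raw.strip()) or ADV_RE.match(raw.strip())
        if match:
            settings[match.group(1).strip()] = match.group(2).strip()
    return settings


@dataclass
class Finding:
    setting: str
    value: str
    severity: str
    why: str


def audit(settings):
    """Return the findings a reviewer would raise for these settings."""
    findings = []

    def flag(name, bad_value, severity, why):
        value = settings.get(name)
        if value is not None and value.upper() == bad_value:
            findings.append(Finding(name, value, severity, why))

    flag("USE_SSL", "FALSE", "high",
         "DAML runs over plain HTTP: USERNAME, PASSWORD and every account "
         "attribute cross the network in clear")
    flag("Allow User EXEC procedures", "TRUE", "high",
         "pre/post-exec procedures run on the adapter host with the "
         "adapter's privileges; the guide calls this a security risk")
    flag("Archive Request Packets", "TRUE", "medium",
         "request packets, which carry account data, are kept on disk")
    flag("Pass search filter to agent", "TRUE", "low",
         "this adapter does not process filters; the guide says keep FALSE")
    if settings.get("HOSTADDR", "").upper() == "ANY":
        findings.append(Finding("HOSTADDR", "ANY", "low",
                                "listener is bound to every interface; on a "
                                "multi-homed host bind it to the address the "
                                "Tivoli Identity Manager Server connects to"))
    if (settings.get("VALIDATE_CLIENT_CE", "").upper() == "TRUE"
            and settings.get("USE_SSL", "").upper() != "TRUE"):
        findings.append(Finding("VALIDATE_CLIENT_CE", "TRUE", "info",
                                "client certificates are only checked over "
                                "SSL; USE_SSL must be TRUE as well"))
    return findings


if __name__ == "__main__":
    combined = {**parse_menu(SAMPLE_DAML), **parse_menu(SAMPLE_ADVANCED)}
    for f in audit(combined):
        print(f"[{f.severity}] {f.setting}={f.value}: {f.why}")
```

Run against the defaults shown in this chapter the script reports USE_SSL=FALSE and HOSTADDR=ANY; after the adapter has a certificate installed and USE_SSL is set to TRUE, only the HOSTADDR note remains, and it applies only to multi-homed hosts. Keep the parsed dictionary from each review so that a later diff shows who changed what.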

Viewing Statistics
The following procedure describes how to view the request statistics for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.
1. Type H (Statistics) at the main menu prompt. The activity history for the adapter is displayed, one row per date, with counts of add (Add), modify (Mod), delete (Del), suspend (Ssp), restore (Res) and reconciliation (Rec) requests.

   SAPAgent 4.6.xxxx Agent Request Statistics
   -----------------------------------------------------------------
   Date       Add      Mod      Del      Ssp      Res      Rec
   -----------------------------------------------------------------
   11/15/02   000001   000000   000000   000000   000000   000001
   -----------------------------------------------------------------
   X. Done

2. Type X to return to the Main Configuration Menu.

Changing code page settings
To list the code pages that the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP supports, the adapter must be running. Run the following command to view the code page information:
   agentCfg -agent [adapter_name] -codepages
To change the code page settings for the adapter, complete the following steps:
1. At the Main Menu prompt, type I. The code page support menu for the adapter is displayed.

   SAPAgent 4.6 Codepage Support Menu
   ------------------------------------------
   * Configured codepage: US-ASCII
   ------------------------------------------
   *******************************************
   * Restart Agent After Configuring Codepages
   *******************************************
   A. Codepage Configure.
   X. Done
   Select menu option:

2. Type A to configure a code page. Note: The SAPAgent uses Unicode, therefore this option is not applicable.
3. Type X to return to the Main Configuration Menu.

Accessing Help and Additional Options
The following describes how to access the agentCfg help menu and use the help arguments.
1. Return to the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP bin directory by completing one of the following:
   • Type X from the Main Configuration menu prompt.
   • Complete procedures 1 and 2 of “Accessing the Adapter Configuration Tool Main Menu” on page 19.
2. Type agentCfg -help at the prompt to view the help menu. The following list of possible commands appears:

   -version             ;Show version
   -hostname <value>    ;Target nodename to connect to (Default:127.0.0.1)
   -findall             ;Find all agents on target node
   -list                ;List available agents on target node
   -agent               ;Name of agent
   -tail                ;Display agent's activity log
   -portnumber          ;Specified agent's TCP/IP port number
   -netsearch           ;Lookup agents hosted on specified subnet
   -confidencetest      ;Confidence test
   -setup               ;Confidence test setup
   -codepages           ;Display list of available codepages
   -help                ;Display this help screen


The following table describes the purpose of the provided arguments.

Table 8. Command argument purposes

-version
   Use this argument to display the agentCfg version.

-hostname
   Use the -hostname argument with any of the following commands to specify a different host:
   • -findall
   • -list
   • -tail
   • -agent
   Enter a host name or IP address as the value.

-findall
   Use this argument to search for and display all possible port addresses for all agents. Must be used with the -list argument. Add the -hostname argument to search a remote host.

-list
   Use this argument to search for and display agents found at the default ports. By default, the argument searches the local host of the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Use the -hostname argument to search a different host.

-agent
   Use this argument to specify the agent that you want to configure. Enter an agent name as the value. Use this argument with the -hostname argument to modify the configuration settings of an agent on a remote host. You can also use this argument with the -tail argument.

-tail
   Use this argument with the -agent argument to display an agent’s activity log. Add the -hostname argument to display the log file for an agent on a different host.

-portnumber
   Use this argument with the -agent argument to specify an agent’s TCP/IP port number.

-netsearch
   Use this argument with the -agent argument to display all agents installed on the system.

-confidencetest
   Use this argument to run a test that sends an add, modify, search and delete request to the agent. This allows you to verify the agent’s connection to the managed resource without the Tivoli Identity Manager Server.

-setup
   Use this argument to configure the confidence test.

-codepages
   Display the code pages configured for the agent.

-help
   Display the help menu for agentCfg.

3. Type agentCfg and one or more of the supported arguments at the prompt. You must type agentCfg before every argument to run the agent configuration tool.


Table 9. Arguments (Argument Syntax / Argument Example)

-argument
   For example, type agentCfg -list. This example lists all agents on the local host IP address. Note that the default port for the adapter is 44970.
      Agent(s) installed on node '127.0.0.1'
      ----------------------
      SAPAgent (44970)

-argument
   For example, type agentCfg -agent SAPAgent. This example displays the main menu of the agentCfg tool, which is used to view or modify the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.

-argument -argument
   For example, type agentCfg -list -hostname 192.9.200.7. This example lists the agents on the host whose IP address is 192.9.200.7. Note that the default port for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP is 44970.
      Agent(s) installed on node '192.9.200.7'
      -----------------
      SAPAgent (44970)

-argument -argument
   For example, type agentCfg -agent SAPAgent -hostname 192.9.200.7. This example displays the main menu of the agentCfg tool for the host whose IP address is 192.9.200.7. Use the menu options to view or modify the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP parameters.


Chapter 5. Certificate Installation
This chapter has the following sections:
   • “Introduction”
   • “Overview of SSL and Digital Certificates”
   • “Accessing the Certificate Configuration Tool Main Menu” on page 39
   • “Generating a Private Key and Certificate Request” on page 41
   • “Installing the Certificate from a File” on page 42
   • “Installing the Certificate and Key from a PKCS12 File” on page 43
   • “Viewing Installed Certificates” on page 43
   • “Viewing CA Certificates” on page 43
   • “Installing a CA Certificate” on page 44
   • “Deleting a CA Certificate” on page 44
   • “Viewing Registered Certificates” on page 44
   • “Registering a Certificate” on page 44
   • “Unregistering a Certificate” on page 45
   • “Exporting a certificate and key to PKCS12 file” on page 45

Introduction
This chapter describes how to use the provided certificate management tool (CertTool) to install and configure digital certificates for a Tivoli Identity Manager Adapter. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication between the Tivoli Identity Manager Server and an adapter. For a production environment, you must obtain and use a signed production certificate from a well-known Certificate Authority, or from your own Certificate Authority, to ensure secure communications. The adapter does not come prepackaged with a certificate. This chapter provides information for managing digital certificates on the Tivoli Identity Manager Adapter only. Refer to the “Managing Digital Certificates” chapter in the IBM Tivoli Identity Manager System Configuration Guide for information about configuring the Tivoli Identity Manager Server for SSL.
Note: If you install, modify, or delete a certificate, you must stop and restart the adapter before the changes take effect.

Overview of SSL and Digital Certificates

A Tivoli Identity Manager deployment must consider the security of communication between all configured components. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication in a Tivoli Identity Manager deployment. SSL provides secure connections by allowing two applications connecting over a network connection to authenticate each other's identity. Additionally, SSL provides encryption of the data exchanged between the applications. Authentication allows a server (one-way) to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Features of SSL include the following concepts:
- SSL provides a mechanism for one application to authenticate itself to another application.
- One-way SSL allows one application to be certain of the identity of the other application.
- The application that assumes the "server" role possesses and uses a server-side certificate to prove its identity to the client application.
- The application that is presented with a certificate must have in its possession the root certificate (or certificate chain) of the Certificate Authority (CA) that signed the certificate being presented. The root CA certificate, or chain, validates the certificate being presented.
- In client connections, the client browser alerts the user when presented with a certificate that is not issued by a recognized Certificate Authority.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.

Basic Configuration for Server-to-Adapter SSL

The following information pertains to a Tivoli Identity Manager deployment on either the WebSphere or the WebLogic application server. In this scenario, the Tivoli Identity Manager Server initiates communication with the adapter (server-to-adapter) to complete a transaction originating from the browser.

Deployment summary:
- The Tivoli Identity Manager Server and the adapter use one-way authentication over SSL.
- RSA SSL-C or Open SSL is used. The Tivoli Identity Manager Adapter must have a valid signed certificate; the Tivoli Identity Manager Server must have the corresponding CA certificate.

Note: In the diagram below, "ITIM Server" refers to the IBM Tivoli Identity Manager Server.


Figure 3. Configuration for Server-to-Adapter SSL

[Diagram: the ITIM Server, running inside the ITIM application server (WebSphere or WebLogic), holds CA Cert A. The agent holds Cert A and accepts a one-way SSL connection from the ITIM Server; the agent in turn connects to the Resource.]

Clustered Tivoli Identity Manager Configuration

In a clustered configuration, the Tivoli Identity Manager System uses one Web Server to manage and load balance multiple Tivoli Identity Manager Servers. Each Tivoli Identity Manager Server must have a valid CA certificate. All agents must have associated CA and signed certificates.

Accessing the Certificate Configuration Tool Main Menu

The following procedure describes how to access the main menu of the CertTool utility for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP certificate parameters.
1. Select Programs from the Start menu, select Accessories, and then select Command Prompt. The Microsoft Windows DOS Command Prompt window appears.
2. Change to the adapter's bin directory. If the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directory is in the default location, type cd \Tivoli\Agents\SAPAgent\bin.
3. Type CertTool -agent SAPAgent at the prompt. The Main Configuration menu appears:

    Main menu - Configuring agent: SAPAgent
    ------------------------------
    A. Generate private key and certificate request
    B. Install certificate from file
    C. Install certificate and key from PKCS12 file
    D. View current installed certificate
    E. List CA certificates
    F. Install a CA certificate
    G. Delete a CA certificate
    H. List registered certificates
    I. Register certificate
    J. Unregister a certificate
    K. Export certificate and key to PKCS12 file
    X. Quit
    Choice:

Obtaining and installing a signed certificate: The first set of options allows you to generate a Certificate Signing Request (CSR) and install the returned signed certificate for the adapter itself. The options here are:

A. Generate a Certificate Signing Request (CSR) that is sent to the Certificate Authority (CA), and the associated private key.
B. Install a certificate from a file. This file must be the signed certificate returned by the CA in response to the CSR generated by option A.
C. Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate used must be in PKCS12 format.
D. View all certificates installed on the system.

Additional configuration for two-way SSL: The remaining options only apply if client validation (two-way authentication) is required and enabled.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.

The second set of options allows installing root CA certificates. The CA certificates are used by the Tivoli Identity Manager Adapter to validate the associated certificates presented by the Tivoli Identity Manager Servers.

E. Show the installed CA certificates. The adapter only communicates with Tivoli Identity Manager Servers whose certificates are validated by one of the installed CA certificates.
F. Install a new CA certificate so that certificates generated by this CA can be validated. The CA certificate file can be either in X.509, binary, or PEM encoded formats.
G. Remove one of the installed CA certificates.

Registering a signed certificate for two-way SSL: The remaining options only apply if client validation (two-way authentication) is required and enabled.

Note: Although the adapter supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.

The third set of options allows the adapter to register the Tivoli Identity Manager Server signed certificate. The Tivoli Identity Manager Server's signed certificate is then validated by the adapter when two-way SSL communication is established. If the Tivoli Identity Manager Server's signed certificate is validated by one of the Adapter's CA certificates but not registered with the Adapter, the Adapter will refuse to communicate with the Tivoli Identity Manager Server.

H. List all registered certificates that will be accepted for communications.
I. Register a new certificate. The certificate to be registered should be in Base 64 encoded X.509 format.
J. Unregister (remove) a certificate from the registered list.
K. Export certificate and key to PKCS12 file.

This chapter includes a section for each of the following main functions:
- For option A, see "Generating a Private Key and Certificate Request."
- For option B, see "Installing the Certificate from a File" on page 42.
- For option C, see "Installing the Certificate and Key from a PKCS12 File" on page 43.
- For option D, see "Viewing Installed Certificates" on page 43.
- For option E, see "Viewing CA Certificates" on page 43.
- For option F, see "Installing a CA Certificate" on page 44.
- For option G, see "Deleting a CA Certificate" on page 44.
- For option H, see "Viewing Registered Certificates" on page 44.
- For option I, see "Registering a Certificate" on page 44.
- For option J, see "Unregistering a Certificate" on page 45.
- For option K, see "Exporting a certificate and key to PKCS12 file" on page 45.

Type X to return to the main menu.

Generating a Private Key and Certificate Request

The following procedure describes how to generate a private key and certificate request for the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP.
1. Type option A (Generate a private key and certificate request) at the main menu prompt.

    Enter values for certificate request (press enter to skip value)
    ----------------------------------------------------------------

2. Type your organization name and press Enter.

    Organization:

3. Type the desired organizational unit and press Enter.

    Organizational Unit:

4. Type the name of the adapter you are requesting a certificate for and press Enter.

    Agent Name:

5. Type the contact email address and press Enter.

    Email:

6. Type the country in which the adapter resides and press Enter.

    Country:

7. Type the state in which the adapter resides (if the adapter is located in the United States) and press Enter.

    State:

Note: Some certificate authorities do not accept two letter abbreviations for states.
8. Type the name of the city in which the adapter resides and press Enter.

    Locality:

9. Type Y to accept the values displayed or type N to re-enter the values and press Enter.

    Accept these values (y/n)?

The key pair and certificate request are generated once the values are accepted.
10. Type the name of the file to store the PEM certificate request and press Enter.

    Enter name of file to store PEM cert request (Enter to cancel):

11. Press Enter. The main menu reappears. You must now request a certificate from a trusted certificate authority.

Example of Certificate Request Script

The following is an example of a certificate request:

    Enter values for certificate request (press enter to skip value)
    ----------------------------------------------------------------
    Organization: ibm
    Organizational Unit: engineering
    Agent Name: ntagent
    Email: [email protected]
    Country: US
    State: California
    Locality: Irvine
    Accept these values (y/n)? y
    Generating key pair and certificate request ...
    Enter name of file to store PEM cert request (Enter to cancel) : request.pem
    Certificate request written to request.pem.
    Press Enter to continue.

Example of request.pem File

    -----BEGIN CERTIFICATE REQUEST-----
    MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
    aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
    bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
    aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
    mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
    UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
    6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
    DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
    N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
    Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
    -----END CERTIFICATE REQUEST-----
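The request.pem above is worth inspecting before it goes to a CA, because CertTool only echoes back the subject fields it asked for. The following Python script is an added example, not code from the IBM guide or from CertTool: it walks the DER structure of a PKCS#10 request with the standard library alone and reports the subject, the RSA key size and the signature algorithm. The OID table and the policy thresholds (WEAK_SIG_ALGS, MIN_RSA_BITS) are the example's own assumptions. Run against the sample request, it reports a subject of O=access360 rather than the ibm typed in the transcript, a 1024-bit RSA key and an md2WithRSAEncryption signature; a public CA today rejects both that key size and that digest, so a request with these parameters must be regenerated before it is submitted.

```python
import base64
import re

# Added example, not part of the IBM guide or of CertTool: a minimal DER walker
# (standard library only) that reports what a PKCS#10 request actually contains.
# OIDs found in a CSR subject and in its algorithm identifiers (subset, assumed).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Policy assumed by this example: digests no public CA accepts, and the RSA floor.
WEAK_SIG_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048

# Sample input: the request.pem printed in the guide, copied verbatim.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
-----END CERTIFICATE REQUEST-----"""


def pem_to_der(pem):
    """Strip the BEGIN/END armour lines and base64-decode the body."""
    body = re.sub(r"-+(BEGIN|END)[A-Z ]*-+", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each TLV nested inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def oid_name(alg_id):
    """Readable name of the OID that starts an AlgorithmIdentifier value."""
    oid = decode_oid(next(children(alg_id))[1])
    return OID_NAMES.get(oid, oid)


def inspect_csr(pem):
    """Return version, subject, key algorithm, RSA modulus bits and signature algorithm."""
    _, csr, _ = read_tlv(pem_to_der(pem), 0)            # CertificationRequest
    (_, info), (_, sig_alg), _ = children(csr)          # info, sigAlg, signature
    version, name, spki = [v for _, v in children(info)][:3]
    subject = []
    for _, rdn in children(name):                       # Name is a SEQUENCE of SETs
        for _, atv in children(rdn):                    # each SET holds (OID, value)
            (_, oid), (_, val) = children(atv)
            subject.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)),
                            val.decode("ascii")))
    (_, key_alg_id), (_, bitstr) = children(spki)
    key_alg, bits = oid_name(key_alg_id), None
    if key_alg == "rsaEncryption":
        _, rsa_key, _ = read_tlv(bitstr, 1)             # skip the unused-bits byte
        _, modulus = next(children(rsa_key))            # first INTEGER is the modulus
        bits = int.from_bytes(modulus, "big").bit_length()
    sig = oid_name(sig_alg)
    return {"version": int.from_bytes(version, "big"), "subject": subject,
            "key_algorithm": key_alg, "modulus_bits": bits,
            "signature_algorithm": sig,
            # RSA-only policy check: modern digest and at least MIN_RSA_BITS
            "acceptable": sig not in WEAK_SIG_ALGS and (bits or 0) >= MIN_RSA_BITS}


if __name__ == "__main__":
    for field, value in inspect_csr(SAMPLE_CSR).items():
        print(f"{field}: {value}")
```

The same Name walker applies to the subject of an X.509 certificate, which is what CertTool displays before its "Install the CA? (Y/N)" prompt for options F and I. The acceptable flag is an RSA-only check and reports False for any other key type, so extend WEAK_SIG_ALGS and the key-size logic if your CA policy differs.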

Installing the Certificate from a File

The following procedure describes how to install a certificate in the adapter registry. This is the certificate you receive from your trusted certificate authority after submitting your certificate request.

Note: If you received the certificate as part of an e-mail message, copy the text of the certificate to a text file and copy the certificate file (the text file you just created) to the adapter's bin directory.
1. Type B (Install certificate from file) at the main menu prompt. A prompt appears:

    Enter name of certificate file:

2. Type the name of the certificate file and press Enter. The certificate is installed in the adapter registry and the main menu reappears.

Installing the Certificate and Key from a PKCS12 File

The following procedure describes how to install the certificate and the private key in the adapter registry from a PKCS12 (.pfx) file. This format includes both the certificate and private key in a password protected file.

Note: Be sure to copy the certificate file to the adapter's bin directory. For example, C:\Tivoli\Agents\\bin
1. Type C (Install certificate and key from PKCS12 file) at the main menu prompt.
2. Type the name of the PKCS12 file that has the certificate and private key information and press Enter.

    Enter name of PKCS12 file:

   For example, DamlSrvr.pfx
3. Type the password to access the file and press Enter.

    Enter password:

The certificate and private key are installed in the adapter registry.

Viewing Installed Certificates

You can list all of the certificates installed on your system using option D (View currently installed certificates). Type D (View currently installed certificates) at the main menu prompt. The installed certificates are listed and the main menu reappears. The following is an example of an installed certificate:

    The following certificate is currently installed.
    Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Viewing CA Certificates

The following procedure describes how to list all CA certificates installed on the adapter. Type E (List CA certificates) at the main menu prompt. The installed CA certificates are listed and the main menu reappears. The following is an example only.

    Subject: o=IBM,ou=SampleCACert,cn=TestCA
    Valid To: Wed Jul 26 23:59:59 2006

Installing a CA Certificate

The following procedure describes how to install a CA certificate.
1. Type F (Install a CA certificate) at the main menu prompt. A prompt appears:

    Enter name of certificate file:

2. Type the name of the certificate file and press Enter. The certificate file is opened and a prompt appears:

    [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
    Install the CA? (Y/N)

3. Type Y to install the certificate and press Enter. The CA certificate file is installed in the CACerts.pem file.

Deleting a CA Certificate

The following procedure describes how to delete a CA certificate from the adapter directories.
1. Type G (Delete a CA certificate) at the main menu prompt. A list of all CA certificates installed on the adapter is displayed.

    0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
    1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
    Enter number of CA certificate to remove:

2. Type the number of the CA certificate you want to remove and press Enter. The CA certificate is deleted from the CACerts.pem file and the main menu reappears.

Viewing Registered Certificates

The following procedure describes how to view a list of all registered certificates available to the adapter. Only requests that present a registered certificate will be accepted by the adapter when client validation is enabled. Type H (List registered certificates) at the main menu prompt. The registered certificates are displayed and the main menu reappears. The following is an example only.

    0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
    1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a Certificate

The following procedure describes how to register a certificate for the adapter.
1. Type I (Register certificate) at the main menu prompt. A prompt appears:

    Enter name of certificate file:

2. Type the name of the certificate file to be registered and press Enter. The subject of the certificate is displayed and a prompt appears.

    [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
    Register this CA? (Y/N)

3. Type Y to register the certificate and press Enter. The certificate is registered to the adapter and the main menu reappears.

Unregistering a Certificate

The following procedure describes how to unregister a certificate for the adapter.
1. Type J (Unregister a certificate) at the main menu prompt. The registered certificates are displayed. The following is an example only.

    0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
    1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file to be unregistered and press Enter. The subject of the selected certificate is displayed.
3. Type Y to unregister the certificate and press Enter. The certificate is removed from the registered certificate list for the adapter and the main menu reappears.

Exporting a certificate and key to PKCS12 file

To export a certificate and key to a PKCS12 file for the adapter, complete the following steps:
1. At the Main Menu prompt, type K. The following prompt is displayed:

    Enter name of PKCS12 file:

2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file for the installed certificate or private key, and press Enter.
3. At the Enter Password prompt, type the password for the PKCS12 file, and press Enter.
4. At the Confirm Password prompt, type the password again, and press Enter. The certificate or private key is exported to the PKCS12 file, and the Main Menu is displayed.

Appendix A. Adapter Variables

As part of the adapter implementation, a dedicated account for Tivoli Identity Manager to access SAP Server is created on SAP Server. The Adapter for SAP NetWeaver AS ABAP consists of files and directories owned by the Tivoli Identity Manager account. The Tivoli Identity Manager-owned files establish communication with the Tivoli Identity Manager Server.

Variable Descriptions

The Tivoli Identity Manager Server communicates with the Adapter for SAP NetWeaver AS ABAP using variables included in transmission packets sent over a network. The combination of variables included in the packets depends on the type of action the Tivoli Identity Manager Server requests from the Adapter for SAP NetWeaver AS ABAP. The following table is an alphabetical listing of the variables used by the Adapter for SAP NetWeaver AS ABAP. The table gives a brief description and the data format associated with the variable.

Table 10. Variable descriptions

    Variable | Directory Server Attribute | Description | Data Type
    ACADEMIC | erSAPacademic | Dr., Prof., and so on | SAP predefined value
    ACCOUNT | erSAPaccount | User account identification | Character or numeric string, which is not SAP predefined
    ADDRESSTYPE | erSAPaddresstype | Form of address: Mr., Mrs., Ms | Character or numeric string
    AGR_NAME | erSAPagrname | Activity group name | Character or numeric string
    ALIAS | erSAPalias | Internet user alias | String
    BUILDING | erSAPbuilding | Building number | Character or numeric string
    CATT | erSAPcatt | CATT test status | Yes or No
    COMPANY | erSAPcompany | Company address number | SAP predefined value
    COSTCENTER | erSAPcostcenter | User cost center | Character or numeric string
    COUNTRY | c | Country key code of user | Character or numeric string, SAP country key
    CREATEON | erSAPcreateon | Creation date of user master record | Character or numeric string
    CREATOR | erSAPcreator | Name of creator of the user master record | Character or numeric string
    DATEFORMAT | erSAPdateformat | Date format | SAP predefined value, 5 date format versions
    DATEFROM | erSAPdatefrom | Valid from date | Up to 6 data format versions
    DATEUNTIL | erSAPdateuntil | Valid until date | Up to 6 data format versions
    DECIMALPOINT | erSAPdecimalpoint | Decimal notation, either period or comma | Character or numeric string
    DEPARTMENT | erDepartment | Department | Character or numeric string
    DISABLEPWD | erSAPdisablePwd | If true, disable user's password (for SAP 6.1 and higher) | Boolean
    EMAILADDRESS | erSAPemailaddress | E-mail address. This attribute is a multi-value attribute. If one or more e-mail addresses are defined, one e-mail address must be designated as the Standard e-mail address. | Character or numeric string
    FAXEXT | erSAPfaxext | Fax number and extension | Character or numeric string
    FLOOR | erSAPfloor | Floor in building | Character or numeric string
    FUNCTION | erSAPfunction | Function of user | Character or numeric string
    GIVENNAME | givenname | First name | Character or numeric string
    GROUP | erSAPgroup | User group | SAP predefined value
    L_LOGON_TIME | erSAPllogontime | Last logon time | Character or numeric string
    language | erSAPlanguage | Language set in the user's address record | String
    LANGUAGELOGIN | erSAPlanguagelogingiso | User's login language | String
    LANGUP | erSAPlangkey | User's login language key. This attribute is not case sensitive. Therefore, uppercase language keys must be flagged with the ∧ delimiter. | String
    last_access | erLastAccessDate | Last logon date | Character or numeric string
    lClient | erSAPlClient | SAP organizational unit. Required for all requests. | SAP predefined value
    lCua | erSAPCuaOption | If set to true, the adapter will assume that the SAP client is CUA enabled. | Boolean
    lDestination | erSAPlDestination | SAP destination machine name. Required for all requests. | SAP predefined value
    lGwHost | erSAPlGhost | Fully qualified IP address of gatehost. The SAP gateway is a group of processes that allow communication between R/2 systems, NetWeaver AS ABAP systems, and external applications based on the CPIC protocol. Required for all requests. | SAP predefined value
    lGwservice | erSAPlGwservice | SAP gateway service. The SAP gateway service is the interface between SAP and the Tivoli Identity Manager adapter. Required for all requests. | SAP predefined value
    lHostname | erSAPlHostname | Fully qualified IP address of system where SAP is installed. Required for all requests. | SAP predefined value
    lLanguage | erSAPllanguage | Adapter for SAP NetWeaver AS ABAP account login language. Required for all requests. | String
    SAPHRLinkUsed | erSAPHRLinkUsed | If set to true, the Adapter is able to link HR Personnel Records to the SAP User Account using infotype 105. | Boolean
    SAPHRrfcDest | erSAPHRrfcDest | If the SAP has CUA configured, then this RFC Destination is required to enable a proxy RFC call from the CUA master System onto the HR System. | String
    lMode | erSAPlMode | SAP mode. Required for all requests. | SAP predefined value
    lSelectSAPVersion | erSAPVersion | SAP version selected on the Service Profile | String
    LOCNT | erSAPlocnt | Counter for incorrect logons per user | Character or numeric string
    LOGSYSTEM | erSAPlogicalSystem | Used to add the user to the Systems Logical Name(s) values passed in the attribute. Required for all requests. | String, multi-valued
    lPassword | erpassword | Password to log into SAP system. Required for all requests. | SAP predefined value
    lSysnr | erSAPlSysnr | SAP system number. Required for all requests. | SAP predefined value
    lTrace | erSAPlTrace | Flag that indicates whether or not to enable tracing feature. Required for all requests. | Boolean
    lUser | erSAPlUser | SAP login ID. Required for all requests. | SAP predefined value
    RCVSYSTEM | erSAPlicRcvSys | Receiving System for CUA | String
    LIC_TYPE | erSAPlicUType | Contractual User Type | String
    SPEC_VERS | erSAPlicSpecVer | Assignment To Special Version | String
    COUNTRY_SURCHARGE | erSAPlicSurChrg | Country Surcharge (+999 to -100) | String
    SUBSTITUTE_FROM | erSAPlicSubFrom | Substitute Date From | String
    SUBSTITUTE_UNTIL | erSAPlicSubTo | Substitute Date Until | String
    SYSID | erSAPlicSysID | Chargeable User SAP System | String
    CLIENT | erSAPlicClient | Chargeable User Client | String
    BNAME_CHARGEABLE | erSAPlicBname | Chargeable User Name | String
    MENU | erSAPmenu | SAP start menu | SAP predefined value
    NAME1 | erSAPname1 | Additional name field | String
    NAME2 | erSAPname2 | Additional name field | String
    NAME3 | erSAPname3 | Additional name field | String
    NAME4 | erSAPname4 | Additional name field | String
    NAMEFORMAT | erSAPnameformat | User name formatted as first last | SAP predefined value
    NoPwdChange | erSAPNoPwdChng | If set to true, the user will not be forced to do a password change. | Boolean
    ORT01 | erSAPort01 | Town 1 | String
    ORT02 | erSAPort02 | Town 2 | String
    OUTPUT DEVICE | erSAPoutputdevice | Device | SAP predefined value
    PASSWORD | erpassword | Password | String
    PERSONNELNO | erSAPpersonnelNo | HR InfoType 105 personnel number | String
    PHONEMAIN | telephoneNumber | Main telephone number | Character or numeric string
    PID | erSAPparid | Parameter identification | SAP predefined value
    POBOX | erSAPpobox | Post Office box number | Integer
    POSTAL | erSAPpostal | Zip code | Integer
    PREFIX1 | erSAPprefix1 | Von, El, etc. | SAP predefined value
    PRNTDELETE | erSAPprntdelete | Delete after print | Character or numeric string
    PRNTIMMEDIATE | erSAPprntimmediate | Print immediately | Character or numeric string
    PROFILE | erSAPprofile | Authorization Profiles | SAP predefined value
    UnlockOnPwdChange | erSAPpwdUnlock | If set to true, on a successful password change, if the account was locked from too many failed login attempts, then the account is unlocked. | Boolean
    REGION | l | Region | String
    ROOM | erSAProom | Room number | Character or numeric string
    SAP_INSTANCE | erSAPinstance | Adapter instance name selected on the Service Profile | String
    SNC Name | erSAPsncName | Printable SNC name | String
    SNC FLAG | erSAPsncFlag | Flag that allows non-secure communication | SAP Boolean
    SORRT1_P | erSAPsorrt1p | Search term 1 | String
    STREET | erSAPstreet | Street address | String
    SURNAME | sn | Last name | Input supplied
    TEL01 | erSAPtel01 | First telephone number extension | String
    TEL02 | erSAPtel02 | Second telephone number extension | String
    TELEFAX | facsimileTelephoneNumber | Telefax number | Character or numeric string
    TELEPHONEEXT | erSAPtelephoneext | Telephone number: extension | Character or numeric string
    TELTX | erSAPteltx | Teletex number | String
    TELX1 | erSAPtelx1 | Teletex number | String
    TIMEZONE | erSAPtimezone | Timezone | SAP predefined value, existing timezone remains if a conflict is noted
    TYPE | erSAPtype | User type (A=online, C=CPIC, D=BDC, O=ODC) | SAP predefined value, between 1 and 4, defaults to dialog user
    UserName | eruid | User's login ID | String
    UserStatus | erAccountStatus | User lock status | Character or numeric string

Variables Used by Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP Actions

The following lists are typical Adapter for SAP NetWeaver AS ABAP actions by their functional transaction group. The lists include more information about required and optional variables sent to the Adapter for SAP NetWeaver AS ABAP to complete that action.

System Login Add

A Login Add is a request to create a new user account in the domain with the specified attributes.

Table 11. Add function attributes

    Required Variables: USERNAME, PASSWORD, GIVENNAME, SURNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
    Optional Variables: All other supported attributes.

System Login Change

Use the Change function to change one or more attributes for the specified users.

Table 12. Change function attributes

    Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
    Optional Variables: All supported attributes.

System Login Delete

The Delete function removes the specified user from the active directory.

Table 13. Delete function

    Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
    Optional Variables: None

System Login Suspend

Use the Suspend function to disable a user account. The user is neither removed nor are their attributes modified.

Table 14. Suspend function

    Required Variables: USERNAME, Userstatus, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
    Optional Variables: None

System Login Restore

Use the Restore function to re-activate a user account that was previously suspended. After Restoring, the user can access the system with the same attributes as those before the Suspend function is called.

Table 15. Restore Function

    Required Variables: USERNAME, lClient, lCua, UnlockOnPwdChange, lGwHost, lGwservice, lHostname, lLanguage, lMode, lPassword, lSysnr, lTrace, lUser
    Optional Variables: None

Reconciliation

The Reconciliation function synchronizes user account information between Tivoli Identity Manager and the adapter. The following is a full set of access attributes returned by reconciliation. An asterisk (*) denotes attributes that are for informational purposes only.

Table 16. Reconciliation function

Attributes Returned During Reconciliation:

    ACADEMIC, ACCOUNT, ADDRESSTYPE, AGR_NAME, ALIAS, BNAME_CHARGEABLE, BUILDING, CATT,
    COMM. METHOD, COMPANY, COSTCENTER, COUNTRY, COUNTRY_SURCHARGE, CLIENT, CREATE_ON,
    CREATOR, DATEFORMAT, DATEFROM, DATEUNTIL, DECIMALPOINT, DEPARTMENT, EMAILADDRESS,
    FAXEXT, FLOOR, FUNCTION, GIVENNAME, GROUP, LIC_TYPE, L_LOGON_TIME, LANGUAGE,
    LANGUAGELOGIN_ISO, LANGUP, LOCNT, MENU, NAME1, NAME2, NAME3, NAME4, NAMEFORMAT,
    ORT01, ORT02, OUTPUTDEVICE, PHONEMAIN, PID, POBOX, POSTAL, PREFIX1, PRNTDELETE,
    PRNTIMMEDIATE, PROFILE, RCVSYSTEM, REGION, ROOM, SNC Flag, SNC Name, SORRT1_P,
    SPEC_VERS, STREET, SUBSTITUTE_FROM, SUBSTITUTE_UNTIL, SURNAME, SYSID, TEL01, TEL02,
    TELEFAX, TELEPHONEEXT, TELTX, TELX1, TIMEZONE, TYPE, USER, UserName, UserStatus

Note: When modifying the Contractual license type, some types require either the special version, or the country surcharge, but not both. If you are switching from a special version value to a country surcharge, be sure to set the special version to the value "No Special Version". If you are switching from a country surcharge to a special version, be sure to set the country surcharge to "0".

Appendix B. SAP Account Requirements

This chapter describes the requirements of the SAP account used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and the SAP objects installed on the SAP Server.

SAP Objects

The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP calls built-in SAP objects and custom SAP objects designed by IBM Tivoli. Table 17 shows all the objects accessed by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP. Note that custom object names are prefixed with a "Z_".

SAP User

The IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uses an SAP user to connect to the SAP server. The user name is supplied on the Tivoli Identity Manager adapter service profile, and the user password is supplied on the adapter configuration. The SAP user must have permission to perform the following user administration tasks:
• Add
• Modify
• Delete
• Lock
• Unlock
• Retrieve user detail
• Retrieve supporting data

In addition, the SAP user must have the proper access to all the objects listed in Table 17, based on the SAP version and on whether CUA and HR Info Type are enabled or not. It is recommended that the SAP user type be set to System and not Dialog.

Table 17. SAP Objects used by the IBM Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP

The last five columns give support by SAP version, in the order 45B, 46B, 46C, 6.1, 6.2 (Y = used on that version, N = not used).

No. | BAPI Object | Description | Access Type | 45B 46B 46C 6.1 6.2
1 | BAPI_USER_ACTGROUPS_ASSIGN | Add, Mod: NON-CUA (Roles) | Write | Y Y Y Y Y
2 | BAPI_USER_CHANGE | Mod | Write | Y Y Y Y Y
3 | BAPI_USER_CREATE | Add | Write | Y N N N N
4 | BAPI_USER_CREATE1 | Add | Write | N Y Y Y Y
5 | BAPI_USER_DELETE | Del | Write | Y Y Y Y Y
6 | BAPI_USER_GET_DETAIL | Mod, Search | Read | Y Y Y Y Y
7 | BAPI_USER_LOCK | Mod | Write | Y Y Y Y Y
8 | BAPI_USER_PROFILES_ASSIGN | Add, Mod: NON-CUA (Profiles) | Write | Y Y Y Y Y
9 | BAPI_USER_UNLOCK | Mod | Write | Y Y Y Y Y
10 | RFC_READ_TABLE: AGR_DEFINE | Search: NON-CUA (List of Valid Roles) | Read | N Y Y Y Y
11 | RFC_READ_TABLE: PA0105 | Search: HR Only - Info Type 105 (User’s Employee No.) | Read | N N Y Y Y
12 | RFC_READ_TABLE: T002 | Search: List of Valid Language Codes | Read | N Y Y Y Y
13 | RFC_READ_TABLE: T002T | Search: List of Valid Language Descriptions | Read | N Y Y Y Y
14 | RFC_READ_TABLE: T005T | Search: List of Valid Country Codes | Read | N Y Y Y Y
15 | RFC_READ_TABLE: TBDLS | Search: CUA Only (List of Valid Subsystems) | Read | N N Y Y Y
16 | RFC_READ_TABLE: TPARA | Search: List of Valid Parameter IDs | Read | N Y Y Y Y
17 | RFC_READ_TABLE: TSAD2 | Search: List of Valid Academic Titles | Read | N Y Y Y Y
18 | RFC_READ_TABLE: TSAD3T | Search: List of Valid Titles | Read | N Y Y Y Y
19 | RFC_READ_TABLE: TTREE | Search: List of Valid Menus | Read | N Y Y Y Y
20 | RFC_READ_TABLE: TZONE | Search: List of Valid Time Zones | Read | N Y Y Y Y
21 | RFC_READ_TABLE: USER_GROUPS | Mod, Search | Read | N Y Y Y Y
22 | RFC_READ_TABLE: USGRP | Search: List of Valid Groups | Read | N Y Y Y Y
23 | RFC_READ_TABLE: USGRP_USER | Search: User’s Groups | Read | N Y Y Y Y
24 | RFC_READ_TABLE: USL04 | Search: CUA Only (User’s Profiles) | Read | N N Y Y Y
25 | RFC_READ_TABLE: USLA04 | Search: CUA Only (User’s Roles) | Read | N N Y Y Y
26 | RFC_READ_TABLE: USR10 | Search: NON-CUA (List of Valid Profiles) | Read | N Y Y Y Y
27 | RFC_READ_TABLE: USRSYSACT | Search: CUA Only (List of Valid Roles) | Read | N N Y Y Y
28 | RFC_READ_TABLE: USRSYSPRF | Search: CUA Only (List of Valid Profiles) | Read | N N Y Y Y
29 | RFC_READ_TABLE: USZBVSYS | Search: CUA Only (User’s Subsystems) | Read | N N Y Y Y
30 | /TIVSECTY/TIM_USER_SUBSYS_620 | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N Y Y Y Y
31 | /TIVSECTY/TIM_USER_SUBSYS_46C | Add, Mod: CUA Only (Subsystems, Roles and Profiles) | Write | N N Y Y Y
32 | /TIVSECTY/TIM_USER_HR_620 | Add, Mod, Del: HR Only - Info Type 105 (Employee No.) | Write | N Y Y Y Y
33 | /TIVSECTY/TIM_USER_LIST_620 | Search | Read | Y Y Y Y Y
34 | /TIVSECTY/TIM_USER_PWD_620 | Mod: CUA | Write | N N Y Y Y
35 | /TIVSECTY/TIM_USER_PWD_46C | Mod: CUA | Write | N N Y Y Y
36 | /TIVSECTY/TIM_USER_USR02_620 | Search | Read | Y Y Y Y Y
37 | /TIVSECTY/TIM_USER_CHG_620 | Mod | Write | N N Y Y Y
38 | /TIVSECTY/TIM_USER_CHG_46C | Mod | Write | N N Y Y Y
39 | BAPI_USER_LOCACTGROUPS_READ | Search: CUA (Roles) | Write | N N Y Y Y
40 | BAPI_USER_LOCACTGROUPS_ASSIGN | Add, Mod: CUA (Roles) | Write | N N Y Y Y
41 | BAPI_USER_LOCPROFILES_READ | Search: CUA (Profiles) | Write | N N Y Y Y
42 | BAPI_USER_LOCPROFILES_ASSIGN | Add, Mod: CUA (Profiles) | Write | N N Y Y Y
43 | /TIVSECTY/TIM_USER_CUAHR_620 | Add, Mod, Del: HR Only - Info Type 105 (Employee No.) | Write | N N Y Y Y
44 | /TIVSECTY/TIM_USER_ADD-620 | Add | Write | N N Y Y Y
45 | /TIVSECTY/TIM_USER_ADD_46C | Add | Write | N N Y Y Y

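Table 17 is the input to a least-privilege review of the adapter's service account: the account should be able to call exactly the objects that apply to its SAP version and its CUA / HR Info Type mode, and nothing more. The following is an added example (not code from the guide or from the adapter) that transcribes the table as data and filters it for one deployment, then reports any grants the account holds that the adapter never uses there. The scope rule is an assumption on my part: a row is taken as CUA-only when its description mentions "CUA", non-CUA-only when it says "NON-CUA", and HR-dependent when it says "HR Only"; rows 32 and 43 carry identical descriptions in the guide, so both come back when HR linking is on and must be told apart by name.

```python
"""Least-privilege checklist for the adapter's SAP service user.

Added example, not part of the IBM guide. Table 17 is transcribed as data;
required_objects() filters it for one deployment (SAP version, CUA on or off,
HR Info Type 105 linking on or off) and excess_grants() lists anything the
account can call beyond that set.
"""

VERSIONS = ("45B", "46B", "46C", "6.1", "6.2")

# (object, description, access, support flags in VERSIONS order), from Table 17.
TABLE_17 = [
    ("BAPI_USER_ACTGROUPS_ASSIGN", "Add, Mod: NON-CUA (Roles)", "Write", "YYYYY"),
    ("BAPI_USER_CHANGE", "Mod", "Write", "YYYYY"),
    ("BAPI_USER_CREATE", "Add", "Write", "YNNNN"),
    ("BAPI_USER_CREATE1", "Add", "Write", "NYYYY"),
    ("BAPI_USER_DELETE", "Del", "Write", "YYYYY"),
    ("BAPI_USER_GET_DETAIL", "Mod, Search", "Read", "YYYYY"),
    ("BAPI_USER_LOCK", "Mod", "Write", "YYYYY"),
    ("BAPI_USER_PROFILES_ASSIGN", "Add, Mod: NON-CUA (Profiles)", "Write", "YYYYY"),
    ("BAPI_USER_UNLOCK", "Mod", "Write", "YYYYY"),
    ("RFC_READ_TABLE: AGR_DEFINE", "Search: NON-CUA (List of Valid Roles)", "Read", "NYYYY"),
    ("RFC_READ_TABLE: PA0105", "Search: HR Only - Info Type 105 (User's Employee No.)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: T002", "Search: List of Valid Language Codes", "Read", "NYYYY"),
    ("RFC_READ_TABLE: T002T", "Search: List of Valid Language Descriptions", "Read", "NYYYY"),
    ("RFC_READ_TABLE: T005T", "Search: List of Valid Country Codes", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TBDLS", "Search: CUA Only (List of Valid Subsystems)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: TPARA", "Search: List of Valid Parameter IDs", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TSAD2", "Search: List of Valid Academic Titles", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TSAD3T", "Search: List of Valid Titles", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TTREE", "Search: List of Valid Menus", "Read", "NYYYY"),
    ("RFC_READ_TABLE: TZONE", "Search: List of Valid Time Zones", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USER_GROUPS", "Mod, Search", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USGRP", "Search: List of Valid Groups", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USGRP_USER", "Search: User's Groups", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USL04", "Search: CUA Only (User's Profiles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USLA04", "Search: CUA Only (User's Roles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USR10", "Search: NON-CUA (List of Valid Profiles)", "Read", "NYYYY"),
    ("RFC_READ_TABLE: USRSYSACT", "Search: CUA Only (List of Valid Roles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USRSYSPRF", "Search: CUA Only (List of Valid Profiles)", "Read", "NNYYY"),
    ("RFC_READ_TABLE: USZBVSYS", "Search: CUA Only (User's Subsystems)", "Read", "NNYYY"),
    ("/TIVSECTY/TIM_USER_SUBSYS_620", "Add, Mod: CUA Only (Subsystems, Roles and Profiles)", "Write", "NYYYY"),
    ("/TIVSECTY/TIM_USER_SUBSYS_46C", "Add, Mod: CUA Only (Subsystems, Roles and Profiles)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_HR_620", "Add, Mod, Del: HR Only - Info Type 105 (Employee No.)", "Write", "NYYYY"),
    ("/TIVSECTY/TIM_USER_LIST_620", "Search", "Read", "YYYYY"),
    ("/TIVSECTY/TIM_USER_PWD_620", "Mod: CUA", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_PWD_46C", "Mod: CUA", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_USR02_620", "Search", "Read", "YYYYY"),
    ("/TIVSECTY/TIM_USER_CHG_620", "Mod", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_CHG_46C", "Mod", "Write", "NNYYY"),
    ("BAPI_USER_LOCACTGROUPS_READ", "Search: CUA (Roles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCACTGROUPS_ASSIGN", "Add, Mod: CUA (Roles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCPROFILES_READ", "Search: CUA (Profiles)", "Write", "NNYYY"),
    ("BAPI_USER_LOCPROFILES_ASSIGN", "Add, Mod: CUA (Profiles)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_CUAHR_620", "Add, Mod, Del: HR Only - Info Type 105 (Employee No.)", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_ADD-620", "Add", "Write", "NNYYY"),
    ("/TIVSECTY/TIM_USER_ADD_46C", "Add", "Write", "NNYYY"),
]


def classify(description):
    """Scope markers read from a description (assumed rule): ('cua'|'noncua'|'any', needs_hr)."""
    text = description.upper()
    if "NON-CUA" in text:
        scope = "noncua"
    elif "CUA" in text:
        scope = "cua"
    else:
        scope = "any"
    return scope, "HR ONLY" in text


def required_objects(version, cua, hr):
    """(object, access) pairs the adapter needs for this version / CUA / HR combination."""
    if version not in VERSIONS:
        raise ValueError(f"unknown SAP version {version!r}; expected one of {VERSIONS}")
    column = VERSIONS.index(version)
    needed = []
    for name, description, access, support in TABLE_17:
        scope, needs_hr = classify(description)
        if support[column] != "Y":
            continue  # not used on this SAP version
        if (scope == "cua" and not cua) or (scope == "noncua" and cua):
            continue  # wrong CUA mode for this deployment
        if needs_hr and not hr:
            continue  # HR Info Type 105 linking is off
        needed.append((name, access))
    return needed


def excess_grants(granted, version, cua, hr):
    """Granted object names the adapter never calls here: candidates to revoke."""
    needed = {name for name, _ in required_objects(version, cua, hr)}
    return sorted(set(granted) - needed)
```

Run `required_objects("6.2", cua=True, hr=False)` for a 6.20 CUA master without HR linking and compare the result with what the account actually holds; `excess_grants(granted, ...)` does that comparison for a list of object names. For the `RFC_READ_TABLE: X` rows the callable object is `RFC_READ_TABLE` and `X` is the table that must be readable, so split those names accordingly when mapping to authorizations. Rows 39 and 41 are read calls that the guide nonetheless lists with Write access; the example reproduces the table as printed.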

Appendix C. Additional Installation Options

This chapter describes installation options available when installing the adapter. In addition to installation information, instructions are provided to uninstall the adapter. Each step includes a short procedure that completes one aspect of the overall adapter uninstall process. You must complete the steps in the order they are listed.

Installation Options

Several adapter installation options are provided to account for disparate environments and preferences.

Setup Arguments

This section details arguments that can be used with the adapter and adapter profile installation executables. All of the arguments described here can be used with the -is:javaconsole -console option to use a command line text interface instead of a GUI.

.exe -options-record
    This command records the options that were selected during the install into a file.

.exe -options-template
    This command creates a template file that has fields for all of the options that may be selected during installation. This file can then be edited to include the desired responses and played back with the option below.

.exe -silent -options
    This command plays back the previously recorded file during a silent installation, where installation is performed with no user interaction.

Adapter Removal

This section describes the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP uninstall procedures. Give users advance warning that the resource will be unavailable prior to removing the adapter. If the server is taken offline, Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP requests that are not completed may not be recoverable when the server is back online.

Complete the following procedure to remove the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP and its directories.

1. Stop the Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP service.

2. Execute the uninstall binary:
   On a Windows host: Open Windows Explorer and execute the uninstaller:
   C:\Tivoli\Agents\SAPAgent\_uninst\uninstaller.exe
   On a UNIX host: Run the following command:
   .../Tivoli/Agents/SAPAgent/_uninst/uninstaller.bin
   The Uninstaller welcome dialog window appears.

3. Click Next. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP components are deleted.

4. Click Finish. You will be prompted to reboot your system.

Note: Inspect the directory tree for Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP directories, subdirectories, and files to verify that the uninstall is complete. The Tivoli Identity Manager Adapter for SAP NetWeaver AS ABAP should no longer appear in the Services dialog window.

Appendix D. Example Deployment Scenarios

This chapter provides diagrams illustrating a few deployment scenarios, to give you a better understanding of your environment from end-to-end.

Tivoli Identity Manager for non-Unicode SAP non-CUA with HR Linking

[Figure 4. Tivoli Identity Manager for SAP non-CUA with HR Linking. Diagram (image not reproduced) showing the ITIM Server running the ITIM Agent for SAP NetWeaver AS ABAP with librfc32.dll; an ITIM Provision Policy and ITIM Service for the SAP 4.6C non-CUA HR System and another Provision Policy and Service for the SAP 6.20 non-CUA HR System; and the SAP NetWeaver AS ABAP System v 4.6C non-CUA and System v 6.20 non-CUA, each with its SAP HR Module. Transports shown: TV2K900096, TV2K900098.]

Tivoli Identity Manager for non-Unicode SAP CUA with HR Linking

[Figure 5. Tivoli Identity Manager for SAP CUA with HR Linking. Diagram (image not reproduced) showing the ITIM Server running the ITIM Agent for SAP NetWeaver AS ABAP with librfc32.dll; an ITIM Provision Policy and ITIM Service for the SAP 6.20 CUA HR System; and the SAP NetWeaver AS ABAP System v 6.20 CUA Master with its SAP HR Module, together with three SAP NetWeaver AS ABAP System v 6.20 child systems (Child 1, Child 2, Child 3). Transports shown: TV2K900063, TV2K900069, TV2K900100, TV2K900099.]

Appendix E. Support information

This section describes the following options for obtaining support for IBM products:
• “Searching knowledge bases”
• “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:
• Performance and tuning information provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:
• For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  – Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll.
  – By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
• For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1
    Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
    Significant business impact: The program is usable but is severely limited.

Severity 3
    Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4
    Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:
• Online: Go to the ″Submit and track problems″ page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
• By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions. For more information about problem resolution, see Searching knowledge bases.

Appendix F. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, IBM logo, ibm.com, AIX, AS/400, DB2, Domino, Informix, iSeries, Linux, Lotus, Lotus Notes, MQSeries, Notes, OS/400, Power PC, Tivoli, Tivoli logo, Universal Database, WebSphere.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Printed in USA

SC32-1194-11