2.4 Importing the Driver

After the driver is installed, it must be imported and configured. You can import the driver through Designer or iManager.

2.4.1 Importing the Driver Configuration File in Designer

Designer allows you to import the basic driver configuration file for the SAP User application. This file creates and configures the objects and policies needed to make the driver work properly. The following instructions explain how to create the driver and import the driver’s configuration.

There are many different ways of importing the driver configuration file. This procedure only documents one way.

  1. Open a project in Designer. In the Modeler, right-click the driver set and select New > Driver.

  2. From the drop-down list, select SAP User Management, then click Run.

  3. Configure the driver by filling in the fields. Specify information for your environment. For information on the settings, see Section 2.4.3, Configuration Information.

  4. After specifying parameters, click Finish to import the driver.

  5. After the driver is imported, customize and test the driver.

  6. After the driver is fully tested, deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault in the Designer 2.1 for Identity Manager 3.5.1.

2.4.2 Importing the Driver Configuration File in iManager

The Create Driver Wizard helps you import the basic driver configuration file. This file creates and configures the objects and policies needed to make the driver work properly.

The following instructions explain how to create the driver and import the driver’s configuration.

  1. In Novell iManager, click Identity Manager Utilities > Import Configurations.

  2. Select a driver set, then click Next.

    If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.

  3. Select how you want the driver configurations sorted:

    • All configurations

    • Identity Manager 3.5 configurations

    • Identity Manager 3.0 configurations

    • Configurations not associated with an IDM version

  4. Select SAP User Management, then click Next.

  5. Specify the driver’s parameters (refer to Section 2.4.3, Configuration Information for details), then click Next to import the driver.

  6. Define security equivalences using a user object that has the rights that the driver needs to have on the server, then click OK.

    The tendency is to use the Admin user object for this task. However, you might want to create a DriversUser (for example) and assign security equivalence to that user. The DriversUser object must hold every right that the driver needs to have on the server.

  7. Identify all objects that represent administrative roles and exclude them from replication, then click OK.

    Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 6. If you delete the security-equivalence object, you have removed the rights from the driver, and the driver can’t make changes to Identity Manager.

  8. Review the driver objects in the Summary page, then click Finish.

2.4.3 Configuration Information

As you import the driver configuration file, you will be prompted for the following information, depending on the configuration selections you made.

Parameter Name

Parameter Description

Driver name

The actual name you want to use for the driver.

SAP Application Server

The host name or IP address for connecting to the appropriate SAP application server. This is referred to as the “Application Server” in the SAP logon properties.

SAP System Number

The SAP system number of the SAP application server. This is referred to as the “System Number” in the SAP logon properties. The default value is 00.

SAP Client Number

The client number to be used on the SAP application server. This is referred to as the “Client” in the SAP logon screen.

SAP Session Language Code

The language code this driver will use for the SAP session. This is referred to as the “Language” in the SAP logon screen.

SAP User ID

The ID of the user this driver will use for the SAP system logon. This is referred to as the “User” in the SAP logon screen.

SAP User Password

The User password this driver will use for the SAP system logon. This is referred to as the “Password” in the SAP logon screen.

Publisher Channel Enabled

Select whether or not you want to enable the driver’s Publisher channel.

User Object Container (Conditional)

The name of the eDirectory Organizational Unit object where Users from the SAP system will be placed. This is only used if the Publisher channel is enabled.

Publisher Channel Port Type (Conditional)

Set to TRFC if the driver will instantiate a JCO Server to receive data distribution broadcasts from the SAP ALE system. Set to FILE if the driver will consume text file IDocs distributed by the SAP ALE system. This is only used if the Publisher channel is enabled.

Publisher IDoc File Directory (Conditional)

The file system location where the SAP User IDoc files are placed by the SAP ALE system (FILE port configuration) or by the driver (TRFC configuration). This setting is only used if the Publisher channel is enabled.

SAP Gateway ID (Conditional)

If the Publisher channel port type is TRFC, this parameter specifies the gateway that distributes User data to the driver. This setting is only used if the Publisher channel port type is TRFC.

The default form of this parameter is sapgw<SAP System Number>. The default value is sapgw00.

TRFC Program ID (Conditional)

If the Publisher channel port type is TRFC, this parameter identifies the JCO server program in the driver for the SAP gateway. This setting is only used if the Publisher channel port type is TRFC.

The program ID is a case-sensitive text identifier.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting the Remote option, or select Local to configure the driver for local use. If Local is selected, you can skip the remaining parameters.

Remote Host Name and Port (Conditional)

Specify the host name or IP address and port number for where the Remote Loader service has been installed and is running for this driver. The default port is 8090.

This setting is only used if you are using the Remote Loader to run the driver.

Driver Password (Conditional)

The driver object password is used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified as the driver object password on the Remote Loader.

This setting is only used if you are using the Remote Loader to run the driver.

Remote Password (Conditional)

The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.

This setting is only used if you are using the Remote Loader to run the driver.

The following additional driver parameters are set to default values during the import process, but they can be modified in iManager (by clicking the Driver Configuration tab on the driver object).

Parameter name

Parameter Description

Character Set Encoding

The code for the character set to translate IDoc byte-string data into Unicode strings. An empty value causes the driver to use the host JVM default.

Publish all Communication Table Values

Set this to Publish Primary if only the primary value of Communication tables should be synchronized.

or

Set this to Publish All if all values should be synchronized.

Publish Company Address Data

By default, an SAP User record does not include Company Address information. That data is kept in a related table. Use this parameter to specify if you want the driver to retrieve the data from the appropriate company record. Regardless of the option you specify, Company Address information cannot be updated in SAP.

Set this to Include Company Address to populate User Company Address information for the Publisher and Subscriber channel queries.

or

Set this to Ignore Company Address if you do not want this functionality.

Communication Table Comments

The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment to the table entries.

Require User to Change Set Passwords

This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set by the driver's administrative User account or by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users).

Select Change Required if passwords must be changed immediately at the user’s next login.

or

Select No Change Required if you do not want users to change passwords immediately at login.

(Conditional) Password Set Method

If you select the No Change Required option above, you should specify a Password Set Method: Administrator Set or User Set.

Administrator Set: Passwords are set by the driver's administrative User account. This method is deprecated and does not comply with SAP security best practices. The method works only for SAP systems that are version 4.6c or older.

User Set: Passwords are supplied by the affected users. The following parameters must be set if you select User Set:

  • Default Reset Password: This parameter specifies a default password reset value. It is set during password changes if the User-supplied password is not accepted by the SAP server. There is an 8-character size limit for this value. (SAP 7.0 does not require an 8-character size limit on passwords.)

  • Force Passwords to Uppercase: This option defines whether passwords are forced to uppercase. Uppercase is the default value; however, SAP 7.0 allows for mixed-case passwords.

Poll Interval (seconds)

Specifies how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds.

Future-dated Event Handling Option

The behavior of this option is based on the values of the User record’s Logon Data “Valid From” date (LOGONDATA:GLTGV) when IDocs are processed by the Publisher channel. This field does not need to be in the Publisher filter for this processing to occur.

There are four possible values for this parameter:

  • 0 - Indicates that all attributes are processed by the driver when the IDoc is available. No future-dated processing is performed.

  • 1 - Indicates that only attributes that have a current or past time stamp are processed by the driver when the IDoc is available. Future-dated infotype attributes are cached in a .futr file to be processed at a future date.

  • 2 - Indicates that the driver blends options 1 and 2. All attributes are processed, with a time stamp, at the time the IDoc is available. All future-dated infotype attributes are cached in a .futr file to be processed at a future date.

  • 3 - Indicates that the driver processes all events at the time the IDoc is made available. All future-dated infotype attributes are cached in a .futr file to be processed again on the next calendar day. This continues until the attributes are sent for a final time on the future date.

Generate TRFC Trace Files

If a TRFC port is configured for use by the Publisher channel, this option allows the driver to turn on the SAP JCO tracing capability. Enter Disable if you do not desire this functionality, or enter Enable to activate it. Trace files are generated in either the Identity Manager or Remote Loader root directory and are identified by a .trc extension. The default value is Disabled.
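
The conditional rules in the two parameter tables above can be checked before import. The following is an added example, not part of the driver or of Novell's tooling: it audits one parameter set against those rules. The dictionary layout, the "Security Equivalence" key (standing in for the object chosen in Step 6 of Section 2.4.2), and all sample values are assumptions.

```python
# Added example. Keys are the prompt names from Section 2.4.3; the dict layout
# and the "Security Equivalence" key (Step 6 of 2.4.2) are assumptions.
def audit_driver_config(cfg):
    """Return findings for one set of driver import parameters."""
    findings = []
    def need(key, why):
        if not str(cfg.get(key, "")).strip():
            findings.append(f"missing '{key}' ({why})")
    for key in ("Driver name", "SAP Application Server", "SAP Client Number",
                "SAP User ID", "SAP User Password"):
        need(key, "always prompted")
    sysnr = str(cfg.get("SAP System Number", "00"))  # documented default is 00
    if cfg.get("Publisher Channel Enabled"):
        need("User Object Container", "Publisher channel enabled")
        need("Publisher IDoc File Directory", "Publisher channel enabled")
        port = cfg.get("Publisher Channel Port Type")
        if port not in ("TRFC", "FILE"):
            findings.append("Publisher Channel Port Type must be TRFC or FILE")
        if port == "TRFC":
            need("TRFC Program ID", "port type TRFC")
            gateway = cfg.get("SAP Gateway ID", "sapgw" + sysnr)
            if gateway != "sapgw" + sysnr:
                findings.append(f"verify SAP Gateway ID '{gateway}': default form is sapgw{sysnr}")
    if cfg.get("Install Driver as Remote/Local") == "Remote":
        for key in ("Remote Host Name and Port", "Driver Password", "Remote Password"):
            need(key, "Remote Loader in use")
    if cfg.get("Require User to Change Set Passwords") == "No Change Required":
        method = cfg.get("Password Set Method")
        if method == "Administrator Set":
            findings.append("Administrator Set is deprecated (SAP 4.6c or older only)")
        elif method != "User Set":
            findings.append("Password Set Method must be Administrator Set or User Set")
        elif len(cfg.get("Default Reset Password", "")) > 8:
            findings.append("Default Reset Password exceeds the 8-character limit")
    if cfg.get("Generate TRFC Trace Files") == "Enable":
        findings.append("JCO tracing enabled: .trc files accumulate in the driver root directory")
    if str(cfg.get("Security Equivalence", "")).lower().startswith("cn=admin"):
        findings.append("driver is security-equivalent to Admin; use a dedicated object")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "Driver name": "SAP-UM", "SAP Application Server": "sap01.example.com",
    "SAP System Number": "01", "SAP Client Number": "100",
    "SAP User ID": "IDMDRV", "SAP User Password": "placeholder",
    "Publisher Channel Enabled": True, "Publisher Channel Port Type": "TRFC",
    "User Object Container": "ou=sapusers,o=example", "SAP Gateway ID": "sapgw00",
    "Install Driver as Remote/Local": "Local", "Password Set Method": "Administrator Set",
    "Require User to Change Set Passwords": "No Change Required",
    "Security Equivalence": "cn=admin,o=example",
}
```

Calling audit_driver_config(SAMPLE) returns five findings: the two missing TRFC/Publisher parameters, the gateway ID that does not match system number 01, the deprecated password method, and the Admin security equivalence.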

2.4.4 Extending the Schema

If you want to use the default configuration, you need to extend the eDirectory schema. This provides greater abilities to administer the User Management functions of SAP R/3 and Enterprise R/3 systems. We recommend applying a set of schema extensions to the eDirectory tree that will synchronize with the SAP system.

During SAP’s development of their own LDAP-based User Administration utilities, a standard set of schema extensions was developed for use with Novell eDirectory. These extensions are contained in the R3-Novell-Ldif-Schema-extension.ldif file. This file is designed to be applied to eDirectory by using the Novell Import Conversion Export (ICE) utility.

In addition to the ldif-format schema extension file, the schema extensions are also available in the sapuser.sch file (the eDirectory standard).

NOTE: Starting with version 1.0.5 of the driver, the sapUsername attribute is no longer a required attribute of the sapAddOnUM auxiliary class in the sapuser.sch file. Because the R3-Novell-Ldif-Schema-extension.ldif file was created by SAP, this attribute remains a required attribute in that file. It is recommended that sapuser.sch should be used for all new deployments requiring schema extension.

IMPORTANT: If you are upgrading an existing driver deployment, the sapuserupgrade.sch or sapuserupgrade.ldif files contain only the updated schema for new functionality provided with driver version 1.0.5 and later.

If you want to extend the schema using the LDIF file, the following instructions help you use the ICE utility. For additional information, refer to the Import Conversion Export utility documentation.

  1. Open the NDS Import/Export Wizard.

  2. Select Import LDIF File, then click Next.

  3. Browse to R3-Novell-Ldif-Schema-extension.ldif, then click Next.

  4. Fill in the appropriate LDAP connection information for the Novell LDAP service, then click Next.

  5. Click Finish to begin the extension process.