A.1 Driver Configuration

In Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then click Properties > Driver Configuration.

In iManager:

  1. In iManager, click the Identity Manager icon to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the SAP GRC Access Control driver icon, then click the upper right corner of the driver icon to display the Actions menu.

  4. Click Edit Properties to display the driver’s properties page.

    By default, the properties page opens with the Driver Configuration tab displayed.

The Driver Configuration options are divided into the following sections:

A.1.1 Driver Module

The driver module setting determines whether the driver shim runs locally on the Identity Manager server or remotely through the Remote Loader.

Table A-1 Driver Modules

Option

Description

Java

Specifies the name of the Java class that is instantiated as the shim component of the driver. The class can be located in the classes directory as a class file or in the lib directory as a .jar file. If this option is selected, the driver runs locally on the Identity Manager server.

The name of the Java class is: com.novell.nds.dirxml.driver.sap.grcas.SAPGRCACShim

Native

This option is not used with the SAP GRC Access Control driver.

Connect to Remote Loader

Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:

  • Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.

  • Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the SAP GRC Access Control driver.

A.1.2 Authentication

The authentication section stores the information required to authenticate to the connected system.

Table A-2 Authentication Options

Option

Description

Authentication ID

Specify an SAP account that the driver can use to authenticate to the SAP system.

Example: SAPUser

Authentication Context or Connection Information

Specify the IP address or name of the SAP server the driver should communicate with.

Remote Loader Connection Parameters, or Host name / Port / KMO / Other parameters

Used only if the driver connects to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where the host name is the IP address of the application server running the Remote Loader and the port is the port the Remote Loader listens on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is used only when the connection between the Remote Loader and the Metadirectory engine is protected with SSL; without it, that connection is not configured for SSL on the engine side.

Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate

Driver Cache Limit (kilobytes) or Cache limit (KB)

Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited.

Click Unlimited to set the file size to unlimited in Designer.

Application Password or Set Password

Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password or Set Password

Used only if the driver connects to the application through the Remote Loader. This password controls access to the Remote Loader instance. It must match the password specified when the Remote Loader was configured on the connected system.
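The Remote Loader connection parameter string above is free text, so a typo in it is easy to miss until the driver fails to start, and a missing kmo entry silently leaves the engine-to-Remote Loader link without SSL. The following checker is an added example for this appendix, not code from the driver or its documentation: it parses the documented hostname=/port=/kmo= format, validates each field, and reports the findings a reviewer would want. The finding texts and the helper names are the author's own.

```python
"""Parse and sanity-check a Remote Loader connection parameter string.

Added example, not part of the SAP GRC Access Control driver or its
documentation. The parameter format (hostname=... port=... kmo=...) and the
default port 8090 are taken from the driver configuration page; the check
names, messages and sample inputs are the author's own.
"""
import ipaddress
import re

DEFAULT_REMOTE_LOADER_PORT = 8090  # documented default listening port
_TOKEN = re.compile(r"^([A-Za-z]+)=(\S+)$")  # one key=value token, no spaces inside


def parse_remote_loader_params(params: str) -> dict:
    """Turn 'hostname=10.0.0.1 port=8090 kmo=IDMCertificate' into a dict.

    Keys are lower-cased. A token without '=' or a repeated key raises
    ValueError so that a typo cannot silently fall back to a default.
    """
    result = {}
    for token in params.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed token {token!r}; expected key=value")
        key, value = m.group(1).lower(), m.group(2)
        if key in result:
            raise ValueError(f"duplicate key {key!r}")
        result[key] = value
    return result


def check_remote_loader_params(params: str) -> list:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    try:
        cfg = parse_remote_loader_params(params)
    except ValueError as exc:
        return [f"ERROR: {exc}"]

    host = cfg.get("hostname")
    if not host:
        findings.append("ERROR: hostname is required")
    else:
        try:
            if ipaddress.ip_address(host).is_loopback:
                findings.append("INFO: hostname is loopback; the Remote Loader must run on the engine host")
        except ValueError:
            pass  # a DNS name instead of an IP literal is acceptable

    port = cfg.get("port")
    if port is None:
        findings.append(f"WARN: port not set; the documented Remote Loader default is {DEFAULT_REMOTE_LOADER_PORT}")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"ERROR: port {port!r} is not a valid TCP port")

    # kmo names the engine's certificate for SSL to the Remote Loader; without it
    # the engine side is not configured for SSL on this link.
    if "kmo" not in cfg:
        findings.append("WARN: no kmo entry; the engine-to-Remote Loader connection is not configured for SSL")

    unknown = sorted(set(cfg) - {"hostname", "port", "kmo"})
    if unknown:
        findings.append(f"WARN: unrecognised parameter(s): {', '.join(unknown)}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ("hostname=10.0.0.1 port=8090 kmo=IDMCertificate",
                   "hostname=10.0.0.1 port=8090",
                   "hostname=10.0.0.1 port8090"):
        print(sample, "->", check_remote_loader_params(sample) or ["OK"])
```

Run it against the value you are about to paste into the Remote Loader Connection Parameters field; a WARN about kmo means the link that carries the Remote Loader password is not SSL-protected from the engine side.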

A.1.3 Startup Option

The startup options allow you to set the driver state when the Identity Manager server is started.

Table A-3 Startup Options

Option

Description

Auto start

The driver starts every time the Identity Manager server is started.

Manual

The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.

Disabled

The driver keeps a cache file that stores pending events. When the driver is set to Disabled, this file is deleted and no new events are cached until the driver state is changed back to Manual or Auto start.

Do not automatically synchronize the driver

This option applies only if the driver is deployed and was previously disabled. If it is not selected, the driver re-synchronizes the next time it is started.

A.1.4 Driver Parameters

The driver parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The parameters are presented by category:

Table A-4 Driver Settings

Parameter

Description

This driver has no driver-level parameters.

Table A-5 Subscriber Settings

Parameter

Description

SAP GRC Web Service URL

Specify the GRC Web Service URL on the SAP NetWeaver server. Leave this field blank when the Subscriber channel is not active.

Authentication ID

Specify the ID of the GRC user that is used as the requestor ID for all requests sent to GRC.

Authentication Password

Specify the password of the authentication ID.

Show advanced connection options

Select show to display the advanced connection options.

Show advanced connection options > Truststore file

When the remote server is configured to provide server authentication, this is the path and name of the keystore file that contains the trusted certificates. For example: C:\security\truststore. Leave this field blank when server authentication is not used.

Show advanced connection options > Proxy host and port

When the connection goes through a proxy, specify the proxy host address and port. For example: 192.10.1.3:18180.

Table A-6 Publisher Settings

Parameter

Description

Listening IP address and port

Specify the IP address of the server where this driver is installed and the port on which this driver listens for Web Service requests from GRC. Choose an unused port number on your server. For example: 127.0.0.1:18180. The driver listens on this address for requests, processes them, and returns a result.

Note that 127.0.0.1 is the loopback address, so a listener bound to it accepts connections only from the same host; GRC must be able to reach the address you enter.

Authentication ID

Specify the authentication ID to validate incoming requests.

Authentication Password

Specify the password of the authentication ID.

Publisher Heartbeat Interval

Specify how many minutes of inactivity can elapse before this channel sends a heartbeat document. In practice, more than the number of minutes specified can elapse. That is, this parameter defines a lower bound.

Show advanced connection options

Select show to display the advanced connection options.

Show advanced connection options > KMO name

Specify the KMO name in the Identity Vault when this server is configured to accept HTTPS connections. The KMO name is the part of the RDN before the hyphen. Leave this field blank when a keystore file is used or when HTTPS connections are not used.

Show advanced connection options > keystore file

Specify the path and name of the keystore file, when the server is configured to accept HTTPS connections. For example: C:\security\keystore. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Show advanced connection options > Keystore password

Specify the keystore file password, when the server is configured to accept HTTPS connections. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Show advanced connection options > Server key alias

Specify the key alias, when this server is configured to accept HTTPS connections. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Show advanced connection options > Server key password

Specify the key alias password (not the keystore password), when the server is configured to accept HTTPS connections. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

Show advanced connection options > Require mutual authentication

When using SSL, it is common to do only server authentication. If you want to force both client and server to present certificates during the handshake, select Required; GRC must then present a client certificate that this server trusts, or the connection is refused.
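The Publisher settings in Table A-6 have several mutual exclusions (KMO name versus keystore file, keystore fields that must be blank when a KMO is used, mutual authentication that is meaningful only over HTTPS) and one environmental check (an unused port). The following is an added example for this appendix, not code from the driver or its vendor, that checks a Publisher configuration for those conditions before you deploy it. The PublisherSettings fields mirror the table's parameter names; the class, the check logic, the message text and the sample values are the author's own.

```python
"""Sanity-check the Publisher channel listener and HTTPS settings.

Added example, not code from the SAP GRC Access Control driver or its vendor.
The field names mirror Table A-6 of the driver configuration page; the checks,
messages and sample configurations below are the author's own.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class PublisherSettings:
    listen: str                      # "ip:port" as entered in the driver parameters
    kmo_name: str = ""               # KMO in the Identity Vault, or empty
    keystore_file: str = ""          # path to a keystore file, or empty
    keystore_password: str = ""
    server_key_alias: str = ""
    server_key_password: str = ""    # key password, distinct from the keystore password
    require_mutual_auth: bool = False


def parse_listen(listen: str):
    """Split 'ip:port' (IPv6 may be bracketed) into (ip_address, port)."""
    host, sep, port = listen.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected ip:port, got {listen!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return ipaddress.ip_address(host.strip("[]")), port


def port_is_free(ip, port) -> bool:
    """Try to bind the socket the driver would open; False if it is already taken."""
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((str(ip), port))
            return True
        except OSError:
            return False


def check_publisher(cfg: PublisherSettings, probe_port: bool = True) -> list:
    """Return findings for a Publisher configuration; empty list means clean."""
    findings = []
    try:
        ip, port = parse_listen(cfg.listen)
    except ValueError as exc:
        return [f"ERROR: listening address: {exc}"]

    if ip.is_loopback:
        findings.append("WARN: loopback address; only clients on this host can reach the listener")
    elif ip.is_unspecified:
        findings.append("WARN: wildcard address; the listener is exposed on every interface")
    if probe_port and not port_is_free(ip, port):
        findings.append(f"ERROR: port {port} is already in use on this host")

    https = bool(cfg.kmo_name or cfg.keystore_file)
    if cfg.kmo_name and cfg.keystore_file:
        findings.append("ERROR: specify either a KMO name or a keystore file, not both")
    if cfg.keystore_file:
        for name, value in (("keystore password", cfg.keystore_password),
                            ("server key alias", cfg.server_key_alias),
                            ("server key password", cfg.server_key_password)):
            if not value:
                findings.append(f"ERROR: keystore file set but {name} is empty")
    if cfg.kmo_name and (cfg.keystore_password or cfg.server_key_alias or cfg.server_key_password):
        findings.append("WARN: keystore fields should be blank when a KMO name is used")
    if not https:
        findings.append("WARN: no KMO or keystore, so the listener is plain HTTP and the credentials GRC sends are unencrypted")
    if cfg.require_mutual_auth and not https:
        findings.append("ERROR: mutual authentication requires an HTTPS listener")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real deployment.
    ok = PublisherSettings(listen="127.0.0.1:18180", keystore_file=r"C:\security\keystore",
                           keystore_password="ks-pass", server_key_alias="grc",
                           server_key_password="key-pass")
    weak = PublisherSettings(listen="10.0.0.5:18180", require_mutual_auth=True)
    for cfg in (ok, weak):
        print(cfg.listen, "->", check_publisher(cfg) or ["OK"])
```

Call check_publisher with probe_port=False when running it somewhere other than the driver host; the bind probe is only meaningful on the server that will actually open the listener.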