Novell Doc: Identity Manager 3.6.1 Driver for SAP User Management Implementation Guide

A.1 Driver Configuration

In Designer:

Open a project in the Modeler.
Right-click the driver icon or line, then select click Properties > Driver Configuration.

In iManager:

In iManager, click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit. To do so:
1. In the Administration list, click Identity Manager Overview.
2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.
3. Click the driver set to open the Driver Set Overview page.
Locate the Sentinel driver icon, then click the upper right corner of the driver icon to display the Actions menu.
Click Edit Properties to display the driver’s properties page.

By default, the properties page opens with the Driver Configuration tab displayed.

The Driver Configuration options are divided into the following sections:

A.1.1 Driver Module

The driver module changes the driver from running locally to running remotely or the reverse.

Table A-1 Driver Modules

Option	Description
Java	Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally. The name of the Java class is: com.novell.nds.dirxml.driver.sapusershim.SAPDriverShim
Native	This option is not used with the SAP User driver.
Connect to Remote Loader	Used when the driver is connecting remotely to the connected system. Designer includes two suboptions: Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim. Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the Delimited Text driver.

Option

Description

Java

Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally.

The name of the Java class is: com.novell.nds.dirxml.driver.sapusershim.SAPDriverShim

Native

This option is not used with the SAP User driver.

Connect to Remote Loader

Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:

Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.
Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the Delimited Text driver.

A.1.2 Driver Object Password (iManager Only)

Table A-2 Driver Object Password

Option	Description
Driver Object Password	Use this option to set a password for the driver object. If you are using the Remote Loader, you must enter a password on this page or the remote driver does not run. This password is used by the Remote Loader to authenticate itself to the remote driver shim.

A.1.3 Authentication

The authentication section stores the information required to authenticate to the connected system.

Table A-3 Authentication Options

Option	Description
Authentication ID	Specify an SAP account that the driver can use to authenticate to the SAP system. Example: SAPUser
Authentication Context or Connection Information	Specify the IP address or name of the SAP server the driver should communicate with.
Remote Loader Connection Parameters or Host name Port KMO Other parameters	Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, when the host name is the IP address of the application server running the Remote Loader server and the port is the port the remote loader is listening on. The default port for the Remote Loader is 8090. The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine. Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate
Driver Cache Limit (kilobytes) or Cache limit (KB)	Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click Unlimited to set the file size to unlimited in Designer.
Application Password or Set Password	Specify the password for the user object listed in the Authentication ID field.
Remote Loader Password or Set Password	Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

Option

Description

Authentication ID

Specify an SAP account that the driver can use to authenticate to the SAP system.

Example: SAPUser

Authentication Context

Connection Information

Specify the IP address or name of the SAP server the driver should communicate with.

Remote Loader Connection Parameters

Host name

Port

KMO

Other parameters

Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, when the host name is the IP address of the application server running the Remote Loader server and the port is the port the remote loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine.

Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate

Driver Cache Limit (kilobytes)

Cache limit (KB)

Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited.

Click Unlimited to set the file size to unlimited in Designer.

Application Password

Set Password

Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password

Set Password

Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

A.1.4 Startup Option

The Startup Option allows you to set the driver state when the Identity Manager server is started.

Table A-4 Startup Options

Option	Description
Auto start	The driver starts every time the Identity Manager server is started.
Manual	The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.
Disabled	The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.
Do not automatically synchronize the driver	This option only applies if the driver is deployed and was previously disabled. If this is not selected, the driver re-synchronizes the next time it is started.

A.1.5 Driver Parameters

The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The parameters are presented by category:

Table A-5 Driver Settings

Parameter	Description
SAP System Number	Specify the SAP system number of the SAP application server. This is referred to as the System Number in the SAP logon properties. The default value is 00.
SAP User Client Number	Specify the client number to be used on the SAP application server. This is referred to as the Client in the SAP logon screen.
SAP User Language	Specify the language code this driver will use for the SAP session. This is referred to as the Language in the SAP logon screen.
Character Set Encoding	The code for the character set to translate IDoc byte-string data into Unicode* strings. An empty value causes the driver to use the host JVM* default.
Publish all Communication Table Values	Set this to Publish Primary if only the primary value of Communicate tables should be synchronized. or Set this to Publish All if all values should be synchronized.
Publish Company Address Data	By default, an SAP User record does not include Company Address information. That data is kept in a related table. Use this parameter to specify if you want the driver to retrieve the data from the appropriate company record. Regardless of the option you specify, Company Address information cannot be updated in SAP. Set this to Include Company Address to populate User Company Address information for the Publisher and Subscriber channel queries. or Set this to Ignore Company Address if you do not want this functionality. For additional information, see Section 7.3, Obtaining Company Address Data for User Objects.

Table A-6 Subscriber Settings

Parameter	Description
Communication Table Comments	The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment to the table entries.
Require User to Change Set Passwords	This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set by the driver's administrative User account or by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users.) Select Change Required if passwords must be changed immediately at the user’s next login. or Select No Change Required if you do not want user’s to change passwords immediately at login.
Password Set Method (Conditional)	If you select the No Change Required option above, you should specify a Password Set Method: Administrator Set or User Set. Administrator Set: Passwords are set by the driver's administrative User account. This method is deprecated and does not comply with SAP security best practices. The method works only for SAP systems that are version 4.6c or older. User Set: Passwords are supplied by the affected users. The following parameters must be set if you select User Set: Default Reset Password: This parameter specifies a default password reset value. It is used as a temporary value during a two-phase password set procedure. There is an 8-character size limit for this value (SAP 7.0 does not require an 8-character size limit on passwords.). If this field is left blank or if the configuration parameter is removed, the driver generates a random temporary password during each password set operation. Force Passwords to Uppercase: This option defines if passwords are forced to uppercase. Uppercase is the default value, however, SAP 7.0 allows for mixed-case passwords.

Parameter

Description

Communication Table Comments

The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment to the table entries.

Require User to Change Set Passwords

This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set by the driver's administrative User account or by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users.)

Select Change Required if passwords must be changed immediately at the user’s next login.

Select No Change Required if you do not want user’s to change passwords immediately at login.

Password Set Method (Conditional)

If you select the No Change Required option above, you should specify a Password Set Method: Administrator Set or User Set.

Administrator Set: Passwords are set by the driver's administrative User account. This method is deprecated and does not comply with SAP security best practices. The method works only for SAP systems that are version 4.6c or older.

User Set: Passwords are supplied by the affected users. The following parameters must be set if you select User Set:

Default Reset Password: This parameter specifies a default password reset value. It is used as a temporary value during a two-phase password set procedure. There is an 8-character size limit for this value (SAP 7.0 does not require an 8-character size limit on passwords.). If this field is left blank or if the configuration parameter is removed, the driver generates a random temporary password during each password set operation.
Force Passwords to Uppercase: This option defines if passwords are forced to uppercase. Uppercase is the default value, however, SAP 7.0 allows for mixed-case passwords.

Table A-7 Publisher Settings

Parameter	Description
Publisher Channel Enabled	Select whether or not you want to enable the driver’s Publisher channel.
Publisher Channel Port Type	Set to TRFC if the driver will instantiate a JCO Server to receive data distribution broadcasts from the SAP ALE system. Set to FILE if the driver will consume text file IDocs distributed by the SAP ALE system.
Poll Interval (seconds)	Specify how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds.
Future-dated Event Handling Option	The behavior of this option is based on the values of the User record’s Logon Data “Valid From” date (LOGONDATA:GLTGV) when IDocs are processed by the Publisher channel. This field does not need to be in the Publisher filter for this processing to occur. Choose one of the following options: Publish Immediately: Indicates that all attributes are processed by the driver when the IDoc is available. No future-dated processing is performed. Publish on Future Date: Indicates that only attributes that have a current or past time stamp are processed by the driver when the IDoc is available. Future-dated infotype attributes are cached in a .futr file to be processed at a future date. Publish Immediately and on Future Date: Indicates that the driver blends the first two options. All attributes with a current or past time stamp are processed at the time the IDoc is available. All future-dated infotype attributes are cached in a .futr file to be processed at a future date. Publish Immediately and Daily through Future Date: Indicates that the driver processes all events at the time the IDoc is made available. All future-dated infotype attributes are cached in a .futr file to be processed again on the next calendar day. This continues until the attributes are sent for a final time on the future date.
Publisher IDoc Directory	Specify the file system location where the SAP User IDoc files are placed by the SAP ALE system (FILE port configuration) or by the driver (TRFC configuration.) This setting is only used if the Publisher channel is enabled.
Publisher Heartbeat Interval	Specify how many minutes of inactivity can elapse before this channel sends a heartbeat document. In practice, more than the number of minutes specified can elapse. That is, this parameter defines a lower bound.