Novell Doc: Identity Manager 3.6.1 Fan-Out Driver for SAP User Managment Implementation Guide

A.1 Driver Configuration

In Designer:

Open a project in the Modeler.
Right-click the driver icon or line, then select click Properties > Driver Configuration.

In iManager:

In iManager, click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit:
1. In the Administration list, click Identity Manager Overview.
2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.
3. Click the driver set to open the Driver Set Overview page.
Locate the SAP User Management Fan-Out driver icon, then click the upper right corner of the driver icon to display the Actions menu.
Click Edit Properties to display the driver’s properties page.

By default, the properties page opens with the Driver Configuration tab displayed.

The Driver Configuration options are divided into the following sections:

A.1.1 Driver Module

The driver module changes the driver from running locally to running remotely or the reverse.

Table A-1 Driver Modules

Option	Description
Java	Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally. The name of the Java class is: com.novell.nds.dirxml.driver.sapumshim.SAPDriverShim
Native	This option is not used with the SAP User Management driver.
Connect to Remote Loader	Used when the driver is connecting remotely to the connected system. Designer includes two suboptions: Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim. Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the SAP User Management Fan-Out driver.

Option

Description

Java

Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally.

The name of the Java class is: com.novell.nds.dirxml.driver.sapumshim.SAPDriverShim

Native

This option is not used with the SAP User Management driver.

Connect to Remote Loader

Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:

Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.
Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the SAP User Management Fan-Out driver.

A.1.2 Authentication

The authentication section stores the information required to authenticate to the connected system.

Table A-2 Authentication Options

Option	Description
Authentication ID	Specify an SAP account that the driver can use to authenticate to the SAP system. Example: SAPUser
Authentication Context or Connection Information	Specify the IP address or name of the SAP server the driver should communicate with.
Remote Loader Connection Parameters or Host name Port KMO Other parameters	Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, when the hostname is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090. The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine. Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate
Driver Cache Limit (kilobytes) or Cache limit (KB)	Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click Unlimited to set the file size to unlimited in Designer.
Application Password or Set Password	Specify the password for the user object listed in the Authentication ID field.
Remote Loader Password or Set Password	Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

Option

Description

Authentication ID

Specify an SAP account that the driver can use to authenticate to the SAP system.

Example: SAPUser

Authentication Context

Connection Information

Specify the IP address or name of the SAP server the driver should communicate with.

Remote Loader Connection Parameters

Host name

Port

KMO

Other parameters

Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, when the hostname is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine.

Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate

Driver Cache Limit (kilobytes)

Cache limit (KB)

Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited.

Click Unlimited to set the file size to unlimited in Designer.

Application Password

Set Password

Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password

Set Password

Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

A.1.3 Startup Option

The startup option allows you to set the driver state when the Identity Manager server is started.

Table A-3 Startup Options

Option	Description
Auto start	The driver starts every time the Identity Manager server is started.
Manual	The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.
Disabled	The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.
Do not automatically synchronize the driver	This option applies only if the driver is deployed and was previously disabled. If this option is not selected, the driver re-synchronizes the next time it is started.

A.1.4 Driver Parameters

The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The parameters are presented by category:

Table A-4 Driver Settings

Parameter	Description
System ID	Specify the SAP system ID of the SAP application server. The system ID is found in the SAP GUI status bar located in the lower right corner of the main window. This parameter is used to generate the realm for Account Tracking. The system ID is usually a three-character string that uniquely identifies a SAP system in the SAP system landscape. The realm must be unique per application type. For example: \<system ID>\<system number>\<client number> \S71\00\800
SAP System Number	Specify the SAP system number of the SAP application server. This is referred to as the System Number in the SAP logon properties. The default value is 00.
SAP User Client Number	Specify the client number to be used on the SAP application server. This is referred to as the Client in the SAP logon screen.
SAP Client Type	Select the client type the driver is connecting to: Non-CUA Client: If the client you are connecting to is not a CUA central client and is it not CUA child client, select this option. CUA Central: If you are connecting to the CUA central client, select this option. CUA Child: If you are connecting to a CUA child client, select this option. The fan-out policies must know what type of client they are communicating to so they can generate the correct events. For example, most of the attributes in a CUA child client are synchronized through the CUA central client.
SAP Client Type > CUA Child > Logical System Name of CUA Central Client	This option is only displayed if you select CUA Child. Specify the logical system name of the CUA central client that manages this client. The fan-out policies must know which client is the central client of a CUA child client, so that they can generate correct events. For example, most of the attributes in a CUA child client are synchronized through the CUA central client.
SAP Client Type > CUA Child > Filter	This option is only displayed if you select CUA Child. Add an attribute name in the Identity Vault namespace that you want to synchronize directly to the CUA child client, instead of sending it to the CUA central client. This filter is evaluated after the driver’s Subscriber filter is applied. For an attribute to encounter this filter, it must also be set to Subscribe or Notify in the regular driver filter. This filter is implemented in the Event Transformation policy set. For most deployments, you should leave the two default attributes of Login Disabled and nspmDistributionPassword in the filter. The fan-out policies must know which attributes to send directly to a CUA child client.
Logical System Name	Specify the Logic System Name for the client as it appears in the SAP system, if the SAP client is the central client in a CUA landscape. Otherwise, specify a unique name for this system. The driver uses the logical system names from both the primary connection and all of the secondary connections to uniquely identify a connection. The driver looks up the connection information based on this value.
SAP User Language	Specify the language code this driver will use for the SAP session. This is referred to as the Language in the SAP logon screen.
Available Languages	Specify all of the languages installed on your SAP system. All of the languages you specify in the list are made available to the Role Mapping Administrator, so that Role Mapping Administrator can render the UI accordingly.
Character Set Encoding	The code for the character set to translate IDoc byte-string data into Unicode strings. An empty value causes the driver to use the host JVM* default.
Publish all Communication Table Values	Set this to Publish Primary if only the primary value of Communicate tables should be synchronized. or Set this to Publish All if all values should be synchronized.
Publish Company Address Data	Select whether the driver populates the User Company Address data for the Publisher channel and for the Subscriber queues.
Change retry status to error on Subscriber events	Select Yes to have the driver shim issue an error instead of a retry on Subscriber operation results. Use this setting when running the driver in fan-out mode. If you are not using the fan-out mode, select No to disable this feature. If you are using the standard mode, select Yes to enable this.

Table A-5 Subscriber Settings

Parameter	Description
Communication Table Comments	The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment to the table entries.
Require User to Change Set Passwords	This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set by the driver's administrative User account or by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users.) Select Change Required if passwords must be changed immediately at the user’s next login. or Select No Change Required if you do not want users to change passwords immediately at login.
Password Set Method (Conditional)	If you select the No Change Required option above, you should specify a Password Set Method: Administrator Set or User Set. Administrator Set: Passwords are set by the driver's administrative User account. This method is deprecated and does not comply with SAP security best practices. The method works only for SAP systems that are version 4.6c or older. User Set: Passwords are supplied by the affected users. The following parameters must be set if you select User Set: Default Reset Password: This parameter specifies a default password reset value. It is set during password changes if the user-supplied password is not accepted by the SAP server. There is an 8-character size limit for this value. (SAP 7.0 does not require an 8-character size limit on passwords.) Reset Password Delay (seconds): Specify the number of seconds between the setting of the administrative default password and the setting of the user’s new password. Force Passwords to Uppercase: This option defines if passwords are forced to uppercase. Uppercase is the default value; however, SAP 7.0 allows for mixed-case passwords.
Support Password Set for Non-Dialog Users	Select whether to allow the driver to set password for non-dialog user types, such as Communications, System, Service, and Reference on the Subscriber channel.
Use local locking	Select Yes to lock accounts locally in the client. Local locking requires additional configuration in the SAP system. Select No to lock accounts globally, which locks all accounts in the CUA child clients if the account in the CUA central client is locked. For more information, see Section G.0, Setting and Clearing Granular Locks.
SAP Server Secondary Connection Information	If you are configuring the driver for fan-out, click the plus icon , then add the information for the additional SAP system. The information requested is listed in Table A-4, Driver Settings. Repeat this process for each system you want to fan out to from this driver.

Table A-6 Publisher Settings

Parameter	Description
Publisher Channel Enabled	Select whether or not you want to enable the driver’s Publisher channel.
Publisher Channel Port Type	Select TRFC if the driver instantiates a JCo 3 Server to receive data distribution broadcasts from the SAP ALE system. Select FILE if the driver consumes text file IDocs distributed by the SAP ALE system.
SAP Gateway ID	Specify the SAP Gateway ID that distributes user data to the driver.
TRFC Program ID	Specify the registered program ID that is used by the driver. This value is specified in the SAP port definition.
Generate TRFC Trace Files	Select whether the JCo 3 server TRFC tracing is enabled.
Logical System for User Distribution	Specify the logical system name configured in the SAP system for user distribution to the Identity Manager driver. Publication only works if the Publisher channel is enabled and the driver’s primary connection is to a CUA central client.
Poll Interval (seconds)	Specify how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds.
Future-dated Event Handling Option	The behavior of this option is based on the values of the User record’s Logon Data “Valid From” date (LOGONDATA:GLTGV) when IDocs are processed by the Publisher channel. This field does not need to be in the Publisher filter for this processing to occur. Choose one of the following options: Publish Immediately: Indicates that all attributes are processed by the driver when the IDoc is available. No future-dated processing is performed. Publish on Future Date: Indicates that only attributes that have a current or past time stamp are processed by the driver when the IDoc is available. Future-dated infotype attributes are cached in a .futr file to be processed at a future date. Publish Immediately and on Future Date: Indicates that the driver blends the first two options. All attributes with a current or past time stamp are processed at the time the IDoc is available. All future-dated infotype attributes are cached in a .futr file to be processed at a future date. Publish Immediately and Daily through Future Date: Indicates that the driver processes all events at the time the IDoc is made available. All future-dated infotype attributes are cached in a .futr file to be processed again on the next calendar day. This continues until the attributes are sent for a final time on the future date.
Publisher IDoc Directory	Specify the file system location where the SAP User IDoc files are placed by the SAP ALE system (file port configuration) or by the driver (TRFC configuration.) This setting is only used if the Publisher channel is enabled.
Publisher Heartbeat Interval	Specify how many minutes of inactivity can elapse before this channel sends a heartbeat document. In practice, more than the number of minutes specified can elapse. That is, this parameter defines a lower bound.