This patch is applicable for SAP User drivers running Identity Manager 4.6.x or Identity Manager 4.7.x. The driver version will be changed to 4.0.4.0 after the patch is applied.

• Identity Manager 4.7 or later

  Or

• Identity Manager 4.6 or later
• Driver with SAP JCO3 at a minimum
• Driver with latest base package is recommended

The driver upgrade process involves the following tasks:

• Upgrading the driver packages
• Updating the driver files

1. Download the following packages:
• SAP User Management Base package


• Package Name: NOVLSAPUBASE
• Version: 2.2.3
• Build Date: 20190315
• Build Number: 140220


• SAP User Management Entitlements and Fanout Support package


• Package Name: NOVLSAPUFENT
• Version: 2.3.4
• Build Date: 20190403
• Build Number: 132229


2. Open the project containing the driver.


3. Right-click the driver for which you want to upgrade an installed package, then click Driver > Properties.


4. Click Packages.

A check mark indicates a newer version of a package in the Upgrades column.

5. Click Select Operation for the package that indicates there is an upgrade available.


6. From the drop-down list, click Upgrade.


7. Select the version that you want to upgrade to, then click OK.

NOTE: Designer lists all versions available for upgrade.

8. Click Apply.


9. (Conditional) Fill in the fields with appropriate information to upgrade the package, then click Next.

Depending on which package you selected to upgrade, you must fill in the required information to upgrade the package.

10. Read the summary of the packages that will be installed, then click Finish.


11. Review the upgraded package, then click OK to close the Package Management page.

The driver upgrade process involves updating the driver files.

1. Take a back-up of the current driver configuration.


2. (Conditional) If the driver is running locally, stop the driver instance and the Identity Vault.


3. (Conditional) If the driver is running with a Remote Loader instance, stop the driver and the Remote Loader instance.


4. Download and unzip the contents of the IDM_SAPUM_4040.zip file to a temporary location on your computer.


5. (Conditional) To update the driver files as a root user:


1. On the server where you want to apply the driver patch, log in as root/administrator.


2. Navigate to the <extracted IDM_SAPUM_4040.zip> directory and perform one of the following actions for your platform:


• Linux: Install the new novell-DXMLsapus.rpm in your driver installation directory by running the following command in a terminal window:

rpm -Uvh (patch-path)/linux/novell-DXMLsapus.rpm

3. Windows: Copy the sapumshim.jar file to your driver installation folder. For example, \NetIQ\IdentityManager\NDS\lib, if the driver is locally installed with the Identity Manager engine or \Novell\RemoteLoader\lib if the driver is installed with the Remote Loader.


6. (Conditional) To update the driver files as a non-root user:


1. Verify that <non-root edirectory="" location="">/rpm directory exists and contains _db.* file.

The _db.* file is created during a non-root installation of the Identity Manager engine. Absence of this file might indicate that Identity Manager is not properly installed. Reinstall Identity Manager to correctly place the file in the directory.

2. To set the root directory to the location of non-root Identity Vault, enter the following command in the command prompt:

ROOTDIR=<non-root eDirectory location>

This will set the environmental variables to the directory where Identity Vault is installed as a non-root user.

3. To install the driver files, enter the following command:

For example, to install the SAP User driver RPM, use this command:

rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles /home/user/novell-DXMLsapus.rpm

where /opt/novell/eDirectory is the location where non-root eDirectory is installed and /home/user/ is the home directory of the non-root user.

7. (Conditional) If the driver is running locally, start the Identity Vault and the driver instance.


8. (Conditional) If the driver is running with a Remote Loader instance, start the Remote Loader instance and the driver instance.

Issues Fixed in This Release

• Bug 1113437 - The SAP User Management Entitlements and Fanout Support package shipped with the driver contains the correct driver policies and places them in a correct order with appropriate weights
• Bug 1123153 - Multiple attributes are succesfully changed in a single modify command
• Bug 1123162 - The Fax Number attribute (ADDFAX) is successfully synchronized on the Subscriber channel
• Bug 1129298 - Ability to properly handle and synchronize the ß special character
• Bug 1076976 - Ability to send a detailed exception and reason when a change password operation fails on the Subscriber channel
• Bug 1110138 - Provides new options to override the SNC parameters for secondary connections

Issue Fixed in Driver 4.0.3.2

• Bug 1115373 - Correctly processes operations involving roles that contain "error" in the role name
• Bug 1121454 - Makes successful connections to SAP child instances

• Bug 1098760 - Driver shim no longer changes the case of character ß (LATIN SMALL LETTER SHARP S)

• Bug 816350 - Issue with two polling loop parameters fixed
• Bug 894294 - Driver honors the force password change setting on secondary connections
• Bug 976607 - Added support for SUSR_GET_ADMIN_USER_LOGIN_INFO
• Bug 977228 - ADDSMTP Attribute is correctly handled
• Bug 1005552 - Ability to set values for DESCRIPTION:RESPONSIBLE and DESCRIPTION:TECHDESC
• Bug 1043660 - Processes removal of ADDFAX with multiple values
• Bug 800443 - Provides a way to allow JCO set the password as productive password
• Bug 1006747 - Ability to set up SAP SSL encrypted connection by using SNC
• Bug 1029869 - UserJOC3test.class is updated with SNC related information
• Security fix - CVE-2016-1603
• Bug 839079 - Corrected role assignment entitlemnt configuration
• Bug 874081 - Common policy and GCV's are moved out of default driver configuration
• Bug 888949 - User is no longer automatically unlocked in the Identity Vault during Publisher modify operation
• Bug 889712 - Corrected the SAP UserActGroupsAssign error handling
• Bug 894311 - Merge operation works correctly
• Bug 896603 - No multiple orphaned policies are left behind
• Bug 896754 - "Account IDs in the Managed Systems Current State" report correctly displays "Identity Vault Account Status" for a couple of Account Identifiers
• Bug 934602 - Assigning a non-existing role to SAP correctly reports an error instead of "Role xyz does not exist" warming
• Bug 937266 - ADMIN_SET option is removed from packages
• Bug 973780 - Correctly sets the Company attribute during an Add operation
• Bug 992978 - SETGRANULARLOCKS correctly locks the user
• Bug 893437 - SAP Fanout driver successfully processes a Merge event with an E-mail address empty
• Bug 794036 - Support extended to SAP Netweaver 7.31
• Bug 791499 - SAP Netweaver 7.30 correctly produces iDoc files when a user is added to a SAP Role
• Bug 801771 - Correct information is provided when a role is added or removed
• Bug 816165 - RoleProfileAssignmentPoller no longer goes into an infinite loop on every second when the SAP server is unavailable
• Bug 818322 - Correct processing of role or profile modification of multiple users belonging to CUA Central
• Bug 819609 - Publisher channel role and profile assignment polling is stopped when the channel is disabled
• Bug 824032 - Publisher Channel role or profile assignment for bulk users correctly processes for all users
• Bug 824543 - iDoc files are no longer re-processed on the Publisher channel when the driver is configured using the Remote Loader
• Bug 815959 - RPM and trace contents show the correct driver version
• Bug 819607 - Typc corrected in Publisher channel driver trace for Role and Profile Assignment polling
• Bug 824865 - Updated SAP User Management Base v2.1.0.20130424175903 Designer package readme
• Bug 818328 - Publisher channel no longer processes unnecessary additional iDoc files when a user's address and profiles/roles are modified
• Bug 786810 - No NullPointerException reported when the driver Publisher channel receives an iDoc with TRFC Jcoserver
• Bug 767479 - Returns correct information when locking a user
• Bug 764922 - Returns descriptive and meaningful error messages
• Bug 678610 - Returns an error when you try to add a role without sufficient rights
• Bug 603829 - Returns an error when you try to add a role that does not exist
• Bug 624137 - Returns descriptive and meaningful error messages
• Bug 620671 - Forces a user to change password on subsequent login despite the driver is set to no change
• Bug 615135 - issue fixed that was caused by SAP software patch that sent 'E' instead of 'S' or 'W' and caused the driver to fail
• Bug 631130 - USER_SET/ADMIN_SET password mode selection is no longer reversed for secondary connections