A.1 Driver Configuration

In Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Driver Configuration.

In iManager:

  1. In iManager, click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the Sentinel driver icon, then click the upper right corner of the driver icon to display the Actions menu.

  4. Click Edit Properties to display the driver’s properties page.

    By default, the properties page opens with the Driver Configuration tab displayed.

The Driver Configuration options are divided into the following sections:

A.1.1 Driver Module

The driver module changes the driver from running locally to running remotely or the reverse.

Java: Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally.

The name of the Java class is: com.novell.nds.dirxml.driver.sapumshim.SAPDriverShim

Native: This option is not used with the SAP User Management driver.

Connect to Remote Loader: Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:

  • Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the SAP User Management driver.

  • Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.

A.1.2 Driver Object Password

Driver Object Password: Use this option to set a password for the driver object. If you are using the Remote Loader, you must enter a password on this page or the remote driver does not run. This password is used by the Remote Loader to authenticate itself to the remote driver shim.

A.1.3 Authentication

The authentication section stores the information required to authenticate to the connected system.

Authentication ID: Specify an SAP account that the driver can use to authenticate to the SAP system.

Example: SAPUser

Authentication Context: Specify the IP address or name of the SAP server the driver should communicate with.

Remote Loader Connection Parameters: Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where the hostname is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Identity Manager engine.

Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate
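The following check is an added example, not part of the original driver documentation. It parses a Remote Loader connection-parameter string and reports missing or malformed entries, including a missing kmo, which means the string does not configure SSL for the link to the Remote Loader. The function names are hypothetical, and the use of shell-style quoting for values containing spaces is an assumption.

```python
import shlex

# Keys described on this page for the Remote Loader connection string.
DOCUMENTED_KEYS = {"hostname", "port", "kmo"}


def parse_connection_params(text):
    """Split 'key=value key=value' into a dict; reject malformed tokens."""
    params = {}
    # Assumption: values with spaces are quoted shell-style, e.g. kmo='My Cert'.
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed token: {token!r}")
        if key in params:
            raise ValueError(f"duplicate key: {key!r}")
        params[key] = value
    return params


def audit_connection_params(text):
    """Return a list of findings for one connection-parameter string."""
    params = parse_connection_params(text)
    findings = []
    if "hostname" not in params:
        findings.append("hostname missing")
    port = params.get("port")
    if port is None:
        findings.append("port missing (Remote Loader default is 8090)")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port invalid: {port}")
    if "kmo" not in params:
        findings.append("kmo missing: no SSL configured to the Remote Loader")
    # A mistyped key (for example 'kom') would otherwise go unnoticed.
    for key in sorted(set(params) - DOCUMENTED_KEYS):
        findings.append(f"key not described on this page: {key}")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first is the example string from this page.
    for sample in ("hostname=10.0.0.1 port=8090 kmo=IDMCertificate",
                   "hostname=10.0.0.1 port=8090",
                   "hostname=10.0.0.1 port=80900 kom=IDMCertificate"):
        print(sample, "->", audit_connection_params(sample) or "ok")
```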

Application Password: Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password: Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

Cache limit (KB): Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click Unlimited to set the file size to unlimited in Designer.

A.1.4 Startup Option

The Startup Option allows you to set the driver state when the Identity Manager server is started.

Auto start: The driver starts every time the Identity Manager server is started.

Manual: The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.

Disabled: The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.

Do not automatically synchronize the driver: This option only applies if the driver is deployed and was previously disabled. If this is not selected, the driver re-synchronizes the next time it is started.

A.1.5 Driver Parameters

The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The parameters are presented by category:

Driver Options

Connection Type: Specify the connection that this driver will use. The options are MSGServer and APPServer. By default, APPServer is selected. This allows the driver to directly connect to the SAP application server. MSGServer allows the driver to use the load balancing feature of SAP.

SAP System Number: This option is displayed only if you select APPServer as the connection type.

Specify the SAP system number of the SAP application server. This is referred to as the System Number in the SAP logon properties. The default value is 00.

Logon Group: This option is displayed only if you select MSGServer as the connection type.

Specify the logon group to which your application server instance is assigned. The assignment can be found using the SMLG transaction.

SAP System ID: Specify the SAP system ID of the SAP application server. The system ID is found in the SAP GUI status bar located in the lower right corner of the main window.

This option is used to generate the realm for Account Tracking. The system ID is usually a three-character string that uniquely identifies an SAP system in the SAP system landscape. The realm must be unique per application type.

For example:

\<system ID>\<system number>\<client number>
\S71\00\800

SAP User Client Number: Specify the client number to be used on the SAP application server. This is referred to as the Client in the SAP logon screen.

SAP Client Type: Select the client type the driver is connecting to:

  • Non-CUA Client: If the client you are connecting to is not a CUA Central client and is not a CUA Child client, select this option.

  • CUA Central: If you are connecting to the CUA Central client, select this option.

  • CUA Child: If you are connecting to a CUA Child client, select this option.

The fan-out policies must know what type of client they are communicating with so they can generate the correct events. For example, most of the attributes in a CUA Child client are synchronized through the CUA Central client.

Logical System Name (of CUA Central Client): This option is displayed only if you select CUA Child. Specify the logical system name of the CUA Central client that manages this client.

The fan-out policies must know which client is the Central client of a CUA Child client, so that they can generate correct events. For example, most of the attributes in a CUA Child client are synchronized through the CUA Central client.

Logical System Name: This value must match the Logical System Name for the client as configured in SAP if this SAP client is the central client in the CUA landscape. Otherwise, the value can be chosen freely, with the one constraint that it must be unique.

SAP User Language: Specify the language code this driver will use for the SAP session. This is referred to as the Language in the SAP logon screen.

Available Languages: Specify a list of all of the languages installed on your SAP system. All the languages you specify in this list are made available in external applications such as Identity Applications, so that the application can render the UI accordingly.

Character Set Encoding: The code for the character set to translate IDoc byte-string data into Unicode strings. An empty value causes the driver to use the host JVM default.

Publish all Communication Table Values: Set this to Publish Primary if only the primary value of Communicate tables should be synchronized. Set it to Publish All if all values should be synchronized.

Publish Company Address Data: By default, an SAP User record does not include Company Address information. That data is kept in a related table. Use this parameter to specify if you want the driver to retrieve the data from the appropriate company record. Regardless of the option you specify, Company Address information cannot be updated in SAP.

Set this to Include Company Address to populate User Company Address information for the Publisher and Subscriber channel queries. Set it to Ignore Company Address if you do not want this functionality.

For additional information, see Obtaining Company Address Data for User Objects.

Change retry status to error on subscriber events: When this option is set to Yes, the driver shim issues an error instead of a retry on Subscriber operation results. Use this setting with caution. When you run the driver in fan-out mode, it is strongly recommended to turn this feature on; otherwise, leave it off.

SAP SNC mode: By default, the driver does not use Secured Network Connection (SNC) enabled communication with the SAP system. When you select this option, the SAP system knows that an SNC environment is in operation and it opens a secured port where it accepts an SNC-protected connection from the driver. For information about SNC, see Configuring Secure Network Communications.

Path to library which provides SNC service: When using SNC, you must set the path to the SAP Cryptographic Library you are using to provide the secure network connection service. For example: C:\secude.dll

SNC name: Specifies the SNC name of the driver’s Personal Security Environment (PSE) that was created for RFC connections while configuring SNC in the SAP system. For example, p:CN=RFC, OU=IT, O=CSW, C=DE.

SNC partner name: Specifies the SNC name of the SAP system (Server PSE). For example, p:CN=IDS, OU=IT, O=CSW, C=DE.

The driver uses this value to verify and authenticate the SAP system, and to store public-private key pairs and public-key certificates. This is the value of the snc/identity/as parameter in the SAP system profile.

SNC level of security: Specifies the level of data protection for secure network connections initiated between the driver and the SAP system. Security level support is provided by the SAP Cryptographic Library. By default, the value is 9.

Subscriber Options

Communication Table Comments: The communication table comment is a text comment the driver adds to all Communication Table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment to the table entries.

Require User To Change Set Passwords: This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set only by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users).

Select Change Required if passwords must be changed immediately at the user’s next login. Select No Change Required if you do not want users to change passwords immediately at login.

  • Password Set Method: Select the methodology used by the driver to set the user account passwords. The options are Administrator Set and User Set.

  • Default Reset Password: Specify a default password reset value. It is set during the password changes if the user-supplied password is not accepted by the SAP server. There is an 8-character size limit for this value.

  • Reset Password Delay (seconds): Specify the number of seconds between setting the Administrative default password and setting the user’s new password.

  • Force Password to Upper Case: Select an option to determine if passwords are forced to be uppercase. mySAP 2005 and later allow mixed-case passwords.

Support Password Set for Non-Dialog Users: Select if the driver sets passwords for non-Dialog user types (Communication, System, Service, and Reference) via the Subscriber channel.

Use Local Locking: Select Yes to lock accounts locally in this client. Local locking requires additional configuration in the SAP system. Select No to lock accounts globally, which locks all accounts in the CUA Child clients if the account in the CUA Central client is locked.

In a non-CUA environment, ensure that this option is set to No.

SAP Server Secondary Connection Information: If you are using a fan-out configuration, use this setting to add secondary connection profiles here. For more information, see the NetIQ Identity Manager Driver for SAP User Management Fan-Out Implementation Guide.

Publisher Options

Publisher Channel Enabled: Select whether or not you want to enable the driver’s Publisher channel.

Publisher Channel Port Type: Set this to TRFC if the driver will instantiate a JCO Server to receive data distribution broadcasts from the SAP ALE system. Set it to FILE if the driver will consume text file IDocs distributed by the SAP ALE system.

  • SAP Gateway ID: Specify the SAP Gateway that distributes user data to the driver.

  • TRFC Program ID: Specify the Registered Program ID that is used by the driver. This value is specified in the SAP port definition.

  • Generate TRFC Trace Files: Select whether the JCO server TRFC tracing is enabled.

Logical System for User Distribution: Specify the logical system name configured in SAP for user distribution to the Identity Manager driver. Publication works only if the Publisher channel is enabled and the driver’s primary connection goes to a CUA Central client.

Poll Interval (seconds): Specify how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds.

Future-dated Event Handling Option: Select one of the options to determine when future-dated data is published by the driver.

Publisher IDoc Directory: Specify the file system location where the SAP User IDoc files are placed by the SAP ALE system (for FILE port) or by the driver (for TRFC port).

Role and Profile Assignment Polling Interval: Specify how often the Publisher channel polls for the latest Role and Profile assignment changes. The default value is 2 minutes. To turn off this option, set it to zero.

IMPORTANT: This option is applicable only for SAP NetWeaver 7.3 or later. When this option is set, ensure that the Identity Manager and SAP system times are synchronized. Setting this option may cause extra polling on the Publisher channel for an unassociated SAP user's role or profile changes. However, the driver detects if the Publisher channel is enabled, connected to the correct SAP system, and has a valid polling interval before starting polling.

Publisher heartbeat interval: Configures the driver shim to send a periodic status message on the Publisher channel when there has been no Publisher traffic for the given number of minutes.

A.1.6 ECMAScript

Displays an ordered list of ECMAScript resource files. The files contain extension functions for the driver that Identity Manager loads when the driver starts. You can add additional files, remove existing files, or change the order in which the files are executed.

A.1.7 Global Configurations

Displays an ordered list of Global Configuration objects. The objects contain extension GCV definitions for the driver that Identity Manager loads when the driver is started. You can add or remove the Global Configuration objects, and you can change the order in which the objects are executed.