IBM Security Verify Governance Adapter for SAP Netweaver (R/3) with optional GRC support 10.0.6 is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright
International Business Machines Corporation 2008, 2024. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals was printed:
The IBM Security Verify Governance Adapter for SAP Netweaver (R/3) with optional GRC support is designed to create and manage accounts on a target SAP NetWeaver ABAP server. The adapter runs in "agentless" mode and communicates using standards BAPI and RFC methods supplied with the SAP server. Communication to these BAPI and RFC methods is enabled by the SAP Java Connector (Jco) API.
The IBM Security Verify Governance adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
Component |
Version |
Build Date |
2024 June 26 21.36.58 |
Adapter Version |
10.0.6 |
Component Versions |
Adapter build: 10.0.6.15 Profile: 10.0.6.15 Connector: 10.0.6.15 Dispatcher 7.1.39 and above (packaged separately) |
Documentation |
The following guides are available in the IBM Knowledge Centre:
|
New Features
Internal # |
Enhancement # (RFE) |
Description |
|
|
Items included in current release (10.0.6) |
|
|
None |
|
|
Items included in release (10.0.5) |
SVGAD-234 |
ADAPT-130 |
Support for SAP S/4 HANA On-Premises 2022 |
RTC 191012 |
ADAPT-I-187 |
Support for SAP NetWeaver 756 |
|
|
Items included in release (10.0.4) |
|
|
None |
|
|
Items included in release (10.0.3) |
|
|
None |
|
|
Items included in release (10.0.2) |
|
|
None |
|
|
Items included in release (10.0.1) |
|
|
Added support for JCo 3.1.4 |
|
|
Added support for JCo 3.0.21 |
|
|
Items included in 7.1.33 release |
RTC 185234 |
RFE 135338 (59543) |
SAP S/4 Adapter Note: Added support for SAP S/4 HANA On-premise |
|
|
Items included in 7.1.32 release |
RTC 181518 |
|
Attribute Values lookup Support -SAPNW Adapter added for IGI 5.2.5
See Limitation on to pick-up the value form drop-down list section for more information. |
|
|
Items included in 7.1.31 release |
|
|
Added support for JCo 3.0.18 |
|
|
Items included in 7.1.30 release |
RTC 174562 |
|
Support for SAP NW 752 |
RTC 162832 |
|
SAPGRC support on ISIMVA 7.0 . |
|
|
Items included in 7.1.29 release |
|
|
None |
|
|
Items included in 7.1.28 release |
|
|
None |
|
|
Items included in 7.1.27 release |
Internal |
|
Addition of the special flag attribute in targetProfile.json |
|
|
Items included in 7.1.26 release |
|
|
None |
|
|
Items included in 7.1.25 release |
|
|
None |
|
|
Items included in 7.1.24 release |
Internal |
|
SAP Authorization roles issue - SAP complexAttribute handler should set ID value for ComplexAttributeValue |
|
|
Items included in 7.1.23 release |
RTC 153839 |
|
Added support for JCo 3.0.16. Bug 2160 - Test connection issue on SAP NW adapter service failing with 'Password decryption failed' Bug 2262 - SAP NetWeaver CTGDIK220E Communication error with SAP R/3 |
|
|
Items included in 7.1.22 release |
RTC 151783 |
|
Add Support for Identity Governance and Intelligence (IGI) v5.2.2 This adapter is now designed for use with IBM Security Verify Governance Identity Manager, Privileged Identity Manager and Identity Governance and Intelligence
Note - SAPNetWeaver adapter does not support adapter inside VA functionality. It can't be install inside the identity Governance and Intelligence VA.
|
|
|
Items included in 7.0.21 release |
|
|
None |
|
|
Items included in 7.0.20 release |
RTC 142424 |
|
Support for SAP NW 750 |
96511 (46480) |
|
Support for Complex attribute handler for SAP Note: In order to use this feature, upgrade to IBM Security Verify Governance Identity Manager Version 7.0.1. |
RTC 142424 |
|
Support for SAP NW 750 |
|
|
Items included in 7.0.19 release |
Internal |
|
Changes for IGI 5.2 release Note: This change is applicable only to SAP NW adapter Change multi-value attributes to add/delete instead of replace:ersapnwprofile ,ersapnwgroup ,ersapnwusergroups |
|
|
Items included in 7.0.18 release |
Internal |
|
Role-only changes for IGI 5.2 release Note: This change is applicable only to SAP NW adapter |
|
|
Items included in 7.0.17 release |
|
|
Initial Release. |
Closed Issues
Internal# |
APAR# / Case# |
Description |
|
|
Items included in current release (10.0.6) |
SVGAD-1812 / Bug 4269 |
DT259225 / TS015170027 |
SAP NW Adapter updates the start date assigned from ISIM to the role to current date during the add account operation |
|
|
Items included in release (10.0.5) |
RTC 191157 / Bug 3997 |
APAR IJ45020 / TS011039530 |
CTGDIK219E Unable to execute RFC 'BAPI_USER_GET_DETAIL'. |
RTC 191178 / Bug 4005 |
APAR IJ45075 / TS011258133 |
SAP date mismatch |
RTC 191200 |
Internal-The supportingDataAttributeMapping is missing for SapNWProfileRole |
|
RTC 191262 / Bug 4027 |
TS011547968 |
Mail propagation to SAP in ISVG (Refer "Enforce User email attribute value to SAP account email attribute" under of Configuration section of this release notes) |
RTC 191094 / Bug 3981 |
TS010814849 |
SAP agent problem (Refer "Error messages and problem solving" under Troubleshooting section of this release notes) |
RTC 191339 / Bug 4042 |
TS012085411 |
Issue with semicolon being part of actual group/role values (Refer "Error messages and problem solving" under Troubleshooting section of this release notes) |
RTC 191351 / Bug 4045 |
TS012060252 |
Semicolon appended supporting data. (Refer "Error messages and problem solving" under Troubleshooting section of this release notes) |
|
|
Items included in release (10.0.4) |
RTC 190866 / Bug 3678 |
APAR IJ39958 |
TS007716657-ISIM SAP Netweaver Adapter touching all Person Roles |
RTC 190859 / Bug 3846 |
TS009093181-Conflict between SAP Netweaver Adapter 10.0.3.224 and SDI 7.2.0-ISS-SDI-LA0013 |
|
|
|
Items included in release (10.0.3) |
Bug 3679 |
TS007716127-ISIM SAP NetWeaver Adapter no more working with SAP Release SAPKB750PL22 |
|
Bug 3699 |
APAR IJ38186 |
TS007872092-SAP Netweaver adapter RFC_READ_TABLE error |
Bug 3683 |
TS007708821-SAP recons failing after SAP SP installed |
|
Bug 3684 |
TS007502136-IB connector fails to sync completely post clearing the cache |
|
Bug 3701 |
TS007665062-CTGDIK219E Unable to execute RFC 'RFC_READ_TABLE |
|
Bug 3705 |
TS007825681-SAP adapter Reconciliation failure |
|
Bug 3728 |
TS008140183-SAP Adapter and SAP note 382318 - RFC_READ_TABLE |
|
Bug 3678 |
TS007716657-ISIM SAP Netweaver Adapter touching all Person Roles |
|
Bug 3685 |
APAR IJ36581 |
TS007716687-SAP NetWeaver ISIM SAP NetWeaver Adapter using wrong query for security policies |
|
|
Items included in release (10.0.2) |
RTC 189316 Bug 3506 TS005321828 |
APAR IJ33437 |
SAPNW adapter reconciliation handled empty Title text values |
RTC 189593 Bug 3582 TS006202956 |
APAR IJ34206 |
ISIM adapter is not removing the ersapnwgroup attribute's value on SAP Target |
|
|
Items included in release (10.0.1) |
RTC 186645 Bug 3223 TS003587391 |
APAR IJ24818 |
SAP account modify fails See Configure adapter to send only role name section for more information. |
RTC 186958 Bug 3212 TS003621735 |
APAR IJ25031 |
ISIM SAP adapter - missing xsl |
|
|
Items included in 7.1.33 release |
RTC 185813 Bug 2826 TS001794649 |
APAR IJ22247 |
Instable connection to our SAP-Instances. |
RTC 185399 Bug 3097 TS002868452 |
Change xsl files to use PARAMETER1 instead of PARAMETER, where ever required.
|
|
|
|
Items included in 7.1.32 release |
RTC 177771 |
Bug 2533 |
PMR TS000088851 SAP NW Adapter: Warning is logged when modifying account more than 6 attributes |
RTC 181544 |
|
Internal : Modify SAPNWMapping.def file for identity_uid=identity_uid mapping |
|
|
Items included in 7.1.31 release |
RTC 178407 |
Bug 2678 |
IGI 5.2.4 SAP NetWeaver Code [4203] attribute should be multivalued |
RTC 173823 |
Bug 2682 |
Start and end date of SAP authorization roles is ignored while joining provisioning policies |
|
|
Items included in 7.1.30 release |
RTC 176181 |
IJ06626/BUG 2536
|
PMR TS000093857 Frequent error on multiple suspends to SAP instances.
D - As a SAP NW adapter developer I need to prevent frequent error on multiple suspends to SAP instances, Bugz 2536, APAR IJ06626 |
|
|
Items included in 7.1.29 release |
RTC 171786 |
IJ03346/BUG 2531
|
PMR TS000079006 SAP Adapter: Request is not retried and fails immediately when SAP server is not available
US - As a SAP NW adapter developer, I need to provide correct error messages |
|
IJ05019/ Bug 2573 |
PMR TS000134773 SAP Provisioning doesn't work for email attribute |
|
|
Items included in 7.1.28 release |
RTC 171627 |
IJ03216/Bug 2518 |
PMR TS000078215 End date of role is not set to SAP server. As a SAP NW adapter developer, I must ensure properly handling of '|' characters.
|
|
|
Items included in 7.1.27 release |
RTC 168608 |
Bug 2443 |
PMR 18368,035,649 Adapter password is missing As a SAP NW adapter developer, I must ensure the adapter properly handles SAP JCo caching |
|
|
Items included in 7.1.26 release |
|
|
None |
|
|
Items included in 7.1.25 release |
RTC 161746 |
|
AGC - Connector/Adapter SAP Remove Permission system SAP CUA |
|
|
Items included in 7.1.24 release |
RTC 158750 |
IV94659/Bug 2302 |
PMR 03339,070,724 SAP Authorization Profiles with no description are not reconciled.
See Support data reconciliation as the language given on service form for more details. |
|
|
Items included in 7.1.23 release |
RTC 155022 |
IV90363/Bug 2193 |
PMR 18847,130,702/ ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP |
|
|
Items included in 7.1.22 release |
|
IV87049/Bugz 2103, Bugz 2109 |
PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled.
This version of adapter is modified to reconcile all the role names and will reconcile role description for role names in the language specified on the service form.
|
|
IV90363/Bugz 2193
|
PMR 18847,130,702/ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP.
This version of adapter is modified to reconcile child role names also which are not present on parent system.
|
|
Internal/Bug 2177 |
PMR 00519,070,724/ Confusing documentation about the support for the HR Linking extension |
|
|
Items included in 7.0.21 release |
|
IV87049/Bugz 2103, Bugz 2109 |
PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled. |
|
IV89133/Bugz 2155
|
PMR 62668,004,000/question about ersapnwusergroups attribute modify behavior |
|
|
Items included in 7.0.20 release |
|
|
None |
|
|
Items included in 7.0.19 release |
IV77638/Bugz1856 |
SAP NW Adapter modify role request fail, but ISIM LDAP entries updated with role info anyway. |
|
|
|
Items included in 7.0.18 release |
|
|
None |
|
|
Items included in 7.0.17 release |
|
|
Initial Release. |
Internal# |
APAR# |
Case# / Description |
SVGAD-2572
|
|
Full name attribute cannot be added / updated using the adapter because the Full name attribute is read only field in the target as well.
|
|
|
To use IGI with SAP GRC install the ARCS-SAP adapter agent on SAP resource. For more information, visit Introduction to the ARCS-SAP adapter agent at https://www.ibm.com/docs/en/sig-and-i/10.0.1?topic=sap-introduction-arcs-adapter-agent
|
|
|
The Adapter for SAP NetWeaver does not retrieve descriptive text from SAP for most support data classes.
|
|
|
Language Attribute under both Communication and Default tabs can be search only by language key, e.g. EN.
|
|
|
Modifying an account by reassigning a group that has been previously removed from the account is not working correctly. This appears to be a problem with standard SAP functionality.
|
|
|
Invalid email format (described in 4.1.7 Email Address) is not reported as error during add and modify operations
|
|
|
It is possible to change attributes on the non-CUA/CUA Master License Data tab only if the attribute "Contractual User Type" (ersapnwlicutype) is supplied in the Add or Modify operation request.
|
|
|
Recon with filter (eruid=*) is case sensitive due to RMI dispatcher limitation.
|
|
|
If custom extension xsl file is missing the operation hangs.
|
|
|
After modifying adapter service parameters in the IBM Security Verify Governance Identity Manager server, the dispatcher process hosting the adapter must be restarted.
|
|
|
The adapter reports error or failure status to IBM Security Verify Governance Identity Manager for all provisioning operations if a BAPI/RFC executed during the operation reports an error or failure. There are some cases when a SAP BAPI/RFC may report an error incorrectly. The BAPI/RFC actually executes successfully. One specific example is on user creation. If no user company addresses have been defined in SAP, the BAPI function BAPI_USER_CREATE1 reports an error to the adapter, but actually creates the user account in SAP. When the adapter reports the error to IBM Security Verify Governance Identity Manager, IBM Security Verify Governance Identity Manager server will not update the account in its repository resulting in an inconsistency between IBM Security Verify Governance Identity Manager and SAP. The incorrect error status indicator cases are reported to SAP support as they are identified, to be corrected by SAP in support packs. In the meantime, IBM Security Verify Governance Identity Manager users should leverage the full or filtered reconciliation features of IBM Security Verify Governance Identity Manager to maintain consistency between IBM Security Verify Governance Identity Manager and SAP repositories.
|
|
|
IBM Security Verify Governance Identity Manager converts date values to the local time zone of the user. As a result, there can be cases where dates returned from SAP via the adapter to IBM Security Verify Governance Identity Manager server appear to lose or gain a day. This occurs when any account attribute is modified in IBM Security Verify Governance Identity Manager. IBM Security Verify Governance Identity Manager will perform the time zone conversion as the modified account is being saved back into the IBM Security Verify Governance Identity Manager request queue for subsequent provisioning.
|
RTC 181535 |
|
Limitation on to pick-up the value form drop-down list
Currently, value for Attribute ersapnwusergroups (user group) cannot be picked from a drop-down list. We need to provide value for this attribute manually.
|
RTC 161745 |
|
Limitations in Changing Password in CUA system:
Adapter uses BAPI_USER_CHANGE to set and change user's password in the CUA's central system. The initial password is distributed to the child systems when a user is created. However, for password change, the adapter changes existing passwords only locally and will not change them in the central system i.e. the password change is not propagated to the child system due to BAPI limitation.
|
|
|
Limitations on Switching between Productive (Permanent) and Initial (Temporary) password
During modify operation; the existing password of the account will be modified to Productive if "Set Password as Productive" is checked. A modify operation is needed before a password change operation to change the status of "Set Password as Productive" flag. This is a send only attribute. The value of the flag won't be stored in ITIM/ISIM.
|
|
|
Limitations on support for SAP Productive Passwords
1. SAP versions supported by the adapter require SNC to be enabled to set productive passwords. 2. In a CUA environment, the adapter cannot set the password to be productive due to a limitation in the SAP interface.
|
|
|
In CUA deployments, the adapter must be configured against the CUA master system. All attributes of accounts are managed via the master system. For all attributes except roles and profiles, the adapter will manage and synchronize account attribute state against the CUA master.
|
|
|
When assigning a CUA child system to a user account, if the user account has group assignments, and at least one of those groups does not exist on the CUA child, then the account will not be created on the child. This is a limitation with SAP CUA implementation, and is reproducible using the native SAP user management transaction SU01.
|
|
|
Country attribute under Person Tab depends on attribute Company from the same tab. After recon value of attribute Country might be changed to correspond to Company address.
|
|
|
In CUA environments, when assigning role/profile from master or child systems to user without system assignment, SAP automatically creates an associated CUA system assignment. IBM Security Verify Governance Identity Manager will not have visibility of the automatically assigned CUA system assignment until next reconciliation for the user.
|
|
|
When performing a filtered reconciliation, the filter value must be defined in uppercase (e.g.(eruid=USER1) ). This is due to an inconsistency within the BAPI methods for user management provided by SAP. This limitation affects retrieval of CUA profiles assigned to the requested user account.
|
|
|
In CUA environments there is no known method for distinguishing a composite role from a noncomposite role. This means that reconciliation will return all roles from a CUA implementation.
|
|
|
SAP allows different telephone numbers to be set as the "Primary telephone number", such as the Mobile Phone number. During reconciliation, SAP will return the Mobile phone number as the Primary telephone number if a Telephone number has not been defined for an account in SAP.
|
|
|
Role assignment modification does not work when attempting to simultaneously add a directly assigned single role while removing a composite role which also contains the given single role. It is recommended to perform this operation as two separate steps, i.e. remove the composite role, then add the single role.
|
|
|
The HR Personnel number attribute is no longer supported. This attribute is present on the account form to allow adoption of the sample ABAP extension for HR Linking.
|
|
|
The ABAP extension for password management is no longer supported. As a result, the adapter manages account passwords in accordance with the default features and constraints supported by SAP. Further to this, SAP does not enable external code components, such as this adapter, to distribute productive password changes within a CUA environment. Please refer to the following SAP notes for additional background, details and limitations: 376856, 830493, 1287410, 991968, 1300104.
|
|
|
Last Logged in Date attribute will always be on the same time zone, as of SAP NetWeaver Server's time zone. |
This version of adapter is modified to reconcile support data as per the language given on service form. The details are as below: -
E.g. Academic title, Company, User group, Menu, Output device, Parameter, User type.
E.g. Roles and Profiles.
E.g. Timezone, Country, Language, Security Policy, Special version, Title, Type.
Multi Byte Character Support Limitations
All character data transferred between IBM Security Verify Governance Identity Manager Server, the adapter, and SAP ABAP server are encoded as UTF-8. The adapter supports provisioning of multi byte characters to and from a directly connected SAP ABAP Unicode server. Provisioning of ASCII characters is supported for Non-Unicode SAP ABAP servers. The adapter does not support provisioning of multi byte characters to any Non-Unicode ABAP server. Extended ASCII characters are not tested or supported for Non-Unicode SAP ABAP servers.
Non Transactional Provisioning
The adapter does not execute provisioning operations within a transactional context. Some provisioning operations require multiple steps to be executed against the SAP server. A consequence of this situation is that errors or warnings which occur after the first step may result in a partially complete provisioning operation. A possible method to handle for this limitation is to use the IBM Security Verify Governance Identity Manager workflow features to execute compensating actions. For example, issue a filter reconciliation for the given user account in order to synchronize the account state between IBM Security Verify Governance Identity Manager and the target server.
Enable Deactivated Password on Modify Limitation
The "Deactivate password" attribute is supported by both the Add and Modify operation. Enabling this attribute on the account form will cause the password for an account to be deactivated in SAP. However, disabling the "Deactivate password" flag is NOT supported in the modify operation. The adapter will not enable the password for an account if the "Deactivate password" flag is unchecked on a modify operation. To re-enable a deactivated password for an account, a request to change the password for the account must be made instead. The state of the disable password flag in IBM Security Verify Governance Identity Manager will not be synchronized until reconciliation is performed.
SAP Adapter Extension Function for HR Linking is no longer supported
Earlier version of SAP adapter had included optional ABAP extension functions for HR Linking, Account Locking, and Productive Password setting and synchronization. Since there are no BAPIs or APIs to do the HR link, adapter code used to directly access SAP tables. However, SAP does not recommended accessing SAP tables directly. Therefore even though the source code sample versions of the extensions are included in adapter package, support for HR linking has been stopped.
SAP Connection parameters not marked as required in the Service form
SAP connection parameters are not marked as required because, adapter can create connection with SAP Netweaver server using either the provided service form attributes or by using the optional RFC parameter attribute present in service form.
See the Installation and Configuration guide for IBM Security Verify Adapter for for detailed instructions.
Corrections to Installation guide:
No updates for the current release
Please consult the release notes for the currently supported versions of the below products
Directory Integrator:
Remove 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019 from the description
Identity server Verify
Governance Server:
Update description as below:
The following servers are supported:
- IBM Security Verify Governance Identity Manager
- IBM Security Verify Governance
SAP JCo:
Remove the description
You can install an IBM Security Verify Governance Adapter or a custom adapter on the built-in Security Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance.
Procedure
1. Download
the adapter package from the IBM Passport Advantage.
For example, Adapter-<Adaptername>.zip.
The adapter package includes the following files:
Table 1. Adapter package contents |
|
Files |
Descriptions |
bundledefinition.json |
The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter. |
Adapter JAR profile |
A Security Directory Integrator adapter always include a JAR profile which contains: · targetProfile.json o Service provider configuration o Resource type configuration o SCIM schema extensions o List of assembly lines · A set of assembly lines in XML files · A set of forms in XML files · Custom properties that include labels and messages for supported languages.
Use the Target Administration module to import the target profile. |
Additional adapter specific files |
Examples of adapter specific files: · Connector jar files · Configuration files · Script files · Properties files
The file names are specified in the adapter definition file along with the destination directory in the virtual appliance. |
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3. Select
the instance of the Security Directory Integrator for which you want to manage
the adapters and click Manage > SDI Adapters
The SDI Adapters window is displayed with a table that list the name, version,
and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5. On
the File Upload window, click Browse to locate the adapter package and
then click OK.
For example, Adapter-<Adaptername>.zip.
6. Provide the missing 3rd party libraries when prompted.
a. On
the File Upload for Pre-requisite files window, click Select Files.
A new File Upload window is displayed.
b. Browse and select all the missing libraries. For example, sapjco3.jar
c. Click
Open.
The selected files are listed in the File Upload for Pre-requisite files
window.
d. Click
OK.
The missing files are uploaded and the adapter package is updated with the 3rd
party libraries.
7. Enable secure communication.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Edit.
c. Click the Enable SSL check box.
d. Click Save Configuration.
8. Import the SSL certificate to the IBM® Security Directory Integrator server.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Manage > Certificates.
c. Click the Signer tab.
d. Click
Import.
The Import Certificate window is displayed.
e. Browse for the certificate file.
f. Specify a label for the certificate. It can be any name.
g. Click Save.
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
About this task (Corrections to existing details)
The SAP NetWeaver Adapter is tested
and certified by using Java Connector, version 3.0.13 (Refer SAP JCo
certified versions details in the release notes).
Note: SAP might release a
newer version of JCo before the next release of the adapter and might remove
JCo version 3.0.13, listed in SAP JCo Certified versions of the Adapter
release notes, from download. The newer version of JCo might work as is with
the adapter. If there are any issues that are related directly to the newer
version of JCo, it will be addressed in the next release of the adapter.
Procedure (Corrections to existing details)
Windows:
On Windows, JCo 3 requires
additional Microsoft Visual C++ 2005 libraries to be installed. Installation
details for the package that contains these libraries are specified in
Microsoft Knowledge Base article 973544. On Windows platform, JCo requires
Visual Studio runtime libraries to be installed on the system. Consult the
release notes for the currently required versions.
Before you begin:
The Dispatcher must be installed
Procedure:
Copy the files from ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>\swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
Take backup of adapter binaries or connector
Procedure:
Take backup of below files before performing upgrade:
<SDI-HOME>/jars/connectors/SapNWSupport.jar
<SDI-HOME>/jars/connectors/SapNWUserConnector.jar
<SDI-HOME>/jars/functions/SapNWRfc.jar
Note: Stop the dispatcher service before the upgrading the connector and start it again after the upgrade is complete.
Upgrade adapter binaries or connector
Procedure:
Copy tdi/connectors/*.jar from the adapter package to the <SDI-HOME>/jars/connectors directory
Copy tdi/functions/*.jar from the adapter package to the <SDI-HOME>/jars/functions directory
Take backup of xsl files
Procedure:
Take backup of below directory before performing upgrade:
<SDI-HOME>/timsol/xsl
Upgrade xsl files
Procedure:
Copy tdi/xsl directory from the adapter package to the <SDI-HOME>/timsol directory.
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There are two adapter profiles included in the SAP NetWeaver Adapter distribution package: SapNWProfile.jar and SapGRCNWProfile.jar.
The difference between the two profiles is that the SapGRCNWProfile.jar contains additional attributes that allow the adapter to be configured with SAP GRC Access Control (Refer release notes for supported version details).
If only the SAP NetWeaver Adapter is to be used, then use SapNWProfile.jar.If SAP GRC is to be used as part of the SAP NetWeaver account provisioning process, then use SapGRCNWProfile.jar.
If IBM Security Verify Governance Identity Manager contains an existing SAP NW profile and the SAP NW GRC profile is to be imported, the SAP NW GRC profile will overwrite the SAP NW profile.
The SAP NW GRC profile contains both the SAP GRC attributes and the SAP NW attributes in the one profile. It is not possible for both a SAP NW profile and SAP NW GRC profile to exist in the same IBM
Security Identity Manager instance.
Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
This step is only applicable only if you are using ISIM or ISVGIM
Take backup of SAPHandler.jar files
Procedure:
Take backup of below file before performing upgrade:
<ISIM-HOME>/lib/SAPHandler.jar
Upgrade xsl files
Procedure:
Copy SAPHandler.jar file from the adapter package to the <ISIM-HOME>/lib directory.
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# # Protocols to enforce SSL protocols in a SDI Server
# # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2). # # This can be a multi-valued comma separated property
# # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# # This is a single value property.
#####################
-
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
There could be roles assigned to users through the HR Organization Management and indicated by ORG_FLAG='C'. The adapter does not return these role assignments by default. To configure the adapter to return these assigned roles, follow the steps below:
1. On the system running the Dispatcher, local file xsl\ns_bapi_user_getdetail_postcall.xsl under timsol folder.
2. Modify file xsl\ns_bapi_user_getdetail_postcall.xsl as follow:
FROM:
<ersapnwagrname>
<xsl:apply-templates select="./item[string-length(./ORG_FLAG) = 0]" />
</ersapnwagrname>
TO:
<ersapnwagrname>
<xsl:apply-templates select="./item"/" />
</ersapnwagrname>
3. Restart the Dispatcher
Enforce User email attribute value to SAP account email attribute (This section is applicable only for IBM Security Verify Governance Product)
Note: The attribute ersapnwemailaddress is defined as a multi-value attribute in SAP NW Account attribute and hence User email attribute value cannot be enforced to it. To enforce User email attribute value to ersapnwemailaddress attribute, ensure that you will always have only single email address in SAP target.
1. Extract targetProfile.json, schema.dsml and ersapnwaccount.xml files from SapNWProfile.jar file:
jar xf SapNWProfile.jar SapNWProfile/targetProfile.json SapNWProfile/schema.dsml SapNWProfile/ersapnwaccount.xml
2. Update targetProfile.json file as below:
*********************************************************
From:
"name": "ersapnwemailaddress",
"type": "string",
"multiValued": true,
To:
"name": "ersapnwemailaddress",
"type": "string",
"multiValued": false,
*********************************************************
3. Update schema.dsml file as below:
*********************************************************
From:
<attribute-type single-value = "false" >
<name>ersapnwemailaddress</name>
To:
<attribute-type single-value = "true" >
<name>ersapnwemailaddress</name>
*********************************************************
4. Update ersapnwaccount.xml file as below:
*********************************************************
From:
<formElement direction="inherit" label="$ersapnwemailaddress" name="data.ersapnwemailaddress">
<editableTextList><comboItem label="$ersapnwemailaddress" name="data.ersapnwemailaddress"><size></size><width>300</width></comboItem></editableTextList>
</formElement>
To:
<formElement direction="inherit" label="$ersapnwemailaddress" name="data.ersapnwemailaddress">
<input type="text" name="data.ersapnwemailaddress"/>
</formElement>
*********************************************************
5. Update targetProfile.json, schema.dsml and ersapnwaccount.xml files into SapNWProfile.jar file:
jar uf SapNWProfile.jar SapNWProfile/targetProfile.json SapNWProfile/schema.dsml SapNWProfile/ersapnwaccount.xml
6. Login to IBM Security Verify Governance and import updated SapNWProfile.jar
7. Navigate to Enterprise Connectors --> Manage --> Connectors --> SAP Service Instance --> Driver Attributes List --> Actions --> Automatic Add
8. Navigate to Access Governance Core --> Account Configurations --> SAP Service Instance --> Target Attributes --> Remove existing ersapnwemailaddress attribute and add it again. (This is required to update the attribute from multi-valued to single-valued.)
9. Enforce user email attribute to ersapnwemailaddress attribute.
Note: Default value for ersapnwemailaddress attribute needs to be set in "X|{Email}|X|001" format as ersapnwemailaddress is a complex attribute. Please refer Special Attributes section for more details about ersapnwemailaddress attribute.
The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.
Customizing and extending adapters requires several skills. The developer must be familiar with the following concepts and skills:
- IBM Security Verify Governance Identity Manager administration
- IBM Security Verify Governance administration
- IBM Security Directory Integrator management
- Security Directory Integrator Assembly Line development
- LDAP schema management
- Working knowledge of Java scripting language
- Working knowledge of LDAP object classes and attributes
- Working knowledge of XML document structure
Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and working knowledge of Java programming language.
Support for custom adapters
The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a Support Case is opened.
Procedure: (Update the steps as below)
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011 (To enable TCB block in debug)
4. Append the line com.ibm.di.logging.close=false in the <SDI_HOME >/etc/global.properties file.
5. Start the SDI Server process
6. Re-create the problem and collect the /logs/ibmdi.log
(Add another entry in the "Table 1. Error messages and problem descriptions")
Error messages |
Problem descriptions |
Reconciliation fails with " CTGDIK219E Unable to execute RFC 'RFC_READ_TABLE'. The message is: 'OPTION_NOT_VALID'" error in ibmdi.log file
OR
Reconciliation fails with "java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 2" error in ibmdi.log file
OR
Reconciliation is successful but SAP permissions are returned with semicolon (;)
OR
Reconciliation is successful but SAP permissions are returned with permission name and description in incorrect sequence |
Below SNOTE should be applied in the given sequence in the SAP Target: SNOTE 2246160 SNOTE 3139000 |
Chapter 7: Reference
No updates for the current release
Installation Platform
The IBM Security Verify Governance Adapter for was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server, the following SDI releases are the officially supported versions:
· Security Directory Integrator 7.2 + FP12
· Security Verify Directory Integrator 10.0 + FP1 (Only on-prem version is currently supported)
Note: Earlier SDI supported versions may function properly, however, to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.
Managed Resource:
The following SAP ABAP Basis versions running anywhere on the network are supported:
Following SAP S/4 HANA On-Premise version running anywhere on the network are supported:
The adapter supports SAP CUA environments. If CUA is configured the adapter must be deployed against the central CUA master system.
Refer to section "Multi Byte Character Support Limitations" above regarding unicode support limitations.
SAP PATCHES:
The following minimum patch levels, by SAP release version, are required:
SAP Release Software Component Support Package
750 SAP_BASIS SAPK-75022INSAPBASIS (with SNOTE 2246160 and 3139000)
756 SAP_BASIS - (Initial release with SNOTE 2246160 and 3139000)
757 SAP_BASIS SAPK-75701INSAPBASIS
Below versions haven't been explicitly certified with this adapter release, however these are expected to work with this adapter release. If you experience a problem with below versions, you can open a PMR with IBM:
SAP Release Software Component Support Package
700 SAP_BASIS SAPKB70040
701 SAP_BASIS SAPKB70125
702 SAP_BASIS SAPKB70225
731 SAP_BASIS SAPKB73133
740 SAP_BASIS SAPKB74030
750 SAP_BASIS SAPK-75028INSAPBASIS
751 SAP_BASIS SAPK-75116INSAPBASIS
752 SAP_BASIS SAPK-75212INSAPBASIS
753 SAP_BASIS SAPK-75310INSAPBASIS
754 SAP_BASIS SAPK-75408INSAPBASIS
755 SAP_BASIS SAPK-75506INSAPBASIS
756 SAP_BASIS SAPK-75604INSAPBASIS
757 SAP_BASIS SAPK-75701INSAPBASIS
Specifically, the SAP system must be patched with corrections from SAP notes 992375, 994415, 1101858 and 1636845.
SAP JCo certified:
JCo 3.1.7
Note: SAP NW Adapter was tested and certified using JCo v3.1.7. SAP may release
a newer version of JCo since then and for reasons unknown, SAP may not make JCo
v3.1.7 available for download. The newer version of JCo may work as is with the
adapter. However, if there are any issues related directly to the newer
version of JCo, it will be addressed in the next release of the adapter. On
Windows platforms, JCo 3.1 requires the Visual Studio 2013 C/C++ runtime
libraries to be installed on the system. If not present, download and install
the "Visual C++ 2013 Redistributable Package" from the Microsoft
knowledge base article 4032938 and choose the package, which corresponds to the
used Locale and JVM bit-width (x64 for 64-bit or x86 for 32-bit).
SAP GRC Access Control certified:
SAP GRC Access Control 10.0
Supported IBM Security Verify servers:
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could
include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated
in new editions of the publication. IBM may make improvements and/or changes in
the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM
Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to
appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM,
the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes