
SAP GRC Access Control 5.3

Document Version 1.20 - December 2008

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

Installation Guide


© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP Library document classification: PUBLIC

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/instguides


Terms for Included Open Source Software

This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

This software was developed using ANTLR.

SAP License Agreement for STLport


between

SAP Aktiengesellschaft
Systems, Applications, Products in Data Processing
Neurottstrasse 16
69190 Walldorf
Germany
(hereinafter: SAP)

and

you
(hereinafter: Customer)

1. Subject Matter of the Agreement

a. SAP grants Customer a non-exclusive, non-transferable, royalty-free license to use the STLport.org C++ library (STLport) and its documentation without fee.

b. By downloading, using, or copying STLport or any portion thereof Customer agrees to abide by the intellectual property laws, and to all of the terms and conditions of this Agreement.

c. The Customer may distribute binaries compiled with STLport (whether original or modified) without any royalties or restrictions.

d. Customer shall maintain the following copyright and permission notices on STLport sources and its documentation unchanged:

Copyright 2008 SAP AG

e. The Customer may distribute original or modified STLport sources, provided that:

The conditions indicated in the above permission notice are met;

The following copyright notices are retained when present, and conditions provided in accompanying permission notices are met:

Copyright 1994 Hewlett-Packard Company
Copyright 1996,97 Silicon Graphics Computer Systems, Inc.
Copyright 1997 Moscow Center for SPARC Technology.
Copyright 1999,2000 Boris Fomitchev
Copyright 2001 SAP AG

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Boris Fomitchev makes no representations about the suitability of this software for any purpose. This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with the above copyright notice.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. SAP makes no representations about the suitability of this software for any purpose. It is provided with a limited warranty and liability as set forth in the License Agreement distributed with this copy. SAP offers this liability and warranty obligations only towards its customers and only referring to its modifications.

2. Support and Maintenance

SAP does not provide software maintenance for the STLport. Software maintenance of the STLport therefore shall be not included.

All other services shall be charged according to the rates for services quoted in the SAP List of Prices and Conditions and shall be subject to a separate contract.

3. Exclusion of warranty

As the STLport is transferred to the Customer on a loan basis and free of charge, SAP cannot guarantee that the STLport is error-free, without material defects or suitable for a specific application under third-party rights. Technical data, sales brochures, advertising text and quality descriptions produced by SAP do not indicate any assurance of particular attributes.

4. Limited Liability

a. Irrespective of the legal reasons, SAP shall only be liable for damage, including unauthorized operation, if this (i) can be compensated under the Product Liability Act or (ii) if caused due to gross negligence or intent by SAP or (iii) if based on the failure of a guaranteed attribute.

b. If SAP is liable for gross negligence or intent caused by employees who are neither agents or managerial employees of SAP, the total liability for such damage and a maximum limit on the scope of any such damage shall depend on the extent to which its occurrence ought to have anticipated by SAP when concluding the contract, due to the circumstances known to it at that point in time representing a typical transfer of the software.

c. In the case of Art. 4.2 above, SAP shall not be liable for indirect damage, consequential damage caused by a defect or lost profit.

d. SAP and the Customer agree that the typical foreseeable extent of damage shall under no circumstances exceed EUR 5,000.

e. The Customer shall take adequate measures for the protection of data and programs, in particular by making backup copies at the minimum intervals recommended by SAP. SAP shall not be liable for the loss of data and its recovery, notwithstanding the other limitations of the present Art. 4 if this loss could have been avoided by observing this obligation.

f. The exclusion or the limitation of claims in accordance with the present Art. 4 includes claims against employees or agents of SAP.


Typographic Conventions

| Type Style | Represents |
|---|---|
| Example Text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation |
| Example text | Emphasized words or phrases in body text, titles of graphics and tables |
| EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE. |
| Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools. |
| Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. |
| <Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries. |
| EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key. |

Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax


Document History

This guide is regularly updated on SAP Service Marketplace at http://service.sap.com/instguides -> SAP Business Objects -> SAP Solutions for GRC -> SAP GRC Access Control -> SAP GRC Access Control 5.3.

Make sure you have the latest version of this guide by checking SAP Service Marketplace before starting the installation.

The following table provides an overview of the most important changes that were made in the latest versions.

| Version | Date | Important Changes |
|---|---|---|
| x | June 2008 | Initial release to customers. |
| x | September 2008 | Quality updates. |
| 1.20 | December 2008 | Host Machine Requirements -> Software Requirements. Updated Linux Enterprise Server to version 5.0. |
| | | Connecting a Standalone J2EE System to a Server, step 3. Changed apgw00 3300/tcp to sapgw00 3300/tcp. |

Contents

1 Introduction
  1.1 Implementation Considerations
  1.2 Naming Conventions
  1.3 Name Changes

2 Installation Planning
  2.1 Installation Checklists

3 Installation Preparation
  3.1 Software Requirements
  3.2 Documentation Requirements
  3.3 SAP Note Requirements
    If SAP_HR is Installed
    If SAP_HR is Not Installed
  3.4 Host Machine Requirements
  3.5 Information on the SAP Service Marketplace

4 Installing the Software
  4.1 Installing from Downloaded Files or CDs
  4.2 Installing the Real Time Agent
  4.3 Running Java Service Program Manager (JSPM)
  4.4 Troubleshooting
    4.4.1 Using the JSPM Log Viewer
    4.4.2 Tips for Troubleshooting in JSPM
    4.4.3 What To Do If the Installation Is Interrupted
    4.4.4 What To Do If the Installation Does Not Complete Successfully
  4.5 Completing the Installation

5 Post-Installation Configuration
  5.1 SAP GRC Risk Analysis and Remediation Configuration
    5.1.1 Creating JCo Connections to Backend Systems
    5.1.2 Importing Connector Data
    5.1.3 Importing Risk Analysis and Remediation Roles
    5.1.4 Defining a Master User Source
    5.1.5 Configuring the Background Job Daemon
  5.2 SAP GRC Compliant User Provisioning Configuration
    5.2.1 Importing SAP GRC Compliant User Provisioning Roles
    5.2.2 Assigning the Administrator Role
    5.2.3 Importing Configuration Data
  5.3 SAP GRC Enterprise Role Management Configuration
    5.3.1 Importing SAP GRC Enterprise Role Management Roles
    5.3.2 Defining the Administrator
    5.3.3 Importing Configuration Data
  5.4 SAP GRC Superuser Privilege Management Configuration
    5.4.1 Creating the Administrator Role
    5.4.2 Assigning the Administrator Role to a User
  5.5 Launch Pad
  5.6 Connecting a Standalone J2EE System to a Server

6 Post-System Copy Configuration
  6.1 SAP GRC Risk Analysis and Remediation
  6.2 UME Activities
  6.3 SAP GRC Compliant User Provisioning
  6.4 SAP GRC Enterprise Role Management Configuration
  6.5 SAP GRC Superuser Privilege Management Configuration

Appendix
  A. SAP GRC Access Control 5.3 Component Contents
  B. Using the Visual Administrator to Configure an SLD Data Supplier
  C. Configuring the Internet Graphics Server
  D. System Landscape
  E. Using Java Service Program Manager (JSPM)


1 Introduction

SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk across the enterprise, resulting in proper segregation of duties (SoD), lower costs, reduced risk, and better business performance.

The Access Control application includes the following four capabilities:

Risk Analysis and Remediation supports real time compliance to detect, remove, and prevent access and authorization risk by preventing security and control violations before they occur.

SAP GRC Compliant User Provisioning automates provisioning, tests for SoD risks, and streamlines approvals to unburden IT staff and provide a complete history of user access.

SAP GRC Enterprise Role Management standardizes and centralizes role creation and maintenance.

Superuser Privilege Management enables users to perform emergency activities outside their roles as a “privileged user” in a controlled and auditable environment.

SAP GRC Access Control supports companies in complying with Sarbanes-Oxley and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. It identifies and prevents SoD violations from being introduced without proper approval and mitigation by embedding preventive controls into business processes.

1.1 Implementation Considerations

As of SAP NetWeaver Release 2004s, Java Support Package Manager (JSPM) is used to implement support package stacks, Java support packages, and to install additional components such as SAP ERP, SAP Customer Relationship Management, and SAP Supplier Relationship Management.

Note: The Software Deployment Manager (SDM) is no longer used; however, if you have a previous version of SAP GRC Access Control installed, you must uninstall it with the SDM before you can install SAP GRC Access Control 5.3. For more information see the SAP GRC Access Control 5.3 Upgrade Guide.

If you want to install SAP GRC Access Control 5.3 in the context of the implementation of an SAP Business Suite or one of its business scenarios, you must familiarize yourself with that solution’s Master Guide before you begin the installation. The Master Guide is the central document for implementing SAP Business Suite solutions and scenarios. It lists the components and third-party applications that are required by each business scenario and refers to the appropriate installation and upgrade guides. It also defines the installation sequence for the business scenarios.


1.2 Naming Conventions

In this documentation, the following naming conventions apply:

Terminology and Variables

| Variables | Description |
|---|---|
| <SAPSID> | SAP system ID in uppercase letters |
| <sapsid> | SAP system ID in lowercase letters |
| <DBSID> | Database system ID in uppercase letters |
| <dbsid> | Database system ID in lowercase letters |
| <JSPM_INSTDIR> | Installation directory for the SAP installation tool JSPM |
| <INSTDIR> | Installation directory for SAP system |
| <CD-DIR> | Directory on which a CD is mounted |
| <OS> | Operating system name within a path |
| <installation_CD> | The CD from which you are installing |

The following examples show how the variables are used:

Log on as user <sapsid>adm and change to the directory /usr/sap/<SAPSID>. If your SAP system ID is C11, log on as user c11adm and change to the directory /usr/sap/C11.

Change to the directory <CD-DIR>/UNIX/<OS>. If the CD is mounted on /sapcd1 and your operating system is AIX, change to /sapcd1/UNIX/AIX_64.

1.3 Name Changes

The names of the SAP GRC Access Control 5.3 components have changed from the previous release. See the table below for the new names.

| Previous Name | SAP GRC Access Control 5.3 Name |
|---|---|
| Compliance Calibrator | SAP GRC Risk Analysis and Remediation |
| Access Enforcer | SAP GRC Compliant User Provisioning |
| Role Expert | SAP GRC Enterprise Role Management |
| Firefighter | SAP GRC Superuser Privilege Management |


2 Installation Planning

This guide describes the four phases for installing your SAP system: planning, preparation, installation, and post-installation configuration.

2.1 Installation Checklists

You can use the following checklists to track your installation progress. Follow the steps sequentially and check off each item as you complete it.

Installation Planning Checklist

Acquire and read the documentation required for this installation.

Acquire and read the required SAP Notes that are mentioned in this guide before you start the installation.

Verify that you have the hardware required for this installation.

Installation Preparation

Installation Preparation Checklist

Download the files to be installed or

Obtain the installation CD.

Installation Process

Installation Process Checklist

Run JSPM to install the components.

Post-Installation

Post-Installation Checklist

Configure the installation as described in Chapter 5: Post-Installation Configuration


3 Installation Preparation

3.1 Software Requirements

Note: SAP GRC Access Control communicates with multiple systems; therefore, we highly recommend that you use the HTTPS communication protocol for secure communications.

You install the following software by either downloading the files or by using a CD that SAP supplies:

| Software Files | Required/Optional | Comment |
|---|---|---|
| SAP NetWeaver 7.0 (2004s) SP 12 | R | |
| SAP Internet Graphics Service (SAP IGS) | R | Used for graphs that display on management reports |
| Enterprise Portal | R/O | Enterprise Portal is an optional component of SAP NetWeaver 7.0 (2004s) SP 12. It is required if you install the Enterprise Portal RTA (VIREPRTA00_0.sca). |
| VIRCC00_0.SCA - SAP GRC Risk Analysis and Remediation; VIRAE00_0.SCA - SAP GRC Compliant User Provisioning; VIRRE00_0.SCA - Enterprise Role Manager; VIRFF00_0.SCA - Superuser Privilege Management | R | These files contain the four SAP GRC Access Control 5.3 capabilities. All are required. |
| VIRSANH and VIRSAHR | R | These are the SAP GRC Access Control Real Time Agent (RTA) components. You install one or both of them depending on whether or not you have SAP_HR installed on your system. For more information, see section 2.1. |
| VIREPRTA00_0.sca | O | The Enterprise Portal RTA, which resides in this file, must be installed to enable data extraction for SAP GRC Risk Analysis and Remediation and SAP GRC Compliant User Provisioning. If you install this file, you must also install the Enterprise Portal, NetWeaver 7.0 SP 12 |
| VIRACLP00_0.sca | O | Launch Pad |
| VIRACCNTNT.SAR | R | SAP GRC Access Control content file. Contains the master data for post-installation configuration. |
| VIRACLP00_0.SCA | O | Launch Pad |

The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC Access Control 5.3 Real Time Agents (RTAs):

| If your SAP ERP system is at release: | The support pack level must be at: |
|---|---|
| 4.6C | SAP BASIS Support Pack Stack level 55 |
| 4.70 | SAP BASIS Support Pack Stack level 63 |
| 04 | SAP BASIS Support Pack Stack level 21 |
| 6.0 | SAP BASIS Support Pack Stack level 13 |

3.2 Documentation Requirements

You need the following documentation for the installation:

SAP RTA Installation Notes

Information from the SAP Service Marketplace (see section 3.5 for more information).

3.3 SAP Note Requirements

This section lists the SAP Notes that you will need for your installation. Read them before you start installing because they contain the most recent implementation information as well as any corrections to this installation documentation.

Note: You can find the current version of each SAP Note on the SAP Service Marketplace at service.sap.com/notes.

You use a different set of SAP Notes depending on whether or not you have SAP_HR on your system. Refer to the tables below to determine the appropriate notes for your system.


If SAP_HR is Installed

You use the notes in the table below when SAP_HR is installed.

| SAP Note Number | Title | Description |
|---|---|---|
| 1133162 | Install / Delta Upgrade on SAP R/3 4.6C | Use this information when installing or upgrading any SAP GRC Access Control application on an SAP R/3 4.6C system. |
| 1133164 | Install / Delta Upgrade on SAP R/3 Enterprise 4.7 | Use this information when installing any SAP GRC Access Control application on an SAP R/3 Enterprise 4.7 system. |
| 1133166 | Install / Delta Upgrade on SAP ECC 500 | Use this information when installing any SAP GRC Access Control application on an SAP ECC 500 system. |
| 1133168 | Install / Delta Upgrade on SAP ECC 6.0 | Use transaction SAINT to install an add-on on Release SAP ERP Central Component ECC 600 (SAP ECC 600). |
| 1133161 | Install / Delta Upgrade on SAP_BASIS 46C | Use this information when installing or upgrading any SAP GRC Access Control application on your SAP_BASIS 46C system. |
| 1133163 | Install / Delta Upgrade on SAP_BASIS 620 | Use this information when installing or upgrading any SAP GRC Access Control applications on an SAP_BASIS 620 system |
| 1133165 | Install / Delta Upgrade on SAP_BASIS 640 | Use this information when installing or upgrading any SAP GRC Access Control applications on your SAP_BASIS 640 system. |
| 1133167 | Install / Delta Upgrade on SAP_BASIS 700 | Use this information when installing or upgrading any SAP GRC Access Control applications on an SAP_BASIS 700 system. |

If SAP_HR is Not Installed

When SAP_HR is not installed, you only use the notes below.

| SAP Note Number | Title | Description |
|---|---|---|
| 1133161 | Install / Delta Upgrade on SAP_BASIS 46C | Use this information when installing or upgrading any SAP GRC Access Control application on your SAP_BASIS 46C system. |
| 1133163 | Install / Delta Upgrade on SAP_BASIS 620 | Use this information when installing or upgrading any SAP GRC Access Control applications on an SAP_BASIS 620 system |
| 1133165 | Install / Delta Upgrade on SAP_BASIS 640 | Use this information when installing or upgrading any SAP GRC Access Control applications on your SAP_BASIS 640 system. |
| 1133167 | Install / Delta Upgrade on SAP_BASIS 700 | Use this information when installing or upgrading any SAP GRC Access Control applications on an SAP_BASIS 700 system. |

Support Pack Notes

Read the following notes before starting your installation. The notes for VIRSAHR apply if you have SAP_HR on your system; the ones for VIRSANH apply if you do not have SAP_HR on your system.

| Note Number | Description |
|---|---|
| 1174625 | Access Control 5.3 Java Support Pack Installation |
| 1138015 | VIRSANH 530_46C Support Packages for 46C |
| 1138019 | VIRSAHR 530_46C Support Packages for 46C |
| 1138016 | VIRSANH 530_620 Support Packages for 620 |
| 1138020 | VIRSAHR 530_620 Support Packages for 620 |
| 1138017 | VIRSANH 530_640 Support Packages for 640 (ECC 500) |
| 1138041 | VIRSAHR 530_640 Support Packages for 640 (ECC 500) |
| 1138018 | VIRSANH 530_700 Support Packages for 700 (ECC 600) |
| 1138042 | VIRSAHR 530_700 Support Packages for 700 (ECC 600) |

3.4 Host Machine Requirements

The host machine must meet the following requirements:

Requirement Type: Hardware Requirements

• Machine = Server based

• Dual Processors = 2.4–3.2 GHz or faster

• RAM = 4 GB

• Hard Disk = 40 GB Minimum (120 GB Recommended)

Note: For hard disk capacity, 40 GB is adequate. However, depending on how many users and requests you process, SAP GRC Access Control 5.3 can consume 40 GB of storage in approximately one year. Once the drive is full, you need to either archive the data or migrate to a larger drive. For this reason, we recommend that you install SAP GRC Access Control 5.3 on a drive of at least 120 GB.


Requirement Type: Software Requirements

Operating Systems:

• Windows 2000 Server

• Windows 2000 Advanced Server

• Windows 2003 Server (Standard/Enterprise/Web)

• Red Hat Linux Enterprise Server 5.0

• Unix

Java Runtime Environment = JRE version 1.4

Web/Application server = SAP Web Application Server 700 – SP12 or above, with Java/J2EE Stack

Requirement Type: Configuration Requirements

In addition to the basic hardware and software requirements, the SAP GRC Access Control 5.3 installation also requires certain configuration settings. After you have completed installing, read the section Post Installation Activities and follow the steps there to configure SAP GRC Access Control 5.3.

Requirement Type: Memory Settings

To ensure that the SAP GRC Access Control 5.3 installation does not encounter an out-of-memory condition, you must set your memory parameters. You do this using the Config Tool that is installed along with SAP NetWeaver 7.0 (2004s) SP12. The command you use to launch the Config Tool depends on your operating system:

• If you are running the Unix or Linux operating systems, use:

/usr/sap/<SID>/DVEBMGS00/j2ee/configtool/configtool.sh

• If you are running the Windows operating system, use:

\usr\sap\JSA\JC00\j2ee\configtool\configtool.bat

1. In the Config Tool, navigate to the server instance for which you wish to set the memory parameters and select the server by its server number.

2. Under the General tab, add or change memory parameters as required. For additional details on memory settings, refer to SAP Note 723909.

3.5 Information on the SAP Service Marketplace

Go to the SAP Service Marketplace for information on the following topics:

Description | Internet Address
SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Technical infrastructure – configuration scenarios and related aspects such as security, load balancing, availability, and caching | service.sap.com/ti
Network infrastructure | service.sap.com/network
System sizing | service.sap.com/sizing
Front-end installation | service.sap.com/instguides
Security | service.sap.com/security


4 Installing the Software

4.1 Installing From Downloaded Files or CDs

You may install SAP GRC Access Control 5.3 either from CDs that you obtain from SAP or from files that you download from the SAP Service Marketplace. If you want to install from CDs, obtain the CDs from SAP:

If you want to download the files, follow the steps below:

1. Go to the SAP Service Marketplace at service.sap.com.
2. Under SAP Support Portal, select Software Download.
3. In the left navigation bar, click Download to expand the menu.
4. Click Installations and Upgrades to expand the menu.
5. Click Entry by Application Group.
6. Click SAP Solutions for Governance, Risk and Compliance.
7. Click SAP GRC Access Control.
8. Click SAP GRC Access Control.
9. Click SAP GRC Access Control 5.3.
10. Click Install and Upgrade.
11. Select the platform for your server.
12. Select the appropriate database component for your installation.
13. Select SAP GRC Access Control 5.3 and click Add to Download Basket.
14. Follow the online system’s instructions to complete the download process.

Note: See the Appendix for a list of the individual SAP GRC Access Control 5.3 files that are contained in the download.

4.2 Installing the Real Time Agent

The SAP GRC Access Control Real Time Agent (RTA) is contained in the files VIRSANH and VIRSAHR. You install one or both of the files depending on whether or not you have the SAP_HR component on your system.

If SAP_HR is installed, first install the file VIRSANH 5.3 RTA and then install VIRSAHR 5.3 RTA.

Note: You must also install all support packages for VIRSANH and VIRSAHR.


If SAP_HR is not installed, only install VIRSANH 5.3 RTA.

Note: You must also install all support packages for VIRSANH.

Do not install VIRSAHR on a system that does not have SAP_HR.

Once you have downloaded the files that you need to install SAP GRC Access Control 5.3, you must place them in a specific folder so the JSPM installer can find them.

1. Copy the .sca files to /usr/sap/trans/EPS/in/.

Once you have done this, you are ready to begin installing SAP GRC Access Control 5.3.

4.3 Running Java Service Program Manager (JSPM)

This section tells you how to run JSPM to install one or more SAP instances.

Note: JSPM must be run as the <sid>adm user.

Note: In versions prior to 5.3, SAP GRC Access Control used the Software Deployment Manager (SDM) to install and uninstall the software components. As of version 5.3, SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy in JSPM terms) but it still uses SDM to uninstall.

Prerequisite

You have downloaded the SAP GRC Access Control 5.3 installation files and placed them in the JSPM Inbox in the directory /usr/sap/trans/EPS/in/.

The Installation Process

Launch the JSPM which is found in the following directory: /usr/sap/<SID>/<CI>/j2ee/JSPM/go.bat. JSPM will scan the directory that contains the installation files (/usr/sap/trans/EPS/in/).

Using the JSPM Installer, follow the steps below:

1. Select Package Type. Click New Software components. Click the radio button to specify the system role and whether or not the system is under NWDI. Click Next.

2. Specify Queue. Select the software components that you want to install from the table below. You install them in the order in which they occur in the table.

Software Files | Required/Optional | Comment
SAP NetWeaver 7.0 (2004s) SP 12 | R |
SAP Internet Graphics Service (SAP IGS) | R | SAP IGS is included in SAP NetWeaver and is used for graphs that display on management reports.
Enterprise Portal | R/O | Enterprise Portal is an optional component of SAP NetWeaver 7.0 (2004s) SP 12. It is required if you install the file VIREPRTA00_0.sca.
VIRCC00_0.SCA - SAP GRC Risk Analysis and Remediation; VIRAE00_0.SCA - SAP GRC Compliant User Provisioning; VIRRE00_0.SCA - Enterprise Role Manager; VIRFF00_0.SCA - Superuser Privilege Management | R | These files contain the four SAP GRC Access Control 5.3 capabilities. All are required.
VIRSANH and VIRSAHR | R | These are the SAP GRC Access Control Real Time Agent (RTA) components. You install one or both of them depending on whether or not you have SAP_HR installed on your system. For more information, see section 2.1.
VIREPRTA00_0.sca | O | The Enterprise Portal RTA, which resides in this file, must be installed to enable data extraction for SAP GRC Risk Analysis and Remediation and for SAP GRC Compliant User Provisioning. If you install this file, you must also install the Enterprise Portal, NetWeaver 7.0 SP 12.
VIRACLP00_0.sca | O |
VIRACCNTNT.SAR | R | SAP GRC Access Control content file. Contains the master data for post-installation configuration.
VIRACLP00_0.SCA | O | Launch Pad

Click Next.

3. Check Queue. Monitor the installation.

4. Finished.

Repeat this procedure for each of the four SAP GRC Access Control 5.3 capabilities and for the Launch Pad. The Launch Pad acts as a home page for SAP GRC Access Control 5.3; from here, you can launch any of the four capabilities.

4.4 Troubleshooting

If an error occurs, the first step in troubleshooting is to look at the JSPM logs to see what went wrong. The logs are stored in the directory /usr/sap/<SID>/<CI>/j2ee/JSPM/log. Use the Logs tab in the JSPM window to view the logs.

There are two kinds of JSPM logs:

• *.LOG - contain log messages

• *.OUT & *.ERR - contain standard output and error streams from external processes

4.4.1 Using the JSPM Log Viewer

You have the option of using a standalone log viewer that you launch with the log viewer script in: /usr/sap/<SID>/<CI>/j2ee/admin/logviewer-standalone.

Launch the script, then choose File > Add a File and browse for the desired log file. You may need to select All Files in the file type filter to view the files.

For more information about the standalone log viewer, see the Logviewer_Userguide.pdf in the same directory.

4.4.2 Tips for Troubleshooting in JSPM

The primary causes of problems in JSPM are:

• J2EE engine runs out of memory

• The J2EE engine administrator password has been changed

• JSPM hangs during deployment

You can use the following SAP Notes to help research installation issues.

SAP Notes Concerning Installation Problems

Note | Title
129813 | NT: Problems due to address space fragmentation
736462 | Problems increasing Xmx on Windows 32 bit platforms
861215 | Recommended Settings for the Linux on AMD64/EM64T JVM
851251 | SAP NetWeaver 2004s Installation on UNIX Java - JSPM: sapstart cannot be found
723909 | Java VM settings for J2EE 6.30/6.40/7.0
709140 | Recommended JDK and VM Settings for the WebAS630/640/7.0
764417 | Information for troubleshooting of the SAP J2EE Engine 6.40
870445 | SAPJup J2EE Engine Password Does Not Change After an Upgrade
701654 | Deployment aborts due to wrong J2EE Engine login information
891895 | JSPM: required disk space
893946 | SunJCE provider inconsistency
904074 | Broken deployment, check versions of deployed components
903609 | CAF 7.0 SP5 Deployment problem over SP4 using JSPM
710966 | DEPLOY_LOCK error during upgrade
739190 | Timeout when starting or stopping the J2EE engine

4.4.3 What To Do If the Installation Is Interrupted

If for any reason the installation is interrupted, by a power failure for instance, you must restart the installation process.

4.4.4 What To Do If the Installation Does Not Complete Successfully

If installation did not complete successfully, select the View Logs tab in the JSPM GUI and read the error messages to determine what failed and what you need to do to correct the problem. Once you have corrected the problem, run the installation process again.

The most common problem with installs is that not enough disk space is available. A full install of SAP GRC Access Control 5.3 takes approximately 200 MB. If this space is not available, the install will abort. You must then make enough space available and re-run the installation.
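The following pre-install check is an added example, not part of the SAP guide or SAP's tooling. It encodes the rules from sections 4.2 to 4.4.4 (table order, the SAP_HR and Enterprise Portal dependencies, the approximate 200 MB disk need); the function name and its parameters are hypothetical, and the sample plan is constructed.

```python
"""Pre-install check for an SAP GRC Access Control 5.3 install plan (added example)."""

# Package names as written in the section 4.3 table, in table order.
# Launch Pad is listed twice in that table; its first position is used here.
TABLE_ORDER = [
    "VIRCC00_0.SCA",     # SAP GRC Risk Analysis and Remediation
    "VIRAE00_0.SCA",     # SAP GRC Compliant User Provisioning
    "VIRRE00_0.SCA",     # Enterprise Role Manager
    "VIRFF00_0.SCA",     # Superuser Privilege Management
    "VIRSANH",           # RTA, needed on every system
    "VIRSAHR",           # RTA, only on systems with SAP_HR
    "VIREPRTA00_0.SCA",  # Enterprise Portal RTA (optional)
    "VIRACLP00_0.SCA",   # Launch Pad (optional)
    "VIRACCNTNT.SAR",    # content file with master data
]
ALWAYS_REQUIRED = {
    "VIRCC00_0.SCA", "VIRAE00_0.SCA", "VIRRE00_0.SCA", "VIRFF00_0.SCA",
    "VIRSANH", "VIRACCNTNT.SAR",
}
FULL_INSTALL_MB = 200  # approximate size of a full install (section 4.4.4)


def plan_install(packages, sap_hr_installed, enterprise_portal_installed, free_mb):
    """Return (queue, problems) for the packages an administrator plans to install.

    queue    -- packages that may be installed, sorted into table order
    problems -- human-readable findings; an empty list means the plan is consistent
    """
    have = {name.strip().upper() for name in packages}  # guide mixes .sca/.SCA
    problems = []

    for name in sorted(have - set(TABLE_ORDER)):
        problems.append(f"{name}: not listed in the section 4.3 table")

    # VIRSAHR becomes required as soon as SAP_HR is present (section 4.2).
    required = set(ALWAYS_REQUIRED)
    if sap_hr_installed:
        required.add("VIRSAHR")
    for name in TABLE_ORDER:
        if name in required and name not in have:
            problems.append(f"{name}: required but not in the plan")

    skip = set()
    if "VIRSAHR" in have and not sap_hr_installed:
        problems.append("VIRSAHR: must not be installed on a system without SAP_HR")
        skip.add("VIRSAHR")
    if "VIREPRTA00_0.SCA" in have and not enterprise_portal_installed:
        problems.append("VIREPRTA00_0.SCA: requires Enterprise Portal to be installed")
        skip.add("VIREPRTA00_0.SCA")
    if free_mb < FULL_INSTALL_MB:
        problems.append(
            f"disk: {free_mb} MB free, a full install needs about {FULL_INSTALL_MB} MB"
        )

    queue = [name for name in TABLE_ORDER if name in have and name not in skip]
    return queue, problems


if __name__ == "__main__":
    # Constructed plan: no SAP_HR, no Enterprise Portal, one capability forgotten.
    plan = ["VIRCC00_0.SCA", "VIRAE00_0.SCA", "VIRFF00_0.SCA", "VIRSANH",
            "VIRSAHR", "VIREPRTA00_0.sca", "VIRACCNTNT.SAR"]
    queue, problems = plan_install(plan, False, False, free_mb=150)
    print("install order:", queue)
    for line in problems:
        print("problem:", line)
```
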

4.5 Completing the Installation

Once the installation is finished you will get a message in JSPM saying that the installation is complete.


5 Post-Installation Configuration

This section explains how to configure the four SAP GRC Access Control 5.3 capabilities after you have completed the installation process.

5.1 SAP GRC Risk Analysis and Remediation Configuration

Once you have successfully installed SAP GRC Risk Analysis and Remediation, you must perform the following procedures before you can use it.

1. Create JCo Connections to the backend.

2. Import model data and metadata for each JCo destination using the SAP NetWeaver Content Administrator that is included in the Web Dynpro tools.

3. Create an SAP User Management Engine (UME) role and assign it to a user.

4. Create a Master User Source.

5. Start the background job daemon.

5.1.1 Creating JCo Connections to Backend Systems

To create JCo connections, follow the procedure below.

Setting up JCo Connections

In order for SAP GRC Risk Analysis and Remediation to communicate, you must establish one or more backend server connections. You can connect to as many as:

• Three SAP Risk Analysis and Remediation 5.3 RTA backend SAP HR systems

• Three SAP GRC Risk Analysis and Remediation 5.3 RTA non-HR backend systems such as SAP Customer Relationship Management, SAP Product Lifecycle Management, and SAP Supply Chain Management.

• Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)


To connect multiple backend systems to your installation, you establish a separate JCo destination that includes model data and metadata for each of those systems.

Note: The first HR MODEL and METADATA files in the following table do not include an instance number (01). Make sure you observe this naming difference when you set up your JCo destinations.

Table 1 JCo Destinations for SAP GRC Risk Analysis and Remediation Systems

To Connect... | Use These JCo Destinations:
An SAP GRC Risk Analysis and Remediation 5.3 RTA to an SAP_HR backend (Connection limit: Three systems) | VIRSAHR_MODEL & VIRSAHR_METADATA; VIRSAHR_01_MODEL & VIRSAHR_01_METADATA; VIRSAHR_02_MODEL & VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 5.3 RTA to a non-HR SAP backend (Connection limit: Three systems) | VIRSAR3_01_MODEL & VIRSAR3_01_METADATA; VIRSAR3_02_MODEL & VIRSAR3_02_METADATA; VIRSAR3_03_MODEL & VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 5.3 Real Time Agent (RTA) (Connection limit: Fifteen systems) | VIRSAXSR3_01_MODEL & VIRSAXSR3_01_METADATA; VIRSAXSR3_02_MODEL & VIRSAXSR3_02_METADATA; VIRSAXSR3_15_MODEL & VIRSAXSR3_15_METADATA

SAP GRC Access Control 5.3 gives you the option of setting up SAPJCO connections instead of JCo (adaptive RFC) connections. We recommend that you use JCos for your first 21 connectors because they are more efficient than SAP JCo connectors. If you need more than 21 connectors, use SAP JCo for the additional connections. We also recommend that you use the 21 adaptive JCos for your highest volume or production environments.

Note: For instructions on how to configure JCo and SAPJCO connections, see the SAP GRC Access Control 5.3 Configuration Guide under Defining Connectors for Risk Analysis and Remediation.

5.1.2 Importing Connector Data

After you install SAP GRC Risk Analysis and Remediation, you must import model data and metadata for each backend connection that you want to establish.

Before you import model data and metadata, have your system administrator verify that your ABAP system:

• Is configured in the System Landscape Directory (SLD)

• Has a default logon group

• Can be accessed by the J2EE system services file

To import connector model data and metadata:

1. Open an internet browser and enter the following address:

http://<server_name>:50000/index.html

For example:

http://10.48.122.210:53000/index.html

The SAP NetWeaver Startup page appears.

2. In the SAP NetWeaver Web Application Server window, click Web Dynpro.

3. Under Web Dynpro Tool Applications, click Content Administrator.

4. In the User Management Engine logon window, enter your user ID and password. The Web Dynpro Content Administrator window appears.

5. Click Maintain JCo Destination.

Note: If the buttons Create JCo Destination and Maintain JCo Destination are not enabled, the SLD Bridge has not been properly configured.

The JCo Destination Details page appears.

Important: While performing the following steps, do not rename the SAP GRC Risk Analysis and Remediation model data and metadata files or the connectors that you create will not function.

6. From the JCo Destination Details list menu in the right pane, locate the data file that corresponds to the backend system that you are connecting to and click Create.

Use the information provided in Table 1 to select the JCo Destination model data or metadata for the backend system(s) that you want to connect.

7. Enter the client number for the backend system (this must match the information you entered when you configured the SLD).

8. Click Next. The Create New JCo Destination J2EE Cluster pane appears.

Note: Perform Steps 6 through Step 20 twice for each backend system that you plan to connect: once to import the connector MODEL DATA file and once to import the connector METADATA file.

9. Select the local J2EE engine or select your remote J2EE engine from the dropdown menu; click Next.

10. Select the appropriate option for the type of data you are generating:


For METADATA files, select the Dictionary Meta Data option.

For MODEL data files, select the Application Data option.

11. Click Next.

Important: If you do not select the correct Connection Type for the data you are importing, your system will fail when you attempt to perform a risk analysis.

12. From the Message Server dropdown menu, select the backend system for this connection.

The Message Server dropdown menu lists servers that have been defined as SLD Data Suppliers in the System Landscape Directory. If the server you want to connect to does not appear in this dropdown menu, use the Visual Administrator tool to verify the server configuration in the SLD.

13. In the Logon Group dropdown menu, select the default logon group.

14. Click Next.

Note: When you are configuring model data (the second time), there will be a dropdown menu that allows you to select Authentication Method. Currently, User/Password is the only supported setting for this option.

15. In the Name and Password fields, enter the user name and password for the backend system that this SAP GRC Risk Analysis and Remediation installation will use.

16. Click Next.

17. Verify the information that you have entered and click Finish.

Note: When configuring data in Step 15, do not change the Language setting. English is the only supported language for SAP GRC Risk Analysis and Remediation Version 5.3.

18. After the process has completed, scroll down (if necessary) to verify that you received a message stating that the connection has been successfully created.

Even if the connector status shows a green light, you still need to test the connector to verify that it is functional.

19. For the connector you have just created, click Test.

The message at the bottom of the window indicates whether the test was successful. If the test is unsuccessful, click the Log Viewer tab to view information about where the connection problem occurs.

20. Locate the model data for the system that you are installing and create a JCo destination for it by following the instructions provided in Steps 6 through Step 20.


Remember to properly specify the Connection Type in Step 10. To import model data, enable the Application Data option under the heading Data Type. To import metadata, enable the Dictionary Meta Data option under the heading Data Type.

Once you have created model data and metadata connections for each backend server connection, you must create an administrative role using the User Management Engine (UME).

Note: When you want to reconfigure a JCo destination, for example, if you originally connected it to an SAP Compliance Calibrator v. 4.0 SP2 or greater backend and now want to connect it to an SAP GRC Risk Analysis and Remediation Version 5.3 RTA, you must restart your J2EE engine after you reconfigure the JCo destinations.
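The checker below is an added example, not part of the SAP guide or any SAP tool. It rebuilds the destination names of Table 1 (including the first HR pair that carries no instance number) and flags renamed destinations, a MODEL or METADATA destination without its partner, and a Data Type that does not match Step 10. It assumes VIRSAXSR3_03 through VIRSAXSR3_14 follow the same pattern as the three rows shown in Table 1; the input dictionary of destination name to chosen Data Type is constructed.

```python
"""Validate JCo destination names and Data Types against Table 1 (added example)."""

# prefix -> (connection limit, first slot has no instance number)
FAMILIES = {
    "VIRSAHR": (3, True),      # SAP_HR backends: VIRSAHR, VIRSAHR_01, VIRSAHR_02
    "VIRSAR3": (3, False),     # non-HR SAP backends: _01 .. _03
    "VIRSAXSR3": (15, False),  # Real Time Agents: _01 .. _15 (03-14 assumed)
}

# Data Type to select in Step 10 for each kind of destination.
EXPECTED_DATA_TYPE = {
    "MODEL": "Application Data",
    "METADATA": "Dictionary Meta Data",
}


def slots(prefix):
    """Return the connection slots of one family, e.g. VIRSAR3_01 .. VIRSAR3_03."""
    limit, first_unnumbered = FAMILIES[prefix]
    if first_unnumbered:
        return [prefix] + [f"{prefix}_{n:02d}" for n in range(1, limit)]
    return [f"{prefix}_{n:02d}" for n in range(1, limit + 1)]


def valid_names():
    """Map every allowed destination name to its (slot, suffix)."""
    names = {}
    for prefix in FAMILIES:
        for slot in slots(prefix):
            for suffix in EXPECTED_DATA_TYPE:
                names[f"{slot}_{suffix}"] = (slot, suffix)
    return names


def check_destinations(configured):
    """configured: {destination name: Data Type chosen when it was created}.

    Returns a sorted list of (finding, destination name) tuples.
    """
    known = valid_names()
    findings = []
    suffixes_seen = {}
    for name, data_type in configured.items():
        if name not in known:
            # Renamed or mistyped: the guide says such connectors will not function.
            findings.append(("unknown-name", name))
            continue
        slot, suffix = known[name]
        suffixes_seen.setdefault(slot, set()).add(suffix)
        if data_type != EXPECTED_DATA_TYPE[suffix]:
            findings.append(("wrong-data-type", name))
    # Every backend needs both its MODEL and its METADATA destination.
    for slot, seen in suffixes_seen.items():
        for suffix in EXPECTED_DATA_TYPE:
            if suffix not in seen:
                findings.append(("missing-pair", f"{slot}_{suffix}"))
    return sorted(findings)


# Constructed sample configuration with three deliberate mistakes.
SAMPLE = {
    "VIRSAHR_MODEL": "Application Data",
    "VIRSAHR_METADATA": "Dictionary Meta Data",
    "VIRSAHR_00_MODEL": "Application Data",       # first HR pair has no number
    "VIRSAR3_01_MODEL": "Dictionary Meta Data",   # wrong Data Type for MODEL
    "VIRSAR3_01_METADATA": "Dictionary Meta Data",
    "VIRSAXSR3_02_MODEL": "Application Data",     # METADATA partner missing
}

if __name__ == "__main__":
    for finding, name in check_destinations(SAMPLE):
        print(f"{finding:16} {name}")
```
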

5.1.3 Importing Risk Analysis and Remediation Roles

Once you have completed the installation procedures described above and restarted the NetWeaver J2EE server, SAP GRC Risk Analysis and Remediation is installed and running. However, before you can use it, you must import user roles and create an initial user account.

Note: Predefined roles for SAP GRC Access Control 5.3 components are bundled in the SAP GRC Access Control 5.3 download from the SAP Service Marketplace (service.sap.com) and are also included in the install CD in the file VIRACCNTNT_0.sar.

For more information about the roles and how to use them, see the SAP GRC Access Control 5.3 Security Guide.

You use UME to import the Risk Analysis and Remediation user roles.

To import Risk Analysis and Remediation user roles:

1. Start the UME.

Use a Web browser to connect to and log into the SAP NetWeaver J2EE.

2. Click Import.

3. Browse to the directory into which you extracted the Risk Analysis and Remediation installation file.

4. Select cc_ume_roles.txt.

5. Click Upload.

Create a user

If you need to create an administrative user, use the UME.

Assign the administrative role to a user

Use the following procedure to assign the administrative role to a user.

1. In the left navigation pane of the UME window, click Roles.


2. In the Get dropdown list, select Role.

3. Enter VIRSA_CC** and click Go to display the Roles List. In the Roles List, find and select the VIRSA_CC_ADMINISTRATOR role.

4. Click the Assigned Users tab, and then click Modify to assign that role to your user.

5. In the Available Users pane, type the user name in the Get field and click Go. Select the user to whom you will assign Risk Analysis and Remediation Administration privileges.

The administrative role has now been assigned to the user you selected.

Test your installation

Once you have completed your data and user setup, you are ready to test your installation.

Log on to SAP GRC Risk Analysis and Remediation

Follow the steps below to log on to SAP GRC Risk Analysis and Remediation.

1. Enter the following address into your web browser:

http://<server_name>:5<instance>00/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator

Where:

server_name is the name of your J2EE system.

instance is the instance of your J2EE engine.

Example:

http://10.48.122.210:53000/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator

2. Enter the account information for the user you created and click Logon.

Note: If the administrator using this account will also be assigning JCo destinations, you can add the SAP built-in administrator role to provision the user account for setting up connectors.

The SAP GRC Risk Analysis and Remediation main screen will appear showing the Informer tab. Because data has not yet been pulled into the system, the graphic display shows a broken pie chart and indicates a “Graphics Rendering Problem.”

Importing error messages

You must copy the error message file CC53_MESSAGES.txt that is shipped with the product to a local directory and then import it into SAP GRC Access Control 5.3 using the following menu path:

Configuration -> Utilities -> Import


Note: Be sure to confirm the override.

Configuring your J2EE connectors

In order to communicate to backend systems using the connectors that you created during installation, you must configure them for SAP GRC Risk Analysis and Remediation. For more information, see the SAP GRC Access Control 5.3 Configuration Guide which is located at service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -> SAP GRC Access Control -> SAP GRC Access Control 5.3.

5.1.4 Defining a Master User Source

The Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 5.3 to use for user ID, e-mail address, and other account information that is used for audit reporting. When you define a Master User Source, the JCo connectors that you created do not appear in the dropdown menu until you have refreshed the web browser.

Use the following procedure to define a Master User Source for your SAP GRC Risk Analysis and Remediation 5.3 installation.

1. From the SAP GRC Risk Analysis and Remediation 5.3 Configuration tab, select Define Master User Source.

2. Click the Configure System option.

Note: Using the UME as a Master User Source is not currently a supported configuration.

3. From the Select System dropdown menu, select the connector for the system that SAP GRC Risk Analysis and Remediation 5.3 will use for user information.

4. Click Save.

The status bar indicates whether or not the connection was successful.

Once you have configured the connectors, you must start the background job daemon before you can perform background tasks such as risk analysis.

Note: Whenever you restart the Java engine, you must also restart the background job daemon. Instructions for starting this background job are provided in the next section.

5.1.5 Configuring the Background Job Daemon

Apply SAP Note 999785 to configure the background job daemon and restart the J2EE Engine server.

To monitor the background job daemon, enter the following addresses into your web browser:

http://<server_name>:<port>/sap/CCBgStatus.jsp

http://<server_name>:<port>/sap/CCADStatus.jsp


Where:

server_name is the J2EE application server name

port is 5<xx>00

xx is the J2EE instance

For example, if the J2EE instance were 35, then the port assignment would be 53500.


5.2 SAP GRC Compliant User Provisioning Configuration

The configuration procedures in this chapter are all required and are listed sequentially. You should perform them in the order that they appear.

SAP GRC Compliant User Provisioning post-installation configuration includes:

• Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)

• Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administrator

• Importing Initial SAP GRC Compliant User Provisioning Configuration Data

5.2.1 Importing SAP GRC Compliant User Provisioning Roles

Once you have completed the installation and restarted the SAP NetWeaver J2EE server, SAP GRC Compliant User Provisioning 5.3 is installed and running. Before you can use it, however, you must import user roles and create an initial user account. The first step is to use UME to import the SAP GRC Compliant User Provisioning user roles.

To import SAP GRC Compliant User Provisioning user roles:

1. Start the UME.

Use a Web browser to connect to and log on to SAP NetWeaver J2EE.

2. Click Import.

3. Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning installation file.

4. Go to the folder ACROLES.

5. Select AE_ume_roles.txt.

6. Click Upload.

Note: Predefined roles for SAP GRC Access Control 5.3 components are bundled in the download from the SAP Service Marketplace (service.sap.com) and are also included in the install CD in the file VIRACCNTNT_0.sar.

5.2.2 Assigning the Administrator Role

Once you have imported or manually created the SAP GRC Compliant User Provisioning user roles, you must define the SAP GRC Compliant User Provisioning administrator. You use this administrator role to perform certain tasks, to create other administrators and users, and to assign roles to them.

The SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAP GRC Compliant User Provisioning. At some point in the future, you might decide to create other users with the same permissions and perhaps to delete this initial administrator.

To assign the SAP GRC Compliant User Provisioning Admin Role to a User:

1. Start the UME.

Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server. On the Index page, click User Management. Log on to the UME.

2. In the Get dropdown list, select Role.

3. Enter AE* and click Go to display the Roles list. In the Roles list, find and select the AEADMIN role, click the Assigned Users tab, and then click Modify to assign that role to your user.

4. In the Available Users pane, type the user name in the Get field and click Go. Select the user to whom you will assign SAP GRC Compliant User Provisioning admin privileges.

5.2.3 Importing Configuration Data

The final task is to import initial configuration data for SAP GRC Compliant User Provisioning. You do this from within SAP GRC Compliant User Provisioning.

To import SAP GRC Compliant User Provisioning configuration data:

1. Using a Web browser, connect to the SAP NetWeaver J2EE server.

2. Type the application URL in your internet browser: http://<hostname>:<portnumber>/AE

Where

hostname = the name or IP address of the system on which NetWeaver runs.

portnumber = the port on which SAP GRC Compliant User Provisioning has been configured to listen. The default is 50000.

For example, if the SAP GRC Compliant User Provisioning server resides on host 10.48.122.210:50000 and it has the default port number, the correct URL would be: http://10.48.122.210:50000/AE

You see the initial SAP GRC Compliant User Provisioning screen.

3. Click User Login to display the Login screen. Use the user name and password for the SAP GRC Compliant User Provisioning admin user that you just created.

4. Click the Configuration tab.

5. In the navigation pane, click Initial System Data.


6. In the content pane, click Browse, and navigate to the directory into which you extracted the SAP GRC Compliant User Provisioning installation files.

7. In the Browse window, double-click the appropriate .xml file, and then in the SAP GRC Compliant User Provisioning content pane, click Import.

The files that you import are:

AE_init_append_data.xml - select the Append option.

AE_init_clean_and_insert_data.xml - select the Clean and Insert option.

5.3 SAP GRC Enterprise Role Management Configuration

The configuration procedures in this chapter are all required and are listed sequentially. You should perform them in the order they appear. SAP GRC Enterprise Role Management post-installation configuration includes:

• Importing the SAP GRC Enterprise Role Management roles

• Assigning the ERM Admin Role to the administrator

• Importing Initial SAP GRC Enterprise Role Management configuration data

• Connecting a Standalone J2EE System to the remote SAP Server

5.3.1 Importing SAP GRC Enterprise Role Management Roles

Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE server, SAP GRC Enterprise Role Management is installed and running. However, before you can use it, you must import user roles and create an initial user account. The first step is to use UME to import the SAP GRC Enterprise Role Management user roles.

To import SAP GRC Enterprise Role Management user roles:

1. Start the UME. Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server. On the Index page, click User Management. Log into the UME.

2. Click Batch Import.

3. Go to the directory into which you extracted the SAP GRC Enterprise Role Management installation files, and, using any text editor, open the file re_ume_roles.txt (this file is available from the Best Practices section of help.sap.com). Select and copy the entire contents of the file.

4. Go back to the UME, and then in the blank area, paste the contents of re_ume_roles.txt.

5. Click Upload.

Note: Predefined roles for SAP GRC Access Control 5.3 capabilities are included with the software and are also included on the install CD in the file VIRACCNTNT_0.sar.

5.3.2 Defining the Administrator

Once you have imported the SAP GRC Enterprise Role Management user roles, you must define the initial SAP GRC Enterprise Role Management administrator. You use this user to perform certain tasks, to create other administrators and users, and to assign roles to them.

The SAP GRC Enterprise Role Management administrator has permission to perform any task in SAP GRC Enterprise Role Manager. At some point in the future, you may decide to create other users with the same permissions and perhaps to delete this initial administrator.

To assign the SAP GRC Enterprise Role Management admin role to a user

1. Start the UME. Use a Web browser to connect to and log on to the NetWeaver J2EE server. On the Index page, click User Management. Log into the UME.

2. In the Get dropdown list, select Role.

3. Enter RE* and click Go to display the Roles list. In the Roles list, find and select the RE Admin role, click the Assigned Users tab, and then click Modify to assign that role to the specified user.

4. In the Available Users pane, type the user name in the Get field and click Go. Select the user to whom you will assign RE Admin privileges.

5.3.3 Importing Configuration Data

The final task is to import initial configuration data for SAP GRC Enterprise Role Management. This data is the default, out-of-the-box system data that is pre-packaged with SAP GRC Enterprise Role Management and is a minimal set of data that it requires to function properly. You import this data from within SAP GRC Enterprise Role Management.

To import SAP GRC Enterprise Role Management configuration data

1. Using a Web browser, connect to the SAP NetWeaver J2EE server.

2. Type the application URL in your internet browser: http://<hostname>:<portnumber>/RE

Where:

hostname = the name or IP address of the system on which NetWeaver runs.

portnumber = the port on which SAP GRC Enterprise Role Management has been configured to listen. The default is 50000.

For example, if the SAP GRC Enterprise Role Management server resides on host 10.48.122.210 and has the port number 50000, the correct URL would be: http://10.48.122.210:50000/RE

The initial SAP GRC Enterprise Role Management page appears.

3. Click User Login to display the Login screen:

Use the user name and password of the REAdmin user you just created.

4. Click the Configuration tab.

5. In the navigation pane, click Initial System Data.

6. In the content pane, click Browse, and navigate to the directory into which you extracted the SAP GRC Enterprise Role Management installation files.

7. In the Browse window, double-click the appropriate .xml file, and then in the SAP GRC Enterprise Role Management content pane, click Import. The files that you import are:

a. RE_init_clean_and_insert_data.xml: select the Clean and Insert option.

b. RE_init_append_data.xml: select the Append option.

c. RE_init_methodology_data.xml: select the Append option. This step is only required for a fresh installation or if you want to reload the default process that was originally shipped with SAP GRC Enterprise Role Manager.

5.4 SAP GRC Superuser Privilege Management Configuration

The configuration procedures detailed in this chapter are all required and are listed sequentially. You should perform them in the order in which they appear. SAP GRC Superuser Privilege Management configuration includes:

• Creating the SAP GRC Superuser Privilege Management Administrator

• Assigning the Administrator Role to the administrator user

5.4.1 Creating the Administrator Role

To create the SAP GRC Superuser Privilege Management administrator role:

1. Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server; on the Index page, click User Management.

2. In the Get dropdown list, select Role and then select Create Role.

3. Enter FF_ADMIN as the role name and enter a short description on the General Information Tab.

4. Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management-related UME actions by entering *FF* in the Get field. Choose Get.

5. Choose Select All and then choose Add.

6. Choose Save.

5.4.2 Assigning the Administrator Role to a User

Once you have imported the SAP GRC Superuser Privilege Management administrator role, you must configure a user to be the initial administrator and assign the administrator role to this user. You will use this user to perform certain tasks, to create other administrators and users, and to assign roles to them.

The administrator has permission to perform any task in SAP GRC Superuser Privilege Management. At some point in the future, you may decide to create other users with the same permissions and perhaps to delete this initial administrator.

To assign the administrator role to a user:

1. Start the UME. Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server.On the Index page, click User Management.

2. In the Get dropdown list, select Role.

3. Enter #FF*# and click Go to display the Roles list. In the Roles list, find and select the FF_ADMIN role, click the Assigned Users tab, and then click Modify to assign that role to your specified user.

4. In the Available Users pane, type the user name in the Get field and click Go. Select the user to whom you will assign SAP GRC Superuser Privilege Management admin privileges.

5. Choose Save.

6. Verify that you can access the component using the URL below:

http://<hostname>:<port>/webdynpro/dispatcher/sap.com/grc~ffappcomp/Firefighter

5.5 Launch Pad

No additional steps are required to configure the Launch Pad.

Launch Pad is an application that allows you to launch the four SAP GRC Access Control 5.3 capabilities from a common home page. You can get the URL for Launch Pad from SAP NetWeaver 7.0 (2004s) SP 12 once the SAP GRC Access Control 5.3 installation is complete and the capabilities are configured. Until you have assigned users to each capability, their links in Launch Pad will be grayed out.

To start Launch Pad, follow these steps:

1. Log in to the J2EE server as an administrator.

2. Click the Web Dynpro link.

3. Under the Browse tag, find the application name sap.com/grc~acappcomp.

4. Expand the tree view of the application and click AC.

5. In the right panel, click the Run button. A new window will be launched and you can get the URL, which will be in the following format:

http://<server_name>:5<instance>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC

5.6 Connecting a Standalone J2EE System to a Server

If you are performing a standalone J2EE system installation, you must connect it to the backend SAP server. Use the following procedures to connect your J2EE system to a remote SAP server.

Note: The following steps are for Windows installations. For UNIX installations, open your etc/services file with a text editor, and add an entry as described in Step 2 below. Also add the following entry: sapgw00 3200/tcp.

Note: You do not need to restart your UNIX system after performing this procedure.

1. Open the Windows services file in a text editor such as WordPad. Use the following path and file name: c:\WINDOWS\system32\drivers\etc\services

The services file opens as illustrated in the screenshot below:

2. Add an entry in the services file in the following format: sapms<sap_sid> 36<instance>/tcp

Where:

sapms identifies the SAP message service

sap_sid is the name of your SAP server (always uppercase)

36 is the standard message port for SAP

instance is the SAP server instance number

tcp is the message protocol

For example:

sapmsSNW 3600/tcp

3. Add the following entry:

sapgw00 3300/tcp

Note: Do not forget to terminate each line (and also the last one) with a CR (carriage return) when you edit the services file.

4. Save your changes and close the services file.

5. Restart Windows.

For more information regarding the services file, see SAP Notes 723562 and 52959.
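The services file edited in Steps 2 to 4 can be checked before the restart. The following Python check is an added example, not part of the SAP guide: it confirms that the sapms<sap_sid> and sapgw00 entries are present with the expected ports, that no other service already claims those ports, and that the last line is terminated. The function names and the sample file text are assumptions constructed for illustration; the sapgw00 value follows Step 3.

```python
import re

# One services-file entry: <name> <port>/<protocol>, then optional aliases/comment.
ENTRY = re.compile(r"^\s*(?P<name>[^\s#]+)\s+(?P<port>\d+)/(?P<proto>\w+)")


def required_entries(sap_sid, instance):
    """Entries the procedure asks for: sapms<SAP_SID> on 36<instance>/tcp
    (SID always uppercase) and the sapgw00 line from Step 3."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be between 00 and 99")
    return {
        f"sapms{sap_sid.upper()}": (3600 + instance, "tcp"),
        "sapgw00": (3300, "tcp"),
    }


def check_services(text, sap_sid, instance):
    """Return a list of findings for a services file's text; empty means OK."""
    findings = []
    required = required_entries(sap_sid, instance)
    seen = {}     # service name -> (port, protocol) of its first entry
    by_port = {}  # (port, protocol) -> first service name that claimed it

    # The guide's note: every line, including the last one, must be terminated.
    if text and not text.endswith(("\n", "\r")):
        findings.append("last line is not terminated")

    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(line)
        if not m:
            continue  # blank line, comment, or a line that is not an entry
        name, key = m["name"], (int(m["port"]), m["proto"].lower())
        for want in required:
            if name != want and name.lower() == want.lower():
                findings.append(f"line {lineno}: {name} should be written {want}")
        owner = by_port.setdefault(key, name)
        if owner != name:
            findings.append(
                f"line {lineno}: {key[0]}/{key[1]} already assigned to {owner}")
        seen.setdefault(name, key)

    for want, key in required.items():
        if want not in seen:
            findings.append(f"missing entry: {want} {key[0]}/{key[1]}")
        elif seen[want] != key:
            got = seen[want]
            findings.append(
                f"{want} is {got[0]}/{got[1]}, expected {key[0]}/{key[1]}")
    return findings


# Constructed sample: the guide's example entries (SID SNW, instance 00),
# with the final line deliberately left unterminated.
SAMPLE = (
    "# constructed sample services file\r\n"
    "echo       7/tcp\r\n"
    "sapmsSNW   3600/tcp\r\n"
    "sapgw00    3300/tcp"
)

if __name__ == "__main__":
    for finding in check_services(SAMPLE, "SNW", 0):
        print(finding)
```

To check a real file, read it with newline="" so that the original line endings reach the check unchanged.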

This completes SAP GRC Superuser Privilege Management configuration. SAP GRC Superuser Privilege Management is now running and ready for use. The next step is to integrate SAP GRC Enterprise Management and SAP GRC Compliant User Provisioning for role approval. For more information, refer to the section, Integrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control 5.3 Configuration Guide.

6 Post-System Copy Configuration

If you have used system copy to install SAP GRC Access Control 5.3, use the information in this section to confirm the configuration information is correctly maintained.

6.1 SAP GRC Risk Analysis and Remediation

Verify the following configuration information:

Ensure all the JCOs reference the new JCO names.

Ensure the Workflow Service URL references the new server address.

In the Configuration page > Custom tab, ensure all the server addresses reference the new server address.

6.2 UME Activities

After a system copy and refresh, the connectors are normally not set. Verify the following configuration information:

1. Verify JCo information for VIRSAXSR3_01_METADATA is set to the new server.

General data:

o ERP system client (i.e. change from 000 to 800 to match the ERP client)

o JCO Pool Configuration (i.e. set to 50 for the pool size, 100 max connections)

o Connection Timeout (i.e. from 10 ms to 900,000 ms)

o Maximum Waiting Time (i.e. from 20 ms to 900,000 ms)

J2EE Cluster

o Accept local

o Connection Type

o For metadata – select dictionary meta data

o For model – select application data

Application Server Connection

o System

o Logon group. (i.e. ‘SPACE’)

o All other default data

Security:

o Name – must match the name in the ERP (with appropriate access)

o Password – must match password on user in ERP (need to have same user/pw for all adaptors/connectors for AC suite)

2. On the main screen, click Test to validate the User ID, password, and connection information.

Note: If you do not connect, verify that the Logon Group (i.e. ‘SPACE’) is a defined user group on the ERP system (use Transaction SMLG).

3. Verify the following for VIRSAXSR3_01_MODEL:

Test each JCO Destination and JCO Metadata

Test the JCO Model

4. Verify that the JCOs and references to the back end reference the new Host Name and Gateway.

5. Verify the adaptor is working with the Risk Analysis and Remediation Server.

a. Log onto the Risk Analysis and Remediation Server, select the Configuration tab and select SAP Adapter.

Note: If the Icon (square) is colored Red and not Green, select it to activate it.

b. Verify the Host Name and Gateway are correct.

c. Verify that the Program ID is the same as the Program ID on the back end ERP RFC Destination.

6.3 SAP GRC Compliant User Provisioning

Verify the following configuration information:

The Risk Analysis web service URI references the new server address.

The Mitigation service URI references the new server address.

The Application Server Host references the connector information or the new server.

The Exit URIs for all the workflow types reference the new server.

The URI for the Custom Approver Determinator references the host name for the new web service.

6.4 SAP GRC Enterprise Role Management Configuration

Verify the following configuration information:

Ensure all web service URIs reference the new server information.

Ensure the Application Server Host for the Connectors references the new connector.

6.5 SAP GRC Superuser Privilege Management Configuration

Verify the following configuration information:

Ensure the Application Server Host for the Connectors references the new connector.

Appendix

A. SAP GRC Access Control 5.3 Component Contents

Enterprise Portal - VIREPRTA00_0.sca

grc~ccsapeprta.sda

grc~aeeprta.sda

Launch Pad - VIRACLP00_0.SCA

grc~acappcomp.sda

SAP GRC Risk Analysis and Remediation - VIRCC00_0.SCA

grc~ccxsysws.sda

grc~ccxsyssodws.sda

grc~ccxsysejbear.sda

grc~ccxsysdb.sda

grc~ccxsysbgear.sda

grc~ccxsysbehr.sda

grc~ccxsysbe.sda

grc~ccxsysactionws.sda

grc~ccume.sda

grc~cclib.sda

grc~ccappcomp.sda

SAP GRC Compliant User Provisioning - VIRAE00_0.SCA

grc~aewsejbear.sda

grc~aewfrqwsejbear.sda

grc~aeume.sda

grc~aelib.sda

grc~aeear.sda

grc~aedict.sda

SAP GRC Enterprise Role Management - VIRRE00_0.SCA

grc~reworkflowexitwsear.sda

grc~reume.sda

grc~rejarslib.sda

grc~reintflib.sda

grc~reear.sda

grc~redictionary.sda

grc~reapprswsear.sda

SAP GRC Superuser Privilege Management - VIRFF00_0.SCA

grc~ffume.sda

grc~ffext.sda

grc~ffdb.sda

grc~ffappcomp.sda

B. Using the Visual Administrator to Configure an SLD Data Supplier

Use the following procedure to configure the System Landscape Directory (SLD).

1. Execute the Visual Administrator tool script or batch file.

See Visual Administrator Tool Scripts and Batch Files in Appendix C for the path and file name.

2. Select an SAP J2EE Engine from the connection screen and click Connect.

3. Enter the password for the J2EE administrator.

4. Expand the navigation menu under your J2EE server name then expand the Services list item.

5. Click SLD Data Supplier.

6. Click the HTTP Settings tab.

7. Enter the host name and port number for the J2EE engine, then enter the user name and password for your system connection.

Important: Do not enter the Fully Qualified Domain Name for the SLD server. Enter the host name only and make sure that the host is registered in the Domain Name Service (DNS).

The SLD uses port 5<instance>00

Where:

instance is the J2EE engine instance

For example, if the J2EE instance were 35, then the SLD message port assignment would be 53500.

8. Click Save.

9. Click the CIM Client Generation Settings tab.

10. Enter the same host, port and user information that you entered in Step 7 above.

11. Click Save.

12. Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD server.

A dialog box displays the message Trigger SLD data transfer?

13. Click Yes.

A dialog box informs you that the data has been transferred successfully.

C. Configuring the Internet Graphics Server

The Internet Graphics Server (IGS) is included with your NetWeaver software. You configure the IGS URL using the Visual Administrator tool.

To specify the URL for the Internet Graphics Server

1. Launch the Visual Administrator tool by executing the script or batch file for your operating environment.

The name and location of the file that you use to launch the Visual Administrator depend on your operating environment as shown in Table 2.

Table 2 Visual Administrator Tool Scripts and Batch Files

| Operating Environment | Directory Path | File Name |
|---|---|---|
| UNIX with Java only | /usr/sap/<SAP_SID>/JC<instance>/J2ee/admin/ (Example: /usr/sap/sap_system1/JC00/J2ee/admin/) | Go.sh |
| UNIX with Java and ABAP add-on | /usr/sap/<SAP_SID>/DVEBMGS<instance>/J2ee/admin/ (Example: /usr/sap/sap_system1/DVEBMGS00/J2ee/admin/) | Go.sh |
| Windows with Java only | c:\usr\sap\<SAP_SID>\JC<instance>\j2ee\admin\ (Example: c:\usr\sap\sap_system1\JC00\j2ee\admin\) | Go.bat |
| Windows with Java and ABAP add-on | c:\usr\sap\<SAP_SID>\DVEBMGS<instance>\J2ee\admin\ (Example: c:\usr\sap\sap_system1\DVEBMGS00\J2ee\admin\) | Go.bat |

In the preceding table:

• SAP_SID is the system ID for your SAP server

• instance is the instance ID of your J2EE engine

2. Under the Services item in the (left) navigation pane, click Configuration Adapter as illustrated in the screenshot below.

3. Under the Display Configuration tab, expand the Web Dynpro navigation list item; expand sap.com;expand tc-wd~disprwda; click the Edit Mode (pencil) icon that is above the navigation list.

A dialog box warns that you are about to enter Edit Mode and requests you to confirm that you want to proceed.

4. Click Yes.

5. In the navigation menu list, double-click Property sheet default.

The Change Configuration window appears.

6. In the Name column, click the IGSUrl list item as illustrated in the screenshot below.

7. In the Custom field, enter the IGS server name and port number using the following format: <server_name>:<port>

Where

server_name is the name of your IGS server.

port is the IGS server port, in the format 4<instance>80.

The default port assignment is 40080.

8. Click Apply custom, and then click OK.

9. Exit the Visual Administrator.

D. System Landscape

E. Using Java Service Program Manager (JSPM)

1. Open the JSPM folder which is located at [drive]\usr\sap\A29\JC29\j2ee\JSPM.

2. Launch JSPM by clicking on the file Go.bat as illustrated in the screenshot below.

3. Select New Software Components and click Next as illustrated in the screenshot below.

4. Select the software components that you wish to deploy and click Next as illustrated below.

5. Verify that you have selected the correct software and click Next.

6. JSPM will install the software you selected and display the message Update of deployed components in progress... as illustrated below.

7. When JSPM has finished deploying the software, click Exit. The system displays the message Deployment has finished as illustrated below.