
SAP NetWeaver How-To Guide

How to... Setting up An Identity Management Dispatcher On A UNIX Host Flavor

Applicable Releases:

SAP NetWeaver Identity Management 7.1

Topic Area: Security and Identity Management

Capability: Identity and Access Management

Version 1.0

October 2009

© Copyright 2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Document History

Document Version   Description
1.00               First official release of this guide

Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Description

Caution

Note or Important

Example

Recommendation or Tip

Table of Contents

1. Business Scenario  1

2. Background Information  1

3. Prerequisites  2

4. Step-by-Step Procedure  3

4.1 Java Runtime Environment  3

4.2 Java Cryptography Extension Jurisdiction Policy  3

4.3 SAP NW IdM Runtime  3

4.4 SAP Java Connector  6

4.5 Database Driver  6

4.6 Script & Property File  7

4.7 Start & Test Run  9

4.8 Startup/Shutdown Service  10

5. Congratulation  10

How to Setting up an Identity Management Dispatcher on a UNIX host flavor

1. Business Scenario

You have just finished setting up a SAP NW Identity Management landscape. Now you are planning for the future: you have decided to scale up your environment to support the amount of provisioning jobs that you are planning for your company. This requires you to add another SAP NW IdM Dispatcher to your landscape, and you are planning to run it on a UNIX platform. This How-To will help you set it up in conjunction with the SAP NW IdM installation guide.

2. Background Information

SAP NW Identity Management gives you the flexibility to mix and match certain components across the various supported operating systems. Please check the Product Availability Matrix homepage for the operating systems currently supported for the release of SAP NW IdM that you are using.

For this How-To, we will assume that the other major components are running on a single system using MS SQL for its Identity Center Database. We will install, configure, and test the Dispatcher Runtime engine onto another operating system.

October 2009 1


3. Prerequisites

• This How-To assumes that you already have the SAP NW IdM Center set up and running correctly.

• SAP NW IdM Runtime component software – this should be part of the download/media that you got from SAP.

• Java Cryptography Extension Jurisdiction Policy file – use SAP note 1240081 to obtain the required file.

• SAP Java Connector (SAP JCO) file – this can be obtained from Service Market Place.

• Database JDBC Driver – please use the installation guide to find the correct driver for your database (Installation Overview).

• Java Runtime Environment – I would recommend SAP JVM for better support. Use the installation guide to find the supported release.

• Access to SAP NW IdM Center – we will use this to create the dispatcher property and script files.

• An account on the UNIX system with permission to create directories, files, and accounts.


4. Step-by-Step Procedure

Now we have everything we need to start the installation of the new dispatcher for SAP NW IdM. The sequence below may not follow the installation guide, but it covers all the requirements. For this How-To installation, I will be working on SUSE Linux.

4.1 Java Runtime Environment

1. I will be using the SAP JVM 5.1. Go to Service Market Place and perform a software download search for “JVM”. The file that you download should have a name of the form SAPJVM5_xx-xxxxxxxx.SAR.

2. Extract the file content on the UNIX host where you would like to run the new dispatcher. For this example, I will be extracting it to “/opt”. This creates a directory “sapjvm_5”, so the Java home for this JVM is “/opt/sapjvm_5”.

3. Set up your environment so that you can use the JVM above. For this example, the end result is as follows:

Executable Path: /opt/sapjvm_5/bin

JAVA_HOME: /opt/sapjvm_5

4.2 Java Cryptography Extension Jurisdiction Policy

1. Look at SAP note 1240081 to obtain the correct policy file.

2. Once you have obtained the policy file (zip format), unzip the content so that the 2 jar files are placed in the “/opt/sapjvm_5/jre/lib/security” directory (you may need to move them out of the jce directory inside the zip).
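The two sections above end with a JVM whose location is known and a JCE policy that has been dropped into its security directory; the start-up errors in section 4.7 are what you see when either part is missing. The following script is an added preflight check and is not part of the SAP guide. It assumes the SAP JVM 5 layout described above (bin/java and jre/lib/security under the Java home) and that the unlimited-strength policy consists of the files local_policy.jar and US_export_policy.jar, which are the usual JCE policy file names; the guide itself only says "the 2 jar files". The function names are hypothetical.

```shell
#!/bin/sh
# Added preflight check for sections 4.1 and 4.2 (not part of the SAP guide).
# Assumptions: <java_home> has the SAP JVM 5 layout (bin/java, jre/lib/security)
# and the JCE policy ships as local_policy.jar and US_export_policy.jar.

# check_jvm_home <java_home>
# Returns 0 when bin/java is executable and both policy jars are present in
# jre/lib/security; prints each missing piece and returns 1 otherwise.
check_jvm_home() {
    home=$1
    rc=0
    if [ ! -x "$home/bin/java" ]; then
        echo "missing or not executable: $home/bin/java"
        rc=1
    fi
    for jar in local_policy.jar US_export_policy.jar; do
        if [ ! -f "$home/jre/lib/security/$jar" ]; then
            echo "JCE policy jar not installed: $home/jre/lib/security/$jar"
            rc=1
        fi
    done
    return $rc
}

# check_env <java_home>
# Verifies what step 3 of 4.1 asks for: JAVA_HOME equals <java_home> and
# <java_home>/bin is an entry on PATH (so "java" resolves to this JVM).
check_env() {
    home=$1
    if [ "$JAVA_HOME" != "$home" ]; then
        echo "JAVA_HOME is '$JAVA_HOME', expected $home"
        return 1
    fi
    case ":$PATH:" in
        *":$home/bin:"*) return 0 ;;
        *) echo "$home/bin is not on PATH"; return 1 ;;
    esac
}

# Stand-alone use: sh check_jvm.sh /opt/sapjvm_5
if [ -n "$1" ]; then
    check_jvm_home "$1" && check_env "$1" && echo "JVM and JCE policy look correct"
fi
```

Run it as the account that will later start the dispatcher (idmadm after section 4.3), because PATH and JAVA_HOME are per-user settings and a check that passes for root says nothing about that account.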

4.3 SAP NW IdM Runtime

1. Upload the SAP NW IdM Runtime component installation software to a temporary directory on your UNIX host. We only need the content of the “Setup” directory.

2. Change the file permissions so that the setup file is executable on the host (if it is not already). Execute this command inside the temporary source directory that holds the installation file: “chmod +x *.bin”

3. Now execute the correct file for your operating system. Since I am on SUSE Linux, I will use “setuplinux.bin”.

Your operating system must be able to display the GUI setup console, or you will get an error message similar to the one below.

Error Message: “The installer is unable to run in graphical mode. Try running the installer with the -console or -silent flag.”


4. Just follow the wizard GUI console to complete the installation of the Runtime component.

a. and b. (installer screens)

c. When the installer proposes its installation path, I would suggest that you remove the space in “identity center” and replace “opt” with “sap” to follow the normal SAP standard. This will help you with the executable later on. The new path will be: “/usr/sap/idm/identitycenter”


d. and e. (installer screens)

f. Verify the content of the “/usr/sap/idm/identitycenter” directory. You should have 2 directories and 1 shell file (Java, _uninst, postinst.sh).

g. Run the post-installation step to complete the setup. This creates a user account and group so that the new dispatcher can run under that ID. Execute “sh postinst.sh” inside “/usr/sap/idm/identitycenter” so that the script can set up the home directory for the “idmadm” account correctly.


Please use the strong password setting. The setup that I am using is only for demonstration purposes, so I did not create a strong password.

4.4 SAP Java Connector

1. Go to Service Market Place under “Download” and “SAP Connectors”, and download the SAP JCO for your operating system.

2. Extract the content and follow the instructions (<extract dir>/javadoc/installation.html) on how to install the software.

3. Set the ownership of the file so that "idmadm" is the owner and "sapadm" is the group.

4. Remember the path to the SAP JCO jar file so we can use it later on, or copy the jar to “/usr/sap/idm/identitycenter/Java”.

4.5 Database Driver

1. Please follow the SAP NW IdM installation guide to download the correct JDBC driver for your installation.

2. Once you have the JDBC driver, you can place it anywhere on the system, but it is recommended that you place it inside the Java directory of the IdM installation (example: “/usr/sap/idm/identitycenter/Java”) so that it is in a central location.

3. Set the ownership of the file so that “idmadm” is the owner and “sapadm” is the group.


4.6 Script & Property File

1. Access your SAP NW IdM Center and create a new dispatcher in MMC.

2. Give the new dispatcher a unique name. It is recommended to name a dispatcher after the host it is running on, i.e. dispatcher name = <hostname>. This eases configuration and debugging.

3. On the “Options” screen, uncheck all the “Windows runtime engine” jobs.


We do not need these options since we are running on a UNIX OS.

4. Create the script for the new dispatcher.

Keep the default setting for the path.

5. Navigate to the script installation directory (on your SAP NW IdM Center) and copy the files for your new dispatcher to your UNIX host. The 2 files that you need are “Dispatcher_Service_<name>.sh” and “Dispatcher_Service_<name>.prop”.

6. Place these files into your new dispatcher directory on the UNIX host. You can create a new directory or place them directly into the “/usr/sap/idm/identitycenter” directory.

7. On these 2 files, change the ownership so that “idmadm” is the owner and “sapadm” is the group (example command: chown idmadm:sapadm Dispatcher_Service_*). Set the executable bit on the shell file so that we can execute it (command: chmod +x Dispatcher_Service*.sh).

8. Update the dispatcher property file (Dispatcher_Service*.prop) so that it has the correct path to your SAP JCO library file.

“DSECLASSPATH” – check that every entry of the class path is correct and change it where appropriate.

9. Update the dispatcher shell file (Dispatcher_Service*.sh) so that it has the correct paths to your installation library files. Use your text editor to change the content of the file and set the correct path for:

“JAVA_HOME” – for this demo, the value will be “/opt/sapjvm_5”

“MXDRIVERJAR” – for this demo, the value will be “/usr/sap/idm/identitycenter/Java/sqljdbc.jar”
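Steps 7 to 9 above, together with the ownership steps in 4.4 and 4.5, are the places where a dispatcher most often fails silently: a wrong owner stops idmadm from reading the property file, and a stale DSECLASSPATH or MXDRIVERJAR entry only surfaces as a class-loading error at start-up. The script below is an added check and is not part of the SAP guide. It assumes that the .prop file carries DSECLASSPATH as a plain "KEY=value" line with entries separated by ":" (the guide names the key but not the file layout), and that the .sh file sets JAVA_HOME and MXDRIVERJAR as plain shell assignments at the start of a line. The function names are hypothetical; the owner and group are passed in so the check can be run against any account.

```shell
#!/bin/sh
# Added verification for 4.4/4.5 step 3 and 4.6 steps 7-9 (not from the
# SAP guide). Assumptions: .prop is "KEY=value" per line, DSECLASSPATH is
# ':'-separated, and the .sh file assigns JAVA_HOME/MXDRIVERJAR at line start.

# check_ownership <owner> <group> <file>...
# Every file must be owned by <owner>:<group> (idmadm:sapadm in the guide)
# and every *.sh must carry its executable bit.
check_ownership() {
    owner=$1; group=$2; shift 2
    rc=0
    for f in "$@"; do
        # find(1) on a single file prints it only when owner and group match
        if [ -z "$(find "$f" -user "$owner" -group "$group" -print 2>/dev/null)" ]; then
            echo "wrong owner/group on $f (want $owner:$group)"
            rc=1
        fi
        case $f in
            *.sh) [ -x "$f" ] || { echo "not executable: $f"; rc=1; } ;;
        esac
    done
    return $rc
}

# prop_value <file> <key>: prints the value of the last "<key>=value" line
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_classpath <prop_file>
# Splits DSECLASSPATH on ':' and reports every entry that does not exist.
check_classpath() {
    cp=$(prop_value "$1" DSECLASSPATH)
    [ -n "$cp" ] || { echo "DSECLASSPATH not set in $1"; return 1; }
    rc=0
    oldifs=$IFS; IFS=:
    for entry in $cp; do
        [ -e "$entry" ] || { echo "classpath entry missing: $entry"; rc=1; }
    done
    IFS=$oldifs
    return $rc
}

# check_script <sh_file>
# The two values step 9 asks you to edit must be set and must exist on disk.
check_script() {
    rc=0
    for var in JAVA_HOME MXDRIVERJAR; do
        v=$(prop_value "$1" "$var" | sed 's/^"\(.*\)"$/\1/')   # strip optional quotes
        if [ -z "$v" ]; then
            echo "$var not set in $1"; rc=1
        elif [ ! -e "$v" ]; then
            echo "$var points at a missing path: $v"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check_dispatcher.sh /usr/sap/idm/identitycenter <name>
if [ -n "$2" ]; then
    d=$1; n=$2
    check_ownership idmadm sapadm "$d/Dispatcher_Service_$n.sh" "$d/Dispatcher_Service_$n.prop"
    check_classpath "$d/Dispatcher_Service_$n.prop"
    check_script "$d/Dispatcher_Service_$n.sh"
fi
```

Run it after every edit of the .prop or .sh file and again after patching the JCO or JDBC jar, since a renamed jar invalidates the class path without any visible change in the IdM Center.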


4.7 Start & Test Run

Now that we have everything in place, we should be able to start the dispatcher to see if everything is set up correctly.

1. Execute the Dispatcher_Service*.sh script.

You may encounter errors due to a missing library or one of the problems below.

a. Script error due to copying the file between different operating systems.

Error message:

“…/bin/sh^M: bad interpreter: No such file or directory”

This can be fixed with the commands below:

(a) Rename the current “Dispatcher_Service_<name>.sh” to “Dispatcher_Service_<name>.sh_bak”

(b) Execute: “tr -d '\r' < Dispatcher_Service_<name>.sh_bak > Dispatcher_Service_<name>.sh”

(c) Execute: “chmod +x Dispatcher_Service_<name>.sh”

b. Missing JCE policy

Error messages:

“… java.lang.NoClassDefFoundError: javax/crypto/SunJCE_b …”

“… java.lang.SecurityException: Cannot set up certs for trusted CAs …”

“… java.lang.SecurityException: Cannot locate policy or framework files! …”

Ensure that the correct JCE policy version for your landscape is installed.

2. If everything is working correctly, you should see something similar to the screen below.

3. Now you can schedule a job to use this dispatcher in your SAP NW IdM Center.

If you have any jobs that access file-based content, you must ensure that your new dispatcher host can access those files.
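The "bad interpreter" failure in step 1a comes from a carriage return that the Windows-side IdM Center left at the end of the shebang line. The helper below is an added example, not part of the SAP guide; it performs the three manual commands of step 1a in one go, but only on files that actually carry CR characters, keeps the _bak copy the guide creates, and checks that the converted script still starts with a #! line. It assumes a plain sh script as input and the function names are hypothetical.

```shell
#!/bin/sh
# Added helper for 4.7 step 1a (not from the SAP guide): detect and repair
# CRLF line endings in a dispatcher script copied from a Windows host.

# has_crlf <file>: returns 0 when the file contains carriage returns
has_crlf() {
    # compare the file with its CR-stripped form; cmp reads stdin for "-"
    if tr -d '\r' < "$1" | cmp -s - "$1"; then
        return 1
    fi
    return 0
}

# fix_crlf <file>
# Backs the file up as <file>_bak, strips every CR, restores the exec bit
# and refuses to report success if the result lost its #! line.
fix_crlf() {
    f=$1
    if ! has_crlf "$f"; then
        echo "no carriage returns in $f, nothing to do"
        return 0
    fi
    cp -p "$f" "${f}_bak" || return 1
    tr -d '\r' < "${f}_bak" > "$f" || return 1
    chmod +x "$f"
    if ! head -n 1 "$f" | grep -q '^#!'; then
        echo "warning: $f has no #! line after conversion"
        return 1
    fi
    echo "converted $f (backup in ${f}_bak)"
}

# Stand-alone use: sh fix_crlf.sh /usr/sap/idm/identitycenter/Dispatcher_Service_<name>.sh
if [ -n "$1" ]; then
    fix_crlf "$1"
fi
```

The same check is worth running on the .prop file: a trailing CR on a property value becomes part of the value, which is why a class path that looks right in the editor can still fail to load.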


4.8 Startup/Shutdown Service

Now everything is working, but you would like this application to start and stop automatically when the OS restarts. This can be done by creating your own service on the UNIX host. Below is an example of a script that you can use with a little tweaking to ensure that the paths are set up correctly for your landscape. For this demo, I am working on a Linux host, so your setup may differ slightly.


#!/bin/sh
#
# Location of the IdM runtime and of the dispatcher script created in 4.6
IC_Runtime_HOME=/usr/sap/idm/identitycenter
IC_Runtime=$IC_Runtime_HOME/Dispatcher_Service_<NAME>.sh

case "$1" in
'start')
    # run the dispatcher as the idmadm account created by postinst.sh
    if test -x $IC_Runtime; then
        echo "Starting IdM Dispatcher...."
        su idmadm -c $IC_Runtime > /dev/null 2>&1 &
    fi
    ;;
'stop')
    # find the dispatcher process by its path and send it a hangup
    pid=`ps -ef | grep $IC_Runtime_HOME | grep -i dispatcher | awk '{print \$2}'`
    #/bin/kill -TERM $pid
    /bin/kill -HUP $pid
    ;;
*)
    echo "usage: /etc/init.d/IdM_Dispatcher {start|stop}"
    ;;
esac

1. Create a file (/etc/init.d/IdM_Dispatcher) with the script content above in it.

2. Change the “IC_Runtime_HOME” and “IC_Runtime” values accordingly.

3. Set the executable bit on the file.

4. Add the service to the system runlevels.
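Steps 1 to 3 can be scripted so that the init script is generated from a template rather than hand-edited on every host. The script below is an added example and not part of the SAP guide. write_template writes a copy of the guide's init script (with the usage line matching the file name in step 1) so that the example runs stand-alone; render_init_script fills in the <NAME> placeholder and IC_Runtime_HOME, refuses to install a script that does not parse or that points at a dispatcher script without its executable bit, and sets mode 0755. The runlevel registration of step 4 is left out because it needs root and differs between distributions; the function names and the /etc/init.d target are assumptions.

```shell
#!/bin/sh
# Added installer for the 4.8 init script (not from the SAP guide).
# Assumptions: the template carries the guide's <NAME> placeholder and an
# IC_Runtime_HOME= assignment; function names are hypothetical.

# write_template <file>
# Writes a copy of the guide's init script so the example is self-contained.
write_template() {
    cat > "$1" <<'EOF'
#!/bin/sh
IC_Runtime_HOME=/usr/sap/idm/identitycenter
IC_Runtime=$IC_Runtime_HOME/Dispatcher_Service_<NAME>.sh
case "$1" in
'start')
    if test -x $IC_Runtime; then
        echo "Starting IdM Dispatcher...."
        su idmadm -c $IC_Runtime > /dev/null 2>&1 &
    fi
    ;;
'stop')
    pid=`ps -ef | grep $IC_Runtime_HOME | grep -i dispatcher | awk '{print \$2}'`
    /bin/kill -HUP $pid
    ;;
*)
    echo "usage: /etc/init.d/IdM_Dispatcher {start|stop}"
    ;;
esac
EOF
}

# render_init_script <template> <dispatcher name> <ic home> <dest>
# Steps 1-3 of 4.8: substitute <NAME> and IC_Runtime_HOME, verify the result
# parses and points at an executable dispatcher script, install with 0755.
render_init_script() {
    tpl=$1; name=$2; home=$3; dest=$4
    runtime="$home/Dispatcher_Service_$name.sh"
    if [ ! -x "$runtime" ]; then
        echo "dispatcher script missing or not executable: $runtime"
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed -e "s|<NAME>|$name|g" \
        -e "s|^IC_Runtime_HOME=.*|IC_Runtime_HOME=$home|" "$tpl" > "$tmp"
    if ! sh -n "$tmp"; then
        echo "generated init script does not parse, not installing"
        rm -f "$tmp"
        return 1
    fi
    cp "$tmp" "$dest" && chmod 0755 "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use (as root): sh install_init.sh <name> /usr/sap/idm/identitycenter
# Step 4, e.g. "chkconfig --add IdM_Dispatcher" on SUSE (assumption), is not automated here.
if [ -n "$2" ]; then
    tpl=$(mktemp) && write_template "$tpl" \
        && render_init_script "$tpl" "$1" "$2" /etc/init.d/IdM_Dispatcher
    rm -f "$tpl"
fi
```

Because the template is rendered from a single source, the dispatcher name and runtime path end up identical in the init script, the .sh file and the IdM Center, which is the property the naming recommendation in 4.6 step 2 relies on when you debug a job that ran on the wrong host.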

5. Congratulation

You have just finished setting up a SAP NW IdM Dispatcher on a UNIX platform.

www.sdn.sap.com/irj/sdn/howtoguides