
Solution Operation Guide

SAP NetWeaver Identity Management 7.2

Document Version 7.2 Rev 17 - July 2014
2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for
any purpose without the express permission of SAP AG. The information
contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain
proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual
Studio are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System
p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise,
PowerVM, Power Architecture, Power Systems, POWER7, POWER6+,
POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System
Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF,
Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and
Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or
registered trademarks of Adobe Systems Incorporated in the United States and
other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open
Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and
MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of
W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch,
Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered
trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry
Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry
PlayBook, and BlackBerry App World are trademarks or registered trademarks
of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API,
Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile,
Google Store, Google Sync, Google Updater, Google Voice, Google Mail,
Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks
of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies
Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings
LLC.
Computop is a registered trademark of Computop Wirtschaftsinformatik
GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of SAP AG in Germany and
other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other
Business Objects products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere,
and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of Sybase
Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are
registered trademarks of Crossgate AG in Germany and other countries.
Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are
provided by SAP AG and its affiliated companies ("SAP Group") for
informational purposes only, without representation or warranty of any kind,
and SAP Group shall not be liable for errors or omissions with respect to the
materials. The only warranties for SAP Group products and services are those
that are set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address:
service.sap.com/instguides
Typographic Conventions
Type Style | Represents
Example Text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Solution Operation Guide for SAP NetWeaver Identity Management
2014-07 5
Contents
1 Getting Started ......................................................................... 9
1.1 Global Definitions ........................................................................... 9
1.2 Important SAP Notes .................................................................... 10
1.3 History of Changes ....................................................................... 10
2 Technical System Landscape .............................................. 11
2.1 Scenario/Component Matrix ........................................................ 11
2.2 URLs to the Identity Management User Interface ...................... 12
2.3 Related Documentation ................................................................ 12
3 Defining the System Landscape Directory information (optional) ........... 13
3.1 Identity Center............................................................................... 13
3.1.1 SAP NetWeaver AS Java as of Release 7.0 ...................................... 13
3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition
Environment 7.2/SAP NetWeaver 7.3 ............................................................ 16
3.2 Virtual Directory Server ................................................................ 24
3.2.1 Deployed Configuration ..................................................................... 24
3.2.2 Standalone mode ................................................................................ 24
4 Monitoring of Identity Management ..................................... 25
4.1 Monitoring the Identity Center ..................................................... 25
4.1.1 Viewing the dispatcher status ........................................................... 26
4.1.2 Viewing the job status ........................................................................ 26
4.1.3 Viewing the system log ...................................................................... 26
4.1.4 Viewing the job log ............................................................................. 27
4.1.5 Viewing the provisioning queue ........................................................ 27
4.1.6 Viewing the provisioning audit .......................................................... 27
4.1.7 Viewing the approval queue .............................................................. 28
4.1.8 Setting up a SAP JCo-Trace .............................................................. 28
4.1.9 Viewing the logs from the Identity Management User Interface...... 28
4.1.10 Viewing the traces from the Identity Management User Interface 28
4.1.11 Using the System diagnostics report for problem analysis .......... 29
4.1.12 Providing access to the configuration for problem analysis ........ 29
4.2 Monitoring of the Virtual Directory Server ................................. 29
4.2.1 Viewing the logs on SAP NetWeaver AS Java .................................. 29
4.2.2 Viewing the traces on SAP NetWeaver AS Java ............................... 29
4.2.3 Viewing the logs when running in standalone mode ....................... 30
4.2.4 Verifying that the server is available ................................................. 30
4.3 Monitoring of Identity Management Identity Federation ........... 30
4.4 Monitoring Performance with Wily Introscope ........................... 30
4.4.1 Monitoring SAP NetWeaver AS Java ................................................. 31
4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory
Server (Standalone mode) ............................................................................. 32
4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4) .................................................... 32
4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6) .................................................... 32
4.4.3 Troubleshooting ................................................................................. 32
4.5 Configuring and Viewing the Entry Trace .................................. 33
4.5.1 Configuring the Entry Trace .............................................................. 33
4.5.2 Viewing the Trace Log ........................................................................ 34
4.5.3 Reading the Trace Log ....................................................................... 34
4.6 Analyzing Statement Execution .................................................. 35
4.6.1 Enabling the Statement Execution Analysis..................................... 35
4.6.2 Viewing the Log .................................................................................. 36
4.6.3 Reading the Log ................................................................................. 36
5 Management of SAP NetWeaver Identity Management ..... 37
5.1 Starting and Stopping .................................................................. 37
5.1.1 Starting and stopping the Identity Center ......................................... 37
5.1.2 Starting and stopping the Virtual Directory Server .......................... 37
5.2 Software Configuration ................................................................ 37
5.2.1 Software Configuration Identity Center ......................................... 37
5.2.2 Software Configuration Virtual Directory Server ........................... 37
5.3 Administration Tools .................................................................... 38
5.4 Backup and Restore ..................................................................... 38
5.4.1 Backing up and restoring an Identity Center database
(Microsoft SQL Server) .................................................................................. 38
5.4.1.1 Backing up a database ............................................................................. 38
5.4.1.2 Restoring a database................................................................................ 38
5.4.2 Backing up and restoring an Identity Center database (Oracle) ..... 40
5.4.2.1 Backing up a database ............................................................................. 40
5.4.2.2 Restoring a database................................................................................ 40
5.4.3 Backing up and restoring an Identity Center database (IBM DB2) .. 41
5.4.4 Backing up and restoring a Virtual Directory Server configuration 41
5.5 Application Copy .......................................................................... 41
5.6 Periodic Tasks .............................................................................. 41
5.6.1 Manual tasks for the Identity Center ................................................. 41
5.6.2 Manual tasks for Transport/Configuration Management ................. 42
5.6.3 Cleaning up the audit information ..................................................... 42
5.6.4 Cleaning up the table job_execution ................................................. 43
5.6.5 Clean up the table AuditTrail ............................................................. 43
5.6.6 Cleaning up historic values in the identity store .............................. 43
5.6.7 Rebuilding database indexes ............................................................ 43
5.6.8 Viewing Changes to the Configuration ............................................. 43
5.6.9 Changing Global or Repository Constants ....................................... 44
5.6.9.1 Modifying Assignment Grouping Repository Constants ........................ 45
5.6.10 Adding a Repository to the Productive System ............................. 45
5.7 Load Balancing ............................................................................. 45
5.7.1 Load Balancing Identity Center ...................................................... 45
5.7.2 Load Balancing Virtual Directory Server ....................................... 45
5.8 User Management ......................................................................... 46
5.9 Maintaining Message Templates ................................................. 46
5.9.1 Initial Configuration ............................................................................ 46
5.9.2 Listing Message Templates ............................................................... 46
5.9.3 Editing a Message Template .............................................................. 47
5.9.3.1 Available Parameters................................................................................ 48
5.9.4 Adding a Language Version of a Message Template ....................... 49
5.9.5 Removing a Language Version of a Message Template .................. 49
5.9.6 Creating a Message Template ........................................................... 50
5.9.7 Removing a Message Template ......................................................... 50
5.10 Managing Approvals .................................................................... 51
5.10.1 Listing Pending Approvals .............................................................. 51
5.10.2 Finding Approvals Using Advanced Search .................................. 52
5.10.3 Declining a Pending Approval ......................................................... 52
5.10.4 Escalating a Pending Approval ....................................................... 53
5.10.5 Exporting the Pending Approvals ................................................... 53
6 High Availability ..................................................................... 53
6.1 High Availability for the Identity Center ...................................... 53
6.2 High Availability for the Virtual Directory Server ....................... 53
6.2.1 High Availability for Standalone Virtual Directory Server................ 53
7 Software Change Management ............................................ 54
7.1 Software Change Management.................................................... 54
7.2 Support Packages and Patch Implementation ........................... 54
7.3 Upgrading the Identity Center ..................................................... 54
7.4 Upgrading the Virtual Directory Server ...................................... 54
8 Troubleshooting..................................................................... 55
8.1 Identity Center: Dispatcher fails to start ..................................... 55
8.1.1 Problem Description........................................................................... 55
8.1.2 Solution ............................................................................................... 55
8.2 Identity Center: Timeout issues .................................................. 56
8.2.1 Problem Description........................................................................... 56
8.2.2 Solution ............................................................................................... 56
8.3 Identity Center: Insufficient memory .......................................... 56
8.3.1 Problem Description........................................................................... 56
8.3.2 Solution ............................................................................................... 56
8.4 Identity Center: Codepage <number> not supported by JAVA-
environment ............................................................................................. 57
8.4.1 Problem Description........................................................................... 57
8.4.2 Solution ............................................................................................... 57
8.5 Identity Center: Error messages from jobs accessing ABAP
systems .................................................................................................... 58
8.5.1 Problem Description........................................................................... 58
8.5.2 Solution ............................................................................................... 58
8.6 Identity Management User Interface: Java runtime exception
when logging in ....................................................................................... 58
8.6.1 Problem Description........................................................................... 58
8.6.2 Solution ............................................................................................... 58
8.7 Identity Management User Interface: Error message about
missing database columns or procedures ............................................ 58
8.7.1 Problem description ........................................................................... 58
8.7.2 Solution ............................................................................................... 58
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database" ......................................................... 59
8.8.1 Problem Description........................................................................... 59
8.8.2 Solution ............................................................................................... 59
8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database" ......................................................... 59
8.9.1 Problem Description........................................................................... 59
8.9.2 Solution ............................................................................................... 59
8.10 Virtual Directory Server: Server doesn't start ............................ 59
8.10.1 Problem Description ........................................................................ 59
8.10.2 Solution ............................................................................................. 59
8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails ............ 60
8.11.1 Problem Description ........................................................................ 60
8.11.2 Solution ............................................................................................. 60
9 Support Desk Management .................................................. 60
9.1 Remote Support Setup ................................................................. 60
9.1.1 Defining a support user ..................................................................... 61
9.2 Problem Message Handover ........................................................ 61
1 Getting Started
This guide does not replace the daily operations handbook that we recommend
customers create for their specific production operations.
About this Guide
Designing, implementing, and running your SAP applications at peak performance 24 hours a day
has never been more vital for your business success than now.
This guide provides a starting point for managing your SAP applications and maintaining and
running them optimally. It contains specific information for various tasks and lists the tools that you
can use to implement them. This guide also provides references to the documentation required for
these tasks, so you will sometimes also need other Guides such as the Master Guide, Technical
Infrastructure Guide, and SAP Library.
Target Groups
Technical Consultants
System Administrators
Solution Consultants
Business Process Owner
Support Specialist
1.1 Global Definitions
SAP Application:
An SAP application is an SAP software solution that serves a specific business area like ERP, CRM,
PLM, SRM, SCM.
Business Scenario:
From a microeconomic perspective, a business scenario is a cycle that consists of several
different interconnected logical processes in time. Typically, a business scenario includes several
company departments and involves other business partners. From a technical point of view, a
business scenario needs at least one SAP application (SAP ERP, SAP SCM, or others) for each
cycle and possibly other third-party systems. A business scenario is a unit that can be
implemented separately and reflects the customer's prospective course of business.
Component:
A component is the smallest individual unit considered within the Solution Development Lifecycle;
components are separately produced, delivered, installed and maintained.
1.2 Important SAP Notes
Check regularly for updates available for the Application Operations Guide.
Important SAP Notes
SAP Note Number | Title | Comment
1498369 | Central note for SAP NetWeaver Identity Management 7.2 | This is the central entry point for all SAP Notes related to Identity Management 7.2.
1.3 History of Changes
Make sure you use the current version of the Application Operations Guide.
The current version of the Application Operations Guide is at service.sap.com/instguides
on SAP Service Marketplace.
The following table provides an overview of the most important changes in prior versions.
Version | Important Changes
Version 7.2 Revision 1 | Initial version for 7.2, including links to the Identity Management User Interface
Version 7.2 Revision 7 | Included Trace information
Version 7.2 Revision 15 | Added section 5.6.9.1 describing repository constants for privilege grouping
Version 7.2 Revision 16 | Minor change in section 4.1.5 Viewing the Provisioning Queue
Version 7.2 Revision 17 | Change in section 4.1.11 Using the System diagnostics report for problem analysis
2 Technical System Landscape
2.1 Scenario/Component Matrix
The following diagram shows the architecture of the SAP NetWeaver Identity Management:
The Identity Center database is the core of the Identity Center. This is a single database holding
two different types of information:
One type is the configuration information for all items that are defined in the Identity Center,
including the job configurations, the job status information (that is, what is being executed at this
very moment), the log information (that is, the status of what has been done previously), as well as
scheduling information (when the jobs are to be run next).
The other type of information is the actual data being processed, including the Identity store that
contains the entries processed by the jobs in the Identity Center, as well as the log and audit
information.
The Administrator manages the Identity Center configuration through the Management Console.
The Identity Management User Interface is used for all end-user registration/self service,
password resets and approval of tasks. It also contains monitoring information for administrators of
the Identity Center.
The Runtime Components (dispatchers, runtime engines and event agents) are responsible for
processing both provisioning and synchronization tasks. They are also responsible for performing
reconciliation and bootstrapping.
The Dispatcher(s) are connected to the Identity Center database and check for jobs that are ready
to be run. A dispatcher is running on each computer where a Runtime engine is installed. The
dispatcher starts the Runtime engine that executes the job.
Event agents can be configured to take action based on changes in different types of repositories
such as directory servers, message queues or others. This mechanism is optional and its only
purpose is to initiate synchronization based on changes in repositories in addition to the scheduled
operations.
The Virtual Directory Server can be deployed as a web service on SAP NetWeaver AS Java to
provide web service access to the identity data.
When the Virtual Directory Server is deployed as an LDAP server it serves as an interface to third-
party applications for the Identity Center.
2.2 URLs to the Identity Management User Interface
The following URLs are used to access the Identity Management User Interface:
http://<host>:<port>/idm to access the main Identity Management User Interface.
http://<host>:<port>/idm/pwdreset to run the password reset task. (See the document SAP
NetWeaver Identity Management Identity Center Implementation Guide: Self-service
password reset for details.)
http://<host>:<port>/idm/admin to access the Identity Management Administration User
Interface. For more information about Monitoring, see page 25. For more information about
transport, see SAP NetWeaver Identity Management Identity Center Implementation Guide:
Transport for details. For information about configuration, see page 37.
2.3 Related Documentation
Links to the documentation for SAP NetWeaver Identity Management can be found in the help
portal:
http://help.sap.com/nwidm72
Topic | Guide/Tool
Installation information | Identity Management Master Guide; Identity Center Installation Overview; Virtual Directory Server Installation and Initial Configuration
Security | Identity Management Security Guide
3 Defining the System Landscape Directory information (optional)
This section describes how to maintain the HTTP destination for the System Landscape Directory
(SLD) Data Supplier. The configuration is optional; it is relevant only when you actually use
the SLD.
For more information about SLD, see
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/b683dd96655295e10000000a42189b/frameset.htm.
3.1 Identity Center
The procedure is different, depending on your version of SAP NetWeaver:
SAP NetWeaver AS Java as of Release 7.0
Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1/SAP
NetWeaver Composition Environment 7.2
There are separate sections for each SAP NetWeaver version.
3.1.1 SAP NetWeaver AS Java as of Release 7.0
To configure the SLD Data Supplier for SAP NetWeaver AS Java 7.0, use the Visual Administrator.
1. Start and login to the Visual Administrator.
2. Select Server\Services\Destinations in the "Cluster" tab.
3. Select "HTTP" in the "Runtime" tab and choose "New" to create a new HTTP destination.
Enter "SLD_DataSupplier" as the name for the destination.
4. Choose "OK". This will open a pane where the destination can be defined further:
Enter the following information:
URL
In the "Connection Settings" section, at least a URL needs to be defined. The URL is
http://<host>:<port>, where <host> is the name of the host where the SLD bridge runs and
<port> is the AS Java HTTP standard access port of the SLD.
Authentication
In "Logon Data" section, select "BASIC" as the authentication method.
Username
Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java
user must have the role SAP_SLD_DATA_SUPPLIER.
Password
Enter the user's password.
If it is desirable to use HTTPS for the connection from the SLD, select "X509 Client
Certificate" as the authentication method. The "Keystore view" field (with the
"Certificate" field) is then ready for input. A key storage view contains the root
certificates of the trusted roots, and checks the authentication of a received server
certificate. Make sure to select "service_ssl" in the "Keystore view" field (see figure
below).
5. Choose "Save and Test" to save the entries and to test the connection to the destination. To
save the entries only, choose "Save".
It will update the SLD when the application (tcidmjmxapp) is started and with regular intervals.
3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition
Environment 7.2/SAP NetWeaver 7.3
To configure the SLD Data Supplier for Enhancement package 1 for SAP NetWeaver Composition
Environment 7.1, SAP NetWeaver Composition Environment 7.2 or SAP NetWeaver 7.3, do the
following:
There may be minor differences between the versions.
1. Start and login to the SAP NetWeaver Administrator.
2. Select the "Configuration Management" tab and then the "Security" sub-tab.
3. Select "Destinations".
4. Choose "Create" and create a destination called SLD_DataSupplier of type HTTP.
If such a destination already exists, check if its values suit you and use it.
In "General Data" section define the following:
Destination Name
Add the name "SLD_DataSupplier".
Destination Type
Select type "HTTP".
5. Choose "Next".
In the "Connection and Transport" section, specify at least the URL (http://<host>:<port>), where
<host> is the name of the host where the SLD bridge runs and <port> is the AS Java HTTP
standard access port of the SLD.
6. Choose "Next".
In "Logon Data" section, define the following data:
Authentication
Select "Basic (User ID and Password)".
User Name
Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java
user must have the role SAP_SLD_DATA_SUPPLIER.
Password
Enter the user's password.
If you want to use HTTPS for the connection from the SLD, select "X509 Client Certificate with SSL" as the authentication method. The "Keystore View" field then becomes ready for input. A key storage view contains the certificates of the trusted roots and is used to check the authentication of a received server certificate. Select "service_ssl" in the "Keystore View" field and "ssl-credentials" in the "Certificate" field (see the figure below):
You find a list of the available key storage views at Configuration Management -> Security Management -> Key Storage.
7. Choose "Finish" to finish and save the entries.
If an error occurs, an error message is displayed. If the entries are saved successfully, the
connection data is saved in encrypted form in the secure store in the database.
8. You can test the settings by sending test data to the SLD: select the sub-tab "Infrastructure" from the tab "Configuration Management" in the SAP NetWeaver Administrator, and then "SLD Data Supplier Configuration".
9. Choose "Collect and Send Data" and wait for the response.
The application (tcidmjmxapp) updates the SLD when it is started and at regular intervals thereafter.
3.2 Virtual Directory Server
The process is different depending on whether the configuration is deployed on SAP NetWeaver or
you are running in standalone mode.
3.2.1 Deployed Configuration
The process is the same as the process described for the Identity Center.
Make sure to specify the correct URL and connection parameters to the server.
3.2.2 Standalone mode
When running in standalone mode, you configure the SLD Data Supplier as part of the server
properties:
1. View the properties of the server and select the "SLD registration" tab.
Select "Enable SLD Registration" and fill in "SLD URL", "SLD Username" and "SLD Password" as described on page 14. Make sure not to include /sld in the URL.
2. Choose "OK".
When you start the server, it updates the SLD when the configuration is loaded or reloaded and at regular intervals thereafter.
4 Monitoring of Identity Management
Within the management of SAP Technology, monitoring is an essential task. A section has
therefore been devoted solely to this subject.
4.1 Monitoring the Identity Center
Monitoring of the Identity Center is done using the "Monitoring" tab of the Identity Management
Administration User Interface. How you configure access to the "Monitoring" tab is described in the
document SAP NetWeaver Identity Management Identity Center: Installing and configuring the
Identity Management User Interface.
The following information is available from the Monitoring tab:
Approval queue
Dispatcher status
Job log
Job status
Provisioning audit
System log
The dispatcher status, job log, job status and system log are also available from the Management
Console.
The URL for accessing the "Monitoring" tab is http://<host>:<port>/idm/admin. This URL can be
used for instance from Solution Manager.
4.1.1 Viewing the dispatcher status
On each server with the Runtime Components, there will be a dispatcher running. The dispatcher is
responsible for starting the runtime engine when a job is ready for execution, as well as performing
some basic provisioning logic.
It is essential that the dispatchers are running. If the dispatcher stops, it will no longer be able to
perform any logic, nor to start any jobs on the server.
To view the dispatcher status, select "Dispatcher Status" from the "Show" list on the Monitoring tab.
The columns show information about each dispatcher that is configured in the system.
The possible states for the dispatcher are:
Running
Not running
4.1.2 Viewing the job status
At any given time, a job is executed by only one runtime engine, i.e. a job is single-threaded. When a runtime engine starts, it requests the first job (i.e. the job with the oldest schedule time) that is available for execution (i.e. has state Idle).
The runtime engine will do the following when executing a job:
Request the next available job. The job state is updated to Running.
Periodically, when a job is executed, the runtime engine updates the timestamp on the job,
to signal that the runtime engine is alive, as well as updating the number of processed
entries.
Release the job, and reschedule. The job state is set to Idle.
Whenever a job is requested, the jobs are checked for any timeouts. If a timeout is detected, the
job state is set to Idle and the job is rescheduled. If this is done more than a specified number of
times, the job state is set to Error, and the job will no longer execute.
Select "Job Status" from the "Show" list on the Monitoring tab to display the information.
Possible states are:
0: Disabled. The job will not run.
1: Idle. The job is waiting to be executed at the time indicated in the Scheduled column.
2: Running. The job is currently executing.
3: Stopping. The job has been ordered to stop.
-1: Error. A fatal error has occurred, and the job will no longer execute.
-2: Timeout. The defined timeout has been reached, meaning that no runtime engine has requested this job for the specified amount of time. When a runtime engine requests a job, this state is treated as Idle.
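The request/heartbeat/release cycle and the timeout handling described above can be modelled in a few lines. The following Python is an added example, not SAP code: the state codes are the ones listed in this section, while the timeout length, the retry limit, the reschedule interval and the reset of the timeout counter on a clean release are assumed parameters, not values taken from the product.

```python
"""Model of the Identity Center job-status cycle (added example, not SAP code).

A runtime engine requests the oldest due job, refreshes a heartbeat while it
runs, then releases and reschedules it. A job whose heartbeat goes stale is
timed out and rescheduled; after too many timeouts it is set to Error. An
idle job nobody requests within the timeout is marked -2 and treated as idle
on the next request. Timeout, retry limit and interval values are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# State codes as shown on the Monitoring tab.
DISABLED, IDLE, RUNNING, STOPPING, ERROR, TIMEOUT = 0, 1, 2, 3, -1, -2


@dataclass
class Job:
    name: str
    state: int = IDLE
    scheduled: float = 0.0       # time the job becomes due (the "Scheduled" column)
    last_heartbeat: float = 0.0  # timestamp the runtime engine refreshes while running
    processed: int = 0           # number of processed entries
    timeout: float = 60.0        # seconds without heartbeat/request before a timeout (assumed)
    interval: float = 300.0      # reschedule interval after a completed run (assumed)
    timeouts: int = 0            # consecutive timeouts seen for this job


class JobQueue:
    def __init__(self, jobs: List[Job], max_timeouts: int = 3):
        self.jobs = list(jobs)
        self.max_timeouts = max_timeouts  # the "specified number of times" (assumed value)

    def check_timeouts(self, now: float) -> None:
        """Done on every request: a running job with a stale heartbeat is timed out."""
        for job in self.jobs:
            if job.state == RUNNING and now - job.last_heartbeat > job.timeout:
                job.timeouts += 1
                if job.timeouts > self.max_timeouts:
                    job.state = ERROR        # the job will no longer execute
                else:
                    job.state = IDLE         # rescheduled for an immediate retry
                    job.scheduled = now

    def mark_unrequested(self, now: float) -> None:
        """Flag idle jobs that no engine has requested within the timeout (state -2)."""
        for job in self.jobs:
            if job.state == IDLE and now - job.scheduled > job.timeout:
                job.state = TIMEOUT

    def request_job(self, now: float) -> Optional[Job]:
        """What a starting runtime engine does: take the oldest due job and mark it Running."""
        self.check_timeouts(now)
        due = [j for j in self.jobs if j.state in (IDLE, TIMEOUT) and j.scheduled <= now]
        if not due:
            return None
        job = min(due, key=lambda j: j.scheduled)
        job.state = RUNNING
        job.last_heartbeat = now
        return job

    def heartbeat(self, job: Job, now: float, processed: int) -> None:
        """Periodic sign of life from the engine, with the entry count so far."""
        job.last_heartbeat = now
        job.processed = processed

    def release(self, job: Job, now: float) -> None:
        """Job finished: back to Idle, due again after the interval."""
        job.state = IDLE
        job.scheduled = now + job.interval
        job.timeouts = 0  # assumption: a clean run clears the timeout count


def simulate_healthy_run() -> List[int]:
    """One job and one well-behaved engine; returns the states observed."""
    job = Job("Sync AD users")
    queue = JobQueue([job])
    states = []
    got = queue.request_job(0.0)
    states.append(job.state)              # Running
    queue.heartbeat(got, 30.0, processed=250)
    queue.heartbeat(got, 60.0, processed=500)
    queue.release(got, 90.0)
    states.append(job.state)              # Idle, due at 390
    queue.request_job(100.0)              # nothing due yet
    queue.mark_unrequested(500.0)
    states.append(job.state)              # Timeout (-2): nobody requested it
    queue.request_job(600.0)
    states.append(job.state)              # treated as idle, Running again
    return states


def simulate_stalled_engine(max_timeouts: int = 2) -> Tuple[List[Tuple[float, int]], int]:
    """Engines keep taking the job and dying; returns (history, timeouts seen)."""
    job = Job("Sync AD users")
    queue = JobQueue([job], max_timeouts=max_timeouts)
    history, now = [], 0.0
    while job.state != ERROR and now < 2000:
        queue.request_job(now)
        history.append((now, job.state))
        now += 100.0  # the next engine arrives after the heartbeat timeout has elapsed
    return history, job.timeouts
```

Running simulate_stalled_engine shows why a stalled dispatcher host matters operationally: each retry costs a full timeout period, and once the retry limit is exceeded the job sits in state -1 until someone notices it on the Monitoring tab.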
4.1.3 Viewing the system log
The system log contains information from the system and the jobs and dispatchers connecting to it.
You can filter the log on error level and/or by date interval. You can also search for log entries with
specific texts.
Which information is included in the system log is specified in the Management Console. For information about how to configure the system log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.
4.1.4 Viewing the job log
The job log displays information about the execution of all jobs in the Identity Center. Each line in
the log shows information about one execution of a job. You can filter the log on error level and/or
by date interval.
You can view an XML or HTML version of the job log from the "Details" view.
For information about how to configure the job log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.
4.1.5 Viewing the provisioning queue
The provisioning queue shows all top-level tasks where there are entries waiting to be processed. The "Queue Size" column shows how many entries are waiting for this particular task. You can also see the last time the task was executed, and the state of the job, if this is an action task. The state column shows the following values:
1: Temporary failure - the task is set for retry and may be delayed until it runs again
2: Ready to run - the task is ready to run once its Exectime has passed
5: Waiting - the task is on hold; this is typical for ordered execution of tasks
11: Failed - the task has finally failed
21: Expanded OK - the task's children have been expanded OK
22: OK - the task has finally succeeded
4.1.6 Viewing the provisioning audit
The provisioning audit contains one entry for each audit ID that is processed. This information is
updated as the task is processed in the system. There will be one entry per root task that is
executed.
The "Provisioning Status" column shows the current status of the task:
Task initiated OK
Task not enabled for provisioning
Task does not exist
Loop detected
Task cannot be used externally as it is private
Entry does not exist in Identity Store
Database error
Task OK
Task Failed
OK
Failed
The "Entry" column shows which entry was processed.
The "Started by" column shows what initiated the task. This can be either an entry (person), event
task.
The "Details" view shows more information about each entry in the audit log. There are two tabs
containing different audit information.
The "Detailed audit" tab
The "Detailed audit" shows the history of the task execution. The log is updated at certain points of
the task execution, making it possible to follow the processing of a request. It is also possible to
add information to the detailed audit by using the internal function uAddAuditInfo from the executing
tasks.
The "Trace" tab
For newer installations of the Identity Center, the trace is enabled by default. If you have an Identity Center that has been upgraded from a previous version, the trace must be enabled manually. This is done in the Management Console: view the properties of the Identity Center, select the "Options" tab and select "Enable trace".
The trace shows the history of the task execution and is updated after the task has completed.
4.1.7 Viewing the approval queue
The approval queue contains all requests awaiting approvals.
4.1.8 Setting up an SAP JCo Trace
For information about how to set up an SAP JCo trace, see the following sections in the SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide:
Setting up an SAP Java Connector (SAP JCo) and Related Traces
Restricting the CPIC or JRFC Trace to a Specific Pass
4.1.9 Viewing the logs from the Identity Management User Interface
The Identity Management User Interface runs on SAP NetWeaver AS Java. The logs are managed in AS Java's logging framework. The log category is identified with:
/System/Security/IDM
For information about how to set log levels and other details about log configuration, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.
4.1.10 Viewing the traces from the Identity Management User Interface
The Identity Management User Interface runs on SAP NetWeaver AS Java. The traces are managed in AS Java's logging framework. The traces are identified with:
com.sap.idm.jmx
For information about how to set log levels and other details about log configuration, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.
4.1.11 Using the System diagnostics report for problem analysis
You can get an overview of the Identity Management database by using the SAP NetWeaver
Identity Management Configuration Analyzer for a system diagnostics report.
The SAP NetWeaver Identity Management Configuration Analyzer analyzes and gathers the
information about an existing configuration, and detects and reports potential configuration issues
both related to the migration process and in general.
For more information how to use the Configuration Analyzer, see: SAP NetWeaver Identity
Management: Using the Configuration Analyzer.
4.1.12 Providing access to the configuration for problem analysis
In some cases it may be necessary or useful to provide access to the Identity Management
configuration for problem analysis. This can be done by using the export feature of the Transport
utility.
The Identity Management Administration User Interface must be available on the
system.
1. If necessary, provide access to the Export feature to the user who is going to perform the
export. See the document SAP NetWeaver Identity Management Implementation guide
Transport for details.
2. Perform an export and store the file in the file system. This file will contain the Identity Center
configuration. If the Virtual Directory Server configuration is part of the transport into this
system, that configuration will also be included in the exported file. If not, it can be included by
uploading the configuration to the Identity Center database as described in the document SAP
NetWeaver Identity Management Implementation guide Transport.
3. This file can then be imported to an empty system for inspection.
4.2 Monitoring of the Virtual Directory Server
4.2.1 Viewing the logs on SAP NetWeaver AS Java
When deploying a configuration on SAP NetWeaver AS Java, the logs are managed in AS Java's logging framework. The log category is identified with:
/Applications/VirtualDirectoryServer
For more information, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.
4.2.2 Viewing the traces on SAP NetWeaver AS Java
When deploying a configuration on SAP NetWeaver AS Java, the traces are managed in AS Java's logging framework. The trace location is identified with:
com.sap.idm.vds.<LogType>
where <LogType> is one of:
oper   Operation log
audit  Audit log
stat   Statistics
For more information, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.
4.2.3 Viewing the logs when running in standalone mode
The default location for the logs is <work area>\logs. The files are called operation.trc, operation.log, audit.trc and stat.trc. You can specify different locations for the log files with the <PATH> in the standalonelog.prop file.
The <PATH> is the complete path, including the file name. Make sure you use two backslashes (\\) in the path, for instance c:\\temp\\operation.trc. You can also use single forward slashes as on Unix, for instance c:/temp/operation.trc.
4.2.4 Verifying that the server is available
You can verify the availability of the server both when it is running in standalone service mode on Microsoft Windows and when it is deployed on SAP NetWeaver AS Java.
When running in standalone mode, you use "Services" in the Control Panel to see the status of the service. The service is identified with the service name you specified for the configuration.
When deploying a configuration on SAP NetWeaver AS Java, you use the SAP NetWeaver Administrator to verify the availability of the deployed service. The service is identified with sap.com/vds-<application name>, where <application name> is the name you specified when deploying the configuration.
4.3 Monitoring of Identity Management Identity Federation
Identity Federation is an optional component of SAP NetWeaver Identity Management. Operational
information is included in the relevant implementation guides for the two Identity Federation
software units:
SAP NetWeaver Identity Management Identity Provider Implementation Guide
SAP NetWeaver Identity Management Security Token Service Implementation Guide
4.4 Monitoring Performance with Wily Introscope
SAP NetWeaver Identity Management is prepared to be monitored by Wily Introscope. Wily Introscope provides mechanisms to instrument Java code and analyze performance issues.
SAP NetWeaver Identity Management requires the following version of Wily Introscope:
A Wily Introscope Agent version 8.2.3.5 or higher.
Use the following path to download Wily Introscope from the Service Marketplace:
Support Packages and Patches -> SAP SOLUTION MANAGER -> SAP SOLUTION MANAGER 7.0 EHP 1 -> Entry by Component -> Agents for managed systems -> Wily Introscope Agent 8.
Select one of the files:
ISAGENTSTD02_3-10007435.SAR: Patch for Introscope Java Agent 8 SP02 for SAP (Standalone Agent)
ISAGENT02_3-10007435.SCA: Patch for Introscope Java Agent 8 SP02, deployment via SAP SolMgr
For information about Wily Introscope, see the Solution Manager documentation:
Solution Manager 7.0:
http://help.sap.com/solutionmanager70
Application Help -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily
Direct link:
http://help.sap.com/saphelp_em70/helpdata/en/3d/bdd41a171744569b0b39f141d9d2b3/frameset.htm
Solution Manager 7.1:
http://help.sap.com/solutionmanager71
Application Help -> Technical Operations -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily
Direct link:
http://help.sap.com/saphelp_sm71_sp01/helpdata/en/3d/bdd41a171744569b0b39f141d9d2b3/frameset.htm
4.4.1 Monitoring SAP NetWeaver AS Java
The following components of SAP NetWeaver Identity Management are deployed on SAP NetWeaver AS Java and can be monitored as part of the server:
Identity Management User Interface
Security Token Server
Virtual Directory Server (deployed configuration)
To enable instrumentation of SAP NetWeaver AS Java, see the documentation for Wily Introscope.
For each of these components, the classes to be monitored are visible in the Wily Introscope Workstation under the following nodes:
Component                                          Node                                                 Class(es)
Identity Management User Interface                 SAP NW Identity Management|Identity Center           SAP_ITSAM_IDM_Service_Impl_Impl
Security Token Service                             SAP NW Identity Management|Security Token Service    STS
Virtual Directory Server (deployed configuration)  SAP NW Identity Management|Virtual Directory Server  MVDAddOperation
                                                                                                        MVDModifyOperation
                                                                                                        MVDSearchOperation
                                                                                                        MVDNodeSearchOperation
4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory Server (Standalone mode)
To be able to monitor a Virtual Directory Server configuration running in standalone mode, you have to modify the .bat/.sh file that starts the server. This .bat/.sh file is created in the configuration's work area.
To modify this .bat/.sh file you need the following information:
The location of the Wily Introscope Agent (AGENTHOME).
For Java (1.3)/1.4: Create an AutoProbe connector .jar file as described in the document Wily Introscope Version 7.2 Installation Guide for SAP.
An agent name for the configuration (SID_INSTANCE_server0). This name is used to identify the configuration in the Wily Introscope Workstation, so make sure it is unique and meaningful. Note: The agent name has to start with a letter.
The settings for Wily Introscope are added as options to java.exe, depending on which version of Java you are using.
4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4)
Open the .bat/.sh file and add the following Java options:
-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile
-Xbootclasspath/p:<AGENTHOME>/Agent.jar;<AGENTHOME>/connectors/connector.jar
-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>
4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6)
Open the .bat/.sh file and add the following Java options:
-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile
-javaagent:<AGENTHOME>/Agent.jar
-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>
The classes to be monitored are visible in the Wily Introscope Workstation under the following nodes:
Node                                                 Class(es)
SAP NW Identity Management|Virtual Directory Server  MVDAddOperation
                                                     MVDModifyOperation
                                                     MVDSearchOperation
                                                     MVDNodeSearchOperation
Here is a sample .bat file for Java 1.6:
"D:\JDK6\bin\java.exe" -Dcom.wily.introscope.agentProfile=C:\usr\sap\ccms\AGENT\IntroscopeAgent.profile -javaagent:C:\usr\sap\ccms\AGENT\Agent.jar -Dcom.wily.introscope.agent.agentName=StandaloneVDS -cp "C:\usr\SAP\IdM\Virtual Directory Server\lib\mvd.jar;C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar;C:\usr\SAP\IdM\Virtual Directory Server\externals;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdstools.jar;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdsverifier.jar" "-DMX_SERVER_HOME=C:\usr\SAP\IdM\Virtual Directory Server" com.sap.idm.vds.MVDServer "C:\usr\SAP\IdM\Virtual Directory Server\configurations\test1\test1.xml"
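Editing the start script by hand is easy to get wrong (a mistyped option name silently leaves the server uninstrumented). The following Python is an added example, not SAP or CA code: it builds the option set listed in 4.4.2.1 and 4.4.2.2 for the given Java version, enforces the rule above that the agent name starts with a letter, and inserts the options into an existing java command line without adding them twice. Treating every version after 1.6 like 1.5/1.6, and the quoting helper for .bat lines, are assumptions of this example, not statements from the guide.

```python
"""Add the Wily Introscope agent options to a Virtual Directory Server start
command (added example, not SAP/CA code)."""
from typing import List, Sequence


def is_valid_agent_name(agent_name: str) -> bool:
    """The guide requires the agent name to start with a letter; nothing else is checked."""
    return bool(agent_name) and agent_name[0].isalpha()


def introscope_options(java_version: str, agenthome: str, agent_name: str) -> List[str]:
    """Return the three JVM options from the guide, chosen by Java version."""
    if not is_valid_agent_name(agent_name):
        raise ValueError("agent name must start with a letter: %r" % agent_name)
    parts = [int(p) for p in java_version.split(".")[:2]]
    major, minor = (parts + [0])[:2]
    profile = f"-Dcom.wily.introscope.agentProfile={agenthome}/IntroscopeAgent.profile"
    name = f"-Dcom.wily.introscope.agent.agentName={agent_name}"
    if (major, minor) <= (1, 4):
        # Java 1.3/1.4: bootclasspath with the AutoProbe connector jar (4.4.2.1)
        loader = f"-Xbootclasspath/p:{agenthome}/Agent.jar;{agenthome}/connectors/connector.jar"
    else:
        # Java 1.5/1.6 (4.4.2.2); later versions handled the same way (assumption)
        loader = f"-javaagent:{agenthome}/Agent.jar"
    return [profile, loader, name]


def instrument(argv: Sequence[str], java_version: str, agenthome: str, agent_name: str) -> List[str]:
    """Insert the options right after the java executable (argv[0]).

    Idempotent: if an agentProfile option is already present the command is
    returned unchanged, so running this twice does not double the options.
    """
    if any(a.startswith("-Dcom.wily.introscope.agentProfile=") for a in argv):
        return list(argv)
    return [argv[0], *introscope_options(java_version, agenthome, agent_name), *argv[1:]]


def to_bat_line(argv: Sequence[str]) -> str:
    """Render the arguments as one .bat line, quoting arguments that contain spaces
    (as the sample above does for the classpath and -DMX_SERVER_HOME)."""
    return " ".join(f'"{a}"' if " " in a else a for a in argv)


if __name__ == "__main__":
    # Constructed command, not a real installation path
    cmd = ["D:/JDK6/bin/java.exe", "-cp",
           "C:/usr/SAP/IdM/Virtual Directory Server/lib/mvd.jar",
           "com.sap.idm.vds.MVDServer", "test1.xml"]
    print(to_bat_line(instrument(cmd, "1.6", "C:/usr/sap/ccms/AGENT", "StandaloneVDS")))
```

Use the output to replace the java line in the generated .bat/.sh file; the -DMX_SERVER_HOME, -cp and configuration arguments of the original command are left exactly as they were.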
4.4.3 Troubleshooting
If you encounter problems during the configuration of Wily Introscope, please see the document
Troubleshooting Guide Wily Introscope.
4.5 Configuring and Viewing the Entry Trace
You can enable tracing to help debug and troubleshoot specific situations. With tracing enabled,
you can follow all operations performed on a specific entry. The trace is available on the "Trace"
tab in the Identity Management Administration User Interface, provided that the logged-in user has
the privilege MX_PRIV:WD:TAB_TRACE. How you configure access to the "Trace" tab is
described in the document SAP NetWeaver Identity Management Identity Center: Installing and
configuring the Identity Management User Interface.
The following components will add entries to the trace log:
Component            Information
Database procedures  Modifying attribute values
                     Executing event tasks
Dispatcher           Evaluating switch tasks
                     Evaluating conditional tasks
Runtime Engine       Executing a job on the entry
                     Messages written with uInfo, uWarning and uError
Note: The Windows Runtime Engine does not write to the trace log.
4.5.1 Configuring the Entry Trace
To configure the entry trace:
1. Open the Identity Management Administration User Interface and select the "Trace" tab.
2. If you want to include trace information from the Runtime Components, select "Enable trace
from Runtime Components".
Enabling trace from the Runtime Components may affect the performance of the
system.
There may be a delay in the logging from the Runtime Components, as logging
starts with the next reload of the dispatcher and the next restart of the runtime
engine.
3. Enter the MSKEY or <MSKEYVALUE> for the entry you want to trace.
4. Choose "Save".
The entry to trace is stored in the global constant MX_TRACE_ENTRY while the global constant
MX_TRACE_RT is set to TRUE if you select "Enable trace from Runtime Components".
4.5.2 Viewing the Trace Log
The "Trace log" table shows the contents of the entries in the trace log. The table contains all log
entries since the log was last reset. The table contains the following columns:
Column       Description
Entry        The trace log may contain the trace for more than one entry. The "Entry" column shows the ID/name of the entry being traced.
Trace time   The time when the log entry was added.
Component    Which component/process added the log entry.
Event        Which event triggered the log entry.
Attribute    The affected attribute (if any).
Value        The new value (if any).
Change type  The type of operation: Add/Modify, Delete case sensitive or Delete case insensitive.
Message      A free text added by the component.
You can save the trace log as a CSV file by selecting "Download trace (as CSV)".
The trace log is not automatically reset, so you have to choose "Clear trace" to clear the trace log.
4.5.3 Reading the Trace Log
The trace log is stored in the database table mc_trace_data and can be accessed with the view
idmv_trace_data. You can create a job in the Management Console with for instance a To ASCII
file pass that has this view as "Source" and where you can specify an SQL query that selects the
entries you want to include.
4.6 Analyzing Statement Execution
A configuration of an Identity Management solution normally contains a number of SQL statements,
for instance:
As definition of a source of a pass
Access control on tasks
Conditional and switch tasks
Using the internal function uSelect
There are some recommendations when writing SQL queries as part of the configuration, for
instance:
Using the indexed column searchvalue instead of avalue in SQL queries
On Microsoft SQL Server, use WITH (NOLOCK) when applicable
The Configuration Analyzer does some semantic analysis of the statements, but that can only be
compared to a list of known issues, and may not be complete for a given configuration.
To help analyze the performance of the queries, it is possible to log all SQL statements that take
longer than a predefined time to execute.
If the system starts slowing down, there will be an increasing number of log entries
in the statement execution log.
Some queries that are logged may come from frameworks or stored procedures
that are part of the product, and thus cannot be changed by the customer. Please
report such incidents through CSS.
4.6.1 Enabling the Statement Execution Analysis
The statement execution analysis is available on the "Statement Execution" tab in the Identity
Management Administration User Interface, provided that the logged-in user has the privilege
MX_PRIV:WD:TAB_THRESHOLD. How you configure access to the "Statement Execution" tab is
described in the document SAP NetWeaver Identity Management Identity Center: Installing and
configuring the Identity Management User Interface.
To enable the statement execution:
1. Open the Identity Management Administration User Interface and select the "Statement
Execution" tab.
2. Select "Enable threshold" and enter the number of milliseconds that should be used as
threshold. All queries taking longer than the specified value are logged.
3. Choose "Save".
The threshold value is stored in the global constant MX_LOG_EXEC_THRESHOLD.
4.6.2 Viewing the Log
The "Log" table shows all SQL queries that take longer than the specified threshold. The table
contains all log entries since the log was last reset.
The table contains the following columns:
Column          Description
Component       Which component/process added the log entry.
Start time      The time the query was started.
Statement       The SQL statement being executed.
Execution time  Time (in ms) to execute the statement.
Entry           The entry being processed (if relevant).
Task ID/Task    Task which was executed (if relevant).
Job ID/Job      Job which was executed (if relevant).
Per default, the table is sorted descending by "Execution time", but you can sort on any column.
Use the information in the log to identify statements and analyze them to see if performance can be
improved.
You can search the contents of the log by entering a search criterion and choosing "Search". This is a free text search in the columns "Component", "Statement", "Entry", "Task ID", "Task", "Job ID" and "Job".
The table shows only the 500 first log entries. To see the complete log, you can save the log as a
CSV file by selecting "Download (as CSV)".
The statement execution log is not automatically reset, so you have to choose "Reset log" to clear
the log.
4.6.3 Reading the Log
The statement execution log can be accessed with the view idmv_exec_stat. You can create a job
in the Management Console with for instance a To ASCII file pass that has this view as "Source"
and where you can specify an SQL query that selects the entries you want to include.
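The two recommendations at the start of section 4.6 (prefer the indexed searchvalue column over avalue; on Microsoft SQL Server use WITH (NOLOCK) where applicable) can be checked mechanically against the log exported with "Download (as CSV)" in 4.6.2, which also gets around the 500-entry limit of the tab. The following Python is an added example, not SAP code: the CSV column names are assumed to match the "Log" table above, the sample rows are constructed, and the two findings are heuristics for those two recommendations, not the Configuration Analyzer's own checks.

```python
"""Review an exported statement execution log (added example, not SAP code).

Lists statements slower than a threshold, slowest first, and flags two of the
known issues named in this section. CSV layout and sample rows are assumed.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample export (not real data). Columns as in the "Log" table.
SAMPLE_CSV = """\
Component,Start time,Statement,Execution time,Entry,Task ID,Task,Job ID,Job
Dispatcher,2014-07-01 10:00:01,SELECT mskey FROM idmv_value_basic WHERE attrname='MX_ENTRYTYPE' AND avalue='MX_PERSON',1850,,12,Check type,,
Runtime Engine,2014-07-01 10:00:05,SELECT mskey FROM idmv_value_basic WITH (NOLOCK) WHERE attrname='MSKEYVALUE' AND searchvalue='JSMITH',95,10042,,,7,Sync AD users
Dispatcher,2014-07-01 10:00:07,SELECT COUNT(*) FROM idmv_value_basic WHERE mskey=10042,640,,12,Check type,,
"""

NOLOCK_RE = re.compile(r"\bWITH\s*\(\s*NOLOCK\s*\)", re.IGNORECASE)


def parse_log(text: str) -> List[Dict]:
    """Read the CSV export; 'Execution time' becomes an int (milliseconds)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Execution time"] = int(row["Execution time"])
    return rows


def where_clause(statement: str) -> str:
    """Everything after the first WHERE (empty if the statement has none)."""
    m = re.search(r"\bWHERE\b", statement, re.IGNORECASE)
    return statement[m.end():] if m else ""


def findings_for(statement: str, mssql: bool = True) -> List[str]:
    """Apply the two recommendations from this section to one statement."""
    found = []
    where = where_clause(statement)
    # Filtering on avalue without searchvalue bypasses the index on searchvalue.
    if re.search(r"\bavalue\b", where, re.I) and not re.search(r"\bsearchvalue\b", where, re.I):
        found.append("filters on avalue: use the indexed searchvalue column")
    # On Microsoft SQL Server a plain SELECT should normally use WITH (NOLOCK).
    if mssql and statement.lstrip().upper().startswith("SELECT") and not NOLOCK_RE.search(statement):
        found.append("SELECT without WITH (NOLOCK)")
    return found


def review(rows: List[Dict], threshold_ms: int, mssql: bool = True) -> List[Dict]:
    """Rows slower than threshold_ms, sorted like the tab (slowest first), with findings."""
    slow = [r for r in rows if r["Execution time"] > threshold_ms]
    slow.sort(key=lambda r: r["Execution time"], reverse=True)
    return [
        {
            "component": r["Component"],
            "ms": r["Execution time"],
            "origin": r["Task"] or r["Job"],
            "statement": r["Statement"],
            "findings": findings_for(r["Statement"], mssql),
        }
        for r in slow
    ]


if __name__ == "__main__":
    for item in review(parse_log(SAMPLE_CSV), threshold_ms=500):
        print(f'{item["ms"]:6d} ms  {item["component"]:<15} {item["statement"]}')
        for finding in item["findings"]:
            print("           -> " + finding)
```

Statements that are flagged but come from the product's own frameworks or stored procedures cannot be changed in the configuration; as the note above says, those go to SAP through CSS rather than into the Management Console.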
5 Management of SAP NetWeaver Identity Management
SAP provides you with an infrastructure to help your technical support consultants and system
administrators effectively manage all SAP components and complete all tasks related to technical
administration and operation.
You can find more information about the underlying technology in the Technical Operations Manual
in the SAP Library under SAP NetWeaver.
5.1 Starting and Stopping
5.1.1 Starting and stopping the Identity Center
The Identity Management User Interface is deployed on SAP NetWeaver AS Java. The service is controlled from there.
The processing of jobs and tasks in the Identity Center is controlled by the dispatchers and the
event services. You can start and stop any or all of these services.
If the Management Console is installed on the same server as the dispatcher/event service, the
dispatcher can be started and stopped from the dispatcher properties.
You can start and stop a dispatcher from the command line with the following commands:
dispatcher_service_<dispatcher name> start
dispatcher_service_<dispatcher name> stop
The stop command stops the dispatcher, but any running jobs complete their processing first.
5.1.2 Starting and stopping the Virtual Directory Server
A Virtual Directory Server configuration can either be deployed as a web service on SAP NetWeaver AS Java or be run locally as an LDAP server.
When deployed locally, the server is started and stopped from the Virtual Directory Server user interface.
When deployed on SAP NetWeaver AS Java, the service is controlled by SAP NetWeaver AS Java.
5.2 Software Configuration
5.2.1 Software Configuration Identity Center
The Identity Center configuration is managed through the Management Console. Additionally,
some configuration parameters are available through the Identity Management Administration User
Interface, for instance in a production environment where the Management Console is not
available. See section 5.6.9 for details.
5.2.2 Software Configuration Virtual Directory Server
You use the Virtual Directory Server user interface to create and maintain the configurations.
If a configuration is uploaded to an Identity Center database for transport, global constants are
available through the Identity Management Administration User Interface, for instance in a
production environment where the Virtual Directory Server user interface is not available. See
section 5.6.9 for details.
5.3 Administration Tools
See Section 4 on page 54.
5.4 Backup and Restore
You need to back up your system landscape regularly to ensure that you can restore and recover it
in case of failure.
The backup and restore strategy for your system landscape should not only consider SAP systems but should also be embedded in overall business requirements and incorporate your company's entire process flow.
In addition, the backup and restore strategy must cover disaster recovery processes, such as the
loss of a data center through fire. It is most important in this context that you ensure that backup
devices are not lost together with normal data storage (separation of storage locations).
5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server)
This section describes how to back up and restore your Identity Center database on Microsoft SQL
Server.
You always back up and restore a complete Identity Center database.
5.4.1.1 Backing up a database
Back up the database using the normal database procedures. See the database documentation for
details.
5.4.1.2 Restoring a database
Install the database schema for the database, as described in SAP NetWeaver Identity
Management Identity Center: Installing the database (Microsoft SQL Server).
Restore the database, using the Microsoft SQL Server database utility for restoring a backup.
Select the overwrite option to overwrite the newly installed database. See the database
documentation for details.
Make sure there are no conflicts with the database prefixes, as the backup will
always restore a database with the same prefix as the one that was backed up.
In most cases, the database user/login mapping will not be correct after this restore. The exception
is if the restore is done to the same database installation from which the backup was taken, in
which case the internal user IDs will be the same as on the backup. If you are unable to connect to
the database from the Management Console, you need to re-establish this mapping.
Restoring the user/login mappings
Restore the user/login mappings according to the table below:

SQL Server login    Database user       Database roles
<prefix>_oper       <prefix>_oper       db_owner/dbo
<prefix>_admin      <prefix>_admin_u    <prefix>_admin_role, <prefix>_delta_rw_role
<prefix>_rt         <prefix>_rt_u       <prefix>_rt_role, <prefix>_delta_rw_role
<prefix>_prov       <prefix>_prov_u     <prefix>_prov_role, <prefix>_transport_role
<prefix>_user       <prefix>_user_u     <prefix>_user_role, <prefix>_delta_r_role
Recreate each of the mappings using SQL statements. Log in as sa and run the following:

use <prefix>_db
ALTER USER <prefix>_oper_u WITH LOGIN = <prefix>_oper
ALTER USER <prefix>_admin_u WITH LOGIN = <prefix>_admin
ALTER USER <prefix>_rt_u WITH LOGIN = <prefix>_rt
ALTER USER <prefix>_prov_u WITH LOGIN = <prefix>_prov
ALTER USER <prefix>_user_u WITH LOGIN = <prefix>_user
GO
For more information, see the documentation of the Microsoft SQL Server Management Studio.
When all users are connected to the logins, run the script mxmc_update.cmd to set the access
control on all the stored procedures. The database should now be available.
Verify that you are able to connect to the restored database with the Management Console and the
Identity Management User Interface.
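The following T-SQL is added here as an example and is not taken from the SAP guide. It lists the database users in the restored database that have no matching SQL Server login (the broken user/login mappings described above), so you can see which mappings must be recreated and confirm afterwards that the ALTER USER statements took effect. It assumes the database prefix mxmc, a database named mxmc_db and that it is run as sa; the views sys.database_principals, sys.server_principals and sys.database_role_members are standard SQL Server catalog views.

```sql
-- Added check, not part of the SAP guide: find database users in the restored
-- Identity Center database whose SID no longer matches a server login
-- ("orphaned users"). Run as sa after the restore, before and again after the
-- ALTER USER statements. Assumes the database prefix "mxmc"; replace as needed.
USE mxmc_db;
GO

-- After a restore to a different SQL Server instance, the Identity Center
-- users from the mapping table appear here with an empty LoginName.
-- After ALTER USER ... WITH LOGIN the query must return no rows.
SELECT dp.name      AS DatabaseUser,
       dp.type_desc AS UserType,
       sp.name      AS LoginName        -- NULL means the user is orphaned
FROM   sys.database_principals AS dp
       LEFT JOIN sys.server_principals AS sp
              ON dp.sid = sp.sid
WHERE  dp.type IN ('S', 'U')             -- SQL users and Windows users
  AND  dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND  sp.sid IS NULL
ORDER  BY dp.name;
GO

-- Re-map one orphaned user (the same statement the guide uses for all five).
-- It only succeeds if the login exists on this instance, so check that first
-- instead of failing half-way through a script.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'mxmc_oper')
    ALTER USER mxmc_oper_u WITH LOGIN = mxmc_oper;
ELSE
    PRINT 'Login mxmc_oper does not exist on this instance - create it first';
GO

-- Role membership is stored inside the database and therefore comes back with
-- the restore; this lists it so you can compare against the mapping table.
SELECT r.name AS RoleName,
       m.name AS MemberName
FROM   sys.database_role_members AS rm
       JOIN sys.database_principals AS r ON rm.role_principal_id   = r.principal_id
       JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE  m.name LIKE 'mxmc[_]%'            -- [_] matches a literal underscore
ORDER  BY r.name, m.name;
GO
```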
5.4.2 Backing up and restoring an Identity Center database (Oracle)
This section describes how to back up and restore your Identity Center database on Oracle.
You always back up and restore a complete Identity Center database.
5.4.2.1 Backing up a database
Back up the database using the normal database procedures. See the database documentation for
details.
In the Oracle database, the following object types in the schema of the MXMC_OPER user must be backed up:
Function
Index
Package
Package body
Procedure
Sequence
Synonym: MXMC_PROV, MXMC_ADMIN, MXMC_RT and MXMC_USER
Table
Trigger
View
The following objects must be backed up from Security:
USERS
MXMC_ADMIN
MXMC_OPER
MXMC_PROV
MXMC_RT
MXMC_USER
ROLES
MXMC_ADMIN_ROLE
MXMC_DELTA_R_ROLE
MXMC_DELTA_RW_ROLE
MXMC_PROV_ROLE
MXMC_RT_ROLE
MXMC_TRANSPORT_ROLE
MXMC_USER_ROLE
5.4.2.2 Restoring a database
Restore the database using the normal database procedures. See the database documentation for
details.
5.4.3 Backing up and restoring an Identity Center database (IBM DB2)
This section describes how to back up and restore your Identity Center database on IBM DB2.
You always back up and restore a complete Identity Center database.
Back up and restore the database using the normal database procedures. For details, see the
Database Administration Guide SAP on IBM DB2 for Linux, UNIX, and Windows
(http://service.sap.com/instguidesNW73 -> Operations -> Database-Specific Guides ->
SAP DBA Guide: IBM DB2 for LUW (Version 1.40)),
http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000735502&_OBJECT=011000358700001449002009E.
5.4.4 Backing up and restoring a Virtual Directory Server configuration
If you use version control and store the configuration file in a database, this database can be
backed up using the normal database procedures.
If the configuration is stored in an .XML file, use a file backup tool to back up the configuration
file(s).
5.5 Application Copy
How you move a configuration from a test to a production environment is described in the
document SAP NetWeaver Identity Management Identity Center Implementation Guide Transport.
5.6 Periodic Tasks
There are no specific periodic tasks for the Virtual Directory Server apart from what may be defined
for the SAP NetWeaver AS Java where the service is deployed.
Some housekeeping tasks for the Identity Center are defined as scheduled procedures. See
Configuring the scheduled procedures for housekeeping in the help file for the Identity Center
Management Console for more information.
The following manual periodic tasks are defined for each of the Identity Centers.
5.6.1 Manual tasks for the Identity Center
Task                                            Tool(s) supporting this task       Recommended frequency   Detailed description
Verify that all services are running            Monitoring tab / User interface    Daily                   Select "Dispatcher Status" to see that all dispatchers are running as expected.
Check logs for failed jobs                      Monitoring tab / User interface    Daily                   Select "Job Status" to verify that no jobs are in error state.
Clean up the audit information                  Database management tool           Weekly                  See section 5.6.3.
Clean up the table job_execution                Database management tool           Weekly                  See section 5.6.4.
Clean up the table AuditTrail                   Database management tool           Weekly                  See section 5.6.5.
Clean up historic values in the identity store  Database management tool           Monthly                 See section 5.6.6.
Rebuild database indexes                        Database management tool           Monthly                 See section 5.6.7.
5.6.2 Manual tasks for Transport/Configuration Management
Task                                          Tool(s) supporting this task                                      Recommended frequency   Detailed description
View changes to the configuration             Configuration History tab / User interface                        On demand               See section 5.6.8.
Change global or repository constants         System Parameters tab / User interface                            On demand               See section 5.6.9.
Add a repository to the productive landscape  Management Console (in development landscape), Transport Utility  On demand               See section 5.6.9.1.
5.6.3 Cleaning up the audit information
The audit tables are used by the provisioning functionality to audit every provisioning request and
its status. This table also links provisioning tasks together where sub-tasks are typically started by
means of OnOk, OnFail, OnChainOK or OnChainFail.
Remove the entries older than a specific audit ID.
To remove entries with audit ID < 1000000, do as follows:

delete from mxi_link_audit where mcAuditID < 1000000 and mcAuditID <> -1
delete from MXP_Audit_Variables where auditID < 1000000
delete from MXP_Ext_Audit where aud_ref < 1000000
delete from mxp_audit where auditid < 1000000

The tables MXP_Audit_Variables and MXP_Ext_Audit have audit ID columns referring to
MXP_Audit.auditid, so the entries in these tables must be deleted before cleaning up the mxp_audit
table.
5.6.4 Cleaning up the table job_execution
The job_execution table belongs to the delta functionality. Every time a job runs with the delta
functionality turned on, a new entry is inserted into this table containing the date/time and key
information about how many entries were added, modified, deleted, failed or not changed.
Remove the entries older than a defined date.
5.6.5 Cleaning up the table AuditTrail
The AuditTrail table belongs to the delta functionality and keeps an audit of changes, either on entry
level or on attribute level. If Audit is not turned on, this table will be empty and not filled.
If Audit is turned on, new records are added when entries are added, modified or deleted. In the
Management Console, a maximum number of entries to keep in this audit table can be set.
If delta is being used, every execution of a job pass is added to this table.
Remove the entries older than a defined date.
5.6.6 Cleaning up historic values in the identity store
Any attributes and entries within the identity store which are modified or deleted will be stored in the
historic values. This information is held in the table mxi_old_values. There is a configuration
parameter on each attribute, which indicates for how many revisions or for how long this
information is to be kept. The default value is to keep historic values for 30 days. This information is
stored either in mxi_attributes.SaveDays or in mxi_attributes.SaveCopies.
If you want to keep the historic values for a long time, the mxi_old_values table may grow very
large. There is no automatic moving of historic data to offline storage.
Since historic data is stored in a separate table, it is quite simple to implement a job which moves
this information to an offline storage, by moving entries from mxi_old_values to another database
or external storage. The attribute mxi_old_values.ModifyTime holds the date/time when the
attribute was last modified, and can be used for selecting the oldest entries to move.
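As an added example (not part of the SAP guide), the following T-SQL moves historic values older than a retention period from mxi_old_values to an archive table in a separate database, in the way the paragraph above describes. The archive database IDM_ARCHIVE, the 365-day retention period, the mxmc prefix and the archive table name are assumptions; the only source column it relies on is mxi_old_values.ModifyTime, and all other columns are copied unchanged.

```sql
-- Added example, not part of the SAP guide: move historic values older than a
-- cut-off from mxi_old_values to an archive table in another database.
-- Written for Microsoft SQL Server 2012 or later (uses THROW and CONCAT).
-- Assumptions: database prefix "mxmc", archive database "IDM_ARCHIVE",
-- retention of 365 days. Only ModifyTime is taken from the guide; the archive
-- table mirrors the source structure via SELECT ... INTO, so no other column
-- names are needed.
USE mxmc_db;
GO

DECLARE @cutoff DATETIME = DATEADD(DAY, -365, GETDATE());
DECLARE @moved  INT;

-- First run only: create the archive table as an empty structural copy.
IF OBJECT_ID('IDM_ARCHIVE.dbo.mxi_old_values_archive', 'U') IS NULL
    SELECT * INTO IDM_ARCHIVE.dbo.mxi_old_values_archive
    FROM   mxi_old_values WHERE 1 = 0;

BEGIN TRY
    BEGIN TRANSACTION;

    -- Copy first, delete second, and only within one transaction: a row
    -- written between the two statements must not be lost or duplicated.
    -- HOLDLOCK keeps the selected range stable until commit.
    INSERT INTO IDM_ARCHIVE.dbo.mxi_old_values_archive
    SELECT * FROM mxi_old_values WITH (HOLDLOCK)
    WHERE  ModifyTime < @cutoff;
    SET @moved = @@ROWCOUNT;

    DELETE FROM mxi_old_values
    WHERE  ModifyTime < @cutoff;

    -- The number of deleted rows must equal the number archived, otherwise
    -- nothing is committed.
    IF @@ROWCOUNT <> @moved
        THROW 50000, 'Row count mismatch between archive copy and delete; rolling back.', 1;

    COMMIT TRANSACTION;
    PRINT CONCAT('Archived ', @moved, ' historic values older than ',
                 CONVERT(VARCHAR(19), @cutoff, 120));
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    THROW;   -- re-raise so the scheduling tool records the failure
END CATCH;
GO
```

Schedule it with the same database management tool used for the other monthly housekeeping tasks, and size the retention period against the SaveDays/SaveCopies settings of the attributes so that values still within their configured retention are never moved.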
5.6.7 Rebuilding database indexes
With heavy usage of the system, the database indexes will become fragmented, which may
decrease performance.
For further information regarding fragmented indexes and rebuilding the indexes, refer to the
documentation for your database system.
5.6.8 Viewing Changes to the Configuration
The overview of changes to the configuration is available in the Identity Management
Administration User Interface, using the http://<host>:<port>/idm/admin URL. If the configuration
has not been transported, only changes to global constants and repository constants are available.
Select the "Configuration History" tab to view the history of changes to the configuration. You can
see details about the following:
Imported configuration files
For imported configuration files, the date and time of the import, the ID of the user that
performed the import, and the same information for the export are displayed. You can also
download the configuration file that was imported.
You can view the import log for each import by selecting the import entry in the list and
choosing the "Import Log" tab in the details area. The columns show the "Severity",
"Message" and "Time" for each log entry of the import.
Changes to global constants
For changes to global constants, the date and time of the change, the ID of the user that
made the change, the name and description of the constant and the old and new values are
displayed.
Changes to repository constants
For changes to repository constants, the date and time of the change, the ID of the user that
made the change, details about the repository (for example, ID, name, type, and
description), the name and description of the constant changed, and the old and new values
are displayed.
For security reasons, the history for encrypted data such as passwords is not saved
for use in this view. You can see that a change was made, but the old values are
not displayed.
5.6.9 Changing Global or Repository Constants
To change global or repository constants in the Identity Management Administration User Interface,
use the same URL as for monitoring or for viewing the configuration history, which is
http://<host>:<port>/idm/admin.
You can change the constants in the Identity Management Administration User
Interface, but you cannot create or delete them. To create global constants or add
repositories to the system, create them in the development or test/QA system using
the Identity Center Management Console and transport them to the (test and)
productive systems. Implement any system-specific jobs that use the repositories or
constants in the development or test/QA system and transport them as well.
1. To make changes to the system parameters, choose the "System Parameters" tab from the
Identity Management Administration User Interface.
2. Select "Global Constants" or "Repositories" to change the corresponding constants.
3. Change the constant values directly in the corresponding table.
You can change the parameters for parameterized constants such as JDBC URLs
by selecting the constant value. The parameters for these constants are then
displayed separately and can be changed.
If a parameterized constant contains a password parameter that is encrypted,
create an encrypted global or repository constant that contains the encrypted value.
Reference the password constant in the parameter value of the URL constant. This
ensures that the password is encrypted and can be changed.
4. Save the data.
5.6.9.1 Modifying Assignment Grouping Repository Constants
If assignment grouping is defined on the repository in the Identity Center Management Console
(see http://help.sap.com/saphelp_nwidmic72/en/mc/dse_repository_privilege.htm), there are two
repository constants that will contain this configuration.
MX_PRIV_GROUPING_RULE defines the assignment grouping. The value of the constant
ranges from P:-1 to P:7, corresponding to the grouping rule selected on the repository.
MX_PRIV_GROUPING_ATTRIBUTE contains a reference to the grouping attribute, if any.
When selecting the constant MX_PRIV_GROUPING_RULE, the row will expand to reveal a set of
checkboxes and radio buttons.
The value of the repository constant depends on the configuration you define. For example,
choosing the No Grouping radio button results in a value of P:-1, while choosing the Grouping radio
button can result in a value of P:0.
Select the necessary checkboxes and radio buttons to configure the assignment grouping and to
define the constant's value.
If you select the Separate by Privilege Attribute checkbox, you will be able to select a privilege
attribute for assignment grouping from the dropdown menu.
5.6.10 Adding a Repository to the Productive System
To add a repository to the productive identity management system, you must add the repository in
the development or test/QA system and transport it to the productive system. The overview of the
process is:
1. Using the Management Console on the development or test/QA system:
a. Create the repository.
b. Create any configuration elements that apply to the system, for example, account attributes
used by the provisioning framework for SAP systems.
c. Create the initial load job and any other jobs or tasks that apply to the system.
2. Using the Identity Management Administration User Interface on the development or test
system, export the configuration.
3. Using the Identity Management Administration User Interface on the productive system:
a. Import the configuration.
b. Update the repository definition.
4. Run the initial load job or any other jobs that need to be processed.
For more information on creating repositories, account attributes, and jobs, see the online help.
5.7 Load Balancing
5.7.1 Load Balancing Identity Center
The system landscape XL Production described in the SAP NetWeaver Identity Management
Identity Center Installation overview describes how load balancing is achieved.
5.7.2 Load Balancing Virtual Directory Server
Load balancing is handled by the SAP NetWeaver AS Java where the service is deployed.
5.8 User Management
The Identity Center creates a number of database users as part of the database installation. This is
described in the documents SAP NetWeaver Identity Management Identity Center Installing the
database (Microsoft SQL Server/Oracle).
How to manage users for the Identity Management User Interface is described in the document
SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity
Management User Interface.
How you manage users to access the servers created by the Virtual Directory Server is part of the
configuration of the server.
5.9 Maintaining Message Templates
Message templates are used when sending notifications to users with a Notification task. The
Notification task can be called from an approval task to send messages to the approvers and other
involved parties of the approval process.
Message template editing requires Enhancement Package 1 for SAP NetWeaver
Composition Environment 7.1 and newer.
5.9.1 Initial Configuration
The initial configuration of the message templates is described in the topic Configuring the
notification templates.
The message templates can be viewed and edited in the "Message Templates" tab in the Identity
Management Administration User Interface, provided that the logged-in user has the privilege
MX_PRIV:WD:MSGTEMPLATE:R to be able to view the templates and
MX_PRIV:WD:MSGTEMPLATE:RW to be able to edit them.
How you configure access to the "Message Templates" tab is described in the document SAP
NetWeaver Identity Management Identity Center: Installing and configuring the Identity
Management User Interface.
This description is based on full access to the message templates with the
MX_PRIV:WD:MSGTEMPLATE:RW privilege.
5.9.2 Listing Message Templates
All message templates for approvals belong to the message category MX_APPROVALS. Each
template can exist in several languages.
You can get an overview of the message templates that are available in the system:
1. Open the Identity Management Administration User Interface and select the "Message
Templates" tab.
2. Select a message category. Choose "MX_APPROVALS" to view approval messages. There
may be other categories available.
3. Optionally, enter a search criterion and choose "Search". This will search the template names.
All matching message templates are displayed in the "Available templates" list.
Each template can be in several languages, which are listed in the "Available languages" list.
4. Select a language in the list to display the language-specific subject and contents.
5.9.3 Editing a Message Template
You can modify a language version of a message template in the following way:
1. Select a language in the list and choose "Edit".
2. Fill in the fields in the following way:
Category/Name/Language
Shows the information for the selected template. These fields cannot be changed.
Localized parameters
Select this toggle link to show the list of parameters that can have a specific value for each
language when used in the message template. There are three parameters in the list:
Approved, Declined and Timeout.
The text for "Approved", "Declined" or "Timed out" will be used for the parameter
PAR_REQUESTRESULT in the message template.
Subject
Enter the subject of the message as it will appear in the e-mail.
Format
Choose the format of the template. This can be either "HTML" or "Plain text".
Style sheet
Only available for HTML templates. Select this toggle link to show or hide the style sheet for the
message template.
Contents
Enter the text for the template. Either valid HTML encoding or plain text, depending on the
chosen format.
You can insert parameters in the template by choosing a parameter in the "Attributes" list and
choosing "Append". For a list of available parameters, see section 5.9.3.1.
The parameter will always be added to the end of the text. You have to move it
(cut/paste) manually to the correct position in the text.
3. You can preview HTML messages by choosing "Preview".
4. Choose "Save".
If you have chosen HTML as format for the message template, illegal HTML tags
(like applet, form or script) will be automatically encoded and illegal event attributes
(like onload or onselect) will be removed.
5.9.3.1 Available Parameters
You can include information from the request in the message using the list of parameters.
If the <parameter> is not found, the name of the parameter is displayed in the notification message.
If the value of a <parameter> is not found, it is displayed as an empty string (no value) in the
message.
<parameter> can have one of the following values:
Parameter                   Description
APPROVALURL                 Direct access to the approval on the To Do tab. The URL will be of the form
                            %$GLB.MX_GUI_URL_PREFIX%/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/ProcessApproval?RequestID=<request id>.
                            The global constant MX_GUI_URL_PREFIX is imported with the notification task and must
                            be modified for each system.
                            The approval will be available for the logged-in user if he is defined as approver for
                            this request. Otherwise, the approval request will not be displayed.
AUDITID                     AuditID of the approval task.
CHARSET                     Charset encoding given by the parameter "CHARENC" in the template list file
                            AssignmentNotificationsList.txt.
DATEASSIGNED                The date the assignment was done, in ISO 8601 format.
DELEGATEDFROMDISPLAYNAME    The display name of the user that has delegated (forwarded) the approval.
LASTAPPROVERDISPLAYNAME     The display name of the last user to approve the request.
REASON                      The reason provided by the approver.
RECIPIENTSDISPLAYNAME       Display name (or MSKEYVALUE) of the recipient of the e-mail.
RECIPIENTSSALUTATION        Salutation retrieved from the MX_SALUTATION attribute for the recipient of the
                            e-mail. If the attribute is not found, it is omitted.
REQUESTINGUSERDISPLAYNAME   Display name of the user that requested the assignment. For self-service this will
                            be the same as the TARGETUSERDISPLAYNAME.
REQUESTREASON               The reason provided when requesting the assignment.
REQUESTRESULT               Based on the value of REQUESTSTATUS, the corresponding value for the parameters
                            given in the template list file AssignmentNotificationsList.txt is used. If the
                            parameters are not added in this file, the default values "Approved" and "Declined"
                            are used.
REQUESTSTATUS               The status of the approval:
                            0: Declined
                            1: Approved
                            2: Timed out
SYSTEMURL                   The URL to the Identity Management User Interface as specified in the notification
                            task.
TARGETUSERDISPLAYNAME       Display name of the user that is getting the assignment.
TARGETUSERMSKEY             The MSKEY of the user who is getting the assignment.
TARGETROLEDISPLAYNAME       Display name of the role or privilege being assigned.
TARGETCONTEXTDISPLAYNAME    Display name of the context given for the assignment.
VALIDFROM                   "Valid from" date specified for the assignment.
VALIDTO                     "Valid to" date specified for the assignment.
5.9.4 Adding a Language Version of a Message Template
You can add a language version of a message template. The template will be based on the primary
language for the message template.
1. Select the message template in the "Available templates" list.
2. Choose "Add language". The "Add language to template" form is displayed. Fill in the fields in
the following way:
Template category
Shows the category for the message template. The category cannot be changed.
Language
When you click the field, the "Extended Value Selector" is displayed. Select the language for
the message template.
Template
Shows the name of the template and cannot be changed.
Language specific content
Fill in the fields in the same way as when modifying a template. See section 5.9.3.
5.9.5 Removing a Language Version of a Message Template
To remove language versions that are no longer needed:
1. Select one or more languages in the "Available languages" list.
2. Choose "Delete language".
3. Confirm that you want to remove the language versions.
If you remove all language versions of a template, the message template itself is
also deleted.
5.9.6 Creating a Message Template
You can create a message template:
1. Select the "Message Templates" tab.
2. Choose "Create". The "Create template" form is displayed.
3. Fill in the fields in the following way:
Template category
Select a category for the message template. All approval messages are in the category
"MX_APPROVALS".
Language
When you click the field, the "Extended Value Selector" is displayed. Select the language for
the message template.
Template
Enter a name for the template.
Template name supports only standard ASCII characters.
Language specific content
Fill in the fields in the same way as when modifying a template. See section 5.9.3.
4. Choose "Save" to save the message template.
5.9.7 Removing a Message Template
You can remove a message template, including all language versions:
1. Select one or more templates in the "Available templates" list.
2. Choose "Delete template".
3. Confirm that you want to remove the template and all language versions.
5.10 Managing Approvals
Role assignments or other changes to entries in the identity store may require an approval by, for
instance, a manager or role owner. The configuration of the approval task specifies parameters such
as the timeout and escalation of the approval. For more information about approval processing, see
the topic About approval processing in the help file for the Identity Center Management Console.
While waiting for the approver to approve the request, the approval is in pending state. It waits
until the specified timeout expires and is then handled according to the defined timeout rule: it is
either escalated or declined.
If an approval for some reason will not be approved within a reasonable time, for instance if the
approver is absent or unable to perform the approval, a manager or administrator can either decline
or escalate the pending approval.
Pending approvals are managed from the "Approval Management" tab in the Identity Management
Administration User Interface. The logged-in user must have one of the following privileges:
MX_PRIV:APPROVALS:READONLY to be able to view pending approvals
MX_PRIV:APPROVALS:PROCESS to be able to decline or escalate the approval
How you configure access to the "Approval Management" tab is described in the document SAP
NetWeaver Identity Management Identity Center: Installing and configuring the Identity
Management User Interface.
This description is based on full access to the pending approvals with the
MX_PRIV:APPROVALS:PROCESS privilege.
5.10.1 Listing Pending Approvals
You can get an overview of the pending approvals in the system:
1. Open the Identity Management Administration User Interface and select the "Approval
Management" tab.
2. Enter a search criterion in the "Find" field. This is a free-text search in the name of the user
getting the assignment, the name of the role/privilege, the approver and the context.
You can also use the advanced search (see below).
3. Choose "Go".
All approvals matching the search criterion are displayed in the list. The color of the status
indicator shows how many days are left before the approval expires.
4. Select an approval to show more information in the details view below. Select the different tabs
to show all information about the approval.
5.10.2 Finding Approvals Using Advanced Search
If you need to narrow down the search result more than you can by using the basic search, you can
use the advanced search to specify more detailed search criteria:
1. Open the Identity Management Administration User Interface and select the "Approval
Management" tab.
2. Choose "Advanced" to open the advanced search panel.
3. Fill in the fields with the search criteria you want to use.
Approval Type
Select if you want to include all approvals, or only assignment or basic approvals.
Date
Enter a date range. This will find all approvals that have been changed within the period.
Consignee
Choose to the right of the field to open a dialog box where you can find a user you want to
find approvals for. You can only find approvals for one specific user.
Approver
Choose to the right of the field to open a dialog box where you can find an approver you
want to see approvals for. You can only find approvals for one specific approver.
Assigner
Choose to the right of the field to open a dialog box where you can find an assigner you
want to find approvals for. You can only find approvals for one specific assigner.
Context
Choose to the right of the field to open a dialog box where you can find a specific context to
use as search criterion. You can only find approvals for one specific context.
Assignment
Choose to the right of the field to open a dialog box where you can search for the role or
privilege whose assignment is requested. You can only search for approvals for one specific role or
privilege.
4. Choose "Go".
5.10.3 Declining a Pending Approval
Provided that you have the necessary privilege, you can decline a pending approval:
1. Find the approval you want to decline either with basic or advanced search.
2. Select the approval in the list.
3. Choose "Decline".
4. Optionally, enter a reason why you are declining the approval.
5. Choose "Confirm" to complete the process.
When viewing the assignment details, you will see that the assignment request was declined.
5.10.4 Escalating a Pending Approval
Provided that you have the necessary privilege, you can escalate a pending approval. In this case,
the timeout rule of the given approval task is used, so the outcome of the escalation depends on
how the approval task is configured. It can either:
Decline the assignment
Escalate to the manager(s) of the approver(s)
Escalate to a new list of approvers
The behavior will be exactly as if the approval had timed out, but will be processed immediately and
not wait for the given timeout.
To escalate the approval:
1. Find the approval you want to escalate either with basic or advanced search.
2. Select the approval in the list.
3. Choose "Escalate".
4. Optionally, enter a reason why you are escalating the approval.
5. Choose "Confirm" to complete the process.
The approval will be processed further according to the configuration of the approval task.
5.10.5 Exporting the Pending Approvals
The list of pending approvals can be exported to a CSV file:
1. Find the approvals either with basic or advanced search.
2. Choose "Export". The "File Download" dialog box appears.
3. Select if you want to open or save the file.
The file is either opened in a text editor or saved in the specified folder in the file system.
6 High Availability
6.1 High Availability for the Identity Center
The system landscape XL Production described in the SAP NetWeaver Identity Management
Identity Center Installation overview describes how to achieve high availability.
6.2 High Availability for the Virtual Directory Server
High availability for the Virtual Directory Server deployed on SAP NetWeaver is achieved through
deploying the configuration on SAP NetWeaver. How to configure SAP NetWeaver for high
availability is described in the documentation for SAP NetWeaver.
6.2.1 High Availability for Standalone Virtual Directory Server
In order to accomplish high availability for a standalone Virtual Directory Server, configure an IP
switch in front of the multiple instances of the Virtual Directory Server (multiple servers) running
with the same configuration. This can be used for instance in the HCM integration scenario.
7 Software Change Management
7.1 Software Change Management
How you transport a configuration from a test to a production environment is described in the
document SAP NetWeaver Identity Management Identity Center Implementation guide Transport.
7.2 Support Packages and Patch Implementation
Support packages and patches can be found in the following location:
http://service.sap.com/sp-stacks -> SP Stack Information -> SAP NetWeaver Identity
Management 7.2.
7.3 Upgrading the Identity Center
This is described in the document SAP NetWeaver Identity Management Identity Center Installation
overview.
7.4 Upgrading the Virtual Directory Server
This is described in the document SAP NetWeaver Identity Management Virtual Directory Server
Installation and initial configuration.
There is no downtime involved in upgrading the software itself. An updated configuration can be
deployed while the service is running. Updating the server software itself (SAP NetWeaver) must
be done according to the documentation for SAP NetWeaver.
8 Troubleshooting
The following problem analysis scenarios are available for SAP NetWeaver Identity Management:
Identity Center: Dispatcher fails to start
Identity Center: Timeout issues
Identity Center: Insufficient dispatcher memory
Identity Center: Codepage <number> not supported by JAVA-environment
Identity Center: Error messages from jobs accessing ABAP systems
Identity Management User Interface: Java runtime exception when logging in
Identity Management User Interface: Error message about missing database columns or procedures
Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"
Virtual Directory Server: Application starts, but later fails with "No driver for database"
Virtual Directory Server: Server doesn't start
Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the
first attempt to contact the database fails
To help in the problem analysis, you can enable entry trace if it is a specific entry
you need to investigate. See section 4.5.
To help in analyzing performance problems, you can enable statement execution to
see which SQL queries take a long time to execute. See section 4.6.
8.1 Identity Center: Dispatcher fails to start
8.1.1 Problem Description
The dispatcher fails to start.
8.1.2 Solution
Run the following command to verify the dispatcher configuration:
Dispatcher_Service_<dispatcher name> test checkconfig
Verify that the dispatcher finds all necessary JDBC drivers.
Run the following command to start the dispatcher in test mode:
Dispatcher_Service_<dispatcher name> test
Check for error messages from the dispatcher in the console window.
For Microsoft Windows:
Increase the log level in the dispatcher property file to get more logging.
Make sure that the JDBC connection string for the runtime engine is correct.
For Unix:
Always use SAP JVM 5.
Make sure all values in the dispatcher.prop file are set correctly.
8.2 Identity Center: Timeout issues
8.2.1 Problem Description
A job fails with an error message indicating there was a timeout problem.
8.2.2 Solution
Increase the Identity Center's timeout values on the "Options" tab of the Identity Center
properties.
If the timeout comes from a directory server, adjust the size limit, time limit or page size in
the properties of the "From LDAP pass".
8.3 Identity Center: Insufficient memory
8.3.1 Problem Description
A job fails with an error message indicating insufficient memory.
8.3.2 Solution
You need to increase the available memory by modifying the .prop file for the dispatcher.
Add a maximum heap size to JAVAOPTIONS, for instance (256 MB is only an example; choose a value suited to the jobs the dispatcher runs):
JAVAOPTIONS=-Xmx256m
Reinstall the dispatcher(s) so that the new options take effect.
If you need to have more than one option in the JAVAOPTIONS string, make sure that MXDISPATCHER_EXECSTRING is set to 1, for instance MXDISPATCHER_EXECSTRING=1.
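The checks in sections 8.1 and 8.3 (does the dispatcher find its JDBC driver JARs, is the connection string a JDBC URL, is -Xmx set, and is MXDISPATCHER_EXECSTRING=1 whenever JAVAOPTIONS carries more than one option) can be run against the .prop file before the dispatcher service is reinstalled. The following Python script is an added example, not part of this guide and not SAP code. JAVAOPTIONS and MXDISPATCHER_EXECSTRING are the keys named above; CLASSPATH and JDBC_URL are assumed key names for the classpath and the runtime engine's connection string, and the sample file content and paths are constructed for the demo.

```python
"""Pre-flight check of a dispatcher .prop file (added example, not SAP code).

JAVAOPTIONS and MXDISPATCHER_EXECSTRING are the keys this guide names.
CLASSPATH and JDBC_URL are assumed key names used only to make the check concrete.
"""
import os
import re

# A JDBC connection string always starts with "jdbc:<subprotocol>:".
JDBC_URL_RE = re.compile(r"^jdbc:[a-z0-9]+:", re.IGNORECASE)

# Constructed sample (not a real SAP file): two JAVAOPTIONS entries but
# MXDISPATCHER_EXECSTRING=0, and a CLASSPATH entry that does not exist.
SAMPLE_PROP = """\
# constructed dispatcher.prop
JAVAOPTIONS=-Xmx256m -Dfile.encoding=UTF-8
MXDISPATCHER_EXECSTRING=0
CLASSPATH=/opt/idm/lib/mxdispatcher.jar:\\
  /opt/idm/lib/exampledb-jdbc.jar
JDBC_URL=jdbc:sqlserver://idmdb.example.internal:1433;databaseName=MXMC_DB
"""
# Constructed stand-in for the file system: only the first JAR "exists".
SAMPLE_EXISTING = {"/opt/idm/lib/mxdispatcher.jar"}


def parse_prop(text):
    """Parse KEY=VALUE lines; '#' or '!' starts a comment; a trailing backslash continues the line."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_dispatcher_props(props, path_exists=os.path.exists, sep=os.pathsep):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    opts = props.get("JAVAOPTIONS", "").split()
    if not any(o.startswith("-Xmx") for o in opts):
        findings.append("JAVAOPTIONS sets no -Xmx; the dispatcher runs with the JVM default heap")
    if len(opts) > 1 and props.get("MXDISPATCHER_EXECSTRING") != "1":
        findings.append("JAVAOPTIONS holds %d options but MXDISPATCHER_EXECSTRING is not 1" % len(opts))
    url = props.get("JDBC_URL", "")
    if not JDBC_URL_RE.match(url):
        findings.append("JDBC_URL is not a JDBC connection string: %r" % url)
    for entry in filter(None, props.get("CLASSPATH", "").split(sep)):
        if not path_exists(entry):
            findings.append("CLASSPATH entry not found: " + entry)
    return findings


def check_prop_file(path):
    """Run the checks against a real .prop file on disk."""
    with open(path, encoding="utf-8") as f:
        return check_dispatcher_props(parse_prop(f.read()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = check_prop_file(sys.argv[1])
    else:
        result = check_dispatcher_props(parse_prop(SAMPLE_PROP),
                                        path_exists=SAMPLE_EXISTING.__contains__, sep=":")
    print("\n".join(result) or "no findings")
```

Run it with the path of the dispatcher's .prop file as the only argument; without an argument it checks the constructed sample, which yields two findings (the MXDISPATCHER_EXECSTRING mismatch and the missing JAR). Path existence is injected so the same logic can be exercised against a recorded inventory instead of the live file system.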
8.4 Identity Center: Codepage <number> not supported by JAVA-environment
8.4.1 Problem Description
This error message appears when running a job with a SELECT statement to a Microsoft SQL
Server database.
8.4.2 Solution
This indicates that the current Java Runtime Environment does not support the server collation of the database. The server collation can be found in Microsoft SQL Server Management Studio: view the "Server Properties" of the database server and select "General". The "Server Collation" property shows the current server collation.
You need to make sure that the extended charset support (lib/charsets.jar) is installed. Depending on which Java Runtime Environment you are using, this is done in different ways.
The recommended Java Runtime Environment is SAP JVM 5, which supports most collations.
If you are using Sun's Java Runtime Environment, you need to make sure that you have lib/charsets.jar installed. For information see http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
This extended encoding set is an installation option when installing the Sun Java Runtime Environment. To install lib/charsets.jar, do the following:
1. Choose Start/Settings/Control Panel/Add and Remove Programs.
2. Select the component Java 2 Runtime Environment.
3. Choose "Change" to start the installation wizard.
4. Run through the wizard and select "Modify".
5. Add "Support for Additional Languages".
6. Complete the wizard.
8.5 Identity Center: Error messages from jobs accessing ABAP systems
8.5.1 Problem Description
A job accessing an ABAP system fails with the error message "Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'". Possible reasons for this are:
No library found (library not referenced in the shared library path)
Wrong library version
Wrong platform (for instance a 32-bit library on a 64-bit JVM)
8.5.2 Solution
Check the path to the JCo native library in the shared library path (for instance LD_LIBRARY_PATH on Unix or PATH on Windows). For more information see the installation documentation for JCo.
8.6 Identity Management User Interface: Java runtime exception when logging in
8.6.1 Problem Description
Users get a Java runtime exception when logging in.
8.6.2 Solution
Verify that all JMX settings are set correctly according to the document SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface.
8.7 Identity Management User Interface: Error message about missing database columns or procedures
8.7.1 Problem Description
Users get error messages about missing database columns or procedures.
8.7.2 Solution
This may be due to a mismatch between the database schema and the user interface. Make sure you have upgraded the database schema to the same version as the User Interface.
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"
8.8.1 Problem Description
The CLASSPATH in the environment appears to be correct, but the CLASSPATH that the Windows service uses is written to the registry only when the service is created. Drivers added to the CLASSPATH after that are therefore not seen by the running service.
8.8.2 Solution
Uninstall and reinstall the service so that the current CLASSPATH is written to the registry again.
8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database"
8.9.1 Problem Description
The error message "No driver for database" appears in the operation log.
8.9.2 Solution
Verify that all necessary database drivers are available. All back-end API JAR files must also be available.
8.10 Virtual Directory Server: Server doesn't start
8.10.1 Problem Description
An error message is displayed in the message pane in the user interface: "Couldn't find class <class name>".
This indicates that a class used by the configuration has not been compiled.
8.10.2 Solution
You can solve this in one of two ways:
Open each of the offending classes and compile from the class editor.
Choose Tools/Options and select "Compile classes on startup". Start the server to
compile the classes. Turn the setting off again afterwards.
Generally, it is recommended to choose Tools/Check config before you start the server.
8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails
8.11.1 Problem Description
A: When testing on a local server, the IP address of the database server in the configuration is typically set to localhost, which no longer points at the database once the configuration runs on another host.
B: The necessary drivers are not transported to the SAP NetWeaver server.
8.11.2 Solution
A: Change the database server address when deploying the configuration on a remote SAP NetWeaver server.
B: Create a \lib folder in the configuration's work area, copy all necessary drivers and JAR files there, and redeploy the configuration.
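Sections 8.8, 8.9 and 8.11 (B) all come down to the same question: is the JDBC driver class actually present in a readable JAR on the classpath the server sees, or in the configuration's \lib folder? The following Python script is an added example, not part of this guide and not SAP code. It expands a classpath string, reports entries that are missing or not valid JARs, finds the JAR that contains a given driver class, and reads the JDBC 4 service file META-INF/services/java.sql.Driver. The driver class com.example.jdbc.Driver, the JAR names and the temporary lib folder are constructed for the demo.

```python
"""Locate the JAR that provides a JDBC driver class (added example, not SAP code).

Mirrors what the Virtual Directory Server needs at startup: every classpath
entry must be a readable JAR and one of them must contain the driver class.
The driver class com.example.jdbc.Driver and all paths are constructed for the demo.
"""
import os
import shutil
import tempfile
import zipfile

DRIVER_SERVICE = "META-INF/services/java.sql.Driver"  # JDBC 4 auto-registration file


def classpath_jars(classpath, sep=os.pathsep):
    """Expand a classpath string: directories contribute their *.jar files; any other
    entry is taken as a JAR path as given (missing ones are kept so they get reported)."""
    jars = []
    for entry in filter(None, classpath.split(sep)):
        if os.path.isdir(entry):
            jars.extend(os.path.join(entry, f) for f in sorted(os.listdir(entry))
                        if f.lower().endswith(".jar"))
        else:
            jars.append(entry)
    return jars


def check_driver(classpath, driver_class, sep=os.pathsep):
    """Return (JARs that contain driver_class, entries that are missing or not valid JARs)."""
    wanted = driver_class.replace(".", "/") + ".class"
    providers, broken = [], []
    for jar in classpath_jars(classpath, sep):
        try:
            with zipfile.ZipFile(jar) as zf:
                if wanted in zf.namelist():
                    providers.append(jar)
        except (OSError, zipfile.BadZipFile):  # missing file, unreadable, or not a zip
            broken.append(jar)
    return providers, broken


def advertised_drivers(jar):
    """Driver classes a JAR registers through META-INF/services/java.sql.Driver, if any."""
    with zipfile.ZipFile(jar) as zf:
        if DRIVER_SERVICE not in zf.namelist():
            return []
        lines = zf.read(DRIVER_SERVICE).decode("utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]


def build_demo_classpath(root):
    """Construct a fake lib folder: one JAR with a dummy driver class, one corrupt JAR,
    plus a classpath entry that does not exist at all."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "exampledb-jdbc.jar"), "w") as zf:
        zf.writestr("com/example/jdbc/Driver.class", b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
        zf.writestr(DRIVER_SERVICE, "com.example.jdbc.Driver\n")
    with open(os.path.join(lib, "broken.jar"), "w") as f:
        f.write("not a zip archive")
    return os.pathsep.join([lib, os.path.join(root, "missing.jar")])


def run_demo():
    """Build the constructed classpath in a temp dir, run the check, return the findings."""
    root = tempfile.mkdtemp()
    try:
        cp = build_demo_classpath(root)
        providers, broken = check_driver(cp, "com.example.jdbc.Driver")
        return {
            "providers": [os.path.basename(p) for p in providers],
            "broken": sorted(os.path.basename(b) for b in broken),
            "advertised": advertised_drivers(providers[0]) if providers else [],
            "unknown_class": check_driver(cp, "com.example.jdbc.NoSuchDriver")[0],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Against a real installation, call check_driver with the CLASSPATH the service was registered with (for a Windows service, the value in the registry, not the current shell's environment, since section 8.8 explains they can differ) and the driver class named in the configuration. An empty providers list with an empty broken list means every JAR is readable but none contains the class, which is the "No driver for database" case of section 8.9; a non-empty broken list points at the transport problem of section 8.11.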
9 Support Desk Management
Support Desk Management enables you to set up an efficient internal support desk for your support
organization that seamlessly integrates your end users, internal support employees, partners, and
SAP Active Global Support specialists with an efficient problem resolution procedure.
For support desk management, you need the methodology, management procedures, and tools
infrastructure to run your internal support organization efficiently.
9.1 Remote Support Setup
SAP support needs to be able to work remotely for highest efficiency and availability. Therefore all required support tools must be remotely accessible for SAP support. SAP uses a remote connection through SAProuter for a specific problem that you log by creating a customer message in the SAP Support Portal.
Information about the setup of remote support connections to SAP, including detailed documentation, is available at http://service.sap.com/access-support.
For information about SAProuter, see SAP Note 486688 and the SAP Notes it refers to for specific settings or parameters that are necessary. SAP Note 812386 provides further assistance.
9.1.1 Defining a support user
Authorizations are described in SAP NetWeaver Identity Management Security Guide, section 5. How you add users for the Identity Management User Interface is described in SAP NetWeaver Identity Management Identity Management User Interface Installation Guide.
To add a support user, assign the following UME action to the user:
idm_monitoring_support: Gives access to the "Monitoring" tab in the Administration User Interface. The idm_monitoring_support action is already part of the standard AS Java support role SAP_JAVA_SUPPORT.
Add the following Identity Center privileges:
MX_PRIV:CONFIG_R: Provides read access to the configuration (repositories and global constants). Also grant the user access to the Administration User Interface at the URL http://<host>:<port>/idm/admin. For information about how to use the Administration User Interface, see sections 5.6.8 and 5.6.9.
MX_PRIV:CONFIG_AUDIT: Provides access to the configuration audit, which shows the changes done to the configuration.
MX_PRIV:TRANSPORT:EXPORT: Provides access to the "Transport/Export" tab in the Administration User Interface, if you want the user to be able to download the complete configuration. Because this exports the complete configuration, grant it only when the support case requires it.
MX_PRIV:WD:TAB_MANAGE: Gives access to the data. Also grant the user access to the Identity Management User Interface at the URL http://<host>:<port>/idm. Which tasks and data are available is controlled with task access control as described in the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.
MX_PRIV:WD:TAB_TRACE: Gives access to the "Trace" tab. This tab is used to configure and view trace information that can be used for troubleshooting purposes. For more information about using the trace, see section YY.
Do not assign the following privileges:
MX_PRIV:CONFIG_RW. This would allow the user to modify the configuration.
MX_PRIV:TRANSPORT:IMPORT. This would allow the user to import a new configuration.
9.2 Problem Message Handover
For sending problem messages/tickets to SAP use component BC-IAM-IDM and provide a detailed
and reproducible problem description.
Please see SAP Note 1497568 before submitting the ticket.