Release notes - IBM® Security® Identity Adapter 7.1.26 for SAP NetWeaver

IBM Security Identity adapter for SAP NetWeaver 7.1.26 is available. Compatibility, installation, and other getting-started issues are addressed.

 

Contents

                                                                                                                                          

Preface

These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals was printed:

Adapter Features and Purpose                                                 

The IBM Security Identity Adapter for SAP NetWeaver is designed to create and manage accounts on a target SAP NetWeaver ABAP server. The adapter runs in "agentless" mode and communicates using standards BAPI and RFC methods supplied with the SAP server. Communication to these BAPI and RFC methods is enabled by the SAP Java Connector (Jco) API.

IBM recommends the installation of this adapter (and the prerequisite IBM Security Directory Integrator, previously known as IBM Tivoli Directory Integrator) on each node of an IBM Security Identity Server WAS cluster. A single copy of the adapter can handle multiple IBM Security Identity Server Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security Identity Server Provisioning Policies and Approval Workflow process. Please refer to the IBM Knowledge Centre for a discussion of these topics.

The IBM Security Identity Server adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Identity Server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

License Agreement

Review and agree to the terms of the IBM Security Identity Server Adapter License prior to using this product. The license can be viewed from the "license" folder included in the product package.

Contents of this Release

Adapter Version

Component

Version

Build Date

2017 September 12 01.26.30

Adapter Version

7.1.26

Component Versions

Adapter build: 7.1.26.188

Profile:  7.1.26.188

Connector:  7.1.26.188

Dispatcher 7.0.32 and above

Documentation

The following guides are available in the IBM Knowledge Centre:

·  SAP NetWeaver Adapter Installation and Configuration Guide

New Features

Enhancement # (FITS)

Description

 

Items included in current release(7.1.26)

 

None

 

Items included in 7.1.25 release

 

None

 

Items included in 7.1.24 release

Internal

SAP Authorization roles issue - SAP complexAttribute handler should set ID value for ComplexAttributeValue

 

Items included in 7.1.23 release

RTC 153839

Added support for JCo 3.0.16.

Bug 2160 - Test connection issue on SAP NW adapter service failing with 'Password decryption failed'

Bug 2262 - SAP NetWeaver CTGDIK220E Communication error with SAP R/3

 

Items included in 7.1.22 release

RTC 151783

Add Support for Identity Governance and Intelligence (IGI) v5.2.2

This adapter is now designed for use with IBM security Identity manager, Privileged Identity Manager and Identity Governance and Intelligence

 

Note – SAPNetWeaver adapter does not support adapter inside VA functionality. It can’t be install inside the identity Governance and Intelligence VA.

 

 

Items included in 7.0.21 release

 

None

 

Items included in 7.0.20 release

RTC 142424

Support for SAP NW 750

96511 (46480)

 

Support for Complex attribute handler for SAP

Note: In order to use this feature, upgrade to IBM Security Identity Manager Version 7.0.1.

RTC 142424

Support for SAP NW 750

 

Items included in 7.0.19 release

Internal

Changes for IGI 5.2 release

Note: This change is applicable only to SAP NW adapter

Change multi-value attributes to add/delete instead of replace:ersapnwprofile ,ersapnwgroup ,ersapnwusergroups

 

Items included in 7.0.18 release

Internal

Role-only changes for IGI 5.2 release

Note: This change is applicable only to SAP NW adapter

 

Items included in 7.0.17 release

 

Initial Release.

Closed Issues

CMVC#

APAR#

PMR# / Description

 

 

Items included in current release(7.1.26)

 

 

None

 

 

Items included in 7.1.25 release

 RTC 161746

 

AGC - Connector/Adapter SAP Remove Permission system SAP CUA

 

 

Items included in 7.1.24 release

 RTC 158750

IV94659/Bug 2302

PMR 03339,070,724 SAP Authorization Profiles with no description are not reconciled.

 

See “Support data reconciliation as the language given on service form” for more details.

 

 

Items included in 7.1.23 release

RTC 155022

IV90363/Bug 2193

PMR 18847,130,702/ ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP

 

 

Items included in 7.1.22 release

 

IV87049/Bugz 2103, Bugz 2109

PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled.

 

This version of adapter is modified to reconcile all the role names and will reconcile role description for role names in the language specified on the service form.

 

 

IV90363/Bugz 2193

 

PMR 18847,130,702/ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP.

 

This version of adapter is modified to reconcile child role names also which are not present on parent system.

 

 

Internal/Bug 2177

PMR 00519,070,724/ Confusing documentation about the support for the HR Linking extension

 

 

Items included in 7.0.21 release

 

 IV87049/Bugz 2103, Bugz 2109

PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled.

 

IV89133/Bugz 2155

 

PMR 62668,004,000/question about ersapnwusergroups attribute modify behavior

 

 

Items included in 7.0.20 release

 

 

None

 

 

Items included in 7.0.19 release

 IV77638/Bugz1856

SAP NW Adapter modify role request fail, but ISIM LDAP entries updated with role info anyway.

 

 

Items included in 7.0.18 release

 

 

None

 

 

Items included in 7.0.17 release

 

 

Initial Release.

Known Issues

CMVC#

APAR#

PMR# / Description

 

 

 

 

SAP GRC option is only available for ISIM 6.0 now. This adapter does not support SAP GRC at this time on ISIM 7.0 and IGI.

It will be supported in future version.

 

 

 

 

 

The Adapter for SAP NetWeaver does not retrieve descriptive text from SAP for most support data classes.

 

 

 

 

Language Attribute under both Communication and Default tabs can be search only by language key, e.g. EN.

 

 

 

 

Modifying an account by reassigning a group that has been previously removed from the account is not working correctly. This appears to be a problem with standard SAP functionality.

 

 

 

 

Invalid email format (described in 4.1.7 Email Address) is not reported as error during add and modify operations

 

 

 

 

It is possible to change attributes on the non-CUA/CUA Master License Data tab only if the attribute "Contractual User Type" (ersapnwlicutype) is supplied in the Add or Modify operation request.

 

 

 

 

Recon with filter (eruid=*) is case sensitive due to RMI dispatcher limitation.

 

 

 

 

If custom extension xsl file is missing the operation hangs.

 

 

 

 

After modifying adapter service parameters in the IBM Security Identity Manager server, the dispatcher process hosting the adapter must be restarted.

 

 

 

 

The adapter reports error or failure status to IBM Security Identity Manager for all provisioning operations if a BAPI/RFC executed during the operation reports an error or failure. There are some cases when a SAP BAPI/RFC may report an error incorrectly. The BAPI/RFC actually executes successfully. One specific example is on user creation. If no user company addresses have been defined in SAP, the BAPI function BAPI_USER_CREATE1 reports an error to the adapter, but actually creates the user account in SAP. When the adapter reports the error to IBM Security Identity Manager, IBM Security Identity Manager server will not update the account in its repository resulting in an inconsistency between IBM Security Identity Manager and SAP. The incorrect error status indicator cases are reported to SAP support as they are identified, to be corrected by SAP in support packs. In the meantime, IBM Security Identity Manager users should leverage the full or filtered reconciliation features of IBM Security Identity Manager to maintain consistency between IBM Security Identity Manager and SAP repositories.

 

 

 

 

IBM Security Identity Manager converts date values to the local time zone of the user. As a result, there can be cases where dates returned from SAP via the adapter to IBM Security Identity Manager server appear to lose or gain a day. This occurs when any account attribute is modified in IBM Security Identity Manager. IBM Security Identity Manager will perform the time zone conversion as the modified account is being saved back into the IBM Security Identity Manager request queue for subsequent provisioning.

 

Known Limitations for SAP NW adapter

CMVC#

APAR#

PMR# / Description

 

 

RTC 161745

 

 

Limitations in Changing Password in CUA system:

 

Adapter uses BAPI_USER_CHANGE to set and change user’s password in the CUA’s central system.

The initial password is distributed to the child systems when a user is created. However, for password change, the adapter changes existing passwords only locally and will not change them in the central system i.e. the password change is not propagated to the child system due to BAPI limitation.

 

 

 

 

Limitations on Switching between Productive (Permanent) and Initial (Temporary) password

 

During modify operation; the existing password of the account will be modified to Productive if "Set Password as Productive" is checked. A modify operation is needed before a password change operation to change the status of “Set Password as Productive" flag. This is a send only attribute. The value of the flag won’t be stored in ITIM/ISIM.

 

 

 

 

Limitations on support for SAP Productive Passwords

 

1.     SAP versions supported by the adapter require SNC to be enabled to set productive passwords.

2.     In a CUA environment, the adapter cannot set the password to be productive due to a limitation in the SAP interface.

 

 

 

 

In CUA deployments, the adapter must be configured against the CUA master system. All attributes of accounts are managed via the master system. For all attributes except roles and profiles, the adapter will manage and synchronize account attribute state against the CUA master.

 

 

 

 

When assigning a CUA child system to a user account, if the user account has group assignments, and at least one of those groups does not exist on the CUA child, then the account will not be created on the child. This is a limitation with SAP CUA implementation, and is reproducible using the native SAP user management transaction SU01.

 

 

 

 

Country attribute under Person Tab depends on attribute Company from the same tab. After recon value of attribute Country might be changed to correspond to Company address.

 

 

 

 

In CUA environments, when assigning role/profile from master or child systems to user without system assignment, SAP automatically creates an associated CUA system assignment. IBM Security Identity Manager will not have visibility of the automatically assigned CUA system assignment until next reconciliation for the user.

 

 

 

 

When performing a filtered reconciliation, the filter value must be defined in uppercase (e.g.(eruid=USER1) ). This is due to an inconsistency within the BAPI methods for user management provided by SAP. This limitation affects retrieval of CUA profiles assigned to the requested user account.

 

 

 

 

In CUA environments there is no known method for distinguishing a composite role from a noncomposite role. This means that reconciliation will return all roles from a CUA implementation.

 

 

 

 

SAP allows different telephone numbers to be set as the "Primary telephone number", such as the Mobile Phone number. During reconciliation, SAP will return the Mobile phone number as the Primary telephone number if a Telephone number has not been defined for an account in SAP.

 

 

 

 

Role assignment modification does not work when attempting to simultaneously add a directly assigned single role while removing a composite role which also contains the given single role. It is recommended to perform this operation as two separate steps, i.e. remove the composite role, then add the single role.

 

 

 

 

The HR Personnel number attribute is no longer supported. This attribute is present on the account form to allow adoption of the sample ABAP extension for HR Linking.

 

 

 

 

The ABAP extension for password management is no longer supported. As a result, the adapter manages account passwords in accordance with the default features and constraints supported by SAP. Further to this, SAP does not enable external code components, such as this adapter, to distribute productive password changes within a CUA environment.

Please refer to the following SAP notes for additional background, details and limitations: 376856, 830493, 1287410, 991968, 1300104.

 

 

 

Last Logged in Date attribute will always be on the same time zone, as of SAP NetWeaver Server’s time zone.

 

Support data reconciliation as the language given on service form

 

This version of adapter is modified to reconcile support data as per the language given on service form. The details are as below:-

·         There are some support data for which language is not a barrier. So adapter will reconcile such support data as earlier.

E.g. Academic title, Company, User group, Menu, Output device, Parameter, User type.

·         There are some support data for which adapter reconcile the name and description as per the language given on service form and reconcile the name only for other languages. In this case, description will be same as name.

E.g. Roles and Profiles.

·         There are some support data for which we reconcile the name and description as per the language given on service form and ignore the data for other languages.

E.g. Timezone, Country, Language, Security Policy, Special version, Title, Type.

 

Multi Byte Character Support Limitations

All character data transferred between IBM Security Identity Manager Server, the adapter, and SAP ABAP server are encoded as UTF-8. The adapter supports provisioning of multi byte characters to and from a directly connected SAP ABAP Unicode server. Provisioning of ASCII characters is supported for Non-Unicode SAP ABAP servers. The adapter does not support provisioning of multi byte characters to any Non-Unicode ABAP server. Extended ASCII characters are not tested or supported for Non-Unicode SAP ABAP servers.

Non Transactional Provisioning

The adapter does not execute provisioning operations within a transactional context. Some provisioning operations require multiple steps to be executed against the SAP server. A consequence of this situation is that errors or warnings which occur after the first step may result in a partially complete provisioning operation. A possible method to handle for this limitation is to use the IBM Security Identity Manager workflow features to execute compensating actions. For example, issue a filter reconciliation for the given user account in order to synchronize the account state between IBM Security Identity Manager and the target server.

Enable Deactivated Password on Modify Limitation

The "Deactivate password" attribute is supported by both the Add and Modify operation. Enabling this attribute on the account form will cause the password for an account to be deactivated in SAP. However, disabling the "Deactivate password" flag is NOT supported in the modify operation. The adapter will not enable the password for an account if the "Deactivate password" flag is unchecked on a modify operation. To re-enable a deactivated password for an account, a request to change the password for the account must be made instead. The state of the disable password flag in IBM Security Identity Manager will not be synchronized until reconciliation is performed.

SAP Adapter Extension Function for HR Linking is no longer supported

Earlier version of SAP adapter had included optional ABAP extension functions for HR Linking, Account Locking, and Productive Password setting and synchronization. Since there are no BAPIs or APIs to do the HR link, adapter code used to directly access SAP tables.  However SAP does not recommended accessing SAP tables directly.  Therefore even though the source code sample versions of the extensions are included in adapter package, support for HR linking has been stopped.

SAP Connection parameters not marked as required in the Service form

SAP connection parameters are not marked as required because, SAP adapter can create connection with SAP Netweaver server using either the provided service form attributes or by using the optional RFC parameter attribute present in service form.

Installation and Configuration Notes

See the Installation and Configuration guide for IBM Security Identity Adapter for SAPNetWeaver for detailed instructions.

Corrections to Installation guide:

SAPNW install guide corrections:

The following corrections to install guide apply to this release      

None

Configuration Notes

The following configuration notes apply to this release:

 

             IBM Security Identity adapter for SAP NetWeaver does not install inside the Identity Governance and Intelligence VA.

             Installing the adapter language pack

The adapters use a separate language package from the IBM Security Identity Management. See the IBM Security Identity Management library and search for information about installing the adapter language pack at

IBM Knowledge Centre.

 

 

Customizing or Extending Adapter Features

The IBM Security Identity Server adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

·         IBM Security Identity Server administration

·         IBM Security Directory Integrator management

·         IBM Security Directory Integrator assembly line development

·         LDAP schema management

·         Working knowledge of Java scripting language

·         Working knowledge of LDAP object classes and attributes

·         Working knowledge of XML document structure

Note: If the customization requires a new IBM Security Directory Integrator connector, the developer must also be familiar with IBM Security Directory Integrator connector development and working knowledge of Java programming language.

IBM Security Identity Server Resources:

            Check the "Training" section of the IBM Security Identity Server for links to training, publications, and demos.

IBM Security Directory Integrator Resources:

            Check the "Training" section of the IBM Security Directory Integrator Support web site for links to training, publications, and demos.

Support for Customized Adapters

The integration to the IBM Security Identity server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Supported Configurations

Installation Platform

The IBM Security Identity Adapter for SapNetWeaver adapter was built and tested on the following product versions.

Adapter Installation Platform: 

Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following TDI/SDI releases are the officially supported versions:

Earlier versions of TDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your TDI/SDI releases to the officially supported versions by the adapters

 

Note:  The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.

Managed Resource:

The following SAP ABAP Basis versions running anywhere on the network are supported:

·         SAP NW 700 (NetWeaver 2004s)

·         SAP NW 710

·         SAP NW 730 (see the "Limitations on support for SAP Productive Passwords" topic in the "Known Issues" section of this document for important functional restrictions)

·         SAP NW 740

·         SAP NW 750

 

            Note: Support for SAP GRC resource is only available for ISIM 6.0 now. This adapter does not support SAP GRC at this time on ISIM 7.0 and IGI. It will be supported in future version.

 

The adapter supports SAP CUA environments. If CUA is configured the adapter must be deployed against the central CUA master system.

Refer to section "Multi Byte Character Support Limitations" above regarding unicode support limitations.

SAP PATCHES:

The following minimum patch levels, by SAP release version, are required:

SAP Release      Software Component                                Support Package

700                         SAP_BASIS                                           SAPKB70026

701                         SAP_BASIS                                           SAPKB70111

702                         SAP_BASIS                                           SAPKB70210

710                         SAP_BASIS                                           SAPKB71014

730                         SAP_BASIS                                           SAPKB73007

731                         SAP_BASIS                                           SAPKB73102

Specifically, the SAP system must be patched with corrections from SAP notes 992375, 994415, 1101858 and 1636845.

SAP JCo certified:

JCo 3.0.17

Note: SAP NW Adapter was tested and certified using JCo v3.0.17. SAP may release a newer version of JCo since then and for reasons unknown, SAP may not make JCo v3.0.17 available for download. The newer version of JCo may work as is with the adapter.  However, if there are any issues related directly to the newer version of JCo, it will be addressed in the next release of the adapter.


IBM Security Identity Manager:

IBM Security Identity Manager v7.0

     

IBM Security Privileged Identity Manager (PIM):

        ISPIM v2.0

        ISPIM v2.1

Identity Governance and Intelligence (IGI):

         IGI v5.2.1

         IGI v5.2.2

         IGI v5.2.3

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.