At Australia Post we are looking toward an easier and more efficient user provisioning tool for our rapidly growing landscape. It seems that SCUA no longer cuts it for us.

In this blog I will outline the AusPost proof of concept for the recently GA Identity Management 7.1 offering from SAP.

Our mission:

Deploy a Proof of Concept IdM 7.1 system re-using existing systems where possible. 

Our landscape:

  • IdM database (DB) – Oracle 10.2.0.2, AIX 6.1 (WPAR)
  • User Interface (UI) – EP 7.01, Oracle 10.2.0.4, AIX 5.3
  • Runtime Components (RT) – AIX 5.3, Solution Manager system
  • Management Console (MC) – Windows XP laptop

Our initial problems:

We found there was not much documentation around on creating the Runtime Components (dispatcher) for UNIX systems.

Our steps:

IdM Database

We installed Oracle 10.2.0.2 with an empty database on an AIX 6.1 WPAR using the IDM 71 Oracle Install guide.pdf. We then imported the Identity Center database schema into this database using include.sql.

TIPS:

  • Define a table and include this in the include.sql.
  • Ensure you install the updates.sql to get the latest version of the schema.
  • Ensure ulimits are set to unlimited.

Runtime Components and JCO connector

We installed this on an existing AIX 5.3 LPAR shared with Solution Manager, using the IDM 71 Runtime Component Install Guide.pdf.

TIPS:

  • Download and install SAPJVM_5.
  • Set JAVA_HOME and PATH to the SAPJVM.

IDM Management Console

We installed this on the local XP laptop of the Security Administrator using the Initial Configuration.pdf. First we installed the Oracle database client; this then allowed the Identity Center configuration to choose ‘Oracle Provider for OLE DB’ and the Net Service (listener) connection to our IdM database schema above. Then we ran the MMC install for Identity Center and implemented the Identity Center initial configuration (Initial Configuration.pdf).

TIPS:

  • The ‘create dispatcher’ step creates Dispatcher_Service,server.sh and Dispatcher_Service.prop. Copy these from the Management Console to the Runtime Component.
  • Edit them with the JDBC driver connection to the IdM database, the pointer to the JDBC driver, the PATH to DSE.jar, JAVA_HOME (sapjvm) and the DISPATCHER NAME.
  • Key.ini is created in the Management Console and copied to the AIX Runtime environment and the User Interface, as per IDM 7.1 Runtime Component Install Guide.pdf.
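As an added example (not a script from this post, and not an SAP tool), the following POSIX shell preflight check covers the Runtime Component tips above and the Management Console tips in this section: that JAVA_HOME and PATH point at the SAPJVM, that the files generated by ‘create dispatcher’ have actually been copied to the AIX runtime host, and that the copied Key.ini, which is shared by all three components, is readable by the IdM user only on a shared LPAR. The generated file names are assumed from the fragment in the post and can be adjusted in DISPATCHER_FILES; IDM_PREFLIGHT_DIR is a variable introduced here.

```shell
#!/bin/sh
# Preflight checks for an IdM 7.1 Runtime Component (dispatcher) host.
# Added example, not from the original post or from SAP. The file names
# below follow the post's fragment and are an assumption; adjust them to
# what your Management Console actually generated. The owner-only
# permission policy for Key.ini and IDM_PREFLIGHT_DIR are assumptions too.

DISPATCHER_FILES="Dispatcher_Service.sh Dispatcher_Service.prop Key.ini"

# Return 0 if every generated file has been copied into directory $1,
# else 1 (each missing file is reported on stderr).
check_dispatcher_files() {
  dir=$1
  rc=0
  for f in $DISPATCHER_FILES; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING: $dir/$f" >&2
      rc=1
    fi
  done
  return $rc
}

# Key.ini is created once in the Management Console and copied to the
# runtime and UI hosts, so it should be readable by the IdM user only.
# Return 0 when the group and other permission bits of $1 are all clear.
check_key_perms() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "MISSING: $f" >&2
    return 1
  fi
  # In 'ls -l' output, columns 5-10 are the group and other rwx bits.
  bits=$(ls -ld "$f" | cut -c5-10)
  if [ "$bits" != "------" ]; then
    echo "INSECURE: $f has mode $(ls -ld "$f" | cut -c1-10); expected owner-only" >&2
    return 1
  fi
  return 0
}

# JAVA_HOME ($1) must contain bin/java and $1/bin must be the first entry
# of PATH ($2), so the dispatcher cannot pick up another JVM on the LPAR.
check_java_home() {
  jh=$1
  path=$2
  if [ ! -x "$jh/bin/java" ]; then
    echo "JAVA_HOME $jh has no executable bin/java" >&2
    return 1
  fi
  case "$path" in
    "$jh/bin:"*|"$jh/bin") return 0 ;;
  esac
  echo "PATH does not start with $jh/bin" >&2
  return 1
}

# Informational only: the file-size ulimit the post says must be unlimited.
report_ulimit() {
  echo "ulimit -f: $(ulimit -f)"
}

# Run every check against one host layout; returns the number of failures.
preflight() {
  dir=$1
  jh=$2
  fails=0
  check_dispatcher_files "$dir" || fails=$((fails + 1))
  check_key_perms "$dir/Key.ini" || fails=$((fails + 1))
  check_java_home "$jh" "$PATH" || fails=$((fails + 1))
  report_ulimit
  return $fails
}

# Stand-alone use:
#   IDM_PREFLIGHT_DIR=/path/to/dispatcher JAVA_HOME=/path/to/sapjvm_5 sh preflight.sh
if [ -n "${IDM_PREFLIGHT_DIR:-}" ]; then
  preflight "$IDM_PREFLIGHT_DIR" "${JAVA_HOME:-}"
fi
```

Run it as the user the dispatcher will run under, since that is the user whose read access to Key.ini and whose ulimits matter.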

User interface

We deployed this to our existing Enterprise Portal 7.01 SP19 via the SDM, as per IDM 71 User Interface Install Guide.pdf. This guide also explains how to configure the JMX layer, add a user to the identity store, access the IdM user interface, import the predefined content for SAP NetWeaver Portal and verify the portal.

TIPS:

  • Create the identity store manually first.
  • Add the pcd:portal_content/com.sap.idm.identity_managment_folder portal role to the user.

Our next steps:

  • Install the IdM Database and Runtime on a single AIX 6.1 LPAR.
  • Install the Management Console on a central Windows 2007 server.
  • Install the User Interface on NetWeaver CE 7.1.
  • Determine the applicability of a VDS (Virtual Directory Server).

3 Comments

  1. Bernhard Escherich
    Hello Dave,

    thanks for sharing the information with us.
    I would be very interested to know which scenarios and systems you will include in your POC.

    I have presented some work with another customer (KMD) at the last SAPPHIRE. Perhaps this could help you in your POC.

    Best regards,
    Bernhard

    1. Dave Bedford Post author
      Hi Bernhard

      Thanks for taking a look at this. I’m the technical guy working with our security team on this POC.

      Below are our goals for the POC.

      1. Successfully install & document a SAP IdM 7.1 Sandbox system.
      2. Integrate IDM into the Sandbox Portal.
      3. Identify likely IdM “Use Case” for AusPost.
      4. Set-up IdM system to have CORPDEV (LDAP) as user source.
      5. Connect IdM system to following Sandbox systems:
         • Portal
         • ERP
         • SCM
         • BI
      6. Configure EMPT “Business roles” in SAP IdM. Configure process for provisioning EMPT access to Sandbox system.
      7. Create/Change/Delete EMPT user-id role assignments via IdM.
      8. Confirm user-id maintenance using both IdM and SU01 can co-exist.
      9. Confirm successful logon of an EMPT test user, provisioned via SAP IdM, to the Sandbox Portal & backend systems (i.e. ERP, BI, ERP)
      10. Configure a process for provisioning a user to ERP with SOD checking built-in.
      11. Determine how to manage System Administration & Non-Dialog user-ids (e.g. SAP*, DDIC, batch user-ids, etc).
      12. Review IdM Reporting/audit tools.

  2. John Parker
    Do you have any updates on your POC? My company has an expanding SAP footprint and we were looking at IDM to help provision users across all those landscapes too.

    -John
