August 29, 2018 7 minute read

How to Install SAP Identity Management 8.0 as a Distributed System with Software Provisioning Manager 1.0

If installing SAP Identity Management (IdM) 8.0 as a distributed system is a challenge, let’s go for it.

In a distributed system, every instance can run on a separate host, thus ensuring scalability of the system and load sharing of the processing.

This blog post will focus on installing IdM Core on one host and IdM Runtime, IdM deployables on AS Java and Virtual Directory Server on a second host. To achieve this, we will use the Software Provisioning Manager (SWPM) 1.0 installation tool (the only available and supported installation option for new IdM installations). The operating system is Windows and the database system – MS SQL Server. For more information about a standard system installation on one host, see How to Install SAP Identity Management 8.0 with Software Provisioning Manager 1.0

Beforehand, we assume that all required prerequisites are fulfilled, as described in the IdM installation guide.

Note that, when an SAP system, such as IdM, is to be distributed across more than one machine, SAP strongly recommends that you perform a domain installation (all machines belong to the same domain) to avoid authorization problems.

Installing IdM Core Component on the First Host

Log on to the first installation host using an account with the required user authorization to run the installer. This is the host where IdM Core component is to be installed. It is called SAP Global Host.
Start SWPM by executing sapinst.exe from the directory to which you unpacked the latest version of SWPM10SP<Support_Package_Number>_<Version_Number>.SAR file.
Use Google Chrome.
Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Core Component.
Run the installation in a Typical mode.
Enter the SAP System ID.
Enter the master password for all users.
Provide the path to all required SAR archives. You can either download them to a local directory before you start the installation or do it right away from the specified locations on the SAP Software Download Center.
Choose to upgrade SAP Host Agent and provide the path to it.
Select the database system.
Enter the database host and port of the server where the IdM database is to run.
Enter the credentials for the IdM database.
Enter the prefix of the IdM database and the base-qualified name that is used for the IdM packages.
Enter the parameters for the IdM database users.
1. The master password that you provided in Step 6 is populated in the password fields for the IdM database users. You can keep it and proceed further or provide individual passwords.
2. Enter the name of the developer administrator user. This is the name of the initial developer administrator that is used to log on to the Identity Management Developer Studio. The initial developer administrator user must be named the same in the database and the UME.
Select the encryption and hash algorithm.
Review your parameters. If you want to change a parameter, select it and choose Revise. Then, choose Next to run the installation.
When the message “Execution of Service has been completed successfully.” appears, choose OK and then Exit.

The IdM Core component that contains the IdM database is now installed on the SAP Global host. The global directory usr\sap\<SAPSID>\SYS, which physically exists only once for each SAP system, is created. It has the following subdirectories:

global – globally shared data
This is where the Keys.ini file resides. During the installation, SWPM places the Keys.ini file into the /usr/sap/<SAPSID>/SYS/global/security/data directory on the database host, that is the SAP Global host. Then the Keys.ini file is shared with the network share sapmnt and distributed to every IdM Runtime instance.
Later, whenever you need to specify the path to Keys.ini file, make sure you give the following one: \\<SAPGLOBALHOST>\sapmnt\<SAPSID>\SYS\global\security\data\Key\Keys.ini
profile – the profiles for all instances
exe – executable replication directory for all instances and platforms

Installing IdM Runtime, Deployable Components and VDS on the Second Host

Installing IdM Runtime

Log on to the second installation host using an account with the required user authorization to run the installer.
Start SWPM by executing sapinst.exe from the directory to which you unpacked the SWPM archive.
Use Google Chrome.
Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Dispatcher Instance.
Run the installation in a Typical mode.
Enter the profile directory of your IdM system, where <SAPGLOBALHOST> is the host of the IdM Core installation and <SAPSID> is SAP system ID of IdM.
Enter the master password for all users that you have provided when installing IdM Core.
Provide the path to all required SAR archives. You can either download them to a local directory before you start the installation or do it right away from the specified locations on the SAP Software Download Center.
Choose to upgrade SAP Host Agent and provide the path to it.
Enter the instance number that is assigned to the IdM Dispatcher instance or use the one that is set automatically.
Browse for the JDBC driver path and enter the JDBC driver class name.
Enter the passwords for the <prefix>_admin and <prefix>_rt users.
Remember the passwords you have provided while installing IdM Core (step 13).
1. If you have set a master password for all users, provide it here.
2. If you have set individual passwords for those users, provide them here.
Review your parameters and choose Next to run the installation.
When the installation completed successfully, choose OK and then Exit.

The IdM Runtime is now installed on the second host.The initial dispatcher is created and set as the default one. All dispatcher settings are defined, including the connection strings to access the IdM database with your <prefix>_admin user and the <prefix>_rt user.

Installing Deployable Components on AS Java

Log on to the second installation host and start again SWPM.
Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Components on SAP NetWeaver AS Java.
Run the installation in a Typical mode and then enter the profile directory of your IdM system.
Enter the passwords of the OS users.
This is the master password for all users that you have already provided.
Enter the SAP system ID of the SAP NW Java system to be used for IdM deployable components.
Confirm or enter your SAP NetWeaver release and Support Package.
Enter the credentials of the administrator of the AS Java.
Select the IdM components that you want to deploy.
Provide the path to all required SAR archives, review your parameters and run the installation.

The IdM deployable components on SAP NetWeaver AS Java are now installed. You can proceed with installing the Identity Management Developer Studio (available as an Eclipse plugin) and the initial configuration of all components, described in the post-installation section.

Installing Virtual Directory Server

Log on to the second installation host and start again SWPM.
Choose SAP Identity Management 8.0 -> Installation -> Additional Components -> SAP Identity Management Virtual Directory Server.
Run the installation in a Typical mode and then enter the profile directory of your IdM system.
Enter the master password for all users.
Provide the path to all required SAR archives.
Enter the instance number that is assigned to the VDS instance or use the one that is set automatically.
Review your parameters and run the installation.
When the installation completed successfully, choose OK and then Exit.

The Virtual Directory server is now installed. You can proceed with starting the VDS and its initial configuration, described in the post-installation section.

10 Comments

You must be Logged on to comment or reply to a post.

Kannan Kannappan

February 8, 2019 at 2:31 pm

Hi Ivelina,

Your screen capture were excellent and I have one quick question, before asking my question let me tell you what I did so far,

Installed NW 7.50 JAVA (Distributed) - Database on one server and SCS, PAS on a different one server.
Now planning to install IDM 8.0 - Where should I install the core components - Core components includes DB, Identity store, business logic, keys, utilities and other configuration packages. Should I start core component install on DB server or the other server(that SCS and PAS installed)

thanks and best regards for your links. Any suggestions on above question will be greatly appreciated..

Ivelina Kiryakova

Blog Post Author

February 11, 2019 at 11:20 am

Hi Kannan,

In a distributed system, you can install IDM components on separate hosts. See Distributed System where it is recommended that the AS Java system runs on a host different from SAP Identity Management Core Component.

Back to your question, it depends on what your database server is and what you want to achieve:

You can install the Core component on the host where the database server is installed.

You can also install the Core component on the host where SAP NetWeaver AS Java is installed, but if your database server is Oracle or SAP ASE, have in mind the following limitation:

Installing IDM and NW AS Java on the same Oracle or SAP ASE database server is not supported. You must install IDM and NW AS Java on different Oracle or SAP ASE database servers.

Best Regards,

Ivelina

Kannan Kannappan

February 13, 2019 at 6:33 pm

Dear Ivelina,

Thanks for your reply.

Based on my requirement, my understanding is needed two set of databases one oracle DB for Java instance and another Oracle DB for IDM, Both databases will have different <SIDs> and Seperate SAP instances will be running one for JAVA and one for IDM. Is these(below) configs correct?

As JAVA:

SAP server - IDMDEV01
DB server - DBDEV01
<sap>SID - IDJ
<db>SID - IDJ
SCS - 01
PAS - 00
DAA - 97

As IDM:
SAP server - IDMDEV01

DB server - DBDEV01
<sap>SID - ID1
<db>SID - ID1
PAS - 02

thanks again for your help on this....

Kannan Kannappan

February 14, 2019 at 1:55 pm

Hello IDM experts,

Opened up a ticket with SAP and SAP responses were different. Below is their responses. Any idea what I am missing here? It seems like I have to follow SAP's direction.....

Hello Kannan,

According to https://help.sap.com/viewer/bb5dd5b844d046ea97fa6b328e0fda1d/8.0/en-US/571119cc37ce465b93de726fc0408427.html

Installing SAP Identity Management and SAP NetWeaver AS Java on the same Oracle database server is not supported. You must install SAP Identity Management and SAP NetWeaver AS Java on different Oracle database servers.

So, the answer is no, IdM and NW DB schema can not be installed on one and the same DB server even for non-productive landscape.

Hope this clarifies your query.

Kind Regards,

Mary,
SAP Product Support

Kay-Uwe Siebers

February 13, 2019 at 3:08 am

Hi Ivelina,

Installing IDM and NW AS Java on the same Oracle or SAP ASE database server is not supported. > You must install IDM and NW AS Java on different Oracle or SAP ASE database servers.

This is a bit misleading. You can install IDM and NW AS Java on the same database server, but in two _seperate_ databases. We use Exadata appliances without any issues.

I hope SAP will clarify this in the install guide...

kind regards,

Kay Siebers

Georg Thome

April 9, 2019 at 10:13 am

Hello IDM experts,

while following the installation procudere I had to deal with a couple of difficulties.

The first was due to our “strange” distribution of server roles:

one Linux instance for the Java Netweaver Instance
one Linux instance for the IDM Core instance
one SUN Solaris Sparc holding the two separate Oracle DB’s for the above

while the installation of the NW Java and the oracle instances was possible w/o issues,
I was first stuck when Installing the core with IDM core with SWPM.
It was not possible to use the SWPM because it was trying to execute locally Oracle-OS-sqlplus command called from the SWPM Java routines.
Even after enabling the local users (root, adm-user) to call the sqlplus (necessary env variables have been set in the shell profiles) the error of the SWPM stayed the same.

Though I found and switched to the method described @
http://forum.fandezhi.com/index.php?u=/topic/159/sap-idm-8-0-step-by-step-guide/1

where it is described to install the core by calling the Database scripts.
After installing the Scripts from the SP5, I applied those which were in SP6 (from sar icc6…).

I manually copied the Key-generation directory and copied the Key file to the shared directory

/sapmnt/<Inst>/global/security/data/Key/Keys.ini

In the IDM directory
/usr/sap/<Inst>/IDM00/Identity_Center/
I created appropriate soft-links with all potentiall writing types (key/keys/Key/Keys) for the directory.

Nevertheless, when calling the gui for the Dispatcher I get an error while trying to start the dispatcher:

[09.04.2019 10:22:59-088] - INFO - Prelog - First prelog line
[09.04.2019 10:23:00-153] - INFO - Prelog - Initialization done
[09.04.2019 10:23:00-153] - INFO - Prelog - Full dispatcher identifier:DZPB_IDM_T@dlli2t02t/10.32.65.88:1554798180153:183916
[09.04.2019 10:23:00-153] - INFO - Prelog - Dispatcher identifier prefix:DZPB_IDM_T@dlli2t02t/10.32.65.88
[09.04.2019 10:23:00-220] - TRACE - Prelog - Executing: GET_DISPATCHER #FieldsToReturn:null #Params:[DZPB_IDM_T] #InClause:[DZPB_IDM_T] #OrderBy:null
[09.04.2019 10:23:00-221] - DEBUG - Prelog - STATEMENT PREPARED: SELECT * FROM MC_DISPATCHER WHERE MACHINE=? PARAMETERS: DZPB_IDM_T
[09.04.2019 10:23:00-229] - TRACE - Prelog - Succesfull execution: GET_DISPATCHER
[09.04.2019 10:23:00-229] - INFO - Prelog - No dispatchers with this name (DZPB_IDM_T) appear to be running!
Cleaning all existing semaphores (starting with null)
[09.04.2019 10:23:00-230] - TRACE - Prelog - Calling SP: MC_CLRX_OWN_SEMA #InputParams:[441, ]
[09.04.2019 10:23:00-230] - TRACE - Prelog - Preparing SP: MC_CLRX_OWN_SEMA
[09.04.2019 10:23:00-242] - TRACE - Prelog - Executing SP: MC_CLRX_OWN_SEMA
[09.04.2019 10:23:00-247] - ERROR - Prelog - Key:MC_CLRX_OWN_SEMA - Exception: ORA-06550: line 1, column 7:
PLS-00201: identifier 'MC_CLRX_OWN_SEMA' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

[09.04.2019 10:23:00-248] - FATAL - Prelog - Preparing dispatcher failed: ORA-06550: line 1, column 7:
PLS-00201: identifier 'MC_CLRX_OWN_SEMA' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

What I added to the prop file of the dispatcher is the class for the odbc driver:

DSECLASSPATH=%DSE_HOME%/Java/*:%DSE_HOME%/Java/runtime/*:/oracle/I2T/lib/ojdbc14.jar

In the log files of the core - scripts I found further those errors:

ERROR at line 1:
ORA-01921: role name 'MXMC_ADMIN_ROLE' conflicts with another user or role name

create role MXMC_USER_ROLE
*
ERROR at line 1:
ORA-01921: role name 'MXMC_USER_ROLE' conflicts with another user or role name

create role MXMC_RT_ROLE
*
ERROR at line 1:
ORA-01921: role name 'MXMC_RT_ROLE' conflicts with another user or role name

create role MXMC_PROV_ROLE
*
ERROR at line 1:
ORA-01921: role name 'MXMC_PROV_ROLE' conflicts with another user or role name

create role MXMC_DELTA_RW_ROLE
*
ERROR at line 1:
ORA-01921: role name 'MXMC_DELTA_RW_ROLE' conflicts with another user or role
name

create role MXMC_DELTA_R_ROLE
*
ERROR at line 1:
ORA-01921: role name 'MXMC_DELTA_R_ROLE' conflicts with another user or role
name


GRANT SELECT ON MXPV_PROV_VIEWS TO MXMC_admin_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.USER_VIEWS'


GRANT SELECT ON MXPV_PROV_VIEWS TO MXMC_user_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.USER_VIEWS'


GRANT SELECT ON MXPV_PROV_VIEWS TO MXMC_user_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.USER_VIEWS'


mxpv_test_procedures
GRANT SELECT ON mxpv_test_procedures TO MXMC_admin_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.ALL_OBJECTS'


GRANT SELECT ON mxpv_test_procedures TO MXMC_user_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.ALL_OBJECTS'


GRANT SELECT ON mxpv_test_procedures TO MXMC_user_role
*
ERROR at line 1:
ORA-01720: grant option does not exist for 'SYS.ALL_OBJECTS'



I appropriate for any hints.
Thanks 
Georg

Georg Thome

April 10, 2019 at 12:08 pm

Has been solved… wrong user was choosen for the dispatcher RT.

The above mentioned errors have been manually resolved by giving the MXMC_admin user the “with grant option” to the system views by the sysdba user.

Anton Stanev

April 15, 2019 at 7:26 am

Hello Georg,

The Core component installation performed by you and described in the above blog is not supported since IdM SP04 release. It's not supported by SAP and most probably you will have some further issues when you try to update the Core component.

In order to install IdM Core component, you should run SWPM on the the DB host. Remote installations are not allowed. Please refer to official documentation for more details.

Kind regards,

Anton

Georg Thome

February 6, 2020 at 1:01 pm

Hi Anton,

meanwhile I did a lot of SP updates for IDM Core in the configuration above.
There is no problem doing this with a remote DB.

The only difficulty was to get (in case of oracle) a local sqlplus interface.

The documentation for the core update refers only to the mxmc-update.sh script.
The installation of the Dispatcher is working also w/o any problem.

I didn't find any explicit hint for the ban of remote DB.
I don't see any reason why this shouldn't be allowed.

Best regards

Georg

Anil Jaiswal

November 14, 2019 at 8:22 am

Hello Lvalina,

While installing sap IDM 8.0, i am getting error (EXIT /B 1 The database installation has failed on phase "Create database".)

below is log db_install_out

DB2_create_users.cmd

Prefix: MC

**********************************************************
*** Creating users for MC_db
**********************************************************
*** Creating MC_OPER
MC_OPER already exists
Setting password for MC_OPER
Setting description for MC_OPER
MC_OPER is already member of DB2USERS
MC_OPER is already member of DB2ADMNS
*** Creating MC_ADMIN
MC_ADMIN already exists
Setting password for MC_ADMIN
Setting description for MC_ADMIN
MC_ADMIN is already member of DB2USERS
MC_ADMIN is already member of DB2ADMNS
*** Creating MC_USER
MC_USER already exists
Setting password for MC_USER
Setting description for MC_USER
MC_USER is already member of DB2USERS
*** Creating MC_RT
MC_RT already exists
Setting password for MC_RT
Setting description for MC_RT
MC_RT is already member of DB2USERS
*** Creating MC_PROV
MC_PROV already exists
Setting password for MC_PROV
Setting description for MC_PROV
MC_PROV is already member of DB2USERS
DB2_create_database.cmd

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_PREFIX=MC

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_STORAGEPATH=D:/IDMDB2

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_TEMPORARYTABLESPACE=USERTEMP

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_OPERPWD=ddi6pD2325

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo.

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo **********************************************************
**********************************************************

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo *** DB2 registry settings
*** DB2 registry settings

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo **********************************************************
**********************************************************

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>db2 disconnect all
'db2' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>if 9009 GEQ 4 goto ERROR

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo DB2_create_database.cmd script has failed.
DB2_create_database.cmd script has failed.

C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>EXIT /B 1
The database installation has failed on phase "Create database". For more information, please check the installation logs.

How to Install SAP Identity Management 8.0 as a Distributed System with Software Provisioning Manager 1.0

Assigned Tags