How to Install SAP Identity Management 8.0 as a Distributed System with Software Provisioning Manager 1.0
If installing SAP Identity Management (IdM) 8.0 as a distributed system is a challenge, let’s go for it.
In a distributed system, every instance can run on a separate host, thus ensuring scalability of the system and load sharing of the processing.
This blog post focuses on installing IdM Core on one host, and IdM Runtime, the IdM deployable components on AS Java and Virtual Directory Server on a second host. To achieve this, we will use the Software Provisioning Manager (SWPM) 1.0 installation tool (the only available and supported installation option for new IdM installations). The operating system is Windows and the database system is MS SQL Server. For more information about a standard system installation on one host, see How to Install SAP Identity Management 8.0 with Software Provisioning Manager 1.0.
Beforehand, we assume that all required prerequisites are fulfilled, as described in the IdM installation guide.
Note that, when an SAP system, such as IdM, is to be distributed across more than one machine, SAP strongly recommends that you perform a domain installation (all machines belong to the same domain) to avoid authorization problems.
Installing IdM Core Component on the First Host
- Log on to the first installation host using an account with the required user authorization to run the installer. This is the host where the IdM Core component is to be installed; it is called the SAP Global Host.
- Start SWPM by executing sapinst.exe from the directory to which you unpacked the latest version of SWPM10SP<Support_Package_Number>_<Version_Number>.SAR file.
Use Google Chrome.
- Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Core Component.
- Run the installation in a Typical mode.
- Enter the SAP System ID.
- Enter the master password for all users.
- Provide the path to all required SAR archives. You can either download them to a local directory before you start the installation or do it right away from the specified locations on the SAP Software Download Center.
- Choose to upgrade SAP Host Agent and provide the path to it.
- Select the database system.
- Enter the database host and port of the server where the IdM database is to run.
- Enter the credentials for the IdM database.
- Enter the prefix of the IdM database and the base-qualified name that is used for the IdM packages.
- Enter the parameters for the IdM database users.
- The master password that you provided in Step 6 is populated in the password fields for the IdM database users. You can keep it and proceed further or provide individual passwords.
- Enter the name of the developer administrator user. This is the name of the initial developer administrator that is used to log on to the Identity Management Developer Studio. The initial developer administrator user must be named the same in the database and the UME.
- Select the encryption and hash algorithm.
- Review your parameters. If you want to change a parameter, select it and choose Revise. Then, choose Next to run the installation.
- When the message “Execution of Service has been completed successfully.” appears, choose OK and then Exit.
The IdM Core component that contains the IdM database is now installed on the SAP Global host. The global directory usr\sap\<SAPSID>\SYS, which physically exists only once for each SAP system, is created. It has the following subdirectories:
- global – globally shared data
This is where the Keys.ini file resides. During the installation, SWPM places the Keys.ini file into the /usr/sap/<SAPSID>/SYS/global/security/data directory on the database host, that is the SAP Global host. Then the Keys.ini file is shared with the network share sapmnt and distributed to every IdM Runtime instance.
Later, whenever you need to specify the path to the Keys.ini file, make sure you give the following one: \\<SAPGLOBALHOST>\sapmnt\<SAPSID>\SYS\global\security\data\Key\Keys.ini
- profile – the profiles for all instances
- exe – executable replication directory for all instances and platforms
Installing IdM Runtime, Deployable Components and VDS on the Second Host
Installing IdM Runtime
- Log on to the second installation host using an account with the required user authorization to run the installer.
- Start SWPM by executing sapinst.exe from the directory to which you unpacked the SWPM archive.
Use Google Chrome.
- Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Dispatcher Instance.
- Run the installation in a Typical mode.
- Enter the profile directory of your IdM system, where <SAPGLOBALHOST> is the host of the IdM Core installation and <SAPSID> is SAP system ID of IdM.
- Enter the master password for all users that you have provided when installing IdM Core.
- Provide the path to all required SAR archives. You can either download them to a local directory before you start the installation or do it right away from the specified locations on the SAP Software Download Center.
- Choose to upgrade SAP Host Agent and provide the path to it.
- Enter the instance number that is assigned to the IdM Dispatcher instance or use the one that is set automatically.
- Browse for the JDBC driver path and enter the JDBC driver class name.
- Enter the passwords for the <prefix>_admin and <prefix>_rt users.
Remember the passwords you have provided while installing IdM Core (step 13).
- If you have set a master password for all users, provide it here.
- If you have set individual passwords for those users, provide them here.
- Review your parameters and choose Next to run the installation.
- When the installation has completed successfully, choose OK and then Exit.
The IdM Runtime is now installed on the second host. The initial dispatcher is created and set as the default one. All dispatcher settings are defined, including the connection strings to access the IdM database with your <prefix>_admin user and the <prefix>_rt user.
Installing Deployable Components on AS Java
- Log on to the second installation host and start SWPM again.
- Choose SAP Identity Management 8.0 -> Installation -> Distributed System -> SAP Identity Management Components on SAP NetWeaver AS Java.
- Run the installation in a Typical mode and then enter the profile directory of your IdM system.
- Enter the passwords of the OS users.
This is the master password for all users that you have already provided.
- Enter the SAP system ID of the SAP NW Java system to be used for IdM deployable components.
- Confirm or enter your SAP NetWeaver release and Support Package.
- Enter the credentials of the administrator of the AS Java.
- Select the IdM components that you want to deploy.
- Provide the path to all required SAR archives, review your parameters and run the installation.
The IdM deployable components on SAP NetWeaver AS Java are now installed. You can proceed with installing the Identity Management Developer Studio (available as an Eclipse plugin) and the initial configuration of all components, described in the post-installation section.
Installing Virtual Directory Server
- Log on to the second installation host and start SWPM again.
- Choose SAP Identity Management 8.0 -> Installation -> Additional Components -> SAP Identity Management Virtual Directory Server.
- Run the installation in a Typical mode and then enter the profile directory of your IdM system.
- Enter the master password for all users.
- Provide the path to all required SAR archives.
- Enter the instance number that is assigned to the VDS instance or use the one that is set automatically.
- Review your parameters and run the installation.
- When the installation has completed successfully, choose OK and then Exit.
The Virtual Directory server is now installed. You can proceed with starting the VDS and its initial configuration, described in the post-installation section.
Hi Ivelina,
Your screen captures were excellent and I have one quick question. Before asking my question, let me tell you what I did so far,
thanks and best regards for your links. Any suggestions on the above question will be greatly appreciated.
Hi Kannan,
In a distributed system, you can install IDM components on separate hosts. See Distributed System where it is recommended that the AS Java system runs on a host different from SAP Identity Management Core Component.
Back to your question, it depends on what your database server is and what you want to achieve:
You can install the Core component on the host where the database server is installed.
You can also install the Core component on the host where SAP NetWeaver AS Java is installed, but if your database server is Oracle or SAP ASE, have in mind the following limitation:
Installing IDM and NW AS Java on the same Oracle or SAP ASE database server is not supported. You must install IDM and NW AS Java on different Oracle or SAP ASE database servers.
Best Regards,
Ivelina
Dear Ivelina,
Thanks for your reply.
Based on my requirement, my understanding is that two sets of databases are needed: one Oracle DB for the Java instance and another Oracle DB for IDM. Both databases will have different <SIDs>, and separate SAP instances will be running, one for JAVA and one for IDM. Are these (below) configs correct?
As JAVA:
SAP server - IDMDEV01
DB server - DBDEV01
<sap>SID - IDJ
<db>SID - IDJ
SCS - 01
PAS - 00
DAA - 97
As IDM:
SAP server - IDMDEV01
DB server - DBDEV01
<sap>SID - ID1
<db>SID - ID1
PAS - 02
thanks again for your help on this....
KK
Hello IDM experts,
Opened up a ticket with SAP and SAP's responses were different. Below are their responses. Any idea what I am missing here? It seems like I have to follow SAP's direction.....
Hello Kannan,
According to https://help.sap.com/viewer/bb5dd5b844d046ea97fa6b328e0fda1d/8.0/en-US/571119cc37ce465b93de726fc0408427.html
Installing SAP Identity Management and SAP NetWeaver AS Java on the same Oracle database server is not supported. You must install SAP Identity Management and SAP NetWeaver AS Java on different Oracle database servers.
So, the answer is no, IdM and NW DB schema can not be installed on one and the same DB server even for non-productive landscape.
Hope this clarifies your query.
Kind Regards,
Mary,
SAP Product Support
Hi Ivelina,
This is a bit misleading. You can install IDM and NW AS Java on the same database server, but in two _separate_ databases. We use Exadata appliances without any issues.
I hope SAP will clarify this in the install guide...
kind regards,
Kay Siebers
Hello IDM experts,
While following the installation procedure I had to deal with a couple of difficulties.
The first was due to our “strange” distribution of server roles:
while the installation of the NW Java and the oracle instances was possible w/o issues,
I was first stuck when Installing the core with IDM core with SWPM.
It was not possible to use the SWPM because it was trying to execute locally Oracle-OS-sqlplus command called from the SWPM Java routines.
Even after enabling the local users (root, adm-user) to call the sqlplus (necessary env variables have been set in the shell profiles) the error of the SWPM stayed the same.
Though I found and switched to the method described @
http://forum.fandezhi.com/index.php?u=/topic/159/sap-idm-8-0-step-by-step-guide/1
where it is described to install the core by calling the Database scripts.
After installing the Scripts from the SP5, I applied those which were in SP6 (from sar icc6…).
I manually copied the Key-generation directory and copied the Key file to the shared directory
/sapmnt/<Inst>/global/security/data/Key/Keys.ini
In the IDM directory
/usr/sap/<Inst>/IDM00/Identity_Center/
I created appropriate soft-links with all potential writing types (key/keys/Key/Keys) for the directory.
What I added to the prop file of the dispatcher is the class for the odbc driver:
DSECLASSPATH=%DSE_HOME%/Java/*:%DSE_HOME%/Java/runtime/*:/oracle/I2T/lib/ojdbc14.jar
Has been solved… wrong user was chosen for the dispatcher RT.
The above mentioned errors have been manually resolved by giving the MXMC_admin user the “with grant option” to the system views by the sysdba user.
Hello Georg,
The Core component installation performed by you and described in the above blog is not supported since IdM SP04 release. It's not supported by SAP and most probably you will have some further issues when you try to update the Core component.
In order to install IdM Core component, you should run SWPM on the DB host. Remote installations are not allowed. Please refer to official documentation for more details.
Kind regards,
Anton
Hi Anton,
meanwhile I did a lot of SP updates for IDM Core in the configuration above.
There is no problem doing this with a remote DB.
The only difficulty was to get (in case of oracle) a local sqlplus interface.
The documentation for the core update refers only to the mxmc-update.sh script.
The installation of the Dispatcher is working also w/o any problem.
I didn't find any explicit hint for the ban of remote DB.
I don't see any reason why this shouldn't be allowed.
Best regards
Georg
Hello Ivelina,
While installing SAP IDM 8.0, I am getting an error (EXIT /B 1 The database installation has failed on phase "Create database".)
Below is the log db_install_out
DB2_create_users.cmd
Prefix: MC
**********************************************************
*** Creating users for MC_db
**********************************************************
*** Creating MC_OPER
MC_OPER already exists
Setting password for MC_OPER
Setting description for MC_OPER
MC_OPER is already member of DB2USERS
MC_OPER is already member of DB2ADMNS
*** Creating MC_ADMIN
MC_ADMIN already exists
Setting password for MC_ADMIN
Setting description for MC_ADMIN
MC_ADMIN is already member of DB2USERS
MC_ADMIN is already member of DB2ADMNS
*** Creating MC_USER
MC_USER already exists
Setting password for MC_USER
Setting description for MC_USER
MC_USER is already member of DB2USERS
*** Creating MC_RT
MC_RT already exists
Setting password for MC_RT
Setting description for MC_RT
MC_RT is already member of DB2USERS
*** Creating MC_PROV
MC_PROV already exists
Setting password for MC_PROV
Setting description for MC_PROV
MC_PROV is already member of DB2USERS
DB2_create_database.cmd
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_PREFIX=MC
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_STORAGEPATH=D:/IDMDB2
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_TEMPORARYTABLESPACE=USERTEMP
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>set MC_OPERPWD=ddi6pD2325
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo.
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo **********************************************************
**********************************************************
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo *** DB2 registry settings
*** DB2 registry settings
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo **********************************************************
**********************************************************
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>db2 disconnect all
'db2' is not recognized as an internal or external command,
operable program or batch file.
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>if 9009 GEQ 4 goto ERROR
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>echo DB2_create_database.cmd script has failed.
DB2_create_database.cmd script has failed.
C:\Program Files\sapinst_instdir\IDM80\SYSTEM\CENTRAL\STD\DatabaseSchema\DB2>EXIT /B 1
The database installation has failed on phase "Create database". For more information, please check the installation logs.
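
The log excerpt in the comment above contains an echoed `set ...PWD=` line with a password in clear text and a command that cmd.exe could not find. The following Python sketch is an added example, not part of the original post, the comment or SWPM: it masks such values before an installer log is shared and lists the failed checks. The sample log, its password and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the db_install_out excerpt above; the
# password value is made up for this example.
SAMPLE_LOG = r"""C:\inst\DB2>set MC_PREFIX=MC
C:\inst\DB2>set MC_OPERPWD=Constructed-Pw-123
C:\inst\DB2>db2 disconnect all
'db2' is not recognized as an internal or external command,
operable program or batch file.
C:\inst\DB2>if 9009 GEQ 4 goto ERROR
C:\inst\DB2>EXIT /B 1
"""

# Echoed "set NAME=value" lines whose variable name ends in PWD or PASSWORD.
SECRET_SET = re.compile(r"(?im)^(.*>\s*set\s+)(\w*(?:PWD|PASSWORD))=([^\r\n]+)")
NOT_FOUND = re.compile(r"(?m)^'([^']+)' is not recognized as an internal or external command")
# The batch file's "if %ERRORLEVEL% GEQ n goto ERROR" is echoed with the value filled in.
ERRLEVEL = re.compile(r"(?im)>\s*if\s+(\d+)\s+GEQ\s+(\d+)\s+goto\s+ERROR")


def redact_secrets(log):
    """Return (log with password values masked, names of the masked variables)."""
    names = []

    def mask(match):
        names.append(match.group(2))
        return f"{match.group(1)}{match.group(2)}=<redacted>"

    return SECRET_SET.sub(mask, log), names


def diagnose(log):
    """Return findings for commands cmd.exe could not find and failed exit checks."""
    findings = [f"'{cmd}' not found on PATH" for cmd in NOT_FOUND.findall(log)]
    for level, threshold in ERRLEVEL.findall(log):
        if int(level) >= int(threshold):  # "if 0 GEQ 4" is a passed check, not a failure
            # cmd.exe sets ERRORLEVEL 9009 when the command itself was not found.
            hint = "command not found" if level == "9009" else "command failed"
            findings.append(f"errorlevel {level}: {hint}")
    return findings


if __name__ == "__main__":
    clean, masked = redact_secrets(SAMPLE_LOG)
    print(clean)
    print("masked variables:", masked)
    print("\n".join(diagnose(SAMPLE_LOG)))
```

Any password that has already appeared in a shared log should be treated as exposed and changed, since masking only helps for copies made afterwards.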