ingo.dressler

    4 Posts

    With IBM Tivoli Identity Manager (ITIM) companies can manage their users and accounts centrally accross all their heterogeneous IT environment including SAP ressources. ITIM can do user provisioning to SAP systems, connected via SAP CUA or standalone or a combination of both.

    For SAP user management, SAP provides tools in the form of transactions like "SU01" for user master record creation and maintenance. For large and complex environments, especially when spanned in different business units, managing users and following company policies is difficult because each SAP instance has its own user repository (which again is necessary to gain access to a specific SAP system). To avoid duplicated effort, users can either be managed centrally or get synchronized across all instances. To achieve this on SAP only, SAP customers can use the SAP module Central User Administration (CUA).

    Some SAP CUA characteristics

       
    • available with SAP R/3 release 4.6
      •  
    • should be a separate SAP instance for the sole purpose of user administration for all other R/3 instances
      •  
    • uses a standard SAP R/3 transaction-based user interface
      •  
    • suffered initially from stability issues in its first releases, but SAP has improved its quality and it is now a more robust utility (so you can confidently use the latest version)
      •  
    • requires that a person have the same user ID on all managed instances (in some cases company policy prohibits the use of the same user ID across all instances)

    Before implementing CUA the customer needs to decide

        
    • whether or not to enable local user management at the instance level. Once the decision has been made to grant local administration privileges to a certain field, it cannot be managed centrally, and vice versa.
      •   
    • if SAP HR should be used to drive user administration based on HR roles. Using CUA and HR for position-based user administration can lead to system conflicts and unpredictable system behaviour when installing and using CUA.

    However, creation of a flexible environment, in which users of several instances are managed centrally and local administrators still have full control over their instances for certain user management tasks, cannot be solved with CUA.

    With ITIM one can manage such an combined environment, having CUA in place for some SAP systems and managing local SAP systems that can't be connected via CUA.

     

    image

     

     

    Pros and Conns of having CUA in an ITIM environment

    Implementing CUA in an environment with ITIM has some advantages:

        
    • it reduces the number of ITIM Adapters (without CUA an adapter is required for every SAP instance)
      •   
    • it performs central SAP role management (like creating roles; ITIM just uses existing roles) 

    Reasons for not having CUA for certain SAP systems in an ITIM environment might include:

        
    • requirements for different user IDs on specific SAP instance,
      •   
    • local user administration required on certain SAP instances,
      •   
    • when the target system is running SAP HR and entries are to be managed as infotype 105,
      •   
    • being flexible, for future changes.

    With ITIM, one has the flexibility of deciding whether to have CUA in place or not.

     

    ITIM vs Transaction SU01

    The decision to use ITIM vs SAP transaction SU01 for user management (in an SAP only environment!) comes down to 2 behaviours:

     

    1. Conn for ITIM, Pro for SAP Transaction SU01

    The ITIM Adapter for SAP R/3 currently does not support all possible SAP user account attributes. But it supports the majority, and has attempted to cater for all critical attributes. The attributes that are not supported, are usually not important, none are mandatory, and they are only available in SAP transaction SU01 via sub-forms under transaction SU01.

     

    2. Pro for ITIM, conn for SAP Transaction SU01

    Using ITIM allows password synchronization, whereas SAP transaction SU01 doesn't. The only password that transaction SU01 will distribute in a CUA environment is the initial password. What this means is that after every password change, the user must change their password on the first log-on after the change. If the password is changed via ITIM, this password reset functionality is disabled.

    In a SAP CUA environment, when a password change is made by the administrator using transaction SU01, it is distributed to the logical systems assigned to that user account. In fact the SAP password change dialog lets you select which logical systems you want the password distributed to. The password that is distributed is what SAP terms the "initial password". SAP forces the user to change the password again on the first log-on to an assigned logical system, after the distributed password change.

     

    ITIM with CUA or non-CUA - a decision based on flexibility requirements

    Still, this doesn't really come into play when deciding to use SAP CUA or SAP non-CUA. The key point is that ITIM allows the customer to run whatever SAP configuration they want to. They could set up a maze of SAP CUA and non-CUA environments, and ITIM would manage all of them. ITIM would allow the same Identity/Person to use the same Log-on ID or  different Log-on IDs across all the SAP systems, and still be able to synchronize the password. The only systems ITIM would not manage directly are the SAP CUA child systems, although ITIM manages these systems indirectly via the SAP CUA master system.

    From an ITIM perspective, each ITIM entitlement (in the Provisioning Policy) matches directly to a SAP non-CUA system, or a SAP CUA Master system. Using multiple ITIM provisioning policies - each assigned to a specific ITIM Role, each with its target ITIM entitlements (SAP systems) - gives the end ITIM administrator a lot of power and flexibility to control account assignment for any SAP environment. For example, assigning a single ITIM Role to an ITIM Identity/Person can cause an account to be created in every SAP system in the managed SAP environment.

     

     

    More on IBM Tivoli Identity Manager can be found at

    http://www.ibm.com/software/tivoli/products/identity-mgr/

     

     

    IBM Tivoli Identity Manager (ITIM)

    IBM Tivoli Identity Manager provides a secure, automated and policy-based user management and provisioning solution. It supports central user administration and automation of user data. ITIM can integrate and automate business processes through workflow, central management, self-service interfaces and password management.

    ITIM supports more than 70 target systems and applications to integrate with its identity management functions. To connect with these systems, ITIM  typically use an XML based protocol, Directory Services Markup Language (DSML), as a communications mechanism.

    IBM Tivoli Identity Manager can also integrate mySAP applications in a corporate user administration environment. To integrate with SAP there are two adapters available: the ITIM Adapter for SAP R/3 and the ITIM Adapter for  SAP UME (e.g. used for SAP Enterprise Portal user administration).

    IBM Tivoli Identity Manager is SAP certified.

     

    ITIM Adapter for SAP R/3

    The SAP R/3 Adapter is designed to perform user management from an ITIM server to a SAP R/3 system. The adapter supports SAP Central User Administration (CUA) and non-CUA systems.

    Using traditional ITIM agent architecture, based on ADK (Agent Development Kit), the adapter is deployed as a service on Windows systems or as a daemon on Unix systems.

    The adapter uses C implementation of SAP’s RFC API to access SAP R/3 systems. For actions where standard RFC is not available, custom RFC’s are implemented and packaged in SAP transport file format. Those transport files must be installed on the SAP systems as part of the installation process. The communication between the ITIM server and SAP R/3 Adapter are assured through DAML over SSL, with the x509 based client authentication.

    With SAP NetWeaver components like SAP Enterprise Portal you will find the User Management Engine (UME) that handles user registry related information. UME can be configured to store common user data to an external LDAP directory. In the past SAP delivered pre-configured XML configuration files for several directories. Since the list of directory servers shipped with EP did not get updated, it does not reflect the current state of supported and certified LDAP directory servers. This is important to know since IBM and other vendors have certified their products for use with UME and SAP Enterprise Portal.

    Also SAP have changed the behavior of some values in UME . To avoid conflicts with specific settings, especially with encryption settings, only the attribute mapping and the private section in the XML configuration file should be configured by the customer respectively by the integration consultant. So this weblog is about how to configure UME for use with Tivoli Directory Server as its external user repository.


     


    * IBM Tivoli Directory Server supported and certified by SAP *


    IBM Tivoli Directory Server (ITDS), now certified for SAP BC-LDAP-USR 6.30, provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure that is the foundation for deploying comprehensive identity management applications and advanced software architectures like Web services.    


    The IBM Tivoli Directory Server certification listed on the SAP partner directory:


    [http://www.sap.com/softwarepartnerdir/companyname/company.asp?partnerid=22700 | http://www.sap.com/softwarepartnerdir/companyname/company.asp?partnerid=22700]


     


    * IBM Tivoli Directory Server (ITDS)*


    ITDS is a powerful, security-rich and standards-compliant enterprise directory for corporate intranets and the Internet. Directory Server is built to serve as the identity data foundation for rapid development and deployment of your Web applications and security and identity management initiatives by including strong management, replication and security features.


     

    see http://www.ibm.com/software/tivoli/products/directory-server/


     


    * General Overview about the SAP Basic Component LDAP interface BC-LDAP-USR 6.30 (UME 4.0) *


    SAP UME LDAP specification for BC-LDAP-USR 6.30 describes the general UME LDAP capabilities and requirements like stated below.


    Consistent user management requires the integration of the numerous data repositories scattered through the enterprise. SAP User Management Engine (UME) enables you to leverage your existing system infrastructure by accessing user-related data on an existing corporate directory, a database, or an SAP system.


    With UME you can connect to an LDAP directory server using an LDAP persistence adapter. You can even read data from and write data to multiple different physical LDAP directory servers, or different branches of the same LDAP directory server.


    Entries in an LDAP directory server are organized in a tree-like structure called the Directory Information Tree (DIT). UME supports certain methods of arranging users and groups in a DIT in the LDAP directory server, which are:



      • Groups as tree (deep hierarchy)




      • Flat hierarchy




    You can configure secure connections using the Secure Sockets Layer (SSL) protocol between UME and an LDAP directory server. When SSL is used, the data transferred between the two parties (client and server) is encrypted.


    UME also supports data partitioning. This means that you can use different data sources for different user sets or attribute sets. You can partition data in two ways:




      2.  

    User-based data partitioning: Different sets of users are written to different data sources. For example, in a collaboration scenario, where both users internal to your company and users from other companies work together in the same application, the external users need a user account as well. In this case you can configure the persistence manager to store company internal users in the corporate directory, whereas external users are stored in a separate directory.




     

    Attribute-based data partitioning: Different sets of attributes are written to different data sources. For example, global user attributes, such as telephone number, email address, and so on, are written to a corporate directory while SAP-specific data is written to a database.




    To guarantee interoperability with the SAP software, the external directory product has to be certified for the BC-LDAP-USR 6.30 interface.


     


    How to set up the UME configuration XML (general description of the XML configuration file sections)


    In a customer installation, the first step is to identify the scenario that is to be used (e.g. read-only or not) and to extract a default configuration XML for this scenario from the customer’s UME installation.


    This default XML contains basic settings for the UME as well as parameters that are specific to the LDAP directory that is used. The certified vendor provides a list of the directory-specific values of these latter parameters that have to be adapted in the configuration XML. The customer enters these values in the XML.


    As for the basic settings of the UME, they are independent of the LDAP directory and out of the scope of this description.


     


    XML Configuration Structure




    General Structure




     


     

    Root level
       
           
             
             
             
         







    We only consider the section within the <dataSource> tags that correspond to the LDAP directory.


     

    The only parts of this section that have to be adapted for the specific LDAP directory are <attributeMapping> and <privateSection>. In the section <responsibleFor>, no changes have to be made for the directory, but it provides information needed for configuring the <attributeMapping> section.


     


    ResponsibleFor Section


    This section describes which UME data objects (principal types) will be stored in the LDAP directory. Furthermore it gives the UME attributes of these data objects that will be stored there.


     

    This section will not have to be changed for the LDAP directory, but it provides useful information for <privateSection> and the <attributeMapping> section.
       
             
             
             
                 
            This section has the same structure as the <responsibleFor> section. However, it might contain attributes that were not in the <responsibleFor> section and there is an additional tag + +within the <attribute> tags. The value for the name has to be taken from the list provided by the vendor. If there is no physical attribute for a UME attribute (e.g. because it is not in the section), the value “null” should be used.


     


     

    Example:
               
                         
               

    <physicalAttribute name="null"/>  
                 
                         
                         
                         
                         
               

    <physicalAttribute name="null"/>          
                         
                         
                         
                         
                         
                         
                         
                <physicalAttribute name="null"/>  
                 
                         
                     
                     
               

    <physicalAttribute name="null"/>      
      <physicalAttribute name="null"/>



















     


    List of possible attributes for the different object types:


    *  *


    * User account: * 






















    * Attribute *



    * Remark *


    j_user

    If the same object class is used for user accounts and users, the physical attribute for this should coincide with the one for uniquename .

    j_password

    Password of the user account.

    userid

    Corresponding user id if different object classes are used for users and user accounts

    certificatehash

     

    This attribute has to be mapped to null, as directory servers cannot handle hashed certificates. This prevents the hash value from being stored.
      null





    certificatehash

     

    null











    javax.servlet.request.X509Certificate

    usercertificate

    certificate

    usercertificate


      


    * User: *





























    * Attribute *

    * Value *

    firstname

    givenname

    displayname

    displayname

    lastname

    sn

    fax

    facsimiletelephonenumber

    uniquename

    uid

    loginid

     

    null





































    email

    mail

    mobile

    mobile

    telephone

    telephonenumber

    department

    ou

    description

    description

    streetaddress

    postaladdress

    pobox

    postofficebox

    preferredlanguage

    preferredlanguage

    PRINCIPAL_RELATION_PARENT_ATTRIBUTE

     

    null




      


    * Group: * 

























    * Attribute *

    * Value *

    displayName

    displayName

    description

    description

    uniquename

    uniquename

    PRINCIPAL_RELATION_MEMBER_ATTRIBUTE

    member

    PRINCIPAL_RELATION_PARENT_ATTRIBUTE

     

    null





    dn

     

    null




     


    Private section







































































    * Attribute *

    * Value *

    ume.ldap.access.server_type

    IBM-Tivoli

    ume.ldap.access.user_as_account

    true

    ume.ldap.access.objectclass.user

    inetOrgPerson

    ume.ldap.access.objectclass.uacc

    inetOrgPerson

    ume.ldap.access.objectclass.grup

    groupofnames

    ume.ldap.access.auxiliary_objectclass.user

     

    ume.ldap.access.auxiliary_objectclass.uacc

     

    ume.ldap.access.auxiliary_objectclass.grup

     

    ume.ldap.access.naming_attribute.user

    cn

    ume.ldap.access.auxiliary_naming_attribute.user

    uid

    ume.ldap.access.naming_attribute.uacc

    cn

    ume.ldap.access.auxiliary_naming_attribute.uacc

    uid

    ume.ldap.access.naming_attribute.grup

     

    ume.ldap.access.auxiliary_naming_attribute.grup

    cn

    ume.ldap.default_group_member.enabled

    true

    ume.ldap.default_group_member

    cn=DUMMY_MEMBER_FOR_UME


     


    This configuration has been tested with IBM Tivoli Directory Server v5.2 and SAP Enterprise Portal v6.0 SP10 (UME 4.0).


     


     

     

    In recent times, I have been asked from several sides if IBM supports SAP 6.40. For those who would need an official statement about that, it now can be answered in a positive way:

    The GA release of version 4.5.9 of the ITIM Agent for SAP R/3 is now available (as of GA Announcement of May 31, 2005 ) and, in addition to previous releases, the ITIM Agent for SAP R/3 Release 4.5.9 now supports

    - SAP ECC5

    - SAP 6.40 CUA unicode

    - SAP 6.40 Basis

    - SAP 6.40 and 6.20 unicode and non-unicode

     

    The Agent now uses ITIM ADK4.38 (Agent Development Kit).

     

    The Agent image is available and can be obtained from IBM Support pages on www.ibm.com like all other Integration Solutions published by the IBM Tivoli Security Integration Factory.

     

    Also, some modifications made include:

    - Account Valid to date can not have year set to 9999.

    Profile has been changed to allow year values up to 2999 by default. Allowing 9999 has performance issues when loading the form. If access to the year 9999 is required, this can be achieved by a simple modification of the profile SAP account form (erSAPAccount.xml), and reconfiguring the SAP Profile on the ITIM server host. Refer to section 7.9 for detailed steps.

     

    - German translation for attribute values/descriptions.

    German translation for values and/or descriptions has been allowed for the Title attribute, and also for the Country, Language (both default and communication), Time Zone, SAP User Type, Parameters, Contractual User Type, and Special Version attributes.

    To enable this you must select German for the ITIM Service language attribute.

     

    - Company attribute supported by default.

    Support data is now available for this attribute. The core address components are visible in the display values for the Company names.

     

    - Output Device attribute support data now available.

     

    Some specific advice for configuration and handling:

    SAP 4.6C allows 10 characters for the value of the cost center attribute. SAP 6.20 and 6.40 only allow

    8 characters. Do not enter more than 8 characters for a SAP 6.20 or SAP 6.40 account because the SAP system will truncate the value by default. If you do not have SAP 4.6C you may lower the maximum length of this attribute back to 8 using the ITIM Server Console Account form Customization functionality.

     

    For your information, here are some facts about the ITIM product:

     

    IBM Tivoli Identity Manager (ITIM)

    ITIM provides a secure, automated and policy- based user management and provisioning solution. It supports central user administration (CUA) and automation of user data. ITIM can integrate and automate business processes through workflow, central management , self-service interfaces and password management.

    ITIM supports more than 70 target systems and applications to integrate with its identity management functions. To connect with these systems ITIM supports both the “agent approach” as well as the “agentless approach”.

    The agent approach typically uses an XML-based protocol, Directory Services Markup Language (DSML), as a communications mechanism. Also there is IBM Tivoli Directory Integrator (ITDI) solution that can be used as the data bus that transports information and data to/from the services.

    IBM Tivoli Identity Manager can also integrate mySAP applications in a corporate user administration environment. In order to integrate with SAP, there are two agents available: the ITIM Agent for SAP R/3 and the ITIM Agent for SAP Enterprise Portal.

    IBM Tivoli Identity Manager is SAP-certified.

     

    ITIM Agent for SAP R/3

    The SAP R/3 Agent is designed to perform user management from an ITIM server to a SAP R/3 system. The Agent supports SAP Central User Administration (CUA) and non-CUA systems.

    Using traditional ITIM agent architecture, based on ADK (Agent Development Kit), the Agent is deployed as a service on Windows systems or as a daemon on Unix systems.

    The Agent uses the C implementation of SAP's RFC API to access SAP R/3 systems. For actions where standard RFC is not available custom RFC are implemented and packaged up in an SAP transport file format. Those transport files must be installed on the SAP system as part of installation process. The communication between the ITIM server and SAP R/3 Agent are DAML over SSL, with the x509-based client authentication.

     

    More on IBM Tivoli Identity Manager can be found at

    http://www.ibm.com/software/tivoli/products/identity-mgr/

    Tivoli Security Management for SAP solutions can be categorized in Identity Management (User Management), Access Management (Single Sign On) and Privacy management. These disciplines mostly rely on a directory server infrastructure, which can be IBM Tivoli Directory Server (ITDS). Tivoli Directory Integrator completes this environment, where multiple data repositories can be integrated and synchronised. Tivoli Identity Manager and Tivoli Access Manager are SAP certified. ITDS Certification will be finalized soon.

    Most of the security scenarios used in enterprises can be integrated with standard out-of-the-box Tivoli functionality. For user management there are more than 70 connectors and adapters with Tivoli Identity Manager and Tivoli Directory Integrator to integrate 3rd party components to manage users and roles with a central instance. To connect applications for use with authentication and single sign-on capabilities this can be done using the WebSeal or WebPIug-in components of Tivoli Access Manager.

    This week we will focus on Identity Management using IBM Tivoli Identity Manager (ITIM) 4.5 Agent for SAP R/3

    The ITIM Agent for SAP R/3 uses the RFC SDK to connect to SAP as an RFC client. The agent maps and responds to ITIM server requests for the purpose of managing users in SAP R/3.

    This functionality works in both cases: CUA and non-CUA. The only difference is that a flag must been set to tell the agent the presence of CUA or not .

    The agent management functions include user creation, deletion, modification, and listing. In support of this, the agent is able to read and assign users to SAP authorization roles, profiles, and groups.

    The IBM Tivoli Identity Manager is certified for SAP NetWeaver, on the component BC-SEC-USR. The following certified functions could be leveraged with SAP R/3 Enerprise 4.7 either using Central User Administration (CUA) or not, based on SAP Web Application Server 6.20.

    * Reconcile users and/or support data

    * Create, change and delete users

    * Lock and unlock users

    * Activity group assignment for CUA and non-CUA

    * Profile assignment for CUA and non-CUA

    * CUA subsystem assignment

    More information at http://www50.sap.com/global/scripts/softwarepartnerdir/companyname/company.asp?partnerid=22495

    More on ITIM at http://www.ibm.com/software/tivoli/products/identity-mgr/