Identity Management 7.2
Document Version 7.2 Rev 17 - July 2014

© 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc. INTERMEC is a registered trademark of Intermec Technologies Corporation. Wi-Fi is a registered trademark of Wi-Fi Alliance. Bluetooth is a registered trademark of Bluetooth SIG Inc. Motorola is a registered trademark of Motorola Trademark Holdings LLC. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. 
Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/instguides

Typographic Conventions

Type Style        Represents
Example Text      Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text      Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT      Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text      Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT      Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Icons

The following icons are used in this guide: Caution, Example, Note, Recommendation, Syntax.

Solution Operation Guide for SAP NetWeaver Identity Management, 2014-07

Contents

1 Getting Started  9
1.1 Global Definitions  9
1.2 Important SAP Notes  10
1.3 History of Changes  10
2 Technical System Landscape  11
2.1 Scenario/Component Matrix  11
2.2 URLs to the Identity Management User Interface  12
2.3 Related Documentation  12
3 Defining the System Landscape Directory information (optional)  13
3.1 Identity Center  13
3.1.1 SAP NetWeaver AS Java as of Release 7.0  13
3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition Environment 7.2/SAP NetWeaver 7.3  16
3.2 Virtual Directory Server  24
3.2.1 Deployed Configuration  24
3.2.2 Standalone mode  24
4 Monitoring of Identity Management  25
4.1 Monitoring the Identity Center  25
4.1.1 Viewing the dispatcher status  26
4.1.2 Viewing the job status  26
4.1.3 Viewing the system log  26
4.1.4 Viewing the job log  27
4.1.5 Viewing the provisioning queue  27
4.1.6 Viewing the provisioning audit  27
4.1.7 Viewing the approval queue  28
4.1.8 Setting up a SAP JCo-Trace  28
4.1.9 Viewing the logs from the Identity Management User Interface  28
4.1.10 Viewing the traces from the Identity Management User Interface  28
4.1.11 Using the System diagnostics report for problem analysis  29
4.1.12 Providing access to the configuration for problem analysis  29
4.2 Monitoring of the Virtual Directory Server  29
4.2.1 Viewing the logs on SAP NetWeaver AS Java  29
4.2.2 Viewing the traces on SAP NetWeaver AS Java  29
4.2.3 Viewing the logs when running in standalone mode  30
4.2.4 Verifying that the server is available  30
4.3 Monitoring of Identity Management Identity Federation  30
4.4 Monitoring Performance with Wily Introscope  30
4.4.1 Monitoring SAP NetWeaver AS Java  31
4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory Server (Standalone mode)  32
4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4)  32
4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6)  32
4.4.3 Troubleshooting  32
4.5 Configuring and Viewing the Entry Trace  33
4.5.1 Configuring the Entry Trace  33
4.5.2 Viewing the Trace Log  34
4.5.3 Reading the Trace Log  34
4.6 Analyzing Statement Execution  35
4.6.1 Enabling the Statement Execution Analysis  35
4.6.2 Viewing the Log  36
4.6.3 Reading the Log  36
5 Management of SAP NetWeaver Identity Management  37
5.1 Starting and Stopping  37
5.1.1 Starting and stopping the Identity Center  37
5.1.2 Starting and stopping the Virtual Directory Server  37
5.2 Software Configuration  37
5.2.1 Software Configuration - Identity Center  37
5.2.2 Software Configuration - Virtual Directory Server  37
5.3 Administration Tools  38
5.4 Backup and Restore  38
5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server)  38
5.4.1.1 Backing up a database  38
5.4.1.2 Restoring a database  38
5.4.2 Backing up and restoring an Identity Center database (Oracle)  40
5.4.2.1 Backing up a database  40
5.4.2.2 Restoring a database  40
5.4.3 Backing up and restoring an Identity Center database (IBM DB2)  41
5.4.4 Backing up and restoring a Virtual Directory Server configuration  41
5.5 Application Copy  41
5.6 Periodic Tasks  41
5.6.1 Manual tasks for the Identity Center  41
5.6.2 Manual tasks for Transport/Configuration Management  42
5.6.3 Cleaning up the audit information  42
5.6.4 Cleaning up the table job_execution  43
5.6.5 Clean up the table AuditTrail  43
5.6.6 Cleaning up historic values in the identity store  43
5.6.7 Rebuilding database indexes  43
5.6.8 Viewing Changes to the Configuration  43
5.6.9 Changing Global or Repository Constants  44
5.6.9.1 Modifying Assignment Grouping Repository Constants  45
5.6.10 Adding a Repository to the Productive System  45
5.7 Load Balancing  45
5.7.1 Load Balancing - Identity Center  45
5.7.2 Load Balancing - Virtual Directory Server  45
5.8 User Management  46
5.9 Maintaining Message Templates  46
5.9.1 Initial Configuration  46
5.9.2 Listing Message Templates  46
5.9.3 Editing a Message Template  47
5.9.3.1 Available Parameters  48
5.9.4 Adding a Language Version of a Message Template  49
5.9.5 Removing a Language Version of a Message Template  49
5.9.6 Creating a Message Template  50
5.9.7 Removing a Message Template  50
5.10 Managing Approvals  51
5.10.1 Listing Pending Approvals  51
5.10.2 Finding Approvals Using Advanced Search  52
5.10.3 Declining a Pending Approval  52
5.10.4 Escalating a Pending Approval  53
5.10.5 Exporting the Pending Approvals  53
6 High Availability  53
6.1 High Availability for the Identity Center  53
6.2 High Availability for the Virtual Directory Server  53
6.2.1 High Availability for Standalone Virtual Directory Server  53
7 Software Change Management  54
7.1 Software Change Management  54
7.2 Support Packages and Patch Implementation  54
7.3 Upgrading the Identity Center  54
7.4 Upgrading the Virtual Directory Server  54
8 Troubleshooting  55
8.1 Identity Center: Dispatcher fails to start  55
8.1.1 Problem Description  55
8.1.2 Solution  55
8.2 Identity Center: Timeout issues  56
8.2.1 Problem Description  56
8.2.2 Solution  56
8.3 Identity Center: Insufficient memory  56
8.3.1 Problem Description  56
8.3.2 Solution  56
8.4 Identity Center: Codepage <number> not supported by JAVA-environment  57
8.4.1 Problem Description  57
8.4.2 Solution  57
8.5 Identity Center: Error messages from jobs accessing ABAP systems  58
8.5.1 Problem Description  58
8.5.2 Solution  58
8.6 Identity Management User Interface: Java runtime exception when logging in  58
8.6.1 Problem Description  58
8.6.2 Solution  58
8.7 Identity Management User Interface: Error message about missing database columns or procedures  58
8.7.1 Problem description  58
8.7.2 Solution  58
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"  59
8.8.1 Problem Description  59
8.8.2 Solution  59
8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database"  59
8.9.1 Problem Description  59
8.9.2 Solution  59
8.10 Virtual Directory Server: Server doesn't start  59
8.10.1 Problem Description  59
8.10.2 Solution  59
8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails  60
8.11.1 Problem Description  60
8.11.2 Solution  60
9 Support Desk Management  60
9.1 Remote Support Setup  60
9.1.1 Defining a support user  61
9.2 Problem Message Handover  61

1 Getting Started

This guide does not replace the daily operations handbook that we recommend customers create for their specific production operations.

About this Guide

Designing, implementing, and running your SAP applications at peak performance 24 hours a day has never been more vital for your business success than now. This guide provides a starting point for managing your SAP applications and maintaining and running them optimally. It contains specific information for various tasks and lists the tools that you can use to implement them.
This guide also provides references to the documentation required for these tasks, so you will sometimes also need other guides such as the Master Guide, Technical Infrastructure Guide, and SAP Library.

Target Groups

- Technical Consultants
- System Administrators
- Solution Consultants
- Business Process Owner
- Support Specialist

1.1 Global Definitions

SAP Application: An SAP application is an SAP software solution that serves a specific business area like ERP, CRM, PLM, SRM, SCM.

Business Scenario: From a microeconomic perspective, a business scenario is a cycle which consists of several different interconnected logical processes in time. Typically, a business scenario includes several company departments and involves other business partners. From a technical point of view, a business scenario needs at least one SAP application (SAP ERP, SAP SCM, or others) for each cycle and possibly other third-party systems. A business scenario is a unit which can be implemented separately and reflects the customer's prospective course of business.

Component: A component is the smallest individual unit considered within the Solution Development Lifecycle; components are separately produced, delivered, installed and maintained.

1.2 Important SAP Notes

Check regularly for updates available for the Application Operations Guide.

Important SAP Notes

SAP Note Number  Title                                                   Comment
1498369          Central note for SAP NetWeaver Identity Management 7.2  This is the central entry point for all SAP Notes related to Identity Management 7.2.

1.3 History of Changes

Make sure you use the current version of the Application Operations Guide. The current version of the Application Operations Guide is at service.sap.com/instguides on SAP Service Marketplace.

The following table provides an overview of the most important changes in prior versions.
Version                  Important Changes
Version 7.2 Revision 1   Initial version for 7.2, including links to the Identity Management User Interface
Version 7.2 Revision 7   Included Trace information
Version 7.2 Revision 15  Added section 5.6.9.1 describing repository constants for privilege grouping
Version 7.2 Revision 16  Minor change in section 4.1.5 Viewing the Provisioning Queue
Version 7.2 Revision 17  Change in section 4.1.11 Using the System diagnostics report for problem analysis

2 Technical System Landscape

2.1 Scenario/Component Matrix

The following diagram shows the architecture of the SAP NetWeaver Identity Management:

The Identity Center database is the core of the Identity Center. This is a single database holding two different types of information:

- One type is the configuration information for all items that are defined in the Identity Center, including the job configurations, the job status information (that is, what is being executed at this very moment), the log information (that is, the status of what has been done previously), as well as scheduling information (when the jobs are to be run next).
- The other type of information is the actual data being processed, including the Identity store that contains the entries processed by the jobs in the Identity Center, as well as the log and audit information.

The Administrator manages the Identity Center configuration through the Management Console.

The Identity Management User Interface is used for all end-user registration/self service, password resets and approval of tasks. It also contains monitoring information for administrators of the Identity Center.

The Runtime Components (dispatchers, runtime engines and event agents) are responsible for processing both provisioning and synchronization tasks.
They are also responsible for performing reconciliation and bootstrapping. The Dispatcher(s) are connected to the Identity Center database and check for jobs that are ready to be run. A dispatcher is running on each computer where a Runtime engine is installed. The dispatcher starts the Runtime engine that executes the job.

Event agents can be configured to take action based on changes in different types of repositories such as directory servers, message queues or others. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.

The Virtual Directory Server can be deployed as a web service on SAP NetWeaver AS Java to provide web service access to the identity data. When the Virtual Directory Server is deployed as an LDAP server it serves as an interface to third-party applications for the Identity Center.

2.2 URLs to the Identity Management User Interface

The following URLs are used to access the Identity Management User Interface:

- http://<host>:<port>/idm to access the main Identity Management User Interface.
- http://<host>:<port>/idm/pwdreset to run the password reset task. (See the document SAP NetWeaver Identity Management Identity Center Implementation Guide: Self-service password reset for details.)
- http://<host>:<port>/idm/admin to access the Identity Management Administration User Interface.

For more information about Monitoring, see page 25. For more information about transport, see SAP NetWeaver Identity Management Identity Center Implementation Guide: Transport. For information about configuration, see page 37.
2.3 Related Documentati on Links to the documentation for SAP NetWeaver Identity Management can be found in the help portal: http://help.sap.com/nwidm72 Topic Guide/Tool Installation information Identity Management Master Guide Identity Center Installation Overview Virtual Directory Server Installation and Initial Configuration Security Identity Management Security Guide 3 Defi ning the System Landscape Directory informati on (optional ) 3.1 Identity Center 2014-07 13 3 Defini ng the System Landscape Directory information (optional) This section describes how to maintain the HTTP destination for the System Landscape Directory (SLD) Data Supplier and the configuration is optional, i.e. it is of relevance only when actually using the SLD. For more information about SLD, see http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/b683dd96655295e10000000a42189b/fram eset.htm. 3.1 Identity Center The procedure is different, depending on your version of SAP NetWeaver: SAP NetWeaver AS J ava as of Release 7.0 Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1/SAP NetWeaver Composition Environment 7.2 There are separate sections for each SAP NetWeaver version. 3.1.1 SAP NetWeaver AS Java as of Release 7.0 To configure the SLD Data Supplier for SAP NetWeaver AS J ava 7.0 use Visual Administrator. 1. Start and login to the Visual Administrator. 2. Select Server\Services\Destinations in the "Cluster" tab. Defi ning the System Landscape Directory information (optional) Identity Center 14 2014-07 3. Select "HTTP" in the "Runtime" tab and choose "New" to create new HTTP destination. Enter "SLD_DataSupplier" as the name for the destination. 4. Choose "OK". This will open a pane where the destination can be defined further: Enter the following information: URL In the "Connection Settings" section, at least an URL needs to be defined. 
The URL is http://<host>:<port>, where <host>is the name of the host where the SLD bridge runs and <port>is the AS J ava HTTP standard access port of the SLD. Authentication In "Logon Data" section, select "BASIC" as the authentication method. Username Specify a J ava user that already exists on the host where the SLD bridge runs. Specified J ava user must have the role SAP_SLD_DATA_SUPPLIER. Password Enter the user's password. 3 Defi ning the System Landscape Directory informati on (optional ) 3.1 Identity Center 2014-07 15 If it is desirable to use HTTPS for the connection from the SLD, select "X509 Client Certificate" as the authentication method. The "Keystore view" field (with the "Certificate" field) is then ready for input. A key storage view contains the root certificates of the trusted roots, and checks the authentication of a received server certificate. Make sure to select "service_ssl" in the "Keystore view" field (see figure below). 5. Choose "Save and Test" to save the entries and to test the connection to the destination. To save the entries only, choose "Save". It will update the SLD when the application (tcidmjmxapp) is started and with regular intervals. Defi ning the System Landscape Directory information (optional) Identity Center 16 2014-07 3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition Environment 7.2/SAP NetWeaver 7.3 To configure the SLD Data Supplier for Enhancement package 1 for SAP NetWeaver Composition Environment 7.1, SAP NetWeaver Composition Environment 7.2 or SAP NetWeaver 7.3, do the following: There may be minor differences between the versions. 1. Start and login to the SAP NetWeaver Administrator. 2. Select the "Configuration Management" tab and then the "Security" sub-tab. 3 Defi ning the System Landscape Directory informati on (optional ) 3.1 Identity Center 2014-07 17 3. Select "Destinations". Defi ning the System Landscape Directory information (optional) Identity Center 18 2014-07 4. 
Choose "Create" and create a destination called SLD_DataSupplier of type HTTP. If such a destination already exists, check if its values suit you and use it. In "General Data" section define the following: Desti nation Name Add the name "SLD_DataSupplier". Destination Type Select type "HTTP". 3 Defi ning the System Landscape Directory informati on (optional ) 3.1 Identity Center 2014-07 19 5. Choose "Next". In "Connection and Transport" section, specify at least the URL (http://<host>:<port>), where <host>is the name of the host where the SLD bridge runs and <port>is the AS J ava HTTP standard access port of the SLD. Defi ning the System Landscape Directory information (optional) Identity Center 20 2014-07 6. Choose "Next". In "Logon Data" section, define the following data: Authentication Select "Basic (User ID and Password)". User Name Specify a J ava user that already exists on the host where the SLD bridge runs. Specified J ava user must have the role SAP_SLD_DATA_SUPPLIER. 3 Defi ning the System Landscape Directory informati on (optional ) 3.1 Identity Center 2014-07 21 Password Enter the user's password. If it is desirable to use HTTPS for the connection from the SLD, select "X509 Client Certificate with SSL" as the authentication method. The "Keystore View" field is then ready for input. A key storage view contains the root certificates of the trusted roots, and checks the authentication of a received server certificate. Select "service_ssl" in the "Keystore View" field and "ssl-credentials" in the "Certificate" field (see the figure below): You find a list of the available key storage views at Configuration Management Security Management Key Storage. 7. Choose "Finish" to finish and save the entries. Defi ning the System Landscape Directory information (optional) Identity Center 22 2014-07 If an error occurs, an error message is displayed. 
If the entries are saved successfully, the connection data is saved in encrypted form in the secure store in the database.

8. To test the settings by sending the test data to the SLD, select the "Infrastructure" sub-tab from the "Configuration Management" tab (in the SAP NetWeaver Administrator), and then "SLD Data Supplier Configuration".

9. Choose "Collect and Send Data" and wait for the response.

The SLD is updated when the application (tcidmjmxapp) is started, and at regular intervals thereafter.

3.2 Virtual Directory Server

The process differs depending on whether the configuration is deployed on SAP NetWeaver or you are running in standalone mode.

3.2.1 Deployed Configuration

The process is the same as the process described for the Identity Center. Make sure to specify the correct URL and connection parameters to the server.

3.2.2 Standalone mode

When running in standalone mode, you configure the SLD Data Supplier as part of the server properties:

1. View the properties of the server and select the "SLD registration" tab. Select "Enable SLD Registration" and fill in "SLD URL", "SLD Username" and "SLD Password" as described on page 14. Make sure not to include /sld in the URL.

2. Choose "OK".

When you start the server, it updates the SLD when the configuration is loaded or reloaded, and at regular intervals thereafter.

4 Monitoring of Identity Management

Within the management of SAP technology, monitoring is an essential task. A section has therefore been devoted solely to this subject.

4.1 Monitoring the Identity Center

Monitoring of the Identity Center is done using the "Monitoring" tab of the Identity Management Administration User Interface.
How you configure access to the "Monitoring" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The following information is available from the Monitoring tab:

- Approval queue
- Dispatcher status
- Job log
- Job status
- Provisioning audit
- System log

The dispatcher status, job log, job status and system log are also available from the Management Console.

The URL for accessing the "Monitoring" tab is http://<host>:<port>/idm/admin. This URL can be used, for instance, from Solution Manager.

4.1.1 Viewing the dispatcher status

On each server with the Runtime Components, there is a dispatcher running. The dispatcher is responsible for starting the runtime engine when a job is ready for execution, as well as for performing some basic provisioning logic. It is essential that the dispatchers are running: if a dispatcher stops, it can no longer perform any logic or start any jobs on that server.

To view the dispatcher status, select "Dispatcher Status" from the "Show" list on the Monitoring tab. The columns show information about each dispatcher that is configured in the system. The possible states for a dispatcher are:

- Running
- Not running

4.1.2 Viewing the job status

At any given time, a job is executed by only one runtime engine, i.e. a job is single-threaded. When a runtime engine starts, it requests the first job (i.e. the job with the oldest scheduled time) that is available for execution (i.e. has state Idle). The runtime engine does the following when executing a job:

- Requests the next available job. The job state is updated to Running.
- Periodically, while the job is executing, updates the timestamp on the job to signal that the runtime engine is alive, and updates the number of processed entries.
- Releases the job and reschedules it.
  The job state is set to Idle.

Whenever a job is requested, the jobs are checked for timeouts. If a timeout is detected, the job state is set to Idle and the job is rescheduled. If this happens more than a specified number of times, the job state is set to Error and the job no longer executes.

Select "Job Status" from the "Show" list on the Monitoring tab to display the information. Possible states are:

 0: Disabled. The job will not run.
 1: Idle. The job is waiting to be executed at the time indicated in the "Scheduled" column.
 2: Running. The job is currently executing.
 3: Stopping. The job has been ordered to stop.
-1: Error. A fatal error has occurred, and the job will no longer execute.
-2: Timeout. The defined timeout has been reached. This means that no runtime engine has requested this job for the specified amount of time. When a runtime engine requests the job, it is treated as Idle.

4.1.3 Viewing the system log

The system log contains information from the system and from the jobs and dispatchers connecting to it. You can filter the log by error level and/or by date interval. You can also search for log entries containing specific text. Which information is included in the system log is specified in the Management Console. For information about how to configure the system log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.

4.1.4 Viewing the job log

The job log displays information about the execution of all jobs in the Identity Center. Each line in the log shows information about one execution of a job. You can filter the log by error level and/or by date interval. You can view an XML or HTML version of the job log from the "Details" view.
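As an added example that is not part of the SAP guide, the following Python models the job request, heartbeat and timeout handling described in section 4.1.2 together with the state codes listed there, and the daily "check for failed jobs" task from section 5.6.1. The timeout length, retry limit and job names are constructed values; the real runtime engine and dispatcher keep this state in the Identity Center database.

```python
"""Model of the Identity Center job state handling (added example, not product code).

State codes are the ones listed under "Viewing the job status". The timeout
length and the number of tolerated timeouts are assumed parameters; the
product reads them from its own configuration.
"""
from dataclasses import dataclass, field

DISABLED, IDLE, RUNNING, STOPPING, ERROR, TIMEOUT = 0, 1, 2, 3, -1, -2
STATE_NAMES = {0: "Disabled", 1: "Idle", 2: "Running", 3: "Stopping",
               -1: "Error", -2: "Timeout"}


@dataclass
class Job:
    name: str
    state: int = IDLE
    scheduled: int = 0     # time (seconds) at which the job may run next
    heartbeat: int = 0     # last timestamp written by the executing runtime engine
    timeouts: int = 0      # how often a timeout has been detected for this job
    processed: int = 0     # number of processed entries reported by the engine


@dataclass
class Scheduler:
    timeout: int           # assumed: seconds without heartbeat before a timeout
    max_timeouts: int      # assumed: timeouts tolerated before the job goes to Error
    jobs: list = field(default_factory=list)

    def check_timeouts(self, now: int) -> None:
        """Run whenever a job is requested (section 4.1.2)."""
        for job in self.jobs:
            if job.state == RUNNING and now - job.heartbeat > self.timeout:
                # The engine stopped sending heartbeats: reset to Idle and
                # reschedule, or give up after more than max_timeouts resets.
                job.timeouts += 1
                if job.timeouts > self.max_timeouts:
                    job.state = ERROR
                else:
                    job.state = IDLE
                    job.scheduled = now
            elif job.state == IDLE and now - job.scheduled > self.timeout:
                # State -2: no runtime engine requested the job for a whole
                # timeout period (simplified: detected on the next request).
                job.state = TIMEOUT

    def request_job(self, now: int):
        """A runtime engine asks for the available job with the oldest schedule time."""
        self.check_timeouts(now)
        # A job in Timeout state is treated as Idle once an engine requests work.
        candidates = [j for j in self.jobs
                      if j.state in (IDLE, TIMEOUT) and j.scheduled <= now]
        if not candidates:
            return None
        job = min(candidates, key=lambda j: j.scheduled)
        job.state = RUNNING
        job.heartbeat = now
        return job

    @staticmethod
    def heartbeat(job: Job, now: int, processed: int) -> None:
        """Periodic update by the engine: proves it is alive, reports progress."""
        job.heartbeat = now
        job.processed = processed

    @staticmethod
    def release(job: Job, now: int, next_run: int) -> None:
        """The engine finished the job: back to Idle, rescheduled for next_run."""
        job.state = IDLE
        job.scheduled = next_run
        job.heartbeat = now


def jobs_needing_attention(jobs) -> dict:
    """Daily check from section 5.6.1: jobs in Error or Timeout state."""
    return {j.name: STATE_NAMES[j.state] for j in jobs if j.state in (ERROR, TIMEOUT)}


if __name__ == "__main__":
    # Constructed scenario: engine takes job A, stops sending heartbeats, and
    # A is reset once and finally set to Error on the second stale heartbeat.
    s = Scheduler(timeout=60, max_timeouts=1,
                  jobs=[Job("A", scheduled=0), Job("B", scheduled=10)])
    a = s.request_job(0)
    Scheduler.heartbeat(a, 30, processed=100)
    b = s.request_job(100)          # A times out once, B is picked up
    Scheduler.release(b, 120, next_run=500)
    s.request_job(200)              # A runs again, still without heartbeats
    s.request_job(300)              # A exceeds max_timeouts -> Error
    print(jobs_needing_attention(s.jobs))
```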
For information about how to configure the job log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.

4.1.5 Viewing the provisioning queue

The provisioning queue shows all top-level tasks that have entries waiting to be processed. The "Queue Size" column shows how many entries are waiting for this particular task. You can also see the last time the task was executed and, if this is an action task, the state of the job. The state column shows the following values:

 1: Temporary failure - the task is set for retry and may be delayed before it runs again
 2: Ready to run - the task is ready to run once Exectime has passed
 5: Waiting - the task is on hold. This is typical for ordered execution of tasks
11: Failed - the task has finally failed
21: Expanded OK - the task's children have been expanded OK
22: OK - the task is finally OK

4.1.6 Viewing the provisioning audit

The provisioning audit contains one entry for each audit ID that is processed. This information is updated as the task is processed in the system. There is one entry per root task that is executed. The "Provisioning Status" column shows the current status of the task:

- Task initiated OK
- Task not enabled for provisioning
- Task does not exist
- Loop detected
- Task cannot be used externally as it is private
- Entry does not exist in Identity Store
- Database error
- Task OK
- Task Failed
- OK
- Failed

The "Entry" column shows which entry was processed. The "Started by" column shows what initiated the task. This can be either an entry (person) or an event task. The "Details" view shows more information about each entry in the audit log. There are two tabs containing different audit information.

The "Detailed audit" tab

The "Detailed audit" tab shows the history of the task execution. The log is updated at certain points of the task execution, making it possible to follow the processing of a request.
It is also possible to add information to the detailed audit by using the internal function uAddAuditInfo from the executing tasks.

The "Trace" tab

For newer installations of the Identity Center, the trace is enabled by default. If you have an Identity Center that has been upgraded from a previous version, the trace must be enabled manually. This is done in the Management Console: view the properties of the Identity Center, select the "Options" tab and select "Enable trace".

The trace shows the history of the task execution and is updated after the task has completed.

4.1.7 Viewing the approval queue

The approval queue contains all requests awaiting approval.

4.1.8 Setting up a SAP JCo-Trace

For information about how to set up a SAP JCo-Trace, see the following sections in the SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide:

- Setting up an SAP Java Connector (SAP JCo) and Related Traces
- Restricting the CPIC or JRFC Trace to a Specific Pass

4.1.9 Viewing the logs from the Identity Management User Interface

The Identity Management User Interface runs on SAP NetWeaver AS Java. The logs are managed in AS Java's logging framework. The log category is identified with:

/System/Security/IDM

For information about how to set log levels and other details about log configuration, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.

4.1.10 Viewing the traces from the Identity Management User Interface

The Identity Management User Interface runs on SAP NetWeaver AS Java. The traces are managed in AS Java's logging framework. The traces are identified with:

com.sap.idm.jmx

For information about how to set log levels and other details about log configuration, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.
4.1.11 Using the System diagnostics report for problem analysis

You can get an overview of the Identity Management database by using the SAP NetWeaver Identity Management Configuration Analyzer to produce a system diagnostics report. The SAP NetWeaver Identity Management Configuration Analyzer analyzes and gathers information about an existing configuration, and detects and reports potential configuration issues, both related to the migration process and in general. For more information about how to use the Configuration Analyzer, see SAP NetWeaver Identity Management: Using the Configuration Analyzer.

4.1.12 Providing access to the configuration for problem analysis

In some cases it may be necessary or useful to provide access to the Identity Management configuration for problem analysis. This can be done by using the export feature of the Transport utility. The Identity Management Administration User Interface must be available on the system.

1. If necessary, grant access to the Export feature to the user who is going to perform the export. See the document SAP NetWeaver Identity Management Implementation Guide: Transport for details.

2. Perform an export and store the file in the file system. This file contains the Identity Center configuration. If the Virtual Directory Server configuration is part of the transport into this system, that configuration is also included in the exported file. If not, it can be included by uploading the configuration to the Identity Center database as described in the document SAP NetWeaver Identity Management Implementation Guide: Transport.

3. This file can then be imported into an empty system for inspection.

4.2 Monitoring of the Virtual Directory Server

4.2.1 Viewing the logs on SAP NetWeaver AS Java

When a configuration is deployed on SAP NetWeaver AS Java, the logs are managed in AS Java's logging framework.
The log category is identified with:

/Applications/VirtualDirectoryServer

For more information, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.

4.2.2 Viewing the traces on SAP NetWeaver AS Java

When a configuration is deployed on SAP NetWeaver AS Java, the traces are managed in AS Java's logging framework. The trace location is identified with:

com.sap.idm.vds.<LogType>

where <LogType> is one of:

  oper   Operation log
  audit  Audit log
  stat   Statistics

For more information, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.

4.2.3 Viewing the logs when running in standalone mode

The default location for the logs is <work area>\logs. The files are called operation.trc, operation.log, audit.trc and stat.trc.

You can specify different locations for the log files with the <PATH> in the standalonelog.prop file. The <PATH> is the complete path, including the file name. Make sure you use two backslashes (\\) in the path, for instance c:\\temp\\operation.trc. You can also use single forward slashes as on Unix, for instance c:/temp/operation.trc.

4.2.4 Verifying that the server is available

You can verify the availability of the server both when it is running in standalone service mode on Microsoft Windows and when it is deployed on SAP NetWeaver AS Java.

When running in standalone mode, use "Services" in the Control Panel to see the status of the service. The service is identified with the service name you specified for the configuration.

When a configuration is deployed on SAP NetWeaver AS Java, use the SAP NetWeaver Administrator to verify the availability of the deployed service. The service is identified with sap.com/vds-<application name>, where <application name> is the name you specified when deploying the configuration.
4.3 Monitoring of Identity Management Identity Federation

Identity Federation is an optional component of SAP NetWeaver Identity Management. Operational information is included in the relevant implementation guides for the two Identity Federation software units:

- SAP NetWeaver Identity Management Identity Provider Implementation Guide
- SAP NetWeaver Identity Management Security Token Service Implementation Guide

4.4 Monitoring Performance with Wily Introscope

SAP NetWeaver Identity Management is prepared to be monitored by Wily Introscope. Wily Introscope provides mechanisms to instrument Java code and analyze performance issues.

SAP NetWeaver Identity Management requires the following version of Wily Introscope: a Wily Introscope Agent version 8.2.3.5 or higher.

Use the following path to download Wily Introscope from the Service Marketplace:

Support Packages and Patches -> SAP SOLUTION MANAGER -> SAP SOLUTION MANAGER 7.0 EHP 1 -> Entry by Component -> Agents for managed systems -> Wily Introscope Agent 8

Select one of the files:

  ISAGENTSTD02_3-10007435.SAR  Patch for Introscope Java Agent 8 SP02 for SAP (Standalone Agent)
  ISAGENT02_3-10007435.SCA     Patch for Introscope Java Agent 8 SP02, deployment via SAP SolMgr

For information about Wily Introscope, see the Solution Manager documentation:

Solution Manager 7.0: http://help.sap.com/solutionmanager70
  Application Help -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily
  Direct link: http://help.sap.com/saphelp_em70/helpdata/en/3d/bdd41a171744569b0b39f141d9d2b3/frameset.htm

Solution Manager 7.1: http://help.sap.com/solutionmanager71
  Application Help -> Technical Operations -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily
  Direct link: http://help.sap.com/saphelp_sm71_sp01/helpdata/en/3d/bdd41a171744569b0b39f141d9d2b3/frameset.htm
4.4.1 Monitoring SAP NetWeaver AS Java

The following components of SAP NetWeaver Identity Management are deployed on SAP NetWeaver AS Java and can be monitored as part of the server:

- Identity Management User Interface
- Security Token Service
- Virtual Directory Server (deployed configuration)

To enable instrumentation of SAP NetWeaver AS Java, see the documentation for Wily Introscope.

For each of these components, the classes to be monitored are visible in the Wily Introscope Workstation under the following nodes:

Component: Identity Management User Interface
  Node:      SAP NW Identity Management|Identity Center
  Class(es): SAP_ITSAM_IDM_Service_Impl_Impl

Component: Security Token Service
  Node:      SAP NW Identity Management|Security Token Service
  Class(es): STS

Component: Virtual Directory Server (deployed configuration)
  Node:      SAP NW Identity Management|Virtual Directory Server
  Class(es): MVDAddOperation, MVDModifyOperation, MVDSearchOperation, MVDNodeSearchOperation

4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory Server (Standalone mode)

To be able to monitor a Virtual Directory Server configuration running in standalone mode, you have to modify the .bat/.sh file that starts the server. This .bat/.sh file is created in the configuration's work area. To modify this .bat/.sh file you need the following information:

- The location of the Wily Introscope Agent (AGENTHOME).
- For Java (1.3)/1.4: create an AutoProbe connector .jar file as described in the document Wily Introscope Version 7.2 Installation Guide for SAP.
- An agent name for the configuration (SID_INSTANCE_server0). This name is used to identify the configuration in the Wily Introscope Workstation, so make sure it is unique and meaningful. Note: the agent name has to start with a letter.

The settings for Wily Introscope are added as options to java.exe, depending on which version of Java you are using.
4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4)

Open the .bat/.sh file and add the following Java options:

-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile
-Xbootclasspath/p:<AGENTHOME>/Agent.jar;<AGENTHOME>/connectors/connector.jar
-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>

4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6)

Open the .bat/.sh file and add the following Java options:

-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile
-javaagent:<AGENTHOME>/Agent.jar
-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>

The classes to be monitored are visible in the Wily Introscope Workstation under the following node:

  Node:      SAP NW Identity Management|Virtual Directory Server
  Class(es): MVDAddOperation, MVDModifyOperation, MVDSearchOperation, MVDNodeSearchOperation

Here is a sample .bat file for Java 1.6 (the command is one line; "^" is the batch-file line continuation):

"D:\JDK6\bin\java.exe" ^
  -Dcom.wily.introscope.agentProfile=C:\usr\sap\ccms\AGENT\IntroscopeAgent.profile ^
  -javaagent:C:\usr\sap\ccms\AGENT\Agent.jar ^
  -Dcom.wily.introscope.agent.agentName=StandaloneVDS ^
  -cp "C:\usr\SAP\IdM\Virtual Directory Server\lib\mvd.jar;C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar;C:\usr\SAP\IdM\Virtual Directory Server\externals;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdstools.jar;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdsverifier.jar" ^
  "-DMX_SERVER_HOME=C:\usr\SAP\IdM\Virtual Directory Server" ^
  com.sap.idm.vds.MVDServer "C:\usr\SAP\IdM\Virtual Directory Server\configurations\test1\test1.xml"

4.4.3 Troubleshooting

If you encounter problems during the configuration of Wily Introscope, see the document Troubleshooting Guide Wily Introscope.

4.5 Configuring and Viewing the Entry Trace

You can enable tracing to help debug and troubleshoot specific situations. With tracing enabled, you can follow all operations performed on a specific entry. The trace is available on the "Trace" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:TAB_TRACE. How you configure access to the "Trace" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The following components add entries to the trace log:

Component            Information
Database procedures  Modifying attribute values
                     Executing event tasks
Dispatcher           Evaluating switch tasks
                     Evaluating conditional tasks
Runtime Engine       Executing a job on the entry
                     Messages written with uInfo, uWarning and uError

Note: The Windows Runtime Engine does not write to the trace log.

4.5.1 Configuring the Entry Trace

To configure the entry trace:

1. Open the Identity Management Administration User Interface and select the "Trace" tab.

2. If you want to include trace information from the Runtime Components, select "Enable trace from Runtime Components". Enabling trace from the Runtime Components may affect the performance of the system. There may be a delay in the logging from the Runtime Components, as logging starts with the next reload of the dispatcher and the next restart of the runtime engine.

3. Enter the MSKEY or <MSKEYVALUE> of the entry you want to trace.

4. Choose "Save".

The entry to trace is stored in the global constant MX_TRACE_ENTRY, while the global constant MX_TRACE_RT is set to TRUE if you select "Enable trace from Runtime Components".
4.5.2 Viewing the Trace Log

The "Trace log" table shows the contents of the entries in the trace log. The table contains all log entries since the log was last reset. The table contains the following columns:

Column       Description
Entry        The trace log may contain the trace for more than one entry. The "Entry" column shows the ID/name of the entry being traced.
Trace time   The time when the log entry was added.
Component    Which component/process added the log entry.
Event        Which event triggered the log entry.
Attribute    The affected attribute (if any).
Value        The new value (if any).
Change type  The type of operation: Add/Modify, Delete case sensitive, Delete case insensitive.
Message      A free text added by the component.

You can save the trace log as a CSV file by selecting "Download trace (as CSV)". The trace log is not reset automatically, so you have to choose "Clear trace" to clear the trace log.

4.5.3 Reading the Trace Log

The trace log is stored in the database table mc_trace_data and can be accessed through the view idmv_trace_data. You can create a job in the Management Console with, for instance, a To ASCII file pass that has this view as "Source" and in which you specify an SQL query that selects the entries you want to include.
4.6 Analyzing Statement Execution

A configuration of an Identity Management solution normally contains a number of SQL statements, for instance:

- as the definition of the source of a pass
- in access control on tasks
- in conditional and switch tasks
- in calls of the internal function uSelect

There are some recommendations for writing SQL queries as part of the configuration, for instance:

- use the indexed column searchvalue instead of avalue in SQL queries
- on Microsoft SQL Server, use WITH (NOLOCK) when applicable

The Configuration Analyzer does some semantic analysis of the statements, but that can only be compared to a list of known issues, and may not be complete for a given configuration.

To help analyze the performance of the queries, it is possible to log all SQL statements that take longer than a predefined time to execute. If the system starts slowing down, there will be an increasing number of log entries in the statement execution log.

Some queries that are logged may come from frameworks or stored procedures that are part of the product, and thus cannot be changed by the customer. Please report such incidents through CSS.

4.6.1 Enabling the Statement Execution Analysis

The statement execution analysis is available on the "Statement Execution" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:TAB_THRESHOLD. How you configure access to the "Statement Execution" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

To enable the statement execution analysis:

1. Open the Identity Management Administration User Interface and select the "Statement Execution" tab.

2. Select "Enable threshold" and enter the number of milliseconds to be used as the threshold. All queries taking longer than the specified value are logged.

3. Choose "Save".

The threshold value is stored in the global constant MX_LOG_EXEC_THRESHOLD.

4.6.2 Viewing the Log

The "Log" table shows all SQL queries that took longer than the specified threshold. The table contains all log entries since the log was last reset. The table contains the following columns:

Column          Description
Component       Which component/process added the log entry.
Start time      The time the query was started.
Statement       The SQL statement being executed.
Execution time  Time (in ms) to execute the statement.
Entry           The entry being processed (if relevant).
Task ID/Task    Task which was executed (if relevant).
Job ID/Job      Job which was executed (if relevant).

By default, the table is sorted descending by "Execution time", but you can sort on any column. Use the information in the log to identify statements and analyze them to see if their performance can be improved.

You can search the contents of the log by entering a search criterion and choosing "Search". This is a free text search in the columns "Component", "Statement", "Entry", "Task ID", "Task", "Job ID" and "Job".

The table shows only the first 500 log entries. To see the complete log, you can save the log as a CSV file by selecting "Download (as CSV)". The statement execution log is not reset automatically, so you have to choose "Reset log" to clear the log.

4.6.3 Reading the Log

The statement execution log can be accessed through the view idmv_exec_stat. You can create a job in the Management Console with, for instance, a To ASCII file pass that has this view as "Source" and in which you specify an SQL query that selects the entries you want to include.
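As an added example that is not part of the SAP guide, the following Python reads a statement execution log saved with "Download (as CSV)", groups the rows by statement and flags the two recommendations from section 4.6 (avalue instead of searchvalue, missing WITH (NOLOCK) on Microsoft SQL Server). The column names are taken from the table in 4.6.2, but the exact CSV layout of the export is assumed, and the log rows below are constructed sample data.

```python
"""Offline analysis of an exported statement execution log (added example).

Assumptions: the CSV has a header row with the column names from section
4.6.2 and is comma separated. The sample rows are constructed, not real data.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (layout assumed, see module docstring).
SAMPLE_CSV = """Component,Start time,Statement,Execution time,Entry,Task ID,Task,Job ID,Job
Dispatcher,2014-07-01 08:00:01,"select mcMSKEY from idmv_value_basic where AttrName='MX_FIRSTNAME' and avalue='John'",2450,,12,Eval cond,,
Runtime Engine,2014-07-01 08:00:05,"SELECT mskey FROM idmv_value_basic WITH (NOLOCK) WHERE attrname='MSKEYVALUE' AND searchvalue='JOHN'",310,,,,7,Load users
Dispatcher,2014-07-01 08:01:10,"select mcMSKEY from idmv_value_basic where AttrName='MX_FIRSTNAME' and avalue='Jane'",2600,,12,Eval cond,,
Runtime Engine,2014-07-01 08:02:00,"SELECT count(*) FROM mxi_values",1500,,,,8,Stats
"""

# (regex applied to the normalized statement, recommendation from section 4.6)
_FINDINGS = (
    (r"\bavalue\s*=", "filters on avalue; use the indexed column searchvalue instead"),
    (r"\bfrom\s+\w+\b(?!\s+with\s*\(\s*nolock\s*\))", "no WITH (NOLOCK) hint (Microsoft SQL Server)"),
)


def normalize(statement: str) -> str:
    """Lower-case, collapse whitespace and mask string literals, so the same
    query executed with different values is grouped as one statement."""
    masked = re.sub(r"'[^']*'", "'?'", statement)
    return re.sub(r"\s+", " ", masked).strip().lower()


def findings_for(statement: str) -> list:
    """Recommendations from section 4.6 that apply to this statement."""
    norm = normalize(statement)
    return [advice for pattern, advice in _FINDINGS if re.search(pattern, norm)]


def analyze(csv_text: str, threshold_ms: int = 0) -> list:
    """Group log rows by normalized statement; return groups sorted by total
    execution time (descending) with count, max time, components and findings."""
    groups = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0, "components": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        ms = int(row["Execution time"])
        if ms < threshold_ms:          # local re-filter, e.g. after raising the threshold
            continue
        g = groups[normalize(row["Statement"])]
        g["count"] += 1
        g["total_ms"] += ms
        g["max_ms"] = max(g["max_ms"], ms)
        g["components"].add(row["Component"])
    report = [{"statement": stmt, "count": g["count"], "total_ms": g["total_ms"],
               "max_ms": g["max_ms"], "components": sorted(g["components"]),
               "findings": findings_for(stmt)} for stmt, g in groups.items()]
    report.sort(key=lambda r: r["total_ms"], reverse=True)
    return report


if __name__ == "__main__":
    for r in analyze(SAMPLE_CSV):
        print(f"{r['total_ms']:>6} ms total, {r['count']}x, max {r['max_ms']} ms: {r['statement']}")
        for f in r["findings"]:
            print("    ->", f)
```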
5 Management of SAP NetWeaver Identity Management

SAP provides you with an infrastructure to help your technical support consultants and system administrators effectively manage all SAP components and complete all tasks related to technical administration and operation. You can find more information about the underlying technology in the Technical Operations Manual in the SAP Library under SAP NetWeaver.

5.1 Starting and Stopping

5.1.1 Starting and stopping the Identity Center

The Identity Management User Interface is deployed on SAP NetWeaver AS Java, and the service is controlled from there.

The processing of jobs and tasks in the Identity Center is controlled by the dispatchers and the event services. You can start and stop any or all of these services. If the Management Console is installed on the same server as the dispatcher/event service, the dispatcher can be started and stopped from the dispatcher properties.

You can start and stop a dispatcher from the command line with the following commands:

dispatcher_service_<dispatcher name> start
dispatcher_service_<dispatcher name> stop

The stop command stops the dispatcher, but any running jobs complete their processing.

5.1.2 Starting and stopping the Virtual Directory Server

A Virtual Directory Server configuration can either be deployed as a web service on SAP NetWeaver AS Java or be run locally as an LDAP server. When deployed locally, the server is started and stopped from the Virtual Directory Server user interface. When deployed on SAP NetWeaver AS Java, the service is controlled by SAP NetWeaver AS Java.

5.2 Software Configuration

5.2.1 Software Configuration Identity Center

The Identity Center configuration is managed through the Management Console.
Additionally, some configuration parameters are available through the Identity Management Administration User Interface, for instance in a production environment where the Management Console is not available. See section 5.6.9 for details.

5.2.2 Software Configuration Virtual Directory Server

You use the Virtual Directory Server user interface to create and maintain the configurations. If a configuration is uploaded to an Identity Center database for transport, its global constants are available through the Identity Management Administration User Interface, for instance in a production environment where the Virtual Directory Server user interface is not available. See section 5.6.9 for details.

5.3 Administration Tools

See Section 4 on page 54.

5.4 Backup and Restore

You need to back up your system landscape regularly to ensure that you can restore and recover it in case of failure. The backup and restore strategy for your system landscape should not only consider SAP systems, but should also be embedded in the overall business requirements and incorporate your company's entire process flow. In addition, the backup and restore strategy must cover disaster recovery processes, such as the loss of a data center through fire. It is most important in this context that you ensure that backup devices are not lost together with normal data storage (separation of storage locations).

5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server)

This section describes how to back up and restore your Identity Center database on Microsoft SQL Server. You always back up and restore a complete Identity Center database.

5.4.1.1 Backing up a database

Back up the database using the normal database procedures. See the database documentation for details.
5.4.1.2 Restoring a database

- Install the database schema for the database, as described in SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server).
- Restore the database using the Microsoft SQL Server database utility for restoring a backup. Select the overwrite option to overwrite the newly installed database. See the database documentation for details. Make sure there are no conflicts with the database prefixes, as the backup always restores a database with the same prefix as the one that was backed up.
- In most cases, the database user/login mapping will not be correct after this restore. The exception is if the restore is done to the same database installation from which the backup was taken, in which case the internal user IDs are the same as in the backup. If you are unable to connect to the database from the Management Console, you need to re-establish this mapping.

Restoring the user/login mappings

Restore the user/login mappings according to the table below:

SQL Server login   Database user       Database roles
<prefix>_oper      <prefix>_oper       db_owner/dbo
<prefix>_admin     <prefix>_admin_u    <prefix>_admin_role, <prefix>_delta_rw_role
<prefix>_rt        <prefix>_rt_u       <prefix>_rt_role, <prefix>_delta_rw_role
<prefix>_prov      <prefix>_prov_u     <prefix>_prov_role, <prefix>_transport_role
<prefix>_user      <prefix>_user_u     <prefix>_user_role, <prefix>_delta_r_role

Recreate each of the mappings using SQL queries.
Log in as sa and run the following:

-- Re-attach each database user of the restored database to its server login
use <prefix>_db
ALTER USER <prefix>_oper_u WITH LOGIN = <prefix>_oper
ALTER USER <prefix>_admin_u WITH LOGIN = <prefix>_admin
ALTER USER <prefix>_rt_u WITH LOGIN = <prefix>_rt
ALTER USER <prefix>_prov_u WITH LOGIN = <prefix>_prov
ALTER USER <prefix>_user_u WITH LOGIN = <prefix>_user
GO

For more information, see the documentation of the Microsoft SQL Server Management Studio.

When all users are connected to their logins, run the script mxmc_update.cmd to set the access control on all the stored procedures.

The database should now be available. Verify that you are able to connect to the restored database with the Management Console and the Identity Management User Interface.

5.4.2 Backing up and restoring an Identity Center database (Oracle)

This section describes how to back up and restore your Identity Center database on Oracle. You always back up and restore a complete Identity Center database.

5.4.2.1 Backing up a database

Back up the database using the normal database procedures. See the database documentation for details.

In the Oracle database, the following objects in the schema of the MXMC_OPER user must be backed up:

- Function
- Index
- Package
- Package body
- Procedure
- Sequence
- Synonym: MXMC_PROV, MXMC_ADMIN, MXMC_RT and MXMC_USER
- Table
- Trigger
- View

The following objects must be backed up from Security:

USERS: MXMC_ADMIN, MXMC_OPER, MXMC_PROV, MXMC_RT, MXMC_USER

ROLES: MXMC_ADMIN_ROLE, MXMC_DELTA_R_ROLE, MXMC_DELTA_RW_ROLE, MXMC_PROV_ROLE, MXMC_RT_ROLE, MXMC_TRANSPORT_ROLE, MXMC_USER_ROLE

5.4.2.2 Restoring a database

Restore the database using the normal database procedures. See the database documentation for details.
5.4.3 Backing up and restoring an Identity Center database (IBM DB2)

This section describes how to back up and restore your Identity Center database on IBM DB2. You always back up and restore a complete Identity Center database.

Back up and restore the database using the normal database procedures. For details, see the database documentation and the Database Administration Guide SAP on IBM DB2 for Linux, UNIX, and Windows (http://service.sap.com/instguidesNW73 -> Operations -> Database-Specific Guides -> SAP DBA Guide: IBM DB2 for LUW (Version 1.40)), also available at http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000735502&_OBJECT=011000358700001449002009E.

5.4.4 Backing up and restoring a Virtual Directory Server configuration

If you use version control and store the configuration file in a database, this database can be backed up using the normal database procedures. If the configuration is stored in an .XML file, use a file backup tool to back up the configuration file(s).

5.5 Application Copy

How you move a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation Guide Transport.

5.6 Periodic Tasks

There are no specific periodic tasks for the Virtual Directory Server apart from what may be defined for the SAP NetWeaver AS Java where the service is deployed.

Some housekeeping tasks for the Identity Center are defined as scheduled procedures. See Configuring the scheduled procedures for housekeeping in the help file for the Identity Center Management Console for more information.

The following manual periodic tasks are defined for each of the Identity Centers.
5.6.1 Manual tasks for the Identity Center

Verify that all services are running
    Tool: Monitoring tab / User interface
    Recommended frequency: Daily
    Select "Dispatcher Status" to see that all dispatchers are running as expected.

Check logs for failed jobs
    Tool: Monitoring tab / User interface
    Recommended frequency: Daily
    Select "Job Status" to verify that no jobs are in error state.

Clean up the audit information
    Tool: Database management tool
    Recommended frequency: Weekly
    See section 5.6.3.

Clean up the table job_execution
    Tool: Database management tool
    Recommended frequency: Weekly
    See section 5.6.4.

Clean up the table AuditTrail
    Tool: Database management tool
    Recommended frequency: Weekly
    See section 5.6.5.

Clean up historic values in the identity store
    Tool: Database management tool
    Recommended frequency: Monthly
    See section 5.6.6.

Rebuild database indexes
    Tool: Database management tool
    Recommended frequency: Monthly
    See section 5.6.7.

5.6.2 Manual tasks for Transport/Configuration Management

View changes to the configuration
    Tool: Configuration History tab / User interface
    Recommended frequency: On demand
    See section 5.6.8.

Change global or repository constants
    Tool: System Parameters tab / User interface
    Recommended frequency: On demand
    See section 5.6.9.

Add a repository to the productive landscape
    Tool: Management Console (in development landscape), Transport Utility
    Recommended frequency: On demand
    See section 5.6.10.

5.6.3 Cleaning up the audit information

The audit tables are used by the provisioning functionality for auditing every provisioning request and its status. They also link provisioning tasks together, typically where sub-tasks are started through OnOk, OnFail, OnChainOK or OnChainFail. Remove the entries older than a specific audit ID.
To remove entries with audit ID < 1000000, run the following statements in this order:

    delete from mxi_link_audit where mcAuditID < 1000000 and mcAuditID <> -1
    delete from MXP_Audit_Variables where auditID < 1000000
    delete from MXP_Ext_Audit where aud_ref < 1000000
    delete from mxp_audit where auditid < 1000000

The tables MXP_Audit_Variables and MXP_Ext_Audit have audit ID columns referring to MXP_Audit.auditid, so the entries in these tables must be deleted before cleaning up the mxp_audit table.

5.6.4 Cleaning up the table job_execution

The job_execution table belongs to the delta functionality. Every time a job runs with the delta functionality turned on, a new entry is inserted into this table containing the date/time and key figures about how many entries were added, modified, deleted, failed or not changed. Remove the entries older than a defined date.

5.6.5 Cleaning up the table AuditTrail

The AuditTrail table belongs to the delta functionality and keeps an audit of changes either on entry level or on attribute level. If audit is not turned on, this table stays empty. If audit is turned on, new records are added when entries are added, modified or deleted. In the Management Console you can set a maximum number of entries to keep in this audit table. If delta is being used, every execution of a job pass is added to this table. Remove the entries older than a defined date.

5.6.6 Cleaning up historic values in the identity store

Any attributes and entries within the identity store which are modified or deleted are stored in the historic values. This information is held in the table mxi_old_values. There is a configuration parameter on each attribute, which indicates for how many revisions or for how long this information is to be kept. The default value is to keep historic values for 30 days.
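The following script is an added example (not from the SAP guide) of the two database-side housekeeping jobs this guide asks the administrator to implement: the four audit deletes of 5.6.3, run in dependency order and in batches so that a large cleanup neither holds locks on the audit tables for the whole run nor fills the transaction log with one huge transaction, and the move of old rows from mxi_old_values (5.6.6) into an archive table, selected by the ModifyTime column that section describes. It is written for Microsoft SQL Server. The column names are the ones given in this guide; the cut-off audit ID (1000000), the 90-day retention, the batch size and the archive table name mxi_old_values_archive are assumptions. Take a database backup before running it.

```sql
-- Added example, not from the SAP guide: batched Identity Center housekeeping
-- for Microsoft SQL Server. Column names are the ones given in 5.6.3 and 5.6.6;
-- the cut-off, retention, batch size and archive table name are assumptions.
SET NOCOUNT ON;

DECLARE @cutoff_audit_id int      = 1000000;                       -- assumption
DECLARE @keep_after      datetime = DATEADD(day, -90, GETDATE());  -- assumption
DECLARE @batch           int      = 5000;                          -- assumption
DECLARE @rows            int;
DECLARE @step            int;

-- Report first, delete afterwards: make the size of the cleanup visible.
SELECT (SELECT COUNT(*) FROM mxp_audit      WHERE auditid    < @cutoff_audit_id) AS audit_rows,
       (SELECT COUNT(*) FROM mxi_old_values WHERE ModifyTime < @keep_after)      AS old_value_rows;

-- Part 1: audit tables. MXP_Audit_Variables and MXP_Ext_Audit refer to
-- MXP_Audit.auditid, so the dependent tables are emptied before mxp_audit.
-- Rows with mcAuditID = -1 are excluded, exactly as in the statements above.
SET @step = 1;
WHILE @step <= 4
BEGIN
    SET @rows = 1;
    WHILE @rows > 0
    BEGIN
        BEGIN TRANSACTION;               -- one short transaction per batch
        IF @step = 1
            DELETE TOP (@batch) FROM mxi_link_audit
            WHERE mcAuditID < @cutoff_audit_id AND mcAuditID <> -1;
        ELSE IF @step = 2
            DELETE TOP (@batch) FROM MXP_Audit_Variables
            WHERE auditID < @cutoff_audit_id;
        ELSE IF @step = 3
            DELETE TOP (@batch) FROM MXP_Ext_Audit
            WHERE aud_ref < @cutoff_audit_id;
        ELSE
            DELETE TOP (@batch) FROM mxp_audit
            WHERE auditid < @cutoff_audit_id;
        SET @rows = @@ROWCOUNT;
        COMMIT TRANSACTION;
    END;
    SET @step = @step + 1;
END;

-- Part 2: historic values. Create the archive table once with the same
-- columns as mxi_old_values, then move rows in batches. OUTPUT ... INTO
-- writes every deleted row into the archive inside the same statement, so
-- no row can be lost between a separate copy and delete. The archive table
-- must have no triggers, foreign keys or CHECK constraints (OUTPUT INTO
-- forbids them); if mxi_old_values has an IDENTITY column, create the
-- archive table by hand without the IDENTITY property instead of SELECT INTO.
IF OBJECT_ID('dbo.mxi_old_values_archive', 'U') IS NULL
    SELECT * INTO dbo.mxi_old_values_archive FROM mxi_old_values WHERE 1 = 0;

SET @rows = 1;
WHILE @rows > 0
BEGIN
    BEGIN TRANSACTION;
    DELETE TOP (@batch) FROM mxi_old_values
    OUTPUT deleted.* INTO dbo.mxi_old_values_archive
    WHERE ModifyTime < @keep_after;
    SET @rows = @@ROWCOUNT;
    COMMIT TRANSACTION;
END;
```

Choose the retention so that it is not shorter than the longest SaveDays configured on any attribute: rows moved to the archive table are no longer visible to the Identity Center, so the product's own history for that attribute would be cut short. The archive table can afterwards be exported to offline storage and truncated with the normal database tools.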
This information is stored either in mxi_attributes.SaveDays or in mxi_attributes.SaveCopies.

If you want to keep the historic values for a long time, the mxi_old_values table may grow very large. There is no automatic moving of historic data to offline storage. Since historic data is stored in a separate table, it is quite simple to implement a job which moves this information to an offline storage, by moving entries from mxi_old_values to another database or external storage. The column mxi_old_values.ModifyTime holds the date/time when the attribute was last modified, and can be used for selecting the oldest entries to move.

5.6.7 Rebuilding database indexes

With heavy usage of the system, the database indexes become fragmented, which may decrease performance. For further information regarding fragmented indexes and rebuilding the indexes, please refer to the documentation for your database system.

5.6.8 Viewing Changes to the Configuration

The overview of changes to the configuration is available in the Identity Management Administration User Interface, using the http://<host>:<port>/idm/admin URL. If the configuration has not been transported, only changes to global constants and repository constants are available. Select the "Configuration History" tab to view the history of changes to the configuration. You can see details about the following:

Imported configuration files
For imported configuration files, the date and time of the import, the ID of the user that performed the import, and the same information for the export are displayed. You can also download the configuration file that was imported. You can view the import log for each import by selecting the import entry in the list and choosing the "Import Log" tab in the details area. The columns show the "Severity", "Message" and "Time" for each log entry of the import.
Changes to global constants
For changes to global constants, the date and time of the change, the ID of the user that made the change, the name and description of the constant and the old and new values are displayed.

Changes to repository constants
For changes to repository constants, the date and time of the change, the ID of the user that made the change, details about the repository (for example, ID, name, type, and description), the name and description of the constant changed, and the old and new values are displayed.

For security reasons, the history for encrypted data such as passwords is not saved for use in this view. You can see that a change was made, but the old values are not displayed.

5.6.9 Changing Global or Repository Constants

To change global or repository constants in the Identity Management Administration User Interface, use the same URL as for monitoring or for viewing the configuration history, which is http://<host>:<port>/idm/admin.

You can change the constants in the Identity Management Administration User Interface, but you cannot create or delete them. To create global constants or add repositories to the system, create them in the development or test/QA system using the Identity Center Management Console and transport them to the (test and) productive systems. Implement any system-specific jobs that use the repositories or constants in the development or test/QA system and transport them as well.

1. To make changes to the system parameters, choose the "System Parameters" tab from the Identity Management Administration User Interface.
2. Select "Global Constants" or "Repositories" to change the corresponding constants.
3. Change the constant values directly in the corresponding table. You can change the parameters for parameterized constants such as JDBC URLs by selecting the constant value. The parameters for these constants are then displayed separately and can be changed.
   If a parameterized constant contains a password parameter that is encrypted, create an encrypted global or repository constant that contains the encrypted value, and reference that password constant in the parameter value of the URL constant. This ensures that the password stays encrypted and can still be changed.
4. Save the data.

5.6.9.1 Modifying Assignment Grouping Repository Constants

If assignment grouping is defined on the repository in the Identity Center Management Console (see http://help.sap.com/saphelp_nwidmic72/en/mc/dse_repository_privilege.htm), there are two repository constants that contain this configuration:

MX_PRIV_GROUPING_RULE defines the assignment grouping. The value of the constant ranges from P:-1 to P:7, corresponding to the grouping rule selected on the repository.
MX_PRIV_GROUPING_ATTRIBUTE contains a reference to the grouping attribute, if any.

When selecting the constant MX_PRIV_GROUPING_RULE, the row expands to reveal a set of checkboxes and radio buttons. The value of the repository constant depends on the configuration you define. For example, choosing the No Grouping radio button results in a value of P:-1, while choosing the Grouping radio button can result in a value of P:0. Select the necessary checkboxes and radio buttons to configure the assignment grouping and to define the constant's value. If you select the Separate by Privilege Attribute checkbox, you can select a privilege attribute for assignment grouping from the dropdown menu.

5.6.10 Adding a Repository to the Productive System

To add a repository to the productive identity management system, you must add the repository in the development or test/QA system and transport it to the productive system. The overview of the process is:

1. Using the Management Console on the development or test/QA system:
   a. Create the repository.
   b. Create any configuration elements that apply to the system, for example, account attributes used by the provisioning framework for SAP systems.
   c. Create the initial load job and any other jobs or tasks that apply to the system.
2. Using the Identity Management Administration User Interface on the development or test system, export the configuration.
3. Using the Identity Management Administration User Interface on the productive system:
   a. Import the configuration.
   b. Update the repository definition.
4. Run the initial load job or any other jobs that need to be processed.

For more information on creating repositories, account attributes, and jobs, see the online help.

5.7 Load Balancing

5.7.1 Load Balancing Identity Center

The system landscape XL Production described in the SAP NetWeaver Identity Management Identity Center Installation overview describes how load balancing is achieved.

5.7.2 Load Balancing Virtual Directory Server

Load balancing is handled by the SAP NetWeaver AS Java where the service is deployed.

5.8 User Management

The Identity Center creates a number of database users as part of the database installation. This is described in the documents SAP NetWeaver Identity Management Identity Center Installing the database (Microsoft SQL Server/Oracle).

How to manage users for the Identity Management User Interface is described in the document SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface.

How you manage users to access the servers created by the Virtual Directory Server is part of the configuration of the server.

5.9 Maintaining Message Templates

Message templates are used when sending notifications to users with a Notification task. The Notification task can be called from an approval task to send messages to the approvers and other involved parties of the approval process.
Message template editing requires Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1 or newer.

5.9.1 Initial Configuration

The initial configuration of the message templates is described in the topic Configuring the notification templates.

The message templates can be viewed and edited in the "Message Templates" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:MSGTEMPLATE:R to view the templates and MX_PRIV:WD:MSGTEMPLATE:RW to edit them. How you configure access to the "Message Templates" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface. This description is based on full access to the message templates with the MX_PRIV:WD:MSGTEMPLATE:RW privilege.

5.9.2 Listing Message Templates

All message templates for approvals belong to the message category MX_APPROVALS. Each template can exist in several languages. You can get an overview of the message templates that are available in the system:

1. Open the Identity Management Administration User Interface and select the "Message Templates" tab.
2. Select a message category. Choose "MX_APPROVALS" to view approval messages. There may be other categories available.
3. Optionally, enter a search criterion and choose "Search". This searches the template names. All matching message templates are displayed in the "Available templates" list. Each template can be in several languages, which are listed in the "Available languages" list.
4. Select a language in the list to display the language-specific subject and contents.

5.9.3 Editing a Message Template

You can modify a language version of a message template in the following way:

1. Select a language in the list and choose "Edit".
2. Fill in the fields in the following way:

   Category/Name/Language
   Shows the information for the selected template. These fields cannot be changed.

   Localized parameters
   Select this toggle link to show the list of parameters that can have a specific value for each language when used in the message template. There are three parameters in the list: Approved, Declined and Timeout. The text for "Approved", "Declined" or "Timed out" is used for the parameter PAR_REQUESTRESULT in the message template.

   Subject
   Enter the subject of the message as it will appear in the e-mail.

   Format
   Choose the format of the template. This can be either "HTML" or "Plain text".

   Style sheet
   Only available for HTML templates. Select this toggle link to show or hide the style sheet for the message template.

   Contents
   Enter the text for the template, either valid HTML or plain text, depending on the chosen format. You can insert parameters in the template by choosing a parameter in the "Attributes" list and choosing "Append". For a list of available parameters, see section 5.9.3.1. The parameter is always added to the end of the text; you have to move it (cut/paste) manually to the correct position in the text.

3. You can preview HTML messages by choosing "Preview".
4. Choose "Save".

If you have chosen HTML as the format for the message template, illegal HTML tags (such as applet, form or script) are automatically encoded and illegal event attributes (such as onload or onselect) are removed when the template is saved.

5.9.3.1 Available Parameters

You can include information from the request in the message using the list of parameters. If the <parameter> is not found, the name of the parameter is displayed in the notification message. If the value of a <parameter> is not found, this is displayed as an empty string (no value) in the message.
<parameter> can have one of the following values:

APPROVALURL
Direct access to the approval on the To Do tab. The URL has the form %$GLB.MX_GUI_URL_PREFIX%/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/ProcessApproval?RequestID=<request id>. The global constant MX_GUI_URL_PREFIX is imported with the notification task and must be modified for each system. The approval is available to the logged-in user only if he is defined as approver for this request; otherwise, the approval request is not displayed.

AUDITID
Audit ID of the approval task.

CHARSET
Charset encoding given by the parameter "CHARENC" in the template list file AssignmentNotificationsList.txt.

DATEASSIGNED
The date the assignment was done, in ISO 8601 format.

DELEGATEDFROMDISPLAYNAME
The display name of the user that has delegated (forwarded) the approval.

LASTAPPROVERDISPLAYNAME
The display name of the last user to approve the request.

REASON
The reason provided by the approver.

RECIPIENTSDISPLAYNAME
Display name (or MSKEYVALUE) of the recipient of the e-mail.

RECIPIENTSSALUTATION
Salutation retrieved from the MX_SALUTATION attribute for the recipient of the e-mail. If the attribute is not found, it is omitted.

REQUESTINGUSERDISPLAYNAME
Display name of the user that requested the assignment. For self-service this is the same as TARGETUSERDISPLAYNAME.

REQUESTREASON
The reason provided when requesting the assignment.

REQUESTRESULT
Based on the value of REQUESTSTATUS, the corresponding value for the parameters given in the template list file AssignmentNotificationsList.txt is used. If the parameters are not added in this file, the default values "Approved" and "Declined" are used.

REQUESTSTATUS
The status of the approval:
0: Declined
1: Approved
2: Timed out

SYSTEMURL
The URL to the Identity Management User Interface as specified in the notification task.

TARGETUSERDISPLAYNAME
Display name of the user that is getting the assignment.

TARGETUSERMSKEY
The MSKEY of the user who is getting the assignment.

TARGETROLEDISPLAYNAME
Display name of the role or privilege being assigned.

TARGETCONTEXTDISPLAYNAME
Display name of the context given for the assignment.

VALIDFROM
"Valid from" date specified for the assignment.

VALIDTO
"Valid to" date specified for the assignment.

5.9.4 Adding a Language Version of a Message Template

You can add a language version of a message template. The new version is based on the primary language of the message template.

1. Select the message template in the "Available templates" list.
2. Choose "Add language". The "Add language to template" form is displayed. Fill in the fields in the following way:

   Template category
   Shows the category for the message template. The category cannot be changed.

   Language
   When you click the field, the "Extended Value Selector" is displayed. Select the language for the message template.

   Template
   Shows the name of the template and cannot be changed.

   Language specific content
   Fill in the fields in the same way as when modifying a template. See section 5.9.3.

5.9.5 Removing a Language Version of a Message Template

To remove language versions that are no longer needed:

1. Select one or more languages in the "Available languages" list.
2. Choose "Delete language".
3. Confirm that you want to remove the language versions.

If you remove all language versions of a template, the message template itself is also deleted.

5.9.6 Creating a Message Template

You can create a message template:

1. Select the "Message Templates" tab.
2. Choose "Create". The "Create template" form is displayed.
3. Fill in the fields in the following way:

   Template category
   Select a category for the message template. All approval messages are in the category "MX_APPROVALS".

   Language
   When you click the field, the "Extended Value Selector" is displayed. Select the language for the message template.

   Template
   Enter a name for the template. Template names support only standard ASCII characters.

   Language specific content
   Fill in the fields in the same way as when modifying a template. See section 5.9.3.

4. Choose "Save" to save the message template.

5.9.7 Removing a Message Template

You can remove a message template, including all language versions:

1. Select one or more templates in the "Available templates" list.
2. Choose "Delete template".
3. Confirm that you want to remove the template and all language versions.

5.10 Managing Approvals

Role assignments or other changes to entries in the identity store may require an approval by, for instance, a manager or a role owner. The configuration of the approval task specifies parameters like the timeout and escalation of the approval. For more information about approval processing, see the topic About approval processing in the help file for the Identity Center Management Console.

While waiting for the approver to approve the request, the approval is in pending state. It waits until the specified timeout and is then handled according to the defined timeout rule: it is either escalated or declined.

If an approval for some reason will not be approved within reasonable time, for instance if the approver is absent or unable to perform the approval, the pending approval can either be declined or escalated by a manager or administrator. Pending approvals are managed from the "Approval Management" tab in the Identity Management Administration User Interface.
The logged-in user must have one of the following privileges:

MX_PRIV:APPROVALS:READONLY to view pending approvals
MX_PRIV:APPROVALS:PROCESS to decline or escalate approvals

How you configure access to the "Approval Management" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface. This description is based on full access to approval management with the MX_PRIV:APPROVALS:PROCESS privilege.

5.10.1 Listing Pending Approvals

You can get an overview of the pending approvals in the system:

1. Open the Identity Management Administration User Interface and select the "Approval Management" tab.
2. Enter a search criterion in the "Find" field. This is a free-text search in the name of the user getting the assignment, the name of the role/privilege, the approver and the context. You can also use the advanced search (see below).
3. Choose "Go". All approvals matching the search criterion are displayed in the list. The color of the status indicator shows how many days are left before the approval expires.
4. Select an approval to show more information in the details view below. Select the different tabs to show all information about the approval.

5.10.2 Finding Approvals Using Advanced Search

If you need to narrow down the search result more than you can by using the basic search, you can use the advanced search to specify more detailed search criteria:

1. Open the Identity Management Administration User Interface and select the "Approval Management" tab.
2. Choose "Advanced" to open the advanced search panel.
3. Fill in the fields with the search criteria you want to use:

   Approval Type
   Select whether to include all approvals, or only assignment or basic approvals.

   Date
   Enter a date range. This finds all approvals that have been changed within the period.

   Consignee
   Choose the button to the right of the field to open a dialog box where you can find the user you want to find approvals for. You can only find approvals for one specific user.

   Approver
   Choose the button to the right of the field to open a dialog box where you can find the approver you want to see approvals for. You can only find approvals for one specific approver.

   Assigner
   Choose the button to the right of the field to open a dialog box where you can find the assigner you want to find approvals for. You can only find approvals for one specific assigner.

   Context
   Choose the button to the right of the field to open a dialog box where you can find a specific context to use as search criterion. You can only find approvals for one specific context.

   Assignment
   Choose the button to the right of the field to open a dialog box where you can search for the role or privilege whose assignment is requested. You can only search for approvals for one specific role or privilege.

4. Choose "Go".

5.10.3 Declining a Pending Approval

Provided that you have the necessary privilege, you can decline a pending approval:

1. Find the approval you want to decline either with basic or advanced search.
2. Select the approval in the list.
3. Choose "Decline".
4. Optionally, enter a reason why you are declining the approval.
5. Choose "Confirm" to complete the process.

When viewing the assignment details, you will see that the assignment request was declined.

5.10.4 Escalating a Pending Approval

Provided that you have the necessary privilege, you can escalate a pending approval. In this case, the timeout rule of the given approval task is used, so the outcome of the escalation depends on how the approval task is configured.
It can either:

Decline the assignment
Escalate to the manager(s) of the approver(s)
Escalate to a new list of approvers

The behavior is exactly as if the approval had timed out, but it is processed immediately instead of waiting for the given timeout.

To escalate the approval:

1. Find the approval you want to escalate either with basic or advanced search.
2. Select the approval in the list.
3. Choose "Escalate".
4. Optionally, enter a reason why you are escalating the approval.
5. Choose "Confirm" to complete the process.

The approval is then processed further according to the configuration of the approval task.

5.10.5 Exporting the Pending Approvals

The list of pending approvals can be exported to a CSV file:

1. Find the approvals either with basic or advanced search.
2. Choose "Export". The "File Download" dialog box appears.
3. Select whether you want to open or save the file. The file is either opened in a text editor or saved in the specified folder in the file system.

6 High Availability

6.1 High Availability for the Identity Center

The system landscape XL Production described in the SAP NetWeaver Identity Management Identity Center Installation overview describes how to achieve high availability.

6.2 High Availability for the Virtual Directory Server

High availability for the Virtual Directory Server deployed on SAP NetWeaver is achieved through deploying the configuration on SAP NetWeaver. How to configure SAP NetWeaver for high availability is described in the documentation for SAP NetWeaver.

6.2.1 High Availability for Standalone Virtual Directory Server

To achieve high availability for a standalone Virtual Directory Server, configure an IP switch in front of multiple instances of the Virtual Directory Server (multiple servers) running with the same configuration. This can be used, for instance, in the HCM integration scenario.
7 Software Change Management

7.1 Software Change Management

How you transport a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation guide Transport.

7.2 Support Packages and Patch Implementation

Support packages and patches can be found in the following location: http://service.sap.com/sp-stacks -> SP Stack Information -> SAP NetWeaver Identity Management 7.2.

7.3 Upgrading the Identity Center

This is described in the document SAP NetWeaver Identity Management Identity Center Installation overview.

7.4 Upgrading the Virtual Directory Server

This is described in the document SAP NetWeaver Identity Management Virtual Directory Server Installation and initial configuration.

There is no downtime involved in upgrading the software itself. An updated configuration can be deployed while the service is running. Updating the server software itself (SAP NetWeaver) must be done according to the documentation for SAP NetWeaver.
8 Troubleshooting

The following problem analysis scenarios are available for SAP NetWeaver Identity Management:

Identity Center: Dispatcher fails to start
Identity Center: Timeout issues
Identity Center: Insufficient dispatcher memory
Identity Center: Codepage <number> not supported by JAVA-environment
Identity Center: Error messages from jobs accessing ABAP systems
Identity Management User Interface: Java runtime exception when logging in
Identity Management User Interface: Error message about missing database columns or procedures
Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"
Virtual Directory Server: Application starts, but later fails with "No driver for database"
Virtual Directory Server: Server doesn't start
Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails

To help in the problem analysis, you can enable entry trace if it is a specific entry you need to investigate. See section 4.5.

To help in analyzing performance problems, you can enable statement execution tracing to see which SQL queries take a long time to execute. See section 4.6.

8.1 Identity Center: Dispatcher fails to start

8.1.1 Problem Description

The dispatcher fails to start.

8.1.2 Solution

Run the following command to verify the dispatcher configuration:

    Dispatcher_Service_<dispatcher name> test checkconfig

Verify that the dispatcher finds all necessary JDBC drivers.

Run the following command to start the dispatcher in test mode:

    Dispatcher_Service_<dispatcher name> test

Check for error messages from the dispatcher in the console window.

For Microsoft Windows:
Increase the log level in the dispatcher property file to get more logging.
Make sure that the JDBC connection string for the runtime engine is correct.
For Unix:
Always use SAP JVM 5.
Make sure all values in the dispatcher.prop file are set correctly.

8.2 Identity Center: Timeout issues

8.2.1 Problem Description

A job fails with an error message indicating there was a timeout problem.

8.2.2 Solution

Increase the Identity Center's timeout values on the "Options" tab of the Identity Center properties.

If the timeout comes from a directory server, adjust the size limit, time limit or page size in the properties of the "From LDAP" pass.

8.3 Identity Center: Insufficient memory

8.3.1 Problem Description

A job fails with an error message indicating insufficient memory.

8.3.2 Solution

You need to increase the available memory by modifying the .prop file for the dispatcher. Add the following to JAVAOPTIONS:

    JAVAOPTIONS=-Xmx256m

Reinstall the dispatcher(s). If you need to have more than one option in the JAVAOPTIONS string, make sure that MXDISPATCHER_EXECSTRING is set to 1, for instance MXDISPATCHER_EXECSTRING=1.

8.4 Identity Center: Codepage <number> not supported by JAVA-environment

8.4.1 Problem Description

This error message appears when running a job with a SELECT statement against a Microsoft SQL Server database.

8.4.2 Solution

This indicates that the current Java Runtime Environment does not support the server collation of the database. The setting for the server collation can be found in the Microsoft SQL Server Management Studio. View the "Server Properties" of the database server and select "General". The "Server Collation" property shows the current server collation.

You need to make sure that you have /lib/charsets.jar installed. Depending on which Java Runtime Environment you are using, this is done in different ways. The recommended Java Runtime Environment is SAP JVM 5, which supports most collations.
If you are using Sun's Java Runtime Environment, you need to make sure that you have lib/charsets.jar installed. For information see http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html. This extended encoding set is an installation option when installing the Sun Java Runtime Environment. To install lib/charsets.jar, do the following:

1. Choose Start/Settings/Control Panel/Add and Remove Programs.
2. Select the component Java 2 Runtime Environment.
3. Choose "Change" to start the installation wizard.
4. Run through the wizard and select "Modify".
5. Add "Support for Additional Languages".
6. Complete the wizard.

8.5 Identity Center: Error messages from jobs accessing ABAP systems

8.5.1 Problem Description

A job accessing an ABAP system fails with the error message "Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'". Possible reasons for this are:

- No library found (library not referenced in the shared library path)
- Wrong library version
- Wrong platform

8.5.2 Solution

Check the path to the JCo library in the shared library path. For more information, see the installation documentation for JCo.

8.6 Identity Management User Interface: Java runtime exception when logging in

8.6.1 Problem Description

Users get a Java runtime exception when logging in.

8.6.2 Solution

Verify that all JMX settings are set correctly according to the document SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface.

8.7 Identity Management User Interface: Error message about missing database columns or procedures

8.7.1 Problem Description

Users get error messages about missing database columns or procedures.

8.7.2 Solution

This may be due to a mismatch between the database schema and the user interface. Make sure you have upgraded the database schema to the same version as the User Interface.
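The manual checks from sections 8.1, 8.3 and 8.4 above (JDBC driver jars reachable, a JDBC connection string present, an explicit -Xmx in JAVAOPTIONS, MXDISPATCHER_EXECSTRING=1 when JAVAOPTIONS carries more than one option, and lib/charsets.jar present in the JRE) can be scripted so they run before a dispatcher is restarted. The script below is an added example, not part of the SAP guide or of the product. JAVAOPTIONS and MXDISPATCHER_EXECSTRING are the key names the guide gives; CLASSPATH and JDBC_URL are assumed key names used only for illustration, and the .prop files it lints are constructed sample input written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the SAP guide): lint a dispatcher .prop file for the
# pitfalls sections 8.1 and 8.3 describe, and check the JRE for charsets.jar (8.4).
# JAVAOPTIONS and MXDISPATCHER_EXECSTRING are key names from the guide;
# CLASSPATH and JDBC_URL are ASSUMED key names used for illustration only.

# prop_get FILE KEY: print the value of KEY (text after the first '='), or nothing.
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n 1
}

# check_dispatcher_prop FILE: print one WARN line per problem, return the count.
check_dispatcher_prop() {
    file=$1
    problems=0

    # 8.3: the heap limit must be set explicitly via JAVAOPTIONS=-Xmx...
    javaopts=$(prop_get "$file" JAVAOPTIONS)
    case "$javaopts" in
        *-Xmx*) ;;
        *) echo "WARN: JAVAOPTIONS has no -Xmx setting"; problems=$((problems + 1)) ;;
    esac

    # 8.3: more than one option in JAVAOPTIONS needs MXDISPATCHER_EXECSTRING=1
    set -- $javaopts
    if [ "$#" -gt 1 ] && [ "$(prop_get "$file" MXDISPATCHER_EXECSTRING)" != "1" ]; then
        echo "WARN: several JAVAOPTIONS but MXDISPATCHER_EXECSTRING is not 1"
        problems=$((problems + 1))
    fi

    # 8.1: every CLASSPATH entry (JDBC driver jars) must exist on disk
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if [ ! -e "$entry" ]; then
            echo "WARN: CLASSPATH entry not found: $entry"
            problems=$((problems + 1))
        fi
    done <<EOF
$(prop_get "$file" CLASSPATH | tr ':' '\n')
EOF

    # 8.1: the JDBC connection string must at least look like a JDBC URL
    case "$(prop_get "$file" JDBC_URL)" in
        jdbc:*) ;;
        *) echo "WARN: JDBC_URL is missing or does not start with jdbc:"
           problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# check_charsets_jar JRE_DIR: 8.4 - the extended encodings live in lib/charsets.jar
check_charsets_jar() {
    if [ -e "$1/lib/charsets.jar" ]; then
        return 0
    fi
    echo "WARN: $1/lib/charsets.jar not found; SQL Server collations outside the"
    echo "      default encodings will fail with 'Codepage <number> not supported'"
    return 1
}

# --- constructed sample input (a temporary directory, not a real installation) ---
demo_dir=$(mktemp -d)
touch "$demo_dir/sqljdbc.jar"
cat > "$demo_dir/good.prop" <<EOF
JAVAOPTIONS=-Xmx256m -Dfile.encoding=UTF-8
MXDISPATCHER_EXECSTRING=1
CLASSPATH=$demo_dir/sqljdbc.jar
JDBC_URL=jdbc:sqlserver://db.example.internal:1433;databaseName=MXMC_db
EOF
cat > "$demo_dir/bad.prop" <<EOF
JAVAOPTIONS=-Xmx256m -Dfile.encoding=UTF-8
CLASSPATH=$demo_dir/sqljdbc.jar:$demo_dir/missing-driver.jar
JDBC_URL=db.example.internal:1433
EOF

echo "== good.prop"; check_dispatcher_prop "$demo_dir/good.prop" && echo "ok"
echo "== bad.prop";  check_dispatcher_prop "$demo_dir/bad.prop"  || echo "$? problem(s)"
echo "== JRE";       check_charsets_jar "$demo_dir" || echo "install the extended encodings"
```

Point check_dispatcher_prop at the real dispatcher .prop file and check_charsets_jar at the JRE the dispatcher actually runs on (on Unix the guide requires SAP JVM 5); a non-zero return from either is the same condition the guide tells you to look for in the console output of `Dispatcher_Service_<dispatcher name> test`.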
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"

8.8.1 Problem Description

The CLASSPATH appears to be correct, but the CLASSPATH is written to the registry only when the service is created, so changes made to it afterwards are not seen by the running service.

8.8.2 Solution

Uninstall and reinstall the service.

8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database"

8.9.1 Problem Description

The error message "No driver for database" appears in the operation log.

8.9.2 Solution

Verify that all necessary database drivers are available. All back-end API JAR files must also be available.

8.10 Virtual Directory Server: Server doesn't start

8.10.1 Problem Description

An error message is displayed in the message pane in the user interface: Couldn't find class <class name>. This indicates that a class used by the configuration is not compiled.

8.10.2 Solution

You can solve this in one of two ways:

- Open each of the offending classes and compile it from the class editor.
- Choose Tools/Options and select "Compile classes on startup". Start the server to compile the classes. Turn the setting off again afterwards.

Generally, it is recommended to choose Tools/Check config before you start the server.

8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails

8.11.1 Problem Description

A: Typically, when testing on a local server, the IP address of the server is set to localhost.

B: The necessary drivers are not transported to the SAP NetWeaver server.

8.11.2 Solution

A: You need to change this address when deploying the configuration on a remote SAP NetWeaver server.
B: Create a \lib folder in the configuration's work area. Copy all necessary drivers and JAR files there and redeploy the configuration.

9 Support Desk Management

Support Desk Management enables you to set up an efficient internal support desk for your support organization that seamlessly integrates your end users, internal support employees, partners, and SAP Active Global Support specialists with an efficient problem resolution procedure. For support desk management, you need the methodology, management procedures, and tools infrastructure to run your internal support organization efficiently.

9.1 Remote Support Setup

SAP support needs to be able to work remotely for highest efficiency and availability. Therefore all required support tools must be remotely accessible for SAP support. SAP uses the remote connection with SAProuter for a specific problem that you log by creating a customer message in the SAP Support Portal. Information about the setup of remote support connections to SAP, including detailed documentation, is available at http://service.sap.com/access-support. For information about SAProuter, see SAP Note 486688 and the SAP Notes it refers to for specific settings or parameters that are necessary. SAP Note 812386 provides further assistance.

9.1.1 Defining a support user

Authorizations are described in the SAP NetWeaver Identity Management Security Guide, section 5. How to add users for the Identity Management User Interface is described in the SAP NetWeaver Identity Management Identity Management User Interface Installation Guide.

To add a support user, add the following UME action to the user:

- idm_monitoring_support: This gives access to the "Monitoring" tab in the Administration User Interface. The idm_monitoring_support action is already part of the standard AS Java support role SAP_JAVA_SUPPORT.
Add the following Identity Center privileges:

- MX_PRIV:CONFIG_R: Provides read access to the configuration (repositories and global constants). Provide access to the Administration User Interface on the URL http://<host>:<port>/idm/admin. For information about how to use the Administration User Interface, see sections 5.6.8 and 5.6.9.
- MX_PRIV:CONFIG_AUDIT: Provides access to the configuration audit, which shows the changes done to the configuration.
- MX_PRIV:TRANSPORT:EXPORT: Provides access to the "Transport/Export" tab in the Administration User Interface if you want the user to be able to download the complete configuration. Grant this only if the support user actually needs the full export, and treat the exported file as sensitive.
- MX_PRIV:WD:TAB_MANAGE: Gives access to the data. Provide access to the Identity Management User Interface on the URL http://<host>:<port>/idm. Which tasks and data are available is controlled with task access control as described in the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.
- MX_PRIV:WD:TAB_TRACE: Gives access to the "Trace" tab. This tab is used to configure and view trace information that can be used for troubleshooting purposes. For more information about using the trace, see section YY.

Do not assign the following privileges:

- MX_PRIV:CONFIG_RW: This would allow the user to modify the configuration.
- MX_PRIV:TRANSPORT:IMPORT: This would allow the user to import a new configuration.

9.2 Problem Message Handover

For sending problem messages/tickets to SAP, use component BC-IAM-IDM and provide a detailed and reproducible problem description. Please see SAP Note 1497568 before submitting the ticket.
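The assignment rules in section 9.1.1 (the read-only privileges a support user needs, and the two write privileges it must never hold) are worth re-checking periodically rather than only at creation time. The script below is an added example, not part of the SAP guide or of the product: the UME action and MX_PRIV names are the ones the guide lists, but the semicolon-separated "user;privilege" export it reads is an assumed format, and the assignments it audits are constructed sample data, so nothing here reflects a real Identity Center export.

```shell
#!/bin/sh
# Added example (not from the SAP guide): audit the privileges held by support
# users against the rules in section 9.1.1. Privilege and UME action names are
# from the guide; the "user;privilege" export format and the sample data below
# are ASSUMED/constructed for this example, not an IdM export format.

# Read access the guide says a support user needs (TRANSPORT:EXPORT is optional,
# so it is neither required nor forbidden here).
REQUIRED="idm_monitoring_support MX_PRIV:CONFIG_R MX_PRIV:CONFIG_AUDIT MX_PRIV:WD:TAB_MANAGE MX_PRIV:WD:TAB_TRACE"
# Write access the guide says must not be assigned.
FORBIDDEN="MX_PRIV:CONFIG_RW MX_PRIV:TRANSPORT:IMPORT"

# has_priv FILE USER PRIV: succeed if USER holds exactly PRIV in the export.
# Anchoring with ^ and $ keeps MX_PRIV:CONFIG_R from matching MX_PRIV:CONFIG_RW.
has_priv() {
    grep -q "^$2;$3\$" "$1"
}

# audit_support_user FILE USER: print one line per finding, return the count.
audit_support_user() {
    file=$1; user=$2; findings=0
    for p in $REQUIRED; do
        if ! has_priv "$file" "$user" "$p"; then
            echo "MISSING  $user  $p"
            findings=$((findings + 1))
        fi
    done
    for p in $FORBIDDEN; do
        if has_priv "$file" "$user" "$p"; then
            echo "REVOKE   $user  $p  (write access is not allowed for support users)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# --- constructed sample export: user;privilege, one assignment per line ---
export_file=$(mktemp)
cat > "$export_file" <<'EOF'
support1;idm_monitoring_support
support1;MX_PRIV:CONFIG_R
support1;MX_PRIV:CONFIG_AUDIT
support1;MX_PRIV:WD:TAB_MANAGE
support1;MX_PRIV:WD:TAB_TRACE
support2;idm_monitoring_support
support2;MX_PRIV:CONFIG_RW
support2;MX_PRIV:TRANSPORT:IMPORT
support2;MX_PRIV:WD:TAB_MANAGE
EOF

for u in support1 support2; do
    if audit_support_user "$export_file" "$u"; then
        echo "OK       $u"
    fi
done
```

In the sample data, support1 passes and support2 is reported five times: three required read privileges are missing and both forbidden write privileges are present, which is exactly the combination that would let a "support" account change or replace the configuration.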