SAP S/4 Hana

General information

The SAP S/4 HANA connector lets OpenIAM manage users, their attributes and their memberships (roles, profiles and groups) in an SAP system. The operations that can be performed from OpenIAM are: create, modify, remove, suspend and resume. The connector also supports connections to the older SAP generation known as SAP R/3.

Requirements

The current version of the connector is deployed to a Linux box as a jar file; a Docker image of the connector is not available yet. The connector talks to SAP over the RFC gateway port 33NN, where NN is the two-digit SAP system number (JCO_SYSNR); for system number 00 this is port 3300. Make sure that port on the SAP host is reachable from the connector box.

Installation and connection to OpenIAM

Start the connector with a shell script. The important part is to point LD_LIBRARY_PATH (and LIBPATH) at the directory where the SAP JCo native library (libsapjco3.so) is stored. Example startup script:

#!/bin/bash
. /usr/local/openiam/env.conf
# Directory holding libsapjco3.so; the JVM resolves the native library through these two variables
export LD_LIBRARY_PATH=/usr/local/openiam/conf/connectors/sap/
export LIBPATH=/usr/local/openiam/conf/connectors/sap/
export VAULT_CERTS="$HOME_DIR/vault/certs/"
export JAVA_HOME="$HOME_DIR/jdk"
# Switches SELinux to permissive mode for the whole box; only needed if SELinux blocks loading libsapjco3.so
setenforce 0
# Optional first argument: jar path; optional second argument: extra JVM options
JAR_FILE="${1:-$HOME_DIR/connectors/bin/saps4hana-connector-rabbitmq.jar}"
JAVA_OPTS="$2"
# JVM options must come before -jar; anything placed after -jar is taken as the jar path / program arguments
$JAVA_HOME/bin/java $JAVA_OPTS -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO -Dspring.config.location=/usr/local/openiam/conf/connectors/sap/application.properties -Dconfpath=$HOME_DIR -jar "$JAR_FILE" > $HOME_DIR/logs/saps4hana-connector-rabbitmq.log 2>&1 &

Installation and connection to OpenIAM when OpenIAM deployed in docker

When OpenIAM runs in Docker, the connector has to reach the Vault and RabbitMQ containers from outside the compose network:

  • Open port 8200 on the vault container by adding ports: - "8200:8200" in openiam-docker-compose/3.2/infrastructure/vault/docker-compose.yaml.
  • Open port 5672 on the rabbitmq container by uncommenting the ports configuration in openiam-docker-compose/3.2/infrastructure/rabbitmq/docker-compose.yaml.
  • Restart OpenIAM.

If the SAP connector is deployed on another box, make sure the firewall does not block these ports. Publishing a container port and opening it in firewalld exposes it to every host that can reach the box, so on a shared network restrict the source to the connector box's address (for example with a firewalld rich rule) instead of opening the port to all sources.

# Opens both ports to all sources; use --add-rich-rule with source address=<connector box> to limit them
firewall-cmd --add-port=8200/tcp --permanent
firewall-cmd --add-port=5672/tcp --permanent
firewall-cmd --reload

Download the connector jar and put it in a directory of your choice, called your_directory below. In your_directory create a sap_application.properties file with content similar to:

org.openiam.connector.queue=SAP_Connector_1_Request
org.openiam.connector.queueResponseName=SAP_Connector_1_Response
org.openiam.connector.name=SAPS4HANA
org.openiam.connector.type=SAP Connector
org.openiam.connector.broadcast.binding.connector.key=52
spring.application.name=saps4hana-connector-rabbitmq
org.openiam.health.check.sweeptime=30000
management.health.elasticsearch.enabled=false
management.health.redis.enabled=false
spring.jmx.enabled=false
sap.property.date.format=yyyy-MM-dd
sap.general.checkIfUserHasPwdAlreadySet=false
CIPHER_sap.general.dummyPassword={rym2+zCJlbSuPzuFl2p2T4foDlleyNAL}

Install Java 11. Copy the Vault certificate vault.crt from the OpenIAM box and import it into the JVM truststore (cacerts); once imported, the .crt file can be deleted from the connector box.

# The cacerts path depends on the installed JDK; locate it with: dirname "$(dirname "$(readlink -f "$(command -v java)")")"/lib/security/cacerts
# The alias only has to be unique (pwgen just generates a random suffix); changeit is the default cacerts password
keytool -noprompt -import -v -trustcacerts -alias vault_$(pwgen -s 13 1) -file path_to_vault.crt -keystore /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-1.el7_9.x86_64/lib/security/cacerts -keypass changeit -storepass changeit

In your_directory create a conf sub-directory (the startup script below passes your_directory as -Dconfpath, and the connector reads its infrastructure settings from conf/ beneath it) and put two files in it. rabbitmq.properties:

# Host that publishes the RabbitMQ container's port 5672 (the OpenIAM Docker host)
spring.rabbitmq.host=rabbitmq_host_name
spring.rabbitmq.port=5672
org.openiam.rabbitmq.hosts=${spring.rabbitmq.host}:${spring.rabbitmq.port}
spring.rabbitmq.username=openiam
org.openiam.rabbitmq.concurrent.consumers=20
org.openiam.rabbitmq.max.concurrent.consumers=50
org.openiam.rabbitmq.prefetch.count=2
org.openiam.rabbitmq.channelTransacted=true
org.openiam.rabbitmq.channelCacheSize=10
# Key used to encrypt queue payloads; the connector must use the same value as OpenIAM, so copy it from the OpenIAM box
org.openiam.mq.broker.encryption.key=ff808181670838e0016708610547001b

vault.properties

# Host that publishes the Vault container's port 8200; in the docker-compose setup this is the same OpenIAM host as RabbitMQ.
# The host name must match the certificate imported into cacerts above, otherwise TLS verification fails.
vault.uri=https://rabbitmq_host_name:8200
vault.authentication=CERT
# Client keystore copied from the OpenIAM box (see conf/vault/client below)
vault.ssl.key-store=file://path_to_vault.jks
vault.ssl.key-store-password=passwd00

Create the directory your_directory/conf/vault/client and put vault.jks in it (copy it from the OpenIAM box); this is the client keystore referenced by vault.ssl.key-store.

Download libsapjco3.so and put it in your_directory. Create sap_startup.sh with content similar to the following (run it from your_directory, since the jar and properties paths are relative):

#!/bin/bash
# Stop a running instance first; pgrep prints nothing when none is running, so guard the kill
pid=$(pgrep -f saps4hana-connector-rabbitmq.jar)
[ -n "$pid" ] && kill -9 $pid
# Directory holding libsapjco3.so
export LD_LIBRARY_PATH="full path to your_directory"
export LIBPATH="full path to your_directory"
# Switches SELinux to permissive mode for the whole box; only needed if SELinux blocks loading libsapjco3.so
setenforce 0
/usr/bin/java -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO -Dspring.config.location=sap_application.properties -Dconfpath="full path to your_directory" -jar saps4hana-connector-rabbitmq.jar > saps4hana-connector-rabbitmq.log 2>&1 &

General usage

Service account information:

During Managed System configuration you provide the login (service account user name), its password, and the host name or IP address of the SAP system. The following SAP instance-specific parameters are also needed:

Parameter name   Description
JCO_CLIENT       The SAP client: a three-digit client number. Keep leading zeros (for example 001, not 1).
JCO_LANG         The logon language: an ISO two-letter code (for example EN, DE, FR) or the SAP-specific one-character language key.
JCO_SYSNR        The SAP system (instance) number: two digits, for example 00. It also determines the RFC gateway port 33NN.
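The following bash script is an added example and is not part of the OpenIAM documentation or the connector itself. It checks a connector box prepared with the Docker-deployment steps above before sap_startup.sh is run (files in your_directory, required keys in sap_application.properties, the vault_* entry in the JVM truststore, reachability of the RabbitMQ, Vault and SAP gateway ports) and validates the JCO parameters from the table, deriving the gateway port 33NN from JCO_SYSNR. It locates cacerts from the java on PATH instead of a hard-coded JDK path. The directory, host names and JCO values passed on the command line, and the libsapjco3.so file name, are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an OpenIAM SAP connector box (added example, not OpenIAM code).
# Usage: ./sap_preflight.sh /full/path/to/your_directory <openiam docker host> <SAP host> <JCO_SYSNR>

# The SAP RFC gateway listens on 33NN, NN = two-digit system number (JCO_SYSNR).
sap_gw_port() {
    case "$1" in
        [0-9])      printf '330%s\n' "$1" ;;
        [0-9][0-9]) printf '33%s\n' "$1" ;;
        *)          return 1 ;;
    esac
}

# JCO_CLIENT is exactly three digits; leading zeros are significant ("001" is not "1").
valid_client() {
    case "$1" in
        [0-9][0-9][0-9]) return 0 ;;
        *)               return 1 ;;
    esac
}

# JCO_LANG: ISO two-letter code (EN, DE) or SAP one-character language key (E, D, 1).
valid_lang() {
    case "$1" in
        [A-Za-z][A-Za-z]|[A-Za-z0-9]) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Print every key from the list that is absent (or commented out) in a properties file.
missing_keys() {
    file="$1"; shift
    for key in "$@"; do
        grep -q "^[[:space:]]*${key}=" "$file" || printf '%s\n' "$key"
    done
}

# TCP reachability with a timeout; uses bash's /dev/tcp so no nc/telnet is needed on the box.
check_port() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# cacerts of the java on PATH (JDK 11 layout: <jdk>/lib/security/cacerts), no hard-coded JDK version.
java_cacerts() {
    jbin=$(readlink -f "$(command -v java)") || return 1
    printf '%s/lib/security/cacerts\n' "$(dirname "$(dirname "$jbin")")"
}

preflight() {
    dir="$1"; mq_host="$2"; sap_host="$3"; sysnr="$4"; fails=0
    fail() { printf 'FAIL: %s\n' "$1"; fails=$((fails + 1)); }

    # File layout from the deployment steps (libsapjco3.so name is an assumption).
    for f in saps4hana-connector-rabbitmq.jar libsapjco3.so sap_application.properties \
             conf/rabbitmq.properties conf/vault.properties conf/vault/client/vault.jks; do
        [ -r "$dir/$f" ] || fail "missing $dir/$f"
    done

    missing=$(missing_keys "$dir/sap_application.properties" \
        org.openiam.connector.queue org.openiam.connector.queueResponseName \
        org.openiam.connector.name org.openiam.connector.type spring.application.name)
    [ -z "$missing" ] || fail "sap_application.properties lacks: $(printf '%s ' $missing)"

    # The keytool import step stores the Vault certificate under an alias vault_<random>.
    keytool -list -keystore "$(java_cacerts)" -storepass changeit 2>/dev/null | grep -qi '^vault_' \
        || fail "no vault_* alias in $(java_cacerts)"

    check_port "$mq_host" 5672 || fail "RabbitMQ $mq_host:5672 unreachable"
    check_port "$mq_host" 8200 || fail "Vault $mq_host:8200 unreachable"
    gw=$(sap_gw_port "$sysnr") || fail "JCO_SYSNR '$sysnr' is not a 1-2 digit system number"
    [ -z "$gw" ] || check_port "$sap_host" "$gw" || fail "SAP gateway $sap_host:$gw unreachable"

    # libsapjco3.so must be on the loader path that sap_startup.sh exports.
    case ":${LD_LIBRARY_PATH:-}:" in *":$dir:"*) ;; *) fail "LD_LIBRARY_PATH does not contain $dir" ;; esac

    printf '%d check(s) failed\n' "$fails"
    [ "$fails" -eq 0 ]
}

# Only run the checks when invoked with arguments, so the functions can also be sourced on their own.
if [ $# -ge 4 ]; then
    preflight "$@"
fi
```

Run it after exporting LD_LIBRARY_PATH exactly as sap_startup.sh does; a non-zero exit means at least one check failed and the reason is printed. valid_client and valid_lang are there to check the JCO_CLIENT and JCO_LANG values before they are entered in the Managed System form, since a client of "1" instead of "001" fails only at SAP logon time.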

Defining attribute provisioning rules

The out-of-the-box configuration of the SAP managed system provides rules for writing the following fields of the SAP user object (listed as FIELD:STRUCTURE, following the structures of the SAP BAPI user-management interface):

  • USERNAME
  • BAPIPWD:PASSWORD
  • E_MAIL:ADDRESS
  • FIRSTNAME:ADDRESS
  • LASTNAME:ADDRESS
  • PROFILE:PROFILES
  • ROLE:ROLES

Synchronization

Instructions for setting up synchronization are provided in a separate document, but OpenIAM ships an out-of-the-box sync configuration for SAP. Example search queries: USERNAME LIKE 'TEST.USERSAP' or USERNAME LIKE '%'. In short, whatever works in the SAP user search forms is supposed to work here.

Connector Troubleshooting and Tips

To troubleshoot the connector, raise the logging level to DEBUG in the startup script (-Dlogging.level.org.openiam=DEBUG) and read saps4hana-connector-rabbitmq.log. DEBUG output may include user attribute values from provisioning requests, so lower the level again once the problem is found.
