SAP S/4 Hana
The SAP S/4 Hana connector lets you manage users, their attributes, and their memberships (roles, profiles and groups) in an SAP system. The operations that can be performed through OpenIAM are create, modify, remove, suspend and resume. The connector also supports connections to the older version of SAP known as SAP R/3.
The current version of the connector can be deployed to a Linux box as a jar file. A Docker version of the connector is not available yet. The connection is established on port 3300; make sure this port is reachable from the connector box.
Installation and connection to OpenIAM
Use a shell script to start the connector. It is important to provide the path where the SAP library is stored. Example of a startup script:
    #!/bin/bash
    # Load the OpenIAM environment settings
    . /usr/local/openiam/env.conf
    # Directory that holds the SAP native library
    export LD_LIBRARY_PATH=/usr/local/openiam/conf/connectors/sap/
    export LIBPATH=/usr/local/openiam/conf/connectors/sap/
    export VAULT_CERTS="$HOME_DIR/vault/certs/"
    export JAVA_HOME="$HOME_DIR/jdk"
    # setenforce 0 switches SELinux to permissive mode for the whole host
    setenforce 0
    JAVA_OPTS="$2"
    JAR_FILE="$1"
    # JVM options must come before -jar; anything after the jar file is passed to the application
    $JAVA_HOME/bin/java -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO \
        -Dspring.config.location=/usr/local/openiam/conf/connectors/sap/application.properties \
        -Dconfpath=$HOME_DIR $JAVA_OPTS \
        -jar $HOME_DIR/connectors/bin/saps4hana-connector-rabbitmq.jar > $HOME_DIR/logs/saps4hana-connector-rabbitmq.log &
Installation and connection to OpenIAM when OpenIAM deployed in docker
Open port 8200 on the vault container by adding the following to openiam-docker-compose/3.2/infrastructure/vault/docker-compose.yaml:
    ports:
      - "8200:8200"
Open port 5672 on the rabbitmq container by uncommenting the ports configuration in openiam-docker-compose/3.2/infrastructure/rabbitmq/docker-compose.yaml.
Restart OpenIAM.
If the SAP connector will be deployed on another box, make sure the firewall is not blocking these ports.
    firewall-cmd --add-port=8200/tcp --permanent
    firewall-cmd --add-port=5672/tcp --permanent
    firewall-cmd --reload
Download the connector and put it in a directory, for example your_directory. In your_directory, create a sap_application.properties file with similar content:
Install Java 11. Copy the vault certificate vault.crt to the box and import it; after the import you can delete the file from the box.
keytool -noprompt -import -v -trustcacerts -alias vault_$(pwgen -s 13 1) -file path_to_vault.crt -keystore /usr/lib/jvm/java-11-openjdk-22.214.171.124.9-1.el7_9.x86_64/lib/security/cacerts -keypass changeit -storepass changeit
In your_folder and two files in it: rabbitmq.properties
Create the 'your_directory/conf/vault/client' directory in your_folder and put vault.jks in it (you have to copy it from the OpenIAM box).
Download libsapjco3.so and place it in your_directory. Create sap_startup.sh with similar content:
    #!/bin/bash
    # Stop any connector instance that is already running
    kill -9 $(pgrep -f saps4hana-connector-rabbitmq)
    # Replace /full/path/to/your_directory with the full path to your_directory
    export LD_LIBRARY_PATH=/full/path/to/your_directory
    export LIBPATH=/full/path/to/your_directory
    # setenforce 0 switches SELinux to permissive mode for the whole host
    setenforce 0
    /usr/bin/java -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO \
        -Dspring.config.location=sap_application.properties \
        -Dconfpath=/full/path/to/your_directory \
        -jar saps4hana-connector-rabbitmq.jar > saps4hana-connector-rabbitmq.log &
Service account information:
During Managed System configuration you must provide the login (service account username), the password, and the host name or IP address where SAP is hosted. The following SAP instance-specific parameters are also needed:
|Parameter|Description|Value|
|---|---|---|
|JCO_CLIENT|Specifies the SAP client.|Three-digit client number; preserve leading zeros if they appear in the number|
|JCO_LANG|Specifies a login language.|ISO two-character language code (for example, EN, DE, FR), or SAP-specific single-character language code.|
|JCO_SYSNR|Indicates the SAP system number.|SAP system number|
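As an added example (not part of the OpenIAM documentation or the connector), this shell check validates the three instance parameters from the table before they are entered in the Managed System configuration, including the case where leading zeros of the client number were dropped. The function names are hypothetical; the two-digit JCO_SYSNR form and the letter-or-digit single-character language code are assumptions.

```shell
#!/bin/bash
# Added example: format checks for the SAP instance parameters listed above.
# Function names are hypothetical and are not part of OpenIAM or SAP JCo.

# JCO_CLIENT: exactly three digits; leading zeros are significant.
valid_jco_client() {
  case "$1" in [0-9][0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# If the zeros were stripped (e.g. by a spreadsheet), print the padded form.
suggest_jco_client() {
  case "$1" in
    [0-9]) echo "00$1" ;;
    [0-9][0-9]) echo "0$1" ;;
    *) return 1 ;;
  esac
}

# JCO_LANG: ISO two-character code or one SAP language character.
# Assumption: the single-character form is a letter or a digit.
valid_jco_lang() {
  case "$1" in [A-Za-z][A-Za-z] | [A-Za-z0-9]) return 0 ;; *) return 1 ;; esac
}

# JCO_SYSNR. Assumption: two digits, 00-99 (the page only says "system number").
valid_jco_sysnr() {
  case "$1" in [0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if all three values are well-formed; otherwise reports each
# problem on stderr and returns 1.
check_jco_params() {
  _rc=0
  if ! valid_jco_client "$1"; then
    _hint=$(suggest_jco_client "$1") && _hint=" (did you mean $_hint?)"
    echo "JCO_CLIENT '$1' is not a three-digit client number$_hint" >&2
    _rc=1
  fi
  valid_jco_lang "$2" || { echo "JCO_LANG '$2' is not a 1- or 2-character code" >&2; _rc=1; }
  valid_jco_sysnr "$3" || { echo "JCO_SYSNR '$3' is not a two-digit system number" >&2; _rc=1; }
  return "$_rc"
}

# Constructed sample values, not taken from a real system.
check_jco_params "001" "EN" "00" && echo "OK: 001 EN 00"
check_jco_params "1" "ENG" "0" || echo "rejected: 1 ENG 0"
```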
Define attribute provisioning rules
The out-of-the-box configuration of the SAP managed system provides rules for writing into the following SAP fields of the user object:
Instructions on how to set up synchronization are provided in a separate document. However, OpenIAM provides out-of-the-box sync configurations for SAP. Example of a search query: USERNAME LIKE 'TEST.USERSAP' or USERNAME LIKE '%'. Basically, the query uses the same syntax that is supposed to work in SAP search forms.
Connector Troubleshooting and Tips
To troubleshoot the connector, raise the logging level to DEBUG (-Dlogging.level.org.openiam=DEBUG).