SAP S/4 Hana
General information
The SAP S/4 Hana connector provides the ability to manage users, their attributes, and their memberships (roles, profiles and groups) in the SAP system. The operations that can be performed from OpenIAM are create, modify, remove, suspend and resume. This connector also supports connecting to an older version of SAP known as SAP R/3.
Requirements
The current version of the connector can be deployed to a Linux box as a JAR file. A Docker version of the connector is not available yet. The connection to SAP is established on port 3300 -- please make sure it is reachable from the connector box.
Installation and connection to OpenIAM
Use an .sh script to start the connector. It is important to provide the path to where the SAP library is stored.
Example of a startup script:
#!/bin/bash
# Load OpenIAM environment variables (HOME_DIR etc.)
. /usr/local/openiam/env.conf
# Directory that holds the SAP JCo native library (libsapjco3.so)
export LD_LIBRARY_PATH=/usr/local/openiam/conf/connectors/sap/
export LIBPATH=/usr/local/openiam/conf/connectors/sap/
export VAULT_CERTS="$HOME_DIR/vault/certs/"
export JAVA_HOME="$HOME_DIR/jdk"
setenforce 0
# $1 is accepted as the jar file name but the jar path below is fixed; $2 carries extra JVM options
JAR_FILE="$1"
JAVA_OPTS="$2"
# JVM options must come before -jar
$JAVA_HOME/bin/java $JAVA_OPTS -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO -Dspring.config.location=/usr/local/openiam/conf/connectors/sap/application.properties -Dconfpath=$HOME_DIR -jar $HOME_DIR/connectors/bin/saps4hana-connector-rabbitmq.jar > $HOME_DIR/logs/saps4hana-connector-rabbitmq.log &
Installation and connection to OpenIAM when OpenIAM is deployed in Docker
- Open port 8200 in the vault container by adding the following to openiam-docker-compose/3.2/infrastructure/vault/docker-compose.yaml:
  ports:
    - "8200:8200"
- Open port 5672 on rabbitmq container by uncommenting the ports configuration in openiam-docker-compose/3.2/infrastructure/rabbitmq/docker-compose.yaml
- Restart OpenIAM. If the SAP connector will be deployed on another box, please make sure a firewall is not blocking these ports:
firewall-cmd --add-port=8200/tcp --permanent
firewall-cmd --add-port=5672/tcp --permanent
firewall-cmd --reload
Download the connector to a directory which, for this document, will be referred to as your_folder. In your_folder, create a file entitled sap_application.properties with the following contents:
org.openiam.connector.queue=SAP_Connector_1_Request
org.openiam.connector.queueResponseName=SAP_Connector_1_Response
org.openiam.connector.name=SAPS4HANA
org.openiam.connector.type=SAP Connector
org.openiam.connector.broadcast.binding.connector.key=52
spring.application.name=saps4hana-connector-rabbitmq
org.openiam.health.check.sweeptime=30000
management.health.elasticsearch.enabled=false
management.health.redis.enabled=false
spring.jmx.enabled=false
sap.property.date.format=yyyy-MM-dd
sap.general.checkIfUserHasPwdAlreadySet=false
CIPHER_sap.general.dummyPassword={rym2+zCJlbSuPzuFl2p2T4foDlleyNAL}
Install Java 11. Copy the vault certificate entitled vault.crt to the connector box and import it into the Java truststore. Once imported, you can delete the certificate file from the box.
keytool -noprompt -import -v -trustcacerts -alias vault_$(pwgen -s 13 1) -file path_to_vault.crt -keystore /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-1.el7_9.x86_64/lib/security/cacerts -keypass changeit -storepass changeit
In your_folder we will add two files. The first will be entitled rabbitmq.properties:
spring.rabbitmq.host=rabbitmq_host_name
spring.rabbitmq.port=5672
org.openiam.rabbitmq.hosts=${spring.rabbitmq.host}:${spring.rabbitmq.port}
spring.rabbitmq.username=openiam
org.openiam.rabbitmq.concurrent.consumers=20
org.openiam.rabbitmq.max.concurrent.consumers=50
org.openiam.rabbitmq.prefetch.count=2
org.openiam.rabbitmq.channelTransacted=true
org.openiam.rabbitmq.channelCacheSize=10
org.openiam.mq.broker.encryption.key=ff808181670838e0016708610547001b
Next, create vault.properties:
vault.uri=https://rabbitmq_host_name:8200
vault.authentication=CERT
vault.ssl.key-store=file://path_to_vault.jks
vault.ssl.key-store-password=passwd00
Create the directory 'your_directory/conf/vault/client' in your_folder and put vault.jks (copied from the OpenIAM box) in it.
Download libsapjco3.so and place it in your_directory. Create a file entitled sap_startup.sh with the following content:
#!/bin/bash
# Stop any connector instance that is already running
kill -9 $(pgrep -f saps4hana-connector-rabbitmq)
# Directory that holds libsapjco3.so
export LD_LIBRARY_PATH=<full path to your_directory>
export LIBPATH=<full path to your_directory>
setenforce 0
/usr/bin/java -Dlogging.level.root=WARN -Dlogging.level.org.openiam=INFO -Dspring.config.location=sap_application.properties -Dconfpath=<full path to your_directory> -jar saps4hana-connector-rabbitmq.jar > saps4hana-connector-rabbitmq.log &
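Before running sap_startup.sh it is worth checking that the three property files are complete and that the secret-bearing settings are in the shape this page expects. The script below is an added example and not part of OpenIAM or the connector; it assumes the file names and keys listed above, and the sample files it creates are constructed placeholders, not real values.

```shell
# Added pre-flight check for the SAP connector property files (not OpenIAM code).
# Assumes sap_application.properties, rabbitmq.properties and vault.properties
# use the keys shown on this page. Sample files below are constructed placeholders.

# prop_get FILE KEY -> prints the value of KEY (first match), nothing if absent
prop_get() {
    _k=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the sed regex
    sed -n "s/^[[:space:]]*$_k[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_props FILE "KEY ..." -> reports missing or empty keys; returns their count
check_props() {
    _file=$1; _bad=0
    [ -r "$_file" ] || { echo "ERROR: cannot read $_file"; return 1; }
    for _key in $2; do
        if [ -z "$(prop_get "$_file" "$_key")" ]; then
            echo "ERROR: $_file: $_key is missing or empty"; _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# check_vault FILE -> 0 only if the Vault client uses an https URI and CERT auth
check_vault() {
    case "$(prop_get "$1" vault.uri)" in
        https://*) ;;
        *) echo "ERROR: $1: vault.uri must start with https://"; return 1 ;;
    esac
    [ "$(prop_get "$1" vault.authentication)" = "CERT" ] ||
        { echo "ERROR: $1: vault.authentication should be CERT"; return 1; }
}

# check_secret FILE -> 0 only if the dummy password is present in CIPHER_ form
# and never as a plaintext sap.general.dummyPassword= line
check_secret() {
    if grep -q '^[[:space:]]*sap\.general\.dummyPassword[[:space:]]*=' "$1"; then
        echo "ERROR: $1: sap.general.dummyPassword is stored in plaintext"; return 1
    fi
    grep -q '^[[:space:]]*CIPHER_sap\.general\.dummyPassword[[:space:]]*=' "$1" ||
        { echo "ERROR: $1: CIPHER_sap.general.dummyPassword is missing"; return 1; }
}

# Constructed sample files (placeholder values) so the checks run stand-alone
SAMPLES=$(mktemp -d)
printf 'vault.uri=https://rabbitmq_host_name:8200\nvault.authentication=CERT\n' > "$SAMPLES/vault.properties"
printf 'org.openiam.connector.queue=SAP_Connector_1_Request\nCIPHER_sap.general.dummyPassword={placeholder}\n' > "$SAMPLES/good.properties"
printf 'org.openiam.connector.queue=\nsap.general.dummyPassword=plaintext\n' > "$SAMPLES/bad.properties"
check_props "$SAMPLES/good.properties" "org.openiam.connector.queue" && check_secret "$SAMPLES/good.properties" && echo "good.properties: OK"
```

Point the three check functions at the real files in your_folder instead of the constructed samples; a non-zero return from any of them means the connector should not be started yet.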
General usage
Service account information:
During the Managed System configuration you should provide the login (service account username), the password, and the host name or IP address where SAP is hosted. The following SAP instance-specific parameters are also needed:
| Parameter name | Description |
|---|---|
| JCO_CLIENT | Specifies the SAP client. Three-digit client number; preserve leading zeros if they appear in the number. |
| JCO_LANG | Specifies the login language. ISO two-character language code (for example, EN, DE, FR), or SAP-specific single-character language code. |
| JCO_SYSNR | Indicates the SAP system number. |
Define attribute provisioning rules
The out-of-the-box configuration of the SAP managed system provides rules for writing into the following SAP fields of the user object:
- USERNAME
- BAPIPWD:PASSWORD
- E_MAIL:ADDRESS
- FIRSTNAME:ADDRESS
- LASTNAME:ADDRESS
- PROFILE:PROFILES
- ROLE:ROLES
Synchronization
Instructions on how to set up synchronization are provided in a separate section. However, OpenIAM provides out-of-the-box sync configurations for SAP. Examples of a search query: USERNAME LIKE 'TEST.USERSAP' (a single user) or USERNAME LIKE '%' (all users).
Connector troubleshooting and tips
Connector troubleshooting can be done by raising the logging level to DEBUG in the startup script: -Dlogging.level.org.openiam=DEBUG
How to find and validate user in SAP
Log in to SAP through SAP Logon. The transaction name is SU01: type it and press Enter, and you will be taken to the User Maintenance window, where you can search for a user. When you find the user, click the glasses icon to see the details. The Address, Roles and other tabs contain the data that OpenIAM can manage through provisioning.