IDM Operations Guide

Solution Operation Guide SAP NetWeaver ® Identity Management 7.1 Document Version 7.1 Rev 7 - June 2009


Page 1: IDM Operations Guide



SAP AG Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

© Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Disclaimer Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way. Documentation in the SAP Service Marketplace You can find this documentation at the following Internet address: service.sap.com/instguides In order to make your document available under this alias, contact GBU AI.


Typographic Conventions

Type Style / Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons

Icon / Meaning

Caution

Example

Note

Recommendation

Syntax


Solution Operation Guide for SAP NetWeaver Identity Management

Contents

1 Getting Started (p. 7)
1.1 Global Definitions (p. 7)
1.2 Important SAP Notes (p. 8)
1.3 History of Changes (p. 8)

2 Technical System Landscape (p. 9)
2.1 Scenario/Component Matrix (p. 9)
2.2 Related Documentation (p. 10)

3 Defining the System Landscape Directory information (optional) (p. 11)
3.1 Identity Center (p. 11)
3.1.1 SAP NetWeaver AS Java as of Release 7.0 (p. 11)
3.1.2 EHP 1 for SAP NetWeaver CE 7.1 (p. 14)
3.2 Virtual Directory Server (p. 22)
3.2.1 Deployed Configuration (p. 22)
3.2.2 Standalone mode (p. 22)

4 Monitoring of Identity Management (p. 23)
4.1 Monitoring the Identity Center (p. 23)
4.1.1 Viewing the dispatcher status (p. 23)
4.1.2 Viewing the job status (p. 23)
4.1.3 Viewing the system log (p. 24)
4.1.4 Viewing the job log (p. 24)
4.1.5 Viewing the provisioning queue (p. 24)
4.1.6 Viewing the provisioning audit (p. 25)
4.1.7 Viewing the approval queue (p. 25)
4.1.8 Setting up a SAP JCo-Trace (p. 26)
4.1.9 System diagnostics report (p. 26)
4.2 Monitoring of the Virtual Directory Server (p. 26)
4.2.1 Viewing the logs on SAP NetWeaver AS Java (p. 26)
4.2.2 Viewing the logs when running in standalone mode (p. 27)
4.2.3 Verifying that the server is available (p. 27)

5 Management of SAP NetWeaver Identity Management (p. 28)
5.1 Starting and Stopping (p. 28)
5.1.1 Starting and stopping the Identity Center (p. 28)
5.1.2 Starting and stopping the Virtual Directory Server (p. 28)
5.2 Software Configuration (p. 28)
5.2.1 Software Configuration – Identity Center (p. 28)
5.2.2 Software Configuration – Virtual Directory Server (p. 28)
5.3 Administration Tools (p. 28)
5.4 Backup and Restore (p. 29)
5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server) (p. 29)
5.4.1.1 Backing up a database (p. 29)
5.4.1.2 Restoring a database (p. 29)
5.4.2 Backing up and restoring an Identity Center database (Oracle) (p. 30)
5.4.2.1 Backing up a database (p. 30)
5.4.2.2 Restoring a database (p. 31)
5.4.3 Backing up and restoring a Virtual Directory Server configuration (p. 31)
5.5 Application Copy (p. 31)
5.6 Periodic Tasks (p. 31)
5.6.1 Cleaning up the table mxp_audit (p. 32)
5.6.2 Cleaning up the table job_execution (p. 32)
5.6.3 Clean up the table AuditTrail (p. 32)
5.6.4 Cleaning up historic values in the identity store (p. 32)
5.6.5 Rebuilding database indexes (p. 32)
5.7 Load Balancing (p. 33)
5.7.1 Load Balancing – Identity Center (p. 33)
5.7.2 Load Balancing – Virtual Directory Server (p. 33)
5.8 User Management (p. 33)

6 High Availability (p. 33)
6.1 High availability for the Identity Center (p. 33)
6.2 High availability for the Virtual Directory Server (p. 33)

7 Software Change Management (p. 34)
7.1 Software Change Management for the Identity Center (p. 34)
7.2 Upgrading the Identity Center (p. 34)
7.3 Upgrading the Virtual Directory Server (p. 34)

8 Troubleshooting (p. 35)
8.1 Identity Center: Dispatcher fails to start (p. 35)
8.1.1 Problem Description (p. 35)
8.1.2 Solution (p. 35)
8.2 Identity Center: Timeout issues (p. 36)
8.2.1 Problem Description (p. 36)
8.2.2 Solution (p. 36)
8.3 Identity Center: Insufficient memory (p. 36)
8.3.1 Problem Description (p. 36)
8.3.2 Solution (p. 36)
8.4 Identity Center: Codepage <number> not supported by JAVA-environment (p. 37)
8.4.1 Problem Description (p. 37)
8.4.2 Solution (p. 37)
8.5 Identity Center: Error messages from jobs accessing ABAP systems (p. 38)
8.5.1 Problem Description (p. 38)
8.5.2 Solution (p. 38)
8.6 Identity Management User Interface: Java runtime exception when logging in (p. 38)
8.6.1 Problem Description (p. 38)
8.6.2 Solution (p. 38)
8.7 Identity Management User Interface: Error message about missing database columns or procedures (p. 38)
8.7.1 Problem description (p. 38)
8.7.2 Solution (p. 38)
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database" (p. 39)
8.8.1 Problem Description (p. 39)
8.8.2 Solution (p. 39)
8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database" (p. 39)
8.9.1 Problem Description (p. 39)
8.9.2 Solution (p. 39)
8.10 Virtual Directory Server: Server doesn't start (p. 39)
8.10.1 Problem Description (p. 39)
8.10.2 Solution (p. 39)
8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails (p. 40)
8.11.1 Problem Description (p. 40)
8.11.2 Solution (p. 40)


1 Getting Started

This guide does not replace the daily operations handbook that we recommend customers create for their specific production operations.

About this Guide

Designing, implementing, and running your SAP applications at peak performance 24 hours a day has never been more vital for your business success than now.

This guide provides a starting point for managing your SAP applications and maintaining and running them optimally. It contains specific information for various tasks and lists the tools that you can use to implement them. This guide also provides references to the documentation required for these tasks, so you will sometimes also need other Guides such as the Master Guide, Technical Infrastructure Guide, and SAP Library.

Target Groups

• Technical Consultants

• System Administrators

• Solution Consultants

• Business Process Owners

• Support Specialists

1.1 Global Definitions

SAP Application:

An SAP application is an SAP software solution that serves a specific business area, such as ERP, CRM, PLM, SRM or SCM.

Business Scenario:

From a microeconomic perspective, a business scenario is a cycle consisting of several interconnected logical processes in time. Typically, a business scenario spans several company departments and involves other business partners. From a technical point of view, a business scenario needs at least one SAP application (SAP ERP, SAP SCM, or others) for each cycle and possibly other third-party systems. A business scenario is a unit which can be implemented separately and reflects the customer's prospective course of business.

Component:

A component is the smallest individual unit considered within the Solution Development Lifecycle; components are separately produced, delivered, installed and maintained.


1.2 Important SAP Notes

Check regularly for updates available for the Application Operations Guide.

Important SAP Notes

SAP Note Number: 1253778
Title: Central note for SAP NetWeaver Identity Management 7.1
Comment: This is the central entry point for all SAP Notes related to Identity Management 7.1.

1.3 History of Changes

Make sure you use the current version of the Application Operations Guide.

The current version of the Application Operations Guide is at service.sap.com/instguides on SAP Service Marketplace.

The following table provides an overview of the most important changes in prior versions.

Version / Important Changes

Version 7.1 Revision 4: First version of SAP NetWeaver Identity Management 7.1 Operations Guide using the SAP template.

Version 7.1 Revision 5: Minor changes based on feedback.

Version 7.1 Revision 6: Included section about defining the System Landscape Directory Information.

Version 7.1 Revision 7: Added sub-section to Troubleshooting.

2 Technical System Landscape

2.1 Scenario/Component Matrix

The following diagram shows the architecture of SAP NetWeaver Identity Management:

The Identity Center database is the core of the Identity Center. This is a single database holding two different types of information:

One type is the configuration information for all items that are defined in the Identity Center, including the job configurations, the job status information (that is, what is being executed at this very moment), the log information (that is, the status of what has been done previously), as well as scheduling information (when the jobs are to be run next).

The other type of information is the actual data being processed, including the Identity store that contains the entries processed by the jobs in the Identity Center, as well as the log and audit information.

The Administrator manages the Identity Center configuration through the Management Console.

The Identity Management User Interface is used for all end-user registration/self service, password resets and approval of tasks. It also contains monitoring information for administrators of the Identity Center.


The Runtime Components (dispatchers, runtime engines and event agents) are responsible for processing both provisioning and synchronization tasks. They are also responsible for performing reconciliation and bootstrapping.

The Dispatcher(s) are connected to the Identity Center database and check for jobs that are ready to be run. A dispatcher is running on each computer where a Runtime engine is installed. The dispatcher starts the Runtime engine that executes the job.

Event agents can be configured to take action based on changes in different types of repositories such as directory servers, message queues or others. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.

The Virtual Directory Server can be deployed as a web service on SAP NetWeaver AS Java to provide web service access to the identity data.

When the Virtual Directory Server is deployed as an LDAP server it serves as an interface to third-party applications for the Identity Center.

2.2 Related Documentation

Links to the documentation for SAP NetWeaver Identity Management can be found in the help portal:

http://help.sap.com/content/documentation/netweaver/docu_nw_71_design.htm#idm71

Topic / Guide or Tool

Installation information: Identity Center Installation Overview; Virtual Directory Server Installation and Initial Configuration

Security: Identity Management Security Guide

3 Defining the System Landscape Directory information (optional)

This section describes how to maintain the HTTP destination for the System Landscape Directory (SLD) Data Supplier. The configuration is optional: it is relevant only if you actually use the SLD.

3.1 Identity Center

The procedure differs depending on your version of SAP NetWeaver:

• SAP NetWeaver AS Java as of Release 7.0

• Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1

There are separate sections for each SAP NetWeaver version.

3.1.1 SAP NetWeaver AS Java as of Release 7.0

To configure the SLD Data Supplier for SAP NetWeaver AS Java 7.0, use the Visual Administrator:

1. Start and log on to the Visual Administrator.

2. Select Server\Services\Destinations in the "Cluster" tab.

3. Select "HTTP" in the "Runtime" tab and choose "New" to create a new HTTP destination.

Enter "SLD_DataSupplier" as the name for the destination.

4. Choose "OK". This will open a pane where the destination can be defined further:

Enter the following information:

URL: In the "Connection Settings" section, at least a URL must be defined. The URL is http://<host>:<port>, where <host> is the name of the host where the SLD bridge runs and <port> is the AS Java HTTP standard access port of the SLD.

Authentication: In the "Logon Data" section, select "BASIC" as the authentication method.

Username: Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java user must have the role SAP_SLD_DATA_SUPPLIER.

Password: Enter the user's password.


If it is desirable to use HTTPS for the connection from the SLD, select "X509 Client Certificate" as the authentication method. The "Keystore view" field (with the "Certificate" field) is then ready for input. A key storage view contains the root certificates of the trusted roots, and checks the authentication of a received server certificate. Make sure to select "service_ssl" in the "Keystore view" field (see figure below).

5. Choose "Save and Test" to save the entries and test the connection to the destination. To save the entries only, choose "Save".

The SLD is updated when the application (tc~idm~jmx~app) is started, and at regular intervals thereafter.

3.1.2 EHP 1 for SAP NetWeaver CE 7.1

To configure the SLD Data Supplier for Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1, do the following:

1. Start and log on to the SAP NetWeaver Administrator.

2. Select the "Configuration Management" tab and then the "Security" sub-tab.


3. Select "Destinations".


4. Choose "Create…" and create a destination called SLD_DataSupplier of type HTTP.

If such a destination already exists, check whether its values are suitable and reuse it.

In the "General Data" section, define the following:

Destination Name: Enter the name "SLD_DataSupplier".

Destination Type: Select type "HTTP".


5. Choose "Next".

In the "Connection and Transport" section, specify at least the URL (http://<host>:<port>), where <host> is the name of the host where the SLD bridge runs and <port> is the AS Java HTTP standard access port of the SLD.


6. Choose "Next".

In the "Logon Data" section, define the following:

Authentication: Select "Basic (User ID and Password)".

User Name: Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java user must have the role SAP_SLD_DATA_SUPPLIER.

Password: Enter the user's password.

If it is desirable to use HTTPS for the connection from the SLD, select "X509 Client Certificate with SSL" as the authentication method. The "Keystore View" field is then ready for input. A key storage view contains the root certificates of the trusted roots, and checks the authentication of a received server certificate. Select "service_ssl" in the "Keystore View" field and "ssl-credentials" in the "Certificate" field (see the figure below):

You find a list of the available key storage views at Configuration Management → Security Management → Key Storage.

7. Choose "Finish" to finish and save the entries.


If an error occurs, an error message is displayed. If the entries are saved successfully, the connection data is saved in encrypted form in the secure store in the database.

8. To test the settings by sending test data to the SLD, select the "Infrastructure" sub-tab of the "Configuration Management" tab (in the SAP NetWeaver Administrator), and then "SLD Data Supplier Configuration".

9. Choose "Collect and Send Data" and wait for the response.

The SLD is updated when the application (tc~idm~jmx~app) is started, and at regular intervals thereafter.

3.2 Virtual Directory Server

The process differs depending on whether the configuration is deployed on SAP NetWeaver or you are running in standalone mode.

3.2.1 Deployed Configuration

The process is the same as the process described for the Identity Center.

Make sure to specify the correct URL and connection parameters to the server.

3.2.2 Standalone mode

When running in standalone mode, you configure the SLD Data Supplier as part of the server properties:

1. View the properties of the server and select the "SLD registration" tab:

Make sure not to include /sld in the URL.

Select "Enable SLD Registration" and fill in "SLD URL", "SLD Username" and "SLD Password" as described on page 12.

2. Choose "OK".

When you start the server, it will update the SLD when the configuration is loaded or reloaded and with regular intervals.
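The constraints that sections 3.1.1, 3.1.2 and 3.2.2 place on the SLD_DataSupplier destination (name and type, an http://<host>:<port> URL, no /sld in the URL, complete logon data for BASIC or X509 authentication with keystore view "service_ssl") can be checked before the values are typed into the administration tool. The following Python script is an added example and is not part of the guide or of SAP's software; the dictionary keys, the host names and the user SLDDSUSER are this example's own constructed values, and SAMPLE_BAD deliberately contains three typical mistakes.

```python
from urllib.parse import urlsplit

# Constructed sample destinations. The dictionary keys mirror the fields entered in
# the Visual Administrator / NetWeaver Administrator dialogs; the key names are this
# example's own convention (assumption), not an SAP API.
SAMPLE_BASIC = {
    "name": "SLD_DataSupplier",
    "type": "HTTP",
    "url": "http://sldhost.example.com:50000",
    "auth": "BASIC",
    "user": "SLDDSUSER",            # must hold role SAP_SLD_DATA_SUPPLIER on the SLD host
    "password": "placeholder-secret",
}

SAMPLE_X509 = {
    "name": "SLD_DataSupplier",
    "type": "HTTP",
    "url": "https://sldhost.example.com:50001",
    "auth": "X509",
    "keystore_view": "service_ssl",
}

# Three mistakes commonly made when the destination is typed in by hand:
# no port, a trailing /sld path, and an empty password.
SAMPLE_BAD = {
    "name": "SLD_DataSupplier",
    "type": "HTTP",
    "url": "http://sldhost/sld",
    "auth": "BASIC",
    "user": "SLDDSUSER",
    "password": "",
}


def check_sld_destination(dest: dict) -> list:
    """Return the list of constraints from the guide that `dest` violates.

    An empty list means the destination has the correct name and type, an
    http(s)://<host>:<port> URL without /sld, and complete logon data for the
    chosen authentication method.
    """
    problems = []
    if dest.get("name") != "SLD_DataSupplier":
        problems.append('destination name must be "SLD_DataSupplier"')
    if dest.get("type") != "HTTP":
        problems.append('destination type must be "HTTP"')

    parts = urlsplit(dest.get("url", ""))
    if parts.scheme not in ("http", "https"):
        problems.append("URL must start with http:// or https://")
    if not parts.hostname:
        problems.append("URL must name the host on which the SLD bridge runs")
    try:
        port = parts.port
    except ValueError:  # a placeholder such as <port> is not a number
        port = None
    if port is None:
        problems.append("URL must include the AS Java HTTP port of the SLD (http://<host>:<port>)")
    if parts.path.rstrip("/").lower().endswith("/sld"):
        problems.append("URL must not include /sld")

    auth = dest.get("auth")
    if auth == "BASIC":
        if not dest.get("user"):
            problems.append("BASIC authentication needs a Java user holding role SAP_SLD_DATA_SUPPLIER")
        if not dest.get("password"):
            problems.append("BASIC authentication needs the user's password")
    elif auth == "X509":
        if parts.scheme != "https":
            problems.append("X509 client certificate authentication needs an https:// URL")
        if dest.get("keystore_view") != "service_ssl":
            problems.append('X509 authentication needs keystore view "service_ssl"')
    else:
        problems.append('authentication must be "BASIC" or "X509"')
    return problems


if __name__ == "__main__":
    for label, dest in (("basic", SAMPLE_BASIC), ("x509", SAMPLE_X509), ("bad", SAMPLE_BAD)):
        found = check_sld_destination(dest)
        print(f"{label}: {'OK' if not found else found}")
```

The check is purely syntactic: it does not contact the SLD, so "Save and Test" (3.1.1) or "Collect and Send Data" (3.1.2) remains the authoritative connectivity test. Its value is that it catches the three errors that only surface later as a failed SLD update: a URL without the port, a URL that includes /sld, and missing logon data.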

4 Monitoring of Identity Management

Within the management of SAP technology, monitoring is an essential task. A section has therefore been devoted solely to this subject.

4.1 Monitoring the Identity Center

Monitoring of the Identity Center is done using the "Monitoring" tab of the Identity Management User Interface. How you configure access to the "Monitoring" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The following information is available from the Monitoring tab:

• Approval queue

• Dispatcher status

• Job log

• Job status

• Provisioning audit

• System log

The dispatcher status, job log, job status and system log are also available from the Management Console.

4.1.1 Viewing the dispatcher status

On each server with the Runtime Components, there will be a dispatcher running. The dispatcher is responsible for starting the runtime engine when a job is ready for execution, as well as performing some basic provisioning logic.

It is essential that the dispatchers are running. If the dispatcher stops, it will no longer be able to perform any logic, nor to start any jobs on the server.

To view the dispatcher status, select "Dispatcher Status" from the "Show" list on the Monitoring tab. The columns show information about each dispatcher that is configured in the system.

The possible states for the dispatcher are:

• Running

• Not running

4.1.2 Viewing the job status

At any given time, a job is executed by only one runtime engine, i.e. a job is single-threaded. When a runtime engine starts, it requests the first job (i.e. the job with the oldest schedule time) that is available for execution (i.e. has state Idle).

The runtime engine will do the following when executing a job:

• Request the next available job. The job state is updated to Running.

• Periodically, when a job is executed, the runtime engine updates the timestamp on the job, to signal that the runtime engine is alive, as well as updating the number of processed entries.

• Release the job, and reschedule. The job state is set to Idle.


Whenever a job is requested, the jobs are checked for any timeouts. If a timeout is detected, the job state is set to Idle and the job is rescheduled. If this is done more than a specified number of times, the job state is set to Error, and the job will no longer execute.

Select "Job Status" from the "Show" list on the Monitoring tab to display the information.

Possible states are:

• 0: Disabled. The job will not run.

• 1: Idle. The job is waiting to be executed at the time indicated in the Scheduled column.

• 2: Running. The job is currently executing.

• 3: Stopping. The job has been ordered to stop.

• -1: Error. A fatal error has occurred, and the job will no longer execute.

• -2: Timeout. The defined timeout has been reached. This means that no runtime engine has requested this job for the specified amount of time. When a runtime engine requests a job, a job in this state is treated as Idle.
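The job lifecycle described in this section, as an added Python example that is not part of the guide and not SAP's code: a small simulation of the job table with the states listed above, the heartbeat a runtime engine writes while a job runs, the timeout check performed whenever a job is requested, the reschedule after a detected timeout, and the escalation to Error once the configured number of timeouts is exceeded. The timeout value, the retry limit, the reschedule interval, the class and field names and the way the Timeout state is derived are all this example's assumptions; the page does not show the Identity Center's actual table columns or thresholds.

```python
from dataclasses import dataclass

# Job states as shown in the "Job Status" view.
DISABLED, IDLE, RUNNING, STOPPING, ERROR, TIMEOUT = 0, 1, 2, 3, -1, -2


@dataclass
class Job:
    name: str
    state: int = IDLE
    scheduled: float = 0.0       # time at which the job is next due (the "Scheduled" column)
    last_heartbeat: float = 0.0  # timestamp the runtime engine refreshes while the job runs
    processed: int = 0           # number of processed entries, also refreshed while running
    timeouts: int = 0            # how often a timeout has been detected for this job


@dataclass
class JobTable:
    """Constructed stand-in for the job table in the Identity Center database (assumption)."""
    jobs: list
    timeout: float       # seconds without a heartbeat after which a Running job has timed out
    max_timeouts: int    # timeouts tolerated before the job is set to Error
    interval: float      # seconds until a released job is due again

    def check_timeouts(self, now: float) -> None:
        """Run whenever a job is requested: a Running job whose engine stopped
        heartbeating is set back to Idle and rescheduled; too many such events
        put it into Error so that it is no longer executed."""
        for job in self.jobs:
            if job.state == RUNNING and now - job.last_heartbeat > self.timeout:
                job.timeouts += 1
                if job.timeouts > self.max_timeouts:
                    job.state = ERROR
                else:
                    job.state = IDLE
                    job.scheduled = now
            elif job.state == IDLE and now - job.scheduled > self.timeout:
                # No engine has picked the job up for the timeout period (example's
                # interpretation): shown as Timeout, but treated as Idle when requested.
                job.state = TIMEOUT

    def request_job(self, now: float):
        """What a starting runtime engine does: take the due job with the oldest
        schedule time, or None. A Running job is never handed out a second time."""
        self.check_timeouts(now)
        due = [j for j in self.jobs if j.state in (IDLE, TIMEOUT) and j.scheduled <= now]
        if not due:
            return None
        job = min(due, key=lambda j: j.scheduled)
        job.state = RUNNING
        job.last_heartbeat = now
        return job

    def heartbeat(self, job: Job, now: float, processed: int) -> None:
        """Periodic update by the engine: proves it is alive and reports progress."""
        job.last_heartbeat = now
        job.processed += processed

    def release(self, job: Job, now: float) -> None:
        """Job finished: release it and reschedule."""
        job.state = IDLE
        job.scheduled = now + self.interval


def run_normal_cycle() -> dict:
    """One healthy execution: request, two heartbeats, release."""
    table = JobTable(jobs=[Job("Sync users")], timeout=60.0, max_timeouts=2, interval=3600.0)
    job = table.request_job(0.0)
    competitor = table.request_job(1.0)   # a second engine starting while the job runs
    table.heartbeat(job, 5.0, processed=50)
    table.heartbeat(job, 10.0, processed=50)
    table.release(job, 10.0)
    return {"job": job, "second_engine_got": competitor}


def run_crashing_engine(timeout: float = 60.0, max_timeouts: int = 2) -> list:
    """An engine takes the job and dies without heartbeating; every later engine
    start detects the stale job. Returns the job state after each request."""
    table = JobTable(jobs=[Job("Sync users")], timeout=timeout, max_timeouts=max_timeouts, interval=3600.0)
    table.request_job(0.0)                  # first engine takes the job, then crashes
    history = [table.jobs[0].state]
    now = 0.0
    for _ in range(max_timeouts + 1):
        now += timeout + 1
        table.request_job(now)              # next engine start runs the timeout check
        history.append(table.jobs[0].state)
    return history


if __name__ == "__main__":
    print(run_normal_cycle()["job"])
    print(run_crashing_engine())            # [2, 2, 2, -1]: rescheduled twice, then Error
```

The crashing-engine run is the situation behind a job that is shown as Error in the Job Status view after several Timeout entries: each engine restart reclaims the job (state Idle, rescheduled) until the retry limit is exceeded, after which the job stays in Error until an administrator intervenes. The normal run shows why the "Queue Size" and processed-entry counters move while a job is Running: the engine's heartbeat both proves liveness and reports progress.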

4.1.3 Viewing the system log

The system log contains information from the system and the jobs and dispatchers connecting to it.

You can filter the log on error level and/or by date interval. You can also search for log entries with specific texts.

Which information is included in the system log is specified in the Management Console.

4.1.4 Viewing the job log

The job log displays information about the execution of all jobs in the Identity Center. Each line in the log shows information about one execution of a job. You can filter the log on error level and/or by date interval.

You can view an XML or HTML version of the job log from the "Details" view.

4.1.5 Viewing the provisioning queue The provisioning queue shows all tasks where there are entries waiting to be processed. The "Queue Size" column shows how many entries are waiting for this particular task. You can also see the last time the task was executed, and the state of the job, if this is an action task. The column shows the following values:

• 1: Temporary failure – the task is set for retry, possibly with a delay before it runs again

• 2: Ready to run – the task is ready to run once Exectime has passed

• 5: Waiting – the task is on hold. This is typical for ordered execution of tasks

• 11: Failed – the task has finally failed

• 21: Expanded OK – the task's child tasks were expanded OK

• 22: OK – the task has finally completed OK


4.1.6 Viewing the provisioning audit

The provisioning audit contains one entry for each audit ID that is processed. This information is updated as the task is processed in the system. There will be one entry per root task that is executed.

The "Provisioning Status" column shows the current status of the task:

• Task initiated OK

• Task not enabled for provisioning

• Task does not exist

• Loop detected

• Task cannot be used externally as it is private

• Entry does not exist in Identity Store

• Database error

• Task OK

• Task Failed

• OK

• Failed

The "Entry" column shows which entry was processed.

The "Started by" column shows what initiated the task. This can be either an entry (person) or an event task.

The "Details" view shows more information about each entry in the audit log. There are two tabs containing different audit information.

The "Detailed audit" tab

The "Detailed audit" shows the history of the task execution. The log is updated at certain points of the task execution, making it possible to follow the processing of a request. It is also possible to add information to the detailed audit by using the internal function uAddAuditInfo from the executing tasks.

The "Trace" tab

For newer installations of the Identity Center, the trace is enabled by default. If you have an Identity Center that has been upgraded from a previous version, the trace must be enabled manually. This is done in the Management Console: view the properties of the Identity Center, select the "Options" tab and select "Enable trace".

The trace shows the history of the task execution and is updated after the task has completed.

4.1.7 Viewing the approval queue

The approval queue contains all requests awaiting approval.


4.1.8 Setting up a SAP JCo trace

In order to analyze JCo exceptions from the runtime components it is necessary to activate traces to get more information. To set up a SAP JCo trace, do the following:

Find the location of the dispatcher scripts. On Microsoft Windows the default location is:

C:\Program Files\SAP\IdM\Identity Center\Service-Scripts

Open the property file of the dispatcher:

Dispatcher_Service_<dispatcher_name>.prop

Enter the following lines:

MXDISPATCHER_EXECSTRING=1

JAVAOPTIONS=-Djco.trace_path=C:\\Temp -Djco.trace_level=10

Specify an existing directory for the trace_path. In the above example the trace file will be written to the directory C:\Temp. For further information on the JCo analysis scenario see also:

http://help.sap.com/saphelp_nw70/helpdata/en/f6/daea401675752ae10000000a155106/frameset.htm

Restart the dispatcher from the Management Console to have the change take effect.

Make sure you deactivate the trace again when you are finished with your analysis, because tracing affects performance. The trace files can also contain sensitive data such as user names and RFC call parameters, so restrict access to the trace directory and delete the files once the analysis is done.

4.1.9 System diagnostics report

To get an overview of the Identity Center database, there is a system diagnostics report available as a job template in the Management Console.

The generated report is an HTML file containing key data about the system.

Create a job by using the job wizard and select the template corresponding to your database system located in the folder Jobs/System report.

The pass "Index fragmentation" requires the <prefix>_oper login, while the pass "Index statistics" requires the SA login. Before enabling these passes you need to configure the job constants JDBC_URL_OPER and JDBC_URL_SA. JDBC_URL_SA carries the connection details for the sysadmin-level SA login: treat it as a secret, restrict who can read the job configuration, and disable the pass when it is not needed.

The job can be run on demand or scheduled to run with specific intervals.

4.2 Monitoring of the Virtual Directory Server

4.2.1 Viewing the logs on SAP NetWeaver AS Java

When deploying a configuration on SAP NetWeaver AS Java, the logs are managed in AS Java's logging framework. The logs are identified with:

• com.sap.idm.vds.<LogType>

Where LogType is:

• oper: Operation log

• audit: Audit log

• stat: Statistics

For more information, see http://help.sap.com/saphelp_nw70/helpdata/EN/e2/f410409f088f5ce10000000a155106/frameset.htm.


4.2.2 Viewing the logs when running in standalone mode

When running the server in standalone mode, the logs can be redirected to a file that can be viewed using the SAP Standalone Log Viewer.

If there is a file named standalonelog.prop in the work area, together with the configuration file of the running configuration, the Virtual Directory Server will log to local files.

The file contains the following settings:

LEVEL=<LEVEL>

EXTENSIONLEVEL=<LEVEL>

OPERLOGLOCATION=<PATH>

AUDITLOGLOCATION=<PATH>

STATLOGLOCATION=<PATH>

You can specify log levels both from the service itself (LEVEL) and from the Java classes (EXTENSIONLEVEL).

<LEVEL> can have one of the following values:

• NONE

• FATAL

• ERROR

• WARNING

• INFO

• DEBUG

• ALL

The default location for the logs is <work area>\logs. The files are called operation.trc, audit.trc and stat.trc. You can specify different locations for the log files with <PATH> in the standalonelog.prop file.

The <PATH> is the complete path, including file name. Make sure you use two backslashes (\\) in the path, for instance c:\\temp\\operation.trc. You can also use single forward slashes as on Unix, for instance c:/temp/operation.trc.

4.2.3 Verifying that the server is available

You can verify the availability of the server both when it is running in standalone service mode on Microsoft Windows and when it is deployed on SAP NetWeaver AS Java.

When running in standalone mode, you use "Services" in the Control Panel to see the status of the service. The service is identified with the service name you specified for the configuration.

When deploying a configuration on SAP NetWeaver AS Java, you use the SAP NetWeaver Administrator to verify the availability of the deployed service. The service is identified with sap.com/vds-<application name>, where <application name> is the name you specified when deploying the configuration.


5 Management of SAP NetWeaver Identity Management

SAP provides you with an infrastructure to help your technical support consultants and system administrators effectively manage all SAP components and complete all tasks related to technical administration and operation.

You can find more information about the underlying technology in the Technical Operations Manual in the SAP Library under SAP NetWeaver.

5.1 Starting and Stopping

5.1.1 Starting and stopping the Identity Center

The Identity Management User Interface is deployed on SAP NetWeaver AS Java and is started and stopped from there.

The processing of jobs and tasks in the Identity Center is controlled by the dispatchers and the event services. You can start and stop any or all of these services.

If the Management Console is installed on the same server as the dispatcher/event service, the dispatcher can be started and stopped from the dispatcher properties.

You can start and stop a dispatcher from the command line with the following commands:

dispatcher_service_<dispatcher name> start

dispatcher_service_<dispatcher name> stop

This will stop the dispatcher, but any running jobs will complete processing.

5.1.2 Starting and stopping the Virtual Directory Server

A Virtual Directory Server configuration can either be deployed as a web service on SAP NetWeaver AS Java or be run locally as an LDAP server.

When deployed locally, the server is started and stopped from the Virtual Directory Server user interface.

When deployed on SAP NetWeaver AS Java the service is controlled by SAP NetWeaver AS Java.

5.2 Software Configuration

5.2.1 Software Configuration – Identity Center

The Identity Center configuration is managed through the Management Console.

5.2.2 Software Configuration – Virtual Directory Server

You use the Virtual Directory Server user interface to create and maintain the configurations.

5.3 Administration Tools

See Section 4, Monitoring of Identity Management.


5.4 Backup and Restore

You need to back up your system landscape regularly to ensure that you can restore and recover it in case of failure.

The backup and restore strategy for your system landscape should not only consider SAP systems but should also be embedded in overall business requirements and incorporate your company’s entire process flow.

In addition, the backup and restore strategy must cover disaster recovery processes, such as the loss of a data center through fire. It is most important in this context that you ensure that backup devices are not lost together with normal data storage (separation of storage locations).

5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server)

This section describes how to back up and restore your Identity Center database on Microsoft SQL Server.

5.4.1.1 Backing up a database

Back up the database using the normal database procedures. See the database documentation for details.

5.4.1.2 Restoring a database

Install the database schema for the database, as described in SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server).

Restore the database using the Microsoft SQL Server database utility for restoring a backup. Select the overwrite option to overwrite the newly installed database. See the database documentation for details.

Make sure there are no conflicts with the database prefixes, as the backup will always restore a database with the same prefix as the one that was backed up.

In most cases, the database user/login mapping will not be correct after this restore. The exception is if the restore is done to the same database installation from which the backup was taken, in which case the internal user IDs will be the same as on the backup. If you are unable to connect to the database from the Management Console, you need to re-establish this mapping.

Restoring the user/login mappings

Restore the user/login mappings according to the table below:

SQL Server login   Database user       Database roles
<prefix>_oper                          db_owner
<prefix>_admin     <prefix>_admin_u    <prefix>_admin_role, <prefix>_delta_rw_role
<prefix>_rt        <prefix>_rt_u       <prefix>_rt_role, <prefix>_delta_rw_role
<prefix>_prov      <prefix>_prov_u     <prefix>_prov_role
<prefix>_user      <prefix>_user_u     <prefix>_user_role, <prefix>_delta_r_role


When all users are connected to the logins, run the script mxmc_update.cmd to set the access control on all the stored procedures. The database should now be available.

Verify that you are able to connect to the restored database with the Management Console and the Identity Management User Interface.
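As an added example that is not part of the SAP guide, the following Transact-SQL script finds the database users that were orphaned by the restore and re-links them to their logins according to the mapping table above. The database name mxmc_db and the prefix mxmc are placeholders (mxmc is the prefix the Oracle schema names on this page use); substitute your own, and create the logins on the target instance before running it.

```sql
-- Added example, not from the SAP guide. Transact-SQL for Microsoft SQL Server.
-- After restoring the Identity Center database on another instance, the
-- database users keep the SIDs of the original logins and become "orphaned".
-- Placeholders: database mxmc_db and prefix mxmc (assumptions); the logins
-- must already exist on this instance.
USE mxmc_db;
GO

-- 1. Which database users no longer match a server login by SID?
SELECT dp.name AS orphaned_user
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'                                   -- SQL-authenticated users
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND sp.sid IS NULL;

-- 2. Re-link each user to its login as in the mapping table above.
ALTER USER mxmc_admin_u WITH LOGIN = mxmc_admin;
ALTER USER mxmc_rt_u    WITH LOGIN = mxmc_rt;
ALTER USER mxmc_prov_u  WITH LOGIN = mxmc_prov;
ALTER USER mxmc_user_u  WITH LOGIN = mxmc_user;

-- 3. <prefix>_oper is listed with db_owner and no separate database user.
--    Assumption: that login owns the database, so ownership is what to restore.
ALTER AUTHORIZATION ON DATABASE::mxmc_db TO mxmc_oper;

-- 4. Role membership is stored inside the database and survives the restore;
--    confirm it matches the table before running mxmc_update.cmd.
SELECT u.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE u.name LIKE 'mxmc[_]%'
ORDER BY u.name, r.name;
```

Re-run step 1 afterwards; the orphan list should be empty before you run mxmc_update.cmd as described above. ALTER USER ... WITH LOGIN requires SQL Server 2005 SP2 or later; on older builds the deprecated sp_change_users_login 'Update_One' does the same re-linking.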

5.4.2 Backing up and restoring an Identity Center database (Oracle)

5.4.2.1 Backing up a database Back up the database using the normal database procedures. See the database documentation for details.

In the Oracle database, the following object types in the MXMC_OPER schema must be backed up:

• Function

• Index

• Package

• Package body

• Procedure

• Sequence

• Synonym (for MXMC_PROV, MXMC_ADMIN, MXMC_RT and MXMC_USER)

• Table

• Trigger

• View

The following security objects must also be backed up:

• Users: MXMC_ADMIN, MXMC_OPER, MXMC_PROV, MXMC_RT, MXMC_USER

• Roles: MXMC_ADMIN_ROLE, MXMC_DELTA_R_ROLE, MXMC_DELTA_RW_ROLE, MXMC_PROV_ROLE, MXMC_RT_ROLE, MXMC_USER_ROLE


5.4.2.2 Restoring a database

Restore the database using the normal database procedures. See the database documentation for details.

5.4.3 Backing up and restoring a Virtual Directory Server configuration

If you use version control and store the configuration file in a database, this database can be backed up using the normal database procedures.

If the configuration is stored in an .XML file, use a file backup tool to back up the configuration file(s).

5.5 Application Copy

How you move a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation Guide – Staging environment.

5.6 Periodic Tasks

There are no automatically scheduled periodic tasks for Identity Management.

There are no specific periodic tasks for the Virtual Directory Server apart from what may be defined for the SAP NetWeaver AS Java where the service is deployed.

The following manual periodic tasks are defined for the Identity Center.

Manual tasks for the Identity Center

Task                                            Tool(s) supporting this task      Recommended frequency   Detailed description
Verify that all services are running            Monitoring tab / User interface   Daily                   Select "Dispatcher Status" to see that all dispatchers are running as expected.
Check logs for failed jobs                      Monitoring tab / User interface   Daily                   Select "Job Status" to verify that no jobs are in error state.
Clean up the table mxp_audit                    Database management tool          Weekly                  See section 5.6.1.
Clean up the table job_execution                Database management tool          Weekly                  See section 5.6.2.
Clean up the table AuditTrail                   Database management tool          Weekly                  See section 5.6.3.
Clean up historic values in the identity store  Database management tool          Monthly                 See section 5.6.4.
Rebuild database indexes                        Database management tool          Monthly                 See section 5.6.5.


5.6.1 Cleaning up the table mxp_audit

The mxp_audit table is used by the provisioning functionality to audit every provisioning request and its status. The table also links provisioning tasks together, typically where sub-tasks are started by OnOk, OnFail, OnChainOK or OnChainFail.

Remove the entries older than a defined date.

5.6.2 Cleaning up the table job_execution

The job_execution table belongs to the delta functionality. Every time a job runs with the delta functionality turned on, a new entry is inserted into this table containing the date/time and key figures about how many entries were added, modified, deleted, failed or unchanged.

Remove the entries older than a defined date.

5.6.3 Cleaning up the table AuditTrail

The AuditTrail table belongs to the delta functionality and keeps an audit of changes at entry level or attribute level. If audit is not turned on, this table stays empty.

If audit is turned on, new records are added when entries are added, modified or deleted. In the Management Console you can set a maximum number of entries to keep in this audit table.

If delta is being used, every execution of a job-pass is added to this table.

Remove the entries older than a defined date.

5.6.4 Cleaning up historic values in the identity store

Any attributes and entries within the identity store that are modified or deleted are stored as historic values in the table mxi_old_values. A configuration parameter on each attribute indicates for how many revisions or for how long this information is kept; the default is to keep historic values for 30 days. The setting is stored either in mxi_attributes.SaveDays or in mxi_attributes.SaveCopies.

If you want to keep the historic values for a long time, the mxi_old_values table may grow very large. There is no automatic moving of historic data to offline storage.

Since historic data is stored in a separate table, it is quite simple to implement a job that moves this information to offline storage by moving entries from mxi_old_values to another database or external storage. The column mxi_old_values.ModifyTime holds the date/time when the attribute was last modified and can be used to select the oldest entries to move.
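As an added example that is not part of the SAP guide, this Transact-SQL script moves historic values older than the default 30 days from mxi_old_values into an archive table and deletes them from the live table in batches. The archive table name mxi_old_values_archive and the batch size are assumptions; ModifyTime is the column the text names. A single fixed cutoff ignores per-attribute SaveDays and SaveCopies settings, so set it to at least the longest retention you have configured. The same pattern applies to the weekly clean-up of mxp_audit, job_execution and AuditTrail, whose timestamp columns this page does not name.

```sql
-- Added example, not from the SAP guide. Transact-SQL for Microsoft SQL Server.
-- Archives rows of mxi_old_values older than 30 days (the default retention
-- named in the text) into mxi_old_values_archive (assumed name) and deletes
-- them from the live table in batches, so locks and log growth stay small.
-- Run with a login that has rights on both tables, for instance <prefix>_oper,
-- and take a database backup first.
SET NOCOUNT ON;

DECLARE @cutoff datetime;
DECLARE @batch  int;
SET @cutoff = DATEADD(day, -30, GETDATE());   -- raise to your longest SaveDays
SET @batch  = 10000;

-- Create the archive table once, copying the column layout only.
-- Caveat: SELECT INTO also copies an IDENTITY property; if mxi_old_values has
-- an identity column, create the archive table by hand without it, otherwise
-- the OUTPUT ... INTO below fails.
IF OBJECT_ID('mxi_old_values_archive') IS NULL
    SELECT * INTO mxi_old_values_archive FROM mxi_old_values WHERE 1 = 0;

-- Dry run: how many rows would move.
SELECT COUNT(*) AS rows_to_archive
FROM mxi_old_values
WHERE ModifyTime < @cutoff;

-- Move the rows. OUTPUT deleted.* INTO copies every deleted row into the
-- archive within the same statement, so a batch either moves its rows
-- completely or not at all.
WHILE 1 = 1
BEGIN
    BEGIN TRANSACTION;
    DELETE TOP (@batch) FROM mxi_old_values
    OUTPUT deleted.* INTO mxi_old_values_archive
    WHERE ModifyTime < @cutoff;
    IF @@ROWCOUNT = 0
    BEGIN
        COMMIT TRANSACTION;
        BREAK;
    END
    COMMIT TRANSACTION;
END

-- Verify: nothing older than the cutoff remains in the live table.
SELECT COUNT(*) AS rows_remaining_before_cutoff
FROM mxi_old_values
WHERE ModifyTime < @cutoff;
```

Keep the archive table in a database with the same access restrictions as the identity store: historic values are the old contents of identity attributes, so moving them does not make them less sensitive. On Oracle the same approach works with INSERT ... SELECT followed by DELETE inside one transaction, since OUTPUT ... INTO is SQL Server syntax.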

5.6.5 Rebuilding database indexes

With heavy usage of the system the database indexes become fragmented, which may decrease performance.

For further information on fragmented indexes and on rebuilding them, refer to the documentation for your database system.
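As an added example that is not part of the SAP guide, the following Transact-SQL query lists the fragmented indexes in an Identity Center database on Microsoft SQL Server and generates the maintenance statement for each. The database name mxmc_db is a placeholder, and the thresholds (reorganize above 5 %, rebuild above 30 %) follow Microsoft's general guidance rather than anything SAP prescribes.

```sql
-- Added example, not from the SAP guide. Transact-SQL for Microsoft SQL Server.
-- Lists fragmented indexes in the Identity Center database and generates an
-- ALTER INDEX statement for each. Database name mxmc_db is a placeholder.
-- Reading sys.dm_db_index_physical_stats needs VIEW DATABASE STATE; running
-- the generated statements needs ALTER on the tables.
USE mxmc_db;
GO

SELECT OBJECT_SCHEMA_NAME(s.object_id)  AS schema_name,
       OBJECT_NAME(s.object_id)         AS table_name,
       i.name                           AS index_name,
       s.avg_fragmentation_in_percent,
       s.page_count,
       'ALTER INDEX ' + QUOTENAME(i.name)
         + ' ON ' + QUOTENAME(OBJECT_SCHEMA_NAME(s.object_id))
         + '.'    + QUOTENAME(OBJECT_NAME(s.object_id))
         + CASE WHEN s.avg_fragmentation_in_percent >= 30
                THEN ' REBUILD;' ELSE ' REORGANIZE;' END AS maintenance_statement
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i
  ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.avg_fragmentation_in_percent > 5
  AND s.page_count > 1000      -- small indexes are not worth the I/O
  AND i.name IS NOT NULL       -- index_id 0 is the heap, not an index
ORDER BY s.avg_fragmentation_in_percent DESC;
```

Run the generated statements in a maintenance window: REBUILD holds a lock on the table for its duration (unless WITH (ONLINE = ON) on editions that support it), which blocks dispatchers writing to the identity store, whereas REORGANIZE is always online and can be interrupted.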


5.7 Load Balancing

5.7.1 Load Balancing – Identity Center

The system landscape XL – Production described in the SAP NetWeaver Identity Management Identity Center Installation overview describes how load balancing is achieved.

5.7.2 Load Balancing – Virtual Directory Server

Load balancing is handled by the SAP NetWeaver AS Java where the service is deployed.

5.8 User Management

The Identity Center creates a number of database users as part of the database installation. This is described in the documents SAP NetWeaver Identity Management Identity Center Installing the database (Microsoft SQL Server/Oracle).

How to manage users for the Identity Management User Interface is described in the document SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface.

How you manage users to access the servers created by the Virtual Directory Server is part of the configuration of the server.

6 High Availability

6.1 High availability for the Identity Center

The system landscape XL – Production described in the SAP NetWeaver Identity Management Identity Center Installation overview describes how to achieve high availability.

6.2 High availability for the Virtual Directory Server

High availability for the Virtual Directory Server is achieved by deploying the configuration on SAP NetWeaver. How to configure SAP NetWeaver for high availability is described in the documentation for SAP NetWeaver.


7 Software Change Management

7.1 Software Change Management for the Identity Center

How you move a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation guide – Staging environment.

7.2 Upgrading the Identity Center

This is described in the document SAP NetWeaver Identity Management Identity Center Installation overview.

7.3 Upgrading the Virtual Directory Server

This is described in the document SAP NetWeaver Identity Management Virtual Directory Server Installation and initial configuration.

There is no downtime involved in upgrading the software itself. An updated configuration can be deployed while the service is running. Updating the server software itself (SAP NetWeaver) must be done according to the documentation for SAP NetWeaver.


8 Troubleshooting

The following problem analysis scenarios are available for SAP NetWeaver Identity Management:

• Identity Center: Dispatcher fails to start

• Identity Center: Timeout issues

• Identity Center: Insufficient dispatcher memory

• Identity Center: Codepage <number> not supported by JAVA-environment

• Identity Center: Error messages from jobs accessing ABAP systems

• Identity Management User Interface: Java runtime exception when logging in

• Identity Management User Interface: Error message about missing database columns or procedures

• Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"

• Virtual Directory Server: Application starts, but later fails with "No driver for database"

• Virtual Directory Server: Server doesn’t start

• Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails

8.1 Identity Center: Dispatcher fails to start

8.1.1 Problem Description

The dispatcher fails to start.

8.1.2 Solution

Run the following command to verify the dispatcher configuration:

Dispatcher_Service_<dispatcher name> test checkconfig

Verify that the dispatcher finds all necessary JDBC drivers.

Run the following command to start the dispatcher in test mode:

Dispatcher_Service_<dispatcher name> test

Check for error messages from the dispatcher in the console window.

For Microsoft Windows:

• Increase the log level in the dispatcher property file to get more logging.

• Make sure that the JDBC connection string for the runtime engine is correct.

For Unix:

• Always use SAPJVM 5.

• Make sure all values in dispatcher.prop file are set correctly.


8.2 Identity Center: Timeout issues

8.2.1 Problem Description

A job fails with an error message indicating there was a timeout problem.

8.2.2 Solution

• Increase the Identity Center's timeout values on the "Options" tab of the Identity Center properties.

• If the timeout comes from a directory server, adjust the size limit, time limit or page size in the properties of the "From LDAP pass".

8.3 Identity Center: Insufficient memory

8.3.1 Problem Description

A job fails with an error message indicating insufficient memory.

8.3.2 Solution

You need to increase the available memory by modifying the .prop file for the dispatcher.

Add the following to JAVAOPTIONS:

JAVAOPTIONS=-Xmx256m

Reinstall the dispatcher(s).

If you need to have more than one option in the JAVAOPTIONS string, make sure that MXDISPATCHER_EXECSTRING is set to 1, for instance MXDISPATCHER_EXECSTRING=1.


8.4 Identity Center: Codepage <number> not supported by JAVA-environment

8.4.1 Problem Description

This error message appears when running a job with a SELECT statement against a Microsoft SQL Server database.

8.4.2 Solution

This indicates that the current Java Runtime Environment does not support the server collation of the database. The setting for the server collation can be found in the Microsoft SQL Server Management Studio. View the "Server Properties" of the database and select "General". The "Server Collation" property shows the current server collation of the database.

You need to make sure that you have /lib/charsets.jar installed. Depending on which Java Runtime Environment you are using, this is done in different ways.

The recommended Java Runtime Environment is SAP JVM 5 that will support most collations.

If you are using Sun's Java Runtime Environment, you need to make sure that you have lib/charsets.jar installed. For information see http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

This extended encoding set is an installation option when installing the Sun Java Runtime Environment. To install /lib/charsets.jar do the following:

1. Choose Start/Settings/Control Panel/Add and Remove Programs.

2. Select the component Java 2 Runtime Environment.

3. Choose "Change" to start the installation wizard.

4. Run through the wizard and select "Modify".

5. Add "Support for Additional Languages".

6. Complete the wizard.


8.5 Identity Center: Error messages from jobs accessing ABAP systems

8.5.1 Problem Description

A job accessing an ABAP system fails with the error message "Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'". Possible reasons for this are:

• No library found (library not referenced in shared library path)

• Wrong library version

• Wrong platform

8.5.2 Solution

Check the path to the JCo library in the shared library path. For more information see the installation documentation for JCo.

8.6 Identity Management User Interface: Java runtime exception when logging in

8.6.1 Problem Description

Users get a Java runtime exception when logging in.

8.6.2 Solution

Verify that all JMX settings are set correctly according to the document SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface.

8.7 Identity Management User Interface: Error message about missing database columns or procedures

8.7.1 Problem Description

Users get error messages about missing database columns or procedures.

8.7.2 Solution

This may be due to a mismatch between the database schema and the user interface. Make sure you have upgraded the database schema to the same version as the User Interface.


8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"

8.8.1 Problem Description

The CLASSPATH appears to be correct, but the CLASSPATH is written to the registry only when the service is created, so changes made afterwards are not seen by the installed service.

8.8.2 Solution

Uninstall and reinstall the service so that the current CLASSPATH is written to the registry.

8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database"

8.9.1 Problem Description

The error message "No driver for database" appears in the operation log.

8.9.2 Solution

Verify that all necessary database drivers are available. All back-end API JAR files must also be available.

8.10 Virtual Directory Server: Server doesn’t start

8.10.1 Problem Description

An error message is displayed in the message pane in the user interface: Couldn't find class <class name>.

This indicates that the class used by the configuration is not compiled.

8.10.2 Solution You can solve this in one of two ways:

• Open each of the offending classes and compile from the class editor.

• Choose Tools/Options… and select "Compile classes on startup". Start the server to compile the classes. Turn the setting off again afterwards.

Generally, it is recommended to choose Tools/Check config… before you start the server.


8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails

8.11.1 Problem Description

A: Typically, when testing on a local server, the IP address of the server is set to localhost, which no longer points at the right host once the configuration runs on a remote SAP NetWeaver server.

B: The necessary drivers are not transported to the SAP NetWeaver server.

8.11.2 Solution

A: Change the address when deploying the configuration on a remote SAP NetWeaver server.

B: Create a \lib folder in the configuration's work area. Copy all necessary drivers and JAR files there and redeploy the configuration.
