SAP NW Identity Manager With Lotus Notes

SAP NetWeaver® Identity Management Identity Center
Lotus Notes connector for SAP Provisioning Framework Configuration Guide
Version 7.2 Rev 3


© 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


© Copyright 2014 SAP AG. All rights reserved.

Preface

The product
SAP NetWeaver Identity Management Identity Center is a high-end identity management solution, capable of handling a large number of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories.

Using the Lotus Notes connector, SAP NetWeaver Identity Management can provision users and groups to Lotus Notes and the Domino server. This is done by implementing a provisioning solution based on templates in the Identity Center. The solution integrates with the provisioning framework for SAP systems, which also facilitates the use of other back-end systems.

The reader
This manual is intended for people who wish to implement a provisioning solution for Lotus Notes and Domino server using the Lotus Notes connector.

Prerequisites
To get the most benefit from this manual, you should have the following knowledge:

Knowledge of the Identity Center, and of the Lotus Notes and Domino server.

The following software is required (or recommended):

Windows 2003/2008 server.

SAP NetWeaver Identity Management Identity Center 7.2 SP9 (or newer) is correctly installed and licensed.

Lotus Notes 8.5 or newer installed on the same machine as the Identity Center.

Lotus Domino server 8.5 or newer.

The manual
This document describes a process integrating Lotus Notes/Domino with SAP NetWeaver Identity Management.

Related documents
You can find useful information in the following documents:

Identity Management for SAP System Landscapes: Architectural Overview

Identity Management for SAP System Landscapes: Configuration Guide


Table of contents

SAP NetWeaver® Identity Management Identity Center Lotus Notes connector for SAP Provisioning Framework Configuration Guide ... 1
Introduction ... 1
Section 1: Connector overview ... 3
Section 2: Preparing the import ... 10
Section 3: Importing the connector ... 18
Section 4: Configuring the connector ... 26
Section 5: Using the ID vault ... 35
Section 6: Provisioning using Lotus Notes connector ... 38
Appendix A: Adding new attributes ... 51
Appendix B: Configuring user creation tasks ... 53


Introduction
This document describes how you integrate SAP NetWeaver Identity Management and Lotus Notes/Domino.

Using this solution, SAP NetWeaver Identity Management can provision users and groups to a Lotus Domino server. The Lotus Notes connector has the following functionality:

User creation

User modification

Renaming of a user

User deletion

Group assignment for a user

Group creation

Group deletion

The solution integrates with the provisioning framework for SAP systems.

The configuration process described in this document consists of:

Importing the connector with preconfigured attributes using templates.

Manually configuring the imported connector.

Figure 1 Architecture


Section overview

Section 1: Connector overview
In this section you get an overview of the connector: which entry types, attributes, and tasks and jobs are used.

Section 2: Preparing the import
The preparations that are necessary in order to make the import process as smooth as possible are described in this section.

Section 3: Importing the connector
In this section you see how to import the connector.

Section 4: Configuring the connector
The manual configurations after the import are described in this section.

Section 5: Using the ID vault
The section describes the ID vault functionality and how it is configured.

Section 6: Provisioning using Lotus Notes connector
This section describes how to provision/de-provision and modify users and groups using the Lotus Notes connector.

Appendix A: Adding new attributes
This section shows how you can add new Lotus Notes attributes.

Appendix B: Configuring user creation tasks
This section shows you how you can control/change the user creation process behavior by setting or removing flags on the user creation tasks.


Section 1: Connector overview
The Lotus Notes connector for the provisioning framework for SAP systems is a set of templates that you can reference when you implement the provisioning solution for your Lotus Domino server.

Before you start configuring and working with the connector, you should familiarize yourself with its structure and contents. You should be familiar with:

The entry types that you will be working with.

The connector specific attributes defined.

Tasks and jobs to work with the entry types.

These aspects are described in the sub-sections that follow.

Entry types
The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center.

The Lotus Notes connector provisions users and groups. The related MX_PERSON and MX_GROUP entry types have been extended with a minimum set of Lotus Notes attributes.

The entry types used are:

MX_PERSON
This entry type is used for user objects in the system. The Lotus Notes connector extends this entry type with a minimum set of Lotus Notes attributes.

MX_GROUP
This entry type is used to store Lotus Notes groups. The Lotus Notes connector extends this entry type with a minimum set of Lotus Notes attributes.


Attributes
There is a number of connector-specific attributes, i.e. attributes used by the Lotus Notes connector. This is only a minimum set of attributes, and additional attributes can be added. Appendix A: Adding new attributes at the end of this document (on page 51) shows you how to extend the set with more attributes if needed. A complete list of the available attributes can be seen in the Identity Center's identity store (schema). For information about all identity store attributes, see the document SAP NetWeaver Identity Management Identity Center Identity store schema – Technical reference.

Lotus Notes specific attributes in the schema definition are listed below (attribute, entry type(s) that use it, description):

MX_NOTES_CERTIFIER_FILE (MX_PERSON): The certifier file used for creating the user.

MX_NOTES_CERTIFIER_PWD (MX_PERSON): The certifier password for the certifier file.

MX_NOTES_CLIENTTYPE (MX_PERSON): Maps the client type field in the Lotus Notes address book.

MX_NOTES_COUNTRYCODE (MX_PERSON): Country code of the full name, where the user was created.

MX_NOTES_EXPIRATIONDATE (MX_PERSON): Holds the user ID file expiration date.

MX_NOTES_FULLNAME (MX_PERSON): Entry's full name, which also represents the entry's location, e.g. cn=Torkil Torkilsen/o=sap.

MX_NOTES_GROUP_GROUPTYPE (MX_GROUP): Lotus Notes group types, values 0-4.

MX_NOTES_GROUP_GROUPTYPE_DISPLAY (MX_GROUP): Readable Lotus Notes group types. Legal values: Access Control List only, Deny List only, Mail only, Multi-purpose and Server only.

MX_NOTES_GROUP_LISTNAME (MX_GROUP): The attribute holds the name of the group in Lotus Notes.

MX_NOTES_IDFILE (MX_PERSON): The ID file of the user.

MX_NOTES_INACTIVE (MX_PERSON, MX_GROUP): Holds a flag that indicates whether a given user (or group) has been deleted in Lotus Notes.

MX_NOTES_IN_VAULT (MX_PERSON): Holds a flag that indicates that a given user is stored in the ID vault on the Lotus Domino server.

MX_NOTES_MAILADDRESS (MX_PERSON): The attribute holds the information from the mail address field in the Lotus Notes address book.

MX_NOTES_MAILDOMAIN (MX_PERSON): Entry's mail domain.

MX_NOTES_MAILFILE (MX_PERSON): Entry's mail file (e.g. mail\TTork).

MX_NOTES_MAILSERVER (MX_PERSON): The IP address of the mail server.

MX_NOTES_MAILSYSTEM (MX_PERSON): The user's mail system, such as Lotus Notes, CcMail, Vim.

MX_NOTES_NOTEID (MX_PERSON, MX_GROUP): The ID of the note (Lotus Notes object) on the Lotus Domino server.

MX_NOTES_OID (MX_PERSON, MX_GROUP): Holds the originator ID in Lotus Notes.

MX_NOTES_OLD_PASSWORD (MX_PERSON): The attribute is used to hold the old password (encrypted) of the user's ID file.

MX_NOTES_OLDFULLNAME (MX_PERSON): User's name before name change.

MX_NOTES_ORG (MX_PERSON): Organization of the user.

MX_NOTES_ORGUNIT (MX_PERSON): Organization unit of the user.

MX_NOTES_OWNER (MX_PERSON): Owner of the Lotus Notes object. Entry reference of MX_PERSON.

MX_NOTES_PATH_IDFILE (MX_PERSON): Local path to the user's ID file.

MX_NOTES_POLICY (MX_PERSON): Holds a server policy, if a user with a specific server policy is created.

MX_NOTES_REGFULLNAME (MX_PERSON): User's full name used at initial user registration.

MX_NOTES_ROAMINGSERVER (MX_PERSON): The attribute is used to hold the information about the roaming server, in cases where a roaming user is created.

MX_NOTES_SERVERNAME (MX_PERSON): Full name of the server.

MX_NOTES_SHORTNAME (MX_PERSON): User's short name (e.g. TTork).

MX_NOTES_UNID (MX_PERSON, MX_GROUP): The unique ID for the Lotus Notes object in Lotus Notes.


The following is the mapping overview between the Identity Management and the Lotus Notes attributes for entry type MX_PERSON (the X marks in which of the create, modify and rename operations the attribute is written):

Identity Management attribute Lotus Notes attribute Create user Modify user Rename user

DESCRIPTION Comment X X

MX_ADDRESS_CITY City X

MX_ADDRESS_COUNTRY Country X

MX_ADDRESS_POSTAL_CODE Zip X

MX_ADDRESS_STREETADDRESS StreetAddress X

MX_LANGUAGE PreferredLanguage X X

MX_DEPARTMENT Department X

MX_FAX_PRIMARY HomeFaxPhoneNumber X

MX_FIRSTNAME Firstname X X

MX_INITIALS MiddelInitials X X

MX_LASTNAME LastName X X

MX_LOGON_ALIAS NetUsername X

MX_MAIL_PRIMARY InternetAddress X

MX_MOBILE_PRIMARY CellPhoneNumber X

MX_NOTES_FULLNAME Fullname Affected Affected

MX_NOTES_MAILADDRESS MailAddress X X

MX_NOTES_MAILDOMAIN MailDomain

MX_NOTES_MAILFILE MailFile X

MX_NOTES_MAILSERVER MailServer

MX_NOTES_MAILSYSTEM MailSystem X

MX_NOTES_SHORTNAME ShortName X X

MX_PAGER_PRIMARY PhoneNumber_6 X

MX_PASSWORD <password for the ID file>

MX_PHONE_PRIMARY PhoneNumber X

MX_SALUTATION Title X

MX_TITLE JobTitle X

The following is the mapping overview between the Identity Management and the Lotus Notes attributes for entry type MX_COMPANY_ADDRESS:

Identity Management attribute Lotus Notes attribute Create user Modify user Rename user

DISPLAYNAME CompanyName X

MX_ADDRESS_CITY OfficeCity X

MX_ADDRESS_COUNTRY OfficeCountry X

MX_ADDRESS_BUILDING OfficeNumber X


Tasks and jobs

Task templates
The Lotus Notes connector provides a set of task templates that you can refer to when creating the tasks to use for identity management. These templates are divided into the following categories:

Web Enabled Tasks
This group contains task templates for User Interface tasks, i.e. the tasks visible from the User Interface.

Notes Tasks
This group includes task templates that are specific to Lotus Notes. The tasks in this group interact directly with Lotus Notes.

Plugins
This group contains task templates for tasks that constitute the logic of the connector.

IDVault
This group contains task templates for tasks that are used for ID vault functionality.

Link global NOTES Service VBscripts here
This task (a dummy task) is used to link the references to global VB scripts.

Link global NOTES Service JSscripts here
This task (a dummy task) is used to link the references to global JS scripts.


Job templates
The connector also provides a set of templates that you can use for setting up jobs. The following jobs are supported:

1. NOTES - initiate certifier table
The job constant PATH should point to the location of your certifier ID files. The job will load this information into the mxmc_rt_role.certifiers table. After the certifier IDs have been loaded into the mxmc_rt_role.certifiers table, update the "CPASS" column to contain the password of the certifiers.

2. NOTES - add DN to certifier table
When this job runs, the distinguished name of the certifier is retrieved and the password is encrypted.

3. NOTES - load certifiers from Notes
As the name of the job implies, the job loads certifiers from Lotus Notes. The job constants DOMINO_DATABASE and DOMINO_SERVER need to be correctly defined for the job.

4. NOTES - merge certifiers
Merges the certifier information from Lotus Notes and the mxmc_rt_role.certifiers table. The result is available in the mxi_attrValueHelp table so it can be accessed by the User Interface task(s).

NOTES - load policies from notes
The job loads the policy information into the mxi_attrValueHelp table so it can be accessed by the User Interface task(s). The job constants DOMINO_DATABASE and DOMINO_SERVER need to be correctly defined for the job.

NOTES - load servers from notes
The job loads the server information into the mxi_attrValueHelp table so it can be accessed by the User Interface task(s). The job constants DOMINO_DATABASE and DOMINO_SERVER need to be correctly defined for the job.

NOTES – System load
This job creates the basic privileges needed for provisioning to Lotus Notes and retrieves the identity information (loads users and groups) from Lotus Notes. The job constants DOMINO_DATABASE and DOMINO_SERVER need to be correctly defined for the job.

NOTES – Initial setup (optional)
This job creates the basic privileges for user and group provisioning to Lotus Notes. The job is optional, and is used when you do not need or want to load the users and groups from Lotus Notes but just create the necessary privileges. Usually, the job NOTES – System load is used.

NOTES – Extract and recover user ID files
This job contains two passes. The pass "extract user id files" reads the Lotus Notes ID file from the user (if the attachment exists on the user on the Lotus Domino server) and performs a recovery of the ID file. The pass "update user id on entry" updates the MX_PERSON object in the identity store with the new password and the recovered ID file.

Note:
This job does not work with vault-enabled users. It handles users with password recovery information only.

NOTES – Load IDs from vault
This job loads IDs from the ID vault on the Lotus Domino server and stores them on the Identity Management server. The job should be run after the system load. For more information about the ID vault functionality, see Section 5: Using the ID vault on page 35.


Connector limitations
The following is a list of known limitations for the Lotus Notes connector:

Users:

Roaming of users is supported but with limited functionality, i.e. the connector can create roaming users but does not support other functionality such as changing the roaming state.

Replication scenarios are not supported.

The connector does not provide approval tasks.

There is no rollback for modifications performed on a user in case of error.

Groups:

No support for hierarchical groups.

Lotus Notes groups have a limit of 32kb of member space. Writing more than 32kb of member space to a group in Lotus Notes fails.

Password/certification:

The Internet password is not set/provisioned by the Identity Management.

The connector does not provide mechanisms for moving users between certifiers.

The connector does not do cross-certification.

Other:

The connector does not deal with additional Lotus Notes services, such as the Sametime server.

The adminp requests towards the Lotus Domino server are not processed immediately.

Only a limited set of Lotus Notes attributes is supported for users and groups (see section Attributes on page 4 for the attribute list).

The dispatcher must run on the same machine as the Identity Management and the Lotus Notes client library.

The Lotus Notes connector supports up to three (3) recovery authorities.

Note:
In Lotus Domino you can set up recovery authorities. After recovery information has been configured, newly created users will have recovery information that enables recovery authorities to set a new password for the user ID files. Already existing users will not have recovery information set.


Section 2: Preparing the import
In order to make the import process and the execution of the necessary steps as smooth as possible, we need to do some preparations. This section covers:

Lotus Notes setup

Preparing the Identity Center for the Lotus Notes integration

Encryption

Lotus Notes setup
You should already have an installed version of the Lotus Notes client library. We recommend installing Lotus Domino Designer, which contains both the client library and the administrator console.

In order to prepare it for usage by the Identity Center do the following:

The Lotus Notes connector will generate ID files for the users provisioned to Lotus Notes and maintain them locally. For this, create a folder reserved for these ID files (e.g. C:\Lotus\IDS\<host>\users).

It will also be necessary to obtain an ID and CERT file for the Identity Management system. For a small test system you can use the admin.id and cert.id generated by the server installation. In real-world scenarios you would likely be given a user with manager privileges and would have to contact your local Lotus Notes administrator for access. Paths to both admin.id and cert.id (there may be more than one cert.id file) need to be configured. The path to admin.id is configured in the global constant EXTIDFILE for the "Standalone jobs" node (see the section on adding the global constants in the Identity Center Management Console below for more). The admin.id is the ID that will be used for all Identity Management operations; it does not have to be an administrator, but it has to have proper manager access in Lotus Notes. The cert.id file(s) are configured in the repository constant DOMINO_ADMINP_CERT (see section Creating and configuring the NOTES repository definition on page 20 for details). The cert.id file(s) are needed when you create users, and are basically used to assign the users to certain domains.

Please verify your Lotus Notes connectivity and the ID files through the Lotus Domino Administrator console.

In order for the Lotus Notes connector to run unattended you must do as follows: Copy the file MXEXTPWD.DLL from the Identity Center installation directory (C:\usr\sap\IdM\Identity Center) to the Lotus Notes installation directory.

Add the following line under the "[Notes]" section of the file notes.ini (the file is located in the Lotus Notes installation directory):

EXTMGR_ADDINS=MXEXTPWD.DLL

Note:
If you do not use the Lotus Domino Designer and its provided client library, the notes.ini might be located in %LOCALAPPDATA%\Lotus\Notes\Data only. In that case, you should copy the notes.ini file to the Lotus Notes installation directory and apply the modifications. It is however recommended to use the Lotus Domino Designer provided client library as it also includes the administrator console.
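The notes.ini step above is easy to get wrong when another product has already registered an extension manager add-in on the same line. As an added example (not part of this guide), the following Python helper makes the edit idempotent; it assumes that EXTMGR_ADDINS takes a comma-separated list of DLL names and that the sample notes.ini contents shown are constructed.

```python
# Idempotently register MXEXTPWD.DLL in the EXTMGR_ADDINS line of notes.ini.
# Assumption: EXTMGR_ADDINS is a comma-separated list of extension manager DLLs.

ADDIN = "MXEXTPWD.DLL"


def add_extmgr_addin(ini_text, dll=ADDIN):
    """Return notes.ini text with `dll` listed in EXTMGR_ADDINS under [Notes].

    - An existing EXTMGR_ADDINS line is extended only if `dll` is not already
      listed (case-insensitive), so other products' add-ins are preserved.
    - If [Notes] exists but has no EXTMGR_ADDINS line, one is inserted directly
      below the section header.
    - If there is no [Notes] section at all, one is appended with the line.
    The input is returned unchanged when the add-in is already registered.
    """
    lines = ini_text.splitlines()
    section_start = None
    section_end = len(lines)
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if section_start is not None:
                section_end = i        # first header after [Notes] ends it
                break
            if stripped[1:-1].strip().lower() == "notes":
                section_start = i

    if section_start is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines += ["[Notes]", "EXTMGR_ADDINS=" + dll]
        return "\n".join(lines) + "\n"

    for i in range(section_start + 1, section_end):
        key, sep, value = lines[i].partition("=")
        if sep and key.strip().upper() == "EXTMGR_ADDINS":
            entries = [e.strip() for e in value.split(",") if e.strip()]
            if dll.lower() in (e.lower() for e in entries):
                return ini_text    # already registered: nothing to do
            lines[i] = "EXTMGR_ADDINS=" + ",".join(entries + [dll])
            return "\n".join(lines) + "\n"

    lines.insert(section_start + 1, "EXTMGR_ADDINS=" + dll)
    return "\n".join(lines) + "\n"


# Constructed sample notes.ini fragments (not from a real installation).
SAMPLE_PLAIN = "[Notes]\nDirectory=C:\\Lotus\\Notes\\Data\n"
SAMPLE_WITH_OTHER_ADDIN = "[Notes]\nEXTMGR_ADDINS=OTHER.DLL\n"

if __name__ == "__main__":
    print(add_extmgr_addin(SAMPLE_PLAIN))
    print(add_extmgr_addin(SAMPLE_WITH_OTHER_ADDIN))
```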


Preparing the Identity Center for the Lotus Notes integration
In order to make the import process and the execution of the necessary steps as smooth as possible, we need to do some preparations in the Identity Center.

Adding the global constants
A set of global constants needs to be defined under the "Standalone jobs" node (and not under the Identity Center node) in the console tree in the Identity Center Management Console.

The following global constants need to be defined:

EXTDB
ODBC native connection string to the Identity Center database (the constant value may be triple DES encrypted). For more information see the section Connection string below. Used for recertification only.

EXTDEBUG
(Optional) Used to obtain debugging details regarding the password manager. Its value should be set to the full path of the debug log file folder. The system variable DSE_HOME must be configured to point to the Identity Center folder (see section Setting the system environment variables PATH and DSE_HOME on page 15). As this option generates a lot of log output and may degrade the performance of the system, it is recommended to keep it disabled by default.

EXTIDFILE
Path to the user ID file used for provisioning (admin.id). EXTPWD should be the password of this ID file.

EXTOWNER
Value of the ID file's (EXTIDFILE) full name. The full name must use the distinguished name syntax, e.g. CN=Administrator/O=sap/C=DE. Most server requests (except the recertify) should match on the owner value. If in doubt, check the debug file (EXTDEBUG option).

EXTPWD
The Identity Management login password for the user ID file specified by the constant EXTIDFILE (the constant value may be triple DES encrypted).

EXTREPDIR
Points to a dedicated folder for replication of the provisioning ID file. Ending with "\" for the directory, e.g. C:\Lotus\repdir\. If you change the service account (the ID file used for the Identity Management), the contents of this folder should be deleted, whereupon it will be regenerated.


The global constants may look something like this in the Identity Center Management Console:

These global constants are written to the GVar.ini file, located in the Identity Center installation directory and available to the external DLL used in Lotus Notes.

Note:
This is also the reason why these global constants are defined under the "Standalone jobs" node and not for the Identity Center: the global constants under the "Standalone jobs" node are written to the file GVar.ini, while the global constants under the Identity Center node are stored in the database table mc_global_variables, which is not available from the external DLL used in Lotus Notes.

Review the GVar.ini file and make sure that all the defined global constants are added to this file.
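A practical way to review the constants is to check them against the rules in the table above before the first job run. The following Python check is an added example, not code from the guide: it validates the presence of the required EXT* constants, the trailing backslash of EXTREPDIR, the .id suffix of EXTIDFILE, and the Notes distinguished name syntax required for EXTOWNER (the same CN/OU/O/C syntax that MX_NOTES_FULLNAME in the attribute table uses). It assumes the caller has already read the constants into a dict; the sample values are constructed.

```python
import re

# Global constants the guide requires under the "Standalone jobs" node.
REQUIRED = ("EXTDB", "EXTIDFILE", "EXTOWNER", "EXTPWD", "EXTREPDIR")

# One component of a Lotus Notes hierarchical name, e.g. "CN=Administrator".
COMPONENT_RE = re.compile(r"^(CN|OU|O|C)=([^/=]+)$", re.IGNORECASE)


def parse_notes_name(name):
    """Parse a Notes distinguished name such as CN=Administrator/O=sap/C=DE.

    Returns {"CN": ..., "OU": [...], "O": ..., "C": ... or None}.
    Raises ValueError if a component is not KEY=value, a component repeats,
    CN or O is missing, or the order is not CN / OU* / O / optional C.
    """
    comps = {"CN": None, "OU": [], "O": None, "C": None}
    order = []
    for part in name.split("/"):
        match = COMPONENT_RE.match(part.strip())
        if not match:
            raise ValueError("not in distinguished name syntax: %r" % part)
        key, value = match.group(1).upper(), match.group(2).strip()
        if key == "OU":
            comps["OU"].append(value)
        elif comps[key] is not None:
            raise ValueError("duplicate component %s" % key)
        else:
            comps[key] = value
        order.append(key)
    if comps["CN"] is None or comps["O"] is None:
        raise ValueError("CN and O components are required")
    expected = ["CN"] + ["OU"] * len(comps["OU"]) + ["O"]
    if comps["C"] is not None:
        expected.append("C")
    if order != expected:
        raise ValueError("components out of order: %s" % "/".join(order))
    return comps


def check_global_constants(constants):
    """Return a list of findings for the EXT* constants; an empty list means OK.

    `constants` maps constant name -> value (assumption: already read from
    GVar.ini by the caller). Encrypted values are not inspected.
    """
    findings = []
    for key in REQUIRED:
        if not constants.get(key):
            findings.append("%s is missing or empty" % key)
    if constants.get("EXTDEBUG"):
        findings.append("EXTDEBUG is set: verbose logging, keep it disabled unless troubleshooting")
    idfile = constants.get("EXTIDFILE", "")
    if idfile and not idfile.lower().endswith(".id"):
        findings.append("EXTIDFILE does not name an .id file: %s" % idfile)
    repdir = constants.get("EXTREPDIR", "")
    if repdir and not repdir.endswith("\\"):
        findings.append("EXTREPDIR must end with a backslash: %s" % repdir)
    owner = constants.get("EXTOWNER", "")
    if owner:
        try:
            parse_notes_name(owner)
        except ValueError as err:
            findings.append("EXTOWNER: %s" % err)
    return findings


# Constructed sample values, not taken from any real installation.
SAMPLE_CONSTANTS = {
    "EXTDB": "DSN=IDS;UID=mxmc_rt;PWD=<password>;",
    "EXTIDFILE": "C:\\Lotus\\IDS\\host1\\admin.id",
    "EXTOWNER": "CN=Administrator/O=sap/C=DE",
    "EXTPWD": "<password>",
    "EXTREPDIR": "C:\\Lotus\\repdir\\",
}

if __name__ == "__main__":
    for line in check_global_constants(SAMPLE_CONSTANTS) or ["EXT* constants look consistent"]:
        print(line)
    print(parse_notes_name("cn=Torkil Torkilsen/o=sap"))
```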

Connection string
The value of the global constant EXTDB should be in an ODBC native connection string format, e.g.:

MS SQL Server, option 1 (requires a 32-bit version of the SQL Native Client library):
Driver={SQL Native Client};Server=10.0.0.1;Database=mxmc_db;Uid=mxmc_rt;Pwd=password;

MS SQL Server, option 2 (same connection string setup as for Oracle):
DSN=IDS;UID=mxmc_rt;PWD=password;

Oracle:
DSN=IDS;UID=mxmc_rt;PWD=password;


Note:
While the connection string for Microsoft SQL Server may be entered into the global constant directly, it is different for the Oracle database. You need to use the Microsoft ODBC Administrator to create a new data source, which can then be referred to from the connection string defined in the global constant (e.g. DSN=IDS;UID=mxmc_rt;). The password is not defined as part of the data source creation. Run the Microsoft ODBC Administrator using C:\Windows\SysWOW64\odbcad32.exe on 64-bit systems (on 32-bit systems the folder "System32" is used instead of "SysWOW64").

Defining a valid dispatcher
Ensure that you have at least one valid dispatcher. The name should be unique for all your identity store configurations. Both Windows and Java jobs should be defined for it. To make sure that this is the case, do the following:

1. Select "Dispatchers" under the "Management" node in the console tree and expand it.

2. Select the valid dispatcher to reveal its details pane.

3. Select the "Policy" tab.

Make sure that the boxes "Run provisioning jobs" and "Run regular jobs" are selected for both the Java runtime engine and the Windows runtime engine.

4. Choose "Apply".


Enabling interactive mode on the dispatcher
You should allow the dispatcher to run in interactive mode. Do the following:

1. Go to Start/Control Panel/Administrative Tools/Services.

2. Select the Lotus Notes dispatcher (MxDispatcher_notes) and view the properties.

3. Select the "Log On" tab:

Select "Allow service to interact with desktop".


Note:
You may run the dispatcher service as a specific user instead of using the system account. In that case, configure the "This account" option and fill in the necessary fields in the dispatcher properties dialog box.

4. Choose "Apply" and then "OK".

Setting the system environment variables PATH and DSE_HOME
In order for the C-API functionality to be loaded at run time you must include it in the environment path variable (PATH). Also the system environment variable DSE_HOME needs to be created. Do the following:

1. Go to Control Panel/System.

2. Select the "Advanced" tab.

3. Choose "Environment Variables".

4. Edit the system environment variable PATH and include the location of Lotus Notes (path to the client library folder, which contains nnotes.dll among others), for example C:\lotus\notes\. Choose "OK" to save the changes made to the variable.

5. Choose "New…" to create a new system variable. Enter DSE_HOME as the variable name and set its value to point to the Identity Center folder (the install directory), e.g. C:\usr\sap\IdM\Identity Center. Choose "OK" to save the new system variable.

EncryptionNote that the password hook handler only supports triple DES encryption on the constant, so ifyou choose to encrypt the value make sure that the triple DES encryption has been enabled first– see the section Enabling triple DES encryption of the user passwords below.

If you forgot this, delete the constant, change the encryption to triple DES as shown in theabovementioned section below and create the constant again.

You should also verify that the Identity Center installation has DES keys available in <Identity Center installation directory>\Key\Keys.ini.

See the help topic "About Encryption" in the Identity Center help file for more information about encryption.

Enabling triple DES encryption of the user passwords

The Lotus Notes connector uses triple DES encryption for the Lotus Notes user password, so that the password can be recovered for change password requests. Enable this in the Identity Center:

1. In the identity store's details pane, select the "Password policy" tab.

Select "Enable password provisioning".

2. Choose "Apply".

3. Select Tools/Options… from the toolbar in the general pane.

Select "DES3/CBC" as the encryption algorithm in the "Encryption algorithm" field.

4. Choose "OK".

You will also need to install the key file. This file must be accessible by the Identity Management User Interface and all runtime engines in the system, and thus must be maintained centrally (in the Identity Center home directory, e.g. C:\usr\sap\IdM\Identity Center). For more details on key file configuration, review the document SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface.

Note that the Keys.ini file serves as a sample. You should update the keys stored in this file. See the document SAP NetWeaver Identity Management Security Guide for more information.

SAP provisioning framework

Having the provisioning framework for the SAP systems available in the Identity Center Management Console is a prerequisite before importing the Lotus Notes connector to your system. See the documents SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide and SAP NetWeaver Identity Management for SAP System Landscapes: Technical Overview for more details.

If you are upgrading your solution with the SAP provisioning framework from SAP NetWeaver Identity Management 7.1 to 7.2, see the document SAP NetWeaver Identity Management for SAP System Landscapes: Upgrading from Identity Management 7.1 to 7.2.

Section 3: Importing the connector

The Lotus Notes connector consists of several parts: the specific tasks for the Lotus Notes provisioning, the service jobs and the connector-specific attributes in the identity store schema. This section describes how to import the Lotus Notes connector and all its parts. The import process is performed in the following order:

Import the specific tasks for the Lotus Notes provisioning, which are divided into three subfolders: Web Enabled Tasks, Notes Tasks and Plugins.

Create and configure the NOTES repository definition.

Create a set of Lotus Notes service jobs (using the job templates in the Identity Center Management Console).

The Lotus Notes connector is a part of the SAP NetWeaver Identity Management Identity Center installation. The specific tasks for the Lotus Notes provisioning (the file Lotus Notes Connector.mcc) are available in <Identity Center installation directory>\Templates\Identity Center\SAP Provisioning framework (e.g. C:\usr\sap\IdM\Identity Center\Templates\Identity Center\SAP Provisioning framework).

Since the connector is extended with only a minimum of Lotus Notes attributes, the section Appendix A: Adding new attributes on page 51 describes how you extend the framework with additional Lotus Notes attributes.

Importing the Lotus Notes connector

To import the specific tasks for the Lotus Notes provisioning, do the following:

1. Select "CONNECTORS" in the console tree under your provisioning framework in the identity store, and choose "Import…" from the context menu.

2. Navigate to and select the file Lotus Notes Connector.mcc and choose "Open".

Make sure that "Import" is selected. Select "Link tasks into display- and event properties on entry types and attributes".

3. Select the "Advanced" tab to ensure that a dispatcher is assigned to the tasks.

4. Choose "Next >", then "Import".

5. When the import is finished, verify the log and then choose "Finish".

The result of this operation is a folder Lotus Notes Connector with the subfolders Web Enabled Tasks, Notes Tasks, Plugins and IDVault, and the two tasks Link global NOTES Service VBscripts here and Link global NOTES Service JSscripts here.

All tasks are enabled and connected to the dispatcher which you selected during import.

Creating and configuring the NOTES repository definition

In order to create a repository definition NOTES, do the following:

1. Select "Repositories" under the "Management" node in the console tree, and select New/Repository… from the context menu.

2. Choose "Next >".

Select the repository definition template "Notes".

3. Choose "Next >".

Select NOTES as a repository definition name.

4. Choose "Next >".

Fill in the values according to the description below:

Domino Server (repository constant DOMINO_SERVER): Full name syntax of the default Lotus Domino server to be used for provisioning.

Database (repository constant DOMINO_DATABASE): The database you provision to – by default Names.nsf.

Domain (repository constant DOMINO_DOMAIN): Default provisioning domain.

Manager (repository constant DOMINO_MANAGER): The Identity Manager administrator/manager user on the Lotus Domino server.

Admin database (repository constant DOMINO_ADMINDB): Database for adminp requests, which by default is Admin4.nsf.

Cert directory (repository constant DOMINO_ADMINP_CERT): Full directory for certifier files used for Identity Management provisioning.

User cert directory (repository constant DOMINO_USERCERT_PATH): Path to the user certificate folder, where the system will store the ID files.

System privilege (repository constant SYSTEM_PRIVILEGE): The system privilege constructed as PRIV:SYSTEM:<repository name>, i.e. here PRIV:SYSTEM:NOTES.

Save ID (repository constant SAVE_ID_IN_ADDRBOOK): Saves the ID file in the address book (on the server). Selected (set to TRUE) by default. Deselect the option if you do not wish to save the ID file in the address book.

5. Choose "Next >", and then "Finish". The repository definition NOTES is created.

6. Expand the new repository definition NOTES and select "Constants" in the console tree:

You can see the constants entered in the repository template (prefixed with "DOMINO_"). Most of the repository constants are automatically filled in (retrieved from the SAP Provisioning framework). The constants REPOSITORY_SYNC and REPOSITORY_TYPE are set by the NOTES repository template.

7. Modify the following constants:

NAMING_RULE: Rules for how the users' full names are constructed in Lotus Notes. Legal values for this constant are:

0: This is the default value. The full name is cn=FirstName MiddleName LastName, and any other user with the same name will be rejected.

1: The rule allows renaming of the user if an existing user with the same name is found. An incremental counter is appended for each existing user, so the full names will be cn=FirstName MiddleName LastName, cn=FirstName MiddleName LastName1, …, cn=FirstName MiddleName LastName<N>.

2: The rule allows renaming of the user if an existing user with the same name is found. Leading letters of the last name are used as the middle name for each existing user, e.g. cn=FirstName LastName, cn=FirstName L LastName, cn=FirstName La LastName, cn=FirstName Las LastName, …, cn=FirstName LastName LastName.

3: Intended for custom implementations, where custom_notes_buildFullName is called. The default implementation is the same as for naming rule 0.
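As an added example (not code from the guide or from the connector itself), the following Python models the four NAMING_RULE values against a constructed list of full names that already exist in the directory. The case-insensitive comparison and the replacement of a supplied middle name under rule 2 are assumptions, and custom_notes_buildFullName is represented by an optional callback rather than the connector's own hook.

```python
"""Added illustration of the NAMING_RULE values 0..3 (not the connector's code)."""
from typing import Callable, Dict, Iterable, Optional


class NameConflict(Exception):
    """Raised when a rule rejects the new user because the full name is already taken."""


def _join(*parts: str) -> str:
    """Join non-empty name parts with single spaces."""
    return " ".join(p for p in parts if p)


def build_full_name(first: str, middle: str, last: str,
                    existing: Iterable[str], rule: int,
                    custom_hook: Optional[Callable[..., str]] = None) -> str:
    """Return the 'cn=...' full name for a new Lotus Notes user.

    existing: full names already present (without the 'cn=' prefix).
    rule:     value of the NAMING_RULE repository constant (0..3).
    """
    # Assumption: Notes full names are compared case-insensitively.
    taken = {n.lower() for n in existing}
    base = _join(first, middle, last)

    if rule == 3:
        # Rule 3 delegates to custom_notes_buildFullName (here: custom_hook);
        # without a custom implementation it behaves like rule 0.
        if custom_hook is not None:
            return "cn=" + custom_hook(first, middle, last, existing)
        rule = 0

    if rule == 0:
        if base.lower() in taken:
            raise NameConflict(f"{base!r} already exists and NAMING_RULE=0 does not rename")
        return "cn=" + base

    if rule == 1:
        # cn=First Middle Last, cn=First Middle Last1, ..., cn=First Middle Last<N>
        candidate, n = base, 0
        while candidate.lower() in taken:
            n += 1
            candidate = f"{base}{n}"
        return "cn=" + candidate

    if rule == 2:
        # cn=First Last, cn=First L Last, cn=First La Last, ..., cn=First Last Last
        # Assumption: a caller-supplied middle name is replaced by the generated one.
        for i in range(len(last) + 1):
            candidate = _join(first, last[:i], last)
            if candidate.lower() not in taken:
                return "cn=" + candidate
        raise NameConflict(f"all rule-2 variants of {first} {last} are taken")

    raise ValueError(f"unsupported NAMING_RULE value {rule}")


# Constructed sample of names already present in the directory (not real data).
EXISTING_NAMES = ["John Smith", "John Smith1", "John S Smith"]


def demo() -> Dict[int, str]:
    """Resolve 'John Smith' under the two renaming rules against EXISTING_NAMES."""
    return {rule: build_full_name("John", "", "Smith", EXISTING_NAMES, rule)
            for rule in (1, 2)}


if __name__ == "__main__":
    print(demo())  # {1: 'cn=John Smith2', 2: 'cn=John Sm Smith'}
```

Rule 0 (and rule 3 without a custom hook) rejects the conflicting name outright, which is the safer default: the renaming rules never fail on a duplicate, so with 1 or 2 a conflict is only visible in the resulting name, not in the task log.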

USER_PREFIX: Users created in Lotus Notes will by default get MSKEYVALUE=USER_PREFIX+NOTEID if no other value for MSKEYVALUE has been set. The user prefix value is LN by default.

Creating the Lotus Notes Service jobs

To make the Lotus Notes connector complete, the Lotus Notes service jobs must be created using the job templates in the Identity Center Management Console. The following jobs need to be created:

1. NOTES – initiate certifier table

2. NOTES – add DN to certifier table

3. NOTES – load certifiers from Notes

4. NOTES – merge certifiers

NOTES – load policies from notes

NOTES – load servers from notes

NOTES – System load

NOTES – Initial setup (optional)

NOTES – Extract and recover user ID files (optional)

NOTES – Load IDs from vault (optional)

To create the jobs, do the following:

1. Create a new job folder or rename an existing job folder to e.g. "7.2 Lotus Notes Service jobs".

2. Select the job folder and then choose New/Run job wizard… from the context menu. Choose "Next >".

3. Navigate to the Lotus Notes service jobs in the directory C:\usr\sap\IdM\Identity Center\Templates\Identity Center\Jobs\SAP NetWeaver in the job wizard.

4. Select the jobs one by one and follow the wizard to create each job (the wizard needs to be completed for one job before the wizard for the next one can be started). When creating the jobs, you may have to define a repository definition and/or job constants in the wizard for each job.

Job template: 1. NOTES – initiate certifier table
Define in the wizard: --

Job template: 2. NOTES – add DN to certifier table
Define in the wizard: --

Job template: 3. NOTES – load certifiers from Notes
Define in the wizard: Job constants DOMINO_DATABASE (destination database) and DOMINO_SERVER (full name of the Lotus Domino server).

Job template: 4. NOTES – merge certifiers
Define in the wizard: --

Job template: NOTES – load policies from notes
Define in the wizard: Job constants DOMINO_DATABASE (destination database) and DOMINO_SERVER (full name of the Lotus Domino server).

Job template: NOTES – load servers from notes
Define in the wizard: Job constants DOMINO_DATABASE (destination database) and DOMINO_SERVER (full name of the Lotus Domino server).

Job template: NOTES – System load
Define in the wizard: Select the repository definition ("NOTES"). Define the job constants DOMINO_DATABASE (destination database) and DOMINO_SERVER (full name of the Lotus Domino server).

Job template: NOTES – Initial setup (optional)
Define in the wizard: Repository definition ("NOTES").

Job template: NOTES – Extract and recover user ID files
Define in the wizard: The following job constants:
- DOMINO_DATABASE (destination database)
- DOMINO_SERVER (full name of the Lotus Domino server)
- USER_ID_FOLDER (extraction folder where the ID files are dumped; we propose using C:\Lotus\IDS\<host>\users)
- NEWPASSWORD (new password to be applied to the ID files)
- RA_IDFILE1 (recovery authority (RA) ID file)
- RA_PWD1 (corresponding password of the RA ID file)
- RA_IDFILE2/RA_IDFILE3 (optional RA ID files for the second and third recovery authorities)
- RA_PWD2/RA_PWD3 (corresponding passwords of the optional RA ID files for the second and third recovery authorities)
Whether the fields "RA file (optional)" and "RA password (optional)" (i.e. the constants RA_IDFILE2/RA_IDFILE3 and RA_PWD2/RA_PWD3) are needed depends on how many recovery authorities have been set on the Lotus Domino server.

Job template: NOTES – Load IDs from vault
Define in the wizard: Default password set for all users. To generate passwords for each user independently, you would have to add a custom password script.

Note: For the service job NOTES – Extract and recover user ID files, if the "New password" field is left empty during creation in the wizard, custom_initializePassword() is called to obtain the password.

The result of this operation is a job folder with the Lotus Notes specific jobs, the folder 7.2 Lotus Notes Service jobs:

Section 4: Configuring the connector

After the import of the connector, some manual configuration needs to be done to complete the integration.

Adding the repository definition to the User Interface tasks

For all tasks in the connector that do not inherit a repository definition, you have to set the repository definition manually. This applies to the User Interface tasks underneath the folder Web Enabled Tasks. You might want to set the repository definition on the subtasks as well if you are going to run test provisioning from them, as the inherited repository definition is then lost.

To add the repository definition to the tasks, do the following:

1. Select the task in the console tree to reveal the details pane.

2. Select the "Options" tab and select "NOTES" in the "Repository" field:

3. Choose "Apply".

Enabling users for portal

In many cases you want your users to be able to use the portal as soon as they are created as Lotus Notes users. To achieve this, you have to set up the UME/AS Java system in the Identity Management (add it as a repository and generate or bootstrap the privileges for this system).

As a next step you may want to alter the sub-tasks of the "Create new account" and "Create account" tasks, assigning the dedicated UME account privilege as illustrated below:

You may also want to configure your PRIV:SYSTEM attributes so that the UME does nottrigger on Lotus Notes system specific attributes and vice versa.

Setting the mail template file

Depending on the version of your Lotus Domino server, you must use a different mail template file when creating the users in Lotus Notes. To configure this, do the following:

1. Check for the correct mail template file name on your Lotus Domino server, typically:

Lotus Domino server version: Mail template file name
Lotus Domino server 8.5: mail85.ntf
Lotus Domino server 9.0: Mail9.ntf

2. Navigate to the task Create notes user ext, and select its pass "adminp create user request ext" in the console tree (the task is located under the folder structure Lotus Notes Connector\Notes Tasks\Lotus Notes: Provision users).

3. In the "Destination" tab of the pass, update the attribute MailTemplateName with the mail template file according to the server version:

4. Choose "Apply" to save the changes.

Loading certifiers, policies and servers

Before running the NOTES - System load job, the certifiers, policies and servers should be loaded. Performing this load enables you to select the correct certifier, policy and server from a list when creating a new user.

Loading the certifiers

To load the certifiers, do the following:

1. In the Identity Center Management Console, select the job "1. NOTES – initiate certifier table" in the console tree and run it (choose "Run now" in the details pane of the job). Based on the job constant PATH, a table certifiers is created for your rt (runtime) user.

2. For the certifiers to be loaded, update the "CPASS" field (replace 'certpassword' with the password of the certifier):

For MS SQL Server:
update [mxmc_rt_u].[certifiers] set CPASS='certpassword' where ID=1

For Oracle database:
update certifiers set cpass='certpassword' where certfile='cert.id'; commit;

3. Select and run the job "2. NOTES – add DN to certifier table".

4. Then select and run the job "3. NOTES – load certifiers from Notes".

5. Finally select and run the job "4. NOTES – merge certifiers".

The certifiers should now be loaded and ready to use.

Loading the policies

To load the policies, do the following:

1. In the Identity Center console tree select and run the job "5. NOTES – load policies from notes".

2. The policies should now be loaded from the server and can be used when creating the user:

Loading servers

To load the servers, do the following:

1. In the Identity Center console tree select and run the job "6. NOTES – load servers from notes".

2. The servers should now be loaded. This allows you to select servers when creating the Lotus Notes user:

User Interface manager/administrator privileges

There are several manager/administrator privileges that are required for the different parts of the Identity Management User Interface. For more information about the User Interface privileges, see the document SAP NetWeaver Identity Management Security Guide (section 5).

The privileges are included in the installation by default and you should assign these privilegesto your Identity Management users. To assign the privileges, do the following:

1. In the Identity Center console tree, select the Lotus Notes service job "NOTES – System load" and its pass "Write users to database".

2. In the "Destination" tab of the pass, update the attribute MXREF_MX_PRIVILEGE to hold the User Interface privileges the user(s) should be assigned:

3. Choose "Apply" to save the changes.

Make sure that the user password matches in UME, the User Interface and Lotus Notes. Any user in the identity store that is to have full access to the User Interface should be maintained in UME and assigned the User Interface privileges. For configuration details for the Identity Management User Interface see the document SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface.

Running the job NOTES - System load

To run the job NOTES – System load and complete the configuration process, do the following:

1. Select the job in the console tree to display the details pane.

2. Run the job by choosing the "Run now" button in the "Options" tab of the details pane. The job log can be inspected to check for errors or warnings.

Viewing access filtering on attributes

The User Interface tasks have been configured to allow group membership assignment only for already provisioned Lotus Notes users. The access task under the Access tasks folder (in the Web Enabled Tasks folder) imposes this limitation on these tasks, more specifically on their group member attribute (MXMEMBER_MX_PERSON). In other words, the access task acts as a filter, returning the list of legal values for the group member attribute MXMEMBER_MX_PERSON, which in this case is a list of Lotus Notes users only.

To view this access filtering on attributes, do the following:

1. Select e.g. the task "Create new group (form)" in the console tree (under the Group folder in the Web Enabled Tasks folder) and select the "Attributes" tab.

2. In the "Attributes" tab, view the properties of the attribute MXMEMBER_MX_PERSON. In the "Attribute values (Task specific)" tab you will find the link to the access task.
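To make the filtering idea concrete, here is an added Python example (not the connector's access task, and not code from the guide) of an allow-list filter over constructed identity store entries. It assumes, which the guide does not state, that an entry counts as a provisioned Lotus Notes user when it holds the NOTES system privilege PRIV:SYSTEM:NOTES, and it shows the same filter applied a second time to a submitted membership request, since the list offered in the form does not by itself stop other values from being submitted.

```python
"""Added example: allow-list filtering of MXMEMBER_MX_PERSON (hypothetical model)."""
from typing import Dict, Iterable, List

# SYSTEM_PRIVILEGE of the NOTES repository definition (PRIV:SYSTEM:<repository name>).
NOTES_SYSTEM_PRIVILEGE = "PRIV:SYSTEM:NOTES"

# Constructed sample entries; MSKEYVALUE and the privilege list are the only
# attributes modelled. Not real identity store data.
SAMPLE_ENTRIES: List[Dict] = [
    {"MSKEYVALUE": "LN1001", "MXREF_MX_PRIVILEGE": ["PRIV:SYSTEM:NOTES", "PRIV:UI:ADMIN"]},
    {"MSKEYVALUE": "LN1002", "MXREF_MX_PRIVILEGE": ["PRIV:SYSTEM:NOTES"]},
    {"MSKEYVALUE": "UME2001", "MXREF_MX_PRIVILEGE": ["PRIV:SYSTEM:UME"]},  # portal only
    {"MSKEYVALUE": "HR3001", "MXREF_MX_PRIVILEGE": []},                    # not provisioned
]


def legal_member_values(entries: Iterable[Dict]) -> List[str]:
    """What an access task returns: the legal values for MXMEMBER_MX_PERSON.

    Assumption: 'provisioned to Lotus Notes' == holds PRIV:SYSTEM:NOTES.
    """
    return [e["MSKEYVALUE"] for e in entries
            if NOTES_SYSTEM_PRIVILEGE in e.get("MXREF_MX_PRIVILEGE", [])]


def validate_membership_request(requested: Iterable[str],
                                entries: Iterable[Dict]) -> Dict[str, List[str]]:
    """Re-apply the filter to the values actually submitted for a group.

    The form only offers legal values, but the task that writes the group
    should not rely on that alone; anything outside the allow-list is
    reported as rejected instead of being written.
    """
    allowed = set(legal_member_values(entries))
    requested = list(requested)
    return {
        "accepted": [m for m in requested if m in allowed],
        "rejected": [m for m in requested if m not in allowed],
    }


if __name__ == "__main__":
    print(legal_member_values(SAMPLE_ENTRIES))
    print(validate_membership_request(["LN1002", "UME2001", "HR3001"], SAMPLE_ENTRIES))
```

The split between the list the form displays and the check on write is the point: the access task restricts what a user can pick, and the task that persists the membership should confirm the picked values still satisfy the same rule.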

Post-creation task (optional)

The Lotus Notes connector uses API functions that are limited to a certain set of attributes during user creation. If it is desirable to set more attributes on the user at the time of creation, a post-creation task can be configured on the repository definition.

This task will modify (extend) the Lotus Notes user(s) with the specified attributes. In addition, a recertify task is executed in order to alter/extend the expiration date of the user ID (file). If they fail, the tasks executed during post-creation do not cause the account privilege to be rejected or lost, as the user is already created in Lotus Notes.

To enable or disable the post-creation task, do the following:

1. Navigate to and select the task "Execute post creation – no wait" (located under Lotus Notes Connector\Plugins\1. Create Notes User).

2. Enable or disable the task by selecting or deselecting the "Enabled" option:

3. Choose "Apply" to apply and save the changes for the task.

Section 5: Using the ID vault

Prerequisites

The ID Vault functionality is available with Lotus Notes 8.5. To configure the password reset function for use with ID Vault, you need to enable Lotus Notes shared login. In addition, if you want the Lotus Notes shared login to be possible only with the Identity Management host, you need to have Lotus Notes 8.5.3 or higher installed to be able to configure it in the Lotus Domino Administrator console.

To enable the ID vault functionality you first need to create an ID vault in the administrator console on the Lotus Domino server (if one is not already created and configured).

If you are using the recovery password option on your users, you will have to disable this first. For more information on how to set up an ID vault, please consult the IBM documentation.

Make sure to set up a Lotus Notes shared login with the Identity Management server in the security policy document for the vault:

You should not enforce a password change after the password reset, as this would not allow the Identity Center to stay synchronized with the user password changes:

User creation in the vault is controlled through policies, so only the policies that are associated with the vault will create users. Identity Center allows multiple policies to be used.

When users are created, or loaded from the vault, a flag is set on each user (MX_NOTES_IN_VAULT) indicating that the user is a vault user. This flag is checked by the logic for the ID vault functionality to verify whether the vault synchronization is needed or not.

If a password has been reset externally (not through the connector, but directly in the Lotus Notes system), then the Identity Management password reset task or a load of the ID file from Lotus Notes can be performed to reestablish the password synchronization in the Identity Center. The password reset task is not a part of the Lotus Notes connector, but is available in the Identity Center. For more information on how to configure the password reset, see the document SAP NetWeaver Identity Management Identity Center Implementation Guide – Self-service password reset available on SAP Community Network/SCN (http://scn.sap.com/docs/DOC-17111).

Section 6: Provisioning using Lotus Notes connector

Provisioning using the Lotus Notes connector is done by running the User Interface tasks from the Identity Management User Interface. The following is described in this section:

Creating and deleting a user/group

Self-service task for activating the user

Assigning the membership to the group

Modifying the user/group

Renaming the user

Recertifying the ID file

Changing the password

To access the User Interface do the following:

1. Enter http://<host>:<port>/idm in your browser. Provide the credentials in the log-in window.

2. Choose "Log on".

You are now logged on to the User Interface.

Creating the user/group

To create a new Lotus Notes user, the task Create Notes user in the User Interface is used. Use the task Create Notes group to create a group.

To create a new Lotus Notes user, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Create…".

Navigate to the task "Create Notes user".

2. Choose "Choose Task":

Fill in the information about the new user.

Select the "Roaming" tab and provide the necessary information (the roaming server) if you wish to create a roaming user.

3. Choose "Save" to save the information and run the task.

The user should now be created and provisioned to Lotus Notes.

Note: If you wish to use an already existing user in the Identity Management and provision it to Lotus Notes, you should select the user and choose "Choose Task…", then navigate to the task "Create Notes user" under the folder "Notes identity".

To create a new Lotus Notes group, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Group" is selected in the "Show" field and choose "Create…".

2. Navigate to the task "Create Notes group" and choose "Choose Task":

Fill in the information about the new group.

3. Choose "Save" to save the information and run the task.

The group should now be created and provisioned to Lotus Notes.

Self-service task for activating the user

The self-service task Notes activate user is available to all logged-in users. The users can register to activate, and they can also upload and download the ID file. To activate the user, do the following:

1. In the "Self Services" tab in the User Interface, select the task "Notes activate user":

Fill in the information.

2. Choose "Save" to save the changes and run the task.

Modifying the user/group

To modify a Lotus Notes user, the task Modify Notes user in the User Interface is used. Use the task Modify Notes group to modify a group.

To modify a Lotus Notes user, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Go" to display all available users.

2. Select the user you want to modify and choose "Choose Task".

3. Navigate to the task "Modify Notes user" (under folder "Notes identity"), and choose "Choose Task":

Modify the user.

4. Choose "Save" to save the information and run the task.

The user should now be modified.

To modify a Lotus Notes group, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Group" is selected in the "Show" field and choose "Go" to display all available groups.

2. Select the group you want to modify and choose "Choose Task".

3. Navigate to the task "Modify Notes group" and choose "Choose Task":

Modify the group.

4. Choose "Save" to save the information and run the task.

The group should now be modified.

Renaming the Lotus Notes user

There is a User Interface task that allows you to modify only the name of the user (task Rename Notes user). This can be done only for users with an ID file. To modify the name of the user, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Go" to display all available users.

2. Select the user you want to modify and choose "Choose Task".


3. Navigate to the task "Rename Notes user" (under the folder "Notes identity") and choose "Choose Task":

Change the name of the user.

4. Choose "Save" to save the changes and run the task.

Changing the password

There is a User Interface task that allows you to modify only the password of the user (task Change password). This task is available only for users that have an ID file. To change the password, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Go" to display all available users.

2. Select the user you want to modify and choose "Choose Task".


3. Navigate to the task "Change password" (under the folder "Notes identity") and choose "Choose Task":

Modify the password.

4. Choose "Save" to save the changes and run the task.

Recertifying the ID file

To recertify the ID file, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Go" to display all available users.

2. Select the user you want to recertify the ID file for and choose "Choose Task".


3. Navigate to the task "Recertify Notes user ID file" (under the folder "Notes identity"; it is available for users with an ID file only) and choose "Choose Task":

Change the expiration date of the certificate in the user's ID file.

4. Choose "Save" to save the changes and run the task.


Assigning a group membership

To assign a group membership, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Group" is selected in the "Show" field and choose "Go" to display all available groups.

2. Select the group you want to assign the members to and choose "Choose Task".

3. Navigate to the task "Assign membership" (under the folder "Notes group") and choose "Choose Task":

Add the users you want to be members of the group. Choose "Search" in the "Available" pane to list all available users, select the user(s) and choose "Add". The added users are displayed in the "Assigned" pane.

4. Choose "Save" to run the task and add the group membership to the selected user(s).


Deleting the user/group

To delete a Lotus Notes user (account), use the task Delete Notes account in the User Interface. Use the task Delete Notes group to delete a group.

To delete an account, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Person" is selected in the "Show" field and choose "Go" to display all available users.

2. Select the user you want to delete the account for and choose "Choose Task".

3. Navigate to the task "Delete Notes account" (under the folder "Notes identity") and choose "Choose Task":

4. Choose "Delete" to run the task and delete the user account.

To delete a Lotus Notes group, do the following:

1. In the "Manage" tab in the User Interface, make sure that "Group" is selected in the "Show" field and choose "Go" to display all available groups.

2. Select the group you want to delete and choose "Choose Task".


3. Navigate to the task "Delete Notes group" (under the folder "Notes group") and choose "Choose Task":

4. Choose "Delete" to run the task and delete the group.


Appendix A: Adding new attributes

The Lotus Notes connector includes only a small set of attributes and objects by default. However, you can extend the set of attributes.

If you inspect the "Read notes users" pass of the NOTES – System load job, you will see in the "Destination" tab that there are many additional attributes on the user entry.


As an example, append the attribute "Assistant" to the user object:

1. Select the "Write users to database" pass in the NOTES – System load job.

2. Select the "Destination" tab of the "Write users to database" pass and create an attribute "CUSTOM_ASSISTANT" as shown below:

Insert the attribute value by selecting "ASSISTANT" from the "Source attributes" in the context menu.

3. Choose "Apply".

Provided that you have selected "Automatically create attributes" in the "General" tab of your identity store details pane, you can now rerun the pass and the attribute CUSTOM_ASSISTANT is appended to your user object.


Appendix B: Configuring user creation tasks

In the Lotus Notes connector there is a set of tasks that control the behavior of the user creation process. The process behavior is controlled by setting or removing a set of flags on the tasks.

Some flags are mutually exclusive, and some states are not supported by the connector. Take care when modifying the flags. For instance, the flag fREGSaveIDInFile is mandatory for the create task, because the connector needs the ID file for its other operations (rename, password change and recertification).

The tasks are located in Lotus Notes Connector\Notes Tasks\Configure tasks\Set user creation properties in the console tree in the Identity Center Management Console:

Configure creation flags

Configure creation extension flags

Configure roaming settings

The flags for each of these tasks are described in more detail in the following sub-sections.

Task Configure creation flags

fREGCreateIDFileNow: Set this flag during creation if an ID file should be created.

fREGUSARequested: Set this flag for all IDs being created for use in the US or Canada.

fREGCreateMailFileNow: Set this flag during user creation to create a mail file during registration (it may be created later if, for instance, the mail server is not available).

fREGCreateAddrBookEntry: Set this flag during user creation to create or modify an Address book or Domino Directory entry.

fREGOkayToModifyID: If this flag is not set during user creation and the requested ID file already exists, an error is returned. If the flag is set, the existing ID file is overwritten. Certificates and encryption keys that were in the existing ID file will no longer exist in the resulting ID file.

fREGOkayToModifyAddrbook: If this flag is not set during user creation and a user with the same name as the new user is found in the Domino Directory on the registration server, an error is returned. If the flag is set, the existing Address book or Domino Directory entry is modified; for example, non-optional fields are not overwritten if a null string is passed.

fREGSaveIDInFile: Save the ID in a file. The IDFileName parameter must be specified. If this flag is NOT specified and no IDFileName is specified, the ID is saved in the Address book or Domino Directory.

fREGCreateLimitedClient: Create a Lotus Notes Mail user.

fREGCreateDesktopClient: Create a Lotus Notes Desktop user.


fREGSaveIDInAddrBook: Save the ID in the Address book or Domino Directory. If this flag is NOT specified and an IDFileName is specified, the ID is saved in the specified IDFileName.

fREGCreateMailFileUsingAdminp: Use the administration process to create the mail file. NOTE: fREGCreateMailFileUsingAdminp and fREGCreateMailFileNow are mutually exclusive. If both flags are specified, fREGCreateMailFileNow is the action that is performed.

fREGSetInternetPassword: Store the password for use as the Internet password.

Task Configure creation extension flags

fREGExtCreateMailFTIndex: Set this flag during user creation to create a full-text index for the mail file.

fREGExtReturnPersonNote: Set this flag during user creation if the caller wants the note handle of the new person document.

fREGExtEnforceUniqueShortName: Use this flag to enforce a unique short name for the user.

fREGExtRoamingUserNow: Create roaming files now; the person is created with the ability to roam.

fREGExtRoamingFilesUsingAdminp: Create roaming files via the administration process; the person is created with the ability to roam.

fREGExtCreateINetKeyPair: Add the INetPublicKey to the person document.

fREGExtMailReplicasUsingAdminp: Create mail replicas via the administration process.

fREGExtRoamingReplicasUsingAdminp: Create roaming replicas via the administration process.

fREGExtRegUsingPolicy: Person registration uses the (registration) policy settings as parameter values for registration.


Task Configure roaming settings

Legal values for ROAMING_CLEANUP are:

NEVER

EVERY_NDAYS

AT_SHUTDOWN

ROAMING_CLEANUP_PERIOD must be set to a value from 1 to 365 if ROAMING_CLEANUP=EVERY_NDAYS.

Legal values for ROAMING_ONDUPLICATE are:

REG_FILE_DUP_STOP: When a duplicate is found, registration stops.

REG_FILE_DUP: When a duplicate is found, registration generates a unique name and continues.

REG_FILE_DUP: When a duplicate is found, registration continues by using the name (possibly overwriting the file).
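The rules in this appendix (the mandatory fREGSaveIDInFile flag and its IDFileName parameter, the mutual exclusion of the two mail-file flags, the destructive effect of fREGOkayToModifyID, and the legal ROAMING_CLEANUP values and period range) are easy to get wrong when the three tasks are edited by hand. The following is an added example, not SAP's or the connector's own code: a pre-flight check in JavaScript (the scripting language used in Identity Center) that applies those rules to a proposed configuration before the tasks under "Set user creation properties" are run. The input shape (flag names in an array, roaming settings as a plain object, IDFileName as a string) and the sample configuration are assumptions of this example, not the connector's storage format.

```javascript
// Added example (not SAP's code): pre-flight check for the creation flag
// sets described in Appendix B. Only ES5 constructs are used so it can be
// adapted to an Identity Center script; the console.log at the end is just
// for stand-alone runs.

var CREATION_FLAGS = [
  "fREGCreateIDFileNow", "fREGUSARequested", "fREGCreateMailFileNow",
  "fREGCreateAddrBookEntry", "fREGOkayToModifyID", "fREGOkayToModifyAddrbook",
  "fREGSaveIDInFile", "fREGCreateLimitedClient", "fREGCreateDesktopClient",
  "fREGSaveIDInAddrBook", "fREGCreateMailFileUsingAdminp", "fREGSetInternetPassword"
];

var EXTENSION_FLAGS = [
  "fREGExtCreateMailFTIndex", "fREGExtReturnPersonNote",
  "fREGExtEnforceUniqueShortName", "fREGExtRoamingUserNow",
  "fREGExtRoamingFilesUsingAdminp", "fREGExtCreateINetKeyPair",
  "fREGExtMailReplicasUsingAdminp", "fREGExtRoamingReplicasUsingAdminp",
  "fREGExtRegUsingPolicy"
];

var ROAMING_CLEANUP_VALUES = ["NEVER", "EVERY_NDAYS", "AT_SHUTDOWN"];

// Returns { ok, errors, warnings }. Errors are states the guide calls
// mandatory or unsupported; warnings are states that run but are risky or
// are silently resolved by Domino.
function validateCreationConfig(config) {
  var errors = [];
  var warnings = [];
  var set = {};
  var flags = config.flags || [];
  var i, name;

  for (i = 0; i < flags.length; i++) {
    name = flags[i];
    if (CREATION_FLAGS.indexOf(name) < 0 && EXTENSION_FLAGS.indexOf(name) < 0) {
      errors.push("unknown flag: " + name);
    }
    set[name] = true;
  }

  // fREGSaveIDInFile is mandatory: the connector needs the ID file for
  // rename, password change and recertification. It also requires IDFileName.
  if (!set.fREGSaveIDInFile) {
    errors.push("fREGSaveIDInFile must be set so the connector can obtain the ID file");
  } else if (!config.IDFileName) {
    errors.push("fREGSaveIDInFile requires the IDFileName parameter");
  }

  // Mutually exclusive; Domino performs fREGCreateMailFileNow if both are set.
  if (set.fREGCreateMailFileNow && set.fREGCreateMailFileUsingAdminp) {
    warnings.push("fREGCreateMailFileNow and fREGCreateMailFileUsingAdminp are both set; " +
                  "fREGCreateMailFileNow takes effect");
  }

  // Overwriting an existing ID file discards its certificates and encryption keys.
  if (set.fREGOkayToModifyID) {
    warnings.push("fREGOkayToModifyID overwrites an existing ID file; " +
                  "its certificates and encryption keys are lost");
  }

  if (set.fREGOkayToModifyAddrbook) {
    warnings.push("fREGOkayToModifyAddrbook modifies an existing Domino Directory entry " +
                  "instead of returning an error");
  }

  // Roaming settings: legal cleanup values, and a 1..365 period for EVERY_NDAYS.
  var roaming = config.roaming || {};
  var cleanup = roaming.ROAMING_CLEANUP;
  if (cleanup !== undefined) {
    if (ROAMING_CLEANUP_VALUES.indexOf(cleanup) < 0) {
      errors.push("ROAMING_CLEANUP must be one of " + ROAMING_CLEANUP_VALUES.join(", "));
    } else if (cleanup === "EVERY_NDAYS") {
      var period = roaming.ROAMING_CLEANUP_PERIOD;
      var isInt = typeof period === "number" && period % 1 === 0;
      if (!isInt || period < 1 || period > 365) {
        errors.push("ROAMING_CLEANUP_PERIOD must be an integer from 1 to 365 " +
                    "when ROAMING_CLEANUP=EVERY_NDAYS");
      }
    }
  }

  return { ok: errors.length === 0, errors: errors, warnings: warnings };
}

// Constructed sample (not from the guide): two errors and two warnings.
var SAMPLE_CONFIG = {
  flags: ["fREGCreateIDFileNow", "fREGCreateMailFileNow",
          "fREGCreateMailFileUsingAdminp", "fREGCreateAddrBookEntry",
          "fREGSaveIDInFile", "fREGOkayToModifyID"],
  IDFileName: "",
  roaming: { ROAMING_CLEANUP: "EVERY_NDAYS", ROAMING_CLEANUP_PERIOD: 400 }
};

var result = validateCreationConfig(SAMPLE_CONFIG);
console.log((result.ok ? "OK" : "NOT OK") +
            "\nerrors:\n  " + result.errors.join("\n  ") +
            "\nwarnings:\n  " + result.warnings.join("\n  "));
```

Treat every warning as something to confirm deliberately: fREGOkayToModifyID in particular turns a re-run of the create task for an existing user into a replacement of that user's keys, which is exactly the situation the recertification task exists to avoid.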