SAP NetWeaver ® Identity Management Using the Configuration Analyzer Version 7.2 Rev 3

© 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Preface

The product SAP NetWeaver Identity Management Configuration Analyzer analyzes and gathers the information about an existing configuration, and detects and reports potential configuration issues both related to the migration process and in general.

The reader

This manual is written for people who are to use the SAP NetWeaver Identity Management Configuration Analyzer tool.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge:

Thorough knowledge about SAP NetWeaver Identity Management.

The manual

This document gives an overview of how to use the Configuration Analyzer and consists of three sections. The first section describes the implementation, configuration and how to run the Configuration Analyzer. The second section gives an overview of the reports produced by the Configuration Analyzer. And the last section gives details about interpreting the produced results of the Configuration Analyzer, as well as how to process them.

Related documents

You can find useful information in the following documents:

SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

Table of contents

Introduction (p. 1)
  Background (p. 1)
  Section overview (p. 2)
Section 1: Using the Configuration Analyzer tool (p. 3)
  Installing the Configuration Analyzer (p. 3)
  Configuring and running the Configuration Analyzer (p. 4)
Section 2: Configuration Analyzer reports (p. 9)
  The editable report (p. 10)
Section 3: Interpreting and processing the results (p. 16)
  Issue types (p. 16)
  Issue categories (p. 17)
  The result files (p. 18)
  Issue type: Not recommended (p. 19)
  Issue type: MXMEMBER_ (p. 20)
  Issue type: aValue (p. 21)
  Issue type: uSelect (p. 22)
  Issue type: Inconsistency (p. 23)
  Issue type: Obsolete view(s) (p. 26)
  Issue type: Obsolete procedure(s) (p. 27)
  Issue type: uApplyPending (p. 28)
  Issue type: mxi_values (p. 29)
  Issue type: Troubleshooting (p. 30)
  General limitation for script analysis (p. 30)

Introduction

This document gives an overview and describes the use of the SAP NetWeaver Identity Management Configuration Analyzer tool.

Background

The purpose of the Configuration Analyzer is to perform:

configuration analysis on an existing configuration for migration purposes.

generic configuration analysis for performance and functional analysis of an existing configuration.

The result of the analyzer tool is a report which identifies potential issues. It will never change any data.

Note: The analyzer tool will help in detecting most of the potential issues in a configuration, but it is still not guaranteed that the configuration is correct and will run smoothly if the tool does not report any issues.

Note: If you discover any issues which are not reported by the Configuration Analyzer, please create and submit a CSS message explaining the issue(s), and what you think should be reported by the Configuration Analyzer.

Configuration analysis for migration purposes

The Configuration Analyzer analyzes the configuration for the purpose of migrating a solution developed with SAP NetWeaver Identity Management 7.1 to SAP NetWeaver Identity Management 7.2. Before you can upgrade to SAP NetWeaver Identity Management 7.2 (with the 7.1 compatibility option enabled or not), you must verify that you are not using the features in the configuration that are changed in SAP NW IdM 7.2. For more information, see SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2.

Run the Identity Management Configuration Analyzer, and the tool will identify and report a list of issues which may or will cause problems for the configuration when running in SAP NW IdM 7.2. These issues need to be resolved before upgrading/disabling the 7.1 compatibility option.

Generic configuration analysis

In addition to detecting potential configuration issues during the migration process, the Configuration Analyzer is also a generic tool for analyzing and gathering configuration information, and reporting potential issues.

This can be helpful in identifying potential functional and performance issues in the configuration.

Note: Before opening a support case regarding either migration or general configuration issues, make sure that you have run the Configuration Analyzer. Attach the archive ConfigAnalyzerDump.zip (described in Section 2: Configuration Analyzer reports on page 9) to the support case.

Section overview

The document consists of the following sections:

Section 1: Using the Configuration Analyzer tool

This section describes how to install, configure and run the Configuration Analyzer.

Section 2: Configuration Analyzer reports

This section gives an overview of the files created when the Configuration Analyzer runs. The editable report is also described in this section.

Section 3: Interpreting and processing the results

This section describes how to process the potential issues discovered by the Configuration Analyzer. An overview of issue types, with actual checks performed, categories, solution suggestions and limitations is given.

Section 1: Using the Configuration Analyzer tool

Before proceeding with the installation process, make sure that the file ConfigAnalyzer.jar is downloaded and available to your system. The file is available on the SAP Developer Network (http://www.sdn.sap.com) together with this document.

Note: Make sure that you download the latest version.

Installing the Configuration Analyzer

To install the Configuration Analyzer tool, do the following:

1. Create a folder (named e.g. ConfigAnalyzer) in the install directory, which is by default C:\usr\sap\IdM\Identity Center.

2. Copy the file ConfigAnalyzer.jar to the created directory (here C:\usr\sap\IdM\Identity Center\ConfigAnalyzer).

Configuring and running the Configuration Analyzer

To launch and configure the Configuration Analyzer, do the following:

1. In the command prompt, navigate to the directory where the file ConfigAnalyzer.jar is stored.

2. To launch the Configuration Analyzer, enter and execute the following command line:

   java -jar ConfigAnalyzer.jar

Note: It is recommended to type the command line, since copying and pasting it may result in error.

3. Executing the command line opens a Configuration Analyzer configuration dialog box:

4. Configure the parameters in the configuration dialog box.

The configuration parameters are grouped into four sections in the dialog box: Environment, Database, Options and Checks to run.

Environment section

The parameters in the Environment section are detected and filled in by the Configuration Analyzer, but can be manually altered if necessary:

DSE home: A full path to the directory where the runtime engine (either Windows or Java) is located.

Service scripts: A full path to the directory where the service scripts are stored.

Keys.ini: A full path to the Keys.ini file.

Target directory: A full path to the target directory for the Configuration Analyzer, i.e. the directory where the Configuration Analyzer is stored (here folder ConfigAnalyzer on C:\usr\sap\IdM\Identity Center\).

Database section

In the Database section, select a database to analyze:

Get database parameters from dispatcher: Enable this option to retrieve the database connection parameters from a specific dispatcher. Choose "Refresh list" to refresh the dispatcher list if needed, and then select a dispatcher from the list. The correct information is filled in automatically in the fields "JDBC URL", "Driver" and "Classpath".

Edit database connection parameters manually: Enable this option to enter the database connection parameters manually, i.e. to enter the correct information in the fields "JDBC URL", "Driver" and "Classpath" manually.

JDBC URL: Define a database URL. The JDBC URL can be copied from a dispatcher script of a running dispatcher, or from the "Database" tab in the details pane of the Identity Center node in the Identity Center Management Console tree.

Note: If using copy/paste to fill in the database URL, make sure to re-enter the password manually.

Note: To make sure that the Configuration Analyzer has access to all information when running, the <database_prefix>_admin user should be used. The <database_prefix>_rt user can be used, but may produce incomplete results due to limited information access.

Driver: Define a database driver.

Classpath: Define a full classpath to the database driver JAR file.

Options section

In the Options section, fill in the following:

Verbose: Enable this option to show the status information while the Configuration Analyzer is running. The option is enabled by default.

Troubleshooting: Enable this option to report troubleshooting issues. These issues are not errors that need to be resolved, but they should be closely examined. The option is often used for support purposes. For more information about this, see sections Issue types on page 16, Issue categories on page 17 and Issue type: Troubleshooting on page 30.

Java options: Use the field to specify the maximum Java heap size the program is allowed to allocate, here "-Xmx1024m" which sets the maximum heap size to 1024MB.

Checks to run section

In the Checks to run section, you can choose to run the standard defined checks (from the "Standard" list) or customize by choosing your own combinations of checks (from the "Custom" list).

The five standard checks are associated with and reflected in the list of custom checks, i.e. enabling a standard check will enable a set of checks in the custom list. The standard checks Check entries, Check configuration and Generate system configuration dump are enabled by default. Select checks to run according to your needs.

The checks are listed in the table below:

Standard check: Check entries
Description: Enable this option to run a test on entries, e.g. check for missing entry type or MSKEYVALUE for the entries. The option is enabled by default. Disabling this option will result in the Configuration Analyzer not reading and checking the entries. This can be used to reduce the execution time for the Configuration Analyzer (if the amount of entries is large). Use disabling with care. For more information see page 20 and 25.
Associated checks run (visible in the custom list):
  Check references
  Dump inconsistent audit entries to file
  Verify all entries

Standard check: Dump all entries
Description: Enable this option to create an information dump of all entries in the configuration (Entries.txt). The file is stored in the defined target directory. In order to be able to select this option, the option "Check entries" must be enabled.
Associated checks run (visible in the custom list):
  Dump all entries to file
  Check references
  Dump inconsistent audit entries to file
  Verify all entries

Standard check: Check configuration
Description: Enable this option to check for the configuration issues. The option is enabled by default.
Associated checks run (visible in the custom list):
  Check attributes
  Check dynamic groups
  Check global constants
  Check ID store settings
  Check jobs
  Check repositories
  Check schedule settings
  Check scripts
  Check SQL statements
  Check tasks

Standard check: Generate system configuration dump
Description: Enable this option to create a textual information dump of the configuration, i.e. to create the archive ConfigAnalyzerDump.zip described in Section 2: Configuration Analyzer reports on page 9. The option is enabled by default. In order to be able to select this option, the option "Check Configuration" must be enabled. Disabling the option will result in no creation of the textual information dump of the configuration (no ConfigAnalyzerDump.zip).
Associated checks run (visible in the custom list):
  Dump checked items
  Dump configuration information to file
  Dump SQL statements to file

Standard check: Check for potential 7.20 migration problems
Description: If migrating your existing configuration to SAP NetWeaver Identity Management 7.2 from a previous version (7.1), enable this check for an overview of possible migration issues that need to be resolved before proceeding with the migration.
Associated checks run (visible in the custom list):
  Check attributes
  Check dynamic groups
  Check global constants
  Check ID store settings
  Check jobs
  Check migration to 7.20
  Check references
  Check repositories
  Check schedule settings
  Check scripts
  Check SQL statements
  Check tasks
  Dump inconsistent audit entries to file
  Verify all entries

5. To create a batch file for the Configuration Analyzer tool (ConfigAnalyzer.bat) choose "Create batch file…", then choose "Close" to close the dialog box. The file is stored in the defined target directory.

6. Choose "Run" to close the dialog box and run the Configuration Analyzer with the defined options. Choose "Close" to cancel the configuration and close the dialog box.

When the Configuration Analyzer tool has completed, the results are stored in the same directory where the file ConfigAnalyzer.jar is stored (here C:\usr\sap\IdM\Identity Center\ConfigAnalyzer). Information about what reports are produced is described in Section 2: Configuration Analyzer reports on page 9.

7. Choose "View report…" to open and view the editable report of issues discovered by the Configuration Analyzer. The Configuration Analyzer must have been run at least once before this report can be viewed. Read more about the editable report in section The editable report on page 10.

Section 2: Configuration Analyzer reports

Running the Configuration Analyzer reveals potential configuration issues during the migration process and in general. The result is a set of reports stored in a specified directory. The following files may be produced, depending on the checks that are selected when running the Configuration Analyzer:

Issues.csv

Issues.htm

Issues.xml

Summary.txt

InconsistentEntries.txt

Entries.txt

ConfigAnalyzerDump.zip

The first three files contain about the same information, a detailed list of the issues detected, but in different formats. The file Summary.txt contains a short summary of the number of issues found and their categories. See Section 3: Interpreting and processing the results on page 16 for details about the contents of these files.

InconsistentEntries.txt and Entries.txt contain a list of entries. The difference is that InconsistentEntries.txt lists all inconsistent entries (it is produced when the Configuration Analyzer is run with only "Check entries" and not "Dump all entries" enabled), while Entries.txt lists all entries, both consistent and inconsistent (it is produced instead of InconsistentEntries.txt only if the "Dump all entries" option is enabled for the Configuration Analyzer). Only one of these two files is created on each run.

The archive ConfigAnalyzerDump.zip contains the textual dumps of the configuration that are useful for support purposes. Depending on the checks selected for running, it may or may not contain the first four files mentioned above (Issues.csv/htm/xml and Summary.txt) and either InconsistentEntries.txt or Entries.txt. In addition, it contains the following files:

Attributes.txt: lists the attributes with details about their properties. Potential problems are also listed for each attribute, if any discovered.

IDStores.txt: information about the identity stores on the database, and statistics like total number of values, entries (MX_PERSON, groups, privileges, roles, and pending values).

DatabaseInfo.txt: information about the database and statistics like provisioning queue size, audit and extended audit log size.

Dispatchers.txt: information about the dispatcher (version, status, last run, reload frequency, etc).

DynamicGroups.txt: list of dynamic groups.

Groups.txt: list of groups, listed with name, GUID, exact path to the group and which identity store they are located in.

GlobalConstants.txt: list of global constants.

GlobalVariables.txt: list of global variables.

Jobs.txt: list of jobs stored in the database and their settings and rules.

Repositories.txt: list of repository definitions and their constants.

Scripts.txt: list of scripts – the code, information about what jobs the scripts are referred from, etc.

SystemConstants.txt: list of global system constants.

SQL.txt: holds the list of all SQL statements found in the system, in upper case.

Tasks.txt: list of tasks and their details.

Note: All passwords are removed from the reports that are created by the Configuration Analyzer, making it secure/safe to distribute the reports (e.g. to the support teams).
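Before the archive leaves the system, the statement in the note above can be checked mechanically. The following Python check is an added example, not part of the SAP manual or tool: it scans the text reports in ConfigAnalyzerDump.zip for credential-like strings, such as a password left in a JDBC URL or assigned in a script body. The patterns, the redaction markers and the in-memory sample dump are constructed assumptions; only the report file names come from this section.

```python
import io
import re
import sys
import zipfile
from collections import namedtuple

Finding = namedtuple("Finding", "file line rule excerpt")

# Report formats named in this section; other archive members are skipped.
TEXT_SUFFIXES = (".txt", ".csv", ".xml", ".htm")

# Heuristic rules (assumptions for this example, not the tool's own logic).
RULES = [
    # Password parameter embedded in a JDBC URL.
    ("jdbc-url-password",
     re.compile(r"""jdbc:[^\s"']*?[;?&]password=([^;&\s"']*)""", re.I)),
    # "name = value" or "name: value" where the name looks like a secret.
    ("assigned-secret",
     re.compile(r"""(?:password|passwd|pwd|secret)\w*\s*[=:]\s*["']?([^\s"';,]*)""", re.I)),
]

# Values treated as already removed or as a reference, not a literal secret:
# empty, ****, xxx, <placeholder>, %CONSTANT%.
REDACTED = re.compile(r"^(?:|\*+|x{3,}|<[^>]*>|%[^%]+%)$", re.I)


def scan_text(name, text):
    """Return one Finding per line that still carries a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match and not REDACTED.match(match.group(1)):
                # Never echo the value itself into the scan output.
                masked = line[:match.start(1)] + "[MASKED]" + line[match.end(1):]
                findings.append(Finding(name, lineno, rule, masked.strip()[:120]))
                break
    return findings


def scan_dump(source):
    """Scan every text report in the archive; source is a path or file object."""
    findings = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_text(info.filename, text))
    return findings


def build_sample_dump():
    """Constructed sample archive; the file contents are invented for the demo."""
    files = {
        "Scripts.txt": 'function getConn(Par){\n  var pwd = "Winter2011!";\n  return pwd;\n}\n',
        "Repositories.txt": "Repository: DEMO_AD\n  AUTH_PASSWORD = \n  HOST = ad.example.internal\n",
        "Jobs.txt": ("Job: Load users\n  To: jdbc:sqlserver://db.example.internal:1433;"
                     "databaseName=demo_db;user=demo_admin;password=S3cret-Value\n"),
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, body in files.items():
            archive.writestr(name, body)
    buffer.seek(0)
    return buffer


def main(argv):
    # Pass the path to ConfigAnalyzerDump.zip; without one the sample is used.
    source = argv[1] if len(argv) > 1 else build_sample_dump()
    findings = scan_dump(source)
    for f in findings:
        print(f"{f.file}:{f.line}: {f.rule}: {f.excerpt}")
    print(f"{len(findings)} credential-like value(s) found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one line should be reviewed by hand before the archive is attached to a support case.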

The editable report

After the Configuration Analyzer has run and created its reports, it can display the discovered issues in an application (based on the information in Issues.xml file), which gives you the ability to do the following:

Review issues.

Ignore issues that are verified and not considered an issue (or for other reasons), which then are removed from the list of active issues.

Review the list of ignored issues, where these can be reverted to the list of active issues.

View both ignored and active issues in the same list.

Export different views of the list of issues (active, ignored or all) to either HTML file format or to a CSV file format.

Viewing the editable report

To open and view the editable report produced by the Configuration Analyzer, do the following:

1. In the command prompt, navigate to the directory where the file ConfigAnalyzer.jar is stored.

2. To open the report, execute the following command line:

   java -jar ConfigAnalyzer.jar view

or choose the "View report…" button in the configuration dialog box.

3. Executing the command line (or choosing the "View report…" button) opens the application displaying the editable report:

The application loads the information available in the Issues.xml file that was created earlier, and presents the issues found in the editable report (in the Active issues view, which is the main view by default).

Note: If the file is not opened automatically, it can be opened by choosing File/Open..., and navigating to the file.

4. By double-clicking the issues on the list, the available details of the issue are displayed. If the issue is a global script or a job script, it will display the script corresponding to that issue, giving you a chance to review it:

If the script is verified as OK during this review, you can choose "Ignore" to ignore the issue (place it on the ignore list). Read more about ignoring of issues in the section Ignoring an issue below. Otherwise, choose "OK" to close the details and inspect your configuration.

Note: In order to be able to view the script information, the ConfigAnalyzerDump.zip file must be in the same location as the ConfigAnalyzer.jar.

Note: You will not be able to modify the script here, only review it.

Ignoring an issue

From the main view (Active issues view), you can choose to inspect issues in details and ignore certain issues that have been verified not to cause any problems in the configuration. To ignore an issue, do the following:

1. Select the "Ignore" option (check box) for the given issue in the far left column of the issue list. This will open an "Add Ignore Comment" dialog box:

Enter the name of the user ignoring this issue, and add the comment (e.g. reason why this issue is ignored) which is optional although recommended.

2. Choose "Ok" to close the dialog box and remove the issue from the list of active issues. Ignored issues are added to a new file called Ignore.xml, with the name of the user who ignored it, the comment (if entered), and the time it was ignored.

Note: An issue can also be ignored when viewing the details of the issue. To view the details, double-click the issue, and the details will be displayed in a new window. To ignore the issue, choose the "Ignore" button.

Some of the issues discovered by the Configuration Analyzer can be based on an SQL statement. For these issues, the "Add Ignore Comment" dialog box looks slightly different. You are asked to enter the same information as described above (name and comment), but you also have the option "Mark all identical SQL statements as safe":


3. Choose this option to add all statements that use the identical SQL statement to the ignore list. The ignored SQL statements will be added to the Ignore.xml file.

Note: If you choose not to select the "Mark all identical SQL statements as safe" option for the issue, then the issue is added as a regular ignored issue to the list of ignored issues. This means that if you at a later point decide to ignore all identical SQL statements, this issue will be then ignored twice. If you choose to remove the regular ignore from the ignore list, it will still be ignored by the SQL statement. Also if you try to remove all identical SQL statements from the ignore list, you have to manually remove the regularly added statement as well.

Viewing the ignored issues

To view the list of all the ignored issues, select View/Ignored issues.

In the Ignored issues view, the list of currently ignored issues is displayed. For each issue selected in the list the ignore information (ignored by, the comment and the date) is shown, along with the general issue information (category, type, description, etc).

From this view you can place the ignored issues back into the list of active issues. To do so, deselect the checkbox to the far left. The issue will disappear (be removed from the ignore list), and be displayed in the list of active issues again. Verify by inspecting the main Active issues view (choose View/Active issues).


Viewing all issues (including ignored issues)

To view all the current issues, select View/All. This will show all issues, both active and ignored:

From this view you can also ignore and place the ignored issues back into the list of active issues. To do so, select or deselect the checkbox to the far left. The issue will remain visible in this list but as active or ignored issue depending on the action performed, and it will be removed from or displayed in the list of active issues. Verify by inspecting the main Active issues view (choose View/Active issues).

Exporting the list of issues

After processing the issues, and ignoring those issues that have been verified, the new views can be exported to either an HTML or a CSV file. The export uses the view you are currently in to determine what to export, i.e. if you are in the Ignored issues view, then the list of ignored issues is exported to the selected file format. Do the following:

1. Decide what view you want to export (Active issues, Ignored issues or All) and review it.

2. Select Export/Export to HTML (or Export/Export to CSV, depending on the format you want to export to).

3. Enter the name of the file that the information is exported to. The following names are set by default:

Issues_Active.htm/Issues_Active.csv for the Active issues view

Issues_Ignored.htm/Issues_Ignored.csv for the Ignored issues view

Issues_All.htm/Issues_All.csv for the All view

4. The exported files are saved in the same directory as the ConfigAnalyzer.jar file.


Section 3: Interpreting and processing the results

This section describes how to interpret and process the issues detected by the Configuration Analyzer, presented in the files Issues.csv/htm/xml and Summary.txt. Each issue is listed with its type and category, a description, a solution suggestion and information about where the issue occurs.

Issue types

An issue type describes what type of configuration issue is discovered and reported. There is a subsection for each issue type, describing the type in detail with the following information:

To which category the type of issue belongs.

The check(s) performed by the Configuration Analyzer when considering this type of issue and the possible solution.

Limitations of the performed Configuration Analyzer check.

The following issue types are used by the Configuration Analyzer:

Not recommended: see section Issue type: Not recommended for details.

MXMEMBER_: see section Issue type: MXMEMBER_ for details.

aValue: see section Issue type: aValue for details.

uSelect: see section Issue type: uSelect for details.

Inconsistency: see section Issue type: Inconsistency for details.

Obsolete view(s): see section Issue type: Obsolete view(s) for details.

Obsolete procedure(s): see section Issue type: Obsolete procedure(s) for details.

uApplyPending: see section Issue type: uApplyPending for details.

mxi_values: see section Issue type: mxi_values for details.

Troubleshooting: see section Issue type: Troubleshooting for details.


Issue categories

The issue category indicates the severity of the issue listed in the report, i.e. how critical it is. The following categories are used by the Configuration Analyzer:

Category: Description

7.2 upgrade issue: Issue is critical, and as long as it is present the upgrade from SAP NetWeaver Identity Management 7.1 to 7.2 should not be performed. Example: missing entry type or MSKEYVALUE.

Possible 7.2 upgrade issue: Potentially critical issue, which should at least be thoroughly inspected before performing an upgrade from 7.1 to 7.2. Example: if the Configuration Analyzer is configured to analyze only a subset of data (disabling the "Check entries" option) as described on page 6.

7.2 pure mode issue: Issue is critical, and as long as it is present the upgrade to pure SAP NetWeaver Identity Management 7.2 (disabling the 7.1 compatibility option) should not be performed. Example: use of an obsolete view in an SQL statement.

Possible 7.2 pure mode issue: Potentially critical issue, which should at least be thoroughly inspected before performing an upgrade to the pure 7.2 version (before disabling the 7.1 compatibility option). Example: use of the view mxiv_sentries.

Data inconsistency issue: May not be a critical issue, but should be inspected. Example: a task linking to a missing job, i.e. a job that cannot be found.

Configuration issue: Not a critical issue, but should be inspected. Example: a task linked to a disabled job, or a job containing (a) disabled pass(es).

Performance issue: Issue may have an impact on performance. Example: use of aValue in a SELECT statement.

Troubleshooting info: This category of issues is not necessarily critical, and may not even be an error, but it deserves a closer look. It reports issues that are legal but that by experience may cause some challenges or unfortunate behavior in the configuration.


The result files

A file created by the Configuration Analyzer will typically look something like this (here using the file Issues.csv read into Microsoft Excel, where it is easy to sort and filter the issues on type or category):


Issue type: Not recommended

This issue type covers the occurrences of configuration not being configured in a recommended way.

Category

The following categories are related to this issue type:

Configuration issue

Performance issue

Possible 7.2 upgrade issue.

Check(s) performed and the solution(s)

There are four checks that are performed for this issue type, two for category Configuration issue and one for each of the two other categories.

Category: Configuration issue

Check: Check if the "Automatically create attributes" option is enabled on the identity store. The issue type is listed with the category Configuration issue if this option is enabled.

Solution: Disable the "Automatically create attributes" option if possible. It should normally not be enabled in the production environment. When the option is disabled, inserting a non-existent attribute, or adding an attribute to an entry type which is not allowed, will fail. All additional attributes must be added to the identity store manually.

Check: Check if any jobs that are linked to multiple tasks exist. The issue type is listed with the category Configuration issue if this option is enabled.

Solution: Having a job that links to multiple tasks is legal, but not recommended. If such a job fails, it is difficult to determine which task it belongs to. For supportability purposes consider rewriting, e.g. try linking the job to a task and then link the task to multiple tasks instead.

Check: Check for any scripts containing the string "{DES3}".

Solution: Any script searching for "{DES3}" to see if a string is encrypted should be rewritten to check for "{DES3" (without the terminating curly bracket). In SAP NetWeaver Identity Management version 7.2 or newer, there is more than one possible triple-DES encryption prefix, all starting with "{DES3".

Check: Check for correct script naming.

Solution: Make sure that the script is named correctly, e.g. that the name of the script matches the name of the function called in the script itself.

Category: Performance issue

Check: Check if the "Use simplified access control" option is enabled on the identity store. The issue type is listed with the category Performance issue if this option is disabled.

Solution: Enabling the "Use simplified access control" option is strongly recommended, which means that filters cannot be used to specify "Allow access for" in access control for tasks. Disabling this option degrades the performance.


Category: Possible 7.2 upgrade issue

Check: Check if the Configuration Analyzer was configured to analyze only a subset of data (i.e. skip the analysis of entries). The issue type is listed with the category Possible 7.2 upgrade issue if this option is used.

Solution: Disabling the option "Check entries" will result in the Configuration Analyzer not reading and checking the entries, which means that the check for missing MX_ENTRYTYPE and/or MSKEYVALUE on entries is not performed. This check must be run at least once and possible issues (if any) processed before performing an upgrade to SAP NetWeaver Identity Management 7.2.

Limitations

None.

Issue type: MXMEMBER_

Possible use of MXMEMBER_ attributes is reported using this issue type.

Category

Related to this issue type is category Possible 7.2 pure mode issue.

Check(s) performed and the solution(s)

There is one check performed for the category Possible 7.2 pure mode issue.

Category: Possible 7.2 pure mode issue

Check: Check for the use of MXMEMBER_ attributes. The check is performed by searching for the string "MXMEMBER_" in all constants, variables, scripts and SQL statements.

Solution: The MXMEMBER_ attributes are no longer present in the SAP NW IdM 7.2 data structure. It is still possible to write MXMEMBER_ attributes. However, if you read MXMEMBER_ attributes from an SQL statement, this statement has to be rewritten. See the SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2 for more information.

Limitations

General script limitation (see page 30).


Issue type: aValue

Any detected use of the column aValue is reported using this issue type.

Category

Related to this issue type is category Performance issue.

Check(s) performed and the solution(s)

There is one check performed for the category Performance issue.

Category: Performance issue

Check: The Configuration Analyzer detects the use of the column aValue by searching for the string "AVALUE" in all SQL statements, and following the string "SELECT" in a script, variable or constant. The issue type is listed if any are detected.

Solution: Avoid the use of aValue on the right side of a WHERE/ORDER clause. Use the SEARCHVALUE instead.

Limitations

If you have complex SQL statements, you may get false reports of this type, i.e. a report on this issue is produced but the statement is still OK.

General script limitation (see page 30).


Issue type: uSelect

Any detected use of a SELECT statement through the uSelect function call is reported using this issue type.

Category

Related to this issue type is category Performance issue.

Check(s) performed and the solution(s)

There is one check performed for the category Performance issue.

Category: Performance issue

Check: Check for the use of SELECT statements in scripts by searching for the string "SELECT" in scripts, variables and constants. This issue type is listed if any are detected.

Solution: It is possible in the code to build a string which is then executed by uSelect. The Configuration Analyzer is not able to parse this string, and therefore all usage of uSelect should be analyzed manually.

Limitations

General script limitation (see page 30).

All instances of uSelect are reported.


Issue type: Inconsistency

The inconsistencies in the configuration are reported using this issue type.

Category

The following categories are related to this issue type:

Configuration issue

Data inconsistency issue

7.2 upgrade issue

7.2 pure mode issue

Check(s) performed and the solution(s)

There are 28 checks that are performed for this issue type, several for each category.

Category: Configuration issue

Check: Check if any tasks are linked to disabled jobs.

Solution: If a task with the disabled job(s) is discovered, then either enable the job(s) or disable the task.

Check: Check if there are any tasks that are not linked to a job at all.

Solution: If an action task that is not linked to any jobs is discovered, then either link the task to a job or disable the task.

Check: Check if any jobs contain no passes.

Solution: If a job with no (enabled) passes is found, disable or delete the job, or create a pass if needed.

Check: Check if any enabled jobs are missing dispatchers.

Solution: If an enabled job has no dispatchers defined, then it will not run even if it is enabled. Define a dispatcher for the job or disable it.

Check: Check if any jobs are referencing a missing (shared) master job.

Solution: If a job references a missing shared job, then disable or delete the job.

Check: Check if a shared job references a non-existing repository definition.

Solution: If the shared job points to a non-existing repository definition, then either create the repository definition or delete the job.

Check: Check if there are any jobs that are missing the job definition.

Solution: If the job is missing a job definition, disable or delete the job.

Check: Check for entries with illegal attributes.

Solution: If you have illegal attributes defined for an entry, either remove the attributes from the entry or allow them for the given entry type.

Check: Check for entries missing mandatory attributes.

Solution: Either add the missing mandatory attributes to the entry or delete the entry.

Check: Check if any non-existing tasks are referenced.

Solution: If any references to non-existing tasks exist, correct the references.


Check: Check if any disabled tasks are referenced.

Solution: Enable the tasks or correct the references.

Check: Check if any global scripts that are not referenced exist.

Solution: If the script is not referenced by any jobs, check whether it should be referenced or not.

Check: Check if there are any scripts that are not referenced by any enabled jobs.

Solution: Check if any jobs should be referencing this script.

Check: Check if any jobs are referencing non-existing/missing global script(s).

Solution: If references to non-existing global script(s) exist, you need to check if the job really uses the script. Then either create the script or remove the reference.

Check: Check if any jobs are referencing disabled global script(s).

Solution: Either enable the script(s) or disable the job.

Check: Check if any references to missing/non-existing job(s) exist.

Solution: Correct the job reference.

Check: Check if any references to disabled job(s) exist.

Solution: Enable the job, or correct the job reference.

Category: Data inconsistency issue

Check: Check if there are any tasks linked to a missing job.

Solution: If a task that links to a job that cannot be found is detected by the Configuration Analyzer, then it is possible that the job is deleted. Link the task to a job, or disable it.

Check: Check if provisioning jobs have more than one enabled pass.

Solution: If the Configuration Analyzer discovers a provisioning job with more than one enabled pass, then disable all passes but one. The provisioning job is not allowed to have more than one active pass.

Check: Check for the job GUID mismatch (that the internal job GUID is different from the GUID stored in the database).

Solution: If a job GUID mismatch is discovered, review the job in the Identity Center Management Console and save it (choose "Apply"). This issue may have occurred if a job was copied using cut/paste in an earlier version.

Check: Check for the TaskType inconsistency for tasks. It is checked for situations where the TaskType indicates that the task is an action task but the ActionType indicates that it is not (and vice versa).

Solution: In case of discovering TaskType inconsistency for a task, try to recreate the task and remove the old one if possible.

Check: Check if two tasks with the same GUID exist.

Solution: In case of duplicate task GUID, recreate one of the tasks and delete the old one if possible.

Check: Check if two jobs with the same GUID exist.

Solution: In case of duplicate job GUID, recreate one of the jobs and then delete the old one if possible.


Category: 7.2 upgrade issue

Check: Check if any entries have no MX_ENTRYTYPE defined.

Solution: If an entry with no MX_ENTRYTYPE defined is discovered, then either the attribute must be defined for the entry or the entry must be deleted, as Identity Management 7.2 does not allow entries without an entry type.

Check: Check if any entries have no MSKEYVALUE defined.

Solution: If an entry with no MSKEYVALUE defined is discovered, then either the attribute must be defined for the entry or the entry must be deleted, as Identity Management 7.2 does not allow entries without an MSKEYVALUE.

Check: Check if any entries that are not identities are set to inactive (including the containers and contexts).

Solution: Only identities can be set to inactive. If any other entries are discovered set to inactive, either activate the entries again or delete them.

Category: 7.2 pure mode issue

Check: Check if any entries have attributes that are referring to a missing entry.

Solution: If an entry's attribute references a missing entry, then the reference needs to be deleted or the referenced entry re-created.

Check: Check if any entries have entry reference attributes with a non-numeric value.

Solution: If such an entry attribute is discovered, delete the entry reference or replace it with the correct value.

Limitations

General script limitation (see page 30).


Issue type: Obsolete view(s)

Use of obsolete views in the configuration is reported using this issue type.

Category

The categories related to this issue type are:

7.2 pure mode issue

Possible 7.2 pure mode issue

Check(s) performed and the solution(s)

There are two checks that are performed for this issue type, one for each category.

Category: 7.2 pure mode issue

Check: Search for SQL statements that refer to one or more of the views deprecated in SAP NetWeaver Identity Management 7.2. Every such SQL statement discovered is listed as this issue type (Obsolete view(s)) with the category 7.2 pure mode issue.

Solution: The solution for this issue type, independent of the category, is to rewrite the references to use the new views. See SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2 for details about which views to use instead.

Category: Possible 7.2 pure mode issue

Check: Check for possible use of the deprecated views. Search for view names in scripts, constants and variables. The issue type is listed with the category Possible 7.2 upgrade issue if any discovered.

Solution: The solution for this issue type, independent of the category, is to rewrite the references to use the new views. See SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2 for details about which views to use instead.

Limitations

General script limitation (see page 30).


Issue type: Obsolete procedure(s)

Use of obsolete procedures in the configuration is reported using this issue type.

Category

The categories related to this issue type are:

7.2 upgrade issue

Possible 7.2 upgrade issue

Check(s) performed and the solution(s)

There are two checks that are performed for this issue type, one for each category.

Category: 7.2 upgrade issue

Check: Search for SQL statements that refer to one or more of the procedures deprecated in SAP NetWeaver Identity Management 7.2. Every such SQL statement discovered is listed as this issue type (Obsolete view(s)) with the category 7.2 upgrade issue.

Solution: The procedure(s) are no longer in use.

Category: Possible 7.2 upgrade issue

Check: Check for possible use of the deprecated procedures. Search for procedure names in scripts, constants and variables. The issue type is listed with the category Possible 7.2 upgrade issue if any are discovered.

Solution: The procedure(s) are no longer in use.

Limitations

General script limitation (see page 30).


Issue type: uApplyPending

Use of uApplyPending in the configuration is reported using this issue type.

Category

Category Configuration issue is related to this issue type.

Check(s) performed and the solution(s)

There is one check performed for the category Configuration issue.

Category: Configuration issue

Check: Check for use of function uApplyPending by searching the string "uApplyPending" in scripts, constants and variables. The issue type is listed with the category Configuration issue if the Configuration Analyzer discovers any "uApplyPending" strings.

Solution: In SAP NetWeaver Identity Management 7.2, uApplyPending has no function when operating on an event task, but is causing no damage if called.

Limitations

General script limitation (see page 30).


Issue type: mxi_values

Direct references to the table mxi_values are reported using this issue type.

Category

Category Configuration issue is related to this issue type.

Check(s) performed and the solution(s)

There are two checks performed for the category Configuration issue.

Category: Configuration issue

Check: Check for any (possible) direct references to the mxi_values table, by searching for the string "mxi_values" in all constants, variables and scripts.

Solution: All references to this table should be done using a predefined view. See SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2 for information about the views.

Check: Check for any (possible) direct references to the mxi_values table, by searching for the string "mxi_values" in SQL statements.

Solution: All references to this table should be done using a predefined view. See SAP NetWeaver Identity Management Migration Guide Identity Management 7.1 to 7.2 for information about the views.

Limitations

General script limitation (see page 30).


Issue type: Troubleshooting

This issue type covers a number of issues which should be closely investigated, even though they are not necessarily incorrect. The reason to check these issues is that support experience shows that they may cause some unfortunate configuration combinations, or that they often are not optimized although they are legal.

This issue type will be reported only if the Configuration Analyzer is configured to do so, as described in section Configuring and running the Configuration Analyzer on page 4, and is mostly used for support purposes.

The following is an example of the troubleshooting issues being reported:

General limitation for script analysis

The Configuration Analyzer does not perform any syntactic or semantic checks of the scripts. The tool performs simple string searches within the scripts, which means that it does not know whether the strings found are within comments, strings, or in the code itself.
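
The effect of this limitation on the string searches listed for the individual issue types can be reproduced in a few lines of JavaScript. This is an added example, not SAP's code and not part of the original guide; it goes one step further than the guide by labelling each hit as code, comment or string. The case-insensitive matching, the JavaScript-style comment and string syntax, and the sample script (including the names z_lookup and example_view) are assumptions or constructed for illustration.

```javascript
// Added example: string-search checks in the style the guide describes, plus a
// triage pass reporting whether each hit sits in code, a comment or a string.
// Needles come from the guide; case-insensitive matching is an assumption.
const CHECKS = [
  { type: "MXMEMBER_", needle: "MXMEMBER_" },
  { type: "aValue", needle: "AVALUE", after: "SELECT" }, // only following a SELECT
  { type: "uSelect", needle: "SELECT" },
  { type: "uApplyPending", needle: "UAPPLYPENDING" },
  { type: "mxi_values", needle: "MXI_VALUES" },
  { type: "Not recommended", needle: "{DES3}" },
];

// Constructed sample script (hypothetical names z_lookup and example_view).
const SAMPLE = [
  "// TODO: stop reading MXMEMBER_MX_ROLE from mxi_values",
  "function z_lookup(Par) {",
  "  if (Par.indexOf('{DES3}') == 0) return Par; // already encrypted",
  "  var sql = 'select ' + Par + ' from example_view';",
  "  return uSelect(sql);",
  "}",
].join("\n");

// Plain substring search, blind to syntax: returns every match offset.
function naiveScan(src) {
  const upper = src.toUpperCase();
  const hits = [];
  for (const c of CHECKS) {
    const start = c.after ? upper.indexOf(c.after) : 0;
    if (start === -1) continue; // precondition string never occurs
    let at = upper.indexOf(c.needle, start);
    while (at !== -1) {
      hits.push({ type: c.type, offset: at });
      at = upper.indexOf(c.needle, at + 1);
    }
  }
  return hits;
}

// Label every character as "code", "comment" or "string" for JavaScript-style
// source (// and /* */ comments, quoted strings; regex literals are not handled).
function regions(src) {
  const kind = new Array(src.length).fill("code");
  let i = 0;
  while (i < src.length) {
    const two = src.slice(i, i + 2);
    if (two === "//" || two === "/*") {
      let end = src.indexOf(two === "//" ? "\n" : "*/", i + 2);
      end = end === -1 ? src.length : end + (two === "//" ? 0 : 2);
      while (i < end) kind[i++] = "comment";
    } else if (src[i] === '"' || src[i] === "'") {
      const quote = src[i];
      kind[i++] = "string";
      while (i < src.length && src[i] !== quote) {
        if (src[i] === "\\" && i + 1 < src.length) kind[i++] = "string";
        kind[i++] = "string";
      }
      if (i < src.length) kind[i++] = "string"; // closing quote
    } else {
      i++;
    }
  }
  return kind;
}

// Attach line number and region to each naive hit, so a review can start with
// hits in code and then look at which strings reach uSelect at run time.
function triage(src) {
  const kind = regions(src);
  return naiveScan(src).map((h) => ({
    type: h.type,
    line: src.slice(0, h.offset).split("\n").length,
    where: kind[h.offset],
  }));
}

for (const h of triage(SAMPLE)) {
  console.log(`line ${h.line}  ${h.where.padEnd(7)}  ${h.type}`);
}
```

In the constructed sample only the uSelect call is a hit in code; the column actually queried arrives in Par at run time, so no aValue issue is raised and the statement still has to be reviewed by hand.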