IDM 7.2.1

SAP connector

The SAP connector is an implementation of the Scripted Groovy Connector Toolkit that connects to any SAP system using the SAP JCo Java libraries. This chapter describes how to install and configure the scripted SAP connector, and how to test the sample scripts that are bundled with the connector.

The sample scripts illustrate the following scenarios:

  • Synchronization of users between an SAP HR module and IDM

  • Synchronization of users between IDM and an SAP (R/3) system

Before you start

  1. Download the SAP connector from the ForgeRock BackStage download site.

  2. Copy the SAP connector .jar file (sap-connector-1.5.20.9.jar ) to the openidm/connectors directory, or to the /path/to/openicf/connectors directory, if you are running the connector remotely. For example:

    cp ~/Downloads/sap-connector-1.5.20.9.jar /path/to/openidm/connectors
  3. The SAP connector requires the SAP Java Connector (JCo) libraries, version 3.0.12 or later. ForgeRock distributes the SAP connector without these JCo libraries. Before you can use the SAP connector, you must obtain the JCo libraries that correspond to your architecture.

    Copy the required SAP JCo libraries to the /path/to/openidm/lib directory. For example:

    cp sapjco3.jar /path/to/openidm/lib cp libsapjco3.so /path/to/openidm/lib
  4. Change your IDM logging configuration to log messages from the SAP connector.

    By default, IDM logs nothing for the SAP connector. To troubleshoot any issues with the connector, set the following properties in your project’s conf/logging.properties file:

    # SAP Connector Logging
    org.forgerock.openicf.connectors.sap.level=FINER
    scripts.sap.r3.level=FINER
    scripts.sap.hr.level=FINER
    scripts.sap.level=FINER

Using the SAP connector with an SAP HR system

The SAP HR sample scripts let you manage the email address and global employee UID of records in an SAP HR system.

The following sections explain how to configure IDM to use these sample scripts, how to test the connection to the SAP HR system, and how to update user records.

Setting up IDM for the SAP HR samples

  1. Create a connector configuration file for the SAP connector and place it in your project’s conf/ directory.

    You can use this sample provisioner.openicf-saphr.json as a guide.

    Edit that file with the connection details for your SAP HR system. Specifically, set at least the following properties:

    destination

    An alias to the SAP system to which you are connecting, for example, SAP1. If you are connecting to more than one SAP system, the destination property for each system must be unique.

    The sample connector configuration assumes a connection to a single SAP system, so the value for this property in the sample configuration is OPENIDM.

    asHost

    The FQDN of your SAP Application Server, for example sap.example.com.

    user

    Your SAP user account.

    password

    The password of this SAP user account.

    client

    The SAP Client number that will be used to connect to the SAP system.

    systemNumber

    The SAP system number.

    directConnection

    A boolean (true/false). If true, the connection goes directly to an SAP ABAP Application server or SAP router. If false, the connection goes to a group of SAP instances, through an SAP message server.

    sapRouter

    The IP address and port of the SAP router, if applicable. The syntax is /H/hostport], for example /H/203.0.113.0/S/3299.

    poolCapacity

    The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to 0. The default value is 1.

    For optimum performance, set this value to an integer between 5 and 10.

  2. The connector bundles a number of SAP-certified sample Groovy scripts:

    TestSAP.groovy
    SearchSAPHR.groovy
    UpdateSAPHR.groovy
    SchemaSAPHR.groovy
    EmplComm.groovy

    If necessary, you can customize these scripts to suit your deployment by extracting them from the connector JAR and updating the connector configuration to point to the new file path.

    The sample connector configuration assumes the following locations for the scripts (relative to the value of the scriptRoots property):

    "testScriptFileName" : "scripts/sap/TestSAP.groovy",
    "searchScriptFileName" : "scripts/sap/hr/SearchSAPHR.groovy",
    "updateScriptFileName" : "scripts/sap/hr/UpdateSAPHR.groovy",
    "schemaScriptFileName" : "scripts/sap/hr/SchemaSAPHR.groovy",

    The EmplComm.groovy must be placed in the same location as the Search, Update, and Schema scripts.

    The Groovy scripts belong to a specific package. The parent directory where the scripts are located must be the same as the package name. So the TestSAP.groovy script must be under a scripts/sap directory (because it belongs to the scripts/sap package) and the remaining HR scripts must be under a scripts/sap/hr directory (because they belong to the hr package).

Testing the connection to the SAP HR system

  1. Start IDM with the configuration for your SAP connector project.

    This procedure assumes that the configuration is in the default path/to/openidm directory. If your SAP project is in a different directory, use the -p option with the startup command to point to that directory:

    path/to/openidm/startup.sh
  2. Test that the connector has been configured correctly and that the SAP HR system can be reached:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --request POST \
     "http://localhost:8080/openidm/system/saphr/?_action=test"
    {
      "name" : "saphr",
      "enabled" : true,
      "config" : "config/provisioner.openicf/saphr2",
      "objectTypes" : [ "__ALL__", "employee" ],
      "connectorRef" : {
        "connectorName" : "org.forgerock.openicf.connectors.sap.SapConnector",
        "bundleName" : "org.forgerock.openicf.connectors.sap-connector",
        "bundleVersion" : "[1.5.0.0,1.6.0.0)"
      },
      "displayName" : "Sap Connector",
      "ok" : true
    }
  3. Retrieve a list of the existing users (with their employee number) in the SAP HR system:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --request GET \
     "http://localhost:8080/openidm/system/saphr/employee?_queryId=query-all-ids"
    {
      "result" : [ {
        "_id" : "00000010",
        "__NAME__" : "00000010"
      }, {
        "_id" : "00000069",
        "__NAME__" : "00000069"
      }, {
        "_id" : "00000070",
        "__NAME__" : "00000070"
      },
    ...
  4. Retrieve the complete record of an employee in the SAP HR system by including the employee’s ID in the URL.

    The following command retrieves the record for employee Maria Gonzales:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/system/saphr/employee/55099307"
    {
      "_id" : "55099307",
      "PERSONAL_DATA" : {
        "PERNO" : "55099307",
        "INFOTYPE" : "0002",
        "TO_DATE" : "Fri Dec 31 00:00:00 CET 9999",
        "FROM_DATE" : "Tue Mar 30 00:00:00 CET 1954",
        "SEQNO" : "000",
        "CH_ON" : "Thu Mar 27 00:00:00 CET 2003",
        "CHANGED_BY" : "MAYROCK",
        "LAST_NAME" : "Gonzales",
        "FIRSTNAME" : "Maria",
        "NAME_FORM" : "00",
        "FORMOFADR" : "2",
        "GENDER" : "2",
        "BIRTHDATE" : "Tue Mar 30 00:00:00 CET 1954",
        "LANGU" : "D",
        "NO_O_CHLDR" : "0",
        "BIRTHYEAR" : "1954",
        "BIRTHMONTH" : "03",
        "BIRTHDAY" : "30",
        "LASTNAME_M" : "GONZALES",
        "FSTNAME_M" : "MARIA"
      },
    ...
    }

Using the SAP connector to manage employee information (SAP HR)

The following sample commands show how the SAP connector is used to manage the email account of user Maria Gonzales, retrieved in the previous step. Management of the global UID (SYS-UNAME) works in the same way.

  1. Check if Maria Gonzales already has an email account on the SAP HR system by filtering a query on her user account for the EMAIL field:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --request GET \
     "http://localhost:8080/openidm/system/saphr/employee/55099307?_fields=EMAIL"
    {
      "_id" : "55099307",
    }

    No email account is found for Maria Gonzales.

  2. Add an email account by sending a PUT request. The JSON payload should include the email address as the value of the ID property:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --header "Content-Type: application/json" \
     --request PUT \
     --data '{
      "EMAIL": { "ID": "maria.gonzales@example.com" }
     }' \
     "http://localhost:8080/openidm/system/saphr/employee/55099307"
    {
      "_id" : "55099307",
      "EMAIL" : [ {
        "EMPLOYEENO" : "55099307",
        "SUBTYPE" : "0010",
        "VALIDEND" : "Fri Dec 31 00:00:00 CET 9999",
        "VALIDBEGIN" : "Fri March 18 00:00:00 CET 2016",
        "RECORDNR" : "000",
        "COMMTYPE" : "0010",
        "NAMEOFCOMMTYPE" : "E-mail",
        "ID" : "Maria.Gonzales@example.com"
      } ],
    …​

    By default, the connector sets the VALIDBEGIN date to the current date, and the VALIDEND date to the SAP "END" date (12/31/9999). You can specify different temporal constraints by including these properties in the JSON payload, with the format YYYYMMDD. For example:

    {
      "EMAIL": {
         "ID": "maria.gonzales@example.com"
         "VALIDBEGIN": "20160401",
         "VALIDEND": "20161231"
      }
    }
  3. To change the value of an existing email account, provide a new value for the ID.

    The JSON payload of the change request must also include the RECORDNR attribute, as well as the VALIDBEGIN and VALIDEND dates, in SAP format (YYYYMMDD).

    The following example changes Maria Gonzales' email address to maria.gonzales-admin@example.com:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --header "Content-Type: application/json" \
     --request PUT \
     --data '{
      "EMAIL": {
         "ID": "maria.gonzales-admin@example.com",
         "RECORDNR" : "000",
         "VALIDEND" : "99991231",
         "VALIDBEGIN" : "20000101"
      }
     }' \
     "http://localhost:8080/openidm/system/saphr/employee/55099307"
  4. To change the temporal constraint (VALIDEND date) of the record, include the existing VALIDEND data in the JSON payload, and specify the new end date as a value of the DELIMIT_DATE attribute.

    The following example changes the end date of Maria Gonzale’s new mail address to December 31st, 2016:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --header "Content-Type: application/json" \
     --request PUT \
     --data '{
      "EMAIL": {
         "ID": "maria.gonzales-admin@example.com",
         "RECORDNR" : "000",
         "VALIDEND" : "99991231",
         "VALIDBEGIN" : "20000101",
         "DELIMIT_DATE": "20161231"
      }
     }' \
     "http://localhost:8080/openidm/system/saphr/employee/55099307"
  5. To delete the email address of the record, send a PUT request with the current RECORDNR, VALIDBEGIN, and VALIDEND attributes, but without the ID.

    The following request removes the email address from Maria Gonzales' record:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
     --header "Accept-API-Version: resource=1.0" \
     --header "Content-Type: application/json" \
     --request PUT \
     --data '{
      "EMAIL": {
         "RECORDNR" : "000",
         "VALIDEND" : "99991231",
         "VALIDBEGIN" : "20000101"
      }
     }' \
     "http://localhost:8080/openidm/system/saphr/employee/55099307"

Using the SAP connector to manage SAP Basis System (R/3) users

The SAP Connector enables you to perform the following operations on SAP system user accounts:

  • List all users

  • List all activity groups (roles)

  • Manage user profiles

  • List all user companies

  • Obtain a user’s details

  • Create a user

  • Update a user

  • Assign roles to a user

  • Lock a user account

  • Unlock a user account

  • Delete a user account

Currently, the SAP connector cannot detect changes on the SAP system in real time. You must run a reconciliation operation to detect changes on the SAP system.

Setting up IDM for the SAP R/3 samples

  1. Create a connector configuration file for the SAP connector and place it in your project’s conf/ directory.

    You can use this sample provisioner.openicf-sapr3.json as a guide.

    Edit that file with the connection details for your SAP R/3 system. Specifically, set at least the following properties:

    destination

    An alias to the SAP system to which you are connecting, for example, SAP1. If you are connecting to more than one SAP system, the destination property for each system must be unique.

    The sample connector configuration assumes a connection to a single SAP system, MYSAP.

    asHost

    The FQDN of your SAP Application Server, for example sap.example.com.

    user

    Your SAP user account.

    password

    The password of this SAP user account.

    client

    The SAP Client number that will be used to connect to the SAP system.

    systemNumber

    The SAP system number.

    directConnection

    A boolean (true/false). If true, the connection goes directly to an SAP ABAP Application server or SAP router. If false, the connection goes to a group of SAP instances, through an SAP message server.

    sapRouter

    The IP address and port of the SAP router, if applicable. The syntax is /H/hostport], for example /H/203.0.113.0/S/3299.

    poolCapacity

    The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to 0. The default value is 1.

    For optimum performance, set this value to an integer between 5 and 10.

  2. The connector bundles a number of SAP-certified sample Groovy scripts:

    TestSAP.groovy
    SearchSAPR3.groovy
    CreateSAPR3.groovy
    UpdateSAPR3.groovy
    DeleteSAPR3.groovy
    SchemaSAPR3.groovy

    If necessary, you can customize these scripts to suit your deployment by extracting them from the connector JAR and updating the connector configuration to point to the new file path.

    The sample connector configuration assumes the following locations for the scripts (relative to the value of the scriptRoots property):

    "testScriptFileName" : "scripts/sap/TestSAP.groovy",
    "searchScriptFileName" : "scripts/sap/r3/SearchSAPR3.groovy",
    "createScriptFileName" : "scripts/sap/r3/CreateSAPR3.groovy",
    "updateScriptFileName" : "scripts/sap/r3/UpdateSAPR3.groovy",
    "deleteScriptFileName" : "scripts/sap/r3/DeleteSAPR3.groovy",
    "schemaScriptFileName" : "scripts/sap/r3/SchemaSAPR3.groovy",
    The Groovy scripts belong to a specific package. The parent directory where the scripts are located must be the same as the package name. So the TestSAP.groovy script must be under a scripts/sap directory (because it belongs to the scripts/sap package) and the R/3 scripts must be under a scripts/sap/r3 directory (because they belong to the r3 package).

Testing the connection to the SAP R/3 system

  1. Start IDM with the configuration for your SAP R/3 project.

    This procedure assumes that the configuration is in the default path/to/openidm directory. If your SAP project is in a different directory, use the -p option with the startup command to point to that directory:

    /path/to/openidm/startup.sh
  2. Test that the connector has been configured correctly and that the SAP R/3 system can be reached:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/system/mysap/?_action=test"
    {
      "name": "mysap",
      "enabled": true,
      "config": "config/provisioner.openicf/mysap",
      "objectTypes": [
        "__ALL__",
        "user",
        "activity_group",
        "company",
        "profile"
      ],
      "connectorRef": {
        "connectorName": "org.forgerock.openicf.connectors.sap.SapConnector",
        "bundleName": "org.forgerock.openicf.connectors.sap-connector",
        "bundleVersion": "[1.5.0.0,1.6.0.0)"
      },
      "displayName": "Sap Connector",
      "ok": true
    }

Using the SAP Connector to Manage SAP R/3 Users

This section provides sample commands for managing users in an SAP system.

Listing the Users in the SAP System

The following command returns a list of the existing users in the SAP system, with their IDs:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --request GET \
 "http://localhost:8080/openidm/system/mysap/user?_queryId=query-all-ids"
{
  "result": [
    {
      "_id": "BJENSEN",
      "__NAME__": "BJENSEN"
    },
    {
      "_id": "DDIC",
      "__NAME__": "DDIC"
    },
    ...
    {
      "_id": "USER4",
      "__NAME__": "USER4"
    },
    {
      "_id": "USER6",
      "__NAME__": "USER6"
    },
    {
      "_id": "USER7",
      "__NAME__": "USER7"
    }
  ],
  "resultCount": 9,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

Obtaining the Details of an SAP User

The following command uses the SAP connector to obtain a user’s details from a target SAP system:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/system/mysap/user/BJENSEN"
{
    "__NAME__": "BJENSEN",
    "__ENABLE__": true,
    "__ENABLE_DATE__": "2015-09-01",
    "__DISABLE_DATE__": "2016-09-01",
    "__LOCK_OUT__": false,
    "ADDTEL": [
        {
            "COUNTRY": "DE",
            "TELEPHONE": "19851444",
            ...
        },
        ...
    ],
    "PROFILES": [
        {
            "BAPIPROF": "T_ALM_CONF",
            ...
        }
    ],
    "ISLOCKED": {
        "WRNG_LOGON": "U",
        ...
    },
    "ACTIVITYGROUPS": [
        {
            "AGR_NAME": "MW_ADMIN",
            "FROM_DAT": "2015-07-15",
            "TO_DAT": "9999-12-31",
            "AGR_TEXT": "Middleware Administrator"
        },
        ...
    ],
    "DEFAULTS": {
        ...
    },
    "COMPANY": {
        "COMPANY": "SAP AG"
    },
    "ADDRESS": {
        ...
    },
    "UCLASS": {
        ...
    },
    "LASTMODIFIED": {
        "MODDATE": "2015-07-15",
        "MODTIME": "14:22:57"
    },
    "LOGONDATA": {
        "GLTGV": "2015-09-01",
        "GLTGB": "2016-09-01",
        ...
    },
    "_id": "BJENSEN"
}

In addition to the standard user attributes, the GET request returns the following ICF operational attributes:

  • __ENABLE__ - indicates whether the account is enabled, based on the value of the LOGONDATA attribute

  • __ENABLE_DATE__ - set to the value of LOGONDATA/GLTGV (date from which the user account is valid)

  • __DISABLE_DATE__ - set to the value of LOGONDATA/GLTGB (date to which the user account is valid)

  • __LOCK_OUT__ - indicates whether the account is locked

Creating SAP User Accounts

To create a user, you must supply at least a username and password. If you do not provide a lastname, the connector uses the value of the username.

The following command creates a new SAP user, SCARTER:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--data '{
    "__NAME__" : "SCARTER",
    "__PASSWORD__": "Passw0rd"
}' \
"http://localhost:8080/openidm/system/mysap/user/?_action=create"
{
  "_id": "SCARTER",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "__LOCK_OUT__": false,
  "ADDRESS": {
    ...
  },
  "__NAME__": "SCARTER",
  "LASTMODIFIED": {
    "MODDATE": "2016-04-20",
    "MODTIME": "04:14:29"
  },
  "UCLASS": {
    "COUNTRY_SURCHARGE": "0",
    "SUBSTITUTE_FROM": "0000-00-00",
    "SUBSTITUTE_UNTIL": "0000-00-00"
  },
  "__ENABLE__": true,
  "DEFAULTS": {
    "SPDB": "H",
    "SPDA": "K",
    "DATFM": "1",
    "TIMEFM": "0"
  },
  "LOGONDATA": {
    ...
  },
  "ISLOCKED": {
    "WRNG_LOGON": "U",
    "LOCAL_LOCK": "U",
    "GLOB_LOCK": "U",
    "NO_USER_PW": "U"
  }
}

The SAP account that is created is valid and enabled, but the password is expired by default. To log in to the SAP system, the newly created user must first provide a new password.

To create a user with a valid (non-expired) password, include the __PASSWORD_EXPIRED__ attribute in the JSON payload, with a value of false. For example:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--data '{
    "__NAME__" : "SCARTER",
    "__PASSWORD__": "Passw0rd",
    "__PASSWORD_EXPIRED__": false
}' \
"http://localhost:8080/openidm/system/mysap/user/?_action=create"

To create an account that is locked by default, include the __LOCK_OUT__ attribute in the JSON payload, with a value of true. For example:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --request POST \
 --data '{
    "__NAME__" : "SCARTER",
    "__PASSWORD__": "Passw0rd",
    "__LOCK_OUT__": true
 }' \
 "http://localhost:8080/openidm/system/mysap/user/?_action=create"
{
    "__NAME__": "SCARTER",
    "__ENABLE__": false,
    "__LOCK_OUT__": true,
    "LOGONDATA": {
        "GLTGV": "0000-00-00",
        "GLTGB": "0000-00-00",
        "USTYP": "A",
        "LTIME": "00:00:00",
        "BCODE": "2FC0D86C99AA5862",
        "CODVN": "B",
        "PASSCODE": "1DBBD983287D7CB4D8177B4333F439F808A395FA",
        "CODVC": "F",
        "PWDSALTEDHASH": "{x-issha, 1024}zrs3Zm/fX/l/KFGATp3kvOGlis3zLLiPmPVCDpJ9XF0=",
        "CODVS": "I"
    },
    "LASTMODIFIED": {
        "MODDATE": "2015-10-01",
        "MODTIME": "15:25:18"
    },
    "ISLOCKED": {
        "WRNG_LOGON": "U",
        "LOCAL_LOCK": "L",     // "L" indicates that the user is locked on the local system
        "GLOB_LOCK": "U",
        "NO_USER_PW": "U"
    },
...
Schema Used by the SAP Connector For User Accounts

For the most part, the SAP connector uses the standard SAP schema to create a user account. The most common attributes in an SAP user account are as follows:

  • ADDRESS - user address data

  • LOGONDATA - user logon data

  • DEFAULTS - user account defaults

  • COMPANY - the company to which the user is assigned

  • REF_USER - the usernames of the Reference User

  • ALIAS - an alias for the username

  • UCLASS - license-related user classification

  • LASTMODIFIED - read-only attribute that indicates the date and time that the account was last changed

  • ISLOCKED - read-only attribute that indicates the lockout status of the account

  • IDENTITY - assignment of a personal identity to the user account

  • PROFILES - any profiles assigned to the user account (see Managing User Profiles).

  • ACTIVITYGROUPS - activity groups assigned to the user

  • ADDTEL - telephone numbers assigned to the user

In addition, the SAP connector supports the following ICF operational attributes for CREATE requests:

  • LOCK_OUT

  • PASSWORD

  • PASSWORD_EXPIRED

The following example creates a user, KVAUGHAN, with all of the standard attributes:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --request POST \
 --data '{
    "__NAME__" : "KVAUGHAN",
    "__PASSWORD__": "Passw0rd",
    "__PASSWORD_EXPIRED__": false,
    "LOGONDATA": {
	       "GLTGV": "2016-04-01",
	       "GLTGB": "2016-12-01",
	       "USTYP": "A"
	   },
    "ADDRESS": {
	      "FIRSTNAME": "Katie",
	      "LASTNAME": "Vaughan",
	      "TEL1_NUMBR": "33297603177",
	      "E_MAIL": "katie.vaughan@example.com",
	      "FUNCTION": "Test User"
	   },
    "COMPANY": {
	       "COMPANY": "EXAMPLE.COM"
	   },
    "ALIAS": {
	       "USERALIAS": "KVAUGHAN"
	   }
 }' \
 "http://localhost:8080/openidm/system/mysap/user/?_action=create"
{
  "_id": "KVAUGHAN",
  "ADDRESS": {
    "PERS_NO": "0000010923",
    "ADDR_NO": "0000010765",
    "FIRSTNAME": "Katie",
    "LASTNAME": "Vaughan",
    "FULLNAME": "Katie Vaughan",
    …​
    "E_MAIL": "katie.vaughan@example.com",
    "LANGU_CR_P": "E",
    "LANGUCPISO": "EN"
  },
  "LOGONDATA": {
    "GLTGV": "2016-04-01",
    "GLTGB": "2016-12-01",
    …​
  },
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "__ENABLE__": true,
  "ADDTEL": [
    {
      …​
    }
  ],
  "ISLOCKED": {
    "WRNG_LOGON": "U",
    "LOCAL_LOCK": "U",
    "GLOB_LOCK": "U",
    "NO_USER_PW": "U"
  },
  "UCLASS": {
    "COUNTRY_SURCHARGE": "0",
    "SUBSTITUTE_FROM": "0000-00-00",
    "SUBSTITUTE_UNTIL": "0000-00-00"
  },
  "ALIAS": {
    "USERALIAS": "KVAUGHAN"
  },
  "__NAME__": "KVAUGHAN",
  "__LOCK_OUT__": false,
  "LASTMODIFIED": {
    "MODDATE": "2016-04-20",
    "MODTIME": "04:55:08"
  },
  "__ENABLE_DATE__": "2016-04-01",      // (Value of LOGONDATA/GLTGV)
  "DEFAULTS": {
    "SPDB": "H",
    "SPDA": "K",
    "DATFM": "1",
    "TIMEFM": "0"
  },
  "__DISABLE_DATE__": "2016-12-01"     // (Value of LOGONDATA/GLTGB)
}

Updating SAP User Accounts

The following sections provide sample commands for updating an existing user account.

Locking and Unlocking an Account

To lock or unlock a user’s account, send a PUT request, and set the value of the user’s __LOCK_OUT__ attribute to true.

The following example locks user KVAUGHAN’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
    "__LOCK_OUT__": true
 }' \
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"

The following example unlocks KVAUGHAN’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
    "__LOCK_OUT__": false
 }' \
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"
Updating the Standard Attributes of a User’s Account

To update a user’s standard attributes, send a PUT request to the user ID. The JSON payload must respect the structure for each attribute, as indicated in Schema Used by the SAP Connector For User Accounts.

The following command updates the ADDRESS attribute of user KVAUGHAN:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
    "ADDRESS": {
        "FIRSTNAME": "Katie",
        "LASTNAME": "Vaughan",
        "FULLNAME": "Katie Vaughan",
        "FUNCTION": "Administrator",
        "TITLE": "Company",
        "NAME": "EXAMPLE.COM",
        "CITY": "San Francisco",
        "POSTL_COD1": "94105",
        "STREET": "Sacramento St",
        "HOUSE_NO": "2912",
        "COUNTRY": "US",
        "COUNTRYISO": "US",
        "LANGU": "E",
        "LANGU_ISO": "EN",
        "REGION": "CA",
        "TIME_ZONE": "PST",
        "TEL1_NUMBR": "33297603177",
        "E_MAIL": "katie.vaughan@example.com",
        "LANGU_CR_P": "E",
        "LANGUCPISO": "EN"
    }
}' \
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"
Resetting a User’s Password

To reset the user’s password, provide the new password as the value of the __PASSWORD__ attribute, in a PUT request. The following command resets KVAUGHAN’s password to MyPassw0rd:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
    "__PASSWORD__": "MyPassw0rd"
 }' \
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"

Note that unless you set the __PASSWORD_EXPIRED__ attribute to false, the user will be required to reset her password the next time she logs into the SAP system.

The following command resets KVAUGHAN’s password to MyPassw0rd, and ensures that she does not have to reset her password the next time she logs in:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --request PUT \
 --data '{
    "__PASSWORD__": "MyPassw0rd",
    "__PASSWORD_EXPIRED__": false
 }'
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"

Deleting User Accounts

To delete a user account, send a DELETE request to the user ID. The following example deletes KVAUGHAN:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --request DELETE \
 "http://localhost:8080/openidm/system/mysap/user/KVAUGHAN"

The command returns the complete user object that was deleted.

Managing User Profiles

An SAP system uses profiles to manage authorization. The following examples demonstrate how to add, change, and remove a user’s profiles.

Creating a User With One or More Profiles

Profiles are added as an array of one or more objects.

The following command creates a user BJENSEN, with the system administrator profile (S_A.SYSTEM):

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --request POST \
 --data '{
    "__NAME__" : "BJENSEN",
    "__PASSWORD__": "Passw0rd",
    "__PASSWORD_EXPIRED__": false,
    "PROFILES": [
        {"BAPIPROF": "S_A.SYSTEM"}
    ]
 }' \
 "http://localhost:8080/openidm/system/mysap/user/?_action=create"
{
  "_id": "BJENSEN",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "PROFILES": [
    {
      "BAPIPROF": "S_A.SYSTEM",
      "BAPIPTEXT": "System administrator (Superuser)",
      "BAPITYPE": "S",
      "BAPIAKTPS": "A"
    }
  ],
  ...
  "__NAME__": "BJENSEN"
}

Note that the additional information regarding that profile is added to the user account automatically.

Updating a User’s Profiles

To update a user’s profiles, send a PUT request to the user’s ID, specifying the new profiles as an array of values for the PROFILES attribute. The values provided in the PUT request will replace the current profiles, so you must include the existing profiles in the request.

The following example adds the SAP_ALL profile to user BJENSEN’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
   "PROFILES": [
      {"BAPIPROF": "S_A.SYSTEM"},
      {"BAPIPROF": "SAP_ALL"}
      ]
}' \
 "http://localhost:8080/openidm/system/mysap/user/BJENSEN"
{
  "_id": "BJENSEN",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "PROFILES": [
    {
      "BAPIPROF": "SAP_ALL",
      "BAPIPTEXT": "All SAP System authorizations",
      "BAPITYPE": "C",
      "BAPIAKTPS": "A"
    },
    {
      "BAPIPROF": "S_A.SYSTEM",
      "BAPIPTEXT": "System administrator (Superuser)",
      "BAPITYPE": "S",
      "BAPIAKTPS": "A"
    }
  ],
 ...
  "__NAME__": "BJENSEN"
}
Removing All Profiles From a User Account

To remove all profiles from a user’s account, update the account with an empty array. The following example removes all profiles from BJENSEN’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
   "PROFILES": []
}' \
 "http://localhost:8080/openidm/system/mysap/user/BJENSEN"
"_id": "BJENSEN",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
 ...
  "__NAME__": "BJENSEN"
}

The output shows no PROFILES attribute, as this attribute is now empty for this user.

Managing User Roles

SAP user roles (or activity groups) are an alternative mechanism to grant authorization to an SAP system. Essentially, a role encapsulates a set of one or more profiles.

Roles can be granted with temporal constraints, that is, a period during which the role is valid. If no temporal constraints are specified, the SAP connector sets the FROM date to the current date and the TO date to 9999-12-31.

Creating a User With One or More Profiles

Roles are added as an array of one or more objects.

The following command creates a user SCARTER, with two roles: SAP_AUDITOR_SA_CCM_USR and SAP_ALM_ADMINISTRATOR. The auditor role has a temporal constraint, and is valid only from May 1st, 2016 to April 30th, 2017. The format of the temporal constraint is YYYY-mm-dd:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --request POST \
 --data '{
    "__NAME__" : "SCARTER",
    "__PASSWORD__": "Passw0rd",
    "__PASSWORD_EXPIRED__": false,
    "ACTIVITYGROUPS": [
        {
            "AGR_NAME": "SAP_AUDITOR_SA_CCM_USR",
            "FROM_DAT": "2016-05-01",
            "TO_DAT": "2017-04-30"
        },
        {
            "AGR_NAME": "SAP_ALM_ADMINISTRATOR"
        }
    ]
 }' \
 "http://localhost:8080/openidm/system/mysap/user/?_action=create"
{
  "_id": "SCARTER",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "PROFILES": [
    {
      "BAPIPROF": "T_ALM_CONF",
      "BAPIPTEXT": "Profile for the Role SAP_ALM_ADMINISTRATOR",
      "BAPITYPE": "G",
      "BAPIAKTPS": "A"
    }
  ],
  ...
  "ACTIVITYGROUPS": [
    {
      "AGR_NAME": "SAP_ALM_ADMINISTRATOR",
      "FROM_DAT": "2016-04-20",
      "TO_DAT": "9999-12-31",
      "AGR_TEXT": "Alert Management Administrator"
    },
    {
      "AGR_NAME": "SAP_AUDITOR_SA_CCM_USR",
      "FROM_DAT": "2016-05-01",
      "TO_DAT": "2017-04-30",
      "AGR_TEXT": "AIS - System Audit - Users and Authorizations"
    }
  ],
  "__NAME__": "SCARTER"
}

When a role is granted, the corresponding profiles are attached to the user account automatically.

Updating a User’s Roles

To update a user’s roles, send a PUT request to the user’s ID, specifying the new roles as an array of values of the ACTIVITYGROUPS attribute. The values provided in the PUT request will replace the current ACTIVITYGROUPS.

The following example removes the SAP_AUDITOR_SA_CCM_USR role and changes the temporal constraints on the SAP_ALM_ADMINISTRATOR role for SCARTER’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
  "ACTIVITYGROUPS": [
      {
      "AGR_NAME": "SAP_ALM_ADMINISTRATOR",
      "FROM_DAT": "2015-06-02",
      "TO_DAT": "2016-06-02"
      }
  ]
}' \
 "http://localhost:8080/openidm/system/mysap/user/SCARTER"
{
  "_id": "SCARTER",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  "PROFILES": [
    {
      "BAPIPROF": "T_ALM_CONF",
      "BAPIPTEXT": "Profile for the Role SAP_ALM_ADMINISTRATOR",
      "BAPITYPE": "G",
      "BAPIAKTPS": "A"
    }
  ],
  ...
  "ACTIVITYGROUPS": [
    {
      "AGR_NAME": "SAP_ALM_ADMINISTRATOR",
      "FROM_DAT": "2015-06-02",
      "TO_DAT": "2016-06-02",
      "AGR_TEXT": "Alert Management Administrator"
    }
  ],
  "__NAME__": "SCARTER"
}
Removing All Roles From a User Account

To remove all roles from a user’s account, update the value of the ACTIVITYGROUPS attribute with an empty array. The following example removes all roles from SCARTER’s account:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
 --header "Accept-API-Version: resource=1.0" \
 --header "Content-Type: application/json" \
 --header "If-Match: *" \
 --request PUT \
 --data '{
   "ACTIVITYGROUPS": []
}' \
 "http://localhost:8080/openidm/system/mysap/user/SCARTER"
{
  "_id": "SCARTER",
  "COMPANY": {
    "COMPANY": "SAP AG"
  },
  ...
  "LASTMODIFIED": {
    "MODDATE": "2016-04-21",
    "MODTIME": "04:27:00"
  },
  "__NAME__": "SCARTER"
}

The output shows no ACTIVITYGROUPS attribute, as this attribute is now empty.

Configuring the SAP Connector For SNC

The SAP connector supports an SNC (Secure Network Connection) configuration. SNC is a software layer in the SAP System architecture that provides an interface to an external security product.

For a list of the configuration properties specific to SNC, see SAP Secure Network Connection Configuration Properties.

Implementation Specifics

For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SAP connector implements the add, remove, and replace operations but the sample scripts provided with the connector implement only the replace operation. If you use these sample scripts, a PATCH request will therefore always replace the entire attribute value with the new value.

Setting Productive Passwords on the SAP System

Synchronization of passwords to the SAP system requires that you configure SNC and SSO. If you do not configure these two elements correctly, passwords that are updated by IDM are set as initial passwords rather than productive passwords, and users are forced to change their passwords on login.

  1. To configure the SAP connector to use SNC, set the sncMode property to "1".

    To configure the connector to use SSO with SNC, set the sncSSO property to "1".

  2. The logon session during which a productive password is set must be secured using the authentication method Single Sign-On (SSO) using Secure Network Communications (SNC). IDM must request and receive an SSO logon ticket from the SAP system to allow the BAPI_USER_CHANGE process to set a productive password. For more information, see SAP Note 1287410.

    To configure the connector to request this logon ticket, set the value of the x509Cert property as follows:

    • If you are using an X509 certificate to negotiate with the SAP server, set the x509Cert property to the base 64-encoded certificate.

      Note that the certificate must be a valid, CA-signed certificate. You cannot use a self-signed certificate here.

    • If you are not using an X509 certificate to negotiate with the SAP server, set the x509Cert property to null.

      In this case, the connector will use the user and password specified in the connector configuration to request the SSO logon ticket.

OpenICF Interfaces Implemented by the SAP Connector

The SAP Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Authenticate

Provides simple authentication with two parameters, presumed to be a user name and password.

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Resolve Username

Resolves an object by its username and returns the uid of the object.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Script on Resource

Runs a script on the target resource that is managed by this connector.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

SAP Connector Configuration

The SAP Connector has the following configurable properties:

Operation Script Files

Property Type Default Encrypted(1) Required(2)

createScriptFileName

String

null

The name of the file used to perform the CREATE operation.

customizerScriptFileName

String

null

No

The script used to customize some function of the connector. Read the documentation for more details.

resolveUsernameScriptFileName

String

null

The name of the file used to perform the RESOLVE_USERNAME operation.

updateScriptFileName

String

null

The name of the file used to perform the UPDATE operation.

schemaScriptFileName

String

null

The name of the file used to perform the SCHEMA operation.

authenticateScriptFileName

String

null

The name of the file used to perform the AUTHENTICATE operation.

scriptOnResourceScriptFileName

String

null

The name of the file used to perform the RUNSCRIPTONRESOURCE operation.

deleteScriptFileName

String

null

The name of the file used to perform the DELETE operation.

searchScriptFileName

String

null

The name of the file used to perform the SEARCH operation.

testScriptFileName

String

null

The name of the file used to perform the TEST operation.

syncScriptFileName

String

null

The name of the file used to perform the SYNC operation.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Groovy Engine configuration

Property Type Default Encrypted(1) Required(2)

targetDirectory

File

null

No

Directory into which to write classes.

warningLevel

int

1

No

Warning Level of the compiler

scriptExtensions

String[]

['groovy']

No

Gets the extensions used to find groovy files

scriptBaseClass

String

null

No

Base class name for scripts (must derive from Script)

scriptRoots

String[]

null

Yes

The root folder to load the scripts from. If the value is null or empty the classpath value is used.

tolerance

int

10

No

The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted.

disabledGlobalASTTransformations

String[]

null

No

Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none is disabled.

sourceEncoding

String

UTF-8

No

Encoding for source files

recompileGroovySource

boolean

false

No

If set to true recompilation is enabled

minimumRecompilationInterval

int

100

No

Sets the minimum of time after a script can be recompiled.

debug

boolean

false

No

If true, debugging code should be activated

classpath

String[]

[]

No

Classpath for use during compilation.

verbose

boolean

false

No

If true, the compiler should produce action information

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Configuration properties

Property Type Default Encrypted(1) Required(2)

customSensitiveConfiguration

GuardedString

null

Yes

No

Custom Sensitive Configuration script for Groovy ConfigSlurper

customConfiguration

String

null

No

Custom Configuration script for Groovy ConfigSlurper

x509Cert

String

null

Yes

No

The X509 certificate supplied for authentication.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Basic Configuration

Property Type Default Encrypted(1) Required(2)

asHost

String

null

Yes

The FQDN of your SAP Application Server, for example sap.example.com

gwHost

String

null

Yes

SAP gateway host name

gwServ

String

null

Yes

SAP gateway service

user

String

null

Yes

SAP Logon user

password

GuardedString

null

Yes

Yes

SAP Logon password

client

String

000

Yes

SAP client

systemNumber

String

00

Yes

SAP system number

language

String

EN

Yes

SAP Logon language

destination

String

OPENIDM

Yes

SAP JCo destination name

directConnection

boolean

true

Yes

If true, direct connection to an SAP ABAP Application server or SAP router. If false connection to a group of SAP instances through an SAP message server

sapRouter

String

null

Yes

SAP router string to use for a system protected by a firewall. (/H/host[/S/port])

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

SAP Jco Logs Configuration

Property Type Default Encrypted(1) Required(2)

trace

String

0

No

Enable/disable RFC trace (0 or 1)

cpicTrace

String

0

No

Enable/disable CPIC trace [0..3]

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Advanced Configuration

Property Type Default Encrypted(1) Required(2)

msHost

String

null

No

Specifies the host that the message server is running on

group

String

null

No

Specifies the group name of the application servers, used when you log in to a logon group that uses load balancing

msServ

String

null

No

Name of the service where the message server can be reached

r3Name

String

null

No

Specifies the name of the SAP system, used when you log in to a logon group that uses load balancing

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

SAP Secure Network Connection Configuration

Property Type Default Encrypted(1) Required(2)

sncMode

String

0

Yes

Flag used to activate SNC. Possible values are 0 (OFF) and 1 (ON).

sncQoP

String

3

No

Specifies the security level to use for the connection. Possible values are 1 - Authentication only, 2 - Integrity protection, 3 - Privacy protection, 8 - Use the value from snc/data_protection/use on the application server, 9 - Use the value from snc/data_protection/max on the application server

sncLibrary

String

null

No

Specifies the path to the external library that provides Secure Network Connection service. The default is the system-defined library as defined in the environment variable SNC_LIB.

sncPartnerName

String

null

No

Specifies the AS ABAP SNC name, for example, "p:CN=ABC, O=MyCompany, C=US". You can find the application server SNC name in the profile parameter snc/identity/as on the AS ABAP.

sncMyName

String

null

No

Specifies the connector SNC name, for example, "p:CN=OpenIDM, O=MyCompany, C=US". This parameter is optional, but you should set it to make sure that the correct SNC name is used for the connection.

sncSSO

String

0

No

Specifies whether the connection should be configured for single sign-on (SSO). Possible values are 0 (OFF) and 1 (ON).

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

JCo Connection Pool Configuration

Property Type Default Encrypted(1) Required(2)

poolCapacity

String

1

No

Maximum number of idle connections kept open by the destination. 0 = no connection pooling. Default is 1.

expirationTime

String

60000

No

Time in ms after that a free connection can be closed. Default is one minute.

maxGetTime

String

30000

No

Maximum time in ms to wait for a connection, if the maximum allowed number of connections is allocated by the pool. Default is 30 seconds.

peakLimit

String

0

No

Maximum number of active connections that can be created for a destination simultaneously. The default is 0 (unlimited).

expirationPeriod

String

60000

No

Period in ms after that the destination checks the released connections for expiration. Default is one minute

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Copyright © 2010-2022 ForgeRock, all rights reserved.