Connecting Your SAP Systems
Use the agent to register your SAP systems in order to safely extract and transmit security-related data to Access Risk Management. This data is used to identify potential risks and violations.
To register your SAP systems:
- Download the agent to your VM. The agent executable file link is provided by SailPoint Support.
- Select Install on the VM for the US/EU data server file.
- Select the ARM Agent Configuration desktop icon or go to http://localhost:5000.
- Enter your SailPoint-provided user ID and password.
- Select Add to register a new SAP system.
-
Enter your SAP system details, including the Application Server, Client Number, Instance Number, and the username and password of the SAP user with the appropriate roles.
-
Select Test Connection to check the agent’s connection to your SAP system.
- If you are using Emergency Access Management, you must edit the utilization options to use the SAP Security Audit Log.
- Select Save to integrate your SAP system to Access Risk Management.
Troubleshooting
If you can't log in with the provided sysJob ID and password, you may need to work with SailPoint support to set up a proxy server.
If you can't validate the connection to SAP, you may need to update your server's allow list.
Using a proxy server
If you are required to connect through a proxy server for external communication, such as to the Access Risk Management Cloud Service, and you are running the agent as a Windows service, you may need to manually configure the agent to communicate through it using the command-line interface (CLI).
Important
Work with SailPoint Support to set up a proxy using the following directions.
Configuring the agent to use a proxy server:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- From a CLI with administrative access, navigate to the Agent binary folder. This folder will have the file SailPoint.Agents.Application.exe in it.
-
Execute the following command:
cd\ C:\>cd program files\SailPoint ARM\Agent SailPoint.Agents.Application.exe proxy set --hostname 10.6.222.2 --port 3128 >cdHost} --port {Proxy Server Port} --username {Username (if your proxy server does not require a username, do not include this parameter)} --password {Password (if you proxy server does not require a password, do not include this parameter)}cd\Note
If your proxy server does not require a username or password, do not include that parameter.
-
Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
When you have finished using the proxy, you can remove it.
Removing the proxy:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- Delete the proxy.settings file from the parent directory of the agent.
- Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
Note
The local encryption key for securing the proxy server credentials is autogenerated based upon the machine name and several other factors. If a significant system change occurs, the encryption key may not work.
Updating your allow list
If you can’t validate the connection between the agent and SAP, verify that the SAP system info is correct. If it is correct but the connection still fails, add the following URLs to the server’s allow list:
| US Tenants | Tenants Outside the US |
|---|---|
| app.erpmaestro.com | grc-eu.erpmaestro.com |
| dashsvc.erpmaestro.com | dashsvc-eu.erpmaestro.com |
| authsvc.erpmaestro.com | authsvc-eu.erpmaestro.com |
| api.erpmaestro.com | api-eu.erpmaestro.com |
| rulebooks.erpmaestro.com | rulebooks-eu.erpmaestro.com |
| jobsvc.erpmaestro.com | jobsvc-eu.erpmaestro.com |