Monthly Archives: January 2013

BI4 SSO based on SAP BW

Steps to configure BO authentication against the SAP BW ABAP stack:
– create the BO certificates
– configure BO for SAP authentication in the Central Management Console
– import the BO certificate into SAP BW
– modify the BO configuration files to enable SAP authentication

1) At the BO server OS level, issue the following commands to create the certificate files.
Replace the CN value with the BO server name; the alias can be whatever you want, and xxxxxxxxxxxx is the keystore password. The first command writes keystore.p12 in the current directory; the second exports its public certificate to cert.der.

cd "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib"
"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java" -jar PKCS12Tool.jar -alias mywin -storepass xxxxxxxxxx -dname CN=VORANGE
"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool" -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias mywin

2) In the SAP BO Central Management Console, select Authentication, then SAP.
In the first tab, Entitlement Systems, enter the SAP BW server information and click the Update button.
In the Options tab, tick SAP Authentication and enter the SAP BW logical system. If no logical system is listed yet, you can enter it again at the end.
At the bottom of the Options tab, upload the keystore.p12 file generated in step 1, enter the password and the alias, then click the Update button.
3) Import the SAP BW roles relevant for BO access
In the Import roles tab, select only the relevant roles, then click the Update button.
4) Import the SAP BW users
In the User update tab, click Update now to import users and aliases.
5) Import the BO certificate into SAP
In transaction STRUSTSSO2, choose menu Certificate > Import and select the cert.der file generated in step 1.
Click the Add to certificate list button.
Click the Add to ACL button and declare it in all clients (only 000 should be needed, but I had trouble without doing it in 500 as well).
6) Check that the BO services used for SSO are running
In the CMC, select Servers, open Service Categories, select Core Services and, in the right pane, select the APS.
Right-click the APS, select Edit Common Services, and check that Security Token Service is listed. If it is not, stop the APS, add Security Token Service, then start the APS again.
7) Edit the BO configuration files so that SAP authentication is offered on the logon screen
Directory:

C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\default

File global.properties

# For turning persistent cookies on/off for the logon page.  Defaults to true if this is not present.
persistentcookies.enabled=true

# You can specify the siteminder Authentication type here.  secLDAP, secWinAD.
siteminder.authentication=secLDAP

# Set to false to disable Siteminder single sign on.
siteminder.enabled=false

# Set to true to enable other single sign on.
sso.enabled=true

# Set to true to use SAP SSO as the primary SSO mechanism
sso.sap.primary=false

# Set to true to enable immediate autologoff for SAP NetWeaver iViews
iview.autologoff=true

# The maximum number of elements in the object browser folder tree
max.tree.children.threshold=200

# Trusted authentication: session variable name to retrieve the shared secret;  Leave empty if shared secret is not passed from web session
trusted.auth.shared.secret=

# Trusted authentication: set Header/URL parameter/Cookie/Session variable name to retrieve username.  No need to set for REMOTE_USER or USER_PRINCIPAL.
trusted.auth.user.param=

# Trusted authentication: set to true to prefix external user name to secExternal:<username>; Leave empty if external user name is mapped to same user name
trusted.auth.user.namespace.enabled=

# Trusted authentication: set how to retrieve userID.  Set to "REMOTE_USER" for HttpServletRequest.getRemoteUser().  Set to "HTTP_HEADER" for HTTP header.  Set to "QUERY_STRING" for URL query string.  Set to "COOKIE" for cookie.  Set to "WEB_SESSION" for web session.  Set to "USER_PRINCIPAL" for user principal.  Reset to empty to disable trusted authentication.
trusted.auth.user.retrieval=

# Set to true to enable Vintela single sign on.
vintela.enabled=false
idm.realm=YOUR_REALM
idm.princ=YOUR_PRINCIPAL
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

#whether or not to show the warning dialog with the message that the session will expire soon in CMC
pinger.showWarningDialog.cmc=true

#whether or not to show the warning dialog with the message that the session will expire soon in BI launch pad
pinger.showWarningDialog.bilaunchpad=true

#how often that a web server request should be sent while the warning message is displayed.  This is important for synchronization of the warning dialog across applications.
pinger.warningPeriod.pingIncrementsInSeconds=15

#how many minutes before the session expiry that the warning dialog should be displayed, ie, give the user a 5 minute warning that the session will expire.
pinger.warningPeriod.lengthInMinutes=5

# Logoff all applications' Enterprise Sessions on web session expiry.
# You may wish to turn this off if your web servers run in a clustered environment.
logoff.on.websession.expiry=true

pinger.enabled=true

# Max number of JCo destinations cached.
system.com.sap.bip.jcomanager.destinations.maxsize=1000

# HTTP proxy server user name and password
httpproxy.username=
httpproxy.password=

# Embed secret (enter your own)
# A shared secret between a portal embedding BOE applications and the BOE application server which is used to
# determine whether BOE applications can be safely embedded in other pages.
# Make sure you change in both places.
logon.embed.secret=

# Embed timeout
# Number of seconds after which BOE applications like BI Launchpad will reject being
# embedded into a portal. Make sure the system clocks on the BOE web server and portal server machines
# are within this number of seconds of each other.
logon.embed.timeout=300

File BIlaunchpad.properties

# application name
app.name=BI launch pad
app.name.greeting=BusinessObjects
app.name.short=BI launch pad

# the name in the URL.  It must start with a '/', and it must contain exactly 1 '/'.
app.url.name=/BI

# You can specify the default Authentication types here.  secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secSAPR3

# Choose whether to let the user change the authentication type.  If it isn't shown the default authentication type from above will be used
authentication.visible=true

# You can specify the default CMS machine name here
cms.default=VORANGE:6400

# Choose whether to let the user change the CMS name
cms.visible=true

# Set to true to prompt when navigating away from a writable page in a modal dialog. Default is false
dialog.prompt.enabled=false

# Set to false to disable logon with token.
logontoken.enabled=false

# Shared Destination From Field.  Enables or Disables the From field when scheduling a object to a destination.  When the value is set to false the From field will not be rendered and the system will first attempt to get the email value from the report default, if report default is not available it will attempt to get the value from the email address on user profile of the logged on user and lastly if the user profile email address in not available it will use the job server default
SMTPFrom=true

#The URL that a logout will redirect to if the logon was an external logon (i.e. via start.do). This is optional.
url.exit=

# If the locale preference is disabled (only english languages will be used/allowed)
disable.locale.preference=false

# Allow or disallow logoff on web session expiry for external logon.
# Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true

File OpenDocument.properties

app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument

# You can specify the default Authentication types here.  secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secSAPR3

# Choose whether to let the user change the authentication type.  If it isn't shown the default authentication type from above will be used
authentication.visible=true

# You can specify the default CMS machine name here
cms.default=VCHOUX:6400

# Choose whether to let the user change the CMS name.  If it isn't shown the default System from above will be used
cms.visible=true

# Set to false to disable logon with token.
logontoken.enabled=true

# Allow or disallow logoff on web session expiry for external logon.
# Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true
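As an added check for step 7 (example code written for this page, not SAP's tooling), the following Python script parses the three properties files with a minimal java.util.Properties reader and reports settings that would stop SAP authentication from being offered, that enable a competing SSO mechanism, or that point the web applications at different CMS hosts. The sample contents are constructed, shortened copies of the keys shown above; the checks encode the settings this post uses (sso.enabled=true, authentication.default=secSAPR3), not an SAP-documented rule set.

```python
"""Lint BI 4 web-tier .properties files for the SAP SSO settings shown above.
Added example, not SAP tooling. Sample file contents are constructed."""
import re
from typing import Dict, List

# Constructed sample files (shortened copies of the keys shown in the post).
SAMPLE_GLOBAL = """\
# Set to false to disable Siteminder single sign on.
siteminder.enabled=false
# Set to true to enable other single sign on.
sso.enabled=true
sso.sap.primary=false
trusted.auth.user.retrieval=
vintela.enabled=false
logoff.on.websession.expiry=true
"""

SAMPLE_APPS = {
    "BIlaunchpad.properties": "authentication.default=secSAPR3\n"
                              "authentication.visible=true\ncms.default=VORANGE:6400\n",
    "OpenDocument.properties": "authentication.default=secSAPR3\n"
                               "cms.default=VCHOUX:6400\nlogontoken.enabled=true\n",
}

# key, optional '=' or ':' separator, value (whitespace around both is ignored)
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators and
    trailing-backslash line continuation. Other escapes are not needed for these files."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    if pending:                          # file ended on a continuation line
        m = _KV.match(pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_sap_sso(global_text: str, app_texts: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the files match the SAP SSO setup in the post."""
    findings: List[str] = []
    g = parse_properties(global_text)
    if g.get("sso.enabled") != "true":
        findings.append("global.properties: sso.enabled must be true, otherwise SAP SSO is ignored")
    # Other SSO mechanisms intercept the logon before SAP authentication; flag them for review.
    for key in ("siteminder.enabled", "vintela.enabled"):
        if g.get(key) == "true":
            findings.append(f"global.properties: {key}=true competes with SAP SSO")
    if g.get("trusted.auth.user.retrieval"):
        findings.append("global.properties: trusted authentication is active alongside SAP SSO")
    cms_by_app: Dict[str, str] = {}
    for name, text in app_texts.items():
        a = parse_properties(text)
        if a.get("authentication.default") != "secSAPR3":
            findings.append(f"{name}: authentication.default should be secSAPR3 to offer SAP logon by default")
        cms = a.get("cms.default", "")
        if not re.fullmatch(r"[A-Za-z0-9._-]+:\d+", cms):
            findings.append(f"{name}: cms.default must be host:port, got {cms!r}")
        cms_by_app[name] = cms
    # Every web application should talk to the same CMS; a mismatch usually means a copied file.
    if len(set(cms_by_app.values())) > 1:
        findings.append("cms.default differs between application files: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(cms_by_app.items())))
    return findings


if __name__ == "__main__":
    for finding in lint_sap_sso(SAMPLE_GLOBAL, SAMPLE_APPS):
        print("WARNING:", finding)
```

To run it against a real installation, read the files from the config\default directory shown above; BI 4 also honours overrides placed in the sibling config\custom directory, so lint both locations and let a custom value win over the default one.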

Issuer of SSO ticket is not authorized

I got an HTTP 500 error in SAP EP when I tried to launch BEx reports or tools, with the error message "Issuer of SSO ticket is not authorized".
In my case it is because the portal certificate is no longer valid in the ABAP stack.

Solution 1
Import the portal certificate again into the ABAP stack.
Start Visual Admin and select Services > Key Storage. Select TicketKeystore in Views, select SAPLogonTicketKeypair-cert in Entries, then click the Export button and save the file. This is the public portal certificate that we will import into the ABAP stack.
In transaction STRUSTSSO2, I chose to delete everything after having saved the other relevant certificates (for example the one for BO).
Select System PSE, right-click, Create, then OK or Save.
Then import the public portal certificate again, add it to the certificate list, and add it to the ACL using SID TBI and system number (client) 500. Save and check the whole thing.
Then import the BO certificate again, add it to the certificate list and add it to the ACL using SID TBI and client 000. Save.
Everything should be OK.

Solution 2
For each certificate, declare the ACL in all clients, here 000 and 500. And it works!
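Before importing cert.der into STRUSTSSO2 (step 5 of the first post), and when chasing the "Issuer of SSO ticket is not authorized" error above, it helps to read the certificate's subject CN and validity dates rather than guess. The following Python script is an added example written for this page, not an SAP or BusinessObjects tool: it contains a minimal standard-library DER reader, and the sample certificate it builds is a constructed, unsigned shell with placeholder key and signature bytes. The CN VORANGE and the dates are made up for the demonstration.

```python
"""Read subject CN, issuer CN and validity window from a DER certificate (such as the
cert.der exported in step 1) and flag what should be fixed before importing it into
STRUSTSSO2. Added example with a minimal stdlib ASN.1 reader; the sample certificate is
a constructed, unsigned structure, not a real key pair."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# --- tiny DER encoder, used only to build the constructed sample ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                              # long-form length
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def build_sample_cert(cn: str, not_before: datetime, not_after: datetime) -> bytes:
    """Constructed X.509 v3 shell: real Name/Validity encoding, placeholder key and signature."""
    def utctime(d: datetime) -> bytes:
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = seq(der(0x31, seq(der(0x06, OID_CN), der(0x13, cn.encode("ascii")))))
    alg = seq(der(0x06, OID_SHA256_RSA), der(0x05, b""))
    tbs = seq(der(0xA0, der(0x02, b"\x02")),          # [0] version v3
              der(0x02, b"\x01"),                      # serialNumber 1
              alg, name,                               # signature, issuer
              seq(utctime(not_before), utctime(not_after)),
              name,                                    # subject
              der(0x03, b"\x00" * 9))                  # placeholder for subjectPublicKeyInfo
    return seq(tbs, alg, der(0x03, b"\x00" * 17))      # placeholder signatureValue


# --- minimal DER reader ---
def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def parse_time(tag: int, body: bytes) -> datetime:
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 maps 50-99 to 19xx and 00-49 to 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def common_name(name: bytes) -> Optional[str]:
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } and return the CN, if any."""
    for _, rdn in children(name):
        for _, attr in children(rdn):
            (_, oid), (_, value) = children(attr)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def cert_info(der_bytes: bytes) -> Dict[str, object]:
    _, cert, _ = read_tlv(der_bytes)
    fields = children(children(cert)[0][1])            # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (parse_time(t, b) for t, b in children(validity))
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "not_before": not_before, "not_after": not_after}


def check_cert(der_bytes: bytes, expected_cn: str, now: Optional[datetime] = None) -> List[str]:
    """Findings to resolve before import: CN must match the BO server name from step 1, and
    the certificate must be inside its validity window (an outdated one is the symptom above)."""
    info = cert_info(der_bytes)
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    if info["subject_cn"] != expected_cn:
        findings.append(f"subject CN is {info['subject_cn']!r}, expected {expected_cn!r}")
    if now < info["not_before"]:
        findings.append(f"certificate not valid before {info['not_before']:%Y-%m-%d}")
    elif now > info["not_after"]:
        findings.append(f"certificate expired on {info['not_after']:%Y-%m-%d}")
    elif (info["not_after"] - now).days < 30:
        findings.append(f"certificate expires on {info['not_after']:%Y-%m-%d}, renew and re-import soon")
    return findings


# Constructed sample: CN and dates are made up for the demonstration.
SAMPLE_CERT = build_sample_cert("VORANGE", utc(2012, 1, 1), utc(2013, 1, 1))

if __name__ == "__main__":
    print(cert_info(SAMPLE_CERT))
    print(check_cert(SAMPLE_CERT, "VORANGE", now=utc(2013, 1, 15)))
```

On a real file, `keytool -printcert -file cert.der` or `openssl x509 -inform der -in cert.der -noout -subject -dates` shows the same fields; the script is for cases where you want the check automated, for example a scheduled job that warns before the certificate in the ABAP ACL runs out.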