
SAP BOP_BI 4.1 Server-side Sso Setup v1.1


DESCRIPTION

How to set up server-side SSO


KLK Oleo Group SAP Project Implementation

SBOP BI SSO

Last Updated By: Kevin Ooi, 30-May-2014 Page 1 of 30

1 SAP BusinessObjects BI 4.1 Post Installation

1.1 BI Launchpad properties

1. Go to the following directory in your BI platform installation:

<INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\warfiles\webapps\BOE\WEB-INF\config\custom\

<INSTALLDIR>\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom

2. Create a new file using Notepad and save the file under the following name: BIlaunchpad.properties

3. To include the authentication options on the BI launch pad logon screen, add the following line: authentication.visible=true

4. To prompt users for the CMS name on the BI launch pad logon screen, add: cms.visible=true

5. Save and close the file.

6. Restart your web application server.

1.2 Configuration for SAP Integration transports

Since SAP BusinessObjects BI Platform 4.0, the SAP Integration Kit is already part of the installation and no longer requires a separate add-on installation. There are two sets of transport files, which can be used with BusinessObjects Enterprise Integration Kit for SAP. One set is ANSI and the other set is Unicode enabled. The set of transports you must use depends on the BASIS system your SAP system is running on. Additionally, each transport consists of a data file and a cofile, which are listed in brackets behind the transport names.


If your SAP system is running on a BASIS system earlier than 6.20, you must use the files listed below (these files are ANSI):

Open SQL Connectivity transport (K900128.r22 and R900128.r22)

Info Set Connectivity transport (K900121.r22 and R900121.r22)

Row-level Security Definition transport (K900122.r22 and R900122.r22)

Cluster Definition transport (K900123.r22 and R900123.r22)

Authentication Helpers transport (K900124.r22 and R900124.r22)

If your SAP system is running on a 6.20 BASIS system or later, you must use the files listed below (these files are Unicode enabled):

Open SQL Connectivity transport (K900732.R21 and R900732.R21)

Info Set Connectivity transport (K900688.r21 and R900688.r21)

Row-level Security Definition transport (K900689.r21 and R900689.r21)

Cluster Definition transport (K900690.r21 and R900690.r21)

Authentication Helpers transport (K900691.r21 and R900691.r21)

The following files must be used on an SAP BW system (these files are Unicode enabled):

Content Administration transport (K900722.r21 and R900722.r21)

Personalization transport (K900748.r21 and R900748.r21)

ODS Connectivity transport (K900695.r21 and R900695.r21)

If your SAP BW system has not applied SAP Note 1232751, you must use the file listed below:

MDX Query Connectivity transport (K900744.r21 and R900744.r21)

If your SAP BW system has applied SAP Note 1232751, you must use the file listed below:

MDX Query Connectivity transport (K900047.R72 and R900047.R72)

Copy the relevant data and cofiles to the /usr/sap/trans/data and /usr/sap/trans/cofiles of the relevant SAP systems (ERP / BW). Then add them to the import queue and import them using transaction STMS.
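Before copying transports to the SAP system it is worth checking that every request has both its cofile (K*) and its data file (R*) and that each lands in the right directory under /usr/sap/trans. The following is an added example, not part of the KLK guide: it parses the file names the guide lists (file type, request number, source system ID), derives the transport request name and target directory, and reports requests that cannot be imported because one half is missing. The helper names are my own; the sample file list is constructed from the guide's Unicode ERP set.

```python
"""Plan the import of SAP Integration Kit transport files (added example).
Pairs each cofile (K*) with its data file (R*), derives the transport request
name and the target directory under /usr/sap/trans."""
import re
from collections import defaultdict

# Names look like K900732.R21 (cofile) or R900732.R21 (data file):
# K/R is the file type, 900732 the request number, R21 the source system ID.
FILE_RE = re.compile(r"^([KR])(\d{6})\.([A-Za-z0-9]{3})$")

TARGET_DIR = {"K": "/usr/sap/trans/cofiles", "R": "/usr/sap/trans/data"}


def parse_transport_file(name):
    """Return (kind, request_name, target_dir); raise on an unexpected name."""
    m = FILE_RE.match(name)
    if not m:
        raise ValueError(f"not a transport file name: {name!r}")
    kind, number, sid = m.groups()
    request = f"{sid.upper()}K{number}"  # e.g. K900732.R21 -> R21K900732
    return kind, request, TARGET_DIR[kind]


def plan_import(filenames):
    """Group files by request and return (copy_plan, complete, incomplete).
    copy_plan maps each file to its target directory; a request is only
    importable via STMS when both its cofile and its data file are present."""
    by_request = defaultdict(dict)
    copy_plan = {}
    for name in filenames:
        kind, request, target = parse_transport_file(name)
        by_request[request][kind] = name
        copy_plan[name] = target
    complete = sorted(r for r, f in by_request.items() if {"K", "R"} <= set(f))
    incomplete = sorted(r for r in by_request if r not in complete)
    return copy_plan, complete, incomplete


def transport_set_for_basis(basis_release):
    """Pick the ERP transport set from the BASIS release as the guide states:
    below 6.20 use the ANSI (.r22) files, 6.20 or later the Unicode (.r21)
    files. The release is expected in SAP notation such as '6.20' or '7.40'."""
    major, minor = (int(x) for x in basis_release.split(".")[:2])
    return "ANSI" if (major, minor) < (6, 20) else "Unicode"


if __name__ == "__main__":
    # Constructed sample: the guide's Unicode ERP set with one data file missing.
    files = ["K900732.R21", "R900732.R21", "K900688.r21", "R900688.r21",
             "K900689.r21", "R900689.r21", "K900690.r21", "R900690.r21",
             "K900691.r21"]
    plan, ok, missing = plan_import(files)
    print("importable:", ok)
    print("missing a file:", missing)
```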

For ERP:


For BW:

Note: If SAPKW70102 or SAPKW71101 (or SAP Note 1232751) has been implemented, then use K900047.R72; otherwise use K900744.R21.


2 SAP BusinessObjects BI 4.1 Server-side Single Sign-On (SSO) to SAP Netweaver BI 7.40

2.1 Configuring SAP Authentication

2.1.1 Creating a User Account for BI Platform

Create a new PFCG role CRYSTAL_ENTITLEMENT in the BW system.

Adopt the SAP_USER_B template (general access for all users) and then manually add the authorization objects below.


Create a new Service user called CRYSTAL and assign the role to it.

2.2 Connecting to SAP Entitlement Systems

Before you can import roles or publish BW content to the BI platform, you must provide information about the SAP entitlement systems with which you want to integrate. BI platform uses this information to connect to the target SAP system when it determines role memberships and authenticates SAP users.

2.2.1 To Add an SAP Entitlement System

Double-click on SAP.


Click Update.

2.2.2 To verify if your entitlement system was added correctly

1. Click the Role Import tab.

2. Select the name of the entitlement system from the Logical system name list.

If the entitlement system was added correctly, the Available roles list will contain a list of roles that you can choose to import.

Tip: If no roles are visible in the Logical system name list, look for error messages on the page. These may give you the information you need to correct the problem.


2.3 Setting SAP Authentication options

2.4 Importing SAP Roles


2.4.1 To import SAP Roles

1. Go to the "Authentication" management area of the CMC.

2. Double-click the SAP link.

3. On the Options tab, select BI Viewer, BI Analyst, Concurrent users, or Named users depending on your license agreement.

Note that the option you select here does not change the number or type of user licenses that you have installed in BI platform. You must have the appropriate licenses available on your system.

4. Click Update.

5. On the Role import tab, select the appropriate entitlement system from the Logical system name list.

6. In the Available roles area, select the role(s) that you want to import, and then click Add.

7. Click Update.

Note: The Role Import was not done and left to the SBOP BI team to perform; depending on the S&A strategy and approach to be adopted. Only the CRYSTAL_ENTITLEMENT role was imported.

2.4.2 To verify that roles and users were imported correctly

1. Ensure that you know the user name and password of an SAP user who belongs to one of the roles that you just mapped to BI platform.

2. For Java BI launch pad, go to http://webserver:portnumber/BOE/BI. Replace webserver with the name of the web server and portnumber with the port number that is set up for BI platform. You may need to ask your administrator for the name of the web server, the port number, or the exact URL to enter.

3. From the Authentication Type list, select SAP.

4. Type the SAP system and system client that you want to log on to.

5. Type the user name and password of a mapped user.

6. Click Log On.

7. You should be logged on to BI launch pad as the selected user.


2.4.3 Updating of SAP Roles and users

2.5 Configuring Secure Network Connection (SNC)

This section describes how to configure SNC as part of the process of setting up SAP authentication to BI platform.

Before setting up trust between the SAP and BI platform systems, you must ensure the SIA is configured to start and run under an account that has been set up for SNC. You must also configure your SAP system to trust BI platform. It is recommended that you follow the instructions covered in the Configuring SAP server-side trust section in the Supplementary Configurations for ERP Environments chapter of this guide.


2.5.1 Configuring SAP for server-side trust

Note: This is done on the SAP Netweaver BW server!

1. From the SAP marketplace, download the SAP Cryptographic Library for all relevant platforms. Note: For more information about the Cryptographic Library, see SAP notes 711093, 597059 and 397175 on the SAP web site.

2. Ensure that you have SAP administrator credentials, both within SAP and for the machine running SAP, and administrator credentials for BI platform and the machine (or machines) it is running on.

3. On the SAP (BID) machine, copy the SAP Cryptographic Library and the SAPGENPSE tool to <DRIVE>:\usr\sap\BID\SYS\exe\uc\NTAMD64 directory (on Windows).


4. Locate the file named "ticket" that was installed with the SAP Cryptographic Library, and copy it to the <DRIVE>:\usr\sap\<SID>\<instance>\sec\ directory (on Windows).

5. Create an environment variable named SECUDIR that points to the directory where the ticket resides. Note: This variable must be accessible to the user under which SAP's disp+work process runs.


6. In the SAP GUI, go to transaction RZ10 and change the instance profile in Extended maintenance mode.

7. In profile edit mode, point SAP profile variables to the Cryptographic Library and give the SAP system a Distinguished Name (DN). These variables should follow the LDAP naming convention:

For example, for the BID system: p:CN=BID, OU=PG, O=BOBJ, C=CA. Note: The prefix p: is for the SAP Cryptographic Library. It is required when referring to the DN within SAP, but will not be visible when examining certificates in STRUST or using SAPGENPSE.


8. Enter the following profile values, substituting for your SAP system where necessary:

9. Restart your SAP instance.

10. When the system is running again, log on and go to transaction STRUST, which should now have additional entries for SNC and SSL.

11. Right-click the SNC node and click Create. The identity you specified in RZ10 should now appear.

12. Click OK.


13. To assign a password to the SNC PSE, click the lock icon. Note: Do not lose this password. You will be prompted for it by STRUST every time you view or edit the SNC PSE.

14. Save the changes. Note: If you do not save your changes, the application server will not start again when you enable SNC.

15. Return to transaction RZ10 and add the remainder of the SNC profile parameters:

16. Restart your SAP system. You must now configure BI platform for server-side trust.

2.5.2 Configuring SBOP BI platform for server-side trust

Note: This is done on the SBOP BI server!


Extract the SAPCRYPTOLIB.SAR file to a temporary folder. Then create the folder C:\Program Files\SAP\Crypto. Copy the files from ..\nt-x86_64 folder to this newly created folder. Then create a sub-folder \sec and copy the file 'ticket' from the extracted SAPCRYPTOLIB.SAR file to this folder.


Set up the environment variables:

2.5.2.1 To generate a PSE

sapgenpse.exe gen_pse -v -p BOE.pse

Pin: KLKOLEO1

DN: CN=BOE, OU=PG, O=BOBJ, C=CA

The default PSE is now created, with its own certificate.


sapgenpse.exe export_own_cert -v -p BOE.pse -o BOE.crt

Go to transaction STRUST:


Click Save.

The following certificate should now appear:


Now double-click on SNC SAPCryptolib for the BID Own Certificate.

Go to transaction SNC0.


Return to the command prompt of the SBOP BI Platform server:

sapgenpse.exe maintain_pk -v -a MySAPCert.crt -p BOE.pse

The SAP Cryptographic Library is installed on the BI platform machine. You have created a PSE that will be used by BI platform servers to identify themselves to SAP servers. SAP and the BI platform PSE have exchanged certificates. SAP permits entities with access to the BI platform PSE to perform RFC calls and password-less impersonation.

2.5.2.2 To configure PSE access

sapgenpse.exe seclogin -p BOE.pse


sapgenpse.exe maintain_pk -l

2.5.2.3 To configure SAP authentication SNC settings

After you configure PSE access, you need to configure the SAP authentication settings in the CMC.

1. Go to the "Authentication" management area of the CMC.

2. Double-click the SAP link. The entitlement systems settings appear.

3. Click the SNC settings tab on the SAP Authentication page.

4. Select your entitlement system from the Logical system name list.

5. Select Enable Secure Network Communication (SNC) under Basic Settings.

6. Enter the path for the SNC library settings in SNC library path.

7. Select a level of protection under Quality of Protection.

8. Enter the SNC name of the SAP system under Mutual authentication settings.

9. Ensure that the SNC name of the credentials under which BI platform servers run appears in the SNC name of Enterprise system field.

10. Provide the DNs of both the SAP system and the BI platform PSE.
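A common cause of a failing SNC handshake is a DN typed differently in RZ10, in the CMC and in the PSE (a stray p: prefix, different spacing or attribute-type case). The following is an added example, not part of the KLK guide, that normalises the SNC-name form used in step 7 of 2.5.1 and the DNs entered in step 10 above, and checks each side of the trust against the subject shown by STRUST or sapgenpse. The DN values are the ones the guide uses; the helper names are my own.

```python
"""Check that SNC names configured in SAP (RZ10 snc/identity/as) and in the CMC
match the subject DNs of the PSE certificates (added example)."""
from __future__ import annotations
import re

SNC_PREFIX = "p:"  # SAP Cryptographic Library prefix, not shown by STRUST/sapgenpse


def strip_snc_prefix(snc_name: str) -> str:
    """Remove the 'p:' SNC-name prefix, which is not part of the X.500 DN."""
    name = snc_name.strip()
    if name[:2].lower() == SNC_PREFIX:
        name = name[2:]
    return name.strip()


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=BID, OU=PG, O=BOBJ, C=CA' into [('CN', 'BID'), ...].
    Attribute types are case-insensitive and are upper-cased; values are
    compared exactly after trimming surrounding whitespace."""
    rdns = []
    for part in re.split(r"(?<!\\),", strip_snc_prefix(dn)):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def snc_name_matches(snc_name: str, cert_subject: str) -> bool:
    """True when the configured SNC name (with or without 'p:') names the same
    entity as the certificate subject. RDN order is significant in a DN."""
    return parse_dn(snc_name) == parse_dn(cert_subject)


def check_trust_pair(sap_snc_name, sap_subject, boe_snc_name, boe_subject):
    """Verify both sides of the server-side trust and list any mismatches."""
    problems = []
    if not snc_name_matches(sap_snc_name, sap_subject):
        problems.append("SAP system SNC name does not match its STRUST certificate")
    if not snc_name_matches(boe_snc_name, boe_subject):
        problems.append("BI platform SNC name does not match the BOE.pse certificate")
    if parse_dn(sap_subject) == parse_dn(boe_subject):
        problems.append("SAP and BI platform PSEs share one DN; they must differ")
    return problems


if __name__ == "__main__":
    # Values from the guide: RZ10 identity of the BID system and the BOE PSE.
    print(check_trust_pair("p:CN=BID, OU=PG, O=BOBJ, C=CA", "CN=BID, OU=PG, O=BOBJ, C=CA",
                           "p:CN=BOE, OU=PG, O=BOBJ, C=CA", "CN=BOE, OU=PG, O=BOBJ, C=CA"))
```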


2.5.3 To configure the SNC settings in the Central Management Console

In the optional SNC name field, type the SNC name if you have one.


2.5.4 To associate the entitlement user with an SNC name

If the Active Directory (or LDAP) Single Sign-On is configured (Client side SNC), then key in the SNC name for the users. E.g. SNC Name = p:<username>@<domain>, e.g. p:[email protected].


2.6 Setting up single sign-on to the SAP system

2.6.1 To generate the keystore file

"D:\Program Files\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java.exe" -jar PKCS12Tool.jar -keystore keystore.p12 -storepass KLKOLEO1 -alias BOE -dname CN=BOE -validity 365 -cert cert.der

The files cert.der and keystore.p12 are generated.

2.6.2 To export the public key certificate

"D:\Program Files\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool.exe" -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias BOE

keystore password: KLKOLEO1

2.6.3 Importing the certificate file into the target ABAP SAP system

Launch transaction STRUSTSSO2.


2.6.4 To set up single sign-on to the SAP database in the CMC


2.6.5 Test Login using SAP Authentication


3 Troubleshooting

Increase Apache Tomcat memory settings.