Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0




June 14, 2013
Version 2.0
Vishal Dhir, Customer Solution Adoption (CSA)

www.sap.com

TABLE OF CONTENTS

INTRODUCTION
    What is Single Sign-On
    Kerberos
HANA CONFIGURATION
BUSINESSOBJECTS CONFIGURATION
TOMCAT CONFIGURATION
BUSINESS OBJECTS CLIENTS CONFIGURATION
    Information Design Tool
    Web Intelligence Rich Client
    Web Intelligence
    Explorer
TROUBLESHOOTING
    HANA
    BusinessObjects
    Tomcat
    Network Tracing

INTRODUCTION

This whitepaper discusses how to set up SSO between SAP HANA and SAP BusinessObjects 4.0. We will set up SSO for the BI Launchpad and SSO to the HANA database (SSO to DB). Before setting up SSO, you will need to satisfy the following prerequisites:

- You are familiar with Active Directory, Kerberos, and BusinessObjects
- You have a user with read access to your Active Directory domain
- You have a user that will be used for delegation for HANA
- You have a user that will be used for delegation for BusinessObjects

To make it easier to follow the steps for setting up SSO, the following information will be used throughout this whitepaper:

- Active Directory Domain Name: mydomain.com
- Network Domain Name: mydomain.com
- HANA Server: myhanaserver.mydomain.com
- BOE Server: myboeserver.mydomain.com
- User for HANA SSO: hanasso
- User for BOE SSO: bisso
- Group in AD: mygroup
- User mapped in AD: aduser1
- User mapped in HANA: aduser1

These will need to be changed based on what you have set up and how complex your environment is.

What is Single Sign-On

Single sign-on (SSO) allows a user to log in once and gain access to multiple systems without being asked to log in again. Depending on how SSO has been set up, this could permit the user to log in to just a front-end application, or it can enable SSO all the way down to the database, in what's known as SSO to database (SSO2DB).

Kerberos

For SSO to work we will need to use Kerberos. Kerberos is a type of authentication protocol, which permits a client to authenticate with a server via a ticket. We will set up this trust between the client and server using two keytabs, one for HANA and one for BusinessObjects. A keytab is a file that contains a service principal and a key; the key needs to be set up on the client so it can authenticate with the server.

In our case we will have two keytabs:

- One for HANA, to allow SSO from HANA Studio to HANA and from BusinessObjects to HANA
- One for BusinessObjects, to allow SSO into the BI Launchpad

HANA CONFIGURATION

For detailed information on how to configure and test HANA for SSO, please refer to the following SAP Note:

- 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory

BUSINESSOBJECTS CONFIGURATION

As with the HANA configuration above, we need to trust the BusinessObjects server for authentication. That will be done by creating another keytab on the domain controller. As before, we will create the SPNs and the keytab:

    ktpass -out c:\myboeserver.keytab -princ MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM -mapuser bisso@mydomain.com -pass Password1 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
    setspn -a HTTP/MYBOESERVER bisso
    setspn -a HTTP/MYBOESERVER.MYDOMAIN.com bisso

The SPNs will differ depending on how your environment is configured. In this scenario we only have a single instance of Tomcat, and thus the SPN has been mapped to the short name and the FQDN only. To confirm which SPNs are set up, run the command:

    setspn -l bisso

Once the keytab has been created, copy it over to the BusinessObjects server. For this whitepaper, we will assume that you've placed it inside the c:\winnt folder.

For the bisso user we also need to trust it for Kerberos delegation. This is done by going to the properties of the user and setting up the trust under the delegation tab. Your security team might have the user configured for the third delegation option (delegation to specified services only), which is also OK.

On the BusinessObjects server you will need to do the following:

- Add the MYDOMAIN\bisso account to the Administrators group
- Assign the MYDOMAIN\bisso account the following four rights in the Local Security Policy (located under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Security Policy > Security Settings > Local Policies > User Rights Assignment):
    o Act as part of the Operating System
    o Log on as a Batch Job
    o Log on as a Service
    o Replace a Process Level Token
- Change the account that runs the SIA to run under the MYDOMAIN\bisso account

Now that the server-side configuration is done, BusinessObjects needs to be set up for SSO. In the Central Management Console (CMC), configure the Windows Active Directory plugin:

- Configure it for the MYDOMAIN.COM domain
- Map the group, mygroup
- Under the Authentication Options, check the Use Kerberos authentication, Cache security context, and Enable Single Sign On options as seen below.

It is important to have the correct SPN set or else SSO will not work properly. To make sure this is correct, use the same principal that we used above in the ktpass command.

TOMCAT CONFIGURATION

For this whitepaper the application server that was used is Tomcat, thus steps for this application server will be shown. For SSO to work on the BI Launchpad we need to configure the web application files to enable the Vintela SSO plugin. Before changing the configuration files, confirm that you have copied the MYBOESERVER.keytab over to the c:\winnt folder and have a backup of the files that will be changed. We won't go into the details on how to configure this; more information can be found in these two SAP Notes:

- 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
- 1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

In the BIlaunchpad.properties file, change authentication.default to secwinad as below.

To enable the Vintela filter, edit the global.properties file with your domain information and keytab information as below.

Restart Tomcat and confirm that you can SSO into the BI Launchpad with your AD user account.

BUSINESS OBJECTS CLIENTS CONFIGURATION

Thus far, we have only configured SSO for HANA and SSO into the BI Launchpad. Now we will connect the two pieces and enable SSO to database, meaning a user who logs into the BI Launchpad will have their credentials passed to HANA via the trusts that have been set up, making the user experience seamless.

Information Design Tool

To configure the Information Design Tool (IDT) for SSO, two files need to be created: krb5.ini and bsclogin.conf. These files are required to enable the Java (client) application to use Kerberos. Also, the MYBOESERVER.keytab needs to be copied over to the machine that IDT is running on (as this file enables the trust with the AD); again, place it in the c:\winnt folder. The krb5.ini below is the same as the krb5.conf that we used earlier.

Here is a sample of these two files; change them according to your company's domain and server configuration.

krb5.ini

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    MYDOMAIN.COM = MYDOMAIN.COM
    [libdefaults]
    forwardable = true
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC
    [realms]
    MYDOMAIN.COM = {
        kdc = mydc.mydomain.com
        admin_server = mydc.mydomain.com
        kpasswd_server = mydc.mydomain.com
    }

bsclogin.conf

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };
    com.businessobjects.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="c:/winnt/myboeserver.keytab"
        principal="MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM"
        debug=true;
    };

The IDT tool also has its own configuration file; therefore we need to configure it to use the krb5.ini and bsclogin.conf we created earlier by adding these two parameters:

    -Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
    -Djava.security.krb5.conf=C:\WINNT\krb5.ini

The configuration will look like:

In IDT, when the connection to HANA is created, it needs to have the Authentication Mode set to Use Single Sign On when refreshing reports at view time. Also, the user used to connect to BusinessObjects must be an AD user, as this is the user that will be used for authentication back to HANA.

Web Intelligence Rich Client

Web Intelligence (Webi) Rich Client requires no configuration once the BusinessObjects Windows AD authentication plugin has been configured. When the rich client loads, change the Authentication to Windows AD and click login.

Web Intelligence

A Web Intelligence report uses the Adaptive Processing Server (APS) for connectivity. As this is a Java process, it also needs to be configured with the krb5.ini and bsclogin.conf files. This is done through CMC > Servers, under the APS's Command Line Parameters:

    -Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
    -Djava.security.krb5.conf=C:/WINNT/krb5.ini

As Webi utilizes the connection server, we need to configure this process for SSO as well. This is done via the cs.cfg file located inside the SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\dataAccess\connectionServer folder. Under the JavaVM section, add the path to the krb5.ini and bsclogin.conf as seen below:

    <Option>-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf</Option>
    <Option>-Djava.security.krb5.conf=C:\WINNT\Krb5.ini</Option>

Explorer

For Explorer, the Master Server will need to be configured with the location of the krb5.ini and bsclogin.conf, as the master server will make a connection to HANA when you are in the Manage Spaces screen in Explorer:

    -Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
    -Djava.security.krb5.conf=C:/WINNT/krb5.ini
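The krb5.ini and bscLogin.conf pair is loaded by several JVMs (IDT, the APS, the connection server, the Explorer master server), and the principal in it has to match the one given to ktpass. The following Python check is an added example, not part of the whitepaper or of any SAP tooling; it assumes Krb5LoginModule's case-sensitive class and option names (useKeyTab, keyTab), treats enctype lists limited to RC4 or DES, like the RC4-HMAC in the sample files, as legacy, and runs on sample inputs constructed from the whitepaper's placeholder names.

```python
import re

# Constructed samples (whitepaper placeholder names); the leading space in
# principal="..." is a deliberate defect for the checker to report.
KRB5_INI = """[libdefaults]
default_realm = MYDOMAIN.COM
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
"""
BSCLOGIN_CONF = """com.businessobjects.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true useKeyTab=true keyTab="c:/winnt/myboeserver.keytab"
  principal=" MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM" debug=true;
};
"""
KTPASS_PRINC = "MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM"  # ktpass -princ
ACCEPT = "com.businessobjects.security.jgss.accept"
MODULE = "com.sun.security.auth.module.Krb5LoginModule"


def parse_krb5(text):
    """Return {section: {key: value}} for a krb5.ini / krb5.conf file."""
    sections, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif "=" in line and name is not None:
            key, _, value = (part.strip() for part in line.partition("="))
            sections.setdefault(name, {})[key] = value
    return sections


def parse_jaas(text):
    """Return {entry: {option: value}}; '_module' is the login module class."""
    entries = {}
    for entry, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', body)
        entries[entry] = {k: v.strip('"') for k, v in pairs}
        entries[entry]["_module"] = (body.split() or [""])[0]
    return entries


def check(krb5_text, jaas_text, ktpass_princ):
    """Return findings for the config pair; an empty list means consistent."""
    lib = parse_krb5(krb5_text).get("libdefaults", {})
    accept = parse_jaas(jaas_text).get(ACCEPT, {})
    out = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = lib.get(key, "").upper().split()
        if enctypes and all(e.startswith(("RC4", "ARCFOUR", "DES")) for e in enctypes):
            out.append(key + " permits only legacy ciphers")
    if accept.get("_module") != MODULE:  # Java class names are case-sensitive
        out.append("accept entry missing or login module class misspelled")
    principal = accept.get("principal", "")
    if principal != ktpass_princ:
        out.append("principal is not exactly the ktpass -princ value")
    if principal.rpartition("@")[2].strip() != lib.get("default_realm"):
        out.append("principal realm differs from default_realm")
    if accept.get("useKeyTab") != "true" or not accept.get("keyTab"):
        out.append("accept entry does not load a keytab")
    if accept.get("debug") == "true":
        out.append("debug=true is still enabled")
    return out
```

Calling check(KRB5_INI, BSCLOGIN_CONF, KTPASS_PRINC) on the constructed sample returns four findings: both enctype lists, the principal with the stray space, and the debug flag.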

TROUBLESHOOTING

HANA

If you are unable to connect via SSO using HANA Studio, the first step is to enable JDBC logging, which will give you more verbose output and may lead to a probable cause of the issue. If the JDBC trace reveals nothing, then we can enable logging on the HANA database for the authentication piece. This is done via the Trace Configuration in HANA Studio's Administration screen. The screen below shows debug tracing being enabled on the indexserver for authentication only.

Remember to disable the logging once you are done tracing.

BusinessObjects

Logging in BusinessObjects can be enabled in the client that's connecting (Webi Rich Client, for example) or on a specific service that the client is using, such as the APS. Here's an example of enabling verbose tracing for a BusinessObjects service under the TraceLog.

Tomcat

To enable more verbose logging for BI Launchpad SSO, debug settings can be enabled by setting the -D parameters on the JVM:

    -Djcsi.kerberos.debug=true
    -Dsun.security.krb5.debug=true

The above configuration is for Tomcat only; it may vary for the application server you are using.

Network Tracing

Sometimes logging the HANA and BusinessObjects client and server will not provide the answer as to why SSO is not working. In these cases, a network trace tool like Wireshark or Microsoft Network Monitor should be used to determine what is wrong and where it is wrong. In Wireshark, a filter for kerberos can be used to filter for just the Kerberos requests, whereas in Network Monitor you can load a filter just for AuthenticationTraffic.

Figures: Wireshark; Microsoft Network Monitor

Here's an example of a network capture from logging into the BI Launchpad with SSO. You can drill into each request to get more information and determine what is wrong with the SSO configuration.

© 2012 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.