Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

June 14, 2013
Version 2.0
Vishal Dhir, Customer Solution Adoption (CSA)
www.sap.com

TABLE OF CONTENTS

INTRODUCTION  3
  What is Single Sign-On  3
  Kerberos  3
HANA CONFIGURATION  3
BUSINESSOBJECTS CONFIGURATION  3
TOMCAT CONFIGURATION  5
BUSINESS OBJECTS CLIENTS CONFIGURATION  6
  Information Design Tool  7
  Web Intelligence Rich Client  8
  Web Intelligence  9
  Explorer  9
TROUBLESHOOTING  10
  HANA  10
  BusinessObjects  11
  Tomcat  11
  Network Tracing  11
INTRODUCTION

This whitepaper discusses how to set up SSO between SAP HANA and SAP BusinessObjects 4.0. We will set up SSO for the BI Launchpad and SSO to the HANA database (SSO to DB). Before setting up SSO, you will need to satisfy the following prerequisites:

- You are familiar with Active Directory, Kerberos, and BusinessObjects
- You have a user with read access to your Active Directory domain
- You have a user that will be used for delegation for HANA
- You have a user that will be used for delegation for BusinessObjects

To make it easier to follow the steps for setting up SSO, the following information will be used throughout this whitepaper:

  Active Directory Domain Name - mydomain.com
  Network Domain Name - mydomain.com
  HANA Server - myhanaserver.mydomain.com
  BOE Server - myboeserver.mydomain.com
  User for HANA SSO - hanasso
  User for BOE SSO - bisso
  Group in AD - mygroup
  User mapped in AD - aduser1
  User mapped in HANA - aduser1

These will need to be changed based on what you have set up and how complex your environment is.

What is Single Sign-On

Single sign-on (SSO) allows a user to log in once and gain access to multiple systems without being asked to log in again. Depending on how SSO has been set up, this could permit the user to log in to just a front-end application, or it can enable SSO all the way down to the database, in what's known as SSO to database (SSO2DB).

Kerberos

For SSO to work we will need to use Kerberos. Kerberos is an authentication protocol which permits a client to authenticate with a server via a ticket. We will set up this trust between the client and server using two keytabs, one for HANA and one for BusinessObjects. A keytab is a file that contains a service principal and a key; the key needs to be set up on the client so it can authenticate with the server.
In our case we will have two keytabs:

- One for HANA, to allow SSO from HANA Studio to HANA and from BusinessObjects to HANA
- One for BusinessObjects, to allow SSO into the BI Launchpad

HANA CONFIGURATION

For detailed information on how to configure and test HANA for SSO, please refer to the following SAP Note HOWTO:

  1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory

BUSINESSOBJECTS CONFIGURATION

As with the HANA configuration above, we need to trust the BusinessObjects server for authentication. That will be done by creating another keytab on the domain controller. As before, we will create the SPNs and the keytab:
  ktpass -out c:\myboeserver.keytab -princ MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM -mapuser bisso@mydomain.com -pass Password1 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
  setspn -a HTTP/MYBOESERVER bisso
  setspn -a HTTP/MYBOESERVER.MYDOMAIN.com bisso

The SPNs will differ depending on how your environment is configured. In this scenario we only have a single instance of Tomcat, and thus the SPN has been mapped to the short name and the FQDN only. To confirm which SPNs are set up, run the command:

  setspn -l bisso

Once the keytab has been created, copy it over to the BusinessObjects server. For this whitepaper, we will assume that you've placed it inside the c:\winnt folder.

The bisso user also needs to be trusted for Kerberos delegation. This is done by going to the properties of the user and setting up the trust under the Delegation tab. Your security team might have the user configured for the 3rd delegation option (delegation to specified services only), which is also OK.

On the BusinessObjects server you will need to do the following:
- Add the MYDOMAIN\bisso account to the Administrators group
- Assign the MYDOMAIN\bisso account the following four rights in the Local Security Policy (located under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Security Policy > Security Settings > Local Policies > User Rights Assignment):
  o Act as part of the Operating System
  o Log on as a Batch Job
  o Log on as a Service
  o Replace a Process Level Token
- Change the account that runs the SIA to run under the MYDOMAIN\bisso account

Now that the server-side configuration is done, BusinessObjects needs to be set up for SSO. In the Central Management Console (CMC) configure the Windows Active Directory plugin:

- Configure it for the MYDOMAIN.COM domain
- Map the group mygroup
- Under the Authentication Options, check the Use Kerberos authentication, Cache security context, and Enable Single Sign On options as seen below

It is important to have the correct SPN set or else SSO will not work properly. To make sure this is correct, use the same principal that we used above when creating the keytab with the ktpass command.

TOMCAT CONFIGURATION

For this whitepaper the application server that was used is Tomcat, thus steps for this application server will be shown. For SSO to work on the BI Launchpad we need to configure the web application files to enable the Vintela SSO plugin. Before changing the configuration files, confirm that you have copied the MYBOESERVER.keytab to the c:\winnt folder and have a backup of the files that will be changed. We won't go into the details on how to configure this; more information can be found in these two SAP Notes:

  1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
  1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

In BIlaunchpad.properties, change authentication.default to secwinad as below:
To enable the Vintela filter, edit the global.properties file as below with your domain and keytab information:

Restart Tomcat and confirm that you can SSO into the BI Launchpad with your AD user account.

BUSINESS OBJECTS CLIENTS CONFIGURATION

Thus far, we have only configured SSO for HANA and SSO into the BI Launchpad. Now we will connect the two pieces and enable SSO to database, meaning a user who logs into the BI Launchpad will have their credentials passed to HANA via the trusts that have been set up, making the user experience seamless.
Information Design Tool

To configure the Information Design Tool (IDT) for SSO, two files need to be created: krb5.ini and bsclogin.conf. These files are required to enable the Java (client) application to use Kerberos. Also, the MYBOESERVER.keytab needs to be copied over to the machine that IDT is running on (as this file enables the trust with AD); again, place it in the c:\winnt folder. The krb5.ini below is the same as the krb5.conf that we used earlier. Here is a sample of these two files; change them according to your company's domain and server configuration.

krb5.ini

  [domain_realm]
  .mydomain.com = MYDOMAIN.COM
  MYDOMAIN.COM = MYDOMAIN.COM

  [libdefaults]
  forwardable = true
  default_realm = MYDOMAIN.COM
  dns_lookup_kdc = true
  dns_lookup_realm = true
  default_tkt_enctypes = RC4-HMAC
  default_tgs_enctypes = RC4-HMAC

  [realms]
  MYDOMAIN.COM = {
    kdc = mydc.mydomain.com
    admin_server = mydc.mydomain.com
    kpasswd_server = mydc.mydomain.com
  }

bsclogin.conf

  com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
  };

  com.businessobjects.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="c:/winnt/myboeserver.keytab"
    principal="MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM"
    debug=true;
  };

The IDT tool also has its own configuration file; therefore we need to configure it to use the krb5.ini and bsclogin.conf we created earlier by adding these two parameters:

  -Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
  -Djava.security.krb5.conf=C:\WINNT\krb5.ini

The configuration will look like:
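A check worth running on the copied keytab before touching the client files, both for the keytab created with ktpass above and for the bsclogin.conf that references it: the Python script below is an added example (not part of this whitepaper and not an SAP tool) that parses the MIT v2 keytab layout, which is assumed here to be the format ktpass writes, and confirms the file holds the principal from the ktpass -princ and bsclogin.conf principal= lines with an RC4-HMAC key (etype 23), i.e. the enctype named in krb5.ini's default_tkt_enctypes. The sample keytab bytes are constructed inline with an all-zero dummy key.

```python
import struct

# Encryption type numbers (RFC 3961 / RFC 4757): ktpass -crypto RC4-HMAC-NT and krb5.ini's RC4-HMAC are etype 23.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "RC4-HMAC"}

def _counted(buf, off):  # 16-bit big-endian length followed by that many bytes -> (text, next offset)
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype), ...] for every entry of an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                        # a negative size marks a deleted slot
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", e[:2])
        strings, off = [], 2                # realm first, then ncomp name components
        for _ in range(ncomp + 1):
            s, off = _counted(e, off)
            strings.append(s)
        vno8 = e[off + 8]                   # after name_type (u32) and timestamp (u32)
        etype, klen = struct.unpack(">HH", e[off + 9:off + 13])
        off += 13 + klen                    # the key bytes themselves are not needed
        kvno = struct.unpack(">I", e[off:off + 4])[0] if off + 4 <= len(e) else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
    return entries

def check_keytab(data, principal, etype_name="RC4-HMAC"):
    """True if the keytab holds `principal` with a key of the expected enctype."""
    wanted = {v: k for k, v in ETYPE_NAMES.items()}[etype_name]
    return any(p == principal and t == wanted for p, _, t in parse_keytab(data))

def build_keytab(principal, etype, key, kvno=1):
    # Builds a one-entry MIT v2 keytab; used here only to construct sample input.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

SAMPLE_PRINCIPAL = "MYBOESERVER/bisso.mydomain.com@MYDOMAIN.COM"
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, 23, bytes(16))   # constructed sample, all-zero dummy key
```

To check the real file, pass open(r"c:\winnt\myboeserver.keytab", "rb").read() to parse_keytab and check_keytab; a principal or enctype mismatch here is the first thing to rule out when SSO fails.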
In IDT, when the connection to HANA is created, it needs to have the Authentication Mode set to "Use Single Sign On when refreshing reports at view time". Also, the user used to connect to BusinessObjects must be an AD user, as this is the user that will be used for authentication back to HANA.

Web Intelligence Rich Client

Web Intelligence (Webi) Rich Client requires no configuration once the BusinessObjects Windows AD authentication plugin has been configured. When the rich client loads, change the Authentication to Windows AD and click login.
Web Intelligence

A Web Intelligence report uses the Adaptive Processing Server (APS) for connectivity. As this is a Java process, it also needs to be configured with the krb5.ini and bsclogin.conf files. This is done through CMC > Servers, under the APS's Command Line Parameters:

  -Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
  -Djava.security.krb5.conf=C:/WINNT/krb5.ini

As Webi utilizes the Connection Server, we need to configure this process for SSO as well. This is done via the cs.cfg file located inside the SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\dataAccess\connectionServer folder. Under the JavaVM section, add the path to the krb5.ini and bsclogin.conf as seen below:

  <Option>-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf</Option>
  <Option>-Djava.security.krb5.conf=C:\WINNT\Krb5.ini</Option>

Explorer

For Explorer, the Master Server will need to be configured with the location of the krb5.ini and bsclogin.conf, as the Master Server makes a connection to HANA when you are in the Manage Spaces screen in Explorer:

  -Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
  -Djava.security.krb5.conf=C:/WINNT/krb5.ini
TROUBLESHOOTING

HANA

If you are unable to connect via SSO using HANA Studio, the first step is to enable JDBC logging, which will give you more verbose output and may point to a probable cause of the issue. If the JDBC trace reveals nothing, then we can enable logging on the HANA database for the authentication piece. This is done via the Trace Configuration in HANA Studio's Administration screen. The screen below shows debug tracing being enabled on the indexserver for authentication only.
Remember to disable the logging once you are done tracing.

BusinessObjects

Logging in BusinessObjects can be enabled in the client that's connecting (Webi Rich Client, for example) or on a specific service that the client is using, such as the APS. Here's an example of enabling verbose tracing for a BusinessObjects service under the TraceLog:

Tomcat

To enable more verbose logging for BI Launchpad SSO, debug settings can be enabled by setting the following -D parameters on the JVM:

  -Djcsi.kerberos.debug=true
  -Dsun.security.krb5.debug=true

The above configuration is for Tomcat only; it may vary for the application server you are using.

Network Tracing

Sometimes logging on the HANA and BusinessObjects client and server will not provide the answer as to why SSO is not working. In these cases, a network trace tool like Wireshark or Microsoft Network Monitor should be used to determine what is wrong and where it is wrong. In Wireshark a filter for kerberos can be used to show just the Kerberos requests, whereas in Network Monitor you can load a filter just for AuthenticationTraffic.
Wireshark:

Microsoft Network Monitor:

Here's an example of a network capture from logging into the BI Launchpad with SSO. You can drill into each request to get more information and determine what is wrong with the SSO configuration.
2012 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.