Scribd Logo
Upload

Welcome to Scribd!

  • 277 views

    SAP BI Configuration En-1

    Uploaded by

    Abhishek Tiwari
    This document provides technical configuration instructions for SAP BI4. It covers topics such as BI access credentials, post-installation configuration including memory settings, SSL and keystore configuration, user provisioning from BW to BI including entitlement systems and roles, trusted connections between BI and BW, and single sign-on configuration between BI and HANA.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    SAP BI Configuration En-1

    Uploaded by

    Abhishek Tiwari
    277 views42 pages
    This document provides technical configuration instructions for SAP BI4. It covers topics such as BI access credentials, post-installation configuration including memory settings, SSL and keystore configuration, user provisioning from BW to BI including entitlement systems and roles, trusted connections between BI and BW, and single sign-on configuration between BI and HANA.

    Original Description:

    SAP BI Configuration

    Original Title

    SAP BI Configuration en-1

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides technical configuration instructions for SAP BI4. It covers topics such as BI access credentials, post-installation configuration including memory settings, SSL and keystore configuration, user provisioning from BW to BI including entitlement systems and roles, trusted connections between BI and BW, and single sign-on configuration between BI and HANA.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    277 views42 pages

    SAP BI Configuration En-1

    Uploaded by

    Abhishek Tiwari
    This document provides technical configuration instructions for SAP BI4. It covers topics such as BI access credentials, post-installation configuration including memory settings, SSL and keystore configuration, user provisioning from BW to BI including entitlement systems and roles, trusted connections between BI and BW, and single sign-on configuration between BI and HANA.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 42
    At a glance
    Powered by AI
    The document outlines the steps to configure various aspects of the SAP BI system including memory configuration, SMTP settings, SSL, user provisioning, trusted connections, and single sign-on.

    The steps include adding service entries to /etc/services, generating a keystore file, importing certificates, and configuring Tomcat.

    The steps include generating a certificate on the BI platform, importing it into the HANA trust store, importing it into HANA security, and creating an SAML user in HANA.

    SAP BI4

    Technical Configuration

    Table des matières


    1 BI access3
    1.1 User3
    1.2 CMC3
    1.3 BI Launch pad3
    2 Post Installation4
    2.1 System Configuration Wizard4
    2.2 Configuration mémoire6
    2.3 SMTP8
    3 SSL Configuration SSL9
    3.1 /etc/service File9
    3.2 Keystore File9
    3.3 Tomcat10
    4 User Provisionning : BW to BI11
    4.1 Environments relationship11
    4.2 SimpleUsernameFormat11
    4.3 Entitlement System12
    4.3.1 Roles13
    4.3.2 Options14
    4.3.3 User Update14
    5 Trusted Connection BI / BW14
    5.1 Keystore File15
    5.2 Public Key Certificate15
    5.3 Import Certificate15
    5.4 SAP Database17
    6 Configuration SSO : BI – HANA18
    6.1 Overview18
    6.2 Generate a Certificate from BI Platform19
    6.3 Import the Certificate into the HANA Trust Store21
    6.4 Import Certificate into HANA Security22
    6.5 Create a HANA user with SAML23
    6.6 Validation24
    7 Configuration SSO : HANA - Kerberos25
    7.1 Prerequisites25
    7.1.1 Packages25
    7.1.2 Hostname resolution : verification26
    7.1.3 SAP HANA Database: several instance on one host26
    7.2 SAP HANA Database Server krb5.conf26
    7.3 Create Service User29
    7.4 Create Keytab30
    7.5 Verify Keytab32
    7.6 Definition / Test authentification32
    8 BI4: SSO setup33
    8.1 Prerequisite33
    8.2 Configuration33
    8.3 User's LDAP alias36
    8.4 Trusted Authentification37
    8.5 Linux/AD SSO38
    8.5.1 Create AD service account (already done by IT Integration)38
    8.5.2 Security Directory39
    8.6 Linux Configuration40
    8.6.1 global.properties40
    8.6.2 BIlaunchpad.properties40
    8.6.3 CmcApp.properties41
    8.6.4 OpenDocument.properties41
    8.6.5 Setup Vintela42
    1 BI access
    1.1 User
    user: Administrator
    password: ERMBoUsr2

    1.2 CMC
    http://DCDEVSAP4342:8080/BOE/CMC

    http://DCINTSAP4142:8080/BOE/CMC

    http://DCSRVSAP4042:8080/BOE/CMC

    1.3 BI Launch pad


    http://DCDEVSAP4342:8080/BOE/BI

    http://DCINTSAP4142:8080/BOE/BI

    http://DCSRVSAP4042:8080/BOE/BI
    2 Post Installation
    2.1 System Configuration Wizard

    Inside CMC, click on System Configuration


    Wizard

    Unselect following products


     Crystal Reports
     Dashboard servers
    Uncheck “Keep existing configuration”

    Initial Memory configuration : XS

    Configured memory Dev : S


    Configured memory Qual : S
    Configured memory Prod : S (to
    be adjusted when target users number will be
    known)

    Keep standard values

    Apply modifications
    Confirm (close)

    2.2 Configuration mémoire

    Inside CMC, click on Servers

    Then, click on Servers List


    Display APS.Analysis server’s proprieties

    Set memory to 2 Go in command line

    -Xmx2g

    Restart APS.Analysis server


    2.3 SMTP

    Inside CMC, click on Servers

    Select Servers List and Adaptive Job Server


    and then Destination

    Add Email Destination

    and fill with following information


     Domaine : euromaster.com
     Host : smtp-lbn.fr.erm.int
     Port : 25
    3 SSL Configuration SSL
    3.1 /etc/service File
    With user root
    QBI
    sapmsPPE 3601/tcp # SAP System
    Add following line(s) in /etc/service file
    Message Server Port

    PBI
    sapmsPKE 3601/tcp # SAP System
    Message Server Port

    3.2 Keystore File


    With user saproot

    Generate .keystore file


    cd
    /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin/

    ./keytool –genkey –alias BIDEV_tomcat –keyalg RSA

    pwd: pass4euromaster

    Alias:
     DBI alias BIDEV_tomcat

     QBI alias BIQAL_tomcat

     PBI alias BIPRD_tomcat

    File .keystore is generated in home directory

    cd

    ls -altr

    Move .keystore file in BO’s sec subdirectory

    cd

    mkdir /usr/sap/BI/sap_bobj/enterprise_xi40/sec

    mv .keystore /usr/sap/BI/sap_bobj/enterprise_xi40/sec
    3.3 Tomcat

    Backup initial configuration file


    cd /usr/sap/BI/sap_bobj/tomcat/conf

    cp server.xml server.xml.INIT

    Configuration initiale
    With user saproot

    Update configuration file by


     Uncomment following lines
    Configuration modifiée  Add parameter keystorePass with its value
     Add parameter keystoreFile with its value

    <Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystorePass="SigmaV2"
    keystoreFile="/usr/sap/BI/sap_bobj/enterprise_xi40/sec/.keystor
    e" />

    With user saproot

    Restart tomcat server


    cd /usr/sap/BI/sap_bobj

    ./tomcatshutdown.sh
    ./tomcatstartup.sh

    Logs files are availables inside directory


    /usr/sap/BI/sap_bobj/tomcat/logs

    With user saproot

    Restart BI servers

    cd /usr/sap/BI/sap_bobj

    ./stopservers
    ./startservers
    4 User Provisionning : BW to BI
    4.1 Environments relationship
    BI landscape is composed by 3 systems

    ECC landscape is composed by 4 systems

    Relationship between BI and ECC systems is manage by following tab:

    Environment BI 4 ECC
    Development DBI QKE/300
    Quality QBI PPE/300
    Production PBI PKE/300

    4.2 SimpleUsernameFormat
    With user saproot

    Stop BI servers

    cd /usr/sap/BI/sap_bobj/

    ./stopsservers

    Goto directory
    /usr/sap/BI/sap_bobj/data/.bobj/registry/64/softwar
    e/sap businessobjects/suite xi 4.0/enterprise/auth
    plugins/secsapr3

    Edit file
    .Registry

    Set the value for the parameter


    SimpleUsernameFormat to Yes, as in
    "SimpleUsernameFormat"="Yes"

    With user saproot

    Restart BI serveurs BI

    cd /usr/sap/BI/sap_bobj/

    ./startservers
    4.3 Entitlement System

    Inside CMC, click on Authentification

    And choose type « SAP »

    Fill system/client connection information

    DBI
     App.Serevr: dcintsap4131.erm.ci.erm
     Syst. Nun : 10
     Username : SDC.BATCH.EU
     Password
     Language : en

    QBI
     Message Server: dcpresap4730.erm.ci.erm
     Logon Group : ERM
     Username : SDC.BATCH.EU
     Password
     Language : en
    PBI
     Message Server: dcsrvsap4030.erm.ci.erm
     Logon Group : ERM
     Username : SDC.BATCH.EU
     Password
     Language : en

    Validate with

    Logical System Name is automatically filled

    4.3.1 Roles

    In “Role Import” tab,

    1. Select roles to be imported in BI4 system


    2. Click on UPDATE

    All users assigned to following roles will be


    considered and imported in BI (next steps)

    ZBO_Finance Remarks:
    ZBO_HRAndSafety
    ZBO_Quality Roles are available only if they are already
    ZBO_Sales assigned to SAP userid.
    ZBO_Supply
    ZC_NL_ACCOUNT_MANAGER If they are not available, it is not a show stopper
    ZC_NL_AREA_MANAGER and next steps can be done.
    ZC_NL_BUSINESS_PARTNER_CONTROL
    ZC_NL_BUSINESS_SUPPORT_CONTROL
    ZC_NL_CATEGORY_MANAGER
    ZC_NL_CENTER_MANAGER
    ZC_NL_CENTRAL_MNG_DIRECTOR
    ZC_NL_CREDIT_MANAGER
    ZC_NL_DIRECTOR_LEASING
    ZC_NL_FINANCE_DIRECTOR
    ZC_NL_FINANCE_MANAGER
    ZC_NL_HEAVY_SERVICE_DIRECTOR
    ZC_NL_HEAVY_SERVICE_SALES_SUPP
    ZC_NL_HR_ADMINISTRATOR
    ZC_NL_HR_DIRECTOR
    ZC_NL_HR_MANAGER
    ZC_NL_INTERNAL_AUDIT
    ZC_NL_MARKETING_MANAGER
    ZC_NL_MEDEW_FLEET_SUPPORT
    ZC_NL_MNG_DIRECTOR
    ZC_NL_PROCURE_DIRECTOR
    ZC_NL_PURCHAS_MANAGER
    ZC_NL_SUP_CHAIN_MANAGER

    4.3.2 Options

    In “Options” tab,

    Check “Enable SAP Authentification”

    Select Default System


     DBI : QKECLNT300
     QBI : PPECLNT300
     PBI : PKECLNT300

    Imported users have to be created as


    Concurrent users

    4.3.3 User Update

    In “User Update” tab,

    Schedule Users & Roles update

    Define a hourly job an click on

    5 Trusted Connection BI / BW
    In the next commands, replace “DBI” string depending on which system configuration is done :

     Development DBI
     Quality QBI
     Production PBI

    5.1 Keystore File

    Generate keystore file


    cd
    /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bi
    n/

    ./java -jar
    /usr/sap/BI/sap_bobj/enterprise_xi40/java/lib/PKCS12Tool.jar
    –keystore DBI_keystore.p12 -alias DBI_trust -storepass
    pass4euromaster -dname CN=DBI

    5.2 Public Key Certificate

    Exporter Keystore’s public key

    cd
    /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bi
    n/

    ./keytool -exportcert -keystore DBI_keystore.p12 -storetype


    pkcs12 –file DBI_public.cer –alias DBI_trust

    5.3 Import Certificate

    Transaction STRUSTSSO2 (client =000)

    Switch in update mode

    Select System PSE

    In certificate frame, import public key with


    Select public key file

    QKE DBI_public.cer
    PPE QBI_public.cer
    PKE PBI_public.cer

    Add certificate in certificate list

    Add certificate in in Acces Control list

    Fill with BO’s System ID (DBI / QBI / PBI)


    Fill with client 000
    Save configuration

    5.4 SAP Database

    Inside CMC, click on Authentification

    And choose type « SAP »


    In “Options” tab,

    Dans l’onglet « Options » , select default ECC


    system and

    Fill :
     BO system ID (1)
     Path and public BO certificat (1)
     Keystore’s password(1)
     Public key’s password (1)
     Keystore’s alias(1)

    (1)
    As mentioned in paragraph 5.1 and 5.2

    DBI / QBI / PBI

    6 Configuration SSO : BI – HANA

    6.1 Overview
    To setup SAML authentication, a trust must be established between the HANA and BI Platform
    System. At a high level, the steps include:

    1. Generate a certificate from BI Platform


    2. Import the certificate into the HANA Trust Store

    After that trust has been established, the last step is to setup the security on the HANA system:

    1. Import the certificate into the HANA Security


    2. Configure a SAML user with an external identity user
    3. Test the connection
    6.2 Generate a Certificate from BI Platform

    Inside CMC, click on Applications

    And then click on « Authentification HANA »


    Create a new connection

    Fill following parameters :

    Click on

    Provider name has to be the same as parameter


    saml_service_provider_name

    -----BEGIN CERTIFICATE-----
    MIICIzCCAYygAwIBAgIQCXR0HMl1fsFEb3ufOTHHTTANBgkqhkiG9w0BAQUFADBQ
    MRgwFgYDVQQDDA9IQU5BUUtFQk9CSlNBTUwxDDAKBgNVBAsMA0JPRTEMMAoGA1UE
    CgwDU0FQMQswCQYDVQQIDAJCQzELMAkGA1UEBhMCQ0EwHhcNMTcwNTI5MTIwNzA4 Save certificate in text file
    WhcNMjcwNTI3MTIwNzA4WjBQMRgwFgYDVQQDDA9IQU5BUUtFQk9CSlNBTUwxDDAK
    BgNVBAsMA0JPRTEMMAoGA1UECgwDU0FQMQswCQYDVQQIDAJCQzELMAkGA1UEBhMC
    Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANCLOcSIyXYmopqyfQAo0pb3
    HANA<SID>BOBJSAML.cer
    17qnD8VS6d8INJtiY1Ijtxd2YLcUv5njKBOPx1fOTZWBGrIP1fsyEzgys8hUhNPU
    D5I3mS/WlF4jJ+sUf9s9b4nmU6U8qBIUrJEM8cz0JfwxcjrsWkQ+Zvwmuxrv2BrB
    H3qrEFkDl+QmtjV1ZwRbAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAniHaMm4V1AXR
    iEwAdpTQsQoBVjTZw4b0OKBy/guJ9S5ZSyJYdzPkJyDS51YNMw5ap6D8SF952ZPp
    GEpfgwtStlp4d8iz8QCH7CBGV8GVtwzbszZTVaom3jPGUoU7pAOgmzFBF8DCNiBg
    tXRz5sXu3ohRJvCiiZ0IE0phjbph9Fw=
    -----END CERTIFICATE-----
    6.3 Import the Certificate into the HANA Trust Store

    To find out which trust store is used by HANA, check the


    configuration setting global.ini > [communication] >
    ssltruststore

    By default, the value is sapsrv.pse.

    This means the sapsrv.pse is located in the


    $SECUDIR/sapsrv.pse

    Access to HANA Web Dispatcher Administration

    For example QKE HANA Database:


    http://dcdevapp5102:8010/sap/hana/xs/wdisp/a
    dmin

    Select PSE Management on the left hand side

    From the Manage PSE drop down menu, select sapsrv.pse

    Select Import Certificate from the Trusted Certificates

    Copy the certificate text from the certificate generated from


    the BI Platform CMC.

    Make sure to include the -----BEGIN CERTIFICATE----- and


    -----END CERTIFICATE-----
    The certificate should appear in the Trusted Certificates
    section

    Restart the HANA system for these changes to take


    effect

    Remark : Next configuration steps can be perform before


    HANA system restart

    6.4 Import Certificate into HANA Security

    The next step is to import the same certificate into


    HANA Security.
    This step is needed to create the SAML Identity
    Provider (IdP).

    Open HANA Studio

    Expand Security Folder and select Security

    Select the SAML Identity Providers tab and

    Select the Import button


    Select .cer file

    Fill in the Identity Provider Name

    Fille Entity ID with saml_service_provider_name


    parameter value

    6.5 Create a HANA user with SAML


    Only for test purpose
    Mass users creation will be perform with bath job

    The certificate has been generated and imported into


    the truststore and also into HANA Security.
    The next step is to assign a HANA user to a BI
    Platform user.

    Open HANA Studio

    Expand Security Folder and select User

    Select the check box SAML and select Configure.

    Select Add and there should be the SAML Identity


    Provider in the list.

    Select correct IdP (available only after system


    has been restarted)
    Add an External Identity

     The External Identity is the username from


    the BI Platform system

     This name is case sensitive

    6.6 Validation

    Dans la CMC, cliquer sur Application puis

    Inside CMC, click on Application, and then


    Authentification HANA

    Use previously defined connection


    Specify the username to test : This user must
    match the External Identity user

    Test with

    Mapping du compte BO « Administrator » sur


    le compte HANA « ERM_SYSTEM »

    7 Configuration SSO : HANA - Kerberos


    7.1 Prerequisites
    7.1.1 Packages
    1. The clocks of all hosts involved are
    synchronized.
    2. On the Active Directory domain controller, Network
    Kerberos is forced to use TCP instead of UDP (see
    http://support.microsoft.com/kb/244474/en-us for
    reference)
    3. Hostname reverse lookup (/etc/hosts on the DB
    server and/or DNS record type PTR in Active
    Directory) is set up for “physical” and “virtual” DB
    server hostname(s).
    4. On the DB server, hostname resolution must be
    consistent with reverse lookup.
    5. A “virtual” hostname must actually be a DNS
    alias, while a “physical” hostname must be a
    canonical name.
    Important
    A virtual hostname aka DNS alias must be realized
    using a DNS CNAME record, while the corresponding
    physical hostname must be registered as

    Software

    Kerberos client and server librairies must be installed ;


    version should be above 1.6.3.132

    Check that kinit and ktutil tools are available


    7.1.2 Hostname resolution : verification

    for getting the FQDN of the server:


    hostname --fqdn

    for getting the respective IP address:


    hostname –ip-address

    for checking the reverse lookup:


    ~> python <<EOF
    > import socket
    > host =
    socket.gethostbyaddr('10.50.0.233') [0]
    > print host
    > EOF

    7.1.3 SAP HANA Database: several instance on one host


    It is possible to use different Kerberos configurations for different instances of the SAP HANA DB running on
    the same host. To this end, the following environment variables can be used:

    1. KRB5_CONFIG: Path to the Kerberos configuration file (default: /etc/krb5.conf)

    2. KRB5_KTNAME: Path to the Kerberos keytab file (default: /etc/krb5.keytab)

    These environment variables have to be set in the file setenv.sh and/or setenv.csh, respectively.

    Important : You have to stop and restart the sapstartsrv for making these changes effective.

    7.2 SAP HANA Database Server krb5.conf

    Backup file /etc/krb5.conf


    Initial Version:

    [libdefaults]
    # default_realm = EXAMPLE.COM
    default_realm = FR.ERM.INT

    [realms]
    # EXAMPLE.COM = {
    # kdc = kerberos.example.com
    # admin_server =
    kerberos.example.com
    # }
    FR.ERM.INT = {
    kdc = frsrvadc0006.fr.erm.int
    kdc = frsrvadc0007.fr.erm.int
    }

    [domain_realm]
    .ci.erm.int = FR.ERM.INT
    ci.erm.int = FR.ERM.INT

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server =
    FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

    yast
    Version modifiée YAST:

    [libdefaults]
    # default_realm = EXAMPLE.COM
    default_realm = FR.ERM.INT
    clockskew = 300

    [realms]
    # EXAMPLE.COM = {
    # kdc = kerberos.example.com
    # admin_server = kerberos.example.com
    # }
    FR.ERM.INT = {
    kdc = frsrvadc0006.fr.erm.int
    kdc = frsrvadc0007.fr.erm.int
    default_domain = ci.erm.int
    admin_server = frsrvadc0006.fr.erm.int
    admin_server = frsrvadc0007.fr.erm.int
    }

    [domain_realm]
    .ci.erm.int = FR.ERM.INT
    ci.erm.int = FR.ERM.INT

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server =
    FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
    [appdefaults]
    pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
    external = sshd
    use_shmem = sshd
    }

    Check connectivity between DB server and


    Active Directory

    Show ticket
    7.3 Create Service User

    Create Service User

    SEU_SAP_HANA_<SID>@fr.erm.int
    FR-ERM\ SEU_SAP_HANA_<SID>

    Check
    “User cannot change password”
    “Password never expired”

    Define Service Principal Name (SPN)


    Set value hdb/<HANA server hostname>

    PPE: hdb/dcpresap4750.ci.erm.int

    PKE: hdb/dcsrvsap4051.ci.erm.int
    hdb/dcsrvsap4052.ci.erm.int

    Verification

    On the DB server, run


    #> /usr/bin/kinit
    [email protected]
    to get a TGT for the SAP HANA database
    service user. You have to supply the
    password that was used when the service user
    account was created in AD.
    Afterwards, run klist to check the resulting
    ticket cache (example):
    #> /usr/bin/klist
    Ticket cache: FILE:/tmp/krb5cc_1003
    Default principal:
    [email protected]
    Valid starting Expires Service principal
    02/18/13 15:50:47 02/19/13 01:50:50
    krbtgt/[email protected]
    renew until 02/19/13 15:50:47

    7.4 Create Keytab

    Create Link to avoid following error message


    (only if it’s occurred)

    ln -s /usr/lib64/jvm/jre/bin/kinit /usr/bin/kinit
    As <sidadm> in directory /etc

    python /tmp/hdbkrbconf.py -k -s
    SEU_SAP_HANA_PPE

    All checks and default values should already be


    correct (depending on krb5.conf file)

    Fill service account password

    Generate krb5.keytab file in a directory in which


    one user <sid>adm has write permissions

    Move the krb5.keytab file in directory /etc

    Secure this file


    chown <sid>adm:sapsys krb5.keytab
    chmod 400 krb5.keytab
    7.5 Verify Keytab

    Check content of the keytab

    klist -k /etc/krb5.keytab -etK

    Verify consistency of the keytab

    kvno –k /etc/krb5.keytab
    hdb/dcpresap4750.ci.erm.int

    7.6 Definition / Test authentification


    8 BI4: SSO setup
    8.1 Prerequisite
    BI4 SSO is based on LDAP. To perform the setup, following information are needed.

    LDAP host name fr.erm.int:389


    and port number
    LDAP directory Microsoft Active Directory Application Server
    type
    LDAP CN=Service.EU_SAP,OU=ACCOUNTS,OU=ADMIN,OU=EU,DC=fr,DC=erm,DC=int
    distinguished
    name
    LDAP server fr-erm\seu_sap
    administrator
    credentials

    8.2 Configuration

    CMC  Authentification  LDAP

    Start configuration wizard

    Add : fr.erm.int:389

    Show Attribute Mappings


    User Name: sAMAccountName
    User search : sAMAccountName

    Rem : These modifications change LDAP Server Type to


    « custom »

    DC=fr,DC=erm,DC=int

    CN=Service.EU_SAP,OU=ACCOUNTS,OU=ADMIN,OU=EU,D
    C=fr,DC=erm,DC=int
     Assign each added LDAP alias to an account with the same
    name

     Create new aliases when the Alias Update occurs

     New users are created as concurrent users

    Clic

    Attribut Binding Option :

     Import Full Name, Email Address and other attributes

    Clic
    8.3 User's LDAP alias

    /!\ Add Europe LDAP Group

    CN=GEU.SFT.SAP.BI.ACCESS,OU=GROUPS,OU=ADMIN,OU=
    EU,DC=fr,DC=erm,DC=int

    /!\ Add each country LDAP Group

    CN=gfr.sft.sap.bi.access, OU=Soft
    groups,OU=Groups,OU=ADMIN,OU=FR,DC=fr,DC=erm,DC=in
    t

    CN=gro.sft.sap.bi.access, OU=Soft
    groups,OU=Groups,OU=ADMIN,OU=RO,DC=fr,DC=erm,DC=in
    t

    CN=gnl.sft.sap.bi.access, OU=Soft
    groups,OU=Groups,OU=ADMIN,OU=NL,DC=fr,DC=erm,DC=in
    t

    Schedule hourly user's LDAP alias updates


    Schedule hourly User's LDAP Group Updates

    8.4 Trusted Authentification

    CMC  Authentification  Enterprise

     TrustedPrincipal.conf

    Copy file TrustedPrincipal.conf


    into directory
    /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x
    64
    8.5 Linux/AD SSO
    8.5.1 Create AD service account (already done by IT Integration)

    Create user SEU_SAP_<SID>

    SEU_SAP_DBI
    SEU_SAP_QBI
    SEU_SAP_PBI

    fr.erm.int/EU/ADMIN/ACCOUNTS
    Set SPN

    HTTP/<tomcat_servername>
    HTTP/<tomcat_servername.domainname>

    Create keytab file for Service Account:

    ktpass -out bosso.keytab -princ service-account-


    [email protected] –pass service-account-
    password -kvno 255 -ptype
    KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

    ktpass -out SEU_SAP_DBI.keytab -princ


    [email protected] -pass “password” -
    kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto
    RC4-HMAC-NT

    8.5.2 Security Directory

    Create security directory under BI <sid>adm


    home directory
    /home/saproot/security

    Copy keytab file (cf. following attached file)


    inside this directory

    Set permissions 660 to directory and file

    Attached files
    8.6 Linux Configuration
    8.6.1 global.properties

    # Threshold at which the tree list control will


    Create file
    not display all the nodes but instead a 'too many
    children message' will be printed
    # Scope: global
    max.tree.children.threshold=300 /usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webap
    ps/BOE/WEB-INF/config/custom/global.properties
    # Choose whether to let the user change the #
    LEGACY SSO SETTING - Ignored when an application's
    sso.types.and.order is set
    # Set to true to enable other single sign on.
    # Scope: application /!\ Caution : no space character at end of line /!\
    sso.enabled=true

    # LEGACY SSO SETTING - Ignored when an application's


    sso.types.and.order is set
    # Trusted authentication: set how to retrieve userID.
    # Set to "REMOTE_USER" for
    HttpServletRequest.getRemoteUser().
    # Set to "HTTP_HEADER" for HTTP header.
    # Set to "QUERY_STRING" for URL query string.
    # Set to "COOKIE" for cookie.
    # Set to "WEB_SESSION" for web session.
    # Set to "USER_PRINCIPAL" for user principal.
    # Reset to empty to disable trusted authentication.
    # Scope: application
    trusted.auth.user.retrieval=QUERY_STRING

    # Trusted authentication: set Header/URL


    parameter/Cookie/Session variable name to retrieve
    username. No need to set for REMOTE_USER or
    USER_PRINCIPAL.
    # Scope: application.
    # Applicable if supported by app and included in its
    sso.types.and.order.
    # For BIP apps (CMC, BI Launchpad, OpenDocument): see
    below regarding legacy settings.
    trusted.auth.user.param=user

    # Trusted authentication: session variable name to


    retrieve the shared secret; Leave empty if shared secret
    is not passed from web session.
    # Scope: application
    # Applicable if supported by app and included in its
    sso.types.and.order.
    # For BIP apps (CMC, BI Launchpad, OpenDocument): see
    below regarding legacy settings.
    ###trusted.auth.shared.secret=secret

    Copy the file inside directory

    /usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-
    INF/config/custom

    8.6.2 BIlaunchpad.properties

    # You can specify the default Authentication Create


    types file
    here. secEnterprise, secLDAP, secWinAD, secSAPR3
    authentication.default=secLDAP

    # Choose whether to let the user change the /usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webap


    authentication type. If it isn't shown the ps/BOE/WEB-
    default authentication type from above will be
    used
    INF/config/custom/BIlaunchpad.properties
    authentication.visible=true

    # Set sso.types.and.order to define a comma


    delimited list of SSO types to be enabled and the
    ordering
    # An empty list indicates that the legacy ordering
    is to be used
    # If the list is specified, the legacy options
    will be ignored
    # Valid options: vintela, trustedIIS,
    trustedHeader, trustedParameter, trustedCookie,
    trustedSession, trustedUserPrincipal,
    trustedVintela, trustedX509, sapSSO, siteminder
    # If none are desired specify: none
    sso.types.and.order=trustedVintela

    Copy the file inside directory

    /usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-
    INF/config/custom

    8.6.3 CmcApp.properties

    # You can specify the default Authentication Create


    types file
    here. secEnterprise, secLDAP, secWinAD, secSAPR3
    authentication.default=secLDAP

    # Choose whether to let the user change the /usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webap


    authentication type. If it isn't shown the ps/BOE/WEB-INF/config/custom/CmcApp.properties
    default authentication type from above will be
    used
    authentication.visible=true

    # Set sso.types.and.order to define a comma


    delimited list of SSO types to be enabled and the
    ordering
    # An empty list indicates that the legacy ordering
    is to be used
    # If the list is specified, the legacy options
    will be ignored
    # Valid options: vintela, trustedIIS,
    trustedHeader, trustedParameter, trustedCookie,
    trustedSession, trustedUserPrincipal,
    trustedVintela, trustedX509, sapSSO, siteminder
    # If none are desired specify: none
    sso.types.and.order=trustedVintela

    Copy the file inside directory

    /usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-
    INF/config/custom

    8.6.4 OpenDocument.properties

    # You can specify the default Authentication Create


    types file
    here. secEnterprise, secLDAP, secWinAD, secSAPR3
    authentication.default=secLDAP

    # Choose whether to let the user change the /usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webap


    authentication type. If it isn't shown the ps/BOE/WEB-
    default authentication type from above will be
    used
    INF/config/custom/OpenDocument.properties
    authentication.visible=true

    # Set sso.types.and.order to define a comma


    delimited list of SSO types to be enabled and the
    ordering
    # An empty list indicates that the legacy ordering
    is to be used
    # If the list is specified, the legacy options
    will be ignored
    # Valid options: vintela, trustedIIS,
    trustedHeader, trustedParameter, trustedCookie,
    trustedSession, trustedUserPrincipal,
    trustedVintela, trustedX509, sapSSO, siteminder
    # If none are desired specify: none
    sso.types.and.order=trustedVintela

    Copy the file inside directory

    /usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-
    INF/config/custom

    8.6.5 Setup Vintela


    8.6.5.1 Enable low level tracing

    Add the tracing parameter


    -Djcsi.kerberos.debug=true

    in file
    /usr/sap/BI/sap_bobj/tomcat/bin/bobjenv.sh

    From:
    # set the JAVA_OPTS for tomcat
    JAVA_OPTS="-d$OBJECT_MODEL -
    Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -
    Djava.awt.headless=true -
    Djava.net.preferIPv4Stack=false"
    To:
    # set the JAVA_OPTS for tomcat
    JAVA_OPTS="-d$OBJECT_MODEL -
    Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -
    Djava.awt.headless=true -
    Djava.net.preferIPv4Stack=false -
    Djcsi.kerberos.debug=true"

    You might also like