Vintela SSO with BOE Edge 3.1 - Document

Hi All,
Can anybody help me to find the Document in SAP Notes.
SAP Notes "1328135: How to configure vintela Single Sign-On with BusinessObjects Edge 3.1"
When I searched the 'SAP Notes search' with 1328135 it says 'Document Not release'
Thanks
Ranjit Krishnan.

Unfortunately I think you need to remove Edge and reinstall choosing Tomcat. There are other reasons customers are doing this (SAP integration kit compatibility, to get Query Builder back) and the installer does not allow the adding/removing of Tomcat. If not installed on Tomcat I'm not aware of any steps that have been created to add it manually. Make sure to back up your FRS and CMS DB if you have any system info/reports/folders/etc. to preserve.
EDIT: I've just received an email and apparently Edge SP3 may be out sooner than I expected. Edge 3.1 and SP2 were 7-8 months behind XI 3.1 SP1 and SP2 but I'm reading that SP3 may be out at the end of this month or shortly after. At which point the releases may be synchronized and BOE patches will also work on Edge. I'll wait for Edge SP3 release notes to be certain of this but Good news if it's accurate.
Regards,
Tim

Similar Messages

  • Multiple Forests SSO with BO Edge 3.1

    I have to setup and configure SSO on a 3.1 Edge with multiple forests. The setup looks like this right now.
    BO Servers (call it BOXIServer) are in one forest (call it BODomain.top.local)
    AD users and groups on another forest (call it UsersDomain.bottom.local)
    My plan is to create 2 service accounts. One service account to integrate the AD and start up SIA (Call it ADServiceSSO) and the Second service account to implement the Vintela (call it VintelaServiceSSO) as I used to do it on the single domain setup.
    The questions are:
    1.     Is it possible to get SSO to work with this type of configuration (I think I read somewhere that "When operating with multiple forests, the users must be created on the domain in which the BOE server resides" which is not what I have here!)?
    2.     Should I create the 2 service accounts on the forest where the BO server is (BODomain.top.local), or where the Users and groups are (UsersDomain.bottom.local)?
    3.     How would I formulate the setspn and ktpass commands on this type of configuration?
    Would it be true that I can create the 2 service accounts on the BO Servers forest (BODomain.top.local) and the commands would look like this:
    setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO
    Ktpass.exe -princ HTTP/BOXIServer.BODomain.top.local@BODomain.top.local -mapuser VintelaServiceSSO@BOXIServer.BODomain.top.local
    Or I can create the 2 service accounts on the users and groups forest (UsersDomain.bottom.local) and the commands would look like this:
    setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO@UsersDomain.bottom.local
    Ktpass.exe -princ HTTP/BOXIServer.BODomain.top.local@BODomain.top.local -mapuser VintelaServiceSSO@UsersDomain.bottom.local
    Thank for your help
    Aws

    MF requires a 2-way transitive trust, so with this enabled there is no need to span forests with service accounts. 1 account in the same forest as the BO server is fine and straightforward to configure, although you are free to add more as you like.
    Everything else is dependent on the 2-way trust, as DNS will have certain records for each other forest that will allow the CMS to query remote forest users and MF users to access the CMS resources. Which is what we want.
    The rule on groups is to put MF users in groups from their own forest and then map into BO; adding all users from multiple forests into a single forest group may not work properly in our internal tests.
    The last piece seems to be a Microsoft limitation, but when accessing an SSO URL from a remote forest the FQDN must be used for SPN recognition. When the host name or IP is used the request for SPN is sent to the wrong forest and SSO fails.
    Regards,
    Tim

  • SSO with Logon Ticket to non-SAP Unix based application

    Hi all,
    Has anyone implemented SSO with Logon Tickets to a Unix box?
    We need to achieve Single Sign-On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
    We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on the Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
    From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct?) and want to implement custom code using SAP libraries, if possible using Java.
    -> Are there any Java libraries that are available to both:
    . verify the logon ticket with the deployed Portal public key
    . decrypt/extract the authenticated username from this ticket?
    I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
    Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0?
    I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000! Does anyone have more information about this?
    Any hint is very much appreciated.
    Thanks a lot
    Olivier

    Check these links for reference regarding AIX and Apache using X.509 certificates:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
    And just using cookies -
    http://forums.devshed.com/archive/t-105611 (perl based)
    You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
    The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
    Nick

  • SSO with ITS & Webenabling WEBGui

    Hello,
    We have configured SSO with R/3 system. It works fine.
    The requirement is, we have to web-enable the R/3 system through SAP GUI for Windows and SAP GUI for HTML.
    We are able to do both in the development environment, where both R/3 and the portal have the same host names.
    But in the QA environment, we are able to web-enable R/3 with SAP GUI for Windows and the SSO also works fine. But when we try to use SAP GUI for HTML, it asks for the username and password again. Here the portal and R/3 have different host names.
    Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why it is not working?
    Regards,
    Rukmani

    Hi all,
    it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
    My suggestion is: do not skip even simple steps; sometimes the problem appears there.
    Regards,
    Pavol

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • BO XI 3.1 OpenDocument direct SSO with secWinAD in web.config

    Hi, fellows,
    The need has emerged to provide users with direct links to InfoView documents using the OpenDocument URL syntax and perform primary authentication of request automatically without showing the InfoView welcome screen. We have BO XI 3.1 ASP.NET application installed on Windows 2008 Server's IIS 7 with Kerberos already configured.
    Usually, the OpenDocument links work nicely but only after the user has visited the /InfoViewApp page. The OpenDocument virtual directory by default has only the anonymous authentication enabled.
    I've skimmed and searched for the keywords included in the topic subject in Google, help.sap.com and specifically in the BO Enterprise Admin Guide and the paper by Miles Escow on configuring XI 3.1 InfoView with Active Directory using Kerberos.
    Unfortunately, the sources I've already encountered do not provide sufficient details on configuring the OpenDocument section of the Web application.
    To solve the problem I disabled anonymous access to OpenDocument directory and enabled ASP.NET impersonation and Windows authentication (this would force IIS to attempt authenticating the user originating the request before serving the page) and mirrored the authentication.default and cookie-related settings ("opendoc.authentication.default" value="secWinAD") to the OpenDocument/web.config from InfoViewApp/web.config and turned the "opendoc.sso.enabled" to "true" (this is crucial, otherwise you will still receive the logon screen for primary authentication in BO although already authenticated by IIS).
    Hope this helps others.

    Hi Aleley
    To solve the problem I disabled anonymous access to OpenDocument directory and enabled ASP.NET impersonation and Windows authentication (this would force IIS to attempt authenticating the user originating the request before serving the page) and mirrored the authentication.default and cookie-related settings ("opendoc.authentication.default" value="secWinAD") to the OpenDocument/web.config from InfoViewApp/web.config and turned the "opendoc.sso.enabled" to "true" (this is crucial, otherwise you will still receive the logon screen for primary authentication in BO although already authenticated by IIS)
    Can you please tell how I can achieve this in a Tomcat environment?
    Thanks

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After the user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install the Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6.     Reload the OracleAS console:
    ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh
         -oracle_home_path $ORACLE_HOME
         -config_mod_osso TRUE
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You also can use ocactl unlinksso to unlink the OCA to SSO.

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permisission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • Error while configuring Vintella SSO

    Hi,
    I'm trying to implement SSO with Vintela in BO XI3.1 SP3
    AD Authentication is working correctly.
    I'm getting the following error after configuring Vintela, the error shows when trying to login:
    "HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER" but not key type (23) + KVNO (143) in this entry: Principal: HTTP/SERVER Type: 1 TimeStamp: Wed Dec 31 18:00:00 CST 1969 KVNO: -1 Key: 3, ad c1 7f df e3 61 9e 9e )"
    I have also tried to use :
    -Dcom.wedgetail.idm.sso.password=Password in the Java configuration, (commenting the keytab entry on Web.xml) but when I comment the idm.keytab in the web.xml, I can't even reach the Infoview login page, It shows a 404 error
    Any help will be appreciated
    Thanks,
    Akhil

    Hi Michelle
    I have changed the Client in Java from 000 to 001. I have added the certificate to ACL in 001 in my ABAP system. After doing that, I am getting the following error message.
    N  Comparing certificates ...N  *** ERROR => ASN.1 blob lengths are not identical. 575 769. [ssoxxkrn.c   2074]
    Leaving VerifyOwnSystemInfo...
    N  HMskiVerifyOwnSystemInfo failed with rc=19.
    N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1067]
    N  dy_signi_ext: issuer not trusted
    M  *** ERROR => SosIAnchorArrayCreatable: T42/M0 in state cancel [thxxtool2.c  947]
    My TWPSSO2ACL Entries Client 001.
    ============================
    MANDT WPS_SYSID WPS_MANDT
    001                 BWD       001
    The Production client in ABAP is 100 and not 001. When I have changed the Client to 100 in Java, then also I am getting the error message mentioned in my main question.
    So I am confused as to where I can make the changes in the system. Please advise!!!!!!!!!!

  • Weblogic SSO with AD - My Try - What's wrong?

    Dear All
    I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
    I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
    I'm wondering what is wrong with my configuration. I can only log on to the Administration Console using WebLogic's local users, and even when entering a username (one created on AD) and password, AD authentication does not work.
    Does anyone have similar experience or any clue?
    Appreciated
    TIA
    Cheers
    Here is the setup:
    The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
    The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
    These are the steps I came through based on documentation I could find on the net:
    h1. 0. Configuring Your Network Domain to Use Kerberos
    In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
    /etc/krb5.conf
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 28800
    forwardable = yes
    [realms]
    EXAMPLE.COM = {
    kdc = 192.168.1.193:88
    admin_server = dc
    default_domain = EXAMPLE.COM
    }
    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    pkinit = {
    allow_pkinit = false
    }
    h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not ticked)
    weblogic (for weblogic service) (with password = "password1")
    weblogicusr (the user which should access Weblogic Administration Console) ("password2")
    * Note that group membership of these two users are left default.(Domain Users)
    h1. 2. For the "weblogic" & "weblogicusr" users set these Account Options:
    - Use DES encryption types for this account (ticked)
    - Do not require Kerberos preauthentication (cleared)
    * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
    h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
    - >setspn -a host/weblogic.example.com weblogic
    - >setspn -a HTTP/weblogic.example.com weblogic
    here is the result
    C:\Documents and Settings\Administrator.DC>setspn -L weblogic
    Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
    HTTP/weblogic
    host/weblogic
    HTTP/weblogic.example.com
    host/weblogic.example.com
    and
    - >setspn -a HTTP/weblogic.example.com weblogicusr
    and the result
    C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
    Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
    HTTP/weblogicsrv.example.com
    HTTP/weblogicsrv
    h1. 4. Create the keytab file for Weblogic Server:
    On AD machine issue:
    (ktpass from MS Windows Support Tools)
    >ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
    >ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
    (ktab from JRE 6)
    >ktab -k c:\temp\weblogic.keytab -a [email protected]
    Password for [email protected]:*password1*
    Done!
    Service key for [email protected] is saved in c:\temp\weblogic.keytab
    ** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+; however the keytab I created using ktab ("weblogic.keytab") works fine in this case, so I decided to merge all three of them into one keytab.
    >\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
    >kinit(v5): Key table entry not found while getting initial credentials
    h1. 5. Port and Merge keytabs
    Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
    and merged into one keytab:
    ktutil: "rkt weblogic.host.keytab"
    ktutil: "rkt weblogic.HTTP.keytab"
    ktutil: "rkt weblogic.keytab"
    ktutil: "wkt weblogic-keytab"
    ktutil: "q"
    * then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
    >/root/bea/user_projects/domains/base_domain/kerberos
    h2. 5.1 Test the keytab and kerberos configuration
    >\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
    >\[root@weblogic keytabs\]# klist
    >Ticket cache: FILE:/tmp/krb5cc_0
    >Default principal: [email protected]
    >
    >Valid starting Expires Service principal
    >09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
    >
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    h1. 6. Creating a JAAS Login File
    Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
    krb5Login.conf
    com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]" useKeyTab=true
    keyTab=/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab storeKey=true;
    };
    com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]" useKeyTab=true
    keyTab=/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab storeKey=true;
    };
    h1. 7. Modify startup options
    add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
    h2. 7.1 Kerberos
    -Djava.security.krb5.realm=EXAMPLE.COM
    -Djava.security.krb5.kdc=dc.example.com
    -Djava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dweblogic.security.enableNegotiate=true
    h2. 7.2 Debug
    -DDebugSecurityAdjudicator=true
    -Dweblogic.debug.DebugSecurityAtn=true
    -Dsun.security.krb5.debug=true
    -Dweblogic.StdoutDebugEnabled=true
    -Dweblogic.log.StdoutSeverity=Debug
    h1. 8. Configuring the Identity Assertion Provider
    In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
    Again in the Administration Console I did this to the example.com Security Realm:
    h2. 8.1 -> Providers: Add 3 Providers
    Negotiate - WebLogic Negotiate Identity Assertion provider - 1.0
    DIA - WebLogic Identity Assertion provider - 1.0
    AD - Provider that performs LDAP authentication - 1.0 (Active Directory provider)
    Default - WebLogic Authentication Provider - 1.0
    h2. 8.2 -> Change the default parameters
    h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
    -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
    -> Form Based Negotiation Enabled: Removed the tick
    h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
    h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
    -> Control Flag: *SUFFICIENT*
    -> User Name Attribute: *sAMAccountName*
    -> Principal: *HTTP/[email protected]*
    -> Host: *192.168.1.193*
    -> User Base DN: *CN=Users,DC=example,dc=com*
    -> Propagate Cause For Login Exception: *ticked*
    -> Group Base DN: *CN=Users,DC=example,dc=com*
    -> Credential: *password1*
    * others left with their default values.
    h1. 9. Configuring an Internet Explorer Browser
    On Windows XP machine (winclient.example.com):
    h2. 9.1 Configure Local Intranet Domains
    - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
    > "Include all sites that bypass the proxy server" *ticked*
    > "Include all local (intranet) sites not listed in other zones" *ticked*
    - then in -> Advanced Dialog Box added this:
    > weblogic.example.com
    h2. 9.2 Configure Intranet Authentication
    - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custom Level:
    > In the Security Settings dialog box -> the User Authentication section.
    > "Automatic logon only in Intranet zone" *ticked*
    h2. 9.3 The Proxy Settings
    No proxies are enabled
    h2. 9.4 Enable Integrated Windows Authentication
    - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
    > "Enable Integrated Windows Authentication" *ticked* by default
    Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM
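A keytab inspector for the two keytab problems in this thread: the Vintela error above ("Successfully matched service principal ... but not key type (23) + KVNO (143)") and the merged weblogic-keytab from step 5 of this post. It is an added example, not code from either post nor from Vintela or WebLogic; it parses the MIT 0x0502 keytab layout that ktpass, ktab and ktutil write. The principal names and the 8-byte DES key in the sample keytab are constructed for the example.

```python
import struct

# Kerberos enctype numbers as they appear in keytabs and in the acceptor's error text.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples in the MIT 0x0502 keytab layout.
    Used here only to construct sample input; ktpass, ktab and ktutil write the same layout."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                       # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, enctype, kvno, key} dicts for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size

        def counted_string():
            nonlocal pos
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            value = data[pos:pos + length].decode("utf-8")
            pos += length
            return value

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        kvno = vno8
        if end - pos >= 4:          # MIT appends a 32-bit vno; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_service_key(entries, principal, enctype, kvno):
    """Reproduce the acceptor's lookup: match the principal, then require the same
    enctype and kvno. Returns (status, detail); status is OK, NO_PRINCIPAL or KEY_MISMATCH."""
    candidates = [e for e in entries if e["principal"] == principal]
    if not candidates:
        return ("NO_PRINCIPAL", "no keytab entry for " + principal)
    for e in candidates:
        if e["enctype"] == enctype and e["kvno"] == kvno:
            return ("OK", f"{principal}: {ENCTYPE_NAMES.get(enctype, enctype)} kvno {kvno} present")
    have = ", ".join(f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} kvno {e['kvno']}"
                     for e in candidates)
    return ("KEY_MISMATCH", f"matched {principal} but not {ENCTYPE_NAMES.get(enctype, enctype)} "
                            f"kvno {kvno}; keytab holds: {have}")


# Constructed sample (assumed principal names, made-up DES key): the account was exported
# with a DES key at kvno 1, while the ticket the browser presents was issued under
# rc4-hmac (23) at kvno 143, as happens when the password is reset after the keytab export.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/weblogic.example.com@EXAMPLE.COM", 1, 1, bytes.fromhex("0123456789abcdef")),
    ("host/weblogic.example.com@EXAMPLE.COM", 1, 1, bytes.fromhex("0123456789abcdef")),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), "kvno", e["kvno"])
    print(check_service_key(found, "HTTP/weblogic.example.com@EXAMPLE.COM", 23, 143))
```

Running it against a real keytab (replace SAMPLE_KEYTAB with the file's bytes) shows at a glance which principal, enctype and kvno combinations the service actually holds, which is the comparison the error message is making.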

    I found something in Logfile:
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local connection is false>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>
    <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
    According to this post: Re: WL10.3 and SSO and Active Directory
    a correct ldap connection should look like this:
    <LDAP Atn Login username: Administrator>
    <userExists? user:Administrator>
    <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
    <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
    <connection succeeded>
    *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
    <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>*
    Moreover, I turned on AD's debug logging and this is what happens when I try to log in with an AD user: Why "Anonymous Logon"?!
    Event Type:     Information
    Event Source:     NTDS LDAP
    Event Category:     LDAP Interface
    Event ID:     1535
    Date:          9/4/2009
    Time:          6:47:07 PM
    User:          NT AUTHORITY\*ANONYMOUS LOGON*
    Computer:     DC
    Description:
    Internal event: The LDAP server returned an error.
    Additional Data
    Error value:
    80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
    Any help would be greatly appreciated
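The diagnostic string quoted in both the WebLogic debug log and the Event 1535 entry above ("80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 525, vece") carries a hex "data" subcode that states why Active Directory rejected the bind. The decoder below is an added example for this thread, not code from the poster, WebLogic or SAP; it pulls that string out of log lines and maps the subcode to its documented meaning (525 user not found, 52e wrong password, 775 locked out, and so on). The sample log is constructed: its second entry reproduces the diagnostic quoted above, the other failure lines are invented to show different subcodes.

```python
import re

# Bind-failure subcodes Active Directory appends after
# "AcceptSecurityContext error, data NNN" (documented by Microsoft).
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind identity (DN or UPN) does not resolve to an account",
    "52e": "invalid credentials: account exists, password rejected",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic that AD attaches to LDAP result code 49 (invalidCredentials).
_AD_DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(text):
    """Decode one AD bind diagnostic found in text; return None if there is none."""
    m = _AD_DIAG.search(text)
    if m is None:
        return None
    info = m.groupdict()
    info["data"] = info["data"].lower()
    info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "undocumented subcode")
    # AD reports every one of these bind failures as LDAP resultCode 49;
    # only the "data" subcode distinguishes them.
    info["ldap_result"] = 49
    return info


def triage(lines):
    """Return [(line_number, decoded)] for every line carrying a bind diagnostic."""
    found = []
    for number, line in enumerate(lines, start=1):
        decoded = parse_ad_bind_error(line)
        if decoded is not None:
            found.append((number, decoded))
    return found


# Constructed sample log. Entry 2 reproduces the diagnostic quoted in the
# thread; entries 3 and 4 are invented to exercise other subcodes.
SAMPLE_LOG = [
    "<Debug> <SecurityAtn> <LDAP Atn Login username: weblogicusr>",
    "<Debug> <SecurityAtn> <connection failed netscape.ldap.LDAPException: error result (49); "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>",
    "<Debug> <SecurityAtn> <connection failed netscape.ldap.LDAPException: error result (49); "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece>",
    "<Debug> <SecurityAtn> <connection failed netscape.ldap.LDAPException: error result (49); "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece>",
    "<Debug> <SecurityAtn> <connection succeeded>",
]

if __name__ == "__main__":
    for number, decoded in triage(SAMPLE_LOG):
        print(f"line {number}: data {decoded['data']} -> {decoded['meaning']}")
```

Reading the subcode first saves a lot of guessing: 525 means the account named in the provider's bind identity did not resolve at all, so the password was never evaluated, whereas 52e means the account resolved and the password was wrong. A bind that fails before an identity is established is also why the matching directory event is logged under NT AUTHORITY\ANONYMOUS LOGON rather than under the intended service account.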

  • Bursting with BO EDGE ?

    How can we do bursting with BO EDGE? 
    I have a Crystal Report (2008) which extracts data from SAP through the SAP integration kit. I also have BO EDGE 3.0 and I would like to publish this report to many sales reps with their own data. Then, I know that BO Enterprise has a publication feature that allows that, but I cannot see it in EDGE. Could you explain step by step how to do bursting with Edge 3.0 and Crystal Reports 2008?
    thanks in advance.

    In the document "Crystal Reports 2008 User's Guide" I can read;
    "Advanced report publishing
    Also known as report bursting, this new advanced-publishing feature is a
    platform for the mass distribution of personalized content. Multiple reports
    can be created based on different data sources, combined into one desired
    file format (for example, PDF), loaded with personalized content, and then
    sent to a dynamic list of recipients, all in one action. The content can be
    archived, printed, or emailed in separate actions, or simultaneously. This
    feature makes scheduling much faster and easier, and provides the ability
    to conduct cost effective one-on-one marketing campaigns and other
    personalized high-volume reporting.
    Note: This feature is available only with a BusinessObjects Enterprise
    Release 3 server environment.
    Then, I repeat my question because we don't have BO Enterprise:  Can we do Bursting with BO Edge Series 3.0 or 3.1?
    I'm asking because even though there's a note, sometimes it's confusing between Enterprise and Edge.

  • Integration of SSO with Third Party Application

    Hello Colleagues,
    I have requirement where I have to integrate SSO with a third party application.
    After some R & D I found out that there is a class "SSO2Ticket.java" which can do that or help in verifying the ticket.
    Since I am new to this area, I am not sure how do I go ahead with the execution of this java file.
    Can somebody help me with this.
    Also, are there any documents which talk about SSO integration or about the above mentioned Java file?
    Best regards,
    Arvind

    Which type of 3rd party application is this, and which SSO authentication methods does it support?
    If you can find a common one, then that will be good for you.
    Specifically for non-SAP systems re-using the SAP LogonTickets, I know that you can extract the user name from the ticket. I think SAP even provides some verification tools here for external applications to verify the ticket?
    Currently there is much excitement about SAML 2.0 which is also worth taking a look into as well.
    Cheers,
    Julius

  • How to Back Up BOE Edge XI 3.1 Step by Step?

    Good day all,
    Could you please guide me on how to back up BOE Edge XI 3.1 with standard configurations and using MySQL?
    I am looking for a Tool or SW that best works for this...
    Thanks.
    Edited by: klon2001cr on Oct 10, 2011 3:46 PM

    Hi,
    No problems,  but with all due respect - those are the official documentation!  You can trust this content - it's published by us @SAP
    If you're new to BO server admin, those .pdf Admin guides are your 'reference texts' and will become indispensable.
    Also, please search the SDN for articles, as Denis mentioned in the other thread. For example: http://wiki.sdn.sap.com/wiki/display/BOBJ/UpgradetoSp2-Testingandbackup+strategy
    if you are new to this I would advise caution. Those step by steps (I previously referenced) are absolutely accurate. If you cannot make sense of these, then you may need to work collaboratively with colleagues using the 4-eye principle.
    ... which is sort of like a human backup strategy
    Regards,
    H

  • Getting Error in SSO with OWA scenario.

    Hi All,
    I am trying the SSO with OWA with EP 6.0 SP13. I am referring to the document "Integration Of OutLook Web Access into SAP Enterprise Portal".
    I am getting following error:
    Portal Runtime Error
    An exception occurred while processing a request for :
    iView : N/A
    Component Name : N/A
    Unknown Logon Method 'null' for system 'SSO_OWA'.
    See the details for the exception ID in the log file.
    I do not find any option which allows me to specify the Login Method While creating a system, in SP13.
    What should I do to get the successful implementation?
    Thanks in Advance.
    Pradnya

    Hi Pradnya
    There are three methods for creating a new system
    <b>1. Use the XML profile in a deployed PARfile</b>
    The new system inherits all the global properties defined in the PAR file component. It inherits property names, meta attributes and any default property values.
    <b>2. Use an existing template.</b>
    If the template was created directly from the PAR file, the new system is identical to the one generated by the first method. If the template has undergone changes, the system inherits the changes made to the property attributes in the template.
    <b>3. Copy an existing system</b>
    The procedure you use to create a system is not application-sensitive.
    You run the same wizard for creating the system for any of the applications to which the portal provides connectors, or for which you have created and deployed a PAR file. The differences reside in the XML profiles, whose properties are determined by the application being defined, as each application has some unique connectivity requirements.
    For further details, please go through the following link.
    http://help.sap.com/saphelp_erp2004/helpdata/en/ec/0fe43d19734b5ae10000000a11405a/content.htm
    Hope that was helpful.
    Warm Regards
    Priya
    P.S: Please consider rewarding points if your problem is solved.

  • SSO with Custom LDAP

    This is the landscape :-
    Web Application / Portal at Oracle Web Center Suite (WCS).
    SAP BO 4.0
    Authentication using Custom LDAP & SSO with Trusted Authentication.
    Used OpenLDAP for authentication via RadiantOne VDS as the proxy.
    Activities :
    Authenticate the BO users with OpenLDAP via RadiantOne.
    Synchronize the BO user group from OpenLDAP via RadiantOne.
    Used openDocument.jsp to open WEBI reports.
    Problems :
    We configure the LDAP as Custom. Attributes mapping as default.
    When BOE tries to connect to the RadiantOne VDS and create user "user01", which already exists in the OpenLDAP server, it throws the exception:
    "An internal error has occurred in the secLdap plugin."
    When trying to create a user that does not exist in LDAP, it throws the exception:
    "The secLdap plugin failed to get the dn for the user notuser."
    Please advise us how to resolve this internal error if we want to do SSO with custom LDAP!!
    Thanks & regards,
    Herries E

    Hi,
    Herrie, Roland is correct, OpenLDAP is not supported and you can run into problems if you want to escalate issues in the future. The customer must take that into account.
    However, LDAP is pretty standard and usually you just need to make sure that the attribute mappings is correct.
    Are users correctly created when you map an LDAP group?
    Are you able to manually authenticate using LDAP? You can use the CMC page and select authentication LDAP
    When you have confirmed that LDAP manual authentication is working, you can set up Trusted Authentication. Check first that the system is working just using QUERY_STRING:
    https://service.sap.com/sap/support/notes/1593628
    When trusted auth is confirmed to work, you can configure the parameters that Radiant uses to pass the user: cookies, web session, etc.
    Regards,
    Julian

  • Fall back system when multiple SAP systems trying to achieve SSO with BOE XI

    Friends,
    I need a small clarification on ' SSO between BOE XI 3.1 and SAP BI 7' Scenario,
    Say when multiple users log on through their SAP EP Portals or NetWeaver Portals, they use their tokens generated by their respective EP portals, which are passed through the 'Web application server' hosting the BOE environment.
    1) When it's a single EP portal, we can have a fall back system when we register its logical name in the CMC of the BOE environment, a typical SNC. But what's the fall back system for multiple SAP systems?
    2) Also, are there any pitfalls via the token method when more than one SAP system is communicating with BOE?
    3) Do we have any documentation for this?
    Thanks ,
    Sivakanth.

    Hi Sivakanth,
    the normal scenario for SSO is the following:
    When you said ''back end system', I did not get it.
    Enterprise Portal (iView) -------> BOE -------> SAP BI <- This is your backend system
    Well, could I define more than one logical name there in the SNC tab of the CMC?
    I assume you have the following situation:
    (EP1, EP2, EP3) -------> BOE -------> (SAP BI 1, SAP BI 2, SAP BI n)
    You can define more than one entitlement systems in the BOE CMC and also configure for each one of them for SNC. Please note that we are talking about server trust and NOT client trust here. It is all about letting your sap system and the boe system trust each other. If you have your portal with client SNC configured (ie. the user logs using a certificate and an SAP logon ticket is created) it is NOT necessary to configure SNC in the CMC (Please refer to the section "Configuring SAP Server-Side Trust" in the installation guide for the integration kit for SAP) side.
    Back to the SSO scenario now: When a user connects from an enterprise portal on the BOE system the logon ticket, generated from the portal, is forwarded to the back-end system, which is defined in the portal iView the user is currently navigating through. If it is a Crystal Enterprise iView then you just have to select the appropriate system alias of your back-end system in the System drop down menu when creating the iView. For URL iViews you must utilize the relevant openDocument parameters. If you do not define anything at all when creating the iView then BOE tries to authenticate the logon ticket against the SAP BI system you selected to be the default one in the "Authentication->SAP->Options" tab of the CMC.
    If what you want is just to distribute the load between your SAP back-end systems then you should consider utilizing an SAP cluster for your purposes. As explained before BOE will not distribute the requests evenly on the back-end systems. It will try to contact either the system defined in the request (iView) or the default system. To be honest I am not sure what happens if the explicitly defined system is not available but I think that an error message is what you should expect then. I do not think that in this case the BOE system tries to use the system defined as default.
    Another part is what kind of security is defined in BEx queries... as I read from the SAP IK guide, we can import all the roles which are defined at ABAP level.
    Will there be any security threats to SAP data via this method?
    It is true that you can import all roles in your BOE system. But keep the following four things in mind:
    1) You can restrict on the BOE side the users which are authorized to logon in the CMC and import the roles (normally only the BOE administrator is authorized to do this)
    2) Importing a role means that an SAP user can try to logon to the BOE. Still the logon process can only be successful if the SAP user has special authorization on the SAP side (Please check the Appendix "Authorizations" in the installation guide of the integration Kit for SAP).
    3) You can restrict the access to data by assigning authorizations only for specific infoareas/infoproviders. In order to partially restrict data access in a given infoprovider (e.g infocube or multiprovider) you can utilize authorization variables in your BW query.
    4) You can further restrict access on specific reports either on the BOE side or on the portal side (by restricting access to the defined iViews).
    For sure you must invest some time to define and implement your security concept.
    Moreover, could you please answer the other 2 questions in my original question?
    2) Also, are there any pitfalls via the token method when more than one SAP system is communicating with BOE?
    3) Do we have any documentation for this?
    2) As long as your portals, the back-end systems and your BOE system are configured correctly for SSO this should not be a problem. Well just a tip based on my experience: be sure to use full qualified domain names for your systems in the iView definitions. And do not forget SSO works only if all systems are in the same domain.
    3) As said in my previous posting the NetWeaver documentation regarding SSO setup may be interesting for you. As far as I know the multiple systems scenario is not contained explicitly in any official BOBJ documentation. I assume that you already went through the installation guide for the integration kit for SAP.
    Please tell me if you have a completely different scenario in mind
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on Mar 22, 2009 12:27 AM

Maybe you are looking for