In this blog I will go through the steps to configure Single Sign on in BOBJ System for BI Launchpad. This blog will be applicable for BOBJ which is running on Windows /Linux.

Process Overview

The following tasks needs to be done to enable Single Sign on in BOBJ:

1. Create an AD service account and SET SPN Values
2. LDAP configuration and map AD groups
3. Setup QUERY_STRING Trusted authentication
4. Setup part of vintela SSO for the application server
5. Setup the client browser and test SSO
6. Limitation
7. SAP Notes

1. Create an AD service account and Set SPN Values

Request Active Directory admin to create a service account (in this blog we will call it as: SAPServiceUser)

At a command prompt set the SPN to the service account.

setspn -s HTTP/myappserver SAPServiceUser
setspn -s HTTP/myappserverhostname.com SAPServiceUser
Validate the SPN is set up correctly using the command.

setspn -L sapserviceuser

2.LDAP configuration and map AD groups

Map an AD group to the LDAP plugin page in the CMC and verify users are imported.

1. Log on to CMC with Administrator rights.
2. Link for CMC - http://myappserverhostname.com:8080/BOE/CMC/
3. Navigate to the CMC | Authentication | LDAP
4. Begin the LDAP Wizard

1. Add the following info then press Next

      Ldap Host and Port

     b. Select Microsoft Active Directory 

     c.Change Default User Search Attribute to sAMAccountName &Change Username to sAMAccountName and press next

     Attribute Change

    d.Enter the credentials of AD user and Password

    You need to enter the AD service user distinguished name and password

     CN=SAPServiceUser,OU=SAP Service Accounts,OU=Batch,DC=<Example>,DC=<com>

      e.Click next select Basic (no SSl)

    f. Click next and select Basic (no SSO)

    g. Select the following entries and press Next

     h. Press finish to complete Wizard

     i. Add the LDAP groups 

3. Setup QUERY_STRING Trusted authentication

3.1 Steps to be done in CMC

• Navigate to CMC > Authentication > Enterprise
• Scroll down to the bottom and check the box for Trusted Authentication is enabled
• Click the button for New Shared Secret
• Click the button for Download Shared Secret (save as TrustedPrincipal.conf file)
• load the TrustedPrincial.conf into the server. (Refer 3.2)
• Click the button Update

3.2 Steps to be done in Server

3.2.1 Steps to be done in Windows Server

• Save the TrustedPrincipal.conf attached to this message, to the following locations on your application server:

INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86

INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64

          TrustedPrincipal.conf location

          TrustedPrincipal.conf location

• Click Update to save the settings in CMC.
• Navigate to Start | Programs | Tomcat | Tomcat Configuration
• Click on the Java tab
• Add the following to the bottom of the Java Options

-Dbobj.trustedauth.home= INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64
-Dbobj.trustedauth.home= INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x86

• Navigate to INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom
• Create a file named global.properties and add the following information: (Warning: Copy/paste may add a space at the end of the following lines that will break TA SSO)

sso.enabled=true
trusted.auth.user.param=user
trusted.auth.user.retrieval=QUERY_STRING                

•  Create a file named FioriBI.properties and add the following information.

sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder

• Wait until Tomcat Server is up
• In a browser navigate to your BI launchpad URL with the bolded parameters added to the end. Eg: http://myappserverhostname.com/BOE/BI?user=ADuser

3.2.2 Steps to be done in Linux Server

• Save the TrustedPrincipal.conf attached to this message, to the following locations on your application server:

Linux: /usr/sap/SID/SBO/sap_bobj/enterprise_xi40/linux_x64 and /usr/sap/SID/SBO/sap_bobj/enterprise_xi40/linux_x86

• Click Update to save the settings.
• Navigate to /usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom
• Create a file named global.properties and add the following information: (Warning: Copy/paste may add a space at the end of the following lines that will break TA SSO)

sso.enabled=true
trusted.auth.user.param=user
trusted.auth.user.retrieval=QUERY_STRING 

• Restart Tomcat
• Navigate to /usr/sap/SID/SBO/sap_bobj /Tomcat/logs/stderr.log and wait until you see INFO: Server startup in ###### ms
• In a browser navigate to your BI launchpad URL with the bolded parameters added to the end. Eg: http://myappserverhostname.com/BOE/BI?user=x_userid

4.Setup part of Vintela SSO for the application server

4.1. Enable low level vintela tracing in Tomcat's Java Options

4.1.1 Enable low level vintela tracing in Tomcat's Java Options in Windows

1. Navigate to Start | Programs | Tomcat | Tomcat Configuration
2. Click on the Java tab
3. Add the following to the bottom of the Java Options We will also be adding the tracing parameter -Djcsi.kerberos.debug=true which can be removed later.

4.1.2 Enable low level vintela tracing in Tomcat's Java Options in Linux

1. Backup and edit the env.sh located in /bo_install_dir/bobje/setup with your preferred text editor (NOTE: path & syntax can vary depending on tomcat version)
2. Make the additions inside the single quotes, on the same line (there may be terminal wrap-around, just assure you are not adding a carriage return (Enter) on this line.
3. We will also be adding the tracing parameter -Djcsi.kerberos.debug=true which can be removed later.

# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false"

To:

# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false -Djcsi.kerberos.debug=true"

4.2 Add trustedvintela line to the FioriBi properties (Windows and Linux)

1. Backup and edit your fioribi.properties file.
2. Ensure the following lines are present:

sso.types.and.order=trustedVintela
authentication.default=secLDAP
authentication.visible=true
logon.authentication.visibleList=secEnterprise,secLDAP,secWinAD,secSAPR3,secOraApps,secPSE1,secpsenterprise,secSiebel7
cms.default=<System Alias>
cms.visible=true
sso.types.and.order=trustedVintela
sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder

NOTE: When sso.types.and.order= is used (above) then the settings in the global.properties for sso.enabled, vintela.enabled, and trusted.auth.user.retrieval are no longer needed below (and have been removed)

4.3 Add Vintela lines to the global.properties file (Windows and Linux)

1. Backup and edit your global.properties file.
2. Navigate to INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom in case of Windows and /usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom in case of linux
3. Following lines are added:

siteminder.enabled=false
sso.enabled=true
vintela.enabled=true
idm.realm=<DOMAIN NAME>.COM
idm.princ=SAPServiceUser
idm.allowS4U=true
idm.password=<Password of SAPServiceUser>
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

4.4 Remove legacy settings in global.properties from testing query_string

1. While you have the global.properties file open remove the line trusted.auth.user.param=user
2. Remove the trusted.auth.user.retrieval=QUERY_STRING (this is all handled by the sso.types.and.order)

Note:

• Copy the contents of your custom folder (<INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\custom\) to <INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\warfiles\webapps\BOE\WEB-INF\config\custom\ in case of Windows
• Copy the contents of your custom folder (/usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom) to /usr/sap/SID/SBO/sap_bobj\warfiles\webapps\BOE\WEB-INF\config\custom\ in case of linux OS

4.5 Increase Tomcat's maxHttpHeaderSize

1. Increase Tomcat's maxHttpHeaderSize
2. For Tomcat servers it is necessary to increase the default HTTP Header size in the server.xml. Kerberos login requests contain, among other things, group information. The more AD groups a user is a member of the larger the http header must be to accommodate the size of the kerberos packet. 16384 is usually large enough but if your mapped users are a member of many groups (50 or more AD groups) you may need to increase this size to 32768, 65536 or more (multiples of 16384).

• NOTE: Make a backup copy of server.xml file prior to editing
• The line should look like this after adding the bold text and single space:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" maxHttpHeaderSize="65536"/>

NOTE: Do not copy/paste. Also, this file is case sensitive.

4.6 Restart Tomcat and check to make sure the Vintela filter has loaded

Check for message “Message sent sucessfully to KDC and credentials obtained” in stderr.log

 [DEBUG] Tue Sep 27 10:31:23 EDT 2011 jcsi.kerberos: Message sent sucessfully to KDC: /10.167.255.113:88
[DEBUG] Tue Sep 27 10:31:23 EDT 2011 jcsi.kerberos: ** credentials obtained .. **

5. Setup the client browser and test SSO

1. Goto Internet Explorer
2. Click menu à  Internet Options à Advanced menu à Enable Windows Integrated Authentication
3. Ensure Internet Options à  Security à Local Intranet à Custom Level à Automatic logon in Intranet zone is selected.
   • If the URL for BI Launch Pad is not a hostname (such as the FQDN or it contains a . then it must be added to the client's local intranet sites)
4. Ensure you are logged onto a workstation with the domain credentials of a user who can manually log into BI Launch Pad and attempt SSO
5. Navigate to http://server:port/BOE/BI and ensure SSO occurs
6. On a separate browser, login to the CMC as the Administrator, click Sessions and note that the AD user's session exists as an Enterprise session

6. Limitation

• Multi forest (or even tree root trusts) in AD are NOT supported due to limitations on the LDAP Plug-In
• Multiple AD domains in the same tree (parent child) are supported on a limited basis see KBA 1245218
• kerbeors SSO to the database is NOT supported for any database as it requires users to login with the AD Plug-In
• SSO via BI client tools is NOT supported either through the tool or web services (web services SSO requires logon via AD Plug-In)

7. SAP Notes

The below notes will be useful for implementing SSO in BI launchpad

1965433 - Setting up AD SSO when CMS is on Unix or Linux in BI4.x ***BEST PRACTICE***

1245218 - How to connect the LDAP plugin to Active Directory

1593628 - Setting up Trusted Authentication for the BOE web applications using the QUERY_STRING method

1549258 - BI 4.x: Authentication drop down option is missing from "BI launch pad" login page

1615492 - How to preserve custom settings for SAP BusinessObjects Tomcat WebApps in Business Intelligence Platform 4.x

2629070 - How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distributed Environments - Best Practices

2041379 - Explaining the sso.types.and.order parameter in BI 4.1 & 4.2

2781286 - How To: Configure Security Token Service (STS) communication on BI 4.2, BI 4.3 and above

3239174 - Quick setup of STS for Cloud (such as HEC) customers

2524775 - Certificates generation using Java Keytool when configuring STS in BI 4.2 SP04 (Patch 4) onwards instead of PKCS12 tool

1653890 - Your security profile does not include permission to create documents. (Error: ERR_WIS_30263) error given in Webi Rich Client

Conclusion

The above steps complete the SSO configuration in BOBJ BI Launchpad. Please refer the below KBA for entire solution

1965433 - Setting up AD SSO when CMS is on Unix or Linux in BI4.x ***BEST PRACTICE*** for entire solution