- The following exercise describes the setup of server-side trust between WebIntelligence processes and SAP BW. Server-side trust is required for Windows AD (or LDAP, or Windows NT)/SAP user mapping and SSO to SAP BW.
- The exercise uses SAP Crypto as an example. The setup will differ for other SNC software (certified with SAP), and the reader would need to refer to the vendor-specific documentation.
- Please read the "Configuring BusinessObjects Enterprise for server-side trust" chapter (page 101) of the Integration for SAP Solutions Install and Admin guide for more information.
- The SAP Cryptographic Library and PSE maintenance tool have been downloaded and expanded on the host on which Business Objects Enterprise XI3.1 (FP1.8 or SP2) processing servers run.
- The appropriate SAP systems have been configured to use SAP Cryptographic Library as the SNC provider. (For more information, see Configuring SAP server-side trust with SAP crypto library)
- SAP GUI 710 and DLLs from sapjco-ntintel-2.1.8_32bit_windows.zip are used
- The BOE XI3.1 CMS server process is running under a domain user account.
- The user performing the steps below is logged in to the OS/machine with an account that has administrator privileges.
3. Environment setup
- Copy the SAP Cryptographic Library (including the PSE maintenance tool) to a folder on the machine running Business Objects Enterprise XI3.1. (For example: C:\Program Files\SAP\Crypto)
- Add the folder to the PATH environment variable.
- Add a system-wide environment variable SNC_LIB that points to the Cryptographic Library. (For example: C:\Program Files\SAP\Crypto\sapcrypto.dll)
- Create a subfolder named sec. (For example: C:\Program Files\SAP\Crypto\sec)
- Add a system-wide environment variable SECUDIR that points to the sec folder.
- Copy the ticket file from the SAP Cryptographic Library into the sec folder.
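As an added example (not part of the original guide), the following PowerShell script performs the steps of this section system-wide and checks the result. The folder paths are the guide's examples; the name of the ticket file ("ticket") is an assumption.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell prompt.
$CryptoDir = 'C:\Program Files\SAP\Crypto'             # sapcrypto.dll and sapgenpse.exe live here
$SecDir    = Join-Path $CryptoDir 'sec'
$SncLib    = Join-Path $CryptoDir 'sapcrypto.dll'
$Ticket    = Join-Path $CryptoDir 'ticket'             # file name assumed; check your download

# 'Machine' scope is the system-wide variable; a 'User' scope value would not be
# seen by server processes running under a different account.
function Set-MachineEnv([string]$Name, [string]$Value) {
    [Environment]::SetEnvironmentVariable($Name, $Value, 'Machine')
}

New-Item -ItemType Directory -Path $SecDir -Force | Out-Null
Copy-Item -Path $Ticket -Destination $SecDir -Force

# Append the crypto folder to the machine PATH only if it is not already there.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $CryptoDir) {
    Set-MachineEnv 'Path' ($machinePath.TrimEnd(';') + ';' + $CryptoDir)
}
Set-MachineEnv 'SNC_LIB' $SncLib
Set-MachineEnv 'SECUDIR' $SecDir

# Verification: each path the SNC layer depends on exists and each variable is
# readable back at Machine scope.
$checks = [ordered]@{
    'sapcrypto.dll present'  = Test-Path -LiteralPath $SncLib
    'sapgenpse.exe present'  = Test-Path -LiteralPath (Join-Path $CryptoDir 'sapgenpse.exe')
    'sec folder present'     = Test-Path -LiteralPath $SecDir
    'ticket copied into sec' = Test-Path -LiteralPath (Join-Path $SecDir (Split-Path $Ticket -Leaf))
    'SNC_LIB (Machine)'      = [Environment]::GetEnvironmentVariable('SNC_LIB', 'Machine') -eq $SncLib
    'SECUDIR (Machine)'      = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine') -eq $SecDir
    'crypto dir on PATH'     = (([Environment]::GetEnvironmentVariable('Path', 'Machine')) -split ';') -contains $CryptoDir
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-24} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'MISSING' })
}
# Services (the SIAs) only pick up Machine-scope variables when they are restarted.
```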
4. Generate PSE (Personal Security Environment)
- SAP accepts a Business Objects Enterprise server as a trusted entity when the relevant Business Objects Enterprise servers have a PSE and the PSE is associated with SAP. This "trust" between SAP and Business Objects Enterprise components is established by sharing the public version of each other's certificates.
- Open a command prompt and run "sapgenpse.exe gen_pse -v -p BOE31.pse" from within the Cryptographic Library folder.
- Choose a PIN and the DN you want for your BusinessObjects Enterprise system. For example, CN=papgvmwin011, OU=PG, O=BOBJ, C=CA. You now have a default PSE, with its own certificate. (The DN should follow the LDAP naming convention. In this example the host name of the machine where BOE is running is papgvmwin011.)
- Use the following command to export the certificate in the PSE: sapgenpse.exe export_own_cert -v -p BOE31.pse -o papgvmwin011.crt
- Open SAP GUI, go to transaction STRUST and open the SNC PSE. You will be prompted for the password you have already assigned.
- Import the papgvmwin011.crt file created earlier. The certificates from SAPGENPSE are Base64-encoded, so make sure you select Base64 when importing them:
- To add the Business Objects Enterprise certificate to the SAP server's PSE certificate list, click the "Add to Certificate List" button.
- Save your changes in STRUST.
- Click on the server certificate.
- Click the Export button to export the server certificate and provide a file name for it. In this example, SAPcert.crt. The file has been exported to the same folder, C:\Program Files\SAP\Crypto, from which papgvmwin011.crt was imported. (Note: the format should remain Base64.)
- In SAP GUI go to transaction SNC0.
- Add a new entry, where:
- The System ID is arbitrary but reflects your Business Objects Enterprise system.
- The SNC name is the DN (prefixed by p:) that you provided when you created your Business Objects Enterprise XI3.1 PSE (in step 3).
- The "Entry for RFC activated", "Entry for ext. ID activated" and "Entry for CPIC activated" checkboxes are selected (CPIC is optional and can be skipped):
- To add the exported SAP server certificate to the BusinessObjects Enterprise PSE, run the following command on the command prompt:
sapgenpse.exe maintain_pk -v -a SAPcert.crt -p BOE31.pse
- To add SSO credentials to the PSE file for the user that the WebIntelligence server processes run under, run the following command (in this case the user is the Windows local user account "xisnc"):
sapgenpse.exe seclogin -p BOE31.pse -O xisnc
- To verify that the single sign-on (SSO) link is established, list the contents of the PSE using the following command:
sapgenpse.exe maintain_pk -l
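As an added example (not part of the original guide), the following PowerShell script runs the BOE-side sapgenpse commands of this section in two halves, with the STRUST/SNC0 work done by hand in between, and checks that the exported certificates are Base64 (PEM) as the guide requires. sapgenpse prompts for the PIN interactively; passing the DN on the gen_pse command line is assumed to be supported by your sapgenpse version (otherwise enter it at the prompt).

```powershell
# Added example, not from the original guide. Run from the Cryptographic Library folder.
$CryptoDir = 'C:\Program Files\SAP\Crypto'
$Pse       = 'BOE31.pse'
$BoeHost   = 'papgvmwin011'
$Dn        = "CN=$BoeHost, OU=PG, O=BOBJ, C=CA"   # DN from the guide's example
$BoeCert   = "$BoeHost.crt"                        # BOE certificate exported from the PSE
$SapCert   = 'SAPcert.crt'                         # SAP server certificate exported from STRUST
$SncUser   = 'xisnc'                               # account the WebIntelligence servers run under

Set-Location -LiteralPath $CryptoDir
$env:SECUDIR = Join-Path $CryptoDir 'sec'          # where sapgenpse keeps the PSE and cred_v2

function Assert-Base64Cert([string]$Path) {
    # STRUST imports/exports must stay Base64 (PEM); a DER file has no such header line.
    if (-not (Test-Path -LiteralPath $Path)) { throw "$Path not found" }
    $firstLine = Get-Content -LiteralPath $Path -TotalCount 1
    if ($firstLine -notmatch '^-----BEGIN CERTIFICATE-----') {
        throw "$Path is not Base64/PEM encoded (first line: '$firstLine')"
    }
}

function Initialize-BoePse {
    # Part 1: create the PSE (sapgenpse prompts for the PIN) and export its public certificate.
    & .\sapgenpse.exe gen_pse -v -p $Pse $Dn
    if ($LASTEXITCODE -ne 0) { throw 'gen_pse failed' }
    & .\sapgenpse.exe export_own_cert -v -p $Pse -o $BoeCert
    if ($LASTEXITCODE -ne 0) { throw 'export_own_cert failed' }
    Assert-Base64Cert $BoeCert
    "Import $BoeCert in STRUST (Base64), then use this SNC name in SNC0: p:$Dn"
}

function Complete-SapTrust {
    # Part 2: after exporting the SAP server certificate from STRUST as $SapCert.
    Assert-Base64Cert $SapCert
    & .\sapgenpse.exe maintain_pk -v -a $SapCert -p $Pse
    if ($LASTEXITCODE -ne 0) { throw 'maintain_pk -a failed' }
    # Grant the service account SSO credentials (writes cred_v2 under SECUDIR).
    & .\sapgenpse.exe seclogin -p $Pse -O $SncUser
    if ($LASTEXITCODE -ne 0) { throw 'seclogin failed' }
    # Verify: the PSE's certificate list must now contain the SAP server certificate.
    $listing = & .\sapgenpse.exe maintain_pk -l -p $Pse 2>&1 | Out-String
    if ($listing -notmatch 'CN=') { throw 'maintain_pk -l shows no certificates in the PSE' }
    $listing
}

# Usage: Initialize-BoePse   (then do the STRUST/SNC0 steps)   Complete-SapTrust
```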
5. Setup for WebIntelligence server processes and CMS
All processes that have a trusted relationship with the SAP system have to run under a separate SIA. The steps to configure those processes are described below.
- Go to CCM (Central Configuration Manager) and add a new SIA (Server Intelligence Agent) (PAPGVMWIN011_2 in the image below).
- In CCM, stop the new SIA. Go to the SIA properties and set the new SIA to run under a Windows local user account that has Windows administrator rights (in this case the "xisnc" local user account). Start the SIA.
- Add a new WebIntelligence processing server (or Job Server) to the new SIA. In this way the WebIntelligence server processes will run under the local Windows account.
(In the image below you will see that the WebIntelligence server process is running under the local Windows user account.)
- Go to CMC (Central Management Console) and delete the WebIntelligence server processes that exist for the existing SIA (in this example the PAPGVMWIN011 SIA).
- Stop both SIAs, then go to CCM, open the properties of the existing SIA (in this example the PAPGVMWIN011 SIA) and set it to run under a domain user account that has administrator rights on the box (in this example the "xiad" user defined on the bobjtest.com domain). Start both SIAs. (In the image above you will see that the CMS and all other server processes, except WebIntelligence, are running under the Windows domain user account "xiad".)
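As an added check (not part of the original guide), the following PowerShell snippet verifies the end state of this section: which Windows account each BOE server process runs under. The process image names (CMS.exe, WIReportServer.exe) and the NetBIOS domain name BOBJTEST are assumptions; adjust them to what your CCM and Task Manager show.

```powershell
# Added example, not from the original guide. Run elevated so GetOwner works for
# processes owned by other accounts. Image names and domain NetBIOS name are assumed.
$Expected = [ordered]@{
    'CMS.exe'            = 'BOBJTEST\xiad'        # CMS: domain account (needed for Windows AD auth)
    'WIReportServer.exe' = 'PAPGVMWIN011\xisnc'   # WebI processing server: local account trusted by SAP
}

function Get-ProcessOwner([string]$ImageName) {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ImageName'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            Name  = $_.Name
            Pid   = $_.ProcessId
            Owner = '{0}\{1}' -f $owner.Domain, $owner.User
        }
    }
}

$report = foreach ($image in $Expected.Keys) {
    $procs = @(Get-ProcessOwner $image)
    if ($procs.Count -eq 0) {
        [pscustomobject]@{
            Name = $image; Pid = $null; Owner = '(not running)'
            Expected = $Expected[$image]; Ok = $false
        }
        continue
    }
    foreach ($p in $procs) {
        [pscustomobject]@{
            Name = $p.Name; Pid = $p.Pid; Owner = $p.Owner
            Expected = $Expected[$image]
            Ok = ($p.Owner -ieq $Expected[$image])
        }
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more server processes run under an unexpected account.'
}
```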
Note 1: It is important to understand that in the presented solution the CMS server process runs under a domain account, which is a requirement for Windows AD authentication to work. All processes that have a "trusted" relationship with SAP BW run under a different user account, which can be a local user account or a domain user account. The presented solution uses a local Windows account for the processes that are trusted by SAP BW.
Note 2: If tight security is needed, please refer to "Using server groups - Guidelines for using a server group" on page 108 of the Integration for SAP Solutions Install and Admin guide for more information.