
SAP BI4

Technical Configuration

Table of contents

1 BI access
1.1 User
1.2 CMC
1.3 BI Launch pad
2 Post Installation
2.1 System Configuration Wizard
2.2 Memory configuration
2.3 SMTP
3 SSL Configuration
3.1 /etc/services File
3.2 Keystore File
3.3 Tomcat
4 User Provisioning : BW to BI
4.1 Environments relationship
4.2 SimpleUsernameFormat
4.3 Entitlement System
4.3.1 Roles
4.3.2 Options
4.3.3 User Update
5 Trusted Connection BI / BW
5.1 Keystore File
5.2 Public Key Certificate
5.3 Import Certificate
5.4 SAP Database
6 Configuration SSO : BI – HANA
6.1 Overview
6.2 Generate a Certificate from BI Platform
6.3 Import the Certificate into the HANA Trust Store
6.4 Import Certificate into HANA Security
6.5 Create a HANA user with SAML
6.6 Validation
7 Configuration SSO : HANA - Kerberos
7.1 Prerequisites
7.1.1 Packages
7.1.2 Hostname resolution : verification
7.1.3 SAP HANA Database: several instances on one host
7.2 SAP HANA Database Server krb5.conf
7.3 Create Service User
7.4 Create Keytab
7.5 Verify Keytab
7.6 Definition / Test authentication
8 BI4: SSO setup
8.1 Prerequisite
8.2 Configuration
8.3 User's LDAP alias
8.4 Trusted Authentication
8.5 Linux/AD SSO
8.5.1 Create AD service account (already done by IT Integration)
8.5.2 Security Directory
8.6 Linux Configuration
8.6.1 global.properties
8.6.2 BIlaunchpad.properties
8.6.3 CmcApp.properties
8.6.4 OpenDocument.properties
8.6.5 Setup Vintela
1 BI access
1.1 User
user: Administrator
password: ERMBoUsr2

1.2 CMC
http://DCDEVSAP4342:8080/BOE/CMC

http://DCINTSAP4142:8080/BOE/CMC

http://DCSRVSAP4042:8080/BOE/CMC

1.3 BI Launch pad


http://DCDEVSAP4342:8080/BOE/BI

http://DCINTSAP4142:8080/BOE/BI

http://DCSRVSAP4042:8080/BOE/BI
2 Post Installation
2.1 System Configuration Wizard

Inside CMC, click on System Configuration Wizard

Unselect following products

• Crystal Reports
• Dashboard servers

Uncheck “Keep existing configuration”

Initial Memory configuration : XS

Configured memory Dev : S
Configured memory Qual : S
Configured memory Prod : S (to be adjusted when target users number will be known)

Keep standard values

Apply modifications
Confirm (close)

2.2 Memory configuration

Inside CMC, click on Servers

Then, click on Servers List

Display APS.Analysis server’s properties

Set memory to 2 GB in command line

-Xmx2g

Restart APS.Analysis server


2.3 SMTP

Inside CMC, click on Servers

Select Servers List and Adaptive Job Server and then Destination

Add Email Destination

and fill with following information

• Domain : euromaster.com
• Host : smtp-lbn.fr.erm.int
• Port : 25
3 SSL Configuration
3.1 /etc/services File
With user root

Add following line(s) in /etc/services file

QBI
sapmsPPE 3601/tcp # SAP System Message Server Port

PBI
sapmsPKE 3601/tcp # SAP System Message Server Port

3.2 Keystore File


With user saproot

Generate .keystore file

cd /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin/

./keytool -genkey -alias BIDEV_tomcat -keyalg RSA

pwd: pass4euromaster

Alias:
• DBI alias BIDEV_tomcat
• QBI alias BIQAL_tomcat
• PBI alias BIPRD_tomcat

File .keystore is generated in home directory

cd

ls -altr

Move .keystore file in BO’s sec subdirectory

cd

mkdir /usr/sap/BI/sap_bobj/enterprise_xi40/sec

mv .keystore /usr/sap/BI/sap_bobj/enterprise_xi40/sec
3.3 Tomcat

Backup initial configuration file


cd /usr/sap/BI/sap_bobj/tomcat/conf

cp server.xml server.xml.INIT

With user saproot

Update configuration file by

• Uncomment following lines
• Add parameter keystorePass with its value
• Add parameter keystoreFile with its value

Modified configuration

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" keystorePass="SigmaV2"
keystoreFile="/usr/sap/BI/sap_bobj/enterprise_xi40/sec/.keystore" />

With user saproot

Restart tomcat server


cd /usr/sap/BI/sap_bobj

./tomcatshutdown.sh
./tomcatstartup.sh

Log files are available inside directory

/usr/sap/BI/sap_bobj/tomcat/logs

With user saproot

Restart BI servers

cd /usr/sap/BI/sap_bobj

./stopservers
./startservers
4 User Provisioning : BW to BI
4.1 Environments relationship
BI landscape is composed of 3 systems

ECC landscape is composed of 4 systems

Relationship between BI and ECC systems is managed by the following table:

Environment   BI 4   ECC
Development   DBI    QKE/300
Quality       QBI    PPE/300
Production    PBI    PKE/300

4.2 SimpleUsernameFormat
With user saproot

Stop BI servers

cd /usr/sap/BI/sap_bobj/

./stopservers

Go to directory
/usr/sap/BI/sap_bobj/data/.bobj/registry/64/software/sap businessobjects/suite xi 4.0/enterprise/auth plugins/secsapr3

Edit file
.Registry

Set the value for the parameter SimpleUsernameFormat to Yes, as in
"SimpleUsernameFormat"="Yes"

With user saproot

Restart BI servers

cd /usr/sap/BI/sap_bobj/

./startservers
4.3 Entitlement System

Inside CMC, click on Authentication

And choose type « SAP »

Fill system/client connection information

DBI
• App. Server: dcintsap4131.erm.ci.erm
• Syst. Num : 10
• Username : SDC.BATCH.EU
• Password
• Language : en

QBI
• Message Server: dcpresap4730.erm.ci.erm
• Logon Group : ERM
• Username : SDC.BATCH.EU
• Password
• Language : en

PBI
• Message Server: dcsrvsap4030.erm.ci.erm
• Logon Group : ERM
• Username : SDC.BATCH.EU
• Password
• Language : en

Validate with

Logical System Name is automatically filled

4.3.1 Roles

In “Role Import” tab,

1. Select roles to be imported in BI4 system


2. Click on UPDATE

All users assigned to following roles will be considered and imported in BI (next steps)

ZBO_Finance
ZBO_HRAndSafety
ZBO_Quality
ZBO_Sales
ZBO_Supply
ZC_NL_ACCOUNT_MANAGER
ZC_NL_AREA_MANAGER
ZC_NL_BUSINESS_PARTNER_CONTROL
ZC_NL_BUSINESS_SUPPORT_CONTROL
ZC_NL_CATEGORY_MANAGER
ZC_NL_CENTER_MANAGER
ZC_NL_CENTRAL_MNG_DIRECTOR
ZC_NL_CREDIT_MANAGER
ZC_NL_DIRECTOR_LEASING
ZC_NL_FINANCE_DIRECTOR
ZC_NL_FINANCE_MANAGER
ZC_NL_HEAVY_SERVICE_DIRECTOR
ZC_NL_HEAVY_SERVICE_SALES_SUPP
ZC_NL_HR_ADMINISTRATOR
ZC_NL_HR_DIRECTOR
ZC_NL_HR_MANAGER
ZC_NL_INTERNAL_AUDIT
ZC_NL_MARKETING_MANAGER
ZC_NL_MEDEW_FLEET_SUPPORT
ZC_NL_MNG_DIRECTOR
ZC_NL_PROCURE_DIRECTOR
ZC_NL_PURCHAS_MANAGER
ZC_NL_SUP_CHAIN_MANAGER

Remarks:
Roles are available only if they are already assigned to SAP userid.
If they are not available, it is not a show stopper and next steps can be done.

4.3.2 Options

In “Options” tab,

Check “Enable SAP Authentication”

Select Default System

• DBI : QKECLNT300
• QBI : PPECLNT300
• PBI : PKECLNT300

Imported users have to be created as Concurrent users

4.3.3 User Update

In “User Update” tab,

Schedule Users & Roles update

Define an hourly job and click on

5 Trusted Connection BI / BW
In the next commands, replace the “DBI” string according to the system being configured:

• Development DBI
• Quality QBI
• Production PBI

5.1 Keystore File

Generate keystore file

cd /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin/

./java -jar /usr/sap/BI/sap_bobj/enterprise_xi40/java/lib/PKCS12Tool.jar -keystore DBI_keystore.p12 -alias DBI_trust -storepass pass4euromaster -dname CN=DBI

5.2 Public Key Certificate

Export keystore’s public key

cd /usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin/

./keytool -exportcert -keystore DBI_keystore.p12 -storetype pkcs12 -file DBI_public.cer -alias DBI_trust

5.3 Import Certificate

Transaction STRUSTSSO2 (client =000)

Switch in update mode

Select System PSE

In certificate frame, import public key with


Select public key file

QKE DBI_public.cer
PPE QBI_public.cer
PKE PBI_public.cer

Add certificate in certificate list

Add certificate to the Access Control list

Fill with BO’s System ID (DBI / QBI / PBI)


Fill with client 000
Save configuration

5.4 SAP Database

Inside CMC, click on Authentication

And choose type « SAP »

In “Options” tab, select default ECC system and fill:
• BO system ID (1)
• Path and public BO certificate (1)
• Keystore’s password (1)
• Public key’s password (1)
• Keystore’s alias (1)

(1) As mentioned in paragraph 5.1 and 5.2

DBI / QBI / PBI

6 Configuration SSO : BI – HANA

6.1 Overview
To set up SAML authentication, a trust must be established between the HANA and BI Platform
System. At a high level, the steps include:

1. Generate a certificate from BI Platform
2. Import the certificate into the HANA Trust Store

After that trust has been established, the last step is to set up the security on the HANA system:

1. Import the certificate into the HANA Security
2. Configure a SAML user with an external identity user
3. Test the connection
6.2 Generate a Certificate from BI Platform

Inside CMC, click on Applications

And then click on « HANA Authentication »

Create a new connection

Fill following parameters :

Click on

Provider name has to be the same as parameter saml_service_provider_name

Save certificate in text file HANA<SID>BOBJSAML.cer
6.3 Import the Certificate into the HANA Trust Store

To find out which trust store is used by HANA, check the configuration setting global.ini > [communication] > ssltruststore

By default, the value is sapsrv.pse.

This means the sapsrv.pse is located in $SECUDIR/sapsrv.pse

Access to HANA Web Dispatcher Administration

For example QKE HANA Database:
http://dcdevapp5102:8010/sap/hana/xs/wdisp/admin

Select PSE Management on the left hand side

From the Manage PSE drop down menu, select sapsrv.pse

Select Import Certificate from the Trusted Certificates

Copy the certificate text from the certificate generated from the BI Platform CMC.

Make sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

The certificate should appear in the Trusted Certificates section

Restart the HANA system for these changes to take effect

Remark : Next configuration steps can be performed before HANA system restart

6.4 Import Certificate into HANA Security

The next step is to import the same certificate into HANA Security.
This step is needed to create the SAML Identity Provider (IdP).

Open HANA Studio

Expand Security Folder and select Security

Select the SAML Identity Providers tab and select the Import button

Select .cer file

Fill in the Identity Provider Name

Fill Entity ID with saml_service_provider_name parameter value

6.5 Create a HANA user with SAML


Only for test purpose
Mass user creation will be performed with a batch job

The certificate has been generated and imported into the truststore and also into HANA Security.
The next step is to assign a HANA user to a BI Platform user.

Open HANA Studio

Expand Security Folder and select User

Select the check box SAML and select Configure.

Select Add and there should be the SAML Identity Provider in the list.

Select correct IdP (available only after system has been restarted)
Add an External Identity

• The External Identity is the username from the BI Platform system

• This name is case sensitive

6.6 Validation

Inside CMC, click on Application, and then HANA Authentication

Use previously defined connection

Specify the username to test : This user must match the External Identity user

Test with

Mapping of BO account « Administrator » to HANA account « ERM_SYSTEM »

7 Configuration SSO : HANA - Kerberos


7.1 Prerequisites
7.1.1 Packages
1. The clocks of all hosts involved are synchronized.
2. On the Active Directory domain controller, Network Kerberos is forced to use TCP instead of UDP (see http://support.microsoft.com/kb/244474/en-us for reference)
3. Hostname reverse lookup (/etc/hosts on the DB server and/or DNS record type PTR in Active Directory) is set up for “physical” and “virtual” DB server hostname(s).
4. On the DB server, hostname resolution must be consistent with reverse lookup.
5. A “virtual” hostname must actually be a DNS alias, while a “physical” hostname must be a canonical name.

Important
A virtual hostname aka DNS alias must be realized using a DNS CNAME record, while the corresponding physical hostname must be registered as

Software

Kerberos client and server libraries must be installed; version should be above 1.6.3.132

Check that kinit and ktutil tools are available


7.1.2 Hostname resolution : verification

for getting the FQDN of the server:

hostname --fqdn

for getting the respective IP address:

hostname --ip-address

for checking the reverse lookup:

~> python <<EOF
> import socket
> host = socket.gethostbyaddr('10.50.0.233')[0]
> print(host)
> EOF
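
Prerequisites 3 to 5 of 7.1.1 and the reverse-lookup snippet above can be combined into one forward/reverse consistency check. This is an added example, not part of the original procedure; `check_host` and its `role` argument are hypothetical names, and the host names and addresses are constructed sample data. Pass fully qualified names, otherwise a short name is reported as an alias.

```python
import socket

# Constructed sample data (documentation address range, made-up names) so the
# example runs offline. On a real DB server, call check_host() without the
# forward/reverse arguments to use the system resolver.
SAMPLE_FORWARD = {
    # name -> (canonical name, aliases, addresses), as gethostbyname_ex returns
    "hanadb01.example.test": ("hanadb01.example.test", [], ["192.0.2.10"]),
    "hanavirt.example.test": ("hanadb01.example.test",
                              ["hanavirt.example.test"], ["192.0.2.10"]),
    "hanadb02.example.test": ("hanadb02.example.test", [], ["192.0.2.20"]),
}
SAMPLE_REVERSE = {
    "192.0.2.10": ("hanadb01.example.test", [], ["192.0.2.10"]),
    "192.0.2.20": ("oldname.example.test", [], ["192.0.2.20"]),  # stale PTR
}


def sample_forward(name):
    """Offline stand-in for socket.gethostbyname_ex."""
    try:
        return SAMPLE_FORWARD[name]
    except KeyError:
        raise socket.gaierror("unknown host " + name)


def sample_reverse(ip):
    """Offline stand-in for socket.gethostbyaddr."""
    try:
        return SAMPLE_REVERSE[ip]
    except KeyError:
        raise socket.herror("no PTR record for " + ip)


def check_host(name, role, forward=socket.gethostbyname_ex,
               reverse=socket.gethostbyaddr):
    """Check one DB server hostname; role is "physical" or "virtual".

    Returns a list of problem strings. An empty list means forward lookup,
    reverse lookup and the alias/canonical rule all agree.
    """
    try:
        canonical, _aliases, addresses = forward(name)
    except OSError as exc:
        return ["%s: forward lookup failed (%s)" % (name, exc)]

    problems = []
    # A name that resolves to a different canonical name is an alias (CNAME
    # or secondary /etc/hosts name).
    is_alias = canonical.lower() != name.lower()
    if role == "physical" and is_alias:
        problems.append("%s: physical hostname is an alias of %s"
                        % (name, canonical))
    if role == "virtual" and not is_alias:
        problems.append("%s: virtual hostname is not a DNS alias" % name)

    # Every address must reverse to the canonical name.
    for ip in addresses:
        try:
            ptr_name = reverse(ip)[0]
        except OSError as exc:
            problems.append("%s: no reverse lookup for %s (%s)" % (name, ip, exc))
            continue
        if ptr_name.lower() != canonical.lower():
            problems.append("%s: %s reverses to %s, expected %s"
                            % (name, ip, ptr_name, canonical))
    return problems


if __name__ == "__main__":
    for host, role in [("hanadb01.example.test", "physical"),
                       ("hanavirt.example.test", "virtual"),
                       ("hanadb02.example.test", "physical")]:
        issues = check_host(host, role, sample_forward, sample_reverse)
        print(host, "OK" if not issues else issues)
```
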

7.1.3 SAP HANA Database: several instances on one host


It is possible to use different Kerberos configurations for different instances of the SAP HANA DB running on
the same host. To this end, the following environment variables can be used:

1. KRB5_CONFIG: Path to the Kerberos configuration file (default: /etc/krb5.conf)

2. KRB5_KTNAME: Path to the Kerberos keytab file (default: /etc/krb5.keytab)

These environment variables have to be set in the file setenv.sh and/or setenv.csh, respectively.

Important : You have to stop and restart the sapstartsrv for making these changes effective.

7.2 SAP HANA Database Server krb5.conf

Backup file /etc/krb5.conf

Initial Version:

[libdefaults]
# default_realm = EXAMPLE.COM
default_realm = FR.ERM.INT

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
FR.ERM.INT = {
kdc = frsrvadc0006.fr.erm.int
kdc = frsrvadc0007.fr.erm.int
}

[domain_realm]
.ci.erm.int = FR.ERM.INT
ci.erm.int = FR.ERM.INT

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

Version modified with YaST:

[libdefaults]
# default_realm = EXAMPLE.COM
default_realm = FR.ERM.INT
clockskew = 300

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
FR.ERM.INT = {
kdc = frsrvadc0006.fr.erm.int
kdc = frsrvadc0007.fr.erm.int
default_domain = ci.erm.int
admin_server = frsrvadc0006.fr.erm.int
admin_server = frsrvadc0007.fr.erm.int
}

[domain_realm]
.ci.erm.int = FR.ERM.INT
ci.erm.int = FR.ERM.INT

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
}

Check connectivity between DB server and Active Directory

Show ticket
7.3 Create Service User

Create Service User

SEU_SAP_HANA_<SID>@fr.erm.int
FR-ERM\SEU_SAP_HANA_<SID>

Check
“User cannot change password”
“Password never expires”

Define Service Principal Name (SPN)


Set value hdb/<HANA server hostname>

PPE: hdb/dcpresap4750.ci.erm.int

PKE: hdb/dcsrvsap4051.ci.erm.int
hdb/dcsrvsap4052.ci.erm.int

Verification

On the DB server, run

#> /usr/bin/kinit myhdbserviceuser@MYDOMAIN.COM

to get a TGT for the SAP HANA database service user. You have to supply the password that was used when the service user account was created in AD.
Afterwards, run klist to check the resulting ticket cache (example):

#> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: myhdbserviceuser@MYDOMAIN.COM
Valid starting     Expires            Service principal
02/18/13 15:50:47  02/19/13 01:50:50  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/19/13 15:50:47

7.4 Create Keytab

Create link to avoid following error message (only if it has occurred)

ln -s /usr/lib64/jvm/jre/bin/kinit /usr/bin/kinit

As <sidadm> in directory /etc

python /tmp/hdbkrbconf.py -k -s SEU_SAP_HANA_PPE

All checks and default values should already be correct (depending on krb5.conf file)

Fill service account password

Generate krb5.keytab file in a directory in which user <sid>adm has write permissions

Move the krb5.keytab file in directory /etc

Secure this file

chown <sid>adm:sapsys krb5.keytab
chmod 400 krb5.keytab
7.5 Verify Keytab

Check content of the keytab

klist -k /etc/krb5.keytab -etK

Verify consistency of the keytab

kvno -k /etc/krb5.keytab hdb/dcpresap4750.ci.erm.int

7.6 Definition / Test authentication


8 BI4: SSO setup
8.1 Prerequisite
BI4 SSO is based on LDAP. To perform the setup, the following information is needed.

LDAP host name and port number: fr.erm.int:389
LDAP directory type: Microsoft Active Directory Application Server
LDAP distinguished name: CN=Service.EU_SAP,OU=ACCOUNTS,OU=ADMIN,OU=EU,DC=fr,DC=erm,DC=int
LDAP server administrator credentials: fr-erm\seu_sap

8.2 Configuration

CMC → Authentication → LDAP

Start configuration wizard

Add : fr.erm.int:389

Show Attribute Mappings

User Name: sAMAccountName
User search : sAMAccountName

Rem : These modifications change LDAP Server Type to « custom »

DC=fr,DC=erm,DC=int

CN=Service.EU_SAP,OU=ACCOUNTS,OU=ADMIN,OU=EU,DC=fr,DC=erm,DC=int

• Assign each added LDAP alias to an account with the same name

• Create new aliases when the Alias Update occurs

• New users are created as concurrent users

Click

Attribute Binding Option :

• Import Full Name, Email Address and other attributes

Click
8.3 User's LDAP alias

/!\ Add Europe LDAP Group

CN=GEU.SFT.SAP.BI.ACCESS,OU=GROUPS,OU=ADMIN,OU=EU,DC=fr,DC=erm,DC=int

/!\ Add each country LDAP Group

CN=gfr.sft.sap.bi.access, OU=Soft groups,OU=Groups,OU=ADMIN,OU=FR,DC=fr,DC=erm,DC=int

CN=gro.sft.sap.bi.access, OU=Soft groups,OU=Groups,OU=ADMIN,OU=RO,DC=fr,DC=erm,DC=int

CN=gnl.sft.sap.bi.access, OU=Soft groups,OU=Groups,OU=ADMIN,OU=NL,DC=fr,DC=erm,DC=int

Schedule hourly user's LDAP alias updates


Schedule hourly User's LDAP Group Updates

8.4 Trusted Authentication

CMC → Authentication → Enterprise

• TrustedPrincipal.conf

Copy file TrustedPrincipal.conf into directory
/usr/sap/BI/sap_bobj/enterprise_xi40/linux_x64
8.5 Linux/AD SSO
8.5.1 Create AD service account (already done by IT Integration)

Create user SEU_SAP_<SID>

SEU_SAP_DBI
SEU_SAP_QBI
SEU_SAP_PBI

fr.erm.int/EU/ADMIN/ACCOUNTS
Set SPN

HTTP/<tomcat_servername>
HTTP/<tomcat_servername.domainname>

Create keytab file for Service Account:

ktpass -out bosso.keytab -princ service-account-name@REALM.COM -pass service-account-password -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

ktpass -out SEU_SAP_DBI.keytab -princ SEU_SAP_DBI@FR.ERM.INT -pass "password" -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

8.5.2 Security Directory

Create security directory under BI <sid>adm home directory
/home/saproot/security

Copy keytab file (cf. following attached file) inside this directory

Set permissions 660 to directory and file

Attached files
8.6 Linux Configuration
8.6.1 global.properties

Create file
/usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/config/custom/global.properties

/!\ Caution : no space character at end of line /!\

# Threshold at which the tree list control will not display all the nodes but instead a 'too many children message' will be printed
# Scope: global
max.tree.children.threshold=300

# Choose whether to let the user change the
# LEGACY SSO SETTING - Ignored when an application's sso.types.and.order is set
# Set to true to enable other single sign on.
# Scope: application
sso.enabled=true

# LEGACY SSO SETTING - Ignored when an application's sso.types.and.order is set
# Trusted authentication: set how to retrieve userID.
# Set to "REMOTE_USER" for HttpServletRequest.getRemoteUser().
# Set to "HTTP_HEADER" for HTTP header.
# Set to "QUERY_STRING" for URL query string.
# Set to "COOKIE" for cookie.
# Set to "WEB_SESSION" for web session.
# Set to "USER_PRINCIPAL" for user principal.
# Reset to empty to disable trusted authentication.
# Scope: application
trusted.auth.user.retrieval=QUERY_STRING

# Trusted authentication: set Header/URL parameter/Cookie/Session variable name to retrieve username. No need to set for REMOTE_USER or USER_PRINCIPAL.
# Scope: application.
# Applicable if supported by app and included in its sso.types.and.order.
# For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
trusted.auth.user.param=user

# Trusted authentication: session variable name to retrieve the shared secret; Leave empty if shared secret is not passed from web session.
# Scope: application
# Applicable if supported by app and included in its sso.types.and.order.
# For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
###trusted.auth.shared.secret=secret

Copy the file inside directory

/usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom

8.6.2 BIlaunchpad.properties

Create file
/usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/config/custom/BIlaunchpad.properties

# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secLDAP

# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=true

# Set sso.types.and.order to define a comma delimited list of SSO types to be enabled and the ordering
# An empty list indicates that the legacy ordering is to be used
# If the list is specified, the legacy options will be ignored
# Valid options: vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
# If none are desired specify: none
sso.types.and.order=trustedVintela

Copy the file inside directory

/usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom

8.6.3 CmcApp.properties

Create file
/usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/config/custom/CmcApp.properties

# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secLDAP

# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=true

# Set sso.types.and.order to define a comma delimited list of SSO types to be enabled and the ordering
# An empty list indicates that the legacy ordering is to be used
# If the list is specified, the legacy options will be ignored
# Valid options: vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
# If none are desired specify: none
sso.types.and.order=trustedVintela

Copy the file inside directory

/usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom

8.6.4 OpenDocument.properties

Create file
/usr/sap/BI/sap_bobj/enterprise_xi40/warfiles/webapps/BOE/WEB-INF/config/custom/OpenDocument.properties

# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secLDAP

# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=true

# Set sso.types.and.order to define a comma delimited list of SSO types to be enabled and the ordering
# An empty list indicates that the legacy ordering is to be used
# If the list is specified, the legacy options will be ignored
# Valid options: vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
# If none are desired specify: none
sso.types.and.order=trustedVintela

Copy the file inside directory

/usr/sap/BI/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom
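
A pre-deployment check for the four custom .properties files of 8.6.1 to 8.6.4, covering the "no space character at end of line" caution and the legacy-setting rule stated in the files' own comments. This is an added example, not part of the original procedure; the function names and the sample text (with defects injected on purpose) are constructed, and it assumes the files only use the key=value form shown on this page.

```python
# Constructed sample: BIlaunchpad.properties values from this page with three
# defects injected on purpose (trailing space, wrapped comment, duplicate key).
SAMPLE_APP = (
    "# You can specify the default Authentication types here.\n"
    "authentication.default=secLDAP \n"
    "# Choose whether to let the user change the\n"
    "authentication type.\n"
    "authentication.visible=true\n"
    "sso.types.and.order=trustedVintela\n"
    "sso.types.and.order=none\n"
)
# Constructed sample: the active settings of global.properties from this page.
SAMPLE_GLOBAL = (
    "sso.enabled=true\n"
    "trusted.auth.user.retrieval=QUERY_STRING\n"
    "trusted.auth.user.param=user\n"
)
# Keys that the page's comments mark as "LEGACY SSO SETTING".
LEGACY_KEYS = ("sso.enabled", "trusted.auth.user.retrieval")


def is_setting(raw):
    """True for a line that is neither blank nor a comment."""
    line = raw.lstrip()
    return bool(line) and not line.startswith(("#", "!"))


def lint_properties(text):
    """Return (line_number, message) tuples for one custom .properties file."""
    findings = []
    first_seen = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        if not is_setting(raw):
            continue
        # Java's properties parser keeps trailing whitespace in the value,
        # so "secLDAP " is not the same plugin name as "secLDAP".
        if raw != raw.rstrip():
            findings.append((number, "trailing whitespace becomes part of the value"))
        if "=" not in raw:
            # Typical after copy/paste: the tail of a wrapped comment line.
            findings.append((number, "not key=value (wrapped comment line?)"))
            continue
        key = raw.split("=", 1)[0].strip()
        if key in first_seen:
            findings.append((number, "duplicate key %s (first set on line %d)"
                             % (key, first_seen[key])))
        else:
            first_seen[key] = number
    return findings


def parse(text):
    """Parse key=value lines; as in Java, the last duplicate wins."""
    values = {}
    for raw in text.splitlines():
        if is_setting(raw) and "=" in raw:
            key, value = raw.split("=", 1)
            values[key.strip()] = value.lstrip()
    return values


def ignored_legacy_settings(global_text, app_text):
    """Legacy keys set in global.properties that an application ignores.

    Per the comments in the files: legacy options are ignored as soon as the
    application's sso.types.and.order list is specified (non-empty).
    """
    order = parse(app_text).get("sso.types.and.order", "").strip()
    if not order:
        return []
    settings = parse(global_text)
    return [key for key in LEGACY_KEYS if key in settings]


if __name__ == "__main__":
    for number, message in lint_properties(SAMPLE_APP):
        print("line %d: %s" % (number, message))
    print("ignored legacy keys:",
          ignored_legacy_settings(SAMPLE_GLOBAL, "sso.types.and.order=trustedVintela\n"))
```
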

8.6.5 Setup Vintela


8.6.5.1 Enable low level tracing

Add the tracing parameter


-Djcsi.kerberos.debug=true

in file
/usr/sap/BI/sap_bobj/tomcat/bin/bobjenv.sh

From:
# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false"
To:
# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false -Djcsi.kerberos.debug=true"
