
KLK Oleo Group

SAP Project Implementation


SBOP BI SSO

1 SAP BusinessObjects BI 4.1 Post Installation


1.1 BI Launchpad properties
1. Go to the following directory in your BI platform installation:
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom\
<INSTALLDIR>\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom
2. Create a new file using Notepad and save the file under the following name:
BIlaunchpad.properties
3. To include the authentication options on the BI launch pad logon screen, add the following:
authentication.visible=true
4. To prompt users for the CMS name on the BI launch pad logon screen:
cms.visible=true
5. Save and close the file.
6. Restart your web application server.

1.2 Configuration for SAP Integration transports


Since SAP BusinessObjects BI Platform 4.0, the SAP Integration Kit is already part of the installation
and no longer requires a separate add-on installation.
There are two sets of transport files, which can be used with BusinessObjects Enterprise Integration
Kit for SAP. One set is ANSI and the other set is Unicode enabled. The set of transports you must use
depends on the BASIS system your SAP system is running on. Additionally, each transport consists of
a data file and a cofile, which are listed in brackets behind the transport names.

Last Updated By: Kevin Ooi, 30-May-2014


If your SAP system is running on a BASIS system earlier than 6.20, you must use the files listed
below: (These files are ANSI.)
Open SQL Connectivity transport (K900128.r22 and R900128.r22)
Info Set Connectivity transport (K900121.r22 and R900121.r22)
Row-level Security Definition transport (K900122.r22 and R900122.r22)
Cluster Definition transport (K900123.r22 and R900123.r22)
Authentication Helpers transport (K900124.r22 and R900124.r22)
If your SAP system is running on a 6.20 BASIS system or later, you must use the files listed below:
(These files are Unicode enabled.)
Open SQL Connectivity transport (K900732.R21 and R900732.R21)
Info Set Connectivity transport (K900688.r21 and R900688.r21)
Row-level Security Definition transport (K900689.r21 and R900689.r21)
Cluster Definition transport (K900690.r21 and R900690.r21)
Authentication Helpers transport (K900691.r21 and R900691.r21)
The following files must be used on an SAP BW system:
(These files are Unicode enabled.)
Content Administration transport (K900722.r21 and R900722.r21)
Personalization transport (K900748.r21 and R900748.r21)
ODS Connectivity transport (K900695.r21 and R900695.r21)
If your SAP BW system has not applied SAP Note 1232751, you must use the file listed below:
MDX Query Connectivity transport (K900744.r21 and R900744.r21)
If your SAP BW system has applied SAP Note 1232751, you must use the file listed below:
MDX Query Connectivity transport (K900047.R72 and R900047.R72)

Copy the relevant data and cofiles to the /usr/sap/trans/data and /usr/sap/trans/cofiles of the
relevant SAP systems (ERP / BW). Then add them to the import queue and import them using
transaction STMS.
For ERP:


For BW:

Note: If SAPKW70102 or SAPKW71101 (or SAP Note 1232751) has been implemented, then use
K900047.R72; otherwise use K900744.R21.


2 SAP BusinessObjects BI 4.1 Server-side Single Sign-On (SSO) to SAP Netweaver BI 7.40
2.1 Configuring SAP Authentication
2.1.1 Creating a User Account for BI Platform
Create a new PFCG role CRYSTAL_ENTITLEMENT in the BW system.
Adopt the SAP_USER_B template (general access for all users) and then manually add the
authorization objects below.


Create a new Service user called CRYSTAL and assign the role to it.

2.2 Connecting to SAP Entitlement Systems


Before you can import roles or publish BW content to the BI platform, you must provide information
about the SAP entitlement systems to which you want to integrate. BI platform uses this information
to connect to the target SAP system when it determines role memberships and authenticates SAP
users.

2.2.1 To Add an SAP Entitlement System

Double-click on SAP.

Click Update.

2.2.2 To verify if your entitlement system was added correctly


1. Click the Role Import tab.
2. Select the name of the entitlement system from the Logical system name list.
If the entitlement system was added correctly, the Available roles list will contain a list of roles that
you can choose to import.
Tip: If no roles are visible in the Logical system name list, look for error messages on the page. These
may give you the information you need to correct the problem.


2.3 Setting SAP Authentication options

2.4 Importing SAP Roles



2.4.1 To import SAP Roles


1. Go to the "Authentication" management area of the CMC.
2. Double-click the SAP link.
3. On the Options tab, select BI Viewer, BI Analyst, Concurrent users, or Named users
depending on your license agreement.
Note that the option you select here does not change the number or type of user licenses
that you have installed in BI platform. You must have the appropriate licenses available on
your system.
4. Click Update.
5. On the Role import tab, select the appropriate entitlement system from the Logical system
name list.
6. In the Available roles area, select the role(s) that you want to import, and then click Add.
7. Click Update.

Note: The Role Import was not done and was left to the SBOP BI team to perform, depending on the S&A
strategy and approach to be adopted. Only the CRYSTAL_ENTITLEMENT role was imported.

2.4.2 To verify that roles and users were imported correctly


1. Ensure that you know the user name and password of an SAP user who belongs to one of
the roles that you just mapped to BI platform.
2. For Java BI launch pad, go to http://webserver:portnumber/BOE/BI. Replace webserver with
the name of the web server and portnumber with the port number that is set up for BI
platform. You may need to ask your administrator for the name of the web server, the port
number, or the exact URL to enter.
3. From the Authentication Type list, select SAP.
4. Type the SAP system and system client that you want to log on to.
5. Type the user name and password of a mapped user.
6. Click Log On.
7. You should be logged on to BI launch pad as the selected user.


2.4.3 Updating of SAP Roles and users

2.5 Configuring Secure Network Connection (SNC)


This section describes how to configure SNC as part of the process of setting up SAP authentication
to BI platform.
Before setting up trust between the SAP and BI platform systems, you must ensure the SIA is
configured to start and run under an account that has been set up for SNC. You must also configure
your SAP system to trust BI platform. It is recommended that you follow the instructions covered in
the Configuring SAP server-side trust section in the Supplementary Configurations for ERP
Environments chapter of this guide.

2.5.1 Configuring SAP for server-side trust


Note: This is done on the SAP Netweaver BW server!
1. From the SAP marketplace, download the SAP Cryptographic Library for all relevant
platforms.
Note: For more information about the Cryptographic Library, see SAP notes 711093, 597059
and 397175 on the SAP web site.

2. Ensure that you have administrator credentials both within SAP and for the machine
running SAP, and administrator credentials for BI platform and the machine (or machines)
it is running on.
3. On the SAP (BID) machine, copy the SAP Cryptographic Library and the SAPGENPSE tool to
<DRIVE>:\usr\sap\BID\SYS\exe\uc\NTAMD64 directory (on Windows).


4. Locate the file named "ticket" that was installed with the SAP Cryptographic Library, and
copy it to the <DRIVE>:\usr\sap\<SID>\<instance>\sec\ directory (on Windows).

5. Create an environment variable named SECUDIR that points to the directory where the
ticket resides.
Note: This variable must be accessible to the user under which SAP's disp+work process
runs.


6. In the SAP GUI, go to transaction RZ10 and change the instance profile in Extended
maintenance mode.
7. In profile edit mode, point SAP profile variables to the Cryptographic Library and give the
SAP system a Distinguished Name (DN). These variables should follow the LDAP naming
convention:

For example, for BID system: p:CN=BID, OU=PG, O=BOBJ, C=CA


Note: The prefix p: is for the SAP Cryptographic Library. It is required when referring to
the DN within SAP, but will not be visible when examining certificates in STRUST or using
SAPGENPSE.


8. Enter the following profile values, substituting for your SAP system where necessary:

9. Restart your SAP instance.


10. When the system is running again, log on and go to transaction STRUST, which should now
have additional entries for SNC and SSL.
11. Right-click the SNC node and click Create. The identity you specified in RZ10 should now
appear.

12. Click OK.


13. To assign a password to the SNC PSE, click the lock icon.
Note: Do not lose this password. You will be prompted for it by STRUST every time you view
or edit the SNC PSE.
14. Save the changes.
Note: If you do not save your changes, the application server will not start again when you
enable SNC.
15. Return to transaction RZ10 and add the remainder of the SNC profile parameters:

16. Restart your SAP system. You must now configure BI platform for server-side trust.

2.5.2 Configuring SBOP BI platform for server-side trust


Note: This is done on the SBOP BI server!


Extract the SAPCRYPTOLIB.SAR file to a temporary folder. Then create the folder C:\Program
Files\SAP\Crypto. Copy the files from ..\nt-x86_64 folder to this newly created folder. Then create a
sub-folder \sec and copy the file 'ticket' from the extracted SAPCRYPTOLIB.SAR file to this folder.


Set up the environment variables:

2.5.2.1 To generate a PSE


sapgenpse.exe gen_pse -v -p BOE.pse

Pin: KLKOLEO1
DN: CN=BOE, OU=PG, O=BOBJ, C=CA

The default PSE is now created, with its own certificate.



sapgenpse.exe export_own_cert -v -p BOE.pse -o BOE.crt

Go to transaction STRUST:


Click Save.

The following certificate should appear below:


Now double-click on SNC SAPCryptolib for the BID Own Certificate.

Go to transaction SNC0.


Return to the command prompt of the SBOP BI Platform server:


sapgenpse.exe maintain_pk -v -a MySAPCert.crt -p BOE.pse

The SAP Cryptographic Library is installed on the BI platform machine. You have created a PSE that
will be used by BI platform servers to identify themselves to SAP servers. SAP and the BI platform
PSE have exchanged certificates. SAP permits entities with access to the BI platform PSE to perform
RFC calls and password-less impersonation.

2.5.2.2 To configure PSE access


sapgenpse.exe seclogin -p BOE.pse

sapgenpse.exe maintain_pk -l

2.5.2.3 To configure SAP authentication SNC settings


After you configure PSE access, you need to configure the SAP authentication settings in the CMC.
1. Go to the "Authentication" management area of the CMC.
2. Double-click the SAP link. The entitlement systems settings appear.
3. Click the SNC settings tab on the SAP Authentication page.
4. Select your entitlement system from the Logical system name list.
5. Select Enable Secure Network Communication (SNC) under Basic Settings.
6. Enter the path for the SNC library settings in SNC library path.
7. Select a level of protection under Quality of Protection.
8. Enter the SNC name of the SAP system under Mutual authentication settings.
9. Ensure that the SNC name of the credentials under which BI platform servers run appears in
the SNC name of Enterprise system field.
10. Provide the DNs of both the SAP system and the BI platform PSE.
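
A check for the SNC names and DNs entered in steps 8 to 10, given the earlier note that the p: prefix is required inside SAP but not shown by STRUST or SAPGENPSE. This is an added example, not part of the original guide; the function names are hypothetical, and ignoring spacing around separators while comparing values case-sensitively is an assumption of the example.

```python
import re

SNC_PREFIX = "p:"  # required inside SAP; not shown by STRUST or SAPGENPSE


def strip_prefix(name):
    """Drop a leading p: so an SNC name and a bare subject can be compared."""
    name = name.strip()
    return name[len(SNC_PREFIX):] if name.startswith(SNC_PREFIX) else name


def canonical_dn(name):
    """Return ((TYPE, value), ...), ignoring spacing around ',' and '='."""
    rdns = []
    for part in re.split(r"(?<!\\),", strip_prefix(name)):  # keep escaped commas
        if "=" not in part:
            raise ValueError("not an RDN: %r" % part.strip())
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def check_snc_name(snc_name, cert_subject):
    """Return a list of problems; an empty list means the names agree."""
    problems = []
    if not snc_name.strip().startswith(SNC_PREFIX):
        problems.append("SNC name lacks the p: prefix")
    if cert_subject.strip().startswith(SNC_PREFIX):
        problems.append("certificate subject should not carry the p: prefix")
    try:
        a, b = canonical_dn(snc_name), canonical_dn(cert_subject)
    except ValueError as exc:
        return problems + [str(exc)]
    if a != b:
        if sorted(a) == sorted(b):
            problems.append("same RDNs in a different order")
        elif [(t, v.lower()) for t, v in a] == [(t, v.lower()) for t, v in b]:
            problems.append("values differ only in letter case")
        else:
            problems.append("DN mismatch: %s != %s" % (a, b))
    return problems


if __name__ == "__main__":
    # DNs are the ones used in this guide; the pairings are constructed samples.
    print(check_snc_name("p:CN=BID, OU=PG, O=BOBJ, C=CA", "CN=BID,OU=PG,O=BOBJ,C=CA"))
    print(check_snc_name("CN=BOE, OU=PG, O=BOBJ, C=CA", "CN=BOE, OU=PG, O=BOBJ, C=CA"))
```
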


2.5.3 To configure the SNC settings in the Central Management Console


In the optional SNC name field, type the SNC name if you have one.


2.5.4 To associate the entitlement user with an SNC name

If Active Directory (or LDAP) Single Sign-On is configured (client-side SNC), then key in the SNC
name for the users. For example, SNC Name = p:<username>@<domain>, such as p:John.Smith@ACME.COM.


2.6 Setting up single sign-on to the SAP system


2.6.1 To generate the keystore file

"D:\Program Files\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java.exe" -jar PKCS12Tool.jar -keystore keystore.p12 -storepass KLKOLEO1 -alias BOE -dname CN=BOE -validity 365 -cert cert.der

The files cert.der and keystore.p12 are generated.

2.6.2 To export the public key certificate


"D:\Program Files\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool.exe" -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias BOE

keystore password: KLKOLEO1

2.6.3 Importing the certificate file into the target ABAP SAP system
Launch transaction STRUSTSSO2.


2.6.4 To set up single sign-on to the SAP database in the CMC


2.6.5 Test Login using SAP Authentication


3 Troubleshooting

Increase Apache Tomcat memory settings.
