
Implementing SSO between the Enterprise Portal and the EPM Add-In

Applies to:
- SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver SP1 and higher
- EPM Add-In, SP3 and higher

For more information, visit the Enterprise Performance Management homepage.

Summary
One of the major changes in SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver, was the move to a more standard BW security model, made possible by replacing the .NET tier with the ABAP Web Application Server (WAS). This change allows us to connect to a BPC NetWeaver connection in the EPM Add-In directly from the portal without entering any user credentials, giving Enterprise Portal customers a new deployment option. The SSO scenario covered in this guide can be incorporated into an existing Enterprise Portal implementation with minimal effort.

Author: Daniel Settanni
Company: SAP Labs
Created on: 2 December 2011

Author Bio
Daniel Settanni has worked at SAP Labs in the EPM CSA for the last 5 years. He specializes in SAP BusinessObjects Planning and Consolidation, both the Microsoft and NetWeaver releases.

SAP COMMUNITY NETWORK 2011 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1

Table of Contents
Prerequisites
Overview
  Integration between the Enterprise Portal and BPC 10 for NetWeaver's web client
  Integration between the Enterprise Portal and BPC 10 for NetWeaver's Office client (EPM Add-In)
  Why would I want to integrate the Enterprise Portal with BPC 10?
  What's included in the Web Application
  Quick note on security
Importing the Web Project to NWDS
  Importing the WAR file into NWDS
  Adding References to the Apache HttpClient Libraries
  Updating the Deployment Descriptor
Deploying the Web Application
  Creating the Enterprise Application
  Deploying the Enterprise Application
Testing the Web Application
  Testing the Servlet
  Using the Test JSP Page
Related Content
Copyright


Prerequisites
This solution depends on:
- An AS Java instance with the Enterprise Portal components installed
- An AS ABAP instance with SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver SP1 or higher installed
- The EPM Add-In, SP3 or higher
- NetWeaver Developer Studio (NWDS) 7.3
- Apache HTTPComponents > HttpClient 4.1.2
  o Can be downloaded from: http://hc.apache.org/downloads.cgi
  o Required for proper cookie support (needed to generate reentrance tickets)


Overview
The underlying architecture of SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver (herein referred to as BPC or BPC 10) has changed from its previous releases. Specifically, the .NET server which previously supported Web operations has been replaced with the SAP ABAP Web Application Server (WAS). Because of this new architectural component, BPC now supports SAP Logon tickets, which allow users to authenticate to one SAP system and seamlessly log on to another trusted SAP system without having to reenter their credentials.

This how-to guide provides a web application that can be deployed alongside the Enterprise Portal on an AS Java stack allowing you to launch the EPM Add-In directly from the portal without having to enter credentials a second time.

Integration between the Enterprise Portal and BPC 10 for NetWeaver's web client
Integrating the Enterprise Portal with the BPC 10 for NetWeaver web interface is a straightforward process and is supported by default. You can simply create a new page in Portal Content, make the BPC 10 for NetWeaver web client URL the target, and you are ready to go. As long as the AS ABAP server trusts the AS Java server, users can seamlessly log into the BPC web client from the Portal. A user can then launch the EPM Add-In from the BPC web client using the link provided in the web client home page. The basic flow is as follows:

The only potential issue here is that a user has to go to the BPC web client, even if they only want to use the EPM Add-In. It's only a few extra steps, but still not optimal. In the next section we will explain how we can remove these extra steps to allow the user to log into the EPM Add-In directly.


Integration between the Enterprise Portal and BPC 10 for NetWeaver's Office client (EPM Add-In)
Now that we have seen what is possible out of the box, let's look at the solution provided by this How-To guide. It is very similar to the one above, with one key difference: the user doesn't have to navigate to the BPC 10 web client to launch the EPM Add-In. Instead, they can click on a link directly in the portal which bypasses the BPC 10 web client completely. The target of the link is the custom web application included in this HTG. This web application communicates with the BPC 10 web services for the client, obtains the reentrance ticket and passes it to the EPM Add-In. The basic flow for this scenario is as follows:

Why would I want to integrate the Enterprise Portal with BPC 10?
So why would someone want to enable SSO between the Enterprise Portal and their BPC 10 NetWeaver installation? We've already covered one reason, seamless authentication, but there is another equally valid reason: to enable additional authentication scenarios. Currently, the web client and EPM Add-In support three basic types of authentication, and in each case the credentials are all stored in BW:
- Basic / Forms based
  o Credentials are stored in BW
- X.509 Client Certificates
  o X.509 certificates are stored in BW and mapped to BW users
- SAP Logon Tickets
  o Allows users to log in to the EPM Add-In without entering credentials when launched from the web client.

If you are familiar with authentication in the previous releases you will notice that authentication using Active Directory credentials is not supported (this was the only supported mechanism previously). Integration with the Enterprise Portal puts this option back on the table because AS Java supports using LDAP as a data source with the UME. This means that you can still use Active Directory credentials to authenticate to BPC 10 for NetWeaver, assuming the Enterprise Portal is your starting point.


What's included in the Web Application
The web application includes three classes and one JSP in addition to all the standard web application components. The Java source is also included in the WAR file in case you want to tweak anything or just get more insight into how this was implemented.
- com.sap.csa.bpc.EPM_AddIn_Launcher.java
  o Description: Servlet implementation providing the core functionality for the HTG.
  o Default URI: /PCNW10_SSO_EA/EPM_AddIn_Launcher
- com.sap.csa.bpc.HostDescriptor.java
  o Description: Standard bean style class used to store connectivity information for the BPC 10 NetWeaver AS ABAP Web Application Server (WAS).
- com.sap.csa.bpc.ReentranceDetails.java
  o Description: Stores the Reentrance token and logs associated with retrieving the token.
- index.jsp
  o Description: A basic JSP, really just an HTML form that allows you to test calling the EPM_AddIn_Launcher servlet with different host/port/protocol/environment parameters using the GET and POST HTTP methods.
  o Default URI: /PCNW10_SSO_EA/index.jsp

Note: You can change the default context root (/PCNW10_SSO_EA) in the enterprise application's application.xml file. This change would not require any changes in the web app. You can also change the default servlet URI (EPM_AddIn_Launcher) in the web application's web.xml file. You will have to update the form actions in index.jsp if you change the servlet URI.

Quick note on security
Two sensitive pieces of information are passed between the client and the Portal during this process: the SAP Logon Ticket and the Reentrance Ticket. These tickets could be compromised if the end user accesses the Portal without using SSL. For this reason, SSL (HTTPS) must be used when deploying this solution in production.


Importing the Web Project to NWDS


This section covers importing the PCNW10_SSO_WP.war file into NWDS as well as adding references to the libraries included with the Apache HttpClient 4.1.2. The PCNW10_SS_WP.war file can be downloaded here: PCNW10_SS_WP.war file

Importing the WAR file into NWDS
1. Launch NWDS.
2. Select File > Import.
3. Expand Web and select War File. Click Next.
4. Enter the path to PCNW10_SSO_WP.war in the War file text box, then click Finish.
5. You should now see the PCNW10_SSO_WP project in Project Explorer.


Adding References to the Apache HttpClient Libraries
1. Download httpcomponents-client-4.1.2-bin.zip from http://hc.apache.org/downloads.cgi and extract it.
2. Right click the PCNW10_SSO_WP project in your NWDS Project Explorer and select Properties.
3. Select Java Build Path and click Add External JARs on the Libraries tab.

4. Browse to httpcomponents-client-4.1.2\lib and select all 6 JAR files. Click Open.

5. Click OK in the Properties window.


Updating the Deployment Descriptor
The deployment descriptor contains the following initialization parameters used by the servlet:
- host: The fully qualified domain name or IP address of the AS ABAP instance hosting BPC 10 NetWeaver.
- port: The TCP port used by the Web Application Server hosting the BPC 10 NetWeaver instance.
- protocol: Either HTTP or HTTPS.
  o Note: If you select HTTPS, you must ensure that your AS Java system trusts the WAS server's certificate and certificate path.
- environment: The default Environment or Appset for the EPM Add-In to connect to unless another is specified in the request.

To update the deployment descriptor:
1. Launch NWDS.
2. Expand PCNW10_SSO_WP and double click on the Deployment Descriptor.

3. Ensure you are looking at the Design View.

4. Expand web-app > servlet. There are four init-param blocks, one for each initialization parameter. Expand the first init-param (param-name = host) and update the param-value to reflect the FQDN or IP address of your BPC 10 for NetWeaver WAS server.

5. Expand the second init-param (param-name = port) and update the param-value to reflect the TCP port of your BPC 10 for NetWeaver WAS server.

6. Expand the third init-param (param-name = protocol) and update the param-value to reflect the transport protocol to use when connecting to your BPC 10 for NetWeaver WAS server.

Note: You should use HTTPS in a production landscape to ensure that the SAP Logon Ticket and Reentrance Tickets don't cross the network in clear text, unless you are certain that communication between the AS Java and AS ABAP systems is on a trusted network.

7. Expand the fourth init-param (param-name = environment) and update the param-value to reflect the default environment (appset) to use if one is not provided in the HTTP request.

8. Save the deployment descriptor (web.xml) using File > Save or CTRL + S.


Deploying the Web Application


Web applications are deployed to the Enterprise Portal via NetWeaver Developer Studio (NWDS). This section provides step-by-step instructions for creating and deploying our new Enterprise Application.

Creating the Enterprise Application
1. Launch NWDS.
2. Click File > New > Enterprise Application Project.
3. Enter PCNW10_SSO_EA as the project name. Click Next.

4. Select PCNW10_SSO_WP as a Java EE Module Dependency and select Generate application.xml deployment descriptor. Click Finish.

5. Right click on the project PCNW10_SSO_EA in the Project Explorer and select Properties.
6. Select the Server page, select the server you want to deploy this project to and click OK.

Tip: You can add servers by navigating to Window > Preferences > SAP AS Java and clicking Add.

Deploying the Enterprise Application
1. Open the J2EE Perspective by clicking on the Open Perspective button in the upper right hand of the NWDS display and selecting Other.

2. Select Java EE and click OK.


3. Switch to the Servers tab in the bottom pane.

4. Right click your server and select Add/Remove.

5. Select PCNW10_SSO_EA and click the Add > button. Click Finish.


6. Right click PCNW10_SSO_EA in the Servers tab and select Publish.

7. Verify the project deployed successfully in the Deployment View Console tab.

Testing the Web Application


We will perform two tests in this section. In the first test, we will navigate to the servlet directly. This will launch the EPM Add-In using the server, port, protocol and environment that you specified in the deployment descriptor. This test provides a viable solution for simple integration scenarios where users only access a single environment hosted on a single server.

The servlet responsible for launching the EPM Add-In can also use URL parameters to override the default server, port, protocol and/or environment specified in the deployment descriptor. In the second test, we will use a JSP page included in the web application to override the host we specified in the deployment descriptor. The JSP page creates the appropriate URL based on your specifications and can be used to generate links for more complex integration scenarios (i.e. where there are multiple BPC 10 NetWeaver servers and environments).

Testing the Servlet
1. Launch Internet Explorer and navigate to the servlet. Default URL is http://as_java_server:port/PCNW10_SSO_WP/EPM_AddIn_Launcher
2. You will receive a message stating that the MYSAPSSO2 logon cookie was not detected. Click the link provided to log into the Enterprise Portal.

3. Enter your Enterprise Portal credentials.

4. Navigate back to the URL provided in step 1. You will see the Reentrance Token used as output in Internet Explorer.

5. The EPM Add-In will be launched, providing you with one of two logon prompts:
   a. If you already have a connection in the EPM Add-In for the specified host, you will be logged in automatically.
   b. If you don't have a connection in the EPM Add-In for the specified host, you will be prompted to select which application to log into.

Note: When deploying this on the portal, you can launch the servlet in a hidden IFrame to keep the details from being displayed to end users.

Using the Test JSP Page
In this section we will use the provided JSP page to override the hostname we specified for the BPC 10 NetWeaver server (in the deployment descriptor) with the IP address. In real life you would change parameters to match the various BPC 10 NetWeaver environments that you want to integrate with the Enterprise Portal. You could add the resulting URLs as portal content to complete your integration scenario.
1. Launch Internet Explorer and navigate to the test page. Default URL is http://as_java_server:port/PCNW10_SSO_WP/index.jsp

2. Select GET as your HTTP method and change one of the host/port/protocol/environment parameters to another valid value.

Note: The most likely candidates for things you can change are the host (use IP Address if you specified the FQDN in the deployment descriptor or vice-versa) and environment.

Note: HTTP GET requests pass parameters via the URL while POST requests pass parameters in the request body. The servlet supports both, but GET is much easier to demonstrate since the URL is easily viewed.

3. Click Test it Out.

Note: If the servlet fails to find the MYSAPSSO2 cookie, log into the portal then navigate back to the test JSP page.

4. Note the URL for the servlet: it now includes an HTTP parameter for host/port/protocol and environment. You can use these parameters to tell the servlet to launch the EPM Add-In against different BPC 10 instances and/or environments.
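
Because the servlet accepts host, port, protocol and environment as request parameters, a deployer may want to limit those overrides to known BPC servers and to HTTPS, in line with the security note earlier in this guide. The class below is an added example of such a check, not code from the WAR file or from SAP. The class and method names, the allowlist entries, the sample hosts and the environment naming rule are all assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: decides which launch target a request may select. */
public class LaunchTargetPolicy {
    /** Target after descriptor defaults and policy checks have been applied. */
    public static final class Target {
        public final String protocol, host, environment;
        public final int port;
        Target(String protocol, String host, int port, String environment) {
            this.protocol = protocol; this.host = host; this.port = port; this.environment = environment;
        }
        @Override public String toString() { return protocol + "://" + host + ":" + port + " [" + environment + "]"; }
    }

    private final Target defaults;          // values from the deployment descriptor
    private final Set<String> allowedHosts; // "host:port" pairs, lower case
    private final boolean requireHttps;     // true for production landscapes

    public LaunchTargetPolicy(Target defaults, Set<String> allowedHosts, boolean requireHttps) {
        this.defaults = defaults; this.allowedHosts = allowedHosts; this.requireHttps = requireHttps;
    }

    /** Null or empty request parameters fall back to the descriptor defaults. */
    public Target resolve(String host, String port, String protocol, String environment) {
        String h = (isBlank(host) ? defaults.host : host).trim().toLowerCase(Locale.ROOT);
        String p = (isBlank(protocol) ? defaults.protocol : protocol).trim().toLowerCase(Locale.ROOT);
        String e = (isBlank(environment) ? defaults.environment : environment).trim();
        int n;
        try {
            n = isBlank(port) ? defaults.port : Integer.parseInt(port.trim());
        } catch (NumberFormatException ex) {
            throw new IllegalArgumentException("port is not a number");
        }
        if (n < 1 || n > 65535) throw new IllegalArgumentException("port out of range");
        if (!p.equals("http") && !p.equals("https")) throw new IllegalArgumentException("unknown protocol");
        // Refuse a downgrade that would put the tickets on the wire in clear text.
        if (requireHttps && !p.equals("https")) throw new IllegalArgumentException("HTTPS required");
        // Only contact servers the deployer has listed explicitly.
        if (!allowedHosts.contains(h + ":" + n)) throw new IllegalArgumentException("target not allowlisted");
        // Assumed naming rule; adjust it to the environment names used in your landscape.
        if (!e.matches("[A-Za-z0-9_]{1,30}")) throw new IllegalArgumentException("bad environment name");
        return new Target(p, h, n, e);
    }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    public static void main(String[] args) {
        // Constructed sample values; none of these hosts or environments come from the guide.
        Target defaults = new Target("https", "bpc.example.internal", 8443, "PLANNING");
        Set<String> allow = new HashSet<>(Arrays.asList(
                "bpc.example.internal:8443", "bpc-qa.example.internal:8443"));
        LaunchTargetPolicy policy = new LaunchTargetPolicy(defaults, allow, true);
        String[][] requests = {
                {null, null, null, null},                              // no overrides: defaults apply
                {"BPC-QA.example.internal", "8443", null, "FINANCE"},  // allowlisted override
                {"bpc.example.internal", "8443", "http", null},        // clear-text downgrade
                {"other.example.net", "443", "https", null},           // host not on the allowlist
        };
        for (String[] r : requests) {
            try {
                System.out.println("accept " + policy.resolve(r[0], r[1], r[2], r[3]));
            } catch (IllegalArgumentException ex) {
                System.out.println("reject " + Arrays.toString(r) + ": " + ex.getMessage());
            }
        }
    }
}
```

The first two sample requests are accepted and the last two are rejected, one for requesting HTTP and one for naming a host that is not on the allowlist.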


Related Content
- BPC 10 for NetWeaver Authentication Scenarios Blog
- Implementing Client Certificate Authentication in SAP BusinessObjects Planning and Consolidation 10.0, version for NetWeaver
- SBOP PC 10 for NetWeaver Security Guide
- SAP NetWeaver 7.3 Security Guide > User Authentication and SSO

For more information, visit the Enterprise Performance Management homepage.

Copyright
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Oracle Corporation. JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
