Professional Documents
Culture Documents
Applies to:
SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver SP1 and higher EPM Add-In, SP3 and higher. For more information, visit the Enterprise Performance Management homepage.
Summary
One of the major changes to SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver was moving to a more standard BW security model, which was made possible by replacing the .NET tier with the ABAP Web Application Server (WAS). This change allows us to connect to a BPC NetWeaver connection in the EPM Add-In directly from the portal without having to enter any user credentials giving Enterprise Portal customers a new deployment option. The SSO scenario covered in this guide can be incorporated into an existing Enterprise Portal implementation with minimal effort. Author: Daniel Settanni
Author Bio
Daniel Settanni has worked SAP Labs in the EPM CSA for the last 5 years. He specializes in SAP BusinessObjects Planning and Consolidation, both the Microsoft and NetWeaver releases.
Table of Contents
Prerequisites ....................................................................................................................................................... 3 Overview ............................................................................................................................................................. 4 Integration between the Enterprise Portal and BPC 10 for NetWeavers web client ...................................... 4 Integration between the Enterprise Portal and BPC 10 for NetWeavers Office client (EPM Add-In) ............ 5 Why would I want to integrate the Enterprise Portal with BPC 10? ................................................................ 5 Whats included in the Web Application .......................................................................................................... 6 Quick note on security..................................................................................................................................... 6 Importing the Web Project to NWDS .................................................................................................................. 7 Importing the WAR file into NWDS ................................................................................................................. 7 Adding References to the Apache HttpClient Libraries .................................................................................. 8 Updating the Deployment Descriptor .............................................................................................................. 9 Deploying the Web Application ......................................................................................................................... 11 Creating the Enterprise Application .............................................................................................................. 11 Deploying the Enterprise Application ............................................................................................................ 12 Testing the Web Application ............................................................................................................................. 14 Testing the Servlet ........................................................................................................................................ 14 Using the Test JSP Page .............................................................................................................................. 16 Related Content ................................................................................................................................................ 17 Copyright........................................................................................................................................................... 18
Prerequisites
This solution depends on: An AS Java instance with the Enterprise Portal components installed An AS ABAP instance with SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver SP1 or higher installed The EPM Add-In, SP3 or higher NetWeaver Developer Studio (NWDS) 7.3 Apache HTTPComponents > HttpClient 4.1.2 o o Can be downloaded from: http://hc.apache.org/downloads.cgi Required for proper cookie support (needed to generate reentrance tickets)
Overview
The underlying architecture of SAP BusinessObjects Planning and Consolidation 10, version for SAP NetWeaver (herein referred to as BPC or BPC 10) has changed from its previous releases. Specifically, the .NET server which previously supported Web operations has been replaced with the SAP ABAP Web Application Server (WAS). Due to this new architectural component, BPC now supports SAP Logon tickets which allow users to authenticate to one SAP system and seamlessly logon to another trusted SAP system without having to reenter their credentials.
This how-to guide provides a web application that can be deployed alongside the Enterprise Portal on an AS Java stack allowing you to launch the EPM Add-In directly from the portal without having to enter credentials a second time.
Integration between the Enterprise Portal and BPC 10 for NetWeavers web client Integrating the Enterprise Portal with the BPC 10 for NetWeaver web interface is a straight forward process and is supported by default. You can simply create a new page in Portal Content; making the BPC 10 for NetWeaver web client URL the target and you are ready to go. As long as the AS ABAP server trusts the AS Java server, users can seamlessly log into the BPC web client from the Portal. A user can then launch the EPM Add-In from the BPC web client using the link provided in the web client home page. The basic flow is as follows:
The only potential issue here is that a user has to go to the BPC web client, even if they only want to use the EPM Add-In. Its only a few extra steps, but still not optimal. In the next section we will explain how we can remove these extra steps to allow the user to log into the EPM Add-In directly.
Integration between the Enterprise Portal and BPC 10 for NetWeavers Office client (EPM Add-In) Now that we have seen what is possible out of the box, lets look at the solution provided by this How-To guide. It is very similar to the one above, with one key difference: the user doesnt have to navigate to the BPC 10 web client to launch the EPM Add-In. Instead, they can click on a link directly in the portal which bypasses the BPC 10 web client completely. The target in the link is the custom web application included in this HTG. This web application communicates with the BPC 10 web services for the client, obtains the reentrance ticket and passes it to the EPM Add-In. The basic flow for this scenario is as follows:
Why would I want to integrate the Enterprise Portal with BPC 10? So why would someone want to enable SSO between the Enterprise Portal and their BPC 10 NetWeaver installation? Weve already covered one reason; seamless authentication but there is another equally valid reason to enable additional authentication scenarios. Currently, the web client and EPM Add-In support three basic types of authentication and in each case the credentials are all stored in BW: Basic / Forms based o Credentials are stored in BW X.509 Client Certificates o X.509 certificates are stored in BW and mapped to BW users SAP Logon Tickets o Allows users to login to the EPM Add-In without entering credentials when launched from the web client. If you are familiar with authentication in the previous releases you will notice that authentication using Active Directory credentials is not supported (this was the only supported mechanism previously). Integration with the Enterprise Portal puts this option back on the table because AS Java supports using LDAP as a data source with the UME. This means that you can still use Active Directory credentials to authenticate to BPC 10 for NetWeaver assuming the Enterprise Portal is your starting point.
Whats included in the Web Application The web application includes three classes and one JSP in addition to all the standard web application components. The Java source is also included in the WAR file in case you want to tweak anything or just get more insight on how this was implemented. com.sap.csa.bpc.EPM_AddIn_Launcher.java o Description: Servlet implementation providing the core functionality for the HTG. o Default URI: /PCNW10_SSO_EA/EPM_AddIn_Launcher com.sap.csa.bpc.HostDescriptor.java o Description: Standard bean style class used to store connectivity information for the BPC 10 NetWeaver AS ABAP Web Application Server (WAS). com.sap.csa.bpc.ReentranceDetails.java o Description: Stores the Reentrance token and logs associated with retrieving the token. index.jsp o Description: A basic JSP, really just an HTML form that allows you to test calling the EPM_AddIn_Launcher servlet with different host/port/protocol/environment parameters using the GET and POST HTTP methods. o Default URI: /PCNW10_SSO_EA/index.jsp
Note: You can change the default context root (/PCNW10_SSO_EA) in the enterprise applications application.xml file. This change would not require any changes in the web app. You can also change the default servlet URI (EPM_AddIn_Launcher) in the web applications web.xml file. You will have to update the form actions in index.jsp if you change the servlet URI.
Quick note on security Two sensitive pieces of information get passed between the client and the Portal during this process, the SAP Logon Ticket and the Reentrance Ticket. These tickets could be compromised if the end user accesses the Portal without using SSL. Due to this, SSL (HTTPS) must be used when deploying this solution in production.
5.
Adding References to the Apache HttpClient Libraries 1. Download httpcomponents-client-4.1.2-bin.zip from http://hc.apache.org/downloads.cgi and extract it. 2. Right click the PCNW10_SSO_WP project in your NWDS Project Explorer and select Properties. 3. Select Java Build Path and click Add External JARs on the Libraries tab.
Updating the Deployment Descriptor The deployment descriptor contains the following initialization parameters used by the servlet: host The fully qualified domain name or IP address of the AS ABAP instance hosting BPC 10 NetWeaver. port The TCP port used by the Web Application Server hosting the BPC 10 NetWeaver instance. protocol Either HTTP or HTTPS. o Note If you select HTTPS, you must ensure that your AS Java system trusts the WAS servers certificate and certificate path. environment The default Environment or Appset for the EPM Add-In to connect to unless another is specified in the request.
To update the deployment descriptor: 1. Launch NWDS. 2. Expand PCNW10_SSO_WP and double click on the Deployment Descriptor
4. Expand web-app > servlet. There are four init-param blocks, one for each initialization parameter. Expand the first init-param (param-name = host) and update the param-value to reflect the FQDN or IP address of your BPC 10 for NetWeaver WAS server.
5. Expand the second init-param (param-name = port) and update the param-value to reflect the TCP port of your BPC 10 for NetWeaver WAS server.
6. Expand the third init-param (param-name = protocol) and update the param-value to reflect the transport protocol to use when connecting to your BPC 10 for NetWeaver WAS server.
Note: You should use HTTPS in a production landscape to ensure that the SAP Logon Ticket and Reentrance Tickets dont cross the network in clear text, unless you are certain that communication between the AS Java and AS ABAP systems is on a trusted network.
7. Expand the fourth init-param (param-name = environment) and update the param-value to reflect the default environment (appset) to use if one is not provided in the HTTP request.
8. Save the deployment descriptor (web.xml) using File > Save or CTRL + S.
4. Select PCNW10_SSO_WP as a Java EE Module Dependency and select Generate application.xml deployment descriptor. Click Finish.
5. Right click on the project PCNW10_SSO_EA in the Project Explorer and select Properties. 6. Select the Server page, select the server you want to deploy this project to and click OK.
Tip:
You can add servers by navigating to Window > Preferences > SAP AS Java and clicking Add.
Deploying the Enterprise Application 1. Open the J2EE Perspective by clicking on the Open Perspective button in the upper right hand of the NWDS display and selecting Other.
5. Select PCNW10_SSO_EA and click the Add > button. Click Finish.
7. Verify the project deployed successfully in the Deployment View Console tab.
4. Navigate back to the URL provided in step 1. You will see the Reentrance Token used as output in Internet Explorer
5. The EPM Add-In will be launched providing you with one of two logon prompts: a. If you already have a connection in the EPM Add-In for the specified host, you will be logged in automatically b. If you dont have a connection in the EPM Add-In for the specified host, you will be prompted to select which application to log into.
Note: When deploying this on the portal, you can launch the servlet in a hidden IFrame to keep the details from being displayed to end users.
Using the Test JSP Page In this section we will use the provided JSP page to override the hostname we specified for the BPC 10 NetWeaver server (in the deployment descriptor) with the IP address. In real life you would change parameters to match the various BPC 10 NetWeaver environments that you want to integrate with the Enterprise Portal. You could add the resulting URLs as portal content to complete your integration scenario. 1. Launch internet explorer and navigate to the test page. Default URL is http://as_java_server:port/PCNW10_SSO_WP/index.jsp
2. Select GET as your HTTP method and change one of the host/port/protocol/environment parameters to another valid value.
Note: The most likely candidates for things you can change are the host (use IP Address if you specified the FQDN in the deployment descriptor or vice-versa) and environment. Note: HTTP GET requests pass parameters via the URL while POST requests pass parameters in the request body. The servlet supports both, but GET is much easier to demonstrate since the URL is easily viewed.
Note: If the servlet fails to find the MYSAPSSO2 cookie, log into the portal then navigate back to the test JSP page.
4. Note the URL for the servlet it now includes an HTTP parameter for host/port/protocol and environment. You can use these parameters to tell the servlet to launch the EPM Add-In against different BPC 10 instances and/or environments.
Related Content
BPC 10 for NetWeaver Authentication Scenarios Blog Implementing Client Certificate Authentication in SAP BusinessObjects Planning and Consolidation 10.0, version for NetWeaver SBOP PC 10 for NetWeaver Security Guide SAP NetWeaver 7.3 Security Guide > User Authentication and SSO For more information, visit the Enterprise Performance Management homepage.
Copyright
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Oracle Corporation. JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.