Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0
February 8, 2013
Version 1.0
Vishal Dhir, Customer Solution Adoption (CSA)
www.sap.com
TABLE OF CONTENTS
INTRODUCTION
    What is Single Sign-On
    Kerberos
HANA CONFIGURATION
    Confirm the Kerberos client is installed
    Create the keytab on the domain controller
    HANA Server Side Configuration
    Testing the SSO Configuration on Linux
    Testing the SSO Configuration via the HANA client on Linux
    Testing the SSO Configuration via HANA Studio
BUSINESSOBJECTS CONFIGURATION
TOMCAT CONFIGURATION
BUSINESS OBJECTS CLIENTS CONFIGURATION
    Information Design Tool
    Web Intelligence Rich Client
    Web Intelligence
    Explorer
TROUBLESHOOTING
    HANA
    BusinessObjects
    Tomcat
    Network Tracing
INTRODUCTION
This whitepaper discusses how to set up SSO between SAP HANA and SAP BusinessObjects 4.0. We will set up SSO for the BI Launchpad and SSO to the HANA database (SSO to DB). Before setting up SSO, you will need to satisfy the following prerequisites:
- You are familiar with Active Directory, Kerberos, and BusinessObjects
- You have a user with read access to your Active Directory domain
- You have a user that will be used for delegation for HANA
- You have a user that will be used for delegation for BusinessObjects
To make it easier to follow the steps for setting up SSO, the following information will be used throughout this whitepaper:
- Domain Name - mydomain.com
- HANA Server - myhanaserver.mydomain.com
- BOE Server - myboeserver.mydomain.com
- User for HANA SSO - hanasso
- User for BOE SSO - bisso
- Group in AD - mygroup
- User mapped in AD - aduser1
- User mapped in HANA - aduser1
These will need to be changed based on what you have set up and how complex your environment is.
What is Single Sign-On
Single sign-on (SSO) allows a user to log in once and gain access to multiple systems without being asked to log in again. Depending on how SSO has been set up, this could permit the user to log in to just a front-end application, or it can enable SSO all the way down to the database in what is known as SSO to database (SSO2DB).
Kerberos
For SSO to work we will need to use Kerberos. Kerberos is a type of authentication protocol, which permits a client to authenticate with a server via a ticket. We will set up this trust between the client and server using two keytabs, one for HANA and one for BusinessObjects. A keytab is a file that contains a service principal and a key; the key needs to be set up on the client so it can authenticate with the server. In our case we will have two keytabs:
- One for HANA to allow SSO from HANA Studio to HANA and from BusinessObjects to HANA
- One for BusinessObjects to allow SSO into the BI Launchpad
HANA CONFIGURATION
Confirm the Kerberos client is installed
First, you will need to make sure that the Kerberos libraries are installed, including the Kerberos client libraries. To do that, run the command:

    rpm -qa | grep krb

The output will be similar to:

    #>rpm -qa | grep krb
    krb5-32bit-1.6.3-133.46.1
    krb5-1.6.3-133.46.1
    krb5-client-1.6.3-133.46.1

If you are missing any of the libraries, ask your administrator to install them.
Create the keytab on the domain controller
Next, we need to trust the HANA server for authentication. That will be done by creating a keytab. In the first step we will create an SPN for the HANA server and in the second step we will create the keytab.

    setspn -A hdb/myhanaserver.mydomain.com@MYDOMAIN.COM hanasso
    ktpass -princ hdb/myhanaserver.mydomain.com@MYDOMAIN.COM -mapuser MYDOMAIN\hanasso -pass Password1 -out C:\myhanaserver.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

To confirm what SPNs are assigned to the user, run the command:

    setspn -l hanasso

Also, we only set up the SPN for the server's fully qualified domain name (FQDN). If you have a load balancer (or a more complex environment) you will need to set up the correct SPNs for these additional servers as well.
HANA Server Side Configuration
When the ktpass command was run, a keytab was generated. We will need to copy this keytab to the HANA Linux server. Then we will need to merge this keytab with the existing keytab file that may already be present. This will be done using the ktutil utility as seen below:

    ktutil
    ktutil: rkt myhanaserver.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    chmod +r /etc/krb5.keytab

The first command will read the keytab we just created, and the second command will write it to the krb5.keytab file located in the /etc folder. The last command will change the krb5.keytab to have read access only. In addition to the krb5.keytab, a krb5.conf needs to be set up. An example of this file is shown below:

    #> cat /etc/krb5.conf
    [domain_realm]
    .MYDOMAIN.COM = MYDOMAIN.COM
    MYDOMAIN.COM = MYDOMAIN.COM

    [libdefaults]
    forwardable = true
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC

    [realms]
    MYDOMAIN.COM = {
        kdc = mydc.MYDOMAIN.COM
        admin_server = mydc.MYDOMAIN.COM
        kpasswd_server = mydc.MYDOMAIN.COM
    }

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

The above is just for reference; you will need to change this file to suit your environment's configuration.
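One way to confirm the ktutil merge offline, as an added example that is not part of the original whitepaper: a small Python reader for the MIT keytab file format (version 0x0502) that lists each principal, KVNO and encryption type without returning key bytes, and reports a missing hdb/ principal or legacy encryption types such as the RC4-HMAC key produced by the ktpass command above. The sample keytab, its host/ entry and the all-zero keys are constructed for illustration.

```python
import struct

# Kerberos enctype numbers treated as legacy (single DES and RC4).
LEGACY = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end, p, fields = pos + size, pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        # name type (4 bytes) and timestamp (4 bytes) precede the key header
        kvno, etype, keylen = struct.unpack_from(">BHH", data, p + 8)
        p += 13 + keylen                   # key bytes are never returned
        if end - p >= 4:                   # optional 32-bit KVNO after the key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(fields[1:]) + "@" + fields[0], kvno, etype))
        pos = end
    return entries

def audit(entries, expected):
    """List problems: expected principal absent, or keys with legacy enctypes."""
    names = [e[0] for e in entries]
    findings = [] if expected in names else ["missing principal " + expected]
    return findings + [f"{p} (kvno {k}) uses {LEGACY[t]}"
                       for p, k, t in entries if t in LEGACY]

def sample_entry(principal, kvno, etype):
    """Constructed test entry with an all-zero 16-byte placeholder key."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + bytes(16) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

HDB = "hdb/myhanaserver.mydomain.com@MYDOMAIN.COM"
SAMPLE = (b"\x05\x02" + sample_entry(HDB.replace("hdb/", "host/"), 2, 18)  # constructed
          + struct.pack(">i", -6) + bytes(6) + sample_entry(HDB, 3, 23))
```

To inspect the real file, pass the bytes of /etc/krb5.keytab to parse_keytab and the result to audit. Because the keytab holds the service's long-term key, also confirm with ls -l that only the accounts that need it can read the file.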
Testing the SSO Configuration on Linux
We will first test the configuration by using the kinit and klist utilities. kinit will try to authenticate against the domain and create a ticket. Using klist we can see this ticket and also the keytab file being used.

    #> kinit aduser1@MYDOMAIN.COM
    Password for aduser1@MYDOMAIN.COM:
    #> klist
    Ticket cache: FILE:/tmp/krb5cc_1005
    Default principal: aduser1@MYDOMAIN.COM

    Valid starting     Expires            Service principal
    02/06/13 17:19:21  02/07/13 03:19:24  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 02/07/13 17:19:21

    Kerberos 4 ticket cache: /tmp/tkt1005
    klist: You have no tickets cached
    #> klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- ----------------------------------------------------------------
       3 hdb/myhanaserver.mydomain.com@MYDOMAIN.COM

Testing the SSO Configuration via the HANA client on Linux
So far, we have only tested the user authentication to AD and getting a ticket created. Now, we will test the SSO configuration on the Linux server by running the hdbsql command. Here is an example of this:

    #> hdbsql -i 00
    Welcome to the SAP HANA Database interactive terminal.
    Type: \h for help with commands
          \q to quit

    hdbsql=> \s
    host          : myhanaserver:30015
    database      : EXD
    user          : ADUSER1
    kernel version: 1.00.48.372847
    SQLDBC version: libSQLDBCHDB 1.00.48 Build 0372847-1510
    autocommit    : ON
    locale        : en_US.UTF-8
    input encoding: UTF8

In the hdbsql command, -i represents the instance, so you will need to change that according to your HANA server.