
SSO Configuration in Netweaver - java

former_member202208
Active Participant
0 Kudos

Hi,

Can someone tell me how to configure SSO for NetWeaver AS?

We have Java applications deployed on different machines; we need SSO for them.

A user will log in to Machine X and get a ticket; then, with the same ticket, the logged-in user should be able to access other Java application components deployed on other machines (Machine Y, Machine Z, etc.) in the cluster/landscape.

Can someone let me know how the same can be achieved?

Any help would be highly appreciated.

Thanks,

Accepted Solutions (0)

Answers (1)

former_member273222
Participant
0 Kudos

1. First you need to export the public cert from the ticket issuing server.

Visual Admin -> Server -> Key Storage -> TicketKeystore -> SAPLogonTicketKeypair-cert -> Export

2. Then you need to import the cert into the ticket accepting server.

Visual Admin -> Server -> Key Storage -> TicketKeystore -> Load

3. Configure the "ticket" security stack template of the accepting server.

Visual Admin -> Server -> Security Provider -> ticket

Then modify the options of the EvalTicket module as per note 721815.

Hope this helps,

Glenn

Former Member
0 Kudos

Hi,

BI administrators require authorization for transactions SM59, SMGW, RZ10, STRUSTSSO2, SM30 (table RSPOR_T_PORTAL) and, in some circumstances, STMS.

Portal Administrators need to have the portal roles super_admin_role and com.sap.ip.bi.business_explorer_showcase assigned to them.

Sequence of Steps

1. Create RFC Destination in J2EE Engine

2. Create RFC Destination for the Portal

3. Maintain Portal Server Settings for the Portal

4. Maintain Single Sign-On in the BI System

5. Export BW Certificate to the BI System

6. Import BW Certificate to the Portal

7. Configure User Management in the Portal

8. Export Portal Certificate to the Portal

9. Import Portal Certificate to the BI System

10. Maintain User Mapping in the Portal

Step 1: Create RFC Destination in J2EE Engine

Execute the following steps to create an RFC destination in the J2EE Engine:

1. Start the SAP J2EE Engine Administrator

2. Connect to the portal server.

3. Select <SID>/Server<#>/Services/Jco RFC Provider from the hierarchy.

4. Maintain an RFC destination:

Program ID: <PORTAL_HOSTNAME>_PORTAL_<SID>

Gateway host: <GATEWAY_HOST>

Gateway service: sapgw<SYSTEM_NUMBER>

Number of processes (1..20): 20

Application server host: see gateway host

System number: <SYSTEM_NUMBER>

Client: <BW_MANDANT>

Language: EN

User: <USER> (user in the BW system)

Password: <PASSWORD>

5. Copy the RFC destination to the available RFC destinations by choosing Set.

6. Start the RFC server by choosing Start.

Step 2: Create RFC Destination for the Portal

In this activity you create an RFC destination for the integration of a BI system and portal. You can specify this RFC destination in the activity Maintain Portal Server Settings for the Portal so that the RFC destination is recognized as the connected portal. The BI system uses the RFC destination to communicate with the portal.

Execute the following steps to create an RFC destination for the portal:

1. Start transaction Display and Maintenance of RFC Destinations (transaction code SM59).

2. Choose Create.

3. Maintain the RFC destination:

RFC destination: <RFC_DESTINATION>: The name of the RFC destination for a portal should be selected carefully. The name of the RFC destination is saved in the settings for information broadcasting. This is necessary so that the portal that is connected and being used for integration with Knowledge Management can be clearly identified. The broadcast settings can be transported between BI systems. For this reason, the name of the RFC destination should be the same in the source system and in the target system. The name recommended by SAP for the RFC destination to the connected portal is SAP_EP.

Connection type: T for TCP/IP connection

Description: <DESCRIPTION>: You can maintain the description of the RFC destination as language dependent. The language-dependent description is used when publishing iViews from the BEx Web Application Designer and the BEx Query Designer when multiple portals are connected to the BI system.

Technical settings - Activation type: Registered server program

Program ID: <PORTAL_HOSTNAME>_PORTAL_<SID>: The server program is set up under the program ID on the J2EE engine. The recommended naming convention is <PORTAL_HOSTNAME>_PORTAL.

Gateway Options: Enter the Gateway host and the Gateway service that the J2EE engine uses to communicate with the BI system. The gateway host, which is an application server for the BI system, and the gateway service can be generated generically from sapgw<SYSTEM_NUMBER>. You can determine the parameters of the gateway in transaction Gateway Monitor (transaction code SMGW) by choosing Goto -> Parameter -> Display.

Send SAP logon ticket: activate: Activate option Send SAP Logon Ticket on the Logon & Security tab page.

Save your entries. If the RFC destination is also set up on the J2EE Engine side, you can test the connection by choosing Test Connection.

Step 3: Maintain Portal Server Settings for the Portal

In this activity you designate a default portal. You can also make settings that are relevant to information broadcasting. If you do not maintain this table, the corresponding menu entries for publishing in the BEx Web Application Designer and BEx Query Designer are deactivated.

Execute the following steps to maintain the portal server settings for the portal:

1. Start table view maintenance (transaction code SM30).

2. Enter RSPOR_T_PORTAL as the table.

3. Choose Maintain.

4. Choose New Entries to create a new entry.

5. Maintain the connected portal:

RFC destination: <RFC_DESTINATION>

System name: <SYSTEM_ALIAS>

Default: <DEFAULT>

Portal URL prefix: <PORTAL_URL_PREFIX>, for example, http://<portalserver><domain>:<port>

Prefix of RM for BW Metadata: <KM_RM_METADATA_PREFIX>, for example, /bw_metadata

KM service URL: <blank>

6. Save your entries.

Step 4: Maintain Single Sign-On in the BI System

In this activity you maintain Single-Sign-On settings in the BI system.

Execute the following steps to maintain the necessary settings for Single Sign-On in the BI system:

1. To use Single Sign-On (SSO).

2. Use the maintain profile transaction (transaction RZ10) to set the following profile parameter:

login/create_sso2_ticket=2: The profile parameter generates SSO tickets in the BI system. These are required for the communication between the BI system and the portal. The value 2 indicates that the certificate is self signed.

login/accept_sso2_ticket=1: The profile parameter means that the BI system SSO ticket is accepted by other systems (for example, the portal) when the appropriate certificate is imported (see, Importing Portal Certificates).

Step 5: Export BI Certificate to the BI System

Export Path and Export File Name: The BI certificate is saved under the specified path and file name and can then be imported into the portal. In this activity you export the BI certificate from the BI system.

The BI certificate has to be generated in and exported from the BI system so that it can be imported into the portal. The BI certificate is required in the portal so that portal content can be displayed in the BI system.

Execute the following steps in order to export the BI certificate to the BI system:

1. Start transaction Trust Manager for Single Sign-On with Logon Ticket (transaction code STRUSTSSO2).

2. Select your own certificate. Your certificate is located in the system PSE area in the Your Certificate field. You display the certificate in the certificate area by double clicking on the field value.

If you have not already created your own certificate, create one by choosing Create from the context menu in the system PSE and distribute it to all application servers for the BI system by choosing PSE -> Distribute. There may be a time delay when you distribute the certificate. If necessary, check more than once that the certificate has been distributed successfully.

3. Choose Certificate -> Export from the menu.

4. Enter file path <BW_SID>_certificate.crt (<BW_SID> is the system ID for the BI system).

5. Choose file format Binary.

The file <SID>_certificate.crt is used for step Importing BI Certificate with the settings in the portal.

Step 6: Import BW Certificate to the Portal

In this activity you import the BI certificate into the portal. This is necessary before content from the portal can be displayed in the BI system, for example, before portal roles can be displayed in the BEx Web Application Designer. Before the BI certificate can be imported into the portal, it has to be exported from the BI system.

Perform the following steps to import the BI certificate into the J2EE engine:

1. Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

2. Connect to the portal server.

3. In the tree, select <SID>/Server<#>/Services/Key Storage.

4. Under Views, select the TicketKeystore view.

5. Under Entry, click Load.

6. Open the file <BW_SID>_certificate.crt.

In the Service Security Provider under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts the SAP Logon Tickets from the BI system as an external system.

7. Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.

8. Connect to the portal server.

9. In the tree, choose <SID>/Server<#>/Services/Security Provider.

10. Under Component, choose Ticket.

11. Choose the Authentication tab page.

12. Change the options for com.sap.security.core.server.jaas.EvaluateTicketLoginModule and enter the following values:

trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example, BWP, 000)

trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)

trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)

Explanations:

<Number> is a number for all three entries, but must be incremented by one for every external system.

<BW_SID> and <BW_CLIENT> are the system ID and the client of the BI system.

<ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> correspond to the Own Certificate value in transaction Trust Manager for Single Sign-On with Logon Ticket (transaction STRUSTSSO2). The value trustediss corresponds to the value Issuer; the value trusteddn corresponds to the value Owner.

In addition, you have to maintain the values under evaluate_assertion_ticket:

1. Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.

2. Connect to the portal server.

3. In the tree, choose <SID>/Server<#>/Services/Security Provider.

4. Under Component, choose evaluate_assertion_ticket.

5. Choose the Authentication tab page.

6. Change the options for com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule and enter the following values:

trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example, BWP, 000)

trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)

trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE)

The values correspond to the values listed above under Application Ticket.

Step 7: Configure User Management in the Portal

In this activity you configure user management for the portal.

In portal user management, some settings are necessary in order to support Single Sign-On between the BI system and the portal. The SAP reference system is required for the communication of the BEx tools in the portal.

The login.ticket_client parameter only has to be maintained if more than one portal is connected and these portals have the same system ID. Normally however, you should install the portals with different system IDs.

Execute the following steps to configure user management in the portal.

1. Log on to the portal.

2. Start the iView System Administration -> System Configuration -> Configuration for User Management.

3. Choose tab page Security Settings.

4. Under SAP Reference System, enter the system alias of the BW system (see Creating BI Systems in the Portal). The default system alias of the BI system has to be entered.

5. Only one system can be specified as the SAP reference system. The SAP reference system cannot be the BI system. However, as it is not the BI system, the technical user name of the BI system has to be identical to the technical user name of the SAP reference system.

6. Save your entries.

If you want to connect more than one portal to a BI system and these portals have the same system ID, you have to maintain parameter login.ticket_client:

1. Start the SAP J2EE Configuration Tool.

2. Use the standard database settings.

3. Choose cluster-data -> Global server configuration -> services -> com.sap.security.core.ume.service.

4. Change the global property login.ticket_client =<CLIENT> under Global Properties.

You can choose any value between 000 and 999 as the <CLIENT>. The client is needed if more than one portal is connected and these portals have identical portal SIDs. The client has to be entered when the portal certificate is imported to the BI system.

5. Save your entries.

If changes are made in portal user management, the SAP J2EE has to be restarted with the portal.

Step 8: Export Portal Certificate to the Portal

In this activity you export the portal certificate. The portal certificate is required for displaying content from the BI system in the portal and has to be imported after the export to the BW system.

Execute the following steps to export the portal certificate from the J2EE Engine:

1. Start the SAP J2EE Engine Administrator with <PORTAL_DIRECTORY>\admin\go.bat.

2. Connect to the Portal Server.

3. Select <SID>/Server<#>/Services/Key Storage from the hierarchy.

4. Under Views, select the TicketKeystore view.

5. If SAPLogonTicketKeypair-cert is not available under Entries, generate a portal certificate as instructed in the following steps. Otherwise you can continue with the export from step 9.

6. Choose Create under Entry. Enter the following values for Key and Certificate Generation:

Subject Properties: Each key has to have one value under Value.

The value CN=Common Name is the first value that is displayed in transaction STRUSTSSO2. Therefore it can be seen as the name of the certificate. The recommendation <HOSTNAME_PORT> from the portal server is also valid.

Entry Name: SAPLogonTicketKeypair (the entry SAPLogonTicketKeypair-cert is generated automatically)

Store Certificate: X

Algorithm: DSA

7. Choose Generate to generate the certificate.

8. Under Entries, select SAPLogonTicketKeypair-cert.

9. Under Entry, choose Export.

10. Export the portal certificate as <PORTAL_SID>_certificate.crt in file format X.509 certificate (*.crt).

Importing the Portal Certificate to the J2EE Engine

1. Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

2. Connect to the portal server.

3. Choose <SID> -> Server<#> -> Services -> Key Storage.

4. iViews: Select the view TicketKeystore.

5. Entry: Choose Load.

6. Open the file <PORTAL_SID>_certificate.crt.

In the Service Security Provider, under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts SAP logon tickets from the SAP NetWeaver 2004s portal as an external system.

7. Start the SAP J2EE Engine Administrator

8. Connect to the portal server.

9. Choose <SID> -> Server<#> -> Services -> Security Provider.

10. Components: Choose Ticket.

11. Choose the Authentication tab page.

12. Add the following values for com.sap.security.core.server.jaas.EvaluateTicketLoginModule:

trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)

trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)

trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

<Number> is an identical number for all three entries, but must be incremented by one for each external system.

<PORTAL_SID> and <PORTAL_CLIENT> are the system ID and client of the SAP NetWeaver 2004s portal. The client is the value of the parameter login.ticket_client. The default value is 000.

<ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> are the values of [issuerDN] and [DN] of certificate SAPLogonTicketKeypair-cert (see above).

You also have to add these values under evaluate_assertion_ticket:

13. Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.

14. Connect to the portal server.

15. Choose <SID> -> Server<#> -> Services -> Security Provider.

16. Components: Select evaluate_assertion_ticket.

17. Choose the Authentication tab page.

18. Add the following values for com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:

trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)

trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)

trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

The values are the same as the above values under Ticket.

Step 9: Import Portal Certificate to BI System

First export the verify.der file as shown below and extract the certificate from it.

In this activity you import the portal certificate. You need this setting to call content from the BI system in the portal. Execute the following steps to import the portal certificate into the BI system:

1. In transaction STRUSTSSO2, choose Certificate -> Import and import file <PORTAL_SID>_certificate.crt in binary format.

2. To include the certificate in the SSO Access Control List (ACL), choose Edit -> Certificate in ACL from the menu.

With the portal, you can specify the portal system ID as the system and the value of parameter logon.ticket_client as the client. (see step Configuring User Management in the Portal). If the logon.ticket_client parameter is not maintained, you can use client 000.

The system ID for the portal is determined when you install the portal and can be found in portal file path: #/<PORTAL_SID>/JC<Instance Number>/j2ee/cluster/server<Number>/#

3. To include the certificate in the list of certificates, choose Edit -> Include Certificate from the menu.

4. If you want to distribute the settings for more than one application server, choose Distribute from the context menu for the tree on the left-hand side of the screen.

There may be a time delay when you distribute the certificate. If necessary, check more than once that the certificate has been distributed successfully.

5. Save your entries.

When changes are made in user management in the portal, a new certificate may have to be generated and imported into the BI system. The portal certificate is generated automatically when the J2EE server is restarted and can then be exported again.

Step 10: Maintain User Assignment in the Portal

In this activity you assign a user in the BI system to a user in the portal.

Ensure that all users have at least read access to the BI system created in step 7. Start the iView System Administration -> System Configuration -> System Landscape. Navigate to the system you have created, open the context menu and choose Open -> Authorizations. Search by user, user group or role, add these and allocate the authorization Read.

Execute the following steps to maintain user mapping in the portal:

1. Log on to the portal.

2. Start iView User Management -> User Mapping.

3. Choose User from the dropdown box.

4. Enter a user or choose Start for all users.

5. Choose Start.

6. Choose a user and choose Edit.

7. Choose the system alias of the BI system (see step Creating BI Systems in the Portal).

8. Enter the technical user name in the BI system.

9. Enter the password.

10. Save your entries.

Kind regards,

Vamsi.
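Added example, not from this thread or from SAP: a Python consistency check for the trustedsys/trustediss/trusteddn option triples that Glenn's step 3 and Vamsi's steps 6 and 8 describe, compared against the Issuer and Owner DNs read off each system's certificate in STRUSTSSO2. The option text, the DN table and the assumption that <Number> starts at 1 are constructed here; a wrong or incomplete triple means the engine either rejects valid tickets or trusts a system it should not.

```python
import re
from collections import defaultdict

# Constructed sample of the per-system options; "CN= BWP" keeps the stray blank STRUSTSSO2 shows.
GOOD_OPTIONS = """\
trustedsys1=BWP, 000
trustediss1=CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE
trusteddn1=CN= BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE
trustedsys2=J2E, 000
trustediss2=CN=J2E
trusteddn2=CN=J2E
"""
# Constructed: index 2 skipped, trusteddn1 names another system, entry 3 incomplete.
BAD_OPTIONS = """\
trustedsys1=BWP, 000
trustediss1=CN=BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE
trusteddn1=CN=BWD, OU=SAP Web AS, O=SAP Trust Community, C=DE
trustedsys3=J2E, 000
"""
# Constructed: (Issuer, Owner) of each system's own certificate, as displayed in STRUSTSSO2.
EXPECTED_DNS = {
    "BWP": ("CN=BWP, OU=SAP Web AS, O=SAP Trust Community, C=DE",) * 2,
    "J2E": ("CN=J2E", "CN=J2E"),
}
OPTION_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)\s*=\s*(.*)$")
KEYS = ("trustedsys", "trustediss", "trusteddn")

def normalize_dn(dn):
    """Canonical DN: one RDN per comma, attribute upper-cased, blanks around '=' dropped."""
    rdns = [rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn]
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in rdns)

def parse_options(text):
    """Group option lines by their <Number> suffix: {1: {"trustedsys": "BWP, 000", ...}}."""
    entries = defaultdict(dict)
    for line in filter(None, map(str.strip, text.splitlines())):
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized option line: {line!r}")
        key, num, value = m.groups()
        entries[int(num)][key] = value.strip()
    return dict(entries)

def check_trusted_systems(text, expected_dns):
    """Return a list of findings; an empty list means the options are consistent."""
    entries, findings = parse_options(text), []
    numbers = sorted(entries)
    if numbers != list(range(1, len(numbers) + 1)):  # assumption: numbering starts at 1
        findings.append(f"indices must run 1..n without gaps, got {numbers}")
    for n in numbers:
        e = entries[n]
        findings += [f"entry {n}: missing {k}{n}" for k in KEYS if k not in e]
        m = re.fullmatch(r"([A-Z][A-Z0-9]{2})\s*,\s*(\d{3})", e.get("trustedsys", ""))
        if not m:  # absent (reported above) or not '<SID>, <CLIENT>' with a 3-digit client
            findings += [f"entry {n}: trustedsys{n} must be '<SID>, <CLIENT>'"] if "trustedsys" in e else []
            continue
        sid = m.group(1)
        for key, expected in zip(KEYS[1:], expected_dns.get(sid, ())):
            if key in e and normalize_dn(e[key]) != normalize_dn(expected):
                findings.append(f"entry {n}: {key}{n} does not match the {sid} certificate")
    return findings
```

Run check_trusted_systems over the option text copied from the Authentication tab of both the Ticket and evaluate_assertion_ticket components, since the thread says both must carry identical values.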

Former Member
0 Kudos

Vamsi,

Very good document.

Thank you.