Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 February 8, 2013 Version 1.0 Vishal Dhir Customer Solution Adoption (CSA)


www.sap.com

TABLE OF CONTENTS

INTRODUCTION
  What is Single Sign-On
  Kerberos
HANA CONFIGURATION
  Confirm the Kerberos client is installed
  Create the keytab on the domain controller
  HANA Server Side Configuration
  Testing the SSO Configuration on Linux
  Testing the SSO Configuration via the HANA client on Linux
  Testing the SSO Configuration via HANA Studio
BUSINESSOBJECTS CONFIGURATION
TOMCAT CONFIGURATION
BUSINESS OBJECTS CLIENTS CONFIGURATION
  Information Design Tool
  Web Intelligence Rich Client
  Web Intelligence
  Explorer
TROUBLESHOOTING
  HANA
  BusinessObjects
  Tomcat
  Network Tracing


INTRODUCTION

This whitepaper discusses how to set up SSO between SAP HANA and SAP BusinessObjects 4.0. We will set up SSO for the BI Launchpad and SSO to the HANA database (SSO to DB). Before setting up SSO, you will need to satisfy the following prerequisites:

- You are familiar with Active Directory, Kerberos, and BusinessObjects
- You have a user with read access to your Active Directory domain
- You have a user that will be used for delegation for HANA
- You have a user that will be used for delegation for BusinessObjects

To make it easier to follow the steps for setting up SSO, the following names will be used throughout this whitepaper:

- Domain name: mydomain.com
- HANA server: myhanaserver.mydomain.com
- BOE server: myboeserver.mydomain.com
- User for HANA SSO: hanasso
- User for BOE SSO: bisso
- Group in AD: mygroup
- User mapped in AD: aduser1
- User mapped in HANA: aduser1

These will need to be changed based on what you have set up and how complex your environment is.

What is Single Sign-On

Single sign-on (SSO) allows a user to log in once and gain access to multiple systems without being asked to log in again. Depending on how SSO has been set up, this can permit the user to log in to just a front-end application, or it can enable SSO all the way down to the database, in what is known as SSO to database (SSO2DB).

Kerberos

For SSO to work we will need to use Kerberos. Kerberos is an authentication protocol that permits a client to authenticate to a server via a ticket. We will set up this trust between the client and server using two keytabs, one for HANA and one for BusinessObjects. A keytab is a file that contains a service principal and its key; the service uses this key to validate the tickets that clients present, so the file is as sensitive as the service account's password. In our case we will have two keytabs:

- One for HANA, to allow SSO from HANA Studio to HANA and from BusinessObjects to HANA
- One for BusinessObjects, to allow SSO into the BI Launchpad

HANA CONFIGURATION

Confirm the Kerberos client is installed

First, you will need to make sure that the Kerberos libraries are installed, including the Kerberos client libraries. To do that, run the command:

rpm -qa | grep krb

The output will be similar to:

#> rpm -qa | grep krb
krb5-32bit-1.6.3-133.46.1
krb5-1.6.3-133.46.1
krb5-client-1.6.3-133.46.1

If you are missing any of the libraries, ask your administrator to install them.


Create the keytab on the domain controller

Next, we need to trust the HANA server for authentication. That will be done by creating a keytab. In the first step we will create an SPN for the HANA server, and in the second step we will create the keytab.

setspn -A hdb/myhanaserver.mydomain.com@MYDOMAIN.COM hanasso

ktpass -princ hdb/myhanaserver.mydomain.com@MYDOMAIN.COM -mapuser MYDOMAIN\hanasso -pass Password1 -out C:\myhanaserver.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Note that ktpass with -pass sets the hanasso account's password to the supplied value and derives the keytab key from it, so the generated keytab file must be handled as carefully as that password.

To confirm what SPNs are assigned to the user, run the command:

setspn -l hanasso

Also, we only set up the SPN for the server's fully qualified domain name (FQDN). If you have a load balancer (or a more complex environment) you will need to set up the correct SPNs for these additional names as well.

HANA Server Side Configuration

When the ktpass command was run, a keytab was generated. We need to copy this keytab to the HANA Linux server and then merge it into the keytab file that may already be present there. This is done using the ktutil utility as seen below:

ktutil: rkt myhanaserver.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
chmod +r /etc/krb5.keytab

The first command reads the keytab we just created, and the second writes it into the krb5.keytab file in the /etc folder. The last command adds read permission on /etc/krb5.keytab; note that chmod +r grants read access to owner, group and others, so the file ends up world-readable. Since the keytab is the HANA service's credential, restrict it so that only the HANA database operating system user can read it (for example through ownership or group permissions rather than opening it to everyone).

In addition to the krb5.keytab, a krb5.conf needs to be set up. An example of this file is shown below:

#> cat /etc/krb5.conf
[domain_realm]
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM

[libdefaults]
 forwardable = true
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
 dns_lookup_realm = true
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 MYDOMAIN.COM = {
  kdc = mydc.MYDOMAIN.COM
  admin_server = mydc.MYDOMAIN.COM
  kpasswd_server = mydc.MYDOMAIN.COM
 }

[logging]
 kdc = FILE:/var/log/krb5/krb5kdc.log
 admin_server = FILE:/var/log/krb5/kadmind.log
 default = SYSLOG:NOTICE:DAEMON

The above is just for reference; you will need to change this file to suit your environment's configuration.
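The following Python script is an added example, not part of the whitepaper: it parses a krb5.conf or krb5.ini in the profile format shown above and checks the points that most often break SSO (a default_realm with no [realms] entry or no kdc, a [domain_realm] section that maps nothing to that realm, and weak encryption types). The embedded sample text is constructed to mirror the example above; the RC4-HMAC finding it raises reflects that RC4 and DES are deprecated Kerberos enctypes, so AES should be preferred wherever the domain, HANA and BusinessObjects versions in use all support it.

```python
"""Parse and sanity-check a krb5.conf / krb5.ini before copying it to the HANA host.

Added example (not from the whitepaper). The sample text below is constructed to
mirror the whitepaper's example file; nothing here contacts a KDC.
"""
import re

# Enctypes that MIT Kerberos and Microsoft treat as weak or deprecated.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

SAMPLE_KRB5_CONF = """\
[domain_realm]
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM

[libdefaults]
 forwardable = true
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
 dns_lookup_realm = true
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 MYDOMAIN.COM = {
  kdc = mydc.MYDOMAIN.COM
  admin_server = mydc.MYDOMAIN.COM
  kpasswd_server = mydc.MYDOMAIN.COM
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'name = { ... }' block becomes a nested dict.

    One level of nesting is enough for [realms]; '#' comments and blank lines are ignored.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key/value outside any [section]: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the file is internally consistent."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults.default_realm is missing")
    elif realm != realm.upper():
        findings.append("default_realm %r is not upper-case; AD realms are" % realm)
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        findings.append("[realms] has no entry for %s" % realm)
    elif realm and "kdc" not in realms[realm]:
        findings.append("[realms] %s defines no kdc" % realm)
    mapped_realms = set(conf.get("domain_realm", {}).values())
    if realm and mapped_realms and realm not in mapped_realms:
        findings.append("[domain_realm] maps no DNS domain to %s" % realm)
    # The whitepaper pins RC4-HMAC; flag it so the reader consciously decides on AES.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in libdefaults.get(key, "").replace(",", " ").split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("%s allows weak enctype %s" % (key, etype))
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["no findings"]:
        print(finding)
```

Run it against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; the checks are deliberately structural (no DNS or KDC lookups) so they can be run before the host is even joined to the domain.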


Testing the SSO Configuration on Linux

We will first test the configuration by using the kinit and klist utilities. kinit will try to authenticate against the domain and obtain a ticket. Using klist we can see this ticket and also the keytab file being used.

#> kinit aduser1@MYDOMAIN.COM
Password for aduser1@MYDOMAIN.COM:

#> klist
Ticket cache: FILE:/tmp/krb5cc_1005
Default principal: aduser1@MYDOMAIN.COM

Valid starting     Expires            Service principal
02/06/13 17:19:21  02/07/13 03:19:24  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/07/13 17:19:21

Kerberos 4 ticket cache: /tmp/tkt1005
klist: You have no tickets cached

#> klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 hdb/myhanaserver.mydomain.com@MYDOMAIN.COM
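As an added example (not part of the whitepaper), the Python script below reads an MIT-format keytab, the file type ktutil writes and klist -k lists above, and reports the same KVNO and principal information without needing the Kerberos tools installed. It assumes keytab format version 2 (leading bytes 05 02), which is what ktutil and ktpass produce; the sample keytab is constructed inside the script with a dummy key and the principal names used in this whitepaper, and the parser deliberately reports only key lengths, never key material. It is useful for confirming that the principal and KVNO in the merged /etc/krb5.keytab match the SPN registered with setspn before going on to HANA.

```python
"""Inspect an MIT-format keytab (version 0x0502) the way `klist -k` does, in pure Python.

Added example, not from the whitepaper. The sample keytab is constructed here with a
dummy key; real keytabs come from ktpass/ktutil. Key bytes are never printed.
"""
import struct
import time

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ENCTYPES = {23: "arcfour-hmac (RC4-HMAC)", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96"}


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 keytab.

    Only used here to construct sample input for the parser below.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
        body += struct.pack(">I", kvno)                                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body                        # entry length prefix
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per entry (principal, kvno, name_type, enctype, key_len)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # a negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            strings.append(blob[pos:pos + length].decode())
            pos += length
        realm, components = strings[0], strings[1:]
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", blob, pos)
        pos += 4 + key_len                # skip over the key itself
        kvno = vno8
        if end - pos >= 4:                # newer writers append a 32-bit vno; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": key_len})
    return entries


def has_principal(blob, principal):
    """True when the keytab holds a key for the given service principal."""
    return any(e["principal"] == principal for e in parse_keytab(blob))


# Constructed sample: the whitepaper's HANA SPN with a dummy 16-byte RC4 key.
SAMPLE_KEYTAB = build_keytab([
    ("hdb/myhanaserver.mydomain.com@MYDOMAIN.COM", 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    print("KVNO Principal")
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %s (%s)" % (entry["kvno"], entry["principal"], entry["enctype"]))
```

To check a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab`; if the KVNO shown differs from the account's current key version in AD (for example because ktpass was run again), tickets for the service will fail to decrypt until the keytab is regenerated.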

Testing the SSO Configuration via the HANA client on Linux

So far, we have only tested the user's authentication to AD and obtaining a ticket. Now we will test the SSO configuration on the Linux server by running the hdbsql command. Here is an example:

#> hdbsql -i 00

Welcome to the SAP HANA Database interactive terminal.

Type:  \h for help with commands
       \q to quit

hdbsql=> \s
host          : myhanaserver:30015
database      : EXD
user          : ADUSER1
kernel version: 1.00.48.372847
SQLDBC version: libSQLDBCHDB 1.00.48 Build 0372847-1510
autocommit    : ON
locale        : en_US.UTF-8
input encoding: UTF8

In the hdbsql command, -i specifies the instance number, so you will need to change it according to your HANA server.


Testing the SSO Configuration via HANA Studio

To test with HANA Studio, the user needs to be created in HANA with the External ID set to the user's Kerberos principal, as shown in the screenshot below.

If you have many users to map, this can be scripted, or IDM can be used to push the users to HANA.

When creating a connection to the HANA server in HANA Studio, select 'Authentication by current operating system user' as shown below.

Test and confirm that the user can connect to HANA without being prompted for credentials.

BUSINESSOBJECTS CONFIGURATION

As with the HANA configuration above, we need to trust the BusinessObjects server for authentication. That will be done by creating another keytab on the domain controller. As before, we will create the SPNs and the keytab:

ktpass -out c:\myboeserver.keytab -princ MYBOESERVER/[email protected] -mapuser [email protected] -pass Password1 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

setspn -a HTTP/MYBOESERVER bisso
setspn -a HTTP/MYBOESERVER.MYDOMAIN.com bisso

The SPNs will differ depending on how your environment is configured. In this scenario we only have a single instance of Tomcat, and thus the SPN has been mapped to the short name and the FQDN only.


To confirm what SPNs are set up, run the command:

setspn -l bisso

Once the keytab has been created, copy it over to the BusinessObjects server. For this whitepaper, we will assume that you have placed it inside the c:\winnt folder.

The bisso user also needs to be trusted for Kerberos delegation. This is done by opening the properties of the user and setting up the trust under the Delegation tab.

Your security team might have the user configured for the third delegation option, 'delegation to specified services only', which is also fine (and is the more restrictive choice).

On the BusinessObjects server you will need to do the following:

- Add the MYDOMAIN\bisso account to the Administrators group
- Assign the MYDOMAIN\bisso account the following four rights in the Local Security Policy (located under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment):
  o Act as part of the operating system
  o Log on as a batch job
  o Log on as a service
  o Replace a process level token
- Change the account that runs the SIA to run under the MYDOMAIN\bisso account


Now that the server-side configuration is done, BusinessObjects needs to be set up for SSO. In the Central Management Console (CMC), configure the Windows Active Directory plugin:

- Configure it for the MYDOMAIN.COM domain
- Map the group mygroup
- Under 'Authentication Options', check the 'Use Kerberos authentication', 'Cache security context' and 'Enable Single Sign On' options as seen below

It is important to have the correct SPN set or else SSO will not work properly. To make sure this is correct, use the same principal that we used above in the ktpass command.

TOMCAT CONFIGURATION

For this whitepaper the application server used is Tomcat, so the steps for that application server will be shown. For SSO to work on the BI Launchpad we need to configure the web application files to enable the Vintela SSO plugin. Before changing the configuration files, confirm that you have copied MYBOESERVER.keytab to the c:\winnt folder and have a backup of the files that will be changed. We will not go into the details of how to configure this; more information can be found in these two SAP Notes:

- 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
- 1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

In the BIlaunchpad.properties file, change authentication.default to secWinAD as below:


To enable the Vintela filter, edit the global.properties file with your domain and keytab information as below:

Restart Tomcat and confirm that you can SSO into the BI Launchpad with your AD user account.

BUSINESS OBJECTS CLIENTS CONFIGURATION

So far, we have only configured SSO for HANA and SSO into the BI Launchpad. Now we will connect the two pieces and enable SSO to database, meaning a user who logs into the BI Launchpad will have their credentials passed to HANA via the trusts that have been set up, making the user experience seamless.

Information Design Tool

To configure the Information Design Tool (IDT) for SSO, two files need to be created: krb5.ini and bscLogin.conf. These files are required to enable the Java (client) application to use Kerberos. Also, MYBOESERVER.keytab needs to be copied to the machine that IDT is running on (as this file enables the trust with AD); again, place it in the c:\winnt folder.

The krb5.ini below is the same as the krb5.conf that we used earlier. Here is a sample of the two files; change them according to your company's domain and server configuration:


krb5.ini

[domain_realm]
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM

[libdefaults]
 forwardable = true
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
 dns_lookup_realm = true
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 MYDOMAIN.COM = {
  kdc = mydc.MYDOMAIN.COM
  admin_server = mydc.MYDOMAIN.COM
  kpasswd_server = mydc.MYDOMAIN.COM
 }

bscLogin.conf

com.businessobjects.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

com.businessobjects.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="C:/WINNT/MYBOESERVER.keytab" principal="MYBOESERVER/[email protected]" debug=true;
};

The principal value must not contain leading or trailing spaces, and debug=true should be set back to false once SSO is working, as the debug output includes ticket details.

The IDT tool also has its own configuration file, so we need to configure it to use the krb5.ini and bscLogin.conf we created by adding these two parameters:

-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
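The Python script below is an added example (not from the whitepaper) that parses a bscLogin.conf in the JAAS login-configuration syntax shown above and checks the accept entry for what the Kerberos acceptor needs: useKeyTab and storeKey enabled, a keytab path written with forward slashes (a backslash inside a quoted JAAS value is read as an escape character, which is why the file above uses forward slashes even on Windows), a principal with no stray whitespace whose realm matches the krb5.ini default_realm, and debug left switched on. The embedded sample follows the file above; the host part of its principal (myboeserver.mydomain.com) is an assumed placeholder, since the whitepaper's exact value is not legible in this copy.

```python
"""Parse a JAAS login configuration (bscLogin.conf) and check the Kerberos accept entry.

Added example, not from the whitepaper. The sample below follows the whitepaper's file;
the host part of the principal is a placeholder, not a value taken from the whitepaper.
"""
import re

SAMPLE_BSCLOGIN = """\
com.businessobjects.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

com.businessobjects.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true
    keyTab="C:/WINNT/MYBOESERVER.keytab"
    principal="MYBOESERVER/myboeserver.mydomain.com@MYDOMAIN.COM"
    debug=true;
};
"""

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')


def parse_jaas(text):
    """Return {entry_name: [{"module": ..., "flag": ..., "options": {...}}, ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for module, flag, opts in MODULE_RE.findall(body):
            # Quoted values keep their inner text untouched so stray spaces stay visible.
            options = {k: (v.strip('"') if v.startswith('"') else v)
                       for k, v in OPTION_RE.findall(opts)}
            modules.append({"module": module, "flag": flag, "options": options})
        entries[name] = modules
    return entries


def check_accept_entry(jaas, expected_realm,
                       entry="com.businessobjects.security.jgss.accept"):
    """Return findings for the entry used to accept Kerberos tickets; [] means it looks right."""
    modules = jaas.get(entry)
    if not modules:
        return ["entry %s is missing" % entry]
    opts = modules[0]["options"]
    findings = []
    if opts.get("useKeyTab", "false").lower() != "true":
        findings.append("useKeyTab must be true so the service key is read from the keytab")
    if opts.get("storeKey", "false").lower() != "true":
        findings.append("storeKey must be true so the key is retained for GSS-API acceptance")
    keytab = opts.get("keyTab", "")
    if not keytab:
        findings.append("keyTab path is missing")
    elif "\\" in keytab:
        findings.append("keyTab path contains backslashes; JAAS treats them as escapes, use forward slashes")
    principal = opts.get("principal", "")
    if not principal:
        findings.append("principal is missing")
    else:
        if principal != principal.strip():
            findings.append("principal has leading or trailing whitespace: %r" % principal)
        realm = principal.rsplit("@", 1)[1] if "@" in principal else ""
        if realm != expected_realm:
            findings.append("principal realm %r does not match default_realm %s" % (realm, expected_realm))
    if opts.get("debug", "false").lower() == "true":
        findings.append("debug=true: switch off once SSO works, it writes ticket details to the log")
    return findings


if __name__ == "__main__":
    for finding in check_accept_entry(parse_jaas(SAMPLE_BSCLOGIN), "MYDOMAIN.COM") or ["no findings"]:
        print(finding)
```

Pass the default_realm from krb5.ini as `expected_realm`; a mismatch between the two files is a common reason the Java side builds a service name in the wrong realm even though kinit on the same machine works.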

The configuration will look like,


In IDT, when the connection to HANA is created, it needs to have the Authentication Mode set to 'Use Single Sign On when refreshing reports at view time':

Also, the user used to connect to BusinessObjects must be an AD user, as this is the user that will be used for authentication back to HANA.

Web Intelligence Rich Client

Web Intelligence (Webi) Rich Client requires no configuration once the BusinessObjects Windows AD authentication plugin has been configured. When the rich client loads, change the Authentication to 'Windows AD' and click Log On:

Web Intelligence

A Web Intelligence report uses the Adaptive Processing Server (APS) for connectivity. As this is a Java process, it also needs to be configured with the krb5.ini and bscLogin.conf files. This is done through CMC > Servers, under the APS's 'Command Line Parameters':

-Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
-Djava.security.krb5.conf=C:/WINNT/krb5.ini


As Webi utilizes the Connection Server, we need to configure this process for SSO as well. This is done via the cs.cfg file located inside the SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\dataAccess\connectionServer folder. Under the JavaVM section, add the paths to krb5.ini and bscLogin.conf as seen below:

<Option>-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf</Option>
<Option>-Djava.security.krb5.conf=C:\WINNT\Krb5.ini</Option>

Explorer

For Explorer, the Master Server will need to be configured with the location of krb5.ini and bscLogin.conf, as the Master Server makes the connection to HANA when you are in the Explorer Manage Spaces screen:

-Djava.security.auth.login.config=C:/WINNT/bscLogin.conf
-Djava.security.krb5.conf=C:/WINNT/krb5.ini


TROUBLESHOOTING

HANA

If you are unable to connect via SSO using HANA Studio, the first step is to enable JDBC logging, which will give you more verbose output and may point to the probable cause of the issue.

If the JDBC trace reveals nothing, we can enable logging on the HANA database for the authentication component. This is done via the Trace Configuration in HANA Studio's Administration screen. The screen below shows debug tracing being enabled on the indexserver for authentication only:

Remember to disable the logging once you are done tracing.

BusinessObjects

Logging in BusinessObjects can be enabled in the client that is connecting (Webi Rich Client, for example) or on a specific service that the client is using, such as the APS. Here is an example of enabling verbose tracing for a BusinessObjects service under the TraceLog:


Tomcat

To enable more verbose logging for BI Launchpad SSO, debug output can be enabled by setting the following -D parameters on the JVM:

-Djcsi.kerberos.debug=true
-Dsun.security.krb5.debug=true

The above configuration is for Tomcat only; it may vary for the application server you are using.

Network Tracing

Sometimes logging on the HANA and BusinessObjects clients and servers will not provide the answer as to why SSO is not working. In these cases, a network trace tool such as Wireshark or Microsoft Network Monitor should be used to determine what is wrong and where.

In Wireshark a display filter of 'kerberos' can be used to show just the Kerberos traffic, whereas in Network Monitor you can load a filter just for AuthenticationTraffic.

Wireshark


Microsoft Network Monitor

Here is an example of a network capture from logging into the BI Launchpad with SSO:

You can drill into each request, get more information and determine what is wrong with the SSO configuration.
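Reading a capture by hand becomes tedious once there are many exchanges, so the following Python script is an added example (not from the whitepaper): it takes a CSV export of the Kerberos packets, in a column layout like the one tshark -T fields can produce (the column names are the script's own and the rows are constructed, not a real capture), counts the message types, and translates each KRB-ERROR into its RFC 4120 error name plus the configuration step from this whitepaper to re-check. It treats KDC_ERR_PREAUTH_REQUIRED as benign when an AS-REP for the same service follows, since that round trip is a normal part of an AS exchange against Active Directory.

```python
"""Summarise the Kerberos messages in a packet-capture CSV export and explain each KRB-ERROR.

Added example, not from the whitepaper. SAMPLE_EXPORT is constructed; a real file would
come from Wireshark/tshark with the equivalent kerberos fields exported as CSV.
"""
import csv
import io
from collections import Counter

MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
             14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}

# RFC 4120 error codes that show up most often when SSO is misconfigured, each with the
# whitepaper step to revisit.
ERRORS = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "client principal unknown to AD: check user name and realm"),
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "service principal unknown: register the SPN with setspn"),
    14: ("KDC_ERR_ETYPE_NOSUPP", "no common enctype: align krb5.conf, ktpass -crypto and the AD account"),
    24: ("KDC_ERR_PREAUTH_FAILED", "pre-authentication failed: wrong password or stale keytab key"),
    25: ("KDC_ERR_PREAUTH_REQUIRED", "benign: KDC demands pre-authentication, client retries"),
    37: ("KRB_AP_ERR_SKEW", "clock skew: synchronise client, KDC and server time"),
    41: ("KRB_AP_ERR_MODIFIED", "ticket not decryptable: keytab key/KVNO differs from the account"),
    68: ("KDC_ERR_WRONG_REALM", "realm mismatch: check the [domain_realm] mapping"),
}

# Constructed sample: a normal AS exchange (pre-auth round trip) followed by a TGS request
# for the BI Launchpad SPN that the KDC rejects because the SPN is not registered.
SAMPLE_EXPORT = """\
time,src,dst,msg_type,error_code,sname
0.000,10.0.0.5,10.0.0.2,10,,krbtgt/MYDOMAIN.COM
0.001,10.0.0.2,10.0.0.5,30,25,krbtgt/MYDOMAIN.COM
0.003,10.0.0.5,10.0.0.2,10,,krbtgt/MYDOMAIN.COM
0.005,10.0.0.2,10.0.0.5,11,,krbtgt/MYDOMAIN.COM
0.010,10.0.0.5,10.0.0.2,12,,HTTP/myboeserver.mydomain.com
0.012,10.0.0.2,10.0.0.5,30,7,HTTP/myboeserver.mydomain.com
"""


def parse_export(text):
    """Turn the CSV rows into dicts with a decoded message type and an integer error code."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": float(row["time"]),
            "src": row["src"],
            "dst": row["dst"],
            "msg": MSG_TYPES.get(int(row["msg_type"]), "type %s" % row["msg_type"]),
            "error": int(row["error_code"]) if row["error_code"] else None,
            "sname": row["sname"],
        })
    return rows


def triage(rows):
    """Return (Counter of message types, list of findings for errors that need action)."""
    counts = Counter(r["msg"] for r in rows)
    findings = []
    for i, r in enumerate(rows):
        if r["msg"] != "KRB-ERROR":
            continue
        code = r["error"]
        name, hint = ERRORS.get(code, ("error %s" % code, "look the code up in RFC 4120"))
        # A PREAUTH_REQUIRED that is answered by a later AS-REP for the same service is normal.
        if code == 25 and any(x["msg"] == "AS-REP" and x["sname"] == r["sname"] for x in rows[i + 1:]):
            continue
        findings.append("%.3fs %s -> %s: %s for %s: %s"
                        % (r["time"], r["src"], r["dst"], name, r["sname"], hint))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(parse_export(SAMPLE_EXPORT))
    print(dict(counts))
    for f in findings:
        print(f)
```

On the sample the only actionable finding is the KDC_ERR_S_PRINCIPAL_UNKNOWN for HTTP/myboeserver.mydomain.com, which maps straight back to the setspn step in the BusinessObjects configuration section.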


© 2013 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.