
SAP Crypto & BusinessObjects Enterprise

Applies to:
BusinessObjects Enterprise XI Release 2 and 3.1; XI Release 2 and 3.1 Integration for SAP Solutions

Summary
The purpose of this document is to provide the reader with an understanding of how BusinessObjects utilizes Secure Network Communication (SNC). This document also provides instructions to set up SAP Crypto SNC in a BusinessObjects environment.

Author(s): Jeremy Shinall, with contributions from Ingo Hilgefort, Gabriel De Lapparent and Sinisa Knezevic
Company: SAP
Created on: 9 October 2009 (v2); 12 August 2009 (v1)

Author Bio
Jeremy Shinall is a support consultant with SAP BusinessObjects. Jeremy has been with the BusinessObjects division since 2005.

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com 1


Table of Contents
Introduction
SAP SNC
    What is SAP SNC?
    SAP Crypto
    SNC & BusinessObjects Enterprise
SAP Server Setup
    Library Files
    Profile Parameters
BusinessObjects Setup
    BusinessObjects Services
    Local SAP Crypto Libraries
    Local PSE Certificates
        Creation
        Exchanging Certificates
        Complete the Trust Relationship
        Configure User Access
    Adding SNC ACL Entry
    Configuring SNC in the Central Management Console
        SNC Options Tab
        Entitlement Systems Tab
        Setup Confirmation
Troubleshooting
    JCO Test
    RFC & CPIC Tracing
    SOFA Tracing
    SAP Gateway Monitor
    ABAP Dump Analysis
Related Content
Copyright


Introduction
The purpose of this document is to provide insight and information for customers that wish to implement SAP Crypto SNC technology in their BusinessObjects Enterprise deployments. This document is not meant to be a quick reference guide for installation or implementation. In short, read the entire document to get a thorough understanding of all concepts related to implementing SAP Crypto with BusinessObjects Enterprise.

This document is NOT to be considered an authoritative source of information regarding SNC technology or the implementation and troubleshooting of SNC. SAP notes are used as references where applicable.

Additionally, this document assumes that all servers involved are Microsoft Windows-based. Any references to file names, file locations, environment variables, etc. will need to be modified to accommodate a Unix/Linux platform.

SAP SNC
What is SAP SNC?
SNC is a software layer in the SAP system architecture that provides an interface to external security products. SNC provides security at the application level. This means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) is guaranteed, regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners.

There are 3 methods for deploying SAP SNC: NTLMSSP, Kerberos and SAP Crypto. This document focuses on SAP Crypto only.

SAP Crypto
The SAP Crypto library provides an API to configure SNC connectivity from external applications with an SAP system configured for SNC authentication. The main principle behind SAP Crypto is a certificate trust relationship between servers.
Note: The SAP Crypto library is licensed for server-side trust but not for client applications. It cannot be used to provide SNC communication via the SAP GUI or BusinessObjects Enterprise client tools (Designer, Webi Rich Client, etc.).

SNC & BusinessObjects Enterprise
The "Configuring SAP Server-Side Trust" chapter of the Installation and Administration Guide for the SAP Integration product describes SNC integration with BusinessObjects Enterprise in more detail. For the purposes of implementation and configuration, the following summary should suffice:
- Encrypts the communication channel between the BusinessObjects and SAP servers.
- Provides the user impersonation required for report viewing & processing (Web Intelligence, Crystal, etc.).

SAP Server Setup


Configuring SAP Crypto on your SAP server is outside the scope of this document. However, it serves the interests of BusinessObjects customers to highlight some aspects of the SAP server setup.

Library Files
The SNC setup on your SAP server starts with putting the SAP Crypto library on your SAP server. Here are the libraries used for each flavor of SNC. For both 32- and 64-bit versions of the SAP Crypto library, this file is sapcrypto.dll.


Profile Parameters
The following profile parameters (found using the RZ10 transaction) are typical of an SAP server setup with SNC:

Parameter                  Value
snc/data_protection/max    3
snc/data_protection/min    1
snc/enable                 1
snc/gssapi_lib             <full path to sapcrypto.dll>
snc/identity/as            p:<SAP server's DN>
ssf/name                   SAPSECULIB
ssf/ssfapi_lib             <full path to sapcrypto.dll>
sec/libsapsecu             <full path to sapcrypto.dll>

BusinessObjects Setup
Before SNC can be configured on a BusinessObjects server, the following must be in place:
- SAP authentication has been configured in the CMC and proven to be working correctly (i.e. users can log on to BusinessObjects using SAP authentication).
- The 32-bit SAP Crypto library has been downloaded from the SAP Service MarketPlace (http://service.sap.com/tcs).
  o Because the BusinessObjects services are 32-bit applications, the 32-bit SAP Crypto library must be implemented on the BusinessObjects server.

BusinessObjects Services
By default, the BusinessObjects services are configured to run as the LOCALSYSTEM account. This will have to be changed to accommodate an SNC setup. Here is a list of the services requiring this change:
- Crystal processing servers (Processing Tier)
- Web Intelligence processing servers (Processing Tier)
Note: Desktop Intelligence is not supported for use with SAP data sources.

Ideally, one user account would be used for all of the affected services. This user account does not have to be a domain account. The user account can be local to the BusinessObjects server.

Local SAP Crypto Libraries
This section will walk you through setting up the SAP Crypto libraries on your BusinessObjects server.

1. Create a directory to store the SAP Crypto libraries, for example C:\sapcrypto.
   o The sapcrypto.dll and sapgenpse.exe files should be placed in this directory.

2. Create a sub-directory titled sec. The full path would be C:\sapcrypto\sec.
   o The ticket file should be placed in this directory.

3. Add the directory created in step 1 to the system PATH variable.


4. Create a system environment variable named SNC_LIB.
   o The value of this variable should be the full path of the sapcrypto.dll file, for example C:\sapcrypto\sapcrypto.dll.

5. Create a system environment variable named SECUDIR.
   o The value of this variable should be the full path of the directory created in step 2.

The BusinessObjects services will have to be restarted before the environment variables in steps 4 & 5 will be utilized.
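
The following preflight check for steps 1 to 5 is an added example, not part of the original document or of any SAP tool. It verifies that SNC_LIB points to a 32-bit PE image (the page's requirement for the 32-bit BusinessObjects services), that its directory is on PATH and holds sapgenpse.exe, and that SECUDIR exists. The function names and the stub file used as sample input are hypothetical.

```python
import os
import struct
import tempfile

IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF Machine value of a 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # COFF Machine value of a 64-bit x64 image


def pe_machine(path):
    """Return the COFF Machine value of a PE file, or None if it is not one."""
    with open(path, "rb") as fh:
        dos = fh.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        (pe_offset,) = struct.unpack_from("<I", dos, 0x3C)  # e_lfanew field
        fh.seek(pe_offset)
        header = fh.read(6)
    if len(header) < 6 or header[:4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", header, 4)[0]


def _same_dir(a, b):
    """Compare two directory paths the way the local OS does (case, slashes)."""
    return (os.path.normcase(os.path.normpath(a))
            == os.path.normcase(os.path.normpath(b)))


def check_snc_environment(env):
    """Check steps 1-5 against an environment mapping; return a list of findings."""
    findings = []
    snc_lib = env.get("SNC_LIB", "")
    secudir = env.get("SECUDIR", "")

    if not snc_lib:
        findings.append("SNC_LIB is not set")
    elif not os.path.isfile(snc_lib):
        findings.append("SNC_LIB does not point to a file: " + snc_lib)
    else:
        machine = pe_machine(snc_lib)
        if machine is None:
            findings.append("SNC_LIB is not a PE image")
        elif machine != IMAGE_FILE_MACHINE_I386:
            findings.append(
                "SNC_LIB is not a 32-bit library (machine 0x%04X)" % machine)
        lib_dir = os.path.dirname(snc_lib)
        path_dirs = [p for p in env.get("PATH", "").split(os.pathsep) if p]
        if not any(_same_dir(lib_dir, p) for p in path_dirs):
            findings.append("PATH does not contain " + lib_dir)
        if not os.path.isfile(os.path.join(lib_dir, "sapgenpse.exe")):
            findings.append("sapgenpse.exe not found next to SNC_LIB")

    if not secudir:
        findings.append("SECUDIR is not set")
    elif not os.path.isdir(secudir):
        findings.append("SECUDIR is not a directory: " + secudir)
    return findings


def make_stub_pe(path, machine):
    """Write a constructed, minimal PE header stub (sample input, not a real DLL)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    with open(path, "wb") as fh:
        fh.write(dos + b"PE\x00\x00" + struct.pack("<H", machine))


def demo(machine):
    """Recreate the page's directory layout in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "sapcrypto.dll")
        make_stub_pe(lib, machine)
        open(os.path.join(root, "sapgenpse.exe"), "wb").close()
        sec = os.path.join(root, "sec")
        os.mkdir(sec)
        env = {"SNC_LIB": lib, "SECUDIR": sec, "PATH": root}
        return check_snc_environment(env)


if __name__ == "__main__":
    # On the BusinessObjects server this checks the real environment.
    for finding in check_snc_environment(os.environ) or ["OK"]:
        print(finding)
```

Run it from a command prompt opened after the variables were created, since an already open prompt still carries the old environment.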

Local PSE Certificates

Creation
Each BusinessObjects server/deployment must have a PSE certificate in order to establish a trust with the SAP server. The following steps must be followed to create each PSE certificate:

1. Open a command prompt and navigate to the directory that contains sapgenpse.exe, for example C:\sapcrypto.

2. Execute the following command:
       sapgenpse gen_pse -v -p <filename>.pse
   o Replace <filename> with an appropriate filename of your choosing. In this example, we will choose BOESERVER.
   o You will be prompted for a PIN. Choose any PIN you desire. This PIN will be used in later steps.
   o When prompted for a Distinguished Name (DN), enter a DN of your choosing as long as it adheres to LDAP naming conventions. In this example, we will use CN=BOESERVER, OU=CA, O=SAP, C=US.
   o This step creates the SAP Crypto equivalent of a private key.
   o You will find this PSE file in the directory specified in the SECUDIR environment variable.

3. Execute the following command:
       sapgenpse export_own_cert -v -p BOESERVER.pse -o <filename>.crt
   o Replace <filename> with an appropriate filename of your choosing. In this example, we will choose BOESERVER.
   o This step creates the SAP Crypto equivalent of a public key.
   o You will find this CRT file in the directory this command was executed from.

Exchanging Certificates
The next step in creating the trust relationship between the BusinessObjects server and the SAP server is to exchange public certificates between the systems. These steps should be performed for each CRT file created.

1. Log on to the SAP server using the SAP GUI application.
2. Run the STRUST transaction.
   o Expand the SNC (SAPCryptolib) item.


   o Double-click the server entry and enter the password when prompted.
3. In the Certificate section, click the Import Certificate button.
   o Select the CRT that you created.
   o Select the Base64 radio button.
   o Click the green checkmark to continue.
   The details of your public certificate will now appear in the Certificate section.


4. Click the Add to Certificate List button.
5. Double-click the DN in the Own Certificate section.
   The SAP server's certificate details will now appear in the Certificate section.
6. Click the Export Certificate button to export the SAP server's public certificate.
   o Specify a filename and a location to save the certificate to, for example C:\sapcrypto\SAPserver.crt.
   o Select the Base64 radio button.
   o Click the green checkmark to continue.
7. Click the Save icon in the Trust Manager (STRUST) and exit the STRUST transaction.

Complete the Trust Relationship
At this point, the SAP server is aware of the BusinessObjects server. However, we have one more step before the BusinessObjects server is aware of the SAP server and the trust relationship is completed. Open a command prompt:

1. Navigate to the directory that contains the SAP server public certificate.
2. Execute the following command:
       sapgenpse maintain_pk -v -a SAPserver.crt -p BOESERVER.pse

At this point, the SAP server and BusinessObjects server are aware of and trust each other.

Configure User Access
As the SAP Crypto equivalent of a private key, the PSE file is secured by a PIN. However, the BusinessObjects services are not capable of responding to such a prompt. So, we must associate the username running the BusinessObjects services with the PSE file.

1. Log on to the BusinessObjects server as the user running the BusinessObjects services.
2. Open a command prompt and navigate to the directory containing sapgenpse.exe.
3. Execute the following command:
       sapgenpse seclogin -p BOESERVER.pse


   o When prompted, enter the PIN you created for this PSE file.
Note: If you are unable to log on to the BusinessObjects server as the username running the BusinessObjects services, you can execute this command:
       sapgenpse seclogin -p BOESERVER.pse -O <username>

To confirm that the user can now access the PSE file without providing a PIN, try the following commands:

       sapgenpse get_my_name -p BOESERVER.pse

This will display the details of the PSE file selected.

       sapgenpse maintain_pk -l -p BOESERVER.pse

This will display all of the SAP server certificates that have been added to the PSE file.

If either of these commands prompts you for a PIN, the username executing the commands has not been associated with the PSE file.

Adding SNC ACL Entry
Now that the trust relationship has been completed, we must configure the actions that the BusinessObjects services will be allowed to perform. This is done by adding entries to the SNC Access Control List (ACL) on the SAP server.

1. Log on to the SAP server using the SAP GUI application.
2. Run the SNC0 transaction.
3. Click the New Entries button on the toolbar.
4. Fill out the new entry using the following as guidance:
   a. System ID: description of entry
   b. SNC Name: DN from the PSE file, prefixed by p:
      i. For example: p:CN=BOESERVER, OU=CA, O=SAP, C=US
   c. Entry for RFC activated: checked
   d. Entry for CPIC activated: checked or unchecked (optional)
   e. Entry for DIAG activated: checked or unchecked (optional)
   f. Entry for certificate activated: checked or unchecked (optional)
   g. Entry for ext. ID activated: checked
5. Save the new entry by clicking the Save icon. If the SNC Name field was entered correctly, you will see "Canonical Name Determined" in the entry after saving.


NOTE: At this point, your SAP Crypto setup is ready for implementation within BusinessObjects.

Configuring SNC in the Central Management Console
Now that the SAP Crypto foundation has been set, the SNC options can be configured under SAP Authentication in the CMC.

SNC Options Tab
1. Select the appropriate logical system from the dropdown menu.
2. Under Basic settings:
   o Check the "Enable Secure Network Communication [SNC]" checkbox.
   o The "Disallow insecure incoming RFC connections" checkbox can also be selected. However, it may be best to leave it unchecked until the rest of this configuration is completed.
3. Under SNC library settings:
   o In the "SNC library path" field, enter the full path of the sapcrypto.dll file on the BusinessObjects server.
     Note: This will correspond to the value of the SNC_LIB environment variable on the BusinessObjects server.
   o For the Quality of Protection option, select the Authentication radio button.
4. Under Mutual authentication settings:
   o In the "SNC name of SAP system:" field, enter the SNC name of the SAP server, prefixed by p:. For example, p:CN=T25, OU=CA, O=BOBJ, C=CA.
5. Under Trust Settings:
   o In the "SNC name of the Enterprise system:" field, enter the SNC name created for BusinessObjects Enterprise, prefixed by p:. For example, p:CN=BOESERVER, OU=CA, O=SAP, C=US.
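
The DN chosen for the PSE is typed again in the SNC0 ACL entry and in the CMC trust settings, each time with the p: prefix, so a mismatch is easy to introduce. The following consistency check is an added example, not part of the original document: the function names are hypothetical, the sample values are constructed from the page's example DN, and the comparison rule (attribute types compared case-insensitively, values compared exactly, whitespace around components ignored) is an assumption, not SAP's own canonical name resolution.

```python
import re


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs; raise ValueError if malformed."""
    rdns = []
    # Split on commas that are not escaped with a backslash.
    for part in re.split(r"(?<!\\),", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def parse_snc_name(snc_name):
    """Parse an SNC name of the form p:<DN>; the p: prefix is mandatory."""
    name = snc_name.strip()
    if not name.startswith("p:"):
        raise ValueError("SNC name must start with 'p:': %r" % snc_name)
    return parse_dn(name[2:])


def check_snc_names(pse_dn, settings):
    """Compare every configured SNC name with the DN stored in the PSE.

    settings maps a label (where the name was entered) to the value entered.
    Returns a list of findings; an empty list means all entries agree.
    """
    expected = parse_dn(pse_dn)
    findings = []
    for where, name in settings.items():
        try:
            actual = parse_snc_name(name)
        except ValueError as exc:
            findings.append("%s: %s" % (where, exc))
            continue
        if actual != expected:
            findings.append("%s: DN differs from PSE (%s)" % (where, name))
    return findings


def demo():
    """Constructed sample: one correct entry, one without prefix, one wrong O=."""
    pse_dn = "CN=BOESERVER, OU=CA, O=SAP, C=US"
    settings = {
        "SNC0 ACL entry": "p:CN=BOESERVER, OU=CA, O=SAP, C=US",
        "CMC trust setting": "CN=BOESERVER, OU=CA, O=SAP, C=US",
        "CMC trust setting (second system)": "p:CN=BOESERVER, OU=CA, O=BOBJ, C=US",
    }
    return check_snc_names(pse_dn, settings)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same function can compare the value of snc/identity/as on the SAP server with the "SNC name of SAP system" field by passing the SAP server's DN as pse_dn.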


Entitlement Systems Tab
After enabling SNC on the SNC Settings tab, a new field titled SNC Name will be visible on the Entitlement Systems tab. You may leave this field blank and continue to use the existing username and password.

Setup Confirmation
To confirm that the server-side trust is configured correctly, you must perform an action that would invoke the user impersonation. The most popular method is to refresh a Web Intelligence document whose underlying universe connection is configured to use the "Use Single Sign On when refreshing reports at view time" authentication method.

Troubleshooting
JCO Test
Connection to the SAP system can be tested outside of the BusinessObjects product using the JCO. The following command should be executed from the command line:

       java -classpath <full path to sapjco.jar> com.sap.mw.jco.support.JRfcTest

1. Select 2 for Connection Test.
2. Select 3 for R/3 connectivity.


The rest of the options can be customized to fit the situation. To test SNC connectivity, make sure to choose Y at the "Working with SNC" prompt.

RFC & CPIC Tracing
The SAP libraries on the BusinessObjects server allow RFC and CPIC traces to be collected in order to examine the communication between the BusinessObjects and SAP servers. Please see the following SAP Notes:
- RFC Traces: 1342398
- CPIC Traces: 1342389

SOFA Tracing
When processing reports based on SAP data sources, most BusinessObjects services use the SOFA protocol. SOFA tracing can be useful to determine why a report is failing. Create a text file and save it as trace.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Asserts]
"Model"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log]
"OverWrite"="No"
"AppendPID"="Yes"
"LogFile"="C:\\sofa.log"
"LogFormat"="%T ThreadID<%i> %X : %m"

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules]

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\APIMODULE]
"Verbosity"=dword:00000000
"Timer Threshold"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\APIMODULE\Components\INFO]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\JNIMODULE]
"Verbosity"=dword:00000005
"Timer Threshold"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\JNIMODULE\Components\INFO]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ASSERTION]
"Verbosity"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\COMMONMODULE]
"Verbosity"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ESSBASEMODULE]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\INTERFACE]
"Verbosity"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\MEMORY]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\OCAMODULE]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOMODULE]
"Verbosity"=dword:00000004
"MDX Query Log"="C:\\mdx_odbo_query.log"
"MDX Query Clock"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOPROVIDERMODULE]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOSHAREDUTILITIES]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ORACLEMODULE]
"Verbosity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\SAPMODULE]
"Verbosity"=dword:0000000a
"MDX Query Log"="C:\\mdx_sap_query.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\UTILITIES]
"Verbosity"=dword:00000000

After saving this trace.reg file, double-click it to merge the settings into the Windows registry. After restarting your BusinessObjects services, SOFA tracing will be enabled and the corresponding log files will be created when SOFA communication is initiated by the BusinessObjects services (i.e. a report is processed).

SAP Gateway Monitor
The SMGW transaction can be used to examine communication with your SAP system's gateway:
- Monitor active connections to the SAP server.
- Generate a trace log to capture the RFC connection details.

It is recommended that you ask your SAP system administrators for assistance in gathering Gateway Monitor logs. However, here is some general guidance:
- As connections are made to the server, you will see the new connections listed in the main monitor page.
- The Details button will display the connection's current status details.
- The Display File button will display the trace log for connections.
- The tracing detail level can be adjusted using the GoTo > Trace > Gateway sub-menu items.
Note: Increased tracing detail can introduce performance issues on your SAP system. Please use wisely.


ABAP Dump Analysis
The ST22 transaction provides another source of troubleshooting information. As with the SMGW transaction, it is recommended that you engage your SAP system administrators for assistance.


Related Content
SAP Note 662340
SAP Note 1342435
SAP Note 1342398
SAP Note 1342389


Copyright
Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
