1 2 3 19 Previous Next

BI Platform

280 Posts


This blog is an implementation of the official SAP documentation : http://help.sap.com/businessobject/product_guides/sbo41/en/sbo41sp4_bip_admin_en.pdf


1. Introduction


The Monitoring Application is a new application in SAP BusinessObjects 4.x. You will find the application in the CMC under Manage. By default, the monitoring trending data are stored in four tables in a Derby (Java) database and we have the option to transfer this data to the Audit database.

If you want to use the auditing database for your monitoring data, and you have existing data in your Derby trending database, you will need to migrate the Derby database to the auditing database.

 

This provides several advantages:

  • The Derby tables will only store three months worth of data. The Audit DB tables will store as much data as you want.
  • Connecting to the audit tables, to build a universe, is much easier than connecting to Java tables.

 

 

 

2. Trending database schema


The following Trending database diagram and table explanations show you the tables where the metric, probe, and watch data will be recorded and how these tables are related.

 

19-10-2014 16-50-33.png


3. Trending database tables


  • MOT_MES_DETAILS: This table records the information about subscription breaches and alert delivery information. For example, breach time and alert delivery time.
Column_NameTypeKeyDescription

StatusDetailsId

INTEGER

Primary Key

Autogenerated

DetailsIdINTEGERForeign key (from MOT_TREND_DETAILS)

Time

BIGINT or NUMBER

Unix Epoch date

NATime at which data was collected
AlertTypeSMALLINT or NUMBERNASubscription notification delivery type (for example, email)

 

  • MOT_MES_METRICS: This table records information about watches and the metrics belonging to the watch equations. Every metric belonging to the watch will have one entry in this table.
Column_NameTypeKeyDescription

DataId

INTEGER

Primary Key

Autogenerated

DetailsIdINTEGERForeign key (from MOT_TREND_DETAILS)
CUIDVARCHAR(64)NACUID of the watch
NameVARCHAR(255)NAName of the watch

 

  • MOT_TREND_DATA: This table records the trending data from metrics, watches, and probes. For example, metric value and time.
Column_NameTypeKeyDescription

DataId

INTEGER

PrimaryKey

Autogenerated

DetailsIdINTEGERForeign key (from MOT_TREND_DETAILS)
Time or TimeT

BIGINT or NUMBER or FIXED

Unix Epoch date

NATime at which data was collected
ValueFLOAT or DOUBLE or NUMBERNAValue of the metric / subscription
MessageKeyVARCHAR(32)NAError message key or null if successful. For Watch, it can also be either "watchEnabled" or "watchDisabled". It is a "key" because it is ultimately used to fetch localized messages before displaying the UI.
TsDATETIME or TIMESTAMPNA

Time at which data is written to the databaseMOT

 

  • MOT_TREND_DETAILS: This table records information about managed entities, probes, and watches. For example, CUID and metric names.
Column_NameTypeKeyDescription

DetailsId

INTEGER

PrimaryKey

Autogenerated

CUIDVARCHAR(64)NACUID of the InfoObject that exposes the metric or is related to the metric
MetricNameVARCHAR(255)NAName of the Metric
TypeVARCHAR(32)NA

One of "Subscription", "ManagedEntityStatus", or "Probe"

NameVARCHAR(255)NA

Name of the watch when the type is "ManagedEntityStatus". Otherwise, default to the same string as in Type, except in all capital letters; for example, "PROBE" or "SUBSCRIPTION".

 

Therefore, it is recommended to migrate the data from the Derby tables, to the Audit database. Let’s talk about how to do that.




4. Migrating the Trending Data


Before you start migrating your data, verify these prerequisites:

  • The auditing database is working, and auditing is running properly.
  • You have sufficient authorizations and database client applications on the target database to create new tables, import CSV dumps, and so on.
  • The auditing database supports the import of comma-separated values (CSV) files.


 

 

    4.1 To export the data into CSV files


This section explains how to generate the CSV dump files required for migration. The CSV files contain comma-separated values of the embedded Derby database data content.

 

  • In the Manage area on the CMC home page, click Applications.
  • Double-click Monitoring Application to open the properties page.
  • In the Trending Database Settings area, beside Export Data from Embedded database as CSV files, click Export.

 

19-10-2014 16-49-28.png

 

The following four CSV files are generated in the default Trending Database location, which is:

<BOE_Install_Dir>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0/Data/TrendingDB


19-10-2014 17-42-54.png


   

      4.2 To create the monitoring tables in the MS SQL Server Audit DB


Follow these steps to prepare the target auditing database:

 

After installing the BI platform, DDLs related to all the supported CMS auditing databases are available in the <Install Dir>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\Data\TrendingDB location. You will find seven different (.sql extension) files with the respective database name.

19-10-2014 17-48-06.png

Go to the MS SQL Audit DB (in this case, the target database is the database where CMS auditing has been configured) and run the .sql file. The following four Monitoring tables are created: MOT_TREND_DETAILS, MOT_TREND_DATA, MOT_MES_DETAILS, and MOT_MES_METRICS. The required indexes are also created, along with the tables.

19-10-2014 18-01-58.png

 

If all the tables are created with correct data types as mentioned in the .sql file, the database schema required for the Monitoring application is created.

19-10-2014 18-09-37.png

 

 

 

    4.3 To restore contents to the target database


The following steps need to be performed in order to restore the content to the target database:


  • Enable Identity Insert

The Monitoring tables contain a number of IDENTITY columns. These are columns that auto-generate their values. MS SQL Server do not allow explicit insertion of values to these columns.

During data migration, even these identity column values need to be migrated however. Users therefore have to enable the explicit insertion of these values using the following SQL command:

SET IDENTITY_INSERT <TABLE NAME> ON

 

  • Import the CSV dump file to the target table

All software provided by database clients enables users to import the data from CSV to the table using either a menu option or a command. The user needs to use this option to import the data from the CSV file to the corresponding table. Import the data files into the new tables in the following order:


    • MOT_TREND_DETAILS
    • MOT_TREND_DATA
    • MOT_MES_DETAILS
    • MOT_MES_METRICS

 

  • Disable Identity Insert

Once the data has been imported, the user needs to disable the identity insert on the table using the following SQL command:

SET IDENTITY_INSERT <TABLE NAME> OFF


Users have to disable the identity insert on a table after the data import in order to enable the identity insert on the next table. This is because the identity insert operation can be enabled on only one table at a time.

 

 

 

MSSQLServer scripts list :
19-10-2014 18-59-19.png
19-10-2014 19-08-27.png
19-10-2014 19-16-35.png
19-10-2014 19-20-45.png

 

 

 

 

4.4 To configuring SBO files

 

Internally, the Monitoring application uses Connection Server libraries, and the SBO configuration is required for the Connection Server to establish connectivity to the database driver. You need to specify the database driver and its location in the SBO file to establish this connectivity.

 

The connection name field configured in the CMC Auditing page is an ODBC DSN, so the driver should be configured in: <Install_Dir>\dataAccess\connectionServer\odbc\sqlsrv.sbo

 

Typically, the ODBC libraries are already configured in the SBO files and you just need to add the alias names. If this is not the case, follow this example to perform the configuration in the SBO file:

 

19-10-2014 20-04-20.png

 

 

 

4.5 To switch to the auditing database

 

Switch the database so that Monitoring trending information will be stored in the auditing database:

 

  • In the Manage area on the CMC home page, click Applications.
  • Double-click Monitoring Application to open the properties page.
  • In the Trending Database Settings area, select Use Audit Database.

 

19-10-2014 19-29-48.png

Restart your Monitoring APS.

 

 

 

4.6 To check the data entered into the audit DB


Here is a sample query to see if your monitoring entries are added:

 

19-10-2014 19-57-23.png

We currently have BI 4.1 SP01 Patch 6 and are considering upgrading, but to what version, support package and patch?  I know that there are lots of "What's New" resources like this one for 4.1 SP04.  But how do I know what fixes from previous patches are being carried forward?  There used to be something called the Forward Fit spreadsheet that would lay this out.  However, I was unable to find it.  I did find this very helpful blog post by Patrick Perrier though...

 

SAP BusinessObjects Business Intelligence Suite 4.1 SP04 (SP4) Released

 

And within that I found a link to the Forward Fit spreadsheet I sought, but it came with a bit of a surprise.

 

 

So I have to look at SAP notes to know what releases it is forward fit to?  In my view BI upgrades are a roll of the dice anyway in that while some things are fixed you never know what is going to get broken.  Not maintaining the Forward Fit spreadsheet going forward makes things even more difficult.

 

Here is what I would like to see.  I would like SAP to provide an interactive web page that allows me to enter the version, support package and patch I am on as well as what version, support package and patch I am to which considering upgrading.  The web page would then show me the new features and fixes I would gain and also what features and fixes I would forfeit.  I know this would take considerable effort, but I know that we would find it very helpful.

 

Anyone else?

 

Noel

We recently upgraded from BO 4.0 SP4 to BO 4.1 SP4. This was my first upgrade and I would have loved to find something like this on SCN (maybe there is and I just didn’t search hard enough). We all know 4.1 is old news, but I thought there might still be a few people who haven’t gone through the upgrade yet, so here goes:


We originally planned to go to SP3, but ran into a few bugs that were only fixed in SP4 at that time, so ended up at SP4.

 


1. Dashboard Design:


1.1

 

Our existing dashboards gave the following error (when launched in EP Portal):

 

" While trying to invoke the method java.lang.String.toUpperCase(java.util.Locale) of a null object loaded from local variable 'memberCountLimitNull' "

 

We used SAP Netweaver BW Connections. The errors were caused by BEx queries that had undergone some sort of “structure” change after the BW upgrade. We had about 5 connections in 2 dashboards that changed; each connection was a different case than the one before.

 

Solution: Delete and recreate the connections causing errors.

 

 

1.2

 

It was hard to find the connections that were causing the errors because another thing we picked up is that the connection preview did not work anymore. It gave the following error:

 

"Could not connect to BI Query. Make sure the request URL is valid and verify the network connection. "

 

We haven't found a solution for this yet. We had to delete each connection one at a time, publish the dashboard and then check if there is one less error.

 

1.3

We also had another error in EP Portal when launcing the dashboards:

 

" Error while executing function module: BICS_PROV_GET_RESULT_SET "

 

Solution: This was caused due to timeouts in BW. We applied this note in BW 1980998 - GETWA_NOT_ASSIGNED during generic aggregation MIN/MAX

 

2. Client Tools:

2.1

 

We had the following logon errors with the client tools:

 

IDT - " Communication error occured when trying to connevt to server xyz "

UDT - " Cannot access the repository "

Webi RC - " Logon failure due to an internal error "

 

Solution: From the CMC we manually configured the ports of the services. (By default they were set to auto assign)

 

 

2.2

 

In IDT we are also unable to create a relational connection to SAP ERP 6:


" Fail to create an instance of Job : com/businessobjects/i18n/locale/BoLocale "


Solution: This is a bug, it's resolved in one of the patches.

 

3. Launchpad:


3.1

 

The Folder links did not work automatically. We configured the default folder URL (new feature in 4.1 SP3) by following this link:


Solution: Direct Links to Folders (4.1 SP3) (Comments)

 

3.2

We had an issue with scheduling Webi reports, they did not run for the dates we specified in the prompts, it was way out (more than a century). This was a big issue for us.

 

Solution: Upgrade to SP4. This was the main reason we went from SP3 to SP4.

 

3.3

 

Searching for documents on the BI Launchpad returned an error:

 

" An error occured while searching.: Unable to find servers in CMS xyz and cluster @xyz with kind pjs and service PlatformSearchService0CA. All such servers could be down or disabled by the administrator "


Solution: Recreate the index files on OS level then stop start the APS.

 

4. Webi:

 

4.1

 

We had a few Java issues with the Applet mode in the BI Launchpad. First error occured when we tried to create a new webi report in applet mode:


" Unspecified error ivoking method or accessing property "onChangeDocID" "


Solution: We had to upgrade our Java to version 7 update 51 or higher. 1933283 - Error: "Unspecified error invoking method or accessing property "onChangeDocID" " when refreshing a new WebI report after choosing query elements

 

4.2

After doing the above, the users came across an error when using Applet mode:

" Web intelligence Applet cannot be loaded, please make sure you have installed a Java virtual machine. "

Solution: Something else we picked up is that if you run 64bit IE, you need to have installed 64bit Java. If you run 64bit IE, and you have 32bit Java installed, you get the error.

 

4.3

 

When refreshing a webi report (on a BEx Query) in HTML mode and filtering in the BEx prompts, we picked up that if you select a value and then decide to remove it from the selection, the blank selection is then automatically populated with [EMPTY_VALUE]. this causes the refresh to fail when you run the report:

" System xyz: Incorrect value "[EMPTY_VALUE]" for data scurce variable abc "

 

Solution: This is a bug. See this post for more info Webi BEx Query Prompt default [EMPTY_VALUE] when removing selected values BO4.1

 

4.4

Some of our existing Webi report variables were not calculating correct. This this was easy to spot in the charts.

Solution: Recreate the variables. Clear the entire formulae and recreate it.

 

4.5

Some of the existing reports were empty (no data).

Solution: Remove and readd the filters on the reports components

 

4.6

When refreshing an existing report or creating a new report based on a universe to BW, we had the following error:

" Database error: Unable to connect to SAP BW server Could not convert from 4103 codepage to 1100 codepagerc = 2048. "

Solution: This was due to using SSO to connect to BW. This is a bug. We created a system connection user and maintained the uthorizations from the CMC. See this note for more info (did not resolve our issue) 2037630 - Webi reports based off of SSO enabled universes fail with codepage conversion error

 

5. CMC:

 

5.1

 

Promotion manager was unable to connect to an upgraded system and so we were unable to promonte:

" Could not reach CMS xyz. Specify the correct host and port and and check for network issues "

 

Solution: Upgrade BO4.0 to BO4.1. Promotion Manager: Could not reach CMS

 

 

Summary:

 

There are a few more where these came from. So why upgrade? Was it worth it?


Absolutely! BO 4.1 is much more stable than BO 4.0. The added features also makes it well worth your while.

 

Hope there is someone out there who found this usefull.

 

Regards

Antonette

One of the frequent questions from our customers is how to create a customized SSO enterprise authentication for BI LaunchPad and for Open Document queries. One of the most easiest way is to use servlet filter in Tomcat. You can find below the steps needed to create, develop and deploy the SSO filter:

 

Create a new project in Eclipse:

s1.png

Enter the project name and pick the Tomcat runtime (same as your BI web server):

 

s2.png

Add a new class to your project

s3.png

Type the package name, class name and click on Add button

s4.png

Type filter and choose the interface javax.servlet.Filter

s5.png

Click on finish

s6.png

Copy the SDK libraries from the folder below to a project folder:

s7.png

Go to configure build path of your project and add the SDK files, using Add External JARs button:

s9.png

Copy and paste the code below into the SSOFilter.java file:

package com.xxx.yyy.aaa;

 

import java.io.IOException;

 

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

 

import com.crystaldecisions.sdk.exception.SDKException;

import com.crystaldecisions.sdk.framework.CrystalEnterprise;

import com.crystaldecisions.sdk.framework.IEnterpriseSession;

 

import java.io.UnsupportedEncodingException;

import java.net.URLEncoder;

 

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

 

public class SSOFilter implements Filter {

private static FilterConfig filterConfig = null;

 

public SSOFilter() {}

 

@Override

public void destroy() {

// TODO Auto-generated method stub

 

}

 

@Override

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain chain) throws IOException, ServletException {

// TODO Auto-generated method stub

HttpServletRequest servletRequest = (HttpServletRequest)request;

HttpServletResponse servletResponse = (HttpServletResponse)response;

 

String userName = "test";

String password = "password";

 

        String requestURL = servletRequest.getRequestURL().toString();

 

        try

{

if (requestURL.contains("openDocument.jsp") && servletRequest.getParameter("token")==null) {

servletResponse.sendRedirect(requestURL+"?iDocID="+servletRequest.getParameter("iDocID")+"&sIDType="+

servletRequest.getParameter("sIDType")+"&token="+createEncodedToken(userName, password));

} else if (requestURL.contains("BOE/BI") && !(requestURL.contains("start"))) {

((HttpServletResponse) response).sendRedirect(requestURL+"/logon/start.do?ivsLogonToken="+createEncodedToken(userName, password));

} else {

chain.doFilter(request, response);

}

} catch (SDKException e) {

chain.doFilter(request, response);

} catch (UnsupportedEncodingException e) {

chain.doFilter(request, response);

}

 

}

 

@Override

public void init(FilterConfig config) throws ServletException {

// TODO Auto-generated method stub

setFilterConfig(config);

}

 

public String createEncodedToken(String userName, String password) throws SDKException, UnsupportedEncodingException {

IEnterpriseSession enterpriseSession = CrystalEnterprise.getSessionMgr().logon(userName, password, "localhost", "secEnterprise");

return URLEncoder.encode(enterpriseSession.getLogonTokenMgr().createWCAToken("", 750, 9999), "UTF-8");

}

 

 

private void setFilterConfig(FilterConfig config)

{

filterConfig = config;

}

 

private static FilterConfig getFilterConfig()

{

return filterConfig;

}

 

}

 

It should look like the following:

s10.png

Export the project as JAR file:

s11.png

Select only source files, like below:

s12.png

Copy the jar file into the following folder:

s13.png

Modify the file web.xml from the folder to add the new SSO filter:

s14.png

Add the class name and the filter and filter-mapping xml nodes as following:

s15.png

Restart the tomcat server and the filter should be running!


In our previous blogs we have analyzed various components required for Designing security model such as List of available rights, possible user categories and finally the Security models. Before taking deep dive in to each model we need to organize BusinessObjects content at below levels

 

  • Reporting folders
  • Universe folders
  • User hierarchy

 

You can have a look at below articles to know more about organizing contents (Content Management Plan)

 

BusinessObjects Administration - Content Management Procedure

BusinessObjects Administration - Content Management Plan

 

And the next step would be identifying required rights for each user category. You should make use of Custom Access Levels for each user category.  Refer my external blog here to understand about Custom access levels

http://blogs.hexaware.com/business-objects-boogle/businessobjects-administration-custom-access-levels/


Based on the requirement create list of rights necessary for each user category.  Consolidated list of all the rights and a custom access level grouping for admin group is depicted below.

 

BI 4.x Master rights

 

1.jpg

 

Delegated Administrators Access level

 

2.jpg

 

I also attached prototype of the document with this blog.  Since .xls doesn't supported, I have exported it to .txt format . Make use of it if you want to utilize it to your requirement. Thanks for reading once again.


Related blogs


BusinessObjects Administration - Setting up security model – An easy way to configure and manage

BusinessObjects Administration - Setting up security model – Part II



Hey!

 

Great news from Sathish Rajagopal - he's just announced on his blog http://scn.sap.com/blogs/sathishrajagopal that we've just release 'Phase 3' of our SAP BI Pattern Books project!

 

These now include a further 2 books, totally comprehensive, tailored and delivered specifically for customers moving to BI 4.1.

 

 

  • How to successfully Upgrade from SAP BusinessObjects Enterprise XI 3.1 release to SAP BusinessObjects BI 4.1 release
  • How to successfully Update from SAP BusinessObjects BI 4.0 release to SAP BusinessObjects BI 4.1 release

 

 

Think of these as "friendly" instruction manuals, with step-by-step instructions, following the particular 'pattern' of real-world deployment scenarios. 

The perfect complement to our technical Help guides, these Pattern Books also list the challenges, tips & tricks, best-practices etc. including links to relevant SCN articles and SAP Notes.

 

 

Here are the links to the SAP BI Pattern Books:

 

 

If you have any questions please ask. 

Enjoy ,and good luck!

 

Cheers,

H

Dear BI users around the globe..

 

For all those that feared BI4.1 being the end station of the well know and beloved SAP BusinessObjects BI Suite, some interesting news have been shared by Steve Lucas during the ASUG User Conference (SABOC)

 

To be clear: Yes there will be a BusinessObjects BI 4.2,” Lucas announced, “and it will be in 2015.” He promised some major enhancements, such as in administration, ease of use and live streaming of data. “Above all else,” he said, “the No. 1 feature will be quality.”

 

read more about what will be coming in the SAP Analytics Portfolio in the Vision Article shared by ASUG via http://www.asugnews.com/article/sap-shares-analytics-vision-lumira-bi-4.2-details-at-asugs-saboc-event

 

Once more details can be shared, I will update you all with our plans for BI4.2

Regards

Merlijn

Hi everyone,

 

Just a quick hello to let you know that a new BI-related course has just opened for registration.

 

This free openSAP course is called "BI Clients and Applications on SAP HANA" and is designed to help you get hands-on experience in deploying BI on SAP HANA, leveraging HANA both as a data source and as a platform.

 

 

Learn about the new features in SAP BusinessObjects BI 4.1, and how it is optimized for SAP HANA. Benefit from best-practices around design, development, and troubleshooting of BI content, and simplify your SAP BusinessObjects BI toolkit. You can also experience SAP Lumira, in the desktop, cloud, and server releases to create amazing visualizations that can be consumed anywhere.

 


BI Clients and Applications on SAP HANA begins from October 29 and enrolment is now open. The course is targeted at BI Developers and Business/Data Analysts, but is open to anyone interested in learning about BI.

 

 

 

Please note that whilst the (optional) hands-on exercises will incur some minimal infrastructure costs, Registration, learning content, final exam and Record of Achievement are all free of charge.

 

 

Enroll today!

 

Regards,

H

I would like to share my recent experience on configuring Windows AD and SSO on a new SAP BI 4.1 BOBJ server. I used to follow the traditional way of using Kerberos Key tab file; this time went for the plain password technique. Thanks to SAP Support for clarifying the different approaches.

 

Below are the steps followed in my configuration…

 

Service Account Setup

 

1.1    Creation of New Account

 

 

·         To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller.

·         To register the service, on the Domain Controller, open the Active Directory Users and Computers snap in.

·         Click the Users folder to display a list of users and on the Action menu, click New and then click User.

·         Enter a name and logon name for the new service, and then click Next.

·         On the next screen, enter a password for the service. Ensure that the User must change password at next logon option is not selected.

·         Click Next and then click Finish.

·         Right-click the user you have entered in the User folder list, and then click Properties.

·         Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from expiring, which would cause Kerberos errors.

·         If your Domain Controller is running in a lower Domain Functional Level (lower than Windows 2003 Domain), view the  Account properties for the user you created in step 2, and select Use DES encryption types for this account.

·         Note: In Windows 2003 and 2008, Domain Functional Level RC4 is used by default.

·         Click OK.

 

1.2      Settings to be done on the User Account

 

·         Ensure the Password Never Expires option is enabled in the User Account Properties à Account Tab

 

1.3     To grant the service account rights

 

·         Logon to BOBJ server and perform the below steps

·         Click Start > Control Panel > Administrative Tools > Local Security Policy.

·         Expand Local Policies, and then click User Rights Assignment.

·         Double-click Act as part of the operating system.

·         Click Add.

·         Enter the name of the service account BOserviceaccount, and then click OK.

·         Ensure that the Local Policy Setting check box is selected, and click OK

·         Ensure the service account BOserviceaccount has the following System Rights enabled on the BOBJ Server

   *  Act as part of Operating System

   *  Log on as a Batch Job

   *  Log on as a service

   *  Replace a process level Token

 

 

1.1     To add an account to the Administrator's group

 

 

·         Logon to BOBJ Server and perform the below steps

·         Right-click My Computer and click Manage.

·         Go to System Tools > Local Users and Groups > Groups.

·         Right-click Administrators, then click Add to Group.

·         Click Add and type the logon name BOserviceaccount of the service account.

·         Click Check Names to ensure that the account resolves.

·         Click OK, and then click OK again.

 

    2.0  SPN

 

Steps to set  SPN .

 

In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:

 

·         Login to the Domain Controller Server

·         Use the setspn -a command to add the HTTP service principal names to the service account which was created earlier

a)     setspn -a HTTP/BOBJServerName  BOserviceaccount

                              b)     setspn -a HTTP/BOBJServerName.Domain.COM BOserviceaccount

                              c)     setspn -a HTTP/IP address of BOBJ Server BOserviceaccount

                              d)     setspn -a ServicePrincipalName  BOserviceaccount

 

Verify the Service Account Properties and it should similar to the below screenshot.

serviceaccountprop1.png

·         Go to the Delegation Tab on the Properties of the Service Account Created and Enable the option “Trust this user for delegation to any service (Kerberos only) on the Service Account” as denoted in the below screenshot

 

serviceaccountprop2.png

·         Run setspn -l BOserviceaccount to verify that the HTTP service principal names were added to the service account.

 

      3.0     Expected Output

      At the end of the set of activities performed as denoted in the sections

·         Service Principal Name

·         Domain Controller IP address and its FDQN

·         Service Account

·         Service Account Password

      4.0     Adding Entries for AD Configuration

 

·         Create a file bscLogin.conf & Krb5.ini in the BOBJ Installation Directory

·         Add the below entry in the bscLogin.conf in case of Tomcat Web Application Server

                              com.businessobjects.security.jgss.initiate {
                              com.sun.security.auth.module.Krb5LoginModule required;
                                                  };

·         Add the below entry in the Krb5.ini file. Ensure the entry kdc=<Domain Controller Server Name>.DOMAIN.COM

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = Domain Controller Server nme. DOMAIN.COM
default_domain = DOMAIN.COM
}

Make sure this file is saved correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BOBJ server, and execute ‘kinit BOserviceaccount’ in a command prompt. If a new ticket is stored, the file is correct.

 

·         Open the Tomcat Configuration and add the below command lines to the Java Option

-Djava.security.auth.login.config=C:\BO\WinAD\bscLogin.conf
-Djava.security.krb5.conf=C:\BO\WinAD\Krb5.ini

·         Update the server.xml located in the directory C:\BO\Tomcat\conf search for Connector String and ensure the Connector entry is similar to that of entries mentioned below

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" acceptCount="100" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=" 65536" minSpareThreads="25" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" />

 

4.1     Active Directory SSO Configuration

 

 

  ·         The active directory SSO configuration involves creation of .properties file in the Tomcat WebApps folder where the BOE .war file is deployed

·      Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the BIlaunchpad.properties file and add the following entries in that file.

                     authentication.default=secWinAD
               authentication.visible=true

·      Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the global.properties file and add the following entries in that file.

                     sso.enabled=true
               siteminder.enabled=false
               vintela.enabled=true
               idm.realm=DOMAIN.COM
               idm.princ=ServicePrincipalName
               idm.allowUnsecured=true
               idm.allowNTLM=false
               idm.logger.name=simple
               idm.logger.props=error-log.properties
               idm.allowS4U=true

Note that we are not keeping key tab file path in global file.

·         Open Tomcat Options Add the following lines to Tomcat Java Options:

                       -Dcom.wedgetail.idm.sso.password=<Password of BOServiceaccount>

                       -Djcsi.kerberos.debug=true

 

Start Tomcat, go to C:\BO\SAP BusinessObjects\Tomcat\logs\, check stdout.log  has ‘credentials obtained’ shown.

Test single-sign-on is now working in a browser on any client system (not on the BOBJ server).

 

In order to avoid SSO stops working on patch upgrades,

We can copy the BIlaunchpad.properties and global.properties from C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom to C:\BO\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom

 

 

Hope this helps..

 

Thanks and Regards

Sandeep Chandran


Continuing with my earlier blog BusinessObjects Administration - Setting up security model – An easy way to configure and manage. In this blog we are going to see the different security model designs which I came across throughout my experience. Here are some of them

1. Basic setup with Functional user categorization


This is the basic setup without any application/Department wise user categorization. Users will be categorized only based on their functionality (Viewer/Analyst/Author). This means users can view data across different applications and there is virtually no restriction on viewing the BI content. Functionalities enabled for each user category is described here in my previous blog  BusinessObjects Administration - Setting up security model – An easy way to configure and manage

Graphical representation of the model


Model 1.jpg

2. Hybrid setup with inherited user category

 

In this model, Users are segregated by each Application/department first. The subsequent user categorization would be additive in nature and the hierarchy will fall from least privileged group to most privileged group by making use of Group level inheritance capability. Similar to type 1 model, users of Application/department can view all the reports but only within their department.


Graphical representation of the model


Model 2.jpg


3. Hybrid setup  with cross Application/departmental & user category


This is the most effective and commonly used security model across various BusinessObjects deployments. Compared to previous two models this model ensures the BI content is accessed in a highly secured way i.e. reports are viewed by only group of users who are intended to do so. Here user groups within the department will be having distinct functional access rather than additive functional access as compared to that of type 2 model.


Graphical representation of the model

Model 3.jpg

Let us see about each model in detail in upcoming blogs. Keep reading.


Related blogs


BusinessObjects Administration - Setting up security model – An easy way to configure and manage

BusinessObjects Administration - Setting up security model – Part III



The Issue

 

I recently deployed SAP BusinessObjects 4.1 across several environments at a client site and ran into the following error message when saving a Web Intelligence report to the platform from the Webi Rich Client, Java Panel and HTML Panel.


The document's serialization version is too recent (Error: WIS 30915)


Scheduling a Web Intelligence report to Webi format also resulted in the above error.

 

The Web Intelligence processing server logs left the following trace:

 

**ERROR:SRM:An internal error occured while dgSerializeManagerImpl is calling ibo_idgSrmStore->PublishToCorporate [kdgSerializeManager.cpp;2533]

 

  • No issues were logged in the setupengine.log
  • Running a repair on the deployment didn't resolve the issue

 

Root Cause

 

Query Builder reveals what would appear to be an incorrect version number for the Web Intelligence application

 

SELECT SI_ID, SI_NAME, SI_FILENAME, SI_WEBI_SERIALIZATION_VERSION FROM CI_APPOBJECTS WHERE SI_KIND = 'WebIntelligence'


14.0.3.0.jpg


Solution

 

  • Note the dfo filename above - BusinessObjects_WebIntelligence_dfo.xml.
  • Stop all SIA nodes
  • Backup the CMS database
  • Copy the file from the <InstallDir>\SAP BusinessObjects Enterprise XI 4.0\dfo directory to <InstallDir>\SAP BusinessObjects Enterprise XI 4.0\packages directory
  • Start the SIA Node containing the CMS
  • Confirm the file has been removed from the <InstallDir>\SAP BusinessObjects Enterprise XI 4.0\packages directory
  • Confirm the update via Query Builder

14.1.4.0.jpg

 

  • Run earlier tests.......All working

 

Side Notes

 

I ran into this issue on an upgrade from BI4.0 SP5 FP4. I wasn't able to replicate this issue (as expected) on an environment that had a clean build i.e. no upgrade

 

I'll report the issue through the correct channels in due course but I felt it was best to get this information out there as I burnt several hours troubleshooting this and no doubt someone else might run into the same problem.


Designing security model is one among the important phase in BusinessObjects implementation/migration projects. Well-organized security model not only provides easier Administration but also ensures security is seamlessly implemented across different functional/application user groups with less maintenance effort.

 

From this blog on wards, we are going to see how to design and implement the security model. Before starting the design, we should consider the below things

 

Various rights categories (as on BI 4.0 SP3)

 

There are 4 different rights categories as we already aware and they listed below

 

  • General
  • Application
  • Content
  • System

 

I have consolidated all of them and the same is depicted below

rights.png

 

Various user categories


Always categorize users based on Application as well as functionality (what they can do). I have categorized users based on their BusinessObjects Application/content and their functionality on BI content


Application wise user category


User category

Description

Crystal users

Crystal report users

WebI users

Web Intelligence report users

Dashboard users

Xcelcius dashboard users

Design Studio Users

Design Studio dashboard users

Universe/Information designers

Universe Designers

Analysis users

Analysis Application users

Explorer users

Explorer application users

Mobile users

Mobile report users


Functional user category


User category

Description

BOE Users

All users of the BusinessObjects system

Viewers

Users who can only view/refresh the reports

Interactive Analysts

Analysts can refresh/create/modify the reports that they create and they cannot create/modify the corporate reports

Interactive Authors

Analysts can refresh/create/modify the corporate reports

Super Users/Managers

Users who can manage and maintain document as well as users for a particular application/department

Content Schedulers

Users who can schedule reports for their own and on behalf of others

Content Promoters

Users who can migrate/promote BI content across different environments

Delegated administrators

Users who can administrate the Businessobjects deployment as a whole or part of it

 

Based on the rights and user categorizations we are going to see more about the security model design in my upcoming blogs! Thanks for reading!


Related blogs

 

BusinessObjects Administration - Setting up security model – Part II

BusinessObjects Administration - Setting up security model – Part III

We can add the HANA Live views in UDT by adding HANA connection. Normally views will be stored in_SYS_BIC schema.

Step 1: Create a HANA Connection with JDBC driver

p1

 

Step 2: Choose JDBC drive and Add the credentials and Host name for HANA DB

p2

p3

 

Step 3: Test the Connection

 

p4

 

 

Step 4: Add a new class under project.

 

p5

Step 5: Select  the view from _SYS_BIC schema

 

p6

 

p7

 

 

Step 6: Select your view and add the objects for the class.

 

p9

Now you have successfully added the HANA Live View from HANA Database into UDT. Universe can be created using HANA Live view.

Thanks

Let me know, if you have any issues.


As we all already aware, In BI 4.x the capabilities provided by as-is sample of Audit reporting suite is limited and we can see there are so many requirements flowing in SCN around this for quite some time with reference to additional requirements from Auditing .

 

Can I extend the Auditing capabilities and How?

 

We can enhance the existing audit capability from the as-is sample. Besides the default sample reports provided, I do have few more requirements something like below.

  • Frequently used reports
  • List of most active users
  • Who are all my Mobile BI users?

 

To achieve the requirements above I have adopted following approaches.

 

Approaches

 

Below are some of the approaches I have considered for Audit reporting enhancements.

 

1. Creating customized Audit reports from the existing Audit schema

 

We can create enhanced audit reports from the existing Audit schema based on our requirement. We can create extended reports by referring existing report and modify the report prompts/filter etc.

 

For example to get the Mobile report access use  "Application_Type_Name" from table "ADS_APPLICATION_TYPE_STR" which provides the application type from which the access is from i.e. mobile device. It is available as "Client Application Type" in class "Events" in the Universe)

 

2. Creating Custom tables in Audit schema for the reporting

 

          We can create custom tables in Audit schema based on our requirement. One of such option is to create derived tables in Audit universe based on the Custom SQL statements than can be run directly on Audit database.

 

More active users can be obtained by running the below SQL on Audit database

-----------------------------------------------------------------------------------------------------------------

SELECT

            ADS_EVENT.USER_NAME AS USER,

            COUNT(ADS_EVENT.EVENT_ID) AS COUNT,

RANK() OVER (ORDER BY COUNT(ADS_EVENT.EVENT_ID) DESC) AS RANK,

FROM ADS_EVENT

WHERE EVENT_TYPE_ID=1014

GROUP BY ADS_EVENT.USER_NAME

-----------------------------------------------------------------------------------------------------------------

 

Create a derived table in Audit universe with the above SQL and then you can directly run reports on top of the derived table column/objects.

 

Alternatively if the Custom SQL extracts large dataset we can skip the derived table approach which is meant for less number of rows and create a materialized view at database side and refresh it periodically and then do the reporting from there.

 

3. Creating a metadata repository and start the reporting by creating the multi source universe which points to both Auditing schema as well as metadata schema.

 

          This approach will be very useful whenever we need to create reports that need to capture the information from both Audit and BO repository. Some of the information such as number of Named users/Concurrent users cannot be extracted from Audit schema in which metadata reporting along with Audit reporting will be handy.

 


BI 4.x Audit reporting references:

 

BusinessObjects Auditing - What is changed in BO 4.0?

Sample Auditing Universe and Reports for SAP BusinessObjects_4_x

SAP BusinessObjects 4.0 Auditor Configuration & Deployment End to End

BusinessObjects Auditing - Considerations & Enabling

 


Thanks for reading. Appreciate all your thoughts, comments, ideas & feedback.

Hi All,

 

I wanted to share an experience that I had during migration of universes and reports from BO 6.5 to BOE 3.1

 

My BO 6.5 Admin gave me the bomain.key file which I used in the Import Wizard.

 

A little bit of background for the people like me who have never worked on a BO 6.5 system. There is no concept of CMS and filestore in BO 6.5

 

Instead there are domains which house the BI content. There are mainly three types of domains in BO 6.5 which I am aware of.

 

1. Security Domain :- It has the users, groups and the security information.

2. Document Domain :- It has the reports.

3. Universe Domain :- It has the universes.

 

A particular environment can have multiple Document and Universe Domains. These documents translate to folders while migrating to BOE architecture (BOE XI R2 or BOE 3.1)

 

bomain.key is the encrypted file which has the connection and linking information for these domains of BO 6.5 environment. You need this file while logging into the BO 6.5 system using Import Wizard.

 

So my BO 6.5 Admin provided me with the bomain.key file for migrating content required for the project. My BO 6.5 repository was on Oracle and so was the CMS of BOE 3.1

 

I faced a weird issue while logging into BO 6.5 through Import Wizard. It gave me an error about missing TNS entry. So I contacted my BO 6.5 Admin and he provided the TNS for my security domain. This help me pass the login screen.

 

However when I selected the folders and universes to migrate, I saw only empty folders. None of the reports or universes were visible in the Import Wizard.

 

To troubleshoot this issue further, I enabled tracing on Import Wizard by adding "-trace" to the IW shortcut in the startup menu. The logs were very lucid and correctly pointed to the problem.

 

I got the below trace in the logs.

 

2014/08/21 08:33:10.966|>=|W| | 3864|7560| |||||||||||||||_BOImportHelper::getUniverses: Universe 15 cannot be imported because the corresponding domain is down

2014/08/21 08:33:10.966|>=|W| | 3864|7560| |||||||||||||||_BOImportHelper::getUniverses: Universe 16 cannot be imported because the corresponding domain is down

2014/08/21 08:33:20.028|>>|E| | 3864|7560| |||||||||||||||PingDomain: Unable to connect to domain 11 because: ORA-12154: TNS:could not resolve the connect identifier specified


Apparently my universe and document domains required additional tns entries. So to further overcome this issue, I just merged the tnsnames.ora file from the BO 6.5 server with the one on BO 3.1 server.


This resolved the issue and migration went very smooth.


I will just put the crux of my blog in points for easier understanding.


  • There is no CMS or Filestore concept in BO 6.5 It has domains.
  • There are three types of domains, mainly security, document and universe domain
  • These domains translate to folders while migrating to BOE XI R2\3.1
  • bomain.key file is the encrypted file holding information of all domains. It is required logging into the Import Wizard.
  • The machine\box from where you launch the Import Wizard should be able to connect to all the domains in BO 6.5 for successful migration.

 

Thanks for reading my blog and I hope you found it useful.

 

Regards

Chinmaya

Actions

Filter Blog

By author:
By date:
By tag: