
SAP BusinessObjects Mobile


This blog will solely look at the integration of Mobile BI with a Kerberos SSO setup on a BI 4.2 SP02 environment.


Prerequisites:

- SAP BI 4.2 SP2 landscape

- SSO already setup

- MDM profile management in place

- If you need to implement the fix for Tomcat (check 1.4 below) make sure to stop/start the Tomcat server. The rest of MoBI can be stopped/started individually from Tomcat.


 

1     web.xml

You can find the web.xml file via the following path (depending on your deployment of your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\web.xml

 

Ensure that the following settings are marked as active in this file.

  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param>
      <param-name>sso.enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>siteminder.enabled</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>vintela.enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>idm.realm</param-name>
      <param-value><YOUR.FULL.DOMAINNAME></param-value>
    </init-param>
    <init-param>
      <param-name>idm.princ</param-name>
      <param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
    </init-param>
    <init-param>
      <param-name>idm.allowUnsecured</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>idm.allowNTLM</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>idm.logger.name</param-name>
      <param-value>simple</param-value>
    </init-param>
    <init-param>
      <param-name>idm.logger.props</param-name>
      <param-value>error-log.properties</param-value>
    </init-param>
    <init-param>
      <param-name>idm.keytab</param-name>
      <param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

 

The items that are environment specific:

    <init-param>
      <param-name>idm.realm</param-name>
      <param-value><YOUR.FULL.DOMAINNAME></param-value>
    </init-param>

For idm.realm, set <YOUR.FULL.DOMAINNAME> to your full DN.

 

    <init-param>
      <param-name>idm.princ</param-name>
      <param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
    </init-param>

For idm.princ, set <BICMS/YOUR_BICMS_SPN_SETUP> to the BICMS value corresponding to your service account's SPN setup, as was done for the initial SSO deployment.

 

Additional parameters to be added to the original file!

    <init-param>
      <param-name>idm.keytab</param-name>
      <param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
    </init-param>

The idm.keytab parameter is currently NOT highlighted in the web.xml file and is not highlighted in the documentation! However, you will need to add it for a successful deployment.

 

Make sure to add all 4 lines to your web.xml. Change the <THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS> to wherever you stored your KTPASS from your original Kerberos configuration!

 

e.g. C:\Windows\myenvironment.keytab

 

All these manual settings can be found in your original SSO deployment in the global.properties file:

<Installation Folder>\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.


1.1   authscheme.properties

 

Copy the authscheme.properties from the default to the custom folder via the following path (depending on your deployment of your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom

 

# allows kerberos logon

KERBEROS=com.businessobjects.mobilebi.server.logon.impl.KerberosSSO

 

Make sure to activate the KERBEROS line; no changes are required other than removing the #.


1.2   sso.properties

Copy the sso.properties from the default to the custom folder via the following path (depending on your deployment of your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom

 

# You can configure mobile server to connect multiple CMS, specify default CMS id here

default.cms.identifier=1

 

# You can specify IP Address/Qualified Name/Alias for your CMS here

1.aliases=<CMS_NAME:PORT>

 

# You can specify the Authentication type here.  secLDAP, secWinAD, secEnterprise

1.authentication.type=secWinAD

 

# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST

1.authentication.scheme=KERBEROS

 

There are four lines that need to be activated in this file with the identifier set in the first example:

 

# You can configure mobile server to connect multiple CMS, specify default CMS id here

default.cms.identifier=1

The first line identifies your default CMS. This is not relevant if you are running a single box, as it will then always be 1. This value is then used to activate the following lines as well.

 

# You can specify IP Address/Qualified Name/Alias for your CMS here

1.aliases=<CMS_NAME:PORT>

Make sure to specify your full CMS name including the port, e.g. MyCMS:6400.

In case you make use of clustering with a supporting clustering file, just fill in this name only e.g. @BI-DEV

 

IMPORTANT NOTE

This name needs to be identical to the name specified in the server.properties which will be mentioned below.

 

# You can specify the Authentication type here.  secLDAP, secWinAD, secEnterprise

1.authentication.type=secWinAD

Set the authentication type to secWinAD.

 

# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST

1.authentication.scheme=KERBEROS

Set the authentication scheme to KERBEROS (mind that you use capital letters!)


1.3   server.properties

Copy the server.properties from the default to the custom folder via the following path (depending on your deployment of your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\custom

 

mobi.connections=sso

sso.DisplayName=Nick_is_AWESOME!

sso.BOBJ_MOBILE_SSO_ENABLED:true

sso.BOBJ_MOBILE_SSO_TYPE:kerberos

sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>

sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>

mobi.connections=sso

Activate your mobi connection by giving it a unique name, e.g. sso.

This will then need to be used onward for this specific connection setup.

 

sso.DisplayName=Nick_is_AWESOME!

This can be any given name that will reflect on the MobileApp as the connection name.

 

sso.BOBJ_MOBILE_SSO_ENABLED:true

SSO_ENABLED needs to be set to true

 

sso.BOBJ_MOBILE_SSO_TYPE:kerberos

SSO_TYPE needs to be set to kerberos (mind that this is in small letters!)

 

sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>

Fill in the URL that specifies your BI Server, e.g. HTTP(S)://MyBIServer:<PORT>

 

sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>

Fill in the CMS name the same way as setup in the sso.properties file, e.g. MyCMS:6400

In case you make use of clustering with a supporting clustering file, just fill in this name only e.g. @BI-DEV


1.4   Tomcat Configuration

Lastly you will need to add a line to your Tomcat configuration.

 

-Dorg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH=true

tomcatconf.png


Additional note!


This is only applicable if you run the SAP-supplied version of Tomcat that was shipped with 4.2 (Apache Tomcat/8.0.21).

This issue is resolved in Apache Tomcat 8.0.29 onward.


Check your version; otherwise this setting is NOT needed!


1.5   Setup connection on Mobile BI APP

Set up a new connection by calling the Import Connection option.

Import_connection.png

Now you select Configuration Server

 

import_configuration_server.png

In the URL box, enter your BI Server name and port, e.g. HTTP(S)://MyBIServer:<PORT>. Now select Import.

 

import_configuration_server2.png

Now the app will get the connection details from the server. On the connections you will see all the defined connections from the earlier set server.properties file. Select the desired connection.

 

create_new_connection.png         

You now see all the credentials as expected from the setup server.properties file. Select done.

 

logging_in.png

Now the system will automatically try to establish an SSO connection to the server.

 

1.6   Known Errors

     1.6.1  MOB00929

This message comes up when you try to make an AD SSO attempt from MobileBI towards the SAP BI backend.

Full message: classcom.businessobjects.mobile.bi.server.logon.impl.KerberosSSO does not declare method ‘getEnterpriseSession’ with expected parameters (MOB00929)

 

Solution:

Ensure that you set the keytab entry in the web.xml file and that you add the additional line to the Tomcat configuration as described above.


error.png
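A cross-check of the three files configured in this walkthrough, as an added example that is not part of the original post or of SAP's tooling: it reads the KerberosFilter parameters from web.xml together with sso.properties and server.properties and reports the mistakes the text warns about (a missing idm.keytab, wrong letter case, CMS names that differ). The function names and all sample values (realm, SPN, host) are constructed for illustration; authscheme.properties and the Tomcat JVM option are not covered.

```python
import xml.etree.ElementTree as ET

# Values the walkthrough sets in web.xml, and entries that must be filled in.
EXPECTED = {"sso.enabled": "true", "siteminder.enabled": "false",
            "vintela.enabled": "true", "idm.allowNTLM": "false"}
REQUIRED = ("idm.realm", "idm.princ", "idm.keytab")

def parse_properties(text):
    """Parse .properties text; a key ends at the first '=' or ':' (the post uses both)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut > 0:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def kerberos_filter_params(web_xml):
    """Return the init-params of the active KerberosFilter, or None (comments are ignored)."""
    def local(tag):
        return tag.rsplit("}", 1)[-1]  # strip an XML namespace, if any
    for node in ET.fromstring(web_xml).iter():
        if local(node.tag) != "filter":
            continue
        names = [c.text.strip() for c in node if local(c.tag) == "filter-name" and c.text]
        if "KerberosFilter" not in names:
            continue
        params = {}
        for init in (c for c in node if local(c.tag) == "init-param"):
            pair = {local(c.tag): (c.text or "").strip() for c in init}
            params[pair.get("param-name", "")] = pair.get("param-value", "")
        return params
    return None

def check_mobile_sso(web_xml, sso_text, server_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    try:
        params = kerberos_filter_params(web_xml)
    except ET.ParseError as exc:
        return [f"web.xml: not well-formed ({exc}); is a <PLACEHOLDER> still in place?"]
    if params is None:
        findings.append("web.xml: no active KerberosFilter")
    else:
        for key, want in EXPECTED.items():
            if params.get(key) != want:
                findings.append(f"web.xml: {key} should be {want}, found {params.get(key)!r}")
        for key in REQUIRED:
            if not params.get(key):
                findings.append(f"web.xml: {key} is missing or empty")
    sso = parse_properties(sso_text)
    cms_id = sso.get("default.cms.identifier", "")
    alias = sso.get(f"{cms_id}.aliases", "")
    for key, want in (("authentication.type", "secWinAD"), ("authentication.scheme", "KERBEROS")):
        got = sso.get(f"{cms_id}.{key}")
        if got != want:  # exact comparison: the post stresses capital letters
            findings.append(f"sso.properties: {cms_id}.{key} should be {want}, found {got!r}")
    server = parse_properties(server_text)
    # Assumption: mobi.connections may list several connection names separated by commas.
    conns = [c.strip() for c in server.get("mobi.connections", "").split(",") if c.strip()]
    if not conns:
        findings.append("server.properties: mobi.connections is not set")
    for conn in conns:
        for key, want in (("BOBJ_MOBILE_SSO_ENABLED", "true"), ("BOBJ_MOBILE_SSO_TYPE", "kerberos")):
            got = server.get(f"{conn}.{key}")
            if got != want:  # exact comparison: the post stresses small letters
                findings.append(f"server.properties: {conn}.{key} should be {want}, found {got!r}")
        cms = server.get(f"{conn}.BOBJ_MOBILE_CMS")
        if cms != alias:
            findings.append(f"server.properties: {conn}.BOBJ_MOBILE_CMS {cms!r} differs from "
                            f"the sso.properties alias {alias!r}")
    return findings

# Constructed sample inputs (hypothetical realm, SPN, host and CMS name).
def sample_web_xml(params):
    inits = "".join(f"<init-param><param-name>{k}</param-name>"
                    f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>'
            f"<filter-name>KerberosFilter</filter-name>{inits}</filter></web-app>")

GOOD_PARAMS = {**EXPECTED, "idm.realm": "EXAMPLE.COM", "idm.princ": "BICMS/svc-bi.example.com",
               "idm.keytab": r"C:\Windows\myenvironment.keytab"}
SSO_PROPS = ("default.cms.identifier=1\n1.aliases=MyCMS:6400\n"
             "1.authentication.type=secWinAD\n1.authentication.scheme=KERBEROS\n")
SERVER_PROPS = ("mobi.connections=sso\nsso.DisplayName=BI SSO\n"
                "sso.BOBJ_MOBILE_SSO_ENABLED:true\nsso.BOBJ_MOBILE_SSO_TYPE:kerberos\n"
                "sso.BOBJ_MOBILE_URL=https://bi.example.com:8443\nsso.BOBJ_MOBILE_CMS=MyCMS:6400\n")

if __name__ == "__main__":
    result = check_mobile_sso(sample_web_xml(GOOD_PARAMS), SSO_PROPS, SERVER_PROPS)
    print("\n".join(result) if result else "no findings")
```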

High Level Steps for Configuring BusinessObjects Mobile Server in DMZ End To End

1. Install BusinessObjects on the Application Server hosted inside your organization's LAN.
2. Assign start-up ports for services like CMS, APS, Web Intelligence Processing Server, IFRS, OFRS (if your APS is split, include all APS containing Auditing services).
3. Get ports opened between the Mobile Server and the App Server by your network team (include the Tomcat port along with the above-mentioned ports).
4. Install BusinessObjects Mobile, which includes Tomcat, Java Web Apps and CMS Plugins, on the Mobile Server hosted in the DMZ LAN facing the internet.
5. Configure SSL on the Tomcat of the Mobile Server. Configure Tomcat on port 443.
6. Generate the keystore file and CSR file using keytool. Send it to your organization's certificate authority and get the certificate.
7. Import the certificate into Tomcat. Restart Tomcat.
8. Access https://mobileserverhostname


This article covers Citrix XenMobile wrapping support for the Android version of SAP BusinessObjects Mobile. SAP BusinessObjects Mobile for Android supports Citrix XenMobile app wrapping starting with the 6.2.12 release. The article covers how to wrap the app and use the XenMobile platform with the minimal configuration settings required to run the wrapped application successfully; it does not focus on the features of the Citrix XenMobile platform offerings.

 


Pre-requisites

 

1. SAP BusinessObjects Mobile Android SDK (Can be downloaded from SAP service market place)

2. Citrix XenMobile Platform for  wrapping and applying policies

3. MDX Toolkit (Available from Citrix )

4. Android Studio Installed

 

What is Citrix XenMobile  Platform for wrapping :

 

Mobile application management allows you to securely manage and deliver mobile apps to users. Citrix XenMobile is a cloud-based platform which wraps applications to enhance (customized) security and enforce organization-specific policies, and the apps can be distributed securely to enterprise users through the Citrix Worx app. This makes it easy for larger organizations that consume multiple applications to unify the experience, with common security and policies for distributing and accessing the applications and with managed, controlled and timely updates to their deployed apps. Applications are wrapped for the Citrix XenMobile platform using the Citrix MDX Toolkit. The MDX Toolkit inserts logic and policies into each mobile app. The wrapped app has to be uploaded to the XenMobile platform to apply the different policies and to assign the distribution details.


How to make SAP BusinessObjects Mobile for Android work


At a high level, I have divided this process into four steps:


  1. Getting the SAP BusinessObjects Mobile BI for Android APK.
  2. Wrapping with the MDX Toolkit.
  3. Uploading to the XenMobile platform and configuration.
  4. Wrapped app distribution.


Let's begin!


Step 1 :

Please go to the SAP Service Marketplace and download the SAP BusinessObjects Mobile for Android SDK. The SAP BI Android SDK project is made simple to use so that you can do some customizations on top of our native app offering in the Google Play Store. If you are not interested in any customization, you can extract the built APK from the project and use it for your distribution/wrapping.

The SDK project is a ZIP file which needs to be unzipped and imported into Android Studio to get the project ready. Once imported, it is an Android project in itself, with libraries containing the SAP BI Mobile core content and a few properties files for customizations. For in-depth details on how to set up this project, please refer to the blog which has complete details: Mobi Android SDK setup using Android Studio

You can even leave it without doing any customization. Clean and build the project, and you have the APK in your output bin, which is your SAP BusinessObjects Mobile Android APK file.

 

Step 2 :

 

Download the MDX Toolkit from the Citrix website. The MDX Toolkit is available for the Mac OS X and Windows platforms.

I will cover this from the Mac OS X perspective, which has a UI-based wrapping toolkit. On Windows, it is a JAR with a command-line tool.

You can refer to the following link for MDX installation details:

http://docs.citrix.com/en-us/mdx-toolkit/10/xmob-mdx-kit-install.html


Installation of the MDX Toolkit on a Mac is simple: double-click the DMG and just install. Once you install, you would be required to


To wrap an Android app successfully, the MDX Toolkit requires a configuration file called android_settings.txt.

This is nothing but the environment variables required for the Java Runtime, the Android SDK location details and the other environment variables required.


MyPath file looks as below:


PATH = /Users/USER_NAME_MAC_LOGGED_IN/Library/Android/sdk/platform-tools:/Users/USER_NAME_MAC_LOGGED_IN/Library/Android/sdk/build-tools/19.1.0:/Users/USER_NAME_MAC_LOGGED_IN/Library/Android/sdk/tools:/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/

// paths to be PATh variable below.

PATH = /usr/bin:/usr/sbin

 

 

Once the configuration for the Android settings is set, start the installed MDX Toolkit, provide the required details such as the APK file and your Android keystore, and click Finish. It generates a file with the extension .MDX, which is used for uploading to the XenMobile platform.

I have provided the complete workflow screenshots below:

 

MDX-0.pngMDX-1.pngMDX-2.png

MDX-3.pngMDX-4.png


Step 3 :

Open your browser, go to your Citrix XenMobile administration console login page and provide your login credentials.

Click the tab "Configure".

On the new page, click the tab "Apps".

Click the link "Add" to add the newly created MDX file.

Choose the option "MDX".

On the new screen, in the left panel, uncheck iOS and Windows, since we are only going to do this for Android.

On the right side of the screen, provide the name and a description, select the enterprise app category provided by your admin (for me it is the default) and click NEXT.

Choose the MDX file and upload it.

Once it is uploaded, you will reach the settings screen, where you configure the settings required for the SAP BusinessObjects Mobile Android app.

Please follow the configurations below, which are mandatory for the app to run successfully. I will try to explain why these settings are required as well.

 

  a. Under Encryption settings, select the disabled option for "Private File Encryption" and "Public File Encryption".

  platform 1.png

The encryption used by default by the SAP BusinessObjects Mobile Android version is of one of the highest standards and follows FIPS standards. A second level of encryption by the Citrix platform is not supported by Citrix, as the Citrix XenMobile platform has some issues with it.

You can find complete details in the following link:

http://docs.citrix.com/ru-ru/mdx-toolkit/10/xmob-mdx-dev-guide-overview/xmob-mdx-dev-android-best-practices.html

 

 

  b. Under App Interaction, set "Document exchange (open in)" and "Inbound document exchange (open in)" to "Unrestricted".

  platform 2.png

This is required since the app has features in which data flows outside the app, such as the Send to email feature, where a screenshot and SAPBI link information are transferred to the email app. Similarly, the app uses the SAPBI link to open the app, where parameters are passed from externally hosted links.

  c. Under App Network Access, set the network access to "Unrestricted" or, if your organization has a VPN tunnel set up, use that.

This is required since the app uses network communication and Citrix XenMobile by default has settings which block any network connectivity for apps.

Apart from these policies, the rest of the policies can be specific to your organization and can be applied as per your need.

 

Step 4

 

Once the policies are set, the app is available for download through Citrix Worx Home. Download the application from the Google Play Store and log in to the application as provided by your administrator. If the logged-in user has been given access to download the app, he or she can download it to the mobile device directly from this Citrix Home app.

That's it!

SAP BusinessObjects Mobile BI are invited to join the ASUG BI Community in learning how they can influence the future direction of the software. This is a re-launch of the successful ASUG SAP BusinessObjects Mobile BI Influence Council.  If you're interested in attending to find out more about this Influence Council please register using the link below:

 

https://www.surveymonkey.com/r/bi_mobile_ic

 

Brian Marier of Kimberly-Clark is the ASUG Customer Chair

Reena Sethy is the SAP point of contact


Last month, Brian and Reena gave a webcast (prior to SAP's announcement of the Roambi acquisition)

 

For further background on this long-running council please see Power of ASUG Influence : How ASUG members Influenced SAP BusinessObjects Mobile BI Solution

1fig.jpg

Figure 1

 

 

ASUG Influence Councils give customers a direct voice in influencing the product, discuss issues, functionality, and influence the direction and prioritization of the product, in this case, Mobile BI

 

 

Goal is to have 15 members

 

 

Priority is customers, but encourage partners to apply

 

2fig.jpg

Figure 2

 

 

This council is now in the launch phase

 

3fig.jpg

Figure 3

 

 

Looking for those who consider MobI an important part of their strategy, what works what doesn't work

4fig.jpg

 

Figure 4: Source: SAP

 

 

iPads are supported for all products shown in Figure 4

 

 

5fig.jpg

 

Figure 5: Source: SAP

 

 

The roadmap is evolving (this was the pre-Roambi announcement)

 

 

Looking to provide offline support for Lumira; improve story experience for Lumira

Provide catchup features to Android

 

6fig.jpg

 

 

Figure 6

 

 

The Charter is to provide feedback on Mobile BI

7fig.jpg

 

Figure 7

 

 

Try to meet face to face twice a year

 

 

Meet virtually every 6 weeks

 

8fig.jpg

Figure 8

 

 

Figure 8 covers how to apply - apply here: https://www.surveymonkey.com/r/bi_mobile_ic

 

 

 

 

 

 

Question and Answer

Q: How fit in SAP Fiori?

A: Fiori helps mobilize content using HTML - looking to see how to make MobI a tile in Fiori launchpad - investigating that now - it is on the roadmap

 

 

Q: Customers XI3 / 4x - still backwards support

A: Depends - Lumira for BIP requires BI4.1 - features that depend on the platform

 

 

Q: release cycle?

A: 2 major releases a year - 6.3 iOS was December 2015, and look to release next end of Q2

 

Related

Upcoming ASUG Webcast June 28 What's New in SAP BusinessObjects Mobile BI 6.4 Release

ASUG BI Annual Conference Brochure

Installation and Version Requirements:-

 

1. SAP BI Platform 4.1 SP04 or later with “Mobile Services” installed on BI Platform (installed by default) – please refer “Mobile_Server_Deployment_and_Configuration_Guide” Section 4 for more details, go to http://help.sap.com/bomobiserver41?current=pcat_analytics .

 

2. SAP Lumira, server for BI platform 1.29 (“Mobile Web Applications” checked by default for installation) – please refer “SAP Lumira, server for BI Platform Installation and Administration Guide”, Section 3.2.4.1 for more details, go to http://help.sap.com/lumira?current=bomobiserver41#section3 .

 

3. SAP BusinessObjects Mobile client App version 6.3 or later for iPad.

 

Assuming that “Mobile Services” is already installed as part of BI platform as mentioned above in #1, there could be two scenarios as below:

 

  • Install Scenario 1:- Fresh install of SAP Lumira, Server for BI Platform 1.29 or later. Requires “Mobile Web Applications” to be selected during installation (checked by default). This needs to be done on top of SAP BI Platform which has “Mobile Services” already installed with the platform installation.

 

  • Install Scenario 2:- Upgrade or update install of SAP Lumira Server for BI Platform 1.29 or later. In this case the base installer of SAP Lumira, server for BI Platform needs to be re-run in Modify mode from the Control Panel “Add and Remove Programs” to install the “Mobile Web Application” component, this enables “Mobile Services” already installed by BI platform for SAP Lumira content support.

 

Device Support:-

 

We recommend devices used for SAP Lumira consumption on Mobile should have at least 1GB in memory for a better user experience. The recommended devices are iPad Air, iPad Air 2, iPad 4 and future higher spec Apple releases. SAP Lumira content is currently supported only on iPad.

 

 

Lumira Document Design Guidelines

 

We recommend Lumira Story be designed in Wide Screen format with multiple pages, while designing the Story in the Compose Room of SAP Lumira desktop as shown below.

 

templates_best_pratices_1.png

 

templates_layout_best_pratices_2.png

 

Widescreen is the default format with templates including Overview and Slide Show. Other Page Layouts for SAP Lumira are also supported by the SAP BusinessObjects Mobile App however there could be vertical scrolling needed.

 

The user can swipe through the multiple pages or toggle at the bottom of the page for easy navigation horizontally.

 

Document Sizing

 

In order to achieve optimal performance we recommend that Lumira Documents adhere to these limitations:

 Data Sources: maximum of 2

 Stories: maximum of 3 stories with a maximum of 6 parts each

 Data Volume: maximum of 10 million cells

 

You can access the Lumira stories online by connecting to the SAP BI platform enabled with SAP Lumira Server for BI Platform. Performance and response times while viewing documents are also dependent on the size of the document and the network bandwidth.

 

Note:- In this release, we don’t support downloading the Lumira stories for offline access from the Mobile Device.

Note:- SAP BusinessObjects Mobile App caches the Lumira Stories for subsequent interactions after the first load to be faster.

 

Designing Charts for Optimal Mobile Consumption

 

We recommend that charts be sized to cover at least 50% of the page so that axis labels are clearly visible.

 

Linking SAP Lumira documents to other documents or to an external link

 

When creating hyperlinks in a Lumira document to another Lumira document or to an external URL, we recommend a minimum font size of 13 pts and a minimum of 10 characters in width, which enables you to tap on it easily on the Mobile Device.

 

Exploring Visualizations

 

You can zoom in or view visualizations in full screen mode by double tapping on it, when viewing the stories in page mode. You can apply filters and Input controls as well. We recommend not to have very long list of values for the Input Control for the ease of selecting the values from the mobile device. Currently other functions including Applying Calculations, Sorting, Ranking, Chart Properties, and Do-Undo are not supported.

This blog discusses the iOS 9 security changes and their impact on SAP BusinessObjects Mobile SSL or HTTPS connections.

With the introduction of iOS 9, Apple has added certain security measures and mandates that might cause existing SSL-based setups to stop working if they do not follow the iOS 9 security recommendations.

 

Quoting ATS requirements from Apple Site :-

Cocoa Keys

iOS 9.0 Whats New in IOS.

 

 

 

"Requirements for Connecting Using ATS

With ATS fully enabled, your app’s HTTP connections must use HTTPS and must satisfy the following security requirements:

 

  • The server certificate must meet at least one of the following trust requirements:
    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    • Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security version must be TLS 1.2
  • The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
  • In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater)."

 

It is also recommended to follow the ATS requirements, as this is a more secure way to run SSL communication.
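One way to check a Mobile server's Tomcat HTTPS connector against the ATS requirements quoted above, as an added example that is not part of the original post: it reads the Connector attributes SSLEnabled, sslEnabledProtocols and ciphers from server.xml and takes the leaf certificate's key type, key size and signature hash as arguments. It assumes ciphers is a comma-separated list of JSSE names; the sample connectors and certificate facts are constructed.

```python
import xml.etree.ElementTree as ET

# Cipher suites from the ATS requirements quoted in the post.
ATS_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}      # leaf certificate key requirements
SHA2_HASHES = {"sha256", "sha384", "sha512"}  # SHA-2 with a digest of at least 256 bits


def split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def ats_findings(server_xml, key_type, key_bits, sig_hash):
    """Return the ATS requirements that the connector or certificate does not meet."""
    findings = []
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        findings.append('no Connector has SSLEnabled="true"; ATS requires HTTPS')
    for conn in connectors:
        port = conn.get("port", "?")
        protocols = conn.get("sslEnabledProtocols")
        if protocols is None:
            findings.append(f"port {port}: sslEnabledProtocols is not set; "
                            "the JVM defaults decide whether TLS 1.2 is offered")
        elif "TLSv1.2" not in split_csv(protocols):
            findings.append(f"port {port}: TLSv1.2 is not in sslEnabledProtocols")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append(f"port {port}: ciphers is not set; "
                            "the default list decides whether an ATS suite is offered")
        elif not ATS_SUITES.intersection(split_csv(ciphers)):
            findings.append(f"port {port}: none of the configured ciphers is on the ATS list")
    minimum = MIN_KEY_BITS.get(key_type.upper())
    if minimum is None or key_bits < minimum:
        findings.append(f"certificate: {key_type} key of {key_bits} bits is below the ATS minimum")
    if sig_hash.lower() not in SHA2_HASHES:
        findings.append(f"certificate: {sig_hash} is not SHA-256 or greater")
    return findings


# Constructed server.xml fragments for illustration.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""
GOOD_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    for line in ats_findings(WEAK_SERVER_XML, "RSA", 1024, "sha1"):
        print(line)
```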

This blog discusses how to enable tracing on the SAP BusinessObjects Mobile server to troubleshoot issues with the SAP BusinessObjects Mobile App.

 

Errors encountered on the SAP BusinessObjects Mobile App may not always be App issues and would require further logging on the mobile server to troubleshoot and share logs for deeper analysis.

 

To set log levels for the Mobile server component, you need to create three environment variables in the system where Mobile Server is deployed.

 

  • BO_TRACE_LOGDIR: Specifies the path to the folder where logs are generated.
  • BO_TRACE_CONFIGFILE: Specifies the path to BO_trace.ini.
  • BO_TRACE_CONFIGDIR: Specifies the path to the folder where BO_trace.ini is located.

 

BO_trace.ini is the configuration file where multiple log levels can be set. This file is available in a location such as tomcat ..webapps\MobileBIService\WEB-INF\conf. There are different log level types: trace_none, trace_debug, trace_path, trace_information and trace_error.

 

The following table describes the logging level importance in decreasing order of detail:

 

Severity   Configuration Value
NONE       trace_none
DEBUG      trace_debug
PATH       trace_path
INFO       trace_information
ERROR      trace_error

 

To set the log level, perform the following steps:

 

  • Open the BO_Trace.ini file for editing.
  • Set the required logging level for each unit as above.

 

Set dedicated folder for server logs

By default, the path to the BO_trace file location is read from BO_TRACE_CONFIGFILE.

However, it can also be configured in web.xml by adding a new context parameter "mobi.trace" with the path value "/WEB-INF/conf/BO_Trace.ini".

 

Sample BO_trace.ini

sap_trace_level = trace_none; // Developer log information
sap_log_level = log_none; // Administrator log information
size = 10; // Size of log file
keep = false; // Retain the log file

Kerberos is an Authentication mechanism wherein no passwords are transmitted over the network. The server depends on a trusted ticket issued by a Ticket granting server, which the client sends in the request from the client to the server.

In order to enable Kerberos based authentication for the Mobi iOS application a few simple steps are to be done both on the iOS device and the Mobile server. Below we outline what these steps are and how they are to be done.

 

Supported on SAP BusinessObjects Mobile 6.3 onwards (iOS only)

Supported on SAP BI Platform 4.1 (SP07 onwards) and 4.2(SP02 onwards)

 

(Note: This entire document is written assuming that the BI Platform is configured for Kerberos based Authentication. Kerberos SSO is supported only for normal BOE Connections from mobile. Connections involving SUP and SMP are not supported)


Configuring the iOS Device

 

On iOS, Kerberos is controlled by a configuration profile which tells the iOS framework how Kerberos tickets should be handled. This profile can be installed from any MDM tool. If you do not have an MDM tool, you can host the file on any application server and open the link in the Safari browser. iOS will automatically detect it as a Kerberos SSO profile and show the installation screen. The configuration profile should have a .mobileconfig extension. Let us look at a sample configuration profile and check which values we are supposed to update.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>SSO Settings</string>
      <key>PayloadType</key>
      <string>com.apple.sso</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
      <key>PayloadIdentifier</key>
      <string>com.sap.example.sso</string>
      <key>Name</key>
      <string>username@EXAMPLE.COM</string>
      <key>Kerberos</key>
      <dict>
        <key>PrincipalName</key>
        <string>username</string>
        <key>Realm</key>
        <string>EXAMPLE.COM</string>
        <key>URLPrefixMatches</key>
        <array>
          <string>https://example.com/</string>
          <string>https://example.com:443/</string>
        </array>
        <key>AppIdentifierMatches</key>
        <array>
          <string>com.apple.mobilesafari</string>
          <string>com.sap.*</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadOrganization</key>
  <string>SAP</string>
  <key>PayloadDisplayName</key>
  <string>SSO for SAP</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>f4544183-fc96-495f-a384-435cdb66e5b9</string>
  <key>PayloadIdentifier</key>
  <string>com.sap.example.sso.profile</string>
  <key>PayloadDescription</key>
  <string>SSO Configuration profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>

 

 

Attribute – Value

PayloadDisplayName – Do not modify this string. Leave it as it is.

PayloadType – Do not modify this string. Leave it as it is.

PayloadVersion – Do not modify this string. Leave it as it is.

PayloadUUID – This should be a unique ID which can be generated from the following website: https://guidgenerator.com/

PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso

Name – Any name for the profile which you are creating.

PrincipalName – The Windows AD (winAD) user name with which the Kerberos login happens.

Realm – This should be the Kerberos realm. In the case of Active Directory, that’s usually going to be an AD domain.

URLPrefixMatches – This is the URL to which iOS will append the service ticket. It can have multiple entries. At least one of these entries should be of the following format: http://<Host Name FQDN>:<Port> of the Mobile Server. FQDN is the fully qualified domain name.

AppIdentifierMatches – This is the list of applications which are eligible to use Kerberos based authentication. No changes are to be made here, since we already have com.sap.*, which includes the Mobi iOS application, for which the app ID is com.sap.mobi.

PayloadOrganization – Your organization name.

PayloadDisplayName – Name for this SSO payload. Any string can be given here.

PayloadVersion – Do not modify this string. Leave it as it is.

PayloadUUID – This should be a unique ID which can be generated from the following website: https://guidgenerator.com/

PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso.profile

PayloadDescription – Any description of the payload profile.

PayloadType – Do not modify this string. Leave it as it is.

 

 

This configuration profile must be modified carefully before deploying since this is the single source which tells iOS how and when to append the Kerberos service ticket. Utmost care should be taken while providing values for Name, PrincipalName, Realm and URLPrefixMatches.

 

 

Configuring the Import Connection Server

 

SSO connections in SAP BusinessObjects Mobile can be set up only using the Import server URL. The following connection configuration needs to be done on the MOBI configuration server (MOBIServer) in the server.properties file.



 

 

 

SSO_Kerberos.DisplayName – This can be any string; it will be your connection name.

SSO_Kerberos.BOBJ_MOBILE_URL – This is the mobile server URL. The URL given here and the URL given in the URLPrefixMatches of the iOS configuration profile described in the previous section must be the same. (URLs should be FQDN*)

SSO_Kerberos.BOBJ_MOBILE_CMS – This should be the CMS cluster name or the FQDN hostname of the machine running the BI Platform CMS.

SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED – Do not change the value. Let it be true.

SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE – Do not change the value. Let it be kerberos.
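The following pre-deployment check is an added example, not part of the original post or of SAP's tooling. It parses a .mobileconfig profile together with the server.properties keys described above and reports the mismatches this section warns about: a shared or malformed PayloadUUID, a BOBJ_MOBILE_URL not covered by URLPrefixMatches, a non-FQDN host, and an app ID not covered by AppIdentifierMatches. The sample inputs are constructed, and the key=value layout of server.properties and all function names are assumptions.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Constructed inputs, deliberately wrong: equal PayloadUUIDs, mismatched URLs.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.sso</string>
    <key>PayloadUUID</key><string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
    <key>Kerberos</key><dict>
      <key>PrincipalName</key><string>username</string>
      <key>Realm</key><string>EXAMPLE.COM</string>
      <key>URLPrefixMatches</key><array><string>https://example.com/</string></array>
      <key>AppIdentifierMatches</key><array><string>com.sap.*</string></array>
    </dict>
  </dict></array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
</dict></plist>"""
# Assumed key=value layout; the key names are the ones described above.
SAMPLE_SERVER_PROPERTIES = """\
SSO_Kerberos.BOBJ_MOBILE_URL=http://mobi.example.com:8080
SSO_Kerberos.BOBJ_MOBILE_CMS=cms.example.com
SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE=kerberos
"""

def parse_properties(text):
    """Read key=value lines, skipping blanks and '#'/'!' comment lines."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith(("#", "!")))
    return {key.strip(): value.strip() for key, value in pairs}

def check_sso_setup(profile_bytes, server_properties, app_id="com.sap.mobi"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    sso = next((p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.sso"), None)
    if sso is None:
        return ["profile has no com.apple.sso payload"]
    krb = sso.get("Kerberos", {})
    props = parse_properties(server_properties)
    # Each PayloadUUID must be a well-formed UUID and unique within the profile.
    ids = [str(profile.get("PayloadUUID", "")), str(sso.get("PayloadUUID", ""))]
    for value in ids:
        try:
            uuid.UUID(value)
        except ValueError:
            findings.append(f"PayloadUUID is not a UUID: {value!r}")
    if ids[0].lower() == ids[1].lower():
        findings.append("profile and SSO payload share one PayloadUUID")
    # iOS offers the ticket only to URLs that start with a listed prefix.
    prefixes = [p.rstrip("/") + "/" for p in krb.get("URLPrefixMatches", [])]
    url = props.get("SSO_Kerberos.BOBJ_MOBILE_URL", "")
    if not url or not any((url.rstrip("/") + "/").startswith(p) for p in prefixes):
        findings.append(f"BOBJ_MOBILE_URL {url!r} matches no URLPrefixMatches entry")
    if "." not in (urlsplit(url).hostname or ""):
        findings.append("BOBJ_MOBILE_URL host is not an FQDN")
    # A trailing '.*' in AppIdentifierMatches is a prefix wildcard on the bundle ID.
    app_ok = any(app_id == m or (m.endswith(".*") and app_id.startswith(m[:-1]))
                 for m in krb.get("AppIdentifierMatches", []))
    if not app_ok:
        findings.append(f"{app_id} is not covered by AppIdentifierMatches")
    return findings

if __name__ == "__main__":
    for finding in check_sso_setup(SAMPLE_PROFILE, SAMPLE_SERVER_PROPERTIES):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports the shared PayloadUUID and the URL mismatch; once both are corrected the list of findings is empty.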



Configuring the Mobile Server

 

Last but not least, the mobile server must be enabled for Kerberos based authentication. You will be required to carry out the following three steps in order:

  1. Stop the Tomcat server.
  2. Modify sso.properties, authscheme.properties and web.xml.
  3. Clean start the Tomcat server.

 

Let us see the changes to be made for the three files mentioned above.

 

Changes for sso.properties



 

 

  1. Uncomment default.cms.identifier and assign it the value 1
  2. Uncomment aliases and give it the value which you gave for SSO_Kerberos.BOBJ_MOBILE_CMS described in the previous section.
  3. Uncomment authentication.scheme and assign it the value KERBEROS.

 

Changes for authscheme.properties

authescheme.png

 

  Uncomment the KERBEROS property as highlighted in the above image.


Configuring web.xml

 

Replace the web.xml which exists in MobileBIService with the attached web.xml file. A few parameters mentioned below should be provided with values which are specific to your environment.

 

<init-param>
    <param-name>sso.enabled</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>siteminder.enabled</param-name>
    <param-value>false</param-value>
</init-param>
<init-param>
    <param-name>vintela.enabled</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>idm.realm</param-name>
    <param-value>{your-realm-name-here}</param-value>
</init-param>
<init-param>
    <param-name>idm.princ</param-name>
    <param-value>{your-principal-name-here}</param-value>
</init-param>
<!-- true lets the filter accept SSO requests over plain HTTP (no SSL) -->
<init-param>
    <param-name>idm.allowUnsecured</param-name>
    <param-value>true</param-value>
</init-param>
<!-- false: no fallback to NTLM -->
<init-param>
    <param-name>idm.allowNTLM</param-name>
    <param-value>false</param-value>
</init-param>
<init-param>
    <param-name>idm.logger.name</param-name>
    <param-value>simple</param-value>
</init-param>
<init-param>
    <param-name>idm.logger.props</param-name>
    <param-value>error-log.properties</param-value>
</init-param>

 

 

 

The values for each of these keys can be found in global.properties, which would have been created when setting up the BI Platform with Kerberos. global.properties can be found under installation folder\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.

 

 

Troubleshooting and Help

 

       https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

 

  • Kerberos SSO does not seem to work on iPad – This might be due to a variety of reasons, but it would be good to check the following few things on the device before investigating further:
    • The device must have the DNS server settings of the network from which the ticket-granting server provides the ticket to the iPad. This includes adding the entries in DNS and Search Domains under the IP address settings of the connected Wi-Fi network.
    • If you get a username/password authentication popup while trying to connect to a Kerberos connection, try restarting the iPad, since the profile installed on the iPad requires a restart at times.


 

 

We would like to use web service query (Query as a Webservice) in dashboard mobile. It works fine in desktop but in mobile we get this error "Enterprise authentication could not log on. Please make sure your logon information is not empty". Does anybody have a good answer on how to solve this problem without a hardcoded user?

Update

 

We have fixed the below issue and the new version of the application is now available in AppStore with version 6.2.4


Regards

Srikanth

-----------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Hi All,

 

It has been observed that if you are on iOS version 8.4 and then trigger an update of the SAP BI app from version 6.1 to 6.2.3, the product becomes unstable in some cases. The only workaround at this point in time is to delete and install the application again.

 

 

For those who have not yet updated the app to the latest version, we would recommend to remain on older version. We are actively working on a patch to ensure a smooth upgrade & we will keep you updated regarding this.

 

Regards

Srikanth

SAP Mobile BI 6.2 is planned for release during the first week of July - both iOS and Android.  Special thanks to Srikanth Rao for this webcast.

 

Please note the usual legal disclaimer applies that things in the future are subject to change

 

First a review of the general features.  SAP is trying to harmonize content types, so you can annotate on top of any content type, it has SSO capabilities; depends on your BI Platform.  SAP wants to ensure the experience is consistent

 

Enhancements 6.2 – first week of July


Figure 1: Source: SAP

 

Figure 1 shows a new feature; you can use the Apple Touch ID to secure documents/apps

 

It validates your touch ID and fingerprint

 

If there are confidential documents, you can add more security by enabling touch ID for documents

 

Mobile security is always a prime concern

 

The administrator can control this behavior; the end user can choose to take advantage of touch ID

 


Figure 2: Source: SAP

 

Today 6 different content types are supported; in addition, the PDF content type will be supported.  Any PDF content would be accessible on Mobile BI

 

This will work in offline mode

 

It works for both iOS & Android

 

If password protected, this is supported as well


Figure 3: Source: SAP

 

This is a usability aspect

 

Today the default is all reports

 

Administrators can organize reports by creating categories

 

As an end user, you can decide your default landing page – set it as a default category as shown in Figure 3 - "High Tech" is the default landing category

 

Admins can control via properties to be enforced throughout organization

 


Figure 4: Source: SAP

 

If there is a network fluctuation, the application should handle it "gracefully"

 

Today there is an offline mode

 

If network goes off, or switch to airplane mode, show only the downloaded documents.  Once network is available, and once connected, it will show the documents.


Figure 5: Source: SAP

 

The ability to automatically download documents to your iPad; your users are CXO's and you want documents to be downloaded to iPad so it is available in offline mode.

 

On the BI Platform, if you tag documents with the "Featured" category, once users log on those documents are available in offline mode.

Once the user logs in, the documents marked as featured are downloaded to the iPad

 

I will get to Part 2 when I can...to be continued.

 

Question and Answer

 

 

Q: What version and patch level of Mobile BI are we reviewing and discussing?

A: Mobile BI 6.2 - coming in the future

 

 

Q: What about supporting Lumira documents store on BI Platform - when will Mobile BI support that?


A: Lumira documents - planned for H2 release - both for iOS & Android

 

 

Q: Is there a current document for Web Intelligence Mobile features?

A: help.sap.com - Feature Compatibility matrix

 

 

Q: Is this new Mobile client compatible with SP5?

A: Yes, always backward compatible

 

 

Q: Automatic download: is version 6.2 the first time the "Featured" category has been utilized by the Mobile app?

A: Yes, that's correct

 

 

Q: Any plans for Windows Phone?

A: Currently assessing market for this; no plans in 2015 - assess market in Q3 timeframe and update direction & roadmap

 

If you have more questions join ASUG next week for this ASUG Q&A webcast on SAP Mobile BI June 3rd - register here

Thinking of deploying Mobile BI for your enterprise? Then securing your BI content on mobile is probably at the top of your mind. You don't really have to worry a lot, as we know how important that is for you, and hence we have built multiple security features into the app.

 

Here are some of the important ones ...

 

  • First and Foremost is the Application Password.
    • Mobile BI app is today secured with application password (of minimum length 8 by default) which is set by the user when he uses the application for the first time.
    • The password is prompted to user after the application is in background for more than 5 minutes (default value and can be changed).
    • As an additional security measure, the application data is wiped off after specific number of unsuccessful attempts.
    • Administrators can choose to ensure that the device user cannot disable the application password.

 

  • Next is connecting to your Enterprise Mobile Server. This could happen over Wifi, VPN or data network
    • In case of Wifi,  there is no network challenge encountered as you are already in corporate network
    • In case of VPN,  you are required to manually logon/device auto connects to your VPN as and when connection to mobile server is attempted
    • In case of Data, you are mostly presented with an enterprise authentication challenge - which could be Basic Auth, Form Auth etc.


     Note: SSO is supported for Mobile BI App, more details available at SAP BI Mobile Server Single Sign On Support

 

 

  • A user has to be authenticated to Business Objects Enterprise
    • Only an authenticated user can view/download documents on mobile device. And only the documents that he has rights to
    • Authentication is also required to even view the documents that have been previously downloaded on mobile device
    • If the right to view the document is revoked after the user downloaded the document to the device, the document is automatically removed from the device storage on the next refresh

 

  • As we know mobile has lots of offline use-cases and many a times users do not have access to the network. Hence, they do download documents from BIP on to their mobile devices.
    • Administrators can choose to allow users to save documents to device or not
    • Even if administrators have allowed the storage of documents on the device, some documents can be marked as ‘secure’ and the contents of these documents are never stored on the device.
    • Once downloaded, these documents are sandboxed within the app and are encrypted (a FIPS-approved algorithm is used) before storage on the device. While viewing, the files mentioned above are loaded and decrypted in-memory.
    • The stored documents are deleted (and possibly updated) in the following cases: the documents are either updated or refreshed by the user, the documents are deleted by the user, or the connection is deleted by the user.
    • Additionally, there is an option for the product to automatically delete stored documents that are older than nnn days (configured by 'offlineStorage.ttl' in client settings).

 

  • Apple automatically takes a screen capture of the active application’s screen before it goes to the background, and stores it on the device. Apple does this to show a smooth transition when foregrounding the application. The nature of BI applications makes this behavior a possible security threat, hence this product ensures that only a blank screen gets captured by Apple when the application goes to the background.

 

  • Application uses a small-sized low-resolution capture of the document view to display as a thumb-nail in tile view. However, the product does not create this thumbnail if the document has been marked as ‘secure’.

 

  • The product allows the device users to share reports/documents.
    • However, the product only shares URL to access the actual report (and not the underlying data) so that only authorized and authenticated users continue to have access to the data
    • The product allows for screen-image to be shared, but device users can crop the screen to the desired area, and also smudge (or blur) any sensitive data so that the sensitive data is no more visually recognizable


  • Definitely, this does not end here. Most of the enterprise customers do have a need of using the MDM apps for managing and securing the traffic from/into the app - Mobile BI App is already used by customers with solutions like Mocana, Xen Mobile etc.

 

In case you want more, do have a look at our detailed security guide at SAP BusinessObjects Mobile for iOS – SAP Help Portal Page


MOBI app users can now use touch based authentication for app password authentication. Users who don't like to type a complex passcode can use touch based authentication to use their fingerprint as a passcode in a seamless way. It provides great security in a simple way.

Apart from app password authentication, touch can be used to authenticate the user while opening a secure document. The BOE backend admin can mark a document as a secure document by

  • Assigning the document to the additional security category
    • If the Touch ID based additional security category is not already created, the admin needs to create the category at the backend.
  • When the user tries to access the document in the MOBI app, the app asks for authentication.

 

Here are the details of the workflows where Touch ID can come in:

  • The user can enable Touch ID; it is optional for the user to enable it.
  • The Touch ID feature can be enabled (by the user) only when the app password is enabled in the application.
    • If the app password is not set, the user can’t enable Touch ID.
  • The Touch ID feature in the MOBI app can be used for two purposes
    • App password level authentication
      • The user can either type the app password or use the Touch ID feature to authenticate
    • Document view of the secure category
      • The admin can mark a mobile document at the backend as requiring additional authentication by assigning it to a specific category
      • When the user tries to open this document in the MOBI app, then
        • If the app password is configured, then
          • The app prompts for authentication
            • If Touch ID is enabled, the user can authenticate via Touch ID or the app password
            • If Touch ID is not enabled, the user can authenticate by entering the app password.
      • If the application password is not set, the user can open this document directly; the app doesn’t prompt for any authentication

 

In any of the above authentications, the user has the choice to authenticate either by entering the app password or by using a fingerprint.

Personal Views is a capability to save personalized views of a Web Intelligence document. A mobile user can create multiple personalized views of the same base (source) Webi document, and each personal view document is independent of the others. The steps for creating a personal view from a Webi document are:

  • Open the Webi document (source) in Mobi
  • Perform the required server actions
  • Perform the required client side customization, like sorting the table column data
  • Save the personalized view
  • Saving the personalized view creates an entirely new document in Mobile with the state and data of the source Webi document.
  • The personal view document is created and maintained only on the mobile device, not in the BOE repository.
  • The user can also access this document while working offline.

 

As a created personal view document is inherited from the source Webi document, it is very important to ensure that the personal view document doesn't breach the security set on the source document.

Here is the security that has been considered for personal view documents:

  • If the source document is marked as confidential, the app doesn't allow the user to create a personal view document from it.
  • If at any point in time the admin removes the user's view permission on the source Webi document, all personal view documents created by the user from the source document get deleted from the Mobi application.
  • The admin can restrict the user from creating personal views.
  • If the connection that the user has logged in to is a secure connection, the user won't be able to create a personal view document.
  • If the source document's TTL expires, all personal view documents created by the user from the source document get deleted from the Mobi application.
  • When the admin deletes the source document in the backend repository, all personal view documents created by the user from the source document get deleted from the Mobi application.
  • The user can't share a personal view document.
