
Setting up Trusted Authentication in BI4 for SAP CRM

Former Member
0 Kudos

Hello,

We have SAP BOBJ 4.0 with SSO to SAP BW, and SAP BOBJ 4.0 integrated with SAP Enterprise Portal.
We also have SAP CRM, so we want CRM Web UI users to only view/refresh documents (Webis and Xcelsius) by URL, but without providing an SAP username and/or password.

URL Example:

                https://bobj.xxxxxxx/BOE/OpenDocument/opendoc/openDocument.jsp?iDocID=1E2BV2EADq_XOVQAUQClj.04oCVIPw...

This URL is assigned to a business role in CRM Web UI.
When a user from CRM clicks on the URL, the authentication screen of OpenDocument appears.

So, can you help me by providing some links, or by telling me what configuration we need to do in BOBJ 4.0 and SAP CRM?
We applied SAP note 1593628 - Setting up Trusted Authentication in BI4 for BIlaunchPad and Opendocument using QUERY_STRING, but the security is very poor and any user can access BI LaunchPad.
SAP Business Objects 4.0 SP05
O.S- Windows Server 2008 R2
DB CMS - SQL Server 2008 R2
Application Server - SAP NetWeaver 7.3 EHP 1
SAP CRM 7.0
Thanks in advance
Regards,
Néstor


Accepted Solutions (1)


IngoH
Active Contributor
0 Kudos

Hello Nestor,

Have you configured the SAP authentication on your SAP BusinessObjects BI system towards the CRM system, and did you import the roles from the CRM system?

regards

Ingo Hilgefort, SAP

Former Member
0 Kudos

Hello Ingo,

No, I have configured the SAP authentication on my BusinessObjects system towards the SAP BW system and imported the roles from the BW system.

Can I configure another system in SAP authentication, for example SAP CRM?

I only want the authentication for opendocument.

thanks for your response

Regards,

Néstor

IngoH
Active Contributor
0 Kudos

Hello Nestor,

yes you can have multiple systems configured as part of the SAP authentication.

You would repeat the configuration that you did for BW but now for the CRM system.

When a user then calls the CRM report, will the user be authenticated with the CRM user or the BW user, and will it only be CRM data or BW data or both?

regards

Ingo Hilgefort, SAP

Former Member
0 Kudos

Hello Ingo,

When a user calls a Webi report from CRM, the data is from BW only.

So if I do the configuration between CRM and SAP BOBJ 4.0 and import roles, I will have duplicate users, for example:

BW---------    BID~100/user1

CRM-------    CRD~200/user1

If user1 calls a Webi report from CRM by OpenDocument, which user goes towards BW?

Will I have to manage aliases?

I did this configuration for SAP BW and SAP BOBJ 4.0:

Generate keystore and certificate for SAP BO BI4.0

http://wiki.sdn.sap.com/wiki/display/BOBJ/Generate+keystore+and+certificate+for+SAP+BO+BI4.0

 

Import SAP BO BI4.0 certificate into SAP BW

http://wiki.sdn.sap.com/wiki/display/BOBJ/Import+SAP+BO+BI4.0+certificate+into+SAP+BW

Setup of SAP SSO Service in SAP BO BI4.0 CMC

http://wiki.sdn.sap.com/wiki/display/BOBJ/Setup+of+SAP+SSO+Service+in+SAP+BO+BI4.0+CMC

and I did this configuration for SAP Enterprise Portal and SAP BOBJ 4.0:

http://wiki.sdn.sap.com/wiki/display/BOBJ/BI4+-+How+to+create+SAP+BusinessObjects+Document+List+temp...

thanks for your response

Regards,

Néstor

IngoH
Active Contributor
0 Kudos

Hello Nestor,

so the user logs on with the CRM users and is refreshing a report with data from BW.

Correct - that will require user aliases and it sounds like you already have most of the items configured.

- you will need the SAP Authentication for both systems

- you will need the Single Sign On Token for both systems

- you will need to configure the user aliases as well

regards

Ingo Hilgefort
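
An added example, not part of the original posts: a Python check that every BO account carrying a CRM alias also carries a BW alias, which is the pairing the replies above call for. The account names, the dict layout and the sample aliases are constructed; only the `SID~client/user` form comes from the thread.

```python
import re

# "SID~client/user", optionally prefixed with the authentication type,
# e.g. "secSAPR3:BID~100/user1" (form as quoted in the thread).
ALIAS_RE = re.compile(
    r"^(?:secSAPR3:)?(?P<sid>[A-Za-z0-9]{3})~(?P<client>\d{3})/(?P<user>\S+)$"
)


def parse_alias(name):
    """Split an SAP alias into (SID, client, user); raise on anything else."""
    m = ALIAS_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an SAP alias: {name!r}")
    return m["sid"].upper(), m["client"], m["user"].upper()


def accounts_missing_alias(accounts, login_system, data_system):
    """Return accounts that have an alias on login_system (where the user
    signs on) but none on data_system (where the report data lives)."""
    missing = []
    for account, aliases in accounts.items():
        systems = {parse_alias(a)[:2] for a in aliases}
        if login_system in systems and data_system not in systems:
            missing.append(account)
    return sorted(missing)


# Constructed sample: account names and aliases are illustrative only.
ACCOUNTS = {
    "user1": ["secSAPR3:BID~100/user1", "CRD~200/user1"],
    "user2": ["CRD~200/user2"],   # CRM alias only: flagged
    "user3": ["BID~100/user3"],   # BW-only user: not affected
}

if __name__ == "__main__":
    crm, bw = ("CRD", "200"), ("BID", "100")
    for acct in accounts_missing_alias(ACCOUNTS, crm, bw):
        print(f"{acct}: has a CRM alias but no BW alias")
```
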

former_member199597
Participant
0 Kudos

All,

I was following this thread however could not get this to work.

As Nestor mentioned, I have the same requirements:

1. User authenticates towards BW

2. I want to use openDocument to include Webi Reports (4.x) in CRM Web UI

-> First only as a POC to get SSO to work

What I did was:

- Import roles from CRM

- Added useralias CRM~100/user to BW~100/user (no CRM user was imported - Alias active - BW User used for authentication).

- Generate keystore and certificate for SAP BO BI4.0 (as mentioned above)

- Import SAP BO BI4.0 certificate into SAP BW (as mentioned above)

- Setup of Keystore in BO CMC.

- Setup of SAP SSO Service in SAP BO BI4.0 CMC ( Service was already setup)

Then I just added an openDocument link in CRM to my favorites (just to see if it is working - no parameter etc.)

The Link is working but I still get a popup for my secR3 Username/password.

Where the username seems to be transmitted properly.

http://bo4.internal:8080/BOE/OpenDocument/opendoc/openDocument.jsp?authType=secSAPR3&sIDType=CUID&iD...

Can anyone help me out here, or does anyone have input?

Thanks in advance.

Andreas

IngoH
Active Contributor
0 Kudos

Hi Andreas,

from where does the URL get started and does this application that starts the URL also handover a SSO Token ?

Ingo

former_member199597
Participant
0 Kudos

Hi Ingo,

Thanks for your reply.

The URL gets executed from CRM Web_ui where the URL does not explicitly contain the token

(see example from above).

Also, I was confused since I was setting up the keystore in BO4 and imported the certificate on the CRM and BW systems. Is this sufficient?

Do I have to exchange a certificate between CRM and BW as well?

Thanks for your input,

Andreas

IngoH
Active Contributor
0 Kudos

Hi,

the URL doesn't have to contain the token but the application which is calling the URL needs to also issue a MYSAPSSO2 token.

Ingo

former_member199597
Participant
0 Kudos

Hello Ingo,

Got it working now

I exchanged certs from BW and CRM - working like a charm now.


Thanks for your input and the input of the previous colleagues.

Andreas

Former Member
0 Kudos

Hello Andreas,

I have to do the same thing: from CRM UI (through URL transaction launcher) I call a webi on BO system. We need to implement SSO between CRM - BO system.

What are all the steps to follow?

I try to summarize

1) Import roles from CRM. Could you specify what are the roles?

2) Added useralias CRM~100/user to BW~100/user (no CRM user was imported - Alias active - BW User used for authentication).

3) Generate keystore and certificate for SAP BO BI4.0

4) Import SAP BO BI4.0 certificate into SAP BW

5) Setup of Keystore in BO CMC.

6) Setup of SAP SSO Service in SAP BO BI4.0 CMC ( Service was already setup)

7) Is it all? or is it necessary to import the certificate into the CRM ABAP component or CRM JAVA component?

Regards, Roberto

former_member199597
Participant
0 Kudos

Hello Roberto,

1. The roles from CRM.

Select the roles the users are assigned to - otherwise you cannot make an alias for the CRM system

2. ok

3. ok

4. ok

5. ok

6. ok

7. Yeah you need to import using TA strustsso2

8. You need to exchange certificates between CRM and BW as well.

So that CRM has the BW and the BW has the CRM cert.

In addition to that I changed the OpenDocument.properties:

D:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\default\OpenDocument.properties

like this:

    # You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
    authentication.default=secSAPR3
    # Set to false to disable logon with token.
    logontoken.enabled=true
    # Set to false to disable logon with SAP LogonToken obtained through RESTful Web Service
    SAPLogonToken.enabled=true


Hope this helps.

Lemme know if you have any other questions.

Can you send me your e-mail? It would be nice to exchange information since I haven't used the transaction launcher for now.

Btw. did you activate the business function CRM_ANA_BOB?

I am not sure if I really need this for using Transaction launcher.

Let me know.

thanks
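
An added example (not part of the original post, and not SAP code): a small Python check that reads OpenDocument.properties content the way java.util.Properties splits keys from values, and reports which of the three settings quoted in the post above are not in effect. The sample file content is constructed; line continuations and escape sequences are not handled.

```python
# Values the post above sets in OpenDocument.properties.
EXPECTED = {
    "authentication.default": "secSAPR3",
    "logontoken.enabled": "true",
    "SAPLogonToken.enabled": "true",
}


def parse_properties(text):
    """Minimal .properties reader: '#' and '!' start a comment line, and the
    key ends at the first '=', ':' or whitespace character."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        end = next((i for i, ch in enumerate(line)
                    if ch in "=:" or ch.isspace()), len(line))
        key, rest = line[:end], line[end:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[key] = rest
    return props


def audit(text, expected=EXPECTED):
    """Return {key: (expected, value_in_file)} for each setting that differs.
    A value of None means the key is not set in the file at all."""
    props = parse_properties(text)
    return {k: (v, props.get(k)) for k, v in expected.items()
            if props.get(k) != v}


# Constructed sample: the second setting carries a stray list number (so the
# key becomes "1."), and the third is commented out. Neither takes effect.
SAMPLE = """\
# You can specify the default Authentication types here.
authentication.default=secSAPR3
  1. logontoken.enabled=true
#SAPLogonToken.enabled=true
"""

if __name__ == "__main__":
    for key, (want, got) in audit(SAMPLE).items():
        print(f"{key}: expected {want!r}, file has {got!r}")
```
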

IngoH
Active Contributor
0 Kudos

Hello Andreas,

is this resolved ?

regards

Ingo

former_member199597
Participant
0 Kudos

Hello Ingo,

Yes from my side all is working fine.

Thanks again.


Andreas

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hello Andreas,

I am Sam.

I have the same SSO problem: our Webi report is linked in SAP CRM UI, and the data of the report is stored in SAP BW; the user will then access SAP CRM UI to review the Webi report.

I hope for your help, and I would be deeply grateful if you have a document about the SSO, thanks very much.

former_member199597
Participant
0 Kudos

Hello Sam,

I have documented this, but in German, and there are also some screenshots that are not meant for the public.

However, you can follow the guide from Nestor, which also led me to the solution.

If I find some time soon, I could exchange the screenshots and translate the stuff into English.

Maybe you could start pointing out what is not clear for you ?

Cheers,

Andreas

Former Member
0 Kudos

Hi Andreas,

Thanks for your prompt reply.

I have some confusion:

1) I have read the SAP BO 4.0 document "Administrator Guide", and it doesn't refer to the step of "Generating and importing certificate between BO and BW", so I don't know if this step is necessary.

Maybe it is different between BO 3.1 and  4.0.

2) If it is necessary, what about certificate between CRM and BO? 


I will try again, and I will discuss with you if I have any problem, thanks a lot.

former_member199597
Participant
0 Kudos

Hi Sam,

I did the SSO with BO 4.x and I haven't tried to use 3.x since we do not need this. From what I read, the SSO with BO 3.1 is different from 4.x.

We use SAP BW as authentication system for BO.

Your questions:

1. yeah you will have to exchange certs between BW and BO.

(make sure BW/CRM have a valid certificate before exporting).

-> BW needs to have BO and CRM certs.

2. -> CRM needs to have BW and BO certs.

Don't forget to use the alias and keystore in BO.

That should do the trick

Cheers,

Andreas



0 Kudos

Thanks...

Answers (1)


Former Member
0 Kudos

Hi Experts,

I am facing a strange behavior.

I am now able to log on with my CRM user to BI Launchpad.

Problem: If I want to see my report in CRM Web UI, I am still getting the logon screen for the BO system.

I don't know what I missed in my configuration.
This is what I did so far:

On CRM (local BW) side
1. I created a role and assigned some CRM-Users to this role

5. I imported the BO-certificate to CRM

On BI-Platform side
2. I did the Import of the role in BI-CMC

3. I assigned the role to my Dashboard

4. I created the certificate of the BO-Server

What should I do now?

Many thanks in advance.
Best regards,

Markus

former_member199597
Participant
0 Kudos

Hey Markus

sorry for late reply - holidays rule

Exchange of certificates must be done for ALL systems in the chain.

BW - BO; BO - CRM; CRM - BW

Did you do that?

Cheers

Andreas

Former Member
0 Kudos

Hello Andreas Schuth,

I am trying to implement this requirement for the business and I am stuck at the step to generate the keystore and certificate.

When I am trying to run the command line statement

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\> "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java" -jar PKCS12Tool.jar -alias mywin -storepass administrator -dname CN=w2k8devbo-and

it is throwing error like.

not a recognized internal or external command.

I have tried only with below command

-jar PKCS12Tool.jar -alias mywin -storepass administrator -dname CN=w2k8devbo-and

and it is throwing error like

'-jar' is not recognized as internal or external command

I suspect that Java is not installed on my server. Could you please correct me?

Am I on the right path?

Regards,

S Babu

former_member199597
Participant
0 Kudos

Hi Babu

This wiki entry explains the way to generate the keystore and certificate

http://wiki.scn.sap.com/wiki/display/BOBJ/Generate+keystore+and+certificate+for+SAP+BO+BI4.0

However, do not use the " (quotation mark).

Your expression:

java" -jar PKCS12Tool.jar -alias mywin -storepass admin1 -dname CN=palmtree


should be like this:

java -jar PKCS12Tool.jar -alias mywin -storepass admin1 -dname CN=palmtree


Hope this helps.

BR

Andreas

Former Member
0 Kudos

Thank you Andreas Schuth,

I have successfully generated the keystore file as well as cert.der

I just imported this cert.der into CRM & BW.

In case I get stuck anywhere I will ask for your help.

Kindly support me.

Regards,

S Babu

Former Member
0 Kudos

Hello,  Andreas Schuth,

I have done all the steps but it is not working for me.

I will share the document of what I did; could you please check and correct me.

Could you please share your mail ID or contact information so that I can share the document? Kindly send a test message to my mail ID.

S Babu

sureshbabu.kommuri@gauri.co.uk

Former Member
0 Kudos

Hello, Andreas Schuth,

Should I restart the CRM & BW servers as well? I have restarted the BO services after doing this. Kindly send a test mail so that I can share the document.

Regards,

S Babu

Former Member
0 Kudos

Hello, Andreas Schuth,

I have done all the steps for implementing SSO between BO and CRM Web UI, but it is not working for me.

Summary of my workflow

1. created roles in CRM & BW

2. imported CRM & BW roles & users into BO

     2.1 user alias done

3. Enabled SAP authentication

4. Generated keystore & certification at BO Side

5. imported BO certification into BW & CRM ( in ACL are I have mentioned system as CRD for CRM system and its client. same to BW system as well. Am I correct? please correct me )

6. exported BW certificate into CRM and the same way exported CRM certificate into BW by using client 000

7. uploaded keystore file into BO

8. changed settings of BILaunchpad.properties & OpenDocument.properties files

9. configured BO opendocument url (http://XXXXXX-XXX.XXXXXX.XXX:8080/BOE/OpenDocument/1402060926/OpenDocument/opendoc/openDocument.face...) into CRM web UI (Is this generated OpenDocument url format is correct or wrong?)


But no luck.

Please correct me where I made a mistake, and also tell me whether I missed any steps.

Thanks in advance.

Suresh

former_member199597
Participant
0 Kudos

Hi Babu

I am sorry since I am very busy at the moment.

I found the following differences:

1.

In our case we authenticate BO to SAP BW and not to SAP CRM.

This means all users are only replicated from BW to BO.

-> user looks like this: secSAPR3:BWx~001/MOO1234

Where MOO1234 is the BW user.

We do not replicate the CRM user.

However we changed that since we use AD Authentication now...



2.

Your OpenDoc link doesn't look like mine:

http://serverbo4.xxx.yy:8080/BOE/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=X1ysx70Wm...



HTH

Andreas