
Implementing SSO + SAP Authentication with SAP BO 4.0 SP5 and BW 7.3 SP5

bruno_heissler2
Participant
0 Kudos

Hi guys,

I'm implementing "SAP Authentication" and "SSO" between BO 4.0 SP5 P7 and BW 7.3 servers.

Following are the steps that I did until now:

1) Generated the keystore and the certificate.

On my BO Server (Linux), I executed the following command line to generate the keystore (BO Linux Server):

/sap_bobj/enterprise_xi40/java/lib>/sap_bobj/enterprise_xi40/linux_x64/sapjvm/bin/java -jar PKCS12Tool.jar -alias key -storepass admin1 -dname CN=hostname(BO server)

Command line to generate the certificate (BO Linux Server):

/sap_bobj/enterprise_xi40/java/lib>/sap_bobj/enterprise_xi40/linux_x64/sapjvm/bin/keytool -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias key

2) Importing certificate in BW system

I accessed the BW system, on strustsso2, and imported the certificate. Follow:

3) SAP Authentication on CMC

I configured my BW system and imported the roles/user to BOE.

On the option tab (in the SAP Authentication menu), I've imported the keystore file and inputted the keys/alias and system id.

-----------------

So far, I'm able to access the Launch Pad using SAP Authentication Mode and using a user from the BW system.

This access is working fine and I'm able to re-use the users that were created on the BW side.

Right now, I need to re-use the restrictions of data and structure for these users in my Webi Intelligence reports.

I created an OLAP connection based on a BEx Query and designed my Webi Intelligence report on top of this OLAP connection.

When I created the OLAP connection, I configured the authentication as "SSO", so the user that is logged on to the LaunchPad should be the same one that will run the query on the BW structure.

When I tried to create a report under my OLAP connection (using a BW user logged on to LaunchPad - SAP Authentication ON), I got the following message at the moment that I selected the OLAP connection:

-------------

java.util.concurrent.ExecutionException: com.businessobjects.sdk.core.server.CommunicationException$UnexpectedServerException: [[error.openSapBwBrowsingSessionFailed] 0] <Initial Catalog=MC_GTORCA;Language=en_US;Data Source=172.22.0.150;SapLoginMode=0;Cube Type=Query;JCO_ASHOST=172.22.0.150;SaveLanguage=true;JCO_R3NAME=BWD;Initial Cube=Q_MC_GTORCA_001;TargetProvider=SAPNETWEAVER7X;JCO_CLIENT=100;Authentication Mode=2;NetworkLayer=SAPBW_BICS;JCO_LANG=EN;JCO_SYSNR=20;>,<Error: com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized on 172.22.0.150 sysnr 20

Key:   JCO_ERROR_LOGON_FAILURE

Group: 103

Type:

com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized on 172.22.0.150 sysnr 20

Issuer of SSO ticket is not authorized on 172.22.0.150 sysnr 20

Issuer of SSO ticket is not authorized on 172.22.0.150 sysnr 20

Issuer of SSO ticket is not authorized

Issuer of SSO ticket is not authorized

-------------

I applied some SAP notes but they didn't solve the issue so far.

I've already created a specific APS Server on CMC, containing the STS (Security Token Services).

Does anyone know how to solve this issue?

Any idea?

Best Regards,

Bruno Heissler

Accepted Solutions (1)


IngoH
Advisor
0 Kudos

Hello Bruno,

Most likely your configuration of the certificates and the exchange of certificates is not 100% correct.

You should double-check that part.

regards

Ingo Hilgefort

0 Kudos

Hi,

Usually the process of configuring the SSO connection via STS is pretty straightforward. Maybe you first try Ingo's hint.

Do you have a clustered SAP BI4 Environment? If yes, check SAP Note - 1695870.

Has the user which you are using enough permissions on that BEx Query? Maybe you try it and run it natively without WebI.

Regards

-Seb.

bruno_heissler2
Participant
0 Kudos

Hi,

I don't have a clustered SAP BI4 Environment.

The user that I'm using came from BW, but is under the "Administrator" group on BO CMC, so it has permissions.

Just for a test, I updated my OLAP (BICS) connection and set the pre-defined user authentication, instead of SSO. I used the same user that I'm logging in to LaunchPad with (the user from BW that is getting the error posted above), but pre-defined on the connection authentication, and had success when I ran my Webi report (it returned data from BW).

So in this case, I'm assuming that the user is not a problem when used with the pre-defined authentication option. When I change this to SSO (without a pre-defined user), I get the error above.

I'm trying to understand what is going on, and I have an issue:

When I'm generating the certificate on the Linux server, I have a parameter in my command line called "CN". As I understand, this should be the BO HOSTNAME server.

For example, in my case, the BO HOSTNAME is "gc-santaadelia", and I fixed this on the CN parameter.

When I import the cert.der into the BW certificates, I have the parameter called SYSTEM ID.

Is this parameter related to the BO HOSTNAME server?

Now, I'm setting my "BW - System ID" in this parameter, that is "BWQ", and fixing this one with client 000.

So the next issue is related to the SYSTEM ID parameter in the BO CMC steps.

CMC - Authentication - SAP - Options Tab - System ID parameter.

What should I put in this parameter? Is it the system ID used in BW? Is it the CN parameter used when I generated the certificates?

Regards,

Bruno Heissler

IngoH
Advisor
0 Kudos

Hello Bruno,

The "CN" part is following the LDAP naming convention for "Common Name" and you can define the common name - it does not have to be your fully qualified host name.

The System ID when importing the certificate is the System ID for your BI4 Server - you assign it. Don't use the BW System ID.

The System ID on the CMC is the System ID from your BI4 server that you assigned in the previous step.

Ingo

bruno_heissler2
Participant
0 Kudos

Hello Ingo,

Thank you for this information.

I found the solution for my scenario.

When I imported the cert.der in the BW system, I did this on mandant 000, on strustsso2.

After adding it to the certificate list, I added it to the ACL, one time setting client 000 and another time setting the client for my BW QAS system.

The problem is that when I logged in to my BW system on the QAS mandant (not 000), I saw the certificate, but it didn't have tickets assigned to it.

So I added it to the ACL in my QAS mandant.

Now, I'm able to log on with a BW user on Launch Pad and run a Webi report using the OLAP (BICS) connection.

This is working fine on the SAP BI App (iPad device) using SAP Authentication mode.

All the restrictions are working fine for the users.

Thank you guys for the help.

Best Regards,

Bruno Heissler

IngoH
Advisor
0 Kudos

Hi Bruno,

For running a WebI report with SSO, there is no need to even exchange certificates.

The STS (Single Sign On Token Service) is for scenarios where the normal SAP authentication is not enough - for example a publication.

But viewing a WebI report with SAP credentials doesn't require this.

ingo

bruno_heissler2
Participant
0 Kudos

Hi Ingo,

You mean that I just need to configure SAP Authentication Mode (CMC) and set the authentication mode in the OLAP Connection to SSO?

The application will understand that the user that is logged on to LaunchPad should be the same user to navigate into BW data? Is STS responsible for this communication?

In my scenario I don't have SAP Portal, just BW and BO4.0, with Webi reports accessing BW using BICS (OLAP) connections, and this should work fine on the Mobile application.

Thanks for this point.

Regards,

Bruno Heissler

IngoH
Advisor
0 Kudos

Hello Bruno,

for viewing a Web Intelligence report with SSO there is no need for STS. That only requires the SAP Authentication and the OLAP Connection with SSO.

STS is in a nutshell the replacement for what SNC was doing in XI 3.1. So you can use STS to leverage a publication without having to enter passwords.

Or you can leverage STS for SSO for Analysis Office (thick client) or Design Studio (thick client).

ingo

bruno_heissler2
Participant
0 Kudos

Thanks for the support!

Really appreciate it.

Former Member
0 Kudos

Hi Ingo,

I am getting a similar error to what Bruno got. It works with Predefined Authentication and Analysis OLAP but not with Webi.

We have a clustered BI 4.0 environment on SUSE Linux.

The BOBJ system has SAP Authentication set up in Launchpad and CMC, but I believe we don't have any certificate exchange settings between the BW and BOBJ systems.

And I believe we don't need the SNC or STS setup to make that SSO work, from your above comment.

In CMC, when I create an OLAP connection with a pre-defined connection, everything works on the Webi report side.

But when I use SSO as the authentication type, I couldn't see the BEx Browser; it gives the error below.

And this error also doesn't say much about why it's failing. Could you please help? Thank you so much for helping at all times.

Caused by: com.businessobjects.sdk.core.server.ServerException: [[error.openSapBwBrowsingSessionFailed] 0] <<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ConnectionString>

   <Properties>

Former Member
0 Kudos

Hi Tilak,

Did you find a solution to your problem above? I am getting the same error on changing authentication to SSO.

Caused by: com.businessobjects.sdk.core.server.ServerException: [[error.openSapBwBrowsingSessionFailed] 0] <<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ConnectionString>

Thanks & Regards,

Anuradha Padhee

Former Member
0 Kudos

Hi All,

I am getting the same error when OLAP Connection type changed to SSO.

It works fine with Pre-defined Type and we have successfully configured AD SSO.

Please let me know any solution.

Thanks,

Kris

Former Member
0 Kudos

Bruno,

I have a question regarding this. When you say the following:

"re-use the restrictions of data and structure for this users in my Webi Intelligence reports."


I understand that desired result is that the User Authorizations from the SAP BW side will take effect on the BOE side when reports are executed.


What was the undertaking to achieve successful restriction on certain reports or certain Data? Did you utilize regular SAP Users and Roles that restrict table access by something like S_TABU_DIS or something else?


Thanks,

Alex

Answers (2)


0 Kudos

Hello,

I have the same issue. I double-checked the certificate configurations and the profile parameter login, and they seem to be OK.

Could you show us which configuration was wrong?

Thank you

0 Kudos

Hi everybody!

I had the same issue, but in my case, I forgot to set the profile parameter login/accept_sso2_ticket=1.

After that the connection works fine!
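
Added example, not part of any post in this thread: a Python triage helper that parses the JCo logon error quoted in the first post and lists the checks the posters above report as fixes. The function names and the sample string are constructed for illustration, and the mapping from error to checks reflects only what this thread reports.

```python
import re

# Constructed sample, shortened from the JCo error quoted in the first post.
SAMPLE_ERROR = (
    "[[error.openSapBwBrowsingSessionFailed] 0] <Initial Catalog=MC_GTORCA;"
    "Data Source=172.22.0.150;JCO_ASHOST=172.22.0.150;JCO_R3NAME=BWD;"
    "JCO_CLIENT=100;Authentication Mode=2;JCO_SYSNR=20;>,"
    "<Error: com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: "
    "Issuer of SSO ticket is not authorized on 172.22.0.150 sysnr 20"
)

# "(group) KEY: message [on host sysnr NN]" up to the end of the line.
_ERR = re.compile(
    r"\((\d+)\)\s+(JCO_ERROR_\w+):\s*(.*?)(?:\s+on\s+(\S+)\s+sysnr\s+(\d+))?$",
    re.M,
)

def parse_bw_logon_error(text):
    """Extract the connection properties and the first JCo error from a message."""
    props = dict(re.findall(r"([A-Za-z_][\w ]*?)=([^;<>]*);", text))
    m = _ERR.search(text)
    group, key, message, host, sysnr = m.groups() if m else (None,) * 5
    return {"props": props, "group": group, "key": key,
            "message": message, "host": host, "sysnr": sysnr}

def checks_for(diag):
    """Checks that posters in this thread report as the fix for this failure."""
    msg = diag["message"] or ""
    if diag["key"] != "JCO_ERROR_LOGON_FAILURE" or "Issuer of SSO ticket" not in msg:
        return []  # a different failure: this thread offers no guidance for it
    client = diag["props"].get("JCO_CLIENT", "<unknown>")
    sid = diag["props"].get("JCO_R3NAME", "<unknown>")
    return [
        f"Log on to {sid} client {client} and open strustsso2: the BI4 "
        "certificate needs an ACL entry maintained in that client, not only in 000.",
        "The ACL System ID is the one assigned to the BI4 server at import and "
        "must equal CMC > Authentication > SAP > Options > System ID; "
        "it is not the BW System ID.",
        "Profile parameter login/accept_sso2_ticket must be set to 1.",
    ]

if __name__ == "__main__":
    for item in checks_for(parse_bw_logon_error(SAMPLE_ERROR)):
        print("-", item)
```
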