Encouraged by my good friend Dallas Marks, I thought I would actually contribute to my blog for once and discuss the new SAP certification I achieved last week.
The official certification is ‘SAP Certified Support Associate – Incident Management with SAP BusinessObjects’, and details on the SAP website can be found here.
So what is the certification for? Well sorry if you are an SAP customer, because this certification isn’t for you personally – it’s for SAP partners only. It is a certification SAP have put in place to ensure quality support is provided to you by partners. The partner that I now work for, ASG Group, run an SAP-certified support desk for existing SAP customers using Solution Manager, so by achieving the BusinessObjects Support certification, we are also now certified to support BusinessObjects customers as well.
I found the most useful resource for studying for the exam was this blog post by Clariba. Having done quite a few other BusinessObjects exams, I found this exam quite straightforward and the study materials provided on the SAP partner portal are adequate to answer the questions. Preferably, you should already be using Solution Manager as hands-on experience helps a lot.
So, if you are a partner consultant and want to provide SAP-certified BusinessObjects product support, then look no further than this certification.
So following my previous post on AD SSO with BusinessObjects XI 3.1 and a lot of interest in updating the post to provide step-by-step guidance for BI4 AD SSO, below please find another SSO cheat sheet for BI4. I have used the latest KB note on AD SSO which is 1631734, written by Steve Fredell.
Please note that in this example below, I am assuming that Tomcat is being used for the web application server, and it is by default installed on the same instance as the BusinessObjects BI4 application. In a distributed scenario, certain actions will take place on the Web App instance, and others on the BusinessObjects BI4 instance.
Instead of just letting you walk through the process yourself, I also wanted to give you a more visual guide. So below, please find a DSLayer special edition, video walkthrough of this guide:
Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs):
Domain Name: DOMAIN (FQDN: DOMAIN.INTERNAL)
Service Account: biservice (password: Password1)
Domain Controller: adserver.DOMAIN.INTERNAL
BusinessObjects Server: bi4server.DOMAIN.INTERNAL
BusinessObjects AD Group: DOMAIN\UserGroup
Step 1
Create an Active Directory service account, biservice (pass: Password1). Ensure the ‘Password never expires’ option is checked in the user config.
On the BusinessObjects server, add the DOMAIN\biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.
Step 2
Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):
setspn -a BICMS/biservice.domain.internal biservice
setspn -a HTTP/bi4server biservice
setspn -a HTTP/bi4server.domain.internal biservice
Verify the SPNs have been created by running ‘setspn -l biservice’.
Step 3
In Active Directory, open the user config of the ‘biservice’ user and, under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.
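The AD-side results of Steps 1 to 3 can be checked in one pass. The PowerShell below is an added example, not part of the original post or of SAP note 1631734; it assumes PowerShell 3.0 or later with the ActiveDirectory module, uses the sample account and SPNs from this page, and `Test-BiSsoAccount` is a hypothetical function name. It goes slightly beyond ‘setspn -l’ by also reporting any SPN registered on more than one account in the domain, since a duplicate SPN makes Kerberos ticket requests for that service fail.

```powershell
# Added example: checks the AD-side results of Steps 1-3 for the service account.
# Assumes the ActiveDirectory module (RSAT) and the sample names used on this page.
Import-Module ActiveDirectory

function Test-BiSsoAccount {
    param(
        [string]   $Account  = 'biservice',
        [string[]] $Expected = @('BICMS/biservice.domain.internal',
                                 'HTTP/bi4server',
                                 'HTTP/bi4server.domain.internal')
    )

    $user = Get-ADUser -Identity $Account -Properties ServicePrincipalNames,
                TrustedForDelegation, PasswordNeverExpires

    foreach ($spn in $Expected) {
        # Every object in the current domain that carries this SPN.
        # A working setup has exactly one owner: the service account.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        [pscustomobject]@{
            Check  = "Step 2: SPN $spn"
            # -contains is case-insensitive, matching how AD compares SPNs
            Pass   = ($user.ServicePrincipalNames -contains $spn) -and ($owners.Count -eq 1)
            Detail = 'registered on: ' + ($owners.sAMAccountName -join ', ')
        }
    }

    [pscustomobject]@{
        Check  = 'Step 1: password never expires'
        Pass   = [bool]$user.PasswordNeverExpires
        Detail = "PasswordNeverExpires = $($user.PasswordNeverExpires)"
    }
    [pscustomobject]@{
        Check  = 'Step 3: trusted for delegation to any service'
        Pass   = [bool]$user.TrustedForDelegation
        Detail = "TrustedForDelegation = $($user.TrustedForDelegation)"
    }
}

Test-BiSsoAccount | Format-Table -AutoSize
```

The ‘Service principal name’ entered in the CMC in Step 4 must be one of the SPNs this reports as registered on biservice.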
Step 4
Under the AD Authentication area in the Central Management Console, take the following actions:
Enable Windows Active Directory (AD)
AD Administration Name = DOMAIN\biservice
Default AD Domain: DOMAIN.INTERNAL
Add AD Group: DOMAIN\UserGroup
Use Kerberos Authentication
Service principal name = BICMS/biservice.domain.internal
Enable Single Sign On for selected authentication mode
Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.
Step 5
Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.
Step 6
Test this by logging into Web Intelligence Rich Client by using an AD user who is part of the group. SSO should occur once you select ‘Windows AD’ authentication and click OK (no need to input your username or password).
Step 7
Create a file called ‘bscLogin.conf’, save it into C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:
Verify this file is completed correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct.
Step 8
Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘BIlaunchpad.properties’ with the following text:
Start Tomcat, then try and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’.
Step 9
Stop Tomcat. Modify C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml by adding ‘maxHttpHeaderSize="65536"’ to the Connector tag for port 8080.
Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘global.properties’ with the following text:
Delete logs in C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.
Start Tomcat, go to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, and check that stdout.log shows ‘credentials obtained’.
Test silent single sign on is now working in a browser (not on the BusinessObjects server).
Step 10
Copy BIlaunchpad.properties and global.properties from C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and stop SSO from working.
Step 11
Create a keytab on the AD server by running the following command:
Add the following line to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties:
idm.keytab=C:/WINDOWS/bosso.keytab
Open up the Tomcat Configuration, remove the Wedgetail line in Java Options, restart Tomcat and make sure ‘credentials obtained’ is still showing up in stdout.log.
Now check that silent single sign on is still operating correctly.
Step 12
Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.
Conclusion
Hopefully this walkthrough gives you a good idea of what is required to get AD SSO working on BI4.
Don’t forget to look at SAP note 1631734. Also included in the SAP note is troubleshooting assistance for each step.
Well, after prompting from Dallas Marks and another viewer that I needed to post another update, I thought I’d let everyone know where I’m up to. I’ve now had the laptop for several months, and am absolutely loving it – as those who follow me on Twitter will have seen. I thought I would be booting into Windows Server 2008 most of the time while at work, but I’ve found I can’t live without some of my OSX apps, including MindNode and Nambu.
However, I have changed the operating systems a few times, and have now settled on pure OSX, with the following VMs running in VMWare Fusion:
Desktop – Windows 7 64bit for MS Office (especially Outlook) and BusinessObjects desktop tools
Server – Windows Server 2008 R2 for SQL Server 2008, Oracle 11g XE, BusinessObjects Enterprise XI 3.1 and Data Services XI 3.2
BI4 – Windows Server 2008 R2 for SAP BusinessObjects BI4 beta
The thing I’m regretting is moving up to a 15″ MBP. I really miss the form factor of my 13″ Macbook, and now with 13″ MBPs, I can get the same performance from a 13″ that I can from my 15″. When I upgrade in a few years, I’m definitely going back to 13″.
The performance is excellent. I run my Server VM with 4GB RAM assigned, and it hums along. I’ve got the services that start on boot optimised, so now I only start SQL Server (but not SSAS), the SIA (with only the CMS, File Input and File Output servers) and Tomcat. Boot up time is only a minute or two, and then I use batch scripts to start up various BusinessObjects servers as required for demos.
Data Services also performs extremely well. I benchmarked performance of a CSV file with 64,000 rows being pivoted in memory to a couple of million rows, and run time of the job was less than a minute.
For those that seek performance and the usability of OSX, I definitely recommend a MBP with VMWare Fusion.