
After a short introduction to the general idea of FPN in An Introduction to Federated Portal Network (FPN), we now dive into some detailed aspects of portal federation. This blog covers the main configuration steps.

Before I describe how to configure FPN, let me say that evaluating the organizational aspects and planning the portal architecture is far more time-consuming and complex than the configuration steps themselves. You should be clear about what your federated landscape will look like and what you want to achieve with it. Be aware that governance and organizational processes within your company will be crucial for setting up a federation and maintaining it appropriately. There are therefore some questions you should ask yourself in advance, for example: Which portals should be accessed by end users? In which portals will administrators such as content administrators perform their tasks? Who oversees the federated portal network overall and maintains and tests the landscape regularly? And how can I ensure that these guidelines are then carried out?

 

After you have answered those questions for yourself, let me briefly state some of the basic boundaries of FPN. These are mainly:

  • All portals should reside in the same subdomain of the network
  • The portals should preferably be connected to the same user store (alternatively they can be connected to different user stores, provided the user stores contain identical user IDs)
  • The portals have to use the same transport protocol (all are addressed via http or all via https)
  • There is no “barrier” established between the portals such as firewalls, reverse proxies or load balancers.

Upcoming blogs or articles will cover the considerations and setup steps required if some of these requirements cannot be fulfilled. This blog stays within those limits and covers the steps required in a basic setup.

 

I would like to point out two important settings that can lead to errors if they are not set correctly: the proxy and P4 port settings. These settings are relevant for both consumer and producer. The protocols used by the FPN tools are http (for Remote Role Assignment) and RMI P4 (for Remote Delta Links).

First of all, configure the proxy settings in the portal so that traffic leaving your company domain is controlled appropriately and all content is displayed correctly. To do so, configure the portal configuration service “com.sap.portal.ivs.httpservice – proxy” according to your network settings.

The P4 port is especially crucial for Remote Delta Link communication. By default we expect the P4 port to be similar to the HTTP port, but ending with “4” instead of “0” (e.g. http = 50000 – P4 = 50004). You may have modified the P4 port of your portal, or your landscape may require connecting to a different address, e.g. because there is a load balancer in between the portals. In that case, configure the appropriate FPN service to ensure that P4 communication works correctly by entering the corresponding value in the portal service “com.sap.portal.fpn.persistance – ProducerInformationService”. This step is not necessary if you haven’t modified the standard settings. By the way: you can find the P4 port of your engine on the Web Application Server itself in the area “System Information”.
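A pre-flight check for the boundaries listed above and for the P4 port convention, as an added example that is not part of the original blog or of SAP's tooling. It assumes that “same subdomain” means the host name with its first label removed; the host names, ports and function names are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

def parent_domain(host):
    """Host name minus its first label (assumed meaning of 'same subdomain')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ""

def default_p4_port(http_port):
    """Convention from the blog: HTTP 50000 -> P4 50004 (trailing 0 becomes 4)."""
    if http_port is None or http_port % 10 != 0:
        return None  # modified or non-HTTP port: look it up in "System Information"
    return http_port + 4

def check_landscape(portals):
    """portals maps a name to a base URL. Returns (findings, expected P4 ports)."""
    parsed = {name: urlsplit(url) for name, url in portals.items()}
    findings = []
    schemes = sorted({p.scheme for p in parsed.values()})
    if len(schemes) > 1:
        findings.append("mixed transport protocols: " + ", ".join(schemes))
    domains = sorted({parent_domain(p.hostname or "") for p in parsed.values()})
    if len(domains) > 1 or domains == [""]:
        findings.append("no common subdomain: " + ", ".join(d or "<none>" for d in domains))
    p4_ports = {}
    for name, p in parsed.items():
        p4_ports[name] = default_p4_port(p.port)
        if p4_ports[name] is None:
            findings.append(f"{name}: P4 port not derivable from port {p.port}")
    return findings, p4_ports

def p4_reachable(host, port, timeout=3.0):
    """True if a plain TCP connection to the P4 port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample landscape; host names and ports are placeholders.
SAMPLE = {
    "consumer": "http://ep.corp.example.com:50000",
    "producer": "https://bi.dmz.example.com:50101",
}

if __name__ == "__main__":
    findings, p4_ports = check_landscape(SAMPLE)
    print("expected P4 ports:", p4_ports)
    for finding in findings:
        print("FINDING:", finding)
```

Run `p4_reachable` from each portal host against the other portal's P4 port, since Remote Delta Links need the P4 path open between consumer and producer.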

 

After those basic settings, we can now establish connections between individual consumer and producer portals. Two basic steps are required for this, as illustrated in the graph above.

First, set up a trust relationship by exchanging portal certificates and defining the Java systems as trusted systems. Between two SAP NetWeaver 7.0 (2004s) portals you perform these steps:
1. In the portal under “system administration – keystore administration” (see screenshot 1), export your keystore tickets and import those of the other portal.
2. In Visual Administrator in the area “Security Provider – ticket” (see screenshot 2), enter the details of the system you want to trust.

These steps have to be performed on both consumer and producer. Once that is done, the portals trust each other and single sign-on from one portal to the other is possible.

 

Screenshot 1 – keystore administration in portal system administration
 

Screenshot 2 – Visual Administrator – security provider ticket

 

Now you can define a producer system within a consumer portal. You create it in the portal under “System Administration – Federated Portal” (see screenshot 3). Provide the details of the producer system and then register with the producer.

 

Screenshot 3 – create producer system in consumer portal

 

On the producer portal you can define a registration password, which is then required during the registration phase on the consumer side. After registration, the producer portal shows all the consumers that have registered with it, and you can block access if required. The same applies to the consumer portal: you can see a list of all producer systems that were created and can block access to individual producer portals if required.

 

Once you have established both the trust relationship and the producer system, the next step is to share content between the different portals. The available methods and some considerations in this context will be covered in the next edition of this blog series.

 

Overview Blog Series FPN:

An Introduction to Federated Portal Network (FPN)
FPN Part II: Configuring a Federated Portal Network – this blog
FPN Part III – Sharing Content between SAP NetWeaver Portals


27 Comments


  1. Megha Bokam
    Hi,

    First of all thanks for this blog.

    I have a question on the options attributes of “EvaluateTicketLoginModule”. Can you elaborate on those KEY=VALUE pairs.

    Thanks,
    Megha.

    (0) 
    1. Jana Richter Post author
      Hi Megha,

      Those values are required for authenticating a system as a trusted system. You can get those values from the keystore certificate of the portal that you want to trust (that is located in the portal as described in the blog). The values are basically the System ID and client. More details are available in the documentation http://help.sap.com/saphelp_nw70/helpdata/en/43/2235260b413fe1e10000000a11466f/content.htm .

      Best regards
      Jana

      (0) 
  2. Thomas Pham
    Hi Jana,

    You make a very good point regarding the Consumer and Producer Portals being on the same subdomain, as I ran into this issue. I believe there is a workaround for this, but will this limitation be addressed in further releases?

    Regards,

    Thomas Pham

    (0) 
    1. Jana Richter Post author
      Hi Thomas,

      The reason why FPN is recommended only in a setup within one subdomain is the Single Sign-On SAP Logon Tickets. Those tickets are required for authentication, but are only issued for systems residing in one subdomain. The workaround (which contains some security considerations and thus is not fully recommended) is described in more detail here: http://help.sap.com/saphelp_nw04s/helpdata/en/a0/88a340fa432b54e10000000a1550b0/frameset.htm . From FPN side there are currently no plans to move away from SAP Logon Tickets and thus the restriction will remain.

      Hope this helps, best regards
      Jana

      (0) 
  3. Juwel Cecilia
    Dear Jana,

    Could you elaborate on your statement:

    “There is no “barrier” established between the portals such as firewalls, reverse proxies or load balancers”

    Regards,

    Juwel Cecilia

    (0) 
    1. Jana Richter Post author
      Hi Juwel,

      In case you have firewalls or proxies in between the portals, some additional considerations apply. Basically the communication paths from consumer to producer and vice versa are based on HTTP and RMI P4. Thus some additional measures are required to enable a smooth communication flow. Some more details on the considerations in these setups are available in a recorded presentation (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8036060f-2b0c-2a10-f4b2-a3eed1a25a24) and a How-To-Guide (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/400c82cc-c570-2910-3d83-b3b2799b10e9).

      Best regards
      Jana

      (0) 
  4. Marcel Rabe
    Hi Jana,

    thank you for the blogs. I was wondering how your experiences are with combining SAP NP with other portal vendors like Microsoft (Sharepoint and Dynamics for instance) and IBM.

    Using WSRP and JSR technically they should be able to exchange content but does this really work?

    Kind regards
    Marcel

    (0) 
    1. Jana Richter Post author
      Hi Marcel,

      I will cover in one of my next blogs integration of Non-SAP Portals via WSRP. You can find some information on this topic already in the Portal Knowledge Center here: WSRP Application Sharing . JSR 168 is currently only available in SAP NetWeaver 7.1 Composition Environment.

      Best regards
      Jana

      (0) 
  5. Hi Jana,
    I have a scenario with BI integration with the SAP portal in a Federated Network. There is a utility in the portal, BEX Broadcaster, which has the ability to send an online link to current data through email. This in turn sends the link of the producer and not the consumer. So the end user who receives the link will be routed to the producer, the password or access of which might not be available to him due to security reasons. So in a federated portal scenario, how does SAP intend to handle this?
    (0) 
    1. Jana Richter Post author
      Hi Akshaya,

      We are working on this conceptual issue and how it could be solved. As of now I don’t have any information on how this could be handled, but as soon as we have something, I will post it in SDN.

      Best regards
      Jana

      (0) 
      1. Jana Richter Post author
        Hi,

        there is now a note existing that describes how to enable BI Bookmarks in an FPN setup to work correctly: Note 1149597.

        Best regards
        Jana

        (0) 
    2. Michael Öztürk
      Hi Jana,

      we are facing the same problem as described by Akshaya Prakash. After looking for a solution we found and implemented the named Note in OSS.
      After implementing the Note we faced two other problems:
      a) when trying to preview a BI report in SAP, e.g. BI QueryDesigner or BI Web Application Designer, the URL settings are also taken from the setup for the Consumer Portal. This makes it rather impossible to do a preview or to deploy a BI report to the Producer Portal.

      b) due to some unknown happenings the setup does not work anymore. When trying to store a bookmark or to use the broadcasting feature in the Producer Portal, the URL points to the Producer Portal. We are not aware of having done any changes.

      Do you have any idea how to solve the two mentioned problems?

      Kind regards,
      Michael Öztürk

      (0) 
  6. Martin Bille
    Dear Jana,

    Thanks for a good blog.
    I can get Remote role assignment to work, but not the Remote delta link. In the consumer, I get; “Exception while trying to get InitialContext”, and in the Producer, the same error in log. What needs to be done?

    Do I need to do something on the deltalink iView?
    like setting – Federated Alias? And how should this be put?

    BR
    Martin

    (0) 
    1. Aravinda Boyapati
      Hi Martin,

      I am facing a similar issue with copying RDL content to the consumer portal. I also have another problem with Remote Role Assignment. I am able to see producer roles in the consumer, but when I try to access the roles it asks for login details (producer).

      Please help me .

      Thanks
      Aravinda

      (0) 
  7. Richard Hirsch
    Hi,

    How would you recommend using Guided Procedures in an FPN-based environment? One obvious way is to use UWL in the consumer portal to access the GP-based UWL tasks from the producer (CE).

    I can also imagine using a RDL to the GP Runtime Page but I don’t think this would work/be appropriate in an environment with multiple CEs…

    Are there any other possibilities?

    Thanks.

    Dick

    (0) 
  8. Ken Miller
    We have a BI portal connected to a BI system (both 7.0, of course).  Authentication is done against the ABAP stack.  The BI portal will be a producer portal.

    We have another portal (also 7.0) which will be the Consumer portal, and the primary portal for the corporation. For various reasons, authentication for this portal is performed against the corporate LDAP. There will be cases where a person’s LDAP user id is different than their SAP id. We have implemented an additional LDAP attribute which contains the SAP user id in addition to the info. We have successfully used this configuration, in combination with an ABAP Reference System, to implement SSO between the primary SAP portal and various SAP back ends.

    Will this configuration work between the consumer and producer portal that I describe above?  In other words, can I sign into the consumer portal using my LDAP id, and have information served to me from the producer portals where my backend SAP id is different.

    One of your initial statements seems to indicate not.  Any guidance you may have would be much appreciated.

    (0) 
  9. Sanjay Bhagat
    Hi,

    We are currently in the beginning phases of our portal project. Our current thinking is that we will set up FPN right from the start, so that the consumer portal will handle login and some basic content while all the heavy-duty content is prepared/delivered via the producer portals. The question we have is how should one size for FPN architecture? If I have my corporate portal as a producer portal and I set up a consumer portal that fronts all other portals in my environment, does my consumer portal need to be just as big (in terms of resources) as the producer portals? Do I just size the consumer portal to handle logins only?

    Any help and/or guidance here will be greatly appreciated.

    Thanks,
    Sanjay

    (0) 
  10. Mohammed Siddiqui
    Hi Jana,

    Firstly, appreciate your pretty comprehensive blog on FPN.
    We have configured FPN based on EP7 as consumer and BI7.0 as producer in our test environment. Both of them are at the same SPS13 level. Last week, after we refreshed our BI system only from production data, the FPN connectivity seems to have been lost.
    From my consumer, it shows that I am registered on the producer. But when I directly log into the BI portal, I don’t see my EP system as a registered consumer. I can no longer see any of the remote content from the consumer.
    I even tried to unregister my consumer, but the system will not allow it and gives the error message “Could not unregister your portal. Possible reasons: producer server is down, network problems, or incorrect registration parameters”

    Strange thing is I can create a new connection to producer, register with same parameters but different ID. Using this connection, I can search and assign remote content from Producer.

    Are you aware of any FPN issues that might be related to above scenario, more importantly, during/after System refresh of BI Abap+Java?

    Thanks!
    Fahad

    (0) 
  11. Takefumi Otani
    Hi.
    I have two portals.

    producer portal = BI7.0(AS ABAP+AS JAVA)
    consumer Portal = EP7.0(AS JAVA)

    I create dialog instance for BI(AS ABAP+AS JAVA)
    on another instance.
    How should I access the “dialog instance”?
    Can I register the “dialog instance” to the consumer portal as a “producer portal”?

    Or do I only have to “create a new system alias for the dialog instance”?
    Then I copy the roles, worksets and iViews that already exist as “remote contents”, and change the system alias from “producer portal” to “dialog instance” in each iView.

    What do you think?
    Regards,

    (0) 
  12. David Pham
    Hi
    Thanks for the information in your blog.
    In our environment the consumer has 2 web dispatchers and 3 app servers. Producer also has its own web dispatcher and 2 app servers. So what should we enter in the host name for HTTP/HTTPS Communication for the Producer URL and Producer Registration?
    In all the configuration/video clips I have read they only show the host name of the portal server and its 5XXXX port. This is ok if we have only 1 app server. How can we achieve load balancing in a multi app server environment? Can I enter the Message server host name and message server http port here?
    Best Regards
    David Pham
    (0) 
  13. Bharath Chowdary
    Thanks for your blog.

    I have done all the configuration.
    My FPN is working fine with the normal iView.
    But when it comes to iViews which use user information (like Employee Self-Service) it shows some error.

    Can you solve this for me?

    Bharath.

    (0) 
    1. Jana Richter Post author
      Hi Bharath,

      for those specific issues it is usually better to open an OSS message. Our support can then have a detailed look on the issue and potential solutions. Unfortunately there is no easy answer to errors.

      Best regards
      Jana

      (0) 
  14. Teng-Li Yong
    Hi Jana,
    Thanks for the excellent detailed blog.
    Just wondering if there are any issues with FPN on EP7 SP16?

    I have configured FPN many times on the portal up to SP14 but am having trouble getting the FPN alias to show up in the datasource under User Admin > Identity Management > Role.

    Do you know if there are any known issues with RRA on EP7 SP16 with FPN?

    Teng-Li  

    (0) 
      1. Hi Jana,
        Thanks again for taking the time to reply.
        I have already applied your suggested advice in the producer portal.

        Turns out there was a bug in SAP NetWeaver 7.0 SPS16 and SAP Note 1171684 provided a workaround.

        Thanks again!
        Teng-Li

        (0) 
