*This Blog gives you step by step installation and configuration of DUET 1.0 SP04. </p><p>S/w and h/w requirements: * Refer SAP Installation or SAP notes for hardware and Software requirements
<u>Duet Server Components Set-up (SAP):</u>
* <strong>Preparation:</strong> You must install SAP Net Weaver '04 Web Application Server Java 6.40 SP19, or higher. It provides the SAP Web Application Server Java system (SAP Web AS Java system) on top of which the Duet server runs </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/j2e.JPG|height=205|alt=image|width=513|src=http...! </p><p>Setting Up the SAP User Management Engine to Connect to the Active Directory* Installation of Duet Server components:
1. Double-click +sapinst.exe in the following path to start SAPInst: \SAP\Java\SAPINST\NT\I386</p><p>Duet Server :Consists of the Java components to deploy for Duet server. Select this option to deploy the Duet server components.</p><p>Note: You must install the Duet server components before deploying the DuetAdd-On components. </p><p style="margin: 0in 0in 0pt" class="MsoNormal">* !https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents.JPG|height=153|alt=image|width=3...!</p><p>Choose Next. The Specify Details of the Duet Server Host screen displays </p><p style="margin: 0in 0in 0pt" class="MsoNormal">!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents1.JPG|height=189|alt=image|width=...!</p><p> </p><p>Choose Next. The Specify Details of the Software Deployment Manager screen displays </p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal">!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents2.JPG|height=191|alt=image|width=...!</p><p> </p><p>Select this option to install all the archives and to update the deployed component, regardless of its version. </p><p> Enter the details of the load balancing mechanism in the Duet server environment: </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents3.JPG|height=153|alt=image|width=...! </p><p>Choose Next. The Select Default Language screen displays. </p><p> !https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents4.JPG|height=89|alt=image|width=4...!</p><p>If you select this option, Kerberos and SAP Logon Ticket authentication is automatically selected as the authentication method and the Configure Security Settings screen does not display.* </p><p> </p><p style="margin: 0in 0in 0pt" class="MsoNormal"> !https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents5.JPG|height=128|alt=image|width=...!</p><p style="margin: 0in 0in 0pt" class="MsoNormal"> </p><p style="margin: 0in 0in 0pt" class="MsoNormal">Choose Next. To Specify Duet Metadata Service Settings screen displays. </p><p style="margin: 0in 0in 0pt" class="MsoNormal"> </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents6.JPG|height=171|alt=image|width=...! </p><p>Enter the details for the host in which you intend to deploy the Duet Add-On: </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents7.JPG|height=187|alt=image|width=...! </p><p style="margin: 0in 0in 0pt" class="default"> </p><p style="margin: 0in 0in 0pt" class="default">!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents8.JPG|height=150|alt=image|width=...!</p><p style="margin: 0in 0in 0pt" class="default"> </p><p style="margin: 0in 0in 0pt" class="default">Choose Next, and then choose Start in the summary screen to start deploying the Duet server components.</p><p style="margin: 0in 0in 0pt" class="default"> </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/duetcomponents9.JPG|height=118|alt=image|width=...!</p><p><u>Configuring the Duet Server Host for Kerberos:</u></p><p>You configure the host of the Duet server to use Kerberos authentication through a wizard, SPNego. Read SAP note number 994791 for more information about using the SPNego Wizard. </p><p>Important: Follow the instructions in the wizard. However, in the PolicyConfiguration screen, do the following:</p><p>• Click Existing Configuration, and selectsap.com\xappsospserver~deployer*osp_TicketIssuer+
• Under Authentication Stack Configuration, do +not +select Use BasicPassword fallback.
*Deploying the Duet Add-On *
1. Connecting User Management Engine to the SAP System User Store
Note: If the users IDs in the SAP system are not the same as the user IDs in the Active Directory server, you must map the users using the user mapping tool.
2. You must obtain the ID of an existing system user in SAP system, and define administrator rights for it in the User Management Engine (UME) in the Duet Add-On host.
<u>Deploying the Duet Add-On Components:</u>
1. Double-click sapinst.exe, in the following path to start SAPInst: …\SAPINST\Java\NT\I386
Select this option to deploy the Duet Add-On components in the SAP system landscape.
Note: Although you can install the Duet Add-On components in the same host as the Duet server, we recommend that you deploy the Duet Add-On components in a separate host.
2. Select Duet Add-On, and choose Next. The Specify Details of the Duet Add-On Host screen displays
3. Choose Next, the Specify Details of the Software Deployment Manager screen displays
4. Enter the J2EE administrator user ID and password.
Note: You created this administrator user ID in the SAP Web AS Java system during the preparation stage. Make sure that the same user ID exists as a system user in the SAP system
5.Choose Next. The Specify Details of the Duet Server screen displays.
Note: Make sure that the Duet server is running when you perform this step.
6. After you have entered all required input parameters, SAPInst starts the installation and displays the progress of the installation
<u>Installing Duet Business Applications</u>
*1. Creating New Folders in the Duet Metadata Service Host: Use the following names to create two new folders in the Duet Metadata Service host: </p><p>DuetMetadata:* Stores the metadata for the Duet business applications.
DuetCode: Stores the resources (DLL files, graphic files, and the Duet help) for the business applications. Share these folders and define specific permissions for working in them as per the installation guide .
*2. Security Settings for Request Handler Service: *
You must configure access to the Duet business applications through the Internet Information Service (IIS), in the same host as the Duet Metadata Service. This enables the Duet Metadata Service to access assemblies and metadata for the Duet business applications.* </p><p>Requirement:</p><p>• Make sure that the Duet Metadata Service and the Request Handler Service has been installed.</p><p>To configure the Request Handler service in the IIS:</p><p>1. From the +Start menu +→ +Settings +→ +Control Panel +→ +Administrative tools +→ InternetInformation Services Manager.2. Expand the node in the left hand pane, and choose +Web +Sites </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/businessapp1.JPG|height=353|alt=image|width=489...!</p><p>3. From the right hand panel, select RequestHandler.<em>asmx</em>.</p><p>4. Right-click RequestHandler.<em>asmx</em>, select Properties.</p><p>5. Select the +File Security +tab, and select +Edit +under Authenticated access control. </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/businessapp2.JPG|height=356|alt=image|width=434...! </p><p> </p><p>6. Select +Basic authentication +under Authenticated access control.</p><p>Note*: Make sure that the option, +Enable anonymous access is not selected. </p><p> <u>Loading Metadata for Duet Business Applications:</u><strong> </strong> </p><p>1.Open the Application Installer in each host (Duet Add-On and Duet server), http://<Duetmarteraddon host>:5$$00/duet</p><p> !https://weblogs.sdn.sap.com/weblogs/images/251818322/businessapp3.JPG|height=245|alt=image|width=650...! * </p><p>ApplicationsFramework.zip* Load this DAR file only in the Master Duet Add-On host.</p><p>Tools.UI.DAR.zip: Load this DAR file only in the Master Duet Add-On host.</p><p>OSPADDON.zip: First, load this DAR file in the Master Duet Add-On host, and make sure you choose Master Duet Add-On. </p><p>2. From the Duet server host, open the Application Installer, Choose browse to select the DAR file, </p><p>OSPADDON.zip.Do not select Master Duet Add-On. </p><p>3. Repeat step 1 and 2 to install the DAR file for specific Duet Business Applications. For example, TimeManagement.zip. </p><p>After loading the Duet business applications, the installation program places data and other resources for the business applications in the Duet Metadata Service host, in the following folders: </p><p> • DuetMetadata: the metadata for the installed business applications. </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/businessapp4.JPG|height=82|alt=image|width=606|...! </p><p> </p><p>• DuetCode: the resources for the installed business applications. </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/businessapp5.JPG|height=269|alt=image|width=456...!</p><p> <u>Configuring the Duet Add-On Environment :</u> </p><p>Setting the Size for Messages in the SAP Web Application Server Java</p><p>1. Start the Visual Admin Console using the file, go.bat in the path:Go to Cluster tab→ +Server +→ +Services +→ JMS Provider
2. Choose the +Properties +tab
• clientConsumerBuffer = 524288
• clientMemorySize = 52428800
•sizeLimitInMasterQueue = 3145728
Note: Choose +Update +when you edit the value of a property, and select +Save +to save the changes
3.Restart the +JMS Provider +as follows:
Settings for Queues in the JMS Provider Service:
1.Start the Offline Configuration editor using the file, offlinecfgeditor.bat in the path:<AddonServer_SAPJ2EE Engine_installation>\j2ee\configtool
2. Go to +Configurations +→ +jms provider +→DEFAULT→ +default +→Queues
→ ItemsQueues.
3. Switch to edit mode and set the following property value: deliveryAttemptsLimited = false
4. Restart the cluster of the Duet Add-On for the change to take effect.
Connect to an SAP System and Map Its Roles to Business Application Roles</p><p>1. Start the Duet Administration Control Panel using the following URL: + http://<duetserver host>:5$$00/duet+ </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/rolesmapping1.JPG|height=365|alt=image|width=67...!</p><p>2.From the Duet Administration Control Panel, select Define SAP System. </p><p>3. In the Connection Details screen, enter the connection settings to a specific SAP system </p><p> !https://weblogs.sdn.sap.com/weblogs/images/251818322/rolesmapping2.JPG|height=114|alt=image|width=33...!</p><p>4. Choose next, the Map Role screen displays: </p><p>Role Name: Specify the name of the role in the SAP system. </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/rolesmapping3.JPG|height=277|alt=image|width=50...!</p><p>5. Select the Duet business applications with their roles mapped to the roles in SAP system. </p><p>Note: Make sure that you install the appropriate support package required by the selected business applications in SAP system
6. Choose Finish.
7. Choose Define Add-On, and enter as the following:
8. Repeat step 7 to connect several SAP systems to the Duet Add-On.
*Configuring the Authorization Manager Configuring Authentication for AzMan Service through IIS *
1. From the +Start menu +→ +Settings +→ +Control Panel +→ +Administrative tools +→Internet Information Services. The Internet Information Services window opens
2. Under Internet Information Services, expand the computer host name and choose Web Sites
3. Right-click Duet AzMan Service and select Properties.
4. Select Directory Security tab, and choose Edit in the Authentication and access control panel.
+• Do not select Enable anonymous access. Make sure that this option is not selected. </p><p>• Select Basic authentication under Authenticated access </em> </p><p>
+
+5. +Choose +OK +* </p><p>Defining Permissions for the Administrator User in the Authorization Manager</p><p>After configuring authentication for the AzMan service in the Duet Metadata Servicehost, you must define permissions for the administrator user that runs SAP services, inthe Authority Manager (AzMan).</p><p>To define permissions for the administrator user:*
1. From the Start menu, select Run, and then type AzMan.msc
2. Right-click Authorization Manager, and select Open Authorization Store
3. For the authorization store type, choose XML file
4. Right-click Administrators, and choose Assign Windows Users and Groups
</p><p> </p><p>+5. +Enter the administrator user that runs SAP services in Windows. For example, SAPService<instance ID>. </p><p>Note: You can assign the entire Administrators Group if the user is part of this group.
Define Connection Settings to the Duet Metadata Service Host : <u>Define Duet Configuration Details </u></p><p><u> </u>Using a browser–based application Duet Configuration Details, you define the settings for configuring communication connections between the Item Handler service in the Duet Add-On host, and the Request Handler service in the Duet Metadata Service host. Using the settings you specify, the Duet Configuration Details application attempts to connect to the Request Handler service in the same host as the Duet Metadata Service. </p><p>1. Start the Duet Administration Control Panel using the following </p><p>URL: http://<Due Server Host Name>.<domain>:<J2EE Port Number>/duet </p><p>2. Choose Duet Connection Configuration Details. </p><p style="margin: 0in 0in 0pt" class="default"> !https://weblogs.sdn.sap.com/weblogs/images/251818322/metadata2.JPG|height=168|alt=image|width=472|sr...!</p><p> </p><p>3. Choose Apply. The application attempts to connect to the connection to the Request Handler service. If it fails, an appropriate error message is displayed. </p><p>4. Choose Finish, when Automatic background processing complete. </p><p>Note: Later, you configure trust between the Duet server and the Duet Add-On host using this screen.
*Define RFC Destinations </p><p>Using a browser–based application Duet Configuration Details, you define the settings for configuring communication connections between the specific Duet Add-On host and the specific SAP system. </p><p>1. Start the Duet Administration Control Panel using the following URL: http://<Duet Add-On Host Name>.<domain>:<J2EE Port Number>/duet </p><p>2. Choose SAP System Connection Configuration Details. Enter the following: </p><p> !https://weblogs.sdn.sap.com/weblogs/images/251818322/metadata3.JPG|height=157|alt=image|width=481|sr...!</p><p>3. Choose Apply. </p><p>Configuring the Duet System Landscape Configure Trust between Each Duet Add-On Host and the Duet Server</p><p> You configure trust between each Duet Add-On and the Duet server using a browser-based application. The application imports and configures a certificate issued in the Duet server host to the Duet Add-On host. This process enables single sign-on between the </p><p>1. Duet server host and Duet Add-On host.* System ID: Enter the System ID (SID) of the SAP Web Application Server (Java system) where the Duet Server is deployed
Client: Enter the client of the SAP Java WAS (J2EE system) where the Duet Server is deployed (the default client is 000).
*2. Configure Trust between Each Duet Add-On Host and SAP System </p><p>Issuing a Certificate in SAP System*
You must configure the SAP system you have prepared for Duet, to issue a certificate for use in the Duet Add-On host. Later, you import the certificate into Duet Add-On host.
To issue and export the certificate from the SAP Web AS ABAP system:1. Log on to the SAP system, and in the system command line enter the transaction STRUST.2. Select the +Personal Security Environment +(PSE) that is used for logon tickets (per default, this is the System PSE).3.Double-click the Distinguished Name. The certificate appears in the lower section of the screen.
4. Choose Certificate → Export. The Export Certificate dialog appears.
5. Save the certificate to a file.
*3. Import the Certificate from the SAP System into the Duet Add-On Host </p><p>Import the Certificate from the SAP System into the Duet Add-On Host </p><p>You need to configure the Duet Add-On host to accept assertion logon tickets issued from SAP system. You perform this task in the Duet Add-On environment. </p><p>To import the certificate from the SAP Web AS ABAP system: </p><p>1. Start the Visual Admin Console, using the file, go.bat, located in the path: <SAPJ2EEEngine_installation>\j2ee\admin\> </p><p>2. In the Visual Admin window, choose Server→Services →Key Storage. </p><p>3. From the Runtime tab, choose Ticket Keystore view, and then select Load from the Entry pane. </p><p>4. Select the exported certificate file. For example, abapaddon.crt. </p><p>Note: Specify the pathname of the certificate file you saved in the host of SAP. You can map a drive to the host of SAP from the Duet Add-On host. The certificate is stored in the selected view as a CERTIFICATE entry. </p><p>To configure trust between a Duet Add-On host and a specific SAP system: </p><p>1. Start the Duet Administration Control Panel using the following </p><p>URL: http://<Duet Add-On Host Name>.<domain>:<J2EE Port Number>/duet </p><p>2. Choose SAP System Connection Configuration Details. </p><p>Note: You configured the RFC destination using this screen. </p><p>3. Under Trust, enter the following: </p><p style="margin: 0in 0in 0pt" class="default">!https://weblogs.sdn.sap.com/weblogs/images/251818322/trust3.JPG|height=102|alt=image|width=338|src=h...!</p><p> </p><p>SAP System Certificate:* Select the certificate you imported into the Duet Add-On host.
*SAP system: Select the system ID of the SAP system from which you imported the certificate. </p><p>4. Choose Apply, to configure trust and the EvaluateAssertionTicketLoginModule. A message displays. </p><p>Issuing and Importing a Certificate from Duet Add-On into the SAP SystemChanging the Public Key of the New CertificateNote*: If you do not have an Add-In installation, skip the following steps.5. Select Set and select Save.6. Restart the nodes in the cluster for the changes to take effect. * </p><p>Exporting a Certificate from the Duet Add-On HostTo export the certificate using the Key Storage Service:</p><p>1. Start the Visual Admin Console, using the file, go.bat, located in the path:<SAPJ2EEEngine_installation>\j2ee\admin\></p><p>2. From Visual Admin window, choose → +Server +→ Services→ Key Storage.</p><p>3. From the +Runtime +tab, choose +TicketKeystore +view, and then choose SAPLogonTicketKeypair-<em>cert </em>Entry.</p><p>4. Select +Export to export the certificate by saving it to a file. </p><p style="margin: 0in 0in 0pt" class="default"> !https://weblogs.sdn.sap.com/weblogs/images/251818322/trust5.JPG|height=359|alt=image|width=572|src=h...!</p><p> </p><p>5. Specify a filename. Use the file type X.509 Certificate with the extension .crt +and choose OK. For example, JavaddonCert.<em>crt</em>. </p><p>Note: Write down the path and the name of the certificate file you saved, since you have to import it into your existing SAP system. </p><p>Importing the Certificate from the Duet Add- On Host into the SAP System</p><p>You need to configure your SAP system to accept logon tickets using the certificate issued by the Duet Add-On host. You perform this task in SAP environment. </p><p>To import the certificate into the SAP system:</p><p>1. Logon to the specific SAP system.2. Enter the transaction /nstrustSSO</p><p>2. The +Trust Manager for Single Sign-On +screen displays.</p><p>3. Select System PSE (for logon tickets).</p><p>4. Select +Import Certificate +from the Certificate Pane.</p><p> 5. Browse to locate the certificate from the Duet Add-On host. For example, javaddon.cert.</p><p>6. Choose +Add to certificate list +in +Certificate +pane.</p><p>7. Choose Add to ACL, and specify the following:• Common Name: Enter the system ID for the Duet Add-On host • Client: Enter the same three digit number that you specified for the client. For example, 120. See step 4, under Changing the Public Key of the New Certificate </p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal">!https://weblogs.sdn.sap.com/weblogs/images/251818322/trust6.JPG|height=167|alt=image|width=445|src=h...!</p><p> </p><p>8. Choose Save. </p><p>Configure Trust between the Duet Server Host and SAP System</p><p>You need to enable the Role management Web service in SAP system to call otherservices in the Duet server. </p><p>Import the Certificate from SAP into the Duet Server Host You need to configure the Duet server host to accept assertion logon tickets issued from SAP system. You perform this task in the Duet server environment. </p><p>To import the certificate from the SAP Web AS ABAP system: </p><p>1. Start the Visual Admin Console, using the file, go.bat, located in the path: <SAPJ2EEEngine_installation>\j2ee\admin\> </p><p>2. In the Visual Admin window, choose Server→ Services →Key Storage. </p><p>3. From the Runtime tab, choose Ticket Keystore view, and from the Entry pane select Load. </p><p>4. Choose the exported certificate file. </p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal">!https://weblogs.sdn.sap.com/weblogs/images/251818322/trust7.JPG|height=279|alt=image|width=579|src=h...!</p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal"> </p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal">!https://weblogs.sdn.sap.com/weblogs/images/251818322/trust8.JPG|height=207|alt=image|width=578|src=h...!</p><p> </p><p>Note: Specify the pathname of the certificate file you saved in the host of SAP. You can map a drive to the host of mySAP REP from the Duet server host. The certificate is stored in the selected view as a CERTIFICATE entry. Note the server’s Distinguished Name () and the issuer’s Distinguished Name(). You need these two Distinguished Names for the access control list (ACL) entries in the next step.5. Maintain the logon ticket access control list in the options for the login module EvaluateAssertionTicketLoginModule:</p><p>a. Go to +Visual Admin +→ +Services +→ Security Provider, and select the +User Management +tab.</p><p>b. Switch to edit mode and choose Manage Security Stores.</p><p>c. Select UME User Store as the user store.</p><p>d. Select the +EvaluateAssertionTicketLoginModule +entry and choose +View +/ Change Properties. </p><p style="margin: 2pt 0in; text-align: justify" class="MsoNormal"> !https://weblogs.sdn.sap.com/weblogs/images/251818322/trust9.JPG|height=337|alt=image|width=580|src=h...!</p><p> </p><p>e. Under Options, enter the following for the host that issued the logon ticket to be accepted by the Duet server: </p><p> !https://weblogs.sdn.sap.com/weblogs/images/251818322/trust10.JPG|height=108|alt=image|width=532|src=...!</p><p>Configuring the Duet Business Applications Environment <strong>Configuring</strong> <strong>Client Access to Resources for Duet Business Applications through URL </strong></p><p>To configure clients to access the resources for business applications using URL: </p><p>1. From the file system of the host of the Duet Metadata Service host, select the folder, \DuetCode. </p><p>2. Right click the selected folder, and select Properties. </p><p>3. Select the tab, Web Sharing, and select Share this folder. </p><p>4. Select Edit Properties, and under Access permissions, select the following: • Directory browsing </p><p> • Read </p><p>5. Choose OK twice to the close the Edit, and the Properties dialog boxes. </p><p>Publishing the Metadata for Duet Business Applications </p><p>You manually publish the metadata for the Duet business applications from the Duet Metadata Service host. </p><p>To publish the metadata for the Duet business applications: </p><p>To publish metadata, you use the metadata publishing tool in the folder: <drive>:\Inetpub\DuetServiceProvider\bin </p><p>1. From the Duet Metadata Service host, find the XML file DuetMetadata.xml, in the shared folder, Duetmetadata. For example,
<Duet Metadata Service host>\Duetmetadata </p><p>2. At the command line, change directory to folder: <drive>:\Inetpub\DuetServiceProvider\bin </p><p>3. Type the following: Microsoft.Duet.Tools.DeployMetadata.exe copyftos <Duetmetadata path>\DuetMetadata.xml </p><p>!https://weblogs.sdn.sap.com/weblogs/images/251818322/publishing1.JPG|height=117|alt=image|width=642|...!</p><p>Note: Duet automatically updates the file, DuetMetadata.XML, whenever you make changes to the metadata. For this reason, you must republish the metadata using the above procedures. </p><p>Synchronizing Duet Business Applications Roles with SAP System Roles*
1. Start the Duet Administration Control Panel using the following URL:
2. From the Duet Administration Control Panel → Duet System Management, select Role Management.
3. Choose Activate SAP System Role Synchronization to automate the configuration of roles between Duet business applications and SAP system.
Note: If users do not have the same user ID in Windows and SAP, you must configure user mapping data in the Duet Server environment before activating Role Synchronization.
When you republish the metadata for a business application, use Copy Role Assignments to AzMan. Doing so copies the assigned roles from the Duet server host to the Authorization Manager (AzMan), in the Duet Metadata host
10 Comments
