In BI 4.0, a new service called STS (Security Token Service) has been introduced to offer Single Sign-On capability when connecting to SAP BW data sources.
The Security Token Service:
- Replaces what was done with server-side trust in XI 3.1
- Allows a token to be generated, for example for a WAD app hosted in BusinessObjects Enterprise
- Allows scheduling with Single Sign-On, as the token can be generated
STS is based on a Web service that allows you to use Single Sign-On (SSO) in heterogeneous system landscapes. It acts as a token broker: it exchanges security tokens that identify the users of consumer systems for security tokens that provider systems can evaluate.

*Note*: the previous mechanism, SNC (Secure Network Communication), is still valid in most situations.
As an overview of the situations where the Security Token Service applies, below are examples of different scenarios, based on the following configuration: Single Sign-On implemented by mapping Active Directory users to SAP aliases, with STS as the Single Sign-On mechanism between BI 4.0 and the SAP data source:

| Client Tools | Crystal Reports Designer 2011 | Crystal Reports Designer Next Generation |
|---|---|---|
| Create | X | Y |
| Refresh | X | Y |

| Server Tools | Webi Legacy Universe (unv) | Webi New universe (unx) | Crystal Report 2011 in InfoView | Crystal Reports for Enterprise in InfoView |
|---|---|---|---|---|
| Refresh | X | Y | X | Y |
| Schedule | X | Y | X | Y |

1. Creation/Import of certificates
1.1 On BusinessObjects Enterprise server side (Central Management Server CMS)
`java -jar PKCS12Tool.jar -alias BI4 -keystore BI4_193_IWX.p12 -storepass <password> -dname "CN=BI4_193" -cert BI4_193_IWX.der`

- You can choose a naming convention with no special characters.
- The 2 following files are generated and stored in the same location:
  - BI4_193_IWX.p12
  - BI4_193_IWX.der

*For next steps:*
- The keystore file (.p12) has to be imported in the BI 4.0 Central Management Console, on the SAP Authentication Option tab.
- The certificate file (.der) has to be imported in SAP NetWeaver with the STRUSTSSO2 transaction.

*Notes:*
- The Alias option is optional.
- The CN name MUST BE UNIQUE.
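
A pre-import check for the two files generated above, as an added example that is not part of the original article or of SAP's tooling: it confirms that the .der is the certificate stored in the .p12, that it carries the CN you chose, and that it is not about to expire. It assumes the OpenSSL command line is available on the administrator's machine; the function names and the `STS_P12_PASS` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not SAP tooling: check the PKCS12Tool output files before the
# .der is imported with STRUSTSSO2. Function names and STS_P12_PASS are assumptions.
# On OpenSSL 3, keystores written with older PKCS#12 ciphers also need "-legacy".

# SHA-256 fingerprint of a DER-encoded certificate file.
sts_der_fingerprint() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate held in the .p12 keystore. The password
# is read from the STS_P12_PASS environment variable, not from the command line.
sts_p12_fingerprint() {
  openssl pkcs12 -in "$1" -passin env:STS_P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Common Name taken from the subject of a DER-encoded certificate.
sts_der_cn() {
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 |
    sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# usage: sts_check_pair <keystore.p12> <cert.der> <expected CN>
# Returns 0 only if the .der is the certificate inside the keystore, carries
# the expected CN, and does not expire within the next 24 hours.
sts_check_pair() {
  sts_fp_der=$(sts_der_fingerprint "$2")
  sts_fp_p12=$(sts_p12_fingerprint "$1")
  sts_cn=$(sts_der_cn "$2")
  if [ -z "$sts_fp_der" ] || [ "$sts_fp_der" != "$sts_fp_p12" ]; then
    echo "FAIL: $2 is not the certificate stored in $1" >&2; return 1
  fi
  if [ "$sts_cn" != "$3" ]; then
    echo "FAIL: CN is '$sts_cn', expected '$3'" >&2; return 1
  fi
  if ! openssl x509 -inform DER -in "$2" -noout -checkend 86400 >/dev/null; then
    echo "FAIL: certificate expires within 24 hours" >&2; return 1
  fi
  echo "OK: CN=$sts_cn SHA256=$sts_fp_der"
}
```

The fingerprint printed on success can be compared with the one SAP GUI shows for the certificate after the import.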
1.2 On BW Server side
- Prerequisite: make sure the .der file generated in 1.1 is accessible from a local or shared drive during this workflow.
- Log in to your SAP ABAP BW system via SAP GUI as a user with administrative privileges, using the same client ID as on the BW system where you want to configure STS.
- In SAP GUI, execute STRUSTSSO2 (and not STRUSTSSO).
- In the Certificate tab, click *import certificate* (green arrow).