BI 4 64-bit – Configuring Trusted Authentication using IIS – Tomcat Bridge with Apache Jakarta ISAPI
Introduction:
BI 4 supports Single Sign-On through Trusted Authentication. This feature lets the user log into InfoView without being prompted for a username and
password. Using Trusted Authentication we can do Single Sign-On for any user in Enterprise (Enterprise/Windows NT/Windows AD/LDAP).
Single Sign-on Configuration Tasks
1. Go to the Authentication management area of the CMC, double-click
Enterprise, check “Trusted Authentication is enabled” and click Update.
2. Click the New Shared Secret button. Click the Download Shared Secret button and save
the “TrustedPrincipal.conf” file in the “D:\SAP BusinessObjects\SAP
BusinessObjects Enterprise XI 4.0\win32_x86” location on the web application servers (Tomcat).
NOTE: If the “win32_x86” folder does not exist, create a folder called
“win32_x86” and copy the file into it.
3. Copy the BIlaunchpad.properties, global.properties and
OpenDocument.properties files from “D:\SAP
BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\default” to the “D:\SAP
BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom” folder on the web application servers (Tomcat).
4. Modify the following parameters in the global.properties file (“D:\SAP
BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom”) on the web
application server:
sso.enabled=true
trusted.auth.user.retrieval=REMOTE_USER
5. Verify/update the properties below in the BIlaunchpad.properties and
OpenDocument.properties files (“D:\SAP
BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom”) on the web
application server:
authentication.default=secEnterprise
cms.default=<appropriate CMS name with port number>
6. Add the tomcatAuthentication="false" property to the AJP connector section in
server.xml, located in “D:\SAP BusinessObjects\Tomcat6\conf” on the web application
Tomcat server, and uncomment that property.
7. Configuration of “Jakarta isapi_redirect-1.2.28” for the 64-bit version of Windows
2008 on all web application servers:
Create a Connector folder under the “D:\SAP
BusinessObjects\Tomcat6” location on the web application server.
The Connector folder should contain 3 subfolders:
a) bin – Place the following file in the bin folder:
http://www.reverse.net/pub/apache/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.28/amd64/isapi_redirect-1.2.28.dll
NOTE: In this example I am choosing the isapi_redirect from version 1.2.28 for a
64-bit version of Windows 2008.
b) conf – Download the JK 1.2.28 Source Release zip (e.g. Windows):
http://www.reverse.net/pub/apache/tomcat/tomcat-connectors/jk/source/jk-1.2.28/tomcat-connectors-1.2.28-src.zip
Copy workers.properties.minimal and uriworkermap.properties from the config folder in this zip to our conf folder.
c) log – Log files are written to this location.
8. Edit/update the “worker.ajp13w.host=” property in the workers.properties file
located in “D:\SAP BusinessObjects\Tomcat6\Connector\conf” with the IP address of the web
application server:
worker.list=wlb,jkstatus
#
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13w.type=ajp13
# IP address of the web application server
worker.ajp13w.host=10.X.XX.XXX
worker.ajp13w.port=8009
9. Make sure the “/*=wlb” entry is added to the uriworkermap.properties file located in the
“D:\SAP BusinessObjects\Tomcat6\Connector\conf” folder on the web application
server:
# uriworkermap.properties – IIS
#
# This file provides sample mappings for example wlb
# worker defined in workermap.properties.minimal
# The general syntax for this file is:
# [URL]=[Worker name]
/admin/*=wlb
/manager/*=wlb
/jsp-examples/*=wlb
/servlets-examples/*=wlb
/examples/*=wlb
/*=wlb
10. In Notepad, copy/paste the information below and save it as jakarta.reg.
Right click on jakarta.reg and choose Merge.
NOTE: Take a backup of the existing registry before performing this
merge activity.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect.dll"
"worker_file"="C:\\Tomcat\\Connector\\conf\\workers.properties"
"log_file"="C:\\Tomcat\\Connector\\logs\\isapi.log"
"worker_mount_file"="C:\\Tomcat\\Connector\\conf\\uriworkermap.properties"
"log_level"="DEBUG"
11. On the web application server
Make sure that the keys below are present in the registry editor after step 20:
[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector]
[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect.dll"
"log_file"="D:\\SAP BusinessObjects\\Tomcat6\\Connector\\logs\\isapi.log"
"worker_file"="D:\\SAP BusinessObjects\\Tomcat6\\Connector\\conf\\workers.properties"
"worker_mount_file"="D:\\SAP BusinessObjects\\Tomcat6\\Connector\\conf\\uriworkermap.properties"
"log_level"="INFO"
12. On web application server
Add the jakarta Virtual Directory in IIS
Start | run | inetmgr
Expand to Default Web Site, right click and choose Add Virtual Directory
Name the virtual directory “jakarta” (this must be same as your extension_uri in
the registry) and point to “isapi_redirect.dll” file located in “D:\SAP
BusinessObjects\Tomcat6\Connector\bin” folder
13. On web application server
Edit the jakarta Virtual directory handler mappings in IIS:
Highlight the “jakarta” virtual directory under Default website and double click the
“handler mappings” icon in the right pane. In the Handler Mappings window click
Edit Feature Permissions in the action pane. In the Edit Feature Permissions
pop-up ensure Read, Script and Execute are all checked
and press OK.
14. On web application server
Add the ISAPI filter to default web site in IIS:
Highlight Default Web Site and choose the ISAPI Filters icon. Click Add in the
top right, name the filter jakarta and point to the “D:\SAP
BusinessObjects\Tomcat6\Connector\bin\isapi_redirect.dll”
15. On web application server
Set the ISAPI restrictions for the IIS7 server:
Highlight the server name and double click ISAPI and CGI Restrictions. Choose Add,
then provide the path to “D:\SAP
BusinessObjects\Tomcat6\Connector\bin\isapi_redirect.dll” and give it the description
“jakarta”. Check the box for Allow extension path to execute.
16. On web application server
Reset IIS and Test
Reset IIS with Start | run | iisreset
17. Configure IIS7 for REMOTE_USER Trusted Authentication
In IIS, highlight Default Web Site and choose the Authentication icon. Disable
Anonymous Authentication and enable Windows Authentication
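As an added example (not part of the original article and not SAP or Apache code), the Python check below reads the files edited in steps 4, 6, 8 and 9 and reports settings that would break the bridge. It also flags an AJP connector that has no address attribute, because with tomcatAuthentication="false" Tomcat accepts the user name sent over AJP; the function names, finding texts and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(global_props, server_xml, workers_props, uri_map):
    """Return findings for the settings edited in steps 4, 6, 8 and 9."""
    findings = []
    g = parse_properties(global_props)
    if g.get("sso.enabled", "").lower() != "true":
        findings.append("global.properties: sso.enabled is not true")
    if g.get("trusted.auth.user.retrieval") != "REMOTE_USER":
        findings.append("global.properties: user retrieval is not REMOTE_USER")
    # ElementTree drops XML comments, so a commented-out connector is not seen.
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    if not ajp:
        findings.append("server.xml: no active AJP connector")
    for c in ajp:
        if c.get("tomcatAuthentication") != "false":
            findings.append("server.xml: AJP connector lacks tomcatAuthentication=false")
        elif not c.get("address"):
            # Tomcat then takes the user name from whatever host connects to this port.
            findings.append("server.xml: AJP port %s is not bound to one address" % c.get("port"))
    w = parse_properties(workers_props)
    listed = {n.strip() for n in w.get("worker.list", "").split(",")}
    for uri, worker in parse_properties(uri_map).items():
        if worker not in listed:
            findings.append("uriworkermap: %s -> unlisted worker %s" % (uri, worker))
    return findings

# Constructed sample inputs (not taken from a real server).
GLOBAL = "sso.enabled=true\ntrusted.auth.user.retrieval=REMOTE_USER\n"
SERVER = ('<Server><Service name="Catalina">'
          '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
          'tomcatAuthentication="false" /></Service></Server>')
WORKERS = "worker.list=wlb,jkstatus\nworker.ajp13w.type=ajp13\nworker.ajp13w.port=8009\n"
URIMAP = "# [URL]=[Worker name]\n/*=wlb\n"

if __name__ == "__main__":
    for finding in audit(GLOBAL, SERVER, WORKERS, URIMAP):
        print(finding)
```

On the constructed sample the only finding is the unbound AJP port; giving the connector an address attribute, or restricting port 8009 to the IIS host with a firewall rule, addresses it.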
Hi,
This is a very useful document as we have just upgraded to BI 4.1 in dev. But based on the document, it looks like I have to install the JK isapi_redirector.exe file. Which version should the exe file be? I could not find the isapi_redirect-1.2.28.exe file. There is a hotfix for isapi_redirect-1.2.28.exe in fpt watch file. I don't know what that is. And also I can't find the jakarta.reg file. In the Reg edit, when I right click a file under the directory reg edit, there is no Merge option.
Please help.
Thanks.
Proper SSO AD/LDAP via Tomcat is more secure and easier to configure, what would the benefits of using trusted auth with IIS be?
Our company domain control team neither gives anyone outside of their team the right to run scripts, nor do we provide the scripts to let them run on the domain control server. In the past, we always used the Tomcat bridge with Apache Jakarta ISAPI.
Does anyone know why, after I finished step 10 in the above document, I cannot see the reg keys I created?
Thanks.