Introduction

This document details the steps for setting up Trusted Authentication to provide SSO in Business Objects XI 3.1. This enables users to log in to InfoView directly without entering login credentials. It is assumed that the user has successfully installed BO XI 3.1 and has deployed the files on the IIS web server (part of the standard install).


Environment Details:

OS : Windows 7 64 bit

Business Object Version: XI 3.1 FP 6

Web Server : IIS 7.5

Web Application Server : Tomcat 7

IIS server plugin: Apache Jakarta Isapi redirector  1.2.28

BO Installation path : C:\Business Objects 3.1


Step 1: Setting up Apache Jakarta Redirector

On successful install of Business Objects, the tomcat folder will be available in C:\Business Objects 3.1\Tomcat 7

Create the folder structure shown in the screenshot below inside the Tomcat folder

Tomcat-Folder.png

i.e. create folder for Connector and sub folders for bin, conf and logs.


Download the isapi_redirect-1.2.28.dll from

https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.28/amd64/  – to the bin folder inside tomcat directory.


Rename the isapi_redirect-1.2.28.dll to isapi_redirect.dll


Download the tomcat-connectors-1.2.28-src.zip file from

https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.28/


Copy the workers.properties.minimal and uriworkermap.properties from the downloaded zip file to the conf folder under tomcat directory

Rename workers.properties.minimal to workers.properties in conf folder and make the following changes

worker.ajp13w.host=localhost, change the localhost to the Server IP


Save and close this file.


Open the uriworkermap.properties file and add the following entry

/*/*=wlb

i.e. the uriworkermap.properties file will have the following entries:

/admin/*=wlb

/manager/*=wlb

/jsp-examples/*=wlb

/servlets-examples/*=wlb

/examples/*=wlb

/*/*=wlb


Save and close the file.


Once this is done create a registry file(.reg) with the following entries


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect.dll"
"worker_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\conf\\workers.properties"
"log_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\logs\\isapi.log"
"worker_mount_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\conf\\uriworkermap.properties"
"log_level"="DEBUG"


Save the file as Jakarta.reg, right click on this file and click Merge to add the entries to registry.


Step 2: Configuring Jakarta Virtual Directory on IIS 7.5


Open IIS Manager (type IIS in the Start search box, or run inetmgr). Right-click Default Web Site and click Add Virtual Directory (screenshot below). The alias is jakarta, and it must match the virtual directory named in the extension_uri registry entry made in the previous step. The physical path should point to the bin folder containing the isapi_redirect.dll file.


Jakarta-Virtual.png


Next, with Jakarta folder selected open Handler mapping from IIS manager, screenshot below


Handler Mapping.png


Once Handler Mappings is open, click the Edit Feature Permissions option on the right, select Read, Script and Execute so that all items are checked, and press OK (see screenshot below).


Permission.png


Next, Select Default Web Site and click on ISAPI Filters from IIS manager. Click on Add and give the filter name as Jakarta and executable as the isapi_redirect.dll path, see screenshot below


ISAPI.png


Next, select the server name and click on ISAPI and CGI restrictions from IIS manager

Choose Add, then provide the path to isapi_redirect.dll. Give the description as jakarta. Check the box for Allow extension path to execute.


CGI.png

Click on Edit Feature Settings and select Allow Unspecified CGI Modules and Allow Unspecified ISAPI modules




Next, Select the server name in IIS manager, right click -> Stop and then click Start


Step 3: Configuring IIS 7.5 for Windows Authentication

Select the Default Web Site in IIS Manager and click on Authentication. Disable Anonymous Authentication and enable Windows Authentication. If you don't see Windows Authentication listed, follow the steps below:

  • Open Control Panel, select Programs and Features, and select Turn Windows features on or off
  • In the popup window, select Internet Information Services, then World Wide Web Services, then Security, and then select Windows Authentication

This will display Windows Authentication in IIS Manager


Authentication.png


Step 4: Configuring BO to use Trusted Authentication


  • Log on to the Central Management Console with administrative rights.
  • Go to the Authentication management area of the CMC.
  • Double Click on the Enterprise link.
  • Scroll down until you see Trusted Authentication.
  • Click Trusted Authentication is enabled.
  • Enter a string in the Shared Secret field.
  • Click Update.
  • Create a file called TrustedPrincipal.conf in C:\Business Objects 3.1\BusinessObjects Enterprise 12.0\win32_x86 (replace this location with your BO install location)
  • Enter the following in this file
  • SharedSecret=<string entered in the Shared Secret field in CMC Enterprise authentication>, i.e. SharedSecret=1234 where 1234 is the string entered in CMC

Step 5: Modifying Infoview Web.xml for trusted authentication

Open the web.xml in C:\Business Objects 3.1\Tomcat7\webapps\InfoViewApp\WEB-INF

Find this string in the file:

<param-name>cms.default</param-name>

· Enter the CMS name and port number in the cms.default <param-value> field. Use the format

  servername:portnumber

· Find this string in the file:

<param-name>sso.enabled</param-name>

· Change the <param-value> for sso.enabled from false to true.

<param-value>true</param-value>


· Find this string in the file:

<param-name>siteminder.enabled</param-name>

· Change the <param-value> for siteminder.enabled from true to false.

<param-value>false</param-value>

· Find this string in the file:

<param-name>trusted.auth.user.retrieval</param-name>

· Specify the <param-value> as follows,

<param-value>REMOTE_USER</param-value>

· Save and close the file

Verify that web.xml opens in IE without any issues. If the file has problems, IE will throw an error; correct the issues before proceeding to the next step.


Step 6: Modifying Tomcat Server.xml for AJP 13 listener

Open the server.xml file from C:\Business Objects 3.1\Tomcat7\conf (replace C:\Business Objects 3.1 with your BO installation directory). Find "port 8009" in the file and add the following on the line after it:

<Connector port="8009" maxSpareThreads="25" maxThreads="250" minSpareThreads="5" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

After the changes, server.xml should look like this:

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="8009" maxSpareThreads="25" maxThreads="250" minSpareThreads="5" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

Save the file and restart Tomcat
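A check of the Step 5 and Step 6 edits before restarting, as an added example that is not part of the original post: it parses web.xml and server.xml, reports any trusted-authentication setting that differs from the values given above, and reports malformed XML (for instance typographic quotes pasted into the file). The function names and the minimal server.xml skeleton are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Values Step 5 sets in InfoViewApp's web.xml.
EXPECTED = {"sso.enabled": "true", "siteminder.enabled": "false",
            "trusted.auth.user.retrieval": "REMOTE_USER"}

def _parse(text, label):
    try:
        return ET.fromstring(text), []
    except ET.ParseError as exc:              # e.g. typographic quotes pasted into the file
        return None, [f"{label} is not well-formed XML: {exc}"]

def check_web_xml(text):
    """Return a list of problems with the trusted-authentication parameters."""
    root, problems = _parse(text, "web.xml")
    if root is None:
        return problems
    params = {}
    for el in root.iter():
        # Child tag (namespace stripped) -> text, for param-name/param-value pairs.
        kv = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if "param-name" in kv:
            params[kv["param-name"]] = kv.get("param-value", "")
    for key, want in EXPECTED.items():
        if params.get(key) != want:
            problems.append(f"{key}: expected {want!r}, found {params.get(key)!r}")
    host, _, port = params.get("cms.default", "").rpartition(":")
    if not host or not port.isdigit():
        problems.append("cms.default is not in servername:portnumber form")
    return problems

def check_server_xml(text, port="8009"):
    """Return a list of problems with the AJP connector from Step 6."""
    root, problems = _parse(text, "server.xml")
    if root is None:
        return problems
    ajp = [c for c in root.iter("Connector")
           if c.get("port") == port and c.get("protocol", "").upper().startswith("AJP")]
    if len(ajp) != 1:                         # commented-out connectors are not counted
        problems.append(f"expected one active AJP connector on port {port}, found {len(ajp)}")
    for c in ajp:
        if c.get("tomcatAuthentication", "true").lower() != "false":
            problems.append("tomcatAuthentication is not false: Tomcat ignores REMOTE_USER from IIS")
    return problems

# Constructed sample: the Step 6 connector inside a minimal server.xml skeleton.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
</Service></Server>"""
```

Read each file's contents and pass the text to the matching function; an empty list means the settings match the steps above.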

Step 7: Changing the Physical path for applications in IIS manager

Open IIS manager and select InfoViewApp, change the Physical path to point to C:\Business Objects 3.1\Tomcat7\webapps\InfoViewApp.

Similarly, for the other applications in IIS Manager, make sure the Physical path points to the corresponding ..\Tomcat 7\Webapps folders

Restart IIS server

The above steps enable BO XI 3.1 to use Trusted Authentication. To verify:

Go to http://localhost/InfoViewApp – this should open InfoView without asking for login credentials






