
This blog looks solely at integrating Mobile BI with an existing Kerberos SSO setup on a BI 4.2 SP02 environment.


Prerequisites:

– SAP BI 4.2 SP2 landscape

– SSO already setup

– MDM profile management in place

– If you need the Tomcat fix (see 1.4 below), stop and start the whole Tomcat server. The other MoBI changes only require the affected web applications to be stopped and started individually from Tomcat.


1     web.xml

You can find the web.xml file via the following path (depending on your deployment of your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\web.xml

Ensure that the following settings are active in this file:

  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param>
      <param-name>sso.enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>siteminder.enabled</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>vintela.enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>idm.realm</param-name>
      <param-value><YOUR.FULL.DOMAINNAME></param-value>
    </init-param>
    <init-param>
      <param-name>idm.princ</param-name>
      <param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
    </init-param>
    <init-param>
      <param-name>idm.allowUnsecured</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>idm.allowNTLM</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>idm.logger.name</param-name>
      <param-value>simple</param-value>
    </init-param>
    <init-param>
      <param-name>idm.logger.props</param-name>
      <param-value>error-log.properties</param-value>
    </init-param>
    <init-param>
      <param-name>idm.keytab</param-name>
      <param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

The items that are environment specific:

    <init-param>
      <param-name>idm.realm</param-name>
      <param-value><YOUR.FULL.DOMAINNAME></param-value>
    </init-param>

Set <YOUR.FULL.DOMAINNAME> for idm.realm to your full AD domain name, i.e. the Kerberos realm, which is conventionally written in upper case.

    <init-param>
      <param-name>idm.princ</param-name>
      <param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
    </init-param>

Set <BICMS/YOUR_BICMS_SPN_SETUP> for idm.princ to the BICMS/... SPN that was registered on the service account during the initial SSO deployment.

Additional parameter to be added to the original file!

    <init-param>
      <param-name>idm.keytab</param-name>
      <param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
    </init-param>

The idm.keytab parameter is currently NOT present in the shipped web.xml and is not mentioned in the documentation! You will nevertheless need to add it for a successful deployment.

Make sure to add all 4 lines to your web.xml. Change <THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS> to wherever you stored the keytab generated with ktpass during your original Kerberos configuration, e.g. C:\Windows\myenvironment.keytab

That file holds the service account's long-term Kerberos key, so keep its NTFS permissions restricted to the account Tomcat runs under.

All these values can be found in your original SSO deployment, in the global.properties file:

<Installation Folder>\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.
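To confirm that the file you point idm.keytab at really holds the BICMS principal and realm configured in web.xml, here is an added Python example (written for this edit, not code from the post or from SAP) that parses the MIT keytab format ktpass writes and checks it against idm.princ and idm.realm. The principal BICMS/svc-bi.corp.example.com, the realm CORP.EXAMPLE.COM and the sample keys are constructed; pass the path of a real keytab on the command line to check your own.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) expected in an AD-generated keytab
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # DES and RC4: avoid for the BICMS service account


def _octets(b):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Build a version-2 MIT keytab from (principal, enctype, kvno, key) tuples.
    Used here only to construct sample data; ktpass produces the real file."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, enctype, kvno} for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _read_octets(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_octets(entry, p)
            comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        _key, p = _read_octets(entry, p + 2)
        if p + 4 <= len(entry):           # 32-bit vno present: it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno})
    return entries


def check_keytab(data, idm_princ, idm_realm):
    """Check that the keytab serves the idm.princ/idm.realm pair from web.xml.
    Returns (ok, findings)."""
    wanted = f"{idm_princ}@{idm_realm}"
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == wanted]
    findings = []
    if idm_realm != idm_realm.upper():
        findings.append(f"idm.realm {idm_realm!r} is not upper case; realms are case-sensitive")
    if not matching:
        found = sorted({e["principal"] for e in entries})
        findings.append(f"no keytab entry for {wanted}; keytab holds {found}")
    elif all(e["enctype"] in WEAK_ENCTYPES for e in matching):
        findings.append("only RC4/DES keys for the principal; regenerate with AES (ktpass /crypto AES256-SHA1)")
    return (not findings, findings)


# Constructed sample: an RC4 and an AES256 key for the same (made-up) BICMS principal
SAMPLE_KEYTAB = build_keytab([
    ("BICMS/svc-bi.corp.example.com@CORP.EXAMPLE.COM", 23, 3, b"\x11" * 16),
    ("BICMS/svc-bi.corp.example.com@CORP.EXAMPLE.COM", 18, 3, b"\x22" * 32),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(e["principal"], ENCTYPES.get(e["enctype"], e["enctype"]), "kvno", e["kvno"])
    ok, findings = check_keytab(data, "BICMS/svc-bi.corp.example.com", "CORP.EXAMPLE.COM")
    print("OK" if ok else "\n".join(findings))
```

A realm mismatch (lower-case idm.realm against an upper-case keytab realm) shows up as a missing entry, which is exactly how the filter experiences it; the RC4-only warning matters because older SAP guides generate the keytab with /crypto RC4-HMAC-NT.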


1.1   authscheme.properties

Copy authscheme.properties from the default folder to the custom folder (the path depends on your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom

# allows kerberos logon
KERBEROS=com.businessobjects.mobilebi.server.logon.impl.KerberosSSO

Activate the KERBEROS line by removing the leading #; no further change is required.


1.2   sso.properties

Copy sso.properties from the default folder to the custom folder (the path depends on your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom

# You can configure mobile server to connect multiple CMS, specify default CMS id here
default.cms.identifier=1
# You can specify IP Address/Qualified Name/Alias for your CMS here
1.aliases=<CMS_NAME:PORT>
# You can specify the Authentication type here.  secLDAP, secWinAD, secEnterprise
1.authentication.type=secWinAD
# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST
1.authentication.scheme=KERBEROS

Four lines need to be activated in this file, all using the identifier set in the first one:

# You can configure mobile server to connect multiple CMS, specify default CMS id here

default.cms.identifier=1

The first line identifies your default CMS. On a single box this is always 1. The same identifier then prefixes the three lines that follow.

# You can specify IP Address/Qualified Name/Alias for your CMS here

1.aliases=<CMS_NAME:PORT>

Make sure to specify your full CMS name including the port e.g MyCMS:6400.

If you use a cluster name backed by a cluster file, fill in only that name, e.g. @BI-DEV

IMPORTANT NOTE

This name needs to be identical to the name specified in the server.properties which will be mentioned below.

# You can specify the Authentication type here.  secLDAP, secWinAD, secEnterprise

1.authentication.type=secWinAD

Set the authentication type to secWinAD.

# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST

1.authentication.scheme=KERBEROS

Set the authentication scheme to KERBEROS (mind the capital letters!)


1.3   server.properties

Copy server.properties from the default folder to the custom folder (the path depends on your installation):

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\default

TO

<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\custom

mobi.connections=sso
sso.DisplayName=Nick_is_AWESOME!
sso.BOBJ_MOBILE_SSO_ENABLED:true
sso.BOBJ_MOBILE_SSO_TYPE:kerberos
sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>
sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>

mobi.connections=sso

Activate your mobi connection by giving it a unique name, e.g. sso.

This name is then used as the prefix for the remaining settings of this connection.

sso.DisplayName=Nick_is_AWESOME!

This can be any given name that will reflect on the MobileApp as the connection name.

sso.BOBJ_MOBILE_SSO_ENABLED:true

SSO_ENABLED needs to be set to true

sso.BOBJ_MOBILE_SSO_TYPE:kerberos

SSO_TYPE needs to be set to kerberos (mind you that this is in small letters!)

sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>

Fill in the URL of your BI server, e.g. http(s)://MyBIServer:<PORT>

sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>

Fill in the CMS name exactly as set up in the sso.properties file, e.g. MyCMS:6400

If you use a cluster name backed by a cluster file, fill in only that name, e.g. @BI-DEV


1.4   Tomcat Configuration

Lastly, you will need to add the following line to the Java options in your Tomcat configuration:

-Dorg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH=true

(Screenshot: Tomcat configuration with the added Java option)


Additional note!


This is only applicable if you run the SAP-supplied version of Tomcat that shipped with 4.2 (Apache Tomcat 8.0.21).

This issue is resolved in Apache Tomcat 8.0.29 onward (link).

Check your version; on a newer Tomcat this setting is NOT needed!
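Because the values in web.xml, authscheme.properties, sso.properties, server.properties and the Tomcat options have to agree with each other (identical CMS name in both properties files, KERBEROS in upper case, kerberos in lower case, the undocumented idm.keytab line present, the Tomcat flag only on the 8.0.21 line), here is an added Python checker, written for this edit rather than taken from the post or from SAP, that reads the five artefacts and lists every mismatch. The realm CORP.EXAMPLE.COM, the SPN BICMS/svc-bi.corp.example.com, the hostnames and the port in the sample inputs are made up; replace the constants with the contents of your own files.

```python
import re
import xml.etree.ElementTree as ET

KERBEROS_LOGON = "com.businessobjects.mobilebi.server.logon.impl.KerberosSSO"
SLASH_FLAG = "-Dorg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH=true"

# Constructed samples of a finished deployment; realm, SPN, hostnames and port are made up.
WEB_XML = r"""<web-app>
  <filter><filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param><param-name>sso.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>vintela.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>idm.realm</param-name><param-value>CORP.EXAMPLE.COM</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>BICMS/svc-bi.corp.example.com</param-value></init-param>
    <init-param><param-name>idm.allowNTLM</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>idm.keytab</param-name><param-value>C:\Windows\myenvironment.keytab</param-value></init-param>
  </filter></web-app>"""
AUTHSCHEME = "# allows kerberos logon\nKERBEROS=" + KERBEROS_LOGON + "\n"
SSO_PROPS = ("default.cms.identifier=1\n1.aliases=MyCMS:6400\n"
             "1.authentication.type=secWinAD\n1.authentication.scheme=KERBEROS\n")
SERVER_PROPS = ("mobi.connections=sso\nsso.DisplayName=Kerberos SSO\nsso.BOBJ_MOBILE_SSO_ENABLED:true\n"
                "sso.BOBJ_MOBILE_SSO_TYPE:kerberos\nsso.BOBJ_MOBILE_URL=https://MyBIServer:8443\n"
                "sso.BOBJ_MOBILE_CMS=MyCMS:6400\n")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' as separator
    (the post's server.properties uses both)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def kerberos_filter_params(web_xml):
    """Return the init-params of the <filter> named KerberosFilter, ignoring XML namespaces."""
    def local(e):
        return e.tag.rsplit("}", 1)[-1]
    for f in ET.fromstring(web_xml).iter():
        if local(f) != "filter":
            continue
        if [(c.text or "").strip() for c in f if local(c) == "filter-name"] != ["KerberosFilter"]:
            continue
        params = {}
        for ip in (c for c in f if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in ip}
            params[kv["param-name"]] = kv["param-value"]
        return params
    return {}


def needs_tomcat_slash_flag(version):
    """The post only covers the 8.0 line: broken in SAP's 8.0.21, fixed from 8.0.29 onward."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return (major, minor) == (8, 0) and patch < 29


def check_mobi_sso(web_xml, authscheme, sso_props, server_props, tomcat_version, java_opts=""):
    """Cross-check the artefacts of sections 1 to 1.4; returns a list of findings (empty = consistent)."""
    out = []
    p = kerberos_filter_params(web_xml)
    for name, want in (("sso.enabled", "true"), ("vintela.enabled", "true"),
                       ("siteminder.enabled", "false"), ("idm.allowNTLM", "false")):
        if p.get(name) != want:
            out.append(f"web.xml: {name} should be {want}, is {p.get(name)!r}")
    if not p.get("idm.keytab"):
        out.append("web.xml: idm.keytab init-param missing (required but undocumented)")
    realm = p.get("idm.realm", "")
    if not realm or realm != realm.upper():
        out.append(f"web.xml: idm.realm {realm!r} should be the upper-case Kerberos realm")
    if not p.get("idm.princ", "").startswith("BICMS/"):
        out.append("web.xml: idm.princ should be the BICMS/... SPN of the service account")
    if parse_properties(authscheme).get("KERBEROS") != KERBEROS_LOGON:
        out.append("authscheme.properties: KERBEROS line missing or still commented out")
    s = parse_properties(sso_props)
    cid = s.get("default.cms.identifier", "")
    cms = s.get(f"{cid}.aliases")
    if not cms:
        out.append("sso.properties: default.cms.identifier has no matching <id>.aliases line")
    if s.get(f"{cid}.authentication.type") != "secWinAD":
        out.append("sso.properties: authentication.type must be secWinAD")
    if s.get(f"{cid}.authentication.scheme") != "KERBEROS":
        out.append("sso.properties: authentication.scheme must be KERBEROS (upper case)")
    v = parse_properties(server_props)
    for c in [x.strip() for x in v.get("mobi.connections", "").split(",") if x.strip()]:
        if v.get(f"{c}.BOBJ_MOBILE_SSO_ENABLED") != "true":
            out.append(f"server.properties: {c}.BOBJ_MOBILE_SSO_ENABLED must be true")
        if v.get(f"{c}.BOBJ_MOBILE_SSO_TYPE") != "kerberos":
            out.append(f"server.properties: {c}.BOBJ_MOBILE_SSO_TYPE must be kerberos (lower case)")
        mobile_cms = v.get(f"{c}.BOBJ_MOBILE_CMS")
        if mobile_cms != cms:   # IMPORTANT NOTE of section 1.2: both names must be identical
            out.append(f"server.properties: {c}.BOBJ_MOBILE_CMS {mobile_cms!r} != sso.properties alias {cms!r}")
        if not v.get(f"{c}.BOBJ_MOBILE_URL", "").lower().startswith("https://"):
            out.append(f"server.properties: {c}.BOBJ_MOBILE_URL is not https (Negotiate headers would go in clear)")
    if needs_tomcat_slash_flag(tomcat_version) and SLASH_FLAG not in java_opts:
        out.append(f"tomcat {tomcat_version}: add {SLASH_FLAG} to the Java options")
    return out


if __name__ == "__main__":
    for line in check_mobi_sso(WEB_XML, AUTHSCHEME, SSO_PROPS, SERVER_PROPS, "8.0.21", SLASH_FLAG) or ["OK"]:
        print(line)
```

Run it once with the real files before restarting Tomcat: every finding maps to one of the manual steps above, and the CMS-alias comparison catches the silent case where sso.properties and server.properties name the CMS differently.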


1.5   Setup connection on Mobile BI APP

Set up a new connection by calling the Import Connection option.

(Screenshot: Import Connection)

Now select Configuration Server.

(Screenshot: Import from Configuration Server)

In the URL box enter your BI server name and port, e.g. http(s)://MyBIServer:<PORT>, then select Import.

(Screenshot: Configuration Server URL)

The app now retrieves the connection details from the server. Under connections you will see all the connections defined in the server.properties file set up earlier. Select the desired connection.

(Screenshot: Create new connection)

You now see all the connection details as defined in server.properties. Select Done.

(Screenshot: Logging in)

The app will now automatically try to establish an SSO connection to the server.

1.6   Known Errors

     1.6.1  MOB00929

This message appears when MobileBI attempts an AD SSO logon to the SAP BI backend.

Full message: class com.businessobjects.mobile.bi.server.logon.impl.KerberosSSO does not declare method 'getEnterpriseSession' with expected parameters (MOB00929)

Solution:

Ensure that you set the keytab entry in the web.xml file as well as to add the additional line into the Tomcat configuration as described above.


(Screenshot: error MOB00929)


4 Comments


  1. Tobias Unland

    Hi,

    many thanks for your very good summary about Kerberos SSO.

    We have the problem that we get a login screen every time with the correct profile of the user (user@REALM.COM). But after accepting the window, with and without password, the window still appears.

    Do you have an idea how we can solve this problem?

    Thanks and

    Kind regards,

    Tobias

    (Screenshot: kerberos_sso.JPG)

    1. Nick Vorstermans Post author

      Hi Tobias,

      Only see your message now. Hope you have resolved it by now?

      Are you able to make an SSO connection to your Launchpad from your mobile device and try it again from there?

      Regards,

      Nick

