SSO Configuration for BI REST APIs on Tomcat
This blog describes:-
- BI Platform REST Webservices (biprws) in BOE 4.2 SP05
- SSO Configuration in REST Service for AD users using kerberos
- Configuration of biprws.properties on Web Server
From BOE 4.2 SP05 onwards, biprws supports deployment on:
- WACS (Web Application Container Server) and
- Apache Tomcat
BI Platfrom REST Services URL | http://<host>:<port>/biprws/ |
where
<host> – the name of the web server for BI platform.
<port> – the port number for the platform.
Version1 of biprws is introduced in 4.2SP03.
Supported Servers : WACS, Tomcat (4.2 SP05+)
BIP RWS APIs URI v1 : http://<host>:<port>/biprws/v1/
Data Formats : XML and JSON
Vintela SSO configuration for biprws on Tomcat:
Prerequisites:
Section 1 – Planning your Service Account Configuration
- Roles of the Service Account
- Role 1 – Query Active Directory
- Role 2 – Run the SIA/CMS and allow manual AD logins.
- Role 3 – Allows Single Sign On
Section 2 – Creating and preparing the service account
- Creating the Service Account
- Create Service Principal Names for the Service Account
- Background Information
- Setspn Commands
- To View all created SPN’s
- Delegation for the Service Account
Section 3 – Configure the AD Plugin Page in the CMC and map in AD groups
Section 4 — Steps to start the SIA/CMS under the service account
- Verify that the service account and AD logins are working
Section 5 –Configuring Manual AD authentication to Java Application Servers
- Create the bscLogin.conf file
- Create the krb5.ini file
- Verify java to successfully receive a kerberos ticket
SAP KBA: https://launchpad.support.sap.com/#/notes/1631734
biprws on Tomcat:
Section 1: Copy the biprws.properties file to custom config
- Copy the file <INSTALLDIR>\tomcat\webapps\biprws.properties to <INSTALLDIR>\tomcat\webapps \biprws\WEB-INF\config\custom\biprws.properties
- Open biprws.properties file for editing.
Section 2: Enable kerberos SSO auth in biprws
- To enable Kerberos SSO for Windows Active Directory (secWinAD) authentication, set sso.enabled to true.
- Specify the following mandatory options:
- idm.allowUnsecured parameter must be set to true if SSL is not in use with the Java application server. For more information about Tomcat SSL, see the Knowledge Base Article ID:1484802
- Optional parameter: “idm.allowS4U = true” set this parameter for constraint delegated credential AD users, if not required then delete this property form biprws.properties file.
- More info: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd
- Refer SAP KBA: https://launchpad.support.sap.com/#/notes/2613391
Section 3: Restart Tomcat.
Section 4: Test AD SSO REST API from client machine
- http://<WebAppServer>:<portnumber>/biprws/v1/logon/adsso.The REST token must appear as a response to the API.
Section 5: Set Auth Negotiate Delegated whitelist
- SSO works in IE by default. If SSO is not working in Chrome or Mozilla please add the URL to whitelist as below.
SAP KBA:
https://launchpad.support.sap.com/#/notes/1646920
https://launchpad.support.sap.com/#/notes/2613391
Learn More:
https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/
https://blogs.sap.com/2017/04/16/bi-platform-rest-sdk-version1/
https://blogs.sap.com/2017/04/21/session-management-in-bi-platform-rest-sdk-rws/
https://help.sap.com/viewer/product/SAP_BUSINESSOBJECTS_BUSINESS_INTELLIGENCE_PLATFORM/
biprws deployment on Tomcat9:
Note: https://launchpad.support.sap.com/#/notes/2623290
Fix will be available in 4.2 SP05 Patch4 +, SP06 + .
Configuring AD SSO is not working on Tomcat server:
https://launchpad.support.sap.com/#/notes/2633539
https://launchpad.support.sap.com/#/notes/2613391