SSO Configuration for BI REST APIs on Tomcat

former_member230921 · ‎03-16-2018

This blog describes:-

BI Platform REST Webservices (biprws) in BOE 4.2 SP05

SSO Configuration in REST Service for AD users using kerberos

Configuration of biprws.properties on Web Server

From BOE 4.2 SP05 onwards, biprws supports deployment on:

WACS (Web Application Container Server) and

Apache Tomcat

BI Platfrom REST Services URL

http://<host>:<port>/biprws/

where

<host> – the name of the web server for BI platform.

<port> – the port number for the platform.

Version1 of biprws is introduced in 4.2SP03.

Supported Servers : WACS, Tomcat (4.2 SP05+)

BIP RWS APIs URI v1 : http://<host>:<port>/biprws/v1/

Data Formats : XML and JSON

Vintela SSO configuration for biprws on Tomcat:

Prerequisites:

Section 1 - Planning your Service Account Configuration

Roles of the Service Account

Role 1 – Query Active Directory

Role 2 – Run the SIA/CMS and allow manual AD logins.

Role 3 – Allows Single Sign On

Section 2 - Creating and preparing the service account

Creating the Service Account

Create Service Principal Names for the Service Account
- Background Information
- Setspn Commands
- To View all created SPN’s

Delegation for the Service Account

Section 3 - Configure the AD Plugin Page in the CMC and map in AD groups

Section 4 — Steps to start the SIA/CMS under the service account

Verify that the service account and AD logins are working

Section 5 –Configuring Manual AD authentication to Java Application Servers

Create the bscLogin.conf file

Create the krb5.ini file

Verify java to successfully receive a kerberos ticket

SAP KBA: https://launchpad.support.sap.com/#/notes/1631734

biprws on Tomcat:

Section 1: Copy the biprws.properties file to custom config

Copy the file <INSTALLDIR>\tomcat\webapps\biprws.properties to <INSTALLDIR>\tomcat\webapps \biprws\WEB-INF\config\custom\biprws.properties

Open biprws.properties file for editing.

Section 2: Enable kerberos SSO auth in biprws

To enable Kerberos SSO for Windows Active Directory (secWinAD) authentication, set sso.enabled to true.

Specify the following mandatory options:

idm.allowUnsecured parameter must be set to true if SSL is not in use with the Java application server. For more information about Tomcat SSL, see the Knowledge Base Article ID:1484802

Optional parameter: "idm.allowS4U = true" set this parameter for constraint delegated credential AD users, if not required then delete this property form biprws.properties file.

More info: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using...

Refer SAP KBA: https://launchpad.support.sap.com/#/notes/2613391

Section 3: Restart Tomcat.

Section 4: Test AD SSO REST API from client machine

http://<WebAppServer>:<portnumber>/biprws/v1/logon/adsso.The REST token must appear as a response to the API.

Section 5: Set Auth Negotiate Delegated whitelist

SSO works in IE by default. If SSO is not working in Chrome or Mozilla please add the URL to whitelist as below.

SAP KBA:

https://launchpad.support.sap.com/#/notes/1646920

https://launchpad.support.sap.com/#/notes/2613391

Learn More:

https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/

https://blogs.sap.com/2017/05/10/query-the-businessobjects-repository-using-bi-platform-rest-sdk-rws...

https://blogs.sap.com/2017/04/16/bi-platform-rest-sdk-version1/

https://blogs.sap.com/2017/04/21/session-management-in-bi-platform-rest-sdk-rws/

https://help.sap.com/viewer/product/SAP_BUSINESSOBJECTS_BUSINESS_INTELLIGENCE_PLATFORM/