Welcome to the third part of the SAP Fiori Customization Samples tutorial series. In this tutorial I am going to show you how to configure Single Sign-On between a Fiori Launchpad deployed on a BW system, and SAP Business Objects.
An FLP with integrated BO reports asks for the SAP Business Objects server credentials whenever you access a report, a step that goes away once you have Single Sign-On implemented on your system.
Having HTTPS configured with an SSL certificate is a must when you want to use the SSO functionality, because we are talking about accessing a server without entering its credentials, so the first word that comes to mind is SECURITY.
In the next steps I will show you how to configure HTTPS on the SAP Business Objects server and after that, I will guide you through the SSO configuration.
1. HTTPS Setup
In order to set up HTTPS communication over port 8443, please open the command line on the machine where your Business Objects server is hosted.
Please make sure that you are on the right path with administrator rights.
Search for your sapjvm folder and access the bin folder.
Run the following command to generate a keystore.
Although the Keytool.exe file has many parameters, we will specify an alias, the key size, the key algorithm and the name of the keystore which is going to be generated.
When running the command it prompts for a few inputs.
Please be sure that you enter the relevant data for your scenario. In my case I have entered some dummy data. You are first asked to choose a password and to enter some company details. The first question, "What is your first and last name?", is the most important one: here you need to specify the host name registered over the internet. After entering all the data and the password again, the keystore is generated in the bin folder.
Now, based on this keystore, we have to generate a certificate file, which will be later uploaded on the BW side.
Use the following command.
With the same keytool file we specify the same alias, the name of the certificate which is going to be generated, the name of the keystore file that was generated earlier and the password which we’ve used in the previous step.
After running the command, move the generated files into a separate folder. Now we need to modify the server.xml file for Tomcat. You can find this file under:
Open the file and configure the following settings:
Connector port = 8443
SSLEnabled = true
Secure = true
keystorePass = password configured when generating the keystore
keystoreFile = location where you have moved the file
Restart the Tomcat services and verify that the HTTPS link is accessible.
Please keep in mind that the browser shows https crossed out and the connection as not secure, because the certificate is not signed by a Certificate Authority.
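The connector settings listed above can be checked before Tomcat is restarted. The following script is an added example, not part of the original tutorial; the sample server.xml, its keystore path and its password are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; file path and password are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="C:/certs/example.keystore"
               keystorePass="constructed-password"/>
  </Service>
</Server>"""

MUST_BE_TRUE = ("sslenabled", "secure")
MUST_BE_SET = ("keystorefile", "keystorepass")


def check_https_connector(server_xml, port="8443"):
    """Return a list of findings for the HTTPS connector; empty means OK."""
    root = ET.fromstring(server_xml)
    # Compare attribute names case-insensitively ("Secure" vs. "secure").
    connectors = [{k.lower(): v for k, v in c.attrib.items()}
                  for c in root.iter("Connector")]
    matches = [c for c in connectors if c.get("port") == port]
    if not matches:
        return [f"no Connector on port {port}"]
    conn = matches[0]
    findings = []
    for name in MUST_BE_TRUE:
        if conn.get(name, "").lower() != "true":
            findings.append(f"{name} is not true")
    for name in MUST_BE_SET:
        if not conn.get(name, "").strip():
            findings.append(f"{name} is missing or empty")
    # "changeit" is Tomcat's default keystore password.
    if conn.get("keystorepass") == "changeit":
        findings.append("keystorepass is the default 'changeit'")
    return findings


if __name__ == "__main__":
    for finding in check_https_connector(SAMPLE_SERVER_XML) or ["connector OK"]:
        print(finding)
```

Because keystorePass is stored in server.xml in clear text, restrict read access on that file to the account that runs Tomcat.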
2. SSO Setup
We generate a pkcs file and a .cer file with the following command:
We gave it an alias in capital letters. The name itself is not important, but SAP ABAP takes it in caps, so it is better to write it in capital letters. The password is exactly the same as in the previous step, and the point of keeping the same CN name is that it allows the domain to be kept the same across different products.
On the left side we have the generated files in a separate folder.
We need to upload both certificates, the one generated in the SSL Setup and the other one from the SSO Setup, into a BW transaction called STRUSTSSO2.
Log in to your system with administrator rights and access the transaction.
Import the first certificate.
Press the edit button and then Add to Certificate List. After you have added the certificate to the certificate list, press ADD to ACL. Here you need to enter the System ID (in my case it is INSPBI4, the alias I used when I generated the files), and the Client must be 000 because all logon tickets are processed through Client 000.
Make sure that you follow the same steps for the second certificate as well. After we've imported both certificates on the BW side (SSL Certificate and SSO Certificate), we need to import the keystore.p12 on the BO side.
Log in to the CMC (Central Management Console) with admin rights and go to Authentication -> SAP -> Options
Here you have SAP SSO Service. Configure it with your details.
System ID = System ID chosen when you added the certificate to the ACL (on the BW side)
Password = your password which you have chosen
Private Key Alias = the alias used when you’ve generated the certificates/keystores
Upload the keystore.p12 and press Update
Next step, check if the APS (Adaptive Processing Server) has the STS (Security Token Service) available, under Server List – explorer.AdaptiveProcessingServer – Edit Common Services. Make sure that STS is enabled.
Now we need to configure the files BILaunchpad.properties and OpenDocument.properties, which can be found here:
and CmcApp.properties which can be found here:
In each file, scroll to the end of the file and add two settings:
The exact same files exist in:
Ensure that the files from here are modified as well, to be sure that the changes are kept when an upgrade happens.
As mentioned at the beginning of this article, this video is the third part of the tutorial series SAP Fiori Customization Samples.
The first part of this series shows you how to create an SAP Fiori Launchpad on the SAP Cloud platform and add apps on the Fiori Launchpad (German version available here).
The second part explains how to customize your Fiori Launchpad.
Don’t miss the following 2 parts.
If you have any questions about this tutorial, don’t hesitate to contact me. I will be happy to answer these questions for you.