EP200 EN Col15 ILT FV Inst A4


EP200 SAP Enterprise Portal – System Administration


INSTRUCTOR HANDBOOK
INSTRUCTOR-LED TRAINING
Course Version: 15
Course Duration: 5 Day(s)
Material Number: 50124091

SAP Copyrights and Trademarks

© 2014 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

● Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
● IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
● Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
● Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
● Oracle is a registered trademark of Oracle Corporation.
● UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
● Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
● HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
● Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
● SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
● Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
● Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

© Copyright . All rights reserved.


Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used.

Icons in the margin mark the following text types:
● This information is displayed in the instructor's presentation
● Demonstration
● Procedure
● Warning or Caution
● Hint
● Related or Additional Information
● Facilitated Discussion

Example text: User interface control
Example text: Window title


Contents

Course Overview  xi

Unit 1: User Administration and Authentication  1
    Lesson: Configuring the User Management Engine (UME) with LDAP Directory as a Data Source  3
    Exercise 1: Set Up Microsoft Active Directory Server (AD) as UME Data Source  13
    Lesson: Describing the Different Authentication Mechanisms  26
    Exercise 2: Change the Initial Authentication Scheme of an SAP Java EE Application  33
    Lesson: Describing Authentication Schemes  38
    Exercise 3: Analyze the Authentication Schemes  45
    Lesson: Setting Up Anonymous Access  48
    Exercise 4: Set Up Anonymous Access  51
    Lesson: Configuring Integrated Windows Authentication (IWA)  56
    Exercise 5: Configure SPNego for Kerberos Authentication  59
    Lesson: Performing User Administration and Self-Registration Tasks  68
    Exercise 6: Perform Set-Up Tasks for Delegated User Administration and Self-Registration  75

Unit 2: Portal Authorization  91
    Lesson: Describing Delegated Content Administration Tasks  92
    Exercise 7: Assign Permissions on PCD Objects  107
    Lesson: Setting Permissions on Security Zones  111
    Exercise 8: Set Permissions on Security Zones  119
    Lesson: Setting Permissions on Portal Applications  126
    Exercise 9: Set Permissions on Portal Applications  129
    Lesson: Describing UME Actions  133
    Exercise 10: Analyze UME Actions  143

Unit 3: Single Sign-On (SSO) to Back-End Systems  153
    Lesson: Using Single Sign-On Logon Tickets  154
    Exercise 11: Analyze Logon Tickets  157
    Exercise 12: Configure the UME Settings for Logon Tickets  165
    Lesson: Configuring Single Sign-On with User Mapping  170
    Exercise 13: Configure Single Sign-On with User Mapping to Access Web-Based Applications  173
    Lesson: Using SAML 2.0  178

Unit 4: Integration of SAP Applications  189
    Lesson: Defining a Back-End System Landscape  190
    Exercise 14: Define a System Connection  195
    Lesson: Setting Up Single Sign-On (SSO)  199
    Exercise 15: Set Up SSO with an ABAP-Based Back-End System  203
    Lesson: Uploading Roles from ABAP-Based SAP Systems  207
    Exercise 16: Upload Roles from an ABAP-Based System  215

Unit 5: Solution Management  221
    Lesson: Monitoring the Portal  223
    Exercise 17: Monitor SAP NetWeaver AS Java  243
    Exercise 18: Register a System with the Central Monitoring System  247
    Lesson: Analyzing the SAP NetWeaver Log Viewer and the Monitoring Service  251
    Exercise 19: Analyze the SAP NetWeaver Log Viewer and the Monitoring Service  257
    Lesson: Configuring Availability Monitoring for the Portal  262
    Exercise 20: Configure Availability Monitoring for the Portal  267
    Lesson: Configuring Specific Portal Monitoring Features  276
    Exercise 21: Create a Portal Activity Report  279
    Lesson: Creating Broadcast Messages  285
    Lesson: Using the Support Tools  290
    Exercise 22: Use the Support Tools  293
    Lesson: Transporting Portal Content  297
    Exercise 23: Set Up Change Recording in the Development and Quality Assurance Portals  321
    Exercise 24: Transport Portal Content Using Enhanced CTS  325
    Lesson: Describing Backup and Restore Strategies  335

Unit 6: Network Infrastructure  347
    Lesson: Managing Network Security  348
    Lesson: Defining Load Balancing  353
    Exercise 25: Set Up Load Balancing  359
    Lesson: Describing Accelerated Application Delivery (AccAD)  371

Unit 7: Advanced Portal Scenarios  385
    Lesson: Configuring Navigation Settings and Bandwidth Optimization  386
    Exercise 26: Configure Navigation Settings and Bandwidth Optimization  393
    Lesson: Set Up a Federated Portal Network  401
    Exercise 27: Set Up a Federated Portal Network  417
    Exercise 28: Set Up a Federated Portal Network Using Remote Delta Links (RDL)  421
    Exercise 29: Set Up a Federated Portal Network Using Remote Role Assignment (RRA)  423

Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:
● Technology Consultant
● System Administrator
● IT Support


UNIT 1: User Administration and Authentication

Lesson 1: Configuring the User Management Engine (UME) with LDAP Directory as a Data Source  3
    Exercise 1: Set Up Microsoft Active Directory Server (AD) as UME Data Source  13
Lesson 2: Describing the Different Authentication Mechanisms  26
    Exercise 2: Change the Initial Authentication Scheme of an SAP Java EE Application  33
Lesson 3: Describing Authentication Schemes  38
    Exercise 3: Analyze the Authentication Schemes  45
Lesson 4: Setting Up Anonymous Access  48
    Exercise 4: Set Up Anonymous Access  51
Lesson 5: Configuring Integrated Windows Authentication (IWA)  56
    Exercise 5: Configure SPNego for Kerberos Authentication  59
Lesson 6: Performing User Administration and Self-Registration Tasks  68
    Exercise 6: Perform Set-Up Tasks for Delegated User Administration and Self-Registration  75

UNIT OBJECTIVES
● Describe the architecture and function of the User Management Engine (UME)
● List the requirements of setting up LDAP as a data source
● Configure the LDAP data source
● Describe the authentication options for the portal
● List the different user authentication options available with SAP Enterprise Portal
● List the methods for setting up anonymous access to selected portal content
● Set up anonymous access
● Explain the use of SPNego to enable the use of Windows Integrated authentication to log on to the portal
● Configure SPNego for Kerberos authentication
● Define a company group
● Perform user administration and self-registration tasks

Unit 1 Lesson 1: Configuring the User Management Engine (UME) with LDAP Directory as a Data Source

LESSON OVERVIEW
In this lesson you will learn how to connect the UME of a portal installation to a directory service. The instructor notes in this handbook were created at the same time as the material for the participants. You also require additional information, which is currently available on SAP Service Marketplace under the Quick Link /curr-ep. This information includes the following:
● A Training System Info with general information about the system landscape and logon data
● A System Setup Guide including all preparatory steps
● If necessary, an Add-On IG with supplementary information for the training material

In addition to SAPEP, the ADM800 class on “AS Java – Administration” is a mandatory prerequisite for EP200. The EP200 course has many exercises. Preparation of the exercises is essential for success.

Remember that ADM800 is a required prerequisite of EP200, so your students should already have a basic understanding of UME architecture and tools. Use the first slides (they are copied from ADM800) for a short ADM800 review, but don't spend too much time here. Students without SAPEP and ADM800 knowledge will experience some difficulties here and later anyway. In this lesson you will introduce the UME functions and configure a directory service. Prepare by doing all the exercises.

Business Example

Most productive portal installations have a user data source based on an LDAP-compliant repository. You need to understand how to use this repository. You also need to know some of the other settings possible within User Management.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the architecture and function of the User Management Engine (UME)
● List the requirements of setting up LDAP as a data source
● Configure the LDAP data source


Fundamentals of User Management Engine (UME)

AS Java provides an open architecture supported by service providers for the storage of user and group data. AS Java is supplied with the following service providers, which are also referred to as “user stores”:
● DBMS provider: storage in the system database
● UDDI (Universal Description, Discovery and Integration) provider: storage via external service providers
● UME provider: connection of the integrated User Management Engine

The DBMS and UDDI providers implement standards and therefore ensure that AS Java is Java EE-compliant. When AS Java is installed, SAP's own User Management Engine (UME) is always set up as the user store, and it is the correct choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts. We do not write “for all SAP customers” because, for example, UDDI providers are also used in the web services environment. The core message is: the UME is set up during installation and should not be modified by any customer except in an emergency!

Some history: The UME is a proprietary SAP development and comes from the SAP Markets / Enterprise Buyer environment. It is now an integral part of every AS Java (however, some of the concepts and parameter names indicate its origins).

Some of the important features of the UME are:
● The UME has its own user interface named “Identity Management” for administering users, groups, and roles. It allows the administrator to perform the routine tasks of user administration, such as creating users and groups, role assignment, and other actions.
● Security settings can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked.
● The UME provides different self-service scenarios that can be used by applications. For example, a user can change his or her data, or register as a new user. Newly created users can be approved using a workflow.
● User data can be exchanged with other (AS Java or external) systems using an export/import mechanism.
● The UME logs important security events, such as a user's successful logons or incorrect logon attempts, and changes to user data, groups, and roles.


Figure 1: User Store and Data Sources

Architecture of the UME

The UME supports various data sources where user data can be stored:
● System database
● Directory service (LDAP server)
● Client of an ABAP-based SAP system (AS ABAP 6.20 and above)

The figure below shows the architecture of the UME:

Figure 2: Architecture of the UME

The UME is a Java application that runs on SAP NetWeaver AS Java and covers the following functional areas:
● UME Core Layer: Provides persistence managers between the application programming interface and the user management data sources. These persistence managers control where user data such as users, user accounts, groups, roles, and their assignments are read from or written to, with the result that applications that use the API do not have to know where the user management data is stored.
● UME API Layer: This layer provides programming interfaces (APIs) not just for UME developers but also for customers and partners. This means that you can access the UME functions with the Java programs that you develop yourself.
● UME services: The UME provides the following services to higher-level software layers:
  - Logon procedure and Single Sign-On (logon to AS Java is taken over for other systems and vice versa)
  - Provisioning processes via user master data
  - Authorization concept
● UME UI: The UME is responsible for the user interface, which in some logon procedures appears in the web browser, as well as for the UME Identity Management.

The SAP NetWeaver usage types which are based on the AS Java (such as SAP Enterprise Portal) are based on the UME and perform a number of specific functions on this basis (such as self-registration with approval workflow).

Data Partitioning As described in the previous UME architecture section, the UME persistence manager offers the option of storing user data in different data sources. The UME persistence manager also supports data partitioning. This means in practice that, for example, user data for different user types can be stored in different data sources.

Figure 3: Data Partitioning

In practice, you often work with a combination of the data sources database + directory service or database + ABAP user management. When this is done, certain user attributes are stored in a different data source, for example, or users are separated by their categories (internal or self-registered users).

Attribute-based data partitioning: A user in the UME has certain attributes, some of which are classified as global attributes (user ID, telephone number, and so on) and others of which are application-specific. Global information is particularly suited to being stored in a directory service, and application-specific information in the database.

User-based data partitioning: With this type of partitioning, the data source in which users are stored is decided depending on the category of the user (self-registered or internal users). For example, users that register by self-service can be stored in the database, and internal users in the directory service.

Type-based data partitioning: With type-based data partitioning, different object types can be distributed to different data sources. The types are, for example, users, groups, roles, and user accounts. For example, users can be stored in the directory service, and roles in the database.

Configuration of the LDAP (Lightweight Directory Access Protocol) Data Source

SAP delivers preconfigured data source combinations, which you should only change in special cases. For example, if you are using a directory service as a data source, you may need to perform attribute mapping. You usually use the delivered preconfigured data source combinations without additional changes. When performing specific customer UME configurations, SAP recommends that you ask for the advice of SAP consultants. The online documentation describes the structure of the configuration data and provides some examples. However, support during the adaptation process itself does not form part of SAP maintenance. In a portal installation, information is always stored in the portal system database (independent of the data source configuration). The next figure explains which data is stored in which data repository.

Figure 4: UME and Portal Persistence Stores

LDAP Directory as Data Source

Before employing the LDAP directory server as UME data source, the following requirements must be fulfilled:
● You have installed AS Java so that the UME is configured to use the database of the AS Java as data source.
● The LDAP directory has a hierarchy of users and groups that is supported by the UME: flat or deep (see below).
● The administrator of the LDAP directory must create a user that the UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If the UME needs to write to the LDAP directory, the user must have create and change authorizations.

Note the following constraints:
● The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.
● The UME internally maintains the default groups Everyone, Authenticated Users, and Anonymous Users. If you create groups with these names with the native user interface of your LDAP directory, you must block the UME from reading them from the LDAP directory; otherwise the name is ambiguous. To block a group name in an LDAP directory, set Unique Names of Blocked Groups when you configure the UME to use the LDAP directory as data source.
● Similarly, if you create user accounts with the same user ID as the service users used internally, you must block the UME from reading them from the LDAP directory. Service user IDs adhere to the naming convention _service. To block a user account ID in an LDAP directory, set Unique Names of Blocked Users when you configure the UME to use the LDAP directory as data source.
● If you configure your data source connection to use Secure Sockets Layer (SSL), the UME cannot add any users from the LDAP directory to the built-in group Anonymous Users. These users must be in either the local database of the AS Java or an LDAP directory unprotected by SSL. The UME must be able to add the default guest user to the Anonymous Users group during startup, or the AS Java cannot start.
● If user management is set up with write access to an LDAP directory, the following restriction applies: when assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory. You can, however, assign users and groups stored in the LDAP directory to a group in the database.
● You cannot search for users with locked passwords. Searching for users with locked passwords returns no results.
● If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.
● If you allow users to change their password via the portal, LDAPS is required and the connection user must have the necessary rights.

For possible issues with LDAP directory as data source, see SAP Note 673824.
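The constraints above are easy to overlook in a large directory. The following Python script is an added example (not part of the SAP course material) that reads a constructed LDIF extract and flags what a UME administrator has to deal with before switching the data source: over-long DNs, groups that collide with the UME built-in group names (candidates for Unique Names of Blocked Groups) and user IDs that follow the _service convention (candidates for Unique Names of Blocked Users). The LDIF parser, the attribute names (objectClass, cn, sAMAccountName, uid) and the sample entries are assumptions of this example.

```python
"""Pre-flight check of an LDAP export against the UME data source constraints
described above (DN length, reserved group names, service-user IDs).
Added example, not part of the SAP course material; the LDIF is constructed."""

# Groups the UME maintains internally. LDAP groups with these names must be
# blocked via "Unique Names of Blocked Groups" or the name becomes ambiguous.
UME_BUILTIN_GROUPS = {"Everyone", "Authenticated Users", "Anonymous Users"}
MAX_DN_LENGTH = 240                 # limit for user and group object DNs
SERVICE_USER_SUFFIX = "_service"    # naming convention of UME service users


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}) tuples.
    Handles folded continuation lines but not base64 (::) values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def check_ume_constraints(entries):
    """Return (dn, finding, remedy) for every entry that breaks a UME rule."""
    findings = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if len(dn) > MAX_DN_LENGTH:
            findings.append((dn, "dn-too-long",
                             f"shorten DN: {len(dn)} > {MAX_DN_LENGTH} characters"))
        if classes & {"group", "groupofnames"}:
            for cn in attrs.get("cn", []):
                if cn in UME_BUILTIN_GROUPS:
                    findings.append((dn, "reserved-group-name",
                                     "add DN to 'Unique Names of Blocked Groups'"))
        if classes & {"user", "person", "inetorgperson"}:
            for uid in attrs.get("samaccountname", []) + attrs.get("uid", []):
                if uid.lower().endswith(SERVICE_USER_SUFFIX):
                    findings.append((dn, "service-user-id",
                                     "add DN to 'Unique Names of Blocked Users'"))
    return findings


# Constructed sample export: one reserved group name, one service-style ID,
# one over-long DN, and two clean entries.
LONG_DN = "cn=" + "x" * 240 + ",ou=users,dc=example,dc=test"
SAMPLE_LDIF = f"""\
dn: cn=Everyone,ou=groups,dc=example,dc=test
objectClass: group
cn: Everyone
member: cn=jdoe,ou=users,dc=example,dc=test

dn: cn=jdoe,ou=users,dc=example,dc=test
objectClass: user
cn: jdoe
sAMAccountName: jdoe

dn: cn=wfadmin,ou=users,dc=example,dc=test
objectClass: user
sAMAccountName: wf_service

dn: {LONG_DN}
objectClass: user
sAMAccountName: longname

dn: cn=portal-editors,ou=groups,dc=example,dc=test
objectClass: group
cn: portal-editors
"""


def run_check(ldif_text=SAMPLE_LDIF):
    """Parse an export and return the findings (an empty list means ready)."""
    return check_ume_constraints(parse_ldif(ldif_text))


if __name__ == "__main__":
    for dn, finding, remedy in run_check():
        print(f"{finding:20} {remedy}\n    {dn[:80]}")
```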

Architectural Aspects of Data Source LDAP

Before setting up an LDAP directory as UME data source, some implementation questions need to be discussed:

Implementation Questions for UME Data Source LDAP
● Is the LDAP server supported by SAP? (see SAP Note 983808)
● Is the UME connected to the LDAP server in read-only or read/write mode?
● Is the UME connection to the LDAP server SSL protected?
● Which hierarchy model is used (flat or deep)?
● Is further customizing of the UME Data Source configuration required (creating customer-specific XML files)?

Entries in an LDAP directory are organized in a tree-like structure called the Directory Information Tree (DIT). The main characteristic of a deep hierarchy is that users are entries below the group of which they are a member. The disadvantage of this schema is that users can only appear at one point in the directory tree and can therefore only be members of one group and its supergroups (the groups above it in the tree). You cannot change this group assignment with identity management or the UME API. The following figure illustrates a schema where a group is a tree.

Figure 5: Deep Hierarchy

In a flat hierarchy, the DIT has separate branches for user and group data. Each group must have an attribute that lists the members of that group, for example by providing the user IDs of the members.

Note: You can include an attribute in the people branch that lists the groups of which that person is a member. The UME can use this to increase performance, for example, during logon. We recommend that you only do this if your LDAP server supports automatic maintenance of an is-member-of attribute of the person. Trying to maintain group and people branches independently has a high potential for creating inconsistencies.

This structure has the advantage that a user can be a member of more than one group. The disadvantage is that when you add a user to the hierarchy, the user is not assigned to any groups. The administrator must assign groups explicitly. The following figure illustrates a simple example of a flat hierarchy where each group has an attribute listing the members of that group. More complex trees containing more than one people or group branch are also possible.
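To make the difference between the two hierarchy models concrete, the following Python code is an added example (not SAP code; all directory entries are constructed) that resolves a user's groups under the deep model (the group entries above the user in the DIT) and under the flat model (groups whose member attribute lists the user), and runs the member/memberOf consistency check that the note above argues for. The attribute names (objectClass, member, memberOf) and the sample DNs are assumptions of this example.

```python
"""Group membership under the two DIT layouts the UME supports, plus the
member/memberOf consistency check recommended in the note above.
Added example, not SAP code; all directory entries are constructed."""


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def parent_dns(dn):
    """Return the DNs of all ancestors of dn, nearest first."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def is_group(attrs):
    return "group" in attrs.get("objectClass", [])


def deep_groups(user_dn, entries):
    """Deep hierarchy: the user is an entry below its group, so its groups are
    exactly the group objects among its ancestors (group and supergroups)."""
    return [p for p in parent_dns(user_dn) if is_group(entries.get(p, {}))]


def flat_groups(user_dn, entries):
    """Flat hierarchy: membership is whatever the groups' member attribute says."""
    return sorted(dn for dn, attrs in entries.items()
                  if is_group(attrs) and user_dn in attrs.get("member", []))


def member_of_inconsistencies(entries):
    """Cross-check each user's memberOf against the groups' member lists and
    return (user_dn, group_dn, problem) for every one-sided link."""
    problems = []
    for user_dn, attrs in entries.items():
        if "user" not in attrs.get("objectClass", []):
            continue
        claimed = set(attrs.get("memberOf", []))
        actual = set(flat_groups(user_dn, entries))
        for g in sorted(claimed - actual):
            problems.append((user_dn, g, "memberOf without matching member"))
        for g in sorted(actual - claimed):
            problems.append((user_dn, g, "member without matching memberOf"))
    return problems


BASE = "dc=example,dc=test"

# Deep layout: the user entry sits below its group, which sits below a supergroup.
DEEP = {
    f"cn=Staff,{BASE}": {"objectClass": ["group"]},
    f"cn=Portal Admins,cn=Staff,{BASE}": {"objectClass": ["group"]},
    f"cn=jdoe,cn=Portal Admins,cn=Staff,{BASE}": {"objectClass": ["user"]},
}

# Flat layout: separate people and group branches; groups carry a member list
# and the people branch carries the optional memberOf attribute.
FLAT_USER = f"cn=jdoe,ou=users,{BASE}"
FLAT = {
    FLAT_USER: {"objectClass": ["user"],
                "memberOf": [f"cn=Portal Admins,ou=groups,{BASE}",
                             f"cn=Stale,ou=groups,{BASE}"]},   # stale claim
    f"cn=Portal Admins,ou=groups,{BASE}": {"objectClass": ["group"],
                                           "member": [FLAT_USER]},
    f"cn=Authors,ou=groups,{BASE}": {"objectClass": ["group"],
                                     "member": [FLAT_USER]},   # not in memberOf
    f"cn=Stale,ou=groups,{BASE}": {"objectClass": ["group"], "member": []},
}

if __name__ == "__main__":
    print("deep:", deep_groups(f"cn=jdoe,cn=Portal Admins,cn=Staff,{BASE}", DEEP))
    print("flat:", flat_groups(FLAT_USER, FLAT))
    for user, group, problem in member_of_inconsistencies(FLAT):
        print(f"{problem}: {user} <-> {group}")
```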


Figure 6: Flat Hierarchy

To Configure an LDAP Data Source

There are various environments available where you can configure an LDAP data source for an AS Java system:
● SAP NetWeaver Administrator tool
● UME Identity Management
● UME Configuration iView

The SAP NetWeaver Administrator tool and the UME Identity Management are available in every SAP system with usage type AS Java, while the UME Configuration iView requires the usage type EP (core). The Identity Management and the UME Configuration iView simplify the process of configuring the UME to use an LDAP directory. They allow you to choose a configuration file for configuring the data sources used by the UME, to enter connection data for the LDAP directory, and to test the data you entered.

Figure 7: User Management Configuration iView


To establish a connection from the UME of a portal server to an LDAP server:
1. Log on to the portal with a system administrator user.
2. Navigate to System Administration → System Configuration → UME Configuration.
3. Configure the LDAP data source on the Data Sources and LDAP Server views.
4. Restart all cluster elements of your AS Java system.

Unit 1 Exercise 1: Set Up Microsoft Active Directory Server (AD) as UME Data Source

Business Example

You are in charge of connecting SAP Enterprise Portal to an LDAP-based user data store. By this point at the latest, the initial course setup (as offered at SAP Service Marketplace, Quick Link /curr-ep) has to be completed.

Caution: As a prerequisite to this exercise, some initial setting up has to be prepared on the central server hosting the Microsoft Active Directory Server. Your instructor will provide the access. For the read-write mode, the Microsoft Active Directory Server (AD) requires an SSL-protected communication if passwords will be created or modified by AS Java.

Caution: Note that double-clicking in the PCD no longer works in NetWeaver 7.3. Open objects by right-clicking and selecting an option.

Note: Ensure that your browser zoom mode is set to 100%. Otherwise, you may experience slow PCD performance.

After completing this first exercise, participants should be asked to log on to the PSM, DCC, QCC and PCC ABAP systems as their .A-## and .E-## users, so that they can set a non-initial password. This will help with later exercises.

(Optional) Test the Connection to the LDAP Server

Verify that data stored in the central AD can be accessed from your server.

Caution: Do not change anything on the central AD!


1. Log on to the operating system of your portal server.
2. On the operating system of your portal server, choose Desktop.
3. Launch the ldp tool and connect or bind to the central AD server using the following connection data:
   Server: twdfvmCCCC.adtwdfvmCCCC.demo.sap
   Port: 389
   Connectionless: not selected
   SSL: not selected
   User: twdfSSSS__adsadm
   Password: provided by your instructor
   Domain: ADTWDFVMCCCC.DEMO.SAP

4. Explore the Directory Information Tree (DIT) for the BaseDN = DC=adtwdfvmCCCC,DC=demo,DC=sap. Check the Organizational Unit (OU) prepared for your server twdfSSSS.
5. Disconnect and try to reconnect using the (SSL-protected) LDAPS protocol with the following connection data:
   Server: twdfvmCCCC.adtwdfvmCCCC.demo.sap
   Port: 636
   Connectionless: not checked
   SSL: checked

Hint: This will fail because of a missing certificate issued by the AD server.

Then import the AD certificate file, which is available on the L:\ drive, as a Trusted Root Certification Authority. Now the connection should work.

Enable SSL between UME and LDAP Server (required for the read/write mode)

To encrypt the data transferred between the LDAP client and the LDAP server, SSL is recommended between the UME and the LDAP server. Some products, for example Microsoft AD, require SSL if you want to create or change entries in the directory server.
1. At the operating system level of your portal server, verify that the AD certificate file is available (on the L:\ drive).
2. Log on to the SAP NetWeaver Administrator tool using your administrative user .A-##. For example, EP200.A-## for the EP200 standard setup.
3. Launch the Key Storage in the SAP NetWeaver Administrator and import the AD certificate file into TrustedCAs.


Configure AD as the UME Data Source

Change the UME configuration to use a flat Active Directory hierarchy in read/write mode.
1. Save the current UME configuration settings of your portal server for documentation purposes.

Note: All AS Java configuration settings, or single settings, can be saved and restored by using the Configuration Tool. This approach is not a backup or restore procedure; it is for documentation purposes. However, note that the Configuration Tool also offers an Export and Import mechanism for general configuration settings.

2. Launch the UME Configuration iView and provide the connection data to your LDAP server. Use the following values:
   Data Source: Microsoft ADS (Flat Hierarchy) + Database
   Data Source File Name: dataSourceConfiguration_ads_writeable_db.xml
   Server Name: twdfvmCCCC.adtwdfvmCCCC.demo.sap
   Server Port: 636 (default LDAP SSL port)
   User: [email protected]
   Password: provided by your instructor
   Use SSL for LDAP Access: verify that the checkbox is selected
   Use Unique Attribute for UME Unique ID: verify that the checkbox is selected and the field has the value samaccountname
   User Path: use Browse to select ou=twdfSSSS_,dc=ADTWDFVMCCCC,dc=DEMO,dc=SAP
   Group Path: use Browse to select ou=twdfSSSS_,dc=ADTWDFVMCCCC,dc=DEMO,dc=SAP

   When successful, choose Save All Changes and restart your AS Java, for example using the SAP MC or SAP MMC.

Note: After a successful connection test, restart your AS Java.


Test the Changes Search for users and create a new user. 1. In the Identity Management iView, get a list of all users available in the LDAP directory server. 2. Create a new user SSSS.D-## with an E-Mail address .A##@training.sap.com and note the data source of this user. Caution: Since we all use the same data source (one central AD server for all portal classes worldwide), make sure that the new user ID is unique. Remember that SSSS represents the last 4 digits of a participant's host name. For example, the server twdf1902 would have the SSSS = 1902. The ## represents your 2digit group number. The E-Mail address .A-##@training.sap.com is already prepared and will be used later in this course. (Optional) Read entries from the LDAP Server Verify that the user SSSS.D-## was stored within the central AS.

Caution: Do not change anything on the central AD!

1. If you have closed the ldp tool, open it again and connect or bind to the central AD as described in the Connection Test to the LDAP Server task (using LDAP or LDAPS).
2. Explore the Directory Information Tree (DIT) for the BaseDN = DC=adtwdfvmCCCC,DC=demo,DC=sap. Verify that your new user SSSS.D-## shows up below the OU=twdfSSSS level.


Unit 1 Solution 1

Set Up Microsoft Active Directory Server (AD) as UME Data Source

Business Example
You are in charge of connecting SAP Enterprise Portal to an LDAP-based user data store. By this point at the latest, the initial course setup (as offered at SAP Service Marketplace, Quick Link /curr-ep) has to be completed.

Caution: As a prerequisite to this exercise, some initial setup has to be prepared on the central server hosting the Microsoft Active Directory Server. Your instructor will provide the access. For the read-write mode, the Microsoft Active Directory Server (AD) requires SSL-protected communication if passwords will be created or modified by AS Java.

Caution: Note that double-clicking in the PCD no longer works in NetWeaver 7.3. Open entries by right-clicking and selecting an option.

Note: Ensure that your browser zoom mode is set to 100%. Otherwise, you may experience slow PCD performance.

After completing this first exercise, participants should be asked to log on to the PSM, DCC, QCC and PCC ABAP systems as their .A-## and .E-## users, so that they can set a non-initial password. This will help with later exercises.

(Optional) Test the Connection to the LDAP Server Verify that data stored in the central AD can be accessed from your server.

Caution: Do not change anything on the central AD!


1. Log on to the operating system of your portal server.
2. On the operating system of your portal server, choose Desktop.
3. Launch the ldp tool and connect or bind to the central AD server using the following connection data:

Server: twdfvmCCCC.adtwdfvmCCCC.demo.sap
Port: 389
Connectionless: not selected
SSL: not selected
User: twdfSSSS__adsadm
Password: provided by your instructor
Domain: ADTWDFVMCCCC.DEMO.SAP

a) On the Desktop, choose the CMD shortcut.
b) In the command window, enter ldp and press ENTER.
c) Within the Ldp tool, choose Connection → Connect and enter the values as provided in the table above.
   a) In the Connect dialog box, in the Server field, enter twdfvmCCCC.adtwdfvmCCCC.demo.sap, where CCCC identifies the central AD server in use.
   b) In the Port field, enter 389.
   c) Ensure the Connectionless checkbox is not selected.
   d) Ensure the SSL checkbox is not selected.
   e) Choose OK. Verify that the connection was successfully established.
d) Within the Ldp tool, choose Connection → Bind. For Bind type, choose Bind with credentials and enter the values as provided in the table above. Verify that the binding was successful.
4. Explore the Directory Information Tree (DIT) for the BaseDN = DC=adtwdfvmCCCC,DC=demo,DC=sap. Check the Organizational Unit (OU) prepared for your server twdfSSSS.
a) Choose View → Tree.
b) For BaseDN, choose DC=adtwdfvmCCCC,DC=demo,DC=sap.
c) Choose OK.
d) In the left area, expand that root entry by double-clicking it. Locate the entry starting with OU=twdfSSSS_ and double-click it.
e) You should see at least two prepared entries: twdfSSSS__adsadm and twdfSSSS__adskrb (+ twdfSSSS__tstusr).


Lesson: Configuring the User Management Engine (UME) with LDAP Directory as a Data Source

5. Disconnect and try to reconnect using the (SSL-protected) LDAPS protocol with the following connection data:

Server: twdfvmCCCC.adtwdfvmCCCC.demo.sap
Port: 636
Connectionless: not checked
SSL: checked

Hint: This will fail because of a missing certificate issued by the AD server.

Then import the AD certificate file, which is available on the L:\ drive, as a Trusted Root Certification Authority. Now the connection should work.
a) Within the ldp.exe tool, choose Connection → Disconnect.
b) Then, choose Connection → Connect and enter the values as provided in the table above. That operation should fail with a “Cannot open connection” error message.
c) Open the L:\ drive and right-click the certificate file (similar to Certificate_twdfvmCCCC.crt).
d) Choose Open, then Install Certificate.
e) On the Welcome screen, ensure that Current User is selected as the store location and choose Next.
f) On the Certificate Store screen, select the Place all certificates in the following store checkbox.
g) Choose Browse.
h) In the Select Certificate Store dialog box, select the Show physical stores checkbox.
i) Still in the Select Certificate Store dialog box, expand Trusted Root Certification Authorities.
j) Select Local Computer.
k) Choose OK.
l) Choose Next.
m) Choose Finish.
n) If you see a Security Warning dialog box, choose Yes.
o) Try to establish the connection using LDAPS again. It should work now.
p) Bind your user again.


Enable SSL between UME and LDAP Server (required for the read/write mode)
To encrypt the data transferred between the LDAP client and the LDAP server, SSL is recommended between the UME and the LDAP server. Some products, for example Microsoft AD, require SSL if you want to create or change entries in the directory server.
1. At the operating system level of your portal server, verify that the AD certificate file is available (on the L:\ drive).
a) At the operating system level of your portal server, launch an Explorer and navigate to the L:\ drive. The certificate file (similar to Certificate_twdfvmCCCC.crt) should be available there.
2. Log on to the SAP NetWeaver Administrator tool using your administrative user .A-##, for example EP200.A-## for the EP200 standard setup.
a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/nwa.
b) Log on as user .A-##.
3. Launch the Key Storage in the SAP NetWeaver Administrator and import the AD certificate file into the TrustedCAs view.
a) Choose Configuration → Security.
b) Select the Certificates and Keys link.
c) In the Key Storage Views table, scroll down and select the Trusted CAs view.
d) In the Details area, choose Import Entry. The Entry Import dialog box opens.
e) In the Select entry type field, select X.509 Certificate from the dropdown list.
f) Browse to your L:\ drive, where the file was found earlier. The name is similar to Certificate_twdfvmCCCC.crt.
g) Choose Import.

Configure AD as the UME data source
Change the UME configuration to use a flat Active Directory hierarchy in read/write mode.
1. Save the current UME configuration settings of your portal server for documentation purposes.

Note: All AS Java configuration settings or single settings can be saved and restored by using the Configuration Tool.

This approach is not a backup or restore procedure; it is for documentation purposes only. However, note that the Configuration Tool also offers an Export and Import mechanism for general configuration settings.

a) If you have not already done so, log on to the operating system of your portal server.
b) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.


c) Log on to your portal using the .A-## portal user (## is always your group number).
d) Choose System Administration → System Configuration → UME Configuration → Support.
e) Choose the Download Configuration ZIP File link to download the file and save it (remember to use Save as from the dropdown list) in a folder on your portal server.
2. Launch the UME configuration iView and provide the connection data to your LDAP server. Use the following values. When successful, choose Save All Changes and restart your AS Java, for example, using the SAP MC or SAP MMC.

Data Source: Microsoft ADS (Flat Hierarchy) + Database
Data Source File Name: dataSourceConfiguration_ads_writeable_db.xml
Server Name: twdfvmCCCC.adtwdfvmCCCC.demo.sap
Server Port: 636 (default LDAP SSL port)
User: [email protected]
Password: provided by your instructor
Use SSL for LDAP Access: verify that the checkbox is selected
Use Unique Attribute for UME Unique ID: verify that the checkbox is selected and the field has the value samaccountname
User Path: use Browse to select ou=twdfSSSS_,dc=ADTWDFVMCCCC,dc=DEMO,dc=SAP
Group Path: use Browse to select ou=twdfSSSS_,dc=ADTWDFVMCCCC,dc=DEMO,dc=SAP

Note: Enter each path as one continuous string; any separators shown in the printed material are a formatting artifact and must not be entered in the system. After a successful connection test, restart your AS Java.
a) As portal user .A-##, choose System Administration → System Configuration → UME Configuration.
b) Change to the Modify Configuration mode.
c) Enter the data from the table above on the Data Sources and LDAP Server tabs. For the user and group paths, select Browse. Expand the top entry twdfvmCCCC.adtwdfvmCCCC.demo.sap:636.


Hint: If this entry does not expand, check your previous steps.

Expand the first sub line, DC=adtwdfvmCCCC,DC=demo,DC=sap. Locate and select your system OU=twdfSSSS_. Choose Select at the bottom of the screen.
d) After you have entered all data, choose Validate Configuration. Only proceed after a successful validation.
e) When successful, choose Save All Changes.
f) Restart your AS Java, for example, using the SAP MC or SAP MMC.

Test the Changes
Search for users and create a new user.
1. In the Identity Management iView, get a list of all users available in the LDAP directory server.
a) As portal user .A-##, choose User Administration → Identity Management.
b) As search criteria, select User and LDAP, enter * and choose Go. You should get some entries. Take note of the Data Source column.
2. Create a new user SSSS.D-## with the E-Mail address .A-##@training.sap.com and note the data source of this user.

Caution: Since we all use the same data source (one central AD server for all portal classes worldwide), make sure that the new user ID is unique. Remember that SSSS represents the last 4 digits of a participant's host name. For example, the server twdf1902 would have SSSS = 1902. The ## represents your 2-digit group number. The E-Mail address .A-##@training.sap.com is already prepared and will be used later in this course.

a) In the User view of the Identity Management iView, choose Create User.
b) On the General Information tab, fill in at least the following mandatory fields:

Logon ID: SSSS.D-## (for example, DEP1234.D-12)
Password: any (note that UME settings and LDAP restrictions apply)
Last Name: any
E-Mail Address: .A-##@training.sap.com

c) Optionally, on the Assigned Roles tab, search for and assign the eu_role to this user.


Hint: Choose Modify before searching for the role.

d) Click Save and verify that Data Source is “LDAP” for the new user.

(Optional) Read entries from the LDAP Server
Verify that the user SSSS.D-## was stored within the central AD.

Caution: Do not change anything on the central AD!

1. If you have closed the ldp tool, open it again and connect or bind to the central AD as described in the Connection Test to the LDAP Server task (using LDAP or LDAPS).
2. Explore the Directory Information Tree (DIT) for the BaseDN = DC=adtwdfvmCCCC,DC=demo,DC=sap. Verify that your new user SSSS.D-## shows up below the OU=twdfSSSS level.
a) Within the ldp.exe tool, choose View → Tree. For BaseDN, choose DC=adtwdfvmCCCC,DC=demo,DC=sap and choose OK.
b) In the left area, expand that root entry. Locate the entry starting with OU=twdfSSSS_ and double-click it.
c) Verify that an entry for your user SSSS.D-## shows up.
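The visual check above (expand the tree in ldp, find the new user below OU=twdfSSSS_) can also be expressed as a distinguished-name containment test. The following is an added example, not part of the course material or of the ldp tool: a small RFC 4514 DN parser plus a check that an entry's DN lies below the configured User Path. All DNs are constructed; the SSSS/CCCC placeholders are filled with made-up values and the CN of the new user is an assumption. Because Active Directory matches DN components case-insensitively, attribute types and values are lower-cased before comparison, which is why ou=twdfSSSS_,dc=ADTWDFVMCCCC,... in the UME configuration matches OU=twdfSSSS_,DC=adtwdfvmCCCC,... as shown by ldp.

```python
"""Check that a new LDAP entry sits below the configured User Path (RFC 4514 DNs).

Added example, not EP200 course material. Sample DNs are constructed.
"""
from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"


def _split_unescaped(text: str, separators: str) -> List[str]:
    """Split on any separator character that is not preceded by a backslash."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair; resolved later
            i += 2
            continue
        if ch in separators:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: backslash + special character, or backslash + hex pair."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))  # \2C -> ','
                i += 3
            else:
                out.append(value[i + 1])        # \, -> ','
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _trim_unescaped_spaces(value: str) -> str:
    """Drop formatting whitespace around a value, but keep an escaped trailing space."""
    value = value.lstrip()
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse a DN into RDNs (leaf first); each RDN is a sorted list of (type, value)."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs = []
        for component in _split_unescaped(rdn_text, "+"):  # multi-valued RDNs use '+'
            if "=" not in component:
                raise ValueError(f"malformed RDN component: {component!r}")
            attr_type, _, attr_value = component.partition("=")
            attr_value = _unescape(_trim_unescaped_spaces(attr_value))
            pairs.append((attr_type.strip().lower(), attr_value.lower()))
        rdns.append(sorted(pairs))
    return rdns


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is a strict descendant of base_dn (the configured User Path)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) <= len(base):
        return False
    return entry[len(entry) - len(base):] == base


# Constructed sample: SSSS=1902, CCCC=0001, group ##=12; the CN of the new user is assumed.
USER_PATH = "ou=twdf1902_,dc=ADTWDFVM0001,dc=DEMO,dc=SAP"
NEW_USER_DN = "CN=1902.D-12,OU=twdf1902_,DC=adtwdfvm0001,DC=demo,DC=sap"

if __name__ == "__main__":
    print(is_under(NEW_USER_DN, USER_PATH))  # True: the user was created below the User Path
```

Running the block with the DN of the user as shown by ldp answers the same question as step 2 c); an entry in a different OU, or the User Path itself, is reported as not contained.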


Related Information: LDAP Data Source
● SAP NetWeaver 7.4 online documentation, path SAP NetWeaver Platform → SAP NetWeaver 7.4 → System Administration and Maintenance Information → Technical Operations for SAP NetWeaver (English) → Administration of Application Server Java (AS JAVA) → Administration → Administration Tools → SAP NetWeaver Administrator → User Management of the Application Server Java → LDAP Directory as Data Source
● SAP NetWeaver 7.4 online documentation, path SAP NetWeaver Platform → SAP NetWeaver 7.4 → System Administration and Maintenance Information → Technical Operations for SAP NetWeaver (English) → Administration of Application Server Java (AS JAVA) → Administration → Administration Tools → SAP NetWeaver Administrator → User Management of the Application Server Java → SAP NetWeaver AS ABAP User Management as Data Source
● SAP Note 718383: Supported Data Sources and Change Options
● SAP Note 673824: LDAP Recommendations for UME
● SAP Note 983808: Certified LDAP directory servers


LESSON SUMMARY
You should now be able to:
● Describe the architecture and function of the User Management Engine (UME)
● List the requirements of setting up LDAP as a data source
● Configure the LDAP data source


Unit 1 Lesson 2

Describing the Different Authentication Mechanisms

LESSON OVERVIEW This lesson reviews some of the ways to authenticate access to the portal. In this lesson your students should learn there are many ways to authenticate to the portal. ID and password is only one way. Try not to go into too much detail regarding each scenario. This is just a high-level overview.

Business Example
You have been tasked with identifying and implementing a security model for the SAP Enterprise Portal at your organization that will ensure user authentication in the most efficient (you must take system performance into account) and effective (you must make the solution as unobtrusive to the end user as possible) manner possible. This includes securing the portal’s business content (both SAP delivered and custom developed), as well as securing the communication channels and content from all external applications and systems in the organization’s system landscape (both SAP and Non-SAP systems) that interact with the portal. To correctly plan and implement a security model for the SAP Enterprise Portal, you have decided to gather a round table of representatives, including security architects, system administrators, and senior application experts for each system that will be involved in the security model for the SAP Enterprise Portal. You discuss the security options available within the SAP Enterprise Portal, such as the following:
● Authentication mechanisms
● Security zones
● JAAS authentication schemes
● SAP Logon Tickets
● User mapping
● X.509 certs

This lesson explains some of the supported authentication mechanisms.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the authentication options for the portal

Initial Authentication to the Portal Application
Companies have many options when selecting how to authenticate access to the portal:


Lesson: Describing the Different Authentication Mechanisms

Figure 8: Different Authentication Options

Portal Authentication Options
● Authentication with user ID and password
  - Form-based logon (the default authentication method)
  - Basic authentication
● Authentication with X.509 client certificates
● Authentication with SAML 2.0
● Authentication using external mechanisms such as
  - Windows authentication (Kerberos and NTLM)
  - Products following the Java Authentication and Authorization Service (JAAS) standard
● Authentication for anonymous logon with named anonymous user(s)

Using Basic Authentication (User ID and Password)
By default, the AS Java uses basic authentication for applications that are set up to use basic or form authentication.


Figure 9: Basic Authentication

Basic authentication is an HTTP standard method for authentication, whereby the user provides a user ID and password. By default, the AS Java uses Basic Authentication for applications that are set up to use basic or form authentication. The corresponding login module is BasicPasswordLoginModule.

User Authentication Using Client Certificates
Use client certificate authentication for applications that require a higher level of security. In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for client or user authentication. The authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment.

Figure 10: Authentication via Client Certificates

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates. When using client certificates, users are authenticated using the SSL protocol. Therefore SSL is necessary for the connections where user authentication takes place. The SSL authentication can be used when users access the AS Java directly or for those scenarios where they access the server via an intermediary proxy. An intermediary server may be a web proxy or SAP Web Dispatcher. A typical scenario is to place the intermediary server in the DMZ and the AS Java in the intranet zone.


The servers that are supported for use with the AS Java are:
● SAP Web Dispatcher
● Other devices (for example, the Apache Web Server)

Single Sign-On Between Applications Using Security Session IDs
By default, the standard JSESSIONID mechanism is used to exchange the information about the user’s identity between the web applications when using Single Sign-On. It is based on the associations between the user's HTTP sessions established for the different applications, and the security session that is established after the user logs in to an application. This information is sent with the HTTP request using a session cookie (or URL rewriting, if cookies are disabled). The name of the cookie used for this purpose is JSESSIONID. If the client does not accept cookies, then the server can use URL rewriting for this session tracking. This adds the session ID to the URL path, and this ID is interpreted by the container to associate the request with the session. The session ID is encoded as a path parameter (JSESSIONID) in the string of the URL.

Note: Single sign-on using the JSESSIONID mechanism is only possible between applications that are running on the same server process in the cluster. This is because the security sessions created to identify the user’s security identity are not persistent, and therefore cannot be migrated to another server process.

User Authentication Using Header Variables
You can use header variable authentication to delegate user authentication to any external product that authenticates the user and returns an authenticated user ID as part of the HTTP header. Integrated Windows authentication is an example of header variable authentication.

Figure 11: Authentication via Header Variables

The AS Java supports the use of header variables for Single Sign-On. This means that you can delegate user authentication to any external product that authenticates the user and returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the Web AS Java, such as the portal, with Single Sign-On. Single Sign-On with header variables can be used as follows:




● You can use an external Web Access Management (WAM) product to authenticate your users. This is useful if, for example, you are already using an external WAM product to protect other resources in your company, or if you wish to use authentication mechanisms that are not directly supported by the AS Java, such as token cards or biometrics.

The AS Java provides a login module named HeaderVariableLoginModule that reads a user ID from the HTTP header variable and then uses this user ID to authenticate the user. For example, authentication with an external WAM product works as follows: The WAM product authenticates the user and returns an authenticated user ID to the AS Java as part of the HTTP header. The AS Java compares this returned user ID against the user data sources and grants the user access to the required application upon finding a match. The user must exist in the UME user data sources.

Note: To use an external product with the header variable login module for authentication, you must have an external web server in front of the AS Java. All requests must pass through the external web server. The user ID that the external product returns in the HTTP header must exist in the user management data sources.

If appropriate security measures are not taken, authentication using header variables can allow attackers to impersonate a user by sending a request with a user ID in the appropriate header variable to the SAP NetWeaver AS. To prevent this, you should do the following:
● Using appropriate measures, make sure that the HTTP and HTTPS ports of the AS Java or portal cannot be directly accessed by client browsers, for example, by using firewalls. The SAP NetWeaver AS should only be accessed through its web server. This prevents attackers from bypassing the web server and impersonating authenticated users.
● If it is not possible to block the HTTP and HTTPS ports of the AS Java, you must configure Secure Sockets Layer (SSL) with mutual authentication between the web server that authenticates the user and the AS Java. In this way, the AS Java can trust the user information contained in the header variable.
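The two conditions in the note, that the header is only meaningful when the request has come through the authenticating web server, and that the user ID must exist in the UME data sources, can be made concrete in a few lines. The following is an added example written for this lesson; it is not SAP's HeaderVariableLoginModule and not part of the course material. The header name REMOTE_USER, the certificate subject of the trusted web server, and the list of known users are constructed sample values; the peer identity stands for what the AS Java learns from the web server's client certificate under mutual SSL.

```python
"""Header-variable SSO: trust the user ID header only from the authenticating web server.

Added example, not SAP code and not EP200 course material. All values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

HEADER_NAME = "REMOTE_USER"  # assumed header name; the real module makes this configurable

# Constructed stand-in for the user IDs the UME can resolve from its data sources.
UME_USERS: FrozenSet[str] = frozenset({"ep200.a-12", "1902.d-12"})

# Constructed subject of the client certificate the front-end web server presents.
TRUSTED_WEB_SERVERS: FrozenSet[str] = frozenset({"CN=wam-proxy.example.test"})


@dataclass
class Request:
    """Minimal view of an incoming request as seen by the AS Java."""
    headers: Dict[str, str]
    peer_cert_subject: Optional[str] = None  # None: connection was not mutually authenticated


def header_user_id(req: Request) -> Optional[str]:
    """Extract and normalise the user ID carried in the header, if any."""
    user = req.headers.get(HEADER_NAME, "").strip().lower()
    return user or None


def authenticate_without_peer_check(req: Request) -> Optional[str]:
    """The exposed configuration: whoever reaches the AS Java port can set the header."""
    user = header_user_id(req)
    return user if user in UME_USERS else None


def authenticate_hardened(req: Request,
                          trusted: FrozenSet[str] = TRUSTED_WEB_SERVERS) -> Optional[str]:
    """Trust the header only from an authenticated web server, and only for known users."""
    if req.peer_cert_subject is None or req.peer_cert_subject not in trusted:
        return None  # request bypassed the web server (or no mutual SSL): header is untrusted
    user = header_user_id(req)
    if user is None or user not in UME_USERS:
        return None  # the returned user ID must exist in the user management data sources
    return user


# Constructed requests: one that reached the AS Java directly, one that came via the web server.
DIRECT = Request(headers={"REMOTE_USER": "EP200.A-12"})
VIA_WEB_SERVER = Request(headers={"REMOTE_USER": "EP200.A-12"},
                         peer_cert_subject="CN=wam-proxy.example.test")

if __name__ == "__main__":
    print(authenticate_without_peer_check(DIRECT))  # ep200.a-12: header accepted from anyone
    print(authenticate_hardened(DIRECT))            # None: no trusted web server behind it
    print(authenticate_hardened(VIA_WEB_SERVER))    # ep200.a-12
```

The firewall variant from the first bullet corresponds to never receiving a request like DIRECT at all; the mutual-SSL variant from the second bullet is what authenticate_hardened checks when that is not possible.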

Single Sign-On Using Security Assertion Markup Language (SAML) 2.0 Assertions
The Security Assertion Markup Language (SAML) 2.0 is a standard for the communication of assertions about principals, typically users. An assertion can include the means by which a subject was authenticated, the attributes associated with the subject, and an authorization decision made for a given resource. The primary reason to use SAML 2.0 is to enable SSO across domains. You can configure SAP NetWeaver Application Server (AS) Java as a SAML 2.0 service provider. SAP applications can take part in cross-domain SSO. You can use SSO with SAML assertions with all usage types of SAP NetWeaver. The AS Java or AS ABAP supports the configuration and execution of the SSO, and the SAP NetWeaver system can act as a SAML destination site. In addition, the portal can act as a SAML authority, or a SAML source site, to issue SAML assertions. The two main components of a SAML 2.0 landscape are an identity provider and a service provider. The service provider is a system entity that provides a set of web applications with a common session management, identity management, and trust management. The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. The service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers. The client that is trying to access the resource must be HTTP-compliant. SAML 2.0 supports identity-provider-initiated SSO as in SAML 1.x. SAML 2.0 also supports service-provider-initiated SSO. When the identity provider initiates SSO, the user must maintain links on the identity provider system to the protected resources on the service providers. When the user protects resources with SAML on a service provider, the service provider is configured to request authentication from the identity provider. Authentication via SAML is covered in more detail in the course ADM960.

Portal Access Using Anonymous Logon
Anonymous logon allows users to access the portal in anonymous mode, without providing any form of authentication. For example, if your company sets up an external portal that is accessed via the Internet, you can make anonymous content available to anyone who wants to visit the portal. Using self-registration, visitors can then register themselves as portal users. The portal provides a form of anonymous logon with named anonymous users. Named anonymous users are users that exist either in the user data store or as service users. These users are automatically assigned to the Anonymous Users group. You can assign roles containing anonymous content to the users individually or to the group Anonymous Users.


Unit 1 Exercise 2

Change the Initial Authentication Scheme of an SAP Java EE Application

Business Example
You have been asked to change the behavior of the initial login process to the portal.

Launch the OpenSQLMonitors application as authenticated user 1/2
Access the portal and then the OpenSQLMonitors application afterwards, observing the login process.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.
2. Log on to your portal using portal user .A-##.
3. In the URL, replace the part .../irj/portal with .../OpenSQLMonitors.
4. Navigate to SQL Trace → Switch on and off SQLTrace. Do you have to log on again?

Modify the authentication mechanism
Change the authentication mechanism of the OpenSQLMonitors application so that it accepts the user ID and password from your portal logon. You will then no longer need to supply your user name and password.

Caution: When there is only one portal server available for the class, this task has to be done by the instructor.

1. Log on to the SAP NetWeaver Administrator tool using user .A-##.
2. Modify the login modules of the sap.com/SQLTrace*OpenSQLMonitors component so that logon tickets are accepted for login and are also issued.

Note: The EvaluateTicketLoginModule is the login module that evaluates SAP Logon Tickets, and the CreateTicketLoginModule is the login module that creates SAP Logon Tickets after a successful logon.

Launch the OpenSQLMonitors application as authenticated user 2/2
Access the portal and then the OpenSQLMonitors application afterwards, observing the login process.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.


2. Log on to your portal using portal user .A-##.
3. In the URL, replace the part .../irj/portal with .../OpenSQLMonitors.
4. Navigate to SQL Trace → Switch on and off SQLTrace. Do you have to log on again?


Unit 1 Solution 2

Change the Initial Authentication Scheme of an SAP Java EE Application

Business Example
You have been asked to change the behavior of the initial login process to the portal.

Launch the OpenSQLMonitors application as authenticated user 1/2
Access the portal and then the OpenSQLMonitors application afterwards, observing the login process.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.
a) Close all browser windows in the environment in which you are working.
2. Log on to your portal using portal user .A-##.
a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
b) Log on as portal user .A-##.
3. In the URL, replace the part .../irj/portal with .../OpenSQLMonitors.
4. Navigate to SQL Trace → Switch on and off SQLTrace. Do you have to log on again?
a) After logging on to the portal, launching the OpenSQLMonitors application still requires reauthentication. You need to supply your user name and password to proceed.

Modify the authentication mechanism
Change the authentication mechanism of the OpenSQLMonitors application so that it accepts the user ID and password from your portal logon. You will then no longer need to supply your user name and password.

Caution: When there is only one portal server available for the class, this task has to be done by the instructor.

1. Log on to the SAP NetWeaver Administrator tool using user .A-##.
a) Navigate to the SAP NetWeaver Administrator with your server URL: http://twdfSSSS.wdf.sap.corp:5$$00/nwa.
b) Log on to the SAP NetWeaver Administrator tool.
2. Modify the login modules of the sap.com/SQLTrace*OpenSQLMonitors component so that logon tickets are accepted for login and are also issued.
a) Choose Configuration → Security.


b) Choose the Authentication and Single Sign-on link.
c) Navigate to the top right of the table, and change the Type to Web by selecting it from the dropdown list in the first row.
   a) In the first filter option, called Policy Configuration Name, enter OpenSQLMonitors.
   b) Filter by clicking the filter button to the top left of the table.
   c) Select the sap.com/opensqlmonitors entry.
   d) Choose the Edit button.
   e) In the Authentication Stack area, in the Used Template field, choose ticket from the dropdown list. This adds the EvaluateTicketLoginModule with the flag Sufficient and the CreateTicketLoginModule with the flag Optional to the Login Modules table.
   f) Save your settings.

Note: The EvaluateTicketLoginModule is the login module that evaluates SAP Logon Tickets, and the CreateTicketLoginModule is the login module that creates SAP Logon Tickets after a successful logon.

Launch the OpenSQLMonitors application as authenticated user 2/2
Access the portal and then the OpenSQLMonitors application afterwards, observing the login process.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.
a) Close all browser windows in the environment in which you are working.
2. Log on to your portal using portal user .A-##.
a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
b) Log on as portal user .A-##.
3. In the URL, replace the part .../irj/portal with .../OpenSQLMonitors.
4. Navigate to SQL Trace → Switch on and off SQLTrace. Do you have to log on again?
a) You have logged on to the portal (and received a logon ticket), so this ticket is now used to launch the OpenSQLMonitors application without the need to supply your user name and password.
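Why the ticket template changes the behaviour observed in step 4 follows from the JAAS control flags on the login module stack. The following is an added example, not AS Java code and not part of the course material: evaluate_stack() implements the standard JAAS semantics of REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL, and TICKET_TEMPLATE holds the stack the exercise ends up with. The EvaluateTicketLoginModule (Sufficient) and CreateTicketLoginModule (Optional) entries come from the solution text; the BasicPasswordLoginModule entry with flag REQUISITE is an assumption about the template's remaining entry. Module outcomes are simulated with constructed request data; MYSAPSSO2 is the cookie name SAP Logon Tickets use.

```python
"""JAAS control flags as used by the 'ticket' login-module template.

Added example, not AS Java code and not EP200 course material.
The BasicPasswordLoginModule entry is assumed; ticket and password values are constructed.
"""
from typing import Callable, Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (login module name, control flag), in stack order

TICKET_TEMPLATE: Stack = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),  # from the solution text
    ("BasicPasswordLoginModule", "REQUISITE"),    # assumed middle entry of the template
    ("CreateTicketLoginModule", "OPTIONAL"),      # from the solution text
]


def evaluate_stack(stack: Stack, run_module: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Run a JAAS stack; return (authenticated, names of the modules that were invoked).

    SUFFICIENT: success ends the stack with success, unless an earlier REQUIRED or
                REQUISITE module failed; failure just moves on to the next module.
    REQUISITE:  failure aborts the stack immediately with failure.
    REQUIRED:   failure is remembered, but the remaining modules still run.
    OPTIONAL:   never decides the outcome on its own.
    The stack succeeds when no REQUIRED/REQUISITE module failed and at least one succeeded.
    """
    required_failed = False
    any_success = False
    invoked: List[str] = []
    for name, flag in stack:
        invoked.append(name)
        ok = run_module(name)
        any_success = any_success or ok
        if flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, invoked
        elif flag == "REQUISITE":
            if not ok:
                return False, invoked
        elif flag == "REQUIRED":
            if not ok:
                required_failed = True
        elif flag != "OPTIONAL":
            raise ValueError(f"unknown control flag {flag!r}")
    return (not required_failed) and any_success, invoked


VALID_TICKET = "constructed-valid-ticket"  # stands for a ticket whose signature verifies
EXPECTED_PASSWORD = "constructed-secret"   # stands for the stored credential


def simulate_login(cookies: Dict[str, str], password: str = "") -> Tuple[bool, List[str]]:
    """Drive the ticket stack with a request carrying cookies and, optionally, a password."""

    def run_module(name: str) -> bool:
        if name == "EvaluateTicketLoginModule":
            return cookies.get("MYSAPSSO2") == VALID_TICKET
        if name == "BasicPasswordLoginModule":
            return password == EXPECTED_PASSWORD
        if name == "CreateTicketLoginModule":
            return True  # issues a ticket for the now-authenticated user
        raise KeyError(name)

    return evaluate_stack(TICKET_TEMPLATE, run_module)


if __name__ == "__main__":
    # With a portal ticket the password module is never consulted (what step 4 observes).
    print(simulate_login({"MYSAPSSO2": VALID_TICKET}))
    # Without a ticket the stack falls back to user ID and password.
    print(simulate_login({}, "constructed-secret"))
    print(simulate_login({}, "wrong"))
```

The first call shows the effect of the exercise: the Sufficient ticket module ends the stack, so no password prompt appears. The last two calls show that the template still accepts a user ID and password when no ticket is presented, and that a failed Requisite module stops the stack before the ticket-creating module runs.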


LESSON SUMMARY
You should now be able to:
● Describe the authentication options for the portal


Unit 1 Lesson 3

Describing Authentication Schemes

LESSON OVERVIEW
This lesson covers the different options possible for correctly authenticating users to the SAP Enterprise Portal, and the configuration steps required for each. Different companies deploy the SAP Enterprise Portal for different purposes.
Example 1: A public portal on the Internet, requiring the ability to allow users to self-register (the SAP Developer Network, for instance).
Example 2: A corporate, secure portal accessible from the Internet that allows a company's suppliers to access only their invoice and billing information (Supplier Self-Service portal).
Example 3: A corporate Employee Self-Service portal, dealing with sensitive HR-related data that must be secured due to privacy considerations.
Each of the above examples may require the SAP Enterprise Portal to cater for different means of authenticating users correctly. In some cases, the same portal may require multiple means of authentication for the different types of content being accessed through it. It is worth mentioning that the requirements for portal authentication can become very complex. There is too much material to cover all aspects in the time allowed for this topic, so only the main concepts will be dealt with.

Business Example
You are charged with delivering a portal for your company, which will allow external business partners to access only their relevant information in your company's ERP system, while at the same time providing people on the Internet the ability to view web content aimed at your customer base. Your company wants these potential Internet customers to have the ability to register as users so that they can gain further access to products. You need to ascertain how the SAP Enterprise Portal can be configured to best accommodate the different requirements above.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● List the different user authentication options available with SAP Enterprise Portal

Portal Authentication
The SAP Enterprise Portal supplies different options for properly authenticating users. These options include most of the standard security mechanisms available. Different authentication methods may have to be used in order to meet the deployment scenario. For example, a public portal would require the capability to allow anonymous authentication of users, while a secure intranet portal may require different authentication.


The SAP Enterprise Portal comes shipped with several standard authentication schemes, and also allows these scenarios to be customized if required. Portal authentication is defined as follows:

Portal Authentication Defined
● Authentication provides a way of verifying the user’s identity before he or she is granted access to the portal, or to pieces of content accessed via the portal.
● The process of authentication is based on each user having a unique set of credentials for gaining access. For example, with user ID and password authentication, the authentication server compares a user’s authentication credentials with the user credentials stored in a user data repository. If the credentials match, the user is granted access to the SAP Enterprise Portal. Otherwise, the authentication fails and portal access is denied.

Authentication schemes have the following uses within the portal:

Authentication Schemes
● In the portal, authentication is defined using authentication schemes, which are assigned to iViews or pages. Users log on to the portal with a specific authentication scheme, and this scheme is stored in the user’s logon ticket. If a user needs to access an iView that requires a stronger authentication scheme, he or she must reauthenticate as specified by the stronger authentication scheme. Authentication schemes therefore allow enforcement of different authentication mechanisms for different content.
● Each iView and page is assigned an authentication scheme, and only users that have logged on successfully with that authentication scheme or one with a higher priority can access the iView. In addition, authentication schemes enable pluggable authentication. You can easily “plug in” additional authentication schemes into the portal using modules that adhere to the Java Authentication and Authorization Service (JAAS) standard.

The authschemes.xml file contains the definitions of the authentication schemes for a portal. It stores information about:

Information stored in the authschemes.xml File
● Valid authentication schemes for the portal
● Default authentication scheme for the portal
● Priority (or hierarchy) of the different authentication schemes
● References to authentication schemes (so each individual iView does not have to be changed)

A reference to an authentication scheme acts as a pointer to an authentication scheme. By changing what the reference points to (that is, by modifying a reference to an authentication scheme), you can change the authentication scheme for a whole set of iViews and iView templates without having to change the property in each individual iView or iView template.

To access the authschemes.xml file, use the Config Tool, switch to configuration editor mode and choose cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → persistent → authschemes.xml.
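Added example (not code from the EP200 handbook or from SAP): a Python model of how scheme priorities and references decide whether the scheme stored in a logon ticket is strong enough for an iView, and how repointing one reference changes every iView that uses it. The XML below, its element names, attributes and priority values are constructed and simplified and are not the schema of the shipped authschemes.xml.

```python
"""Added example (not from the EP200 handbook or SAP): scheme references
and priorities deciding whether a user must re-authenticate for an iView.

Assumption: the XML below is a constructed, simplified stand-in; its
element names, attributes and priority values are NOT the schema of the
shipped authschemes.xml file.
"""
import xml.etree.ElementTree as ET

# Constructed sample: schemes with a priority (higher = stronger) and
# named references that iViews point at instead of naming a scheme.
SAMPLE_AUTHSCHEMES = """
<authschemes>
  <authscheme name="basicauthentication" priority="10"/>
  <authscheme name="uidpwdlogon" priority="20"/>
  <authscheme name="certlogon" priority="30"/>
  <authscheme-ref name="default" target="uidpwdlogon"/>
  <authscheme-ref name="UserAdminScheme" target="uidpwdlogon"/>
  <authscheme-ref name="HighSecurity" target="certlogon"/>
</authschemes>
"""


class AuthSchemes:
    """In-memory view of the schemes and references of one portal."""

    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.priority = {e.get("name"): int(e.get("priority"))
                         for e in root.findall("authscheme")}
        self.refs = {e.get("name"): e.get("target")
                     for e in root.findall("authscheme-ref")}

    def resolve(self, name: str) -> str:
        """Follow a reference (or a chain of references) to a real scheme.
        A plain scheme name resolves to itself; cycles are rejected."""
        seen = set()
        while name in self.refs:
            if name in seen:
                raise ValueError(f"reference cycle at {name!r}")
            seen.add(name)
            name = self.refs[name]
        if name not in self.priority:
            raise KeyError(f"unknown authentication scheme {name!r}")
        return name

    def repoint(self, ref: str, target: str) -> None:
        """Change what a reference points to. Every iView whose
        Authentication Scheme property names this reference is affected."""
        if target not in self.priority and target not in self.refs:
            raise KeyError(f"unknown scheme or reference {target!r}")
        self.refs[ref] = target

    def must_reauthenticate(self, ticket_scheme: str, iview_scheme: str) -> bool:
        """True if the scheme stored in the logon ticket ranks below the
        scheme (or reference) the iView requires."""
        have = self.priority[self.resolve(ticket_scheme)]
        need = self.priority[self.resolve(iview_scheme)]
        return have < need


def demo() -> tuple:
    """A user logged on with user ID and password (ticket: uidpwdlogon)."""
    schemes = AuthSchemes(SAMPLE_AUTHSCHEMES)
    before_default = schemes.must_reauthenticate("uidpwdlogon", "default")
    before_high = schemes.must_reauthenticate("uidpwdlogon", "HighSecurity")
    # Repoint 'default' at certlogon: every iView using 'default' now
    # requires a client certificate, without touching a single iView.
    schemes.repoint("default", "certlogon")
    after_default = schemes.must_reauthenticate("uidpwdlogon", "default")
    after_cert = schemes.must_reauthenticate("certlogon", "default")
    # returns (False, True, True, False)
    return before_default, before_high, after_default, after_cert


if __name__ == "__main__":
    print(demo())
```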

Figure 12: Accessing the authschemes.xml file using the Configuration Editor Mode

Maintaining the authschemes.xml File
● You can change the authschemes.xml file using the Configuration Editor Mode of the Config Tool. It is reloaded on the next restart of the portal. For UME to use the new file, you must change the value of the property login.authschemes.definition.file to the name of the new authschemes file.

Figure 13: Default Authentication Schemes

The SAP Enterprise Portal is shipped with default authentication schemes.

Default Authentication Schemes
● Each shipped iView template is assigned a reference to an authentication scheme. Initially, all references to authentication schemes point to the same authentication scheme (Default). If there are special authentication requirements for certain portal content (for example, iViews), custom authentication schemes can be defined. The configuration of the portal can be changed so that the references point to these custom authentication schemes.

Table 1: Authentication Schemes Shipped with SAP Enterprise Portal

Authentication Scheme | Description | Login Module Stack
uidpwdlogon | Requires form-based logon with user ID and password. Referenced by: default, UserAdminScheme | ticket
certlogon | Requires authentication using client certificates. | client_cert
basicauthentication | Uses the Basic Authentication feature of the HTTP protocol. | ticket
anonymous | Not listed in the authschemes.xml file. Provides a very basic form of anonymous logon. A logon ticket is not issued. |

Login Modules and Login Module Stacks
The authentication schemes refer to login modules or login module stacks. The definitions of login modules and login module stacks can be found in the SAP NetWeaver Administrator (NWA) under Configuration → Security → Authentication and Single Sign-On → Policy Configuration Name.

Authentication Scheme Reference Targets
● Login Module - Java class that defines the authentication logic and is used by the Java EE Engine for authentication
● Login Module Stack - group of login modules that contain different authentication logic

Some of the default login modules include:
● BasicPasswordLoginModule: Performs a JSP logon using Basic or Form authentication. That is, you use this login module to perform user authentication with user name and password.
● ClientCertificateLoginModule: Performs a certificate logon to the Java EE Engine.
● CreateTicketLoginModule: Login module to create SAP Logon Tickets after a successful logon.
● EvaluateTicketLoginModule: Login module to evaluate SAP Logon Tickets.
● SPNegoLoginModule: Used for SSO with Kerberos authentication. This login module implements the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) on the Java EE Engine. SPNEGO is a standard Generic Security Services Application Program Interface (GSS-API) pseudo-mechanism. It is used to determine which GSS-API mechanisms both communication partners share, select one of them, and then establish a security context for communication with it.
● HeaderVariableLoginModule: Login module for SSO using header variables.

Some of the default login module stacks include:

Default Login Module Stacks (excerpt)
● basic – allows for Basic Authentication
● client_cert – allows for client certificate authentication
● form – allows for form authentication
● ticket – used for creating and verifying logon tickets
● evaluation_assertion_ticket – used for verifying assertion tickets (tickets used between systems)

The order in which login modules are called during the authentication process, and the order in which a client can be authenticated to the AS Java, is defined in the SAP NetWeaver Administrator. In addition, following the JAAS specification, each module is processed according to its login module flag.

Table 2: Login Module Flags

Flag | Required to Succeed | Description
OPTIONAL | No | Authentication proceeds down the list whether the module has succeeded or failed.
REQUIRED | Yes | Authentication proceeds down the list of modules whether the module has succeeded or failed.
REQUISITE | Yes | If successful, the authentication proceeds down the list; otherwise control returns to the application – that is, the authentication does not proceed.
SUFFICIENT | No | If the authentication is successful, control returns to the application; otherwise, the authentication proceeds.
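Added example (not code from the EP200 handbook or from SAP): a Python model of the control-flag rules in Table 2, run over the login module stack that Exercise 5 later configures for SPNego (EvaluateTicketLoginModule SUFFICIENT, SPNegoLoginModule OPTIONAL, CreateTicketLoginModule SUFFICIENT, BasicPasswordLoginModule REQUISITE, CreateTicketLoginModule OPTIONAL). The module bodies, the request dictionary, the user names and the realm are constructed stand-ins; no AS Java or JAAS API is called.

```python
"""Added example (not from the EP200 handbook or SAP): the JAAS control
flags of Table 2 applied to the login module stack from Exercise 5.

Assumptions: module bodies, the request dict, user names and the realm
are constructed stand-ins; no AS Java or JAAS API is used.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]   # constructed stand-in for request/session data
State = Dict[str, str]     # shared state: who has been authenticated so far


# --- constructed module behaviours (not the real login module classes) ---
def evaluate_ticket(req: Request, state: State) -> bool:
    if req.get("logon_ticket") == "valid":          # a valid SAP Logon Ticket
        state["user"] = req.get("ticket_user", "unknown")
        return True
    return False


def spnego(req: Request, state: State) -> bool:
    if req.get("kerberos_token"):                    # Negotiate token present
        state["user"] = req["kerberos_token"].split("@")[0]
        return True
    return False


def create_ticket(req: Request, state: State) -> bool:
    # Succeeds only if an earlier module has already authenticated the user.
    if "user" in state:
        state["issued_ticket"] = "yes"
        return True
    return False


def basic_password(req: Request, state: State) -> bool:
    if req.get("password") == "correct":             # constructed placeholder check
        state["user"] = req.get("username", "unknown")
        return True
    return False


@dataclass
class Module:
    name: str
    flag: str    # OPTIONAL | REQUIRED | REQUISITE | SUFFICIENT
    run: Callable[[Request, State], bool]


# The stack from Exercise 5, in the order and with the flags listed there.
EXERCISE5_STACK: List[Module] = [
    Module("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    Module("SPNegoLoginModule", "OPTIONAL", spnego),
    Module("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    Module("BasicPasswordLoginModule", "REQUISITE", basic_password),
    Module("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]


def run_stack(stack: List[Module], req: Request) -> Tuple[bool, List[str]]:
    """Apply the Table 2 flag rules. Returns (authenticated, modules called)."""
    state: State = {}
    called: List[str] = []
    required_failed = False   # some REQUIRED or REQUISITE module failed
    any_success = False
    for m in stack:
        called.append(m.name)
        ok = m.run(req, state)
        any_success = any_success or ok
        if m.flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if m.flag == "REQUISITE":
                    return False, called       # control returns at once
        elif m.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, called            # control returns at once
        elif m.flag != "OPTIONAL":
            raise ValueError(f"unknown flag {m.flag!r} on {m.name}")
        # OPTIONAL, REQUIRED, and a failed SUFFICIENT: proceed down the list
    # End of list: every REQUIRED/REQUISITE module must have succeeded, and
    # at least one module overall must have succeeded.
    return (not required_failed) and any_success, called


def demo() -> Dict[str, Tuple[bool, int]]:
    """Four constructed requests against the Exercise 5 stack:
    (authenticated?, how many modules were called)."""
    cases = {
        "valid ticket":     {"logon_ticket": "valid", "ticket_user": "alice"},
        "kerberos token":   {"kerberos_token": "alice@EXAMPLE.REALM"},
        "correct password": {"username": "alice", "password": "correct"},
        "wrong password":   {"username": "alice", "password": "wrong"},
    }
    results = {}
    for name, req in cases.items():
        ok, called = run_stack(EXERCISE5_STACK, req)
        results[name] = (ok, len(called))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

A valid ticket short-circuits after the first module, a Kerberos token is turned into a ticket by the third, and a failed password stops the stack at the REQUISITE module before the final CreateTicketLoginModule is ever reached.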


Unit 1 Exercise 3

Analyze the Authentication Schemes

Business Example
You have been asked to check the current configuration of the authschemes.xml file.

Locate the authschemes.xml
Finding the authschemes.xml file.
1. Launch the Config Tool.
2. Navigate to the authschemes.xml file.

Caution: Do not perform any changes – this should only be done when all cluster elements of AS Java are down.

From this location, you can download the file, modify it, and upload it back into the portal. It is recommended that you use a different name. For more information, see the reference documentation for the UME property login.authschemes.definition.file.


Unit 1 Solution 3

Analyze the Authentication Schemes

Business Example
You have been asked to check the current configuration of the authschemes.xml file.

Locate the authschemes.xml
Finding the authschemes.xml file.
1. Launch the Config Tool.
   a) Log on to the operating system of your portal server.
   b) Start the Config Tool
      ● at SAP Training → → Config Tool (for the EP200 standard training servers)
      ● at :\usr\sap\\J\j2ee\configtool\configtool.bat
   c) In the Connection settings dialog box, when asked if “You want to use the default DB settings?”, choose Yes.
   d) To open the configuration editor, choose Tools → Configuration Editor or choose the Switch to configuration editor mode button. It is to the right of the other menu buttons.
2. Navigate to the authschemes.xml file.
   Caution: Do not perform any changes – this should only be done when all cluster elements of AS Java are down.
   a) On the Display Configuration tab, choose Configurations → cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → persistent.
   b) Double-click the authschemes.xml file.

From this location, you can download the file, modify it, and upload it back into the portal. It is recommended that you use a different name. For more information, see the reference documentation for the UME property login.authschemes.definition.file.


LESSON SUMMARY
You should now be able to:
● List the different user authentication options available with SAP Enterprise Portal


Unit 1 Lesson 4

Setting Up Anonymous Access

LESSON OVERVIEW
This lesson describes how to set up anonymous access to the portal. Anonymous access could be required for several reasons, but it is more likely to be a requirement for Internet access than for intranet access. You may visit http://www.wolfsburg.de and demonstrate that even as an anonymous “Guest” user it is possible to access certain areas.

Business Example
Your portal has some content that is appropriate for a group of users who do not need to go through the logon process. For example, you may have a portal that is accessed from the Internet with some specific company details that anyone may view, but also some transactional content that applies to a subset of authenticated users. Anonymous access could be an appropriate strategy for the first group of users.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● List the methods for setting up anonymous access to selected portal content
● Set up anonymous access

Anonymous Logon
Anonymous logon allows users to access the portal in anonymous mode, without providing any form of authentication. For example, if your company sets up an external portal that is accessed through the Internet, you can make anonymous content available to anyone who wants to visit the portal. Using self-registration, visitors can then register themselves as portal users.


Figure 14: Anonymous Access

The AS Java provides a form of anonymous logon with named anonymous users. Named anonymous users are users that exist either in the user data store or as service users. These users are automatically assigned to the group Anonymous Users. You can assign roles containing anonymous content to the users individually or to the group Anonymous Users. The following User Management Engine (UME) properties are relevant for anonymous logon:

Table 3: UME Configuration Settings for Anonymous Access

Property | Value | Description
ume.login.guest_user.uniqueids | List of user IDs separated by commas. The default value is Guest. | Defines which users are the named anonymous users. These users automatically belong to the default group Anonymous Users. The administrator has to create these anonymous users in the user data store.

The default URL to access an SAP Enterprise Portal anonymously is http(s)://.:/irj/portal/anonymous. In case of multiple anonymous users, by default the first user specified for ume.login.guest_user.uniqueids is evaluated; you may add ?guest_user= to that URL. The authentication scheme anonymous is shipped with SAP Enterprise Portal to support anonymous logon. You can define anonymous logon at iView level or at portal level.
● You can set up the complete portal for anonymous logon with named anonymous users.
● Alternatively, you can define an individual iView as anonymous content by:
  - Setting the value of the iView parameter authentication scheme to anonymous.
  - Ensuring that the anonymous user(s) have end user permissions for the iView.
Users can launch an anonymous iView using the direct URL for that iView without having to provide authentication.


For KM and anonymous portal access, see the How-to Guide How to Configure Anonymous Access to Knowledge Management (KM) available on the SAP Community Network, Quick Link /docs/DOC-7925.

Language Localization for Anonymous Users
Anonymous users can change their portal language by selecting a language from a dropdown list in the portal masthead. This feature must be enabled by an administrator: to enable the language dropdown list, set the Show Dropdown List in Masthead: Language Personalization for Anonymous Users property in the Masthead iView. As of SAP NetWeaver Portal 7.31, language localization for anonymous users is only available with the classic and light framework pages. This feature is covered in an exercise in Unit 7.

Note: You can restrict the set of available languages. For more information, search for Setting or Getting Available Languages in SAP online documentation.

To Set Up Anonymous Users and Content
1. Create the anonymous user(s).
2. Stop all cluster nodes of AS Java.
3. Enter the user ID of the anonymous user(s) in the User Management Engine (UME) global server property ume.login.guest_user.uniqueids.
4. Start all cluster nodes of AS Java.
5. Create a role in which, for all pages and iViews, Authentication Scheme is set to anonymous.
6. Access the content through the URL ://.:/irj/portal/anonymous for the default anonymous user (the first user in the uniqueids list), or ://.:/irj/portal/anonymous?guest_user= for a specific anonymous user with the ID UserID.


Unit 1 Exercise 4

Set Up Anonymous Access

Business Example
You have been asked to establish and test anonymous access to your portal. It is important that prospective customers have access to the marketing material on your portal.

Check predefined content and setup
Who is/are the anonymous user(s)? Which portal content is assigned to the .X-## users?
1. Which users are currently members of the Anonymous Users group?
2. Which portal roles are assigned to the .X-## users? (Note that ## is your two-digit group number.)
3. Explore the predefined content. What makes the content anonymous? Check the Authentication Scheme property of the iViews and the page.

UME Settings
Set up your portal for anonymous access. You can use either the portal or the user administration tool to perform this task.
1. Log on to your portal or to the user administration tool as user .A-##.
2. Launch the UME Configuration iView.
3. Using the Expert View, make the users .X-## and .X-(##+1) (## is your group number, ##+1 is your group number plus one) anonymous users.

Test the anonymous access
Access the anonymous gateway.
1. Open a browser session (not: browser window) and enter the URL to access the anonymous content.


Unit 1 Solution 4

Set Up Anonymous Access

Business Example
You have been asked to establish and test anonymous access to your portal. It is important that prospective customers have access to the marketing material on your portal.

Check predefined content and setup
Who is/are the anonymous user(s)? Which portal content is assigned to the .X-## users?
1. Which users are currently members of the Anonymous Users group?
   a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
   b) Log on as portal user .A-##.
   c) Choose User Administration → Identity Management.
   d) In the Search Criteria, search for Group, Built-in Groups Adapter and choose Go (without any value in the third field).
   e) Select the Anonymous Users group.
   f) Choose the Assigned Users tab in the details area below.
   g) Choose Go.
   Result: The user Guest should be (the only) member of the Anonymous Users group.
2. Which portal roles are assigned to the .X-## users? (Note that ## is your two-digit group number.)
   a) As portal user .A-##, choose User Administration → Identity Management.
   b) In the Search Criteria, search for User .X-##.
   c) Choose Go.
   d) Select the user in the list.
   e) In the Details area, choose the Assigned Roles tab.
   f) Select Search Recursively.
   g) Choose Go.
   h) Result: Via group .X, the users .X* are assigned to the portal role pcd:portal_content/EP200/InitialContent/Roles/com.sap.training.EP200.AnonRole.
3. Explore the predefined content. What makes the content anonymous? Check the Authentication Scheme property of the iViews and the page.
   a) Choose Content Administration → Portal Content Man → Portal Content.
   b) Select role pcd:portal_content/EP200/InitialContent/Roles/com.sap.training.EP200.AnonRole and choose Open → Role to see which content is included in this role.
   c) For any content object (iView or page), check the property Authentication Scheme:
      a) Select the page in the Role Content table.
      b) Choose Open.
      c) Choose the Properties tab.
      d) Choose All.
      e) Check the value for the Authentication Scheme property.
   Result: The Authentication Scheme should be set to anonymous (except for one iView on the “Mixed Content Page”).

UME Settings
Set up your portal for anonymous access. You can use either the portal or the user administration tool to perform this task.
1. Log on to your portal or to the user administration tool as user .A-##.
   a) Navigate to the portal or to the user administration tool.
      ● For the portal, navigate to http://twdfSSSS.wdf.sap.corp:5$$00/irj.
      ● For the user administration tool, navigate to http://twdfSSSS.wdf.sap.corp:5$$00/useradmin.
   b) Log on as user .A-##.
2. Launch the UME Configuration iView.
   a) In the portal, choose System Administration → System Configuration → UME Configuration. In the user administration tool, choose User Admin UI.
   b) Choose Open Expert Mode. This button is at the top right of the screen.
3. Using the Expert View, make the users .X-## and .X-(##+1) (## is your group number, ##+1 is your group number plus one) anonymous users.
   a) In the Key column, enter uniqueids in the filter row.
   b) Choose the Filter button.
   c) Choose Modify.
   d) In the Value field for ume.login.guest_user.uniqueids, replace the default value, Guest, with .X-## and .X-(##+1), separated by a comma and no spaces (example for group 10 in an EP200 class: EP200.X-10,EP200.X-11).


Hint: Make sure both users are unique and already exist in your portal.

   e) Choose Save.
   f) Choose Close Expert Mode.
   g) Restart your portal, for example using the SAP MC or SAP MMC.

Test the anonymous access
Access the anonymous gateway.
1. Open a browser session (not: browser window) and enter the URL to access the anonymous content.
   a) Enter the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal/anonymous.
   Note: In this case, the first user of parameter ume.login.guest_user.uniqueids is used. To launch the portal with another anonymous user, just add ?guest_user= to the URL.


LESSON SUMMARY
You should now be able to:
● List the methods for setting up anonymous access to selected portal content
● Set up anonymous access


Unit 1 Lesson 5

Configuring Integrated Windows Authentication (IWA)

LESSON OVERVIEW
This lesson describes an authentication mechanism that allows a user to log on to the SAP Enterprise Portal without needing to enter a user name and password on a logon form. Instead, the credentials that a user supplies when logging on to their desktop are used by the SAP NetWeaver AS Java logon process to provide a user name that can then be validated against the UME persistence store.

Though this lesson is placed in Unit 1, because of some restrictions and constraints you should cover this lesson at the very end (last day) of your class!!! It is important that Integrated Windows Authentication is not confused with using Microsoft AD as a UME persistence store and requiring the portal user to enter their Windows user name and password on the portal logon form.

Business Example
Your organization wants to make use of the Integrated Windows Authentication mechanism. In many organizations, acceptance of the SAP Enterprise Portal by the user community is dependent on making the logon process as simple as possible. This often means that the user should not have to remember another user name and password combination. In addition, the ability to make use of the information that was used to log on to the desktop as a mechanism for authenticating to the SAP Enterprise Portal can result in fewer calls to a support desk in relation to password issues, thus helping to reduce the cost of ownership.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain the use of SPNego to enable the use of Integrated Windows Authentication to log on to the portal
● Configure SPNego for Kerberos authentication

Kerberos Logon Using SPNego
Another supported logon procedure, which is of particular relevance to Windows environments, is the Kerberos logon. A Kerberos ticket is evaluated by the AS Java using the SPNegoLoginModule during the logon. SPNego stands for Simple and Protected GSS-API Negotiation Mechanism. The GSS-API (Generic Security Services API) is a standard interface for security services. However, the GSS-API is troublesome in that different implementations are incompatible with one another. Therefore, SPNego was developed as a standard for finding and using an authentication mechanism that both communication partners understand.


In Microsoft Windows, the SPNego interface is used as Integrated Windows Authentication. The actual authentication mechanism here is NTLM (NT LAN Manager) or Kerberos. The following figure clarifies the Kerberos logon process for the AS Java in combination with a Microsoft Active Directory Server (used as a Windows-Domain-Controller and Key Distribution Center (KDC)):

Figure 15: Kerberos Logon

We assume that the user has already logged on to the Windows domain successfully. The user was already identified by the Active Directory for this purpose. As a prerequisite for the logon to the AS Java, there must be some sort of assignment of the users in the AS Java to the users in the Active Directory. This works best if the UME of the AS Java uses the Active Directory as a data source via the LDAP interface. However, other scenarios are also supported. If the user, Alice, now wants to call an application in the AS Java using the web browser (step 1), the AS Java sends the HTTP error message 401 - Unauthorized and at the same time the value Negotiate in the HTTP header www-authenticate (step 2). In step 3, the browser requests a Kerberos ticket (for Alice) from the KDC to log on to the host used in step 1. The Web browser transfers the host name of the AS Java in the request. The KDC must now (in step 4) identify the service user ID (see below) for this AS Java using the transferred host name and issue a ticket that is encrypted with the secret key of the service user that is found when identification takes place. In step 5, the encrypted Kerberos ticket is then sent to the user's browser. This passes the ticket in step 6 on to the AS Java. In step 7, the AS Java decrypts the ticket using the secret key (of the service user in the KDC, see below) and the user, Alice, is authenticated. Some of the steps specified are carried out using the revised SPNego configuration tool. For more information, see SAP Note 1488409.

Required Configuration Settings for Kerberos Authentication
From the process detailed in the Kerberos logon example, the following required configuration settings for the Kerberos logon are derived:
● Configuration of the KDC
  - Setting up a service user to identify the AS Java.
  - Registering a Service Principal Name (SPN) for the host name of the AS Java and assigning it to the service user.
  The KDC can identify the service user at a later stage using the SPN. The secret key of the service user is used to encrypt the Kerberos ticket.
● Exchanging the Secret Key
  The secret key of the service user must be provided in the AS Java (keytab file) so that the encrypted Kerberos ticket can be decrypted and verified.
● Configuration of the UME
  Since the users that have logged on to the Windows domain are now going to log on to the AS Java, the UME must either know the Windows users directly, or an assignment of user IDs must be made between Windows users and UME users. You can do so, for example, by configuring the Active Directory as a data source for the UME.
● Setting up the Policy Configuration
  The logon procedure must be set up so that the SPNegoLoginModule is used.
● Setting Java VM Parameters
  The Java VM must be configured with special parameters to enable the Kerberos logon.


Unit 1 Exercise 5

Configure SPNego for Kerberos Authentication

Business Example The users in your organization log on to their desktops using a user name and password. They wish to access portal content without needing to re-enter this user name and password combination. It is understood that users need to log off from their desktop before another user will access portal content from that desktop. It is assumed that there are suitable screen saver passwords in use that require the user to re-authenticate to the desktop after a period of inactivity.

Caution: Run this lesson (and demo and exercise) at the very end (last day) of your class!!!

Note: This exercise assumes that AD has been set as the UME source for the Development (DEP) system. We will set up SPNego on the instructor’s server (twdfxxxx) and then connect the student servers (twdfyyyy) to the AD domain.

Preparation
These steps are to be done once per server, either by the DEP or the QEP group.
1. Log on to the operating system of twdfyyyy as adm.
2. Find the IP address of twdfvmCCCC.wdf.sap.corp.
3. Edit the Local Area Network properties to add the discovered IP address to the top of the DNS server list.
4. Change the Computer settings in the table and restart the computer.

Run the SPNego Wizard on the Instructor’s Portal
Hint: This task can be completed while the twdfyyyy system is restarting.
This step is done by the instructor only, as a demo on the instructor's DEP and QEP systems. Start with DEP.


1. Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:5$$00/spnego and log on as .A-##.
2. Upload the keytab file from L:\twdfxxxx--j2ee-host.keytab using the SPNego wizard.

Adjust the Logon Stack
1. Log on to the SAP NetWeaver Administrator tool.
2. Ensure that the following login modules are present in the correct sequence with the correct flags.

Login Module Name | Flag
EvaluateTicketLoginModule | SUFFICIENT
SPNegoLoginModule | OPTIONAL
CreateTicketLoginModule | SUFFICIENT
BasicPasswordLoginModule | REQUISITE
CreateTicketLoginModule | OPTIONAL

3. On the instructor’s QEP system, perform the tasks “Run the SPNego Wizard on the Instructor’s Portal” and “Adjust the Logon Stack”.

Test the Logon
The participants test the logon.
1. Log on to the twdfyyyy host as twdfxxxx__tstusr and domain adtwdfvmCCCC.demo.sap.
2. Add *.wdf.sap.corp to the IE Local intranet zone and verify that the user automatically logs on to the Local intranet zone. Verify that Integrated Windows Authentication is enabled.
3. Run the klist command to display the Kerberos credentials.
4. Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:53000/irj.

(Optional) Debug Errors
You can investigate errors using the troubleshooting wizard in the SAP NetWeaver Administrator.
1. Log on to the operating system of twdfxxxx as depadm.
2. Log on to the SAP NetWeaver Administrator tool on the Development portal.
3. Run a diagnostic test with Authentication as the incident for diagnostics.
4. On the operating system of twdfyyyy, try to log on again as twdfxxxx_dep_tstusr.
5. If the attempt to log on again fails, stop the diagnostics in the other window (on twdfxxxx) and show the collected trace.


Unit 1 Solution 5

Configure SPNego for Kerberos Authentication

Business Example The users in your organization log on to their desktops using a user name and password. They wish to access portal content without needing to re-enter this user name and password combination. It is understood that users need to log off from their desktop before another user will access portal content from that desktop. It is assumed that there are suitable screen saver passwords in use that require the user to re-authenticate to the desktop after a period of inactivity.

Caution: Run this lesson (and demo and exercise) at the very end (last day) of your class!!!

Note: This exercise assumes that AD has been set as the UME source for the Development (DEP) system. We will set up SPNego on the instructor’s server (twdfxxxx) and then connect the student servers (twdfyyyy) to the AD domain.

Preparation
These steps are to be done once per server, either by the DEP or the QEP group.
1. Log on to the operating system of twdfyyyy as adm.
2. Find the IP address of twdfvmCCCC.wdf.sap.corp.
   a) Start a command prompt.
   b) Run the command: ping twdfvmCCCC.adtwdfvmCCCC.demo.sap
   c) Take a note of the IP address.
3. Edit the Local Area Network properties to add the discovered IP address to the top of the DNS server list.
   a) Double-click the Network Connections shortcut icon on the desktop of twdfyyyy and choose Properties.
   b) Right-click the active internet connection, Ethernet 3, and choose Properties.
   c) Select the Internet Protocol Version 4 (TCP/IP) entry.
   d) Choose Properties.


Unit 1: User Administration and Authentication

   e) On the General tab, choose Advanced.
   f) Choose the DNS tab.
   g) In the DNS server addresses area, choose Add.
   h) Enter the IP address you discovered in Step 2.
   i) Choose Add.
   j) Select the new entry and move it to the top of the list.
   k) Choose OK.
   l) Close the open windows.
4. Change the Computer settings in the table and restart the computer.
   a) Right-click the Computer icon on the desktop of twdfyyyy and choose Properties.
   b) In the Computer name, domain, and workgroup settings area, choose Change settings.
   c) On the Computer Name tab, choose Change.
   d) In the Member of area, select the Domain radio button.
   e) In the Domain field, enter ADTWDFVMCCCC.DEMO.SAP.
   f) Choose OK.
   g) As User name, enter twdfyyyy_DEP_tstusr.
   h) For the Password, see the Training System Info presentation.
   i) Confirm the “Welcome to the domain” window.
   j) Confirm the “You must restart this computer....” window.
   k) Choose Yes when you are asked for a computer restart. This computer restart may take up to 15 minutes.

Run the SPNego Wizard on the Instructor’s Portal
Hint: This task can be completed while the twdfyyyy system is restarting.
This step is done by the instructor only as a demo on the instructor's DEP and QEP systems. Start with DEP.
1. Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:5$$00/spnego and log on as .A-##.
   a) Navigate to the URL http://twdfxxxx.wdf.sap.corp:5$$00/spnego.
   b) Log on as user .A-##.
2. Upload the keytab file from L:\twdfxxxx--j2ee-host.keytab using the SPNego wizard.
   a) Choose Add → Uploading Keytab File. The SPNego wizard opens.
   b) Choose Browse and navigate to L:\twdfxxxx--j2ee-host.keytab.


Lesson: Configuring Integrated Windows Authentication (IWA)

   c) Choose Open.
   d) Choose Next.
   e) On the Realm screen, choose Next.
   f) On the Keys screen, select the checkbox for key code 23 (RC4-HMAC).
   g) Choose Next.
   h) On the User Mapping screen, in the Mapping Mode field, select Principal only from the dropdown list.
   i) In the Source field, select Logon ID from the dropdown list.
   j) Choose Finish.
   k) On the Kerberos Realms page, choose Enable.

Adjust the Logon Stack
1. Log on to the SAP NetWeaver Administrator tool.
   a) Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:5$$00/nwa.
   b) Log on as user .A-##.
2. Ensure that the following Login Modules are present in the correct sequence with the correct flags.

   Login Module Name            Flag
   EvaluateTicketLoginModule    SUFFICIENT
   SPNegoLoginModule            OPTIONAL
   CreateTicketLoginModule      SUFFICIENT
   BasicPasswordLoginModule     REQUISITE
   CreateTicketLoginModule      OPTIONAL

   a) Within the SAP NetWeaver Administrator tool, choose Configuration → Authentication and Single Sign-on → Authentication → Components.
   b) In the table, select ticket.
   c) Ensure the Login Modules in the table above are present in the correct sequence with the correct flags. Choose Edit and use the Add, Move Up, and Move Down buttons to create the correct arrangement in the Login Modules table.
   d) Save your changes.
3. On the instructor’s QEP system, perform the tasks “Run the SPNego Wizard on the Instructor’s Portal” and “Adjust the Logon Stack”.

Test the Logon
The participants test the logon.
1. Log on to the twdfyyyy host as twdfxxxx__tstusr and domain adtwdfvmCCCC.demo.sap.


   a) Log on to the twdfyyyy host as adtwdfvmCCCC.demo.sap\twdfxxxx__tstusr with the password provided by the instructor.
2. Add *.wdf.sap.corp to the IE's Local intranet zone and verify that the user automatically logs on to the Local intranet zone. Verify that the Integrated Windows Authentication is enabled.
   a) Launch Internet Explorer and navigate to Tools → Internet Options → Security → Local intranet → Sites → Advanced.
   b) Enter the zone *.wdf.sap.corp and choose Add.
   c) Choose Close.
   d) Choose OK.
   e) For the Local intranet zone, press Custom Level. Scroll down to the User Authentication area and make sure that the option Automatic logon only in Intranet zone is selected.
   f) Now navigate to Tools → Internet Options → Advanced and make sure that in the Security area the option Enable Integrated Windows Authentication is selected.
   g) Restart the IE.
3. Run the Klist command to display the Kerberos credentials.
   a) Start a command prompt.
   b) Run the command: Klist
4. Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:53000/irj.
   a) Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:53000/irj. You should be logged on without needing to enter a user name and password. As your twdfxxxx_dep_tstusr does not have any portal roles, you will get an error that there are no roles assigned to the user. This can be solved by using the useradmin tool on twdfxxxx DEP to add one or more roles to the user. Refreshing the browser should then provide some useful content.

(Optional) Debug Errors
You can investigate errors using the troubleshooting wizard in the SAP NetWeaver Administrator.
1. Log on to the operating system of twdfxxxx as depadm.
   a) Log on to the operating system of twdfxxxx as depadm.
2. Log on to the SAP NetWeaver Administrator tool on the Development portal.
   a) Navigate to the following URL: http://twdfxxxx.wdf.sap.corp:5xx00/nwa.
   b) Log on as user .A-##.
3. Run a diagnostic test with Authentication as the incident for diagnostics.
   a) Within the SAP NetWeaver Administrator tool, choose Troubleshooting → Logs and Traces → Security Troubleshooting Wizard.
   b) In the Select Incident for Authentication field, select Authentication from the dropdown list.
   c) Choose Start Diagnostics.


   d) Leave this screen open.
4. On the operating system of twdfyyyy, try to log on again as the twdfxxxx_dep_tstusr.
5. If the attempt to relogon fails, stop the diagnostics on the other window (on twdfxxxx) and show the collected trace.
   a) Return to the Security Troubleshooting Wizard on twdfxxxx.
   b) Choose Stop Diagnostics.
   c) Choose the link for the collected trace.
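The login stack configured in “Adjust the Logon Stack” only works as intended because of its JAAS control flags. The following Python model is an added example (not SAP code): the module bodies, the credential store and the sample requests are constructed stand-ins, and only the module order and flags come from the task table. It shows why a domain-joined browser is logged on by SPNegoLoginModule without a password prompt while other clients fall back to BasicPasswordLoginModule, and, going beyond the page, what happens when SPNego is made REQUISITE instead of OPTIONAL.

```python
"""Model of the AS Java 'ticket' login stack from the task 'Adjust the Logon Stack'.

Added example, not SAP code: module bodies, credential store and requests are
constructed; only the module order and the JAAS flags come from the lesson.
"""
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
State = Dict[str, str]          # JAAS shared state handed down the stack
Module = Callable[[Request, State], bool]

# Constructed credential store for BasicPasswordLoginModule (not on the page).
PASSWORDS = {"twdfxxxx_dep_tstusr": "Tr@ining-only"}


def evaluate_ticket(req: Request, state: State) -> bool:
    """EvaluateTicketLoginModule: accept an existing SAP logon ticket (MYSAPSSO2)."""
    user = req.get("ticket_user")
    if not user:
        return False
    state["user"] = user
    return True


def spnego(req: Request, state: State) -> bool:
    """SPNegoLoginModule: accept a Kerberos token from the Negotiate header.

    Mapping Mode 'Principal only' with Source 'Logon ID' (the wizard settings
    in the lesson) maps 'name@REALM' to the UME logon ID 'name'.
    """
    principal = req.get("kerberos_principal")
    if not principal:
        return False
    state["user"] = principal.split("@", 1)[0]
    return True


def create_ticket(req: Request, state: State) -> bool:
    """CreateTicketLoginModule: issue a logon ticket for an already authenticated user."""
    if "user" not in state:
        return False
    state["ticket_issued"] = "yes"
    return True


def basic_password(req: Request, state: State) -> bool:
    """BasicPasswordLoginModule: user name and password against the constructed store."""
    user = req.get("user", "")
    if user and PASSWORDS.get(user) == req.get("password"):
        state["user"] = user
        return True
    return False


# Order and flags exactly as in the table of the task 'Adjust the Logon Stack'.
TICKET_STACK: List[Tuple[Module, str]] = [
    (evaluate_ticket, "SUFFICIENT"),
    (spnego, "OPTIONAL"),
    (create_ticket, "SUFFICIENT"),
    (basic_password, "REQUISITE"),
    (create_ticket, "OPTIONAL"),
]

# Variant beyond the page: SPNego as REQUISITE locks out every client that
# cannot present a Kerberos token, because there is no password fallback.
STRICT_STACK: List[Tuple[Module, str]] = [
    (evaluate_ticket, "SUFFICIENT"),
    (spnego, "REQUISITE"),
    (create_ticket, "OPTIONAL"),
]


def run_stack(stack: List[Tuple[Module, str]], req: Request) -> Tuple[Optional[str], List[str]]:
    """Apply the JAAS control-flag rules; return (logon ID or None, trace of module results).

    REQUIRED/REQUISITE must succeed (REQUISITE aborts at once on failure),
    SUFFICIENT ends the walk successfully unless a required module failed
    earlier, and OPTIONAL never decides the outcome on its own.
    """
    state: State = {}
    trace: List[str] = []
    required_failed = False
    any_success = False
    has_required = any(flag in ("REQUIRED", "REQUISITE") for _, flag in stack)
    for module, flag in stack:
        ok = module(req, state)
        trace.append(f"{module.__name__}[{flag}]={'ok' if ok else 'fail'}")
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                return None, trace
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return state["user"], trace
    if required_failed:
        return None, trace
    if has_required or any_success:
        return state.get("user"), trace
    return None, trace
```

The trace returned for each request is what the Security Troubleshooting Wizard shows per login module; compare it with the collected trace from the debugging task above.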


Related Information: SPNego for Kerberos Authentication
● SAP NetWeaver 7.4 online documentation, path SAP NetWeaver Platform → SAP NetWeaver 7.4 → Function-Oriented View → Security → User Authentication and Single Sign-On → Authentication Concepts → Authentication for Web-Based Access → Kerberos Authentication
● SAP Note 968191: SPNego: Central Note
● SAP Note 1457499: SPNego add-on
● SAP Note 1488409: New SPNego Implementation
● SAP Note 1332726: Troubleshooting Wizard
● SAP Note 1045019: Web diagtool for collecting traces
● SAP Note 1753413: Configuring authentication stacks to use SPNego in NWA (7.3)
● Detailed information about Kerberos: http://web.mit.edu/kerberos/
● Kerberos under Windows:
  - http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx
  - http://msdn.microsoft.com/en-us/library/ms995329.aspx


LESSON SUMMARY
You should now be able to:
● Explain the use of SPNego to enable the use of Windows Integrated authentication to log on to the portal
● Configure SPNego for Kerberos authentication


Unit 1 Lesson 6

Performing User Administration and Self-Registration Tasks

LESSON OVERVIEW
This lesson introduces the concept of companies to user management to facilitate delegated user administration within an organization, plus the ability to allow for self-registration to a portal by users in a controlled manner. In combination with those topics, you will learn how to set up the UME to send notification e-mails.

Delegated user administration is useful in a large organization where there are a number of easily identified groups of users who need to be managed. These groups are given an attribute named “company”, which is the logical separation of the users. A user can belong to only one company at a time, so some care is required. The term “company” may be confusing – it's from early UME times (note that it was originally developed for SAP Markets). Nowadays, something like “field of responsibility” would fit better.

To ensure that the exercises are not too long for the students, you may demonstrate the exercise task “E-Mail Infrastructure and Configuration” at the start of the lesson and let the students run it also.

Business Example
Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users. For example, you can designate one user administrator for each business area in your company. Each user administrator can only create, modify, and delete users in the business area that they are responsible for.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Define a company group
● Perform user administration and self-registration tasks

Company Group
A company is an attribute in a user’s profile. Every user belongs to one company only. A company is not the same thing as a user group. However, for each company, the UME automatically generates a corresponding company group. A company group contains all the users assigned to a specific company. Company groups are determined dynamically at runtime and are not stored in the user data source (LDAP directory or database).


Figure 16: Company Groups

After you activate companies by setting the corresponding UME properties and restarting AS Java, the company groups are automatically displayed on the user interface, and you can assign users and roles to them. If you deactivate companies, the company groups are no longer displayed. Company groups are named as follows:

Company Group Names
● If you retrieve the company information from a back-end system, such as SAP Enterprise Buyer (SAP EB), the company group is called: Company CompanyName (CompanyId)
● If you use the simple implementation of companies, where ume.tpd.imp.class=com.sap.security.core.tpd.SimpleTPD, the company group is called: Company CompanyName (STPD_CompanyName)

There is a guest user company group for users who do not belong to a company. This group has the following default name: GUEST_USERS_COMPANY (Company Guest Users).

Company groups make it easier to administer companies. To assign a user to a company, you can either assign the user to a company in the user’s profile, or you can assign the user to the group associated with that company. You can assign roles to company groups, making it easy to assign a role to all members of a particular company. The following constraints apply:

Company Group Constraints
● You can assign company groups to other groups, but you cannot assign other groups to company groups.
● You cannot delete or change the names of company groups within the Identity Management UI.

Companies enable collaboration scenarios where users from more than one company work together or access a common portal. They can also be used to define sets of users, thus providing a form of delegated administration. Companies also allow for self-registration with an approval workflow.


Options for Setting Up a Company Group
By default, companies are not activated. You activate them by setting UME properties. When you activate companies, a group is automatically created for each company.

Figure 17: Company Parameters

There are two options for defining which companies are available for users:

Options for Defining Companies
● You can retrieve the company information from a back-end system using a custom implementation of the Trading Partner Directory interface.
● For scenarios with few companies, you can configure none, one, or more companies in the property ume.tpd.companies in UME properties. Using this option, you have the following scenarios:
  - No companies: ume.tpd.companies=0
  - One company and guest users: ume.tpd.companies=1
  - Companies internal, external, and guest users: ume.tpd.companies=2
  - Two or more listed companies: ume.tpd.companies=[list of companies separated by commas]

A guest company can be activated through the properties ume.company_groups.guestusercompany.enabled and ume.company_groups.guestusercompany.name.

Self-Registration with Approval
Self-registration means that new users can register themselves at logon. If you have not configured user management to use companies, these users do not require approval and are full users immediately after registration. If you have configured user management to use companies, these users are guest users. If they specify a company in their registration request, their request has to be approved by a user administrator. After approval, they have the status of company users. This provides an effective workflow for approving new users. To use self-registration with approval, the following user management properties must be set:

Self-Registration Parameters






● ume.admin.selfreg_company=TRUE
● Assign the UME action UME.Selfregister_User to a role assigned to the group Anonymous Users.

A new user fills in a form to register as a user. A guest user account is created. If the user selected a company during registration, the user administrator for this company must approve the user’s registration. Until the user is approved, it has guest user status. Rejected users are not removed from the system. They keep the status of guest users and are not assigned to a company.

Figure 18: Self-Registration Process

Approval is only necessary if users register themselves as company users. When a user administrator creates a company user, no further approval is necessary. After self-registration, users receive a confirmation of registration to the E-Mail address they entered during registration. User administrators can approve or reject users by choosing New User Requests in the user administration console.

Delegated User Administration
Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users. For example, you can designate one user administrator for each business area in your company. Each user administrator can only create, modify, and delete users in the business area that they are responsible for.


Figure 19: Delegated User Administration

You use companies to implement a simple form of delegated user administration. By assigning users to companies, you divide them up into administrative sets. One or more administrators are responsible for managing the users in each company. In delegated administration, we distinguish between overall user administrators and delegated user administrators:
● Overall user administrators can add, modify, and delete users of all companies. They can create and administer delegated user administrators and assign them appropriate roles and permissions. In addition, the following tasks can only be performed by an overall user administrator:
  - Group management
  - Role management with permissions to assign all roles to all users and groups
  - User mapping (SAP Enterprise Portal only)
  - Import and export of user data
  In the portal, overall user administrators are all administrators who are assigned to the Super Administration or User Administration role. In all other cases, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.
● Delegated user administrators can add, modify, and delete users that belong to the same company as the delegated user administrator. When they search for users, only users in their company are displayed. They cannot perform any actions involving groups.

Hint: In the SAP Enterprise Portal, delegated user administrators can only assign roles to their company users. They cannot assign roles to groups. They can only assign portal roles for which they have the Role Assigner permission. They do not need to have any Administrator or End User permissions for the role.


In the portal, delegated user administrators are all administrators who are assigned to the Delegated User Admin role. In all other cases, delegated user administrators must belong to a role to which the UME.Manage_Users action is assigned.

Caution: On no account should you assign the UME.Manage_Roles action to a delegated user administrator. This action allows users to assign roles using the UME web-based tool. Since the web-based tool does not check for the Role Assigner portal permission, users can assign themselves any role if they have the UME.Manage_Roles action. For example, a delegated user administrator could assign herself or himself the Administrator role and would then have full administrator authorizations.

There are a few constraints regarding companies:
● Each user can belong to only one company. This also means that each delegated user administrator can belong to only one company; therefore, they cannot administer more than one company.
● It is not possible to have a hierarchy of companies. As a result, you cannot have a hierarchy of user administrators.

Figure 20: Role Assigner Permission

The Role Assigner permission setting is available for role objects. It allows you to determine which portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool. The Role Assigner permission can also be set on folders in the Portal Catalog (only for subfolders under the root Portal Content folder). This setting is, however, only valid for role objects that inherit their permissions from the folder they reside in.
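The rules spelled out in this lesson (one company per user, company groups derived at runtime with the SimpleTPD naming scheme, the company-scoped user search of a delegated user administrator, the Role Assigner check of the Role Assignment tool, and the UME.Manage_Roles caution) modelled as an added Python example. This is not SAP code: all users, companies, roles and ACL entries are constructed, and the last function is an audit that flags the misconfiguration the caution warns about.

```python
"""Model of UME companies and delegated user administration as described in this lesson.

Added example, not SAP code: users, companies, roles and ACL entries are
constructed; the rules being modelled come from the lesson text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MANAGE_ALL = "UME.Manage_All"
MANAGE_USERS = "UME.Manage_Users"
MANAGE_ROLES = "UME.Manage_Roles"
GUEST_GROUP = "GUEST_USERS_COMPANY (Company Guest Users)"


@dataclass
class User:
    logon_id: str
    company: Optional[str] = None                      # at most one company per user
    roles: Set[str] = field(default_factory=set)


@dataclass
class Role:
    name: str
    actions: Set[str] = field(default_factory=set)         # UME actions
    role_assigners: Set[str] = field(default_factory=set)  # portal ACL: Role Assigner


def company_group(user: User) -> str:
    """SimpleTPD naming from the lesson: 'Company <name> (STPD_<name>)'; guests apart."""
    if user.company is None:
        return GUEST_GROUP
    return f"Company {user.company} (STPD_{user.company})"


def company_groups(users: List[User]) -> Dict[str, List[str]]:
    """Company groups are computed at runtime, not stored: rebuild them from the users."""
    groups: Dict[str, List[str]] = {}
    for user in users:
        groups.setdefault(company_group(user), []).append(user.logon_id)
    return groups


class UME:
    def __init__(self, users: List[User], roles: List[Role]) -> None:
        self.users = {u.logon_id: u for u in users}
        self.roles = {r.name: r for r in roles}

    def actions_of(self, admin: User) -> Set[str]:
        return set().union(*(self.roles[r].actions for r in admin.roles if r in self.roles))

    def is_overall_admin(self, admin: User) -> bool:
        return MANAGE_ALL in self.actions_of(admin)

    def is_delegated_admin(self, admin: User) -> bool:
        return MANAGE_USERS in self.actions_of(admin) and not self.is_overall_admin(admin)

    def search_users(self, admin: User) -> List[str]:
        """Overall administrators see everyone; delegated ones only their own company."""
        if self.is_overall_admin(admin):
            return sorted(self.users)
        if self.is_delegated_admin(admin):
            return sorted(u.logon_id for u in self.users.values() if u.company == admin.company)
        return []

    def assign_role(self, admin: User, target_id: str, role_name: str) -> bool:
        """Assignment as the portal Role Assignment tool enforces it: the target must be
        visible to the administrator, and a delegated administrator needs Role Assigner."""
        if target_id not in self.search_users(admin) or role_name not in self.roles:
            return False
        if not self.is_overall_admin(admin) and admin.logon_id not in self.roles[role_name].role_assigners:
            return False
        self.users[target_id].roles.add(role_name)
        return True


def audit_delegated_admins(ume: UME) -> List[str]:
    """Flag delegated administrators holding UME.Manage_Roles: the UME web tool does not
    check Role Assigner, so such an administrator could assign any role to anyone."""
    return [
        f"{u.logon_id} holds {MANAGE_ROLES} via roles {sorted(u.roles)}"
        for u in ume.users.values()
        if ume.is_delegated_admin(u) and MANAGE_ROLES in ume.actions_of(u)
    ]


def build_sample() -> UME:
    """Constructed data shaped like the exercise: an overall admin, a delegated admin for
    CompA, self-registered users, a guest without company, and one misconfigured admin."""
    roles = [
        Role("user_admin_role", {MANAGE_ALL}),
        Role("delegated_user_admin_role", {MANAGE_USERS}),
        Role("delegated_plus_roles", {MANAGE_USERS, MANAGE_ROLES}),  # the misconfiguration
        Role("eu_role", set(), role_assigners={"ep200.d-01"}),
    ]
    users = [
        User("ep200.a-01", "CompC", {"user_admin_role"}),
        User("ep200.d-01", "CompA", {"delegated_user_admin_role"}),
        User("ep200.r-01", "CompA"),
        User("ep200.r-02", "CompB"),
        User("ep200.g-01"),                                           # guest: no company
        User("ep200.d-02", "CompB", {"delegated_plus_roles"}),
    ]
    return UME(users, roles)
```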


Unit 1 Exercise 6

Perform Set-Up Tasks for Delegated User Administration and Self-Registration

Business Example
You have been asked to set up your portal so partners can perform their own user administration.

UME Configuration
Configuring the UME for Companies and Self-Registration.
1. Stop your AS Java using the SAP MMC.
2. Using the Configuration Tool, configure some companies (for example, CompA, CompB, CompC, as a comma separated list with no spaces). When done, do not start your AS Java.
3. Using the Configuration Tool, establish self-registration including companies. When done, start your AS Java.
4. Ensure that the Enable Self-Registration for Companies checkbox is selected in the System Administration work center of the portal.

Prepare a Delegated User Administrator
Preparing a user for delegated user administration and setting up an ACL.
1. In the exercise “Microsoft Active Directory Server (AD) as UME Data Source” you should have created a portal user with the naming convention SSSS.D-## and an E-Mail address with the format .A-##@training.sap.com. If you have not created this “delegated” user, create it now.
2. Make the portal user SSSS.D-## a delegated user administrator for one of the companies (for example, CompA) you just created.
3. Assign your delegated admin user SSSS.D-## the right to assign the Standard User Role (eu_role).

Configure Self-Registration and Self-Management
Creating UME roles with certain actions for self-registration and self-management purposes.
1. Create a UME role SelfReg## and assign the UME action Selfregister_User. Assign this role to the Anonymous Users group.
   Note: UME actions are covered later in this class in more detail.
2. Create a UME role SelfMgmt## and assign the UME action Manage_My_Profile. Assign this role to the Authenticated Users group.


Test the Scenario
Registering a new user for a company, approving the user and checking the E-Mails sent.
1. Register to your portal as user SSSS.R-## (R for self“r”egistered) and apply for membership of the company you chose for your delegated user administrator. For the E-Mail address, enter the existing mailbox .A-##@training.sap.com.
2. As delegated portal user SSSS.D-##, approve the new user request.
3. As portal user SSSS.D-##, assign the eu_role role to the new user.
4. Log on to the portal using the SSSS.R-## user. The self-registered user should have access to the content provided by the eu_role role.


Unit 1 Solution 6

Perform Set-Up Tasks for Delegated User Administration and Self-Registration

Business Example
You have been asked to set up your portal so partners can perform their own user administration.

UME Configuration
Configuring the UME for Companies and Self-Registration.
1. Stop your AS Java using the SAP MMC.
2. Using the Configuration Tool, configure some companies (for example, CompA, CompB, CompC, as a comma separated list with no spaces). When done, do not start your AS Java.
   a) Verify that your AS Java is stopped.
   b) Depending on your server type, launch the Configuration Tool at
      ● the Windows toolbar entry SAP Training → → Config Tool (for EP200 standard images) or
      ● start file :\usr\sap\\J\j2ee\configtool\configtool.bat
   c) In the Connection settings dialog box, choose Yes when asked if “You want to use the default DB settings?”.
   d) To open the configuration editor, choose Tools → Configuration Editor or choose the Switch to configuration editor mode button. It's to the right of the other menu buttons.
   e) Choose cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service.
   f) Switch to edit mode. It's to the left of the other menu buttons.
   g) Choose Yes when presented with the warning in the Switch to edit mode dialog box.
   h) Double-click Propertysheet properties.
   i) Double-click the ume.tpd.companies property.
   j) Enter the Custom-value as a comma separated list with no spaces (suggestion: CompA,CompB,CompC).
   k) Choose Apply custom.
   l) Verify that the ume.tpd.imp.class property has the (default) value com.sap.security.core.tpd.SimpleTPD. Keep your AS Java stopped.


3. Using the Configuration Tool, establish self-registration including companies. When done, start your AS Java.
   a) We continue modifying properties in the Propertysheet properties file.
   b) Double-click the ume.admin.selfreg_company property.
   c) Enter the Custom-value as true.
   d) Choose Apply custom.
   e) Double-click the ume.company_groups.enabled property.
   f) Enter the Custom-value as true.
   g) Choose Apply custom.
   h) Double-click the ume.company_groups.guestusercompany_enabled property.
   i) Enter the Custom-value as true.
   j) Choose Apply custom.
   k) To save your changes, in the Change Configuration dialog box, choose OK.
   l) Start your AS Java, for example, using the SAP MC or SAP MMC.
4. Ensure that the Enable Self-Registration for Companies checkbox is selected in the System Administration work center of the portal.
   a) Log on to the portal with the .A-## user.
   b) Choose System Administration → System Configuration → UME Configuration → User Admin in UI.
   c) Ensure that the Enable Self-Registration of Guest Users checkbox is selected.
   d) Ensure that the Enable Self-Registration for Companies checkbox is selected.

Prepare a Delegated User Administrator
Preparing a user for delegated user administration and setting up an ACL.
1. In the exercise “Microsoft Active Directory Server (AD) as UME Data Source” you should have created a portal user with the naming convention SSSS.D-## and an E-Mail address with the format .A-##@training.sap.com. If you have not created this “delegated” user, create it now.
   a) See the task “Testing the Changes” of exercise “Microsoft Active Directory Server (AD) as UME Data Source”.
2. Make the portal user SSSS.D-## a delegated user administrator for one of the companies (for example, CompA) you just created.
   a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
   b) Log on to the portal with the .A-## user.
   c) Choose User Administration → Identity Management.
   d) With User as the first of the search criteria, search for the user SSSS.D-##.
   e) Select the user SSSS.D-##.


   f) Choose Modify to enter the change mode.
   g) On the General Information tab, search for and select the desired company (suggestion: CompA).
      Hint: You can use the F4 help for the Company field. In the dialog box, choose Go to see all available companies.
   h) Choose the Assigned Roles tab.
   i) In the Available Roles area, search for the role delegated_user_admin_role (ID pcd:portal_content/administrator/user_admin/delegated_user_admin_role) and assign it to the new user by selecting it and choosing Add.
   j) Save the changes.
3. Assign your delegated admin user SSSS.D-## the right to assign the Standard User Role (eu_role).
   a) As portal user .A-##, choose Content Administration → Portal Content Management → Portal Content.
   b) In the Portal Content Catalog, navigate to the Standard User Role pcd:portal_content/every_user/general/eu_role (at Portal Content → Portal Users → Standard Portal Users).
   c) Right-click on the Standard User Role and choose Open → Permissions.
   d) Search for your SSSS.D-## user.
   e) Select the SSSS.D-## user.
   f) To have the user added to the Assigned Permissions list, choose Add.
   g) In the Assigned Permissions area, assign the following permissions:

      Permission       Setting
      Administrator    None
      End User         Not selected
      Role Assigner    Selected

   h) Save your changes.
   i) Confirm the dialog box and close.

Configure Self-Registration and Self-Management
Creating UME roles with certain actions for self-registration and self-management purposes.
1. Create a UME role SelfReg## and assign the UME action Selfregister_User. Assign this role to the Anonymous Users group.
   Note: UME actions are covered later in this class in more detail.


   a) As portal user .A-##, choose User Administration → Identity Management.
   b) Change to the Role view by selecting it as the first of the search criteria.
   c) Choose Create Role.
   d) On the General Information tab, enter SelfReg## as Unique Name.
   e) On the Assigned Actions tab (area Available Actions), search for the action Selfregister_User of application UME.
   f) Assign this action to your new UME role by selecting the action and choosing Add.
      Hint: You can search for the application name (for example, UME) or the action name (for example, self).
   g) On the Assigned Groups tab (area Available Groups), search for the Anonymous Users group.
   h) Assign this group to your new UME role by selecting the group and choosing Add.
   i) Save the new UME role SelfReg##.
2. Create a UME role SelfMgmt## and assign the UME action Manage_My_Profile. Assign this role to the Authenticated Users group.
   a) As portal user .A-##, navigate to User Administration → Identity Management.
   b) Change to the Role view by selecting it as the first of the search criteria.
   c) Choose Create Role.
   d) On the General Information tab, enter SelfMgmt## as Unique Name.
   e) On the Assigned Actions tab (area Available Actions), search for the action Manage_My_Profile of application UME.
   f) Assign this action to your new UME role by selecting the action and choosing Add.
   g) On the Assigned Groups tab (area Available Groups), search for the Authenticated Users group.
   h) Assign this group to your new UME role by selecting the group and choosing Add.
   i) Save the new UME role SelfMgmt##.

Test the Scenario
Registering a new user for a company, approving the user and checking the E-Mails sent.
1. Register to your portal as user SSSS.R-## (R for self“r”egistered) and apply for membership of the company you chose for your delegated user administrator. For the E-Mail address, enter the existing mailbox .A-##@training.sap.com.
   a) In the browser, choose File → New session and launch the URL of your portal.


Hint: You may start the Mozilla Firefox browser on the portal server to do so.

   b) On the welcome screen, follow the Register Now... link.
   c) Fill out the fields (at least the mandatory ones) on the Personal information tab and choose Proceed with Registration when you are done.
      Note:
      ● Logon ID: SSSS.R-##
      ● E-mail: ep200.a-##@training.sap.com
      ● The Password has to meet the requirements of the UME and the data source (here: Microsoft AD Server).
      ● For the Company, choose a company that is the responsibility of your delegated user administrator (for example, CompA).

   At the end of the process, you should receive a success message on the Confirmation tab.
2. As delegated portal user SSSS.D-##, approve the new user request.
   a) Log on to your portal using the SSSS.D-## user.
   b) Navigate to Delegated User Administration → Identity Management. Note that in the User view, the company of the delegated user administrator is already displayed and cannot be changed.
   c) Open the Advanced Search.
   d) On the Frequently-Used Information tab, select the Unapproved Users checkbox.
   e) When you start a Search now, the user SSSS.R-## is listed.
   f) Select the user SSSS.R-## and choose Approve.
   g) Enter any message text and choose the Approve button below the text field.
3. As portal user SSSS.D-##, assign the eu_role role to the new user.
   a) We continue modifying the user SSSS.R-## in the Identity Management iView.
   b) Select the user SSSS.R-##.
   c) Enter the change mode by choosing Modify.
   d) Choose the Assigned Roles tab.
   e) When you search for Available Roles, you should only find pcd:portal_content/every_user/general/eu_role. Select this role and choose Add.
   f) Save the user record.
4. Log on to the portal using the SSSS.R-## user.


The self-registered user should have access to the content provided by the eu_role role.


LESSON SUMMARY
You should now be able to:
● Define a company group
● Perform user administration and self-registration tasks


Unit 1 Learning Assessment

1. Match the hierarchy model with its key characteristic.
   Match the item in the first column to the corresponding item in the second column.
   First column:
   - Flat hierarchy
   - Deep hierarchy
   Second column:
   - A user can be a member of more than one group.
   - A user can be a member of only one group and its supergroups.

2. Match the authentication option with its description.
   Match the item in the first column to the corresponding item in the second column.
   First column:
   - Basic authentication
   - Anonymous logon
   - Header variable authentication
   Second column:
   - The user does not have to provide any form of authentication.
   - The user provides a user ID and password for authentication.
   - User authentication is delegated to any external product that authenticates the user and returns an authenticated user ID as part of the HTTP header.

3. Which of the following authentication schemes does not issue a logon ticket?
   Choose the correct answer.
   [ ] A certlogon
   [ ] B uidpwdlogon
   [ ] C basicauthentication
   [ ] D anonymous


4. Within which of the following elements of the Classic Framework Page do you edit a property so that anonymous users can choose their portal language? Choose the correct answer.
A Page Title Bar
B Masthead iView
C Top-Level Navigation
D Tool Area

5. Stages in the Kerberos logon process. Arrange these steps into the correct sequence.
__ The AS Java decrypts the ticket using the secret key of the service user in the KDC.
__ The browser requests a Kerberos ticket for the user from the KDC to log on to the host that was used initially.
__ The encrypted Kerberos ticket is then sent to the user's browser.
__ The KDC identifies the service user ID for this AS Java using the transferred host name and issues a ticket that is encrypted with the secret key of the service user found during identification.

6. Company groups are stored in the user data source. Determine whether this statement is true or false.
True
False

7. How many companies can a user belong to? Choose the correct answers.
A Four
B One
C Unlimited number
D None

8. Why must the UME.Manage_Roles action not be assigned to a delegated user administrator?


Unit 1 Learning Assessment - Answers

1. Match the hierarchy model with its key characteristic. Match the item in the first column to the corresponding item in the second column.
Flat hierarchy: A user can be a member of more than one group.
Deep hierarchy: A user can be a member of only one group and its supergroups.

2. Match the authentication option with its description. Match the item in the first column to the corresponding item in the second column.
Basic authentication: The user provides a user ID and password for authentication.
Anonymous logon: The user does not have to provide any form of authentication.
Header variable authentication: User authentication is delegated to an external product that authenticates the user and returns an authenticated user ID as part of the HTTP header.

3. Which of the following authentication schemes does not issue a logon ticket? Choose the correct answer.
A certlogon
B uidpwdlogon
C basicauthentication
D anonymous


4. Within which of the following elements of the Classic Framework Page do you edit a property so that anonymous users can choose their portal language? Choose the correct answer.
A Page Title Bar
B Masthead iView
C Top-Level Navigation
D Tool Area

5. Stages in the Kerberos logon process. Arrange these steps into the correct sequence.
1 The browser requests a Kerberos ticket for the user from the KDC to log on to the host that was used initially.
2 The KDC identifies the service user ID for this AS Java using the transferred host name and issues a ticket that is encrypted with the secret key of the service user found during identification.
3 The encrypted Kerberos ticket is then sent to the user's browser.
4 The AS Java decrypts the ticket using the secret key of the service user in the KDC.

6. Company groups are stored in the user data source. Determine whether this statement is true or false.
True
False

7. How many companies can a user belong to? Choose the correct answers.
A Four
B One
C Unlimited number
D None


8. Why must the UME.Manage_Roles action not be assigned to a delegated user administrator?
This action allows users to assign roles using the UME web-based tool. Since the web-based tool does not check for the Role Assigner portal permission, users who have the UME.Manage_Roles action can assign themselves any role. For example, a delegated user administrator could assign herself or himself the Administrator role and would then have full administrator authorizations.


UNIT 2

Portal Authorization

Lesson 1: Describing Delegated Content Administration Tasks (page 92)
Exercise 7: Assign Permissions on PCD Objects (page 107)
Lesson 2: Setting Permissions on Security Zones (page 111)
Exercise 8: Set Permissions on Security Zones (page 119)
Lesson 3: Setting Permissions on Portal Applications (page 126)
Exercise 9: Set Permissions on Portal Applications (page 129)
Lesson 4: Describing UME Actions (page 133)
Exercise 10: Analyze UME Actions (page 143)

UNIT OBJECTIVES
● Describe delegated content administration
● Describe the permission levels for access control lists
● Set permissions
● Reset permissions to objects
● Describe the structure of the Portal Catalog
● Assign permissions on Portal Content Directory (PCD) objects using delegated content administration
● Describe security zones
● Set permissions on security zones
● Grant access to portal components for content administration activities
● Describe UME actions

Unit 2 Lesson 1

Describing Delegated Content Administration Tasks

LESSON OVERVIEW This lesson discusses the concept of delegated administration in SAP Enterprise Portal. This lesson deals with the principles of delegated administration. Your participants will not get a “recipe” for their specific company demands on how to implement delegated content administration in their Enterprise Portal.

Business Example
You need an overview of the concept of delegated content administration because you will be responsible for its implementation in your Enterprise Portal.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe delegated content administration
● Describe the permission levels for access control lists
● Set permissions
● Reset permissions to objects
● Describe the structure of the Portal Catalog
● Assign permissions on Portal Content Directory (PCD) objects using delegated content administration

Delegated Administration
Delegated administration is the process of distributing the various administrative tasks and content in the portal to one or more administrators or groups of administrators. Delegated administration provides the following benefits:
● Usability:
- Organize the administration framework according to your business scenario
- Manage large-scale portal implementations
● Security:
- Provide a secure environment for change
The administrative work may be delegated by type of work. Task lists are based on worksets and can be modified as required to meet customer needs.


Delegated Content Administration
The content in the Portal Catalog is organized in a hierarchical folder structure. The structure can be customized and typically reflects your business environment, thus enabling the delegation of content and administration tools to members of your organization through permission assignments. Through hierarchical inheritance, permissions are passed from one object to another within the Portal Catalog. An object that does not have explicitly defined permissions inherits the permissions of its closest ancestor that has explicitly defined permissions.
● Permissions can be assigned to folders or portal objects in the Portal Catalog. The permissions of any given folder are automatically passed on to the objects contained in it. When permissions are defined explicitly for a given object or folder, it no longer inherits permissions from its ancestor. You can reset inheritance links that were broken.
● Child objects always inherit the permissions of the parent object to which they are assigned. You cannot modify the permissions of child objects. For example, when you add an iView to a portal page, the assigned iView inherits the permissions of that page.
● Objects related to each other through a delta link do not share permissions. When you create a delta link or a copy of an existing object in the Portal Catalog, the new object automatically inherits the permissions of the folder in which it is created.
● Objects carry separate permission settings for administrators and for end users. This distinction separates the content administrators see in the portal administration environment at design time from the content they see in the end user environment at runtime.

Access Control Lists Portal permissions define user access rights to objects in the Portal Content Directory (PCD). Permissions in the portal are based on Access Control List (ACL) methodology. Essentially, every portal object can be assigned directly to an individual user or collectively to groups of users through user groups and roles.

Figure 21: Delegated Content Administration with Access Control Lists (ACLs)


Permission Levels Each object in the Portal Content Directory (PCD) consists of three sets of permissions: administrator, end user, and role assigner. This distinction is necessary to control what a Content Administrator sees in the portal administrative environment (design time), what is seen in the end user environment (runtime), and which roles the User Administrator can assign.

Figure 22: Permission Levels

Many portal framework interfaces appear in both the portal runtime and design-time environments, but may operate differently. For example, PCD objects displayed in these respective environments must be filtered so that administrators accessing these tools as end users do not receive objects that are assigned to their administrative role. The ability to differentiate also protects runtime content from inadvertent modifications by portal administrators in the portal runtime environment. For example, a portal user with administrator privileges might accidentally personalize a page in the end user environment. At runtime, it is essential to filter in content that is intended only for runtime, and filter out design-time content. Permissions on portal objects are divided into the following categories:
● Administrator
● End user
● Role assigner (on folders and roles)

Administrator Permissions Administrator permissions control objects in the design-time environment of the portal. Administrator permissions contain different levels of permissions:


Permission Level: Owner
Applies to: Roles, Worksets, Pages, iViews, Folders, Systems, Layouts
The owner has full control permission, and can also modify the permissions of the object as follows:
● Assigning permissions to others, including other owners
● Removing permissions

Hint: Every object must have at least one owner, whether explicitly defined or granted by inheritance.

Permission Level: Full Control
Applies to: Roles, Worksets, Pages, iViews, Folders, Systems, Layouts
Provides all permissions permitted by read/write, and also enables the authorized user, group, or role to:
● Delete the object

Permission Level: Read/Write
Applies to: Roles, Worksets, Pages, iViews, Folders, Systems, Layouts
Provides all permissions permitted by read, and also enables the authorized user, group, or role to:
● Edit the object (add child objects to and remove child objects from a parent object)
● Edit the object's properties
The authorized user, group, or role cannot delete a parent object, but can remove child objects assigned to it. For example, a user can add worksets and pages to a role and remove them from it, but cannot delete the role itself.

Permission Level: Read
Applies to: Roles, Worksets, Pages, iViews, Folders, Systems, Layouts
Enables the following:
● View the object in the Portal Catalog using the browse and search capabilities (this is valid only for the administrative portal tools that utilize the Portal Catalog)
● Create instances (delta links and copies) from the object
● Gain access to and choose templates in the object creation wizards
This permission level can be used to prevent content administrators from editing a particular object, while still providing them the ability to create an instance of the source and to use the new instance in any way necessary. For example, if you create a delta link instance of an object on which you have only read permission and place it in a folder on which you have write permission, you may fully edit the delta link object. However, if the object is not intended for end users, make sure that the target folder does not have end user permissions.

Permission Level: Write
Applies to: Roles, Worksets, Pages, iViews, Folders, Systems, Layouts
This permission setting cannot be selected from the permission editor. It is only relevant for folders in the Portal Catalog, and is transparently applied to folders by portal applications that require it. This permission enables:
● Folders with write permission allow authorized users to create objects in them. Note that the write permission is disregarded by non-folder objects contained in the folder.
This permission can be used for content creation and sharing by portal end users. To support this, the Everybody group could be granted write permission to a particular folder intended as a container for all users to share any content they create. This would enable the group members (who have the necessary sharing tools in the portal) to write their shared content to the designated folder.

Permission Level: None
The user is not granted access to the object or folder in any administrator tool displaying the Portal Catalog. This setting is useful if you are providing content to a role that is purely runtime based. To do so, make sure that you provide end user permissions.

Hint: If the permissions of a particular user, group, or role in a given object are set to Administrator: none and End User: disabled, then that user, group, or role is ignored. This combination does not imply that this user, group, or role is denied administrator and end user permission for the given object. To avoid confusion, we recommend removing any user, group, or role from an object that has this combination of permissions.

Hint: By default, the super_admin_role has owner permission on all objects in the PCD. You cannot delete or modify this permission or other default permissions assigned to the super admin role. This is to prevent a complete lockout situation in the portal if the role or user who has owner permissions is deleted by accident. The super admin role also has end user permission.

End User Permissions
The end user permission setting is valid for objects running in the portal runtime environment. It provides authorized users the ability to:
● View the object
● View and personalize properties (the properties that are configured by the content owner from the Property Editor)
Unlike the multiple permission levels for administrators, end user permission can only be enabled or disabled. Objects whose end user permission is enabled affect the following areas in the portal:


Navigation: Navigation iViews (such as the top-level navigation, detailed navigation, Drag&Relate targets, and related links) display only roles and objects that have end user permission.
Portal Catalog: User interfaces in the end user environment that display the Portal Catalog (such as page personalization) display only objects that have end user permission.

Hint: By default, the super_admin_role has end user permission on all objects in the PCD. You cannot delete or modify this permission or other default permissions assigned to the super_admin_role.

The end user permission setting is not available for portal components.

Administrator permission for a given object does not imply end user permission for that object. For example, if a user has full control on an iView but does not have end user permission, the iView does not appear in the user's list of available content when personalizing a portal page: in the runtime Page Personalization user interface, only users that have end user permission can see the object in the page and iView lists. Conversely, objects for which a user has only end user permission, without administrator permission, do not appear in the content administration environment.

End user permission does not control whether or not iView properties can be viewed and personalized in the runtime environment. Permissions at property level are set for each iView in the Property Editor.

End user permission is not relevant for rule collection, Portal Framework, or theme objects. Portal Frameworks and themes are assigned to users at runtime through rule collections.

Role Assigner Permissions
The role assigner permission setting is available for role objects. It determines which portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool.

Permission Editor
Depending on the manner in which it is started, the permission editor comes in the following two forms:
Central permission editor: The central permission editor allows you to set permissions for all PCD objects, folders, portal components, security zones, business objects, and resource bundles from a single user interface. You access the central permission editor from the default system administration role supplied by SAP.
Object-specific permission editor: The object-specific permission editor allows you to set permissions for the specific objects that are available in the portal tool or editor you are working in. For example, you can set permissions for iViews when working in the Portal Content Studio, or for system objects when working in the System Landscape Editor. Administrators can set object-based permissions for their particular work area without having access to the central permission editor.

Hint: You must have owner permission on an object to be able to access the permission editor in this manner.

To Start the Central Permission Editor
1. In the top-level navigation area, choose System Administration → Permissions. If the permission editor does not start automatically, choose Portal Permissions in the detailed navigation area.
2. To edit the permissions of a folder or object listed in the Portal Catalog, right-click the folder or object and choose Edit Permissions.
Note: This option is available only for folders and objects for which you already have owner permission.

To Launch the Permission Editor from an Object-Specific Administration Tool
1. Launch the relevant administration tool or editor in the portal (for example, the Portal Content Studio).
2. In the Portal Catalog, select the object or folder you want to set permissions for.
3. Open the object or folder in its respective editor.
4. Make sure that the object you want to set permissions for is the object currently in focus in the Object Editor area.
5. In the Object Editor tools area, choose Open → Permissions.

To Set Permissions
Use
You use the permission editor to set user access and control permissions on portal components, folders, and objects in the Portal Catalog. The permission editor is divided into two areas:
Permissions: Lists the users, groups, or roles that are authorized to access the selected object or folder, and their respective permission levels.
Select Users, Groups, and Roles: Enables you to search for and choose the users, groups, or roles to add to the Permissions area.

1. In the permission editor, open the object or folder whose permissions you want to edit.
● Permission Source: If the current object has explicit permissions, you can use this button to display the closest ancestor in the Portal Catalog hierarchy that has explicit permissions. This is useful before using the Restore Inheritance option. If the current object does not have explicit permissions, you can use this button to display and edit the permissions of the ancestor object from which the current object inherits its permissions. Any changes you make to the permissions of the source object are inherited by the current object.

2. Under Select Users, Groups, and Roles, locate who you want to assign permissions to.
a) In the Search box, enter keywords to search for. You can use the wildcard symbol (*) in the search string. For example, enter Ethan* for all users whose first name is Ethan.
b) In the adjacent dropdown list, choose the user category in which to perform the search. Your options are: User, Group, or Role.
c) Choose Go. The results of the search query are displayed in the list below the Search box.
Hint: If you cannot find the user you are looking for, search again using a different or less refined search query, or try using different spelling variations.
3. Add the users, groups, or roles you have located to the Permissions area.
a) In the Select Users, Groups, and Roles area, choose the user, group, or role you want to add.
b) Choose Add. The user, group, or role is now displayed in the Permissions area.
4. In the Permission Editor area, define the permission level for the users, groups, or roles listed.
a) To provide a user, group, or role with design-time authorization, choose a permission level from the dropdown list in the Administrator column.
b) To provide a user, group, or role with runtime authorization, select the checkbox in the End User column.


Note: The combination of Administrator: none, End User: disabled, and Role Assigner: disabled for a particular user, group, or role in an object means that the user, group, or role has no administrator, end user, or role assigner permission for the given object; it is not a deny entry. When you save or refresh the user interface, the user, group, or role is automatically removed from the Assigned Permissions list.
5. Repeat steps 2 to 4 to assign permissions to additional users, groups, or roles for the object or folder you are currently editing.
6. To remove the permissions assigned to a user, group, or role on a folder or object, select the user, group, or role in the Permissions area, and then choose Delete.
7. In the Object Editor tools area, choose Save.
You have set the users, groups, or roles that have permission to access the selected object or folder.

Figure 23: Permission Inheritance Model

Hint: Permissions are automatically passed on to objects contained in a folder, and to the children of parent objects (for example, iViews assigned to a page or pages assigned to a role). To set different permissions for objects within a folder manually, you must access those objects individually and modify the permissions as needed.

Permission Inheritance
Based on the permission inheritance model, folders and unit objects in the Portal Catalog inherit the permissions of their parent folder unless they have their own explicitly defined permissions. When you apply explicit permissions to a folder or object, the permission inheritance between the folder or object and its parent folder becomes disconnected; any future changes you make to the permissions of the parent folder are no longer passed to the object or subfolder with explicit permissions. The permission editor allows you to reset explicit permissions in the following ways:
● Restore permission inheritance to all child objects under a selected folder
● Restore permission inheritance from a selected object or subfolder to its parent folder

Hint: You cannot directly modify the permission of a particular PCD object that is assigned as a child object (non-unit object) to another PCD object, such as an iView in a portal page. Non-unit child objects always inherit permissions from their parent object. To see from which object the current object you are editing inherits permissions, you can choose Permission Source. The system automatically jumps to the parent object and you are able to see and change the permission of this parent object.

Figure 24: Edit or Display Permission Source

To Reset Permissions to Objects Under a Folder Resetting permissions removes manual changes made to the permissions of all objects located under a particular folder, and reinstates the inheritance of permissions between them. This action also processes subfolders and their contained objects. If the selected folder contains more than one object, you will be unable to selectively choose which object to reset permissions to; permissions for all objects under that folder will be reset.


Figure 25: Reset Child Permissions

1. Open a folder in the permission editor. 2. In the permission editor, choose Reset Child Permissions.

To Reset Permission Inheritance from an Object or Subfolder to Its Parent Folder This action removes manual changes made to permissions for a selected object or subfolder and restores the inheritance between it and its parent folder.

Hint: If the parent folder of the selected object or subfolder does not contain explicit permissions, it will inherit the permissions of the closest ancestor (folder) in the hierarchical tree that has explicit permissions. To display the permissions of the current object's closest ancestor that has explicit permissions, choose Permission Source in the Child Object Tools area.


Figure 26: Restore Inheritance

1. Open the object or folder in the permission editor. 2. In the permission editor, choose Restore Inheritance.
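The inheritance rules described above can be checked against a small executable model: an object without explicit permissions takes the ACL of its closest explicit ancestor, setting explicit permissions breaks the link to the parent, Permission Source is the closest explicit ancestor, Reset Child Permissions and Restore Inheritance reinstate inheritance, only an owner may edit permissions, and a row with Administrator: none and End User: disabled grants nothing and is dropped on save. The following Python is an added example written for this section; it is not SAP code and not part of the original handbook. The tree, the principal names and the ADMIN_LEVELS ordering are simplifications chosen here, super_admin_role is modelled as an owner entry that cannot be removed, and the constructed exercise_scenario() mirrors Exercise 7 later in this unit, where SSSS.D-## receives Read on the Portal Content root and then Full Control plus End User on the EP200 folder.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Administrator levels, weakest to strongest. Write is folder-only and applied by
# applications rather than chosen in the permission editor, so it is left out.
ADMIN_LEVELS = ["none", "read", "read_write", "full_control", "owner"]


@dataclass
class Entry:
    """One row of the permission editor for a user, group or role."""
    admin: str = "none"
    end_user: bool = False
    role_assigner: bool = False

    def grants_nothing(self) -> bool:
        # none / disabled / disabled is not a deny; the editor drops the row on save.
        return self.admin == "none" and not self.end_user and not self.role_assigner


@dataclass
class Node:
    name: str
    acl: Optional[Dict[str, Entry]] = None          # None: inherits from an ancestor
    children: Dict[str, "Node"] = field(default_factory=dict)


class Catalog:
    SUPER_ADMIN = "super_admin_role"                # owner everywhere, not removable

    def __init__(self, root_acl: Dict[str, Entry]) -> None:
        self.root = Node("portal_content", acl=self._clean(root_acl))

    @staticmethod
    def _clean(acl: Dict[str, Entry]) -> Dict[str, Entry]:
        cleaned = {p: e for p, e in acl.items() if not e.grants_nothing()}
        cleaned[Catalog.SUPER_ADMIN] = Entry("owner", end_user=True)
        return cleaned

    def _chain(self, path: str) -> List[Node]:
        # Nodes from the root down to path, e.g. "portal_content/EP200/my_iview".
        parts = path.split("/")
        if parts[0] != self.root.name:
            raise KeyError(path)
        chain = [self.root]
        for part in parts[1:]:
            chain.append(chain[-1].children[part])
        return chain

    def add(self, parent: str, name: str) -> None:
        self._chain(parent)[-1].children[name] = Node(name)

    def permission_source(self, path: str) -> Optional[str]:
        """Closest strict ancestor with explicit permissions (None for the root)."""
        for node in reversed(self._chain(path)[:-1]):
            if node.acl is not None:
                return node.name
        return None

    def effective_acl(self, path: str) -> Dict[str, Entry]:
        # The root always carries explicit permissions, so this always returns.
        for node in reversed(self._chain(path)):
            if node.acl is not None:
                return node.acl

    def admin_level(self, principals: Iterable[str], path: str) -> str:
        """Highest administrator level held by any of the user's principals."""
        acl = self.effective_acl(path)
        levels = [acl[p].admin for p in principals if p in acl]
        return max(levels, key=ADMIN_LEVELS.index, default="none")

    def set_permissions(self, actor: Iterable[str], path: str, acl: Dict[str, Entry]) -> None:
        """Explicit permissions; only an owner may open the permission editor."""
        if self.admin_level(actor, path) != "owner":
            raise PermissionError(f"{sorted(actor)} is not an owner of {path}")
        self._chain(path)[-1].acl = self._clean(acl)   # breaks the inheritance link

    def reset_child_permissions(self, path: str) -> None:
        """Drop explicit ACLs on everything below path (path itself is untouched)."""
        stack = list(self._chain(path)[-1].children.values())
        while stack:
            node = stack.pop()
            node.acl = None
            stack.extend(node.children.values())

    def restore_inheritance(self, path: str) -> None:
        node = self._chain(path)[-1]
        if node is not self.root:
            node.acl = None


def exercise_scenario() -> Catalog:
    """Constructed tree mirroring Exercise 7: SSSS.D-## may read the root folder."""
    cat = Catalog({"SSSS.D-##": Entry("read")})
    cat.add("portal_content", "EP200")
    cat.add("portal_content/EP200", "my_iview")
    cat.add("portal_content", "other_team")
    return cat
```

Running the Exercise 7 sequence through the model shows the point the guidelines in this lesson make about top folders: as soon as EP200 carries its own ACL, removing SSSS.D-## from the root no longer affects EP200, and either restore_inheritance("portal_content/EP200") or reset_child_permissions("portal_content") is needed before the root ACL is in force there again.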

Portal Catalog Structure
According to the customer's administration and security requirements, the business scenarios for delegated administration can be rather complex. Comparing the following examples shows possible solutions for structuring the Portal Catalog.
● Case 1: Creation of content usable within the whole organization by all content administrators
● Case 2: Creation of content usable within a special part of the organization by dedicated content administrators
● Case 3: Creation of content for end-user personalization

To evaluate the structure of the Portal Catalog, you must answer the following questions:
● Which categories are relevant for building a portal catalog structure?
● How should content objects be structured?

Figure 27: Structuring the Portal Catalog


The Portal Catalog can be structured in several ways:
● By default structure: for example, providing administrators with predefined content
● By functional aspects (roles): for example, differentiating between content and system administration
● By organizational units: for example, differentiating between the areas accessed by different content administrators
● By object type: for example, differentiating between iViews, pages, worksets, templates, and roles

How do you define the process of content creation? How do you define the maintenance processes for portal content? How do you set up guidelines for content creation, for example, naming conventions, definition of ACLs, creation of templates, and so on?

Permissions for Portal Content
You have the following options for defining different permissions for portal content:
● Define ACLs for a tree structure by using inheritance
● Define guidelines for the setting of different ACL types
● Set permissions to define reusability of objects
● Keep in mind when to use which permission type
● Set permissions for end-user personalization
● Set permissions for administration areas
● Set ACLs according to the view on PCD objects: end user versus administrator
● Separate settings for single objects

Considering end users, you have to think about personalization options and the use of objects. For administrators, only access and action level on objects are of interest. For both user types, you should always keep in mind what you have to assign and where to assign the appropriate ACL. You must decide which roles and groups should have different permissions so you can select the correct ACL.

Figure 28: Guidelines for Setting Permissions

You should assign ACLs on top folders to take advantage of inheritance. Limit the access on top-level folders, because resetting permissions on a top folder would reset the whole ACL structure of the content tree below it. In addition, it is recommended that you assign roles and groups to the content objects and levels, and assign single users only in rare cases.

Guidelines for Portal Catalog The following figure shows a PCD structured by organizational units:

Figure 29: Structuring the PCD by Organizational Units

The figure below demonstrates a PCD structured by object type:

Figure 30: Structuring the PCD by Object Type

Discuss the advantages and disadvantages of these two structuring models with your participants.

Unit 2 Exercise 7

Assign Permissions on PCD Objects

Business Example You are a content administrator in a company with many other content administrators. The goal is to protect your PCD objects from being modified by members of other teams. Setting and Testing ACLs In this task, you will assign the content administration role to the SSSS.D-## user, grant SSSS.D-## read only access to the Portal content PCD folder and test the permissions.

Note: When there is only one portal for the whole class available, this exercise should be demonstrated by the instructor only.

1. In the exercise “Set Up Microsoft Active Directory Server (AD) as UME Data Source” you should have created a portal user with the naming convention SSSS.D-##. If you have not created this “delegated” user, create it now.
2. Assign the content_admin_role to the SSSS.D-## user.
3. On the Portal Content root folder, grant the SSSS.D-## user the administrator permission Read.
4. Log on as the SSSS.D-## user and test the permissions on the EP200 folder.
5. Add Full Control administrator permission and end user permission for the SSSS.D-## user on the EP200 folder.

Optional: ACL browser
Launch the ACL browser to get an overview of the permissions.
1. In the SAP NetWeaver documentation on the SAP Help Portal (available at http://help.sap.com/nw74), under SAP NetWeaver Portal Platform, choose SAP NetWeaver 7.4 → Application Help and beside SAP NetWeaver Portal, choose English. Choose Portal → Managing the Portal → System Administration → Portal Permissions → Viewing Permission Structures in the Portal. Then, launch the ACL browser using the URL at the end of the “Viewing Permission Structures in the Portal” procedure.

Unit 2 Solution 7

Assign Permissions on PCD Objects

Business Example You are a content administrator in a company with many other content administrators. The goal is to protect your PCD objects from being modified by members of other teams. Setting and Testing ACLs In this task, you will assign the content administration role to the SSSS.D-## user, grant SSSS.D-## read only access to the Portal content PCD folder and test the permissions.

Note: When there is only one portal for the whole class available, this exercise should be demonstrated by the instructor only.

1. In the exercise “Set Up Microsoft Active Directory Server (AD) as UME Data Source” you should have created a portal user with the naming convention SSSS.D-##. If you have not created this “delegated” user, create it now. a) See the task “Testing the Changes” of exercise “Microsoft Active Directory Server (AD) as UME Data Source”. 2. Assign the content_admin_role to the SSSS.D-## user. a) As portal user .A-##, choose User Administration → Identity Management. b) Search for your SSSS.D-## user and select it. c) Choose Modify to enter the change mode. d) On the Assigned Roles tab, search for the content_admin_role (at Available Roles) and assign it to the user. e) Choose Save. 3. On the Portal content root folder, grant the SSSS.D-## user the administrative read permission. a) As portal user .A-##, choose Content Administration → Portal Content Management → Portal Content. b) Right-click the Portal Content folder (ID pcd:portal_content) and choose Open → Permissions. c) Search for the SSSS.D-## user. d) Select the user.


Lesson: Describing Delegated Content Administration Tasks

   e) Choose Add to add the user to the Assigned Permissions list.
   f) For the SSSS.D-## user, choose Read as the Administrator permission from the dropdown list.
   g) Save the permissions.
4. Log on as the SSSS.D-## user and test the permissions on the EP200 folder.
   a) Log on to the portal with the SSSS.D-## user.
   b) Navigate to and right-click the folder at Content Administration → Portal Content Management → Portal Content → EP200.
   c) Notice which entries are available in the context menu.
5. Add Full Control Administrator permissions and End User permissions for the SSSS.D-## user on the EP200 folder.
   a) As portal user .A-##, choose Content Administration → Portal Content Management → Portal Content → EP200.
   b) Right-click the EP200 folder and choose Open → Permissions.
   c) For the SSSS.D-## user entry, choose Full Control as the Administrator permission.
   d) Select the checkbox for End User permissions.
   e) Save the permissions.
   f) Confirm the dialog box.

Optional: ACL browser
Launch the ACL browser to get an overview of the permissions.
1. In the SAP NetWeaver documentation on the SAP Help Portal (available at http://help.sap.com/nw74), under SAP NetWeaver Portal Platform, choose SAP NetWeaver 7.4 → Application Help and, beside SAP NetWeaver Portal, choose English. Choose Portal → Managing the Portal → System Administration → Portal Permissions → Viewing Permission Structures in the Portal. Then launch the ACL browser using the URL at the end of the “Viewing Permission Structures in the Portal” procedure.
   a) The procedure “Viewing Permission Structures in the Portal” gives you the URL to call: http://.:/irj/servlet/prt/portal/prtroot/com.sap.portal.admin.acleditor.listPermissions.
   b) As portal user .A-##, log on to the portal.
   c) Open a new browser window (not a new browser session) and launch the URL given above. After some waiting time, all ACLs are listed.

Note: If you fail to launch the application, you may have to adjust the security zone settings – see next lesson for details.


Unit 2: Portal Authorization

LESSON SUMMARY
You should now be able to:
● Describe delegated content administration
● Describe the permission levels for access control lists
● Set permissions
● Reset permissions to objects
● Describe the structure of the Portal Catalog
● Assign permissions on Portal Content Directory (PCD) objects using delegated content administration


Unit 2 Lesson 2

Setting Permissions on Security Zones

LESSON OVERVIEW In this lesson you will learn about security zones and how the portal administrator can use them to control access to portal services and components. This topic has not been covered in SAPEP, so carefully introduce the concept.

Business Example
As a portal content developer, you have been tasked with developing a portal application to display highly sensitive information. To ensure that only those users authorized can access this application and its related portal components and portal services, there must be no capability to access this application directly from outside the portal. To run this application on the portal platform, you must secure it under a security zone.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe security zones
● Set permissions on security zones

Security Zones
Typically, a portal user has access to portal content by iViews. iViews are made available via portal roles (optionally, via pages and worksets). Portal roles can be assigned directly to a user or via a UME group assignment. In addition to this standard assignment, users may also try to access portal components directly (potentially without any iView assignment). This access is sometimes called prtroot access. The URL has the format http(s)://.:/irj/servlet/prt/portal/prtroot/.. An attacker may be able to use and misuse critical functions by performing a prtroot access to the components implementing those functions.


Figure 31: Threat: Direct Access to a Portal Component

Security zones are used to prevent unauthorized users from accessing iViews, portal components, and portal services through a direct URL used outside of the portal environment. When activated, security zones enable system administrators to control which portal components and portal services a portal user can launch. Security zones provide a means of implementing an optional, secondary layer of security to portal components and services, which are accessed by a URL. URL access to portal components and services can occur directly or indirectly via an iView. This access is controlled by progressive safety levels and permissions, which are assigned by system administrators to authorized users in the permission editor. A security zone specifies the vendor ID, the security area, and safety level for each portal component and portal service (web services accessed through the SOAP protocol). Access to portal components and services by authorized users is controlled by assigning portal user permissions to the hierarchical structure of vendor ID, the security area, and progressive safety levels in the portal’s security zones. Content developers assign portal components and services to a security zone during the development phase. The security zone is defined in a portal application’s descriptor XML file. Typically, it is the content or system administrator’s responsibility to provide the appropriate security zone assignment to the content developer.


Lesson: Setting Permissions on Security Zones

Figure 32: Solution: ACLs on Security Zones

After a portal application is deployed in a portal, an administrator with access to the central permission editor must assign authorized users, groups, or roles to the security zone to which the portal component or service belongs. Security zones are displayed in the Portal Catalog in a hierarchical structure. A portal component or service can belong to only one security zone; however, portal components and services may share the same safety level. This allows the administrator to assign permissions to a safety level instead of having to assign them directly to each portal component or service, and so takes advantage of the permission inheritance mechanism, which passes the permissions from the safety level to any portal component or service located in it. You can control access to portal components through direct URLs or through iViews.

Access controlled through direct URLs
Generally, portal components are accessed through an iView. However, special cases – such as the portal logon component – require direct URL access to portal applications without an iView. A user is allowed direct access by URL at runtime under the following conditions:
● The portal component or service declares its security zone.
● The user (or group or role) has been assigned end user permissions in the permission editor to the security zone defined by the portal component.

Access controlled through iViews
When an iView is launched by a user at runtime, the Portal Runtime (PRT) initially determines if the user is assigned end user permission to the role object containing the iView. If authorized, the user can view the iView’s content. Security zones offer an extra, but optional, layer of code-level security to iViews accessed through standard role-based assignment. When the security zone functionality is activated, the PRT also checks if the user has been assigned end user permission to the iView’s portal component in its designated security zone. Note that this check is performed after the end user permission to the iView has been approved. The user must pass both checks to view the iView’s content. This second level of security for iViews is activated or deactivated by setting a Java VM (virtual machine) parameter using the Config Tool (for both server and instance or server only).


By default, this functionality is disabled.
● To activate it, set the -Dcom.sap.nw.sz parameter to true.
● To deactivate it, set the -Dcom.sap.nw.sz parameter to false.

Hint: This parameter also prevents unauthorized users from accessing iViews through a direct URL used outside of the portal environment. In a future release, this parameter may be deprecated; the functionality it provides will remain and operate permanently.

Portal Applications and Security Zones
When the portal application archive is loaded in the system, if zones do not exist they are created. The entries that correspond to the portal objects are then created in the zone. When a portal object (portal component or portal service) is accessed, the portal runtime checks if the current user has the permissions required to access the zone to which the portal object belongs.

Figure 33: Example of Security Zone Entry in the Deployment Descriptor

You can specify security zones in the portal application descriptor file, portalapp.xml, in the following ways:

Ways to Specify Security Zones
● Computed (preferred method)
● Fully specified

In the computed method, the security zone of a component is defined by creating the following properties in the portalapp.xml file in the application EAR file:
● VendorID and SecurityArea: These properties are defined in the application-config section, and apply to all the components and services.
● SafetyLevel: This property is defined for each component and service.

When the portal application is deployed in the portal, the full security zone is then automatically generated by the PRT using the above properties and the names of the components and services:
● Components: VendorID/SecurityArea/SafetyLevel/portal_application_name/components/component_name
● Services: VendorID/SecurityArea/SafetyLevel/portal_application_name/services/service_name

In the fully specified method, the security zone is defined in the portal application descriptor with a single property, SecurityZone. The syntax of this property can be any slash-separated (/) string to define the security zone hierarchy; however, either of the following formats is recommended:
● vendor_ID/security_area/safety_level/portal_application_name/components/component_name
● vendor_ID/security_area/safety_level/portal_application_name/services/component_name

Rules for Creating the Zones
During the deployment of the portal application in the portal, the following rules apply to creating the zones associated with the portal objects:
● If the portal application specifies a SecurityZone property (fully specified method), its value takes precedence even if the portal application also specifies the VendorID and SafetyLevel properties (computed method).
● If no security zone is specified, the PRT computes a zone for each portal object using the properties Vendor, SecurityArea, and SafetyLevel.
● Any component that does not have a proper vendor, security area, or safety level property is listed under an UndefinedVendor, UndefinedSecurityArea, or UndefinedSafetyLevel folder in the appropriate location in the Security Zones folder in the Portal Catalog. This enables administrators to easily locate components where the application has been deployed without the proper security zone properties.

Permissions and Security Zones
Security zones extend to components and services the permission model implemented in the PRT, which controls access to all portal objects:
● Portal components – either accessed from the prtroot URL or from the portal application repository.
● Portal services – when accessed as web services by the SOAP connection.

In the portal, security zones are located in the root Security Zones folder within the Portal Catalog and are represented as a set of portal components and portal services, to which Access Control Lists (ACL) are attached and checked at runtime when the portal object belonging to a zone is accessed. During the development phase, the security zone allows you to abstract the security level that a portal component or a portal service will require at runtime. You do not need to know the name of the roles or the name of the users that will be present in the portal environment in which the portal application will be installed. The zone defines a logical catalog containing a set of portal objects. You have to associate the principal security of the system to that zone by creating ACLs. The ACLs define the permission required for accessing a specific zone.

A safety level for a security zone enables you to group objects that belong to a zone into different categories. Within that zone, you can define different safety levels. Each of these safety levels can then be assigned to different permissions. This helps you to organize and classify objects that belong to a certain zone. The portal defines the following standard safety levels for initial portal content to which out-of-the-box groups and roles are assigned permissions (note that the description of each safety level is based on the end user permission setting only, regardless of the administrator permission setting):

Table 4: Safety Levels for Security Zones
Safety Level | Description
No Safety | Anonymous users are permitted to access portal components defined in the security zone.
Low Safety | A user must be at least an authenticated portal user to access portal components defined in the security zone.
Medium Safety | A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.
High Safety | A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.

For information on which initial groups and roles are assigned to the standard security zones shipped with the portal, see the Default Security Zone Permissions table below. We highly recommend that customers use this convention and the standard safety levels when deploying custom-made applications in the portal. In addition to the safety levels described above, the following security zone permissions exist for the standard safety levels in the Security Zones folder:

Table 5: Default Security Zone Permissions
No Safety
   Portal Catalog Folder: Security Zones → sap.com → NetWeaver.Portal → no_safety; Security Zones → sap.com → NetWeaver.UserManagement → no_safety
   Permission Setting: Everyone group: Administrator none, End user enabled
Low Safety
   Portal Catalog Folder: Security Zones → sap.com → NetWeaver.Portal → low_safety; Security Zones → sap.com → NetWeaver.UserManagement → low_safety
   Permission Setting: Authenticated Users group: Administrator none, End user enabled
Medium and High Safety
   Portal Catalog Folder: Security Zones → sap.com → NetWeaver.Portal → medium_safety; Security Zones → sap.com → NetWeaver.UserManagement → high_safety (more)
   Permission Setting: Content Admin and System Admin roles: Administrator none, End user enabled
Medium and High Safety
   Portal Catalog Folder: Security Zones → sap.com → NetWeaver.Portal → medium_safety; Security Zones → sap.com → NetWeaver.UserManagement → high_safety
   Permission Setting: User Admin and System Admin roles: Administrator none, End user enabled

Hint: Problems related to accessing the portal and its content are often attributed to insufficient permissions in security zones. When troubleshooting access-related issues in the portal, it is recommended to also check the security zone permissions.

Default Permissions for Maximum Security
The portal comes with a minimum set of permissions assigned to its initial content. These default permissions are designed to provide maximum security for a freshly installed portal. The default permissions settings are sufficient to enable users assigned to the super administrator role to work and gain access to all initial content. They also enable the remaining standard administration roles (content, system, and user) to access tools specific to these roles, but not initial content objects. For example, a content administrator has access to the Portal Content Studio, but is not able to gain access to any content objects, such as iViews, pages, and roles — the Portal Catalog in the Portal Content Studio is empty. This topic describes the default permissions assigned to the initial content of the portal.

Caution: The initial permissions described in this topic are only valid for a fresh and full installation of the portal. When upgrading a portal, the initial permissions script in the portal is not executed. This prevents the permissions in an existing portal from being overwritten. If you are upgrading your portal, you will however need to assign permission to the standard portal components and services shipped with the portal. These components and services reside in the Security Zones folder. It is recommended to use as a basis the initial permissions set for security zones in a fresh installation (as described in the Permissions in Security Zones section above).


Hint: For guidelines on reconfiguring the strict initial permissions to allow the preconfigured portal roles to access initial content objects relevant to their role, see the How-To Guide How to Configure Permission for Initial Content in SAP NetWeaver Portal available on the SAP Community Network, Quick Link /docs/DOC-7925.

While iViews automatically inherit their permissions from the role in which they are used, portal components and services inherit their permissions from the security zone or safety level to which they are assigned. Most generic portal applications intended for standard users in an organization should apply to either the no safety or low safety levels, and no additional role-specific permissions need to be assigned to their security zones. The reason for this is that the Everyone and Authenticated Users groups are by default assigned end-user permission to the no safety and low safety levels, respectively, and thereby permit all anonymous and authorized user activity already. The medium safety and high safety levels are typically reserved for sensitive applications, which require permission assignments that are targeted to specific users, groups, or roles.

Security zone functionality is only operational when the PRT security mode is set to production mode. The security mode can be configured using the PRT runtime service. Start SAP NetWeaver Administrator at http://:/nwa. Navigate to Configuration Management → Infrastructure → Java System Properties → Services. Choose Portal Runtime Container Extension (service component name tc~epbc~prtc~core). Here is an overview of the possible values of the portal.runtime.security.mode setting:

Table 6: Portal Runtime Security Modes
Setting | Result
development | prtroot access is allowed for every component
production | prtroot access is not allowed unless the component belongs to a security zone (access to the security zone is tested then)

Portal components that are not assigned to any security zone by the developer show up below a security zone named UndefinedSafetyLevel (with an inherited or explicit ACL).

Note: To prevent a complete lockout situation that prevents access to the portal by all users, including super users, you must make sure that all portal groups representing anonymous users (for example, the Everyone group) have end user permission enabled for the safety level that permits anonymous access to portal components and services accessed by a URL (for example, the no safety level). Typically, you should grant end user permission to the Everyone group in the following standard security zones that are shipped with the portal:
● security/sap.com/NetWeaver.Portal/no_safety
● security/sap.com/NetWeaver.UserManagement/no_safety
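The runtime checks described in this lesson (the two conditions for direct URL access, the role-then-zone sequence for iViews, the development and production modes of Table 6, and the lockout note above) put together as one small model. This is an added example, not SAP code and not the PRT implementation: every zone, group, role, user, component and iView name is constructed sample data (the OceanFirst zone mirrors the exercise that follows), and representing an ACL as the set of principals that have End User permission on a zone path is an assumption of the model.

```python
"""Model of the Portal Runtime (PRT) access decision for prtroot URLs and iViews.

Added illustration, not SAP code. Rules encoded, as stated in the lesson:
  * development mode: prtroot access is allowed for every component;
  * production mode: the component must belong to a security zone and the
    caller needs End User permission on it, resolved by walking up the zone
    path to the nearest explicit ACL (inherited or explicit ACL);
  * iViews: the role check runs first; the zone check is added only when the
    com.sap.nw.sz switch is on, and both checks must pass.
All names are constructed sample data; the ACL representation is an assumption.
"""
from dataclasses import dataclass, field

EVERYONE = "Everyone"                  # built-in group: anonymous and named users alike
AUTHENTICATED_USERS = "Authenticated Users"

# Constructed defaults following the convention the lesson recommends for the
# standard safety levels (Table 5 lists the zones actually shipped with the portal).
DEFAULT_SAFETY_LEVEL_ACLS = {
    "no_safety": {EVERYONE},
    "low_safety": {AUTHENTICATED_USERS},
    "medium_safety": {"Content Admin", "System Admin"},
    "high_safety": {"User Admin", "System Admin"},
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    anonymous: bool = False

    def principals(self):
        """Every name an ACL entry can match for this user."""
        p = {self.name, EVERYONE} | self.groups | self.roles
        if not self.anonymous:
            p.add(AUTHENTICATED_USERS)
        return p


@dataclass
class Portal:
    security_mode: str = "production"       # portal.runtime.security.mode
    zone_check_for_iviews: bool = False     # -Dcom.sap.nw.sz
    zone_acls: dict = field(default_factory=dict)        # zone path -> End User principals
    component_zone: dict = field(default_factory=dict)   # component id -> zone path
    role_iviews: dict = field(default_factory=dict)      # role -> iView ids it exposes
    iview_component: dict = field(default_factory=dict)  # iView id -> component id

    def install_default_acls(self, vendor, area):
        """Attach the standard safety-level ACLs below vendor/area."""
        for level, principals in DEFAULT_SAFETY_LEVEL_ACLS.items():
            self.zone_acls[f"{vendor}/{area}/{level}"] = set(principals)

    def grant_end_user(self, zone, principal):
        """What the permission editor does when End User is ticked for a principal."""
        self.zone_acls.setdefault(zone, set()).add(principal)

    def effective_end_users(self, zone):
        """Walk up the zone hierarchy to the nearest explicit ACL (inheritance)."""
        parts = zone.split("/")
        while parts:
            acl = self.zone_acls.get("/".join(parts))
            if acl is not None:
                return acl
            parts.pop()
        return set()

    def zone_permits(self, user, component):
        zone = self.component_zone.get(component)
        return zone is not None and bool(user.principals() & self.effective_end_users(zone))

    def prtroot_allowed(self, user, component):
        """Direct call of .../irj/servlet/prt/portal/prtroot/<component>."""
        if self.security_mode == "development":
            return True
        return self.zone_permits(user, component)

    def iview_allowed(self, user, iview):
        """Role-based check first; zone check second and only when switched on."""
        if not any(iview in self.role_iviews.get(r, ()) for r in user.roles):
            return False
        if not self.zone_check_for_iviews:
            return True
        return self.zone_permits(user, self.iview_component[iview])

    def no_safety_without_anonymous(self):
        """Lockout check: no_safety levels where the anonymous group lacks End User permission."""
        return sorted(z for z in self.zone_acls
                      if z.endswith("/no_safety") and EVERYONE not in self.effective_end_users(z))


def sample_portal():
    """Constructed sample: a report application plus the freshly deployed OceanFirst zone."""
    p = Portal()
    p.install_default_acls("example.com", "Reports")
    p.zone_acls["ocean11.com/Ocean/no_safety"] = set()   # new zone: nobody granted yet
    p.component_zone = {
        "ReportApp.Welcome": "example.com/Reports/no_safety/ReportApp/components/Welcome",
        "ReportApp.SalesReport": "example.com/Reports/medium_safety/ReportApp/components/SalesReport",
        "OceanFirst.HelloWorld": "ocean11.com/Ocean/no_safety/OceanFirst/components/HelloWorld",
    }
    p.role_iviews = {"Sales": {"sales.overview"}}
    p.iview_component = {"sales.overview": "ReportApp.SalesReport"}
    return p
```

The no_safety_without_anonymous check is the lockout guard from the Note: it lists every no_safety level on which the Everyone group has no End User permission, which is what to verify before switching the runtime to production mode. In the sample it flags the OceanFirst zone until a principal is granted there, exactly the state the following exercise starts from.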


Unit 2 Exercise 8

Set Permissions on Security Zones

Business Example
Your team’s portal content developers have created a very simple custom portal application, OceanFirst.par, for upload into the portal. This custom application component uses the newly introduced concept of security zones to prevent unauthorized users from accessing it directly via a URL. As the system administrator, it is your responsibility to upload the .par file into the portal and assign the proper permissions via an ACL.

Preparation
Migrating, analyzing, and deploying a new portal application.
1. Migrate the OceanFirst.par file to an EAR file using the PAR Migration tool. The OceanFirst.par file is on the server at S:\Courses\EP200_15\Security Zones\OceanFirst.par.
2. Check and compare the EAR and PAR files.
3. By analyzing the portalapp.xml file, determine the following specifications:
   Vendor of OceanFirst
   SecurityArea of OceanFirst
   Included Component(s) and their SafetyLevel
   Included Service(s) and their SafetyLevel
4. Deploy the EAR file to the portal system using the SAP NetWeaver Developer Studio.
   Note: The .ear file can also be deployed using a telnet session.
   a) Open a Command Prompt and enter the following command: telnet localhost 5$$08
   b) When prompted, supply your portal username and password.
   c) Enter the following command, where d:\OceanFirst.ear is the full pathname to the .ear file: Deploy d:\OceanFirst.ear on_deploy_error=stop

prtroot access 1/2
Testing the prtroot access with the default ACL on the Security Zone.


1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows. Log on to your portal using portal user .E-##.
2. What happens when you try to prtroot-access the OceanFirst.HelloWorld portal component?
   You should receive an error because your end user is not listed on the ACL of the OceanFirst.HelloWorld portal component; you are not authorized to access the assigned security zone.

Maintain the ACL of the Security Zone
Maintaining the ACL of the Security Zone assigned to a portal application.
1. As portal user .A-##, provide all users of group .E prtroot access to the security zone level of OceanFirst.par, no_safety.

prtroot access 2/2
Testing the prtroot access with the modified ACL on the Security Zone.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.
2. Log on to your portal using portal user .E-##.
3. What happens when you try to prtroot-access the OceanFirst.HelloWorld portal component?
   You should not get a security error because your end user is listed on the ACL of the ocean11.com Security Zone, and you are authorized to access all components and services.


Unit 2 Solution 8

Set Permissions on Security Zones

Business Example
Your team’s portal content developers have created a very simple custom portal application, OceanFirst.par, for upload into the portal. This custom application component uses the newly introduced concept of security zones to prevent unauthorized users from accessing it directly via a URL. As the system administrator, it is your responsibility to upload the .par file into the portal and assign the proper permissions via an ACL.

Preparation
Migrating, analyzing, and deploying a new portal application.
1. Migrate the OceanFirst.par file to an EAR file using the PAR Migration tool. The OceanFirst.par file is on the server at S:\Courses\EP200_15\Security Zones\OceanFirst.par.
   a) Log on to the portal.
   b) Choose System Administration → Support → PAR Migration Tool.
   c) On the Select Files screen, browse to the OceanFirst.par file from the File field. The file is in the S:\Courses\EP200_15\Security Zones folder.
   d) Double-click the file.
   e) Choose Upload.
   f) Choose the Add Selected files button.
   g) Choose Next.
   h) On the Download Migrated Files screen, choose Download.
   i) Save the file to the d: drive.
   j) Choose Finish.
2. Check and compare the EAR and PAR files.
   a) Navigate to the folder where the PAR file is located.
   b) Right-click the file and choose Open.
   c) Open the file with WinRAR.
   d) Navigate to the portalapp.xml file.
   e) Open it and examine it.
   f) Now do the same for the EAR file.
3. By analyzing the portalapp.xml file, determine the following specifications:


   Vendor of OceanFirst
   SecurityArea of OceanFirst
   Included Component(s) and their SafetyLevel
   Included Service(s) and their SafetyLevel
   a) The portalapp.xml file comes with the following specifications:
      Vendor of OceanFirst: ocean11.com
      SecurityArea of OceanFirst: Ocean
      Included Component(s) and their SafetyLevel: HelloWorld with no_safety
      Included Service(s) and their SafetyLevel: OceanService with no_safety

4. Deploy the EAR file to the portal system using the SAP NetWeaver Developer Studio.
   Note: The .ear file can also be deployed using a telnet session.
   a) Open a Command Prompt and enter the following command: telnet localhost 5$$08
   b) When prompted, supply your portal username and password.
   c) Enter the following command, where d:\OceanFirst.ear is the full pathname to the .ear file: Deploy d:\OceanFirst.ear on_deploy_error=stop

   a) Open the SAP NetWeaver Developer Studio by choosing the NWDS link on the desktop of your portal server.
   b) When presented with the OS Logon to SAP JEE Host dialog box, choose Cancel. You will need to choose Cancel about twenty times.
   c) Choose Window → Preferences → SAP AS Java.
   d) Select and delete all systems in the list except for the one you are assigned, DEP or QEP.
   e) Deselect the Automatically detect local system at startup checkbox.
   f) Choose OK.
   g) Close the SAP NetWeaver Developer Studio.
   h) Open the SAP NetWeaver Developer Studio again by choosing the NWDS link on the desktop.


   i) At the Windows prompt, enter your operating system user, adm, and password. You may be prompted a number of times for this information.
   j) Choose Window → Open Perspective → Other....
   k) Select Deployment.
   l) Choose OK.
   m) In the Deployment Perspective, select your portal system. If prompted for a username and password, use the .A-## username and the password for logging on to that portal.
   n) In the Deployment List area, choose Import.
   o) Ensure that File System is selected.
   p) Choose Finish.
   q) Browse to the file location and select the EAR file.
   r) Choose Open.
   s) To start the deployment, in the Deployment List area, choose Start.
   t) When presented with the Confirm Deployment Jobs for System Local / dialog box, choose OK.
   If a Transport Exception error occurs (see SAP Note 1682620), you need to add the user to the Administrators group in UME and start the deployment again.
   To view the deployed EAR file, log on to the portal as portal user .A-##. Choose Content Administration → Portal Content Management → Portal Applications → OceanFirst. Right-click HelloWorld and choose Preview.

prtroot access 1/2
Testing the prtroot access with the default ACL on the Security Zone.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows. Log on to your portal using portal user .E-##.
2. What happens when you try to prtroot-access the OceanFirst.HelloWorld portal component?
   a) In your end user's browser window, modify the URL to match http://.:5$$00/irj/servlet/prt/portal/prtroot/OceanFirst.HelloWorld. You should receive an error because your end user is not listed on the ACL of the OceanFirst.HelloWorld portal component; you are not authorized to access the assigned security zone.

Maintain the ACL of the Security Zone
Maintaining the ACL of the Security Zone assigned to a portal application.
1. As portal user .A-##, provide all users of group .E prtroot access to the security zone level of OceanFirst.par, no_safety.
   a) Log on to your portal using portal user .A-##.


   b) Choose System Administration → Permissions → Portal Permissions → Security Zones → ocean11.com → Ocean.
   c) Right-click the no_safety folder and select Open → Permissions.
   d) In the permissions editor, search for user .E-##.
   e) In the search result list, select .E-##.
   f) Choose Add.
   g) Set the Administrator permission to None.
   h) Select the End User (runtime) permission.
   i) Choose Save and confirm the message regarding permission inheritance.

prtroot access 2/2
Testing the prtroot access with the modified ACL on the Security Zone.
1. In one of your “environments” (portal server, WTS, local classroom PC), close all browser windows.
2. Log on to your portal using portal user .E-##.
3. What happens when you try to prtroot-access the OceanFirst.HelloWorld portal component?
   a) In your end user's browser window, modify the URL to match http://.:5$$00/irj/servlet/prt/portal/prtroot/OceanFirst.HelloWorld. You should not get a security error because your end user is listed on the ACL of the ocean11.com Security Zone, and you are authorized to access all components and services.


LESSON SUMMARY
You should now be able to:
● Describe security zones
● Set permissions on security zones


Unit 2 Lesson 3

Setting Permissions on Portal Applications

LESSON OVERVIEW This lesson covers how to protect the portal archive from content administrators. Prepare by doing the exercise.

Business Example
The project manager has asked the portal content development team to complete two tasks. The first task is to create a new URL iView in the portal pointing to the company’s main web site. The second task is, after a custom application component has been imported into the Portal Archive of the portal, to restrict access to it from portal content management, as your organization requires. After installation of the portal, the content administrator does not have access to the URL iView component required to complete the task. Furthermore, the content administrator should not have access to the custom application that has been imported in the Portal Archive. As the super administrator, you grant content administration access to the URL iView application component and restrict access to the custom application component in the portal archive.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Grant access to portal components for content administration activities

Portal Archive
SAP ships many portal application components, bundled together as a .war file packed into a .ear file as standard initial content. Using the content creation wizard for iViews based on Portal Components in the portal, portal content developers can use these .war files as the basis for iViews or Templates in which they wish to expose the functionality of the underlying components and services provided in the .war file.


Lesson: Setting Permissions on Portal Applications

Figure 34: Protect the Portal Archive

Many of these portal components can be used to access sensitive data, and thus represent a potential security threat if not properly secured. After installation, the portal assigns a set of default permissions to this content to prevent unauthorized access. The initial permissions are set in a manner that permits only the Super Admin role full access to the entire portal and its initial content. The remaining preconfigured administration and business user roles shipped with the portal are permitted access to the out-of-the-box tools and user interfaces relevant to each role; however, access to objects within these tools is not permitted. For example, the content administrator has access to the Portal Content Studio, but the Portal Catalog is empty. This means that the administrator has no access to any iViews, pages, worksets, roles, or business objects.

Figure 35: The Permission Editor

To use any portal component (.war) from the portal archive as the basis of an iView or Template, the content administrator must be granted permission to access the portal component by the super administrator. The super administrator grants permission to users, groups, and roles using the central permission editor, which can be found at System Administration → Permissions → Portal Permissions → Portal Applications. When you access the central permission editor, the Portal Catalog displays Applications as a root folder. The Applications folder contains the portal applications (portal components and services) that are imported into the portal as WAR files. A super administrator can set permissions in the permission editor on the Applications folder and on each application within the folder.

Unit 2: Portal Authorization

Portal applications are located in the root Applications folder within the Portal Catalog. Permissions set on portal applications in this folder provide a means for securing design-time access to portal components in the object creation wizards. If a WAR file contains more than one portal component, the permission level you set for the portal application encompasses all portal components included in it. It is also possible to set application-specific permissions; to do so, select the specific application and modify its permission.

Note: The Portal Catalog displays portal applications as portal components; they are in fact portal application files. The Applications folder contains WAR files. If you want to expose any portal component (packaged in a WAR file) as an iView, you must add Read administrator permission to the Applications folder. If you want to hide certain WAR files, modify the permission of each WAR file individually.
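The permission model just described, as an added example that is not part of the SAP course material or of the portal's own code: a small Python model of the Applications folder ACL in which a permission set on the folder is inherited by each WAR file and by the components packaged in it, and an explicit None on one node hides it again. It replays the exercise scenario that follows (the HelloWorld component in the OceanFirst application); the second WAR file, the Greeting component and the permission-level names other than Read and None are constructed for illustration.

```python
"""Added example (not SAP code): a model of design-time permissions on the
Applications folder of the Portal Catalog, as the lesson describes them.
A role needs Read administrator permission on the Applications folder to see
any portal component in the iView creation wizard, and a single WAR file or
component can be hidden again by giving it an explicit None permission.
Components packaged in a WAR file inherit the level set on the WAR file."""
from typing import Dict, List, Optional

# Administrator permission levels, lowest to highest. Only None and Read appear
# in the lesson; the remaining names are an assumption about the editor's choices.
LEVELS = ["None", "Read", "Write", "Read/Write", "Full Control", "Owner"]


class ApplicationsCatalog:
    """Tree Applications -> WAR file -> portal component, with an ACL entry per node."""

    def __init__(self) -> None:
        # node path -> {role -> level}; an explicit entry overrides what is inherited
        self.acl: Dict[str, Dict[str, str]] = {"Applications": {"super_admin_role": "Owner"}}
        # WAR file name -> portal components packaged in it
        self.wars: Dict[str, List[str]] = {}

    def deploy(self, war: str, components: List[str]) -> None:
        self.wars[war] = list(components)

    def set_permission(self, path: str, role: str, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown permission level {level!r}")
        self.acl.setdefault(path, {})[role] = level

    def effective_permission(self, path: str, role: str) -> str:
        """Nearest explicit ACL entry wins, walking up towards the Applications root."""
        node: Optional[str] = path
        while node is not None:
            level = self.acl.get(node, {}).get(role)
            if level is not None:
                return level
            node = node.rsplit("/", 1)[0] if "/" in node else None
        return "None"  # nothing granted anywhere: the post-install default for non-super roles

    def visible_components(self, role: str) -> List[str]:
        """Components the object creation wizard would list for a holder of this role."""
        read = LEVELS.index("Read")
        return sorted(
            f"Applications/{war}/{comp}"
            for war, comps in self.wars.items()
            for comp in comps
            if LEVELS.index(self.effective_permission(f"Applications/{war}/{comp}", role)) >= read
        )


def exercise_scenario() -> Dict[str, List[str]]:
    """Replays the exercise: grant Read on the folder, then hide one component again."""
    catalog = ApplicationsCatalog()
    catalog.deploy("OceanFirst", ["HelloWorld", "Greeting"])   # Greeting is a constructed extra component
    catalog.deploy("ExampleVendor.Tools", ["Dashboard"])       # constructed second WAR file
    role = "content_admin_role"
    default = catalog.visible_components(role)                 # after installation: empty catalog
    catalog.set_permission("Applications", role, "Read")       # super admin grants Read on the folder
    folder_read = catalog.visible_components(role)
    catalog.set_permission("Applications/OceanFirst/HelloWorld", role, "None")  # withdraw it for one component
    hidden = catalog.visible_components(role)
    return {"default": default, "folder_read": folder_read, "hello_world_hidden": hidden}


if __name__ == "__main__":
    for step, components in exercise_scenario().items():
        print(f"{step}: {components}")
```

The walk in effective_permission is the whole point: the folder grant is what makes the catalog non-empty for the content administrator, and an explicit None lower in the tree wins over it, which is why the exercise's HelloWorld disappears from the wizard while the rest of OceanFirst stays visible.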

Unit 2 Exercise 9

Set Permissions on Portal Applications

Business Example
Content administrators, responsible for portal content creation, often require access to specific applications in the Portal Archive on which to base their iView development.

Note: This exercise requires that you have successfully deployed the OceanFirst portal application (see last exercise).

ACLs on Portal Applications 1/2
Check the permissions on a portal component.
1. Log on to your portal using portal user .A-##.
2. As portal user .A-##, assign read permissions for the content_admin_role to the HelloWorld portal component.

iView creation 1/2
Testing the creation of a new iView with the default ACL on the portal application.
1. Log on to your portal using portal user SSSS.D-##.
2. Create a new iView based on the OceanFirst.HelloWorld portal component.

ACLs on Portal Applications 2/2
Change the permissions on a portal component.
1. Log on to your portal using portal user .A-##.
2. As portal user .A-##, withdraw read permissions for the content_admin_role from the HelloWorld portal component.

iView creation 2/2
Testing the creation of a new iView with a modified ACL on the portal application.
1. Log on to your portal using portal user SSSS.D-##.
2. What happens when you try to create a new iView based on the OceanFirst.HelloWorld portal component?

Unit 2 Solution 9

Set Permissions on Portal Applications

Business Example
Content administrators, responsible for portal content creation, often require access to specific applications in the Portal Archive on which to base their iView development.

Note: This exercise requires that you have successfully deployed the OceanFirst portal application (see last exercise).

ACLs on Portal Applications 1/2
Check the permissions on a portal component.
1. Log on to your portal using portal user .A-##.
2. As portal user .A-##, assign read permissions for the content_admin_role to the HelloWorld portal component.
a) Choose System Administration → Permissions → Portal Permissions → Portal Applications → OceanFirst.
b) Right-click HelloWorld and choose Open Permissions.
c) In the Assigned Permissions table, select the content_admin_role.
d) Ensure that the Administrator permission is set to Read.
e) If you have made a change, choose Save and confirm the message regarding permission inheritance.

iView creation 1/2
Testing the creation of a new iView with the default ACL on the portal application.
1. Log on to your portal using portal user SSSS.D-##.
a) Navigate to http://twdfSSSS.wdf.sap.corp:5$$00/irj.
b) Enter the logon details for portal user .D-##.
2. Create a new iView based on the OceanFirst.HelloWorld portal component.
a) Choose Content Administration → Portal Content Management → Portal Applications → OceanFirst.
b) Right-click HelloWorld and choose Copy.
c) Navigate to the PCD folder: Portal Content → → .
d) Right-click the iViews folder and choose Paste as PCD Object. You can now enter the details for the iView.

ACLs on Portal Applications 2/2
Change the permissions on a portal component.
1. Log on to your portal using portal user .A-##.
a) Navigate to http://twdfSSSS.wdf.sap.corp:5$$00/irj.
b) Enter the logon details for portal user .A-##.
2. As portal user .A-##, withdraw read permissions for the content_admin_role from the HelloWorld portal component.
a) Choose System Administration → Permissions → Portal Permissions → Portal Applications → OceanFirst.
b) Right-click HelloWorld and choose Open Permissions.
c) In the Assigned Permissions table, select the content_admin_role.
d) Change the Administrator permission to None.
e) Choose Save.
f) Confirm the message regarding permission inheritance.

iView creation 2/2
Testing the creation of a new iView with a modified ACL on the portal application.
1. Log on to your portal using portal user SSSS.D-##.
a) Navigate to http://twdfSSSS.wdf.sap.corp:5$$00/irj.
b) Enter the logon details for portal user .D-##.
2. What happens when you try to create a new iView based on the OceanFirst.HelloWorld portal component?
a) Choose Content Administration → Portal Content → Portal Applications → OceanFirst. HelloWorld is no longer visible to the SSSS.D-## user after the change to their permissions on this component.

LESSON SUMMARY
You should now be able to:
● Grant access to portal components for content administration activities

Unit 2 Lesson 4

Describing UME Actions

LESSON OVERVIEW
Within your SAP Enterprise Portal, you have to define roles that contain UME actions. A UME action is delivered with an SAP Java application. It defines which actions in the application are allowed. This lesson describes the standard UME actions. Prepare this lesson by performing the exercise.

Business Example
You are using SAP Enterprise Portal. Within your portal, you have to define roles that contain UME actions. You want to learn how UME actions are used to protect Java applications running on your portal.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe UME actions

UME Actions
The SAP User Management Engine (UME) uses actions to enforce authorizations. An action is a collection of Java permissions that defines which activities a user can perform. Java permissions relate to authorization checks that are defined in the coding of the SAP application. UME actions can be assigned to UME roles or portal roles. If a role with a UME action is assigned to a user or group, the user or group gains the authorizations provided by the action.

Figure 36: UME Permissions, Actions, and Roles

Note: Permissions are defined in the Java coding. This is known as programmatic security. Permissions are used to provide access control. Permissions cannot be assigned directly to a user.

An action is a collection of permissions. A Java application defines its own actions and specifies the authorizations in an XML file .xml, such as sap.com_TC~wd~dispwda.xml. Actions are displayed in the UME identity management (located at http://.:/useradmin, for example, http://twdf1234.wdf.sap.corp:53000/useradmin). UME identity management is also known as the UME console. You use the UME identity management to combine these actions into UME roles. UME roles group actions for one or more applications. You can assign UME roles to users or groups in the UME identity management. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions.

Some standard UME actions are delivered with the UME. These actions are defined in the authorization-configuration.xml file. This file is available in the Config Tool (/usr/sap//j/j2ee/configtool/configtool) in the area configtool editor mode → cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → descriptors.
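The chain permission → action → role → user (or group) described above, as an added example that is not part of the SAP course material or of the UME's own code. The actions descriptor, the application, the permission class and the role and user names are all constructed; the descriptor's tag and attribute names only approximate the layout of a UME actions XML file and are an assumption, not something the lesson states.

```python
"""Added example (not SAP code): a model of how UME permissions, actions and roles
relate. A constructed actions descriptor stands in for the XML file an application
ships; its tag and attribute names approximate the real descriptor layout and are
an assumption, not taken from the lesson."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed descriptor for a fictitious reporting application.
ACTIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<BUSINESSOBJECTS>
  <BUSINESSOBJECT NAME="example_reports">
    <ACTIONS>
      <ACTION NAME="Reports_View">
        <PERMISSIONS>
          <PERMISSION CLASS="com.example.ReportPermission" NAME="report" VALUE="read"/>
        </PERMISSIONS>
      </ACTION>
      <ACTION NAME="Reports_Publish">
        <PERMISSIONS>
          <PERMISSION CLASS="com.example.ReportPermission" NAME="report" VALUE="read"/>
          <PERMISSION CLASS="com.example.ReportPermission" NAME="report" VALUE="write"/>
        </PERMISSIONS>
      </ACTION>
    </ACTIONS>
  </BUSINESSOBJECT>
</BUSINESSOBJECTS>
"""

# A Java permission as the application coding checks it: (class, name, value).
Permission = Tuple[str, str, str]


def load_actions(xml_text: str) -> Dict[str, FrozenSet[Permission]]:
    """Action name -> the set of permissions it bundles (the descriptor is the only source)."""
    root = ET.fromstring(xml_text)
    return {
        action.get("NAME"): frozenset(
            (p.get("CLASS"), p.get("NAME"), p.get("VALUE")) for p in action.iter("PERMISSION")
        )
        for action in root.iter("ACTION")
    }


@dataclass
class Ume:
    actions: Dict[str, FrozenSet[Permission]]
    roles: Dict[str, Set[str]] = field(default_factory=dict)        # role -> action names
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user or group -> roles
    groups: Dict[str, Set[str]] = field(default_factory=dict)       # user -> groups

    def create_role(self, role: str, action_names: Iterable[str]) -> None:
        """Roles are built from actions only; a role cannot reference a permission directly."""
        names = set(action_names)
        unknown = names - set(self.actions)
        if unknown:
            raise KeyError(f"actions not defined by any deployed application: {sorted(unknown)}")
        self.roles[role] = names

    def assign_role(self, principal: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(principal, set()).add(role)

    def add_to_group(self, user: str, group: str) -> None:
        self.groups.setdefault(user, set()).add(group)

    def roles_of(self, user: str) -> Set[str]:
        principals = {user} | self.groups.get(user, set())
        return set().union(*(self.assignments.get(p, set()) for p in principals))

    def actions_of(self, user: str) -> Set[str]:
        return set().union(*(self.roles[r] for r in self.roles_of(user)))

    def check_permission(self, user: str, permission: Permission) -> bool:
        """What the application's programmatic check amounts to on the UME side."""
        return any(permission in self.actions[a] for a in self.actions_of(user))


def demo() -> Dict[str, bool]:
    ume = Ume(load_actions(ACTIONS_XML))
    ume.create_role("report_viewer_role", ["Reports_View"])
    ume.create_role("report_editor_role", ["Reports_Publish"])
    ume.add_to_group("alice", "Controlling")
    ume.assign_role("Controlling", "report_viewer_role")   # role reaches alice through her group
    ume.assign_role("bob", "report_editor_role")           # role assigned to the user directly
    read = ("com.example.ReportPermission", "report", "read")
    write = ("com.example.ReportPermission", "report", "write")
    return {
        "alice_read": ume.check_permission("alice", read),
        "alice_write": ume.check_permission("alice", write),
        "bob_write": ume.check_permission("bob", write),
        "carol_read": ume.check_permission("carol", read),  # no role at all
    }
```

The model has no way to hand a permission to a user except through a role that contains an action, which mirrors the note above: the application ships the actions, the administrator only groups them into roles and assigns the roles.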

UME Standard Actions
The UME standard actions can be displayed in the UME identity management (http://.:/useradmin, for example, http://twdf1234.wdf.sap.corp:53000/useradmin). For each role the assigned actions are displayed, and in change mode you can select from all actions available.

Figure 37: UME Actions in the UME Identity Management

Do a demonstration and show the actions assigned to a role, for example, pcd:portal_content/administrator/user_admin/user_admin_role or pcd:portal_content/ administrator/super_admin/super_admin_role.

Lesson: Describing UME Actions

Additionally go to Config Tool (/usr/sap/ Role -> Role from Back End

2. Search for the role or roles that you require, using the Search In dropdown list to select the alias of the back-end system, and the Search For field to define the ID of the role that you want to upload. When you choose Go, all IDs that answer the search criteria are listed in the Available Roles column of the displayed table. The name of each role is displayed as a tooltip on each entry.

Lesson: Uploading Roles from ABAP-Based SAP Systems

Figure 61: New Role from Back End Wizard

3. Select one or more roles for upload. You can use the CTRL key to select multiple roles, and the Select All / Deselect All options in the table selection menu as needed.
4. Add the roles to the Selected Roles list using the Add and Add All buttons, as appropriate.

Note: You can rename a selected role by changing its name in the Role Name column. We also recommend not uploading several roles at one time, because in this case you cannot use role-specific upload parameters, which might be required for individual roles.

5. To add roles from other back-end systems, perform steps 2 to 4 again. The roles that you choose are added to those already in the Selected Roles list.
6. In the Define Settings step, you can define specific (non-default) settings to apply when uploading the roles, such as retaining the defined user mapping, or setting the master language. (At upload, default settings are applied unless otherwise specified.)
7. Choose Start Upload. The upload process begins, and a progress bar tracks the process. For each object uploaded, a message is shown in the Status column of the displayed table. If errors and/or warnings occur, links to the required information are added in the Information column. Clicking the link displays a new browser window with the full list of error and warning messages. When you complete the wizard, the uploaded roles are displayed in the selected Portal Catalog folder.

Unit 4: Integration of SAP Applications

Role Upload Settings
The following general settings are possible during the upload process:

Apply user mapping from back end
Selecting the Apply user mapping from back end checkbox ensures that any user assignment for a role in the ABAP system is carried forward to the portal.

Save role ID from back end as
● Role Name Only: The ID from the ABAP system is not copied to the role name. The short description of the role from the ABAP system appears as the role name in the portal.
● Role Name and ID: The back-end ID is copied to the role name. The role name in the portal is a combination of the short description followed by the ID.
● ID and Role Name: The back-end ID is copied to the role name. The role name in the portal is a combination of the ID followed by the short description.

Master Language
If there is no original language for an object in the back-end system, the object is uploaded in the language defined here. The logon language of the portal is always entered as the default value for the master language. Roles, for example, can have an original language in the back-end system. For transactions, however, the language entered under Master Language is always used.

ID Prefix
You can give the objects that are uploaded and stored in the PCD a prefix ID. If you enter or change an ID, be aware that this setting is valid for the entire portal landscape on all servers. You can thus overwrite the ID that was entered by another administrator.

Note: Note the length of the prefix. If the object ID created for the object exceeds the maximum length of 100 characters, the object cannot be uploaded.

Overwrite existing content
This setting is selected by default. This means that existing objects may be overwritten when they are uploaded.

Post-Upload Recommendations
After the upload of roles you should check the upload log file. You can find the Log Viewer for the role upload at System Administration → Transport → Role Upload.

Figure 62: Log Viewer

After the upload, we recommend that you use the portal as your main system for role creation and maintenance. The aim of the upload is to initially transfer all role content of the ABAP-based system, including the role menu information, to the portal. As soon as your single and composite roles and their entire content are located in the portal, no further uploads are necessary. From then on, you should no longer create your roles in the ABAP-based back-end system and upload them to the portal. Instead, you should use the portal administration tools for all actions involved in creating and managing roles. What remains to be done in the ABAP-based system? The ABAP-based system will still be used for providing authorization profiles and creating new profiles. SAP Enterprise Portal has no central authorization concept that could also generate the authorization profiles required to execute iViews and transactions running in an ABAP-based system; the portal does not offer the possibility of generating authorization profiles. After you have uploaded the ERP content to the portal, the relevant authorization profiles remain in the ERP system and can be accessed from the portal.

Note: This means that if you leave role content and user authorizations as uploaded, you need to take no further actions. However, as soon as you make changes in the portal, for example, by changing user assignments or role definitions, you must adjust the authorization profiles and user assignments in the ABAP-based system accordingly.

Unit 4 Exercise 16

Upload Roles from an ABAP-Based System

Business Example
You want to use existing role definitions of an ABAP-based SAP system in SAP Enterprise Portal. The following requirements exist for this exercise:
● There is a system in the system landscape that has been defined to point to xCC. The alias for this system is either DCCCLNT100 or QCCCLNT100.
● SSO has been set up between xEP and xCC (for example, DEP is trusted by DCC).
● There is an ABAP role in the xCC system called EP200_ABAP_ROLE. This might need to be created using transaction PFCG. Optionally it can be assigned to .e-xx in the ABAP system.
● A back-end role has been created. Use the operating system to log on to the xCC system as .A-## and use transaction PFCG to upload a role definition file that can be found at the following location: d:\TrainingSetup\EP200 role

1. Log on to your portal using portal user .A-##.
2. Upload the EP200_ABAP_ROLE role to the portal.
To view the imported structure, navigate to Content Administration → Portal Content Management → Portal Content → → Group## → Roles. Right-click the role and choose Open → Role. If user mapping was selected, you can use the User Administration tool to check that the correct user-to-role assignment has occurred.

Unit 4 Solution 16

Upload Roles from an ABAP-Based System

Business Example
You want to use existing role definitions of an ABAP-based SAP system in SAP Enterprise Portal. The following requirements exist for this exercise:
● There is a system in the system landscape that has been defined to point to xCC. The alias for this system is either DCCCLNT100 or QCCCLNT100.
● SSO has been set up between xEP and xCC (for example, DEP is trusted by DCC).
● There is an ABAP role in the xCC system called EP200_ABAP_ROLE. This might need to be created using transaction PFCG. Optionally it can be assigned to .e-xx in the ABAP system.
● A back-end role has been created. Use the operating system to log on to the xCC system as .A-## and use transaction PFCG to upload a role definition file that can be found at the following location: d:\TrainingSetup\EP200 role

1. Log on to your portal using portal user .A-##.
a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
b) Log on as portal user .A-##.
2. Upload the EP200_ABAP_ROLE role to the portal.
a) Choose Content Administration → Portal Content Management → Portal Content → → Group##.
b) Right-click Roles and choose New → Role → Role from Back End.
c) On the Select Roles screen, in the Search in: field, choose your system alias, DCCCLNT100 or QCCCLNT100, from the dropdown list.
d) In the Search for: field, enter EP200*.
e) Choose Go.
f) Select the EP200_ABAP_ROLE.
g) Choose the Add button.
h) Choose Next.
i) On the Define Settings screen, you have the option to define settings for the upload. Selecting the Apply user mapping from back end check box ensures any user assignment for a role in the ABAP system is carried forward to the portal. Any user who had that role in the ABAP system will have that role in the portal also once the upload is complete. Selecting the Overwrite existing content check box overwrites any previous version of this role on the portal. When you have defined the settings, choose Start Upload.
j) On the Upload status screen, you can see the progress of the upload and any messages relating to it. When the upload is complete, choose Finish.
To view the imported structure, navigate to Content Administration → Portal Content Management → Portal Content → → Group## → Roles. Right-click the role and choose Open → Role. If user mapping was selected, you can use the User Administration tool to check that the correct user-to-role assignment has occurred.

LESSON SUMMARY
You should now be able to:
● List the requirements to perform an SAP role upload
● Define the settings for role upload
● Upload roles from an ABAP-based system

Unit 4 Learning Assessment

1. In the context of portal systems, what does the term “system alias” refer to?

2. When SSO is realized with SAP Logon tickets, to upload a role/user assignment from the SAP back-end system, the users in the portal and in the back-end system must have corresponding users. Determine whether this statement is true or false. X

True

X

False

3. In the context of uploading a role from an ABAP system, match these Save role ID from backend as options with their description. Match the item in the first column to the corresponding item in the second column.
Options:
● Role Name Only
● Role Name and ID
● ID and Role Name
Descriptions:
● The ID from the ABAP system is not copied to the role name. The short description of the role from the ABAP system appears as the role name in the portal.
● The back-end ID is copied to the role name. The role name in the portal is a combination of the short description followed by the ID.
● The back-end ID is copied to the role name. The role name in the portal is a combination of the ID followed by the short description.

Unit 4 Learning Assessment - Answers

1. In the context of portal systems, what does the term “system alias” refer to?
A system alias is a name by which portal components can reference a specific system.

2. When SSO is realized with SAP Logon tickets, to upload a role/user assignment from the SAP back-end system, the users in the portal and in the back-end system must have corresponding users. Determine whether this statement is true or false.
X True
X False

3. In the context of uploading a role from an ABAP system, match these Save role ID from backend as options with their description. Match the item in the first column to the corresponding item in the second column.
Options:
● Role Name Only
● Role Name and ID
● ID and Role Name
Descriptions:
● The ID from the ABAP system is not copied to the role name. The short description of the role from the ABAP system appears as the role name in the portal.
● The back-end ID is copied to the role name. The role name in the portal is a combination of the short description followed by the ID.
● The back-end ID is copied to the role name. The role name in the portal is a combination of the ID followed by the short description.

UNIT 5

Solution Management

Lesson 1: Monitoring the Portal (page 223)
Exercise 17: Monitor SAP NetWeaver AS Java (page 243)
Exercise 18: Register a System with the Central Monitoring System (page 247)
Lesson 2: Analyzing the SAP NetWeaver Log Viewer and the Monitoring Service (page 251)
Exercise 19: Analyze the SAP NetWeaver Log Viewer and the Monitoring Service (page 257)
Lesson 3: Configuring Availability Monitoring for the Portal (page 262)
Exercise 20: Configure Availability Monitoring for the Portal (page 267)
Lesson 4: Configuring Specific Portal Monitoring Features (page 276)
Exercise 21: Create a Portal Activity Report (page 279)
Lesson 5: Creating Broadcast Messages (page 285)
Lesson 6: Using the Support Tools (page 290)
Exercise 22: Use the Support Tools (page 293)
Lesson 7: Transporting Portal Content (page 297)
Exercise 23: Set Up Change Recording in the Development and Quality Assurance Portals (page 321)
Exercise 24: Transport Portal Content Using Enhanced CTS (page 325)
Lesson 8: Describing Backup and Restore Strategies (page 335)

Unit 5: Solution Management

UNIT OBJECTIVES
● Monitor the portal
● Analyze the SAP NetWeaver Log Viewer and the Monitoring Service
● Configure availability monitoring for the portal
● Use TREX for monitoring
● Create a portal activity report
● Use the activity data collector
● Describe the process of creating broadcast messages
● Use the support tools
● Explain the purpose of the enhanced Change and Transport System (CTS)
● Describe the architecture for enhanced CTS
● Describe the configuration of enhanced CTS
● Configure the TDC system import process
● Configure the TDC system export process
● Configure the system landscape of the TDC system
● Configure the portal systems
● Transport portal content using enhanced CTS
● List the SAP Enterprise Portal components requiring a backup and recovery solution

Unit 5 Lesson 1

Monitoring the Portal

LESSON OVERVIEW
You can use various tools to monitor the SAP Enterprise Portal. You can find most collected monitoring data locally in the environment of SAP Enterprise Portal or in a central monitoring system. This lesson provides an overview of the available monitors.

Business Example
You are using SAP Enterprise Portal and want to react quickly if errors occur. For this reason, you have decided to set up monitoring with SAP resources.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Monitor the portal

Monitoring Overview
Monitoring a system landscape is a complex task of significant importance for every company that operates one or more SAP systems. SAP Enterprise Portal is a very important component within the landscape of a modern IT system architecture. This component must be monitored, as both a gradual reduction in performance and a sudden breakdown could affect productivity. There are different tools available to monitor SAP Enterprise Portal. With the monitoring architecture of the CCMS (Computing Center Management System), SAP provides a flexible and universally usable infrastructure with which you can monitor your entire IT landscape centrally, and which reports problems quickly and reliably. The CCMS in the Solution Manager or in AS ABAP (transaction RZ20) ensures central and efficient monitoring of SAP Enterprise Portal. Log data is displayed and analyzed centrally in the Log Viewer (a service of the AS Java). Specific monitor data can be monitored directly in the portal. These areas are listed in the figure below and will be explained in further sections or lessons:

Figure 63: Portal Monitoring Overview

Each CCMS agent can analyze log files for a given text string and pass the results to the monitoring architecture as an alert. Additionally, the log files (portal logs and system logs) are displayed centrally in the Log Viewer. These features are supported by TREX, Portal Framework, and Content Management (CM). Operating system monitoring implemented with SAPOSCOL allows you to monitor the following resources:
● virtual memory
● physical memory
● CPU
● file system management
● processes
● hard disk
● network

SAPOSCOL data can be transferred to a central monitoring system using CCMS agent technology. SAPOSCOL can be installed on each available server in your system landscape. Operating system data is provided to the monitoring framework via shared memory by the SAP Host Agent. The Availability Monitoring area (heartbeats) can be used to check the availability of portal back-end systems, the Portal Framework, AS Java, TREX and URL links centrally. These heartbeats are triggered using the GRMG (Generic Request and Message Generator) infrastructure within AS ABAP. The Portal Activity Report allows the portal administrator to gather and present information about the activities of portal users and how they use portal content, such as iViews and pages. This tool is available for Portal Framework and Content Management (CM). For more information about monitoring, see SAP Community Network, Quick Link /docs/DOC-8335.

Lesson: Monitoring the Portal

Monitoring Infrastructure
The monitoring in SAP NetWeaver AS Java is based on the standard Java Management Extensions (JMX). JMX provides a new, flexible administration infrastructure that is used for the monitors. The JMX infrastructure allows different resources to register as suppliers of monitoring data. Through the JMX API, data is made available for resources of all server components (services, interfaces, libraries, and managers) and applications using MBeans. The data of the JMX monitors is stored in the monitoring segment. Since JMX is a standard, external tools can also access the monitoring data. The external tools connect through the JMX API and can display all current values in the JMX monitors. They can also create, delete, and change groups, as well as install and uninstall monitor nodes. The JMX infrastructure is provided by the JMX Adapter service.

Figure 64: Monitoring Infrastructure

During the start of the sapstartsrv the monitoring segment is created. The data collector of the AS Java stores the current status and open alerts of the monitoring objects in the monitoring segment. Completed alerts are removed from the monitoring segment. The data in the monitoring infrastructure is grouped in several areas such as Kernel, Services, Performance and Applications.
● Kernel: Status information for the managers registered for monitoring is displayed under the Kernel entry.
● Performance: The Performance area displays available data about performance measurements of the SAP NetWeaver AS Java, for example, communication to external systems.
● Services: Status information for the services registered for monitoring is displayed under the Services entry.
● Applications: This branch contains information about the status of applications that are running on the SAP NetWeaver AS Java and for which monitoring functions are implemented in the coding. This is a configurable type of monitor, since you can specify which information is displayed in the monitor for your own applications. An application developer usually creates his or her own monitors and objects under the Applications branch. The other monitor branches, such as Kernel, System, and so on, are reserved for data that is directly and automatically collected by the system. The monitor Table Buffer is always displayed in the Applications area along with other items.

There are various tools for working with the monitoring data.

Figure 65: Monitoring - Tools

RZ20
Transaction RZ20 in a CEN (central monitoring system) is a powerful tool to monitor multiple SAP systems and their operating systems. You can set up additional notifications in case of alerts and auto-reaction methods there. Beyond that, you are able to view the current status and open alerts of monitoring attributes. You can maintain thresholds and complete open alerts. RZ20 reads its information from the monitoring segment of the AS Java, which means that, for example, performance issues of the AS Java do not affect the monitoring and alerting in the CEN system.

SAP MC and SAP MMC
With the SAP MC and SAP MMC you are able to view the current status and open alerts of monitoring attributes. The SAP MC and SAP MMC communicate directly with the sapstartsrv and read the information from the monitoring segment of the AS Java; here too, performance issues of the AS Java do not affect the monitoring and alerting.

System Overview
The system overview is available in two versions. One version is available in the SAP NetWeaver Administrator and the other is available via sapstartsrv (this is called the offline system overview). The system overview gives you a graphical overview of the current status of some monitoring attributes and their values. The system overview in the SAP NetWeaver Administrator provides navigation to expert functions in the SAP NetWeaver Administrator for the displayed attributes.

Monitoring Browser
The monitoring browser is available in the SAP NetWeaver Administrator. It shows the current status of the monitoring attributes, and you can maintain thresholds and activate or deactivate monitoring attributes.

System Overview Monitoring

Figure 66: Monitoring with the System Overview

The system overview is available in two versions. You can access the System Overview in the SAP NetWeaver Administrator in the work center Availability and Performance, in the work set System Overview. You can access the offline System Overview via the URL http://twdfxxxx.wdf.sap.corp:5$$13/ctsv/SystemOverview.html. Both versions show the current values of the displayed monitoring attributes. In the System Overview of the NWA you can navigate to other functions by clicking the monitoring attribute; this is not possible in the offline System Overview. As shown in the figure above, for the selected attribute a Help link to the online documentation is available, as well as links for View History (History Reports), Configure Thresholds (Monitoring Browser) and Manage User Sessions (Session Management). The options can vary for every monitoring attribute.

Show the different types of monitors. Demonstrate how to change the threshold for the response time. Be aware that there is no yellow color for this monitoring attribute in the System Overview; there is only grey or red.
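The behaviour of the monitoring segment described in this lesson, as an added example that is not part of the SAP course material or of the AS Java's own monitoring code: a Python model in which the data collector stores each attribute's current value and open alerts, a threshold change takes effect on the displayed status while an already open alert stays until it is completed, inactive attributes show grey, and a two-state attribute like the System Overview response time knows only grey or red. Attribute names, threshold values and the collected values are constructed.

```python
"""Added example (not SAP code): a model of the monitoring segment described in the
lesson. The data collector stores each attribute's current value and its open alerts,
completed alerts are removed from the segment, thresholds can be reconfigured, and an
attribute such as the System Overview response time knows only grey or red, no yellow.
Attribute names and threshold values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GREY, GREEN, YELLOW, RED = "grey", "green", "yellow", "red"


@dataclass
class Attribute:
    name: str
    red_threshold: float
    yellow_threshold: Optional[float] = None
    two_state: bool = False   # True: only grey (ok / no data) or red, as for the response time
    active: bool = True       # inactive attributes show grey and are never evaluated
    value: Optional[float] = None

    def status(self) -> str:
        if not self.active or self.value is None:
            return GREY
        if self.value >= self.red_threshold:
            return RED
        if self.two_state:
            return GREY
        if self.yellow_threshold is not None and self.value >= self.yellow_threshold:
            return YELLOW
        return GREEN


@dataclass
class Alert:
    attribute: str
    value: float


@dataclass
class MonitoringSegment:
    attributes: Dict[str, Attribute] = field(default_factory=dict)
    open_alerts: List[Alert] = field(default_factory=list)

    def register(self, attribute: Attribute) -> None:
        self.attributes[attribute.name] = attribute

    def collect(self, name: str, value: float) -> str:
        """Data collector: store the value; open one alert when the status turns red."""
        attr = self.attributes[name]
        attr.value = value
        status = attr.status()
        if status == RED and not any(a.attribute == name for a in self.open_alerts):
            self.open_alerts.append(Alert(name, value))
        return status

    def configure_threshold(self, name: str, red: Optional[float] = None,
                            yellow: Optional[float] = None) -> str:
        """Threshold change as done in the Monitoring Browser; open alerts stay until completed."""
        attr = self.attributes[name]
        if red is not None:
            attr.red_threshold = red
        if yellow is not None:
            attr.yellow_threshold = yellow
        return attr.status()

    def complete_alert(self, name: str) -> int:
        """Completing an alert (for example in RZ20) removes it from the segment."""
        before = len(self.open_alerts)
        self.open_alerts = [a for a in self.open_alerts if a.attribute != name]
        return before - len(self.open_alerts)

    def overview(self) -> Dict[str, str]:
        """What the System Overview shows: the current status per attribute."""
        return {name: attr.status() for name, attr in self.attributes.items()}


def demo() -> Dict[str, object]:
    seg = MonitoringSegment()
    seg.register(Attribute("ResponseTime[ms]", red_threshold=2000, two_state=True))
    seg.register(Attribute("HeapUsage[%]", red_threshold=90, yellow_threshold=75))
    seg.register(Attribute("ActiveSessions", red_threshold=500, yellow_threshold=400, active=False))
    heap = seg.collect("HeapUsage[%]", 80)                              # yellow
    resp_ok = seg.collect("ResponseTime[ms]", 1500)                     # grey: below red, no yellow exists
    resp_red = seg.collect("ResponseTime[ms]", 2500)                    # red: alert opened
    alerts_open = len(seg.open_alerts)                                  # 1
    after_cfg = seg.configure_threshold("ResponseTime[ms]", red=3000)  # grey again, alert still open
    still_open = len(seg.open_alerts)                                   # 1
    completed = seg.complete_alert("ResponseTime[ms]")                  # 1 alert removed
    return {"heap": heap, "resp_ok": resp_ok, "resp_red": resp_red, "alerts_open": alerts_open,
            "after_cfg": after_cfg, "still_open": still_open, "completed": completed,
            "overview": seg.overview()}
```

The split between status (recomputed from the current value and thresholds) and open alerts (kept until someone completes them) is the detail worth noticing: raising a threshold makes the System Overview turn grey or green again, but the alert that was raised stays visible in RZ20 or the SAP MMC until it is completed.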

To Activate a Monitoring Attribute

Note that not all monitoring attributes are activated by default. To activate a monitoring attribute, proceed as follows:

1. As portal user .A-##, log on to SAP NetWeaver Administrator (URL http(s):// .:/nwa, for example, http://twdfSSSS.wdf.sap.corp:5$$00/nwa).
2. Choose Availability and Performance → Resource Monitoring → History Reports → Reports → Monitor Browser.
3. In the Show field, select Inactive/Not used from the dropdown list.


4. Filter for the attribute you want to activate.
5. In the Monitoring List table, select the attribute row and choose Activate.
6. In the Show field, select Active/Used from the dropdown list.
7. Filter for the attribute you activated.
8. Select the attribute row. In the Monitor Details for: area, you should find a current value for the selected monitoring attribute.

Transfer of Monitoring Data to a Central Monitoring System

On the SAP NetWeaver AS Java, there is a monitoring infrastructure that collects various data, which is displayed in the monitoring browser of the SAP NetWeaver Administrator (NWA). You can display this data in a central SAP monitoring system by connecting the AS Java to the central monitoring system (called CEN here). When the SAP NetWeaver AS Java starts, JMX monitors are created. They deliver data for runtime monitoring. To deliver the data to the CEN, the SAP NetWeaver management agents are used. The SAP NetWeaver management agents are used to administer and monitor SAP NetWeaver components. They are automatically installed and started during the installation of any SAP NetWeaver component as of release SAP EHP2 for SAP NetWeaver 7.0 (7.02 for short) or SAP NetWeaver 7.1. There are two types of agents, depending on the associated component: the host agent and the instance agent. One host agent runs for each monitored host (including hosts on which one or more instance agents are running). An instance agent runs for each monitored instance.

Figure 67: Monitoring Data Transfer from AS Java to CEN

Point out that the CEN must be at least release 7.01 and the monitored system at least 7.02 or 7.10.

The SAP NetWeaver management agent sapstartsrv contains the functionality for different central monitoring functions. The functions of the CCMS agents (SAPCCMSR, SAPCCM4X) are integrated into sapstartsrv as a static library for this purpose; the CCMS agents are therefore no longer needed as standalone executables as of SAP NetWeaver 7.02. The monitoring functions are started in a separate thread within sapstartsrv. This thread connects to the monitoring segment in the shared memory of the monitored instance. Applications can access the monitoring functions of sapstartsrv through a Web service interface. This interface replaces the RFC server part of the CCMS agent. An application (usually an ABAP or dual-stack system) can register as a central monitoring system (CEN). The registration is performed using a protected Web service. During the registration, the caller sends sapstartsrv information about the CEN and the logon data for the CSMREG user. An SAP NetWeaver management agent communicates with CEN in the following way:

● As a Web service, it provides access to the data in the monitoring segment. This access is used, for example, in transaction RZ20.

● As an RFC client, it independently sends alerts and values for the monitoring attributes to the CEN (push technology). This data is then stored in a cache there to allow the system to display it more quickly, or it triggers central auto-reaction methods there. This improves performance, since CEN no longer needs to periodically query the agents.

Hint: In addition to system monitoring, the SAP Solution Manager provides further functions.

System Landscape Monitoring Using the Monitoring and Alerting Infrastructure

To access the monitoring and alerting infrastructure (MAI), call transaction SM_WORKCENTER and open the Technical Monitoring work center. By default, SAP delivers many queries for system types including ABAP, Java, MDM, and more. If the standard queries do not meet your needs, you can define your own queries. Within a query you can also filter by system IDs or system types, depending on what you want to display, such as SAP HANA database, Sybase Unwired Platform, TREX, external services, or Microsoft Information Services. To start System Monitoring, open the Technical Monitoring work center and choose System Monitoring from the navigation area. Select the managed object or managed objects you want to view, then choose System Monitoring to launch the application. Alternatively, you can choose Workstation to launch the CA Wily Introscope workstation. When you open System Monitoring, the system list displays a summary of your selected systems. It also displays the category (Availability, Performance, Configuration, or Exception) in which the highest alert has been triggered. Selecting the product version displays the system hierarchy, which is the graphical system monitoring application. Here you can navigate through individual metrics and their state either in the graphical tree or in the tree hierarchy, as shown in the figure.


Figure 68: System Monitoring - System List and Hierarchy

From here you can access the landscape information, change the configuration for this managed object, or access the problem analysis function. You can also display the metric monitor, as shown in the figure.

Figure 69: System Monitoring - Metric Monitor

The data shown in the metric monitor is stored in the SAP BW system. The length of time the data is stored is determined during system monitoring configuration. You can choose whether to use the monitor with or without thresholds, change the graphical view to a table, and define the period you want to evaluate. Selecting a point in the graphic displays the tool tip, which shows you the single value and the time stamp of this point. To select another time frame, enter a start and end date for the data, then shift the time scale on the bottom of the graphic to select the new time frame. Examples of additional functions of the MAI follow.


Figure 70: End-User Experience Monitoring

Figure 71: BI Monitoring

Figure 72: Interface Channel Monitoring

Analysis of Metrics with Interactive Reporting

The following sections discuss how to access information using interactive reporting.


To Set Up Interactive Reporting

The metrics collected by the new monitoring and alerting infrastructure are transferred to a business warehouse. The most important metrics have been selected for interactive reporting, and reports have been created that provide you with a quick and comprehensive overview of the status of your managed objects in the following areas:

● Availability
● Performance
● Exceptions
● Capacity
● Usage

1. Log on to SAP Solution Manager with your user name and password.
2. On the SAP Easy Access screen, call transaction SOLMAN_SETUP.
3. In the navigation area, choose Technical Monitoring.
4. In the Technical Monitoring wizard, open the 2.4 Reporting - Settings tab.
5. Choose Edit. The health check results of the BI-based reporting are displayed, so you can see whether the conditions for activating BI-based reporting are met. These conditions include:
   ● BI client setup
   ● working RFC connections between BI and SAP Solution Manager
   ● ICF service availability
   ● error-free health checks
6. If the health checks are error-free, in the BI Content Activation area, choose Start. Watch the result in the Log display. The BI Content activation job is scheduled, and the BI Content activation should complete successfully.

To Define the Lifetime of Data in Interactive Reporting

You can define the lifetime of metrics in the BI.

1. In the Technical Monitoring setup wizard, open the Housekeeping tab. The lifetime of the metrics in the BI is displayed in the upper part of the screen, and the lifetime of alerts and events in the alert store and event store is displayed in the lower part of the screen.
2. Check the default values and decide whether they are sufficient for your needs. The metrics stored with the default settings build a pool for the interactive reports, so you should only change the lifetimes if you have a dedicated need to do so. If you change the default settings, you can restore them later.
3. Open the Define Scope tab.
4. Select all the systems or scenarios for which you want to activate reporting. You can select several systems at once with the CTRL key.
5. Open the Reporting tab.
6. Select the systems for which you want to activate the reporting and choose Activate.

The collection settings can be fine-tuned at metric level, which can be useful if you want to create your own queries. You do this fine-tuning in the BI Diagnostic Center, which you access by opening a report in the Technical Monitoring work center, choosing Data Quality, and then choosing Reporting Scenarios → System Reporting → Scenario Setup.

Interactive Reporting Outputs

You can display interactive reports for the following object types:

● Systems
● Hosts
● Databases
● Scenarios - Performance and availability values of End-User Experience Monitoring

To Display a Report

1. In the Technical Monitoring work center, open the Interactive Reporting area and choose Systems from the Type Selection.
2. Select a system from the list or open a tab for a specific system.
3. Choose System Reports → Start Embedded or System Reports → Start New Window. The system report contains an overview report of all systems, ABAP and Java, of the selected SID, as well as system-specific reports. If the data quality is poor, choose Data Quality to display the data providers; this takes you to the BI Diagnostic Center, where you can perform troubleshooting.

System Report Overview

Figure 73: Interactive Reporting Overview Screen


As the figure shows, the reports on the Overview tab give an overview of multiple systems. For each report, one value is displayed for each system; that is, instead of seeing the development over time of the metrics displayed in these reports, you see an average value for the selected time period. The metrics display both graphically and in a table, as shown in the figure.

Figure 74: Example of a Response Time Distribution Report

The reports provide you with a comparison of the most important metrics for your relevant administered systems, so you can quickly identify outliers for particular metrics. You can then use the respective reports for the individual systems to perform a more detailed investigation. The following reports are displayed:

● System Availability
● Response Time
● Response Time Distribution
● CPU Utilization
● Database Utilization
● Logons
● User Activity

System-Specific Reports

As this figure shows, the system-specific reports span various periods, from the present day to the previous year, so you can see both the current and long-term development of performance values. The values for each period are automatically displayed in the appropriate level of detail.


Figure 75: Example of a DB Performance Report

The following reports are available for a Java-based system:

● Availability
● Performance
● Capacity
● Usage

Each report has an overview display and a details display. When you open a report, the development of the displayed metric is shown for the relevant system: you can see a mean value for all instances of the system. However, in the overview display you can also display specific instances or nodes by selecting them in the instances or nodes areas and choosing Filter. The details display shows the 10 nodes of the selected system with the highest values for the displayed metric. You can also filter by hosts and instances. You can also start the Metric Monitor, as shown.

Figure 76: Interactive Reporting Metric Monitor


Here you can choose from instance views and select the metric you are interested in with the help of a dropdown menu. You can also use the Show Trend button to view the trend analysis for the selected metric.

Interactive Reports for Scenarios

In the reports for scenarios you can display the most important performance and availability values of End-User Experience Monitoring (EEM). An EEM scenario contains one or more technical systems that are relevant for a business scenario. EEM is explained in detail in course E2E120.

Customer-Specific Reports

If you define your own queries for interactive reporting, you can create customer-specific reports, which enhances interactive reporting. To create your own reports you need the following applications:

● BEx Query Designer
● BEx Web Applications Designer

Figure 77: BEx Query Designer

The main steps for creating customer-specific reports are:

1. Create a query.
2. Put the query in a web template.
3. Include the new web template in interactive reporting.

For more information about creating your own reports, see the online documentation SolMan 7.1 Technical Monitoring Interactive Reporting Creating Your Own Queries for Interactive Reporting. If you have already created your own queries for IT performance reporting in the context of SAP Solution Manager 7.0 EHP1, you can use them for interactive reporting provided you edit them as described in the documentation. Creating your own queries is also discussed in detail in course E2E120.

Self-Monitoring of BI-Based Reporting – The BI Diagnostic Center

The BI Diagnostic Center is available to support you in troubleshooting and administering BI-based reporting. The status of the connections between the SAP Solution Manager system and the associated BW is shown here; you can also see the current status of BI-based reporting, broken down by the different scenarios. This status includes the following information:

● Overall Status: Do problems affect the functioning of the scenario?
● Status of the Data Loading: Is this scenario being provided with data from all managed systems? Are the RFC destinations in the managed systems functioning correctly?
● Used Storage in the Database: How much space is required by the reporting data collected for this scenario in BW?
● Result of the Self-Checks: Do problems affect the correct functioning of the scenario? If problems occur, the cause and consequences are described in detail, together with options for solving the relevant problem.

Access the BI Diagnostic Center

You can access the BI Diagnostic Center from the Administration of SAP Solution Manager work center by choosing Infrastructure → BI Reporting. Alternatively, you can access it by choosing Data Quality in the Interactive Reporting view.

Figure 78: BI Diagnostics Center

As the figure shows, the display is divided into the following areas:

● BI Status
● Reporting Scenarios
● Self-Check

For BI-based reporting to function correctly, RFC destinations are required in both directions between the SAP Solution Manager system and the associated BW. The status of these destinations, which are created in the SAP Solution Manager configuration, is displayed in the BI Status area. You can also edit the RFC destinations. By default, this area is collapsed if there are no problems with the RFC destinations. You can also find details on the overall storage requirement and the fill level of the BI database.


The Data Load area displays a table of all scenarios that report values to the self-monitoring. If a data load was not performed successfully and the settings of an RFC destination require editing, you can edit the connection on the Data Loading tab. To edit the connection, choose Edit in the Connection column of the system in question. You are then logged on to the system and directed to the settings of this RFC destination. Many self-checks are performed to check the prerequisites for correct functioning of the relevant scenario. By default, the Self-Check tab is collapsed if all self-check scenarios report a green status. If the corresponding node is expanded, one or more messages are displayed below each associated check. By default, the messages for a particular check are expanded if a problem was found during the check. Most messages also contain a long text, which you can display below the message by choosing the relevant button. The long texts contain a detailed description of what was tested and, where a problem was discovered, information about the cause and consequences of the problem and ways to solve it. If you have solved the problem, you can repeat the check at any time by choosing Check Again. To perform all checks again, choose Refresh on the Reporting Scenarios tab page.

Use of Dashboards to Access Key Reports

The following sections explain how to access information using the standard dashboards delivered with SAP Solution Manager.

SAP Solution Manager Standard Dashboards

Dashboards can display large amounts of information in a concise form, giving you a quick overview of important topics. SAP Solution Manager 7.1 provides a dashboard framework composed of three main components: the dashboard itself, dashboard apps, and configuration apps. You can call dashboards directly from a work center. Small images of the available apps are then displayed in a single screen, and you choose individual apps to expand them. You can configure a dashboard by adding additional apps, changing the order of the apps, or removing apps you do not need (see Configuring Dashboards for more information). The dashboard apps output information. All the relevant information of an app is displayed without further user input. Most delivered apps have a configuration app, with which you can adjust the app to your requirements, such as specifying headers or other texts to be displayed, or changing the app data. SAP provides dashboards and apps about various topics in various work centers. Apart from using and configuring the dashboards and apps delivered by SAP, you can also change the layout of existing apps or create your own apps and register them in the Dashboard Framework. The Business Warehouse is the source of the data for most dashboards, but you can also provide the required data at a BAdI interface. You create the user interface of the apps with the program Dashboard and Presentation Design (Xcelsius), an SAP BusinessObjects product. Dashboards require no specific setup, but the associated application requires configuration to collect the data displayed by the apps. For example, the End-User Experience Monitoring (EEM) and Alert Management Reporting dashboards use the monitoring and alerting infrastructure data in the Business Warehouse. To use these apps, set up Technical Monitoring in the SAP Solution Manager setup (transaction SOLMAN_SETUP).


Advantages of the Dashboard View

● They allow you to see several reports in one view.
● The arrangement of your reports and their content can be changed easily.
● Several report instances can be created out of a single dashboard application.
● Reporting applications can be created using Xcelsius technology.
● The dashboard framework accommodates customer-developed applications.

Since 2011, SAP has delivered dashboards for the following areas:

● Technical operations - This dashboard shows the availability and performance of your managed systems.
● End-User Experience Reporting - This dashboard shows the availability and performance of your technical scenarios from End-User Experience Monitoring.
● Alert Management Reporting - This dashboard shows the number and distribution of alerts, support messages, and the processing time of alerts, in your managed systems.

The Dashboard for Alert Management

The dashboard for Alert Management (ALM dashboard) gives you a quick overview of the occurrence of alerts in your managed systems. The ALM dashboard displays important metrics, such as the number and distribution of alerts, support messages, and the processing times of alerts. You can specify the period for which you want to display the data. You can draw conclusions about the status and correct functioning of your managed systems from the occurrence, distribution, and processing time of these alerts. The ALM dashboard gives you an overview of important metrics for a time period you specify, such as the number of alerts, number of incidents, and the total alert time.

● Number of Alerts: The number of alerts for the selected period is displayed. By default, an app is displayed in the dashboard that shows the number of alerts broken down by alert types and managed objects.
● Number of Incidents: Displays the number of support messages for the selected period. Again, by default, an app is displayed in the dashboard that shows the number of support messages broken down by alert types and managed objects.
● Total Alert Time: The total of the validity periods of all alert groups for the selected period is displayed, broken down by alert types and managed objects. An alert group combines all alert instances of the same alert type on the same managed object that occur immediately after each other without interruption. The validity period of an alert group therefore starts with the first occurrence of the alert and ends with the confirmation of the associated alerts.

The ALM dashboard does not require any separate configuration; once you have set up technical monitoring and interactive reporting, the dashboard is available to you, and is provided with the required data.
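The alert-group rule behind the Total Alert Time metric (same alert type on the same managed object, no interruption, validity from first occurrence to confirmation) is easier to reason about as a small model. The following Python is an added example and not SAP code or part of the course material; the managed-object names, alert types, timestamps and the treatment of unconfirmed alerts as "still open until the evaluation time" are assumptions.

```python
"""Alert groups and Total Alert Time as described for the ALM dashboard.
Added example, not SAP code: managed objects, alert types and times are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AlertInstance:
    managed_object: str               # e.g. system ID of the monitored system (constructed)
    alert_type: str                   # e.g. the metric that raised the alert (constructed)
    occurred_at: datetime
    confirmed_at: Optional[datetime]  # None: alert not yet confirmed


@dataclass
class AlertGroup:
    managed_object: str
    alert_type: str
    start: datetime          # first occurrence of the alert
    end: Optional[datetime]  # confirmation of the last associated alert; None while open
    instances: int

    def validity(self, now: datetime) -> timedelta:
        # Assumption: an open group is counted up to the evaluation time of the query.
        return (self.end or now) - self.start


def build_alert_groups(instances: Iterable[AlertInstance]) -> List[AlertGroup]:
    """Merge alert instances of the same type on the same managed object that follow
    each other without interruption, i.e. the next instance occurs before the
    previous ones have all been confirmed."""
    by_key: Dict[Tuple[str, str], List[AlertInstance]] = defaultdict(list)
    for inst in instances:
        by_key[(inst.managed_object, inst.alert_type)].append(inst)

    groups: List[AlertGroup] = []
    for (obj, atype), insts in sorted(by_key.items()):
        current: Optional[AlertGroup] = None
        for inst in sorted(insts, key=lambda i: i.occurred_at):
            uninterrupted = current is not None and (
                current.end is None or inst.occurred_at <= current.end)
            if not uninterrupted:
                current = AlertGroup(obj, atype, inst.occurred_at, inst.confirmed_at, 1)
                groups.append(current)
                continue
            current.instances += 1
            # The group stays open while any of its alerts is unconfirmed; otherwise its
            # validity period ends with the latest confirmation.
            if current.end is not None:
                current.end = (None if inst.confirmed_at is None
                               else max(current.end, inst.confirmed_at))
    return groups


def total_alert_time(groups: Iterable[AlertGroup],
                     now: datetime) -> Dict[Tuple[str, str], timedelta]:
    """Total Alert Time broken down by managed object and alert type."""
    totals: Dict[Tuple[str, str], timedelta] = defaultdict(timedelta)
    for g in groups:
        totals[(g.managed_object, g.alert_type)] += g.validity(now)
    return dict(totals)


T0 = datetime(2014, 3, 10, 8, 0)  # constructed reference time, 08:00
SAMPLE_ALERTS = [
    AlertInstance("EP1", "Used Memory Rate", T0, T0 + timedelta(minutes=30)),
    # Raised again while the first alert was still open: same group, extended to 08:45
    AlertInstance("EP1", "Used Memory Rate", T0 + timedelta(minutes=20),
                  T0 + timedelta(minutes=45)),
    # Raised after the group was confirmed: a new group, 10:00 to 10:10
    AlertInstance("EP1", "Used Memory Rate", T0 + timedelta(hours=2),
                  T0 + timedelta(hours=2, minutes=10)),
    # Still unconfirmed: open group since 09:00
    AlertInstance("EP1", "Waiting Tasks Count", T0 + timedelta(hours=1), None),
    AlertInstance("DEP", "Used Memory Rate", T0, T0 + timedelta(minutes=5)),
]
NOW = T0 + timedelta(hours=3)  # constructed evaluation time of the dashboard query, 11:00

if __name__ == "__main__":
    groups = build_alert_groups(SAMPLE_ALERTS)
    for g in groups:
        end = g.end.time() if g.end else "open"
        print(f"{g.managed_object} {g.alert_type}: {g.start.time()} - {end}, "
              f"{g.instances} instance(s)")
    for key, total in total_alert_time(groups, NOW).items():
        print(key, total)
```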


Figure 79: ALM Dashboard

You can call the ALM Dashboard from the Technical Monitoring work center by choosing the Reporting button in the Alert Inbox area and choosing Embedded or Open New Window. Besides the three standard apps of the ALM dashboard, you can display four additional apps, which include the following:

● The number of alerts broken down by alert type
● The number of alerts broken down by managed object
● The number of support messages broken down by alert type
● The number of messages broken down by managed object

Dashboard for End-User Experience

The dashboard for SLA Reporting for End-User Experience Monitoring (EEM dashboard) offers a quick overview of the performance and availability of your technical systems. The dashboard consists of individual graphics, known as dashboard apps. When you call the dashboard, all apps are displayed, allowing you to see at a glance the EEM scenarios for which performance or availability does not meet your requirements. Threshold values within the apps for both values are also displayed. These values are used to rate the values with the status Green, Yellow, or Red. With the default settings, a dashboard app is displayed for each EEM scenario. The EEM dashboard does not require any separate configuration; once you have set up EEM and interactive reporting, a dashboard app for each EEM scenario is available to you, and is provided with the required data.


Figure 80: The End-User Experience Dashboard

On the EEM dashboard, an app is displayed for each scenario, showing the performance and availability data for the current month, the three previous months, and an average value for the last 12 months. The value shows the following:

● The average availability of, for example, the scenario or EEM robot as a percentage of the EEM scripts.
● The average proportion of the steps of, for example, the scenario or the robot, for which the status is green based on the respective response time.

In addition to the percentage values, relevant threshold values also display, both for the availability and the performance. These values are used to rate the measured values with the status Red, Yellow, or Green. You can adjust these threshold values according to your needs in the context of the dashboard app. Each of the displayed apps provides a drilldown to display the respective EEM reporting data. To display this data, right-click the desired app and choose the entry Display EEM Report from the context menu. For the current month, an arrow is also displayed to emphasize the current trend for performance and availability, allowing you to see at a glance which scenarios might need action. In addition to the apps shipped by SAP, you can develop your own applications for the dashboard using the Dashboard and Presentation Design tool (Xcelsius) from SAP BusinessObjects.

To Create a Dashboard App

1. Create the user interface Flash file (.swf) in Xcelsius.
2. Create the configuration UI in Xcelsius.
3. Create a BW query in Query Designer.
4. Register your app in the framework.

The app shows the data from the BW query and can be configured using the configuration UI.


User-Created Dashboard Apps

If you want to put your own apps into the dashboard framework, you should understand the architecture of the dashboard framework. An app typically comprises two parts: the standard app itself, which shows performance or availability values in a dashboard, and a configuration app, in which the user can set texts, threshold values, filters, and other values to determine the values displayed by the standard app. These two apps are a pair of partner apps. The data displayed comes mostly from the SAP NetWeaver Business Warehouse. To use this data in an app, you create a BW query. You create the user interface of the apps with the program Dashboard and Presentation Design (Xcelsius). You also create the connections for the data transfer of the app in Xcelsius. Data can be transferred, for example, from the configuration app to the standard app, from a BW query (the source of the data to be displayed) to the app, or from the configuration app to the BW query, to filter the BW data. All data from or to an app or configuration app is transferred using Xcelsius connections. Another type of app is the context app. Like the configuration app, it sets the conditions for the app data to be displayed, but for all apps with relevant connections in a dashboard, not just one app. A context app in a dashboard is always displayed. You export the user interface as a Flash file (.swf) in Xcelsius to display the app user interface in a dashboard. You register your app in the dashboard framework using the registration tool. You specify how the data is transferred via the Xcelsius connections. A tutorial for the development of dashboard applications is available in the online documentation. Search for Enhancing the Dashboard Framework with User Apps.


Unit 5 Exercise 17

Monitor SAP NetWeaver AS Java

Business Example

For successful monitoring using the Monitoring service in SAP NetWeaver AS Java, you must set the threshold values appropriately.

Adapt Monitor Settings with the SAP NetWeaver Administrator

Use the Monitoring Browser within the SAP NetWeaver Administrator to check alerts for different monitoring attributes, activate an inactive monitoring attribute, and change thresholds.

1. Log on to the SAP NetWeaver Administrator, open the Monitoring Browser, and check whether an alert has occurred in the memory service.
2. Activate the inactive monitor Kernel/Application Threads Pool/Waiting Tasks Count in the SAP NetWeaver Administrator Monitoring Browser.
3. Set the threshold values for the monitor /Services/Memory Info/Used Memory Rate to the following entries: GY/YR/RY/YG to 75/90/85/70.

Create a History Report with SAP NetWeaver Administrator

Create your own History Report for your monitoring.

1. Create a History Report showing Thread Pool Usage Rate and Used Memory Rate.


Unit 5 Solution 17

Monitor SAP NetWeaver AS Java

Business Example

For successful monitoring using the Monitoring service in SAP NetWeaver AS Java, you must set the threshold values appropriately.

Adapt Monitor Settings with the SAP NetWeaver Administrator

Use the Monitoring Browser within the SAP NetWeaver Administrator to check alerts for different monitoring attributes, activate an inactive monitoring attribute, and change thresholds.

1. Log on to the SAP NetWeaver Administrator, open the Monitoring Browser, and check whether an alert has occurred in the memory service.
   a) Enter the URL http://.wdf.sap.corp:5 00/nwa (for example, http://twdf1234.wdf.sap.corp:53000/nwa).
   b) Log on as portal user .A-##.
   c) Choose Availability and Performance.
   Hint: If you wait one minute you will see the overall Status.
   d) Choose Resource Monitoring → History Reports.
   e) Choose the Monitor Browser tab.
   f) In the Show field, select Active/Used.
   Hint: Here you can see the various monitors. You can use the colors (red, yellow, green, gray) to identify whether an alert has occurred.
   g) In the Name column, enter Memory in the filter row.
   h) Choose the Filter button.
   i) Select the row /Services/Memory Info/Available Memory.
   j) In the Monitor Details area you see the configured HEAP memory for each instance.
   k) Select the row /Kernel/SAPJVM/GCProblemReporting/Out OfMemory Errors.
   l) Check the status of each Server Node ID.


2. Activate the inactive monitor Kernel/Application Threads Pool/Waiting Tasks Count in the SAP NetWeaver Administrator Monitoring Browser.
   a) Within the SAP NetWeaver Administrator, in the Show field select Inactive/Not Used.
   b) In the Name column, enter Application Threads in the filter row.
   c) Choose the Filter button.
   d) Select the row /Kernel/Application Threads Pool/Waiting Tasks Count.
   e) In the Monitor Configuration area, choose Activate. You should receive the information on top: Changes were successfully saved.
   f) In the Show field, select Active/Used.
   g) In the Name column, enter Application Threads in the filter row.
   h) Choose the Filter button.
   i) Select the row /Kernel/Application Threads Pool/Waiting Tasks Count.
   j) In the Monitor Details for: Waiting Tasks Count area, you should find a current value.
3. Set the threshold values for the monitor /Services/Memory Info/Used Memory Rate to the following entries: GY/YR/RY/YG to 75/90/85/70.
   a) In the Name column, enter used memory in the filter row.
   b) Choose the Filter button.
   c) Select the row /Services/Memory Info/Used Memory Rate.
   d) In the Monitor Configuration area, enter the following threshold settings:
      ● Changes from Green to Yellow: 75
      ● Changes from Yellow to Red: 90
      ● Changes from Red to Yellow: 85
      ● Changes from Yellow to Green: 70
   e) Choose Save. You should receive the information on top: Changes were successfully saved.

Create a History Report with SAP NetWeaver Administrator

Create your own History Report for your monitoring.

1. Create a History Report showing Thread Pool Usage Rate and Used Memory Rate.
   a) Choose the History Reports tab.
   b) Choose the Configure tab.
   c) Choose New Report.
   d) In the New Report dialog box, enter the following information:
      Name
      Label: -
      Default Report Time Unit: Quarters
      Default Report Type: Chart per node
   e) Choose OK.
   f) On the left-hand side, select the row Thread Pool Usage Rate.
   g) Choose Add to Report.
   h) On the left-hand side, search for and select the row Used Memory Rate.
   i) Choose Add to Report.
   j) Choose Save Reports.
   k) Choose the Display tab.
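The four thresholds entered in step 3 (GY/YR/RY/YG = 75/90/85/70) form a hysteresis band: the monitor turns yellow at 75 but only returns to green at 70, and turns red at 90 but only returns to yellow at 85, so a value hovering around a single threshold does not flap between colours. The following Python model is an added example, not SAP code or part of the exercise; the inclusive comparisons, the two-step jump when a value crosses two thresholds at once, and the sample readings are assumptions.

```python
"""Hysteresis status evaluation for a monitoring attribute, modelled on the four
thresholds of the NWA Monitor Configuration area (GY/YR/RY/YG).
Added example, not SAP code."""
from dataclasses import dataclass
from typing import List

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"


@dataclass(frozen=True)
class Thresholds:
    """Thresholds for a 'higher is worse' attribute such as Used Memory Rate (percent)."""
    green_to_yellow: float  # GY: value at or above this turns a green monitor yellow
    yellow_to_red: float    # YR: value at or above this turns a yellow monitor red
    red_to_yellow: float    # RY: value at or below this turns a red monitor yellow
    yellow_to_green: float  # YG: value at or below this turns a yellow monitor green


def is_consistent(t: Thresholds) -> bool:
    """A usable hysteresis band needs YG <= GY <= RY <= YR; otherwise a constant
    value could make the status oscillate between two colours."""
    return t.yellow_to_green <= t.green_to_yellow <= t.red_to_yellow <= t.yellow_to_red


def next_status(status: str, value: float, t: Thresholds) -> str:
    """Status after one measurement. Assumption (not taken from the course text):
    a value crossing two thresholds at once moves two steps in one evaluation,
    e.g. green straight to red when the value is already at or above YR."""
    if status == GREEN:
        if value >= t.yellow_to_red:
            return RED
        return YELLOW if value >= t.green_to_yellow else GREEN
    if status == YELLOW:
        if value >= t.yellow_to_red:
            return RED
        return GREEN if value <= t.yellow_to_green else YELLOW
    if status == RED:
        if value <= t.yellow_to_green:
            return GREEN
        return YELLOW if value <= t.red_to_yellow else RED
    raise ValueError(f"unknown status {status!r}")


def evaluate_series(values: List[float], t: Thresholds, start: str = GREEN) -> List[str]:
    """Run a sequence of measurements through the state machine."""
    if not is_consistent(t):
        raise ValueError("inconsistent thresholds (need YG <= GY <= RY <= YR)")
    status, history = start, []
    for v in values:
        status = next_status(status, v, t)
        history.append(status)
    return history


def naive_status(value: float, t: Thresholds) -> str:
    """Single-threshold rating without hysteresis, for comparison."""
    if value >= t.yellow_to_red:
        return RED
    return YELLOW if value >= t.green_to_yellow else GREEN


# Thresholds from exercise step 3: GY/YR/RY/YG = 75/90/85/70
EXERCISE_THRESHOLDS = Thresholds(75, 90, 85, 70)
# Constructed sample of Used Memory Rate readings in percent, not real measurements.
SAMPLE_VALUES = [60, 76, 80, 72, 69, 91, 86, 84, 71, 50]

if __name__ == "__main__":
    # At 72 % the naive rating drops back to green while the hysteresis keeps yellow.
    for v, s in zip(SAMPLE_VALUES, evaluate_series(SAMPLE_VALUES, EXERCISE_THRESHOLDS)):
        print(f"{v:>3}%  hysteresis={s:<6}  naive={naive_status(v, EXERCISE_THRESHOLDS)}")
```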


Unit 5 Exercise 18

Register a System with the Central Monitoring System

Business Example
You can monitor the monitoring data of the AS Java using the Monitoring Browser in the SAP NetWeaver Administrator or using a central monitoring system. To be able to display the data in the monitoring system, you need to register the system.

Optional: Create CSMREG user
Caution: The creation of a CSMREG user can only be done once per central monitoring system (CEN). So only the group which is assigned to the DEP system can do the creation of the CSMREG user (Step 1). All groups should check the CSMREG user in transaction SU01 (Step 2).
1. Log on to the Solution Manager system in client 000 with your course user and create the CSMREG user (password monitor) with transaction RZ21.
2. Check the CSMREG user with transaction SU01 in client 000 of the Solution Manager system (PSM) of your server.

Register the AS Java
Register your AS Java system to the central monitoring system.
1. Log on to the Solution Manager system in client 000 with your course user and register your AS Java with transaction RZ21.

View Monitoring Data
View the monitoring data of your AS Java in the central monitoring system.
1. Check whether the monitoring data is displayed in the Alert Monitor (transaction RZ20) in client 000.


Unit 5 Solution 18

Register a System with the Central Monitoring System

Business Example
You can monitor the monitoring data of the AS Java using the Monitoring Browser in the SAP NetWeaver Administrator or using a central monitoring system. To be able to display the data in the monitoring system, you need to register the system.

Optional: Create CSMREG user
Caution: The creation of a CSMREG user can only be done once per central monitoring system (CEN). So only the group which is assigned to the DEP system can do the creation of the CSMREG user (Step 1). All groups should check the CSMREG user in transaction SU01 (Step 2).
1. Log on to the Solution Manager system in client 000 with your course user and create the CSMREG user (password monitor) with transaction RZ21.
   a) Log on to the Solution Manager system (PSM) of your server in client 000 and call transaction RZ21.
   b) Choose Technical infrastructure → Configure Central System → Create CSMREG User.
   c) Enter the password monitor twice and choose Continue (Enter).
2. Check the CSMREG user with transaction SU01 in client 000 of the Solution Manager system (PSM) of your server.
   a) Log on to the Solution Manager system (PSM) of your server in client 000 and call transaction SU01.
   b) Enter CSMREG in the User field and choose Display. If you get the message User CSMREG does not exist, contact the group that is assigned to the DEP system on your server and let them complete Task 1 of this exercise.
   c) Choose the Roles tab and check that the role SAP_BC_CSMREG is assigned to the user CSMREG.

Register the AS Java
Register your AS Java system to the central monitoring system.
1. Log on to the Solution Manager system in client 000 with your course user and register your AS Java with transaction RZ21.
   a) Log on to the Solution Manager system in client 000 and call transaction RZ21.


Lesson: Monitoring the Portal

   b) Choose Technical infrastructure → Configure Central System → Create remote monitoring entry.
   c) From the Instance Type to Be Monitored dropdown list, select Java.
   d) Enter your SID as the System ID, for example QEP or DEP. Enter the fully qualified host name of the Message Server, for example twdfSSSS.wdf.sap.corp. Enter the HTTP Port of the Message Server, for example 8134 for DEP and 8144 for QEP.
   e) Choose the Test button.
   f) Enter the Password of the CSMREG user in your CEN and the Password of the adm operating system user for the monitored system.
   g) Choose Save and wait a few seconds until the registration completes.

View Monitoring Data
View the monitoring data of your AS Java in the central monitoring system.
1. Check whether the monitoring data is displayed in the Alert Monitor (transaction RZ20) in client 000.
   a) Call transaction RZ20 in the Solution Manager system.
   b) Open the SAP J2EE Monitor Templates monitor set and choose the Engines monitor. Open the monitor by double-clicking it. You should now see data for your system.
   Note: It can take a few minutes before the data becomes visible.


LESSON SUMMARY
You should now be able to:
● Monitor the portal


Unit 5 Lesson 2

Analyzing the SAP NetWeaver Log Viewer and the Monitoring Service

LESSON OVERVIEW
Logging and tracing are important functions in the context of error detection. You can access all log files with the Log Viewer. The Monitoring Service provides an overview of the available monitoring data and displays a status, such as warning or error. Based on knowledge of course ADM800, this lesson should be used to impart additional knowledge about special portal functions within the Log Viewer, Log Configurator Service and monitoring service.

Business Example
You are working with AS Java and want to know more about the options for evaluating log files. Since a great deal of log information is created in the SAP Enterprise Portal environment based on AS Java, you need to be familiar with a tool that automatically displays the log files for stable operation. The monitoring service can be used to get a quick overview of components with problems.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Analyze the SAP NetWeaver Log Viewer and the Monitoring Service

Log and Trace Files
All Java nodes write log and trace information to files in the file system. These files are formatted in a special way. This formatting makes it possible to use filters to hide or display specific entries when viewing the files in a Log Viewer. The files which possess this formatting are known as “ListLogs”. The entries in the ListLogs also contain a Severity field which indicates the weighting of the entry. Some of the ListLogs are listed in the figure “ListLogs in the File System”. For each Java server process, there is a separate directory named “log” in the file system under which the files for the node are stored. A basic distinction is made between log and trace files. Log files are sometimes also referred to as logging files. The trace files comprise only files with the name default..trc where the stands for the node number and for a sequential number. The trace files which are discussed here should not be confused with other “trace” files such as the developer traces. The log files include the other files displayed in the figure.


Figure 81: ListLogs in the File System

Log files are displayed in the Log Viewer. There are two types of log files: logging and trace files. The following distinction is made between logging and tracing.

Logging means:
● Recording normal and exceptional events
● Runtime information of a system or an application is written to log files
● Active during normal operation

Tracing means:
● Recording the process flow of an application
● Use during development and for error detection in the production environment
● All traces are stored in the default..trc files

Log Viewer and Log Configuration
Java-based applications write messages in log files. In complex applications, important messages can be distributed across more than 100 log files. To ensure stable operation, these log files should be regularly checked for error messages. The portal is logged using the standard central logging system of AS Java, consisting of the Log Manager, Log Configurator Service, and Log Viewer. From SAP NetWeaver Portal 7.3 the Log Viewer is located in the SAP NetWeaver Administrator within the Troubleshooting tab. In the advanced mode the various categories can refine the results of the log files. These categories are shown as a drop-down and include the options: applications, available, changes, configChanges, database, defaultTrace, and bootstrap. All the log data is written in the following directories and subdirectories: /usr/sap// /j2ee/cluster/ server or dispatcher/log. All SAP Java applications based on SAP NetWeaver AS write in one trace file per Java node (server or dispatcher). This trace file is created with the default setting of the AS Java. It is named defaultTrace.trc and stored in directory /usr/sap///j2ee/cluster/ server or dispatcher/log.

Log Viewer
The Log Viewer is a tool to display log messages (application and system logs). These messages assist you to monitor and diagnose problems. The Log Viewer is available in the following versions:
● Log Viewer as part of SAP NetWeaver Administrator

Log Viewer allows you to:
● View different types of Java log messages.
● View administration, development, and specific logs in a set of predefined views.
● Control the amount of log data displayed.
● Merge list formatted logs and traces.
● View logs and traces from an inactive AS Java.
● Filter logs and traces.
● Download log content.
● Create, export, and import custom views.
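The merge and severity filter that the Log Viewer performs on list-formatted files, as an added Python example that is not SAP code: it parses a constructed, simplified list-formatted layout (assumed here as #timestamp#node#severity#category#message#, which is not the real field layout of defaultTrace.trc), merges the traces of two constructed server nodes into one timeline, and keeps only entries at or above a chosen severity, optionally restricted to one category. The severity names and their order are those of the SAP Logging API; the node names, categories and messages are constructed sample data.

```python
"""Merge and filter list-formatted log entries from several Java nodes.

Added example, not the SAP Log Viewer's code. Assumption: each entry is one
line of '#'-separated fields in this constructed layout
    #<ISO timestamp>#<node>#<severity>#<category>#<message>#
The real ListLog layout written by AS Java has more fields and is not
reproduced here; messages in this toy layout may not contain '#'.
Severity names and their ranking are those of the SAP Logging API.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

SEVERITY_ORDER = ["Debug", "Path", "Info", "Warning", "Error", "Fatal"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    node: str
    severity: str
    category: str
    message: str


def parse_line(line: str) -> LogEntry:
    """Parse one list-formatted line; raises ValueError on malformed input
    so that a truncated or foreign line is reported instead of silently skipped."""
    stripped = line.strip()
    if not (stripped.startswith("#") and stripped.endswith("#")):
        raise ValueError(f"not a list-formatted entry: {line!r}")
    fields = stripped[1:-1].split("#")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, node, sev, cat, msg = fields
    if sev not in RANK:
        raise ValueError(f"unknown severity {sev!r} in {line!r}")
    return LogEntry(datetime.fromisoformat(ts), node, sev, cat, msg)


def parse_file(text: str) -> list[LogEntry]:
    """Parse the content of one node's trace file, ignoring blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def merge(*node_logs: list[LogEntry]) -> list[LogEntry]:
    """Interleave per-node logs into one timeline ordered by time, then node."""
    return sorted((e for log in node_logs for e in log),
                  key=lambda e: (e.time, e.node))


def filter_entries(entries, min_severity="Warning", category=None):
    """Keep entries at or above `min_severity`, optionally within one category."""
    floor = RANK[min_severity]
    return [e for e in entries
            if RANK[e.severity] >= floor
            and (category is None or e.category == category)]


# Constructed trace content for two server nodes (sample data, not real logs).
SERVER0_TRACE = """\
#2014-03-05T09:15:01#server0#Info#/System/Server#Application started#
#2014-03-05T09:15:04#server0#Error#/Applications/Portal#PCD lookup failed#
#2014-03-05T09:15:07#server0#Warning#/System/Security#Logon attempt with expired password#
"""
SERVER1_TRACE = """\
#2014-03-05T09:15:02#server1#Debug#/System/Server#Heartbeat#
#2014-03-05T09:15:05#server1#Fatal#/System/Database#Connection pool exhausted#
"""


def problems_across_nodes(min_severity="Warning", category=None):
    """The merged cluster view an administrator checks for error messages."""
    merged = merge(parse_file(SERVER0_TRACE), parse_file(SERVER1_TRACE))
    return filter_entries(merged, min_severity, category)


if __name__ == "__main__":
    for e in problems_across_nodes():
        print(f"{e.time.isoformat()} {e.node:8} {e.severity:8} {e.category:22} {e.message}")
```

Because the merge sorts by timestamp, the Fatal entry from server1 lands between the two server0 entries, which is the view needed to see that a database problem on one node preceded a warning on another.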

Figure 82: Log Viewer in SAP NetWeaver Administrator

You can find portal-specific Log Viewer files in the area server → Group##.

Set Up the Transport Landscape
To complete the following tasks, you must have logged on as .A-## in DEP, QEP, and PSM.
1. Check the Web Services Navigator after logging on to http://twdfSSSS.wdf.sap.corp:58000 as .A-##.
   a) Log on to http://twdfSSSS.wdf.sap.corp:58000.
   b) Choose Web Services Navigator.


   c) Enter the User and Password for .A-##.
   d) Choose DeployProxy.
2. Using SAP Logon, log on to PSM in client 100 and create the CTSDEPLOY destination.
   a) Launch SAP Logon from the shortcut on your remote desktop.
   b) As user .A-##, log on to PSM in client 100.
   c) In the Search field, enter SM59.
   d) Choose the Enter button.
   e) Choose Edit → Create.
   f) On the Technical Settings tab, in the RFC Destination field, enter CTSDEPLOY.
   g) In the Connection Type field, select G from the context menu.
   h) In the Description field, enter HTTP Connection to External Server.
   i) Under Description, in the Description 1 field, enter CTS deployment.
   j) Under Target System Settings, in the Target Host field, enter twdfSSSS.wdf.sap.corp.
   k) In the Service No: field, enter 58000.
   l) Choose the Logon & Security tab.
   m) Under Logon Procedure, select the Basic Authentication radio button.
   n) In the User and Password fields, enter your .A-## username and password from PSM.
   o) Choose the Special Options tab.
   p) Under Timeout, select the No Timeout radio button.
   q) Save your changes.
3. Run a connection test for the CTSDEPLOY destination.
   a) Choose Utilities(M) → Connection Test. There should be no errors.
4. Verify that the CTS_ORGANIZER ICF service is already deployed.
   a) In the Search field, enter SICF.
   b) Choose the Enter button.
   c) On the Maintain Services screen, in the Service Name field, enter CTS_ORGANIZER.
   d) Choose the Execute button. When the service is deployed, you have the option to open elements in the table by double-clicking them.
5. Add the DEP system, using transaction STMS in PSM.
   a) In the Search field, enter STMS.
   b) Choose the Enter button.


Lesson: Transporting Portal Content

   c) On the Transport Management System screen, choose Overview → Systems.
   d) On the System Overview screen, choose SAP System → Create → Non-ABAP System.
   e) In the System field, enter DEP.
   f) In the Description field, enter Portal development system.
   g) Under Source System Settings, select the Activate Transport Organizer checkbox.
   h) Under Target System Settings, select the Activate Deployment Service checkbox and select DC as the method.
   i) In the Target Host field, enter twdfSSSS.wdf.sap.corp.
   j) In the System field, enter 30.
   k) Save your changes.
   l) When presented with the “Should configuration changes be distributed immediately?” question, choose Yes.
   m) When asked for a User and Password, enter the credentials of a .A-## user (with a non-initial password) of the DEP portal.
6. Add the QEP system, while continuing to use transaction STMS in PSM.
   a) On the System Overview screen, choose SAP System → Create → Non-ABAP System.
   b) In the System field, enter QEP.
   c) In the Description field, enter Portal QA system.
   d) Under Target System Settings, select the Activate Deployment Service checkbox and select DC as the method.
   e) In the Target Host field, enter twdfSSSS.wdf.sap.corp.
   f) In the System field, enter 40.
   g) When asked for a User and Password, enter the credentials of a .A-## user (with a non-initial password) of the QEP portal.
   h) Save your changes.
   i) When presented with the “Should configuration changes be distributed immediately?” question, choose Yes.
7. Add the PEP system, while continuing to use transaction STMS in PSM.
   a) On the System Overview screen, choose SAP System → Create → Non-ABAP System.
   b) In the System field, enter PEP.
   c) In the Description field, enter Productive portal system.
   d) Under Target System Settings, select the Activate Deployment Service checkbox and select DC as the method.
   e) In the Target Host field, enter twdfSSSS.wdf.sap.corp.
   f) In the System field, enter 50.


   g) When asked for a User and Password, enter the credentials of a .A-## user (with a non-initial password) of the PEP portal.
   h) Save your changes.
   i) When presented with the “Should configuration changes be distributed immediately?” question, choose Yes.
8. Change DEP so that WBO_REL_REQ_STRATEGY has the value AUTO.
   a) On the Transport Management System screen, choose Overview → Systems.
   b) Double-click DEP.
   c) On the Transport Tool tab, check if the WBO_REL_REQ_STRATEGY parameter has the value AUTO. If not, choose the Display Change button and set the value. Save your changes. If the WBO_REL_REQ_STRATEGY parameter is not there, you need to add it.
9. Define the transport routes, while continuing to use transaction STMS in PSM. Join DEP to QEP as Consolidation and QEP to PEP as Delivery.
   a) On the Transport Management System screen, choose Overview → Transport Routes.
   b) On the Display Transport Routes screen, choose Configuration → Display Change or press F5.
   c) Click DEP in the top area. A green rectangular box appears in the lower area. Drag this box to the left of the screen and right- or left-click. This positions the DEP system in the lower screen. If you need to change the position of DEP, drag and drop it.
   d) Click QEP in the top area. A green rectangular box appears in the lower area. Drag this box to the right of the DEP system and right- or left-click. This positions the QEP system in the lower screen. If you need to change the position of QEP, drag and drop it.
   e) Click PEP in the top area. A green rectangular box appears in the lower area. Drag this box to the right of the QEP system and right- or left-click. This positions the PEP system in the lower screen. If you need to change the position of PEP, drag and drop it.
   f) Choose Edit → Transport Route → Add Transport Route.
   g) Drag the pencil cursor from DEP to QEP.
   h) In the Create Transport Route dialog box, select the Consolidation radio button.
   i) In the Transport layer field, select ZDEP from the context help (or enter it) and choose the Copy button.
   j) Choose the Transfer button.
   k) Drag the pencil cursor from QEP to PEP.
   l) In the Create Transport Route dialog box, select the Delivery radio button.
   m) Choose the Transfer button.
   n) Save and distribute.
10. Change destinations in the SAP NetWeaver Administrator. This is only done on the Development portal.


   a) Log on to the SAP NetWeaver Administrator as .A-##. Use the following URL, for example: http://twdfSSSS.wdf.sap.corp:5$$00/nwa
   b) Choose Configuration → Security → Destinations.
   c) In the Show: field, select RFC Destinations from the dropdown list.
   d) Choose Create.
   e) On the General Data screen, in the Hosting System field choose Local Java System DEP.
   f) In the Destination Name field, enter sap.com/com.sap.tc.di.CTSserver.
   g) In the Destination Type field, select RFC from the context menu.
   h) Choose Next.
   i) On the Connection and Transport Security Settings screen, for Load Balancing choose the No radio button.
   j) In the Target Host field, enter twdfSSSS.wdf.sap.corp.
   k) In the System Number field, enter 80.
   l) In the System ID field, enter PSM.
   m) Choose Next.
   n) On the Logon Data screen, in the Authentication field, select Current User (Logon Ticket) from the dropdown list.
   o) In the Language field, enter en.
   p) In the Client field, enter 100.
   q) Choose Finish.
11. Set up trust between the Development portal (DEP) and Solution Manager (PSM).
   a) Log on to the portal as portal user .A-##.
   b) Choose System Administration → System Landscape.
   c) Under System Landscape Overview → System Landscape select the EP200 SAP Solution Manager system.
   d) Choose Configure.
   e) Choose Modify Properties.
   f) In the Application Host field, update the application host with your server name.
   g) Under Internet Transaction Server (ITS), update the ITS host name with your server name.
   h) Under Web Application Server (WTS), update the ICM host name with your server name.
   i) Choose Save.
   j) Choose System Aliases.


   k) Enter the alias SolutionManager and choose Add.
   l) Save and close.
   m) Select the EP200 SAP Solution Manager system.
   n) Choose Establish Trust.
   o) In the Establish trust dialog box, in the User field enter .A-##.
   p) In the Password field, enter the password in PSM for user .A-##.
   q) Choose Apply.

Create, Export, and Import a Transport
This exercise involves creating transports with change lists.
1. Both the Development and Quality Assurance teams log on to the Development portal as user .A-##.
2. Both the Development and Quality Assurance teams activate a change list from the DEP portal and attach it to a transport request.
   a) Choose Content Administration → Portal Content Management → My Open Change Lists.
   b) Right-click the change list and choose Open in Change Organizer.
   c) Select your change list in the table. The Development team choose the change list they created in Exercise 23 and the Quality Assurance team choose the change list that they created in Exercise 23.
   d) Choose Activate.
   e) Confirm that none of the PCD objects are locked by navigating to System Administration → Monitoring → Object Locking. If there are any locked objects, select them and choose Unlock.
   f) In the Activate Changelist(s) dialog box, choose Activate and Attach.
   g) In the Attach Changelists for Transport dialog box, choose Attach. The change list is attached to the ABAP transport detailed.
3. Launch the CTS Browser and view your released transport.
   a) Choose Content Administration → Portal Content Management → Portal Content → EP200 → Initial Content → iViews.
   b) Ensure that the correct system alias is set. Right-click CTS Browser, and choose Open → Properties. Choose All. In the Show Category field, select Content – Web Dynpro from the dropdown list. If the System value is not set to SolutionManager, choose Modify Properties and change the value to SolutionManager. Save the change.
   c) Right-click CTS Browser, and choose Preview.
   d) In the Status field, choose Released from the dropdown list. The released transport will be in the list.
4. Using SAP Logon, both the Development and Quality Assurance teams log on to PSM and transport the change request to the Quality Assurance portal.


   a) Launch SAP Logon from the shortcut on your remote desktop.
   b) Log on to PSM.
   c) Log on as user .A-##.
   d) In the Search field, enter STMS.
   e) Choose the Enter button.
   f) On the Transport Management System screen, choose Overview → Imports.
   g) Double-click QEP.
   h) If your transport is not visible, choose the Refresh button.
   i) Select your change request and then choose the Import Request button (small truck icon) to import only your request.
   j) Choose the Continue button.
   k) Choose Yes when presented with the “Import all transport requests in import queue into system QEP?” question.
   l) Wait a minute or two and then choose the Refresh button.
   m) Once the transport is completed, check the logs by selecting your change request and choosing the Logs button from the toolbar (or select the change request and press CTRL + F4). There should not be a status greater than 4.
   n) Log on to the QEP system to see your objects moved from DEP to QEP. Check your group folder for the new objects.


LESSON SUMMARY
You should now be able to:
● Explain the purpose of the enhanced Change and Transport System (CTS)
● Describe the architecture for enhanced CTS
● Describe the configuration of enhanced CTS
● Configure the TDC system import process
● Configure the TDC system export process
● Configure the system landscape of the TDC system
● Configure the portal systems
● Transport portal content using enhanced CTS


Unit 5 Lesson 8

Describing Backup and Restore Strategies

LESSON OVERVIEW
This lesson covers the details for performing online and offline backups of portal content. Try to keep this lesson high level – and as an addition to the topics covered in ADM800.

Business Example
The SAP Enterprise Portal is being deployed in your company to replace the current Intranet, and will be the single point of access for all users to Web based content, as well as Web-enabled, critical Business Applications. You are charged with constructing a suitable Backup and Recovery Strategy for this Landscape to meet the Business needs.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● List the SAP Enterprise Portal components requiring a backup and recovery solution

Portal Backup and Restore Strategy
Carefully develop your backup and restore strategy for the portal infrastructure in order to achieve a consistent state upon recovery. The strategy may involve backup at the component level, or a full backup of the entire system. The portal infrastructures differ for customers; therefore performing a full backup is a comprehensive solution. This solution can easily restore portal components and enable the portal to recover from a complete system loss. In addition, portal components and their configurations are interdependent, and need to be backed up together. All operations of the portal that use some type of storage for saving business information must be considered for backup. The backup type to be defined for individual components depends on the type of data storage. In most cases, backing up just the database shared by the portal and SAP NetWeaver Application Server is sufficient.


Figure 113: Portal Components

Knowing the portal components is helpful in planning your backup strategy. The following are the critical components for the portal.

Table 14: Critical Components Considered for a Backup Strategy
Components | Description
AS Java | The Portal Runtime runs on top of the AS Java of the SAP NetWeaver Application Server.
Portal Framework | The Portal Framework is a logical environment comprised of a collection of software applications for running and managing the portal.
iView Runtime Java (IRJ) application | The iView runtime application is a runtime environment for processing iViews.
Database | This is a relational database management system (RDBMS) shared by the portal and SAP NetWeaver Application Server. The database is usually on a separate machine. It stores data for the Portal Content Directory (PCD), which is based on the database repository. The database stores runtime objects, including role definitions, page-to-role relationships, deployables (PARs), and iView templates, together with their personalization data and derivations.
User Persistence Store | Refers to user related data stored in one or more repositories. Such user related data repositories might be a database, Lightweight Directory Access Protocol (LDAP) directory server, or ABAP-based SAP system.

Because the portal interrelates with other components, they must be backed up too. These components can include:
● Web servers
● User Persistence Store
● Java applications and their configuration files
● Native applications and their configuration files
● Relational Database Management System (RDBMS) and their data

Backup and Restore Strategy for an Implementation of SAP Enterprise Portal
This section describes the general backup and restore concepts for a distributed system environment. It provides the information needed to set up a backup and restore strategy for an implementation of SAP Enterprise Portal. Out of scope:
● Backup of NetWeaver installations with usage type AS ABAP
● Backup of other usage types like BI or PI
● Backup of TREX (see SAP Note 975965 regarding backup of TREX)
● Backup of systems integrated into the SAP Enterprise Portal
● Backup of customer-specific components

Backup refers to the activity of copying files and data with the intention of preserving them for later use (such as in case of hardware failure or other disaster). When you retrieve files that have been backed up earlier, you are restoring them. The following criteria should be used to evaluate the quality of a backup and restore strategy:

What makes a quality backup strategy?
● Minimize Data Loss and Data Inconsistencies: A system backup must ensure a system recovery to a certain point in time, such as when a crash occurs.
   ● Is data loss acceptable? To which degree?
   ● Can data be recovered from data in other systems?
   ● Which kind of data can be inconsistent?
   ● Can operation continue with partly inconsistent data?
● Backup Runtime and Speed of the Restore:
   ● A fast backup can reduce the impact on production.
   ● According to Service Level Agreements (SLA), the implementation of special solutions, for example, mirror disks, might be required.
   ● The restore process must usually meet some kind of agreement that regulates system availability.

For the design of a backup and restore strategy, necessary considerations for SAP NetWeaver components are as follows:
● Which system components and which data need to be backed up?
● Which backup methods shall be used (online/offline) depending on the data storage type (file system, database)?
● Is a consistent system landscape backup necessary?
● In which situations is a system landscape backup necessary?

Which system components and which data need to be backed up?


System Component | Type of Data | Storage of Data
SAP NetWeaver AS Java Cluster (Startup Framework, SCS instance, PAS, AAS) | Configuration data and software | File system and database
Internet Graphics Server (IGS) | Configuration data | File system
SAPCCMSR Agent, SAPOSCol Agent | Configuration data | File system and database
RDBMS Instance | Configuration data and software | File system and database
SAP Enterprise Portal (as application deployed on SAP NetWeaver AS Java cluster) | Configuration data, software, application data | Database and file system
Content Management & Collaboration (as application deployed on SAP NetWeaver AS Java cluster) | Configuration data, software, application data | Database and file system; depending on configuration: external systems (file system, database)
User Management Persistence Database | Application data | Depending on configuration: external systems (LDAP servers, database)
TREX (as standalone application) | Configuration data, software, application data |

Backup Methods Supported by SAP NetWeaver
Which backup methods should be used (online or offline) depending on the data storage type (file system or database)? Starting with SAP NetWeaver '04 SP Stack 10, online backup and restore is officially supported for all SAP NetWeaver components. Data of the SAP NetWeaver AS Java Cluster and deployed applications (EP, KMC) is stored in the database. Essential data to start, stop, run and monitor the SAP NetWeaver AS Java cluster is stored on the file system.

Hint: Online backup of the SAP NetWeaver AS Java database and file system is possible. The database is the primary persistence for data storage. Parts of the file system are synchronized with the database upon any AS Java system restart.

The following figure provides an example of the file system for a portal system (DEP) with two instances. Instance 30 is the PAS, instance 31 is an AAS and instance 38 is the central services. A backup should include all the folders and files for the DEP system. This is a Windows based system. A Unix based system would have similar file and folder names.


Figure 114: File Structure Backup

The Bootstrap JAVA program synchronizes the binary data from the Java database with the local file system and creates a property file, which describes the processes of the Java instance. Data consistency between database and file system is guaranteed by the bootstrapping.

Which backup methods will be used (online or offline) depending on the data storage type (file system or database)?

Figure 115: Bootstrap Synchronization

During any software deployment via SAPInst, files can be opened. Thus, we recommend performing backup while no deployments are proceeding.


Hint: A part of the configuration data of Portal and KM is stored on the file system. Online backup is possible as files are only read by the applications. Creating transport packages and defining XML Forms Builder projects will perform write operations to the file system. During online backup, loss of data might therefore be possible, although this is administrator data only. Transport packages can be reproduced.

To back up a database, follow these recommended steps:
Recommended Steps for a Database Online Backup
● Schedule a short period of inactivity of SAP NetWeaver AS administrators to reduce the probability of inconsistencies.
● Schedule a short period of inactivity of end users to reduce the probability of inconsistencies.
● For every SAP application running on AS Java, carry out the backup procedures described in the Technical Operations Manual (included in SAP online documentation).

Offline backup is fully supported with SAP NetWeaver AS. SAP ensures that a correctly performed offline backup is consistent and thus can be restored successfully. When performing an offline backup, you must shut down the following components of an installation:
● All AS Java processes on all machines
● All database processes
● All TREX processes (for EP)

To perform offline backup, follow these steps:
● Make a quick snapshot and write that to a tape while the application server runs again.
● Shut down all services on each application server.
● Copy all files quickly to a fast storage device.
● Start up the portal immediately after the files are copied.
● Perform a real (slow) backup to tapes from the temporary directories.

Hint: SAP strongly recommends performing offline backup on a regular basis (for example, weekly or biweekly). The use of hardware that can do snapshots of the hard disks reduces the downtime and the backup is consistent.

To restore AS Java, follow these recommended steps:
● Restore Java instances
● Restore databases
● Restore deployed applications
● Restart AS Java

The backup and restore scenarios are part of the Technical Operations Manual, which you can find in the SAP NetWeaver 7.31 online documentation. Navigate to that path in the online documentation and show the areas of AS Java and EP(C).

FACILITATED DISCUSSION
In your company, is a backup strategy for the overall landscape defined? Established? Tested?

LESSON SUMMARY
You should now be able to:
● List the SAP Enterprise Portal components requiring a backup and recovery solution


Unit 5 Learning Assessment

1. Match each type of log controller with its description. Match the item in the first column to the corresponding item in the second column.

Location
Category

Describes messages that originate from delimited source code areas. It is used to store and emit trace messages.
Describes messages specific to distinguished problem areas. It is used to store and emit log messages.

2. Match each part of the Portal Activity Report tool with its description. Match the item in the first column to the corresponding item in the second column.

Data collection service
Aggregator application
Portal Activity Report iView Template

Creates iViews for displaying the aggregated portal activity data.
Combines the collected data from all the nodes in the portal cluster and, based on this data, generates aggregated data about users and their use of portal content.
Gathers raw data from the Portal Runtime (PRT) about logged on users and the pages and iViews that were viewed.

3. To release a transport request automatically, you must set the WBO_REL_REQ_STRATEGY parameter to AUTO. Determine whether this statement is true or false.

True
False


4. Which of the following is a characteristic of close coupling between the TDC system and the SAP Enterprise Portal system? Choose the correct answer.

A Manual creation of transport requests.
B Attachment of objects directly from the Package Export Editor.

5. During a database online backup, it is recommended that there is a short period of inactivity for end users to reduce the probability of inconsistencies. Determine whether this statement is true or false.

True
False

6. Which of the following processes are you recommended to stop during an offline backup? Choose the correct answers.

A All AS Java processes on all machines
B All database processes
C All TREX processes (for EP)

Unit 5 Learning Assessment - Answers

1. Match each type of log controller with its description. Match the item in the first column to the corresponding item in the second column.

Location: Describes messages that originate from delimited source code areas. It is used to store and emit trace messages.
Category: Describes messages specific to distinguished problem areas. It is used to store and emit log messages.

2. Match each part of the Portal Activity Report tool with its description. Match the item in the first column to the corresponding item in the second column.

Data collection service: Gathers raw data from the Portal Runtime (PRT) about logged on users and the pages and iViews that were viewed.
Aggregator application: Combines the collected data from all the nodes in the portal cluster and, based on this data, generates aggregated data about users and their use of portal content.
Portal Activity Report iView Template: Creates iViews for displaying the aggregated portal activity data.

3. To release a transport request automatically, you must set the WBO_REL_REQ_STRATEGY parameter to AUTO. Determine whether this statement is true or false.

True
False


4. Which of the following is a characteristic of close coupling between the TDC system and the SAP Enterprise Portal system? Choose the correct answer.

A Manual creation of transport requests.
B Attachment of objects directly from the Package Export Editor.

5. During a database online backup, it is recommended that there is a short period of inactivity for end users to reduce the probability of inconsistencies. Determine whether this statement is true or false.

True
False

6. Which of the following processes are you recommended to stop during an offline backup? Choose the correct answers.

A All AS Java processes on all machines
B All database processes
C All TREX processes (for EP)


UNIT 6 Network Infrastructure

Lesson 1 Managing Network Security 348
Lesson 2 Defining Load Balancing 353
Exercise 25: Set Up Load Balancing 359
Lesson 3 Describing Accelerated Application Delivery (AccAD) 371

UNIT OBJECTIVES
● Describe why securing portal and application components is necessary
● Compare server-based and client-based load balancing
● Set up load balancing
● Describe Accelerated Application Delivery (AccAD) basics
● Explain the benefits of using AccAD in a global scenario

Unit 6 Lesson 1: Managing Network Security

LESSON OVERVIEW The portal landscape can consist of many components, distributed over intranets, extranets, or on the public Web. As such, securing data and communications between these components against attack and intrusion is an important consideration. This lesson covers how to ensure secure, encrypted communications between the different components (both internal and external to the SAP Enterprise Portal itself) in the SAP Portal Landscape. Security of applications, both within corporations and on the Internet, is a hot topic so a discussion of the reasons why this topic needs to be included should not be hard to facilitate. Hackers, virus attacks, and identity fraud through unauthorized data capture and the need to prevent these are constantly in the media.

Business Example
Your corporation wants to deploy a web-based portal to allow business partners to access certain data securely from the company's SAP applications. You have been asked to design a landscape to achieve this.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe why securing portal and application components is necessary

Reasons for Secure Communications
Protecting the information transferred between the client and the portal server and between the internal components of the SAP Enterprise Portal is important. The data transferred contains authentication credentials and possibly other sensitive data that must not be known to unauthorized parties. This kind of data must be encrypted using secure communication protocols such as Secure Sockets Layer (SSL) or Secure Network Communication (SNC). It is recommended that all communication channels used during normal operation of the SAP Enterprise Portal are protected appropriately. The main reasons for securing communications:

Reasons for Securing Communications
● To prevent unauthorized access to authentication credentials leading to misuse.
● To prevent unauthorized access to sensitive data leading to misuse.
● To meet legal or mandated data privacy requirements.
● To reduce the chances of the systems and applications being compromised.

The following statements clarify the importance of securing communication:

Secure Communication with SAP Systems
● If sensitive data (such as passwords, financial information, or data that underlies particular legal protection) is being sent over these connections, SAP recommends that you secure the connection.
● The network architecture needs to protect your business needs, without allowing unauthorized access.
● Highly sensitive systems and components (portal server, backend applications, persistence layer) need to be protected.
● You should locate the sensitive data in a separate area that is sealed off from external and internal network attacks.
● Application servers, database servers, and directory servers should be accessible only via a demilitarized zone (DMZ) that is protected by firewalls.

Figure 116: Secure Infrastructure Communication

The figure shows the possible components in a portal landscape, together with the communication protocols (non-secure and secure) that can be configured between them. The portal client (web browser) can communicate directly to the portal server and in some cases the back-end applications, without the need for the optional web server shown. In many scenarios (particularly involving extranet or internet portals), the web server would be located in a demilitarized zone or DMZ, with a firewall or firewalls to prevent unauthorized traffic directly to the portal server and backend applications.


Figure 117: Secure Communication with a DMZ

Securing Communications with Portal Data Stores and Applications The portal server uses a database to store portal-related data, such as content objects. It can use any combination of database, LDAP server, and SAP system to store user management data. As user-related data is sensitive data, you should protect all communication channels to user data stores. Communication channels between the portal server and any back-end systems are also used for providing content to display in the portal. Depending on the nature of the data passed from the back-end systems to the portal server, these communication channels should also be protected. For example, the portal server can connect to SAP systems using the remote function call (RFC) protocol. These connections can be secured using Secure Network Communication (SNC).

Figure 118: Secure Communication with two DMZs

Protocols for Secure Communications The table lists the protocols used to secure communication:


Table 15: Protocols Used for Secure Communications

Components | Secure Protocol Used
Web browser to ICM | HTTPS (SSL)
Web browser to SAP Web Dispatcher or Web server | HTTPS (SSL)
SAP Web Dispatcher or Web server to ICM | HTTPS (SSL)
Web browser to SAP standalone ITS | HTTPS (SSL)
Portal server to Database | SSL (depends on DB vendor)
Portal server to LDAP directory server | LDAPS (SSL)
Portal server to ABAP-based SAP system | RFC using SNC
SAP GUI for Windows to ABAP-based SAP system | DIAG using SNC

Table 16: Standard TCP/IP Communication Ports

Service | Port Number | Default | Range | Comment
HTTP | 5$$00 | 50000 | 50000-59900 | $$ = Instance number
HTTP over SSL | 5$$01 | 50001 | 50001-59901 |
IIOP initial context | 5$$02 | 50002 | 50002-59902 |
IIOP over SSL | 5$$03 | 50003 | 50003-59903 |
P4 | 5$$04 | 50004 | 50004-59904 |
P4 over HTTP tunneling | 5$$05 | 50005 | 50005-59905 |
P4 over SSL | 5$$06 | 50006 | 50006-59906 |
IIOP | 5$$07 | 50007 | 50007-59907 |
Telnet | 5$$08 | 50008 | 50008-59908 |
JMS | 5$$10 | 50010 | 50010-59910 |
Server Join Port | 5$$20 + x*5 | 50020 | 50020-59995 | x = 0, 1, 2, 3 ... 15 (number of server)
Server Debug Port | 5$$21 + x*5 | 50021 | 50021-59996 | x = 0, 1, 2, 3 ... 15 (number of server)

The complete list of ports used by SAP applications can be found on the SAP Service Marketplace, Quick Link /security, path Security in Detail → Infrastructure Security → TCP/IP Ports Used by SAP Applications, and on the SAP Community Network, Quick Link /docs/DOC-17124. Navigate to this document and present it to your students.
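To make the port scheme of Table 16 concrete, here is an added Python example (not part of the SAP course material) that derives AS Java ports from the instance number and server index, maps an observed port back to its service, and reviews a constructed firewall rule list for administrative ports (Telnet, P4, IIOP, JMS, join and debug ports) that are reachable from beyond the intranet. The zone labels and the rule set are constructed for the demonstration.

```python
"""Apply the AS Java port scheme from Table 16 (added example, not SAP code).

Port = 5<NN><offset>, where NN is the two-digit instance number. The Server
Join and Server Debug ports additionally add 5 * x for server process x
(x = 0..15).
"""
from dataclasses import dataclass

# Offset within the instance's port block and whether the port also depends
# on the server process index x (only the join and debug ports do).
SERVICES = {
    "HTTP": (0, False),
    "HTTP over SSL": (1, False),
    "IIOP initial context": (2, False),
    "IIOP over SSL": (3, False),
    "P4": (4, False),
    "P4 over HTTP tunneling": (5, False),
    "P4 over SSL": (6, False),
    "IIOP": (7, False),
    "Telnet": (8, False),
    "JMS": (10, False),
    "Server Join Port": (20, True),
    "Server Debug Port": (21, True),
}

# Administrative or cluster-internal services that a portal end user never
# needs; a rule exposing one of them beyond the intranet deserves review.
ADMIN_ONLY = {
    "Telnet", "P4", "P4 over HTTP tunneling", "P4 over SSL", "IIOP",
    "IIOP initial context", "IIOP over SSL", "JMS",
    "Server Join Port", "Server Debug Port",
}


def as_java_port(service, instance_no, server_idx=0):
    """Port of `service` on instance NN; server_idx only for join/debug ports."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be 00..99")
    offset, per_server = SERVICES[service]
    if per_server:
        if not 0 <= server_idx <= 15:
            raise ValueError("server index must be 0..15")
        offset += 5 * server_idx
    elif server_idx:
        raise ValueError(f"{service} does not depend on the server index")
    return 50000 + 100 * instance_no + offset


def classify_port(port):
    """Inverse of as_java_port: (service, instance_no, server_idx) or None."""
    if not 50000 <= port <= 59999:
        return None
    instance_no, offset = divmod(port - 50000, 100)
    for service, (base, per_server) in SERVICES.items():
        if per_server:
            x, rem = divmod(offset - base, 5)
            if rem == 0 and 0 <= x <= 15:
                return service, instance_no, x
        elif offset == base:
            return service, instance_no, 0
    return None


@dataclass
class Rule:
    source: str     # constructed zone label: "internet", "dmz" or "intranet"
    dst_port: int


def review_rules(rules):
    """Findings for rules that let admin-only AS Java ports in from outside."""
    findings = []
    for rule in rules:
        hit = classify_port(rule.dst_port)
        if hit is None:
            continue
        service, nn, x = hit
        if rule.source != "intranet" and service in ADMIN_ONLY:
            where = f"instance {nn:02d}"
            if SERVICES[service][1]:
                where += f", server {x}"
            findings.append(f"{rule.source} -> {rule.dst_port}: {service} of {where}")
    return findings


# Constructed sample rule set for instance 00 (not from a real landscape).
SAMPLE_RULES = [
    Rule("internet", 50000),   # HTTP: expected for a portal (HTTPS preferred)
    Rule("internet", 50001),   # HTTPS
    Rule("dmz", 50004),        # P4 from the DMZ: flagged
    Rule("internet", 50008),   # Telnet from the Internet: flagged
    Rule("internet", 50026),   # Debug port of server process 1: flagged
    Rule("intranet", 50021),   # debug port from the intranet: not flagged
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```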

Security involves extra costs:
● Additional capacity requirements (clients, network, and servers)
● Additional costs (certificates, software, hardware)
● Additional support costs
● Additional complexity

FACILITATED DISCUSSION In your company, is the team responsible for the network separated from the portal team? How can you ensure that an overall security strategy is defined and established?

Related Information
● For details on configuring secure communications for portal components, refer to the latest Security Guides, available from http://service.sap.com/securityguide
● For various documents on configuring secure communications in an SAP landscape, visit SAP Service Marketplace, Quick Link /security, path Security in Detail → Infrastructure Security.
● For documents on the TCP/IP ports used by SAP applications and network integration guides for SAP applications, visit the SAP Security site at SAP Service Marketplace, Quick Link /security, path Security in Detail → Infrastructure Security → TCP/IP Ports Used by SAP Applications, and SAP Community Network, Quick Link /docs/DOC-17124.

LESSON SUMMARY
You should now be able to:
● Describe why securing portal and application components is necessary

Unit 6 Lesson 2: Defining Load Balancing

LESSON OVERVIEW
In order to optimize the availability and load of your portal, your organization wants to set up load balancing of the portal.

Business Example
Your organization runs several SAP-delivered business packages as well as multiple custom developed content (iViews, pages, and portal components) for rendering company-specific business processes. To optimize the availability and load of your portal, your manager has asked you to set up a load balanced set of AS Java instances. Using this architecture has the following advantages:
● By distributing workload to separate AS Java instances, the AS Java has more stability and less load per instance server.
● By clustering the AS Java instances, the portal has higher availability.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Compare server-based and client-based load balancing
● Set up load balancing

Load Balancing in General In this section, some general concepts relevant for load balancing are introduced.

Server-Based Versus Client-Based Load Balancing
You can differentiate between two mechanisms for load balancing: client-based and server-based load balancing. In general, we recommend server-based load balancing. In the case of server-based load balancing, the load balancer connected in front acts as a central entry point to the SAP system. This is the case even if the SAP system is made up of multiple instances. This technique offers the following advantages:
● All instances can be addressed using a common IP address or a common name.
● The users always use the same URL to access the system.
● One SSL server certificate is sufficient for all of the instances.
The advantages listed above reduce the operating and maintenance effort and costs.

This central entry point to the SAP system can be realized using an additional component, known as a “load balancer”.


In the case of client-based load balancing, all inbound client requests are initially directed to a central location in the system, a load balancing server, when the connection is first made. The load balancing server informs the client which instance it should address. Although this method is implemented in SAP NetWeaver AS Java using the message server of the central services instance, and is already available after installation, it is not the preferred method due to a number of disadvantages. Some of these disadvantages are listed briefly here:
● Can confuse the user, as the URL displayed in the browser changes with the rerouting. If Favorites are created in the browser, these point to the server to which the user was redirected.
● Each instance requires an SSL server certificate.
● Can cause problems if a firewall is used.

Stateless Versus Stateful Applications The programming model that underlies the development of web applications has an important influence on a load balancer. The programming model differentiates between “stateless” and “stateful” web applications. The programming model for stateless requests is used for simple applications, for which each request to SAP NetWeaver AS is independent of all other requests. The programming model for stateful requests is used for more complex applications, which are based on a transactional concept. With these applications, information about the status of the user session must be stored in the instance. The mechanism for load balancing in the SAP system must support both stateless and stateful requests. Stateful requests are a particular challenge for the load balancer, since the HTTP protocol only supports stateless requests. The first request is forwarded to an instance by the load balancer. If a subsequent request is forwarded to a different instance, this different instance has no information about the user context. The load balancer must therefore ensure that stateful requests are always forwarded to the same instance. This can be achieved by different implementations in the load balancer.

AS Java Load Balancing Load balancing within SAP NetWeaver AS Java allows the optimal distribution of the incoming requests to the available resources. SAP NetWeaver AS Java provides load balancing at different levels, as shown in the following figure:


Figure 119: AS Java Load Balancing

In a cluster with multiple SAP NetWeaver AS Java instances, load balancing is performed using a load balancer connected in front (stage 1 in the graphic). Within an instance, the Internet Communication Manager (ICM) distributes the inbound requests to the server processes of that instance (stage 2 in the graphic).

Definition of Logon Groups
Logon groups represent a logical mapping of a set of instances in an SAP system to a set of application aliases. They can be used by a load balancing solution to determine the set of instances which are available to load balance the request to a given alias. One logon group can contain multiple instances; one instance can participate in one or more logon groups. The recommended way of creating logon groups is to use the SAP NetWeaver Administrator (NWA) tool. To create logon groups, log on to the NWA (the NWA can be used in a local and a central mode) with a user with sufficient permissions. The URL is http(s)://<host>:<port>/nwa. Then navigate to Configuration → Infrastructure → Java HTTP Provider Configuration and choose the Logon Groups tab. The logon group definition consists of the definition of the instance IDs (of the AS Java instances in the cluster where applications from this group are accessible) and the definition of the application aliases (of the applications that are requested with the corresponding logon group).

SAP Web Dispatcher The SAP Web Dispatcher, which is located between the Intranet or Internet, and an SAP system (AS ABAP+Java, AS ABAP, or AS Java), can be used as a load balancer. It is the entry point for HTTP(S) requests into your system, which consists of one or more instances. As a “software web switch”, it can reject or accept connections. When it accepts a connection, it distributes the requests to ensure an even distribution across the servers (load balancing).

Hint: You can also use any other load balancing device instead of the SAP Web Dispatcher. In this case, you need to register the servers and ports with it; you also have to take care of aspects such as session stickiness, load information, logon groups, SSL handling, URL filtering, web caching, and so on.


Of course we do recommend using the SAP Web Dispatcher!

The SAP Web Dispatcher forwards inbound requests (HTTP, HTTPS) to the SAP NetWeaver AS instances (also known as application servers) of the SAP system in turn, where the number of requests that an instance receives is weighted according to its capacity. The capacity of an AS ABAP based system depends on the number of configured dialog work processes. For AS Java, the capacity is determined by the number of server processes. If the application is stateful, the SAP Web Dispatcher ensures at the next request that the user is again forwarded to the server processing their application. It uses session cookies to do this for HTTP connections, and the client IP address for end-to-end SSL. In the case of an AS ABAP+Java based system, the SAP Web Dispatcher also decides whether the inbound request is to be forwarded to the ABAP or Java stack. The SAP Web Dispatcher is a separate program (with an architecture similar to that of the Internet Communication Manager (ICM) process) that can run on a host that is directly connected to the Intranet or Internet. It requires minimal configuration. You only need to enter the following data in the profile file for the SAP Web Dispatcher:
● Port on which the HTTP(S) requests are to be received (parameter icm/server_port_<xx>)
● Host and HTTP port of the SAP message server (parameters rdisp/mshost and ms/http_port)

Note: In the context for EP200, only some basic information on SAP Web Dispatcher can be covered. See SAP online documentation and SAP training ADM103 for more.

SAP Web Dispatcher and Java EE Requests
Assume an AS Java based portal made up of the following instances: the Primary Application Server (PAS), two Additional Application Servers (AAS), and the central services instance (CS). A user logs on to that portal via SAP Web Dispatcher and then launches a stateful application that is mapped to a logon group to which the two Additional Application Servers have been assigned. The following figure explains the flow of requests and responses at runtime:


Figure 120: Request and Response Flow at Runtime

The major steps are:
1. The initial request cannot include any logon group information, so it is dispatched by the SAP Web Dispatcher to any instance (let's assume PAS).
2. In the case of a stateful application, the response generated by any server process of AAS2 contains a session cookie saplb_<SID>.
3. With subsequent requests to that portal application, this cookie, saplb_<SID>, is sent to SAP Web Dispatcher. This ensures that these requests are always dispatched to the same instance (here AAS2)...
4. ...and returned to the user.

The following figure explains the strategy of determining the proper instance in case of a Java EE request:

Figure 121: Server Selection Strategy for Java EE Requests

The SAP Web Dispatcher always communicates with the message server of the SAP system to receive server information about that system (instances, ports, protocols, and capacity).


Information about logon groups and URL mappings can be retrieved from a (static) file or from any instance of the SAP system.
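The request flow described above, as an added Python model that is not SAP's code: it implements the capacity-weighted choice of an instance, the mapping of a URL alias to a logon group, and the stickiness of stateful requests through the saplb_<SID> cookie, including what happens when the sticky instance is down. The SID EPX, the instance names and capacities, and the cookie value (simply the instance name here) are constructed for the demonstration.

```python
"""Model of SAP Web Dispatcher request routing (added example, not SAP code).

Reproduces the behaviour described in the lesson: capacity-weighted
distribution (AS Java capacity = number of server processes), URL aliases
mapped to logon groups, and stickiness of stateful requests through the
saplb_<SID> cookie. SID, instance names, capacities and the cookie value
(here simply the instance name) are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    server_processes: int   # capacity measure for an AS Java instance
    up: bool = True
    assigned: int = 0       # requests routed here so far (load counter)


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    instance: str                   # instance that served the request
    set_cookie: dict = field(default_factory=dict)
    session_lost: bool = False      # sticky instance was down: context is gone


class WebDispatcher:
    def __init__(self, sid, instances, groups, url_map, stateful_prefixes):
        self.sid = sid
        self.instances = {i.name: i for i in instances}
        self.groups = groups                    # logon group -> instance names
        self.url_map = url_map                  # URL alias -> logon group
        self.stateful_prefixes = stateful_prefixes
        self.cookie_name = f"saplb_{sid}"

    def _group_for(self, path):
        """The longest matching URL alias decides the logon group, else DEFAULT."""
        matches = [alias for alias in self.url_map if path.startswith(alias)]
        return self.url_map[max(matches, key=len)] if matches else "DEFAULT"

    def dispatch(self, request):
        group = self._group_for(request.path)
        members = self.groups[group]
        candidates = [self.instances[n] for n in members if self.instances[n].up]
        if not candidates:
            raise RuntimeError(f"no running instance in logon group {group}")
        session_lost = False
        sticky = request.cookies.get(self.cookie_name)
        if sticky is not None:
            target = self.instances.get(sticky)
            if target is not None and target.up and target.name in members:
                return self._serve(target, request.path, False)
            session_lost = True   # instance holding the user context is gone
        # Least relative load wins; ties go to the first instance of the group.
        target = min(candidates,
                     key=lambda i: (i.assigned + 1) / i.server_processes)
        return self._serve(target, request.path, session_lost)

    def _serve(self, inst, path, session_lost):
        inst.assigned += 1
        response = Response(inst.name, session_lost=session_lost)
        if any(path.startswith(p) for p in self.stateful_prefixes):
            response.set_cookie[self.cookie_name] = inst.name
        return response


def build_demo():
    """The lesson's portal: PAS plus AAS1/AAS2, with /irj mapped to a logon
    group that contains only the two additional application servers."""
    return WebDispatcher(
        sid="EPX",   # constructed SID
        instances=[Instance("PAS", 6), Instance("AAS1", 4), Instance("AAS2", 4)],
        groups={"DEFAULT": ["PAS", "AAS1", "AAS2"], "Portal": ["AAS1", "AAS2"]},
        url_map={"/irj": "Portal"},
        stateful_prefixes={"/irj"},
    )


def run_scenario():
    """Logon, start of a stateful /irj application, stickiness, then failover."""
    wd = build_demo()
    logon = wd.dispatch(Request("/"))                        # any instance: PAS
    first = wd.dispatch(Request("/irj/portal"))              # group Portal: AAS1
    again = wd.dispatch(Request("/irj/portal", dict(first.set_cookie)))
    wd.instances[first.instance].up = False                  # AAS1 goes down
    after = wd.dispatch(Request("/irj/portal", dict(first.set_cookie)))
    return logon, first, again, after


if __name__ == "__main__":
    for response in run_scenario():
        print(response)
```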

Unit 6 Exercise 25: Set Up Load Balancing

Business Example
Your company has a system that receives many HTTP(S) requests. You need to ensure that when a connection is accepted, the load is balanced to ensure an even distribution across the servers. Even if there is only one instance installed for a portal system, it is still worth considering setting up an SAP Web Dispatcher. If extra instances are installed at a later stage, the URL that is used to access the portal will not need to be changed. The install will take about 40 minutes to complete. For more information about the SAP Web Dispatcher installation and upgrade, see SAP Note 908097.

Note: We use the Software Provisioning Manager (SWPM) for the installation, but without any details or background information. Refer to ADM110 if students want to learn more. To avoid any complications (resulting from ports used by SWPM / SAPinst), the students (Development team and Quality team) should run the installation one after the other!

Caution: To avoid conflicts, the Development team and the Quality team should run the installation consecutively. Once the first team has closed their SAPinst, the second team may start SAPinst.

Install and Configure SAP Web Dispatcher

1. Locate the latest Software Provisioning Manager (SWPM) offered at S:\Installation\SL_Toolset_1.0. Unpack it within a folder D:\SWPM_## on your training server and launch the executable sapinst.exe within.

2. Using SAP Software Provisioning Manager, install an SAP Web Dispatcher system using the settings in the following table:

Parameter | Development Group | Quality Group
Parameter Mode | Typical | Typical
SAP System ID | DWD | QWD
Master Password | wgroup## | wgroup##
UC Kernel NW740 | S:\Installation\SAP NetWeaver 7.4 SR1\SAP Kernel 7.41 Windows X86 64 (51047455_10)\DATA_UNITS\K_741_U_WINDOWS_X86_64 (both groups)
Message Server Host | twdfSSSS.wdf.sap.corp | twdfSSSS.wdf.sap.corp
Message Server HTTP Port | 8134 | 8144
SAP Web Dispatcher Instance Number | 35 | 45
SAP Web Dispatcher HTTP Port | 8035 | 8045
Create Configuration for System of Size | Small | Small
SAP Cryptographic Software | Keep default settings | Keep default settings

The phase “Setting ACL of directory D:\usr\sap...” has a pretty long runtime on the Universal Target (it might take about 35 minutes). Don’t panic, just wait.

Update the SAP Web Dispatcher

Apply an update to your SAP Web Dispatcher installation.

1. Update the SAP Web Dispatcher 7.40 installation using the latest SAP Web Dispatcher package offered at S:\Maintenance\SAP Web Dispatcher 7.40.

Configure the Web Administration Interface

Configuring and using the Web administration interface for administration and monitoring of the SAP Web Dispatcher.

1. Modify the generated instance profile of your SAP Web Dispatcher installation with the settings in the following table:

Setting | Development Group | Quality Group
SAP Web Dispatcher HTTP Port for standard remote access | 8035 | 8045
SAP Web Dispatcher HTTP Port for local administrative access | 8036 | 8046

2. Launch the SAP Web Dispatcher Web administration interface and log on using the generated webadm user.

3. Determine the servers that are available for each of the logon groups.

Enable Logon Groups

Setting up logon groups in AS Java and making them available for SAP Web Dispatcher.


1. Launch the SAP NetWeaver Administrator (NWA) of your portal using user .A-##. Create a logon group Portal## for the URL alias /irj containing the AAS instance (only).

2. Within the SAP NetWeaver Administrator (NWA) of your portal, set the following values for the global (template) server settings of the http service:

Property | Value
GroupInfoRequest | /J2EE/icr_groups
UrlMapRequest | /J2EE/icr_urlprefix

3. For your SAP Web Dispatcher system, DWD or QWD, set the following profile parameter: wdisp/enable_j2ee_groups = true.

Final Test

Testing the workload distribution.

1. Assign the com.sap.training.EP200.WorkloadDist role to your .E-## user.

2. In a new browser session, log on to your portal via the SAP Web Dispatcher URL and the .E-## user.

Unit 6 Solution 25: Set Up Load Balancing

Business Example
Your company has a system that receives many HTTP(S) requests. You need to ensure that when a connection is accepted, the load is balanced to ensure an even distribution across the servers. Even if there is only one instance installed for a portal system, it is still worth considering setting up an SAP Web Dispatcher. If extra instances are installed at a later stage, the URL that is used to access the portal will not need to be changed. The install will take about 40 minutes to complete. For more information about the SAP Web Dispatcher installation and upgrade, see SAP Note 908097.

Note: We use the Software Provisioning Manager (SWPM) for the installation, but without any details or background information. Refer to ADM110 if students want to learn more. To avoid any complications (resulting from ports used by SWPM / SAPinst), the students (Development team and Quality team) should run the installation one after the other!

Caution: To avoid conflicts, the Development team and the Quality team should run the installation consecutively. Once the first team has closed their SAPinst, the second team may start SAPinst.

Install and Configure SAP Web Dispatcher

1. Locate the latest Software Provisioning Manager (SWPM) offered at S:\Installation\SL_Toolset_1.0. Unpack it within a folder D:\SWPM_## on your training server and launch the executable sapinst.exe within.
a) You are logged on to the operating system of your training server twdfSSSS.wdf.sap.corp.
b) Create a new folder D:\SWPM_##.
c) Open the S:\Installation\SL_Toolset_1.0\SWPM folder and locate the latest SWPM.SAR file offered. Copy that file to your folder D:\SWPM_##.
d) In the left pane of the Windows Explorer, right-click your D:\SWPM_## folder and choose CMD Prompt Here.


e) Within this command prompt, to unpack the SAR archive, enter sapcar -xvf SWPM.SAR.
f) After you have ensured that there is no other SAPinst instance running on your server, start the executable D:\SWPM_##\sapinst.exe.

2. Using SAP Software Provisioning Manager, install an SAP Web Dispatcher system using the settings in the following table:

Parameter | Development Group | Quality Group
Parameter Mode | Typical | Typical
SAP System ID | DWD | QWD
Master Password | wgroup## | wgroup##
UC Kernel NW740 | S:\Installation\SAP NetWeaver 7.4 SR1\SAP Kernel 7.41 Windows X86 64 (51047455_10)\DATA_UNITS\K_741_U_WINDOWS_X86_64 (both groups)
Message Server Host | twdfSSSS.wdf.sap.corp | twdfSSSS.wdf.sap.corp
Message Server HTTP Port | 8134 | 8144
SAP Web Dispatcher Instance Number | 35 | 45
SAP Web Dispatcher HTTP Port | 8035 | 8045
Create Configuration for System of Size | Small | Small
SAP Cryptographic Software | Keep default settings | Keep default settings

The phase “Setting ACL of directory D:\usr\sap...” has a pretty long runtime on the Universal Target (it might take about 35 minutes). Don’t panic, just wait.

a) Within SAP Software Provisioning Manager, navigate to option SAP NetWeaver 7.4 → MaxDB → SAP Systems → Standalone Engines → Web Dispatcher → Web Dispatcher and choose Next.
b) As Parameter Mode, select Typical and choose Next.
c) In the SAP System ID field, enter DWD or QWD and choose Next.
d) In the Master Password field, enter wgroup## (twice) and choose Next.
e) As medium for UC Kernel NW740, browse to S:\Installation\SAP NetWeaver 7.4 SR1\SAP Kernel 7.41 Windows X86 64 (51047455_10)\DATA_UNITS\K_741_U_WINDOWS_X86_64 and choose OK.
f) Choose Next.
g) In the Message server host field, enter twdfSSSS.wdf.sap.corp.
h) In the Message server HTTP port field, enter 8134 or 8144. Choose Next.


i) On the Parameter Summary screen, choose Show Detail.
j) Select the Web Dispatcher checkbox and choose Revise.
k) In the Instance number field, enter 35 or 45.
l) In the HTTP port field, enter 8035 or 8045.
m) For Create configuration for system of size, choose Small. Choose Next.
n) On the SAP Cryptographic Software screen, keep the default settings and choose Next.
o) On the Parameter Summary screen, check all parameters and choose Next.
Note: The pure installation runtime is about 40 minutes.
p) After the installation completes, choose OK to close SAPinst.
Hint: At this time, the next team may launch SAPinst.

Your SAP Web Dispatcher is up and running.

Update the SAP Web Dispatcher

Apply an update to your SAP Web Dispatcher installation.

1. Update the SAP Web Dispatcher 7.40 installation using the latest SAP Web Dispatcher package offered at S:\Maintenance\SAP Web Dispatcher 7.40.
a) You are logged on to the operating system of your training server twdfSSSS.wdf.sap.corp.
b) Create a new folder D:\SAPWebDisp_##.
c) Using SAP MC or SAP MMC, stop your DWD or QWD system. Right-click your DWD or QWD system and choose Stop. When asked for an operating system user, you can enter dwdadm or qwdadm as user and wgroup## as password.
Hint: To open the SAP MC for your SAP Web Dispatcher system, you can do one of the following:
● launch the URL http://twdfSSSS.wdf.sap.corp:5<nn>13 (<nn> = instance number 35 or 45)
● launch the SAP MC shortcut on operating system level of your training server’s desktop and navigate to File → New. Provide 35 or 45 as Instance Nr and twdfSSSS.wdf.sap.corp as Instance Host. You can use File → Save Landscapes to store the landscape.

After (re)starting the SAP MMC, the new SAP Web Dispatcher system DWD or QWD should be visible without any additional configuration steps.


d) In case you (or the other group) have the SAP MMC still open, close it now (to prevent auto-starting any Windows service).
e) Using the Windows Services Manager, stop the Windows service named SAP_.
Hint: To open the Windows Services Manager, choose the Services shortcut on the desktop.
f) Copy the latest SAP Web Dispatcher 7.40 package offered at S:\Maintenance\SAP Web Dispatcher 7.40 to your D:\SAPWebDisp_## folder.
g) In the left pane of the Windows Explorer, right-click the D:\SAPWebDisp_## folder and choose CMD Prompt Here.
h) Within that command prompt, enter sapcar -xvf sapwebdisp_.sar to unpack the SAR archive.
i) Copy the extracted files (including subfolders) from folder D:\SAPWebDisp_## to D:\usr\sap\\SYS\exe\nuc\NTAMD64.
Hint: If you are asked, choose to copy and replace existing files/folders (for all files and folders).
j) Using the Windows Services Manager, start the Windows service named SAP_.
k) Using SAP MC or SAP MMC, start your DWD or QWD system. When asked for an operating system user, you can enter dwdadm or qwdadm as user and wgroup## as password.
l) You can right-click the DWD or QWD entry in the SAP (M)MC now and choose Version Info to determine the SAP Web Dispatcher patch level.

Your SAP Web Dispatcher installation is now up-to-date.

Configure the Web Administration Interface
Configuring and using the Web administration interface for administration and monitoring of the SAP Web Dispatcher.

1. Modify the generated instance profile of your SAP Web Dispatcher installation with the settings in the following table:

Setting                                                        Development Group   Quality Group
SAP Web Dispatcher HTTP Port for standard remote access        8035                8045
SAP Web Dispatcher HTTP Port for local administrative access   8036                8046

a) You are logged on to the operating system of your training server twdfSSSS.wdf.sap.corp.
b) Navigate to and open the D:\usr\sap\\SYS\profile\_W_twdfSSSS instance profile in a text editor, for example, SAPpad.
c) Note the values of the following parameters:
● icm/server_port_0
● icm/server_port_1
● icm/HTTP/admin_0
d) Modify the ports in parameters icm/server_port_1 and icm/HTTP/admin_0 to the values listed above.
e) Save the instance profile D:\usr\sap\\SYS\profile\_W_twdfSSSS.
f) Using SAP MC or SAP MMC, restart your DWD or QWD system. When asked for an operating system user, you can enter dwdadm or qwdadm as user and wgroup## as password.

2. Launch the SAP Web Dispatcher Web administration interface and log on using the generated webadm user.
a) You are logged on to the operating system of your training server twdfSSSS.wdf.sap.corp.
b) Launch the following URL: http://localhost:/sap/admin.
Note: For security reasons, the SAP Web Dispatcher Web administration is bound to a dedicated port and localhost only. By modifying icm/HTTP/admin_, it is also possible to make the Web administration accessible from other hosts. In that case, you have several options to launch the Web administration interface:
● Launch the following URL: http://twdfSSSS.wdf.sap.corp:/sap/admin.
● Within SAP MC, navigate to → W on → Web Dispatcher.
● Within SAP MMC, navigate to → W → Web Dispatcher.
c) To log on, enter webadm as user name and wgroup## as password.


3. Determine the servers that are available for each of the logon groups.
a) Navigate to the menu option Backend System → Monitor Server Groups.
b) On the right of the screen, you can analyze and manage details for each logon group (such as the next instance to be used).

Enable Logon Groups
Setting up logon groups in AS Java and making them available for SAP Web Dispatcher.

1. Launch the SAP NetWeaver Administrator (NWA) of your portal using user .A-##. Create a logon group Portal## for the URL alias /irj containing the AAS instance (only).
a) Launch the following URL: http://twdfSSSS.wdf.sap.corp:5$$00/nwa and log on.
b) Navigate to Configuration → Infrastructure → Java HTTP Provider Configuration → Logon Groups.
c) Choose Create.
d) For Logon Group, enter Portal## and choose OK.
e) On the Instances tab, choose Add Instance. Select the AAS instance of your system (starting with 31 for DEP systems and 41 for QEP systems).
f) On the Prefixes tab, choose Add Prefix. As New Prefix, enter a / sign (only) and choose OK.
g) Save your changes.

2. Within the SAP NetWeaver Administrator (NWA) of your portal, set the following values for the global (template) server settings of the http service.

Property            Value
GroupInfoRequest    /J2EE/icr_groups
UrlMapRequest       /J2EE/icr_urlprefix

a) You are still working in the NWA of your portal system.
b) Navigate to Configuration → Infrastructure → Java System Properties.
c) Make sure to keep the ZATPL_AIO template selected.
d) Switch to the Services tab.
e) Search for the HTTP Provider service and select it.
f) In the Extended Details area, select the GroupInfoRequest property and choose Modify. Enter /J2EE/icr_groups and choose Set.
g) In the Extended Details area, select the UrlMapRequest property and choose Modify. Enter /J2EE/icr_urlprefix and choose Set.
h) Save your changes.
i) Restart your portal system DEP or QEP, for example, using SAP MC or SAP MMC.


Note: You may continue with the next step while the AS Java is restarting.

3. For your SAP Web Dispatcher system, DWD or QWD, set the following profile parameter: wdisp/enable_j2ee_groups = true.
a) You are logged on to the operating system of your training server twdfSSSS.wdf.sap.corp.
b) Navigate to and open the D:\usr\sap\\SYS\profile\_W_twdfSSSS instance profile in a text editor, for example, SAPpad.
c) Add a new line wdisp/enable_j2ee_groups = true (and make sure that there is a “new line” after the very last parameter).
d) Save your changes.
e) Using SAP MC or SAP MMC, restart your DWD or QWD system. When asked for an operating system user, you can enter dwdadm or qwdadm as user and wgroup## as password.
f) (Optional) In the Web administration interface (at Dispatching Module → Parameters), check the values of the following parameters:
● wdisp/enable_j2ee_groups
● wdisp/J2EE/group_info_location
● wdisp/J2EE/url_map_location
g) (Optional) If your portal system is up again, launch the following URLs:
● http://twdfSSSS.wdf.sap.corp:5$$00/J2EE/icr_groups
● http://twdfSSSS.wdf.sap.corp:5$$00/J2EE/icr_urlprefix
You should get responses without the need to log on.

Final Test
Testing the workload distribution.

1. Assign the com.sap.training.EP200.WorkloadDist role to your .E-## user.
a) As portal user .A-##, navigate to User Administration → Identity Management.
b) Search for the user .E-##. Select it and choose Modify.
c) On the Assigned Roles tab at Available Roles, search for the com.sap.training.EP200.WorkloadDist role. Select it and Add it. Choose Save.

2. In a new browser session, log on to your portal via the SAP Web Dispatcher URL and the .E-## user.
a) Choose File → New Session from the browser menu bar.
b) Launch the URL http://twdfSSSS.wdf.sap.corp:/irj and log on to the portal using your .E-## user.


c) Navigate to the content available at SAP Training → Workload Distribution. Note that the “You are here” message in the iView output indicates which server process of which instance has processed the current request. The node number should start with 31 for DEP and 41 for QEP.
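The two profile edits in this exercise (keeping the Web administration port bound to localhost, and adding wdisp/enable_j2ee_groups = true with a newline after it) are easy to get wrong by hand. The following Python script is an added example and not part of the EP200 course material: it parses a constructed instance profile built from the exercise's DWD values and reports deviations from the intended layout. It assumes the profile syntax name = value with # comments, ICM subparameters as comma-separated KEY=VALUE pairs (PROT, PORT, HOST, PREFIX, DOCROOT, AUTHFILE), and that a later definition of a parameter overrides an earlier one; values other than the exercise's SID, instance number and ports are mine.

```python
"""Profile sanity check for the SAP Web Dispatcher exercise (added example).

Assumptions (not taken from the course): profile lines are 'name = value',
'#' starts a comment, ICM parameters carry comma-separated KEY=VALUE
subparameters (PROT, PORT, HOST, PREFIX, ...), and a later definition of a
name overrides an earlier one.
"""
import re
from typing import Dict, List

# Constructed sample profile; SID, instance number and ports follow the
# exercise tables for the development group (DWD, instance 35).
SAMPLE_PROFILE = (
    "SAPSYSTEMNAME = DWD\n"
    "INSTANCE_NAME = W35\n"
    "# HTTP port for standard remote access (8035 DWD / 8045 QWD)\n"
    "icm/server_port_0 = PROT=HTTP,PORT=8035\n"
    "# HTTP port for local administrative access (8036 DWD / 8046 QWD)\n"
    "icm/server_port_1 = PROT=HTTP,PORT=8036\n"
    "icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,"
    "AUTHFILE=icmauth.txt,PORT=8036,HOST=localhost\n"
    "wdisp/enable_j2ee_groups = true\n"
)

# The same profile with the two mistakes the exercise warns about: the admin
# handler no longer restricted to localhost, and no newline after the very
# last parameter.
WEAK_PROFILE = SAMPLE_PROFILE.replace(",HOST=localhost", "").rstrip("\n")

ADMIN_RE = re.compile(r"icm/HTTP/admin_\d+")
SERVER_PORT_RE = re.compile(r"icm/server_port_\d+")


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; comments and blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # last definition wins
    return params


def parse_subparams(value: str) -> Dict[str, str]:
    """Split 'KEY=VAL,KEY=VAL' into a dict with upper-case keys."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out


def check_profile(text: str) -> List[str]:
    """Return findings; an empty list means the profile matches the exercise."""
    findings: List[str] = []
    params = parse_profile(text)

    # Ports actually opened by the ICM, keyed by parameter name.
    server_ports = {n: parse_subparams(v).get("PORT")
                    for n, v in params.items() if SERVER_PORT_RE.fullmatch(n)}
    remote_port = server_ports.get("icm/server_port_0")

    for name, value in params.items():
        if not ADMIN_RE.fullmatch(name):
            continue
        sub = parse_subparams(value)
        host = sub.get("HOST", "")
        if host.lower() != "localhost":
            shown = host or "<unset>"
            findings.append(f"{name}: HOST={shown}, web admin reachable from other hosts")
        port = sub.get("PORT")
        if port is None:
            findings.append(f"{name}: no PORT, admin prefix is served on every port")
        elif port not in server_ports.values():
            findings.append(f"{name}: PORT {port} is not opened by any icm/server_port_*")
        elif port == remote_port:
            findings.append(f"{name}: admin shares the standard remote port {port}")

    if params.get("wdisp/enable_j2ee_groups", "").lower() != "true":
        findings.append("wdisp/enable_j2ee_groups is not 'true': AS Java logon groups unused")
    if text and not text.endswith("\n"):
        findings.append("no newline after the last parameter (see the exercise hint)")
    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        print(f"{label}: {check_profile(profile) or ['ok']}")
```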


LESSON SUMMARY
You should now be able to:
● Compare server-based and client-based load balancing
● Set up load balancing

Unit 6 Lesson 3

Describing Accelerated Application Delivery (AccAD)

LESSON OVERVIEW In this lesson you will learn about the benefits of SAP's product Accelerated Application Delivery for SAP NetWeaver (AccAD). This lesson gives an introduction to AccAD. Note that the portal is one of the applications that is aware of AccAD (that's why we present AccAD in this course). There is no AccAD system available for EP200 classes, and the installation or configuration of AccAD is not in the focus. To keep yourself informed, visit the latest documents at SAP Community Network, Quick Link /community/accad-for-netweaver and (if you have access to the SAP corporate portal) https://portal.wdf.sap.corp/go/nw-accad.

Business Example
You are an IT architect for a global company. The employees, located in different subsidiaries, have access to a central portal installation. Your goal is to optimize the response times of your portal applications for those worldwide users, even if they are connected with limited bandwidth and high latency.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe Accelerated Application Delivery (AccAD) basics
● Explain the benefits of using AccAD in a global scenario

Landscape and Optimizations
Accelerated Application Delivery for SAP NetWeaver (AccAD) is a standalone product that is positioned as a complementary offering to SAP NetWeaver. It can be leveraged as an enabler for SAP’s global central system strategy, for example, when setting up one central portal that is the access point for all end users worldwide. Quite commonly, due to bandwidth and latency restrictions, users in remote offices encounter performance issues, like lengthy response times for logging in or navigating within an SAP Enterprise Portal.


Figure 122: Value Proposition

Accelerated Application Delivery is a software appliance that can overcome those issues and thus deliver applications at near-LAN speed to global user groups. Accelerated Application Delivery can provide benefits for all web-based SAP applications. Its application-aware compression and caching mechanisms can be more efficient than generic WAN acceleration and application delivery technologies. Accelerated Application Delivery focuses on accelerating global access to SAP applications and thus it is not intended to be a full-fledged holistic application delivery tool for all kinds of traffic.

Figure 123: Benefits

The generic optimization mechanisms offer means to overcome physical distance (that is, latency) and the actual available capacity (that is, bandwidth and congestion) with caching and compression algorithms. These mechanisms allow you to optimize any web-based SAP traffic significantly for access via Wide Area Networks. Moreover, there are application-aware optimizations especially targeting SAP applications and scenarios – often referred to as “Layer-8 optimizations”. Currently, there are specific optimizations available for the SAP Enterprise Portal, Knowledge Management (accessing and collaborating on documents) and the SAP Learning Solution. Additional predefined service types are available for a variety of applications, such as SAP CRM, SAP Business Objects Solutions, Web Dynpro ABAP, and Web Dynpro Java-based applications. Additional optimizations are planned to be provided whenever there are options to tune the traffic further.

Also important is the low total cost of ownership that this kind of setup involves. Especially compared to creating copies of web-based systems for different regions, utilizing an application delivery technology instead is inexpensive and easy to maintain. Accelerated Application Delivery can run on standard, simple hardware – relatively inexpensive in comparison to application servers. In one central location, you can administer the delivery policies for all remote locations and the data center. The technology itself is productive, simple, and effective – the installation runs out of the box and the configuration can be easily performed in an end-to-end manner. Moreover, there are flexible platform options suiting the needs of your individual setup: it can operate as a software appliance on Linux hosts or alternatively on Windows clients for small remote offices – for future versions, embedding into partner platforms is planned, that is, integrating into generic application delivery tools offered by other vendors.

Figure 124: Basic Landscape – Without AccAD

The basic landscape without using Accelerated Application Delivery consists of a data center. This connects users in the local office via the LAN connection as well as users in remote offices via WAN connections. If this landscape is optimized with Accelerated Application Delivery for SAP NetWeaver, several components are added to this picture:


Figure 125: Basic Landscape – Major AccAD Components

First of all, the AccAD Repository is introduced to this landscape – this is the central component for AccAD and stores the overall landscape configuration settings, audit information, and traffic history data. On the same or an additional host, the server front-end (SFE) is running. The SFE improves the traffic from the application server by offloading tasks like encryption, data compression, and handling slow WAN communication (TCP termination). Repository and SFE are the core of the application delivery software and are installed at the data center on a dedicated Linux host. The client front-end (CFE) in each remote office is the counterpart to the SFE. The major tasks of a CFE are to:
● emulate application services in the remote office
● take over LAN encoding and compression of messages for transmission to the SFE
● decode messages received from the SFE

Moreover, the CFE integrates a cache, which can provide content that was already loaded beforehand. The CFE is part of the core application delivery software and is installed at each remote office on a dedicated Linux or Windows host. Between the CFE and the SFE, there is a secured and optimized tunnel for optimizing the communication between remote office and data center. Messages are compressed and parallelized here. The tunnel can be secured by encoding the messages sent between the CFE and the SFE. For setting up the appliance landscape and configuring it, two different environments are now available. The web-based UI for administration of the overall landscape including monitoring and audit tasks is called AccAD Administrator. This environment especially suits application administrators that are used to graphical UIs. You can simply call the UI via the IP address of the according engine or repository, and port 7443. Compared to previous releases, this environment has no dependency anymore on an SAP Enterprise Portal and thus replaces the former portal admin plug-in. In addition, there is a command line interface, the AD Monitor, offered as an alternative environment that typically suits the network administrator. This environment is a secure shell connection to a network-device-like CLI. The CLI contains advanced characteristics – it’s auto-comprehensive and provides auto-completion for commands and content. Within a command line, you have the option to work with scripts for automation purposes – this can be especially useful in large and dynamic landscapes. Both environments offer the same configuration options and are exchangeable (apart from the slight differences discussed before). If you set up your landscape in a high-availability manner, then the landscape could change slightly, for example, by multiplying the SFE in the data center and the CFEs in remote offices and by providing a fall-back mechanism to access the data center directly in case of nonavailability of AccAD.

Figure 126: Key Capabilities & Optimizations

In the figure above, you can see the general communication flow from end user via CFE – WAN – SFE to the application server and back to the end user. The overall transaction time thus consists of the time for transmitting the request, the processing at the application server itself, and the time for transmitting the reply. The optimization effects and key capabilities of Accelerated Application Delivery are especially efficient due to the application awareness in all of the following areas:

Integrated cache with caching patterns
This saves unnecessary roundtrips to the application server if the content was already requested by other users before (for example, a huge document was already downloaded).

Efficient compression mechanisms
You could also label this capability as adaptive traffic flow minimization. Here AccAD achieves 1/10-1/20 more compression than standard HTTP compression. It identifies redundancies in the transaction messages (based on SAP-patented algorithms) and thus the traffic over the WAN for Web-enabled enterprise applications is reduced. In the future, there would even be the potential to integrate service prioritization.

Offloading the application servers
On the application server, commodity tasks and processes can be offloaded: this comprises, for example, compression, encryption and handling communication over slow WAN. Those tasks do not create load on the application server anymore, but are rather moved to the dedicated Accelerated Application Delivery hosts.


TCP traffic optimization
TCP roundtrips are minimized by using local TCP termination – this reduces the overall number of roundtrips, and parallel transmission can increase the efficiency further. Usually, without AccAD, 1 roundtrip is necessary to open the TCP connection before transferring the request. Since CFE and SFE keep connections open, those connections can be reused and at least 1 roundtrip per request is saved. Between CFE and SFE, multiple connections are opened, thus the traffic can potentially be transmitted in parallel.

End-to-end security
All communication between user and CFE, CFE and SFE, SFE and Application Server can be secured.

Software appliance
Accelerated Application Delivery follows a software appliance approach, thus it is preconfigured and contains a straightforward installation with kickstart files. The common baseline is that it takes at most 60 min to set up a client front-end.

Figure 127: Functional Concept of Operation

The main features of AccAD are optimization, central management, and security:

Optimization
SAP applications are delivered to remote locations using application-aware optimizations, namely adaptive compression of transaction messages and caching patterns. Commodity processes are offloaded from the application servers.

Central Management
You can configure the landscape end-to-end by defining a single central delivery policy. If you define new services for the remote locations that should be delivered as well, then those new delivery rules can be activated with one click.

Security
The tunnel and the communication between user and CFE, and SFE and application server can be encrypted with SSL. Moreover, support for different Single Sign-On technologies is offered by Accelerated Application Delivery.


Figure 128: Product Availability Matrix for AccAD 2.3

This Product Availability Matrix illustrates the platforms on which the previously mentioned components can be run. It contains current platforms as well as platforms that are planned to be supported with upcoming Support Packages. The Application Delivery Monitor is a pure Java application that requires JDK 1.2 and higher, and can then run on both Windows and Unix or Linux platforms. The PAM listed here reflects the situation in July 2014. For an up-to-date view, launch QL /pam on the SAP Service Marketplace (with a customer user, not an SAP-internal one, please) and navigate to SAP NetWeaver → AAD 2.3 FOR SAP NETWEAVER.

Optimization Effects at SAP One of the current showcases for successful implementations of AccAD is SAP itself. In order to provide quick access at near-LAN speed for remote offices, like Palo Alto and Bangalore to the Corporate Portal, SAP conducted a pilot project with early versions of AccAD. The assessments of the technology were convincing and since September 2006 the productive portals are accelerated with AccAD. In 2007 additional Client Front-Ends were added to the landscape and in Asia Pacific / Japan full coverage has been achieved. In addition, at the end of 2007, SAP leveraged AccAD for the productive CRM installations.

Figure 129: AccAD @ SAP


Usually every week approx. 20,000 users access the SAP Corporate Portal via WAN and benefit from the optimizations from Accelerated Application Delivery.

Figure 130: Overcoming Bandwidth and Latency Issues

In the graphic above, you can see the effects of Accelerated Application Delivery on overcoming bandwidth and latency issues. These 3 showcases are quite typical activities that are usually performed when using a portal: login to the SAP Enterprise Portal, a 5 MB document download, and using a transaction to create a sales order. These scenarios were run in an SAP lab environment in 2007 with the previous version 2.1 (the current version AccAD 2.3 for SAP NetWeaver should be even more efficient in most areas). All activities were performed addressing the portal with HTTPS and with different lines. The numbers in ms illustrate the latency and thus the distance between user and data center (the higher the latency, the longer the distance; for example, 150 ms equals the distance between Europe and the USA). The percentage shows whether the line is congested or not. The benchmarking took place with different bandwidths - via WAN T3 lines and DSL. The red line illustrates the baseline when performing those activities in a LAN environment. Within the blue bars, you can see the time that the activity took when accessing the portal directly, in comparison to the orange bars that show the time that was required when accessing the same scenario via Accelerated Application Delivery. The improvements with AccAD are quite obvious and usually close to the LAN baseline.

Figure 131: Latency Sensitivity and Mitigation


This graph illustrates how latency issues for remote offices can be mitigated by using Accelerated Application Delivery. When using the portal and, for example, executing transactions like creating a sales order, the latency increases with increasing distance, and, unlike bandwidth or packet loss issues (where you would have the option to purchase “better lines”), this cannot be overcome. Therefore the average response time of the example transaction increases with increasing distance from approximately 3 seconds up to 26 seconds. When using Accelerated Application Delivery, the response time stays almost at its LAN performance level even when the physical distance is huge (it increases up to 6 seconds at most in this scenario). Again, those numbers were measured in SAP lab tests in 2007.

Figure 132: Many connections test (offloading effect)

Another effect that was described beforehand is the offloading of commodity tasks. This is illustrated in this performance test. An increasing number of users accessed the portal (up to 500 concurrent users), and when comparing direct access to access via Accelerated Application Delivery, you can see that up to 48 % CPU offloading of the server was achieved. As a remark, this offloading effect is usually achieved only by application delivery appliances and not by classical WAN accelerators.

FACILITATED DISCUSSION
You may discuss the landscapes at your students’ companies. Do all portal users have a LAN connection to the portal installation(s)?

Related Information: Accelerated Application Delivery (AccAD)
● SAP Community Network, Quick Link /community/accad-for-netweaver
● SAP Service Marketplace /nw-accad
● SAP Note 1313848
● SAP Note 1616097

Also check SAP Note 1313848 for release restrictions and 1616097 as a central entry point for all AccAD related notes.


LESSON SUMMARY
You should now be able to:
● Describe Accelerated Application Delivery (AccAD) basics
● Explain the benefits of using AccAD in a global scenario

Unit 6
Learning Assessment

1. Which of the following are reasons for securing communications in your organization?
Choose the correct answers.
A To meet legal, or mandated data privacy requirements.
B To reduce the upfront costs of the organization.
C To prevent unauthorized access to sensitive data leading to misuse.
D To reduce the complexity of the IT infrastructure.

2. Match the communication path with the secure protocol used.
Match the item in the first column to the corresponding item in the second column.

Communication path                                  Secure protocol
SAP GUI for Windows – ABAP-based SAP system         LDAPS (SSL)
Web browser – SAP Web Dispatcher or Web server      DIAG using SNC
SAP Web Dispatcher or Web server – ICM              HTTPS (SSL)
Portal server – LDAP directory server               HTTPS (SSL)

3. What are the advantages of server-based load balancing?

4. The programming model for stateless requests is used for complex applications.
Determine whether this statement is true or false.
True
False

5. What are the disadvantages of client-based load balancing?

6. Match these AccAD components and tools with their description.
Match the item in the first column to the corresponding item in the second column.

Component or tool      Description
AccAD Repository       Improves the traffic from the application server by offloading tasks like encryption, data compression, and handling slow WAN communication.
Server Front-End       Administers the overall landscape through a web-based UI.
AccAD Administrator    Administers the overall landscape through a command line interface.
AD Monitor             Stores the landscape and configuration settings.

Unit 6
Learning Assessment - Answers

1. Which of the following are reasons for securing communications in your organization?
Choose the correct answers.
A To meet legal, or mandated data privacy requirements.
B To reduce the upfront costs of the organization.
C To prevent unauthorized access to sensitive data leading to misuse.
D To reduce the complexity of the IT infrastructure.

2. Match the communication path with the secure protocol used.
Match the item in the first column to the corresponding item in the second column.
SAP GUI for Windows – ABAP-based SAP system: DIAG using SNC
Web browser – SAP Web Dispatcher or Web server: HTTPS (SSL)
SAP Web Dispatcher or Web server – ICM: HTTPS (SSL)
Portal server – LDAP directory server: LDAPS (SSL)

3. What are the advantages of server-based load balancing?
All instances can be addressed using a common IP address or a common name. The users always use the same URL to access the system. One SSL server certificate is sufficient for all of the instances. The aforementioned advantages reduce the operating and maintenance effort and costs.

4. The programming model for stateless requests is used for complex applications.
Determine whether this statement is true or false.
True
False

5. What are the disadvantages of client-based load balancing?
Client-based load balancing has the following disadvantages: It can confuse the user, as the URL displayed in the browser changes with the rerouting. If Favorites are created in the browser, these point to the server to which the user was redirected. Each instance requires an SSL server certificate. Finally, it can cause problems if a firewall is used.

6. Match these AccAD components and tools with their description.
Match the item in the first column to the corresponding item in the second column.
AccAD Repository: Stores the landscape and configuration settings.
Server Front-End: Improves the traffic from the application server by offloading tasks like encryption, data compression, and handling slow WAN communication.
AccAD Administrator: Administers the overall landscape through a web-based UI.
AD Monitor: Administers the overall landscape through a command line interface.


UNIT 7
Advanced Portal Scenarios

Lesson 1
Configuring Navigation Settings and Bandwidth Optimization    386
Exercise 26: Configure Navigation Settings and Bandwidth Optimization    393

Lesson 2
Set Up a Federated Portal Network    401
Exercise 27: Set Up a Federated Portal Network    417
Exercise 28: Set Up a Federated Portal Network Using Remote Delta Links (RDL)    421
Exercise 29: Set Up a Federated Portal Network Using Remote Role Assignment (RRA)    423

UNIT OBJECTIVES
● Describe key navigation features of web-like portals
● Configure navigation settings and bandwidth optimization
● Describe federated portal networks
● Describe the supported content sharing modes for a federated portal network
● Set up a federated portal network

Unit 7 Lesson 1

Configuring Navigation Settings and Bandwidth Optimization

LESSON OVERVIEW This lesson introduces some navigation concepts and settings which can improve the portal performance. In EP200/62, this lesson was about external-facing portal (EFP) – this is now shifted (in sync with product management positioning) to “Configuring Navigation Settings and Bandwidth Optimization”. Note that this lesson is not designed to cover all aspects of portal performance.

Business Example
Your company uses an external customer portal based on SAP Enterprise Portal. Since some customers do not have access to broadband Internet, they want to keep network traffic down to a minimum.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe key navigation features of web-like portals
● Configure navigation settings and bandwidth optimization

Web-Like Portals
Large companies today need to provide information, services and applications to customers, vendors and partners in a public Web portal that performs well over the Internet and operates in a manner similar to standard, customizable Web sites. To enable and ease the implementation of a Web portal, the SAP Enterprise Portal includes tools for creating a web-like portal. The portal offers support of standard Web-like behavior, quickly putting casual and first-time portal visitors at ease. It provides the means for customizing the portal look and feel to provide a fresh and updated Web-site look for a public audience. And it reduces the number of resources transmitted over the Web, increasing the performance for Internet users, which is especially important for users who access the portal over low-bandwidth connections and dial-up networks. Although not always appropriate for certain applications that require a large number of resources and the support of the SAP NetWeaver client framework, an external-facing portal using SAP Enterprise Portal can help companies boost their portal project ROI by using the same platform for the company's Internet and Intranet implementations.

As with a normal Web site, users expect:
● Navigation with the standard browser keys such as Back, Forward and Refresh

© Copyright . All rights reserved.

Lesson: Configuring Navigation Settings and Bandwidth Optimization



● Fast page setup, even if the bandwidth of the Internet connection is low
● Attractive Web site look adapted to the company in question
● Portal alignment with the WCAG 2.0 accessibility standard

For German participants, you could show the Web page of the state of Wolfsburg (http://www.wolfsburg.de), which was created as an external-facing portal based on SAP NetWeaver.

Implementation of Web-Like Portals
SAP Enterprise Portal supports the setup of external portals with the following functions (that can also be used independently of one another):

Functions for Web-like Portals
● Navigation cache: For users with the same navigation hierarchy, the portal reads the hierarchy from the cache instead of setting it up again
● Short URLs: The long portal URLs in the standard version are shortened. This reduces the network traffic, hides the inner portal structure from the user, and simplifies the procedure for storing and forwarding Web addresses
● Quick links: With the quick links (created by the content administrator), the user can get to certain navigation nodes using a descriptive abbreviation
● Simplified framework page: This framework page runs in a single frame and therefore does not need JavaScript communication between frames; only simple iViews that do not need HTMLB and JavaScript (to save resources) should be offered on the page
● Resource-saving Page Builder: Special libraries (such as JavaScript for eventing) are only sent to the browser if they are really needed (according to the specification of the developer)
● JSP tag libraries: Libraries for easily creating new navigation iViews and page layouts are available for portal developers

The next graphic illustrates the main implementation process for the IT Scenario Implementing an External-Facing Portal.

Figure 133: Process Steps for IT Scenario Implementing an EFP


Unit 7: Advanced Portal Scenarios

Some of the IT process steps are covered in more detail in the following sections.

Caution: Not all steps mentioned in online documentation are covered in this lesson of EP200; some of them are discussed in other lessons of EP200 class.

Navigation Cache
In order to improve performance and reduce network traffic, the portal caches each set of navigation nodes required by a user. If a user has access to the same navigation hierarchy as a previous user, the portal can retrieve the navigation hierarchy from the cache instead of generating it again. The navigation cache stores nodes separately for each navigation connector. Both entry points and navigation nodes are cached. The feature is disabled by default so that navigation nodes are not cached during testing and configuration of the portal. Once the portal is ready for production, the caching feature can be enabled. The Navigation Cache iView allows you to monitor and maintain the cache. You access the iView as system administrator at System Administration → Cache Management → Navigation Cache. The main Navigation Cache screen enables you to perform actions on all of the connectors simultaneously as well as access the settings for each connector separately. Demonstrate the exercise task Navigation Cache.
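As an added illustration of the cache semantics described above (example code written for this edit, not SAP code), the following Python model implements one connector's cache with the two settings the exercise configures: a maximum number of objects and a lifetime in minutes. The cache key (the set of roles a user holds) and least-recently-used eviction are assumptions, since the page does not describe the portal's internal key; the role-to-node table is constructed sample data.

```python
"""Per-connector navigation cache, modelled after the behaviour described above.

Added example, not SAP code. Assumptions not taken from the page: the cache key
is the user's set of roles (users with the same roles share one navigation
hierarchy), and eviction is least-recently-used once the configured number of
objects is reached.
"""
import time
from collections import OrderedDict
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed sample data: which top-level navigation nodes each role contributes.
ROLE_NODES: Dict[str, List[str]] = {
    "anonymous_role": ["Home"],
    "eu_role": ["Home", "Work"],
    "super_admin_role": ["System Administration", "Content Administration"],
}


def build_hierarchy(roles: FrozenSet[str]) -> List[str]:
    """Stand-in for the expensive step of assembling a user's navigation nodes."""
    nodes: List[str] = []
    for role in sorted(roles):
        for node in ROLE_NODES.get(role, []):
            if node not in nodes:
                nodes.append(node)
    return nodes


class FakeClock:
    """Injectable clock so lifetime expiry can be exercised without waiting."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance_minutes(self, minutes: float) -> None:
        self.now += minutes * 60


class ConnectorCache:
    """Cache for one navigation connector (for example ROLES) with a maximum number
    of objects and a lifetime in minutes; disabled by default like the portal's."""

    def __init__(self, max_objects: int, lifetime_minutes: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_objects = max_objects
        self.lifetime_seconds = lifetime_minutes * 60
        self.clock = clock
        self.enabled = False
        self.hits = 0
        self.misses = 0
        # key -> (time stored, cached nodes); insertion order gives LRU eviction
        self._entries: "OrderedDict[FrozenSet[str], Tuple[float, List[str]]]" = OrderedDict()

    def get_nodes(self, roles: FrozenSet[str],
                  build: Callable[[FrozenSet[str]], List[str]]) -> List[str]:
        """Return the navigation nodes for a user holding `roles`, from cache if possible."""
        if not self.enabled:
            self.misses += 1
            return build(roles)
        now = self.clock()
        entry = self._entries.get(roles)
        if entry is not None:
            stored_at, nodes = entry
            if now - stored_at < self.lifetime_seconds:
                self._entries.move_to_end(roles)  # mark as recently used
                self.hits += 1
                return list(nodes)
            del self._entries[roles]  # lifetime exceeded: rebuild below
        self.misses += 1
        nodes = build(roles)
        self._entries[roles] = (now, list(nodes))
        while len(self._entries) > self.max_objects:
            self._entries.popitem(last=False)  # evict least recently used
        return list(nodes)

    def size(self) -> int:
        return len(self._entries)

    def clear(self) -> None:
        self._entries.clear()


def simulate() -> Dict[str, int]:
    """Run the exercise settings (7500 nodes, 120 minutes) against three users."""
    clock = FakeClock()
    cache = ConnectorCache(max_objects=7500, lifetime_minutes=120, clock=clock)
    cache.enabled = True  # corresponds to the "Enable All" step
    builds = {"count": 0}

    def counted_build(roles: FrozenSet[str]) -> List[str]:
        builds["count"] += 1
        return build_hierarchy(roles)

    user_a = frozenset({"eu_role"})
    user_b = frozenset({"eu_role"})                      # same hierarchy as user_a
    user_c = frozenset({"eu_role", "super_admin_role"})  # different hierarchy
    cache.get_nodes(user_a, counted_build)  # miss: first build
    cache.get_nodes(user_b, counted_build)  # hit: same role set as user_a
    cache.get_nodes(user_c, counted_build)  # miss: separate key, admin nodes stay separate
    clock.advance_minutes(121)
    cache.get_nodes(user_a, counted_build)  # miss: entry older than 120 minutes
    return {"hits": cache.hits, "misses": cache.misses,
            "builds": builds["count"], "entries": cache.size()}
```

The detail worth checking in any navigation cache is the key: two users share an entry only when their role sets are identical, so the administration nodes of user_c never appear in the hierarchy served to user_a or user_b. Because the feature is disabled by default, simulate() has to enable it first, as the Enable All step in the exercise does.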

Light Framework Page
The page builder was enhanced by SAP to become resource-sensitive: The page builder can prevent the downloading of client-side eventing JavaScript if an iView indicates it does not need eventing. The need for eventing has to be specified by the developer (EPCFLevel profile property). In addition, even when a page requires client-side eventing JavaScript or HTMLB controls, the page builder only loads the required resources and not the entire libraries. The light framework page (ID pcd:portal_content/every_user/general/lightframeworkpage) provided by SAP is a single-frame page which enhances performance, reduces network traffic and enables Website-like behavior. Framework page resolving is done by portal aliases (see below) and portal desktop technology. Customers can make use of the “light” objects shipped by SAP – another option is to create your own navigation iViews (masthead, top-level navigation, detailed navigation), or modify the default light navigation iViews to fit your company’s needs. You can use the navigation tag library to build JSP-based navigation iViews. Finally, you replace the navigation iViews of the default light framework page with your customized navigation iViews.


Figure 134: Light Desktop with Light Framework Page

Light Portal Desktop
The Theme Editor now includes styles that are used in the default light navigation iViews. Using rule collections, ensure that your target group is assigned to a portal desktop that is made of your light framework page and one (or more) themes. Remember that you can assign portal desktops based on the current user, group, role, URL alias, or the user’s network bandwidth. The default light desktop shipped by SAP has the ID pcd:portal_content/every_user/general/lightDesktop. You may modify this one or create your own version of a light desktop. Demonstrate the exercise task Light Desktop for new Portal Alias part 1.

Portal URL Aliases
A URL alias is the part of the portal URL that comes after the section pointing to the portal application (irj). You can define custom URL aliases for your own portal usage scenarios. After defining a URL alias, you can use it in a portal display rule to specify the portal desktop that is assigned to portal users at runtime when accessing the portal with a specific URL alias. The preferred way to define URL aliases is using the URL Alias Manager. You can find the URL Alias Manager at System Administration → System Configuration → Portal Display → URL Alias Manager.


Figure 135: Portal URL Aliases

To access the classic desktop of your portal for example, you can use the predefined alias http://:/irj/portal/classic.

Figure 136: Classic Desktop Portal

Note: It is also possible to create Portal URL Aliases in the Web.xml file of your portal. Changes that are made to the Web.xml file are overwritten when upgrading your portal to a new release or support package stack. For this reason, this is not the recommended way to create Portal URL Aliases.
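To show how a display rule such as the one built in the exercise (IF URL alias = portal/ext THEN light desktop) is evaluated together with rules on other attributes, here is an added Python model; it is not SAP code. It assumes first-match evaluation in rule order. The light desktop ID is the one given above; ADMIN_DESKTOP and DEFAULT_DESKTOP are constructed placeholders.

```python
"""Evaluation of a portal display rule collection. Added example, not SAP code.

Assumption not taken from the page: rules are checked in order and the first
matching IF expression determines the desktop; if nothing matches, a default
desktop is used.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

LIGHT_DESKTOP = "pcd:portal_content/every_user/general/lightDesktop"  # ID from the lesson
ADMIN_DESKTOP = "pcd:example/adminDesktop"      # constructed placeholder
DEFAULT_DESKTOP = "pcd:example/defaultDesktop"  # constructed placeholder


@dataclass(frozen=True)
class PortalRequest:
    """What the portal knows about a request when it picks a desktop."""
    user: str
    groups: FrozenSet[str]
    roles: FrozenSet[str]
    url_alias: str            # part of the URL after /irj/, for example "portal/ext"
    low_bandwidth: bool = False


@dataclass(frozen=True)
class DisplayRule:
    """One IF expression: <attribute> equals <value> THEN <desktop>."""
    attribute: str   # "user", "group", "role", "url_alias" or "bandwidth"
    value: str
    desktop: str

    def matches(self, req: PortalRequest) -> bool:
        if self.attribute == "user":
            return req.user == self.value
        if self.attribute == "group":
            return self.value in req.groups
        if self.attribute == "role":
            return self.value in req.roles
        if self.attribute == "url_alias":
            return req.url_alias == self.value
        if self.attribute == "bandwidth":
            return (self.value == "low") == req.low_bandwidth
        raise ValueError(f"unknown rule attribute: {self.attribute}")


class RuleCollection:
    """Ordered list of display rules with a fallback desktop."""

    def __init__(self, rules: List[DisplayRule], default_desktop: str) -> None:
        self.rules = list(rules)
        self.default_desktop = default_desktop

    def resolve(self, req: PortalRequest) -> str:
        for rule in self.rules:
            if rule.matches(req):
                return rule.desktop
        return self.default_desktop


def master_rules() -> RuleCollection:
    """The exercise's alias rule first, then a constructed role rule, to show that
    rule order decides which desktop an administrator gets via portal/ext."""
    return RuleCollection(
        [
            DisplayRule("url_alias", "portal/ext", LIGHT_DESKTOP),
            DisplayRule("role", "super_admin_role", ADMIN_DESKTOP),
        ],
        default_desktop=DEFAULT_DESKTOP,
    )


def desktop_for(user: str, roles: FrozenSet[str], url_alias: str,
                low_bandwidth: bool = False) -> str:
    """Convenience wrapper: which desktop the master rule collection assigns."""
    req = PortalRequest(user=user, groups=frozenset(), roles=roles,
                        url_alias=url_alias, low_bandwidth=low_bandwidth)
    return master_rules().resolve(req)
```

The URL alias is chosen by whoever types the URL, so a rule on it selects presentation only: in the model, an administrator arriving via portal/ext still receives the light desktop because the alias rule comes first, and which content a user can see is still governed by role assignment, not by the desktop rule.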

Light Content
For the performance benefits of the external-facing portal light framework page to be fully utilized, “light” content must be assigned to the external users. Content that does not use a lot of resources is considered “light”. To create light content:
● Use static content as much as possible
● Avoid client-side eventing (EPCFLevel=1)
● Use page layouts with custom iView trays. The default iView tray uses HTMLB.
● Make sure that any dynamic navigation iView for your content is also light
● Do not create related links for iViews and pages


Short URLs
The portal creates a URL for each link to a specific navigation node. The URL consists of the default portal URL, plus a NavigationTarget parameter. This parameter can have two possible formats:
● Long URL, for example http://twdfXXXX.wdf.sap.corp:5$$00/irj/portal/light?NavigationTarget=ROLES://portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_admin_wd_ws&InitialNodeFirstLevel=true
● Short URL, for example http://twdfXXXX.wdf.sap.corp:5$$00/irj/portal/light?NavigationTarget=navurl://631c127e4710538c99e4aeb58b928ec8&InitialNodeFirstLevel=true

Figure 137: Short Navigation URLs

The portal is by default configured to create short URLs for each link to a specific navigation node. The short URL consists of the default portal URL, plus a NavigationTarget parameter with a hashed version of the full navigation target. This functionality:
● Reduces network traffic by reducing the length of the request string
● Hides the internal content structure
● Supports HTTP GET requests and browser cache utilization

The settings for enabling or disabling short URLs are offered in an iView available to system administrators at System Configuration → Runtime Settings → Short URLs. With some support packages, the default setting changed from long to short URLs. Demonstrate the exercise task Short URLs.
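The following added Python example (not SAP code) models the short-URL mechanism described above: the full NavigationTarget is replaced by navurl:// plus a digest, and a server-side table maps the digest back to the target. The digest algorithm is an assumption: the sample short target on this page is 32 hexadecimal characters, which matches the length of an MD5 digest, but the page does not state what the portal actually uses. The host and port placeholders and the long navigation target are taken from the page's own example.

```python
"""Short navigation URLs: a server-side map from a digest of the full
NavigationTarget to the target itself. Added example, not SAP code.

Assumption not taken from the page: the digest algorithm. MD5 is used here only
because the page's sample short target is 32 hex characters; it serves as a
lookup key, not as a security control.
"""
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Host and port placeholders exactly as printed on the page.
PORTAL_BASE = "http://twdfXXXX.wdf.sap.corp:5$$00/irj/portal/light"
# Long navigation target from the page's example.
LONG_TARGET = ("ROLES://portal_content/administrator/super_admin/super_admin_role/"
               "com.sap.portal.user_administration/com.sap.portal.user_admin_wd_ws")
NAVURL_PREFIX = "navurl://"


class ShortUrlResolver:
    """Builds navigation URLs and resolves them back to the full target."""

    def __init__(self, use_short_urls: bool = True) -> None:
        self.use_short_urls = use_short_urls  # the "Use Short URLs" runtime setting
        self._targets: Dict[str, str] = {}    # digest -> full navigation target

    @staticmethod
    def digest(target: str) -> str:
        return hashlib.md5(target.encode("utf-8")).hexdigest()

    def navigation_url(self, target: str, first_level: bool = True) -> str:
        """URL the portal would render for a link to `target`."""
        if self.use_short_urls:
            key = self.digest(target)
            self._targets[key] = target  # remember the mapping server-side
            nav = NAVURL_PREFIX + key
        else:
            nav = target
        params = {"NavigationTarget": nav}
        if first_level:
            params["InitialNodeFirstLevel"] = "true"
        return PORTAL_BASE + "?" + urlencode(params, safe=":/")

    def resolve(self, url: str) -> Optional[str]:
        """Full navigation target for an incoming URL, or None if it cannot be resolved."""
        query = parse_qs(urlsplit(url).query)
        nav = query.get("NavigationTarget", [None])[0]
        if nav is None:
            return None
        if nav.startswith(NAVURL_PREFIX):
            # An unknown digest resolves to None rather than to a guessed target.
            return self._targets.get(nav[len(NAVURL_PREFIX):])
        return nav


def compare_lengths() -> Tuple[int, int]:
    """Length of the long and the short form of the same navigation URL."""
    long_url = ShortUrlResolver(use_short_urls=False).navigation_url(LONG_TARGET)
    short_url = ShortUrlResolver(use_short_urls=True).navigation_url(LONG_TARGET)
    return len(long_url), len(short_url)


def round_trip() -> Tuple[Optional[str], Optional[str]]:
    """Resolve a genuine short URL and one whose digest was altered."""
    resolver = ShortUrlResolver()
    short_url = resolver.navigation_url(LONG_TARGET)
    key = resolver.digest(LONG_TARGET)
    tampered = short_url.replace(key, "0" * len(key))
    return resolver.resolve(short_url), resolver.resolve(tampered)
```

Two properties matter to an administrator here. A short URL is a lookup key, not a credential: resolving it only tells the portal which node was meant, and the user's role assignment still decides whether that node is rendered. And because short URLs are meant to be bookmarked, the digest-to-target table has to outlive the user's session, while an unknown digest should fail closed (resolve returns None) rather than fall back to a guessed target.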


Unit 7 Exercise 26

Configure Navigation Settings and Bandwidth Optimization

Business Example
Your company has decided to establish a public web site based on SAP Enterprise Portal. As a system administrator, you are a member of the project team working on the external-facing portal implementation. Now you have to ensure that the whole setup workflow runs smoothly and successfully.

Note: This exercise assumes that you already configured anonymous access to your portal (see earlier exercise).

Navigation Cache
Activating and configuring the portal cache for navigation nodes.
1. Check the current cache settings using the Navigation Cache iView.
2. Enable the entire navigation cache.
3. For the ROLES connector, configure it to store 7500 navigation nodes with a lifetime of 120 minutes.
4. Optional: (Re-)Log on with another portal user (for example, .E-##) and perform some navigation steps. As portal user .A-##, verify that entries were written to the navigation cache.
You enabled the navigation cache, which will increase your portal performance.

Light Desktop for new Portal Alias
Assigning the light desktop, anonymous logon, and language localization for every user launching the portal with a special alias portal/ext.
1. Create a new URL alias in the portal called portal/ext.
2. Open the light framework page and enable language localization for anonymous users.
3. Modify the master rule collection in a way that everyone launching the portal with the alias portal/ext is assigned to the pcd:portal_content/every_user/general/lightDesktop.
4. To test the settings, open a new web browser session (not only a new browser window) and launch the portal. Make sure that the URL ends with /irj/portal/ext.
When launching the portal using the url-pattern /irj/portal/ext, users are assigned to the light version of the portal desktop.


Short URLs
Checking the short URLs setting (for example, for browser bookmarks)
1. Check if short URLs are enabled – if not, enable them.
2. To test the settings, open a new web browser session (not only a new browser window) and launch the portal. Make sure that the URL ends with /irj/portal/ext. Click on the Anonymous Role in the top-level navigation menu.
When launching the portal with the light portal desktop, short URLs are generated instead of long navigation paths.


Unit 7 Solution 26

Configure Navigation Settings and Bandwidth Optimization

Business Example
Your company has decided to establish a public web site based on SAP Enterprise Portal. As a system administrator, you are a member of the project team working on the external-facing portal implementation. Now you have to ensure that the whole setup workflow runs smoothly and successfully.

Note: This exercise assumes that you already configured anonymous access to your portal (see earlier exercise).

Navigation Cache
Activating and configuring the portal cache for navigation nodes.
1. Check the current cache settings using the Navigation Cache iView.
   a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
   b) Log on as portal user .A-##.
   c) Choose System Administration → System Configuration → Cache Management → Navigation Cache.
2. Enable the entire navigation cache.
   a) In that iView, choose Enable All.
3. For the ROLES connector, configure it to store 7500 navigation nodes with a lifetime of 120 minutes.
   a) Within the Navigation Cache iView, choose the Configure link for the ROLES connector.
   b) Choose the Navigation Nodes tab.
   c) In the Number of objects in cache field, enter 7500.
   d) In the Lifetime (in minutes) field, enter 120.
   e) Choose Apply.
   f) Choose the Back to Cache Management link to return to the initial view.
4. Optional: (Re-)Log on with another portal user (for example, .E-##) and perform some navigation steps. As portal user .A-##, verify that entries were written to the navigation cache.
   a) Navigate to the URL http://twdfSSSS.wdf.sap.corp:5$$00/irj/portal.
   b) Log on as a portal user other than .A-##, for example .E-##.
   c) Perform some navigation steps.
   d) Log off.
   e) Log on as portal user .A-##.
   f) Navigate to the Navigation Cache iView by choosing System Administration → System Configuration → Cache Management → Navigation Cache.
   g) Choose Show Content.
You enabled the navigation cache, which will increase your portal performance.

Light Desktop for new Portal Alias
Assigning the light desktop, anonymous logon, and language localization for every user launching the portal with a special alias portal/ext.
1. Create a new URL alias in the portal called portal/ext.
   a) Log on to the portal as portal user .A-##.
   b) Choose System Administration → System Configuration → Portal Display → URL Alias Manager.
   c) Choose New.
   d) In the Properties of New Alias area, in the Name field, enter portal/ext.
   e) Select the Accessible via low bandwidth connections checkbox.
   f) Select the Enable anonymous user access checkbox.
   g) Choose Save.
2. Open the light framework page and enable language localization for anonymous users.
   a) Logged on as portal user .A-##, choose Content Administration → Portal Content Management → Portal Content.
   b) Navigate to the default framework page at pcd:portal_content/every_user/general (path Portal Content → Portal Users → Standard Portal Users).
   c) Select the Light Framework Page.
   d) Choose Open → Page.
   e) Select the Light Masthead iView.
   f) Choose Open.
   g) Choose Properties → All.
   h) Search for the Show Dropdown List in Masthead: Language Personalization for Anonymous Users property by entering *Language* in the Find Property field.
   i) Select the property.
   j) Choose Modify Properties.
   k) Choose the Yes value.
   l) Save this change.
3. Modify the master rule collection in a way that everyone launching the portal with the alias portal/ext is assigned to the pcd:portal_content/every_user/general/lightDesktop.
   a) Logged on as portal user .A-##, choose System Administration → System Configuration → Portal Display → Desktops & Display Rules.
   b) Navigate to the master rule collection at pcd:portal_content/administrator/super_admin/main_rules by choosing Portal Content → Portal Administrators → Super Administrator → Master Rule Collection.
   c) Right-click it and choose Open → Rule Collection.
   d) Choose Add IF Expression.
   e) In the second field, choose URL alias from the dropdown list.
   f) In the third field, enter portal/ext.
   g) Choose Apply.
   h) Select the “THEN” statement below the first “IF” statement.
   i) In the Browse area to the left, navigate to the light desktop at pcd:portal_content/every_user/general/lightDesktop by choosing Portal Content → Portal Users → Standard Portal Users → Light Portal Desktop.
   j) Right-click this object and choose Add Portal Desktop to Expression.
   k) Choose Apply to apply these changes.
   l) When you are done, save the new master rule collection.
   m) In the Confirmation dialog box, choose OK.
   n) Log off the portal.
4. To test the settings, open a new web browser session (not only a new browser window) and launch the portal. Make sure that the URL ends with /irj/portal/ext.
   a) See exercise text. If you set up everything properly, you should:
      ● be logged on with the first user of the ume.login.guest_user.uniqueids parameter
      ● see the light version of the portal desktop
      ● be able to choose a portal language in the masthead.

Note: In the EP200 demo role, not much content is translated, so do not be surprised if the iView title or content does not change. You can restrict the set of available languages – for more information, search for Setting or Getting Available Languages in the SAP online documentation.


When launching the portal using the url-pattern /irj/portal/ext, users are assigned to the light version of the portal desktop.

Short URLs
Checking the short URLs setting (for example, for browser bookmarks)
1. Check if short URLs are enabled – if not, enable them.
   a) As portal user .A-##, log on to the portal.
   b) Choose System Administration → System Configuration → Runtime Settings → Short URLs.
   c) In the Use Short URLs field, choose True from the dropdown list.
   d) Choose Save.
2. To test the settings, open a new web browser session (not only a new browser window) and launch the portal. Make sure that the URL ends with /irj/portal/ext. Click on the Anonymous Role in the top-level navigation menu.
   a) If you set up everything properly, you should observe URLs which include a section similar to ?NavigationTarget=navurl://b3d6d9ebac16a46574d62757803b05d4. If you want, you can store any navigation path as a bookmark in your web browser.
When launching the portal with the light portal desktop, short URLs are generated instead of long navigation paths.


Related Information: Navigation Settings and Bandwidth Optimization
● Look & Feel, Framework Pages and Portal Navigation: SAP Community Network, Quick Link /docs/DOC-23058
● How-to Guide Configuring the J2EE Engine Deployment Descriptor: SAP Community Network, Quick Link /docs/DOC-16509
● How to Customize your Ajax Framework Page with SAP NetWeaver Portal 7.30: SAP Community Network, Quick Link /docs/DOC-16315
● SAP Note 916545: Central Note for External-Facing Portal (SAP NetWeaver Portal 7.0 SPS 15 and higher, 7.01, 7.02, 7.30 and 7.31)
● SAP Note 1538600: Defining Portal URL Aliases for SAP NetWeaver Portal 7.30


LESSON SUMMARY
You should now be able to:
● Describe key navigation features of web-like portals
● Configure navigation settings and bandwidth optimization


Unit 7 Lesson 2

Set Up a Federated Portal Network

LESSON OVERVIEW This lesson introduces the concept of a federated portal network (FPN) in general. Then the different ways of implementing an FPN are presented in detail. Note that the demo and exercises require two portal servers at minimum – it should be obvious that a federated portal network cannot be implemented with a single portal installation only. There are many good presentations (overview and details) on SAP Community Network, Quick Link /docs/DOC-23069 – maybe you want to show some of them? Some parts of this lesson were taken from SCN...

Business Example
A federated portal network (FPN) allows organizations with multiple portals, both SAP and non-SAP, to share content between the portals. By implementing a federated portal network and sharing content between portals, organizations can provide users at each location with a single portal access point. From each portal configured as an access point, the users are able to access information, services, and applications distributed on portals throughout the entire organizational network.

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe federated portal networks
● Describe the supported content sharing modes for a federated portal network
● Set up a federated portal network

Federated Portal Networks
The general idea of a portal is to integrate content centrally on a web-based platform. It serves as the central entry point for end users to find the information they require. However, in reality quite often various portals evolve in a company: different internal and external information sources and portals exist in parallel, often due to different owners of those systems. The end users have to know where they can find the specific information they need and how to find it. An FPN can provide an option to increase end user productivity by defining one central login portal that serves as an entry point for users to content that is spread over various portals.


Figure 138: Motivation for Multiple Portal Installations

With SAP NetWeaver 7.0, the FPN is available, which allows you to set up different portal landscapes.

Figure 139: Portal Landscapes

As in previous releases, an important landscape option is to create one central portal. All users connect to this portal and all content and connections to back-end systems are available there. If this architecture is possible and suits the organizational and technical requirements, it offers a lean setup and central administration. However, if this architecture does not serve the needs of the company, the federated portal network allows you to create more complex landscapes in which portals can share content. In a Content Federation, one consumer portal serves as the central access point for all end users in the company. The applications and connections to back-end systems are located on various autonomous producer portals, and users are redirected to these portals accordingly. These producer portals can have different owners. In a Portal Federation, the portals act as producers and consumers simultaneously. This might be useful, for example, after mergers and acquisitions where both companies already have an SAP Enterprise Portal in place. In order not to migrate all content to only one portal in the first place, both portals could coexist. The users can access the corresponding portals, and content relevant for both companies can be shared. Overall, the Federated Portal Network allows you to share content between portals. The content is deployed only once, but users from other portals can access this content as well. It is not about synchronizing portal content or transporting content to various instances.

Figure 140: Exemplified Landscape Comparison

In case you would like to decide for yourself, whether a federated portal network would be an appropriate portal landscape in your company, you should thoroughly evaluate the pros and cons of this solution. One central productive portal implementation of course causes a lot less administrative effort than a federated landscape with multiple portals that have to be monitored, administered, configured… However, a federated portal network can offer you some other benefits, which might make it desirable: You can have multiple portals exchanging content, which could run on different releases, SPS and service-level agreements. Moreover, business units can own autonomous portals and create content (the delegated content administration sometimes is too restricted for organizational requirements). Thus you should decide for yourself whether organizational or technical requirements demand a federated portal landscape or whether you should stay with one central portal.


Use Cases and Benefits of Federated Portal Networks

Figure 141: Use Case 1: Central Portal With Autonomous Portals for Business Units

In this use case business units can own autonomous portals. The content is integrated into a central consumer portal with the help of the tools provided by the Federated Portal Network (basically a kind of “enhanced URL redirect” takes place). The end users could access the central consumer portal and when trying to access remote content they are redirected accordingly in a seamless manner.

Figure 142: Use Case 2: Autonomous Portal Servers for Different Departments

In this use case, several consumer portals exist for different user groups. Central content is provided in one producer portal, thus this content does not have to be duplicated. The end users will access their business unit-specific portal and are redirected to the producer portal when accessing central content.


Figure 143: Use Case 3: Content Separation

This use case might support the following scenarios: If one producer portal includes only noncritical applications, it is quite unproblematic if this server incurs performance issues at certain times (for example, due to some home-grown applications that require an unexpected amount of memory under load). The critical applications are deployed onto another producer portal and thus will not be affected by downtimes on other producer portals. The consumer remains critical, since it might become a bottleneck if performance problems occur here – however, if only minimal content is maintained on the consumer portal, then this risk can be minimized. Thus, for the different consumer and producer portals, different internal service-level agreements (SLAs) could be set depending on the importance of the included content.

Figure 144: Use Case 4: BI Java Distributed Landscape

The new BI Java capabilities in SAP NetWeaver 7.0 require usage type Enterprise Portal. FPN offers tools with which you can integrate content coming from various “BI Java portals” into a central consumer portal.


Figure 145: Use Case 5: CE Portal as a Sidecar

This use case is only relevant for SAP NetWeaver 7.1 Composition Environment (CE) scenarios. The FPN tools can be used to integrate composition applications and according portal content into a consumer portal based on SAP NetWeaver 7.0. This will enable you to integrate the very latest state-of-the-art applications into a stable already established environment at customer sites.

Figure 146: Use Case 6: Interoperability With Non-SAP WSRP-Compliant Portals

The Web Service for Remote Portlets (WSRP) is a standard defined by the OASIS technical committees and allows you to share portlets from different vendors. Currently WSRP 1.0 is supported by SAP, and thus content from other vendors offering WSRP-compliant portlets could be integrated into an SAP Enterprise consumer portal.

Content Sharing Modes The Federated Portal Network supports three content sharing modes when discussing SAP NetWeaver – SAP NetWeaver Integration:


Figure 147: Content Sharing Modes

Remote Role Assignment (RRA)
Here you have the full content administration performed on the producer portal. You deploy applications, create iViews / pages / worksets / roles … on the producer and basically want to reuse the content as is on the central consumer portal. In the consumer, you then have no content administration effort at all, but you can assign the remote roles to users on this consumer portal directly. This is available since SAP NetWeaver 7.00.09 and can be performed through standard UME role assignment tools.

Remote Role Assignment (RRA) – Facts
● An SAP Enterprise portal producer can offer complete roles to an SAP Enterprise portal consumer.
● Role content is maintained on the producer.
● The navigation structure of the role is built on the consumer (top level navigation and detailed navigation).
● Role content is executed on the producer.
● The remote roles are assigned to the consumer users using the standard Role Assignment tools.
● Remote Role Assignment is ideal in cases where no changes to the provided content are required.
● Merging Remote Roles is possible.
● Available as of SAP NetWeaver 7.00.09.

Remote Delta Links (RDL)
With this content usage mode, portal content (such as iViews, pages …) from a producer portal can be reused, adjusted, and embedded into the local content offering of a consumer portal. You can browse the portal content directory (PCD) of the producer portal, copy the content and paste it as a delta link into the local PCD of the consumer portal. This mode is available since SAP NetWeaver 7.00.10.

Remote Delta Links (RDL) – Facts
● An SAP Enterprise portal producer can offer content from its location to be copied to a remote consumer.
● The consumer administrator can easily browse the PCD of the producer and copy required content to its local PCD.
● Copied content becomes local consumer content and can be reused, configured, and customized.
● It allows delta link synchronization of copied content. Any change on the producer object properties, which were not updated on the consumer, is synchronized and reflected during runtime.
● This is ideal for cases that require a combination of local and remote content within one role.
● Available as of SAP NetWeaver 7.00.10.

Remote Application Integration (RAI)
This new content sharing mode is available in SAP NetWeaver 7.00.13 for BI reports only. It is basically a contrary content usage mode to Remote Role Assignment. In RAI you do not have any content administration on the producer portal, but do the full content administration flow only through the central consumer portal. Thus you can create iViews on the consumer portal that are integrating BI reports from a remote producer portal. For future Enhancement Packages in NetWeaver SAP plans to increase the scope of this content usage mode to other applications.

Remote Application Integration (RAI) – Facts
● Only applications / reports running on the producer portal.
● All portal content is created and maintained on the consumer portal.
● Wizard-based creation of iViews linking to remote applications (Application Integrator-like behavior).
● Available as of SAP NetWeaver 7.00.13 for BI reports only. (Enhancements and more application types planned for later SPS.)

Comparison of Content Sharing Modes The traffic lights illustrate the effort and possibilities provided by the different content sharing modes and display the differences. All solutions are valuable for different use cases, but have certain administrative impacts you should be aware of.


Figure 148: Decision Matrix for Content Sharing Mode

The three content sharing modes Remote Role Assignment, Remote Delta Links, and Remote Application Integration might suit different business needs. The following approaches can exist:
● Bottom-up approach: Autonomous units create and maintain content on their own producer portals. They build fully configured roles, which should be integrated into a central consumer portal with only little central administration effort. This approach is supported by Remote Role Assignment.
● Top-down approach: Due to technical reasons, the central department decides to separate content to individual producer portals (especially BI reports are executed on a separate producer portal). The admin effort on the producer portals should be minimized, because the content is only deployed to the producer, but in the consumer portal you would like to do all content creation and maintenance. For this approach, Remote Application Integration would be the right choice (whereby you should note that currently only BI reports are supported; other applications are planned for future Enhancement Packages of SAP NetWeaver).
● Mixed scenarios: Autonomous portal content is created in a producer portal; however, this will be reused and adjusted on other consumer portals. Here Remote Delta Links are most likely to be suitable.

Depending on the necessary modification possibilities and the desired administration scenario, you should decide carefully which content sharing mode you would like to use. It should fit the overall administration concept of your federation, since the content sharing mode affects the administration effort required on consumer and producer portals. Moreover, your choice might be influenced by limitations that exist for individual content sharing modes (for details, see SAP Note 880482).

Web Service for Remote Portlets (WSRP) Content Sharing

In order to integrate standard-compliant content coming from non-SAP portals, a new iView template is available in the Portal Content Studio. Consuming and producing content is supported since SAP NetWeaver 7.00.09.

Web Service for Remote Portlets (WSRP) – Facts


Unit 7: Advanced Portal Scenarios

●  WSRP allows sharing of portlets (iViews) between SAP and non-SAP portals
●  Runtime execution of portlets remains on the WSRP producer
●  Consuming WSRP Content
   -  Any WSRP producer can offer portlets to an SAP NetWeaver consumer
   -  The SAP consumer can integrate remote portlets into local content as standard iViews
●  Producing WSRP Content
   -  Customers and partners are able to develop Java-based iViews and make them available for WSRP consumption
   -  The WSRP standard provides support for integration on a generic portlet level only
●  Available as of SAP NetWeaver 7.00.09.

Consuming WSRP-compliant content in an SAP Enterprise Portal is straightforward: you integrate the content from a non-SAP producer into your portal by selecting, in the iView Wizard, the portlets that you would like to consume in your SAP Enterprise Portal. The look and feel of the portlets is adjusted to the theme applied to the consumer portal.

Producing WSRP-compliant content is more complex: today the WSRP standard only supports sharing portlets (iViews), so pages, worksets, roles and so on cannot be shared. Moreover, because the standard is quite basic, currently only Java-based iViews (for example, Java Server Pages) can be exchanged. SAP-specific content like Web Dynpro Java/ABAP applications or applications leveraging Portal APIs cannot be shared, because they are unique to SAP and provide functionality that cannot be exposed through a standard, such as Object-Based Navigation, Client-Side Eventing, and Session Management. Thus SAP Business Packages cannot be consumed by non-SAP portals using WSRP.

Implementation of a Federated Portal Network

The next graphic illustrates the main implementation process for the IT Scenario Implementing a Federated Portal Network.

Figure 149: Process Steps for IT Scenario Implementing a FPN

Some of the IT process steps are covered in more detail in the following sections.


Caution: Not all steps mentioned in the online documentation are covered in this lesson of EP200; some of them are discussed in other lessons of the EP200 class. The online documentation contains detailed workflows describing which of the following (and more) steps you have to perform, depending on the content usage modes you want to implement.

User Persistence

For content sharing interactions between SAP Enterprise Portals in your federation network, users on the consumer portal must also exist in the user store utilized by the producer portal; otherwise runtime authorization for remote-based content will fail. The reason for this is that remote content is executed on the producer portal using the user's profile from the consumer.

Note: Content sharing between SAP Enterprise and non-SAP portals does not support user authentication; therefore, users on the consumer portal do not need to also exist in the user store on the producer portal.

Figure 150: Configuration Options for the User Persistence

A single user base can be realized in various ways using various hardware or software solutions. Some examples include the following:
●  Single user store: Using a single physical user store that serves all your portal installations.
●  Distributed user stores with exact duplication: Using two or more distributed user stores, typically one at each portal installation, which are exact replicas of one another.
●  Distributed user stores with partial duplication: Using two or more distributed user stores, typically one at each portal installation, whereby only portal users that are assigned to remote content are copied to the user store on the producer portal.


Note: Since the federated portal network makes use of logon tickets for authentication, the users' logon IDs must be identical on both the consumer portal and the producer portal. Therefore, if you are using user stores of different types within the network, for example LDAP on consumer and ABAP on producer, the logon IDs must be identical across the user bases.
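The following added example (not SAP code, not part of the course material) shows the check an administrator running the "partial duplication" option would want: which consumer users hold remote content, and whether each one has an identical logon ID in the producer's user store. All users, roles and assignments in it are constructed sample data.

```python
"""
Added example, not SAP code: a reconciliation check for the
"distributed user stores with partial duplication" option above. It lists
the consumer-portal users who hold remote content and verifies that each
one has an identical logon ID in the producer's user store, since the
producer runs remote content with the consumer user's profile and the
logon ticket carries the exact ID. All users, roles and assignments are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    logon_id: str
    problem: str      # "missing" or "id-mismatch"
    detail: str


def users_needing_producer_accounts(assignments, remote_roles):
    """Consumer users assigned at least one role whose content runs on the producer.

    assignments: {logon_id: set of role ids} on the consumer portal
    remote_roles: role ids served by the producer (RRA, RDL or RAI content)
    """
    remote = set(remote_roles)
    return {uid for uid, roles in assignments.items() if roles & remote}


def reconcile_user_stores(assignments, remote_roles, producer_logon_ids):
    """Return one Finding per consumer user whose remote content would fail at runtime.

    An exact match is required. A case-only difference (for example an LDAP
    store on the consumer and an ABAP store on the producer) is reported as
    "id-mismatch" rather than "missing" so the admin knows which to fix.
    """
    exact = set(producer_logon_ids)
    folded = {uid.casefold(): uid for uid in producer_logon_ids}
    findings = []
    for uid in sorted(users_needing_producer_accounts(assignments, remote_roles)):
        if uid in exact:
            continue
        near = folded.get(uid.casefold())
        if near is not None:
            findings.append(Finding(uid, "id-mismatch", f"producer has {near!r}"))
        else:
            findings.append(Finding(uid, "missing", "no account in producer user store"))
    return findings


# Constructed sample data; role labels are shortened, not real PCD ids.
REMOTE_ROLES = {"DEP/Role in remote System", "DEP/Group01 RDL role"}

CONSUMER_ASSIGNMENTS = {
    "EP200-A-01": {"DEP/Role in remote System", "QEP/content_admin"},
    "EP200-E-01": {"DEP/Role in remote System"},
    "EP200-E-02": {"QEP/everyone"},              # local content only: no producer account needed
    "ep200-e-03": {"DEP/Group01 RDL role"},      # exists on the producer, but as EP200-E-03
    "EP200-E-04": {"DEP/Role in remote System"}, # never copied to the producer store
}

PRODUCER_LOGON_IDS = {"EP200-A-01", "EP200-E-01", "EP200-E-03", "pcd_service"}


def run_sample():
    """Reconcile the constructed sample; returns the findings list."""
    return reconcile_user_stores(CONSUMER_ASSIGNMENTS, REMOTE_ROLES, PRODUCER_LOGON_IDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.logon_id}: {f.problem} ({f.detail})")
```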

Trust Between Producer and Consumer Portals

A trust must be established between the producer and consumer portal so that users on the consumer are recognized as authenticated users when they request content from the content producer. The following applies to:
●  remote role assignment
●  remote delta links
●  remote application integration
●  WSRP application sharing (between SAP Enterprise Portals only)

Figure 151: Set Up a Trust between Producer and Consumer Portal - Establish Trust as Part of the FPN Configuration


Figure 152: Set Up a Trust between Producer and Consumer Portal – Establish Trust via the NWA of the Producer Portal…

You have different options to set up a trust between the consumer portal and the producer portal:

SSO wizard based: The SSO wizard is available as an SAP NetWeaver Administrator application as of SAP NetWeaver 7.00.14. For older releases, see SAP Note 1083421. Within the SAP NetWeaver Administrator, choose Configuration → Security → Trusted Systems to launch the wizard. There are two options to establish the trust:
●  Adding a Trusted System by Connecting to it
●  Adding a Trusted System by Manually Uploading its Certificate

For SAP NetWeaver Administrator versions 7.00, 7.01, and 7.02 you may also set up the trust manually. To do so, perform the following steps:
1. On the consumer portal, navigate to System Administration → System Configuration → Keystore Administration.
2. In the Content tab, select the SAPLogonTicketKeypair-cert entry and choose Download verify.der File.
3. Save the ZIP file.
4. Extract the packed verify.der and transfer it to the producer portal.
5. On the producer portal, navigate to System Administration → System Configuration → Keystore Administration.
6. In the Import Trusted Certificate tab, click Browse.
7. Navigate to the consumer's verify.der and enter a unique Alias.
8. Choose Upload.
9. Launch the Visual Administrator tool on the producer portal.
10. Navigate to Server Node → Services → Security Provider → Runtime → Policy Configuration.
11. In the Components list, click Modify for the ticket component.


12. In the Authentication tab, choose the login module EvaluateTicketLoginModule.
13. Create the following parameters in the Options table:
    trusteddn1   Enter the distinguished name of the certificate owner (see Keystore Administration).
    trustediss1  Enter the distinguished name of the certificate issuer (see Keystore Administration).
    trustedsys1  Enter the system ID and client ID of the consumer portal in <system ID>,<client> format (for example, P7T,000). For AS Java based SAP systems, the client is determined by the value of the UME parameter login.ticket_client on the consumer portal (000 by default); see SAP Note 721815 for more information.

Note: If you have more than one consumer accessing content in your portal, define a new set of parameters in the login module for each consumer. For each set of parameters, increment the suffix in the parameter name. For example: trusteddn2, trustediss2, trustedsys2, and so on.
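As an added example (not SAP code, not part of the course material), the following script checks a login-module Options table of the kind built in steps 12 and 13, and adds the parameter set for one more consumer with the next suffix as the note describes. The option values and DN strings are constructed placeholders, and the format check for the trustedsys value is an assumption, not an SAP rule.

```python
"""
Added example, not SAP code: check the Options table of the
EvaluateTicketLoginModule set up in steps 12 and 13 above, and add the
parameter set for one more consumer as the note describes (trusteddnN /
trustedissN / trustedsysN, suffix N incremented per consumer). The option
values are constructed sample data; the DN strings are placeholders, and
the SID/client format check is an assumption, not an SAP rule.
"""
import re

_OPTION_RE = re.compile(r"^(trusteddn|trustediss|trustedsys)(\d+)$")
# Assumption: 3-character system ID and 3-digit client, e.g. P7T,000
_SYS_RE = re.compile(r"^[A-Z][A-Z0-9]{2},\d{3}$")
_KINDS = ("trusteddn", "trustediss", "trustedsys")


def parse_trust_sets(options):
    """Group the login-module options by suffix: {N: {kind: value}}."""
    sets = {}
    for name, value in options.items():
        m = _OPTION_RE.match(name)
        if m:
            sets.setdefault(int(m.group(2)), {})[m.group(1)] = value
    return sets


def validate_trust_options(options):
    """Return a list of problems; an empty list means every consumer entry is complete."""
    problems = []
    sets = parse_trust_sets(options)
    seen_sys = {}  # trustedsys value -> suffix that first used it
    for n in sorted(sets):
        entry = sets[n]
        for kind in _KINDS:
            if not entry.get(kind, "").strip():
                problems.append(f"{kind}{n} is missing or empty")
        sysid = entry.get("trustedsys", "").strip()
        if sysid:
            if not _SYS_RE.match(sysid):
                problems.append(f"trustedsys{n}={sysid!r} is not in <SID>,<client> form")
            if sysid in seen_sys:
                problems.append(f"trustedsys{n} duplicates trustedsys{seen_sys[sysid]}")
            else:
                seen_sys[sysid] = n
    # A gap in the suffixes (e.g. 1 and 3 but no 2) usually means a half-deleted consumer.
    if sorted(sets) != list(range(1, len(sets) + 1)):
        problems.append(f"suffixes {sorted(sets)} are not contiguous from 1")
    return problems


def add_trusted_consumer(options, owner_dn, issuer_dn, sid, client="000"):
    """Return a copy of the options with the next free suffix used for a new consumer.

    client defaults to 000, the default of the UME parameter login.ticket_client.
    """
    new = dict(options)
    n = max(parse_trust_sets(options), default=0) + 1
    new[f"trusteddn{n}"] = owner_dn
    new[f"trustediss{n}"] = issuer_dn
    new[f"trustedsys{n}"] = f"{sid},{client}"
    return new


# Constructed sample: one consumer (QEP) already trusted by the producer.
GOOD_OPTIONS = {
    "trusteddn1": "CN=QEP,OU=J2EE,O=Example,C=DE",   # placeholder DN
    "trustediss1": "CN=QEP,OU=J2EE,O=Example,C=DE",  # self-signed: issuer equals owner
    "trustedsys1": "QEP,000",
}

# Constructed sample of a broken table: gap in suffixes, empty issuer, malformed client.
BAD_OPTIONS = {
    "trusteddn1": "CN=QEP,OU=J2EE,O=Example,C=DE",
    "trustediss1": "CN=QEP,OU=J2EE,O=Example,C=DE",
    "trustedsys1": "QEP,000",
    "trusteddn3": "CN=DEP,OU=J2EE,O=Example,C=DE",
    "trustediss3": "",
    "trustedsys3": "DEP,0",
}

if __name__ == "__main__":
    for problem in validate_trust_options(BAD_OPTIONS):
        print("problem:", problem)
    extended = add_trusted_consumer(GOOD_OPTIONS, "CN=DEP,OU=J2EE,O=Example,C=DE",
                                    "CN=DEP,OU=J2EE,O=Example,C=DE", "DEP")
    print("after adding DEP:", validate_trust_options(extended) or "consistent")
```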

Management of Producers and Consumers

You can use the Producer Editor on the consumer portal to view and edit the connection properties to a producer portal. The connection properties enable a consumer portal to locate the WSDL file on the producer portal upon registration.
●  The connection properties for an SAP NetWeaver producer include its protocol, host name, and port number.
●  The connection properties for a non-SAP producer include a full URL to the producer's published WSDL file.

Figure 153: Managing Producers in the Consumer Portal

The main steps are:


1. On the consumer portal, choose System Administration → Federated Portal → SAP NetWeaver - FPN Connections → Manage My FPN Connections.
2. Create a new content producer object.
3. Check the alias name for the content producer.
4. Configure trust in case you have not done this previously.
5. Perform a connection test.
6. Register at the producer portal.

In the portal catalog, there are predefined areas (for example, NetWeaver Content Producers or WSRP Content Producers) you can use. As with other PCD objects, the producer may inherit the permissions assigned to its parent folder in the Portal Catalog.


Unit 7 Exercise 27

Set Up a Federated Portal Network

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Now you are in charge of setting up a Federated Portal Network between those two portals.

Add a Content Producer

Adding and registering a new content producer. In the virtual environment the instructor can demonstrate the producer steps and be the producer for all groups. All the participants would then be the consumers and perform the consumer steps.

Caution: For these exercises, it's very important to distinguish between the producer portal and the consumer portal. We recommend that you run this exercise in teams built of a producer portal group and a consumer portal group. For example, the development portal, DEP, could act as the producer portal and QEP as the consumer portal. This arrangement will be referred to throughout these exercises.

1. Log on to the consumer portal using portal user .A-##.
2. Enter your consumer portal settings.
3. Enter details of your FPN Connections.
4. (Optional) Check your changes in both the consumer and producer portals.


Unit 7 Solution 27

Set Up a Federated Portal Network

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Now you are in charge of setting up a Federated Portal Network between those two portals.

Add a Content Producer

Adding and registering a new content producer. In the virtual environment the instructor can demonstrate the producer steps and be the producer for all groups. All the participants would then be the consumers and perform the consumer steps.

Caution: For these exercises, it's very important to distinguish between the producer portal and the consumer portal. We recommend that you run this exercise in teams built of a producer portal group and a consumer portal group. For example, the development portal, DEP, could act as the producer portal and QEP as the consumer portal. This arrangement will be referred to throughout these exercises.

1. Log on to the consumer portal using portal user .A-##.
   a) Log on to the consumer portal using portal user .A-##.
2. Enter your consumer portal settings:
   a) Navigate to System Administration → Federated Portal → SAP NetWeaver - FPN Connections → Control Panel.
   b) Choose the Default Settings of my System tab.
   c) In the My HTTP/HTTPS Connection Settings area, in the Protocol field, choose HTTP from the dropdown list.
   d) In the Host Name field, enter the fully qualified host name of the consumer portal.
   e) In the Port field, enter the port number of the consumer portal.
   f) In the My RMI-P4 Connection Settings area, in the RMI-P4 Connection Method and Protocol field, select Connection string or single server (non-secure) from the dropdown list.


   g) In the RMI-P4 Host Name field, enter the fully qualified host name of the consumer portal.
   h) In the RMI-P4 Port field, enter the port number of the consumer portal and change the last digit to 4. For example, 54004 for QEP and 53004 for DEP.
   i) Choose Save.
   j) Choose the Connection Options tab.
   k) Select the Remote systems must enter a password to connect to your system check box.
   l) In the Password field, enter a password that remote systems must enter to connect to your system.
   m) Choose Save.
3. Enter details of your FPN Connections.
   a) Navigate to System Administration → Federated Portal → SAP NetWeaver - FPN Connections → Manage my FPN Connections.
   b) Choose New → FPN Connection.
   c) In the FPN Connection Name field, enter the value Producer.
   d) In the FPN Connection ID field, enter the SID of the producer portal.
   e) Choose Next.
   f) Validate your portal settings on the My System Settings screen.
   g) Choose Next.
   h) On the Remote System Settings tab, in the My HTTP/HTTPS Connection Settings area, in the Protocol field, choose HTTP from the dropdown list.
   i) In the Host Name field, enter the fully qualified host name of the producer portal.
   j) In the Port field, enter the port number of the producer portal.
   k) In the My RMI-P4 Connection Settings area, in the RMI-P4 Connection Method and Protocol field, select Connection string or single server (non-secure) from the dropdown list.
   l) In the RMI-P4 Host Name field, enter the host name of the producer portal.
   m) In the RMI-P4 Port field, enter the port of the producer portal and change the last digit to 4. For example, 53004 for a DEP producer and 54004 for a QEP producer.
   n) Choose Next.
   o) On the Trust Configuration screen, in the Trust Configuration field, select One-way trust: upload local certificate to remote system.
   p) Enter a user name and password for the producer portal.
   q) Choose Next.
   r) On the Test Connection screen, select the Access to Remote Systems check box.


   s) Choose Test.
   t) If there are no problems with the test, choose Next.
      Note: In case of connection errors, verify all of your settings. The connection test has to be passed before you continue.
   u) Choose Finish.
   v) Close the wizard. You should see your system in the list of FPN connections.
4. (Optional) Check your changes in both the consumer and producer portals.
   a) Log on to the producer portal as .A-##.
   b) Choose System Administration → Federated Portal → SAP NetWeaver - FPN Connections → Manage My FPN Connections. You will see an entry created by the wizard in the previous step.
   c) Log on to the consumer portal as .A-##.
   d) Navigate to Content Administration → Portal Content Management.
   e) Choose Remote FPN Producers. You can browse to content on the producer portal.


Unit 7 Exercise 28

Set Up a Federated Portal Network Using Remote Delta Links (RDL)

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Within the distributed portals “local” content (for example, iViews) has been created. Now these objects shall be used within the main portal with a minimum of effort.

Assigning an iView from the producer portal to the end user group. Note that we do not cover all aspects (for example, caching) – refer to the latest online documentation for details.

1. Log on to the consumer portal ## using portal user .A-##. For the Development team this is DEP, and for the Quality Assurance team it is QEP. Copy the iView, Current Cluster Node (default), from the producer portal and paste it into your PCD folder.


Unit 7 Solution 28

Set Up a Federated Portal Network Using Remote Delta Links (RDL)

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Within the distributed portals “local” content (for example, iViews) has been created. Now these objects shall be used within the main portal with a minimum of effort.

Assigning an iView from the producer portal to the end user group. Note that we do not cover all aspects (for example, caching) – refer to the latest online documentation for details.

1. Log on to the consumer portal ## using portal user .A-##. For the Development team this is DEP, and for the Quality Assurance team it is QEP. Copy the iView, Current Cluster Node (default), from the producer portal and paste it into your PCD folder.
   a) Log on to the consumer portal ## using portal user .A-##.
   b) Choose Content Administration → Portal Content Management → Remote FPN Producers → #EP → Portal Content → → Initial Content → iViews → Current Cluster Node (default).
      If you cannot see the iView, try refreshing with a right click, or navigate to System Administration → Federated Portal → SAP NetWeaver - FPN Connections → Control Panel → Cache and Content Synchronization. Under Clear Content Consumed by Remote Role Assignment, choose the Clear Cache button to refresh the local cache. Then navigate to Content Administration → Portal Content Management, right-click the Remote FPN Producers folder and choose Refresh. The iView should now be visible.
   c) Right-click the iView and choose Copy.
   d) Choose Portal Content Management → Portal Content → → Group##.
   e) Right-click the iViews folder and choose Paste as Local Content.
   f) Choose Finish. Take note of the icon in front of the iView, which indicates that the iView is linked to a federated portal.
   g) Right-click the iView and choose Preview.
      The iView launches in a new window and shows details of the producer portal, indicating that it is running on that portal, not on the consumer portal.


Unit 7 Exercise 29

Set Up a Federated Portal Network Using Remote Role Assignment (RRA)

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Within the distributed portals “local” content has been created and assigned to “local” roles. Now these objects shall be used within the main portal with a minimum of effort.

Granting UME permissions to the pcd_service user on the producer portal.

1. Log on to the producer portal ## using portal user .A-##.
2. Create a new freestyle role Role in remote System and add the Current Cluster Node (default) iView to the role as a delta link.
3. Create a UME role RemoteRoleAccess and assign the UME actions Remote_Producer_Read_Access and Remote_Producer_Write_Access to it. Assign this role to the pcd_service user.
4. Log on to the consumer portal using portal user .A-##.
5. Search for the role you created in the producer system and assign it to user .E-##.
6. In a new browser, log on to the consumer portal as portal user .E-##.


Unit 7 Solution 29

Set Up a Federated Portal Network Using Remote Role Assignment (RRA)

Business Example

In your global organization there are multiple SAP Enterprise Portal installations running – one for the headquarters, and further independent installations for each region. Within the distributed portals “local” content has been created and assigned to “local” roles. Now these objects shall be used within the main portal with a minimum of effort.

Granting UME permissions to the pcd_service user on the producer portal.

1. Log on to the producer portal ## using portal user .A-##.
2. Create a new freestyle role Role in remote System and add the Current Cluster Node (default) iView to the role as a delta link.
   a) Choose Content Administration → Portal Content Management → Portal Content → → Group##.
   b) Right-click the Roles folder and choose New → Role → Freestyle Role.
   c) On the Role Properties screen, in the Object Name field, enter Role in remote System. This is the of the producer portal, which is the system where the role is created.
   d) Choose Finish.
   e) On the What’s Next? screen, under Edit, choose Content and Structure.
   f) In the Role Content table, select the Entry Point checkbox.
   g) In the left pane, choose Portal Content → CourseID → Initial Content → iViews.
   h) Right-click the Current Cluster Node (default) iView and choose Add iView to Role → Delta Link.
   i) Save and close the role.
3. Create a UME role RemoteRoleAccess and assign the UME actions Remote_Producer_Read_Access and Remote_Producer_Write_Access to it. Assign this role to the pcd_service user.
   a) As portal user .A-##, navigate to User Administration → Identity Management.
   b) Switch to the Role view.
   c) Choose Create Role.
   d) On the General Information tab, enter RemoteRoleAccess## as Unique Name.


   e) Choose the Assigned Actions tab.
   f) Choose Modify.
   g) Search for Available Actions with the search term *remote*.
   h) Select the actions Remote_Producer_Read_Access and Remote_Producer_Write_Access.
   i) Choose Add.
   j) Choose the Assigned Users tab.
   k) Search for Available Users with the search term pcd*.
   l) Select the user pcd_service.
   m) Choose Add.
   n) Save the new role. The portal service user pcd_service on the producer portal ## now has the necessary permissions for RRA.
      Note: These permissions were introduced with SAP NetWeaver Portal 7.00.15.
4. Log on to the consumer portal using portal user .A-##.
5. Search for the role you created in the producer system and assign it to user .E-##.
   a) Choose User Administration → Identity Management.
   b) In the first of the Search Criteria fields, choose Role from the dropdown list.
   c) In the third of the Search Criteria fields, search for the role you created in the producer by entering appropriate search text from the role name, for example, the SID of the producer portal or *remote*.
   d) Choose Go. You can see the roles in the remote system.
   e) Select this role.
   f) Choose Modify.
   g) Choose the Assigned Users tab.
   h) In the Available Users area, search for the portal user .E-##.
   i) Select the user.
   j) Choose Add.
   k) Save your changes.
6. In a new browser, log on to the consumer portal as portal user .E-##.
   a) Log on to the consumer portal using portal user .E-##.


One of the work centers available to the .E-## user is Role in . This is the role definition from the producer portal.


LESSON SUMMARY

You should now be able to:
●  Describe federated portal networks
●  Describe the supported content sharing modes for a federated portal network
●  Set up a federated portal network


Unit 7 Learning Assessment

1. Which of the following are considered consistent with the assignment of “light content”?
   Choose the correct answers.
   A  Using page layouts with custom iView tray
   B  Using static content as much as possible
   C  Creating related links for iViews and pages
   D  Using client-side eventing

2. In which of the following content-sharing modes is the full content administration performed on the producer portal?
   Choose the correct answer.
   A  Remote Role Assignment (RRA)
   B  Remote Delta Links (RDL)
   C  Remote Application Integration (RAI)

3. Which of the following content-sharing modes is deemed most appropriate for a business case where autonomous portal content created in a producer portal will be reused and adjusted on other consumer portals?
   Choose the correct answer.
   A  Remote Role Assignment (RRA)
   B  Remote Delta Links (RDL)
   C  Remote Application Integration (RAI)

4. In your federation network, why must users on the consumer portal also exist in the user store utilized by the producer portal?


Unit 7 Learning Assessment - Answers

1. Which of the following are considered consistent with the assignment of “light content”?
   Choose the correct answers.
   A  Using page layouts with custom iView tray
   B  Using static content as much as possible
   C  Creating related links for iViews and pages
   D  Using client-side eventing

2. In which of the following content-sharing modes is the full content administration performed on the producer portal?
   Choose the correct answer.
   A  Remote Role Assignment (RRA)
   B  Remote Delta Links (RDL)
   C  Remote Application Integration (RAI)

3. Which of the following content-sharing modes is deemed most appropriate for a business case where autonomous portal content created in a producer portal will be reused and adjusted on other consumer portals?
   Choose the correct answer.
   A  Remote Role Assignment (RRA)
   B  Remote Delta Links (RDL)
   C  Remote Application Integration (RAI)

4. In your federation network, why must users on the consumer portal also exist in the user store utilized by the producer portal?
   If users on the consumer portal don't also exist in the user store utilized by the producer portal, runtime authorization for remote-based content will fail. The reason for this is that remote content is run on the producer portal using the user's profile from the consumer.
