SAP Crypto & BusinessObjects Enterprise

Applies to:
BusinessObjects Enterprise XI Release 2 and 3.1
XI Release 2 and 3.1 Integration for SAP Solutions

Summary
The purpose of this document is to provide the reader with an understanding of how BusinessObjects utilizes Secure Network Communication (SNC). This document also provides instructions to set up SAP Crypto SNC in a BusinessObjects environment.

Author(s): Jeremy Shinall with contributions from Ingo Hilgefort, Gabriel De Lapparent and Sinisa Knezevic
Company: SAP
Created on: 9 October 2009 (v2); 12 August 2009 (v1)

Author Bio
Jeremy Shinall is a support consultant with SAP BusinessObjects. Jeremy has been with the BusinessObjects division since 2005.

SAP COMMUNITY NETWORK © 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Table of Contents

Introduction
SAP SNC
    What is SAP SNC?
    SAP Crypto
    SNC & BusinessObjects Enterprise
SAP Server Setup
    Library Files
    Profile Parameters
BusinessObjects Setup
    BusinessObjects Services
    Local SAP Crypto Libraries
    Local PSE Certificates
        Creation
        Exchanging Certificates
        Complete the Trust Relationship
        Configure User Access
    Adding SNC ACL Entry
Configuring SNC in the Central Management Console
    “SNC Options” Tab
    “Entitlement Systems” Tab
Setup Confirmation
Troubleshooting
    JCO Test
    RFC & CPIC Tracing
    SOFA Tracing
    SAP Gateway Monitor
    ABAP Dump Analysis
Related Content
Copyright

Introduction

The purpose of this document is to provide insight and information for customers that wish to implement SAP Crypto SNC technology in their BusinessObjects Enterprise deployments. This document is not meant to be a quick reference guide for installation or implementation. For the purposes of implementation and configuration, read the entire document to get a thorough understanding of all concepts related to implementing SAP Crypto with BusinessObjects Enterprise.

This document is NOT to be considered an authoritative source of information regarding SNC technology or the implementation and troubleshooting of SNC. SAP notes are used as references where applicable.

Additionally, this document assumes that all servers involved are Microsoft Windows-based. Any references to file names, file locations, environment variables, etc. will need to be modified to accommodate a Unix/Linux platform.

SAP SNC

What is SAP SNC?

SNC is a software layer in the SAP system architecture that provides an interface to external security products. SNC provides security at the application level. This means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) is guaranteed, regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners.

There are 3 methods for deploying SAP SNC: NTLMSSP, Kerberos and SAP Crypto. Here are the libraries used for each flavor of SNC. This document focuses on SAP Crypto only.

SAP Crypto

The SAP Crypto library provides an API to configure SNC connectivity from external applications with an SAP system configured for SNC authentication. The main principle behind SAP Crypto is a certificate trust relationship between servers.

Note: The SAP Crypto library is licensed for server side trust but not for client applications. It cannot be used to provide SNC communication via the SAP GUI or BusinessObjects Enterprise client tools (Designer, Webi Rich Client, etc.).

SNC & BusinessObjects Enterprise

The “Configuring SAP Server-Side Trust” chapter of the Installation and Administration Guide for the SAP Integration product describes SNC integration with BusinessObjects Enterprise in more detail. In short, the following summary should suffice:

- Encrypts communication channel between BusinessObjects and SAP servers.
- Provides user impersonation required for report viewing & processing (Web Intelligence, Crystal, etc.).

SAP Server Setup

Configuring SAP Crypto on your SAP Server is outside the scope of this document. However, it serves the interests of BusinessObjects customers to highlight some aspects of the SAP Server setup.

Library Files

The SNC setup on your SAP server starts with putting the SAP Crypto library on your SAP server. For both 32- and 64-bit versions of the SAP Crypto library, this file is sapcrypto.dll.

Profile Parameters

The following profile parameters (found using RZ10 transaction) are typical of an SAP server setup with SNC:

    Parameter                  Value
    snc/data_protection/max    3
    snc/data_protection/min    1
    snc/enable                 1
    snc/gssapi_lib             <full path to sapcrypto.dll>
    snc/identity/as            p:<SAP server’s DN>
    ssf/name                   SAPSECULIB
    ssf/ssfapi_lib             <full path to sapcrypto.dll>
    sec/libsapsecu             <full path to sapcrypto.dll>

BusinessObjects Setup

Before SNC can be configured on a BusinessObjects server, the following must be in place:

- SAP authentication has been configured in the CMC and proven to be working correctly (i.e. users can log on to BusinessObjects using SAP authentication).
- 32-bit SAP Crypto library has been downloaded from the SAP Service MarketPlace (http://service.sap.com/tcs).
  o Because the BusinessObjects services are 32-bit applications, the 32-bit SAP Crypto library must be implemented on the BusinessObjects server.

BusinessObjects Services

By default, the BusinessObjects services are configured to run as the LOCALSYSTEM account. This will have to be changed to accommodate an SNC setup. Here is a list of the services requiring this change:

- Crystal processing servers (Processing Tier)
- Web Intelligence processing servers (Processing Tier)

Note: Desktop Intelligence is not supported for use with SAP data sources.

Ideally, one user account would be used for all of the affected services. This user account does not have to be a domain account. The user account can be local to the BusinessObjects server.

Local SAP Crypto Libraries

This section will walk you through setting up the SAP Crypto libraries on your BusinessObjects server.

1. Create a directory to store the SAP Crypto libraries – for example, C:\sapcrypto.
   o The sapcrypto.dll and sapgenpse.exe files should be placed in this directory.
2. Create a sub-directory titled “sec”. The full path would be C:\sapcrypto\sec.
   o The ticket file should be placed in this directory.
3. Add the directory created in step 1 to the system PATH variable.

4. Create a system environment variable named SNC_LIB.
   o The value of this variable should be the full path of the sapcrypto.dll file – for example, C:\sapcrypto\sapcrypto.dll.
5. Create a system environment variable named SECUDIR.
   o The value of this variable should be the full path of the directory created in step 2.

The BusinessObjects services will have to be restarted before the environment variables in steps 4 & 5 will be utilized.

Local PSE Certificates

Creation

Each BusinessObjects server/deployment must have a PSE certificate in order to establish a trust with the SAP server. The following steps must be followed to create each PSE certificate:

1. Open a command prompt and navigate to the directory that contains sapgenpse.exe – for example, C:\sapcrypto.
2. Execute the following command:

       sapgenpse gen_pse -v -p <filename>.pse

   o Replace <filename> with an appropriate filename of your choosing. In this example, we will choose BOESERVER.pse.
   o You will be prompted for a PIN. Choose any PIN you desire. This PIN will be used in later steps.
   o When prompted for a Distinguished Name (DN), enter a DN of your choosing as long as it adheres to LDAP naming conventions. In this example, we will use CN=BOESERVER, OU=CA, O=SAP, C=US.

   This step creates the SAP Crypto equivalent of a “private key”. You will find this PSE file in the directory specified in the SECUDIR environment variable.
3. Execute the following command:

       sapgenpse export_own_cert -v -p BOESERVER.pse -o <filename>.crt

   o Replace <filename> with an appropriate filename of your choosing. In this example, we will choose BOESERVER.crt.

   This step creates the SAP Crypto equivalent of a “public key”. You will find this CRT file in the directory this command was executed from.

Exchanging Certificates

The next step in creating the trust relationship between the BusinessObjects server and the SAP server is to exchange public certificates between the systems. These steps should be performed for each CRT file created.

1. Log on to the SAP server using the SAP GUI application.
2. Run the STRUST transaction.
   o Expand the “SNC (SAPCryptolib)” item.

   o Double-click the server entry and enter the password when prompted.
3. In the “Certificate” section, click the “Import Certificate” button.
   o Select the CRT that you created.
   o Select the “Base64” radio button.
   o Click the green checkmark to continue.
   o The details of your public certificate will now appear in the “Certificate” section.

4. Click the “Add to Certificate List” button.
5. Double-click the DN in the “Own Certificate” section.
   o The SAP server’s certificate details will now appear in the “Certificate” section.
6. Click the “Export Certificate” button to export the SAP server’s public certificate.
   o Select the “Base64” radio button.
   o Specify a filename and location to save the certificate to – for example, C:\sapcrypto\SAPserver.crt.
   o Click the green checkmark to continue.
7. Click the “Save” icon in the Trust Manager (STRUST) & exit the STRUST transaction.

Complete the Trust Relationship

At this point, the SAP server is aware of the BusinessObjects server. However, we have one more step before the BusinessObjects server is aware of the SAP server and the trust relationship is completed.

1. Open a command prompt:
   o Navigate to the directory that contains the SAP server public certificate.
2. Execute the following command:

       sapgenpse maintain_pk -v -a SAPserver.crt -p BOESERVER.pse

At this point, the SAP server and BusinessObjects server are aware of and trust each other.

Configure User Access

As the SAP Crypto equivalent of a private key, the PSE file is secured by a PIN. However, the BusinessObjects services are not capable of responding to such a prompt. So, we must associate the username running the BusinessObjects services with the PSE file.

1. Log on to the BusinessObjects server as the user running the BusinessObjects services.
2. Open a command prompt and navigate to the directory containing sapgenpse.exe.
3. Execute the following command:

       sapgenpse seclogin -p BOESERVER.pse

   o When prompted, enter the PIN you created for this PSE file.

Note: If you are unable to log on to the BusinessObjects server as the username running the BusinessObjects services, you can execute this command:

    sapgenpse seclogin -p BOESERVER.pse -O <username>

To confirm that the user can now access the PSE file without providing a PIN, try the following commands:

    sapgenpse get_my_name -p BOESERVER.pse

   o This will display the details of the PSE file selected.

    sapgenpse maintain_pk -l -p BOESERVER.pse

   o This will display all of the SAP server certificates that have been added to the PSE file.

If either of these commands prompts you for a PIN, the username executing the commands has not been associated with the PSE file.

Adding SNC ACL Entry

Now that the trust relationship has been completed, we must configure the actions that the BusinessObjects services will be allowed to perform. This is done by adding entries to the SNC Access Control List (ACL) on the SAP server.

1. Log on to the SAP server using the SAP GUI application.
2. Run the SNC0 transaction.
3. Click the “New Entries” button on the toolbar.
4. Fill out the new entry using the following as guidance:
   a. System ID – Description of entry
   b. SNC Name – DN from PSE file, prefixed by “p:”
      i. For example: p: CN=BOESERVER, OU=CA, O=SAP, C=US
   c. Entry for RFC activated – checked
   d. Entry for CPIC activated – checked or unchecked (optional)
   e. Entry for DIAG activated – checked or unchecked (optional)
   f. Entry for certificate activated – checked or unchecked (optional)
   g. Entry for ext. ID activated – checked
5. Save the new entry by clicking the “Save” icon.

If the SNC Name field was entered correctly, you will see “Canonical Name Determined” in the entry after saving.
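The following preflight check covers the BusinessObjects-side layout from “Local SAP Crypto Libraries”: SNC_LIB, SECUDIR, the PATH entry, and the requirement that the library be the 32-bit build. It is an added example, not part of the original guide or of any SAP tool; the function names are hypothetical, the bitness test reads the Machine field of the PE header, and the contents of the PSE file are not validated.

```python
import os
import struct

X86, X64 = 0x014C, 0x8664   # COFF Machine values for 32-bit and 64-bit Intel images


def pe_machine(data):
    """Return the COFF Machine field of a PE image header, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew: offset of "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("PE signature not found")
    return struct.unpack_from("<H", data, pe_off + 4)[0]


def check_snc_layout(env):
    """Return findings for the SNC_LIB / SECUDIR / PATH layout; [] means none found."""
    findings = []
    snc_lib, secudir = env.get("SNC_LIB", ""), env.get("SECUDIR", "")
    if not snc_lib:
        findings.append("SNC_LIB is not set")
    elif not os.path.isfile(snc_lib):
        findings.append("SNC_LIB does not point to a file: " + snc_lib)
    else:
        with open(snc_lib, "rb") as fh:
            header = fh.read(4096)
        try:
            machine = pe_machine(header)
        except ValueError as exc:
            findings.append("SNC_LIB is not a PE library (%s)" % exc)
        else:
            if machine == X64:
                findings.append("SNC_LIB is a 64-bit image; the services need the 32-bit library")
            elif machine != X86:
                findings.append("SNC_LIB has unexpected machine type 0x%04x" % machine)
        # Step 3 of the guide: the library directory must be on the system PATH.
        lib_dir = os.path.normcase(os.path.abspath(os.path.dirname(snc_lib)))
        on_path = [os.path.normcase(os.path.abspath(p))
                   for p in env.get("PATH", "").split(os.pathsep) if p]
        if lib_dir not in on_path:
            findings.append("directory of SNC_LIB is not on PATH")
    if not secudir:
        findings.append("SECUDIR is not set")
    elif not os.path.isdir(secudir):
        findings.append("SECUDIR is not a directory: " + secudir)
    elif not any(n.lower().endswith(".pse") for n in os.listdir(secudir)):
        findings.append("no .pse file found in SECUDIR")
    return findings


def build_sample(root, machine):
    """Constructed sample: <root>/sapcrypto laid out as in the guide, with a stub DLL header."""
    lib_dir = os.path.join(root, "sapcrypto")
    sec_dir = os.path.join(lib_dir, "sec")
    os.makedirs(sec_dir, exist_ok=True)
    stub = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine))
    with open(os.path.join(lib_dir, "sapcrypto.dll"), "wb") as fh:
        fh.write(stub)
    open(os.path.join(sec_dir, "BOESERVER.pse"), "wb").close()
    return {"SNC_LIB": os.path.join(lib_dir, "sapcrypto.dll"),
            "SECUDIR": sec_dir, "PATH": lib_dir}


if __name__ == "__main__":
    # Run as the account that runs the BusinessObjects services.
    for line in check_snc_layout(dict(os.environ)) or ["layout matches the guide"]:
        print(line)
```

Run it under the service account after restarting the services, since that is the environment the processing servers actually see.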

NOTE: At this point, your SAP Crypto setup is ready for implementation within BusinessObjects.

Configuring SNC in the Central Management Console

Now that the SAP Crypto foundation has been set, the SNC options can be configured under SAP Authentication in the CMC.

“SNC Options” Tab

1. Select the appropriate logical system from the dropdown menu.
2. Under Basic settings:
   o Check the “Enable Secure Network Communication [SNC]” checkbox.
   o The “Disallow insecure incoming RFC connections” checkbox can also be selected. However, it may be best to leave it unchecked until the rest of this configuration is completed.
3. Under SNC library settings:
   o In the "SNC library path" field, enter the full path of the sapcrypto.dll file on the BusinessObjects server.
     Note: This will correspond to the value of the SNC_LIB environment variable on the BusinessObjects server.
   o For the “Quality of Protection” option, select the “Authentication” radio button.
4. Under Mutual authentication settings:
   o In the “SNC name of SAP system:” field, enter the SNC name of the SAP server, prefixed by “p:”. For example – p:CN=T25, OU=CA, O=BOBJ, C=CA.
5. Under Trust Settings:
   o In the “SNC name of the Enterprise system:” field, enter the SNC name created for BusinessObjects Enterprise, prefixed by “p:”. For example – p:CN=BOESERVER, OU=CA, O=SAP, C=US.
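The same SNC names are typed into three places: the SNC0 ACL entry, and the two CMC fields above. The following cross-check compares each entry with its source (the DN chosen for the PSE and the SAP server's snc/identity/as value). It is an added example, not part of the original guide; the function names and sample values are constructed, and it assumes that blanks around “:”, “,” and “=” and the case of attribute types are not significant, while values are compared exactly. It is a sanity check before entry, not SAP's own canonical-name determination.

```python
import re

# attribute=value with optional surrounding blanks, e.g. " OU = CA "
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S(?:.*\S)?)\s*$")


def parse_snc_name(name):
    """Return the RDN list of an SNC name such as 'p:CN=BOESERVER, OU=CA, O=SAP, C=US'."""
    prefix, sep, dn = name.strip().partition(":")
    if sep != ":" or prefix != "p":
        raise ValueError('missing "p:" prefix')
    rdns = []
    for part in dn.split(","):          # assumption: no escaped commas inside values
        m = _RDN.match(part)
        if m is None:
            raise ValueError("not attribute=value: %r" % part.strip())
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def cross_check(pse_dn, acl_snc_name, cmc_enterprise_name, cmc_sap_name, sap_identity):
    """Compare the SNC names entered in SNC0 and the CMC with the values they must match."""
    expected = {
        "SNC0 'SNC Name'": (acl_snc_name, "p:" + pse_dn),
        "CMC 'SNC name of the Enterprise system'": (cmc_enterprise_name, "p:" + pse_dn),
        "CMC 'SNC name of SAP system'": (cmc_sap_name, sap_identity),
    }
    issues = []
    for field, (entered, wanted) in expected.items():
        try:
            if parse_snc_name(entered) != parse_snc_name(wanted):
                issues.append("%s: %r does not match %r" % (field, entered, wanted))
        except ValueError as exc:
            issues.append("%s: %s" % (field, exc))
    return issues


# Constructed sample values, reusing the example names from this guide.
SAMPLE = dict(
    pse_dn="CN=BOESERVER, OU=CA, O=SAP, C=US",              # DN given to sapgenpse gen_pse
    acl_snc_name="p: CN=BOESERVER, OU=CA, O=SAP, C=US",     # SNC0 entry
    cmc_enterprise_name="p:CN=BOESERVER, OU=CA, O=SAP, C=US",
    cmc_sap_name="p:CN=T25, OU=CA, O=BOBJ, C=CA",
    sap_identity="p:CN=T25, OU=CA, O=BOBJ, C=CA",           # snc/identity/as on the SAP server
)

if __name__ == "__main__":
    print(cross_check(**SAMPLE) or "SNC names are consistent")
```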

“Entitlement Systems” Tab

After enabling SNC on the “SNC Settings” tab, a new field titled SNC Name will be visible on the “Entitlement Systems” tab. You may leave this field blank and continue to use the existing username and password.

Setup Confirmation

To confirm that the server-side trust is configured correctly, you must perform an action that would invoke the user impersonation. The most popular method is to refresh a Web Intelligence document whose underlying universe connection is configured to use the “Use Single Sign On when refreshing reports at view time” authentication method.

Troubleshooting

JCO Test

Connection to the SAP system can be tested outside of the BusinessObjects product using the JCO. The following command should be executed from the command-line:

    java -classpath <full path to sapjco.jar> com.sap.mw.jco.support.JRfcTest

1. Select ‘2’ for Connection Test
2. Select ‘3’ for R/3 connectivity

The rest of the options can be customized to fit the situation. To test SNC connectivity, make sure to choose ‘Y’ at the “Working with SNC” prompt.

RFC & CPIC Tracing

The SAP libraries on the BusinessObjects server allow RFC and CPIC traces to be collected in order to examine the communication between the BusinessObjects and SAP servers. Please see the following SAP Notes:

- RFC Traces – 1342398
- CPIC Traces – 1342389

SOFA Tracing

When processing reports based on SAP data sources, most BusinessObjects services use the SOFA protocol. SOFA tracing can be useful to determine why a report is failing. Create a text file and save it as “trace.reg” with the following content:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Asserts]
    "Model"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log]
    "OverWrite"="No"
    "AppendPID"="Yes"
    "LogFile"="C:\\sofa.log"
    "LogFormat"="%T ThreadID<%i> %X : %m"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\APIMODULE]
    "Verbosity"=dword:00000000
    "Timer Threshold"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\APIMODULE\Components\INFO]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ASSERTION]
    "Verbosity"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\COMMONMODULE]
    "Verbosity"=dword:0000000a

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ESSBASEMODULE]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\INTERFACE]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\JNIMODULE]
    "Verbosity"=dword:00000005
    "Timer Threshold"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\JNIMODULE\Components\INFO]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\MEMORY]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\OCAMODULE]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOMODULE]
    "Verbosity"=dword:00000004
    "MDX Query Log"="C:\\mdx_odbo_query.log"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOPROVIDERMODULE]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ODBOSHAREDUTILITIES]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\ORACLEMODULE]
    "Verbosity"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\SAPMODULE]
    "Verbosity"=dword:0000000a
    "MDX Query Log"="C:\\mdx_sap_query.log"
    "MDX Query Clock"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\MDA\Log\Modules\UTILITIES]
    "Verbosity"=dword:00000000

After saving this trace.reg file, double-click it to merge the settings into the Windows registry. After restarting your BusinessObjects services, SOFA tracing will be enabled and the corresponding log files will be created when SOFA communication is initiated by the BusinessObjects services (i.e. a report is processed).

SAP Gateway Monitor

The SMGW transaction can be used to examine communication with your SAP system's gateway:

- Monitor active connections to the SAP Server.
- Generate a trace log to capture the RFC connection details.

It is recommended that you ask the assistance of your SAP system administrators to gather Gateway Monitor logs. However, here is some general guidance:

As connections are made to the server you will see the new connections listed in the main monitor page. The “Details” button will display the connection’s current status details.

The tracing detail level can be adjusted using the “GoTo > Trace > Gateway” sub-menu items.

Note: Increased tracing details can introduce performance issues on your SAP system. Please use wisely.

The “Display File” button will display the trace log for connections.

ABAP Dump Analysis

The ST22 transaction provides another source of troubleshooting information. As with the SMGW transaction, it is recommended that you engage your SAP system administrators for assistance.

Related Content

SAP Note 662340
SAP Note 1342435
SAP Note 1342398
SAP Note 1342389

Copyright

© Copyright 2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
