Introduction
This document details the steps for setting up trusted authentication to enable SSO in Business Objects XI 3.1. This lets users log in directly to Infoview without entering login credentials. It is assumed that the user has successfully installed BO XI 3.1 and has deployed the files on the IIS web server (part of the standard install).
Environment Details:
OS : Windows 7 64 bit
Business Object Version: XI 3.1 FP 6
Web Server : IIS 7.5
Web Application Server : Tomcat 7
IIS server plugin: Apache Jakarta Isapi redirector 1.2.28
BO Installation path : C:\Business Objects 3.1
Step 1: Setting up Apache Jakarta Redirector
On successful install of Business Objects, the tomcat folder will be available in C:\Business Objects 3.1\Tomcat 7
Inside the Tomcat folder, create a folder named Connector with subfolders bin, conf and logs.
Download isapi_redirect-1.2.28.dll from
https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.28/amd64/
to the bin folder created above.
Rename the isapi_redirect-1.2.28.dll to isapi_redirect.dll
Download the tomcat-connectors-1.2.28-src.zip file from
https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.28/
Copy the workers.properties.minimal and uriworkermap.properties from the downloaded zip file to the conf folder under tomcat directory
Rename workers.properties.minimal to workers.properties in the conf folder and make the following change:
in the line worker.ajp13w.host=localhost, replace localhost with the server IP.
Save and close this file.
Open the uriworkermap.properties file and add the following entry
/*/*=wlb
i.e. uriworkermap.properties will then have the following entries:
/admin/*=wlb
/manager/*=wlb
/jsp-examples/*=wlb
/servlets-examples/*=wlb
/examples/*=wlb
/*/*=wlb
Save and close the file.
Once this is done, create a registry file (.reg) with the following entries:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect.dll"
"worker_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\conf\\workers.properties"
"log_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\logs\\isapi.log"
"worker_mount_file"="C:\\Business Objects 3.1\\Tomcat7\\Connector\\conf\\uriworkermap.properties"
"log_level"="DEBUG"
Save the file as Jakarta.reg, right click on this file and click Merge to add the entries to registry.
Step 2: Configuring Jakarta Virtual Directory on IIS 7.5
Open IIS manager (type IIS in the search box from Start, or run inetmgr). Right-click Default Web Site and click Add Virtual Directory. The alias is jakarta, and it should match the extension_uri registry entry made in the previous step. The physical path should point to the bin folder containing the isapi_redirect.dll file.
Next, with the jakarta folder selected, open Handler Mappings from IIS manager.
Once Handler Mappings is open, click the Edit Feature Permissions option in the right corner, select Read, Script and Execute for all checked items, and press OK.
Next, select Default Web Site and click ISAPI Filters in IIS manager. Click Add and give the filter name as Jakarta and the executable as the isapi_redirect.dll path.
Next, select the server name and click on ISAPI and CGI restrictions from IIS manager
Choose Add, then provide the path to isapi_redirect.dll. Give the description as jakarta. Check the box for Allow extension path to execute.
Click on Edit Feature Settings and select Allow Unspecified CGI Modules and Allow Unspecified ISAPI modules
Next, select the server name in IIS manager, right-click, choose Stop and then click Start.
Step 3: Configuring IIS 7.5 for Windows Authentication
Select the Default Web Site in IIS manager and click Authentication. Disable Anonymous Authentication and enable Windows Authentication. If Windows Authentication is not listed, follow the steps below:
- Open Control Panel, select Programs and Features and select Turn Windows features on or off
- In the popup window, select Internet Information Services, select World Wide Web Services, select Security and then select Windows Authentication
Windows Authentication will now be displayed in IIS manager.
Step 4: Configuring BO to use Trusted Authentication
- Log on to the Central Management Console with administrative rights.
- Go to the Authentication management area of the CMC.
- Double Click on the Enterprise link.
- Scroll down until you see Trusted Authentication.
- Click Trusted Authentication is enabled.
- Enter a string in the Shared Secret field.
- Click Update.
- Create a file called TrustedPrincipal.conf in C:\Business Objects 3.1\BusinessObjects Enterprise 12.0\win32_x86 (replace this location with your BO install location)
- Enter the following in this file
- SharedSecret=<string entered in the Shared Secret field in CMC - Enterprise authentication>, i.e. SharedSecret=1234 where 1234 is the string entered in CMC
Step 5: Modifying Infoview Web.xml for trusted authentication
Open the web.xml in C:\Business Objects 3.1\Tomcat7\webapps\InfoViewApp\WEB-INF
- Find this string in the file:
<param-name>cms.default</param-name>
- Enter the CMS name and port number in the cms.default <param-value> field. Use the format servername:portnumber
- Find this string in the file:
<param-name>sso.enabled</param-name>
- Change the <param-value> for sso.enabled from false to true.
<param-value>true</param-value>
- Find this string in the file:
<param-name>siteminder.enabled</param-name>
- Change the <param-value> for siteminder.enabled from true to false.
<param-value>false</param-value>
- Find this string in the file:
<param-name>trusted.auth.user.retrieval</param-name>
- Specify the <param-value> as follows:
<param-value>REMOTE_USER</param-value>
- Save and close the file
Verify that web.xml opens in IE without any issues. If there are issues, IE will throw an error; correct them before proceeding to the next step.
Step 6: Modifying Tomcat Server.xml for AJP 13 listener
Open the server.xml file from C:\Business Objects 3.1\Tomcat7\conf (replace C:\Business Objects 3.1 with your BO installation directory). Find “port 8009” in the file and add the following on the line after it:
<Connector port="8009" maxSpareThreads="25" maxThreads="250" minSpareThreads="5" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
After the changes, server.xml should look like this:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" maxSpareThreads="25" maxThreads="250" minSpareThreads="5" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
Save the file and restart Tomcat
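A quick way to check the Step 5 and Step 6 edits, as an added example that is not part of the original guide: it parses both files, confirms the web.xml values, and confirms there is exactly one AJP/1.3 connector on port 8009 with tomcatAuthentication="false" (the setting that makes Tomcat accept the user name IIS forwards, which REMOTE_USER relies on). The sample XML is constructed; its element layout and the bo-server:6400 value are assumptions.

```python
import xml.etree.ElementTree as ET

# Values Step 5 asks for; cms.default is site-specific, so only its format is checked.
EXPECTED = {"sso.enabled": "true", "siteminder.enabled": "false",
            "trusted.auth.user.retrieval": "REMOTE_USER"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop any XML namespace prefix

def read_params(web_xml):
    """Map every <param-name> to its sibling <param-value>."""
    params = {}
    for el in ET.fromstring(web_xml).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if "param-name" in kids:
            params[kids["param-name"]] = kids.get("param-value", "")
    return params

def check_web_xml(web_xml):
    try:
        params = read_params(web_xml)
    except ET.ParseError as exc:           # the well-formedness check done in IE
        return [f"web.xml is not well-formed: {exc}"]
    problems = [f"{k}: expected {v!r}, found {params.get(k)!r}"
                for k, v in EXPECTED.items() if params.get(k) != v]
    host, sep, port = params.get("cms.default", "").rpartition(":")
    if not (host and sep and port.isdigit()):
        problems.append("cms.default: expected servername:portnumber")
    return problems

def check_server_xml(server_xml):
    # Adding the new line without replacing the old one leaves two connectors.
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol") == "AJP/1.3" and c.get("port") == "8009"]
    if len(ajp) != 1:
        return [f"expected one AJP/1.3 connector on port 8009, found {len(ajp)}"]
    if ajp[0].get("tomcatAuthentication") != "false":
        return ['AJP connector: tomcatAuthentication must be "false"']
    return []

# Constructed samples (assumed layout): siteminder left on, old connector left in.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>cms.default</param-name><param-value>bo-server:6400</param-value></context-param>
  <context-param><param-name>sso.enabled</param-name><param-value>true</param-value></context-param>
  <context-param><param-name>siteminder.enabled</param-name><param-value>true</param-value></context-param>
  <context-param><param-name>trusted.auth.user.retrieval</param-name><param-value>REMOTE_USER</param-value></context-param>
</web-app>"""
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  <Connector port="8009" maxSpareThreads="25" maxThreads="250" minSpareThreads="5" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
</Service></Server>"""
```

To check a live install, pass the contents of the real web.xml and server.xml to check_web_xml and check_server_xml; an empty list means the settings match this guide.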
Step 7: Changing the Physical path for applications in IIS manager
Open IIS manager and select InfoViewApp, change the Physical path to point to C:\Business Objects 3.1\Tomcat7\webapps\InfoViewApp.
Similarly, for other applications in IIS manager, make sure the Physical path points to the ..\Tomcat 7\Webapps folders.
Restart IIS server
The above steps will enable BO XI 3.1 to use Trusted Authentication. To verify:
Go to http://localhost/InfoViewApp - This should open Infoview without asking for login credentials.