Portal application development using Websphere Portlet Factory


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Portal application development using Websphere Portlet Factory

  1. 1. IBM WebSphere Portal Integrator for SAPIntroductionThis article describes the setup of a simple scenario of the IBM WebSphere Portal Integratorfor SAP to give you a quick start. It uses the standard page structure as it is created duringinstall of the package.Note: This is not the product documentation and comes as-is without warranty. It is anexample and may not configure everything. Especially this does not handle sessionalignment.Hostnames used in the scenarioSAP NetWeaver Portal 7.3 sapportal IBM WebSphere Portal (CF6) on ibmportal Linux, standaloneInstall base of IBM Portal: /opt/WebSpherePackagesPackage name Install locationSolution installer /tmp/SolutionInstaller.zipSAP integration /tmp/sap_integration.paaDownload packages from the catalog:https://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xspInstalling & Setup of Solution InstallerFollow the guidance in the Solution installer package:– set WAS administrator and Portal administrator passwords to wp_profile/ConfigEngine/properties/wkplc.properties (e.g. using vi)– Unzip SolutionInstaller.zip to /opt/tmp– Add wp_profile path to settings.properties (e.g. using vi)– verify UNIX EOL characters by executing “dos2unix -b install-SolutionInstaller.sh”– set run permissions “chmod 755 SolutionInstaller.sh”– run install script: “/opt/tmp/SolutionInstaller/commands/linux # ./install-SolutionInstaller.sh”– setup SolutionInstaller: – change to ConfigEngine directory: wp_profile/ConfigEngine – run “./ConfigEngine.sh si-setup” – Verify that the output prints “BUILD SUCCESSFUL”Installing IBM WebSphere Portal Integrator For SAP– Start IBM Portal © IBM, 2011 1
  2. 2. IBM WebSphere Portal Integrator for SAP– Install PAA: by running “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh install-paa -DPAALocation=/tmp/sap_integration.paa”– Verify that the output prints “BUILD SUCCESSFUL”– Deploy PAA by running: “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh deploy-paa -DappName=sap_integration”– Verify that the output prints “BUILD SUCCESSFUL”Configuring the AjaxProxy– create the AjaxProxy configuration file to allow GET connections to SAP Portal and allow BasicAuthentication on these connections. In this scenario we store it to /tmp/proxy- config-sap.xml<?xml version="1.0" encoding="UTF-8"?><proxy:proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:proxy="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0"> <proxy:mapping contextpath="/proxy" url="*"/> <proxy:mapping contextpath="/myproxy" url="*"/> <proxy:mapping contextpath="/common_proxy" url="*"/> <proxy:policy url="http://sapportal.boeblingen.de.ibm.com:50000/*" acf="none" basic-auth-support="true"> <proxy:actions> <proxy:method>GET</proxy:method> <proxy:method>HEAD</proxy:method> </proxy:actions> <proxy:cookies> <proxy:cookie>MYSAPSSO2</proxy:cookie> </proxy:cookies> <proxy:headers> <proxy:header>User-Agent</proxy:header> <proxy:header>Accept*</proxy:header> <proxy:header>Content*</proxy:header> <proxy:header>Authorization*</proxy:header> <proxy:header>set-cookie</proxy:header> </proxy:headers> </proxy:policy> <proxy:meta-data> <proxy:name>socket-timeout</proxy:name> <proxy:value>60000</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>retries</proxy:name> <proxy:value>1</proxy:value> </proxy:meta-data> © IBM, 2011 2
  3. 3. IBM WebSphere Portal Integrator for SAP <proxy:meta-data> <proxy:name>max-connections-per-host</proxy:name> <proxy:value>5</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>max-total-connections</proxy:name> <proxy:value>100</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>forward-credentials-from-vault</proxy:name> <proxy:value>true</proxy:value> </proxy:meta-data></proxy:proxy-rules>– Check in the configuration file file for AjaxProxy by running “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh checkin-wp-proxy-config -DproxyConfigFileName=/tmp/proxy-config-sap.xml”– Verify that the output prints “BUILD SUCCESSFUL”Finishing installationRestart IBM Portal to finish the installation.Seting up ivew integration– Navigate to “Applications”, “IBM WebSphere Portal Integrator for SAP”, “iView”– Open the “Edit shared settings” dialog of the portlet by clicking the small arrow in the upper right corner of the portlet and choosing the relevant menu entry.– Create a a non-shared Credential Vault slot which will later be used to store the users SAP credentials. Note: In our setup we use the same slot later for the navigation integration as well. But one could decide to use different slots. – Add the name “SAPIntegrationCV” to the field “Slot ID” – Click the button “Create Credential slot”– Before using the slot you now need to restart IBM Portal.– Add a Content URL of SAP Portal to be displayed in the portlet. Ask your SAP Portal administrator for this URL. We want to display the “Universal work list” which in our environment is this URL: http://sapportal.boeblingen.de.ibm.com:50000/irj/portal/interop? NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29– In this scenario we will later configure the navigational integration to pass the SAP SSO token to the users browser. So we would not need to set a Credential Vault slot in this dialog or to add the parameter “sap.SSOTokenDomain”, we would be done already. But for demonstration purposes we will do and later re-configure the portlet. © IBM, 2011 3
  4. 4. IBM WebSphere Portal Integrator for SAP– Select the Credential vault slot to be used to connect to SAP Portal. Select “SAPIntegrationCV” from the drop down box. If we would have not created the Credential Vault slot before, we could now add a name to the text filed and use the drop down entry to use the text field content. This would mean we can configure the portlet even before having a Credential Vault slot, but we still would need to create the slot before using the portlet.– For testing purposes we are adding the SSO domain “.ibm.com” to the field SAP SSP Domain. This makes the portlet pass the SAP Portal SSO cookie to the users browser. We will later configure the navigational integration as well and make it pass the cookie. Then we will remove the SSO domain here from the portlet as we do not need it anymore. If we would use the portlet only and use the SSO Domain here, we would also need to add the integration LogoutFilter now.– The SAP Portal SSO cookie is not being renamed in our instance of SAP Portal, so we do not set a value to the field “SAP SSO cookie name”, to stay to the default.– Click the button “Save parameters”.– Click the link “Done”.– Now an error is shown because our Credential Vault slot to be used does not hold Credentials for the current user already. For this we go to the “Personalize” dialog by clicking the small arrow in the upper right corner of the portlet and choosing the relevant menu entry.– Add the SAP user ID to the field “User ID” and the password to “Password”. Confirm the password by re-entering in “Confirm Password”.– Click the button “Save”– Click the link “Done”Now the portlet shows the SAP Portal resource you entered the URL for: © IBM, 2011 4
  5. 5. IBM WebSphere Portal Integrator for SAPSetting up navigation integrationThe navigation is included later as child pages of the label “SAP navigation”. All parametersfor connections to the SAP Portal are to be stored as page parameters of that label. Note thatthese parameters are more or less the same as for the portlet, but to configured here as wellto separate both integrations. If you want to share parameters you can do so by using theConfigService extension. See the documentation for that.– Use Portal Administration “Manage Pages” to navigate to “Applications”, “IBM WebSphere © IBM, 2011 5
  6. 6. IBM WebSphere Portal Integrator for SAP Portal Integrator for SAP”– Click “Edit page properties” for the label “SAP Navigation”– Click “Advanced parameters”, “I want to set parameters”– For our environment we add/change following parameters (for a description see the documention):sap.BaseUri http://sapportal.boeblingen.de Base Portal URI including .ibm.com:50000 portsap.CredentialSlotId SAPIntegrationCV Credential Vault slot holding the SAP credentials. We created the slot during portlet setup.sap.SSOTokenUrl http://sapportal.boeblinge Used to force an n.de.ibm.com:50000/irj/por authentication challenge to tal/interop? NavigationTarget=navurl:// get the SSO token b8820e07de4b98a23cbedc5c27 5bcc29sap.SSOTokenDomain .ibm.com SSO Domain to be used to pass the SAP Portal SSO cookie to the users browsers. Leave out if you do not want the browsers to be authenticated automatically.– Click button “Done”– Click button “OK”.– Log out of IBM Portal.– When logging back in the SAP Portal navigation is integrated: © IBM, 2011 6
  7. 7. IBM WebSphere Portal Integrator for SAP– Now add the Login- and Logoutfilter to pass the SAP Portal SSO cookie to the users browsers: – Log in to the IBM WebSphere Application server administration console – Navigate to “Recource Environment Providers” , “WP AuthenticationService”, “Custom properties”. – Add the Login- and LogoutFlter – Click “Save” and log out – Restart IBM Portal to get the filters effective. – Now if you click a integrated navigation link the SAP Portal page is displayed without an authentication challenge: © IBM, 2011 7
  8. 8. IBM WebSphere Portal Integrator for SAPSet access to appropriate audienceAs we do not want non-SAP users to access the SAP integration for security and performancereasons, we limit the access rights to the group “sap_users” which in our scenario allappropriate users are a member of.For the page “IBM WebSphere Portal Integrator for SAP” we set this group to the role “User”.Therefore we remove the “Allow inheritance” for the role “User” and click “Apply”: © IBM, 2011 8
  9. 9. IBM WebSphere Portal Integrator for SAPClick “Edit” for the role “User” and add the group “sap_user”:Go back to the roles overview and click “Apply” to save the changes. Then click “Done”. Nowonly for members of the group “sap_user” the navigation will be retrieved on login.As the access level is inherited from here to our sub-pages we do not need to set somethingspecial for the integration label. “User” is sufficient. For the portlet and the page where theportlet is placed on the user needs to be “Privileged user” so the user is allowed to enter © IBM, 2011 9
  10. 10. IBM WebSphere Portal Integrator for SAPcredentials. If we would use a shared Credential vault slot for all users, we could stay with therole “User” instead.For the page “iView” remove the “Allow inheritance” for the role “User” and click “Apply”:Click “Edit” for the role “Privileged User” and add the group “sap_user”: © IBM, 2011 10
  11. 11. IBM WebSphere Portal Integrator for SAPGo back to the roles overview and click “Apply” to save the changes. Then click “Done”.Now you need to configure access rights to the portlet application. Go to “PortletManagement”, “Applications” and click the small button holding a key for the application“sap.portal.integrator.war”. Click “Edit” for the role “Privileged user” and add the group“sap_users”:Go back to the roles overview and click “Apply” to save the changes. Then click “Done”. © IBM, 2011 11
  12. 12. IBM WebSphere Portal Integrator for SAPRemoving Token domain from portletThe LoginFilter is passing the SAP Portal SSO cookie to the users browser. So in thisscenario here we do not need the portlet passing the token as well. It was just configured fordemonstration purposes. For a re-configuration open the “Edit Shared Settings” mode of theportlet and click “Clear parameters”. Now configure the portlet by adding the Content URL,but leave out the Credential Vault slot and the SSO Token Domain. Click “Save parameters”.Testing with another userFor test purposes our group “sap_user” has a member called “sap_user_1”. Log out with theadministrator user and log back in with that test user. In the integration portlet enter the mode“Personalize” and enter the users SAP Portal credentials.Now log out and log back in. The integration shows another navigation structure – but only ifthe user has other Access Rights in SAP Portal than the user before.FinishingAccording to your needs you may want to move the integration label to another place withinIBM WebSphere Portal. You can do so by using the administration dialog “Manage Pages” orby using XMLAccess. After that you may need to restart for caches to be cleared, dependingon your caching scenario.Also you may want to place multiple instances of the integration portlet on different pagesshowing other SAP Portal content within IBM WebSphere Portal. If you do so you may want tothink about moving some configuration parameter values to the WP ConfigService. See theportal documentation for this.Depending on your scenario you also may want to separate the access rights between thenavigation and the portlet(s). Use the access control configuration as we have shown in thisarticle. © IBM, 2011 12