More Related Content
Similar to IBM WebSphere Portal Integrator for SAP - Escenario de ejemplo. (20)
IBM WebSphere Portal Integrator for SAP - Escenario de ejemplo.
- 1. IBM WebSphere Portal Integrator for SAP
Introduction
This article describes the setup of a simple scenario of the IBM WebSphere Portal Integrator
for SAP to give you a quick start. It uses the standard page structure as it is created during
install of the package.
Note: This is not the product documentation and comes as-is without warranty. It is an
example and may not configure everything. Especially this does not handle session
alignment.
Hostnames used in the scenario
SAP NetWeaver Portal 7.3 sapportal
IBM WebSphere Portal 7.0.0.1 (CF6) on ibmportal
Linux, standalone
Install base of IBM Portal: /opt/WebSphere
Packages
Package name Install location
Solution installer /tmp/SolutionInstaller.zip
SAP integration /tmp/sap_integration.paa
Download packages from the catalog:
https://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xsp
Installing & Setup of Solution Installer
Follow the guidance in the Solution installer package:
– set WAS administrator and Portal administrator passwords to
wp_profile/ConfigEngine/properties/wkplc.properties (e.g. using vi)
– Unzip SolutionInstaller.zip to /opt/tmp
– Add wp_profile path to settings.properties (e.g. using vi)
– verify UNIX EOL characters by executing “dos2unix -b install-SolutionInstaller.sh”
– set run permissions “chmod 755 SolutionInstaller.sh”
– run install script: “/opt/tmp/SolutionInstaller/commands/linux # ./install-SolutionInstaller.sh”
– setup SolutionInstaller:
– change to ConfigEngine directory: wp_profile/ConfigEngine
– run “./ConfigEngine.sh si-setup”
– Verify that the output prints “BUILD SUCCESSFUL”
Installing IBM WebSphere Portal Integrator For SAP
– Start IBM Portal
© IBM, 2011 1
- 2. IBM WebSphere Portal Integrator for SAP
– Install PAA: by running “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh
install-paa -DPAALocation=/tmp/sap_integration.paa”
– Verify that the output prints “BUILD SUCCESSFUL”
– Deploy PAA by running: “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh
deploy-paa -DappName=sap_integration”
– Verify that the output prints “BUILD SUCCESSFUL”
Configuring the AjaxProxy
– create the AjaxProxy configuration file to allow GET connections to SAP Portal and allow
BasicAuthentication on these connections. In this scenario we store it to /tmp/proxy-
config-sap.xml
<?xml version="1.0" encoding="UTF-8"?>
<proxy:proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:proxy="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0">
<proxy:mapping contextpath="/proxy" url="*"/>
<proxy:mapping contextpath="/myproxy" url="*"/>
<proxy:mapping contextpath="/common_proxy" url="*"/>
<proxy:policy url="http://sapportal.boeblingen.de.ibm.com:50000/*" acf="none" basic-auth-
support="true">
<proxy:actions>
<proxy:method>GET</proxy:method>
<proxy:method>HEAD</proxy:method>
</proxy:actions>
<proxy:cookies>
<proxy:cookie>MYSAPSSO2</proxy:cookie>
</proxy:cookies>
<proxy:headers>
<proxy:header>User-Agent</proxy:header>
<proxy:header>Accept*</proxy:header>
<proxy:header>Content*</proxy:header>
<proxy:header>Authorization*</proxy:header>
<proxy:header>set-cookie</proxy:header>
</proxy:headers>
</proxy:policy>
<proxy:meta-data>
<proxy:name>socket-timeout</proxy:name>
<proxy:value>60000</proxy:value>
</proxy:meta-data>
<proxy:meta-data>
<proxy:name>retries</proxy:name>
<proxy:value>1</proxy:value>
</proxy:meta-data>
© IBM, 2011 2
- 3. IBM WebSphere Portal Integrator for SAP
<proxy:meta-data>
<proxy:name>max-connections-per-host</proxy:name>
<proxy:value>5</proxy:value>
</proxy:meta-data>
<proxy:meta-data>
<proxy:name>max-total-connections</proxy:name>
<proxy:value>100</proxy:value>
</proxy:meta-data>
<proxy:meta-data>
<proxy:name>forward-credentials-from-vault</proxy:name>
<proxy:value>true</proxy:value>
</proxy:meta-data>
</proxy:proxy-rules>
– Check in the configuration file file for AjaxProxy by running
“/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh checkin-wp-proxy-config
-DproxyConfigFileName=/tmp/proxy-config-sap.xml”
– Verify that the output prints “BUILD SUCCESSFUL”
Finishing installation
Restart IBM Portal to finish the installation.
Seting up ivew integration
– Navigate to “Applications”, “IBM WebSphere Portal Integrator for SAP”, “iView”
– Open the “Edit shared settings” dialog of the portlet by clicking the small arrow in the
upper right corner of the portlet and choosing the relevant menu entry.
– Create a a non-shared Credential Vault slot which will later be used to store the user's
SAP credentials. Note: In our setup we use the same slot later for the navigation
integration as well. But one could decide to use different slots.
– Add the name “SAPIntegrationCV” to the field “Slot ID”
– Click the button “Create Credential slot”
– Before using the slot you now need to restart IBM Portal.
– Add a Content URL of SAP Portal to be displayed in the portlet. Ask your SAP Portal
administrator for this URL. We want to display the “Universal work list” which in our
environment is this URL: http://sapportal.boeblingen.de.ibm.com:50000/irj/portal/interop?
NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29
– In this scenario we will later configure the navigational integration to pass the SAP SSO
token to the user's browser. So we would not need to set a Credential Vault slot in this
dialog or to add the parameter “sap.SSOTokenDomain”, we would be done already. But
for demonstration purposes we will do and later re-configure the portlet.
© IBM, 2011 3
- 4. IBM WebSphere Portal Integrator for SAP
– Select the Credential vault slot to be used to connect to SAP Portal. Select
“SAPIntegrationCV” from the drop down box. If we would have not created the Credential
Vault slot before, we could now add a name to the text filed and use the drop down entry
to use the text field content. This would mean we can configure the portlet even before
having a Credential Vault slot, but we still would need to create the slot before using the
portlet.
– For testing purposes we are adding the SSO domain “.ibm.com” to the field SAP SSP
Domain. This makes the portlet pass the SAP Portal SSO cookie to the users browser.
We will later configure the navigational integration as well and make it pass the cookie.
Then we will remove the SSO domain here from the portlet as we do not need it anymore.
If we would use the portlet only and use the SSO Domain here, we would also need to
add the integration LogoutFilter now.
– The SAP Portal SSO cookie is not being renamed in our instance of SAP Portal, so we do
not set a value to the field “SAP SSO cookie name”, to stay to the default.
– Click the button “Save parameters”.
– Click the link “Done”.
– Now an error is shown because our Credential Vault slot to be used does not hold
Credentials for the current user already. For this we go to the “Personalize” dialog by
clicking the small arrow in the upper right corner of the portlet and choosing the relevant
menu entry.
– Add the SAP user ID to the field “User ID” and the password to “Password”. Confirm the
password by re-entering in “Confirm Password”.
– Click the button “Save”
– Click the link “Done”
Now the portlet shows the SAP Portal resource you entered the URL for:
© IBM, 2011 4
- 5. IBM WebSphere Portal Integrator for SAP
Setting up navigation integration
The navigation is included later as child pages of the label “SAP navigation”. All parameters
for connections to the SAP Portal are to be stored as page parameters of that label. Note that
these parameters are more or less the same as for the portlet, but to configured here as well
to separate both integrations. If you want to share parameters you can do so by using the
ConfigService extension. See the documentation for that.
– Use Portal Administration “Manage Pages” to navigate to “Applications”, “IBM WebSphere
© IBM, 2011 5
- 6. IBM WebSphere Portal Integrator for SAP
Portal Integrator for SAP”
– Click “Edit page properties” for the label “SAP Navigation”
– Click “Advanced parameters”, “I want to set parameters”
– For our environment we add/change following parameters (for a description see the
documention):
sap.BaseUri http://sapportal.boeblingen.de Base Portal URI including
.ibm.com:50000 port
sap.CredentialSlotId SAPIntegrationCV Credential Vault slot holding
the SAP credentials. We
created the slot during portlet
setup.
sap.SSOTokenUrl http://sapportal.boeblinge Used to force an
n.de.ibm.com:50000/irj/por
authentication challenge to
tal/interop?
NavigationTarget=navurl:// get the SSO token
b8820e07de4b98a23cbedc5c27
5bcc29
sap.SSOTokenDomain .ibm.com SSO Domain to be used to
pass the SAP Portal SSO
cookie to the user's browsers.
Leave out if you do not want
the browsers to be
authenticated automatically.
– Click button “Done”
– Click button “OK”.
– Log out of IBM Portal.
– When logging back in the SAP Portal navigation is integrated:
© IBM, 2011 6
- 7. IBM WebSphere Portal Integrator for SAP
– Now add the Login- and Logoutfilter to pass the SAP Portal SSO cookie to the user's
browsers:
– Log in to the IBM WebSphere Application server administration console
– Navigate to “Recource Environment Providers” , “WP AuthenticationService”, “Custom
properties”.
– Add the Login- and LogoutFlter
– Click “Save” and log out
– Restart IBM Portal to get the filters effective.
– Now if you click a integrated navigation link the SAP Portal page is displayed without
an authentication challenge:
© IBM, 2011 7
- 8. IBM WebSphere Portal Integrator for SAP
Set access to appropriate audience
As we do not want non-SAP users to access the SAP integration for security and performance
reasons, we limit the access rights to the group “sap_users” which in our scenario all
appropriate users are a member of.
For the page “IBM WebSphere Portal Integrator for SAP” we set this group to the role “User”.
Therefore we remove the “Allow inheritance” for the role “User” and click “Apply”:
© IBM, 2011 8
- 9. IBM WebSphere Portal Integrator for SAP
Click “Edit” for the role “User” and add the group “sap_user”:
Go back to the roles overview and click “Apply” to save the changes. Then click “Done”. Now
only for members of the group “sap_user” the navigation will be retrieved on login.
As the access level is inherited from here to our sub-pages we do not need to set something
special for the integration label. “User” is sufficient. For the portlet and the page where the
portlet is placed on the user needs to be “Privileged user” so the user is allowed to enter
© IBM, 2011 9
- 10. IBM WebSphere Portal Integrator for SAP
credentials. If we would use a shared Credential vault slot for all users, we could stay with the
role “User” instead.
For the page “iView” remove the “Allow inheritance” for the role “User” and click “Apply”:
Click “Edit” for the role “Privileged User” and add the group “sap_user”:
© IBM, 2011 10
- 11. IBM WebSphere Portal Integrator for SAP
Go back to the roles overview and click “Apply” to save the changes. Then click “Done”.
Now you need to configure access rights to the portlet application. Go to “Portlet
Management”, “Applications” and click the small button holding a key for the application
“sap.portal.integrator.war”. Click “Edit” for the role “Privileged user” and add the group
“sap_users”:
Go back to the roles overview and click “Apply” to save the changes. Then click “Done”.
© IBM, 2011 11
- 12. IBM WebSphere Portal Integrator for SAP
Removing Token domain from portlet
The LoginFilter is passing the SAP Portal SSO cookie to the user's browser. So in this
scenario here we do not need the portlet passing the token as well. It was just configured for
demonstration purposes. For a re-configuration open the “Edit Shared Settings” mode of the
portlet and click “Clear parameters”. Now configure the portlet by adding the Content URL,
but leave out the Credential Vault slot and the SSO Token Domain. Click “Save parameters”.
Testing with another user
For test purposes our group “sap_user” has a member called “sap_user_1”. Log out with the
administrator user and log back in with that test user. In the integration portlet enter the mode
“Personalize” and enter the user's SAP Portal credentials.
Now log out and log back in. The integration shows another navigation structure – but only if
the user has other Access Rights in SAP Portal than the user before.
Finishing
According to your needs you may want to move the integration label to another place within
IBM WebSphere Portal. You can do so by using the administration dialog “Manage Pages” or
by using XMLAccess. After that you may need to restart for caches to be cleared, depending
on your caching scenario.
Also you may want to place multiple instances of the integration portlet on different pages
showing other SAP Portal content within IBM WebSphere Portal. If you do so you may want to
think about moving some configuration parameter values to the WP ConfigService. See the
portal documentation for this.
Depending on your scenario you also may want to separate the access rights between the
navigation and the portlet(s). Use the access control configuration as we have shown in this
article.
© IBM, 2011 12