ibm websphere portal integrator for sap - sample scenario

8/3/2019 IBM WebSphere Portal Integrator for SAP - Sample Scenario

1/12

IBM WebSphere Portal Integrator for SAP

IntroductionThis article describes the setup of a simple scenario of the IBM WebSphere Portal Integratorfor SAP to give you a quick start. It uses the standard page structure as it is created duringinstall of the package.

Note: This is not the product documentation and comes as-is without warranty. It is anexample and may not configure everything. Especially this does not handle sessionalignment.

Hostnames used in the scenario

SAP NetWeaver Portal 7.3 sapportal

IBM WebSphere Portal 7.0.0.1 (CF6) onLinux, standalone

ibmportal

Install base of IBM Portal: /opt/WebSphere

Packages

Package name Install location

Solution installer /tmp/SolutionInstaller.zip

SAP integration /tmp/sap_integration.paa

Download packages from the catalog:https://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xsp

Installing & Setup of Solution InstallerFollow the guidance in the Solution installer package:

set WAS administrator and Portal administrator passwords towp_profile/ConfigEngine/properties/wkplc.properties (e.g. using vi)

Unzip SolutionInstaller.zip to /opt/tmp

Add wp_profile path to settings.properties (e.g. using vi)

verify UNIX EOL characters by executing dos2unix -b install-SolutionInstaller.sh

set run permissions chmod 755 SolutionInstaller.sh

run install script: /opt/tmp/SolutionInstaller/commands/linux # ./install-SolutionInstaller.sh

setup SolutionInstaller:

change to ConfigEngine directory: wp_profile/ConfigEngine

run ./ConfigEngine.sh si-setup

Verify that the output prints BUILD SUCCESSFUL

Installing IBM WebSphere Portal Integrator For SAP Start IBM Portal

IBM, 2011 1
https://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xsphttps://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xsp


2/12


Install PAA: by running /opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.shinstall-paa -DPAALocation=/tmp/sap_integration.paa


Deploy PAA by running: /opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh

deploy-paa -DappName=sap_integration


Configuring the AjaxProxy create the AjaxProxy configuration file to allow GET connections to SAP Portal and allow

BasicAuthentication on these connections. In this scenario we store it to /tmp/proxy-config-sap.xml

GETHEAD

MYSAPSSO2

User-AgentAccept*Content*Authorization*set-cookie

socket-timeout60000

retries1

IBM, 2011 2


3/12


max-connections-per-host5

max-total-connections100

forward-credentials-from-vaulttrue

Check in the configuration file file for AjaxProxy by running

/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh checkin-wp-proxy-config-DproxyConfigFileName=/tmp/proxy-config-sap.xml


Finishing installationRestart IBM Portal to finish the installation.

Seting up ivew integration Navigate to Applications, IBM WebSphere Portal Integrator for SAP, iView

Open the Edit shared settings dialog of the portlet by clicking the small arrow in theupper right corner of the portlet and choosing the relevant menu entry.

Create a a non-shared Credential Vault slot which will later be used to store the user'sSAP credentials. Note: In our setup we use the same slot later for the navigationintegration as well. But one could decide to use different slots.

Add the name SAPIntegrationCV to the field Slot ID

Click the button Create Credential slot

Before using the slot you now need to restart IBM Portal.

Add a Content URL of SAP Portal to be displayed in the portlet. Ask your SAP Portaladministrator for this URL. We want to display the Universal work list which in our

environment is this URL: http://sapportal.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29

In this scenario we will later configure the navigational integration to pass the SAP SSOtoken to the user's browser. So we would not need to set a Credential Vault slot in thisdialog or to add the parameter sap.SSOTokenDomain, we would be done already. Butfor demonstration purposes we will do and later re-configure the portlet.

IBM, 2011 3
http://wpsvm204.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29http://wpsvm204.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29http://wpsvm204.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29http://wpsvm204.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29


4/12


Select the Credential vault slot to be used to connect to SAP Portal. SelectSAPIntegrationCV from the drop down box. If we would have not created the CredentialVault slot before, we could now add a name to the text filed and use the drop down entryto use the text field content. This would mean we can configure the portlet even beforehaving a Credential Vault slot, but we still would need to create the slot before using theportlet.

For testing purposes we are adding the SSO domain .ibm.com to the field SAP SSPDomain. This makes the portlet pass the SAP Portal SSO cookie to the users browser.We will later configure the navigational integration as well and make it pass the cookie.Then we will remove the SSO domain here from the portlet as we do not need it anymore.If we would use the portlet only and use the SSO Domain here, we would also need toadd the integration LogoutFilter now.

The SAP Portal SSO cookie is not being renamed in our instance of SAP Portal, so we donot set a value to the field SAP SSO cookie name, to stay to the default.

Click the button Save parameters.

Click the link Done.

Now an error is shown because our Credential Vault slot to be used does not holdCredentials for the current user already. For this we go to the Personalize dialog byclicking the small arrow in the upper right corner of the portlet and choosing the relevantmenu entry.

Add the SAP user ID to the field User ID and the password to Password. Confirm thepassword by re-entering in Confirm Password.

Click the button Save

Click the link Done

Now the portlet shows the SAP Portal resource you entered the URL for:

IBM, 2011 4


5/12


Setting up navigation integrationThe navigation is included later as child pages of the label SAP navigation. All parametersfor connections to the SAP Portal are to be stored as page parameters of that label. Note thatthese parameters are more or less the same as for the portlet, but to configured here as wellto separate both integrations. If you want to share parameters you can do so by using theConfigService extension. See the documentation for that.

Use Portal Administration Manage Pages to navigate to Applications, IBM WebSphere

IBM, 2011 5


6/12


Portal Integrator for SAP

Click Edit page properties for the label SAP Navigation

Click Advanced parameters, I want to set parameters

For our environment we add/change following parameters (for a description see thedocumention):

sap.BaseUri http://sapportal.boeblingen.de.ibm.com:50000

Base Portal URI includingport

sap.CredentialSlotId SAPIntegrationCV Credential Vault slot holdingthe SAP credentials. Wecreated the slot during portletsetup.

sap.SSOTokenUrl http://sapportal.boeblingen.de.ibm.com:50000/irj/por

tal/interop?NavigationTarget=navurl://

b8820e07de4b98a23cbedc5c27

5bcc29

Used to force anauthentication challenge toget the SSO token

sap.SSOTokenDomain .ibm.com SSO Domain to be used topass the SAP Portal SSOcookie to the user's browsers.Leave out if you do not wantthe browsers to beauthenticated automatically.

Click button Done

Click button OK.

Log out of IBM Portal.

When logging back in the SAP Portal navigation is integrated:

IBM, 2011 6


7/12


Now add the Login- and Logoutfilter to pass the SAP Portal SSO cookie to the user'sbrowsers:

Log in to the IBM WebSphere Application server administration console

Navigate to Recource Environment Providers , WP AuthenticationService, Customproperties.

Add the Login- and LogoutFlter

Click Save and log out

Restart IBM Portal to get the filters effective.

Now if you click a integrated navigation link the SAP Portal page is displayed withoutan authentication challenge:

IBM, 2011 7


8/12


Set access to appropriate audienceAs we do not want non-SAP users to access the SAP integration for security and performancereasons, we limit the access rights to the group sap_users which in our scenario allappropriate users are a member of.

For the page IBM WebSphere Portal Integrator for SAP we set this group to the role User.Therefore we remove the Allow inheritance for the role User and click Apply:

IBM, 2011 8


9/12


Click Edit for the role User and add the group sap_user:

Go back to the roles overview and click Apply to save the changes. Then click Done. Nowonly for members of the group sap_user the navigation will be retrieved on login.

As the access level is inherited from here to our sub-pages we do not need to set somethingspecial for the integration label. User is sufficient. For the portlet and the page where theportlet is placed on the user needs to be Privileged user so the user is allowed to enter

IBM, 2011 9


10/12


credentials. If we would use a shared Credential vault slot for all users, we could stay with therole User instead.

For the page iView remove the Allow inheritance for the role User and click Apply:

Click Edit for the role Privileged User and add the group sap_user:

IBM, 2011 10


11/12


Go back to the roles overview and click Apply to save the changes. Then click Done.

Now you need to configure access rights to the portlet application. Go to PortletManagement, Applications and click the small button holding a key for the applicationsap.portal.integrator.war. Click Edit for the role Privileged user and add the groupsap_users:

Go back to the roles overview and click Apply to save the changes. Then click Done.

IBM, 2011 11


12/12


Removing Token domain from portletThe LoginFilter is passing the SAP Portal SSO cookie to the user's browser. So in thisscenario here we do not need the portlet passing the token as well. It was just configured fordemonstration purposes. For a re-configuration open the Edit Shared Settings mode of the

portlet and click Clear parameters. Now configure the portlet by adding the Content URL,but leave out the Credential Vault slot and the SSO Token Domain. Click Save parameters.

Testing with another userFor test purposes our group sap_user has a member called sap_user_1. Log out with theadministrator user and log back in with that test user. In the integration portlet enter the modePersonalize and enter the user's SAP Portal credentials.

Now log out and log back in. The integration shows another navigation structure but only ifthe user has other Access Rights in SAP Portal than the user before.

FinishingAccording to your needs you may want to move the integration label to another place within

IBM WebSphere Portal. You can do so by using the administration dialog Manage Pages orby using XMLAccess. After that you may need to restart for caches to be cleared, dependingon your caching scenario.

Also you may want to place multiple instances of the integration portlet on different pagesshowing other SAP Portal content within IBM WebSphere Portal. If you do so you may want tothink about moving some configuration parameter values to the WP ConfigService. See theportal documentation for this.

Depending on your scenario you also may want to separate the access rights between thenavigation and the portlet(s). Use the access control configuration as we have shown in thisarticle.

IBM, 2011 12

ibm websphere portal integrator for sap - sample scenario

Documents