Monday, February 13, 2012

Hyperion EPM System 11.x Configuring the BI+ Workspace for Single Sign-On (SSO) with Internet Information Services (IIS) and Apache Tomcat


Hyperion EPM System 11.x Configuring the BI+ Workspace for Single Sign-On (SSO) with Internet Information Services (IIS) and Apache Tomcat [ID 1101884.1]

Modified 08-AUG-2011     Type HOWTO     Status PUBLISHED

Applies to:

Hyperion BI+ - Version: 11.1.1.0.00 to 11.1.1.3.00 - Release: 11.1 to 11.1
Information in this document applies to any platform.
Microsoft Internet Information Services (IIS)
Apache Tomcat
Microsoft Active Directory (MSAD)
Lightweight Directory Access Protocol (LDAP)
Single Sign-On (SSO)
ADSLoginPolicy.jar

Goal

Configure the Hyperion EPM System 11.x BI+ Workspace for Single Sign-On (SSO), with Internet Information Services (IIS) and Apache Tomcat.

Purpose

Single Sign-On means that when a user accesses Workspace, the login page is bypassed and the user is automatically logged on. 

Scope

This document is intended for use by Hyperion BI+ administrators with a good understanding of the Shared Services, External Authentication (MSAD/LDAP) and Workspace. 


Solution

1 - Prior Configuration Changes

Prior to configuring the BI+ Workspace for SSO, ensure: 
  • Shared Services is configured for External Authentication (MSAD/LDAP)
  • {MSAD/LDAP} User IDs and Groups are provisioned with Hyperion BI+ in Shared Services
  • {MSAD/LDAP} User ID can log in manually to Workspace
  • Workspace is configured to work with Internet Information Services (IIS) Manager; verify this by checking http://hostname/workspace

Note:
Once SSO is implemented, the login page will no longer be available.
It is recommended that one of the external authentication users be provisioned as an administrator or global administrator. Once SSO is implemented, the admin ID is no longer available for logging in to Workspace. A second option is to set up a second UI (Workspace) for such manual logins.


Before making any modifications, make sure that the relevant backups have been taken. This may also include making a copy of the files related to this process.

2 - Configure BI+ Workspace for SSO

To configure SSO for BI+ Workspace: 
  1. Save the attached "ADSLoginPolicy.jar" to the location:
\deployments\Tomcat5\Workspace\webapps\workspace\WEB-INF\lib. 

3 - Configure BI+ Workspace for SSO Authentication Password

To set the SSO authentication password within BI+ Workspace:
  1. Using the command line, navigate to:  <Hyperion-Home>\products\Foundation\workspace\bin 
  2. Run settrustedpass.bat.
  3. Enter the password: 123456.


Note: This writes the password as encrypted text to the tp.conf file under \deployments\Tomcat5\Workspace\webapps\workspace\WEB-INF\config.

4 - Configure BI+ Workspace Trusted Password

  1. Log on to Workspace, and select:  Navigate > Administer > Authentication.
  2. Under Trusted Password Settings, select:  Enable Trusted Password.
  3. In the "Password" field, enter the same password as in Step 3.4 (Configure BI+ Workspace for SSO Authentication Password).
  4. Within "Confirm Password" field, re-enter the password.
  5. Click OK. 
  

5 - Start User Interface Service

Start the User Interface (UI) Service with startUI.bat in
\common\workspacert\9.5.0.0\bin 

6 - Configure CMC 

  1. Log on to CMC, e.g. http://<host>:55000/cmc
  2. In the Current View list, select:  Web-Application Configuration.
  3. Right-click Workspace Web-Application, and select:  Properties.
  4. Tab to:  User Interface.
  5. In the "LoginPolicy Class For $CUSTOM_LOGIN" box, enter:  com.brio.support.ohio.auth8.ADSLoginPolicy
  6. In the Custom Username Policy list, select:  $CUSTOM_LOGIN$ 
  7. In the Custom Password Policy list, select:  $TRUSTEDPASS$ 
  8. Click OK
  9. Exit CMC.
  

7 - Configure Apache Tomcat

Modify the Tomcat server.xml for BI+ Workspace:
  1. Browse to directory:   \deployments\Tomcat5\Workspace\conf\
  2. Make a backup copy of:  server.xml
  3. In Notepad open the file:  server.xml
  4. Locate the line:   URIEncoding="UTF-8" /> 
  5. Add to the end of "UTF-8" a space and the value:  tomcatAuthentication="false"
The line should read: 
<Connector port="45002" protocol="AJP/1.3" URIEncoding="UTF-8" tomcatAuthentication="false"/>
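
With tomcatAuthentication="false", Tomcat no longer authenticates the request itself and accepts the user identity that the web server forwards over AJP, so the AJP port should be reachable only from the IIS host. The script below is an added example, not part of the original note or of the product. It audits a copy of server.xml for that setting and rejects a file that a hand edit has left malformed; the sample XML, its HTTP connector on port 45000 and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector line from step 5 inside a minimal
# server.xml, plus an HTTP connector (port 45000 is made up) to be ignored.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="45000" protocol="HTTP/1.1" URIEncoding="UTF-8" />
    <Connector port="45002" protocol="AJP/1.3" URIEncoding="UTF-8" tomcatAuthentication="false"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml_text):
    """Return one finding dict per AJP connector found in a Tomcat server.xml."""
    try:
        root = ET.fromstring(server_xml_text)
    except ET.ParseError as exc:
        # e.g. a missing space between two attributes after a manual edit
        raise ValueError(f"server.xml is not well-formed XML: {exc}") from exc

    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        # Tomcat treats a missing tomcatAuthentication attribute as "true".
        tomcat_auth = conn.get("tomcatAuthentication", "true").strip().lower()
        address = conn.get("address")  # None: connector listens on all interfaces
        notes = []
        if tomcat_auth != "false":
            notes.append("tomcatAuthentication is not false: the IIS user is not propagated")
        else:
            notes.append("identity forwarded over AJP is trusted: limit the port to the IIS host")
            if address is None:
                notes.append("no address attribute: connector listens on every interface")
        findings.append({
            "port": conn.get("port"),
            "sso_ready": tomcat_auth == "false",
            "address": address,
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP port {finding['port']}: sso_ready={finding['sso_ready']}")
        for note in finding["notes"]:
            print("  -", note)
```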

8 - Configure IIS Webserver

Set the authentication method for the Web server (IIS):
  1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Expand the local computer name > Web Sites.
  3. Right-click Web Sites and select Properties.
  4. Select the Directory Security tab.
  5. In the Authentication and access control area, click Edit.
  6. Clear Enable anonymous access, and select Integrated Windows authentication. Integrated Windows authentication must be the only option selected.
  7. Click OK.
  8. If prompted about child objects sharing security, do not select any options, and click OK, and close Internet Information Services (IIS) Manager.

9 - Restart Hyperion EPM Services

Restart the Hyperion Services in this order: 
  1. IIS Admin and World Wide Web Publishing
  2. Hyperion Foundation OpenLDAP
  3. Hyperion Foundation Shared Services - Web Application
  4. Hyperion Workspace - Web Application
  5. Hyperion Workspace - Agent Service


Attachments

 ADSLoginPolicy.jar (6.9 KB)
