Professional Documents
Culture Documents
Patents
Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. Copyright 2007 Business Objects. All rights reserved. Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at: http://www.businessobjects.com/thirdparty
Trademarks
Contents
Chapter 1 Getting Started 23 About this help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Who should use this help? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 About BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Where should I start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Planning or performing your first deployment . . . . . . . . . . . . . . . . . . . 25 Configuring your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Changing your deployments architecture . . . . . . . . . . . . . . . . . . . . . . 26 Improving your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . 26 Chapter 2 BusinessObjects Enterprise Architecture 29
Chapter overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Architecture basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . 33 Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . 33 Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application server and BusinessObjects Enterprise SDK . . . . . . . 35 Web Component Adapter (WCA) . . . . . . . . . . . . . . . . . . . . . . . . . 35 Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Java platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Windows .NET platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Contents
Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Desktop Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 What happens when you schedule an object? . . . . . . . . . . . . . . . . . . . 46 What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . . 47 Report viewing with the Cache Server and Page Server . . . . . . . . 49 Report viewing with the Report Application Server . . . . . . . . . . . . 50 Viewing Web Intelligence documents . . . . . . . . . . . . . . . . . . . . . . . 51 Choosing between live or saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Chapter 3 Planning Your Deployment 57
Contents
Estimating the number and type of users . . . . . . . . . . . . . . . . . . . . . . 59 Other user considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Estimating the number of simultaneous requests . . . . . . . . . . . . . . . . 61 Estimating the number of concurrent active users and viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Concurrent active users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Calculating resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Analyzing service thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Calculating the minimum resource requirements . . . . . . . . . . . . . . . . . 71 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Summary of resource calculations . . . . . . . . . . . . . . . . . . . . . . . . 73 Designing for high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Designing a multiple-server system for high availability . . . . . . . . 77 Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Single-machine architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Balanced processing architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 High availability clustered architecture . . . . . . . . . . . . . . . . . . . . . . . . . 80 Firewalled architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Contents
Chapter 4
83
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Creating a WebSphere cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Starting the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Creating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Checking the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Adding the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting heap size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting internal system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Installing the applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Mapping BusinesssObjects WAR files to the cluster . . . . . . . . . . . . . . 95 Regenerating the web server plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Chapter 5 Managing and Configuring Servers 97
Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 BusinessObjects Enterprise administrative tools . . . . . . . . . . . . . . . . . 98 Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 99 Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . . 99 Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 102 Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 104 Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Java Web Component Adapter . . . . . . . . . . . . . . 109 Changing the default session timeout value for the Java CMC . . 110 Changing the default session timeout value for the Java InfoView . . 111 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . . 112 Configuring the .NET Web Component Adapter . . . . . . . . . . . . . 113
Contents
Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . 114 Adding a new CMS cluster member . . . . . . . . . . . . . . . . . . . . . . . . . 116 Installing a new CMS and adding it to a cluster . . . . . . . . . . . . . 116 Adding an installed CMS to a cluster . . . . . . . . . . . . . . . . . . . . . 117 Adding clustered CMSs to the web.xml file . . . . . . . . . . . . . . . . . 119 Preparing to migrate a CMS database . . . . . . . . . . . . . . . . . . . . 119 Changing the name of a CMS cluster . . . . . . . . . . . . . . . . . . . . . 121 Copying data from one CMS database to another . . . . . . . . . . . . . . . 122 Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . 127 Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 128 Setting root directories and idle times of the File Repository Servers 130 Modifying performance settings for Cache Servers and Event Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Modifying performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 133 Enabling or disabling destinations for job servers . . . . . . . . . . . . 133 Configuring the destination properties for job servers . . . . . . . . . 134 Inbox destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Email (SMTP) destination properties . . . . . . . . . . . . . . . . . . . . . 136 FTP destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Unmanaged Disk destination properties . . . . . . . . . . . . . . . . . . . 139 Configuring Windows processing servers for your data source . . . . . 140 Configuring UNIX processing servers for your data source . . . . . . . . 141 Native drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 ODBC drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 147 Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Configuring the CMS to bind to a network address . . . . . . . . . . . 150 Configuring the remaining servers to bind to a network address 150 Adding and removing Windows server dependencies . . . . . . . . . . . . 150
Contents
Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Creating key and certificate files . . . . . . . . . . . . . . . . . . . . . . . . . 153 Configuring the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Chapter 6 Working with Firewalls 157
Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 TCP/IP and packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 SOCKS proxy servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers and the CMS directory listing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between the application tier and CMS . . . . . . . . 163 Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Application tier separated from the CMS by a firewall . . . . . . . . . 165 Thick client separated from the CMS by a firewall . . . . . . . . . . . . 165 Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Configuring desktop products across a firewall . . . . . . . . . . . . . . . . . . 166 Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . . 167 Configuring NAT when application tier is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Configuring NAT when thick client is separated from the CMS . . 171 Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Configuring packet filtering when application tier is separated from CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Contents
Configuring packet filtering when thick client is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Configuring the CMS for SOCKS Servers . . . . . . . . . . . . . . . . . . 176 Configuring the WCA for SOCKS servers . . . . . . . . . . . . . . . . . . 177 Chapter 7 Security Concepts 179
Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Single sign-on to BusinessObjects Enterprise . . . . . . . . . . . . . . 184 Single sign-on to database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 End-to-end single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 BusinessObjects Enterprise security plug-in . . . . . . . . . . . . . . . . 186 Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . 189 Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . 194 Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . 194 Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User creation opitons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Contents
Alias options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User type options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Update options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Chapter 8 Modifying default security behavior 199
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session in Java InfoView 200 Disabling the restoration of a timed out session in .NET InfoView . . . 201 Enabling reverse proxies for Java applications servers . . . . . . . . . . . . . . 202 Enabling reverse proxies for BusinessObjects Java InfoView . . . . . . 202 Enabling reverse proxies for BusinessObjects Web Services . . . . . . 203 Enabling reverse proxies on Tomcat . . . . . . . . . . . . . . . . . . . . . . 203 Enabling reverse proxy on web application servers other than Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Enabling reverse proxies for BusinessObjects Live Office . . . . . . . . . 206 Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Deployment instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Disabling persistent cookies for InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 208 Chapter 9 Using NT Authentication 211
Using NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Windows NT security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Business Objects NT Users Group . . . . . . . . . . . . . . . . . . . . . . . 213 NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 NT and single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 NT user account and group administration . . . . . . . . . . . . . . . . . . . . . . . . 214 Mapping NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Mapping NT user accounts and groups from Windows NT . . . . . . . . . 215 Mapping NT user account or groups from Windows 2000 or 2003 . . . 216 Mapping NT groups from the CMC . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Contents
Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . 221 Adding an NT account to a mapped NT group . . . . . . . . . . . . . . 222 Creating a new NT group account . . . . . . . . . . . . . . . . . . . . . . . 222 Disabling an NT user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Modifying IIS security settings for NT single sign-on . . . . . . . . . 224 Enabling InfoView NT single sign-on from the CMC . . . . . . . . . . 224 Modifying the web.config file for NT single sign-on . . . . . . . . . . . 225 Chapter 10 Using LDAP authentication 227
Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 LDAP security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 More about LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Configuring the LDAP host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Configuring LDAP Server or Mutual Authentication and the SSL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 LDAP and SiteMinder Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Configuring the LDAP plug-in for SiteMinder . . . . . . . . . . . . . . . 236 Modifying web.xml for LDAP and SiteMinder . . . . . . . . . . . . . . . 237 Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 242 Changing LDAP connection parameters and member groups . . . . . 242 Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Creating a new LDAP user account . . . . . . . . . . . . . . . . . . . . . . 243 Chapter 11 Using AD with NTLM or SiteMinder 245
Using AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Windows AD security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD and NTLM and SiteMinder workflows . . . . . . . . . . . . . . . . . . . . . 248
Contents
AD and NTLM basic workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD, NTLM and single sign-on workflow . . . . . . . . . . . . . . . . . . . . 248 AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying IIS security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying the web.config file for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Modifying the web.config file for InfoView AD single sign-on . . . . 254 Configuring AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . 255 Configuring the Windows AD plug-in for SiteMinder . . . . . . . . . . 255 Modifying web.xml for Java AD and SiteMinder . . . . . . . . . . . . . . 257 Modifying web.xml for Java AD Single sign-on to InfoView . . . . . 258 Modifying the web.xml file for Java AD and SiteMinder . . . . . . . . 258 Modifying web.config for .NET InfoView and SiteMinder . . . . . . . 259 Disabling SiteMinder for Java clients . . . . . . . . . . . . . . . . . . . . . . 260 Disabling SiteMinder for .NET clients . . . . . . . . . . . . . . . . . . . . . . 261 Troubleshooting single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Duplicate ssoEnabled tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Chapter 12 Using AD and Kerberos with IIS 265
Configuring Kerberos for IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Kerberos, IIS and single sign-on options . . . . . . . . . . . . . . . . . . . . . . 266 Workflows for Kerberos and IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Basic AD and Kerberos workflow . . . . . . . . . . . . . . . . . . . . . . . . . 267 AD and Kerberos with single sign-on workflow . . . . . . . . . . . . . . 267 Single sign-on to database workflow . . . . . . . . . . . . . . . . . . . . . . 267 End-to-end Single sign-on workflow . . . . . . . . . . . . . . . . . . . . . . . 267 Setting up a service account on AD . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Contents
Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 270 Configuring the servers to use the service account . . . . . . . . . . 270 Enabling Kerberos authentication in the Windows AD plug-in . . . . . . 271 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Modifying web.config for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Modifying the AD plug-in settings for database single sign-on . 275 Configuring IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Configuring IIS for integrated Windows authentication . . . . . . . . 275 Configuring the Internet Explorer browser on a client machine . 276 Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . 277 Configuring IIS 5 for Kerberos end-to-end single sign-on . . . . . . 277 Configuring IIS 6 for Kerberos end-to-end single sign-on . . . . . . 279 Configuring IIS for database single sign-on . . . . . . . . . . . . . . . . . . . . 281 Configuring IIS 5 for single sign-on to database only . . . . . . . . . 282 Configuring IIS 6 for single sign-on to database . . . . . . . . . . . . . 283 Modifying web.config for InfoView single sign-on . . . . . . . . . . . . 284 Configuring web applications for database single sign-on . . . . . 285 Configuring the database server for single sign-on . . . . . . . . . . . . . . 286 Configuring SQL Server for single sign-on . . . . . . . . . . . . . . . . . 286 Server cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Modifying the default cache expiry value . . . . . . . . . . . . . . . . . . 287 Chapter 13 Using AD and Kerberos with Java application servers 289
Configuring Kerberos for Java application servers . . . . . . . . . . . . . . . . . 290 General workflow for configuring Kerberos . . . . . . . . . . . . . . . . . . . . 290 Workflow for configuring Tomcat for Kerberos . . . . . . . . . . . . . . . . . . 291 Workflow for configuring WebSphere for Kerberos . . . . . . . . . . . . . . 291 Workflow for configuring WebLogic for Kerberos . . . . . . . . . . . . . . . . 291 Workflow for configuring Oracle for Kerberos . . . . . . . . . . . . . . . . . . 291 Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Contents
Creating an SPN for your CMS on a Windows 2000 domain . . . . 293 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Creating an SPN for your CMS on a Windows 2003 domain . . . . 294 Setting up constrained delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Setting up constrained delegation for a service account . . . . . . . 295 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 295 Adding the Service Account to the servers Local Administrators group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Configuring the servers to use the service account . . . . . . . . . . . 297 Kerberos authentication in the Windows AD plug-in . . . . . . . . . . . . . 297 Configuring Kerberos for your Java application server . . . . . . . . . . . . 302 Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Creating the Kerberos configuration file for WebSphere . . . . . . . 304 Creating the JAAS login configuration file for Tomcat or WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Creating the JAAS login configuration file for Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Creating the JAAS login configuration file for WebSphere . . . . . . 306 Modifying your Java options for Kerberos on Tomcat . . . . . . . . . 307 Modifying the Java options for Kerberos on WebLogic . . . . . . . . 307 Modifying the Java options for Kerberos on Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Modifying the Java options for Kerberos on WebSphere . . . . . . . 308 Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Enabling logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Testing your Java Kerberos configuration . . . . . . . . . . . . . . . . . . 310 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 310 Configuring Kerberos and single sign-on to the database for Java application servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Configuring Kerberos and single sign-on for Java InfoView . . . . . . . . 312
Contents
Workflow for configuring Kerberos single sign-on to Java InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. . . . . . . . . . . . . . . . . . . . . . . . 314 Step 2: Creating an SPN for your web application server . . . . . . 315 Step 3: Reset the service account password . . . . . . . . . . . . . . . 315 Step 4: Create and place a keytab file . . . . . . . . . . . . . . . . . . . . 316 Step 5: Enabling Vintela single sign-on for Java in the web.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Step 6: Increasing the header size limit of your Java application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Controlling logging with Vintela single sign-on for Java . . . . . . . 322 What to specify in your log4j properties file . . . . . . . . . . . . . . . . . 323 Alternate url to access InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 324 Modifying the Vintela logon error page . . . . . . . . . . . . . . . . . . . . 325 Configuring Internet Explorer browsers . . . . . . . . . . . . . . . . . . . . 326 Chapter 14 Trusted Authentication 327
Enabling Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Configuring the server for Trusted Authentication . . . . . . . . . . . . . . . 328 Configuring Trusted Authentication for the client . . . . . . . . . . . . . . . . 329 Configuring Trusted Authentication for Business Process BI . . . . . . 334 Configuring Trusted Authentication on a separate web application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Chapter 15 Improving Performance 337
Improving performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing user needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Analyzing server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Evaluating your systems performance . . . . . . . . . . . . . . . . . . . . . . . 346
Contents
Resolving performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Configuring the intelligence tier for enhanced performance . . . . . . . . 351 Configuring the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Modifying the polling time of the Event Server . . . . . . . . . . . . . . . 351 Configuring the File Repository Servers . . . . . . . . . . . . . . . . . . . . 352 Modifying Cache Server performance settings . . . . . . . . . . . . . . 352 Configuring the processing tier for enhanced performance . . . . . . . . 354 Modifying performance settings for job servers . . . . . . . . . . . . . . 355 Modifying Desktop Intelligence Report Server performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Modifying performance settings for the Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . 360 Modifying performance settings for the RAS . . . . . . . . . . . . . . . . 362 Modifying Page Server performance settings . . . . . . . . . . . . . . . 363 Scaling your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . 367 Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . 367 Increasing on-demand viewing capacity for Crystal reports . . . . . 369 Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Delegating XSL transformation to Internet Explorer . . . . . . . . . . . 370 Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . 370 Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . 371 Getting the most from existing resources . . . . . . . . . . . . . . . . . . . 371 Chapter 16 General Troubleshooting 373
Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . . 375 .NET CSP and ASP pages display code . . . . . . . . . . . . . . . . . . . . . . . 376 Unable to access the CMS from thick client . . . . . . . . . . . . . . . . . . . . 376 Unable to View .NET InfoView or CMC . . . . . . . . . . . . . . . . . . . . . . . . 377
Contents
Determining if the IIS 6.0 ASP.NET component is installed . . . . 377 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . 378 Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 379 Unable to open a report from InfoView . . . . . . . . . . . . . . . . . . . . . . . 379 Single sign-on from an IE Windows 2000 client fails . . . . . . . . . . . . . 380 Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 380 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 381 Unable to sign on with AD and Kerberos . . . . . . . . . . . . . . . . . . 381 TReport viewing and processing issues . . . . . . . . . . . . . . . . . . . 383 Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 383 Images and charts not displayed . . . . . . . . . . . . . . . . . . . . . . . . 385 Troubleshooting reports and looping database logon prompts . . . . . 385 Ensuring that server resources are available on local drives . . . . . . . 388 Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 389 InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 390 Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Unable to import users from BusinessObjects 6.5 . . . . . . . . . . . . . . . 390 Chapter 17 Managing Auditing 391
How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Reference list of auditable actions . . . . . . . . . . . . . . . . . . . . . . . 395 Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . 399 Configuring the universe connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 403 Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . 404
Contents
Chapter 18
Auditing Reports
407
Using auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Why are reports important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Auditor report names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Average Number of Users Logged In . . . . . . . . . . . . . . . . . . . . . . 408 Average Refresh Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per Cluster . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per User . . . . . . . . . . . . . . . . . . . . . . . 409 Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Information Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Scheduling and Viewing Status . . . . . . . . . . . . . . . . . 410 Job Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Jobs per Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Jobs per User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Job Servers on the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Last Login for User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Least Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions per Document . . . . . . . . . . . . . . . . . . . . . . 413 Number of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Number of Users in the System . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Password Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Peak Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Refresh and Edit Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Rights Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Total Users Logged In by Day . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity per Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Users Who Logged Off Incorrectly . . . . . . . . . . . . . . . . . . . . . . . . 415 Viewing sample auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Contents
Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Server_Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Event_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Application_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Detail_Type table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Appendix A Customizing the appearance of Web Intelligence documents 427
Customizing the appearance of Web Intelligence documents . . . . . . . . . 428 What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 429 Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . 430 Desktop Intelligence Enterprise Java InfoView . . . . . . . . . . . . . . 431 Desktop Intelligence Enterprise .NET InfoView . . . . . . . . . . . . . 431 List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Example: Modifying the default font in table cells . . . . . . . . . . . . . . . 433 Appendix B Server deployment and firewall configuration 435
About this appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Understanding how BusinessObjects Enterprise servers communicate . 436 Using CORBA to communicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Registering with the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Communicating with client applications . . . . . . . . . . . . . . . . . . . . . . . 438 Configuring BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . 439 Configuring the CMS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Configuring non-CMS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Configuring Job Servers for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . 442 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Contents
Configuring firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Example: A firewall between the application server and BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Deploying BusinessObjects Enterprise on multihomed machines . . . . . . 448 Multihomed machines with NICs on the same subnet . . . . . . . . . . . . 449 Multihomed machines with NICs on different subnets . . . . . . . . . . . . 450 Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected . . . . . . . . . . . . . . 450 Binding to a particular NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Summary of unsupported deployment scenarios . . . . . . . . . . . . . . . . . . . 451 Appendix C Server Command Lines 453
Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 UNIX signal handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . 465 Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Appendix D Rights and Access Levels 467
Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 472
Contents
Appendix E
UNIX Tools
473
UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 ccm.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 482 bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Appendix F Enabling support for ASP.NET 2.0 485
Enabling support for ASP.NET 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Appendix G Business Objects Information Resources 489
Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Whats in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Contents
Documentation from the products . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the product CD . . . . . . . . . . . . . . . . . . . . . . . . 490 Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 491 How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Online Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Looking for the best deployment solution for your company? . . . . . . . 492 Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Index 495
Getting Started
chapter
planning your first deployment configuring your first deployment making significant changes to the architecture of an existing deployment improving your systems performance.
For a list of suggested topics for each of these scenarios, consult Where should I start? on page 25. This help is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is beneficial, as is a general understanding of web application server management and scripting technologies. However, to assist all levels of administrative experience, this help aims to provide sufficient background and conceptual information to clarify all administrative tasks and features.
24
To get familiar with the components, read BusinessObjects Enterprise Architecture on page 29. Assess your needs and design a deployment architecture that works best for you. Planning Your Deployment on page 57 Working with Firewalls on page 157 Security Concepts on page 179 If you plan to use third-party authentication, read the following sections that apply to your deployment:
Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227
Improving Performance on page 337 For more information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide. After you install, read Managing and Configuring Servers on page 97.
Managing and Configuring Servers on page 97 Working with Firewalls on page 157 Security Concepts on page 179
25
If you plan to use third-party authentication, read the following sections that apply to your deployment:
Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227
Improving Performance on page 337 If you plan to audit your system, read Managing Auditing on page 391 and Auditing Reports on page 407. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. If you encounter problems, read General Troubleshooting on page 373.
Improving Performance on page 337 If you are installing new server components, see Managing and Configuring Servers on page 97. If you are importing or configuring new users, see Security Concepts on page 179. If you encounter problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. For information about installing new components, you can find more information in the BusinessObjects Enterprise Installation Guide.
26
Improving Performance on page 337 If you want to monitor your existing system, read Managing Auditing on page 391 and Auditing Reports on page 407. If you want to resolve specific performance problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide.
27
28
chapter
Chapter overview
This chapter briefly introduces BusinessObjects Enterprise administrators to the architecture of BusinessObjects Enterprise. This chapter covers the following topics:
Architecture basics Client tier Intelligence tier Processing tier Data tier Report viewers Information flow
For faster navigation, click on the title of the topic you are interested in.
Architecture basics
BusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this section to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs. In BusinessObjects Enterprise, there are five tiers:
The client tier The application tier The intelligence tier The processing tier The data tier
To provide flexibility, reliability, and scalability, the components that make up each of these tiers can be installed on one machine, or spread across many. The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products plug in to the BusinessObjects Enterprise framework in various ways. This section describes the framework itself. Consult each products installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework.
30
The servers run as services on Windows machines. On UNIX, the servers run as daemons. These services can be vertically scaled to take full advantage of the hardware that they are running on, and they can be horizontally scaled to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine. For example, you can run the CMS and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called horizontal scaling. If the Report Application Server is
31
running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called vertical scaling. The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers. Tip: Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.
Client tier
The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.
InfoView Central Management Console (CMC) Central Configuration Manager (CCM) Publishing Wizard Import Wizard
For faster navigation, click on the title of the topic you are interested in.
InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. In .NET InfoView, the web server forwards the user request directly to an application server where the request
32
is processed by the Web Component Adapter (WCA); typically, InfoView only uses the WCA when OLAP is installed. In this case, the web server will forward the .csp request to the WCA for processing. InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.
33
Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Administrators Guide.
Import Wizard
The Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Installation Guide.
Application tier
The application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. For both the Java and .NET platforms, the application tier includes the following components:
Application server and BusinessObjects Enterprise SDK Web Component Adapter (WCA)
34
Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
35
It also supports Business Objects applications such as the CMC (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).
Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
Java platform
All UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.
In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
36
You do not need a Web Component Adapter for custom ASP.NET applications. If after your initial installtion, you upgrade to version 2.0 of the .NET Framework, you will also need to modify the web.config used by IIS. See Enabling support for ASP.NET 2.0 on page 486.
Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.
37
Maintaining security By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.
Managing objects The CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.
Managing servers By staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.
Managing auditing By collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.
Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organizations preferred database server. For details about setting up
38
CMS databases, see the BusinessObjects Enterprise Installation Guide. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Note:
It is strongly recommended that you back up the CMS system database, and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator. The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD. You can access the audit database directly to create custom audit reports. See the BusinessObjects Enterprise Auditors Guide for more information.
On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later. For more information about Auditing, see the BusinessObjects Enterprise Auditors Guide.
Event Server
The Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event. After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event. Note: Schedule-based events, and custom events are managed by the CMS.
39
The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other. In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory. Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.
Cache Server
The Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page. If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then
40
caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers.
Processing tier
The processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.
Job servers Web Intelligence Report Server Report Application Server (RAS) Page Server
Job servers
A Job Server processes scheduled actions on objects at the request of the CMS. When you add a Job Server to the BusinessObjects Enterprise system, you can configure the Job Server to:
41
If you configure a Job Server to process report objects, it becomes a Report Job Server. If you configure a Job Server to process program objects, it becomes a Program Job Server, and so on. The processing tier includes:
Report Job Server Program Job Server Web Intelligence Job Server Destination Job Server List of Values Job Server Desktop Intelligence Job Server
42
If the request is for an object, it retrieves the object from the Input File Repository Server. If the request is for a report or program instance, it retrieves the instance from the Output File Repository Server.
The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a users inbox, or outside the system, for example, by sending a file to an email address. The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers.
43
Page Server
The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.) The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to
44
the Cache Server and Page Server. (However, if a users default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).
Data tier
The data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.
See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.
Report viewers
BusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise Users Guide or the Crystal Reports Developers Guide.) All of the viewers fall into two categories:
client-side viewers Client-side viewers are downloaded and installed in the users web browser. zero client viewers The code to support zero client viewers resides in the application tier.
45
All report viewers help process requests for reports, and present report pages that appear in the users browser. Client-side viewers Client-side viewers are downloaded and installed in the users browser. When a user requests a report, the application server processes the request, and retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The application server then passes the report pages to the client-side viewer, which processes the report pages and displays them directly in the browser. Zero client viewers Zero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the report pages and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the users web browser. Installing viewers If they havent already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the users machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.
Information flow
This section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:
What happens when you schedule an object? What happens when you view a report?
46
When a user schedules an object using InfoView, the following happens: 1. 2. 3. 4. 5. 6. InfoView sends the request to the web server. The web server passes the web request directly to the application server, where it is evaluated by the BusinessObjects Enterprise SDK. The SDK passes the request to the CMS. The CMS checks to see if the user has sufficient rights to schedule the object. If the user has sufficient rights, the CMS schedules the object to be run at the specified time(s). When the time occurs, the CMS passes the job to the appropriate job server. Depending on the type of object, the CMS will send the job to one of the following job servers:
7.
If the object is Web Intelligence document, it sends the job to the Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server. If the object is a report, it sends the job to the Report Job Server. If the object is program, it sends the job to the Program Job Server.
The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully. If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.
8.
Note:
The Cache Server and the Page Server do not participate in scheduling reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.
47
Report viewing with the Cache Server and Page Server Report viewing with the Report Application Server Viewing Web Intelligence documents
When you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In addition, the processing flow for custom applications may differ. In all cases, however, the request that begins at the web server must be forwarded to the application server. The actual request is constructed as a URL that includes the reports unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the users session and retrieves the logon token from the browser. The script then checks the users InfoView preferences and redirects the request to the viewing mechanism that corresponds to the users default viewer. Different report viewers require different viewing mechanisms:
The zero-client DHTML viewer is implemented through report_view_dhtml.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.
The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.
The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA. The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page (in .epf format) from the Cache Server and Page Server. If they havent already done so, users are prompted to download and install the appropriate viewer software.
48
2.
The application server sends the report to the users Web browser in one of two ways, depending on how the initial request was made:
If the initial request was made through a DHTML viewer (report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the users web browser.
49
If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the cached pages (.epf files) through the web server to the report viewer software in the users web browser.
2.
d.
5.
50
6.
7.
b.
51
8. 9.
The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK. If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.
10. The SDK applies an XSLT style sheet to the XML to transform it to HTML. 11. The viewer script returns the HTML to the browser.
Live data
On-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information thats accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isnt rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server. For more information about optimizing the performance of reports that are viewed on demand, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Tip: Users require View On Demand access to refresh reports against the database.
52
Saved data
To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database. Report instances are useful for dealing with data that isnt continually updated. When users navigate through report instances, and drill down for details on columns or charts, they dont access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database servers workload. For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report. Tip: Users require only View access to display report instances.
Note: Because these components are responsible for additional tasks, several of the components discussed here are described in additional detail elsewhere in this chapter.
53
CMS
In relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges. When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its thirdparty security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials. When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the users account or group membership provides sufficient privileges.. For more information about the CMS and the CMS database, see Central Management Server (CMS) on page 38.
54
Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise supports the following security plug-ins:
55
56
chapter
2.
3.
4.
58
To make an accurate assessment, you need to perform the following tasks: 1. Determine the number of users on the system, and the type of users they are. See Estimating the number and type of users on page 59. 2. 3. Estimate the number of simultaneous requests. See Estimating the number of simultaneous requests on page 61. Estimate the number of concurrent active users and simultaneous viewing sessions. See Estimating the number of concurrent active users and viewing sessions on page 62. If you are assessing the performance of an existing system, you can use server metrics to determine how your system is currently being used. For information about assessing the performance of an existing deployment of BusinessObjects Enterprise, see Assessing your systems performance on page 338.
59
Note: The number of concurrent users will be used to calculate the resource requirements for the Web Application Server and the number of concurrent active users. For information, see Estimating the number of concurrent active users and viewing sessions on page 62. 4. Divide the number of concurrent users into groups according to how they will use the system:
Heavy Users Heavy users are logged onto the system all day. They interact with objects continuously throughout the day, averaging one request per second.
Active Users Active users log onto the system frequently throughout the day. They average one request every four seconds. Moderate Users Moderate users log onto the system at various points throughout the day. They average one request every eight seconds. Light Users Light users log onto the system infrequently. They view a couple of objects and log out, averaging one request every 16 seconds.
Make note of the number of users that fall into each of these groups.
Determine the number of users for each geographical location. Where your users are can affect how you configure your system architecture. Make note of the number of users at various locations. You may want to establish local processing servers to account for significant load in areas with more users.
Estimate traffic schedule. Knowing when your users are likely to use BusinessObjects Enterprise can also help you configure your deployment. If users around the world access the system throughout the day and night, then the system should be prepared for the continuous traffic. Or, you may run all of your scheduled objects in the evenings and your users dont access them until the morning, so you may want to maintain different server configurations for day and night traffic. It is also important to consider traffic from different time zones.
60
For example, if you have 400 concurrent users and 10 are heavy users, 40 are active users, 150 are moderate users, and 200 are light users, the formula will look like this:
(10*1) + (40*.25) + (150*.12) + (200*.06) = 10 + 10 + 18 + 12 = 50 simultaneous requests
3.
If necessary, round up the result for your final estimate of the number of simultaneous requests.
Note: This step procedure uses the following common usage rates tested by Business Objects:
61
For every 100 heavy users For every 100 active users For every 100 moderate users For every 100 light users
Users Determine the number and type of concurrent users. (For information about estimating the number of concurrent users, see Estimating the number and type of users on page 59.) How many concurrent users do you have? What percentage of these users will have an active viewing session at the same time? To begin estimating the number of concurrent active users, you can add the number of users that you classified as heavy and active users when you sorted them into groups.
62
Objects
Estimate the number of objects per user. Will your users publish and view their own documents? Or will they spend more time viewing company-wide or departmental reports? How many objects will they use at once? You need to determine how many unique objects such as Crystal reports and Web Intelligence documents might be viewed at the same time by multiple users.
Estimate the types of objects. The types of objects also affect the number of concurrent active users. Split the total number of objects per user into unique and shared objects. Will your users share documents and reports with others? Shared objects reduce the number of concurrent active users because they allow multiple users to use the same viewing session. Typically, static objects such as operational view-only Crystal reports are more likely to share viewing sessions than Web Intelligence documents or OLAP Intelligence reports, which are dynamically interactive. Keep this in mind when you calculate the shared component of your load requirements.
Viewing sessions
To estimate the number of simultaneous viewing sessions, consider the following examples:
If every user logged onto the system is interacting with a single unique object (such as a report, a document, or a dashboard), the number of viewing sessions is equal to the number of concurrent users. If you had 100 users viewing 100 unique objects, then the number of viewing sessions equals 100. If every user logged onto the system is interacting with more than one unique object, the number of viewing sessions is higher than the number of concurrent users. If every user viewed two unique objects, for example, then the number of viewing sessions will be twice the number of concurrent users. If every user logged onto the system is viewing one or more objects that are not unique (shared between users), the number of viewing sessions will be lower than the number of concurrent users. If you have 100 users and 50 of them are viewing a shared report, while the other half are interacting with a single unique object, then there will be 51 viewing sessions: one for the shared report and 50 for the unique objects.
63
Based on your understanding of your users and the shared and unique content they need, you can use the following equation to determine a rough estimate of the number of viewing sessions:
(# of unique objects)(number of concurrent users viewing unique objects) + number of shared objects
For example, if you have 100 concurrent active users and 20 users are viewing 2 shared objects and 80 users are viewing 2 unique objects each, then you will have 162 simultaneous viewing sessions:
(2)(80) + (2) = 162
If you have 100 concurrent active users and 80 users are viewing 2 shared objects and 20 users are viewing 2 unique objects each, then you will have 42 simultaneous viewing sessions:
(2)(20) + (2) = 42
The number of BusinessObjects Enterprise server components (or services) you need in order to accommodate the load. The number of CPUs required to run the server components and support the load.
For a table summarizing resource calculations, see Summary of resource calculations on page 73.
Central Management Server Web Application Server Cache Server Report Job Server
64
List of Values Job Server Web Intelligence Report Server Report Application Server Page Server
It is important to note that the service threshold numbers provided in this section are based on benchmark testing performed by Business Objects. The test machines had an average clock speed of 2.5 GHz with 2 GB memory per CPU. These threshold numbers are intended only as a baseline to help you determine the size and configuration of your system. These numbers are affected by many factors, such as: the size and complexity of objects; the number of users; your network speed; operating system; clock speed; application server; disk speed; memory; and many more factors. The sample threshold numbers provided here assume that each BusinessObjects Enterprise server is installed on a separate machine and that each machine is a single CPU box. After you perform the initial sizing calculations, you can adjust the sizing numbers and system configuration to accommodate your specific system requirements. It is important to monitor your system performance regularly and adjust the configuration accordingly. For more information about monitoring performance, see Assessing your systems performance on page 338. Note: For more information about these server components and how they work together, see BusinessObjects Enterprise Architecture on page 29. Note: The Event Server is not a processing- or memory-intensive server, so it is not included in the discussion of service thresholds. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366.
One Central Management Server can handle 600 concurrent active users and 150 simultaneous requests. One CPU can handle 500 concurrent active users and 150 simultaneous requests.
For example, to support 4000 concurrent active users generating 400 simultaneous requests, your deployment could include:
65
Two quad boxes with four CMS services each. Eight single CPU machines with one CMS service each.
Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.
There are many factors that can increase the amount of memory required for the Central Management Server. Report objects and instances in particular can vary in size considerably. For example, report instances that contain numerous prompts will be larger than average because every string prompt requires 256 bytes. In normal operation, the Central Management Server keeps only the most recently accessed objects in memory. During periods of rapid object access, such as batch reporting, the Central Management Server may exceed the specified amount of memory.
Memory requirements depend on the number of individual accounts and objects that need to be loaded by the Central Management Server. For example, when you access a folder or a category, if the folder contains many objects and instances, it will take longer to load. By maintaining a detailed and organized folder structure, you can improve the speed of your system. The registry setting MaximumObjectsToKeepInMemory controls the number of objects kept in memory by the Central Management Server. Adjust this setting if memory resources on the Central Management Server are either scarce or plentiful.
66
Processing the .NET/Java script Translating the Encapsulated Page Files (page on demand) to DHTML pages. Communicating with the Crystal Reports Cache Server for report view requests. Managing session state information for the users. Facilitating OLAP Intelligence view requests. Communicating with the Web Intelligence Report Server for view requests.
Web Application Server thresholds generally depend on the number of CPUs and the number of services running on them. Its good practice to configure for a higher number of users and simultaneous requests than your current system usage.
One service can handle virtually unlimited numbers of concurrent users and simultaneous requests, but consult your web application server documentation for specific numbers. One CPU can handle 400 concurrent users One CPU can handle 100 simultaneous requests if ActiveX is used as a primary viewer. One CPU can handle 50 simultaneous requests if DHTML is used as a primary viewer. One CPU can handle 40 simultaneous requests if OLAP Intelligence is used as a primary document viewing engine (OLAP DHTML viewer).
For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include one web application service installed across
10 single-CPU machines. Two quad boxes and a dual machine. Five dual machines.
Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.
67
Cache Server
The Cache Server handles all report viewing requests. When the Cache Server receives a request, it checks whether of not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays the required data and the data has been refreshed from the database within the specified interval, the Cache Server returns the cached report page to the Web Application Server. If not, then the page is requested from the Page Server. The thresholds for the Cache Server are:
1 service can handle 400 simultaneous requests. 1 CPU can handle 200 simultaneous requests.
For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include: one Cache Server service installed across a dual-CPU machine. two Cache Server services installed across two single-CPU machines.
Note: Since the Cache Server works directly with the Page Server, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers.
One Job Server can handle 20 concurrent Crystal Reports jobs. One CPU can handle five concurrent Crystal Reports jobs.
Do not set individual Job Servers to process more than 20 simultaneous jobs. For example, if there are 40 simultaneous jobs and you have an 8-CPU computer, configure two Job Servers on the machine with each server set to handle 20 simultaneous jobs. Note: Complex reports that retrieve and process a large set of data should be scheduled. Jobs run as independent processes rather than threads on the Reports Job Server. This requires more resources for each job, but allows for efficient processing of a smaller set of large processing reports.
68
((# of reports) x (average report processing time)) / ((time window) x (maximum number of jobs per job server) = # of job servers required
Note: Make sure you use the same time measurement (minutes, for example) for the average report processing time and the time window. (The time window is the maximum amount of time the system can take to process the reports.) For example:
(200 reports x 1 minute) / (10 minutes x 20) = 1 job server required
One List of Values Job Server can handle 20 simultaneous requests. One CPU can handle five simultaneous requests.
One Web Intelligence Report Server can support 25 simultaneous viewing sessions. One CPU can support 25 simultaneous viewing sessions.
For example, if you expect users of Web Intelligence documents to need an average of 100 simultaneous viewing sessions, you could have four Web Intelligence Reports Server services installed on a quad machine.
69
Note: Memory requirements can be affected by the document design and the types of actions being performed. For example, a refresh request demands the greatest amount of memory for a Web Intelligence document because the database is queried and the entire dataset is transferred to the Web Intelligence Report Server.
One Report Application Server can handle 200 simultaneous requests. One CPU can handle 25 to 75 simultaneous requests. For optimal performance, use 25 simultaneous requests for your calculations.
For example, if you expect 100 concurrent active users viewing or modifying a Crystal report, you could configure a quad machine with one Report Application Server installed for each CPU.
Page Server
The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and access rights for the object). The Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server interact to ensure cached EPF pages are reused as frequently as possible. The number of concurrent active users is not important for determining the number of Page Servers you need, because BusinessObjects Enterprise automatically creates new Page Server processes to accommodate extra traffic. Because Cache Servers work directly with Page Servers, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers. The thresholds for the Page Server are as follows:
One CPU can handle 25 to 75 simultaneous requests. The recommended settings is 50.
For example, to support 400 simultaneous requests, your deployment could include:
one Page Server service installed across an 8-way CPU machine. two Page Server services installed across two quad CPU machines.
70
Note: Unless the machine is dedicated to serve multiple Page Server groups, do not install more than one Page Server on a single machine (even if the machine has four or more CPUs).
For 1 CPU, the Maximum Simultaneous Report Jobs is 50. For 2 CPUs, the Maximum Simultaneous Report Jobs is 50. For 4 CPUs, the Maximum Simultaneous Report Jobs is 100. For 8 CPUs, the Maximum Simultaneous Report Jobs is 200.
The estimated number of concurrent users. The estimated number of simultaneous requests. The estimated number of concurrent active users and viewing sessions. Service threshold information for each server type.
This section provides examples of how to calculate the minimum required resources for your deployment. Note: You may also want to expand the system to account for high availability. For information about designing for high availability, see Designing for high availability on page 76.
71
Cache Server
Assume for this example that you have 800 concurrent users using the ActiveX viewer and there are 500 simultaneous requests. Each Cache Server can handle 200 simultaneous requests per CPU. This system requires three Cache Servers installed across three single-CPU machines.
72
Page Server
Assume for this example that you have 500 simultaneous requests. One CPU can handle 50 simultaneous requests, this system requires 10 CPUs. You need only one Page Server service per machine, because it automatically creates new processes on each machine to account for high traffic. In this example, you could use 3 Page Servers installed across two quad machines and one dual machine.
The server component. The user and traffic loads that each server component can support. The user and traffic loads that each CPU can handle when running the server component. A sample configuration.
For more information about the service thresholds, see Analyzing service thresholds on page 64. For more information about making resource calculations, see Calculating the minimum resource requirements on page 71.
73
Example
600 concurrent active users per CMS 150 simultaneous requests per CMS 400 concurrent users per Web Application Server
500 concurrent active users per CPU 150 simultaneous requests per CPU
If you have 600 concurrent active users running an average of 100 simultaneous requests, you will need one CMS across two CPUs. If you have 600 concurrent users using the ActiveX viewer and generating an average of 100 simultaneous requests, you will need two Web Application Servers running on a single CPU.
400 concurrent users per CPU 100 simultaneous requests using the ActiveX viewer per CPU 50 to 75 simultaneous requests using the DHTML viewer per CPU 40 OLAP Intelligence requests using the OLAP Intelligence DHTML viewer per service per CPU 200 simultaneous requests per CPU
Cache Server
If you have 600 concurrent users running an average of 500 simultaneous requests, you will need three Cache Servers installed across three CPUs. If you need to run 40 report objects simultaneously every day at midnight, you will need two Job Servers, running on eight CPUs (two quad machines).
74
Example
If you need to run 10 objects that use List of Values objects simultaneously, you will need three Job Servers, running on ten CPUs (two quad machines and a dual machine). If you need to support 100 simultaneous viewing sessions, you will need four Web Intelligence Report Servers running across four CPUs (one quad machine). If you need to support 300 simultaneous requests, you will need two Report Application Servers running across 12 CPUs (three quad machines). If you need to support 400 simultaneous viewing sessions, you will need 8 CPUs (two quad machines).
Page Server
25 to 75 simultaneous viewing sessions per CPU. (Use 50 simultaneous viewing sessions for your initial calculations.)
75
Fault tolerance If a BusinessObjects Enterprise service fails, a fault tolerance system allows for continuous processing of system requests with no loss of service. To achieve this level of availability, you need to provide duplicate BusinessObjects Enterprise services. For example, if a Web Intelligence Job Server fails, you need a duplicate Web Intelligence Job Server to immediately take its place to process requests with no loss of service.
Disaster recovery A disaster recovery plan consists of precautions to be taken in the event of a full system failure. A disaster recovery plan needs to minimize the effects of the disaster on the organization so you can maintain or quickly resume important system functions. If your organization has multiple offices, it is good practice to keep the backup system in a different geographical location. A BusinessObjects Enterprise disaster recovery plan often involves implementing redundant servers in a backup system that mirrors the primary system. In the event that the primary system goes down, the backup system is still available and becomes the full production system. Note: When you back up your primary system, you need to back up: the Central Management Server system database; the content of the Input and Output File Repository Servers; the user ID and password for the Administrator account; the application code from the Web Application Server; and the registry settings (if manual changes were made).
You may not have the resources to implement a high degree of availability, but there are still best practices you can use to provide the best possible availability for your system.
76
CMS clustering With CMS clustering, a set of two or more CMS server machines function as a single Central Management Server. In the event of a failure, the workload of the failed CMS is picked up by another available CMS within the cluster. For more information about CMS clustering, see Clustering Central Management Servers on page 114.
Active and passive File Repository Servers Your deployment can have multiple Input and Output File Repository Servers. The first File Repository Server pair to register with the CMS cluster becomes the active FRS pair and the other FRS services are considered passive. Although all File Repository Server services run simultaneously, only the active FRS pair handles requests. In the event that an active FRS fails, a passive FRS that is registered with the CMS cluster is changed to active status. When the previously active FRS becomes operational again, it is registered as a passive FRS with the CMS.
For disaster recovery, the most important considerations for disaster recovery are backups and data recovery. Depending on your organizations needs, it may also be important to minimize down time. If your system must remain available during a disaster, its good practice to maintain a full backup system that mirrors the primary system. If you set up a backup system, ensure that the two systems do not run at the same time. Otherwise, the primary and backup systems may not be synchronized properly. You can configure the primary and backup systems as
77
members of the same CMS cluster regardless of location, but ensure that the the primary and backup CMSs run off of the corresponding primary and backup system databases.
Common configurations
After you determine the needs of your users and the resources required for the deployment, you can develop an initial deployment architecture for BusinessObjects Enterprise. This section describes potential scenarios for administrators who are planning an installation of BusinessObjects Enterprise. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about assessing your systems unique needs, see Assessing your organizations needs on page 58. For information about fine-tuning performance, see Improving Performance on page 337. It is also recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide. Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see Adding and deleting servers on page 105. This section describes the following common configurations:
Single-machine architecture on page 79 Balanced processing architecture on page 79 High availability clustered architecture on page 80 Firewalled architecture on page 81
For a detailed sample deployment that illustrates the concepts described in this chapter, see Server deployment and firewall configuration on page 435.
78
Single-machine architecture
Useful for testing purposes, this basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not need to share with database and web server processes. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:
Install all of the BusinessObjects Enterprise servers on a single, dedicated machine. Run the CMS database on your database server. If you are still using the MySQL CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.
Install the BusinessObjects Enterprise management components on one machine. For example, you could install the Central Management Server and the Event Server on one machine. Note: Here, the Event Server is installed on the same machine as the Central Management Server. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.
79
Install the web services components on the second machine. For example, you could install the web application server, the Web Component Adapter, and the Cache Server on the second machine. Note: In this example, the Cache Server is installed with the The Cache Server is included with the web services components because it communicates regularly with the Web Application Server. You could install it on the third machine instead.
On the third machine, install the storage and processing components: the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server. Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
Install the balanced processing setup first. Verify that BusinessObjects Enterprise is functioning correctly. For details, see Balanced processing architecture on page 79. Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed.
80
Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on). For more information about CMS clustering, see Clustering Central Management Servers on page 114. Note: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.
On the remaining machine, install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and Report Application Server, along with a pair of Input and Output File Repository Servers. Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.
Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
Firewalled architecture
Another common configuration is a firewalled architecture based on one of the previous configurations. For a detailed example of a firewalled deployment, see Server deployment and firewall configuration on page 435. For general information about configuring firewalls with BusinessObjects Enterprise, see Working with Firewalls on page 157.
81
82
chapter
Overview
WebSphere Application Server Network Deployment has the ability to balance the application workload through the use of vertical and horizontal scaling. A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. While you can configure either type of cluster, or have a combination of vertical and horizontal clusters, this section explains how create a vertical cluster and deploy InfoView on this vertical cluster. When you cluster InfoView in the method described in this section you will create logon session affinity, not session failover. This means that under normal circumstances, once a session begins, all requests for that session go to the same cluster member. However, if the cluster member processing your session fails, your session will be automatically redirected to another functioning cluster. While you will not be required to log on again, you may loose your context, and may be required to navigate back to your original location. Note: Logon session affinity is only supported for InfoView. None of the other applications have support for this feature at this time.
IBM WebSphere Application Server Network Deployment with administrative privileges. IBM WebSphere Application Standalone Server with administrative privileges.
84
Starting the servers on page 85 Creating a cluster on page 87 Checking the assigned port number on page 89 Adding the assigned port number on page 90 Setting heap size on page 90 Setting internal system configuration on page 92 Installing the applications on page 93
Mapping BusinesssObjects WAR files to the cluster on page 95 Regenerating the web server plugin on page 96
Note: You can also use serverStatus -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
startManager
2.
Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
addNode localhost 8879
3.
Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
serverStatus nodeagent
Note: You can also use serverStatus -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
startNode
85
4.
Initialize the HTTP server: a. b. c. Open Windows Services Scroll down and select IBM HTTP Server 1.3.26 If the status of the IBM HTTP Server is not set to Started, click the start icon in the tool bar.
The servers are now started and you are ready to create a cluster. To start the servers in UNIX Note: You may require sudo authority on your UNIX machine to start the server. This type of authority is granted by your UNIX administrator. 1. Start the deployment manager if its not already running: a. b. In a command prompt, navigate to the <network_deployment_root> bin directory. Issue the following command to check the status of the deployment manager server:
./serverStatus.sh dmgr
Note: You can also use ./serverStatus.sh -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
./startManager.sh
2.
Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
./addNode.sh localhost 8879
3.
Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
./serverStatus.sh nodeagent
Note: You can also use ./serverStatus.sh -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
./startNode.sh
86
4.
Initialize the HTTP server: a. Issue the following command to check if HTTP server is running:
ps -ef | grep httpd
Note: You should see a list of processes running with the name of "httpd". b. If httpd is not running, start your HTTP server manually by issuing the following command:
IHS_install_dir/bin/apachectl start
The servers are now started and you are ready to create a cluster.
Creating a cluster
A cluster is a group of application servers (cluster members) that are distributed across one or more nodes. An application installed in the cluster runs on each cluster member, so workload management and failover are provided for the application. Following are the steps involved in creating a cluster: 1. To create a cluster Start the IBM WebSphere Administrative Console in your browser.
2. 3. 4. 5. 6.
For IBM WebSphere 5.1, type http://servername:9091/admin/ For IBM WebSphere 6.0, type http://servername:9060/admin/
Logon to the administrative console. Expand Servers and click Clusters. Click New. The Step 1 : Enter Basic Cluster Information panel appears. In the Cluster Name field, type MyCluster. Verify that Prefer local enabled is selected. This specifies whether EJB requests are routed to the node on which the client resides, if possible.
7.
Select Create Replication Domain for this cluster. This will create a single replication domain for the cluster to allow replication of session data for a failover.
8.
Verify that Do not include an existing server in this cluster is selected. This will create the first cluster member as a new application server instead of using the server1 application server as the first member of your cluster.
87
9.
Click Next. The Step 2 : Create New Clustered Servers panel appears.
10. Define a node for the cluster: a. b. c. d. e. f. In the Name field, type MgServer1. Click your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. Select Existing application server and click was5hostNetwork/ was5host/server1 to select the template in the drop down menu. This will allow the server to use the setting of the server1 applications server as the template for your cluster members. g. h. Click Apply. MgServer1 is now displayed in the table Application servers, at the bottom of the page. Add another cluster member to the server by typing MgServer2 in the Name field. Click on your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. f. g. Click Apply. MgServer2 is now displayed in the table Application servers, at the bottom of the page.
11. In the same panel, define another node for the cluster: a. b. c. d. e.
12. Click Next. 13. Review the configuration summary and click Finish. The cluster is now created in the configuration. For each newly defined node go to Servers and click on Application Servers. 14. Save your changes: a. Click the hyperlink Save in the task bar at the top of the console to open the Save page.
88
b. c.
On the Save page, expand and review the list of files to be changed. Click Save.
The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the host name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list. 1. To check the assigned ports in WebSphere 6.0 Expand Servers and click Application Servers. The servers that you created (MgServer1 and MgServer2) in the section Creating a cluster on page 87 are now listed on the Application Servers page. 2. 3. Click MgServer1. Go to the HTTP Transports page. a. b. Under Container Settings, expand Web Container Settings. Click Web container transport chains to view the HTTP ports.
The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the port name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list.
89
Note: Follow this step to add other port numbers to the host aliases list. Save your configuration: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
90
4. 5. 6. 7. 8.
Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Note: Follow the same procedure to set heap sizes of any other servers. 1. 2. 3. To set the heap size in WebSphere 6.0 Expand Servers and click Application Servers. Click on the application server to set its heap size. Go to the JVM page. a. b. c. 4. 5. 6. 7. 8. Under the Server Infastructure section, click and expand Java and Process Management. Click on Process Definition. In the Additional Properties section, click on Java Virtual Machine.
Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Note: Follow the same procedure to set heap sizes of any other servers.
91
4. 5. 6.
If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.
Click New. In the * Name field, type PATH. In the * Value field, type the path that points to BusinessObjects folder. Note: The default location of this folder is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86. Modify the path if you changed the default location.
7. 8. 9.
Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
1. 2. 3.
To set internal system configuration in UNIX Expand Servers and click on Application Servers. Click on your server name. Go to the Custom Properties page.
4.
If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.
Click New.
92
5.
In the * Name field, type the name of the path variable that applies to your deployment. These are your options:
Operating Variable System For Solaris LD_LIBRARY_PATH For AIX For Linux For HPUX 6. LIBPATH LD_LIBRARY_PATH SHLIB_PATH
In the * Value field, type the path that points to BusinessObjects platform name folder. The location of this file is <INSTALLDIR>/bobje/enterprise115/ solaris_sparc
Replace INSTALLDIR with the location of your installation and replace solaris_sparc with the platform name that applies to your installation. The platform name options are as follows:
7. 8. 9.
Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
93
Note: The default location for the application files is c:\Program Files\Business objects\BusinessObjects Enterprise 11.5\java\applications\ 5. 6. 7. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 8. 9. Select the application server you created from the Clusters and Servers field. Select the module to apply it to, and click Apply. Note: You will receive a message when the process is complete. 1. 2. 3. 4. To install the applications in UNIX Go to the administrative console. Expand Applications and click Install New Application Select the Server Path button. Click Browse and then find the location of the war files. Note: The application files can be found in the location <INSTALLDIR>/bobje/enterprise115/java/applications, where INSTALLDIR is the directory where you installed BusinessObjects Enterprise. 5. 6. 7. 8. Click the button beside the file you want to deploy, and then click OK. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 9. Select the application server you created from the Clusters and Servers field.
10. Select the module to apply it to, and click Apply. 11. Click Next, and click Finish. Note: You will receive a message when the process is complete.
94
In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.
5. 6. 7.
Select your module from the Module section of the table. Click Apply, and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
1. 2. 3.
To map BusinessObjects WAR files to the cluster in WebSphere 6.0 In the navigation menu, expand Applications and click on Enterprise Applications. Click on desktop_war from the list. Go to the Map modules page. a. b. Scroll down to Additional Properties. Click on Map modules to servers.
4.
In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.
5. 6.
Select your module from the Module section of the table. Click Apply, and OK.
95
7.
Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Note: If the update is successful, a confirmation message will appear at the top of the page stating, The web server plugin configuration was updated successfully. 2. You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file. To regenerate the web server plugin in WebSphere 6.0 Follow these steps to update the web server plugin: a. b. 2. In the navigation menu, expand Servers and click on Web servers. Select your server from the list and click on Generate Plug-in.
1.
You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file.
96
chapter
Central Management Console (CMC) The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.
Central Configuration Manager (CCM) The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network.
You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.
98
Managing and Configuring Servers Viewing and changing the status of servers
Related topics:
For an overview of the multi-tier architecture and the BusinessObjects Enterprise server components, see BusinessObjects Enterprise Architecture in the BusinessObjects Enterprise Administrators Guide. With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.
Starting, stopping, and restarting servers on page 99 Enabling and disabling servers on page 102 Stopping a Central Management Server on page 102 Printing, copying, and refreshing server status on page 104
99
Managing and Configuring Servers Viewing and changing the status of servers
Description
You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings. If you have stopped a server to configure it, you need Starting a server to start it to effect your changes and to have the server resume processing requests. Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server. Tip: When you stop (or restart) a server, you terminate the servers process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress. For details, see Enabling and disabling servers on page 102. To start, stop, or restart servers with CMC Note: You cannot use CMC to stop the CMS. You must use the CCM instead. See Stopping a Central Management Server on page 102 for more information. 1. Go to the Servers management area of the CMC. A list of servers appears. The icon associated with each server identifies its status:
Running is indicated by a server with a green arrow. Stopped is indicated by a server with a red arrow. Disabled is indicated by a server with a red circle.
In this example, the Page Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.
100
Managing and Configuring Servers Viewing and changing the status of servers
2. 3.
Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Start, Stop, or Restart. You may be prompted for network credentials that allow you to start and stop services running on the remote machine.
4. 1. 2. 3.
Click Refresh to update the page. To start, stop, or restart a Windows server with the CCM Start the CCM. Select the server that you want to start, stop, or restart. On the toolbar, click the appropriate button.
Toolbar Action Icon Start the selected server. Stop the selected server. Restart the selected server. You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message. The CCM performs the action and refreshes the list of servers.
101
Managing and Configuring Servers Viewing and changing the status of servers
To start, stop, or restart a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.
102
Managing and Configuring Servers Viewing and changing the status of servers
The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled.
2. 3. 1. 2. 3. 4.
Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Enable or Disable. To enable or disable a Windows server with the CCM Start the CCM. On the toolbar, click Enable/Disable. When prompted, log on to your CMS with the credentials that provide you with administrative privileges to BusinessObjects Enterprise. Click Connect. The Enable/Disable Servers dialog box appears.
This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.
103
Managing and Configuring Servers Viewing and changing the status of servers
5. 6.
To disable a server, clear the check box in the Server Name column. Click OK to effect your changes and return to the CCM.
To enable or disable a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.
Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.
104
Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide. Note: You can also add and delete servers from the Central Management Console. For more information, see the BusinessObjects Enterprise Administrators Guide.
Adding a server
These steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine. To add a Windows server Note: To complete this procedure, you must log on as an Administrator of the local machine. 1. 2. Start the CCM on the BusinessObjects Enterprise machine upon which you want to install a new server. On the toolbar, click Add Server. The Add Business Objects Server Wizard displays its Welcome dialog box. 3. Click Next.
105
The Server Type and Display Name Configuration dialog box appears
4. 5.
Click the Server Type list and select the kind of server you want to add. Change the default Display Name field if you want a different name to appear in the list of servers in the CCM. Note: The display name for each server on the local machine must be unique.
6.
Change the default Server Name field if required. Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC). Note: When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an Input. or Output. prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This Input. prefix is required by the system. If you subsequently modify the servers name through its command line, do not remove the prefix.
7.
Click Next. The Set Configuration for this server dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.
8.
Type the name of the CMS that you want the server to communicate with. If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#
9.
Click Next to accept any other default values, or modify them to suit your environment.
106
Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each servers command line. For details, see Changing the default server port numbers on page 147. 10. Confirm that the summary information is correct; then click Finish. The new server appears in the list, but it is neither started nor enabled automatically. 11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see Viewing and changing the status of servers on page 99. Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See the BusinessObjects Enterprise Auditors Guide for more information. To add a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.
Deleting a server
1. 2. 3. 4. To delete a Windows server Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from. Stop the server that you want to delete from the system. With the server selected, click Delete Server on the toolbar. When prompted for confirmation, click Yes.
To delete a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.
107
The majority of the settings discussed in this section allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see Working with Firewalls on page 157.
On a Java platform edit the web.xml file associated with the WCA. See Configuring the Java Web Component Adapter on page 109. On a .NET platform edit the web.config file associated with the WCA. See Configuring the .NET Web Component Adapter on page 113.
108
Windows: C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications directory UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise115/java/applications directory
For example, the context parameter that controls whether a group tree will be generated looks like this:
<context-param> <param-name>viewrpt.groupTreeGenerate</param-name> <param-value>true</param-value> <desctiption>true or false value determining whether a group tree will be generated.</description> </context-param>
To change the value of a context parameter, edit the value between the <param-value> </param-value> tags. To configure web.xml Note: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml. 1. 2. 3. 4. Stop your application server. Extract the web.xml file from the webcompadapter.war archive. Edit the file by using a text editor such as Notepad or vi. Reinsert the file into the WEB-INF directory in webcompadapter.war. Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select Add to Zip File.... Adding the file in this way ensures that it is placed in the correct directory inside the archive. 5. Restart your application server. When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.
109
Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.
cspApplication.dir
connection.cms
connection.listeningPort log.file
log.level log.entryPattern
Changing the default session timeout value for the Java CMC
The default session timeout value is 20 minutes in the CMC. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. Stop the Web application server on the machine where webcompadapter.war is deployed.
110
3.
Extract the web.xml file from the directory where webcompadapter.war is deployed by running the following command:
jar -xvf webcompadapter.war WEB-INF/web.xml
4.
Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>
5. 6. 7.
Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the webcompadapter.war with the modified web.xml file. Use the following command:
jar -uvf webcompadapter.war WEB-INF/web.xml
8.
Changing the default session timeout value for the Java InfoView
The default session timeout value is 20 minutes in the InfoView. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value for InfoView Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. 3. Stop the Web application server on the machine where desktop.war is deployed. Extract the web.xml file from the directory where desktop.war is deployed or edit the deployed web.xml file.
Note: Instead of extracting the web.xml from the specified location, you can edit web.xml from the deployed location. If you installed Tomcat with your installation, you can find this file in this location:
C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\ desktoplaunch\WEB-INF
111
4.
Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>
5. 6. 7.
Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the desktop.war with the modified web.xml file. Use the following command:
jar -uvf desktop.war WEB-INF/web.xml
Note: This step is not required if you did not extract the web.xml file. 8. Restart you web application server and redeploy desktop.war. Note: You dont need to redeploy desktop.war if you edited the web.xml file from the deployed location; restarting your web application server will suffice.
4. 5.
Change port 8080 to an available port number. Save and close the file.
112
To configure web.config Note: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. 2. 3. Stop your application server. Edit the web.config file by using a text editor such as Notepad. Restart your application server. Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.
connection.cms
connection.listeningPort log.file
log.level log.entryPattern
113
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the intelligence tier includes the following tasks:
Clustering Central Management Servers on page 114 Copying data from one CMS database to another on page 122 Deleting and recreating the CMS database on page 127 Selecting a new or existing CMS database on page 128 Setting root directories and idle times of the File Repository Servers on page 130 Modifying performance settings for Cache Servers and Event Servers on page 131
114
database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:
For best performance, the database server that you choose to host the system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected. For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU. Configure each machine similarly:
Install the same operating system, including the same version of operating system service packs and patches. Install the same version of BusinessObjects Enterprise (including patches, if applicable). Ensure that each CMS connects to the CMS database in the same manner: whether you use native or ODBC drivers. Make sure that the drivers are the same on each machine, and are a supported version. Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version. Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database. Run each CMS service/daemon under the same account. (On Windows, the default is the LocalSystem account.) Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).
Ensure that each and every CMS in a cluster is on the same Local Area Network.
115
If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs.
Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see Restart your application server. on page 119.
Installing a new CMS and adding it to a cluster on page 116 See this section if you have not already installed the new CMS on its own machine. Adding an installed CMS to a cluster on page 117 Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.
Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.
116
Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster. For complete requirements for CMS added to a cluster, see Clustering Central Management Servers on page 114. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.
117
3. 4.
Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the production CMS database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:
5. 6.
If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.
The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server.
To add an installed CMS to a cluster on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.
118
2.
3. 4.
Remove the comment tags from this section in the file. In the first param-value tag, list the names of each cms cluster. Begin each cluster name with a @ and separate each cluster name with a comma.
5.
In the second param-name tag, add the name of the first cms cluster. Note: Do not start the cluster name with a @.Each cluster name must be entered in the same case as in the previous step.
6.
In the second param-value tag, list the name of each CMS in that cluster and enter the port number for the CMS if required. Note: Separate each CMS name with a comma. The port number is separted from the CMS name with a colon; The port number is assumed to be 6400 unless it is specified. Note: Repeat the procedure for each CMS cluster you have.
7. 8.
119
you can connect to both databasesthrough your database client software or through ODBC, according to your configurationfrom the CMS machine whose database you are replacing. Make a note of the license keys you purchased for the current version of BusinessObjects Enterprise. During migration, license keys that are present in the destination database are retained only if the source database contains no license keys that are valid for the current version of BusinessObjects Enterprise. License keys in the destination database are replaced with license keys from the source database when the source license keys are valid for the current version of BusinessObjects Enterprise. License keys from earlier versions of Crystal Enterprise are not copied. If you are copying CMS data from a different CMS database (version 8.0, 8.5, 9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise) into your current CMS database, your current CMS database is the destination database whose tables are deleted before they are replaced with the copied data. In this scenario, make note of the current root directories used by the Input and Output File Repository Servers in the source environment. The database migration does not actually move report files from one directory location to another. After you migrate the database, you will connect your new Input and Output File Repository Servers to the old root directories, thus making the report files available for the new system to process. Log on with an administrative account to the CMS machine whose database you want to replace. Complete the procedure that corresponds to the version of the source environment:
If you are copying a CMS database from its current location to a different database server, your current CMS database is the source environment. Its contents are copied to the destination database, which is then established as the active database for the current CMS. This is the procedure to follow if you want to move the default CMS database on Windows from the local Microsoft Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative account to the machine that is running the CMS whose database you want to move. Complete the following procedure:
Copying data from one CMS database to another on page 122 When you migrate a CMS database from an earlier version of Crystal Enterprise, the database and database schema are upgraded to the format required by the current version of BusinessObjects Enterprise.
Note:
120
When you copy data from one database to another, the destination database is initialized before the new data is copied in. That is, if your destination database does not contain the four BusinessObjects Enterprise XI system tables, these tables are created. If the destination database does contain BusinessObjects Enterprise XI system tables, the tables will be permanently deleted, new system tables will be created, and data from the source database will be copied into the new tables. Other tables in the database, including previous versions of Crystal Enterprise system tables, are unaffected.
121
To change the cluster name on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477. 1. 2. 3. 4. To register servers with the CMS cluster on Windows Use the CCM to stop a Business Objects server. Select the server from the list, and then click Properties. Click the Configuration tab. In the CMS Name box, type the name of the cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box. 5. Click OK, and then start the server. Repeat for each Business Objects server in your installation. To registers servers with the CMS cluster on UNIX Use ccm.sh to stop each server. Use a text editor such as vi to open the ccm.config file found in the root directory of your BusinessObjects Enterprise installation. Find the -ns command in the launch string for each server, and change the name of the CMS to the name of the CMS cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE. Do not include a port number with the cluster name. 4. Save the file, and then use ccm.sh to restart the servers.
1. 2. 3.
122
permanently deleted (all BusinessObjects Enterprise tables are destroyed permanently and then recreated). Once the data has been copied, the destination database is established as the current database for the CMS. Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS). Tip: If you want to import users, groups, folders, and reports from one system to another, without deleting the contents of the current CMS database, see Using the Import Wizard in BusinessObjects Enterprise Administrators Guide. Depending on the platform of your system and the version of your CMS database, migrating a CMS database will include several of the following tasks:
Restart your application server. on page 119 Changing the name of a CMS cluster on page 121
When you finish copying data from the source database to the destination database, complete these steps before allowing users to access the system. When migrating from an older version of Crystal Enterprise, servers that existed in the source installation do not appear in the migrated install. This occurs because there cannot be a mix of old and new servers in a BusinessObjects Enterprise installation. Server groups from the old installation appear in the new system, but they will be empty. New servers are automatically detected and added to the servers list (outside of any group) in a disabled state. You must enable these servers before they can be used. You may add the new servers to the imported groups as appropriate. Reports that depend on a particular server group for scheduled processing will not execute until a job server is added to that group. Reports that depend on a particular server group for processing are not available until servers are added to that group. 1. To complete a CMS database migration on Windows If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran the CCM to carry out the migration. The CCM will notify you if you need to check the log file. The default logging directory is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Logging\
123
2.
If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:
Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers command lines to have them register with your new CMS.
3. 4. 5.
Use the Central Configuration Manager (CCM) to start the CMS on the local machine. Make sure your web application server is running. Log on to the CCM with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system.
6. 7. 8.
Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. In the CCM, start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are both started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.
9.
10. Return to the Central Configuration Manager. 11. If objects in your source database require updating, the Update Objects button on the toolbar will show a flashing red exclamation mark. Click Update Objects.
124
12. When prompted, log on to your CMS with credentials that provide you with administrative privileges to BusinessObjects Enterprise. The Update Objects dialog box tells you how many objects require updating. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. Because your Central Management Server was stopped when the migration occurred, you need to update the objects now. 13. If there are objects that require updating, click Update, otherwise click Cancel. 14. Start and enable the remaining BusinessObjects Enterprise servers. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully. 1. To complete a CMS database migration on UNIX If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran cmsdbsetup.sh to carry out the migration. The script will notify you if you need to check the log file. The default logging directory is:
BusinessObjects_root/logging
where BusinessObjects_root is the absolute path to the root Business Objects directory of your BusinessObjects Enterprise installation. 2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:
Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option
125
in both servers command lines to have them register with your new CMS. For more information, see Setting root directories and idle times of the File Repository Servers on page 130. 3. 4. 5. Use the ccm.sh script to start the CMS on the local machine. See ccm.sh on page 474 for more information. Ensure that the Java web application server that hosts your Web Component Adapter is running. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system. 6. 7. 8. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. Use the ccm.sh script to start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.
9.
10. Run the ccm.sh script again. If you migrated a source database from an earlier version of BusinessObjects Enterprise, enter the following command:
./ccm.sh -updateobjects authentication info
See ccm.sh on page 474 for information on the authentication information required by ccm.sh. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. 11. Use ccm.sh to start and enable the remaining BusinessObjects Enterprise servers. 12. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully.
126
127
If you have changed the password for the current CMS database, these steps allow you to disconnect from, and then reconnect to, the current database. When prompted, you can provide the CMS with the new password. If you want to select and initialize an empty database for BusinessObjects Enterprise, these steps allow you to select that new data source. If you have restored a CMS database from backup (using your standard database administration tools and procedures) in a way that renders the original database connection invalid, you will need to reconnect the CMS to the restored database. (This might occur, for instance, if you restored the original CMS database to a newly installed database server.)
Note: These steps are essentially the same as adding a CMS to an existing cluster. However, in this case, there are no other CMS machines already maintaining the database. For complete details about CMS clusters, see Clustering Central Management Servers on page 114. 1. 2. To select a new or existing database for a CMS on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar.
128
3. 4.
Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the new database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:
5. 6.
If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the CMS database; then click OK. (Click New to configure a new DSN.) When prompted, provide your database credentials and click OK. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.
The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server.
To select a new or existing database for a CMS on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.
129
Setting root directories and idle times of the File Repository Servers
The Properties tabs of the Input and Output File Repository Servers enable you to change the locations of the default root directories. These root directories contain all of the report objects and instances on the system. You may change these settings if you want to use different directories after installing BusinessObjects Enterprise, or if you upgrade to a different drive (thus rendering the old directory paths invalid). Note:
The Input and Output File Repository Servers must not share the same root directory, because modifications to the files and subdirectories belonging to one server could have adverse effects on the other server. In other words, if the Input and Output File Repository Servers share the same root directory, then one server might damage files belonging to the other. If you run multiple File Repository Servers, all Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution. The root directory should be on a drive that is local to the server.
You can also set the maximum idle time of each File Repository Server. This setting limits the length of time that the server waits before it closes inactive connections. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value too high can cause excessive consumption of system resources such as processing time and disk space. 1. 2. To modify settings for a File Repository Server Go to the Servers management area of the CMC. Click the link to the File Repository Server you want to change. By default, the File Repository Servers are named Input and Output, respectively. If you run multiple instances of each server, their names should be prefixed with Input. and Output. as appropriate. 3. Make your changes on the Properties tab. In this example, the Input File Repository Server is set to use
D:\InputFRS\ as its root directory. The server will remain idle for a
maximum of 10 minutes.
130
4.
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
131
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the processing tier includes:
Modifying performance settings on page 132 Configuring the destinations for job servers on page 133 Configuring Windows processing servers for your data source on page 140 Configuring UNIX processing servers for your data source on page 141
132
Enabling or disabling destinations for job servers on page 133 Configuring the destination properties for job servers on page 134
For information about selecting destinations for objects see the BusinessObjects Enterprise Administrators Guide.
133
4. 5.
Select the check box for each destination you want to support. Click Enable. To disable destinations, click Disable. When a destination is disabled a red circle is shown beside the name.
6.
If you enabled the destination, you must also configure the destination. See Configuring the destination properties for job servers on page 134.
Job Server Program Job Server Report Job Server Destination Job Server Web Intelligence Job Server Desktop Intelligence Job Server
For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also Enabling or disabling destinations for job servers on page 133. 1. 2. 3. 4. 5. To set the destination properties for a job server Go to the Servers management area of the CMC. Click the link for the job server whose setting you want to change. Click the Destinations tab. Click the link for the destination whose setting you want to set, for example, FTP. Set the properties for the destination. For information about the properties for each destination, see:
6. 7.
Inbox destination properties on page 135 Unmanaged Disk destination properties on page 139 FTP destination properties on page 138 Email (SMTP) destination properties on page 136
Click Update. Make sure the destination has been enabled. See Enabling or disabling destinations for job servers on page 133.
134
ShortcutThe system sends a shortcut to the specified destination. CopyThe system sends a copy of the instance, for example, the .rpt file, to the destination.
Send List Specify which users or user groups you want to receive instances from that have been generated or processed by the job server.
135
See also Configuring the destination properties for job servers on page 134. Domain Name Enter the fully qualified domain of the SMTP server. Server Name Enter the name of the SMTP server. Port Enter the port that the SMTP server is listening on. (This standard SMTP port is 25.) Authentication Select Plain or Login if the job server must be authenticated using one of these methods in order to send email. SMTP User Name Provide the Job Server with a user name that has permission to send email and attachments through the SMTP server. SMTP Password Provide the Job Server with the password for the SMTP server. From Provide the return email address. Users can override this default when they schedule an object.
136
To, Cc, Subject, and Message Set the default values for users who schedule reports to this SMTP destination. Users can override these defaults when they schedule an object. Add viewer hyperlink to message body Click Add if you want to add the URL for the viewer in which you want the email recipient to view the report. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. If you send a hyperlink, the email recipient must log on to BusinessObjects Enterprise to see the report.) Users can override this default when they schedule an object. Attach report instance to email message Clear this check box if you do not want to attach a copy of the report or program instance attached to the email. Users can override these defaults when they schedule an object. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list, and click Add. Add file extension Adds the .%EXT% extension to the specified filename. This is similar to selecting File Extension from the list and clicking Add. By adding an extension to the file name, Windows will know which program to use to open the file when users want to view the file.
137
See also Configuring the destination properties for job servers on page 134. Host Enter your FTP host information. Port Enter the FTP port number (the standard FTP port is 21). FTP User Name Specify a user who has the necessary rights to upload a report to the FTP server. FTP Password Enter the users password. Account Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it. Destination Directory Enter the FTP directory that you want the object to be saved to. A relative path is interpreted relative to the root directory on the FTP server.
138
Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file nameyou can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.
Destination Directory Type the absolute path to the directory. The directory can be on a local drive of the Job Server machine, or on any other machine that you can specify with a UNC path. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name.
139
Specified File Name Select this option if you want to specify a file nameyou can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When each instance runs, the variable is replaced with the appropriate information. For example, when you add the variable Owner, the file name of each object includes the object owners name. User Name Specify a user who has permission to write files to the destination directory. Password Type the password for the user. In this example, the destination directory is on a network drive that is accessible to the Job Server machine through a UNC path. Each file name will be randomly generated, and a user name and password have been specified to grant the Job Server permission to write files to the remote directory.
140
For details on changing the user accounts, see Changing the server user account on page 152. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation.
Native drivers
If you design reports using native drivers, you must install the appropriate database client software on each Job Server and/or Page Server machine that will process the reports. The server loads the client software at runtime in order to access the database that is specified in the report. The server locates the client software by searching the library path environment variable that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), so this variable must be defined for the login environment of each Job Server and Page Server. Depending on your database, additional environment variables may be required for the Job Server and Page Server to use the client software. These include:
Oracle The ORACLE_HOME environment variable must define the top-level directory of the Oracle client installation. Sybase The SYBASE environment variable must define the top-level directory of the Sybase client installation. The SYBPLATFORM environment variable must define the platform architecture.
DB2 The DB2INSTANCE environment variable must define the DB2 instance that is used for database access. Use the DB2 instance initialization script to ensure that the DB2 environment is correct.
141
Note: For complete details regarding these and other required environment variables, see the documentation included with your database client software. As an example, suppose that you are running reports against both Sybase and Oracle. The Sybase database client is installed in /opt/sybase, and the Oracle client is installed in /opt/oracle/app/oracle/product/8.1.7. You installed BusinessObjects Enterprise under the crystal user account (as recommended in the BusinessObjects Enterprise Installation Guide). If the crystal users default shell is a C shell, add these commands to the crystal users login script:
setenv LD_LIBRARY_PATH /opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH setenv ORACLE_HOME /opt/oracle/app/oracle/product/8.1.7 setenv SYBASE /opt/sybase setenv SYBPLATFORM sun_svr4 If the crystal users default shell is a Bourne shell, modify the syntax
accordingly:
LD_LIBRARY_PATH=/opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH;export LD_LIBRARY_PATH ORACLE_HOME=/opt/oracle/app/oracle/product/8.1.7;export ORACLE_HOME SYBASE=/opt/sybase;export SYBASE SYBPLATFORM=sun_svr4;export SYBPLATFORM
ODBC drivers
If you design reports off ODBC data sources (on Windows), you must set up the corresponding data sources on the Job Server and Page Server machines. In addition, you must ensure that each server is set up properly for ODBC. During the installation, BusinessObjects Enterprise installs ODBC drivers for UNIX, creates configuration files and templates related to ODBC reporting, and sets up the required ODBC environment variables. This section discusses the installed environment, along with the information that you need to edit. Note: If you report off DB2 using ODBC, your database administrator must first bind the UNIX version of the driver to every database that you report against (and not just each database server). The bind packages are installed below the crystal/enterprise/platform/odbc/lib directory; their filenames are iscsso.bnd, iscswhso.bnd, isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd. Because Crystal Reports runs on Windows, ensure that the Windows version of the driver has been bound to each database.
142
On UNIX, BusinessObjects Enterprise does not include the Informix client-dependent ODBC driver (CRinf16) that is installed on Windows. The UNIX version does, however, include the clientless ODBC driver for Informix connectivity.
The INSTALL_ROOT/bobje/enterprise115/platform/odbc/lib directory of your installation is added to the library path environment variable. The ODBC_HOME environment variable is set to the INSTALL_ROOT/bobje/ enterprise115/platform/odbc directory of your installation. The ODBCINI environment variable is defined as the path to the .odbc.ini file that was created by the BusinessObjects Enterprise installation.
Modify the environment variables in the env.csh script only if you have customized your configuration of ODBC. The main ODBC configuration file that you need to modify is the system information file.
The following example shows the contents of a system information file that defines a single ODBC DSN for servers running on UNIX. This DSN allows the Job Server and Page Server to process reports based on a System DSN (on Windows) called CRDB2:
[ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver
143
[CRDB2] Driver=/opt/bobje/enterprise115/platform/odbc/lib/crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database=myDB2server LogonID=username [ODBC] Trace=0 TraceFile=odbctrace.out TraceDll=/opt/bobje/enterprise115/platform/odbc/lib/ odbctrac.so InstallDir=/opt/bobje/enterprise115/platform/odbc
As shown in the example above, the system information file is structured in three major sections:
The first section, denoted by [ODBC Data Sources], lists all the DSNs that are defined later in the file. Each entry in this section is provided as dsn=driver, and there must be one entry for every DSN that is defined in the file. The value of dsn must correspond exactly to the name of the System DSN (on Windows) that the report was based off. The second section sequentially defines each DSN that is listed in the first section. The beginning of each definition is denoted by [dsn]. In the example above, [CRDB2] marks the beginning of the single DSN that is defined in the file. Each DSN is defined through a number of option=value pairs. The options that you must define depend upon the ODBC driver that you are using. These pairs essentially correspond to the Name=Data pairs that Windows stores for each System DSN in the registry:
\\HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\odbc.ini\dsn
However, the options for a particular ODBC driver on UNIX may not correspond by name to the options available for a Windows version of the same driver. For example, some Windows drivers store a UID value in the registry, and on UNIX you may need to specify this value with the LogonID option. The final section of the file, denoted by [ODBC], includes ODBC tracing information. You need not modify this section. When the installation creates the system information file, it completes some fields and sets up a number of default DSNsone for each of the installed ODBC drivers. The standard options that are commonly required for each driver are included in the file (Database=, LogonID=, and so on). Edit the file and provide the corresponding values that are specific to your reporting environment. This example shows the entire contents of a system information file created when BusinessObjects Enterprise was installed to the /usr/local directory.
144
[ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver CROR8=MERANT 3.70 Oracle8 ODBC Driver CRSS=MERANT 3.70 SQL Server ODBC Driver CRSYB=MERANT 3.70 Sybase ASE ODBC Driver CRTXT=MERANT 3.70 Text ODBC Driver [CRDB2] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database= LogonID= [CRINF_CL] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crifcl16.so Description=MERANT 3.70 Informix Dynamic Server ODBC Driver ServerName= HostName= PortNumber= Database= LogonID= [CROR8] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName= ProcedureRetResults=1 LogonID= [CRSS] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crmsss16.so Description=MERANT 3.70 SQL Server ODBC Driver Address= Database= QuotedId=Yes LogonID= [CRSYB] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crase16.so Description=MERANT 3.70 Sybase ASE ODBC Driver NetworkAddress= Database= LogonID= [CRTXT] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crtxt16.so Description=MERANT 3.70 Text ODBC Driver Database=
145
Then define the new DSN by adding the following lines just before the system information files [ODBC] section:
[SalesDB] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName=MyServer ProcedureRetResults=1 LogonID=MyUserName
Once you have added this information, the new DSN is available to the Job Server and Page Server, so they can process reports that are based off the SalesDB System DSN (on Windows).
Changing the default server port numbers on page 147 Configuring a multihomed machine on page 149 Adding and removing Windows server dependencies on page 150 Changing the server startup type on page 151 Changing the server user account on page 152 Configuring servers for SSL on page 152
146
CMS Specifies the primary BusinessObjects Enterprise port on which the CMS listens for requests from all other servers. The default is 6400. port that the CMS uses for identifying other servers and for registering with itself and/or a cluster. Selected dynamically if unspecified. n/a
Other Servers Used only in multihomed environments or for certain NAT firewall environments. In both cases, specify -port interface only. (-port number has no meaning for these servers). Specifies the port on which the server listens for BusinessObjects Enterprise requests. The server registers this port with the CMS. Selected dynamically if unspecified. Specifies the CMS that the server will register with.
-ns
147
CMS port number, you must change the -ns option in every other servers command line, to ensure that each server connects to the appropriate port of the CMS. (The -ns option stands for nameserver. The CMS functions as the nameserver in BusinessObjects Enterprise, because it maintains a list that includes the host name and port number of each server that is started, enabled, and thus available to accept BusinessObjects Enterprise requests.) You must also set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 108. If you are working with multihomed machines or in certain NAT firewall configurations, you may wish to specify -port interface:number for the CMS and -port interface for the other servers. For details, see Configuring a multihomed machine on page 149 or Configuring desktop products across a firewall on page 166. On Windows, the CCM displays default port numbers on each servers Configuration tab. This displayed port corresponds to the -port option. For servers other than the CMS, this default port is not actually in use (each server registers its -requestPort number with the CMS instead). To change the default CMS port for BusinessObjects Enterprise servers Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the BusinessObjects Enterprise servers. Add (or modify) the following option in the CMS command line:
-port number
1. 2.
Replace number with the port that you want the CMS to listen on. (The default port is 6400.) 3. Add (or modify) the following option in the command line of all of the remaining non-CMS BusinessObjects Enterprise servers:
-ns hostname:number
Replace hostname with the host name of the machine that is running the CMS. The host name must resolve to a valid IP address within your network. Replace number with the port that the CMS is listening on. 4. Start and enable all the BusinessObjects Enterprise servers. The CMS begins listening on the port specified by number, and the nonCMS servers broadcast to that port when attempting to register with the CMS. 5. Set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 108.
148
1. 2.
To change the port a server registers with the CMS Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server. Add (or modify) the following option in the servers command line:
-requestPort number
Replace number with the port that you want the server to listen on. 3. Start and enable the server. The server binds to the new port specified by number. It then registers with the CMS and begins listening for BusinessObjects Enterprise requests on the new port. By default, each server registers itself with the CMS by IP address, rather than by name. This typically provides the most reliable behavior. If you need each server to register with the CMS by fully qualified domain name instead, use the -requestPort option in conjunction with -port interface (where interface is the servers fully qualified domain name). Having the servers register by name can be useful if a NAT firewall resides between the server and the CMS. For more information, see Configuring desktop products across a firewall on page 166. You may also need to specify -port interface when BusinessObjects Enterprise is running on a multihomed machine.
149
If the machine has multiple network interfaces, interface can be the fully qualified domain name or the IP address of the interface that you want the server to bind to. If the machine has a single network interface, interface must be the IP address that you want the server to bind to. Note:
To retain the default port numbers, replace port with 6400 for the CMS. If you change the default port numbers, you will need to make additional configuration changes. For details, see Changing the default server port numbers on page 147. To configure the WCA, use interface:port when setting the connection.listeningPort context parameter in web.xml. (See Configuring the Web Component Adapter on page 108.)
Replace interface with the same value that you specified for the CMS. Ensure that each servers -ns parameter points to the CMS, and that the DNS resolves the value to the appropriate network address.
150
As shown here, at least three services should be listed: Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC).
4.
To add a dependency to the list, click Add. The Add Dependency dialog box provides you with a list of all available dependencies. Select the dependency or dependencies, as required, and then click Add.
5. 6. 7.
To remove a dependency from the list, select it and click Remove. Click OK. Restart the server.
Automatic starts the server each time the machine is started. Manual requires you to start the server before it will run. Disabled requires you to change the startup type to automatic or manual before it can run. To change the server startup type on Windows Start the CCM. Stop the server whose startup type you want to modify. With the server selected, click Properties on the toolbar.
1. 2. 3.
151
4. 5. 6.
Click the Startup Type list and select Automatic, Disabled, or Manual. Click OK. Restart the server.
To change the server startup type on UNIX On UNIX, this requires root privileges. For more information, see UNIX Tools on page 473.
Deploy BusinessObjects Enterprise with SSL enabled. Create key and certificate files for each machine in your deployment. Configure the location of these files in the Central Configuration Manager (CCM) and your web application server.
152
Note: If you are using thick clients, such as Crystal Reports or Designer you will also need to configure these for SSL if you will be connecting to the CMS from these thick client. Otherwise, you will get errors when you attempt to connect to a CMS that has been configured for SSL from a thick client that has not been configured the same way.
You need to create certificates and keys for all machines in the deployment, including machines running thick client components such as Crystal Reports. For these client machines, use the sslconfig command line tool to do the configuration. For maximum security, all private keys should be protected and should not be transferred through unsecured communication channels. For more information about using the SSLC command line tool, consult the SSLC documentation. To create key and certificate files for a machine Run the SSLC.exe command line tool. The SSLC tool is installed with your BusinessObjects Enterprise software. (On Windows, for example, it is installed by default in
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86.)
1.
2.
This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem). 3. To decrypt the private key, type the following command:
sslc rsa -in privkey.pem -out cakey.pem
This command creates the decrypted key, cakey.pem. 4. To sign the CA certificate, type the following command:
sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365
This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs.
153
5.
Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file.
Place the cakey.pem and cacert.pem files in the directories specified by sslc.cnf file's certificate and private_key options. By default, the settings in the sslc.cnf file are:
certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem
Create a file with the name specified by the sslc.cnf file's database setting. Note: By default, this file is $dir/index.txt. The file can be empty.
Create a file with the name specified by the sslc.cnf file's serial setting. Ensure that this file provides an octet-string serial number (in hexadecimal format). Note: To ensure that you can create and sign more certificates, choose a large hexadecimal number with an even number of digits, such as 11111111111111111111111111111111.)
6.
To create a certificate request and a private key, type the following command:
sslc req -config sslc.cnf -new -out servercert.req
The certificate and key files generated are placed under the current working folder. 7. 8. Make a copy of the private key.
copy privkey.pem server.key
To sign the certificate with the CA certificate, type the following command:
sslc ca -config sslc.cnf -days 365 -out servercert.pem in servercert.req
This command creates the servercert.pem file, which contains the signed certificate. 9. Use the following commands to convert the certificates to DER encoded certificates:
154
sslc x509 -in cacert.pem -out cacert.der -outform DER sslc x509 -in servercert.pem -out servercert.der -outform DER
Note: The CA certificate (cacert.der) and its corresponding private key (cakey.pem) need to be generated only once per deployment. All machines in the same deployment must share the same CA certificates. All other certificates need to be signed by the private key of any of the CA certificates. 10. Create a text file for storing the plain text passphrase used for decrypting the generated private key. 11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment:
the trusted certificate file (cacert.der) the generated server certificate file (servercert.der) the server key file (server.key) the passphrase file
This location will be used to configure SSL for the CCM and your web application server.
155
The following table shows the descriptions that correspond to these examples: Example
DcertDir=d:\ssl DtrustedCert=cacert.der
Description The directory to store all the certificates and keys. Trusted certificate file. If specifying more than one, separate with semicolons. Certificate used by the SDK. Private key of the SDK certificate. The file that stores the passphrase for the private key.
2.
If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps.
156
chapter
Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting across intranets and the Internet without compromising network security. This section provides general information about what a firewall is and types of firewalls:
If you are already familiar with firewalls and the configuration used in your network, proceed directly to Understanding firewall integration on page 162.
What is a firewall?
A firewall is a security system that protects one or more computers from unauthorized network access. A firewall restricts people to entering and leaving your network at a carefully controlled point. It also prevents attackers from getting close to your other defenses. Typically, a firewall protects a companys intranet from being improperly accessed through the Internet. A firewall can enforce a security policy, log Internet activity, and be a focus for security decisions. A firewall cant protect against malicious insiders or connections that dont go through it. A firewall also cant set itself up correctly or protect against completely new threats. To help explain how firewalls work, some basic networking terms are described here:
If you are already familiar with these topics see Understanding firewall integration on page 162.
158
Transport layer (TCP or UDP). Internet layer (IP). Network Access layer (for example, ethernet and ATM).
At the application layer, the packet consists simply of the data to be transferred. As the packet moves through the layers, each layer adds a header to the packet, preserving the data from the previous level. These headers are used to determine the packets destination and to ensure that it arrives intact. When the packet reaches its destination, the process is reversed: the layers are sequentially removed until the transferred data is available to the destination application.
Ports
Ports are logical connection points that a computer uses to send and receive packets. With TCP/IP, ports allow a client program to specify a particular server program on a computer in a network. High-level applications that use TCP/IP have ports with pre-assigned numbers. For instance, when you visit a typical HTTP site over the Web, you communicate with the web server on port 80, which is the pre-assigned port for HTTP communication. Other application processes are given port numbers dynamically for each connection. When a service or daemon initially is started, it binds to its designated port number. When any client program wants to use that server, it must also request to bind to the designated port number. Valid port numbers range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain privileged services.
Firewall types
Firewalls primarily function using at least one of the following methods:
Packet filtering on page 160 Network Address Translation on page 160 SOCKS proxy servers on page 161
BusinessObjects Enterprise works with these firewall types. Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.
159
Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering can reject packets based on the following:
The address the data is coming from. The address the data is going to. The session and application ports being used to transfer the data. The data contained within the packet. Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts. Stateless packet filters do not retain information about connections in use; instead, they make determinations packet-by-packet based only on the information contained within the packet. Firewalls that employ packet filtering will work with BusinessObjects Enterprise.
160
Static translation (port forwarding) grants a specific internal host a fixed translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service. Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address. Note: Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection.
BusinessObjects Enterprise and static translation NAT can be configured so that they work together.
161
Communication between servers on page 162 Typical firewall scenarios on page 164 Firewall configuration overview on page 164
For detailed step-by-step instructions on how to configure your system to work in a firewalled environment, see Configuring the system for firewalls on page 166.
Communication between servers and the CMS directory listing service on page 162 Communication between the application tier and CMS on page 163
Some examples also apply to communications between a BusinessObjects Enterprise server and the BusinessObjects Enterprise SDK (or other BusinessObjects Enterprise SDKs, such as the Report Application Server SDK or the Viewer SDK). Where applicable, these examples are indicated in the descriptions.
162
For example, before running a scheduled report, the Job Server must communicate with the Input File Repository Server (FRS) to obtain the report object. To do so: 1. 2. 3. The Job Server contacts the CMS and requests connection information for the Input FRS. The CMS replies to the Job Server with the IP address and port number of the Input FRS. The Job Server uses this information to connect directly to the Input FRS. All subsequent communications between the two servers continues using the same address and port. This communication model is also used when a BusinessObjects Enterprise SDK or the WCA communicates directly with a server in the Intelligence tier or the Processing tier. Communications between the CMS and the BusinessObjects Enterprise SDK and WCA follow another model. See Communication between the application tier and CMS on page 163. Using the -requestport command, you can configure any BusinessObjects Enterprise server to register a fixed port number with the CMS, rather than using one that is dynamically selected.
Note:
Before changing the default port numbers, see Changing the default server port numbers on page 147 for additional configuration information.
163
You may also change the default port that the CMS uses to listen for initial communications from the Configuration tab of the Properties dialog in the Central Configuration Manager.
The process is similar when you configure your BusinessObjects Enterprise system to communicate across SOCKS proxy filters. But BusinessObjects Enterprise provides direct support for SOCKS proxy filters, so you need only configure each component to be aware of the location and type of the proxies that they communicate with. Note: When this section mentions firewalling different BusinessObjects Enterprise components, it assumes that the components reside on separate computers. If the components reside on the same computer, their communication is uninterrupted by firewalls, and no additional configuration is required.
164
Application tier separated from the CMS by a firewall on page 165 Thick client separated from the CMS by a firewall on page 165
These scenarios are general cases: once you understand the firewalling issues involved, you should be able to support BusinessObjects Enterprise in wide variety of contexts.
Configuring NAT when application tier is separated from the CMS on page 168 Configuring packet filtering when application tier is separated from CMS on page 172 Configuring for SOCKS servers on page 175
Configuring NAT when thick client is separated from the CMS on page 171
165
Configuring packet filtering when thick client is separated from the CMS on page 174
Configuring desktop products across a firewall on page 166 Configuring for Network Address Translation on page 167 Configuring for packet filtering on page 172 Configuring for SOCKS servers on page 175
For a conceptual overview of communications between BusinessObjects Enterprise components and of supported firewall configurations, see Understanding firewall integration on page 162. Note: If you have multiple BusinessObjects Enterprise servers of a given type, the overall procedure for configuring your system to work with firewalls will not change. Configure each server as described in the section that describes your firewall environment, and then specify a firewall rule for the server.
You can use different ports than in the previous examples. However, it is not recommended you use port 6400 except as is shown in the example since port 6400 is the default port number for the CMS.
Click OK, and then restart the CMS. Repeat steps 1 through 4 for the Input FRS but add this entry to the Command field:
-port <FQDN> -requestport 6402
166
6.
Repeat steps 1 through 4 for the Output FRS but add this entry to the Command field:
-port <FQDN> -requestport 6403
Note:
Replace FQDN with the fully qualified domain name of the server running your BusinessObjects Enterprise servers. You can use different ports than in the previous examples. However, it is not recommended you use port 6400 except as is shown in the example since port 6400 is the default port number for the CMS. To make the required changes on the firewall Go to the area where you specify ports in your firewall software. Note: Consult your specific firewall documentation for details. Open the following TCP BI-Directional ports between the server running your BusinessObjects Enterprise servers and the desktop:
1. 2.
3.
Configuring NAT when application tier is separated from the CMS on page 168 Configuring NAT when thick client is separated from the CMS on page 171
167
Ports
The application server must be able to communicate with every BusinessObjects Enterprise server behind the firewall. Therefore, you must open a port on the firewall for each server. The application server must be a supported Java application server or IIS. Configuring BusinessObjects Enterprise for Network Address Translation when the application tier is separated from the CMS by a firewall includes:
Configuring the BusinessObjects Enterprise servers on page 168 Configuring the hosts files on page 169 Specifying firewall rules for NAT on page 170
1. 2. 3. 4.
To configure BusinessObjects Enterprise servers on Windows on page 168 To configure BusinessObjects Enterprise servers on UNIX on page 169 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the server. On the toolbar, click Properties. In the Command box, add the following option: -port FQDN -requestport
portnum
For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 5. 6. Click OK to return to the CCM. Start the server.
168
7. 1.
Repeat for each BusinessObjects Enterprise server behind the firewall. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the Business Objects install directory, for example /INSTALLDIR/bobje.
2. 3.
Stop the server. Edit the ccm.config file to insert the following command line: -port FQDN -requestport
portnum
For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server behind the firewall.
1. 2.
To configure the hosts files on Windows on page 169 To configure the hosts files on UNIX on page 170 To configure the hosts files on Windows Open the hosts file using a text editor like Notepad. The hosts file is located at \WINNT\system32\drivers\etc\hosts. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Use the internally routable IP address of the machine and its externally routable fully qualified domain name. Save the hosts file.
3.
169
To configure the hosts files on UNIX Note: Your UNIX operating system must be configured to first consult the hosts file to resolve domain names, before consulting DNS. Consult your UNIX systems documentation for details. 1. 2. Open the hosts file using an editor like vi. The hosts file is located in the following directory \etc Add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server. Use the translated IP address of the machine and its fully qualified domain name. Save the hosts file. On the firewall machine, add a route from the translated IP address to the actual internal IP address:
route add translatedIPaddress actualIPaddress
actualIPaddress
3. 4.
Where translatedIPDaddress is the actual translated IP address, and is the actual internal IP address for the a server.
The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See Configuring the BusinessObjects Enterprise servers on page 168 for details. Inbound Rules Source Computer Application server Application server Application server Port Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server 6400 fixed fixed Action Allow Allow Allow
170
Destination Computer Port CMS Other BusinessObjects Enterprise Server Any Any
Note: There must be one inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow
This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.
Configure only the Central Management Server and the Input File Repository Server. Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.
171
Configuring packet filtering when application tier is separated from CMS on page 172 Configuring packet filtering when thick client is separated from the CMS on page 174.
Configuring the BusinessObjects Enterprise servers on page 172 Specifying firewall rules for packet filtering on page 173
1. 2. 3. 4.
To configure BusinessObjects Enterprise servers on Windows on page 172 To configure BusinessObjects Enterprise servers on UNIX on page 173 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the first server. On the toolbar, click Properties. In the Command box, add the following option:
-requestport portnum
For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.
172
Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port cmsport to the command line, where cmsport is the new port number for the default value of 6400. For example:
-port cmsport -requestport portnum
If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 147. 5. 6. 7. 1. Click OK to return to the CCM. Start the server. Repeat for each BusinessObjects Enterprise server behind the firewall. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the BusinessObjects install directory, for example /export/home/ businessobjects. 2. 3. Stop the server. Edit the ccm.config file to insert the following command line:
-requestport portnum
For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400. If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 147. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server.
173
For details of how to specify these rules, consult your firewall documentation. For details about the rules see:
The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other BusinessObjects Enterprise servers using requestport. Inbound Rules Source Computer Application server Application server Application server Any Any Port Any Any Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server CMS Other BusinessObjects Enterprise servers 6400 fixed fixed Any Any Action Allow Allow Allow Reject Reject
Note: There must be an inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow
This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.
Configuring packet filtering when thick client is separated from the CMS
You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails.
174
Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses packet filtering is very similar to configuring your system to support a packet filtering firewall between the application tier and the Central Management Server (CMS). For full instructions, follow the detailed steps in Configuring packet filtering when application tier is separated from CMS on page 172 but:
Configure only the Central Management Server and the Input File Repository Server to use fixed port numbers for communication. Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.
Configuring the CMS for SOCKS Servers Complete these steps if one or more SOCKS servers separate the WCA from the CMS.
175
Configuring the WCA for SOCKS servers When configuring your WCA for SOCKS, complete these steps regardless of the location of your SOCKS server(s).
BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. The remaining server components automatically obtain their SOCKS configuration from the CMS, as required, so you dont need to configure them separately.
176
1.
To configure the WCA on UNIX on page 177 To configure the WCA on Windows on page 177 To configure the WCA on UNIX Run the sockssetup.sh script to configure the BusinessObjects Enterprise servers and WCA to work with the SOCKS servers. To configure the WCA on Windows Add the SOCKS information to the WCA. Edit the web.xml deployment descriptor file associated with the webcompadapter.war to insert a SOCKS URI (universal resource identifier). This URI tells your WCA how to contact the CMS through your SOCKS server(s). See Configuring the Web Component Adapter on page 108 for details on editing web.xml.
1.
2.
Edit the file C:\Inetpub\wwwroot\Web.config. a. b. Go to the line: <add key=connection.socksUri value-*/> Add the following SOCKS server information:
*Socks://Version;User:Password@SOCKSserver:Port/ CMSmachine:Port
c. 3. a. b. c. d. e. f. g.
Save the file. Start the CCM. Stop the CMS. Double-click the CMS. The Properties dialog box appears. Click Configuration tab. Enter the SOCKS information. Start the server again. Repeat step 3 for all the BusinessObjects Enterprise server.
177
178
Security Concepts
chapter
Security overview
The BusinessObjects Enterprise architecture addresses the many security concerns that affect todays businesses and organizations. The current release supports features such as distributed security, single sign-on, resource access security, granular object rights, and third-party Windows NT, LDAP, and Windows AD authentication in order to protect against unauthorized access. Because BusinessObjects Enterprise provides the framework for an increasing number of components from the Enterprise family of Business Objects products, this section details the security features and related functionality to show how the framework itself enforces and maintains security. As such, this section does not provide explicit procedural details; instead, it focuses on conceptual information and provides links to key procedures. Related topics:
For key procedures that show how to modify the default accounts, passwords, and other security settings, see BusinessObjects Enterprise Administrators Guide. For procedures that show how to set up authentication for Enterprise users, see BusinessObjects Enterprise Administrators Guide. For the basic information on how to set up third-party authentication to work with BusinessObjects Enterprise, see the following sections:
Using NT Authentication on page 211 Using LDAP authentication on page 227 Using AD with NTLM or SiteMinder on page 245
For information more in depth information how to use Kerberos with AD authentication, see the following sections: Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289
180
This section describes the authentication and authorization processes in order to provide a general idea of how system security works within BusinessObjects Enterprise. Each of the components and key terms is discussed in greater detail later in this section. The detailed information on how to implement these different methods of authentication is discussed in the following section: The current release supports these methods of authentication:
Enterprise authentication Windows NT authentication LDAP authentication Windows AD authentication Trusted Authentication
If you want to use any of the third-party methods of authentication or Trusted Authentication, you will need to configure them before you use them. See the following sections, for procedural details on how to implement these authentication methods:
Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289
Because BusinessObjects Enterprise is fully customizable, the authentication and authorization processes may vary from system to system. This section uses InfoView as a model and describes its default behavior. If you are developing your own BusinessObjects Enterprise end-user or administrative applications using the BusinessObjects Enterprise Software Development Kit (SDK), you can customize the systems behavior to meet your needs. For complete details, see the developer documentation available on your product CD.
Primary authentication
Primary authentication occurs when a user first attempts to access the system. One of two things can happen during primary authentication:
If single sign-on is not configured, the user provides their credentials, such as their user name, password and authentication type. These details are entered by the users on the logon screen. If a method of single sign-on is configured, the credentials for the users are silently propagated. These details are extracted using other methods such as Kerberos, SiteMinder.
181
The authentication type may be Enterprise, Windows NT, LDAP, or Windows AD authentication, depending upon which type(s) you have enabled and set up in the Authentication management area of the Central Management Console (CMC). The users web browser sends the information by HTTP to your web server, which routes the information to the CMS or the appropriate BusinessObjects Enterprise server.
The web application server passes the users information to logon.do or logon.aspx and runs the script. Internally, this script communicates with the SDK and, ultimately, the appropriate security plug-in to authenticate the user against the user database. For instance, if the user specifies Enterprise Authentication, the SDK ensures that the BusinessObjects Enterprise security plug-in performs the authentication. The Central Management Server (CMS) uses the BusinessObjects Enterprise security plug-in to verify the user name and password against the system database. Alternatively, if the user specifies Windows NT, LDAP, or Windows AD authentication, the SDK uses the corresponding security plug-in to authenticate the user. If the security plug-in reports a successful match of credentials, the CMS grants the user an active identity on the system and the system performs several actions:
The CMS creates an enterprise session for the user. While the session is active, this session consumes one user license on the system. The CMS generates and encodes a logon token and sends it to the web application server. The web application server stores the users information in memory in a session variable. While active, this session stores information that allows BusinessObjects Enterprise to respond to the users requests. Note: The session variable does not contain the users password. The web application server persists the logon token in a cookie on the client's browser. This cookie is only used for failover purposes, such as when you have a clustered CMS or when InfoView is clustered for session affinity, not as a part of the normal operation of the system. Note: Although it is not the default behavior, it is possible to disable the logon token, However, if you disable the logon token, you will disable failover.
Each of these steps contributes to the distributed security of BusinessObjects Enterprise, because each step consists of storing information that is used for secondary identification and authorization purposes. This is the model used in
182
InfoView. However, if you are developing your own client application and you prefer not to store session state on the web application server you can design your application such that it avoids using session variables. Note:
The third-party Windows NT, LDAP, and Windows AD security plug-ins work only once you have mapped groups from the external user database to BusinessObjects Enterprise. For procedural details, see the following sections:
Using AD with NTLM or SiteMinder on page 245 Using LDAP authentication on page 227 Using NT Authentication on page 211
In a single sign-on situation, BusinessObjects Enterprise retrieves users credentials and group information directly from the Windows NT, Windows AD or SiteMinder. Hence, users are not prompted for their credentials.
This method of single sign-on if you are using either IIS or a Java application server on Windows. Windows AD with Kerberos This method of single sign-on if you are using Java application server on Windows: Windows AD with SiteMinder. These method of single sign-on support is available on Windows or Unix, with either any supported web application server for the platform. LDAP with SiteMinder. Trusted Authentication.
183
Within the context of BusinessObjects Enterprise, we distinguish the following levels of single sign-on:
Single sign-on to BusinessObjects Enterprise on page 184 Single sign-on to database on page 184 End-to-end single sign-on on page 185
Setting up NT single sign-on on page 259 Configuring LDAP authentication on page 218 Setting up AD single sign-on on page 246
184
See these sections for information on configuring single sign-on to the database with BusinessObjects Enterprise:
Configuring Kerberos single sign-on on page 267 Configuring IIS for single sign-on to databases only on page 279 Configuring web applications for single sign-on to the databases on page 283.
Note: Single sign-on to the database with BusinessObjects Enterprise is supported if you are using IIS with Kerberos and SQL Server for you database.
Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to
185
BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise supports the following security plug-ins:
BusinessObjects Enterprise security plug-in on page 186 LDAP security plug-in on page 228 Windows AD security plug-in on page 246
Default accounts
When you first install BusinessObjects Enterprise, this plug-in sets up two default Enterprise accounts: Administrator and Guest. Neither account has a default password.
186
Single sign-on
The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see the BusinessObjects Enterprise Administrators Guide.
Processing extensions
BusinessObjects Enterprise offers you the ability to further secure your reporting environment through the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system. Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions. Through its support for processing extensions, the BusinessObjects Enterprise administration SDK essentially exposes a handle that allows developers to intercept the request. Developers can then append selection formulas to the request before the report is processed. A typical example is a report-processing extension that enforces row-level security. This type of security restricts data access by row within one or more database tables. The developer writes a dynamically loaded library that intercepts view or schedule requests for a report (before the requests are processed by the Job Server, Page Server, or Report Application Server). The developers code first determines the user who owns the processing job; then it looks up the users data-access privileges in a third-party system. The code then generates and appends a record selection formula to the report in order to limit the data returned from the database. In this case, the processing extension serves as a way to incorporate customized row-level security into the BusinessObjects Enterprise environment. Tip: In BusinessObjects Enterprise XI, you can also set and enforce rowlevel security through the use of Business Views. For more information, see the Business Views Administrator's Guide.
187
The CMC provides methods for registering your processing extensions with BusinessObjects Enterprise and for applying processing extensions to particular object. For details, see the BusinessObjects Enterprise Administrators Guide. By enabling processing extensions, you configure the appropriate BusinessObjects Enterprise server components to dynamically load your processing extensions at runtime. Included in the SDK is a fully documented API that developers can use to write processing extensions. For more information, see the developer documentation available on your product CD. Note: In the current release, processing extensions can be applied only to Crystal report (.rpt) objects.
Logon tokens
A logon token is an encoded string that defines its own usage attributes and contains a users session information. The logon tokens usage attributes are specified when the logon token is generated. These attributes allow restrictions to be placed upon the logon token to reduce the chance of the logon token being used by malicious users. The current logon token usage attributes are:
Number of minutes This attribute restricts the lifetime of the logon token. Number of logons This attribute restricts the number of times that the logon token can be used to log on to BusinessObjects Enterprise.
188
Both attributes hinder malicious users from gaining unauthorized access to BusinessObjects Enterprise with logon tokens retrieved from legitimate users. Note: Storing a logon token in a cookie is a potential security risk if the network between the browser and application or web server is insecure for example if the connection is made over a public network and is not using SSL or Trusted Authentication. It is good practice to use Secure Sockets Layer (SSL) to reduce security risk between the browser and application or web server. For BusinessObjects Enterprise, the default is to create a logon token to be used for failover. This information is stored by default in a cookie and this information allows you to have failover in InfoView when your user session expires. Failover for InfoView, in this context, means that when your session expires, you are logged back in to InfoView. However, you can disable the default behavior of storing logon tokens in a cookie, but this will also disable failover in InfoView. When the default behavior is disabled, and the logon token is not stored in a cookie, the user session will be limited by the web server or web browser timeout. When that session expires, the user will be required to log in again to BusinessObjects Enterprise. For BusinessObjects Enterprise, the default is to have logon tokens enabled in the web client, however, you can disable logon tokens for InfoView. When you disable the logon tokens in the client, the user session will be limited by the web server or web browser timeout. When that session expires, the user will be required to log in again to BusinessObjects Enterprise. Related topics:
Configuring servers for SSL on page 152 Disabling the restoration of a timed out session in .NET InfoView on page 201 Disabling the restoration of a timed out session in Java InfoView on page 200
189
BusinessObjects Enterprise addresses distributed security by implementing a ticket mechanism (one that is similar to the Kerberos ticket mechanism). The CMS grants tickets that authorize components to perform actions on behalf of a particular user. In BusinessObjects Enterprise, the ticket is referred to as the logon token. This logon token is most commonly used over the Web. When a user is first authenticated by BusinessObjects Enterprise, he or she receives a logon token from the CMS. The users web browser caches this logon token. When the user makes a new request, other BusinessObjects Enterprise components can read the logon token from the users web browser. This use of the logon token provides the distributed security that is required for load balancing to be implemented in conjunction with effective faultprotection. The users active identity is stored as a session variable on the web application server that processed the request; consequently, the users active identity is not immediately accessible by the other web application server. For this reason, the users logon token is used to route all of the users requests to the web application server that is storing the users session. By doing so, security is maintained while providing optimal performance: the users identity is verified, but the system does not have to repeatedly prompt the user for his or her credentials; in addition, the user is prevented from unnecessarily consuming resources on both Web Component Adapters. If the web application server that is storing the users active session is taken offline, the logon token again serves a critical purpose. If one web application server ceases to respond to a users requests, InfoView and the CMC are designed such that the request is redirected to the remaining web application server. The client application logs the user on with the valid logon token, and the remaining web application server can authenticate the user and create a new, active session without prompting the user for his or her credentials. The remaining web application server can then authorize and carry out the users request. In this way, the logon token enables the systems load-balancing and fault-tolerance mechanisms to maintain a secure environment without affecting the users experience. In this scenario, when the original web application server is brought back online, the system automatically resumes its load balancing responsibilities by routing each subsequent request to the least used web application server.
190
CookiesA cookie is a small text file that stores session state on the client side: the users web browser caches the cookie for later use. The BusinessObjects Enterprise logon token is an example of this method. Session variablesA session variable is a portion of memory that stores session state on the server side. When BusinessObjects Enterprise grants a user an active identity on the system, information such as the users authentication type is stored in a session variable. So long as the session is maintained, the system neither has to prompt the user for the information a second time nor has to repeat any task that is necessary for the completion of the next request. There are two different types of sessions: a web session (sometimes referred to as an Enterprise session) and a Web Component Adapter (WCA) session. For Java deployments, the web session is used to handle .jsp requests; for .NET deployments, the web session is used to handle .aspx requests. The WCA session is used by the Web Component Adapter. The WCA is a web application, that is deployed on the same machine as your web application server. The WCA allows your web application server to run BusinessObjects Enterprise applications, such a OLAP Intelligence, and allows you to host the Central Management Console (CMC). It also allows you to run legacy CSP applications.
Note: Ideally, the system should preserve the session variable while the user is active on the system. And, to ensure security and to minimize resource usage, the system should destroy the session variable as soon as the user has finished working on the system. However, because the interaction
191
between a web browser and a web server can be stateless, it can be difficult to know when users leave the system, if they do not log off explicitly. To address this issue, BusinessObjects Enterprise implements session tracking.
Session tracking
There are two different types of sessions used for session tracking: a web session and a Web Component Adapter (WCA) session. The web session is used to process .NET requests or to process Java requests. For Java deployments, the web session is used to handle .jsp requests; for .NET deployments, the web session is used to handle .aspx requests.The WCA session is used whenever the CMC or legacy CSP applications are used. Note: The WCA is a web application that is deployed on the same machine as your web application server. The WCA allows your web application server to run BusinessObjects Enterprise applications, such a OLAP Intelligence, and allows you to host the Central Management Console (CMC). It also allows you to run legacy CSP applications. The WCA session server-side script pages (Crystal Server Pages) programmatically save variables to the web session. By default, the web session retains the session until the user explicitly logs off, or until 20 minutes after the users last request (whichever occurs first). Note: The web application server session timeout can be programmatically configured in the server-side .aspx or .jsp pages to timeout earlier if the default of 20 minutes is not desired. For information on changing the WCA timeout, see Changing the default session timeout value for the Java CMC on page 110. For information on changing the web session timeout see Changing the default session timeout value for the Java InfoView on page 111. The .NET timeout values for the WCA session and the web are set in web.config.
To change the .NET WCA timeout, edit the web.config file in this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content
To change the .NET web session timeout, edit the web.config file in this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise11.5\WebAdmin
192
Environment protection
Environment protection refers to the security of the overall environment in which client and server components communicate. Although the Internet and web-based systems are increasingly popular due to their flexibility and range of functionality, they operate in an environment that can be difficult to secure. When you deploy BusinessObjects Enterprise, environment protection is divided into two areas of communication:
Ensuring that the communication of data is secure. Ensuring that only valid users retrieve information from the web server.
Note: These tasks are typically handled by web servers through various security mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows NT Challenge/Response authentication, and other such mechanisms. It is good practice to use Secure Sockets Layer (SSL) to reduce security risk between the browser and application or web server. For procedural information, see Configuring servers for SSL on page 152. You must secure communication between the web browser and the web server independently of BusinessObjects Enterprise. For details on securing client connections, refer to your web server documentation.
193
194
Password restrictions
Password restrictions ensure that Enterprise users create passwords that are relatively complex. You can enable the following options:
Enforce mixed-case passwords This option ensures that passwords contain at least two of the following character classes: upper case letters, lower case letters, numbers, or punctuation.
Must contain at least N characters By enforcing a minimum complexity for passwords, you decrease a malicious users chances of simply guessing a valid users password.
Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method whereby a malicious user obtains a valid user name and attempts to learn the corresponding password by trying every word in a dictionary). With the speed of modern hardware, malicious programs can guess millions of passwords per minute. To prevent dictionary attacks, BusinessObjects Enterprise has an internal mechanism that enforces a time delay (0.51.0 second) between logon attempts. In addition, BusinessObjects Enterprise provides several customizable options that you can use to reduce the risk of a dictionary attack:
Disable accounts after N failed attempts to log on Reset failed logon count after N minute(s) Re-enable account after N minute(s)
User restrictions
User restrictions ensure that Enterprise users create new passwords on a regular basis. You can enable the following options:
Must change password every N day(s) Cannot reuse the N most recent password(s) Must wait N minute(s) to change password
These options are useful in a number of ways. Firstly, any malicious user attempting a dictionary attack will have to recommence every time passwords change. And, because password changes are based on each users first logon time, the malicious user cannot easily determine when any particular
195
password will change. Additionally, even if a malicious user does guess or otherwise obtain another users credentials, they are valid only for a limited time.
Alias options
Alias options on page 196 User type options on page 196 Update options on page 197
Assign each added AD alias to an account with the same name. Create a new account for every added AD alias.
Note: The type of alias option you see will vary, based on what type of thirdparty user being configured. If you are mapping AD accounts, you will see AD alias options. If you are mapping LDAP accounts, you will see LDAP alias options. If you are mapping NT accounts, you will see NT alias options. These options control whether or not multiple aliases are linked to the same account or whether a separate account is created for each alias you add.
New users are created as named users New users are created as concurrent users
These choices control the type of users created. There are two user types available with BusinessObjects Enterprise: names and concurrent.
196
Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
Update options
You have these choices when you select Select when users and aliases are created:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
Note: The type of alias option you see will vary, based on what type of thirdparty user being configured. If you are mapping AD accounts, you will see AD alias options. If you are mapping LDAP accounts, you will see LDAP alias options. If you are mapping NT accounts, you will see NT alias options.
If you choose the first option, the users and aliases will be created in BusinessObjects Enterprisewhen you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise Tip: To deny AD authentication for all users, clear the Windows Active Directory Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias other than the one assigned for AD authentication. To restrict access, disable or delete the users Enterprise account. For more information, see the BusinessObjects Enterprise Administrators Guide.
197
198
chapter
Overview
This section describes how to disable the restoration of a timed out session and persistent cookies and how to enable reverse proxies work in BusinessObjects Enterprise. Note: You do not need to do anything specific in BusinessObjects Enterprise to enable reverse proxies unless you are using one of these web application servers with Apache 2.0: Tomcat, Oracle Application Server, or SAP Web Application Server.
Disabling the restoration of a timed out session in Java InfoView on page 200 Disabling the restoration of a timed out session in .NET InfoView on page 201
Note:
200
Modifying default security behavior Disabling the restoration of a timed out session
If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\
If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
<INSTALLDIR>/bobje/tomcat/webapps
2. 3.
If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
4. 5.
2. 3. 4. 5.
Change the value for logonTokenEnabled from true to false. Save and close the file. Restart IIS.
201
Modifying default security behavior Enabling reverse proxies for Java applications servers
If you are using Apache 2.2 or later, you can either follow these steps or configure the Apache server to rewrite the path string in Set-Cookie headers by using ProxyPassReverseCookiePath. For instructions, consult your Apache documentation. Note:
These steps are not required if you are using WebSphere or WebLogic.
1.
To enable reverse proxies Open the web.xml file from the following location:
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF
Note:
202
Modifying default security behavior Enabling reverse proxies for Java applications servers
If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\
If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
<INSTALLDIR>/bobje/tomcat/webapps
2.
If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
Note: This string appears more than once in the file. The first occurrence of this is an example and is in a comment. Ensure the string you edit is not commented out.
Enter the context path for your reverse proxy in the <param-value> for <param-name>proxy.contextpaths.
If you have multiple reverse proxy paths, separate each path with a comma.
<context-param> <param-name>proxy.contextpaths</param-name> <param-value>/Path1,/Path2,/Path3</param-value> </context-param>
3. 4.
203
Modifying default security behavior Enabling reverse proxies for Java applications servers
1. 2.
To enable reverse proxies Stop Tomcat. Open the server.xml for Tomcat. On Windows, server.xml is located at <CATALINA_HOME>\conf On UNIX server.xml is located at <CATALINA_HOME>/conf Note:
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows and you did not modify the default installation location, replace <CATALINA_HOME> with C:\Program Files\Business Objects\Tomcat If you are using the version of Tomcat installed with BusinessObjects Enterprise on UNIX and you did not modify the default installation location, replace <CATALINA_HOME> with <INSTALLDIR>/bobje/ tomcat
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <!-<Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" debug="0" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" /> -->
3.
4. 5. 6.
Uncomment the Connector element by removing <!-- and -->. Modify the value of proxyPort to be the reverse proxy server listen port. Add a new proxyName attribute to the Connectors attribute list. The value of the proxyName must be the proxy server name which should be resolvable to the correct IP address by Tomcat. Here is a sample:
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
204
Modifying default security behavior Enabling reverse proxies for Java applications servers
Where my_reverse_proxy_server.domain.com and ReverseProxyServerPort should be substituted by the correct reverse proxy server name and its listen port. 7. 8. 9. Save and close the server.xml file. Restart Tomcat. Ensure the reverse proxy server maps its virtual path to the correct Tomcat connector port. In the above example, the port is 8082. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on Tomcat:
ProxyPass /dswsbobje http://internalServer:8082/ dswsbobje ProxyPassReverse /dswsbobje http://internalServer:8082/ dswsbobje
wsresource1=ReportEngine|reportengine web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ reportengine wsresource2=BICatalog|bicatalog web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ bicatatog wsresource3=Publish|publish web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/publish
205
Modifying default security behavior Enabling reverse proxies for Java applications servers
3. 4. 5.
wsresource4=QueryService|query web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ queryservice wsresource5=BIPlatform|BIPlatform web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ biplatform wsresource6=LiveOffice|Live Office web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/servicesliveoffice
Save and close the dsws.properties file. Restart the web application server. Ensure the reverse proxy server maps its virtual path to the correct web application server connector port. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on the web application server of your choice:
ProxyPass /dswsbobje http://internalServer:<listen port>/dswsbobje ProxyPassReverse /dswsbobje http:// internalServer:<listen port>/dswsbobje
Where <listen port> is the listen port of your web application server.
206
Modifying default security behavior Enabling reverse proxies for Java applications servers
Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. To adjust the default view URL using Live Office options 1. 2. On the LiveOffice menu click Options and then click the Enterprise tab. Select Specify the URL to view the report in repository: and type the correct URL in the adjacent field. For example: http://ReverseProxyServer:ReverseProxyServerPort/ProxiedInfoView/ opendoc/openDocument.jsp. Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. 3. Click OK.
Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server
Prerequisites
Ensure that you have read and implemented the steps for Enabling reverse proxies for Java applications servers on page 202.
Deployment instructions
In a regular deployment you create a service account and an SPN that maps to that service account for use with the application server machine. For details on this, refer to Configuring Kerberos and single sign-on to the database for Java application servers on page 311. In a deployment where the reverse proxy server sits between the client and the application sever, you must make the following change:
Follow the instructions for Configuring Kerberos and single sign-on for Java InfoView on page 312 with modifications for step 2, setting an SPN for your web application server and step 4, creating and placing a keytab file. In these steps, the service account and the SPN need to be for the reverse proxy server rather than the application server.
In both steps, when executing the ktpass command, the <host> should be the fully qualified domain name of the reverse proxy server.
207
Your CMS name and port number. Your User name. Your authentication method.
This behavior is made possible through the use of persistent cookies. Persistent cookies are text small files that are stored on your hard drive in the Cookies folder, under your profile name folder, and in the Temporary Internet Folder in your Windows directory. Although these cookies do not store your password, some companies have stringent security requirements which prohibit this behavior. The use of persistent cookies on the InfoView logon screen is the default, however, if you want you can disable this behavior in either the .NET or the Java InfoView client. 1. To disable persistent cookies for .NET InfoView Open the Web.config file for InfoView, from its deployed location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView
2. 3. 4. 5. 1.
Change the value for persistentCookiesEnabled from true to false. Save and close the file. Restart IIS. To disable persistent cookies for Java InfoView Open the web.xml file for InfoView, from its deployed location on your web application server.
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF
Note:
208
If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\
If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
2. 3. 4. 5.
Change the <param-value> for persistentcookies.enabled from true to false. Save and close the file. Restart your application server.
209
210
Using NT Authentication
chapter
If the BusinessObjects Enterprise server components are running on UNIX If your system uses the BusinessObjects Enterprise Java SDK.
212
NT single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:
To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows NT security plug-in queries the operating system for the current users credentials when the client is launched.
To obtain NT single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the users credentials to BusinessObjects Enterprise. Note:
Although single sign-on is supported for InfoView, you will still see the logon screen for the CMC. When you see the CMC logon screen, leave the userid and password fields blank, select Windows NT from the authentication type drop down, and then click logon. IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation. For details on configuring IIS for single sign-on, see Setting up NT single sign-on on page 259. For information on NT single sign-on, see Setting up NT single sign-on on page 259.
213
When IIS is the web server When Internet Explorer is used as the web browser
This support means that your authenticated NT users can log on to BusinessObjects Enterprise without explicitly entering their credentials. The first two sections, Windows NT security plug-in on page 212 and Mapping NT user accounts and groups on page 215 provide overview information about how NT authentication works with BusinessObjects Enterprise. The remaining sections provide the procedural details related to using NT user accounts and groups and NT single sign-on for InfoView.
Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217 Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225 NT authentication only works for servers running on Windows systems. If you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default. NT accounts refer to Windows NT, 2000, or 2003 accounts.
Note:
Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217
214
Unmapping NT groups on page 220 Viewing mapped NT users and groups on page 221
Through the User Manager in NT. Through Computer Management in Windows 2000 or 2003. Through the CMC.
215
7.
Click OK to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
216
When you map a NT group to BusinessObjects Enterprise, all the users from the group are mapped. If you want to exclude specific users from having access to BusinessObjects Enterprise, you can change the specific users access after the group has been mapped. Before starting this procedure, ensure you have the NT domain and group information. To map NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC.
1.
217
2.
3. 4.
Ensure that the NT Authentication is enabled check box is selected. If you will be using single sign-on, select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up NT single sign-on on page 223. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.
5.
To change the Default NT domain, click the domain name. Complete the Default NT Domain field, and then click Update. Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you dont have to specify the NT domain name when you map groups.
218
6.
In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field. Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.
7. 8.
Click Add. The group is added to the list. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added NT alias to an account with the same name. Create a new account for every added NT alias.
Note: For more information on these options, see Alias options on page 196. 9. Select when new users and aliases are created. You have these choices:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on these options, see Update options on page 197.
10. Select what type of users are created. You have these choices:
New users are created as named users. New users are created as concurrent users. Note: For more information on what these options do, see User type options on page 196.
11. Click Finish. A message appears stating that it will take several seconds to update the member groups. 12. Click OK.
219
Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap NT users and groups using Windows NT From the Administrative Tools program group, click User Manager. Select BusinessObjects NT Users. From the User menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases, see Security Concepts on page 179. 1. 2. 3. 4. 5. 6. 7. To unmap NT users and groups using Windows 2000 or 2003 From the Administrative Tools program group, click Computer Management. Under System Tools, select Local Users and Groups. Click the Groups folder. Select BusinessObjects NT Users. From the Action menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK or Apply (and then Close) to complete the process. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179. 1. 2. 3. 4. To unmap NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the Windows NT tab. In the Mapped NT Member Groups area, select the NT group you would like to remove. Click Delete.
220
5.
Click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny NT Authentication for all groups, clear the NT Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179.
To view users and groups that have been added using BusinessObjects Enterprise 1. Go to the Authentication management area of the CMC. 2. Click the Windows NT tab. The Mapped NT Member Groups area displays the groups that have been mapped to BusinessObjects Enterprise. Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.
221
When the new NT user logs on to BusinessObjects Enterprise and selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesnt require any extra steps, but the user wont be added until he or she logs on to BusinessObjects Enterprise. You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. For more information on aliases, see Security Concepts on page 179. You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see Mapping NT user accounts and groups on page 215. However, if the NT group contains many users who dont require access to BusinessObjects Enterprise, you may want to add the user individually instead.
If you create a new NT group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Mapping NT user accounts and groups on page 215. If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see Viewing mapped NT users and groups on page 221.
222
Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225
Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on Kerberos, see these sections: Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using AD with NTLM or SiteMinder on page 245
223
10. Click OK. 11. Proceed to Modifying the web.config file for NT single sign-on on page 225. 12. Restart your IIS server. Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.
224
Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.
2. 3. 4. 5. 6. 7. 8. 9.
Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />
Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secEnterprise" />
10. Ensure the value for authenticationDefault is set to secWindowsNT. 11. Save and close the file. 12. Restart IIS.
225
226
chapter
10
Configuring LDAP authentication on page 230 Mapping LDAP groups on page 238 Unmapping LDAP groups on page 241 Viewing mapped LDAP users and groups on page 242 Changing LDAP connection parameters and member groups on page 242 Managing multiple LDAP hosts on page 243 Troubleshooting LDAP accounts on page 243
Map users and groups from the LDAP directory service. Map LDAP against AD.
228
10
Note:
If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure either single sign-on or single sign-on to the database. These are the restrictions if you configure LDAP against AD.
Users who are only members of a default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a group is the domain users group. If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully. Users from universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.
Specify multiple host names and their ports. Configure LDAP with SiteMinder.
For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see Managing LDAP accounts on page 218. Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.
229
10
Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication). If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users credentials. Before deploying LDAP authentication in conjunction with BusinessObjects Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http:// www.faqs.org/rfcs/rfc2251.html
Configuring the LDAP host on page 231. Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233. Configuring the LDAP plug-in for SiteMinder on page 236.
230
10
Note: If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure single sign-on or single sign-on to the database.
7.
231
10
The LDAP Referral Credentials area must be configured if all of the following apply:
The primary host has been configured to refer to another directory server that handles queries for entries under a specified base. The host being referred to has been configured to not allow anonymous binding. A group from the host being referred to will be mapped to BusinessObjects Enterprise.
Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password. If Maximum Referral Hops is set to zero, no referrals will be followed.
9.
Click Next.
10. Choose the type of Secure Sockets Layer (SSL) authentication used, and then click Next. These are your SSL authentication choices:
Basic (no SSL) Server Authentication Mutual Authentication Note: See Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233 for further information.
11. Choose a method of LDAP single sign-on authentication from these choices:
Basic (No SSO) SiteMinder Note: If you select SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236.
232
10
12. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added NT alias to an account with the same name Create a new account for every added NT alias
Note: For more information on what these options do, see Alias options on page 196. 13. Select when aliases and users are created. You have these choices:
New aliases will be added and new users will be created No new aliases will be added and new users will not be created Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on what these options do, see Update options on page 197.
14. Select how new users are created. You have these choices:
New users are created as named users New users are created as concurrent users
Note: For more information on what these options do, see User type options on page 196. 15. Click Finish.
You can do this configuration after you complete all the steps in Configuring the LDAP host on page 231. For additional information or for information on configuring the LDAP host server, refer to http:// www.techsupport.businessobjects.com/ or your LDAP vendor documentation.
233
10
1.
To configure LDAP Server or Mutual Authentication Choose what level of SSL security you want to use from the available options: Note:
Java applications will ignore the first and last setting and will accept the server certificate only if it comes from a trusted Certificate Authority. Always accept server certificate This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.
Accept server certificate if it comes from a trusted Certificate Authority This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.
Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the Add LDAP host field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work. The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.
234
10
2.
In the SSL host box, type the host name of each machine, and then click Add.
Note: You must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.) 3. Specify the SSL settings for each SSL host that has been added to the list, and specify the default settings that will be used for each host that is not on the list. Note: The default settings will be used for any setting (for any host) where you leave the Use default value box checked or for any machine whose name you do not explicitly add to the list of SSL hosts.
To specify the default settings: a. c. Select default from the SSL list. Type your values for the Path to the certificate and key database files and the Password for the key database. b. Clear the Use default value boxes.
d. If youre specifying settings for Mutual authentication, you can also enter a value in the Nickname for the client certificate in the cert7.db field.
4.
To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.
Click Next.
235
10
5.
Note: For further details on configuring SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236. 6. 7. Choose how new LDAP users and aliases are created. Click Finish.
In the LDAP plug-in the CMC. In the web.xml file for your web application server.
Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation. To configure LDAP for single sign-on with SiteMinder On the Please configure your SiteMinder settings screen, in the Policy Server Host box, type the name of each Policy Server, and then click Add. Note: This screen is visible after you select SiteMinder on the Please choose a method of LDAP single sign-on authentication screen.
1.
2.
For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers.
236
10
3.
Enter the name of the Agent Name and the Shared Secret. Enter the shared secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
4. 5.
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. 6. 7. 8. 9. Locate the following string in the file:
<param-name>cms.default</param-name>
Enter the CMS name and port in the cms.default<param-value> field. Use the format servername:portnumber. Locate the following string in the file:
<param-name>authentication.default</param-name>
237
10
12. Save and close the file. 13. Restart your web application server.
2.
Create a second key, set its type to REG_SZ, and set its value to the authentication type that you want to use for Siteminder single sign-on (secLDAP or secWinAD):
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\SiteMinderAuthenticat ion
Ensure that the Siteminder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using.
238
10
3.
In the Mapped LDAP Member Groups area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add. You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.
239
10
4.
New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:
Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. or
Create a new account for every added LDAP alias Use this option when you want to create a new account for each user.
5.
Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added LDAP alias option. or
No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.
6.
New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:
New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system
240
10
regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or
New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
7.
Click Update.
241
10
242
10
Make sure that you add the primary host first, followed by the remaining failover hosts. If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.) For more information, see Configuring LDAP authentication on page 230.
If you create a new LDAP user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see Configuring LDAP authentication on page 230. If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see Viewing mapped LDAP users and groups on page 242.
243
10
244
33
chapter
11
The AD authentication described in this section only works for servers running on Windows systems. If you want to use AD authentication on Unix, you must configure LDAP against AD. For procedural details, see Configuring LDAP authentication on page 230. AD authentication with aggregation is not functional without a network connection. AD authentication with aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).
The section Windows AD security plug-in on page 246 provides overview information about how Active Directory authentication works with BusinessObjects Enterprise. The section that follows, AD and NTLM and SiteMinder workflows on page 248 provides a summary of the workflows for using AD with NTLM authentication and for using AD with SiteMinder. The remaining sections provide the procedural details related to the following:
Configuring AD with NTLM Configuring AD, NTLM and single sign-on Configuring AD with SiteMinder.
Note: Using AD authentication with Kerberos is not covered in this section. For information on Kerberos, see these sections:
Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289
246
11
verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see Managing AD accounts on page 236. The AD security plug-in also enables you to use these authentication methods:
NTLM Kerberos
Note: For information on using Kerberos, see Using AD and Kerberos with IIS on page 265 and Using AD and Kerberos with Java application servers on page 289. The AD security plug-in is compatible with both Microsoft Active Directory 2000 and 2003 domains running in either native mode or mixed mode. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on the collaterals disk of your product distribution. This information can also found from the Start menu:
Start > Programs > BusinessObjects XI Release 2 > BusinessObjects Enterprise > BusinessObjects Enterprise Developer Documentation
AD authentication only works for servers running on Windows systems. The Windows AD plug-in for BusinessObjects Enterprise supports multiple domains within the same forest but not multiple forests. All of the following must come from domains in the same forest:
Your CMS machine Your AD Administration credentials All groups and users you are mapping
AD authentication and aggregation is not functional without a network connection. AD authentication and aggregation may not continue to function if the administration credentials become invalid. For example, if the administrator changes his or her password or if the account becomes disabled.
247
11
Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group.
To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK). In this scenario, the Windows AD security plug-in queries the operating system for the current users credentials when the client is launched.
To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).
BusinessObjects Enterprise provides its own form of anonymous single signon, which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see Setting up AD single sign-on on page 246.
Mapping AD accounts Modifying IIS security settings Modifying the web.config file for impersonation and Windows authentication
248
11
Mapping AD accounts Modifying IIS security settings Modifying the web.config file for InfoView AD single sign-on
Mapping AD accounts Configuring the Windows AD plug-in for SiteMinder Whichever of these steps that applies to your deployment type:
Modifying web.config for .NET InfoView and SiteMinder Modifying web.xml for Java AD and SiteMinder
Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map AD users and groups and configure the Windows AD security plug-in for NTLM authentication 1. Go to the Authentication management area of the CMC. 2. Click the Windows AD tab.
249
11
3. 4.
Ensure that the Windows Active Directory Authentication is enabled check box is selected. In the Windows AD Configuration Summary area, click the link beside AD Administration Name. Note: Before the Windows AD plug-in is configured, this link will appear as two double quotes. After the configuration has been saved, the link with be populated with the AD Administration names.
5.
Enter the name and password of the domain user account youve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups. Administration credentials can use one of the following formats:
Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on. 6. Complete the Default AD Domain field. Note:
Groups from the default domain can be mapped without specifying the domain name prefix. If you enter the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.
250
11
7.
In the Mapped AD Member Groups area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats:
Security Account Manager account name (SAM), also referred to as NT name (DomainName\GroupName) DN (cn=GroupName, ......, dc=DomainName, dc=com)
Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore, they will not be able to access BusinessObjects Enterprise. 8. 9. Click Add. The group is added to the list. For basic NTLM authentication, follow these steps: a. b. a. b. EnsureUse NTLM authentication is selected. Clear Enable Single Sign On for selected authentication mode. Ensure Use NTLM authentication is selected. Ensure Enable Single Sign On for selected authentication mode is selected.
10. For NTLM authentication with single sign-on follow these steps:
11. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
12. Select when users and aliases are created. You have these choices:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
251
11
13. Select what type of users are created. You have these choices:
New users are created as named users. New users are created as concurrent users.
For further details on these options, see User type options on page 196. 14. Click Update. 15. Click OK.
Modifying IIS security settings on page 252 Modifying the web.config file for impersonation and Windows authentication on page 253
Completing the configuration for AD single sign-on involves these tasks for IIS: Note:
AD single sign-on is not supported on client machines running on Windows 98. By default, AD single sign-on is not enabled.
For information on how to set up end-to-end single sign on with AD and Kerberos, see End-to-end Single sign-on workflow on page 267.
252
11
6. 7. 8.
Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:
9.
10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportviewers115 and Styles. 13. Restart your IIS server.
To configure both the CMC and InfoView, configure the web.config file in the Web Content directory.
To configure only InfoView, configure the web.config file in the InfoView directory. Note: The values in web.config file are case-sensitive. 1. To modify web.config for basic AD authentication Open the appropriate Web.config file from either of the following locations:
2. 3.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\
253
11
4. 5. 6.
To change the authentication mode used. To allow impersonation. To enable single sign-on. To specify the authentication default.
These changes are in addition to changing how IIS is configured. Note: The values in web.config file are case-sensitive. 1. To modify web.config for AD single sign-on Open the Web.config file from this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\
2. 3. 4. 5. 6. 7. 8. 9.
Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />
Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secWinAD" />
10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file.
254
11
12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in Setting up AD single sign-on on page 252.
Configure the AD plug-in for single sign-on with SiteMinder Modify either the Web.xml file to use Java and SiteMinder or the Web.config file to use .NET and SiteMinder
Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
255
11
6. 7. 8. 9.
Click Use SiteMinder Single Sign On. In the Policy Server Host box, type the name of each Policy Server, and click Add. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers. Enter the name of the Agent Name and the Shared Secret. Enter the Shared Secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
256
11
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>
Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>
4. 5.
6. 7. 8. 9.
12. Save and close the file. 13. Restart your web application server.
257
11
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>
Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>
4. 5. 6. 7. 8. 9.
Save and close the file. Restart your web application server.
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you
258
11
are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>
Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>
4. 5. 6. 7. 8. 9.
12. Save and close the file. 13. Restart your web application server.
Note: The path mentioned is the default location. Modify your path accordingly if you changed the default location. 2. Find the following string in the file:
259
11
3. 4. 5. 6. 7. 8. 9.
Enter the CMS name in the cmsDefault value field. Find the following string in the file:
<add key="authenticationDefault" value="secEnterprise" />
Set the value for the authenticationDefault to secWinAD. Find the following string in the file:
<add key="ssoEnabled" value="false" />
Change the value for ssoEnabled from false to true. Find the following string in the file:
<add key="siteminderEnabled" value="true" />
10. Find the following string in the file: 11. Set the value for sitemindeAuthentication to secWinAD.
<param-value>secWinAD</param-value>
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>siteminder.enabled</param-name>
260
11
4. 5.
Save and close the file. Restart your web application server.
2. 3. 4. 5.
This problem occurs when single sign-on configuration is missing from the CMC but present in all the other required locations. 1. 2. To enable single sign-on in the CMC Go to the Authentication area of the CMC. Click the Window AD.
261
11
3. 4.
In the Authentication Options area of the page, select Enable Single Sign On for selected authentication mode. Restart IIS.
This can be caused because the impersonation setting has been set incorrectly or the setting is missing from the web.config file. 1. To fix this problem Open the web.config file at this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView
2.
If either line is missing, add it, if either has a different setting, change it to match the required setting. 3. 4. Save and close the file Restart IIS.
262
11
Set to false to disable Siteminder sso --> key="siteminderEnabled" value="true" /> key="siteminderAuthentication" value="secLDAP" /> Set to true to enable other Single Sign On --> key="ssoEnabled" value="false" />
1.
To remove the duplicate tag Open the web.config from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content
2. 3. 4. 5.
If you find multiple occurrences, ensure the first one has the setting you want, then delete the duplicate tags. Save and close the file. Restart IIS.
263
11
264
chapter
12
Single sign-on Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.
Single sign-on to the database Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access. In particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos. For details on which databases are supported for single-sign on, consult the platforms.txt file included with your product distribution.
End-to-end single sign-on End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the frontend, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.
266
12
Setting up a service account on AD Granting the service account rights Configuring the servers to use the service account Configuring IIS for integrated Windows authentication Modifying web.config for impersonation and Windows authentication Enabling Kerberos authentication in the Windows AD plug-in
Setting up a service account on AD Granting the service account rights Configuring IIS for integrated Windows authentication Configuring the servers to use the service account Modifying web.config for InfoView single sign-on Enabling Kerberos authentication in the Windows AD plug-in
Modifying the AD plug-in settings for database single sign-on Configuring web applications for database single sign-on Configuring IIS for database single sign-on Configuring the database server for single sign-on
Modifying the AD plug-in settings for database single sign-on Configuring IIS and browsers
267
12
Configuring IIS for end-to-end single sign-on Modifying web.config for InfoView single sign-on Configuring Kerberos for IIS on page 266
If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 268 If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 269.
After you set up the service account, you will need to grant the account appropriate rights, see Granting the service account rights on page 270.
1.
Account is trusted for delegation Use DES encryption types for this account
To run the SPN utility on Windows 2000 Download the utility from this location to your Domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/ tools/existing/setspn-o.asp
2.
268
12
Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object
Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. 6. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 7. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command. 8. 9. Select Trust this user for delegation to any service (Kerberos only) Click OK.
Granting the service account rights on page 270 Configuring the servers to use the service account on page 270
269
12
CMS Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Control Panel > Administrative Tools > Local Security Policy. Expand Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Enter the name of the service account you created, then click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.
CMS server Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server.
270
12
3. 4.
Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, then click OK.
5. 6.
Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.
Prerequisites
Ensuring Windows AD authentication is enabled. Entering the AD Administrator account. Note: This account requires read access to Active Directory only; it does not require any other rights. Entering the service principal name (SPN) for the service account. If you want to use single sign-on, you will also have to enable single signon in the CMC.
Before you configure the Windows AD security plug-in for Kerberos, you must have completed the following tasks:
1. 2.
Setting up a service account on AD on page 268 Granting the service account rights on page 270 Configuring the servers to use the service account on page 270 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab.
271
12
3.
Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4. 5.
In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name. Enter the AD administrators credentials in the Name and Password fields.
Note:
6.
Use the format DOMAIN\Account in the Name field. The AD Administrator account requires read access to Active Directory only; it does not require any other rights.
Enter the default domain in the Default AD Domain field. Note: Use The FQDN format for the AD default domain and enter the domain in uppercase.
7.
Click Update.
272
12
8.
In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.
9.
If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box. In the service principal name: field, enter the service principal name of the service account. Note:
273
12
The Service Principal Name is case sensitive. The case must match exactly what you have set up on your AD domain. This must be the same account that you use to run the BusinessObjects Enterprise. The domain name is entered in uppercase. This must be the same account that you use to run the BusinessObjects Enterprise servers. This is the AD account you created in this step: Setting up a service account on AD on page 268.
10. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
11. Select when users and aliases are created. You have these choices:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
12. Select what type of users are created. You have these choices:
New users are created as named users. New users are created as concurrent users.
For further details on these options, see User type options on page 196. 13. Click Update.
274
12
2. 3. 4. 5. 6.
Configuring IIS for integrated Windows authentication on page 275 Configuring the Internet Explorer browser on a client machine on page 276
275
12
7.
Setting up the client machines for integrated Windows authentication. Adding IIS to the trusted sites. In configuring IIS for database single sign-on, you do not need to configure the browser for single sign-on. See also Configuring IIS for database single sign-on on page 281. You can automate the following steps through a registry key. For details, refer to your Windows documentation. To configure the IE browser on the client machines On the client machine, open an Internet Explorer browser window. Enable integrated windows authentication. a. b. c. d. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Advanced tab. Navigate to the Security settings. Click the Enable integrated windows authentication option, and click Apply.
Note:
1. 2.
3.
Add IIS to the Trusted sites. You can enter the full domain name of the site. a. b. c. d. e. f. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Security tab. Click Sites. Click Advanced. Type in the web site for IIS, and click Add. Click OK, then click OK twice more to close the Internet Options dialog box.
4.
Close the Internet Explorer browser windows and then open them again for the changes to take effect.
276
12
5.
Configuring IIS 5 for Kerberos end-to-end single sign-on on page 277 Configuring IIS 6 for Kerberos end-to-end single sign-on on page 279
Note: Instead of configuring IIS worker processes for end-to-end single signon you can configure them to use database single sign-on. You may want to do this, for example, if you dont want to run IIS worker processes under an account that has been trusted for delegation. For more information, see:
Configuring IIS for database single sign-on on page 281 Configuring web applications for database single sign-on on page 285
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which will result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To configure IIS 5 for database single sign-on on page 282 To run IIS 5 worker process under a user domain account on page 278
277
12
1.
To run IIS 5 worker process under the machine domain account On the domain controller, set the domain account of IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c onfig file:
2.
userName="SYSTEM" Password="AutoGenerate"
In the above path name, version represents the software version. Note:
3.
Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
userName="domainaccount" Password="password"
Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. In the above path name, version represents the software version. Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.
278
12
2.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and may expire, which will result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To run IIS 6 worker processes under the machine domain account on page 279 To run IIS 6 worker processes under a user domain account on page 280
Changing this property can take several minutes to propagate. If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281.
279
12
2.
Configure the account for the w3wp.exe worker process: a. b. c. In the Internet Service Manager window, right-click the machine name and select Application Pool > New. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > EnterpriseX (where X equals your version number). Right-click InfoView and select Properties. On the Home Directory tab, select the new application pool name from the list, and click Apply. Right-click the application
pool
d. e. f. g.
On the Identity tab, select LocalSystem from the list, and click Apply. Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group.
Note:
3.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
userName="domainaccount" Password="password"
In the above path name, version represents the software version. Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.
280
12
Note: If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group. 2. Add the domain account to IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http:// msdn.Microsoft.com/ If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
3.
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
Configure IIS worker processes to run as a domain account. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:
Configuring IIS 5 for single sign-on to database only on page 282 Configuring IIS 6 for single sign-on to database on page 283
Configure the web applications for single sign-on to the database. See Configuring web applications for database single sign-on on page 285. Modify the Windows AD options. See Modifying the AD plug-in settings for database single sign-on on page 275.
281
12
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsoft s web site: http:// www.microsoft.com/ 1. To configure IIS 5 for database single sign-on Make sure your BusinessObjects Enterprise web site on IIS is running as a domain account. Note: Unless you specified a different web site during installation, this will be the Default Web Site under IIS. 2. Locate and open the machine.cong file. This file can be found at the following location:
C:\Winnt\Microsoft.NET\Framework\version\CONFIG\ where,
version
3. 4.
Find the processModel Attributes area in the file. Set UserName and password as follows:
5.
userName="SYSTEM" Password="AutoGenerate".
6.
Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
282
12
For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ 1. To configure IIS 6 for database single sign-on Make sure the BusinessObjects Enterprise IIS web site is running as a domain account. Note: Unless you specified a different site during installation, this will be the Default Web Site under IIS. 2. Configure the account for the w3wp.exe worker process: a. b. c. d. e. f. g. h. In the Internet Information Services Manager window, expand the computer name. Right-click Application Pool and select New > Application Pool. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > Enterprise115. Right-click InfoView and select Properties. On the Directory tab select the new application pool name from the application pool list, and then click Apply. Right-click the application pool you created, and select Properties. On the Identity tab, select LocalSystem from the list, and click Apply.
283
12
Note:
3.
Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.
2. 3. 4. 5. 6. 7.
Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />
284
12
8. 9.
Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secWinAD" />
10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file. 12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks that apply to the type of single sign-on you are using, as outlined in Workflows for Kerberos and IIS on page 267.
Change the value from None to Windows. To set InfoView to not impersonate the users, add the following line to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config file:
Change the value from None to Windows. Save and close the files.
285
12
Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting the authentication method that applies to them. Once they are logged on, the users will have database single sign-on access associated with BusinessObjects Enterprise.
If SQL Server is running under the LocalSystem account, no additional configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account. If SQL Server is running under a service account, you have to configure to be trusted for delegation. To run SQL Server under a service account In Active Directory, set up the SQL Server service account for security delegation: a. b. c. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Right-click the domain account and select Properties. On the Accounts tab, make sure the following options are selected:
1.
In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that these two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.
286
12
Note: If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. 2. Set the machine running SQL Server as follows: a. b. 3. Computer is trusted for delegation Click Apply, and click OK.
Where host:port is the name of the machine running SQL Server and the port, and serviceaccount is the name of the SQL Server service account.
If the CMS cache expiry is greater than that of the ticket, the system renews the ticket until the CMS cache expiry is reached. If the CMS cache expiry is less than that of the ticket, the ticket will expire when the CMS cache expiry is reached. If the CMS cache expiry is zero, the system will use the globally set ticket expiry.
The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached. The system comes configured with default values for the server cache expiry. To change the default values for the cache expiry, see Modifying the default cache expiry value on page 287. Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.
287
12
3. 4. 5.
Click the Single Sign-On tab. Type in a new cache expiry value. Click Update.
288
chapter
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
The general workflow that you must follow regardless of the web application server your are using. The workflow specific to your Java web application server. This second workflow is necessary because the implementation of Java Authentication and Authorization Service (JAAS) varies between different application servers.
The procedural details for each step in the workflow. Two samples of Krb5.ini files. Troubleshooting information.
Note: If you are using IIS and Kerberos, see Workflows for Kerberos and IIS on page 267.
Setting up a service account Granting the service account rights Configuring the servers to use the service account Kerberos authentication in the Windows AD plug-in
290
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Tomcat or WebLogic Modifying your Java options for Kerberos on Tomcat
Configuring Kerberos and single sign-on for Java InfoView Creating the JAAS login configuration file for WebSphere Modifying the Java options for Kerberos on WebSphere
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server. Creating the JAAS login configuration file for Tomcat or WebLogic Modifying the Java options for Kerberos on WebLogic
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Oracle Application Server Modifying the Java options for Kerberos on Oracle Application Server
291
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 292 and Creating an SPN for your CMS on a Windows 2000 domain on page 293. If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 293 and Creating an SPN for your CMS on a Windows 2003 domain on page 294. If you are using a Windows 2003 Domain, you also have the option of setting up constrained delegation. See Setting up constrained delegation on page 294 for more information.
Note: In a forest with multiple domains you can create this service account in any domain. All domains that trust the domain you have created the service account in will be able to authenticate.
Account is trusted for delegation Use DES encryption types for this account
292
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
Note: The SETSPN utility is a program that allows you to manage the Service Principal Name (SPN) for service accounts in Active Directory. 2. Open a command prompt and enter this command:
SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount
Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object
Run the SPN utility. For details, see Creating an SPN for your CMS on a Windows 2003 domain on page 294. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.
7.
Select this option: Trust this user for delegation to any service (Kerberos only)
293
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Note: If you are using a 2003 Active Directory domain, and you need to restrict delegation, see Setting up constrained delegation on page 294. 8. Click OK.
Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 2. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 3. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.
This method allows you to limit the amount of delegation permitted. Constrained delegation for a service account allows you to do further limit delegation to a specific service for a specific user on a specific computer. Because constrained delegation for a service account is more restrictive, it is considered a more secure option. Note: Constrained delegation is only supported on Active Directory 2003.
294
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
3. 4. 5. 6. 7. 8. 9.
Replace HOSTNAME with the fully qualified name of your machine running the CMS service: For example, machine_name.domain_name.com. Replace CMS_Machine_Name with the name of machine running the CMS service.
Open Active Directory. Expand Users and Computers. Select the Users folder. Select the service account user. Right-click, then select Properties. Click on the Delegation tab. Select Trust this user for delegation to specified services only.
10. Ensure Use Kerberos only is selected. 11. Click Add. 12. Click Users and Computers. 13. Enter the CMS_machine_name you specified in step 2, then click OK. 14. Select BOBJCentralMS from the list of services, then click OK. 15. Click OK.
Granting the service account rights on page 295 Configuring the servers to use the service account on page 297
CMS
295
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Administrative Tools > Local Security Policy. Click Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Type the name of the user to add, and click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.
Note: It is important that the Effective Right ends up being checked after Act as part of the operating system is selected. Typically, you will need to restart the server for this to occur. If, after restarting the server, this option is still not on, your Local Policy settings are being overridden by your Domain Policy settings.
CMS Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. For details, see Setting up a service account on page 292. You must also have administrative rights on the server. 1. 2. To add an account to the Administrators Group On the desired machine, right-click My Computer and then click Manage. Go to System Tools > Local Users and Groups > Groups.
296
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
3. 4. 5. 6. 7.
Right-click Administrators and then click Add to Group... Click Add... and enter the logon name of the service account. Click Check Names to ensure the account resolves. Click Ok and then click OK again. Repeat these steps for each Business Objects server that has to be configured.
CMS server Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server. Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. 5. 6. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and click OK.
Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.
297
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
This account requires read access to Active Directory only; it does not require any other rights.
Note: If you enable single sign-on in the CMC, you also must configure it in the web.xml file. For details, see Configuring Kerberos and single sign-on for Java InfoView on page 312.
Entering the service principal name (SPN) for the service account.
Prerequisites
Before you configure the Windows AD security plug-in for Kerberos, you must have completed these tasks:
1. 2. 3.
Setting up a service account on page 292 Granting the service account rights on page 295 Configuring the servers to use the service account on page 297 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab. Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4.
In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
298
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
5.
Enter the credentials that have read access to Active Directory in the Name and Password fields.
Note:
6.
Use the format Domain\Account in the Name field. The account requires read access to Active Directory only; it does not require any other rights.
Enter the default domain in the Default AD Domain field. Note: Use The FQDN format and enter the domain in uppercase. Note: In a deployment with multiple domains, the Default AD Domain may be any of the desired domains. The best practice is to use the domain with the largest number of users that will be authenticating with their AD account.
7.
In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.
299
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
8.
Note:
9.
If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box.
In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account you created in the section Creating an SPN for your CMS on a Windows 2000 domain on page 293 or Creating an SPN for your CMS on a Windows 2003 domain on page 294. Use the following format, where svcacct is the name of your service account or SPN, and DNS.COM is your fully qualified domain in uppercase. For example, the Service Account would be svcacct@DNS.COM and the SPN would be BOBJCentralMS/MACHINE.DOMAIN.COM@DOMAIN.COM
300
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
Note:
If you plan to enable Single Sign-On to Java InfoView with users from multiple domains, you must enter the SPN in this field. The service account is case sensitive. The case of the account you enter here must match with what is set up in your Active Directory Domain. If your UPN and SAM name are not identical, enter the UPN name. This must be the same account that you use to run the BusinessObjects Enterprise servers or the SPN that maps to this account. See Setting up a service account on page 292. When manually logging on to Java InfoView, users from other domains must log on with their AD account in UPN format. This is what is displayed in the logon name field in the AD Users and Computers snap-in. For example: user@child.parentdomain.com
10. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added AD alias to an account with the same name Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
11. Select when users and aliases are created. You have these choices:
New aliases will be added and new users will be created No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
12. Select what type of users are created. You have these choices:
New users are created as named users New users are created as concurrent users
Note: For further details on these options, see User type options on page 196. 13. Click Update.
301
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Creating the Kerberos configuration file. Creating the JAAS login configuration file. Modifying the Java Options. Restarting you Java application server. SAP Web Application Server and Java AD with Kerberos is not supported. The default Active Directory domain must be in uppercase DNS format. You are no longer required to download and install MIT Kerberos for Windows. You also no longer require a keytab for your service account.
Note:
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server
Follow these steps to create the Kerberos configuration file if youre using Tomcat, Oracle Application Server or WebLogic. 1. To configure Kerberos for Java AD Create the file krb5.ini, if it does not exist, and store it under the following platform dependant location: Platform Windows Location
c:\WINNT
Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying your Java options for Kerberos on Tomcat on page 307 for procedural details.
302
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
2.
Note:
You can add multiple domain entries to the [realms] section if your users log in from multiple domains. To see a sample of this file with multiple domain entries, see Sample single domain Krb5.ini file on page 305 or Sample multiple domain Krb5.ini file on page 304. For further information see http://java.sun.com/j2se/1.5.0/docs/guide/ security/jgss/tutorials/KerberosReq.html. In a multiple domain configuration, under [libdefaults] the default_realm value may be any of the desired domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts.
303
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying the Java options for Kerberos on WebSphere on page 308 for procedural details. 2. Add the following required information in the Kerberos configuration file:
[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc [realms] DNS.COM = { default_domain = DNS.COM kdc = hostname.DNS.COM }
Note:
uppercase in FQDN format. These lines are required for the default encryption types for WebSphere, and are different than the encryption types for WebLogic, Oracle Application Server and Tomcat: default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc
3.
For samples of this file see Sample single domain Krb5.ini file on page 305 and Sample multiple domain Krb5.ini file on page 304.
304
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
.child1.domain03.com = CHILD1.DOMAIN03.COM child1.domain03.com = CHILD1.DOMAIN03.com .child2.domain03.com = CHILD2.DOMAIN03.COM child2.domain03.com = CHILD2.DOMAIN03.com .domain04.com = DOMAIN04.COM domain04.com = DOMAIN04.com [libdefaults] default_realm = DOMAIN03.COM dns_lookup_kdc = true dns_lookup_realm = true [logging] [realms] DOMAIN03.COM = { admin_server = testvmw2k07 kdc = testvmw2k07 default_domain = domain03.com } CHILD1.DOMAIN03.COM = { admin_server = testvmw2k08 kdc = testvmw2k08 default_domain = child1.domain03.com } CHILD2.DOMAIN03.COM = { admin_server = testvmw2k09 kdc = testvmw2k09 default_domain = child2.domain03.com } DOMAIN04.COM = { admin_server = testvmw2k011 kdc = testvmw2k011 default_domain = domain04.com }
305
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
This is the default location for the bscLogin.conf file. You can specify a different location for this file, but if you do, you must also specify in this location in your java arguments. See Modifying the Java options for Kerberos on WebLogic on page 307 for details. 2. Add the following code to your JAAS bscLogin.conf configuration file:
com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required; };
Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 3. Save and close the file.
Creating the JAAS login configuration file for Oracle Application Server
1. To create the JAAS login configuration file for Oracle Locate the jazn-data.xml file. Note: This default location for this file is C:\OraHome_1\j2ee \home\config. If you installed Oracle Application Server in a different location, find the file specific to your installation. 2. Add the following content to the file between the <jazn-loginconfig> tags:
<application> <name>com.businessobjects.security.jgss.initiate</name> <login-modules> <login-module> <class>com.sun.security.auth.module.Krb5LoginModule</ class> <control-flag>required</control-flag> </login-module> </login-modules> </application>
3.
306
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
C:\WINNT
3.
Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 4. Save and close the file.
2. 1. 2. 3.
Restart Tomcat. To modify the Java options from the Java tab for Tomcat From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini
Replace XXX with the location you stored the file. 4. 5. Close the Tomcat configuration file. Restart Tomcat.
307
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
1. 2.
To modify the Java options from the Java tab for WebLogic Stop the domain of WebLogic that runs your BusinessObjects Enterprise applications. Open the script that starts the domain of WebLogic that runs your BusinessObjects Enterprise applications. Script name startWeblogic.cmd startWebLogic.sh
Replace XXX with the location you stored the file. 4. Restart the domain of WebLogic that runs your BusinessObjects Enterprise applications.
308
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
http://servername:9090/admin.
2.
Expand Server, a click on Application Servers and then servername. Note: Replace servername with the name of the application server you created to use with BusinessObjects Enterprise.
3.
If you are using WebSphere 5.1, follow these steps to get to the JVM page. a. On the server page, scroll down until you see Process Definition in the Additional Properties column. Scroll down and click on Java Virtual Machine.
If you are using WebSphere 6.0, follow these steps to get to the JVM page. a. c. On the server page, select Java and Process Management. Select Java Virtual Machine. b. Select Process Definition.
4.
Click Generic JVM arguments then type the location of your Krb5.ini and the location of your bscLogin.conf file. -Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini Replace XXX with the location you stored the file.
5. 6. 7.
Click Apply, and then click Save. Stop the server. Restart the server.
Troubleshooting Kerberos
These steps may help you if you encounter problems when configuring kerberos:
309
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Enabling logging
1. 2. 3. To enable logging From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Dcrystal.enterprise.trace.configuration=verbose
To test your Java Kerberos configuration Run the following command to test your Kerberos configuration, where servact is the service account and domain under which the CMS is running, and password is the password associated with the service account.
C:\Program Files\Business Objects\j2sdk1.4.2_04\bin\kinit.exe" servact@TESTM03.COM Password
If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.
Logon failure due to different AD UPN and SAM names on page 310 Pre-authentication error on page 311
DOMAIN\ABC123
310
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
This problem, which happens with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same, either in case or otherwise. Following are two examples which may cause a problem:
The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name are the same.
Pre-authentication error
A user who has previously been able to log on, can no longer log on successfully. The user will receive this error: Account Information Not Recognized. The Tomcat error logs reveal the following error: Pre-authentication information was invalid (24) This can occur because the Kerberos user database didnt get a change made to UPN in AD. This may mean that the Kerberos user database and the AD information are out of sync. To resolve this problem, reset the users password in AD. This will ensure the changes are propagated correctly. Note: This problem is not an issue with J2SE 5.0.
Configuring Kerberos and single sign-on to the database for Java application servers
Single sign-on to the database is supported for deployments that meet all these requirements:
The deployment of BusinessObjects Enterprise is on a Java web application server. The Java web application server has been configured with AD with Kerberos. The database to which single sign-on is required is a supported version of SQL Server. The groups or users that need access to the database must have been granted permissions within SQL Server.
The final step is to modify the krb5.ini file to support single sign-on to the database for Java.
311
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Note:
These instructions explain how to configure single sign-on to the database for Java application servers. If you want to configure endto-end single sign-on to the database for Java application servers, you must also configuration required for Vintela single sign-on for Java. For details, see Restart your web application server. on page 312. If you want to configure single sign-on to a database, ensure that you have set the cache security context. For detailed instructions, go to Kerberos authentication in the Windows AD plug-in on page 297.
1.
To enable single sign-on to the database for Java application servers Open the krb5.ini file that is being used for your deployment of BusinessObjects Enterprise. The default location for this file is the WINNT directory on your web application server. Tip: If you cannot find the file in the WINNT directory, check this Java argument for the location of the file:
-Djava.security.auth.login.config
This variable is specified when AD with Kerberos is configured on your Java web application server. 2. 3. 4. 5. Go to the [libdefaults] section of the file. Enter this string prior to the start of the [realms] section of the file:
forwardable = true
Save and close the file. Restart your web application server.
312
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
Prerequisites
Before you configure single sign-on for Java InfoView, you must complete configuration prerequisites: these prerequisites are the steps from the General workflow for configuring Kerberos on page 290 and the steps that apply specifically to your type of Java application server. Also, ensure that single sign-on is enabled in the Authentication page of the CMC. For details, go to Kerberos authentication in the Windows AD plug-in on page 297. See these sections for the configuration steps that apply specifically to your Java application server:
Workflow for configuring Tomcat for Kerberos on page 291 Workflow for configuring WebSphere for Kerberos on page 291 Workflow for configuring WebLogic for Kerberos on page 291 Workflow for configuring Oracle for Kerberos on page 291
Note: Single sign-on to Java InfoView is only supported when BusinessObjects Enterprise services are installed on a supported Windows platform. Supported application servers can be deployed on supported platforms other than Windows. For a complete list of supported platforms, see the Platforms.txt file included on your product CD.
Step 2
Step 3
313
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Step 4
Create and place a keytab file Detailed steps are included in the section Step 4: Create and place a keytab file on page 316 Edit the web.xml file Detailed steps are included in the section Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 Ensure the HTTP header size of your Java application server is sufficient. Detailed steps are included in the section Step 6: Increasing the header size limit of your Java application server on page 321
Step 5
Step 6
The following sections describe how to complete each of these steps. In addition to the steps you must complete, you may also want to change either of these configurable items available with Vintela single sign-on for Java:
The level of error logging recorded. The text users receive if their authentication with Vintela single sign-on for Java fails. Modifying the Vintela logon error page on page 325 Controlling logging with Vintela single sign-on for Java on page 322
The final section Alternate url to access InfoView on page 324, explains why there is an alternate page provided and lists the url for this page.
Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java.
To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller. 1. 2. 3. 4. To register the service: On the Domain Controller open the Active Directory Users and Computers snap in. Click the Users folder to display a list of users and on the Action menu, click New and then click User. Enter a name and logon name for the new service, and then click Next. On the next screen, enter a password for the service. Ensure that the option called User must change password at next logon is not selected.
314
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
5. 6. 7.
Click Next and then click Finish. Right-click the user you have entered in the User folder list, and then click Properties to open the Properties dialog box. Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from ever expiring, which would cause Kerberos errors.
8. 9.
Select Use DES encryption types for this account. This will allow you to configure the KerberosFilter using a keytab file. Click OK.
Note: In some Active Directory Users and Computers snap ins, the option called Account is trusted for delegation is not available until a mapped Service Principal Name has been created. If you do not see this option, complete the steps in the next section, then open the user account in the AD Users and Computers snap in and select the Delegation tab. You can enable it from here.
315
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
1.
To reset the password On the Domain Controller with Active Directory installed, on the Start menu click Programs > Administrative Tools > Active Directory Users and Computers. Right-click the user account that you created previously and click Reset Password. Enter and confirm the same password that you entered previously. Ensure that User must change password at next logon is not selected an click OK.
2. 3. 4.
The keytab is usually found in the same folder as your ktpass support tool unless you specified a different location. Typically the keytab is stored in C:/WINNT or C:/Windows.
Step 5: Enabling Vintela single sign-on for Java in the web.xml file
Note: If you are using WebLogic as your application server, read WebLogicspecific instructions on page 319 before proceeding.
316
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
1.
To enable Vintela single sign-on in the web.xml file Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
Find the following parameters and make the appropriate changes: <param-name> Original <param-value> cms.default New <param-value>
your CMS name and port your CMS name and port number number. SecWinAD false true false
4.
Remove the comment start tag that immediately follows this comment as well as its corresponding end tag.
317
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
5.
In this section find the following parameters and make the appropriate changes. <paramname> idm.realm Original <param-value> YOUR_REALM New <param-value> Default realm for AD. This should be the same value you set when you configured the default_realm in your krb5.ini file Note: Value must be in upper case The SPN you created. It must follow the format: HTTP/ Hostname Where Hostname is the fully qualified domain name of your machine. false true, unless you are planning to use SSL.
idm.princ
YOUR_PRINCIPAL
Add the idm.keytab parameter. In the Vintela section of the web.xml file add the following lines. Note: Place it after the idm.princ parameter and values.
<init-param> <param-name>idm.keytab</param-name> <param-value>PATH_TO_YOUR_KEYTAB_FILE</param-value> </init-param>
Where Path_To_Your_Keytab_File is the directory path to the location of your keytab file. Ex.C:\WINNT\host.keytab Note: Only add the above parameter if you have chosen to use a keytab file. If you have chosen to use a password do not add this parameter. 7. 8. Save and Close the file. Restart your web application server.
Note: If you are using WebLogic, go to Modifying the web.xml in the war package on page 320.
318
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
WebLogic-specific instructions
If you are using WebLogic as your application server, you may not find the commented section in the Vintela xml properties that is mentioned in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316. This is because WebLogic Builder, which is used in preparing the war files for deployment, removes the commented portions of the web.xml file. Therefore, you must add the following xml to the web.xml file before proceeding with Step 5:
<filter> <filter-name>authFilter</filter-name> filter class>com.businessobjects.sdk.credential.WrappedResponse AuthFilter</filter-class> <init-param> <param-name>idm.realm</param-name> <param-value>YOUR_REALM</param-value> </init-param> <init-param> <param-name>idm.princ</param-name> <param-value>YOUR_PRINCIPAL</param-value> </init-param> <init-param> <param-name>idm.allowUnsecured</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>idm.allowNTLM</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>idm.logger.name</param-name> <param-value>simple</param-value> <description> The unique name for this logger. </description> </init-param> <init-param>
319
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
<param-name>idm.logger.props</param-name> <param-value>error-log.properties</param-value> <description> Configures logging from the specified file. </description> </init-param> <init-param> <param-name>error.page</param-name> param-value> <param-value>/InfoView/logon/vintelaError.jsp</ <description> The URL of the page to show if an error occurs during authentication. </description> </init-param> </filter> <filter-mapping> <filter-name>authFilter</filter-name> <url-pattern>/InfoView/logon/logon.do</url-pattern> </filter-mapping>
Return to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the steps there.
2.
Create a folder called WEB-INF and place the modified web.xml file in this folder.
320
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
Note: You must configure the web.xml file with the steps described in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 first. 3. 4. 5. Open a command window. Change directories to the folder containing the deksktop.war Execute the following command:
<DeployedLocation>\j2sdk1.4.2_08\bin\jar uf desktop.war WEB-INF/web.xml
If you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects 6. Go back to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the tasks outlined there.
Step 6: Increasing the header size limit of your Java application server
Active Directory creates a Kerberos token which is used in the authentication process. This token is stored in the HTTP header. Your Java application server will have a default HTTP header size and you should ensure a minimum size of 16384 bytes to avoid failures. 1. To configure the HTTP header size with Tomcat On the server with Tomcat installed, open the server.xml file. On Windows, this file is located at <TomcatDeployedLocation>/conf
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <TomcatDeployedLocation> with C:\ProgramFiles\Business Objects\Tomcat\ If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
Find the corresponding <Connector > tag for the port number you have configured. If you are using the default port of 8080, find the <Connector > tag with port=8080 in it. For example:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />
321
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
3.
For example:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=16384 minSpareThreads="25" port="8080" redirectPort="8443" />
4. 5.
Note: For other Java application servers, consult your java application servers documentation.
The settings related to Vintela logging in the web.xml for InfoView. The setting in the log4j properties file.
For more efficient problem determination, you may want to use the log files that are used to capture error or warning messages.
322
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
The table which follows summarizes what you can control about error logging with Vintela in the web.xml file for InfoView: <param-name> idm.logger.name Use of parameter The name of the log file is specified in the <param-value> for this parameter. This must be a unique name not in used by any other implementation of log4j logging on your web application. The <param-value> for this parameter can be set to three things: (blank), BASIC or
AnythingElse.
idm.logger.props
If the <param-value> for idm.logger.props is set to (blank), no logging will be performed. If the <param-value> for idm.logger.props is set to BASIC, basic errors will be logged and errors will be sent to the standard output. If the <param-value> for idm.logger.props is set to anything other than or BASIC, Vintela will look for a properties file that matches the value you set. Vintela will look for this properties file in the WEB-INF directory for InfoView. For example, if you specify BOE for your <param-value>, Vintela will look in the WEBINF directory for Infoview for this file:
BOE.properties
You must create the properties file if you specify that one is to be used. For details see What to specify in your log4j properties file on page 323.
Defining which logger to use. Defining what level of logging to perform in this properties file.
323
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
For details on the syntax to use in the file and details on the of valid options of an Apache log4j properties file, see the following url:
http://jakarta.apache.org/log4j/docs/api/index.html
To change the level of logging provided with Vintela single sign-on for Java 1. Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
If you want to have the output from error logging written to a file, find this string:
<param-name>idm.logger.name</param-name>
3. 4.
In the <param-value> for idm.logger.name, enter the name for your log file. If you want to use a properties file to define the logger used and level of logging recorded, find this string:
<param-name>idm.logger.props</param-name>
5.
In the <param-value> for idm.logger.props, enter the name for your properties file. Note: If you set this value to anything other than or BASIC, you must also define the logger used and define level of logging in the properties file you specify. For details, on the logging parameters available, see the table in the section Controlling logging with Vintela single sign-on for Java on page 322
6.
324
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
13
This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonForm.do
A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.
325
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonform.do
Configuring IIS for database single sign-on on page 281. Configuring the Internet Explorer (IE) browser on the client machines. Note: You can automate this through a registry key or use the following steps.
1. 2.
Configuring the IE browser on the client machines On the client machine open and IE browser window. Enable integrated Windows authentication 1. 2. 3. On the Tools menu click Internet Options. Click the Advanced tab. Scroll to Security, select Enable Integrated Windows Authentication, and then click Apply.
3.
Add IIS to the trusted sites. You can enter the full domain name of the site. 1. 2. 3. 4. 5. On the Tools menu click Internet Options. Click the Security tab. Click Sites and then click Advanced. Type the web site for IIS and click Add. Click Ok until the Internet Options dialog box closes.
4. 5.
Close and reopen the IE browser window for these changes to take effect. Repeat all of these steps on each BusinessObjects Enterprise client machine.
326
33
Trusted Authentication
chapter
14
Configuring the server for Trusted Authentication on page 328 Configuring Trusted Authentication for the client on page 329
If you are using Business Process BI Web Service, you also must configure the BusinessProcessBI.properties file. See Configuring Trusted Authentication for Business Process BI on page 334 for details. Note: Before you are able to use Trusted Authentication, you must have either created Enterprise users or mapped the third-party users you will be using to sign on to BusinessObjects Enterprise.
328
14
8.
Click Update.
If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: C:\Program Files\Business Objects\Tomcat\webapps\ If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
2. 3.
Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber Find this string in the file: <param-name>sso.enabled</param-name> Change the <param-value> for sso.enabled from false to true.
<param-value>true</param-value>
4. 5. 6.
329
14
7.
8. 9.
Specify the way in which you want to use to retrieve the user name.
330
14
Enter the <param-value> from the table that corresponds with the user retrieval method you want to use. <param-value> REMOTE_USER How the User name will be retrieved The user name will be retrieved from a call to getRemoteUser() on the HttpServletRequest object for the current request in a servlet or JSP. The user name is retrieved from the contents of a specified HTTP header. Note: You must define which http header you want to use retrieve the user name. You define the http header to use is defined in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified parameter of the request URL. Note: You must define which query string parameter you want to use to retrieve the user name. You define query string parameter to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified cookie. Note: You must define which cookie you want to use to retrieve the user name. You define the cookie to use in the trusted.auth.user.param in the web.xml file for InfoView.
HTTP_HEADER
QUERY_STRING
COOKIE
331
14
<param-value> WEB_SESSION
How the User name will be retrieved The user name is retrieved from the contents of a specified session variable. Note: You must define which web session variable want to use to retrieve the user name. You define the web session variable to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from a call to getUserPrincipal().getName() on the HttpServletRequest object for the current request in a servlet or JSP.
USER_PRINCIPAL
Note:
There are various mechanisms that populate the user name. Configure or set up your web application server so that your user names are exposed before you use these user retrieval name methods. See http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/ http/HttpServletRequest.html for further information. Some web application servers require that you have the environment variable REMOTE_USER set to true on your web application server. See the documentation specific to your web application server for details on whether this is required. If it is required, ensure the environment variable is set to true if you are using this method of user name retrieval.
10. If you selected HTTP header, URL query string, cookie or web session, find this string:
<param-name>trusted.auth.user.param</param-name>
Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 11. Enter the variable name to use to retrieve the user name in the <paramvalue> for trusted.auth.user.param.
If you are using the HTTP header as your method of retrieving the user name, enter the name for the HTTP header variable. If you are using a URL query string parameter as your method of retrieving the user name, enter the name for the parameter. If you are using a cookie as your method of retrieving the user name, enter the name for the cookie.
332
14
If you are using a web session variable as your method of retrieving the user name, enter the name for the web session variable.
Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 12. Decide how you want to retrieve the shared secret.
To retrieve the shared secret from a file. a. Create a file called TrustedPrincipal.conf. b. Store the file in the platform specific directory of Business Objects. This table specified the location where the TrustedPrincipal.conf file should be stored, based on your platform.
Windows, modified <INSTALLDIR>/BusinessObjects default install directory Enterprise 11.5\win32_x86\ plugins\auth\secEnterprise Note: Replace INSTALLDIR with your installation directory. AIX
aix_rs6000/plugins/auth/ secEnterprise
<INSTALLDIR>/bobje/enterprise115/
Solaris
<INSTALLDIR>/bobje/enterprise115/
HP_UX
<INSTALLDIR>/bobje/enterprise115/
Linux
<INSTALLDIR>/bobje/enterprise115/
c.
Define the string you want to use for the shared secret. Enter the following in the file, where String is the shared secret string you want to use.
SharedSecret=String
333
14
To retrieve the shared secret from a session variable. a. Find this string in the web.xml file:
<param-name>trusted.auth.shared.secret</paramname>
b. Enter the session variable name from which to retrieve the shared secret in the </param-value> for
trusted.auth.shared.secret.
Note: Business Process BI Web Services does not support retrieving the shared secret from a session variable. 13. Save and close the file. 14. Restart your web application server.
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\. If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. Find this line:
bisecurity.trustedAuthentication.enabled = false
Change the value false to true. Save and close the file. Restart your web application server.
334
14
<INSTALLDIR>/bobje/enterprise115/hpux_pa_risc/plugins/auth/
secEnterprise
Note: INSTALLDIR can be any location you want. 3. 4. 5. Place your configured TrustedPrincipal.conf in the folder you just created. Specify the location of INSTALLDIR in this java argument:
-Dbobj.enterprise.home=<INSTALLDIR>
Note: If GetDocumentURL methods are used, InfoView must also be deployed, but not necessarily on the same web application servers. See the Business Process BI Services Guide for more information.
335
14
336
Improving Performance
chapter
15
Improving performance
It is good practice to regularly assess the performance of your system and make changes to account for future growth and potential problem areas. First, you need to assess the current performance of your system. You can assess your systems performance by talking to your users and delegated administrators, and by studying your system metrics. When you have an idea of potential problem areas, you can compare your systems performance to expected service thresholds. After you identify performance issues, you can take steps to account for them by scaling your system or adjusting your configuration settings.
Assessing your systems performance on page 338 Resolving performance issues on page 348
Note: This section is for improving the performance of an existing deployment. For information about If you havent deployed your system yet, see Planning Your Deployment on page 57.
Assess user needs. Get qualitative feedback from your users. See Assessing user needs on page 339. Analyze server metrics. Check the server and system logs. For detailed instructions, see Analyzing server metrics on page 339. Evaluate the performance of each server component. Compare the current system usage to recommended service thresholds. Determine the required number of processors, services, and machines. For more information, see Evaluating your systems performance on page 346.
338
15
What types of tasks are they performing and how often? Have they noticed slow performance when performing particular tasks? What types of objects do they use most often? Have they noticed slow performance when using particular types of objects? Do they anticipate increasing or decreasing their use of the system in the near future? Are they hiring new people? Do they plan to use BusinessObjects Enterprise to perform more tasks in the future?
It is good practice to regularly re-assess your organizations needs. Follow the steps you used when planning your deployment. For detailed instructions, see Assessing your organizations needs on page 58. When you have a sense of the organizations performance issues, you can verify them by viewing the current system metrics.
339
15
The CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity. Tip: For an example of how to use server metrics in your own web applications, see the View Server Summary sample on the BusinessObjects Enterprise Admin Launchpad.
The Metrics tabs for the following servers include additional, server-specific information: Input and Output File Repository Servers For each File Repository Server, the Metrics tab provides the following metrics:
the number of bytes sent and received the number of active files and active client connections the total available hard disk space
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the root directory of the files that the server maintains the maximum idle time
Each File Repository Server also has an Active Files tab, which lists the file name, the number of readers, and the number of writers for each active file. Cache Server For each Cache Server, the Metrics tab provides the following metrics:
340
15
the total threads running the number of bytes transferred the number of current connections the current cache size the number of requests served the cache hit rate the number of requests that are queued
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous processing threads the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the location of the cache files the maximum cache size the number of minutes between refreshes from the database
The Metrics tab also provides a table that lists the Page Servers that the Cache Server has connections to, along with the number of connections made to each Page Server. Central Management Server For the CMS, the Metrics tab lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any users link to view the associated account details. Connection Server For the Connection Server, the Metrics tab lists the current settings, which you can change on the Properties tab:
HTTP and CORBA protocol settings trace settings connection pooling the timeout duration for inactive jobs
Job Servers The Metrics tabs of these servers lists the following metrics:
the location of its temporary files the processing mode the current number of jobs that are being processed
341
15
the total number of requests received the total number of failed job creations
Note: This applies to all types of Job Servers, including Crystal Reports Job Servers, Program Job Servers, Destination Job Servers, List of Values Job Servers, Desktop Intelligence Job Servers, and Web Intelligence Job Servers. Desktop Intelligence Cache Server For each Desktop Intelligence Cache Server, the Metrics tab provides the following metrics:
the current cache size the number of bytes transferred the number of current connections the number of requests served the cache hit rate the number of requests that are queued
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of the cache files whether or not report jobs are shared the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the number of documents to keep in the cache when the cache is full the maximum cache size whether or not to share report data between clients the number of minutes between refreshes from the database
The Metrics tab also provides a table that lists the processing servers that the Desktop Intelligence Cache Server has connections to, along with the number of connections made to each server. Note: This server processes information only for Desktop Intelligence documents. Desktop Intelligence Report server For the Desktop Intelligence Report Server, the Metrics tab provides the following metrics:
the number of current connections the current number of open processing threads running the total number of requests served
342
15
the total bytes transferred the number of requests queued the maximum number of child processes the number of failed requests
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of temporary files the number of minutes before an idle connection is closed the maximum number of simultaneous report jobs the maximum number of operations allowed before resetting a report job whether a viewer refresh always hits the database whether or not report jobs are shared the number of minutes before an idle report job is closed the number of preloaded report jobs whether or not to share report data between clients the oldest processed data given to a client VBA settings
Note: This server processes information only for Desktop Intelligence documents. Event Server For the Event Server, the Metrics tab displays statistics for each file that the server is monitoring, including the file name and the last time the event occurred. Crystal Reports Page Server For the Page Server, the Metrics tab provides the following metrics:
the number of current connections the number of requests queued the current number of processing threads running the total number of requests served the number of failed requests the total bytes transferred
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous report jobs the number of minutes before an idle connection is closed
343
15
the maximum number of database records shown when previewing or refreshing a report whether a viewer refresh always hits the database the setting for the Report Job Database Connection the location of temporary files the maximum number of subprocesses the minutes before a report job is closed the oldest processed data given to a client
Note: This server processes information only for Crystal Reports objects. Report Application Server The Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created. Web Intelligence Report Server For the Web Intelligence Report Server, the Metrics tab provides the number of current requests and the total number of requests. The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:
the maximum number of connections the number of minutes before an idle connection is closed whether or not to enable document caching whether or not to enable real-time caching the number of minutes allowed for document caching the size of the document cache whether or not to enable list of values caching the batch size for lists of values the maximum size allowable for custom sorting a list of values the size of the universe cache the percentage of documents to keep in the cache when the cache is full the maximum number of minutes allowed for scanning the document cache the maximum number of downloaded documents to cache the maximum size of binary and character files
Note: This server processes information only for Web Intelligence documents.
344
15
Related topics:
In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating systems standard system log.
On Windows NT/2000, BusinessObjects Enterprise logs to the Event Log service. You can view the results with the Event Viewer (in the Application Log). On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application. Each server prepends its name and PID to any messages that it logs.
345
15
This example shows two messages logged to the syslog daemon on UNIX:
Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:
On Windows, the default logging directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Logging On UNIX, the default logging directory INSTALL_ROOT/bobje/logging directory of your installation.
The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.
346
15
2.
For each server component, compare the information you received from your users to the server metrics in the Central Management Console. Note: For information, see Analyzing server metrics on page 339. Compare the servers current traffic metrics to the recommended service thresholds. Pay particular attention to the number of simultaneous requests and user connections. For a list of the recommended service thresholds, see Analyzing service thresholds on page 64. For information about making resource calculations, see Calculating the minimum resource requirements on page 71.
3.
4.
Sort the server components into the following categories: Minor performance risk: A server component is considered a minor risk if a low percentage of your users report performance problems and the server metrics do not reflect the same problems. Moderate performance risk: A server component is considered a moderate risk if the server metrics show that the current usage is close to the limit of the recommended service thresholds. You may also want to flag a server component as a moderate risk if a high percentage of users report performance issues, or if you expect an increase in usage that will cause the current usage numbers to meet the service thresholds. Major performance risk: A server component is considered a major performance risk if the server metrics show that current usage significantly exceeds the minimum service thresholds. You may also want to flag a server component as a major risk if you expect a substantial increase in usage that will cause the usage numbers to exceed the service thresholds.
5.
After you isolate the key problem areas and the severity of the performance issues, proceed to the next section: Resolving performance issues on page 348.
347
15
For minor or moderate performance issues, users encounter occasional performance issues or your system approaches the limits of the recommended service thresholds. You may be able to resolve these issues by fine-tuning your system configuration. For more information, see Configuring the intelligence tier for enhanced performance on page 351 and Configuring the processing tier for enhanced performance on page 354.
For major performance issues, your server traffic significantly exceeds the recommended service thresholds. You should consider expanding the system by adding servers to account for the problem areas. For more information about scaling considerations, see Scaling your system on page 366. For installation instructions, see the BusinessObjects Enterprise Installation Guide.
For example, when you install a default deployment of Business Objects Enterprise, one Web Intelligence Report Server is installed by default. This deployment will easily meet your needs if you have under 20 concurrent active users accessing the Web Intelligence Report Server by working with xCelsius or Web Intelligence documents. If you have 20 to 30 users accessing the Web Intelligence Report Server, you may encounter some performance issues because you are reaching the limits of the recommended service threshold. To account for some of these problems, you can tweak the Web Intelligence Report Server settings. (For details, see Modifying performance settings for the Web Intelligence Report Server on page 357.) However, if your traffic is significantly higher than the service threshold (such as 50 concurrent active users using the Web Intelligence Report Server) then you need to scale your system to include more instances of the Web Intelligence Report Server service. The following table provides a quick reference for troubleshooting performance for each type of server component:
348
15
Performance risk
Solutions
Minor/moderate
Because the CMS manages the entire system, problems that appear to be CMS issues may be caused by the server components managed by the CMS. It is good practice to check the performance of all other services before adding new CMS services. For other information about advanced CMS configuration, see Advanced server configuration options on page 146. Install additional CMS services. For information, see Increasing overall system capacity on page 367. Change how often the Event Server checks for file events. For more information, see Modifying the polling time of the Event Server on page 351. It is unlikely that you will encounter major performance issues with the Event Server. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366. You can resolve many issues by changing Cache Server properties such as the maximum cache size and the number of minutes between database refreshes. For more information, see Modifying Cache Server performance settings on page 352. If your system exceeds 400 simultaneous requests, install an additional Cache Server. See Scaling your system on page 366. If the number of simultaneous jobs does not exceed the recommended threshold of 20 jobs, check the Maximum Jobs Allowed setting. For more information, see Modifying performance settings for job servers on page 355. If the Job Server is running more than 20 simultaneous jobs on average, install another Job Server service. See Scaling your system on page 366.
Event Server
Major
Minor/moderate
Major
Cache Server
Minor/moderate
Job Servers
Major
Minor/moderate
Major
349
15
Performance risk
Solutions
Minor/moderate
If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying Desktop Intelligence Report Server performance settings on page 356. If the number of concurrent active users exceeds 25, install addition servers. See Scaling your system on page 366. If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying performance settings for the Web Intelligence Report Server on page 357. If the number of concurrent active users exceeds 25, install addition servers. See Increasing Web Intelligence document processing capacity on page 368. If the problem seems to be related to database access, see Modifying database settings for the RAS on page 360. To adjust the Report Application Servers settings for connection idle time and the maximum number of simultaneous threads, see Modifying performance settings for the RAS on page 362. If your users run more than 200 simultaneous requests, install additional Report Application Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369. You can change how a Page Server handles data and user connections by fine-tuning its settings. See Modifying Page Server performance settings on page 363. If the Page Server is handling more than 400 simultaneous viewing sessions, install more Page Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369.
Major
Minor/moderate
Major
Minor/moderate
Major
Page Server
Minor/moderate
Major
350
15
Configuring the CMS on page 351 Modifying the polling time of the Event Server on page 351 Configuring the File Repository Servers on page 352 Modifying Cache Server performance settings on page 352
351
15
5.
4.
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
352
15
353
15
354
15
Modifying Desktop Intelligence Report Server performance settings on page 356 Modifying performance settings for the Web Intelligence Report Server on page 357 Modifying database settings for the RAS on page 360 Modifying performance settings for the RAS on page 362 Modifying Page Server performance settings on page 363
355
15
Temp Directory
You can also change the default directory where the server stores its temporary files.
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
356
15
5.
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
Return to the Servers management area of the CMC and restart the Job Server.
357
15
358
15
359
15
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.
360
15
361
15
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.
362
15
It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.
363
15
364
15
value too low can cause a users request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.
365
15
disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests.
366
15
Increasing overall system capacity on page 367 Increasing scheduled reporting capacity on page 367 Increasing on-demand viewing capacity for Crystal reports on page 369 Increasing prompting capacity on page 369 Enhancing custom web applications on page 370 Improving web response speeds on page 371 Getting the most from existing resources on page 371
Install the Job Server in close proximity to (but not on the same machine as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.
367
15
Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time. If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources. Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).
368
15
Increase the maximum allowed size of the cache. For details, see Modifying Cache Server performance settings on page 352. Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine. Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.
369
15
To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-ofvalues objects to be processed by the RAS server group.
2.
370
15
Assess your web servers ability to serve the number of users who connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web servers hardware. If web response speeds are slowed only by report viewing activities, see Increasing scheduled reporting capacity on page 367 and Increasing on-demand viewing capacity for Crystal reports on page 369. Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see Increasing overall system capacity on page 367.
If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:
Increase the hardware resources that are available to the application server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine.
Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.
371
15
necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information. BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.
372
General Troubleshooting
chapter
16
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This section includes general troubleshooting steps along with solutions to some specific configuration issues. In general, consider the following key points when troubleshooting:
Ensure that client and server machines are running supported operating systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution. Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur. On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.
Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.
If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and Web accessibility issues on page 375. If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see TReport viewing and processing issues on page 383. Look for solutions in the documentation included with your product. For details, see Documentation resources on page 375. Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles: http://support.businessobjects.com/
374
16
Documentation resources
The BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details. BusinessObjects Enterprise also includes a number of manuals. CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView. Additional Compiled HTML Help (CHM) files are provided with the following client tools:
Central Configuration Manager Publishing Wizard Repository Migration Wizard Import Wizard Crystal Report Offline Viewer
Press F1 or click Help to launch the online help from within these applications.
375
16
If you have multiple web sites on IIS, in addition to those running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -c C:\<Installdir> If IIS is only running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -i
376
16
SSLTrustCertificate = cacert.der SSLKey = server.key SSLPassphrase = passphrase.txt '== End Current SSL Settings ===
2. 3. 4.
Copy the files from this location and add them to the appropriate folder (UNC or Local). Copy the SSLConfig.exe utility to a location on the client computer and open a command prompt to the directory where you copied the file. Type the following command and replace the variable with the specifics from the SSL configuration you displayed in a previous step:
"SSLCONFIG -dir <certdir> -mycert <sdkcert> -rootcert <rootcert> -mykey <privatekey> -passphrase <passphrase> -protocol <protocol>"
Tip: If your configuration was identical to the sample output from step 1, you would enter the command as follows:
SSLCONFIG -dir C:/SSL -mycert servercert.der rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl
Note: If any of your directories contain spaces, be sure to enclose the path with a double quotation marks.
If the box is checked, ASP.NET is installed. If the box is clear, check the box and then click OK.
377
16
6. 7. 8.
Click Next. The component will be installed. Click Finish. If you have changed the configuration for IIS, restart IIS.
4. 5.
Change port 8080 to an available port number. Save and close the file.
378
16
Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)
This error message occurs on Windows 2003 computers running IIS version 6.0 where the default application pool is running under the Network Service Account. However, the Network Service Account does not have sufficient rights to the files and registry needed to create a copy of the report in the enterprise system. To resolve this error message, use the Local System Account to run the default application pool as this account has sufficient rights. 1. 2. 3. 4. 5. 6. 7. 8. To run IIS under Local System account Open the IIS Console. Expand the Application Pools folder. Right-click DefaultAppPool, and then click Properties. Click the Identity tab. Ensure the Predefined radio button is selected. Select the Local System account from the drop-down list. Click OK. Restart IIS.
379
16
This error may occur for various reasons. Investigate these common solutions:
Ensure that the specified authentication type corresponds to the user name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise. Netscape users must provide a valid Windows NT user name in the form of Domain\User. Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS. If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user
380
16
account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.
The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.
DOMAIN\ABC123
This problem, which happens with with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same either in case or otherwise. Following are two examples which may cause a problem:
The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name is the same.
Because the web.config file used by IIS has not been configured properly. Because IIS has not been configured properly.
381
16
Follow these steps to resolve this problem. Modify either of the following web.conf file based on what you want to configure for AD and Kerberos. To configure both the CMC and InfoView configure the web.config file in the Web Content directory; To configure only InfoView , configure the web.config file in the InfoView directory. 1. To configure the web.config for AD and Kerberos Open the appropriate Web.config file from either of the following locations:
2. 3. 4. 5. 6. 1. 2. 3. 4. 5. 6. 7. 8.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView
Save and close the web.config. Restart IIS. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Expand the web site that runs your BusinessObjects Enterprise applications. Right-click businessobjects, and then select Properties. Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:
9.
382
16
10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportvewiers115 and styles. 13. Restart your IIS server.
383
16
1.
If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server. If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server. If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS. If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.
2.
Open the report from the CMS. On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.
3.
Test your database connection and authentication. On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.
4.
If the reports parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error. Verify that the tables used in the report match the tables in the database. On the File menu, clear the Save Data with Report check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.
5.
6.
Refresh the report and, if current data is not returned from the database, check these possible causes:
If the report fails, ensure that the database credentials provide READ rights to all tables in the report. If the database credentials are valid, the reports SQL statement is evaluated at this time. Check the join information. Note any ODBC errors that are produced.
384
16
If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.
7.
Go to the last page of the report. Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).
8.
Export the report to Crystal Reports format (or any other desired format). This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.
9.
10. Close the report. 11. Close Crystal Reports. 12. Repeat the activity that caused the original report to fail: view the report on demand over the Web, or schedule the report for processing.
385
16
Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see Troubleshooting reports with Crystal Reports on page 383. 2. Change the servers logon account. BusinessObjects Enterprise servers require access to various local and/ or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a servers logon account, see Configuring Windows processing servers for your data source on page 140. Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services. 3. Verify the servers access to ODBC Data Source Names (DSNs). Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report. If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI
Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see Configuring Windows processing servers for your data source on page 140. 4. Determine the configuration of the database client software. If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below
HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot
use the database client software to communicate with the database. 5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS.
386
16
Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each servers logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see the BusinessObjects Enterprise Deployment and Configuration Guide. 6. Check whether or not NT authentication is performed by the database. If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each servers logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass endusers NT tokens through to the database server.) To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication. 7. Check the available environment variables. Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details. 8. Reference remote data sources with UNC paths. Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see Ensuring that server resources are available on local drives on page 388. 9. Ensure that you have enough database client licenses. If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database. 10. Check that database connections are closed in a timely fashion.
387
16
If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the Minutes Before an Idle Job is Closed setting, see Modifying Page Server performance settings on page 363. 11. Use multi-threaded database drivers. Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes. 12. Check for problems with particular data sources. If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base. IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients. If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.
388
16
Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see Configuring Windows processing servers for your data source on page 140. Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on. Note: Changing a servers log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that account. Instead, the servers perform account impersonation. This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).
This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)
389
16
InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.
Import Wizard
Unable to import users from BusinessObjects 6.5
When using the Import Wizard, you get the following error after you enter your BusinessObjects 6.5 credentials:
"Error logging on to server. Please check logon information and try again. Unspecified error."
This error occurs because you because your new server that hosts BusinessObjects Enterprise does not have the same System DSN used on the BusinessObjects 6.x system. To fix this problem, create an exact copy of the System DSN used for the security domain on the BusinessObjects 6.x on the new destination BusinessObjects Enterprise machine.
390
Managing Auditing
chapter
17
You must configure the auditing database. If you installed Auditor, and provided the authentication details for your auditing database when you installed BusinessObjects Enterprise, you have already configured the auditing database. If you did not install Auditor, you must configure the auditing database before you can use Auditor. For step by step instructions, see Configuring the auditing database on page 393. Note: Auditor is installed by default when you install and use a keycode that authorizes you to Auditor, unless you cleared the Auditing Database check box during the install, or did a custom install and specifically excluded Auditor.
You must first determine which server controls that action. To determine which server controls an action, see Reference list of auditable actions on page 395. You must enable auditing of that action in the Servers management area of the Central Management Console (CMC). For step by step instructions, see Enabling auditing of user and system actions on page 399. You must configure the universe connection. The auditing reports are written against the Activity universe, this universe connection must be configured so it can connect to the auditing database. For step by step instructions, see Configuring the universe connection on page 401.
As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file. As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditees local log files. When the CMS receives these records it writes data from the log files to the central auditing database.
392
17
The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions. Once the data is in the auditing database, you can run the sample reports against the database or design custom reports to suit your own needs.
It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information. Note:
The CMS system database and the auditing database are independent. If you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers. If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See Clustering Central Management Servers on page 114 for more information on setting up CMS clusters.)
393
17
1. 2. 3. 4.
To configure the auditing database on Windows Start the Central Configuration Manager (CCM). Stop the CMS. Click Specify Auditing Data Source. In the Select Database Driver dialog box, specify whether you want to connect to the new database through SQL Server (ODBC), or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:
5. 6.
If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new Data Source Name (DSN).) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.
The SvcMgr dialog box notifies you when the auditing database setup is complete. 7. 8. Click OK. Start the CMS. When the CMS starts, it will create the auditing database.
Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select Write server audit information to specified data source, and then click Specify. To configure the auditing database on UNIX For more information on UNIX scripts, see UNIX Tools on page 473. 1. 2. Use ccm.sh to stop the CMS. Run cmsdbsetup.sh.
394
17
3. 4. 5. 6.
Choose the selectaudit option, and then supply the requested information about your database server. Run serverconfig.sh. Choose the Modify a server option. Select the CMS, and enable auditing. Enter the port number of the CMS when prompted (the default value is 6400).
Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database. Note:
The CMS acts as both an auditor and as an auditee when you configure it to audit an action that the CMS itself controls. In a CMS cluster, the cluster will nominate one CMS to act as system auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.
395
17
User Actions
Actions Objects An object is created. An object is deleted. An object is modified. A report has been viewed successfully. A report could not be viewed. A report is opened successfully using: the Advanced DHTML viewer. BusinessObjects Enterprise Server CMS
Crystal reports
A report fails to open. A report has been created successfully using: a custom application that uses the RAS SDK. A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK). A report fails to save using a custom application based on the RAS API. Get list of universes. Web Web Intelligence Intelligence A user has begun creating a new Web Report Server documents Intelligence document, which triggers a request to the server for the list of available universes. Save document to repository. A user has saved a Web Intelligence document within BusinessObjects Enterprise. Read Document. User opens an existing Web Intelligence document. Selection of universe.
A user has selected a universe as they create a new Web Intelligence document, or as they edit an existing Web Intelligence document.
396
17
Actions
Refresh document. Web Intelligence Web Report Server Intelligence User manually refreshes a Web documents Intelligence document, or the user opens a Web Intelligence document that is set to refresh on open. Edit document. User enters Edit document mode for an existing Web Intelligence document. Apply format.
User applies a formatting change to an existing Web Intelligence document in a query panel.
Get page. Server renders the pages of a Web Intelligence document in response to a user request to display all or part of a document. Generate SQL. Server generates an SQL query in response to a user action that requires data to be retrieved from a database. Drill out of scope.
User drills past the scope of the data currently in memory, and triggers a call to the database for more data. List of values. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. Select prompt.
397
17
Actions Desktop A job has been run successfully. Intelligence Either a Desktop Intelligence document documents has been scheduled or a publication based of that document has been scheduled.
A job has failed to run. Users A job failed but will try to run again. A concurrent user logon succeeds. A named user logon succeeds. A user logon fails. A users password is changed. User logs off. Send an object to a destination A job has been run successfully. (A user has successfully sent an object to a destination.) A job has failed to run. (An object has failed to be sent to a destination.) A job failed but will try to run again. An event is registered. (Event is created, and registered with system) An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered. (Event is removed from system.) Destination Job Server CMS
File-based events
Event Server
398
17
System Actions
Actions Scheduled objects A job has been run successfully. For example, a scheduled Crystal report or publication has run successfully. A job has failed to run. For example, a scheduled Crystal report or publication has failed to run. BusinessObjects Enterprise Server Job Servers
Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. A job failed but will try to run again. Communication with a running instance is lost. For CMS example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired. Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document. An event is triggered. Event Server
File-based events
399
17
In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See Configuring the auditing database on page 393 for information on how to configure the auditing database. 1. 2. To enable audit actions Go to the organize Servers area of the CMC. Click the server that controls the action that you wish to audit. (See the Reference list of auditable actions on page 395 to find the correct server.) 3. Click the Auditing tab.
4. 5. 6.
Select the Auditing is enabled check box. Select the audit actions that you wish to record. Ensure that your audit log file is located on a hard drive that has sufficient space to store the log files. (See Optimizing system performance while auditing on page 404 for information on adjusting the size of log files.)
400
17
7. Tip:
Click Update. To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.
Tip: You may want to write down the name of your data source as it will be required when you create or edit the universe connection. 1. 2. 3. To configure the Activity universe connection Start Designer from the BusinessObjects Enterprise program group. Click on the connections icon in the toolbar. The Connection List dialog box appears. Click Add, and then click Next.
401
17
4. 5. 6. 7. 8. 9.
Expand the database type and the version that corresponds with the your auditing database. Select the driver or client to use. Enter a name for your connection. Enter the User Name and Password for your connection. Select the Data source name from the list, and then click Next. Click Next on the Perform a Test dialog box.
10. Click Next on the Advanced Parameters dialog box. 11. Click Finish on the Custom Parameters dialog box. 12. Click Finish to exit and finalize your connection.
One set was created using Crystal Reports. One set was created using Web Intelligence.
Both sets of reports are available in the collateral folder on your product distribution in the file auditing.biar. These sample reports are published to the Auditor folder when you install BusinessObjects Enterprise with a product keycode which authorizes you to use Auditor. The Crystal Reports audit reports are available as object packages with the report sections as individual documents. The Web Intelligence audit reports are available as Web Intelligence documents with the report sections as tabs within the documents. Both sets of reports are based on the Activity universe. Note: You can also deploy the auditing samples to another node. To do this, use the Import Wizard to deploy the auditing.biar to the CMS on the node where you want the reports. For further details, see the Import Wizard help. If you configured the auditing database when you installed BusinessObjects Enterprise, you must do these things before using the sample audit reports:
Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399.
Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.
402
17
If you did not configure the database when you installed BusinessObjects Enterprise, before you use the reports, you must do these things:
Configure the auditing database before you use the sample reports. For information on how to configure the auditing database, see Configuring the auditing database on page 393 Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399
Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.
After you enable auditing of the user and server actions, the auditing database will then begin to be populated with the audit data you specified. Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them.
You can turn off this option by setting minutes to zero. For more information on the CMS, see the Server Command Lines chapter in the BusinessObjects Enterprise Administrators Reference Guide. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an Network Time Protocol (NTP) client, and then turn off internal synchronization by setting:
-AuditeeTimeSyncInterval 0
403
17
Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.
default value is 5.) The CMS requests audit records from each audited server every audit interval.
-AuditBatchSize number, where number is between 50 and 500. (The
default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.
-auditMaxEventsPerFile number (number has a default value of 500
and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file. Note: Log files remain on the audited server until all records have been requested by the CMS. Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.
404
17
Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions.
405
17
406
Auditing Reports
chapter
18
You can use the auditing reports that are included with BusinessObjects Enterprise. You can modify the auditing reports that are included with BusinessObjects Enterprise. You can create your own auditing reports.
the list of the report names the report sections included with the reports the report prompts
Average Number of Logged In select reporting year Sessions Users Logged In Average Number of Users Logged In select reporting month
408
18
409
18
Report sections Average Session Duration in Minutes per Month per User Average Session Duration in Minutes per Week per User
Report prompts
Cluster Nodes
Report sections Servers in the Cluster Report prompts None
Job Summary
Report sections Jobs per Status Successful Jobs Failed Jobs Report prompts
410
18
411
18
412
18
Password Modifications
Report sections Password Modifications - By Month Password Modifications - By Week Password Modifications - By Details Report prompts select start date select end date
413
18
Peak Usage
Report sections Users Login Peaks Session Login Peaks Number of Action Peaks Report prompts select year
Rights Modification
Report sections Rights Modification - By User Report prompts select start date
Total Users Logged In by Day - enter a date Total Number of Logged In Users Total Users Logged In by Day Total Number of Logged in Sessions
User Activity
Report sections User Activity by Month User Activity by Week User Activity by Day Report prompts select start date select end data
414
18
To open a Web Intelligence audit report, click on the report you want to view. To open a Crystal Reports audit report, open the object package, and then open the report you want to view.
415
18
Audit_Event on page 416 Audit_Detail on page 417 Server_Process on page 418 Detail_Type table on page 420 Event_Type on page 419 Application_Type on page 419
The following diagram shows the Activity universe which is based on the auditing database.
Audit_Event
The Auditt_Event table stores one record per action that is audited and contains general information about each audit event.
416
18
Field
Server_CUID
Description Server process ID. Combined with the Event_ID to form the primary key for the Audit_Event table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table. Name of user who performed the action. Time for start of action in UTC (Coordinated Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports. Duration, in seconds, of the action that is audited. Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table. Info Object ID of object associated with the action. This number uniquely identifies an object. Field reserved for error codes generated by the Web Intelligence Report Server.
Event_ID
User_Name Start_Timestamp
Duration Event_Type_ID
Object_CUID Error_Code
Audit_Detail
The Audit_Detail table records more details about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details. There may be more than one record in this table for each audit action recorded in the Audit_Event table.
417
18
Field
Server_CUID
Description Server process ID. Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table. The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2. Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table. Information about the audit detail being recorded. For example, if the Detail_Type_Description were universe name, the detail text would contain the name of that universe.
Event_ID
Detail_ID
Detail_Type_ID
Detail_Text
Server_Process
The Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events. Field
Server_CUID Server_Name
Description Server process ID. Primary key for the Server_Process table. Machine name of the server that produced the action. That is, the host name. that generated the audit action. Foreign key to the Application_Type table.
418
18
Field
Server_FullName
Description Friendly name of the server that produced the action. The servers friendly name is the name displayed in the CMC. The default friendly name is
hostname.servertype.
Server_Version
Event_Type
The Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise Field
Event_Type_ID
Description Number that uniquely identifies the type of audit event that the entry represents.
Application_Type
The Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers. Field Name
Application_Type_ID
Description A unique ID that identifies the type of application that generated the audit action. The description of the application generating the audit event.
Application_Type_Description
419
18
Detail_Type table
The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10. Field
Detail_Type_ID Detail_Type_Description
Description Number that uniquely identifies the type of audit detail that the entry represents. The description of the type of audit detail generated by the audit event.
65538
420
18
Event_Type_ ID Event_Type_Description Description 65542 New folder created. A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder. A folder is deleted. Note that this audit string will be recorded when a user account (and therefore the users folder) is deleted. The name, location, or description of the folder was changed. A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job. Cache Server audit events Event_Type_ ID Event_Type_Description 196609 Crystal report viewed successfully. A report could not be viewed. Description User successfully viewed a Crystal report that has saved or live data. User attempted to view a Crystal report, but was not successful.
65543
Folder deleted.
65544
Folder modified.
65545
196610
421
18
Job Server audit events For scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user. Event_Type Event_Type_Description _ ID 327681 Job successful. Description The object ran as scheduled (or requested) and the job completed successfully. The scheduled job did not complete successfully. The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see the BusinessObjects Enterprise Administrators Guide.
327682 327683
Event Server audit events Event_Type_ ID Event_Type_Description 262145 Event registered Description User creates a file-based event that can be used to schedule objects. User deletes a file-based event. Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event. File-based event was initiated.
262146 262147
262148
Event triggered
422
18
Report Application Server audit events The Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.
423
18
Description
Report was opened for User opened a report for viewing and/or modification viewing or modification. Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:
There are problems with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine A processing extension associated with the report aborts viewing, or fails. The report used Business Views and the user did not have permissions to refresh the underlying data connections. The machine running the RAS ran out of space in its temporary directory.
458754
generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.
424
18
Event_Type_ ID Event_Type_Description 458755 Report was created and saved to the CMS
Description A new report was created and saved. This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details. The report could not be opened by the RAS. An existing report could not be saved by RAS. This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details. A newly created report could not be saved by RAS.
458756 458757
Report could not be opened. Report could not be saved to the CMS.
458758
Web Intelligence Report Server audit events Event_Type_ ID Event_Type_Description Description 6 Get list of universes User accesses a list of universes as part of a document creation workflow. User saves a Web Intelligence document to BusinessObjects Enterprise. User opens an existing Web Intelligence document. User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.
11 13
425
18
Event_Type_ ID Event_Type_Description Description 19 Document refresh User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the refresh on open document property assigned. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. User has moved into Edit document mode. User applies a formatting change to a document, in a query panel. User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document. Appears when a user refreshes a document. User drills past the scope of the data currently in memory, and triggers a call to the database for more data.
21
List of values
22 28
40
Get page
41 42
426
appendix
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
fonts and font sizes for tables, cells, chart axes, and so on background colors (wallpaper) lines and borders for cells and tables color palettes
The new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings. In the defaultconfig.xml file, settings are grouped by key value. (See List of key values on page 432.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start. For an example of how to modify the defaultconfig.xml file, see Example: Modifying the default font in table cells on page 433. Note:
You cannot use defaultconfig.xml to customize the appearance of the HTML Report panel. The defaultconfig.xml is also used by the REBean Editing SDK. For more information, see the developer documentation.
428
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
429
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
By modifying a few settingsstable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell bordersdefault Web Intelligence tables and charts can look like this:
430
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
3.
Extract defaultconfig.xml from the desktop.war file. For the Java Report Panel, extract
webiApplet\AppletConfig\defaultconfig.xml
Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file. 4. 5. Make a backup of the defaultconfig.xml file. Open defaultconfig.xml, and make your changes. See List of key values on page 432 for information on the values you can change, and Example: Modifying the default font in table cells on page 433 for an example. 6. 7. 8. Save and close defaultconfig.xml. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the file into the correct directory within the .war file. Restart your web application server and redeploy desktop.war. See the BusinessObjects Enterprise Installation Guide for details.
431
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
432
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
Interface element Object name cells in a crosstable Footer cells in a table General settings for forms Header cells in a table Header cells in a form General settings for tables Custom fonts
433
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
4.
To change the default font for specified languages, enter the font name after FACE=. For example, to change only Japanese to a font named SpecialFont, you would enter:
<FONT xml:lang="ja" FACE="SpecialFont" ...
5.
To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=. Note: You must modify the default font values separately for each language you want to change.
6. 7.
Modify any other attributes you want, such as font size. Save and close the defaultconfig.xml file.
434
appendix
Information on how BusinessObjects Enterprise components communicate across the network. Instructions for configuring BusinessObjects Enterprise servers. Instructions for configuring firewalls to allow BusinessObjects Enterprise components to communicate with each other. Help for deploying BusinessObjects Enterprise servers on machines with more than one Network Interface Card (NIC). A list of unsupported deployment scenarios. BusinessObjects Enterprise servers and clients are separated from each other by one or more firewalls. BusinessObjects Enterprise servers are deployed on machines with more than one Network Interface Card.
If all BusinessObjects Enterprise components are deployed entirely on the same subnet, and if no server is deployed on a multi-homed machine, then you do not need the information in this appendix.
436
Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate
If the -port <host name or host address> option is set, the BusinessObjects Enterprise server uses the specified host name or host address in the IOR. If its -port option is not set, the server makes a system call to its host machine to discover its IP address. (On a multihomed machine, this call typically returns the machines main IP address). If the -requestport <port number> option is set, the BusinessObjects Enterprise server uses the specified port number in the IOR. Otherwise, the BusinessObjects Enterprise server chooses chose a port at random. If your BusinessObjects Enterprise components are separated from each other by firewalls, you should use the -requestport option. Then you can open that specific port in your firewall.
3.
437
Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate
The BusinessObjects Enterprise server registers with the CMS via the CMS factory service. The CMS creates a server infoObject to represent the BusinessObjects Enterprise server. The infoObject contains the BusinessObjects Enterprise servers host name, the IOR it passed in, and other information. (You can look in the System Objects table in the CMS Repository to see a list of server infoObjects.) Note: The CMS uses two ports. Every BusinessObjects Enterprise server must be able to contact the CMS on both ports.
438
Whether the IOR contains a specific port or a randomly-selected port This is important if BusinessObjects Enterprise components must contact each other through a firewall. Whether the IOR contains host IP address or host name This is important if your firewall uses NAT. Whether the server listens on any port or only the specified port Whether the server listens on any NIC or only the specified NIC This can be important when you deploy multiple CMS servers on the same machine, or when you deploy a BusinessObjects Enterprise server on a machine with more than one NIC.
Note: When you change a servers configuration parameters you must force the BusinessObjects Enterprise system to recognize the changes. See Frequently Asked Questions on page 443.
Examples
-port servername.example.com:6401 -requestport 6499 -port 10.50.1.2:6400 -requestport 6410 -port servername.example.com
439
Parameter
-port
Description (CMS server) Description Optional. Forces the CMS to listen on the specified host and port. Forces the CMS factory service IOR to contain the specified host name or host IP address. If not specified CMS server makes a system call to determine the IP address of its host machine, and uses port 6400 by default. CMS factory service IOR will contain the host IP address. Allowed settings -port FQDN -port FQDN:port -port host_address -port host_address:port Relationship to other servers Other CMS servers must know how to contact the CMS. A servers -ns option contains the CMS host and port that the server will contact when it starts up. If you change the -port parameter on the CMS, you must update the -ns parameter of all other servers in the cluster. Optional. Forces the CMS to accept CORBA communication on the specified port only. If not specified CMS will accept CORBA communication on any port. The CMS factory service IOR will contain a randomly-chosen port.
When to use If BusinessObjects Enterprise components must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT to resolve the host name to a routable address. If more than one CMS server is deployed on the same machine. If you deploy multiple CMS servers on the same machine, you must bind each CMS Name Server to its own port.
-requestport Description
CMS must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this CMS from any BusinessObjects Enterprise servers, client applications, or the Application server. Open the specified port in the firewall.
440
Example
-port servername -requestport 6409 -ns servername.example.com:6400 -requestport 6409
Parameter
-port
Description (non-CMS server) Description Optional. Binds the service to the specified NIC. The service accepts communication only on the specified NIC. The server itself can still use any NIC when initiating communication. (It uses the host machines routing tables to ensure it chooses the right NIC.) If not specified Server can listen on any NIC. IOR will contain IP address, not host name. Allowed settings -port FQDN (IOR uses the host name) -port host_address (IOR uses the IPaddress)
When to use If this server must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT are able to resolve the host name to a routable address.
(Specifies host for the IOR. Has nothing to do with port numbers)
441
Description (non-CMS server) Optional. Forces the server to accept communication on the specified port only. The server can still talk out any port. If not specified Server will accept communication on any port. The services IOR will contain a randomly-chosen port Description Required. Tells the server where to find the CMS. Allowed settings Must match the -port option set on the CMS server. If the CMS server does not have the -port option set, use the host name on which the CMS server is deployed plus port 6400. The CMS bootstrap host and port must be routable from this servers host machine.
When to use Server must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this server from the CMS or any other BusinessObjects Enterprise servers. Open the specified port in the firewall. Always specified. (If CMS clusters are used, the server is guaranteed to use the host and port specified in the -ns parameter only for the very first contact with the CMS. At this point, a list of the bootstrap ports from all CMS servers in the cluster is added to the registry on the servers host machine. Any one of those CMS might be used in subsequent start-ups.)
-requestport Description
-ns
(the bootstrap host and port for the CMS that this server must contact when it starts up.)
On each Job Server, specify a port range for the Job Server children:
-requestJSChildPorts <lowestport>-<highestport>
All Job Server children will be bound to a port from within the specified range. Note that the port range should never exceed the -maxJobs setting. Note: If -requestJSChildPorts is not set, then Job Server children will be bound to a randomly-selected port.
On the firewall, open the specified port range. Allow communication in both directions between the Job Server children and all BusinessObjects Enterprise servers. On the firewall, open the following additional ports (for Destination Job Servers):
442
port 21 and 22 for FTP in and FTP out (for sending objects to an FTP destination) port 25 for SMTP out (for sending objects to an email destination) (UNIX only) ports 512 and 514 for rexec/rsh out (for sending objects to a disk destination)
Note: For the purposes of configuring your firewall, assume that the Job Server must talk to every other server.
Note: If you change the CMS bootstrap host and/or port, you must update the -ns option for the other BusinessObjects Enterprise servers in the cluster. Should the -name option match the -port option? No, the -name option does not have to match the -port option. However, the -name option must be unique in the CMS cluster, and must contain at least one "." character. Im deploying a CMS or other BusinessObjects Enterprise server on a multihomed machine. Should I do anything special? See Configuring a multihomed machine on page 149. Should I configure a server with its host name or its fully qualified domain name? The service's IOR must contain a host and port number that is routable from all other BusinessObjects Enterprise components that need to use the server. In general, it is better to use the server machine's fully qualified domain name (FQDN). However, in some cases you might actually want to use the server machine's host name.
443
Consider the following example. Your File Repository Server is on a machine called myhost.domain.com with an IP address of 987.654.32.1. From the application servers point of view, myhost.domain.com resolves to 987.654.32.1. In this case, you can use the FQDN for the -port option on the FRS. However if you use only the host name myhost for the -port option, the application server might not be able to resolve myhost to the correct address. The host name may resolve to an incorrect address, such as myhost.olddomain.com. However, there are situations where you may need to configure a server with its host name instead of its FQDN. For example, you might have a firewall between the application server and the CMS. On the client side of the firewall, the host name could resolve to myhost.fwdomain.com. On the CMS side of the firewall, the host name could resolve to myhost.secure.com. You could configure your network so that myhost.fwdomain.com:6400 is forwarded to myhost.secure.com:6400. In this case, you can configure the FRS with the host name instead of the fully qualified domain name.
Configuring firewalls
This section explains how to configure firewalls in different deployment scenarios. This appendix talks about firewalls as hardware devices that are deployed on the network. However, these concepts also apply to software firewalls running on any BusinessObjects Enterprise or non-BusinessObjects Enterprise machine. For example, you may also need to open holes in any software firewall that is running on the same machine as your BusinessObjects Enterprise servers. The following table summarizes general guidelines for configuring firewalls to work with BusinessObjects Enterprise servers:
444
Configuration Set -port <FQDN>:<port> if the CMS must communicate across firewalls. If the firewalls use NAT, you must use the host name. If the firewalls do not use NAT, you can use the host name or the IP address. Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestport if the CMS must communicate across firewalls This applies to all deployments in which BusinessObjects Enterprise components must communicate through firewalls. Setting requestport forces a service to listen on the specific port. You can then open that port on the firewall. Note: CMS servers may be clustered. If so, you need to configure the firewall for each CMS in the cluster.
BusinessObjects Set -port <FQDN> if the server must communicate Enterprise server across firewalls that use NAT (non-CMS server) Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestPort <port> if the server must communicate across firewalls Description is the same as for the CMS server. Additional servers If you add another server on the same machine, you need to open another hole in the firewall. Also note that each new server must have a friendly name that is unique across the entire deployment. That is, no other server registered with the Name Server should have that friendly name. For example, assume you used the Central Configuration Manager -> Add Server to add a second Page server to a machine. If that second Page server needs to communicate across a firewall, you must open a hole in the firewall. Special consideration for Job Servers See Configuring Job Servers for firewalls on page 442.
445
Not every BusinessObjects Enterprise component needs to initiate communication with every other BusinessObjects Enterprise component. However, without knowing exactly which components need to communicate in which workflows, it is safer to assume all of these points are true. You must then open the corresponding ports in any firewalls that separate these components.
Every BusinessObjects Enterprise server must be able to initiate communication with the CMS (both on the bootstrap host and port and the CMS factory service). Every CMS (both bootstrap port and factory service) must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise server must be able to initiate communication with ever other BusinessObjects Enterprise server. Note: This is not always true, but it is easier to assume that it is. Most servers need to talk to both the input and the output FRS. Some types of Job Servers need to talk to their related processing servers. EPM (Performance Management) servers typically need to talk to each other.
Job Servers children need a port range. These servers spawn child processes. These child processes will be assigned a random port unless you specify a port range. Remember that Destination Job Servers use additional ports. See Configuring Job Servers for firewalls on page 442. Every BusinessObjects Enterprise web client and thick client must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise client must be able to initiate communication with the Application Server, and vice versa. This is only a concern on IIS, where the Application Server and the Web Server can be deployed separately.
Should you assume that every BusinessObjects Enterprise server must be able to initiate communication with every BusinessObjects Enterprise client? No. No Platform server needs to initiate contact with the client.
446
Example: A firewall between the application server and BusinessObjects Enterprise servers
When you put a firewall between the application server and the BusinessObjects Enterprise servers, you must open a port for every BusinessObjects Enterprise server. Consider the following example. Assume that an application server (210.32.24.1) and the rest of the BusinessObjects Enterprise servers are on different subnets, with a firewall between them. The firewall uses Network Address Translation (NAT). In this example, the servers are configured as follows:
Configuration
-port host1 -requestport 6499 -port host2 -requestport 6401 -ns host1:6400 -port host3 -request 6401 -ns host1:6400
that uses NAT. Port 6400 will be used for the bootstrap port, because no other port was specified.
-requestport 6499 was specified because communication must cross
a firewall. Port 6499 will be opened in the firewall. When configuring other servers in this situation, consider the following:
-port FQDN was specified because communication must cross a firewall
that uses NAT. Of course, you never specify a port number on this option for non-CMS servers.
-requestport port was specified because communication must cross
447
Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines
Source
Destination 192.168.10.1:6400
Permissions allow
Application server initiates 210.32.24.1:any communication with CMS Factory Service Application server initiates communication with CMS Application server initiates communication to Page Server Application server initiates communication to Cache Server Do BusinessObjects Enterprise servers ever initiate communication with application server? 210.32.24.1:any 210.32.24.1:any 210.32.24.1:any
No. However the RAS viewer initiates communication with one or more clients.
448
Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines
However, if the server needs to initiate communication to another BusinessObjects Enterprise component, it can use any NIC. The server will use its host machines routing tables to ensure it initiates communication via the correct NIC.
Each NIC had its own IP address, or Every NIC shares a common IP address, plus has its own IP address (This implementation can occur with some load balancing products such as Microsoft Load Balancer.)
What happens if -port is not specified You do not always have to set the -port option when you deploy BusinessObjects Enterprise servers on multihomed machines. This section explains what happens if you do not specify -port. What IP address goes in the IOR? If you do not specify -port, the BusinessObjects Enterprise server will make a system call to its host machine to discover its IP address. The IP address returned from the system call will be used in the services IOR. (On some Windows OS versions, the host machine will pick the IP address of the first NIC in the binding order. ) BusinessObjects Enterprise server can receive communication from any NIC If you do not specify -port, the BusinessObjects Enterprise server can listen on any NIC. Considerations when -port <FQDN> is specified If communication crosses a firewall that uses NAT, you probably need to specify -port <FQDN> so that the service IOR contains the host name instead of the host IP address. However, if this option is set, your service will only accept communication from a single NIC. Host name is resolved to a specific IP address If you set -port <FQDN>, the services IOR contains the host name. However, the host name must still be resolved to an IP address before it is routed. If more than one NIC has the same host name, is up the host machine to choose the IP address.
449
Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines
This scenario requires a patch The CMS must be patched if other BusinessObjects Enterprise servers are deployed on machines with multiple NICs that connect to the same subnet. 1. When a server starts, it registers with the CMS. The CMS stores the servers host name and other information. The CMS stores the host name that the server used to register. 2. Later, the server may make another call to the CMS to log on. This logon might occur during a schedule, view, or other operation. It does not have to occur during a regular user logon. 3. If the server sends the logon request to the CMS via a different NIC than the registration request, the CMS will reject the logon. The logon will fail.
Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected
This problem exists because the BusinessObjects Enterprise servers are deployed across different subnets which are not reachable from each other. In the example below, machines on one subnet are not routable from machines on the other subnet. The application server is on one subnet and the FRS is on the other. The CMS is deployed on a mulihomed machine that is connected to both subnets. You will see this problem whether or not you configure the CMS with the port option. Whether or not -port is set, the CMS always puts only one IP address in its IOR. If you cannot route between the two subnets, then either the application server or the FRS cannot reach the CMS's factory service IOR. To resolve this issue, you need to set up a network path between the two subnets.
450
451
Why is this not supported? If you are deploying BusinessObjects Enterprise components in an environment where they use SSL to communicate, and the communication must cross firewalls, then you need a patch. If you deploy BusinessObjects Enterprise clients and servers across different subnets, there must be a network path between the subnets. The BusinessObjects Enterprise components must be able to contact each other.
BusinessObjects Enterprise components deployed across two or more subnets, where there is no network path between the subnets.
452
appendix
On Windows, use the CCM to stop the server. Then open the servers Properties to modify the command line. Start the server again when you have finished. On UNIX, run ccm.sh to stop the server. Then edit ccm.config to modify the servers command line. Start the server again when you have finished. Note: On UNIX, each servers command line is actually passed as an argument to the crystalrestart.sh script. This script launches the server and monitors it in case an automatic restart is required. For more information, see UNIX Tools on page 473.
454
Valid Arguments Behavior string Specify the friendly name of the server. The server registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertype Note:
Do not modify -name for a CMS. If you modify -name for an Input or Output File Repository Server, you must include Input. or Output. as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).
-ns
cmsname[:port Specify the CMS that the server should register with. Add port if the CMS is not listening on the default (6400). This ] option does not apply to the CMS itself. Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024. Note: This port is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.
-requestPort port
455
Option
-port
Valid Arguments Behavior [interface:][ Bind WCA or CMS to the specified port, or to the port] specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments. Note:
Use -port port or -port interface:port for WCA and CMS. Use -port interface for other servers. The port command is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide. If you change the default port value for the CMS, you must perform additional system configuration. For more information please see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.
-restart -fg
Server restarts if it exits with an unusual exit code. UNIX only. Run the daemon in the foreground. When passing the servers command line to the crystalrestart.sh script, you must use this option (see ccm.config). If you run the servers command line directly, do not use this option, because the foreground process blocks the shell until the server exits.
SIGTERM results in a graceful server shutdown (exit code = 0). SIGSEGV, SIGBUS, SIGSYS, SIGFPE, and SIGILL result in a rapid
456
INSTALL_ROOT/bobje/enterprise11/platform/boe_cmsd
457
Option
-threads -reinitializedb
Valid Behavior Arguments number Use a thread pool of the specified size. The default is one thread per request. Cause the CMS to delete the system database and recreate it with only the default system objects. Force the CMS to quit after processing the reinitializedb option. number Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients. Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000. Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10. Specify interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.). Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)
-quit -receiverPool
-maxobjectsincache
number
-ndbqthreads
number
-AuditInterval
minutes
-AuditBatchSize
number
458
Option
-auditMaxEventsPerFile
Valid Behavior Arguments number Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file. Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)
-AuditeeTimeSyncInterval minutes
459
Option
-cache -dir
Valid Arguments
absolutepath Specify the cache directory for a Cache Server and the temp directory for the Page Server. The directories created are absolutepath/cache and
absolutepath/temp
Delete the cache directory every time the server starts and stops. absolutepath Specify the temp directory for the Page Server. This option overrides -dir. minutes number Share cached pages for the specified number of minutes. Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero). Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server. absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. number On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.
-noautomaticdbdisconnect
-report_ProcessExtPath
-auditMaxEventsPerFile
460
Job servers
This section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
Option
-dir -lib
procProgram
Loading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.
-objectType
progID
The program ID of the processing library, which determines the class of object supported by the Job Server: CrystalEnterprise.Report or
-maxJobs
number
Set the maximum number of concurrent jobs that the server will handle. The default is five. Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.
-requestJSChildPorts
lowerboundupperbound
461
Option
Valid Arguments
Behavior Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
-report_ProcessExtPath absolutepath
-auditMaxEventsPerFile number
Option
-ipport
Behavior Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise). Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide.
-report_ProcessExtPath absolutepat
462
Option
-ProcessAffinityMask
Behavior Use a mask to specify exactly which CPUs that RAS will use when it runs on a multiprocessor machine. The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted). For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110. Note:
-auditMaxEventsPerFile number
RAS uses the first permitted processors in the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110. The default value of the mask is -1, which has the same meaning as 0x1111.
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
463
Option
-ConnectionTimeout Minutes -MaxConnections
Behavior Specify the number of minutes before the server will timeout. Specify the maximum number of simultaneous connections that the server allows at one time. Enables caching of Web Intelligence documents when the document is being viewed. Enables real time caching of Web Intelligence documents.
-DocExpressEnable
-DocExpressRealTime CachingEnable -DocExpressCache DurationMinutes -DocExpressMaxCache SizeKB -EnableListOfValues Cache -ListOfValuesBatchSize number -UniverseMaxCacheSize -WIDMaxCacheSize
minutes kilobytes
Specify the amount of time (in minutes) that content is stored in cache. Specify the size of the document cache. Enables the caching per user sessions of lists of values Specify the maximum number of values that can be returned per list of values batch. Specify the number of universes to be cached. Specify the maximum number of Web Intelligence documents that can be stored in cache.
number number
464
The default paths to the program that provides both servers on UNIX are:
INSTALL_ROOT/bobje/enterprise11/platform/boe_inputfilesd INSTALL_ROOT/bobje/enterprise11/platform/boe_outputfilesd Note: If you modify -name for an Input or Output File Repository Server, you
must include Input. or Output. as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK). Option
-rootDir
Valid Arguments
Behavior
absolutepath Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory. Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.
-tempDir
absolutepath Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting). minutes Specify the number of minutes after which an idle session is cleaned up.
-maxidle
465
Event Server
This section provides the command-line options that are specific to the Event Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
Option
-poll -cleanup
Behavior Specify the frequency (in seconds) with which the server checks for File events. Specify the frequency (in minutes) with which the server cleans up listener proxies. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
-auditMaxEventsPerFile number
466
appendix
Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK. Description used in the CMC Respect current security by inheriting rights from parent groups Respect current security by inheriting rights from parent folders Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Define server groups to process jobs Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data View objects that the user owns Edit objects that the user owns Modify the rights users have to objects that the user owns Name used in the SDK AdvancedInheritGroups AdvancedInheritFolders ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightPickMachines ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport ceRightOwnerView ceRightOwnerEdit ceRightOwnerModifyRights
468
Description used in the CMC Delete objects that the user owns Delete instances that the user owns View document instances that the user owns
Pause and resume document instances ceRightOwnerPauseResumeSche that the user owns dule
Access levels
This section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC). Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see Object rights for the Report Application Server on page 472.
No Access
This access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.
View
Description used in the CMC View objects View document instances Name used in the SDK ceRightView ceRightViewInstance
Schedule
Description used in the CMC View objects Schedule the document to run Name used in the SDK ceRightView ceRightSchedule
469
Description used in the CMC Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Export the reports data Edit objects that the user owns Pause and resume document instances that the user owns
Name used in the SDK ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerPauseResumeSchedule
View On Demand
Description used in the CMC View objects Schedule the document to run Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Refresh the reports data Export the reports data Edit objects that the user owns Delete instances that the user owns Pause and resume document instances that the user owns Name used in the SDK ceRightView ceRightSchedule ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightRefreshOnDemandRepo rt ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerDeleteInstance ceRightOwnerPauseResumeSchedule
470
Full Control
Description used in the CMC Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data Name used in the SDK ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemandRe port ceReportRightPageServerExport
The Everyone group is granted the Schedule access level. The Administrators group is granted the Full Control access level.
471
Rights and Access Levels Object rights for the Report Application Server
View objects (or View document instances, as appropriate) Edit objects Refresh the reports data Export the reports data
User must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise. To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), its recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right. When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.
472
UNIX Tools
appendix
Script utilities
This section describes the administrative scripts that assist you in working with BusinessObjects Enterprise on UNIX. The remainder of this help discusses the concepts behind each of the tasks that you can perform with these scripts. This reference section provides you the main command-line options and their arguments.
ccm.sh
The ccm.sh script is installed to the bobje directory of your installation. This script provides you with a command-line version of the CCM. This section lists the command-line options and provides some examples. Note:
Arguments in square brackets [ ] are optional. By default, servers are named with a hostname.servertype convention. If the option requires the server name, use servertype as the server name. If the option requires the fully qualified server name, use hostname.servertype. If you are unsure of a servers fully qualified name, look in the ccm.config file, locate the servers launch string, and use the value that appears after the -name option.
474
CCM Option
-help -start -stop
Arguments denoted by other authentication information are provided in the second table. Valid Arguments n/a
all or servername all or servername
Description Display command-line help. Start each server as a process. Use the short form of the server name. Stop each server by terminating its Process ID. Use the short form of the server name. Stop each server by terminating its Process ID; then each server is started. Use the short form of the server name.
-restart
all or servername
-enable
all or hostname.servertype Enable a started server so that it [other authentication registers with the system and starts information] listening on the appropriate port. Use the fully qualified form of the server name. all or hostname.servertype Disable a server so that it stops [other authentication responding to BusinessObjects information] Enterprise requests but remains started as a process. Use the fully qualified form of the server name.
-disable
-display
Reports the servers current status (enabled or disabled). The CMS must be running before you can use this option. Update objects migrated from a previous version of BusinessObjects Enterprise into your current CMS system database. Use this option after running cmsdbsetup.sh.
information]
475
This table describes the options that make up the argument denoted by other authentication information. Authentication Option
-cms
Description Specify the CMS that you want to log on to. If not specified, the CCM defaults to the local machine and the default port (6400). Specify an account that provides administrative rights to BusinessObjects Enterprise. If not specified, the default Administrator account is attempted. Specify the corresponding password. If not specified, a blank password is attempted. Note: To specify the -password argument, you must also specify the username argument. type for the administrative account. If not specified, secEnterprise is attempted.
-username
username
-password
password
The CCM reads the server launch strings and other configuration values from the ccm.config file. For details, see ccm.config on page 477.
Examples
These two commands start and enable all the servers. The Central Management Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all ccm.sh -enable all
These two commands start and enable all the servers. The CMS is started on port 6701, rather than on the default port:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701
These two commands start and enable all the servers with a specified administrative account named SysAdmin:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin password 35%bC5@5 -authentication LDAP
This single command logs on with a specified administrative account to disable a Job Server that is running on a second machine:
476
ccm.sh -disable MACHINE02.businessobjects.com.reportserver cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication secLDAP
ccm.config
This configuration file defines the server launch strings and other values that are used by the CCM when you run its commands. This file is maintained by the CCM itself, and by the other BusinessObjects Enterprise script utilities. You typically edit this file only when you need to modify a servers command line. For details, see Command lines overview on page 454.
cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the CMS database, CMS clusters, and to set up the audit database. You can add a CMS to a cluster by selecting a new data source for its CMS database. You can also delete and recreate (re-initialize) a CMS database, copy data from another data source, or change the existing cluster name. Note: Before running this script, back up your current CMS database. Also be sure to see Clustering Central Management Servers on page 114 for additional information about CMS clusters and configuring the CMS database. The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. To check the name of your CMS (or any other server), view the contents of ccm.config and look for the servers launch string. The servers current name appears after the -name option. For more information about configuring the CMS database or setting up the auditing database, see Managing Auditing on page 391.
configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/ generic directory of your installation. Use the configpatch.sh script when installing patches that require updates to system configuration values. After installing the patch, run configpatch.sh with the appropriate .cf file name as an argument. The readme.txt file that accompanies BusinessObjects Enterprise patches tells you when to run configpatch.sh, and the name of the .cf file to use.
477
serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your installation. This script provides a text-based program that enables you to view server information and to add and delete servers from your installation. This script adds, deletes, modifies, and lists information from the ccm.config file. When you modify a server using serverconfig.sh, you can change the location of its temporary files. For the Central Management Server, you can change its port number or enable auditing. For the Input File Repository Server or the Output File Repository Server, you can enter the root directory. 1. 2. To add/delete/modify/list UNIX servers Go to the bobje directory of your installation. Issue the following command:
./serverconfig.sh
3. 4.
1 - Add a server 2 - Delete a server 3 - Modify a server 4 - List all servers in the config file
Type the number that corresponds to the action you want to perform. If you are adding, deleting, or modifying a server, provide the script with any additional information that it requests. Tip: The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. However, in this script you can enter hostname to check the name of your CMS (or any other server), view the contents of ccm.config, and look for the servers launch string. The servers current name appears after the name option.
5.
Once you have added or modified a server, use the CCM to ensure that the server is both started and enabled.
For more information about working with servers, see Managing and Configuring Servers on page 97.
478
sockssetup.sh
The sockssetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the Web Component Adapter (WCA) and the Central Management Server (CMS) when they must communicate across one or more SOCKS proxy server firewalls. For technical information about BusinessObjects Enterprise and firewalls, see Working with Firewalls on page 157. 1. 2. 3. To modify SOCKS configuration Go to the bobje directory of your installation. Issue the following command:
./sockssetup.sh
Type wca to configure the communication between the WCA and the CMS. Or, type servers to configure SOCKS information between the remaining servers. The script may prompt you for the name or friendly name of the server. By default, each servers name is hostname.servertype. To check the name of a server, view the contents of ccm.config and look for the servers launch string. The servers current name appears after the name option. The friendly name of the WCA by default is hostname.wca. To check the name of the WCA, look for the <display-name> of the WCA as listed in the web.xml file in the WEB-INF directory of the webcompadapter.war archive. (This archive is found in the businessobjects_root/enterprise/JavaSDK/applications directory, where businessobjects_root is the root directory of your BusinessObjects Enterprise installation.)
4.
5.
Type show to display any SOCKS servers that have already been entered with this script. A blank list is displayed if no servers have been added. Type create to add a new SOCKS server to the list. Type modify to change one of the SOCKS servers in the list. Type delete to remove a SOCKS server from the list. Type moveup or movedown to modify the sequence of SOCKS servers.
Proceed through the script and provide any additional information that it requests:
479
If you are creating a new entry in the list, you will typically need to provide the name or IP address of the SOCKS server, the port number it is listening on, the version number of the SOCKS server (4 or 5), and any authentication information that the BusinessObjects Enterprise servers will require in order to establish a connection with your SOCKS server. If you choose to delete, modify, or move an existing entry, you will be asked to specify the server by index. Type the number that corresponds to the SOCKS server you want to modify.
For details about SOCKS and the importance of the sequence of servers, see Configuring for SOCKS servers on page 175.
uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your installation. This script deletes all of the files installed during your original installation of BusinessObjects Enterprise by running the scripts in the bobje/uninstall directory. Do not run the scripts in the uninstall directory yourself: each of these scripts removes only the files associated with a single BusinessObjects Enterprise component, which may leave your BusinessObjects Enterprise system in an indeterminate state. Before running this script, you must disable and stop all of the BusinessObjects Enterprise servers. Note:
The uninstallBOBJE.sh script will not remove files created during the installation process, or files created by the system or by users after installation. To remove these files, after running installBOBJE.sh, perform an rm -rf command on the bobje directory. If you performed the system installation type, you will also need to delete the run control scripts from the appropriate /etc/rc# directories.
Script templates
These scripts are provided primarily as templates upon which you can base your own automation scripts.
480
startservers
The startservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that starts the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.
stopservers
The stopservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that stops the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.
silentinstall.sh
The silentinstall.sh script is installed to the bobje directory of your installation. Once you have set up BusinessObjects Enterprise on one machine, you can use this template to create your own scripts that install BusinessObjects Enterprise automatically on other machines. Essentially, once you have edited the silentinstall.sh template accordingly, it defines the required environment variables, runs the installation and setup scripts, and sets up BusinessObjects Enterprise according to your specifications, without requiring any further input. The silent installation is particularly useful when you need to perform multiple installations and do not want to interrupt people who are currently working on machines in your system. You can also use the silent installation script in your own scripts. For example, if your organization uses scripts to install software on machines, you can add the silent BusinessObjects Enterprise installation command to your scripts. For information about script parameters, see the comments in the silentinstall.sh script. Note:
Because the silentinstall.sh file is installed with BusinessObjects Enterprise, you cannot install silently the first time you install BusinessObjects Enterprise.
481
The silent installation is not recommended if you need to perform custom installations. The installation options are simplified and do not allow for the same level of customization provided in the BusinessObjects Enterprise install script.
bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects Enterprise server components. If a server process ends abruptly without returning its normal exit code, this script automatically restarts a new server process in its place. Do not run this script yourself.
env.sh
The env.sh script is installed to the bobje directory of your installation. This script sets up the BusinessObjects Enterprise environment variables that are required by some of the other scripts. BusinessObjects Enterprise scripts run env.sh as required. When you install BusinessObjects Enterprise on UNIX, you must configure your Java application server to source this script on startup. See the BusinessObjects Enterprise Installation Guide for more details.
env-locale.sh
The env-locale.sh script is used for converting the script language strings between different types of encoding (for example, UTF8 or EUC or Shift-JIS). This script is run by env.sh as needed.
initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects Enterprise environment variables, and then runs any command that you have added as a command-line argument for the script. This script is intended primarily for use as a debugging tool by Business Objects SA.
482
patchlevel.sh
The patchlevel.sh is installed to the bobje/enterprise/generic directory of your installation. This script reports on the patch level of your UNIX distribution. This script is intended primarily for use by Business Objects SA support staff. Option
list query check
Valid Arguments Description n/a patch # textfile List all the installed patches. Query the operating system for the presence of a particular patch by numeric ID. Check that all the patches listed in textfile are installed on your operating system.
postinstall.sh
The postinstall.sh script is installed to the bobje directory of your installation. This script runs automatically at the end of the installation script and launches the setup.sh script. You need not run this script yourself.
setup.sh
The setup.sh script is installed to the bobje directory of your installation. This script provides a text-based program that allows you to set up your BusinessObjects Enterprise installation. This script is run automatically when you install BusinessObjects Enterprise. It prompts you for the information that is required in order to set up BusinessObjects Enterprise for the first time. For complete details on responding to the setup script when you install BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.
setupinit.sh
The setupinit.sh script is installed to the bobje directory of your installation when you perform a system installation. This script copies the run control scripts to your rc# directories for automated startup. When you run a system installation you are directed to run this script after the setup.sh script completes. Note: You must have root privileges to run this script.
483
484
appendix
Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0
2.
<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. -->
3. 4. 5.
<!--BOASPNET20REPLACE-->
Copy the string <xhtmlConformance mode="Legacy"/> from the first comment. Replace the comment <!--BOASPNET20REPLACE--> with string copied in the previous step. When your change is complete, the file should look like this:
<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. --> <xhtmlConformance mode="Legacy"/>
6. 7.
486
Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0
487
Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0
488
appendix
Documentation
You can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.
490
491
492
Address Business Objects Consulting Services http://www.businessobjects.com/ services/consulting/ Business Objects Education Services http://www.businessobjects.com/ services/training
Content Information on how Business Objects can help maximize your business intelligence investment. Information on Business Objects training options and modules.
493
494
Index
A
access levels available in the CMC 469 for RAS 472 active sessions, viewing 341, 341 active trust relationship 188 AD authentication plug-in 246 adding CMS cluster members 114 servers 105 administration configuration tools 98, 338 Administrators group, default rights 471 affinity, and SSL 189 anonymous single sign-on 184 application servers 35 application tier 34 applications CCM 33 CMC 33 Import Wizard 34 InfoView 32 Publishing Wizard 34 applications, installing 93 apsdbsetup.sh 477 architecture balanced processing 79 firewalled 81 high availability 80 single-machine 79 ASP pages display code 376 ASP.NET 2.0 modifying web.config to support 486 ASP.NET component, verifying 377 attributes, logon tokens 188 audit actions enabling auditing of 399 reference list 395 synchronizing records 403 audit enablement 399 auditable actions CMS 399 Destination Job Server 398 Event Server 398 Job Server 399 auditee 392 auditing configuring database 393 database schema 416 enabling 399 information flow 392 optimizing performance 404 reporting results 402, 416 synchronizing records 403 user and system actions 395 web activity 194 auditing database configuring 393 database schema 416 Application_Type table 419 Audit_Detail table 417 Audit_Event table 416 Detail_Type table 420 Event_Type table 419 Server_Process table 418 auditor 392 Auditor report names 408 Average Number of Users Logged In 408 Average Refresh Time 409 Average Session Duration 409 Average Session Duration per Cluster 409 Average Session Duration per User 409 Cluster Nodes 410 Document Information Detail 410 Document Scheduling and Viewing Status 410 Job Servers on the System 411 Job Summary 410
495
Index
Jobs per Job Server 411 Jobs per User 411 Last Login for User 411 Least Accessed Documents 412 Modifications 413 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 Number of User Sessions 413 Number of Users in the System 413 Peak Usage 414 Refresh and Edit Activity 414 Rights Modification 414 Total Users Logged in by Day 414 User Activity 414 User Activity per Session 415 Users Who Logged Off Incorrectly 415 authentication BusinessObjects Enterprise security plug-in 186 Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 LDAP security plug-in 228 primary 181 security plug-ins 55, 185 troubleshooting log on 380 Trusted Authentication 328 Windows AD security plug-in 246 Windows NT Challenge/Response 213, 248 Windows NT security plug-in 212
B
Business Objects consulting services 492, 493 support services 491 training services 492, 493 Business Objects applications CCM 33
CMC 33 CMS 38 Import Wizard 34 InfoView 32 Publishing Wizard 34 BusinessObjects Enterprise communication between servers 162 firewall integration 162 primary authentication process 181 single sign-on 187 single sign-on with NT 213 BusinessObjects Enterprise SDK 187 Java SDK 35 .NET SDK 35 BusinessObjects Enterprise security plug-in 186 BusinessObjects Enterprise servers Cache Server 40 configuring hosts file for firewall 169 description 30 Event Server 39 File Repository Servers 40 Job Server 42 Page Server 44 Program Job Server 42 Report Application Server 44 BusinessObjects Enterprise servers, configure configure IIS and browsers 275 configure servers to use service account 297 configuring the servers configuring servers to use service account 270 granting service account rights 270 grant service account rights 295 setting service account 268, 292 BusinessObjects Enterprise Sizing Guide 366 BusinessObjects WAR files deploying 93 mapping to cluster in WebSphere 5.1 95 in WebSphere 6.0 95
C
cacert.der 153 Cache Server 40 command-line options 459
496
Index
configuring 131, 352 metrics 340, 342 performance 68 performance settings 131, 352 viewing with 49 Cache Server auditable actions 396 cakey.pem 153 CCM adding a server 105 changing server startup type 151 server user account 152 Windows server dependencies 150 copying server status 104 deleting a server 107 enabling and disabling servers 102 printing server status 104 refreshing the list of servers 104 starting, stopping, and restarting servers 99 CCM, for UNIX 474 ccm.sh 474 Central Configuration Manager. See CCM Central Management Console. See CMC Central Management Server. See CMS certificate files 153 Changing Tomcat connect port 112, 378 client side viewers 45 client tier 32 clusters 114, 116, 117 changing names 121 requirements 114 viewing details 345 clusters, creating 87 CMC enabling and disabling servers 102 starting, stopping, and restarting servers 99 unable to connect 379 CMC timeout setting 110 CMS adding to a cluster 117 and authentication 181 and distributed security 189 as nameserver 147 changing cluster name 121
clustering 114 installing new cluster member 116 requirements 114 CMS tasks 38 command-line options 456 configuring 127, 128, 147 NAT 168 SOCKS 176 database 38 default port 147 limitations 65 metrics 341, 345 performance 65 security 54 security plug-ins 54 session variables 191 and authentication 181 tracking 193 stopping 102 unable to connect 379 when enabling and disabling other servers 102 CMS auditable actions 399 CMS clustering 77 CMS database changing password 128 configuring 122 copying 122 deleting 127 migrating 122 recreating 127 selecting 128 command lines, overview 454 command-line options all servers 455 Cache Server 459 CMS 456 Event Server 466 Input and Output File Repository Servers 465 Job Server 461 Page Server 459 Program Job Server 461 Report Application Server 462 Web Intelligence Job Server 461 Web Intelligence Report Server 464
497
Index
command-line options, SSL 152 communication between browser and Web application server 181 between BusinessObjects Enterprise servers 162 components, security management 53 computer contstrained delegation 294 concurrent active users 62 configuration planning 58 sample 436 configuration, common scenarios 78 Configure the thick client to use SSL 376 configuring auditing database 393 auditing database on UNIX 394 auditing database on windows 394 Cache Server 131, 352 CMS clusters 114, 121 CMS database 122, 127, 128 Event Server 351 File Repository Servers 130, 352 firewalls 166 intelligence tier 114 Job Server 133, 140, 355, 355 Page Server 132, 140, 356, 363 processing tier 132 server settings 98, 338 servers 98, 338 universe connection 401 configuring trusted authentication 329 Connection Server metrics 341 constrained delegation service account 295, 295 consultants, Business Objects 492 cookies and session tracking 191 logon tokens 188 CORBA 437 creating custom audit reports 416 Crystal reports troubleshooting reports 383
Crystal Reports Cache Server. See Cache Server Crystal Reports Page Server. See Page Server Crystal Reports sample audit reports 402 Crystal xCelsius 69 performance 69 CSP pages display code 376 custom audit report creation 416 custom web applications, enhancing 370 customer support 491 customizing your configuration 366
D
daemons, signal handling 456 data live 52 saved 53 data sharing 98, 338 on Cache Server 131, 352 on Page Server 132, 356, 363 on RAS 360 data sources on UNIX 141 on Windows 140 data tier 45 databases configuring servers for 140 copying CMS data 122 initializing the CMS 127 modifying RAS interactions 360 selecting for the CMS 128 single sign-on access 184 troubleshooting logon 385 default settings authentication 186 Enterprise accounts 186 NT account 213 ports 147 security plug-in 186 default timeout 110 defaultconfig.xml about 428 customizing elements 432 finding correct version to change 430 modifying for Java Report Panel 431
498
Index
modifying for .NET InfoView 431 deleting CMS database 127 servers 107 dependencies of servers on Windows 150 deployment planning 58 sample 436 deployment manager adding nodes 85, 86 starting 85 Designer firewall settings 166 Desktop Intelligence firewall settings 166 Destination Job Server destinations configuring 134 enabling or disabling 133 enabling Inbox destination 133 performance settings 355 Destination Job Server auditable actions 398 destinations for job servers configuring 134 enabling or disabling 133 troubleshooting 390 directory servers about LDAP 229 security plug-in 228 disabling destinations for job servers 133 servers 102 Disabling logon tokens 196 disabling logon tokens 196, 200 disabling restoration of a timed out session 200 disabling the restoration of a timed out session 200 disabling the restoration of a timed out session in Java 200 disabling the restoration of a timed out session in .NET 201 disaster recovery 76 DLL. See dynamic-link libraries documentation additional 375
feedback on 491 on product CD 490 on the web 490 roadmap 490 DSNs on UNIX 143 dynamic-link libraries as processing extensions 187
E
education. See training email destination setting defaults 136 enable ASP.NET 2.0 support 486 enable .NET 2.0 support 486 enabling destinations for a job server 133 servers 102 enabling auditing 399 encoding logon tokens 188 end-to-end single sign-on 185 environment variables ODBC 143 env.sh 482 ePortfolio. See InfoView errors Page Server 389 troubleshooting 374 Event Log 150, 345 Event Server auditable actions 399 configuring 351 metrics 343 polling time 351 Event Server auditable actions 398 Event Server, command-line options 466 events polling time 351 Everyone group, default rights 471 expanding the system 366 extensions, processing 187
F
fault tolerance 76 feedback, on documentation 491
499
Index
File Repository Servers command-line options 465 maximum idle times 130, 352 metrics 340 Properties page 130, 352 root directories 130, 352 firewall rules specifying for NAT 170 specifying for packet filtering 173 firewall types 159 NAT 160 packet filtering 160 SOCKS 161 firewall, desktop product 166 firewalls 158, 194, 436 configuration scenarios 164 configuring 166 NAT 167 packet filtering 172 SOCKS 175 thick client 171 with application tier 168 with WCA 177 forcing servers to register by name 149 integration with BusinessObjects Enterprise 162 Job Servers 442 server communications, and 162 folders default rights 471 root 471 FTP destination setting defaults 138 Full Control access level 471
hosts file, configuring for NAT firewall 169 HTTP 181, 191 HTTP server, check status 87 HTTP server, starting 86
I
IBM WebSphere Kerberos configuration 304 idle times Cache Server 131, 352 File Repository Servers 130, 352 Page Server 132, 356, 363 IIS database single sign-on configuration 281 end-to-end single sign on configuration 277 single sign-on configuration 275 IIS 5 database single sign-on configuration 282 end-to-end single sign on configuration 277 IIS 6 database single sign-on configuration 283 end-to-end single sign on configuration 279 IIS 6, run under local system 379 Import Wizard 34 information flow, between servers 46 information resources 490 InfoView considerations 390 Java version 108 troubleshooting 390 initializing CMS database 127 initlaunch.sh 483 Input File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352 intelligence tier 37 configuring 114 internal system configuration, setting 92 Internet Explorer, configuring 276 Internet Information Services (IIS), default web site 375 IOR 437
G
Guest account, default rights 471
H
heap sizes, setting in WebSphere 5.1 90 in WebSphere 6.0 91 help, documentation resources 375 high availability 76
500
Index
J
JAAS login configuration files, create Oracle 306 Tomcat/WebLogic 305 WebSphere 306 Java CMC timeout 110 Java InfoView timeout 111 Java InfoView, customizing appearance of Web Intelligence documents 431 Java Options, modify Kerberos 307 Oracle 308 WebLogic 307 Java platform 36 Java SDK 36 Job Server command-line options 461 configuring 140 for firewalls 442 on UNIX 141 destinations configuring 134 enabling or disabling 133 performance settings 355 Job servers types 41 job servers configuring destinations 134 performance settings 355 Job Servers auditable actions 399
Kerberos troubleshooting enable logging 310 testing Java Kerberos configuration 310 key files 153
L
LDAP 229 about 229 and SSL 229 LDAP accounts 229 managing 228 modifying connection parameters 242 member groups 242 troubleshooting 243, 243 LDAP authentication configuring 230 LDAP authentication plug-in 228 LDAP groups mapping 238 unmapping 241 viewing mapped groups 242 LDAP hosts configuring 231 managing multiple 243 LDAP security plug-in 228 LDAP single sign-on, configuring 236, 255 Least Accessed Documents 412 license keys and CMS database migration 119 reinitializing the CMS database 127 Lightweight Directory Access Protocol. See LDAP List of Values Job Server auditable actions 399 description 43 destinations configuring 134 enabling or disabling 133 performance 69 performance settings 355 live data 52 load managing 60 load balancing and distributed security 189
K
Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 Kerberos configuration files IBM WebSphere 304 Java AD 302 Kerberos single sign-on 53
501
Index
CMS clustering 114 Local System account 140 log on processing server accounts 140 protection against malicious attempts 194 logging server activity 345 web activity 194 logon tokens 188 and authentication 181 and distributed security 189 and session tracking 191 logon.csp 181
M
malicious logon attempts, protection against 194 mapped drives 388 mapped groups viewing Windows NT 221 mapping Windows AD accounts and groups 249 Windows NT accounts 215 metrics viewing 339 migrating CMS database 122 from BusinessObjects Enterprise 6.x 495 modify InfoView timeout 111 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 multihomed machines 149
.NET InfoView, customizing appearance of Web Intelligence documents 431 .NET pages display code 376 Network Address Translation application tier, and 168 configuring 167 server hosts file 169 servers behind firewall 168 definition 160 specifying firewall rules 170 thick client, and 171 No Access level 469 node agent, start 85 NT authentication and UNIX 212 NT authentication plug-in 212 NT LM Security Support Provider 150 NT single sign-on 225 NT single sign-on and Windows NT security plugin 213 number of logons, logon tokens 188 number of minutes, logon tokens 188 Number of User Sessions 413 Number of Users in the System 413
O
object rights 468, 472 ODBC CMS database 117 connectivity 120 drivers 140 environment variables 143 processing server accounts 140 reporting on UNIX 142 system information file 143 .odbc.ini 143 Online Customer Support 491 optimizing system 404 Optimizing system performance 404 Oracle application Server reverse proxies 202 Output File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352
N
nameserver, role of CMS 147 NAT. See Network Address Translation native drivers 140 on UNIX 141 needs assessment 58 .NET 20 support 486 .NET InfoView or CMC, unable to view 377
502
Index
P
packet filtering 160 configuring for 172 packets, firewalls and 158 Page Server command-line options 459 configuring for data source 140 configuring on UNIX 141 metrics 343 performance 70 performance settings 132, 356, 363 Properties page 132, 356, 363 viewing with 49 Password Modifications 413 passwords changing for CMS database 128 restrictions 195 patchlevel.sh 483 Peak Usage 414 performance 366, 404 assessment 338 Cache Server 68 Cache Server settings 131, 352 CMS clusters 114 common scenarios 78 general considerations 367 List of Values Job Server 69 load balancing 189 of jobs per server 355 Page Server 70 Page Server settings 132, 356, 363 RAS settings 362 Report Job Server 68 Web Application Server 67 Web Intelligence Report Server 69 Windows NT Challenge/Response authentication 213, 248 performance improvement, delegating XSL transformation 370 performance while auditing 404 planning deployment 58 platforms Java 36
Windows .NET 36 plug-ins, security 55, 185 polling time, setting for Event Server 351 port numbers adding 90 checking in WebSphere 5.1 89 in WebSphere 6.0 89 port numbers, changing 147 ports definition 159 firewalls, and 159 opening on firewall 168 postinstall.sh 483 primary authentication 181 processing extensions 187 processing servers, configuring 141 processing threads Cache Server 131, 352 Page Server 132, 356, 363 processing tier 41 configuring 132 Program Job Server 399 destinations configuring 134 enabling or disabling 133 Program Job Server auditable actions 399 Program Job Server, command-line options 461 Properties tab for job servers 355
Q
.qry files 388
R
RAS database settings 360 metrics 344 performance settings 362 Properties page 362 Refresh and Edit Activity 414 refreshing cache files 131, 352 registry keys 238 Remote Procedure Call 150
503
Index
remote resources, troubleshooting 388 Report Application Server auditable actions 396 command-line options 462 performance 70 required object rights 472 viewing report 50 Report Job Server 399 auditable actions 399 performance 68 Report Job Server, performance settings 355 report objects, rights for creating/modifying 472 report viewers 45 report_view_advanced.aspx 48 report_view_dhtml.aspx 48 reports audit 402, 416 custom 416 sample 402 configuring servers for data sources 140 modifying RAS SQL options 360 scheduling 46 troubleshooting 383, 385 viewing 47 required steps to audit actions 392 requirements, clustering 114 resource requirements 73 resources 490 estimating 64 requirements 71 restarting servers 99 restart.sh 482 restrictions guest account 196 logon 195 password 195 user 195 reverse proxies 202 rights advance, reference 468 Report Application Server 472 top-level folder 471 Rights Modification 414 root directories, File Repository Servers 130, 352
S
sample audit reports 402 saved data 53 scalability 366 common scenarios 78 scaling the system 366 Schedule access level 469 scheduling increasing capacity 367 information flow 46 secEnterprise.dll 186 secLDAP.dll 228 Secure Sockets Layer 152 Secure Sockets Layer (SSL) 193, 229 and LDAP 229 and load balancing 189 security 180 active trust relationship 188 auditing web activity 194 components 53 distributed 189 environment protection 193 firewalls 194 Guest account restrictions 196 logon restrictions 195, 195 password restrictions 195, 195 plug-ins 55, 185 processing extensions 187 protection against malicious logon attempts 194 restrictions 195 session tracking 191 user restrictions 195 web browser to web server 193 web servers 193 security plug-ins 55, 185 Enterprise authentication 186 LDAP authentication 228 Windows AD authentication 246 Windows NT authentication 212 secWindows.dll 212 selecting CMS database 128 sending
504
Index
to inboxes, default configuration 133 Server cache expiry, modifying default expiry value 287 server dependencies, changing 150 serverconfig.sh 478 servers 98, 338 activity, logging 345 adding 105 adding nodes 85 application tier 34 changing status 99 user account on Windows 152 changing startup type 151 command lines 454 communication 162 application tier and CMS 163 CMS directory listing 162 configuring 98, 338 default settings 98, 338 deleting 107 dependencies, adding or removing 150 deployment manager 85 disabling 102 enabling 102 information flow 46 intelligence tier 37 limitations 64 logging activity 345 managing 97 metrics, viewing 340 node agent 85 processing tier 41 refreshing list using the CCM 104 registering by name 149 restarting 99 standard command-line options 455 starting 85, 99 status changing 99 copying 104 printing 104 stopping 99 troubleshooting 388 UNIX signal handling 456
user account, changing 152 service account contstrained delegation 295 service thresholds 64 session variables 191 and authentication 181 primary authentication 181 sessions tracking 191 viewing active 341 setup.sh 483 shared libraries, as processing extensions 187 signal handling 456 silentinstall.sh 481 simultaneous requests 61 single sign-on anonymous 184 authentication Enterprise 187 LDAP 230 NT 213 Windows AD 248 end-to-end 185 Java, Kerberos configuration 311, 312 setting up AD 255 LDAP 236 SiteMinder 236, 255 Windows AD 252 Windows NT 223 to BusinessObjects Enterprise 184 to database 184 troubleshooting 238 single sign-on options database single sign-on 266 modify AD plug-in settings 275 setting up database single sign-on 267 web applications configuration 285 end-to-end single sign-on 266 configuring IIS for end-to-end single signon 277 configuring Internet Explorer 276 setting up end-to-end single sign-on 267
505
Index
single sign-on 266 configuring IIS for single sign-on 275 database server configuration 286 setting up basic single sign-on 267 SQL server configuration 286 SiteMinder configuring LDAP plug-in 236 error 238 setting up single sign-on with LDAP 236, 255 troubleshooting 238 Window AD 255 Siteminder AD 255 SMTP destinations, setting defaults 136 SOCKS 161 configuring 175 CMS 176 WCA 177 sockssetup.sh 479 SPN Vintella 315 web application server 315 SPN utility Windows 2003 293, 294 SSL 152 certificates 153 configuring servers 152, 152 keys 153 SSL. See Secure Sockets Layer (SSL) SSL, thick client configuration 376 sslc.cnf 152 sslc.exe 152 starting servers 99 startservers 481 startup types changing for servers 151 configuring servers 151 statistics, auditing web activity 194 status, viewing and changing for servers 99 steps to audit actions 392 stopping CMS 102 servers 99 stopservers 481
support customer 491 locations 491 technical 491 web site 491 synchronizing audit actions 403 syslog 345 system actions, list of auditable 399 system data, copying 122 system database, migrating 122 system information file (ODBC) 143 system metrics, viewing 345 system security 180
T
TCP/IP, firewalls and 158 technical support 491 temporary files, configuring Page Server 132, 356, 363 the 200 thick client, firewall configuration 165 NAT 171 third-party security plug-ins 55, 185 tickets for distributed security 189 logon tokens 188 tiers application 34 client 32 data 45 intelligence 37 processing 41 time zones 60 supporting multiple 390 timeout CMC modify 110 Infoview modify 111 Tomcat reverse proxies 202 Tomcat connect port, changing 112, 378 tools, UNIX 474 Total Users Logged in by Day 414 tracking, sessions 191 training, on Business Objects products 492 transfer of trust 189
506
Index
troubleshooting 374 InfoView deployments 390 LDAP accounts 243 report viewing and processing 383 single sign-on 238 web accessibility 375 trust, active trust relationship 188 trusted authenitcation configuring in web.xml 329 Trusted Authentication 328
U
UNC paths 388 uninstall 480 uninstallCE.sh 480 universe connection configuration 401 UNIX and NT authentication 212 application server 35 installation 36 syslog 345 WCA 36 UNIX tools, overview 474 unmanaged disk destination setting defaults 139 unmapping Windows NT accounts 220 user accounts configuring servers 152 user actions, list of auditable 396 User Activity 414 User Activity per Session 415 user databases, NT4 and Windows 2000 Active Directory 212 users concurrent active users 62 estimating 59 types 59 viewing active sessions 341, 341 Users Who Logged Off Incorrectly 415
client-side 45 in InfoView 47 zero client 45 viewing active users 341, 341 BusinessObjects Enterprise architecture 47 CMS cluster details 345 current metrics 339 information flow 47 server metrics 340 system metrics 345 with the Cache Server 49 with the Page Server 49 viewing sessions 62 viewrpt.aspx 48
W
WCA and logon tokens 54 and security 54 auditing web activity 194 configuring for SOCKS 177 description 35 WCA session variables 191 tracking 192 web customer support 491 getting documentation via 490 useful addresses 492 Web application environments 37 Web Application Server performance 67 Web application server authentication 181 Web Component Adapter. See WCA web desktop. See InfoView Web Intelligence Job Server 461 Report Server 464 Web Intelligence documents changing default appearance 428 customizing for Java InfoView 431 customizing for .NET InfoView 431 delegating XSL transformation 370 finding correct defaultconfig.xml 430
V
View access level 469 viewers
507
Index
list of customizable elements 432 Web Intelligence Job Server auditable actions 399 destinations enabling or disabling 133 performance settings 355 Web Intelligence Report Server auditable actions 396, 397 performance 69 performance settings 357 Web Intelligence sample audit reports 402 web response speeds, improving 371 Web server plugin, regenerating in WebSphere 5.1 96 in WebSphere 6.0 96 web servers 37 improving response speeds 371 securing 193 web sites support 491 training 492 web.config .Windows authentication 274 WebSphere cluster, creating 87 installing applications 93 WebSphere deployment 308, 309 Windows Event Log 345 Local System account 140 server dependencies 150 Windows 2000 Active Directory 212 Windows 2000, unmapping accounts in 220 Windows AD database single sign-on, modify AD plug-in settings 275 Kerberos authentication 271, 297 single sign-on, modifying web.config 284 Windows AD accounts See also Windows AD users mapping 249 Windows AD groups mapping 249 Windows AD security plug-in 246 Windows AD single sign-on 252
to BusinessObjects Enterprise 252 Windows AD users See also Windows AD accounts Windows .NET platform 36 Windows NT accounts adding to mapped groups 222 disabling 222 managing 214 mapping 215 in CMC 217 in Windows 2000 216 in Windows NT 215 unmapping 220 Windows NT Challenge/Response authentication 193, 213, 248 Windows NT groups creating 222 mapping 215 unmapping 220, 220 viewing 221 Windows NT security plug-in 212 and UNIX 212 Windows NT single sign-on, setting up 223 Windows NT users, viewing 221
X
XSL transformation for Web Intelligence documents 370
Z
zero client viewers 45
508