Businessobjects Enterprise™ Xi Release 2 Deployment and Configuration Guide

BusinessObjects Enterprise XI Release 2 Deployment and Configuration Guide
BusinessObjects Enterprise XI Release 2
Patents
Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. Copyright 2007 Business Objects. All rights reserved. Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at: http://www.businessobjects.com/thirdparty
Trademarks
Copyright Third-party contributors
Contents
Chapter 1 Getting Started 23 About this help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Who should use this help? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 About BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Where should I start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Planning or performing your first deployment . . . . . . . . . . . . . . . . . . . 25 Configuring your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Changing your deployments architecture . . . . . . . . . . . . . . . . . . . . . . 26 Improving your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . 26 Chapter 2 BusinessObjects Enterprise Architecture 29
Chapter overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Architecture basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . 33 Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . 33 Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application server and BusinessObjects Enterprise SDK . . . . . . . 35 Web Component Adapter (WCA) . . . . . . . . . . . . . . . . . . . . . . . . . 35 Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Java platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Windows .NET platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . 38
BusinessObjects Enterprise Deployment and Configuration Guide 3
Contents
Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Desktop Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 What happens when you schedule an object? . . . . . . . . . . . . . . . . . . . 46 What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . . 47 Report viewing with the Cache Server and Page Server . . . . . . . . 49 Report viewing with the Report Application Server . . . . . . . . . . . . 50 Viewing Web Intelligence documents . . . . . . . . . . . . . . . . . . . . . . . 51 Choosing between live or saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Chapter 3 Planning Your Deployment 57
Planning your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Assessing your organizations needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4 BusinessObjects Enterprise Deployment and Configuration Guide
Contents
Estimating the number and type of users . . . . . . . . . . . . . . . . . . . . . . 59 Other user considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Estimating the number of simultaneous requests . . . . . . . . . . . . . . . . 61 Estimating the number of concurrent active users and viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Concurrent active users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Calculating resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Analyzing service thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Calculating the minimum resource requirements . . . . . . . . . . . . . . . . . 71 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Summary of resource calculations . . . . . . . . . . . . . . . . . . . . . . . . 73 Designing for high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Designing a multiple-server system for high availability . . . . . . . . 77 Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Single-machine architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Balanced processing architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 High availability clustered architecture . . . . . . . . . . . . . . . . . . . . . . . . . 80 Firewalled architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Contents
Chapter 4
Creating a WebSphere cluster
83
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Creating a WebSphere cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Starting the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Creating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Checking the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Adding the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting heap size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting internal system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Installing the applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Mapping BusinesssObjects WAR files to the cluster . . . . . . . . . . . . . . 95 Regenerating the web server plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Chapter 5 Managing and Configuring Servers 97
Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 BusinessObjects Enterprise administrative tools . . . . . . . . . . . . . . . . . 98 Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 99 Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . . 99 Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 102 Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 104 Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Java Web Component Adapter . . . . . . . . . . . . . . 109 Changing the default session timeout value for the Java CMC . . 110 Changing the default session timeout value for the Java InfoView . . 111 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . . 112 Configuring the .NET Web Component Adapter . . . . . . . . . . . . . 113
Contents
Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . 114 Adding a new CMS cluster member . . . . . . . . . . . . . . . . . . . . . . . . . 116 Installing a new CMS and adding it to a cluster . . . . . . . . . . . . . 116 Adding an installed CMS to a cluster . . . . . . . . . . . . . . . . . . . . . 117 Adding clustered CMSs to the web.xml file . . . . . . . . . . . . . . . . . 119 Preparing to migrate a CMS database . . . . . . . . . . . . . . . . . . . . 119 Changing the name of a CMS cluster . . . . . . . . . . . . . . . . . . . . . 121 Copying data from one CMS database to another . . . . . . . . . . . . . . . 122 Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . 127 Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 128 Setting root directories and idle times of the File Repository Servers 130 Modifying performance settings for Cache Servers and Event Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Modifying performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 133 Enabling or disabling destinations for job servers . . . . . . . . . . . . 133 Configuring the destination properties for job servers . . . . . . . . . 134 Inbox destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Email (SMTP) destination properties . . . . . . . . . . . . . . . . . . . . . 136 FTP destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Unmanaged Disk destination properties . . . . . . . . . . . . . . . . . . . 139 Configuring Windows processing servers for your data source . . . . . 140 Configuring UNIX processing servers for your data source . . . . . . . . 141 Native drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 ODBC drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 147 Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Configuring the CMS to bind to a network address . . . . . . . . . . . 150 Configuring the remaining servers to bind to a network address 150 Adding and removing Windows server dependencies . . . . . . . . . . . . 150
Contents
Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Creating key and certificate files . . . . . . . . . . . . . . . . . . . . . . . . . 153 Configuring the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Chapter 6 Working with Firewalls 157
Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 TCP/IP and packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 SOCKS proxy servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers and the CMS directory listing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between the application tier and CMS . . . . . . . . 163 Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Application tier separated from the CMS by a firewall . . . . . . . . . 165 Thick client separated from the CMS by a firewall . . . . . . . . . . . . 165 Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Configuring desktop products across a firewall . . . . . . . . . . . . . . . . . . 166 Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . . 167 Configuring NAT when application tier is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Configuring NAT when thick client is separated from the CMS . . 171 Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Configuring packet filtering when application tier is separated from CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Contents
Configuring packet filtering when thick client is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Configuring the CMS for SOCKS Servers . . . . . . . . . . . . . . . . . . 176 Configuring the WCA for SOCKS servers . . . . . . . . . . . . . . . . . . 177 Chapter 7 Security Concepts 179
Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Single sign-on to BusinessObjects Enterprise . . . . . . . . . . . . . . 184 Single sign-on to database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 End-to-end single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 BusinessObjects Enterprise security plug-in . . . . . . . . . . . . . . . . 186 Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . 189 Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . 194 Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . 194 Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User creation opitons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Contents
Alias options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User type options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Update options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Chapter 8 Modifying default security behavior 199
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session in Java InfoView 200 Disabling the restoration of a timed out session in .NET InfoView . . . 201 Enabling reverse proxies for Java applications servers . . . . . . . . . . . . . . 202 Enabling reverse proxies for BusinessObjects Java InfoView . . . . . . 202 Enabling reverse proxies for BusinessObjects Web Services . . . . . . 203 Enabling reverse proxies on Tomcat . . . . . . . . . . . . . . . . . . . . . . 203 Enabling reverse proxy on web application servers other than Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Enabling reverse proxies for BusinessObjects Live Office . . . . . . . . . 206 Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Deployment instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Disabling persistent cookies for InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 208 Chapter 9 Using NT Authentication 211
Using NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Windows NT security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Business Objects NT Users Group . . . . . . . . . . . . . . . . . . . . . . . 213 NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 NT and single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 NT user account and group administration . . . . . . . . . . . . . . . . . . . . . . . . 214 Mapping NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Mapping NT user accounts and groups from Windows NT . . . . . . . . . 215 Mapping NT user account or groups from Windows 2000 or 2003 . . . 216 Mapping NT groups from the CMC . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Contents
Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . 221 Adding an NT account to a mapped NT group . . . . . . . . . . . . . . 222 Creating a new NT group account . . . . . . . . . . . . . . . . . . . . . . . 222 Disabling an NT user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Modifying IIS security settings for NT single sign-on . . . . . . . . . 224 Enabling InfoView NT single sign-on from the CMC . . . . . . . . . . 224 Modifying the web.config file for NT single sign-on . . . . . . . . . . . 225 Chapter 10 Using LDAP authentication 227
Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 LDAP security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 More about LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Configuring the LDAP host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Configuring LDAP Server or Mutual Authentication and the SSL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 LDAP and SiteMinder Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Configuring the LDAP plug-in for SiteMinder . . . . . . . . . . . . . . . 236 Modifying web.xml for LDAP and SiteMinder . . . . . . . . . . . . . . . 237 Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 242 Changing LDAP connection parameters and member groups . . . . . 242 Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Creating a new LDAP user account . . . . . . . . . . . . . . . . . . . . . . 243 Chapter 11 Using AD with NTLM or SiteMinder 245
Using AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Windows AD security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD and NTLM and SiteMinder workflows . . . . . . . . . . . . . . . . . . . . . 248
Contents
AD and NTLM basic workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD, NTLM and single sign-on workflow . . . . . . . . . . . . . . . . . . . . 248 AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying IIS security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying the web.config file for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Modifying the web.config file for InfoView AD single sign-on . . . . 254 Configuring AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . 255 Configuring the Windows AD plug-in for SiteMinder . . . . . . . . . . 255 Modifying web.xml for Java AD and SiteMinder . . . . . . . . . . . . . . 257 Modifying web.xml for Java AD Single sign-on to InfoView . . . . . 258 Modifying the web.xml file for Java AD and SiteMinder . . . . . . . . 258 Modifying web.config for .NET InfoView and SiteMinder . . . . . . . 259 Disabling SiteMinder for Java clients . . . . . . . . . . . . . . . . . . . . . . 260 Disabling SiteMinder for .NET clients . . . . . . . . . . . . . . . . . . . . . . 261 Troubleshooting single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Duplicate ssoEnabled tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Chapter 12 Using AD and Kerberos with IIS 265
Configuring Kerberos for IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Kerberos, IIS and single sign-on options . . . . . . . . . . . . . . . . . . . . . . 266 Workflows for Kerberos and IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Basic AD and Kerberos workflow . . . . . . . . . . . . . . . . . . . . . . . . . 267 AD and Kerberos with single sign-on workflow . . . . . . . . . . . . . . 267 Single sign-on to database workflow . . . . . . . . . . . . . . . . . . . . . . 267 End-to-end Single sign-on workflow . . . . . . . . . . . . . . . . . . . . . . . 267 Setting up a service account on AD . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Contents
Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 270 Configuring the servers to use the service account . . . . . . . . . . 270 Enabling Kerberos authentication in the Windows AD plug-in . . . . . . 271 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Modifying web.config for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Modifying the AD plug-in settings for database single sign-on . 275 Configuring IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Configuring IIS for integrated Windows authentication . . . . . . . . 275 Configuring the Internet Explorer browser on a client machine . 276 Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . 277 Configuring IIS 5 for Kerberos end-to-end single sign-on . . . . . . 277 Configuring IIS 6 for Kerberos end-to-end single sign-on . . . . . . 279 Configuring IIS for database single sign-on . . . . . . . . . . . . . . . . . . . . 281 Configuring IIS 5 for single sign-on to database only . . . . . . . . . 282 Configuring IIS 6 for single sign-on to database . . . . . . . . . . . . . 283 Modifying web.config for InfoView single sign-on . . . . . . . . . . . . 284 Configuring web applications for database single sign-on . . . . . 285 Configuring the database server for single sign-on . . . . . . . . . . . . . . 286 Configuring SQL Server for single sign-on . . . . . . . . . . . . . . . . . 286 Server cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Modifying the default cache expiry value . . . . . . . . . . . . . . . . . . 287 Chapter 13 Using AD and Kerberos with Java application servers 289
Configuring Kerberos for Java application servers . . . . . . . . . . . . . . . . . 290 General workflow for configuring Kerberos . . . . . . . . . . . . . . . . . . . . 290 Workflow for configuring Tomcat for Kerberos . . . . . . . . . . . . . . . . . . 291 Workflow for configuring WebSphere for Kerberos . . . . . . . . . . . . . . 291 Workflow for configuring WebLogic for Kerberos . . . . . . . . . . . . . . . . 291 Workflow for configuring Oracle for Kerberos . . . . . . . . . . . . . . . . . . 291 Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Contents
Creating an SPN for your CMS on a Windows 2000 domain . . . . 293 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Creating an SPN for your CMS on a Windows 2003 domain . . . . 294 Setting up constrained delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Setting up constrained delegation for a service account . . . . . . . 295 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 295 Adding the Service Account to the servers Local Administrators group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Configuring the servers to use the service account . . . . . . . . . . . 297 Kerberos authentication in the Windows AD plug-in . . . . . . . . . . . . . 297 Configuring Kerberos for your Java application server . . . . . . . . . . . . 302 Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Creating the Kerberos configuration file for WebSphere . . . . . . . 304 Creating the JAAS login configuration file for Tomcat or WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Creating the JAAS login configuration file for Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Creating the JAAS login configuration file for WebSphere . . . . . . 306 Modifying your Java options for Kerberos on Tomcat . . . . . . . . . 307 Modifying the Java options for Kerberos on WebLogic . . . . . . . . 307 Modifying the Java options for Kerberos on Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Modifying the Java options for Kerberos on WebSphere . . . . . . . 308 Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Enabling logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Testing your Java Kerberos configuration . . . . . . . . . . . . . . . . . . 310 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 310 Configuring Kerberos and single sign-on to the database for Java application servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Configuring Kerberos and single sign-on for Java InfoView . . . . . . . . 312
Contents
Workflow for configuring Kerberos single sign-on to Java InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. . . . . . . . . . . . . . . . . . . . . . . . 314 Step 2: Creating an SPN for your web application server . . . . . . 315 Step 3: Reset the service account password . . . . . . . . . . . . . . . 315 Step 4: Create and place a keytab file . . . . . . . . . . . . . . . . . . . . 316 Step 5: Enabling Vintela single sign-on for Java in the web.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Step 6: Increasing the header size limit of your Java application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Controlling logging with Vintela single sign-on for Java . . . . . . . 322 What to specify in your log4j properties file . . . . . . . . . . . . . . . . . 323 Alternate url to access InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 324 Modifying the Vintela logon error page . . . . . . . . . . . . . . . . . . . . 325 Configuring Internet Explorer browsers . . . . . . . . . . . . . . . . . . . . 326 Chapter 14 Trusted Authentication 327
Enabling Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Configuring the server for Trusted Authentication . . . . . . . . . . . . . . . 328 Configuring Trusted Authentication for the client . . . . . . . . . . . . . . . . 329 Configuring Trusted Authentication for Business Process BI . . . . . . 334 Configuring Trusted Authentication on a separate web application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Chapter 15 Improving Performance 337
Improving performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing user needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Analyzing server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Evaluating your systems performance . . . . . . . . . . . . . . . . . . . . . . . 346
Contents
Resolving performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Configuring the intelligence tier for enhanced performance . . . . . . . . 351 Configuring the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Modifying the polling time of the Event Server . . . . . . . . . . . . . . . 351 Configuring the File Repository Servers . . . . . . . . . . . . . . . . . . . . 352 Modifying Cache Server performance settings . . . . . . . . . . . . . . 352 Configuring the processing tier for enhanced performance . . . . . . . . 354 Modifying performance settings for job servers . . . . . . . . . . . . . . 355 Modifying Desktop Intelligence Report Server performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Modifying performance settings for the Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . 360 Modifying performance settings for the RAS . . . . . . . . . . . . . . . . 362 Modifying Page Server performance settings . . . . . . . . . . . . . . . 363 Scaling your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . 367 Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . 367 Increasing on-demand viewing capacity for Crystal reports . . . . . 369 Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Delegating XSL transformation to Internet Explorer . . . . . . . . . . . 370 Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . 370 Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . 371 Getting the most from existing resources . . . . . . . . . . . . . . . . . . . 371 Chapter 16 General Troubleshooting 373
Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . . 375 .NET CSP and ASP pages display code . . . . . . . . . . . . . . . . . . . . . . . 376 Unable to access the CMS from thick client . . . . . . . . . . . . . . . . . . . . 376 Unable to View .NET InfoView or CMC . . . . . . . . . . . . . . . . . . . . . . . . 377
Contents
Determining if the IIS 6.0 ASP.NET component is installed . . . . 377 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . 378 Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 379 Unable to open a report from InfoView . . . . . . . . . . . . . . . . . . . . . . . 379 Single sign-on from an IE Windows 2000 client fails . . . . . . . . . . . . . 380 Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 380 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 381 Unable to sign on with AD and Kerberos . . . . . . . . . . . . . . . . . . 381 TReport viewing and processing issues . . . . . . . . . . . . . . . . . . . 383 Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 383 Images and charts not displayed . . . . . . . . . . . . . . . . . . . . . . . . 385 Troubleshooting reports and looping database logon prompts . . . . . 385 Ensuring that server resources are available on local drives . . . . . . . 388 Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 389 InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 390 Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Unable to import users from BusinessObjects 6.5 . . . . . . . . . . . . . . . 390 Chapter 17 Managing Auditing 391
How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Reference list of auditable actions . . . . . . . . . . . . . . . . . . . . . . . 395 Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . 399 Configuring the universe connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 403 Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . 404
Contents
Chapter 18
Auditing Reports
407
Using auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Why are reports important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Auditor report names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Average Number of Users Logged In . . . . . . . . . . . . . . . . . . . . . . 408 Average Refresh Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per Cluster . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per User . . . . . . . . . . . . . . . . . . . . . . . 409 Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Information Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Scheduling and Viewing Status . . . . . . . . . . . . . . . . . 410 Job Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Jobs per Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Jobs per User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Job Servers on the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Last Login for User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Least Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions per Document . . . . . . . . . . . . . . . . . . . . . . 413 Number of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Number of Users in the System . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Password Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Peak Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Refresh and Edit Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Rights Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Total Users Logged In by Day . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity per Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Users Who Logged Off Incorrectly . . . . . . . . . . . . . . . . . . . . . . . . 415 Viewing sample auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Contents
Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Server_Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Event_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Application_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Detail_Type table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Appendix A Customizing the appearance of Web Intelligence documents 427
Customizing the appearance of Web Intelligence documents . . . . . . . . . 428 What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 429 Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . 430 Desktop Intelligence Enterprise Java InfoView . . . . . . . . . . . . . . 431 Desktop Intelligence Enterprise .NET InfoView . . . . . . . . . . . . . 431 List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Example: Modifying the default font in table cells . . . . . . . . . . . . . . . 433 Appendix B Server deployment and firewall configuration 435
About this appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Understanding how BusinessObjects Enterprise servers communicate . 436 Using CORBA to communicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Registering with the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Communicating with client applications . . . . . . . . . . . . . . . . . . . . . . . 438 Configuring BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . 439 Configuring the CMS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Configuring non-CMS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Configuring Job Servers for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . 442 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Contents
Configuring firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Example: A firewall between the application server and BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Deploying BusinessObjects Enterprise on multihomed machines . . . . . . 448 Multihomed machines with NICs on the same subnet . . . . . . . . . . . . 449 Multihomed machines with NICs on different subnets . . . . . . . . . . . . 450 Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected . . . . . . . . . . . . . . 450 Binding to a particular NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Summary of unsupported deployment scenarios . . . . . . . . . . . . . . . . . . . 451 Appendix C Server Command Lines 453
Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 UNIX signal handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . 465 Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Appendix D Rights and Access Levels 467
Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 472
Contents
Appendix E
UNIX Tools
473
UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 ccm.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 482 bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Appendix F Enabling support for ASP.NET 2.0 485
Enabling support for ASP.NET 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Appendix G Business Objects Information Resources 489
Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Whats in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Contents
Documentation from the products . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the product CD . . . . . . . . . . . . . . . . . . . . . . . . 490 Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 491 How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Online Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Looking for the best deployment solution for your company? . . . . . . . 492 Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Index 495
Getting Started
chapter
Getting Started About this help
About this help

This help provides you with information and procedures for deploying and configuring your BusinessObjects Enterprise system. Procedures are provided for common tasks. Conceptual information and technical details are provided for all advanced topics. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. For information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.
Who should use this help?

This help covers deployment and configuration tasks. We recommend consulting this guide if you are:
planning your first deployment configuring your first deployment making significant changes to the architecture of an existing deployment improving your systems performance.
For a list of suggested topics for each of these scenarios, consult Where should I start? on page 25. This help is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is beneficial, as is a general understanding of web application server management and scripting technologies. However, to assist all levels of administrative experience, this help aims to provide sufficient background and conceptual information to clarify all administrative tasks and features.
About BusinessObjects Enterprise

BusinessObjects Enterprise is a flexible, scalable, and reliable solution for delivering powerful, interactive reports to end users via any web application intranet, extranet, Internet or corporate portal. Whether it is used for distributing weekly sales reports, providing customers with personalized service offerings, or integrating critical information into corporate portals, BusinessObjects Enterprise delivers tangible benefits that extend across and beyond the organization. As an integrated suite for reporting, analysis, and information delivery, BusinessObjects Enterprise provides a solution for increasing end-user productivity and reducing administrative efforts.
24
BusinessObjects Enterprise Deployment and Configuration Guide
Getting Started Where should I start?
Where should I start?

Depending on your situation, you may want to focus on specific sections of this help, and there may be other resources available for you. For each of the following situations, there is a list of suggested tasks and reading topics.
Planning or performing your first deployment

If you are planning or performing your first deployment of BusinessObjects Enterprise, it is recommended that you perform the following tasks and read the corresponding sections:
To get familiar with the components, read BusinessObjects Enterprise Architecture on page 29. Assess your needs and design a deployment architecture that works best for you. Planning Your Deployment on page 57 Working with Firewalls on page 157 Security Concepts on page 179 If you plan to use third-party authentication, read the following sections that apply to your deployment:
Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227
Improving Performance on page 337 For more information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide. After you install, read Managing and Configuring Servers on page 97.
Configuring your deployment

If you have just completed your installation of BusinessObjects Enterprise and need to perform initial configuration tasks, such as firewall configuration and user management, it is recommended that you read the following sections:
Managing and Configuring Servers on page 97 Working with Firewalls on page 157 Security Concepts on page 179
25
If you plan to use third-party authentication, read the following sections that apply to your deployment:
Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227
Improving Performance on page 337 If you plan to audit your system, read Managing Auditing on page 391 and Auditing Reports on page 407. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. If you encounter problems, read General Troubleshooting on page 373.
Changing your deployments architecture

Are you expecting a significant increase in server traffic? Do you need to accommodate a sudden influx of users? Do you need to incorporate new kinds of content from new sources? Or do you need to update a deployment that didnt adequately anticipate the volume of objects being processed on a daily basis? If you need to revise your deployment to account for significant changes in how you use the system, it is recommended that you read the following sections:
Improving Performance on page 337 If you are installing new server components, see Managing and Configuring Servers on page 97. If you are importing or configuring new users, see Security Concepts on page 179. If you encounter problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. For information about installing new components, you can find more information in the BusinessObjects Enterprise Installation Guide.
Improving your systems performance

If you want to assess your deployments efficiency and fine-tune it in order to maximize resources, it is recommended that you read the following sections:
26
Improving Performance on page 337 If you want to monitor your existing system, read Managing Auditing on page 391 and Auditing Reports on page 407. If you want to resolve specific performance problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide.
27
28
BusinessObjects Enterprise Architecture
chapter
BusinessObjects Enterprise Architecture Chapter overview
Chapter overview
This chapter briefly introduces BusinessObjects Enterprise administrators to the architecture of BusinessObjects Enterprise. This chapter covers the following topics:
Architecture basics Client tier Intelligence tier Processing tier Data tier Report viewers Information flow
For faster navigation, click on the title of the topic you are interested in.
Architecture basics
BusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this section to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs. In BusinessObjects Enterprise, there are five tiers:
The client tier The application tier The intelligence tier The processing tier The data tier
To provide flexibility, reliability, and scalability, the components that make up each of these tiers can be installed on one machine, or spread across many. The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products plug in to the BusinessObjects Enterprise framework in various ways. This section describes the framework itself. Consult each products installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework.
30
BusinessObjects Enterprise Administrators Guide
BusinessObjects Enterprise Architecture Architecture basics
The servers run as services on Windows machines. On UNIX, the servers run as daemons. These services can be vertically scaled to take full advantage of the hardware that they are running on, and they can be horizontally scaled to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine. For example, you can run the CMS and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called horizontal scaling. If the Report Application Server is
31
BusinessObjects Enterprise Architecture Client tier
running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called vertical scaling. The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers. Tip: Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.
Client tier
The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.
The client tier includes:
InfoView Central Management Console (CMC) Central Configuration Manager (CCM) Publishing Wizard Import Wizard
For faster navigation, click on the title of the topic you are interested in.
InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. In .NET InfoView, the web server forwards the user request directly to an application server where the request
32
BusinessObjects Enterprise Architecture Client tier
is processed by the Web Component Adapter (WCA); typically, InfoView only uses the WCA when OLAP is installed. In this case, the web server will forward the .csp request to the WCA for processing. InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.
Central Management Console (CMC)

The Central Management Console (CMC) allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a webbased application, you can perform all of these administrative tasks remotely. For more information, see the BusinessObjects Enterprise Administrators Guide. The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD.
Central Configuration Manager (CCM)

The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers, and it allows you to view and to configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add or remove servers from your BusinessObjects Enterprise system.On UNIX, some of these functions are performed using other tools. .
33
BusinessObjects Enterprise Architecture Application tier
Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Administrators Guide.
Import Wizard
The Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Installation Guide.
Application tier
The application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. For both the Java and .NET platforms, the application tier includes the following components:
Application server and BusinessObjects Enterprise SDK Web Component Adapter (WCA)
34
Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
Application server and BusinessObjects Enterprise SDK

BusinessObjects Enterprise systems that use the BusinessObjects Enterprise Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party application server. See the Platforms.txt file included with your product distribution for a complete list of tested application servers and version requirements. The application server acts as the gateway between the web server and the rest of the components in BusinessObjects Enterprise. The application server is responsible for processing requests from your browser. It also supports InfoView and other Business Objects applications, and uses the SDK to convert report pages (.epf files) to HTML format when users view pages with a DHTML viewer.
Web Component Adapter (WCA)

The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA) runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests on to the WCA. The WCA has two primary roles:
It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files
35
It also supports Business Objects applications such as the CMC (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).
Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
Web development platforms

BusinessObjects Enterprise supports the following web development platforms:

Java platform
Java platform Windows .NET platform
All UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.
Windows .NET platform

BusinessObjects Enterprise installations that use the .NET Framework include Primary Interop Assemblies (PIAs) that allow you to use the BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET Server Components that you can optionally use to simplify the development of custom applications. This configuration requires the use of a Microsoft Internet Information Services (IIS) web server. Note:
In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.
36
BusinessObjects Enterprise Architecture Intelligence tier
You do not need a Web Component Adapter for custom ASP.NET applications. If after your initial installtion, you upgrade to version 2.0 of the .NET Framework, you will also need to modify the web.config used by IIS. See Enabling support for ASP.NET 2.0 on page 486.
Web application environments

BusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET (.aspx) pages. BusinessObjects Enterprise includes web applications developed in .aspx, such as InfoView and the sample applications available via the BusinessObjects Enterprise Launchpad. Java Server Pages (.jsp) and ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and ASP.NET applications that use the BusinessObjects Enterprise SDKs in conjunction with third party APIs. Note: For backward compatibility, BusinessObjects Enterprise continues to support Crystal Server Pages (.csp) and Active Server Pages (.asp). BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs) that enable you to use the BusinessObjects Enterprise SDK and Report Application Server SDK with ASP.NET. It also includes a set of .NET Server Components which simplify development of custom BusinessObjects Enterprise applications in ASP.NET. For more information, see the developer documentation available on your product CD.
Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.
The intelligence tier includes the following components:
Central Management Server (CMS) Event Server
37
File Repository Servers Cache Server
Central Management Server (CMS)

The CMS is responsible for maintaining a database of information about your BusinessObjects Enterprise system, which other components can access as required. The data stored by the CMS includes information about users and groups, security levels, BusinessObjects Enterprise content, and servers. The CMS also maintains the BusinessObjects Enterprise Repository, and a separate audit database of information about user actions. This data allows the CMS to perform its four main tasks:
Maintaining security By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.
Managing objects The CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.
Managing servers By staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.
Managing auditing By collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.
Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organizations preferred database server. For details about setting up
38
CMS databases, see the BusinessObjects Enterprise Installation Guide. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Note:
It is strongly recommended that you back up the CMS system database, and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator. The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD. You can access the audit database directly to create custom audit reports. See the BusinessObjects Enterprise Auditors Guide for more information.
On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later. For more information about Auditing, see the BusinessObjects Enterprise Auditors Guide.
Event Server
The Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event. After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event. Note: Schedule-based events, and custom events are managed by the CMS.
39
File Repository Servers

There is an Input and an Output File Repository Server in every BusinessObjects Enterprise implementation. The Input File Repository Server manages all of the report objects and program objects that have been published to the system by administrators or end users (using the Publishing Wizard, the CMC, the Import Wizard, or a Business Objects designer component such as Crystal Reports or the Web Intelligence Java or HTML Report Panels). Tip: If you use the BusinessObjects Enterprise SDK, you can also publish reports from within your own code. The Output File Repository Server manages all of the report instances generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server. The File Repository Servers are responsible for listing files on the server, querying for the size of a file, querying for the size of the entire file repository, adding files to the repository, and removing files from the repository. Note:
The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other. In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory. Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.
Cache Server
The Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page. If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then
40
BusinessObjects Enterprise Architecture Processing tier
caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers.
Processing tier
The processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.
The processing tier includes:
Job servers Web Intelligence Report Server Report Application Server (RAS) Page Server
Job servers
A Job Server processes scheduled actions on objects at the request of the CMS. When you add a Job Server to the BusinessObjects Enterprise system, you can configure the Job Server to:
Process report objects Process program objects
41
Send objects or instances to specified destinations
If you configure a Job Server to process report objects, it becomes a Report Job Server. If you configure a Job Server to process program objects, it becomes a Program Job Server, and so on. The processing tier includes:
Report Job Server Program Job Server Web Intelligence Job Server Destination Job Server List of Values Job Server Desktop Intelligence Job Server
Report Job Server

If you configure a Job Server to process report objects, it becomes a Report Job Server. The Report Job Server processes scheduled reports, as requested by the CMS, and generates report instances (instances are versions of a report object that contain saved data). To generate a report instance, the Report Job Server obtains the report object from the Input FRS and communicates with the database to retrieve the current data. Once it has generated the report instance, it stores the instance on the Output FRS.
Program Job Server

If you configure a Job Server to process program objects, it becomes a Program Job Server. Program objects allow you to write, publish, and schedule custom applications, including scripts, Java programs or .NET programs that run against, and perform maintenance work on, BusinessObjects Enterprise. The Program Job Server processes scheduled program objects, as requested by the CMS. To run a program, the Program Job Server first retrieves the files from storage on the Input File Repository Server, and then runs the program. By definition, program objects are custom applications. Therefore the outcome of running a program will be dependent upon the particular program object that is run. Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the programs standard out and standard error in a text output file. This file appears when you click a program instance in the object History.
42
Web Intelligence Job Server

The Web Intelligence Job Server processes scheduling requests it receives from the CMS for Web Intelligence documents. It forwards these requests to the Web Intelligence Report Server, which will generate the instance of the Web Intelligence document. The Web Intelligence Job Server does not actually generate object instances.
Destination Job Server

If you configure a Job Server to send objects or instances, it becomes a Destination Job Server. A Destination Job Server processes requests that it receives from the CMS and sends the requested objects or instances to the specified destination:
If the request is for an object, it retrieves the object from the Input File Repository Server. If the request is for a report or program instance, it retrieves the instance from the Output File Repository Server.
The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a users inbox, or outside the system, for example, by sending a file to an email address. The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers.
List of Values Job Server

The List of Values Job Server processes scheduled list-of-value objects. These are objects that contain the values of specific fields in a Business View. Lists of values are use to implement dynamic prompts and cascading lists of values within Crystal Reports. List-of-value objects do not appear in CMC or InfoView. For more information, see the Business Views Administrators Guide. The List of Values Job Server behaves similarly to the Report Job Server in that it retrieves the scheduled objects from the Input File Repository Server (FRS) and saves the instance it generates to the Output FRS. There is never more than one instance of a list-of-values object. On demand list of value objects are processed by the Report Application Server.
Desktop Intelligence Job Server

The Desktop Intelligence Job Server processes scheduling requests it receives from the CMS for Desktop Intelligence documents and generates the instance of the Desktop Intelligence document.
43
Web Intelligence Report Server

The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents. It also processes scheduled Web Intelligence documents and generates new instances of the document, which it stores on the Output File Repository Server (FRS). Depending on the users access rights and the refresh options of the document, the Web Intelligence Report Server will use cached information, or it will refresh the data in the document and then cache the new information.
Report Application Server (RAS)

The Report Application Server (RAS) processes reports that users view with the Advanced DHTML viewer. The RAS also provides the ad hoc reporting capabilities that allow users to create and modify reports over the Web. The RAS is very similar to the Page Server: it too is primarily responsible for responding to page requests by processing reports and generating EPF pages. However, the RAS uses an internal caching mechanism that involves no interaction with the Cache Server. As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer SDKs. The Report Application Server also includes an SDK for reportcreation and modification, providing you with tools for building custom report interaction interfaces.
Page Server
The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.) The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to
44
BusinessObjects Enterprise Architecture Data tier
the Cache Server and Page Server. (However, if a users default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).
Data tier
The data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.
See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.
Report viewers
BusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise Users Guide or the Crystal Reports Developers Guide.) All of the viewers fall into two categories:
client-side viewers Client-side viewers are downloaded and installed in the users web browser. zero client viewers The code to support zero client viewers resides in the application tier.
client-side viewers Active X viewer Java viewer
zero client viewers DHTML viewer Advanced DHTML viewer
45
BusinessObjects Enterprise Architecture Information flow
All report viewers help process requests for reports, and present report pages that appear in the users browser. Client-side viewers Client-side viewers are downloaded and installed in the users browser. When a user requests a report, the application server processes the request, and retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The application server then passes the report pages to the client-side viewer, which processes the report pages and displays them directly in the browser. Zero client viewers Zero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the report pages and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the users web browser. Installing viewers If they havent already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the users machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.
Information flow
This section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:
What happens when you schedule an object? What happens when you view a report?
What happens when you schedule an object?

When you schedule an object, you instruct BusinessObjects Enterprise to process an object at a particular point in time, or on a recurring schedule. For example, if you have a report that is based on your web server logs, you can schedule the report to run every night on a recurring basis.
46
When a user schedules an object using InfoView, the following happens: 1. 2. 3. 4. 5. 6. InfoView sends the request to the web server. The web server passes the web request directly to the application server, where it is evaluated by the BusinessObjects Enterprise SDK. The SDK passes the request to the CMS. The CMS checks to see if the user has sufficient rights to schedule the object. If the user has sufficient rights, the CMS schedules the object to be run at the specified time(s). When the time occurs, the CMS passes the job to the appropriate job server. Depending on the type of object, the CMS will send the job to one of the following job servers:

7.
If the object is Web Intelligence document, it sends the job to the Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server. If the object is a report, it sends the job to the Report Job Server. If the object is program, it sends the job to the Program Job Server.
The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully. If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.
8.
Note:
The Cache Server and the Page Server do not participate in scheduling reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.
What happens when you view a report?

This section describes the viewing mechanisms that are implemented in InfoView. It contains information on:
47
Report viewing with the Cache Server and Page Server Report viewing with the Report Application Server Viewing Web Intelligence documents
When you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In addition, the processing flow for custom applications may differ. In all cases, however, the request that begins at the web server must be forwarded to the application server. The actual request is constructed as a URL that includes the reports unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the users session and retrieves the logon token from the browser. The script then checks the users InfoView preferences and redirects the request to the viewing mechanism that corresponds to the users default viewer. Different report viewers require different viewing mechanisms:
The zero-client DHTML viewer is implemented through report_view_dhtml.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.
The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.
The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA. The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page (in .epf format) from the Cache Server and Page Server. If they havent already done so, users are prompted to download and install the appropriate viewer software.
48
Report viewing with the Cache Server and Page Server

This section describes the process for viewing a Crystal report when using the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache Server and the Page Server. 1. Upon receiving a report-viewing request, the Cache Server checks to see if it has the requested pages cached. Cached pages are stored as Encapsulated Page Format (.epf) files. If a cached page for the report (.epf file) is available: a. b. 3. The Cache Server checks with the CMS to see if the user has rights to view the cached page. If the user is granted the right to view the report, the Cache Server sends the cached page (.epf file) to the application server. The Cache Server requests new cached pages (.epf files) from the Page Server. The Page Server checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the Page Server retrieves the report from the Input File Repository Server. If the report is an instance, and the user only has View rights, the Page Server will generate pages of the report instance using the data stored in the report instance. That is, the Page Server will not retrieve the latest data from the database. If the report is an object, the user must have View On Demand rights to view the report successfully (because the Page Server needs to retrieve data from the database). e. f. g. 4. If the user has sufficient rights, the Page Server generates the cached page (.epf files) and forwards them to the Cache Server. The Cache Server then caches the pages (.epf files). The Cache Server sends the pages (.epf files) to the application server.
2.
If a cached page for the report (.epf file) is unavailable: a. b. c. d.
The application server sends the report to the users Web browser in one of two ways, depending on how the initial request was made:
If the initial request was made through a DHTML viewer (report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the users web browser.
49
If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the cached pages (.epf files) through the web server to the report viewer software in the users web browser.
Report viewing with the Report Application Server

This section describes the process for viewing a Crystal report when using the Advanced DHTML viewer. This process flow uses the Report Application Server (RAS). 1. Upon receiving a report-viewing request, the RAS checks to see if it has the requested report data in cache. (The RAS has its own caching mechanism, which is separate from the Cache Server.) If a cached version of the report (.epf file) is available: a. b. 3. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS returns cached pages (.epf files) to the application server. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS retrieves the report object from the Input File Repository Server. The RAS then processes the report object, obtains the data from the database, generates the cached pages (.epf files), caches the pages and sends the pages to the application server. If the user is granted View rights to the report object, then the RAS will only ever generate pages of the latest report instance. That is, the RAS will not retrieve the latest data from the database. If the user is granted View On Demand rights to the report object, then the RAS will refresh the report against the database. Note: The interactive search and filter features provided by the Advanced DHTML viewer are available only if the user has View On Demand rights (or greater) to the report object. 4. When the application server receives the cached pages (.epf files) from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself. The application server sends the HTML pages through the web server to the users web browser.
2.
If a cached page of the report (.epf file) is unavailable: a. b. c.
d.
5.
50
Viewing Web Intelligence documents

This section describes the process for viewing a Web Intelligence document. 1. 2. 3. 4. 5. InfoView sends the request to the web application server. The web application server sends the request to the application server, which creates a new session with the Web Intelligence Report Server. The Web Intelligence Report Server checks if the user has rights to use the Web Intelligence application. The web application server then sends the request to the Web Intelligence Report Server. The Web Intelligence Report Server contacts the CMS to check whether the user has the right to view the document, and to check when the document was last updated. If the user has the right to view the document, the Web Intelligence Report Server checks whether it has up-to-date cached content for the document. If cached content is available, the Web Intelligence Report Server sends the cached document information to the SDK. If cached content is not available, the following happens: a. The Web Intelligence Report Server obtains the document information from the CMS and checks what rights the user has on the document. The Web Intelligence Report Server obtains the Web Intelligence document from either the Input or Output File Repository Server and loads the document file. Note: Which FRS is used depends on whether the request was for a Web Intelligence document that was saved to BusinessObjects Enterprise or for an instance of the document. Documents are stored on the Input FRS. Instances are generated when an object is run according to a schedule, and they are stored on the Output FRS. c. If the document is set to refresh on open and the user has the View On Demand rights, the Web Intelligence Report Server refreshes the data in the document with data from the database. Note: If the document is set to refresh on open but the user does not have View On Demand rights, an error message is displayed. d. e. The Web Intelligence Report Server stores the document file and the new document information in cache. The Web Intelligence Report Server sends the document information to the SDK.
6.
7.
b.
51
BusinessObjects Enterprise Architecture Choosing between live or saved data
8. 9.
The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK. If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.
10. The SDK applies an XSLT style sheet to the XML to transform it to HTML. 11. The viewer script returns the HTML to the browser.
Choosing between live or saved data

When reporting over the Web, the choice to use live or saved data is one of the most important decisions youll make. Whichever choice you make, however, BusinessObjects Enterprise displays the first page as quickly as possible, so you can see your report while the rest of the data is being processed.
Live data
On-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information thats accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isnt rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server. For more information about optimizing the performance of reports that are viewed on demand, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Tip: Users require View On Demand access to refresh reports against the database.
52
BusinessObjects Enterprise Architecture Security management components
Saved data
To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database. Report instances are useful for dealing with data that isnt continually updated. When users navigate through report instances, and drill down for details on columns or charts, they dont access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database servers workload. For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report. Tip: Users require only View access to display report instances.
Security management components

System security within BusinessObjects Enterprise is distributed across most components, but it is managed primarily by the WCA, the CMS, the security plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos. These components work together to authenticate and to authorize users who access BusinessObjects Enterprise, its folders, and its other objects. This section discusses key components as they relate to system security, including:
Web Component Adapter CMS Security plug-ins
Note: Because these components are responsible for additional tasks, several of the components discussed here are described in additional detail elsewhere in this chapter.
53
Web Component Adapter

The WCA is the gateway between the web server and the remaining BusinessObjects Enterprise components. As such, the WCA receives all HTTP requests that are sent to BusinessObjects Enterprise from users web browsers. The WCA ensures that each user has a valid logon token for the system. If the logon token is missing, or if it has expired, the WCA initiates the primary authentication process. The WCA is also responsible for maintaining the users session state in the WCA session variable. This session variable contains information that BusinessObjects Enterprise uses when fulfilling users requests.
CMS
In relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges. When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its thirdparty security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials. When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the users account or group membership provides sufficient privileges.. For more information about the CMS and the CMS database, see Central Management Server (CMS) on page 38.
54
Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise supports the following security plug-ins:
BusinessObjects security plug-in
55
Windows NT security plug-in LDAP security plug-in Windows AD security plug-in
56
Planning Your Deployment
chapter
Planning Your Deployment Planning your deployment
Planning your deployment

This section provides guidelines for assessing your organizations needs, and suggestions for deployment scenarios. By putting effort into planning before you deploy your BusinessObjects Enterprise system, you can keep troubleshooting to a minimum and deliver a deployment tailored to your organizations unique needs. The section includes many examples and suggestions for deployment, but it is important to note that each deployment of BusinessObjects Enterprise is unique. The flexibility of its service-based architecture allows you to tailor the deployment to serve your organizations requirements as precisely as possible. Planning your deployment involves the following steps: 1. Perform a detailed assessment of your needs and limitations. You need to know who will be using the system and what they will be using it to accomplish. For more information, see Assessing your organizations needs on page 58 Calculate the resources required to support your organizations needs. How much load is supported by each server component? What hardware is required to support the load? For information about analyzing service thresholds and calculating server and hardware requirements, see Calculating resource requirements on page 64. Choose an initial deployment architecture. What deployment architecture will serve your needs within the limits of your resources? For suggestions and common configurations, see Common configurations on page 78. Test your deployment and adjust it to improve performance. It is good practice to deploy a test environment and fine-tune it before implementing your full production deployment. For more information, see Improving Performance on page 337.
2.
3.
4.
Assessing your organizations needs

Before you choose a system architecture and deploy BusinessObjects Enterprise, you need to perform a detailed assessment of your organizations needs. Who will be using the system? How will they be using it? What types of documents will be managed through the system? What volume of content will be accessed through the system? By understanding your users and the volume of traffic they will generate, you can determine the resources required for your deployment.
58
Planning Your Deployment Assessing your organizations needs
To make an accurate assessment, you need to perform the following tasks: 1. Determine the number of users on the system, and the type of users they are. See Estimating the number and type of users on page 59. 2. 3. Estimate the number of simultaneous requests. See Estimating the number of simultaneous requests on page 61. Estimate the number of concurrent active users and simultaneous viewing sessions. See Estimating the number of concurrent active users and viewing sessions on page 62. If you are assessing the performance of an existing system, you can use server metrics to determine how your system is currently being used. For information about assessing the performance of an existing deployment of BusinessObjects Enterprise, see Assessing your systems performance on page 338.
Estimating the number and type of users

The first step toward understanding how your BusinessObjects Enterprise system will be used is to determine the total number of users. You also need to estimate the number of concurrent users: users who are logged onto BusinessObjects Enterprise at the same time. You also need to understand how your users will use the system and how much traffic they will generate. To accurately determine the number and type of users of BusinessObjects Enterprise, perform the following steps: 1. 2. To estimate the number and type of users Determine the total number of users of the system. Include all users who will potentially have access to the system. Adjust the total number of users to account for future users. How many new users do you expect to add to the system this year? In the next five years? By deploying a system that is robust enough to accommodate future growth, you can save time and money later. 3. Estimate the number of concurrent users. The number of concurrent users is typically 10% to 20% of the total number of potential users in the system. For example, if you have a total of 4000 users, you will probably have 400 to 800 concurrent users.
59
Note: The number of concurrent users will be used to calculate the resource requirements for the Web Application Server and the number of concurrent active users. For information, see Estimating the number of concurrent active users and viewing sessions on page 62. 4. Divide the number of concurrent users into groups according to how they will use the system:
Heavy Users Heavy users are logged onto the system all day. They interact with objects continuously throughout the day, averaging one request per second.
Active Users Active users log onto the system frequently throughout the day. They average one request every four seconds. Moderate Users Moderate users log onto the system at various points throughout the day. They average one request every eight seconds. Light Users Light users log onto the system infrequently. They view a couple of objects and log out, averaging one request every 16 seconds.
Make note of the number of users that fall into each of these groups.
Other user considerations

When you draft your final deployment plan, it is also important to think about think about where your users are and when they will use the system:
Determine the number of users for each geographical location. Where your users are can affect how you configure your system architecture. Make note of the number of users at various locations. You may want to establish local processing servers to account for significant load in areas with more users.
Estimate traffic schedule. Knowing when your users are likely to use BusinessObjects Enterprise can also help you configure your deployment. If users around the world access the system throughout the day and night, then the system should be prepared for the continuous traffic. Or, you may run all of your scheduled objects in the evenings and your users dont access them until the morning, so you may want to maintain different server configurations for day and night traffic. It is also important to consider traffic from different time zones.
60
Estimating the number of simultaneous requests

The number of requests that the system needs to process simultaneously affects how you configure and expand your deployment. Specifically, you need the number of simultaneous requests when you calculate the resource requirements for the Central Management Server, the Web Application Server, the Cache Server, the Report Application Server, and the Page Server. The number of simultaneous requests is typically 10% to 20% of the number of concurrent users. For example, if you have 400 concurrent users, you will probably have between 40 and 80 simultaneous requests. However, your users may differ from the typical scenario. To make your estimates as accurate as possible, group your users according to how they will use the system. After you determine the number of users in each group, you can use common usage rates to calculate a final estimate of the number of simultaneous requests. For information about grouping your users, see Estimating the number and type of users on page 59. 1. To estimate the number of simultaneous requests Sort your estimated number of concurrent users into groups. For information about grouping your users, see Estimating the number and type of users on page 59. 2. Calculate the number of simultaneous requests, using the following formula:
((#of heavy users)*1) + ((# of active users)*.25) + ((# of moderate users)*.12) + ((# of light users)*.06)
For example, if you have 400 concurrent users and 10 are heavy users, 40 are active users, 150 are moderate users, and 200 are light users, the formula will look like this:
(10*1) + (40*.25) + (150*.12) + (200*.06) = 10 + 10 + 18 + 12 = 50 simultaneous requests
3.
If necessary, round up the result for your final estimate of the number of simultaneous requests.
Note: This step procedure uses the following common usage rates tested by Business Objects:
61
Concurrent users by type
Number of simultaneous requests 100 25 12 6
% of simultaneous usage rate 100% 25% 12% 6%
For every 100 heavy users For every 100 active users For every 100 moderate users For every 100 light users
Estimating the number of concurrent active users and viewing sessions

A concurrent active user is a user that is logged onto the system and is running at least one open viewing session. A viewing session refers to the length of time that an object is viewed by one or more users. When a user interacts with an object in BusinessObjects Enterprise, a viewing session is created for the object. The session remains open until the objects idle time expires. The number of concurrent active users is used to calculate resource requirements for the Central Management Server. The number of simultaneous viewing sessions is used to calculate resource requirements for Web Intelligence Report Servers and all types of Job Servers.
Concurrent active users

To calculate an accurate estimate of the number of concurrent active users, you need to ask questions about how your users work and about the objects they use.
Users Determine the number and type of concurrent users. (For information about estimating the number of concurrent users, see Estimating the number and type of users on page 59.) How many concurrent users do you have? What percentage of these users will have an active viewing session at the same time? To begin estimating the number of concurrent active users, you can add the number of users that you classified as heavy and active users when you sorted them into groups.
62
Objects
Estimate the number of objects per user. Will your users publish and view their own documents? Or will they spend more time viewing company-wide or departmental reports? How many objects will they use at once? You need to determine how many unique objects such as Crystal reports and Web Intelligence documents might be viewed at the same time by multiple users.
Estimate the types of objects. The types of objects also affect the number of concurrent active users. Split the total number of objects per user into unique and shared objects. Will your users share documents and reports with others? Shared objects reduce the number of concurrent active users because they allow multiple users to use the same viewing session. Typically, static objects such as operational view-only Crystal reports are more likely to share viewing sessions than Web Intelligence documents or OLAP Intelligence reports, which are dynamically interactive. Keep this in mind when you calculate the shared component of your load requirements.
Viewing sessions
To estimate the number of simultaneous viewing sessions, consider the following examples:
If every user logged onto the system is interacting with a single unique object (such as a report, a document, or a dashboard), the number of viewing sessions is equal to the number of concurrent users. If you had 100 users viewing 100 unique objects, then the number of viewing sessions equals 100. If every user logged onto the system is interacting with more than one unique object, the number of viewing sessions is higher than the number of concurrent users. If every user viewed two unique objects, for example, then the number of viewing sessions will be twice the number of concurrent users. If every user logged onto the system is viewing one or more objects that are not unique (shared between users), the number of viewing sessions will be lower than the number of concurrent users. If you have 100 users and 50 of them are viewing a shared report, while the other half are interacting with a single unique object, then there will be 51 viewing sessions: one for the shared report and 50 for the unique objects.
63
Planning Your Deployment Calculating resource requirements
Based on your understanding of your users and the shared and unique content they need, you can use the following equation to determine a rough estimate of the number of viewing sessions:
(# of unique objects)(number of concurrent users viewing unique objects) + number of shared objects
For example, if you have 100 concurrent active users and 20 users are viewing 2 shared objects and 80 users are viewing 2 unique objects each, then you will have 162 simultaneous viewing sessions:
(2)(80) + (2) = 162
If you have 100 concurrent active users and 80 users are viewing 2 shared objects and 20 users are viewing 2 unique objects each, then you will have 42 simultaneous viewing sessions:
(2)(20) + (2) = 42
Calculating resource requirements

In the previous sections, you estimated the number and type of users, the number of simultaneous requests, the number of concurrent active users, and the number of viewing sessions. Together, this information allows you to estimate the load that will be placed on your system. The next step is to determine the BusinessObjects Enterprise and hardware resources required to support the load. To estimate the systems resource requirements, you need to use service threshold standards to estimate the following:
The number of BusinessObjects Enterprise server components (or services) you need in order to accommodate the load. The number of CPUs required to run the server components and support the load.
For a table summarizing resource calculations, see Summary of resource calculations on page 73.
Analyzing service thresholds

Before you can calculate your resource estimates, you need to analyze the service thresholds for the following server components:
Central Management Server Web Application Server Cache Server Report Job Server
64
List of Values Job Server Web Intelligence Report Server Report Application Server Page Server
It is important to note that the service threshold numbers provided in this section are based on benchmark testing performed by Business Objects. The test machines had an average clock speed of 2.5 GHz with 2 GB memory per CPU. These threshold numbers are intended only as a baseline to help you determine the size and configuration of your system. These numbers are affected by many factors, such as: the size and complexity of objects; the number of users; your network speed; operating system; clock speed; application server; disk speed; memory; and many more factors. The sample threshold numbers provided here assume that each BusinessObjects Enterprise server is installed on a separate machine and that each machine is a single CPU box. After you perform the initial sizing calculations, you can adjust the sizing numbers and system configuration to accommodate your specific system requirements. It is important to monitor your system performance regularly and adjust the configuration accordingly. For more information about monitoring performance, see Assessing your systems performance on page 338. Note: For more information about these server components and how they work together, see BusinessObjects Enterprise Architecture on page 29. Note: The Event Server is not a processing- or memory-intensive server, so it is not included in the discussion of service thresholds. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366.
Central Management Server

Central Management Server thresholds depend on the number of CPUs and the number of services running on them. Its good practice to configure for a higher number of users and simultaneous requests than your current system usage.
One Central Management Server can handle 600 concurrent active users and 150 simultaneous requests. One CPU can handle 500 concurrent active users and 150 simultaneous requests.
For example, to support 4000 concurrent active users generating 400 simultaneous requests, your deployment could include:
65
Two quad boxes with four CMS services each. Eight single CPU machines with one CMS service each.
Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.
Estimating CMS memory usage

To determine how much memory you need on the Central Management Server machine, estimate how many objects and instances youll have in the system and calculate the estimated memory usage. This table lists the estimated memory usage for the object types: Object User Folder Report object Estimated Memory Usage 14 KB (7 KB memory and 7 KB virtual memory) 10 KB 20 KB average (Report object size can vary considerably. Estimate higher for large or complex report objects.) 20 KB average per instance
Report instance Note:
There are many factors that can increase the amount of memory required for the Central Management Server. Report objects and instances in particular can vary in size considerably. For example, report instances that contain numerous prompts will be larger than average because every string prompt requires 256 bytes. In normal operation, the Central Management Server keeps only the most recently accessed objects in memory. During periods of rapid object access, such as batch reporting, the Central Management Server may exceed the specified amount of memory.
Memory requirements depend on the number of individual accounts and objects that need to be loaded by the Central Management Server. For example, when you access a folder or a category, if the folder contains many objects and instances, it will take longer to load. By maintaining a detailed and organized folder structure, you can improve the speed of your system. The registry setting MaximumObjectsToKeepInMemory controls the number of objects kept in memory by the Central Management Server. Adjust this setting if memory resources on the Central Management Server are either scarce or plentiful.
66
Web Application Server

Each Web Application Server handles different numbers of concurrent active users and simultaneous requests. When youre configuring your Web Application Server (for example, IIS, Apache Tomcat, BEA WebLogic, or IBM WebSphere), consider the main functions of the Web Application Server within the BusinessObjects Enterprise system:
Processing the .NET/Java script Translating the Encapsulated Page Files (page on demand) to DHTML pages. Communicating with the Crystal Reports Cache Server for report view requests. Managing session state information for the users. Facilitating OLAP Intelligence view requests. Communicating with the Web Intelligence Report Server for view requests.
Web Application Server thresholds generally depend on the number of CPUs and the number of services running on them. Its good practice to configure for a higher number of users and simultaneous requests than your current system usage.
One service can handle virtually unlimited numbers of concurrent users and simultaneous requests, but consult your web application server documentation for specific numbers. One CPU can handle 400 concurrent users One CPU can handle 100 simultaneous requests if ActiveX is used as a primary viewer. One CPU can handle 50 simultaneous requests if DHTML is used as a primary viewer. One CPU can handle 40 simultaneous requests if OLAP Intelligence is used as a primary document viewing engine (OLAP DHTML viewer).
For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include one web application service installed across
10 single-CPU machines. Two quad boxes and a dual machine. Five dual machines.
Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.
67
Cache Server
The Cache Server handles all report viewing requests. When the Cache Server receives a request, it checks whether of not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays the required data and the data has been refreshed from the database within the specified interval, the Cache Server returns the cached report page to the Web Application Server. If not, then the page is requested from the Page Server. The thresholds for the Cache Server are:
1 service can handle 400 simultaneous requests. 1 CPU can handle 200 simultaneous requests.
For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include: one Cache Server service installed across a dual-CPU machine. two Cache Server services installed across two single-CPU machines.
Note: Since the Cache Server works directly with the Page Server, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers.
Report Job Server

The Report Job Server processes report objects for the Central Management Server and generates report instances. The thresholds for the Report Job Server are:
One Job Server can handle 20 concurrent Crystal Reports jobs. One CPU can handle five concurrent Crystal Reports jobs.
Do not set individual Job Servers to process more than 20 simultaneous jobs. For example, if there are 40 simultaneous jobs and you have an 8-CPU computer, configure two Job Servers on the machine with each server set to handle 20 simultaneous jobs. Note: Complex reports that retrieve and process a large set of data should be scheduled. Jobs run as independent processes rather than threads on the Reports Job Server. This requires more resources for each job, but allows for efficient processing of a smaller set of large processing reports.
Reports Job Server threshold formula

You can use the following formula to help determine the number of Report Job Servers you need:
68
((# of reports) x (average report processing time)) / ((time window) x (maximum number of jobs per job server) = # of job servers required
Note: Make sure you use the same time measurement (minutes, for example) for the average report processing time and the time window. (The time window is the maximum amount of time the system can take to process the reports.) For example:
(200 reports x 1 minute) / (10 minutes x 20) = 1 job server required
List of Values Job Server

The List of Values (LOV) Job Server processes List of Values objects for the Central Management Server and generates object instances. List of Values objects are used for dynamic prompts and cascading lists of values for Crystal reports. The thresholds for the List of Values Job Server are:
One List of Values Job Server can handle 20 simultaneous requests. One CPU can handle five simultaneous requests.

The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents (stored in the File Repository Servers). It also processes scheduled Web Intelligence documents and generates new instances of documents. Depending on the users access rights and the refresh options set on the document, the Web Intelligence Report Server uses cached information or refreshes the data. Note: The Web Intelligence Report Server also processes Crystal xCelsius documents. If your users work with Crystal xCelsius, they may have significantly higher simultaneous viewing sessions and you will need to install more Web Intelligence Report Servers. The thresholds for the Web Intelligence Report Server are:
One Web Intelligence Report Server can support 25 simultaneous viewing sessions. One CPU can support 25 simultaneous viewing sessions.
For example, if you expect users of Web Intelligence documents to need an average of 100 simultaneous viewing sessions, you could have four Web Intelligence Reports Server services installed on a quad machine.
69
Note: Memory requirements can be affected by the document design and the types of actions being performed. For example, a refresh request demands the greatest amount of memory for a Web Intelligence document because the database is queried and the entire dataset is transferred to the Web Intelligence Report Server.
Report Application Server

The Report Application Server processes reports that InfoView users view with the Interactive DHTML viewer. It also provides the reporting capabilities that allow InfoView users to create and modify Crystal report over the web. The thresholds for the Report Application Server are:
One Report Application Server can handle 200 simultaneous requests. One CPU can handle 25 to 75 simultaneous requests. For optimal performance, use 25 simultaneous requests for your calculations.
For example, if you expect 100 concurrent active users viewing or modifying a Crystal report, you could configure a quad machine with one Report Application Server installed for each CPU.
Page Server
The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and access rights for the object). The Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server interact to ensure cached EPF pages are reused as frequently as possible. The number of concurrent active users is not important for determining the number of Page Servers you need, because BusinessObjects Enterprise automatically creates new Page Server processes to accommodate extra traffic. Because Cache Servers work directly with Page Servers, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers. The thresholds for the Page Server are as follows:
One CPU can handle 25 to 75 simultaneous requests. The recommended settings is 50.
For example, to support 400 simultaneous requests, your deployment could include:
one Page Server service installed across an 8-way CPU machine. two Page Server services installed across two quad CPU machines.
70
Note: Unless the machine is dedicated to serve multiple Page Server groups, do not install more than one Page Server on a single machine (even if the machine has four or more CPUs).
Dedicated Page Server machine

If you have a dedicated Page Server machine, it will dynamically adapt to different loads by creating and stopping Page Server processes as needed (within available resources). For a dedicated Page Server, it is good practice to change the Maximum Simultaneous Report Jobs setting to Unlimited. When you use the Unlimited setting, the maximum number of jobs is set to 25 jobs per CPU, with a minimum of 50. For example,
For 1 CPU, the Maximum Simultaneous Report Jobs is 50. For 2 CPUs, the Maximum Simultaneous Report Jobs is 50. For 4 CPUs, the Maximum Simultaneous Report Jobs is 100. For 8 CPUs, the Maximum Simultaneous Report Jobs is 200.
Shared Page Server machine

If the Page Server shares resources with other services such as the Job Server or the Central Management Server, you may want to change the Maximum Simultaneous Report Jobs setting. The recommended range for this value is between 25 and 75 per available CPU. If machine resources are particular scarce, as in a full deployment on one standalone machine for example, you may need to choose a value below 25.
Calculating the minimum resource requirements

After you assess your organizations needs and understand the service threshold limitations, you can determine the minimum resources needed to implement an effective BusinessObjects Enterprise deployment. To calculate the minimum resource requirements, you need the following information from the previous section:
The estimated number of concurrent users. The estimated number of simultaneous requests. The estimated number of concurrent active users and viewing sessions. Service threshold information for each server type.
This section provides examples of how to calculate the minimum required resources for your deployment. Note: You may also want to expand the system to account for high availability. For information about designing for high availability, see Designing for high availability on page 76.
71

For this example, assume that you estimated a total of 8000 users of the system, with 800 concurrent active users. According to the service threshold benchmarks, a single Central Management Server on a single CPU can handle up to 500 concurrent active users. You will need more than one Central Management Server to support all requests. In this example, you would need to install two Central Management Server services across two single-CPU machines to support up to 1000 users. This exceeds the systems needs by 200 concurrent active users but allows for future growth.

Assume that the 800 concurrent users view Crystal report objects using the ActiveX viewer and generate an average of 100 simultaneous requests. One Web Application Server allows for 400 concurrent users per processor. It also allows for 100 simultaneous requests. Although the 100 simultaneous viewing ActiveX requests can be handled by a single CPU, this system requires two Web Application Server services because each service can handle only 400 concurrent users per server on a single-CPU machine.
Cache Server
Assume for this example that you have 800 concurrent users using the ActiveX viewer and there are 500 simultaneous requests. Each Cache Server can handle 200 simultaneous requests per CPU. This system requires three Cache Servers installed across three single-CPU machines.
Report Job Server

For this example, assume that 1000 report objects are being scheduled to run during the night. On average, it takes nine minutes to run each report. You have five hours (300 minutes) to run all of the reports. The number of Crystal Reports Job Server services required is determined by performing the Crystal Reports Job Server threshold calculation. (For more information, see Report Job Server on page 68.) In this example, the calculation is:
(1000 reports x 9 minutes to run each report) / (300 minutes for the time window x 20 maximum jobs per service) = 2 Crystal Reports Job Servers installed on two quad machines
72

Assume for this example that you need to support 100 simultaneous viewing sessions. A single Web Intelligence Report Server can support 25 simultaneous viewing sessions on a single-CPU machine; the system requires four Web Intelligence Report Servers installed across four singleCPU machines.

If you have an average of 50 concurrent users working in the Report Application Server, running an average of 50 simultaneous requests, then your system will need one Report Application Server installed across two CPUs. You could install the single Report Application Server on a dual machine.
Page Server
Assume for this example that you have 500 simultaneous requests. One CPU can handle 50 simultaneous requests, this system requires 10 CPUs. You need only one Page Server service per machine, because it automatically creates new processes on each machine to account for high traffic. In this example, you could use 3 Page Servers installed across two quad machines and one dual machine.
Summary of resource calculations

The following table summarizes the load supported by each server component. The table includes the following:
The server component. The user and traffic loads that each server component can support. The user and traffic loads that each CPU can handle when running the server component. A sample configuration.
For more information about the service thresholds, see Analyzing service thresholds on page 64. For more information about making resource calculations, see Calculating the minimum resource requirements on page 71.
73
Server type CMS
Supported load per Supported load per server component CPU
Example
600 concurrent active users per CMS 150 simultaneous requests per CMS 400 concurrent users per Web Application Server
500 concurrent active users per CPU 150 simultaneous requests per CPU
If you have 600 concurrent active users running an average of 100 simultaneous requests, you will need one CMS across two CPUs. If you have 600 concurrent users using the ActiveX viewer and generating an average of 100 simultaneous requests, you will need two Web Application Servers running on a single CPU.
400 concurrent users per CPU 100 simultaneous requests using the ActiveX viewer per CPU 50 to 75 simultaneous requests using the DHTML viewer per CPU 40 OLAP Intelligence requests using the OLAP Intelligence DHTML viewer per service per CPU 200 simultaneous requests per CPU
Cache Server
400 simultaneous requests per Cache Server
If you have 600 concurrent users running an average of 500 simultaneous requests, you will need three Cache Servers installed across three CPUs. If you need to run 40 report objects simultaneously every day at midnight, you will need two Job Servers, running on eight CPUs (two quad machines).
Report Job Server
20 simultaneous report jobs per Job Server
5 simultaneous report jobs per CPU
74
Server type List of Values Job Server
Supported load per Supported load per server component CPU
Example
20 simultaneous requests per List of Values Job Server
5 simultaneous requests per CPU
If you need to run 10 objects that use List of Values objects simultaneously, you will need three Job Servers, running on ten CPUs (two quad machines and a dual machine). If you need to support 100 simultaneous viewing sessions, you will need four Web Intelligence Report Servers running across four CPUs (one quad machine). If you need to support 300 simultaneous requests, you will need two Report Application Servers running across 12 CPUs (three quad machines). If you need to support 400 simultaneous viewing sessions, you will need 8 CPUs (two quad machines).
25 simultaneous viewing sessions per Web Intelligence Report Server
25 simultaneous viewing sessions per CPU
200 simultaneous requests per Report Application Server
25 simultaneous requests per CPU
Page Server
25 to 75 simultaneous viewing sessions per CPU. (Use 50 simultaneous viewing sessions for your initial calculations.)
75
Designing for high availability

After you calculate the minimum resource requirements for your system, you should consider expanding your deployment to account for high availability. High availability refers to a system that is almost continuously operational. When designing a system for high availability, you need to consider how much time is acceptable for the system to be down. To minimize the amount of down time, you need to plan for failover processing, system backup, and data storage. To provide a BusinessObjects Enterprise architecture that provides high availability, all of its services and sources of data must be continuously available and operational. You need to consider:
Fault tolerance If a BusinessObjects Enterprise service fails, a fault tolerance system allows for continuous processing of system requests with no loss of service. To achieve this level of availability, you need to provide duplicate BusinessObjects Enterprise services. For example, if a Web Intelligence Job Server fails, you need a duplicate Web Intelligence Job Server to immediately take its place to process requests with no loss of service.
Disaster recovery A disaster recovery plan consists of precautions to be taken in the event of a full system failure. A disaster recovery plan needs to minimize the effects of the disaster on the organization so you can maintain or quickly resume important system functions. If your organization has multiple offices, it is good practice to keep the backup system in a different geographical location. A BusinessObjects Enterprise disaster recovery plan often involves implementing redundant servers in a backup system that mirrors the primary system. In the event that the primary system goes down, the backup system is still available and becomes the full production system. Note: When you back up your primary system, you need to back up: the Central Management Server system database; the content of the Input and Output File Repository Servers; the user ID and password for the Administrator account; the application code from the Web Application Server; and the registry settings (if manual changes were made).
You may not have the resources to implement a high degree of availability, but there are still best practices you can use to provide the best possible availability for your system.
76
Designing a multiple-server system for high availability

You can attain a high degree of availability with a multiple-server system. It depends largely on the resources available to you after the basic resource requirements of the system have been met. You can manage fault tolerance for a multiple-server environment by adding additional services to handle failover support. In a multiple-server environment, the duplicate services can be added to different machines. You can cluster services together so that if one service fails or if there is a hardware failure on the machine running the service, the duplicate service on a different machine continues to process requests with no impact to the system. Two common examples of fault tolerance in a multiple-server environment are:
CMS clustering With CMS clustering, a set of two or more CMS server machines function as a single Central Management Server. In the event of a failure, the workload of the failed CMS is picked up by another available CMS within the cluster. For more information about CMS clustering, see Clustering Central Management Servers on page 114.
Active and passive File Repository Servers Your deployment can have multiple Input and Output File Repository Servers. The first File Repository Server pair to register with the CMS cluster becomes the active FRS pair and the other FRS services are considered passive. Although all File Repository Server services run simultaneously, only the active FRS pair handles requests. In the event that an active FRS fails, a passive FRS that is registered with the CMS cluster is changed to active status. When the previously active FRS becomes operational again, it is registered as a passive FRS with the CMS.
For disaster recovery, the most important considerations for disaster recovery are backups and data recovery. Depending on your organizations needs, it may also be important to minimize down time. If your system must remain available during a disaster, its good practice to maintain a full backup system that mirrors the primary system. If you set up a backup system, ensure that the two systems do not run at the same time. Otherwise, the primary and backup systems may not be synchronized properly. You can configure the primary and backup systems as
77
Planning Your Deployment Common configurations
members of the same CMS cluster regardless of location, but ensure that the the primary and backup CMSs run off of the corresponding primary and backup system databases.
Common configurations
After you determine the needs of your users and the resources required for the deployment, you can develop an initial deployment architecture for BusinessObjects Enterprise. This section describes potential scenarios for administrators who are planning an installation of BusinessObjects Enterprise. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about assessing your systems unique needs, see Assessing your organizations needs on page 58. For information about fine-tuning performance, see Improving Performance on page 337. It is also recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide. Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see Adding and deleting servers on page 105. This section describes the following common configurations:
Single-machine architecture on page 79 Balanced processing architecture on page 79 High availability clustered architecture on page 80 Firewalled architecture on page 81
For a detailed sample deployment that illustrates the concepts described in this chapter, see Server deployment and firewall configuration on page 435.
78
Single-machine architecture
Useful for testing purposes, this basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not need to share with database and web server processes. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:
Install all of the BusinessObjects Enterprise servers on a single, dedicated machine. Run the CMS database on your database server. If you are still using the MySQL CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.
Balanced processing architecture

This second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. By dividing architecture components into logical groups, you prevent the server components from competing with each other for the same hardware and processing resources. Note: It is recommended that you use three multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:
Install the BusinessObjects Enterprise management components on one machine. For example, you could install the Central Management Server and the Event Server on one machine. Note: Here, the Event Server is installed on the same machine as the Central Management Server. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.
79
Install the web services components on the second machine. For example, you could install the web application server, the Web Component Adapter, and the Cache Server on the second machine. Note: In this example, the Cache Server is installed with the The Cache Server is included with the web services components because it communicates regularly with the Web Application Server. You could install it on the third machine instead.
On the third machine, install the storage and processing components: the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers.
For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server. Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
High availability clustered architecture

One of the most common configurations, this third configuration mirrors the balanced processing architecture. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. If a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system. Note: This example was tested using five multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:
Install the balanced processing setup first. Verify that BusinessObjects Enterprise is functioning correctly. For details, see Balanced processing architecture on page 79. Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed.
80
Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on). For more information about CMS clustering, see Clustering Central Management Servers on page 114. Note: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.
On the remaining machine, install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and Report Application Server, along with a pair of Input and Output File Repository Servers. Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.
Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.
Firewalled architecture
Another common configuration is a firewalled architecture based on one of the previous configurations. For a detailed example of a firewalled deployment, see Server deployment and firewall configuration on page 435. For general information about configuring firewalls with BusinessObjects Enterprise, see Working with Firewalls on page 157.
81
82
chapter
Creating a WebSphere cluster Overview
Overview
WebSphere Application Server Network Deployment has the ability to balance the application workload through the use of vertical and horizontal scaling. A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. While you can configure either type of cluster, or have a combination of vertical and horizontal clusters, this section explains how create a vertical cluster and deploy InfoView on this vertical cluster. When you cluster InfoView in the method described in this section you will create logon session affinity, not session failover. This means that under normal circumstances, once a session begins, all requests for that session go to the same cluster member. However, if the cluster member processing your session fails, your session will be automatically redirected to another functioning cluster. While you will not be required to log on again, you may loose your context, and may be required to navigate back to your original location. Note: Logon session affinity is only supported for InfoView. None of the other applications have support for this feature at this time.
Before you begin

Make sure the following servers are installed:
IBM WebSphere Application Server Network Deployment with administrative privileges. IBM WebSphere Application Standalone Server with administrative privileges.

Creating and setting up the WebSphere cluster includes these tasks:

84
Starting the servers on page 85 Creating a cluster on page 87 Checking the assigned port number on page 89 Adding the assigned port number on page 90 Setting heap size on page 90 Setting internal system configuration on page 92 Installing the applications on page 93
Creating a WebSphere cluster Creating a WebSphere cluster
Mapping BusinesssObjects WAR files to the cluster on page 95 Regenerating the web server plugin on page 96
Starting the servers

To create a cluster, the deployment manager and the node agent must be running. To start the servers in Windows Note: You may be required to be a member of the local Administrators group to start the server. 1. Start the deployment manager if its not already running: a. b. In a command prompt, navigate to the <network_deployment_root> bin directory. Issue the following command to check the status of the deployment manager server:
serverStatus dmgr
Note: You can also use serverStatus -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
startManager
2.
Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
addNode localhost 8879
3.
Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
serverStatus nodeagent
Note: You can also use serverStatus -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
startNode
85
4.
Initialize the HTTP server: a. b. c. Open Windows Services Scroll down and select IBM HTTP Server 1.3.26 If the status of the IBM HTTP Server is not set to Started, click the start icon in the tool bar.
The servers are now started and you are ready to create a cluster. To start the servers in UNIX Note: You may require sudo authority on your UNIX machine to start the server. This type of authority is granted by your UNIX administrator. 1. Start the deployment manager if its not already running: a. b. In a command prompt, navigate to the <network_deployment_root> bin directory. Issue the following command to check the status of the deployment manager server:
./serverStatus.sh dmgr
Note: You can also use ./serverStatus.sh -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
./startManager.sh
2.
Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
./addNode.sh localhost 8879
3.
Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
./serverStatus.sh nodeagent
Note: You can also use ./serverStatus.sh -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
./startNode.sh
86
4.
Initialize the HTTP server: a. Issue the following command to check if HTTP server is running:
ps -ef | grep httpd
Note: You should see a list of processes running with the name of "httpd". b. If httpd is not running, start your HTTP server manually by issuing the following command:
IHS_install_dir/bin/apachectl start
The servers are now started and you are ready to create a cluster.
Creating a cluster
A cluster is a group of application servers (cluster members) that are distributed across one or more nodes. An application installed in the cluster runs on each cluster member, so workload management and failover are provided for the application. Following are the steps involved in creating a cluster: 1. To create a cluster Start the IBM WebSphere Administrative Console in your browser.

2. 3. 4. 5. 6.
For IBM WebSphere 5.1, type http://servername:9091/admin/ For IBM WebSphere 6.0, type http://servername:9060/admin/
Logon to the administrative console. Expand Servers and click Clusters. Click New. The Step 1 : Enter Basic Cluster Information panel appears. In the Cluster Name field, type MyCluster. Verify that Prefer local enabled is selected. This specifies whether EJB requests are routed to the node on which the client resides, if possible.
7.
Select Create Replication Domain for this cluster. This will create a single replication domain for the cluster to allow replication of session data for a failover.
8.
Verify that Do not include an existing server in this cluster is selected. This will create the first cluster member as a new application server instead of using the server1 application server as the first member of your cluster.
87
9.
Click Next. The Step 2 : Create New Clustered Servers panel appears.
10. Define a node for the cluster: a. b. c. d. e. f. In the Name field, type MgServer1. Click your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. Select Existing application server and click was5hostNetwork/ was5host/server1 to select the template in the drop down menu. This will allow the server to use the setting of the server1 applications server as the template for your cluster members. g. h. Click Apply. MgServer1 is now displayed in the table Application servers, at the bottom of the page. Add another cluster member to the server by typing MgServer2 in the Name field. Click on your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. f. g. Click Apply. MgServer2 is now displayed in the table Application servers, at the bottom of the page.
11. In the same panel, define another node for the cluster: a. b. c. d. e.
12. Click Next. 13. Review the configuration summary and click Finish. The cluster is now created in the configuration. For each newly defined node go to Servers and click on Application Servers. 14. Save your changes: a. Click the hyperlink Save in the task bar at the top of the console to open the Save page.
88
b. c.
On the Save page, expand and review the list of files to be changed. Click Save.
Checking the assigned port number

Follow the procedures below to check the assigned port numbers in WebSphere 5.1 or WebSphere 6.0: 1. To check the assigned ports in WebSphere 5.1 Expand Servers and click Application Servers. The servers that you created (MgServer1 and MgServer2) in the section Creating a cluster on page 87 are now listed on the Application Servers page. 2. 3. Click MgServer1. Go to the HTTP Transports page. a. b. Under Additional Properties, go to Web Container. Under Additional Properties, click on HTTP Transports.
The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the host name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list. 1. To check the assigned ports in WebSphere 6.0 Expand Servers and click Application Servers. The servers that you created (MgServer1 and MgServer2) in the section Creating a cluster on page 87 are now listed on the Application Servers page. 2. 3. Click MgServer1. Go to the HTTP Transports page. a. b. Under Container Settings, expand Web Container Settings. Click Web container transport chains to view the HTTP ports.
The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the port name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list.
89
Adding the assigned port number

After checking the port number in section Checking the assigned port number on page 89, add the port numbers to the virtual hosts using the following procedure: 1. 2. 3. To add the assigned port number In the navigation menu, expand Environment, click Virtual Hosts. From the virtual hosts list, click default_host. Add port number to the host aliases list: a. b. c. d. e. 4. Under Additional Properties, click Host Aliases. Click New. In the HostName field, type * In the Port field, type the port number. Click OK.
Note: Follow this step to add other port numbers to the host aliases list. Save your configuration: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Setting heap size

You may be prompted to set the heap size. Follow the procedures below to set the heap size in WebSphere 5.1 or WebSphere 6.0: 1. 2. 3. To set the heap size in WebSphere 5.1 Expand Servers and click Application Servers. Click on the application server to set its heap size. Go to the JVM page. a. b. c. Scroll down until you see Process Definition in the Additional Properties table. Click on Process Definition. Scroll down and click on Java Virtual Machine in the Additional Properties table.
90
4. 5. 6. 7. 8.
Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Note: Follow the same procedure to set heap sizes of any other servers. 1. 2. 3. To set the heap size in WebSphere 6.0 Expand Servers and click Application Servers. Click on the application server to set its heap size. Go to the JVM page. a. b. c. 4. 5. 6. 7. 8. Under the Server Infastructure section, click and expand Java and Process Management. Click on Process Definition. In the Additional Properties section, click on Java Virtual Machine.
Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Note: Follow the same procedure to set heap sizes of any other servers.
91
Setting internal system configuration

For each node in a new cluster, set the path variable that applies to your environment and the PATH. 1. 2. 3. To set internal system configuration in Windows Expand Servers and click on Application Servers. Click on your server name. Go to the Custom Properties page.

4. 5. 6.
If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.
Click New. In the * Name field, type PATH. In the * Value field, type the path that points to BusinessObjects folder. Note: The default location of this folder is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86. Modify the path if you changed the default location.
7. 8. 9.
Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
1. 2. 3.
To set internal system configuration in UNIX Expand Servers and click on Application Servers. Click on your server name. Go to the Custom Properties page.

4.
If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.
Click New.
92
5.
In the * Name field, type the name of the path variable that applies to your deployment. These are your options:
Operating Variable System For Solaris LD_LIBRARY_PATH For AIX For Linux For HPUX 6. LIBPATH LD_LIBRARY_PATH SHLIB_PATH
In the * Value field, type the path that points to BusinessObjects platform name folder. The location of this file is <INSTALLDIR>/bobje/enterprise115/ solaris_sparc
Replace INSTALLDIR with the location of your installation and replace solaris_sparc with the platform name that applies to your installation. The platform name options are as follows:

7. 8. 9.
aix_rs6000 linux_x86 hpux_pa_risc
Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Installing the applications

1. 2. 3. 4. To install the applications in Windows Go to the administrative console. Expand Applications and click Install New Application Select Local path system and click Browse. Navigate to the application directory, select and click Open. The Local path field should now contain the path of the WAR file.
93
Note: The default location for the application files is c:\Program Files\Business objects\BusinessObjects Enterprise 11.5\java\applications\ 5. 6. 7. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 8. 9. Select the application server you created from the Clusters and Servers field. Select the module to apply it to, and click Apply. Note: You will receive a message when the process is complete. 1. 2. 3. 4. To install the applications in UNIX Go to the administrative console. Expand Applications and click Install New Application Select the Server Path button. Click Browse and then find the location of the war files. Note: The application files can be found in the location <INSTALLDIR>/bobje/enterprise115/java/applications, where INSTALLDIR is the directory where you installed BusinessObjects Enterprise. 5. 6. 7. 8. Click the button beside the file you want to deploy, and then click OK. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 9. Select the application server you created from the Clusters and Servers field.
10. Click Next, and click Finish.
10. Select the module to apply it to, and click Apply. 11. Click Next, and click Finish. Note: You will receive a message when the process is complete.
94
Mapping BusinesssObjects WAR files to the cluster

Follow the procedures below to map BusinessObjects WAR files to the cluster in WebSphere 5.1 or WebSphere 6.0: 1. 2. 3. To map BusinessObjects WAR files to the cluster in WebSphere 5.1 In the navigation menu, expand Applications and click on Enterprise Applications. Click on desktop_war from the list. Go to the Map modules page. a. b. 4. Scroll down to Additional Properties. Click on Map modules to application servers.
In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.
5. 6. 7.
Select your module from the Module section of the table. Click Apply, and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
1. 2. 3.
To map BusinessObjects WAR files to the cluster in WebSphere 6.0 In the navigation menu, expand Applications and click on Enterprise Applications. Click on desktop_war from the list. Go to the Map modules page. a. b. Scroll down to Additional Properties. Click on Map modules to servers.
4.
In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.
5. 6.
Select your module from the Module section of the table. Click Apply, and OK.
95
7.
Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.
Regenerating the web server plugin

When you make changes to an application server, you must regenerate the Web server plugin configuration file to ensure that the correct set of requests are forwarded to the WebSphere Application Server. Follow the procedures below to regenerate the web server plugin in WebSphere 5.1 or WebSphere 6.0: 1. To regenerate the web server plugin in WebSphere 5.1 Follow these steps to update the web server plugin: a. b. In the navigation menu, expand Environments and click on Update Web Server Plugin. Click OK.
Note: If the update is successful, a confirmation message will appear at the top of the page stating, The web server plugin configuration was updated successfully. 2. You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file. To regenerate the web server plugin in WebSphere 6.0 Follow these steps to update the web server plugin: a. b. 2. In the navigation menu, expand Servers and click on Web servers. Select your server from the list and click on Generate Plug-in.
1.
You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file.
96
Managing and Configuring Servers
chapter
Managing and Configuring Servers Server management overview
Server management overview

This section provides information on a range of server tasks that allow you to customize the behavior of BusinessObjects Enterprise. It also includes information on the server settings that you can alter to accommodate the needs of your organization. The default values for these settings have been chosen to maximize the reliability, predictability, and consistency of operation of a typical BusinessObjects Enterprise installation. The default settings guarantee the highest degree of data accuracy and timeliness. For example, by default, data sharing between reports is disabled. When running reports on demand, disabling data sharing means that every user can always assume that they will receive the latest data. If you prefer to place more emphasis on the efficiency, economy, and scalability of BusinessObjects Enterprise, you can tune server settings to set your own balance between system reliability and performance. For example, enabling data sharing between reports markedly increases system performance when user loads are heavy. To take advantage of this feature while ensuring that every user receives data that meets your criteria for timeliness, you can also specify how long data will be shared between users.
BusinessObjects Enterprise administrative tools

BusinessObjects Enterprise includes two key administrative tools that allow you to view and to modify a variety of server settings:
Central Management Console (CMC) The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.
Central Configuration Manager (CCM) The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network.
You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.
98
Managing and Configuring Servers Viewing and changing the status of servers
Related topics:
For an overview of the multi-tier architecture and the BusinessObjects Enterprise server components, see BusinessObjects Enterprise Architecture in the BusinessObjects Enterprise Administrators Guide. With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.
Viewing and changing the status of servers

The status of a server is its current state of operation: a server can be started, stopped, enabled, or disabled. To respond to BusinessObjects Enterprise requests, a server must be started and enabled. A server that is disabled is still running as a process; however, it is not accepting requests from the rest of BusinessObjects Enterprise. A server that is stopped is no longer running as a process. This section shows how to modify the status of servers by using the CMC and the CCM. It includes:
Starting, stopping, and restarting servers on page 99 Enabling and disabling servers on page 102 Stopping a Central Management Server on page 102 Printing, copying, and refreshing server status on page 104
Starting, stopping, and restarting servers

Starting, stopping, and restarting servers are common actions that you perform when you configure servers or take them offline for other reasons. For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes. The remainder of this section tells you when a certain configuration change requires that you first stop or restart the server. However, because these tasks appear frequently, the concepts and differences are explained first, and the general procedures are provided for reference.
99
Action Stopping a server
Description
You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings. If you have stopped a server to configure it, you need Starting a server to start it to effect your changes and to have the server resume processing requests. Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server. Tip: When you stop (or restart) a server, you terminate the servers process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress. For details, see Enabling and disabling servers on page 102. To start, stop, or restart servers with CMC Note: You cannot use CMC to stop the CMS. You must use the CCM instead. See Stopping a Central Management Server on page 102 for more information. 1. Go to the Servers management area of the CMC. A list of servers appears. The icon associated with each server identifies its status:
Running is indicated by a server with a green arrow. Stopped is indicated by a server with a red arrow. Disabled is indicated by a server with a red circle.
In this example, the Page Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.
100
2. 3.
Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Start, Stop, or Restart. You may be prompted for network credentials that allow you to start and stop services running on the remote machine.
4. 1. 2. 3.
Click Refresh to update the page. To start, stop, or restart a Windows server with the CCM Start the CCM. Select the server that you want to start, stop, or restart. On the toolbar, click the appropriate button.
Toolbar Action Icon Start the selected server. Stop the selected server. Restart the selected server. You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message. The CCM performs the action and refreshes the list of servers.
101
To start, stop, or restart a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.
Stopping a Central Management Server

If your BusinessObjects Enterprise installation has a single Central Management Server (CMS), shutting it down will make BusinessObjects Enterprise unavailable to your users and will interrupt the processing of reports and programs. Before stopping your CMS, you may wish to disable your processing servers so that they can finish any jobs in progress before BusinessObjects Enterprise shuts down. See Enabling and disabling servers on page 102 for more information. If you have a CMS cluster consisting of more than one active CMS, you can shut down a single CMS without losing data or affecting system functionality. The other CMS in the cluster will assume the workload of the stopped server. Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service. For more information on CMS clusters, see Clustering Central Management Servers on page 114.
Enabling and disabling servers

When you disable a BusinessObjects Enterprise server, you prevent it from receiving and responding to new BusinessObjects Enterprise requests, but you do not actually stop the server process. This is especially useful when you want to allow a server to finish processing all of its current requests before you stop it completely. For example, you may want to stop a Job Server before rebooting the machine it is running on. However, you want to allow the server to fulfill any outstanding report requests that are in its queue. First, you disable the Job Server so it cannot accept any additional requests. Next, go to the Central Management Console to monitor when the server completes the jobs it has in progress. (From the Servers management area, choose the server name and then the metrics tab). Then, once it has finished processing current requests, you can safely stop the server. Note: The CMS must be running in order for you to enable and/or disable other servers. 1. To enable and disable servers with CMC Go to the Servers management area of the CMC.
102
The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled.
2. 3. 1. 2. 3. 4.
Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Enable or Disable. To enable or disable a Windows server with the CCM Start the CCM. On the toolbar, click Enable/Disable. When prompted, log on to your CMS with the credentials that provide you with administrative privileges to BusinessObjects Enterprise. Click Connect. The Enable/Disable Servers dialog box appears.
This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.
103
5. 6.
To disable a server, clear the check box in the Server Name column. Click OK to effect your changes and return to the CCM.
To enable or disable a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.
Printing, copying, and refreshing server status

When using the CCM on Windows, you can print and copy the properties of a server, and refresh the list of servers. 1. 2. 3. 4. To print the status of a server Start the CCM. Select the server(s). Click Print. The Print dialog box appears. Click OK. A brief listing of the servers properties is printed, including the Display Name, Version, Command Line, Status, and other information. To copy the status of a server To save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else). 1. 2. 3. 4. Start the CCM. Select the server(s). Click Copy. Paste the information into a document for future reference. To refresh the list of servers To ensure you are looking at the latest information, click Refresh.
Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.
104
Managing and Configuring Servers Adding and deleting servers
Adding and deleting servers

This section shows how to add and delete servers from a machine that is already running BusinessObjects Enterprise components. It includes the following sections:
Adding a server on page 105 Deleting a server on page 107
Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide. Note: You can also add and delete servers from the Central Management Console. For more information, see the BusinessObjects Enterprise Administrators Guide.
Adding a server
These steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine. To add a Windows server Note: To complete this procedure, you must log on as an Administrator of the local machine. 1. 2. Start the CCM on the BusinessObjects Enterprise machine upon which you want to install a new server. On the toolbar, click Add Server. The Add Business Objects Server Wizard displays its Welcome dialog box. 3. Click Next.
105
The Server Type and Display Name Configuration dialog box appears
4. 5.
Click the Server Type list and select the kind of server you want to add. Change the default Display Name field if you want a different name to appear in the list of servers in the CCM. Note: The display name for each server on the local machine must be unique.
6.
Change the default Server Name field if required. Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC). Note: When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an Input. or Output. prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This Input. prefix is required by the system. If you subsequently modify the servers name through its command line, do not remove the prefix.
7.
Click Next. The Set Configuration for this server dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.
8.
Type the name of the CMS that you want the server to communicate with. If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#
9.
Click Next to accept any other default values, or modify them to suit your environment.
106
Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each servers command line. For details, see Changing the default server port numbers on page 147. 10. Confirm that the summary information is correct; then click Finish. The new server appears in the list, but it is neither started nor enabled automatically. 11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see Viewing and changing the status of servers on page 99. Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See the BusinessObjects Enterprise Auditors Guide for more information. To add a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.
Deleting a server
1. 2. 3. 4. To delete a Windows server Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from. Stop the server that you want to delete from the system. With the server selected, click Delete Server on the toolbar. When prompted for confirmation, click Yes.
To delete a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.
107
Managing and Configuring Servers Configuring the application tier
Configuring the application tier

This section includes technical information and procedures that show how you can modify settings for the application tier.
The majority of the settings discussed in this section allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see Working with Firewalls on page 157.
Configuring the Web Component Adapter

The WCA (Web Component Adapter) is a web application that provides support for the Central Management Console and CSP applications. It does not appear as a server in the Central Management Console or in the Central Configuration Manager. To configure the WCA, edit either of the following files, depending on whether you are running the system on a Java or .NET platform:
On a Java platform edit the web.xml file associated with the WCA. See Configuring the Java Web Component Adapter on page 109. On a .NET platform edit the web.config file associated with the WCA. See Configuring the .NET Web Component Adapter on page 113.
108
Configuring the Java Web Component Adapter

To configure the Java WCA you edit the web.xml file associated with the WCA:
Windows: C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications directory UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise115/java/applications directory
For example, the context parameter that controls whether a group tree will be generated looks like this:
<context-param> <param-name>viewrpt.groupTreeGenerate</param-name> <param-value>true</param-value> <desctiption>true or false value determining whether a group tree will be generated.</description> </context-param>
To change the value of a context parameter, edit the value between the <param-value> </param-value> tags. To configure web.xml Note: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml. 1. 2. 3. 4. Stop your application server. Extract the web.xml file from the webcompadapter.war archive. Edit the file by using a text editor such as Notepad or vi. Reinsert the file into the WEB-INF directory in webcompadapter.war. Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select Add to Zip File.... Adding the file in this way ensures that it is placed in the correct directory inside the archive. 5. Restart your application server. When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.
109
Context Parameter display-name cspApplication.defaultPage
Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.
cspApplication.dir
connection.cms
connection.listeningPort log.file
log.ext log.isRolling log.size
log.level log.entryPattern
Changing the default session timeout value for the Java CMC
The default session timeout value is 20 minutes in the CMC. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. Stop the Web application server on the machine where webcompadapter.war is deployed.
110
3.
Extract the web.xml file from the directory where webcompadapter.war is deployed by running the following command:
jar -xvf webcompadapter.war WEB-INF/web.xml
4.
Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>
5. 6. 7.
Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the webcompadapter.war with the modified web.xml file. Use the following command:
jar -uvf webcompadapter.war WEB-INF/web.xml
8.
Restart you web application server and redeploy webcompadapter.war.
Changing the default session timeout value for the Java InfoView
The default session timeout value is 20 minutes in the InfoView. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value for InfoView Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. 3. Stop the Web application server on the machine where desktop.war is deployed. Extract the web.xml file from the directory where desktop.war is deployed or edit the deployed web.xml file.
To extract web.xml, issue the following command.

jar -xvf desktop.war WEB-INF/web.xml
Note: Instead of extracting the web.xml from the specified location, you can edit web.xml from the deployed location. If you installed Tomcat with your installation, you can find this file in this location:
C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\ desktoplaunch\WEB-INF
111
4.
Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>
5. 6. 7.
Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the desktop.war with the modified web.xml file. Use the following command:
jar -uvf desktop.war WEB-INF/web.xml
Note: This step is not required if you did not extract the web.xml file. 8. Restart you web application server and redeploy desktop.war. Note: You dont need to redeploy desktop.war if you edited the web.xml file from the deployed location; restarting your web application server will suffice.
Changing the connect port used by Tomcat

During the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat. 1. 2. To change the Tomcat connect port Stop Tomcat server by selecting the server name and clicking on the stop button. Open the server.xml file for Tomcat in a text editor. On Windows, this file can normally be found in the following directory: C:\Program Files\Business Objects\Tomcat\conf 3. Locate the following string:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />
4. 5.
Change port 8080 to an available port number. Save and close the file.
112
Configuring the .NET Web Component Adapter

To configure the .NET WCA you edit the web.config file associated with the WCA. This file is located in the following directory:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\application
To configure web.config Note: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. 2. 3. Stop your application server. Edit the web.config file by using a text editor such as Notepad. Restart your application server. Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.
Parameter display-name cspApplication.defaultPage
connection.cms
connection.listeningPort log.file
log.ext log.isRolling log.size
log.level log.entryPattern
113
Managing and Configuring Servers Configuring the intelligence tier
Configuring the intelligence tier

This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the intelligence tier.
The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the intelligence tier includes the following tasks:
Clustering Central Management Servers on page 114 Copying data from one CMS database to another on page 122 Deleting and recreating the CMS database on page 127 Selecting a new or existing CMS database on page 128 Setting root directories and idle times of the File Repository Servers on page 130 Modifying performance settings for Cache Servers and Event Servers on page 131
Clustering Central Management Servers

If you have a large or mission-critical implementation of BusinessObjects Enterprise, you will probably want to run several CMS machines together in a CMS cluster. A CMS cluster consists of two or more CMS servers working together to maintain the system database. If a machine that is running one CMS fails, a machine with another CMS will continue to service BusinessObjects Enterprise requests. This failover support helps to ensure that BusinessObjects Enterprise users can still access information when there is an equipment failure. This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS
114
database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:
For best performance, the database server that you choose to host the system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected. For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU. Configure each machine similarly:
Install the same operating system, including the same version of operating system service packs and patches. Install the same version of BusinessObjects Enterprise (including patches, if applicable). Ensure that each CMS connects to the CMS database in the same manner: whether you use native or ODBC drivers. Make sure that the drivers are the same on each machine, and are a supported version. Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version. Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database. Run each CMS service/daemon under the same account. (On Windows, the default is the LocalSystem account.) Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).
Ensure that each and every CMS in a cluster is on the same Local Area Network.
115
If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs.
Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see Restart your application server. on page 119.
Adding a new CMS cluster member

There are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS:
Installing a new CMS and adding it to a cluster on page 116 See this section if you have not already installed the new CMS on its own machine. Adding an installed CMS to a cluster on page 117 Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.
Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.
Installing a new CMS and adding it to a cluster

When you install a new CMS, you can quickly cluster it with your existing CMS. Run the BusinessObjects Enterprise installation and setup program on the machine where you want to install the new CMS cluster member. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. In this case, specify the name of the CMS that is running your existing system, and choose to install a new CMS on the local machine. Then provide the
116
Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster. For complete requirements for CMS added to a cluster, see Clustering Central Management Servers on page 114. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.
Adding an installed CMS to a cluster

In these steps, the independent CMS refers to the one that you want to add to a cluster. You will add the independent CMS to your production CMS cluster. By adding an independent CMS to a cluster, you disconnect the independent CMS from its own database and instruct it to share the system database that belongs to your production CMS. Before starting this procedure, ensure that you have a database user account with Create, Delete, and Update rights to the database storing the BusinessObjects Enterprise tables. Ensure also that you can connect to the database from the machine that is running the independent CMS (through your database client software or through ODBC, according to your configuration). Also ensure that the CMS you are adding to the cluster meets the requirements outlined in Clustering Central Management Servers on page 114. Note: Back up your current CMS database before beginning this procedure. If necessary, contact your database administrator. 1. 2. To add an installed CMS to a cluster on Windows Use the CCM to stop the independent Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar.
117
The CMS Database Setup dialog box appears.
3. 4.
Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the production CMS database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:
5. 6.
If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.
The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server.
To add an installed CMS to a cluster on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.
118
Adding clustered CMSs to the web.xml file

If you have added additional CMSs, and you are using a Java application server, you will need to modify the web.xml file with your changes. 1. To modify the web.xml to define CMS clusters Open the web.xml from the following location:
C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\ desktoplaunch\WEB-INF
2.
Locate the following section in the file:

 <context-param> <param-name>proxy.contextpaths</param-name>
Note: This string appears more than once in the file. The first occurrence of this is an example and is in a comment. Ensure the string you edit is not commented out.
Enter the context path for your reverse proxy in the <param-value> for <param-name>proxy.contextpaths.
If you have multiple reverse proxy paths, separate each path with a comma.
<context-param> <param-name>proxy.contextpaths</param-name> <param-value>/Path1,/Path2,/Path3</param-value> </context-param>
3. 4.
Save and close the file. Restart your application server.
Enabling reverse proxies for BusinessObjects Web Services

This section describes the required procedures to enable reverse proxies for BusinessObjects Web Services.
Enabling reverse proxies on Tomcat

Note: The following information only applies if you are using Tomcat.
203
1. 2.
To enable reverse proxies Stop Tomcat. Open the server.xml for Tomcat. On Windows, server.xml is located at <CATALINA_HOME>\conf On UNIX server.xml is located at <CATALINA_HOME>/conf Note:
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows and you did not modify the default installation location, replace <CATALINA_HOME> with C:\Program Files\Business Objects\Tomcat If you are using the version of Tomcat installed with BusinessObjects Enterprise on UNIX and you did not modify the default installation location, replace <CATALINA_HOME> with <INSTALLDIR>/bobje/ tomcat
  <!-<Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" debug="0" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" /> -->
3.
Locate this string in the server.xml file:
4. 5. 6.
Uncomment the Connector element by removing . Modify the value of proxyPort to be the reverse proxy server listen port. Add a new proxyName attribute to the Connectors attribute list. The value of the proxyName must be the proxy server name which should be resolvable to the correct IP address by Tomcat. Here is a sample:
  <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
204
acceptCount="100" debug="0" connectionTimeout="20000" proxyName="my_reverse_proxy_server.domain.com" proxyPort="ReverseProxyServerPort" disableUploadTimeout="true" />
Where my_reverse_proxy_server.domain.com and ReverseProxyServerPort should be substituted by the correct reverse proxy server name and its listen port. 7. 8. 9. Save and close the server.xml file. Restart Tomcat. Ensure the reverse proxy server maps its virtual path to the correct Tomcat connector port. In the above example, the port is 8082. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on Tomcat:
ProxyPass /dswsbobje http://internalServer:8082/ dswsbobje ProxyPassReverse /dswsbobje http://internalServer:8082/ dswsbobje
Enabling reverse proxy on web application servers other than Tomcat

Note: The following procedure requires that BusinessObjects Enterprise web applications are successfully configured against your chosen web application server. 1. 2. To enable reverse proxies Stop the web application server. Specify the external URL of the Web Services in the dsws.properties file. This file is located in dswsbobje web application. For example if your external is URL is http://my_reverse_proxy_server.domain.com/ dswsbobje/, update the following properties in the dsws.properties file:
wsresource1=ReportEngine|reportengine web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ reportengine wsresource2=BICatalog|bicatalog web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ bicatatog wsresource3=Publish|publish web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/publish
205

3. 4. 5.
wsresource4=QueryService|query web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ queryservice wsresource5=BIPlatform|BIPlatform web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ biplatform wsresource6=LiveOffice|Live Office web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/servicesliveoffice
Save and close the dsws.properties file. Restart the web application server. Ensure the reverse proxy server maps its virtual path to the correct web application server connector port. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on the web application server of your choice:
ProxyPass /dswsbobje http://internalServer:<listen port>/dswsbobje ProxyPassReverse /dswsbobje http:// internalServer:<listen port>/dswsbobje
Where <listen port> is the listen port of your web application server.
Enabling reverse proxies for BusinessObjects Live Office

Note: This section assumes reverse proxies for BusinessObjects Java InfoView and BusinessObjects Web Services have been successfully enabled. To enable BusinessObjects Live Offices View Object in Web Browser feature for reverse proxies, adjust the default viewer URL. This can be done in the Central Management Console (CMC) or through Live Office options. 1. 2. 3. To adjust the default viewer URL using the CMC Log on to the CMC. Navigate to the Objects page and click Object Settings. In the URL field, set the correct default viewer URL and click Set URL. Here is a sample default viewer URL: http://ReverseProxyServer:ReverseProxyServerPort/ ProxiedInfoView/opendoc/ openDocument.jsp?sIDType=CUID&iDocID=%SI_CUID%
206
Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. To adjust the default view URL using Live Office options 1. 2. On the LiveOffice menu click Options and then click the Enterprise tab. Select Specify the URL to view the report in repository: and type the correct URL in the adjacent field. For example: http://ReverseProxyServer:ReverseProxyServerPort/ProxiedInfoView/ opendoc/openDocument.jsp. Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. 3. Click OK.
Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server
Prerequisites
Ensure that you have read and implemented the steps for Enabling reverse proxies for Java applications servers on page 202.
Deployment instructions
In a regular deployment you create a service account and an SPN that maps to that service account for use with the application server machine. For details on this, refer to Configuring Kerberos and single sign-on to the database for Java application servers on page 311. In a deployment where the reverse proxy server sits between the client and the application sever, you must make the following change:
Follow the instructions for Configuring Kerberos and single sign-on for Java InfoView on page 312 with modifications for step 2, setting an SPN for your web application server and step 4, creating and placing a keytab file. In these steps, the service account and the SPN need to be for the reverse proxy server rather than the application server.
In both steps, when executing the ktpass command, the <host> should be the fully qualified domain name of the reverse proxy server.
207
Modifying default security behavior Disabling persistent cookies for InfoView
Disabling persistent cookies for InfoView

You may notice that whenever you go to the InfoView logon page, any time after you first successful log in, these three items are populated:
Your CMS name and port number. Your User name. Your authentication method.
This behavior is made possible through the use of persistent cookies. Persistent cookies are text small files that are stored on your hard drive in the Cookies folder, under your profile name folder, and in the Temporary Internet Folder in your Windows directory. Although these cookies do not store your password, some companies have stringent security requirements which prohibit this behavior. The use of persistent cookies on the InfoView logon screen is the default, however, if you want you can disable this behavior in either the .NET or the Java InfoView client. 1. To disable persistent cookies for .NET InfoView Open the Web.config file for InfoView, from its deployed location:
2. 3. 4. 5. 1.

<add key="persistentCookiesEnabled" value="true"/>
Change the value for persistentCookiesEnabled from true to false. Save and close the file. Restart IIS. To disable persistent cookies for Java InfoView Open the web.xml file for InfoView, from its deployed location on your web application server.
Note:
208
If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
2. 3. 4. 5.
Locate this string in the file:

<param-name>persistentcookies.enabled</param-name>
Change the <param-value> for persistentcookies.enabled from true to false. Save and close the file. Restart your application server.
209
210
Using NT Authentication
chapter
Using NT Authentication Using NT user accounts and groups
Using NT user accounts and groups

BusinessObjects Enterprise supports NT authentication with the Windows NT security plug-in, which is included by default when the product is installed on Windows. Support for NT authentication means that users or groups created with NT, Windows 2000 and Windows 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you to map previously created NT user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise.
Windows NT security plug-in

The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session. This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see Managing NT accounts on page 248. For information on the Windows AD security plug-in, see Windows AD security plug-in on page 246. Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD. Note: The Windows NT security plug-in cannot authenticate users under the following conditions:
If the BusinessObjects Enterprise server components are running on UNIX If your system uses the BusinessObjects Enterprise Java SDK.
212
Using NT Authentication Windows NT security plug-in
Business Objects NT Users Group

If you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. As a result, you can log on to BusinessObjects Enterprise with your usual NT user credentials.
NT single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:
To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows NT security plug-in queries the operating system for the current users credentials when the client is launched.
To obtain NT single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the users credentials to BusinessObjects Enterprise. Note:
Although single sign-on is supported for InfoView, you will still see the logon screen for the CMC. When you see the CMC logon screen, leave the userid and password fields blank, select Windows NT from the authentication type drop down, and then click logon. IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation. For details on configuring IIS for single sign-on, see Setting up NT single sign-on on page 259. For information on NT single sign-on, see Setting up NT single sign-on on page 259.
213
Using NT Authentication NT user account and group administration
NT and single sign-on support

BusinessObjects Enterprise also supports single sign-on support for InfoView and the CMC with NT authentication under the following conditions:
When IIS is the web server When Internet Explorer is used as the web browser
This support means that your authenticated NT users can log on to BusinessObjects Enterprise without explicitly entering their credentials. The first two sections, Windows NT security plug-in on page 212 and Mapping NT user accounts and groups on page 215 provide overview information about how NT authentication works with BusinessObjects Enterprise. The remaining sections provide the procedural details related to using NT user accounts and groups and NT single sign-on for InfoView.
Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217 Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225 NT authentication only works for servers running on Windows systems. If you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default. NT accounts refer to Windows NT, 2000, or 2003 accounts.
Note:
NT user account and group administration

Setting up and maintaining NT authentication involves these tasks:
Mapping NT user accounts and groups
Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217
Setting up NT single sign-on on page 223
214
Using NT Authentication Mapping NT user accounts and groups
Unmapping NT groups on page 220 Viewing mapped NT users and groups on page 221
Mapping NT user accounts and groups

To simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. You can map NT accounts to BusinessObjects Enterprise three ways:
Through the User Manager in NT. Through Computer Management in Windows 2000 or 2003. Through the CMC.
Note: NT accounts refer to Windows NT, 2000 and 2003 accounts.
Mapping NT user accounts and groups from Windows NT

To simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. 1. To map NT users to BusinessObjects Enterprise from Windows NT From the Windows NT Administrative Tools program group, click User Manager. Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group. This group is created automatically when you install BusinessObjects Enterprise on Windows. 2. 3. 4. 5. 6. Select the BusinessObjects NT Users group. From the User menu, click Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s).
215
7.
Click OK to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
Mapping NT user account or groups from Windows 2000 or 2003

To simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map NT users to BusinessObjects Enterprise from Windows 2000 or 2003 1. From the Windows Administrative Tools program group, click Computer Management. 2. 3. 4. 5. 6. 7. 8. Under System Tools, select Local Users and Groups. Click the Groups folder. Select the BusinessObjects NT Users and from the Action menu, select Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s). Click OK or Apply (and then Close) to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.
216
Mapping NT groups from the CMC

To simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Note:
When you map a NT group to BusinessObjects Enterprise, all the users from the group are mapped. If you want to exclude specific users from having access to BusinessObjects Enterprise, you can change the specific users access after the group has been mapped. Before starting this procedure, ensure you have the NT domain and group information. To map NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC.
1.
217
2.
Click the Windows NT tab.
3. 4.
Ensure that the NT Authentication is enabled check box is selected. If you will be using single sign-on, select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up NT single sign-on on page 223. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.
5.
To change the Default NT domain, click the domain name. Complete the Default NT Domain field, and then click Update. Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you dont have to specify the NT domain name when you map groups.
218
6.
In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field. Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.
7. 8.
Click Add. The group is added to the list. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added NT alias to an account with the same name. Create a new account for every added NT alias.
Note: For more information on these options, see Alias options on page 196. 9. Select when new users and aliases are created. You have these choices:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on these options, see Update options on page 197.
10. Select what type of users are created. You have these choices:
New users are created as named users. New users are created as concurrent users. Note: For more information on what these options do, see User type options on page 196.
11. Click Finish. A message appears stating that it will take several seconds to update the member groups. 12. Click OK.
219
Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap NT users and groups using Windows NT From the Administrative Tools program group, click User Manager. Select BusinessObjects NT Users. From the User menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases, see Security Concepts on page 179. 1. 2. 3. 4. 5. 6. 7. To unmap NT users and groups using Windows 2000 or 2003 From the Administrative Tools program group, click Computer Management. Under System Tools, select Local Users and Groups. Click the Groups folder. Select BusinessObjects NT Users. From the Action menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK or Apply (and then Close) to complete the process. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179. 1. 2. 3. 4. To unmap NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the Windows NT tab. In the Mapped NT Member Groups area, select the NT group you would like to remove. Click Delete.
220
5.
Click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny NT Authentication for all groups, clear the NT Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179.
Viewing mapped NT users and groups

There are two methods to view mapped users and groups in BusinessObjects Enterprise. The method you use depends on the way the groups and users have been mapped. To view users and groups that have been added using Windows NT/ 2000, 2003 or BusinessObjects Enterprise 1. Go to the Groups management area of the CMC. 2. If you added users and groups through Windows NT/2000, then click BusinessObjects NT Users. If you added users and groups through the CMC, then select the appropriate group. 3. 4. 5. 6. Click the Users tab. Click OK to the message which states that accessing the user list may take several seconds. Click Refresh. Click OK.
To view users and groups that have been added using BusinessObjects Enterprise 1. Go to the Authentication management area of the CMC. 2. Click the Windows NT tab. The Mapped NT Member Groups area displays the groups that have been mapped to BusinessObjects Enterprise. Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.
221
Adding an NT account to a mapped NT group

When you have added a new account in NT, and the NT group to which the account belongs to is already mapped to BusinessObjects Enterprise, there are three ways you can get the new NT account into BusinessObjects Enterprise. Choose the method that works best for your situation:
When the new NT user logs on to BusinessObjects Enterprise and selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesnt require any extra steps, but the user wont be added until he or she logs on to BusinessObjects Enterprise. You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. For more information on aliases, see Security Concepts on page 179. You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see Mapping NT user accounts and groups on page 215. However, if the NT group contains many users who dont require access to BusinessObjects Enterprise, you may want to add the user individually instead.
Creating a new NT group account
If you create a new NT group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Mapping NT user accounts and groups on page 215. If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see Viewing mapped NT users and groups on page 221.
Disabling an NT user account

If you disable an NT user account (using Windows Administrative Tools), the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.
222
Setting up NT single sign-on

You can configure BusinessObjects Enterprise to allow users to use various BusinessObjects Enterprise applications without being prompted to log on. Users need only to enter their NT user name and password information once at the beginning of the NT session. For instance, if you have set up NT single sign-on, when you launch the CMC, NT authentication occurs in the background. You are not required to enter any additional information. Note: This feature is available if you are using a Microsoft Internet Information Server (IIS) and the users are using Internet Explorer as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements. BusinessObjects Enterprise provides its own form of anonymous single signon, which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. When a user launches InfoView, he or she can log on using the Guest account (Enterprise authentication). You can disable this featurefor more information, on this and other routine administrative tasks, see the BusinessObjects Enterprise Administrators Guide. However, even when you disable the Guest account, BusinessObjects Enterprise is designed to display a logon page. With single sign-on enabled, the user can select Windows NT from the Authentication list and click Log On without entering his or her user name or password. In the developer documentation, refer to the tutorial for an example on creating a web application that uses single sign-on. Setting up NT single sign-on to BusinessObjects Enterprise includes these tasks:
Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225
Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on Kerberos, see these sections: Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using AD with NTLM or SiteMinder on page 245
223
Modifying IIS security settings for NT single sign-on

1. 2. 3. 4. 5. 6. 7. 8. 9. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Click on the web site that runs InfoView, and then select Properties. Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Deselect the Anonymous access and Basic authentication check boxes. Ensure that the Integrated Windows authentication check box is selected. Click OK.
10. Click OK. 11. Proceed to Modifying the web.config file for NT single sign-on on page 225. 12. Restart your IIS server. Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.
Enabling InfoView NT single sign-on from the CMC

1. 2. 3. To enable the Windows NT plug-in for single sign-on from the CMC Go to the Authentication management area of the CMC. Click the Windows NT tab. Select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Modifying IIS security settings for NT single sign-on on page 224. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because when users access one of the web applications they would automatically have the same access privileges as the IIS machine account. 4. Click Update.
224
Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.
Modifying the web.config file for NT single sign-on

Modify either of the following web.conf files based on what you want to configure for single sign-on. To configure both CMC and InfoView for single sign-on, configure the web.config file in the Web Content directory; To configure only InfoView for single sign-on, configure the web.config file in the InfoView directory. 1. To modify the web.config file for NT single sign-on Open the appropriate Web.config file from this location:
2. 3. 4. 5. 6. 7. 8. 9.
Locate the following line in the <system.web> block:

<Authentication mode="None" />
Replace None with Windows.

<Authentication mode="Windows" />
Add the following line:

<identity impersonate="true" />
Find the following string:

<add key="cmsDefault" value="" />
Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />
Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secEnterprise" />
10. Ensure the value for authenticationDefault is set to secWindowsNT. 11. Save and close the file. 12. Restart IIS.
225
226
Using LDAP authentication
chapter
10
Using LDAP authentication Managing LDAP accounts
Managing LDAP accounts

To use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up. For more information about LDAP, refer to your LDAP documentation. For more information on the LDAP security plugin, see LDAP security plug-in on page 228. Note: When you install BusinessObjects Enterprise, the LDAP authentication plug-in is installed automatically, but not enabled by default. This section describes tasks related to configuring LDAP on BusinessObjects Enterprise. In particular, it includes information on:
Configuring LDAP authentication on page 230 Mapping LDAP groups on page 238 Unmapping LDAP groups on page 241 Viewing mapped LDAP users and groups on page 242 Changing LDAP connection parameters and member groups on page 242 Managing multiple LDAP hosts on page 243 Troubleshooting LDAP accounts on page 243
LDAP security plug-in

The LDAP security plug-in (secLDAP.dll) allows you to map user accounts and groups from your LDAP directory server to BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify LDAP Authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BusinessObjects Enterprise session. User lists and group memberships are dynamically maintained by BusinessObjects Enterprise. You can specify that BusinessObjects Enterprise use a Secure Sockets Layer (SSL) connection to communicate to the LDAP directory server for additional security. LDAP authentication for BusinessObjects Enterprise is similar to NT and AD authentication in that you can map groups and set up authentication, authorization, and alias creation. Also as with NT or AD authentication, you can create new Enterprise accounts for existing LDAP users, and can assign LDAP aliases to existing users if the user names match the Enterprise user names. In addition, you can do the following:
Map users and groups from the LDAP directory service. Map LDAP against AD.
228
10
Note:
If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure either single sign-on or single sign-on to the database. These are the restrictions if you configure LDAP against AD.
Users who are only members of a default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a group is the domain users group. If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully. Users from universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.
Specify multiple host names and their ports. Configure LDAP with SiteMinder.
For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see Managing LDAP accounts on page 218. Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.
More about LDAP

Lightweight Directory Access Protocol (LDAP), a common, applicationindependent directory, enables users to share information among various applications. Based on an open standard, LDAP provides a means for accessing and updating information in a directory. LDAP is based on the X.500 standard, which uses a directory access protocol (DAP) to communicate between a directory client and a directory server. LDAP is an alternative to DAP because it uses fewer resources and simplifies and omits some X.500 operations and features. The directory structure within LDAP has entries arranged in a specific schema. Each entry is identified by its corresponding distinguished name (DN) or common name (CN). Other common attributes include the organizational unit name (OU), and the organization name (O). For example, a member group may be located in a directory tree as follows: cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research. Refer to your LDAP documentation for more information.
229
10
Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication). If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users credentials. Before deploying LDAP authentication in conjunction with BusinessObjects Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http:// www.faqs.org/rfcs/rfc2251.html
Configuring LDAP authentication

To simplify administration, BusinessObjects Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to BusinessObjects Enterprise, you need to map their LDAP account to BusinessObjects Enterprise. When you map an LDAP account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation. Configuring LDAP authentication includes the following steps:
Configuring the LDAP host on page 231. Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233. Configuring the LDAP plug-in for SiteMinder on page 236.
230
10
Note: If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure single sign-on or single sign-on to the database.
Configuring the LDAP host

1. 2. To configure the LDAP host Go to the Authentication management area of the CMC, and then click on the LDAP tab. Enter the name and port number of your LDAP hosts in the Add LDAP host (hostname:port) field (for example, myserver:123), click Add, and then click OK. Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to Managing multiple LDAP hosts on page 243. 3. Select your server type from the LDAP Server Type list. Note: If you are Mapping LDAP to AD, select Custom for your server type. 4. If you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes, click Show Attribute Mappings. By default, each supported server types server attribute mappings and search attributes are already set. 5. 6. Click Next. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase) for your LDAP server, and then click Next. In the LDAP Server Administration Credentials area, type the distinguished name and password for a user account that is authorized to administer your LDAP server. Note: If your LDAP Server allows anonymous binding, leave this area blankBusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon. 8. If you have configured referrals on your LDAP host, enter the authentication information in the LDAP Referral Credentials area, and then enter the number of referral hops in the Maximum Referral Hops field. Note:
7.
231
10
The LDAP Referral Credentials area must be configured if all of the following apply:
The primary host has been configured to refer to another directory server that handles queries for entries under a specified base. The host being referred to has been configured to not allow anonymous binding. A group from the host being referred to will be mapped to BusinessObjects Enterprise.
Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password. If Maximum Referral Hops is set to zero, no referrals will be followed.
9.
Click Next.
10. Choose the type of Secure Sockets Layer (SSL) authentication used, and then click Next. These are your SSL authentication choices:
Basic (no SSL) Server Authentication Mutual Authentication Note: See Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233 for further information.
11. Choose a method of LDAP single sign-on authentication from these choices:
Basic (No SSO) SiteMinder Note: If you select SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236.
232
10
12. Select how aliases are mapped to Enterprise accounts. You have these choices:
Assign each added NT alias to an account with the same name Create a new account for every added NT alias
Note: For more information on what these options do, see Alias options on page 196. 13. Select when aliases and users are created. You have these choices:
New aliases will be added and new users will be created No new aliases will be added and new users will not be created Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on what these options do, see Update options on page 197.
14. Select how new users are created. You have these choices:
Note: For more information on what these options do, see User type options on page 196. 15. Click Finish.
Configuring LDAP Server or Mutual Authentication and the SSL settings

This section describes the CMC related information for configuring SSL with LDAP Server and Mutual Authentication. It assumes that you have completed the first 10 applicable steps in Configuring the LDAP host on page 231, and that you selected either of these for your SSL authentication choice:
Server Authentication Mutual Authentication
You can do this configuration after you complete all the steps in Configuring the LDAP host on page 231. For additional information or for information on configuring the LDAP host server, refer to http:// www.techsupport.businessobjects.com/ or your LDAP vendor documentation.
233
10
1.
To configure LDAP Server or Mutual Authentication Choose what level of SSL security you want to use from the available options: Note:
Java applications will ignore the first and last setting and will accept the server certificate only if it comes from a trusted Certificate Authority. Always accept server certificate This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.
Accept server certificate if it comes from a trusted Certificate Authority This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.
Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the Add LDAP host field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work. The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.
234
10
2.
In the SSL host box, type the host name of each machine, and then click Add.
Note: You must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.) 3. Specify the SSL settings for each SSL host that has been added to the list, and specify the default settings that will be used for each host that is not on the list. Note: The default settings will be used for any setting (for any host) where you leave the Use default value box checked or for any machine whose name you do not explicitly add to the list of SSL hosts.
To specify the default settings: a. c. Select default from the SSL list. Type your values for the Path to the certificate and key database files and the Password for the key database. b. Clear the Use default value boxes.
d. If youre specifying settings for Mutual authentication, you can also enter a value in the Nickname for the client certificate in the cert7.db field.
4.
To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.
Click Next.
235
10
5.
Choose a method of LDAP single sign-on authentication from these choices:
Basic (No SSO) SiteMinder
Note: For further details on configuring SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236. 6. 7. Choose how new LDAP users and aliases are created. Click Finish.
LDAP and SiteMinder Workflow

To use SiteMinder and LDAP with BusinessObjects Enterprise you need to make configuration changes in two places:
In the LDAP plug-in the CMC. In the web.xml file for your web application server.
Configuring the LDAP plug-in for SiteMinder

This section explains how to configure the CMC to use LDAP with SiteMinder. SiteMinder is a third-party user access and authentication tool that you can use with the LDAP security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed Configuring the LDAP host on page 231 and chosen SiteMinder for your method of LDAP single sign-on authentication. Note:
Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation. To configure LDAP for single sign-on with SiteMinder On the Please configure your SiteMinder settings screen, in the Policy Server Host box, type the name of each Policy Server, and then click Add. Note: This screen is visible after you select SiteMinder on the Please choose a method of LDAP single sign-on authentication screen.
1.
2.
For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers.
236
10
3.
Enter the name of the Agent Name and the Shared Secret. Enter the shared secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
4. 5.
Click Next. Proceed with configuring the LDAP options.
Modifying web.xml for LDAP and SiteMinder

1. To enable LDAP and SiteMinder Open the web.xml file for InfoView on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. 6. 7. 8. 9. Locate the following string in the file:
<param-name>cms.default</param-name>
Enter the CMS name and port in the cms.default<param-value> field. Use the format servername:portnumber. Locate the following string in the file:
<param-name>authentication.default</param-name>
Set the <param-value> for the authentication.default to secLDAP.

<param-value>secEnterprise</param-value>
Locate the following string in the file:

<param-name>sso.enabled</param-name>
Change the <param-value> for sso.enabled from false to true.

<param-value>true</param-value>
Locate the following string in the file:

<param-name>siteminder.enabled</param-name>
Change the <param-value> for siteminder.enabled from false to true.

237
10
10. Locate the following string in the file:

<param-name>siteminder.authentication</param-name>
11. Set the <param-value> for siteminder.authentication to secLDAP.

<param-value>secLDAP</param-value>
12. Save and close the file. 13. Restart your web application server.
Troubleshooting SiteMinder single sign-on

If you are using SiteMinder with IIS, you may receive an error message in the Central Management Console regarding the failure of single sign-on. If you encounter this message, you may need to manually create two registry keys for SiteMinder: 1. Create the following key, set its type to REG_DWORD, and set its value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\EnableSiteMinderSingl eSignOn
2.
Create a second key, set its type to REG_SZ, and set its value to the authentication type that you want to use for Siteminder single sign-on (secLDAP or secWinAD):
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\SiteMinderAuthenticat ion
Ensure that the Siteminder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using.
Mapping LDAP groups

Once you have configured LDAP authentication using the LDAP configuration wizard, you can map LDAP groups to Enterprise groups. See Configuring LDAP authentication on page 230. Note: If you have configured LDAP against AD, this procedure will map your AD groups. 1. 2. To map LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab.
238
10
If LDAP authorization is configured, the LDAP summary page appears.
3.
In the Mapped LDAP Member Groups area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add. You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.
239
10
4.
New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:
Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. or
Create a new account for every added LDAP alias Use this option when you want to create a new account for each user.
5.
Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:
New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added LDAP alias option. or
No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.
6.
New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:
New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system
240
10
regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or
New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.
7.
Click Update.
Unmapping LDAP groups

Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise. 1. 2. 3. 4. To unmap LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP summary page will appear. In the Mapped LDAP Member Groups area, select the LDAP group you would like to remove. Click Delete, and then click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny LDAP Authentication for all groups, clear the LDAP Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the users Enterprise account.
241
10
Viewing mapped LDAP users and groups

You can view your LDAP mapped groups in BusinessObjects Enterprise by clicking the LDAP tab (located in the Authentication management area). If LDAP authorization is configured, the Mapped LDAP Member Groups area displays the LDAP groups that have been mapped to BusinessObjects Enterprise.
Changing LDAP connection parameters and member groups

After you have configured LDAP authentication using the LDAP configuration wizard, you can change LDAP connection parameters and member groups using the LDAP Server Configuration Summary Page. For information on configuring LDAP authentication using the LDAP configuration wizard, see Configuring LDAP authentication on page 230. 1. 2. To change connection settings Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area. 3. 4. 5. 6. 7. 8. 9. Delete currently mapped groups that will no longer be accessible under the new connection settings. Click Update. Change your connection settings. Click Update. Change your Alias and New User options. Click Update. Map your new LDAP member groups.
10. Click Update.
242
10
Managing multiple LDAP hosts

Using LDAP and BusinessObjects Enterprise, you can add fault tolerance to your system by adding multiple LDAP hosts. BusinessObjects Enterprise uses the first host that you add as the primary LDAP host. Subsequent hosts are treated as failover hosts. The primary LDAP host and all failover hosts must be configured in exactly the same way, and each LDAP host must refer to all additional hosts from which you wish to map groups. For more information about LDAP hosts and referrals, see your LDAP documentation. To add multiple LDAP Hosts, enter all hosts when you configure LDAP using the LDAP configuration wizard (see Configuring LDAP authentication on page 230 for details.) Or if you have already configured LDAP, go to the Authentication management area of the Central Management Console and click the LDAP tab. In the LDAP Server Configuration Summary area, click the name of the LDAP host to open the page that enables you to add or delete hosts. Note:
Make sure that you add the primary host first, followed by the remaining failover hosts. If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.) For more information, see Configuring LDAP authentication on page 230.
Troubleshooting LDAP accounts

Creating a new LDAP user account
If you create a new LDAP user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see Configuring LDAP authentication on page 230. If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see Viewing mapped LDAP users and groups on page 242.
243
10
244
33
Using AD with NTLM or SiteMinder
chapter
11
Using AD with NTLM or SiteMinder Using AD users and groups
Using AD users and groups

BusinessObjects Enterprise supports Active Directory (AD) authentication with the Windows security plug-in, which is included by default when the product is installed on Windows. Support for AD authentication means that users and groups created in Microsoft Active Directory 2000 or 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you, the administrator, to map previously created user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise. Note:
The AD authentication described in this section only works for servers running on Windows systems. If you want to use AD authentication on Unix, you must configure LDAP against AD. For procedural details, see Configuring LDAP authentication on page 230. AD authentication with aggregation is not functional without a network connection. AD authentication with aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).
The section Windows AD security plug-in on page 246 provides overview information about how Active Directory authentication works with BusinessObjects Enterprise. The section that follows, AD and NTLM and SiteMinder workflows on page 248 provides a summary of the workflows for using AD with NTLM authentication and for using AD with SiteMinder. The remaining sections provide the procedural details related to the following:
Configuring AD with NTLM Configuring AD, NTLM and single sign-on Configuring AD with SiteMinder.
Note: Using AD authentication with Kerberos is not covered in this section. For information on Kerberos, see these sections:
Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289
Windows AD security plug-in

Windows AD security plug-in enables you to map user accounts and groups from your Microsoft Active Directory (AD) 2000 or 2003 user database to BusinessObjects Enterprise. It also enables BusinessObjects Enterprise to
246
11
verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see Managing AD accounts on page 236. The AD security plug-in also enables you to use these authentication methods:
NTLM Kerberos
Note: For information on using Kerberos, see Using AD and Kerberos with IIS on page 265 and Using AD and Kerberos with Java application servers on page 289. The AD security plug-in is compatible with both Microsoft Active Directory 2000 and 2003 domains running in either native mode or mixed mode. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on the collaterals disk of your product distribution. This information can also found from the Start menu:
Start > Programs > BusinessObjects XI Release 2 > BusinessObjects Enterprise > BusinessObjects Enterprise Developer Documentation
AD authentication only works for servers running on Windows systems. The Windows AD plug-in for BusinessObjects Enterprise supports multiple domains within the same forest but not multiple forests. All of the following must come from domains in the same forest:
Your CMS machine Your AD Administration credentials All groups and users you are mapping
AD authentication and aggregation is not functional without a network connection. AD authentication and aggregation may not continue to function if the administration credentials become invalid. For example, if the administrator changes his or her password or if the account becomes disabled.
247
11
Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group.
To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK). In this scenario, the Windows AD security plug-in queries the operating system for the current users credentials when the client is launched.
To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).
BusinessObjects Enterprise provides its own form of anonymous single signon, which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see Setting up AD single sign-on on page 246.
AD and NTLM and SiteMinder workflows

These are the workflows for using AD with NTLM and AD with SiteMinder.
AD and NTLM basic workflow

The workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:
Mapping AD accounts Modifying IIS security settings Modifying the web.config file for impersonation and Windows authentication
AD, NTLM and single sign-on workflow

The workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:
248
11
Mapping AD accounts Modifying IIS security settings Modifying the web.config file for InfoView AD single sign-on
AD and SiteMinder workflow

The workflow for configuring BusinessObjects Enterprise to use IIS with AD and SiteMinder involves these steps:
Mapping AD accounts Configuring the Windows AD plug-in for SiteMinder Whichever of these steps that applies to your deployment type:
Modifying web.config for .NET InfoView and SiteMinder Modifying web.xml for Java AD and SiteMinder
Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map AD users and groups and configure the Windows AD security plug-in for NTLM authentication 1. Go to the Authentication management area of the CMC. 2. Click the Windows AD tab.
249
11
3. 4.
Ensure that the Windows Active Directory Authentication is enabled check box is selected. In the Windows AD Configuration Summary area, click the link beside AD Administration Name. Note: Before the Windows AD plug-in is configured, this link will appear as two double quotes. After the configuration has been saved, the link with be populated with the AD Administration names.
5.
Enter the name and password of the domain user account youve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups. Administration credentials can use one of the following formats:
NT name (DomainName\UserName) UPN (user@DNS_domain_name)
Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on. 6. Complete the Default AD Domain field. Note:
Groups from the default domain can be mapped without specifying the domain name prefix. If you enter the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.
250
11
7.
In the Mapped AD Member Groups area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats:
Security Account Manager account name (SAM), also referred to as NT name (DomainName\GroupName) DN (cn=GroupName, ......, dc=DomainName, dc=com)
Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore, they will not be able to access BusinessObjects Enterprise. 8. 9. Click Add. The group is added to the list. For basic NTLM authentication, follow these steps: a. b. a. b. EnsureUse NTLM authentication is selected. Clear Enable Single Sign On for selected authentication mode. Ensure Use NTLM authentication is selected. Ensure Enable Single Sign On for selected authentication mode is selected.
10. For NTLM authentication with single sign-on follow these steps:
Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
12. Select when users and aliases are created. You have these choices:
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
251
11
New users are created as named users. New users are created as concurrent users.
For further details on these options, see User type options on page 196. 14. Click Update. 15. Click OK.
Setting up AD single sign-on

Installation of the Active Directory plug-in enables you to use AD single signon. However, there are a two additional tasks you will need to complete the configuration for single sign-on for BusinessObjects Enterprise. Completing the configuration for AD single sign-on involves these tasks for IIS:
Modifying IIS security settings on page 252 Modifying the web.config file for impersonation and Windows authentication on page 253
Completing the configuration for AD single sign-on involves these tasks for IIS: Note:
AD single sign-on is not supported on client machines running on Windows 98. By default, AD single sign-on is not enabled.
For information on how to set up end-to-end single sign on with AD and Kerberos, see End-to-end Single sign-on workflow on page 267.
Modifying IIS security settings

1. 2. 3. 4. 5. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Expand the web site that runs your BusinessObjects Enterprise applications. Right-click businessobjects, and then select Properties.
252
11
6. 7. 8.
Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:

9.
Anonymous access Basic authentication
Ensure Integrated Windows authentication is selected.
10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportviewers115 and Styles. 13. Restart your IIS server.
Modifying the web.config file for impersonation and Windows authentication

If you want to use AD authentication, you must modify the web.config file to change the authentication mode used and allow impersonation. This is in addition to changing how IIS is configured. Modify either of the following web.config files based on what application you want to configure.
To configure both the CMC and InfoView, configure the web.config file in the Web Content directory.
To configure only InfoView, configure the web.config file in the InfoView directory. Note: The values in web.config file are case-sensitive. 1. To modify web.config for basic AD authentication Open the appropriate Web.config file from either of the following locations:

2. 3.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\
Find the following line in the <system.web> block:

<authentication mode="None" />

<authentication mode="Windows" />
253
11
4. 5. 6.

Save and close the file. Restart IIS.
Modifying the web.config file for InfoView AD single sign-on

If you want to have AD single sign-on for InfoView, you must modify the web.config file for the following reasons:
To change the authentication mode used. To allow impersonation. To enable single sign-on. To specify the authentication default.
These changes are in addition to changing how IIS is configured. Note: The values in web.config file are case-sensitive. 1. To modify web.config for AD single sign-on Open the Web.config file from this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\
2. 3. 4. 5. 6. 7. 8. 9.




<add key="authenticationDefault" value="secWinAD" />
10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file.
254
11
12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in Setting up AD single sign-on on page 252.
Configuring AD and SiteMinder workflow

This section explains how to use AD and SiteMinder. SiteMinder is a thirdparty user access and authentication tool that you can use with the AD security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed Mapping AD accounts on page 249. There are two things you must do to enable AD single sign-on with SiteMinder:
Configure the AD plug-in for single sign-on with SiteMinder Modify either the Web.xml file to use Java and SiteMinder or the Web.config file to use .NET and SiteMinder
Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
Configuring the Windows AD plug-in for SiteMinder

1. 2. 3. 4. 5. To configure the AD plug-in for single sign-on with SiteMinder From the CMC, click Authentication. Click on the Windows AD tab. Scroll down to the SiteMinder options area of the page. Click Disabled. The Windows AD SiteMinder configuration page will appear. If you have not configured the Windows AD plug-in, you will receive a warning and will be asked if you wish to continue. Click OK.
255
11
The AD SiteMinder configuration page will appear.
6. 7. 8. 9.
Click Use SiteMinder Single Sign On. In the Policy Server Host box, type the name of each Policy Server, and click Add. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers. Enter the name of the Agent Name and the Shared Secret. Enter the Shared Secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.
10. Click Update.
256
11
Modifying web.xml for Java AD and SiteMinder

1. To enable Java AD SiteMinder Open the web.xml file for InfoView, from its deployed location on your web application server.
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
4. 5.
Set the <param-value> for the authentication.default to secWinAD.

<param-value>secWinAD</param-value>
6. 7. 8. 9.




10. Find the following string in the file:

11. Set the <param-value> for siteminder.authentication to secWinAD.

257
11
Modifying web.xml for Java AD Single sign-on to InfoView

1. To enable Java AD single sign-on Open the web.xml file for InfoView, from its deployed location on your web application server.
4. 5. 6. 7. 8. 9.



Save and close the file. Restart your web application server.
Modifying the web.xml file for Java AD and SiteMinder

1. To enable the Java AD client for SiteMinder Open the web.xml file for InfoView, from its deployed location on your web application server.
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you
258
11
are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
4. 5. 6. 7. 8. 9.





10. Find the following string in the file:

11. Set the <param-value> for siteminder.authentication to secWinAD.

Modifying web.config for .NET InfoView and SiteMinder

1. To enable .NET InfoView client for SiteMinder Open the web.config file for InfoView, from its deployed location for IIS.
Note: The path mentioned is the default location. Modify your path accordingly if you changed the default location. 2. Find the following string in the file:
259
11
3. 4. 5. 6. 7. 8. 9.
Enter the CMS name in the cmsDefault value field. Find the following string in the file:
<add key="authenticationDefault" value="secEnterprise" />
Set the value for the authenticationDefault to secWinAD. Find the following string in the file:
<add key="ssoEnabled" value="false" />
Change the value for ssoEnabled from false to true. Find the following string in the file:
<add key="siteminderEnabled" value="true" />
Ensure the value for siteminderEnabled is set to true.

<add key="siteminderAuthentication" value="secLDAP" />
10. Find the following string in the file: 11. Set the value for sitemindeAuthentication to secWinAD.
12. Save and close the file. 13. Restart IIS.
Disabling SiteMinder for Java clients

If you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC, modify the web.xml file for Infoview. 1. To modify web.xml to disable SiteMinder Open the web.xml file for InfoView on your web application server.
Change the <param-value> from true to false.

260
11
4. 5.
Disabling SiteMinder for .NET clients

If you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC for .NET, modify the web.config file for InfoView. 1. To modify web.config to disable SiteMinder for .NET clients Open the web.config file for InfoView on your web application server.
2. 3. 4. 5.

<add key="siteminderEnabled" value="true" />
Change the value from true to false.

Troubleshooting single sign-on

This section contains some of the common configuration errors which can single sign-on not to function properly.
Disabled single sign-on Security context problem Duplicate ssoEnabled tags
Disabled single sign-on

Despite the fact that single sign-on has been configured in the web.config files, users receive the following error:
The administrator has disabled Single Sign-On logons for this authentication plugin. Please log on using your username and password.
This problem occurs when single sign-on configuration is missing from the CMC but present in all the other required locations. 1. 2. To enable single sign-on in the CMC Go to the Authentication area of the CMC. Click the Window AD.
261
11
3. 4.
In the Authentication Options area of the page, select Enable Single Sign On for selected authentication mode. Restart IIS.
Security context problem

After single sign-on has been set up, when the users attempt to access InfoView, they receive the following error:
An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.
This can be caused because the impersonation setting has been set incorrectly or the setting is missing from the web.config file. 1. To fix this problem Open the web.config file at this location:
2.
Make sure both of these lines exist in the file.

<authentication mode="Windows"/> <identity impersonate="true" />
If either line is missing, add it, if either has a different setting, change it to match the required setting. 3. 4. Save and close the file Restart IIS.
Duplicate ssoEnabled tags

Single sign-on has been configured in the web.config files, but the InfoView Log on screen appears with a blank user name and password, and with Windows AD authentication selected. If you click the Log on you are logged on successfully. No error message is displayed. This can occur if you have multiple contradictory values set for the key ssoEnable in the web.config file. Consider the following sample where the ssoEnable is set twice: the first time it is set to true, the second time it is set to false.
<add <add <add <add key="cmsDefault" value="ABCADEI01" /> key="ssoEnabled" value="true" /> key="authenticationDefault" value="secWinAD" /> key="cmsVisible" value="true" />
262
11
. . . <!-<add <add <!-<add
Set to false to disable Siteminder sso --> key="siteminderEnabled" value="true" /> key="siteminderAuthentication" value="secLDAP" /> Set to true to enable other Single Sign On --> key="ssoEnabled" value="false" />
1.
To remove the duplicate tag Open the web.config from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content
2. 3. 4. 5.
Search for the following throughout the file:

ssoEnabled
If you find multiple occurrences, ensure the first one has the setting you want, then delete the duplicate tags. Save and close the file. Restart IIS.
263
11
264
Using AD and Kerberos with IIS
chapter
12
Using AD and Kerberos with IIS Configuring Kerberos for IIS
Configuring Kerberos for IIS

This section contains the tasks related to configuring Kerberos and single sign-on for use with IIS. If you are using IIS and Kerberos but do not want to use single sign-on, the steps outlined in this section are required. For information on using IIS and Kerberos without single sign-on, see Using AD with NTLM or SiteMinder on page 245. If you are using Java, see Using AD and Kerberos with Java application servers on page 289.
Kerberos, IIS and single sign-on options

If you are using IIS and Kerberos, you have the following options for single sign-on:
Single sign-on Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.
Single sign-on to the database Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access. In particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos. For details on which databases are supported for single-sign on, consult the platforms.txt file included with your product distribution.
End-to-end single sign-on End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the frontend, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.
266
12
Workflows for Kerberos and IIS

This section summarizes the workflows for using IIS, Kerberos and AD on BusinessObjects Enterprise. For details on what these terms mean, see information about the levels of single sign-on that are supported for use with IIS in BusinessObjects Enterprise, see Kerberos, IIS and single sign-on options on page 266.
Basic AD and Kerberos workflow

Configuring AD and Kerberos includes these steps:
Setting up a service account on AD Granting the service account rights Configuring the servers to use the service account Configuring IIS for integrated Windows authentication Modifying web.config for impersonation and Windows authentication Enabling Kerberos authentication in the Windows AD plug-in
AD and Kerberos with single sign-on workflow

Configuring AD and Kerberos single sign-on includes these steps:
Setting up a service account on AD Granting the service account rights Configuring IIS for integrated Windows authentication Configuring the servers to use the service account Modifying web.config for InfoView single sign-on Enabling Kerberos authentication in the Windows AD plug-in
Single sign-on to database workflow

Configuring single sign-on to database includes these steps:
Modifying the AD plug-in settings for database single sign-on Configuring web applications for database single sign-on Configuring IIS for database single sign-on Configuring the database server for single sign-on
End-to-end Single sign-on workflow

Configuring end-to-end single sign-on includes these steps:
Modifying the AD plug-in settings for database single sign-on Configuring IIS and browsers
267
12
Configuring IIS for end-to-end single sign-on Modifying web.config for InfoView single sign-on Configuring Kerberos for IIS on page 266
Setting up a service account on AD

To configure BusinessObjects Enterprise for Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. How you create this account varies slightly depending on what version of Active Directory Domain you are using:
If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 268 If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 269.
After you set up the service account, you will need to grant the account appropriate rights, see Granting the service account rights on page 270.
Setting up a service account with delegation on a Windows 2000 Domain

1. 2. 3. 4. To set up the service account on a Windows 2000 Domain Create an account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ Right-click on the user account, then select Properties. Click the Account tab. Select these account options:

1.
Account is trusted for delegation Use DES encryption types for this account
To run the SPN utility on Windows 2000 Download the utility from this location to your Domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/ tools/existing/setspn-o.asp
2.
Open a command prompt and enter this command:

SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount
268
12
Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

1. To set up the service account on a Windows 2003 Domain Create a new account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ 2. 3. 4. 5. Right-click on the user account, then select Properties. Click the Account tab. Select the following under Account Options:
Use DES encryption types for this account
Open a Command Prompt and enter this command:

Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. 6. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 7. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command. 8. 9. Select Trust this user for delegation to any service (Kerberos only) Click OK.
Configuring the servers

Configuring the BusinessObjects Enterprise servers includes these steps:
Granting the service account rights on page 270 Configuring the servers to use the service account on page 270
269
12
Granting the service account rights

In order to support AD and Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running the following servers:
CMS Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Control Panel > Administrative Tools > Local Security Policy. Expand Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Enter the name of the service account you created, then click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.
Configuring the servers to use the service account

In order to support Kerberos single sign-on, you must use CCM and configure the following servers to log on as the service account:
CMS server Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server.
270
12
3. 4.
Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, then click OK.
5. 6.
Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.
Enabling Kerberos authentication in the Windows AD plug-in

In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:

Prerequisites
Ensuring Windows AD authentication is enabled. Entering the AD Administrator account. Note: This account requires read access to Active Directory only; it does not require any other rights. Entering the service principal name (SPN) for the service account. If you want to use single sign-on, you will also have to enable single signon in the CMC.
Before you configure the Windows AD security plug-in for Kerberos, you must have completed the following tasks:

1. 2.
Setting up a service account on AD on page 268 Granting the service account rights on page 270 Configuring the servers to use the service account on page 270 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab.
271
12
3.
Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4. 5.
In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name. Enter the AD administrators credentials in the Name and Password fields.
Note:

6.
Use the format DOMAIN\Account in the Name field. The AD Administrator account requires read access to Active Directory only; it does not require any other rights.
Enter the default domain in the Default AD Domain field. Note: Use The FQDN format for the AD default domain and enter the domain in uppercase.
7.
Click Update.
272
12
8.
In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.
9.
Under Authentication Options select the following:
Select the Use Kerberos authentication check box.
If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box. In the service principal name: field, enter the service principal name of the service account. Note:
273
12
The Service Principal Name is case sensitive. The case must match exactly what you have set up on your AD domain. This must be the same account that you use to run the BusinessObjects Enterprise. The domain name is entered in uppercase. This must be the same account that you use to run the BusinessObjects Enterprise servers. This is the AD account you created in this step: Setting up a service account on AD on page 268.
Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
New users are created as named users. New users are created as concurrent users.
For further details on these options, see User type options on page 196. 13. Click Update.
Modifying web.config for impersonation and Windows authentication

1. To modify web.config for Windows authentication and impersonation Open the Web.config file from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\
274
12
2. 3. 4. 5. 6.

Replace None with Windows. Find the following line:

<identity impersonate="false" />
Change the value to true. Save and close the file.
Modifying the AD plug-in settings for database single sign-on

1. 2. 3. 4. To modify the CMC settings for database single sign-on Go the Authentication area of the CMC. Click the Windows AD tab. Scroll down to Authentication Options area of the page. Clear the Enable Single Sign On for selected authentication mode check box on the Windows AD page in the Authentication management area in CMC.
Configuring IIS and browsers

In order to support Kerberos end-to-end single sign-on, you have to configure the BusinessObjects Enterprise clients. This includes:
Configuring IIS for integrated Windows authentication on page 275 Configuring the Internet Explorer browser on a client machine on page 276
Configuring IIS for integrated Windows authentication

To support Kerberos, you have to configure the BusinessObjects clients on IIS to use integrated Windows authentication. 1. 2. 3. 4. 5. 6. To configure the clients for Windows authentication On IIS, in the Internet Information Services window, expand the tree on the left and go to businessobjects under Default Web Site. Right-click businessobjects and select Properties. On the Directory Security tab, click Edit. If it is selected, clear Anonymous Access. Select Integrated Windows Authentication. Click OK, then click OK again.
275
12
7.
Repeat the above for crystalreportviewers115 and styles.
Configuring the Internet Explorer browser on a client machine

To support Kerberos end-to-end single sign-on, you have to configure the Internet Explorer (IE) browser on the BusinessObjects Enterprise client machines. This includes:
Setting up the client machines for integrated Windows authentication. Adding IIS to the trusted sites. In configuring IIS for database single sign-on, you do not need to configure the browser for single sign-on. See also Configuring IIS for database single sign-on on page 281. You can automate the following steps through a registry key. For details, refer to your Windows documentation. To configure the IE browser on the client machines On the client machine, open an Internet Explorer browser window. Enable integrated windows authentication. a. b. c. d. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Advanced tab. Navigate to the Security settings. Click the Enable integrated windows authentication option, and click Apply.
Note:
1. 2.
3.
Add IIS to the Trusted sites. You can enter the full domain name of the site. a. b. c. d. e. f. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Security tab. Click Sites. Click Advanced. Type in the web site for IIS, and click Add. Click OK, then click OK twice more to close the Internet Options dialog box.
4.
Close the Internet Explorer browser windows and then open them again for the changes to take effect.
276
12
5.
Repeat the above steps on each BusinessObjects Enterprise client machine.
Configuring IIS for end-to-end single sign-on

To support Kerberos end-to-end single sign-on, the worker processes of IIS have to run under a domain account that is trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:
Configuring IIS 5 for Kerberos end-to-end single sign-on on page 277 Configuring IIS 6 for Kerberos end-to-end single sign-on on page 279
Note: Instead of configuring IIS worker processes for end-to-end single signon you can configure them to use database single sign-on. You may want to do this, for example, if you dont want to run IIS worker processes under an account that has been trusted for delegation. For more information, see:
Configuring IIS for database single sign-on on page 281 Configuring web applications for database single sign-on on page 285
Configuring IIS 5 for Kerberos end-to-end single sign-on

To support Kerberos end-to-end single sign-on, you have to set IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation. You can run IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which will result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To configure IIS 5 for database single sign-on on page 282 To run IIS 5 worker process under a user domain account on page 278
277
12
1.
To run IIS 5 worker process under the machine domain account On the domain controller, set the domain account of IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c onfig file:
2.
userName="SYSTEM" Password="AutoGenerate"
In the above path name, version represents the software version. Note:

3.
Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.
If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
Running IIS 5 worker processes under a user domain account

1. To run IIS 5 worker process under a user domain account Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the
userName="domainaccount" Password="password"
Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. In the above path name, version represents the software version. Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.
278
12
2.
Configuring IIS 6 for Kerberos end-to-end single sign-on

To support Kerberos for end-to-end single sign-on, you have to set IIS and w3wp.exe worker process to run as an account that has been trusted for delegation. You can run IIS either under the machine domain account or under user domain account. Each approach has advantages and disadvantages:
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and may expire, which will result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
To run IIS 6 worker processes under the machine domain account on page 279 To run IIS 6 worker processes under a user domain account on page 280
Running the IIS 6 worker processes under a domain account

1. To run IIS 6 worker processes under the machine domain account On the domain controller, set the account of IIS machine to be trusted for delegation. Note:
Changing this property can take several minutes to propagate. If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281.
279
12
2.
Configure the account for the w3wp.exe worker process: a. b. c. In the Internet Service Manager window, right-click the machine name and select Application Pool > New. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > EnterpriseX (where X equals your version number). Right-click InfoView and select Properties. On the Home Directory tab, select the new application pool name from the list, and click Apply. Right-click the application
pool
d. e. f. g.
you created, and select Properties.
On the Identity tab, select LocalSystem from the list, and click Apply. Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group.
Note:

3.
Running the IIS 6 worker processes under a user domain account

1. To run IIS 6 worker processes under a user domain account Set the w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the
userName="domainaccount" Password="password"
In the above path name, version represents the software version. Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.
280
12
Note: If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group. 2. Add the domain account to IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http:// msdn.Microsoft.com/ If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
3.
Configuring IIS for database single sign-on

When using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases. Below is a summary of the tasks required to set up a single sign-on to database:
Configure IIS worker processes to run as a domain account. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:
Configuring IIS 5 for single sign-on to database only on page 282 Configuring IIS 6 for single sign-on to database on page 283
Configure the web applications for single sign-on to the database. See Configuring web applications for database single sign-on on page 285. Modify the Windows AD options. See Modifying the AD plug-in settings for database single sign-on on page 275.
281
12
Configuring IIS 5 for single sign-on to database only

To support database single sign-on, you have to set the Aspnet_wp.exe worker process to run as a domain account. You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsoft s web site: http:// www.microsoft.com/ 1. To configure IIS 5 for database single sign-on Make sure your BusinessObjects Enterprise web site on IIS is running as a domain account. Note: Unless you specified a different web site during installation, this will be the Default Web Site under IIS. 2. Locate and open the machine.cong file. This file can be found at the following location:
C:\Winnt\Microsoft.NET\Framework\version\CONFIG\ where,
version
represents the software version number.
3. 4.
Find the processModel Attributes area in the file. Set UserName and password as follows:

5.
userName="SYSTEM" Password="AutoGenerate".
Save and close the file. Note:

6.
Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
282
12
For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.
Configuring IIS 6 for single sign-on to database

To support single sign-on to the database, you have to set the w3wp.exe worker process to run as a machine or user domain account, You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:
If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.
The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ 1. To configure IIS 6 for database single sign-on Make sure the BusinessObjects Enterprise IIS web site is running as a domain account. Note: Unless you specified a different site during installation, this will be the Default Web Site under IIS. 2. Configure the account for the w3wp.exe worker process: a. b. c. d. e. f. g. h. In the Internet Information Services Manager window, expand the computer name. Right-click Application Pool and select New > Application Pool. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > Enterprise115. Right-click InfoView and select Properties. On the Directory tab select the new application pool name from the application pool list, and then click Apply. Right-click the application pool you created, and select Properties. On the Identity tab, select LocalSystem from the list, and click Apply.
283
12
Note:

3.
Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.
For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.
Modifying web.config for InfoView single sign-on

In order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. If you want to use database single sign-on instead of end-to-end single signon, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See Configuring web applications for database single sign-on on page 285. Note: The values in web.config file are case-sensitive. 1. To modify web.config for InfoView single sign-on Open the appropriate Web.config file from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\
2. 3. 4. 5. 6. 7.




284
12
8. 9.
<add key="authenticationDefault" value="secWinAD" />
10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file. 12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks that apply to the type of single sign-on you are using, as outlined in Workflows for Kerberos and IIS on page 267.
Configuring web applications for database single sign-on

If you want to use database single sign-on instead of end-to-end single signon, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on IIS as follows: Note: If you want to use database single sign-on, see also Configuring IIS for database single sign-on on page 281. 1. To configure the web applications for database single sign-on To set the CMC to not impersonate the user, add the following line to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web Content\Web.config file:
<identity impersonate="false" /> 2. 3. 4. Locate the following line:

Change the value from None to Windows. To set InfoView to not impersonate the users, add the following line to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config file:
<identity impersonate="false" /> 5. 6. 7. Locate the following line:

Change the value from None to Windows. Save and close the files.
Note: Make sure you set identity impersonate to false.
285
12
Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting the authentication method that applies to them. Once they are logged on, the users will have database single sign-on access associated with BusinessObjects Enterprise.
Configuring the database server for single sign-on

This section provides information that is specific to setting up single sign-on to SQL Server databases. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. For general information and for information about single sign-on to other supported databases, refer to the database vendors support documentation.
Configuring SQL Server for single sign-on

In order for Kerberos single sign-on to work, the machines running SQL Server database must be trusted for delegation. Setting up security delegation varies depending on whether SQL Server has been configured to run under the LocalSystem account or under a service account:
If SQL Server is running under the LocalSystem account, no additional configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account. If SQL Server is running under a service account, you have to configure to be trusted for delegation. To run SQL Server under a service account In Active Directory, set up the SQL Server service account for security delegation: a. b. c. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Right-click the domain account and select Properties. On the Accounts tab, make sure the following options are selected:
1.
In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that these two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.
286
12
Note: If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. 2. Set the machine running SQL Server as follows: a. b. 3. Computer is trusted for delegation Click Apply, and click OK.
Add an SPN for the service account of the SQL Server:

setspn -A MSSQLSvc/host:port serviceaccount
Where host:port is the name of the machine running SQL Server and the port, and serviceaccount is the name of the SQL Server service account.
Server cache expiry

When the system is using AD and Kerberos single sign-on, it uses the cache expiry for certain BusinessObjects Enterprise servers to determine whether a logon ticket is still valid. This applies to the CMS, Page Server, Report Application Server, and Web Intelligence Report Server. The CMS uses the cache expiry as follows:
If the CMS cache expiry is greater than that of the ticket, the system renews the ticket until the CMS cache expiry is reached. If the CMS cache expiry is less than that of the ticket, the ticket will expire when the CMS cache expiry is reached. If the CMS cache expiry is zero, the system will use the globally set ticket expiry.
The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached. The system comes configured with default values for the server cache expiry. To change the default values for the cache expiry, see Modifying the default cache expiry value on page 287. Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.
Modifying the default cache expiry value

1. 2. To change the default cache expiry value Go to the Servers management area of the CMC. Click the link for the server.
287
12
3. 4. 5.
Click the Single Sign-On tab. Type in a new cache expiry value. Click Update.
288
Using AD and Kerberos with Java application servers
chapter
13
Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers
Configuring Kerberos for Java application servers

This section contains the tasks related to configuring Kerberos for use with these Java application servers: Tomcat, WebSphere, WebLogic, and Oracle Application Server. Note: SAP Web Application Server with Java AD with Kerberos is not supported. This section contains this information:
Two type of workflows.
The general workflow that you must follow regardless of the web application server your are using. The workflow specific to your Java web application server. This second workflow is necessary because the implementation of Java Authentication and Authorization Service (JAAS) varies between different application servers.
The procedural details for each step in the workflow. Two samples of Krb5.ini files. Troubleshooting information.
Note: If you are using IIS and Kerberos, see Workflows for Kerberos and IIS on page 267.
General workflow for configuring Kerberos

This section outlines the process of setting up BusinessObjects Enterprise and your Java application server to use AD with Kerberos authentication. Configuration process overview Setting up Kerberos includes these steps:
Setting up a service account Granting the service account rights Configuring the servers to use the service account Kerberos authentication in the Windows AD plug-in
290
13
Workflow for configuring Tomcat for Kerberos

If you are using Tomcat, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Tomcat or WebLogic Modifying your Java options for Kerberos on Tomcat
Workflow for configuring WebSphere for Kerberos

If you are using WebSphere, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.
Configuring Kerberos and single sign-on for Java InfoView Creating the JAAS login configuration file for WebSphere Modifying the Java options for Kerberos on WebSphere
Workflow for configuring WebLogic for Kerberos

If you are using WebLogic, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server. Creating the JAAS login configuration file for Tomcat or WebLogic Modifying the Java options for Kerberos on WebLogic
Workflow for configuring Oracle for Kerberos

If you are using Oracle, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Oracle Application Server Modifying the Java options for Kerberos on Oracle Application Server
291
13
Setting up a service account

To configure BusinessObjects Enterprise using Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. After you set up the service account, you will need to grant the account appropriate rights, see Granting the service account rights on page 295. How you create this account varies slightly depending on what version of Active Directory Domain you are using:
If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 292 and Creating an SPN for your CMS on a Windows 2000 domain on page 293. If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 293 and Creating an SPN for your CMS on a Windows 2003 domain on page 294. If you are using a Windows 2003 Domain, you also have the option of setting up constrained delegation. See Setting up constrained delegation on page 294 for more information.
Note: In a forest with multiple domains you can create this service account in any domain. All domains that trust the domain you have created the service account in will be able to authenticate.

1. 2. 3. 4. To set up the service account on a Windows 2000 Domain Create an account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ Right-click on the user account, then select Properties. Click the Account tab. Select these account options:
Account is trusted for delegation Use DES encryption types for this account
292
13
Creating an SPN for your CMS on a Windows 2000 domain

1. To run the SPN utility on Windows 2000 Download the utility from this location to your Domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/ tools/existing/setspn-o.asp
Note: The SETSPN utility is a program that allows you to manage the Service Principal Name (SPN) for service accounts in Active Directory. 2. Open a command prompt and enter this command:
Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

1. To set up the service account on a Windows 2003 Domain Create a new account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ 2. 3. 4. 5. 6. Right-click on the user account, then select Properties. Click the Account tab. Select the following under Account Options:
Use DES encryption types for this account
Run the SPN utility. For details, see Creating an SPN for your CMS on a Windows 2003 domain on page 294. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.
7.
Select this option: Trust this user for delegation to any service (Kerberos only)
293
13
Note: If you are using a 2003 Active Directory domain, and you need to restrict delegation, see Setting up constrained delegation on page 294. 8. Click OK.
Creating an SPN for your CMS on a Windows 2003 domain

1. To run the SPN utility Open a Command Prompt and enter this command:
Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 2. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 3. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.
Setting up constrained delegation

If your company has a policy against trusting a specific service account for delegation to any service, and you are using Active Directory on Windows 2003, you may set up constrained delegation. Setting up constrained delegation is done after you create the service account. Constrained delegation allows you to limit what services an account can delegate to, rather then allowing an authorized user to delegate to all services.You can set up constrained delegation in these ways:
Setting up constrained delegation for a service account on page 295
This method allows you to limit the amount of delegation permitted. Constrained delegation for a service account allows you to do further limit delegation to a specific service for a specific user on a specific computer. Because constrained delegation for a service account is more restrictive, it is considered a more secure option. Note: Constrained delegation is only supported on Active Directory 2003.
294
13
Setting up constrained delegation for a service account

1. 2. Select the name of the computer or account you created to use as the service account, then click OK. Create a SPN for the CMS server. Type the following command:
SETSPN.exe A BOBJCentralMS/HOSTNAME CMS_Machine_Name

3. 4. 5. 6. 7. 8. 9.
Replace HOSTNAME with the fully qualified name of your machine running the CMS service: For example, machine_name.domain_name.com. Replace CMS_Machine_Name with the name of machine running the CMS service.
Open Active Directory. Expand Users and Computers. Select the Users folder. Select the service account user. Right-click, then select Properties. Click on the Delegation tab. Select Trust this user for delegation to specified services only.
10. Ensure Use Kerberos only is selected. 11. Click Add. 12. Click Users and Computers. 13. Enter the CMS_machine_name you specified in step 2, then click OK. 14. Select BOBJCentralMS from the list of services, then click OK. 15. Click OK.
Configuring the servers

Configuring the BusinessObjects Enterprise servers includes these steps:
Granting the service account rights on page 295 Configuring the servers to use the service account on page 297
Granting the service account rights

In order to support Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running these servers:
CMS
295
13
Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Administrative Tools > Local Security Policy. Click Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Type the name of the user to add, and click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.
Note: It is important that the Effective Right ends up being checked after Act as part of the operating system is selected. Typically, you will need to restart the server for this to occur. If, after restarting the server, this option is still not on, your Local Policy settings are being overridden by your Domain Policy settings.
Adding the Service Account to the servers Local Administrators group

In order to support Kerberos, the service account must be part of the local Administrators group for each server that has one of the following services deployed:
CMS Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. For details, see Setting up a service account on page 292. You must also have administrative rights on the server. 1. 2. To add an account to the Administrators Group On the desired machine, right-click My Computer and then click Manage. Go to System Tools > Local Users and Groups > Groups.
296
13
3. 4. 5. 6. 7.
Right-click Administrators and then click Add to Group... Click Add... and enter the logon name of the service account. Click Check Names to ensure the account resolves. Click Ok and then click OK again. Repeat these steps for each Business Objects server that has to be configured.
Configuring the servers to use the service account

In order to support Kerberos, you must use the CCM and configure the following servers to log on as the service account:
CMS server Page Server Report Application Server Web Intelligence Report Server
Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server. Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. 5. 6. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and click OK.
Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.
Kerberos authentication in the Windows AD plug-in

In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:
Ensuring Windows AD authentication is enabled. Entering the AD Administrator account.
297
13
This account requires read access to Active Directory only; it does not require any other rights.
Enabling Kerberos authentication and single sign-on, if single sign-on is desired.
Note: If you enable single sign-on in the CMC, you also must configure it in the web.xml file. For details, see Configuring Kerberos and single sign-on for Java InfoView on page 312.
Entering the service principal name (SPN) for the service account.
Prerequisites
Before you configure the Windows AD security plug-in for Kerberos, you must have completed these tasks:

1. 2. 3.
Setting up a service account on page 292 Granting the service account rights on page 295 Configuring the servers to use the service account on page 297 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab. Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4.
In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
298
13
5.
Enter the credentials that have read access to Active Directory in the Name and Password fields.
Note:

6.
Use the format Domain\Account in the Name field. The account requires read access to Active Directory only; it does not require any other rights.
Enter the default domain in the Default AD Domain field. Note: Use The FQDN format and enter the domain in uppercase. Note: In a deployment with multiple domains, the Default AD Domain may be any of the desired domains. The best practice is to use the domain with the largest number of users that will be authenticating with their AD account.
7.
In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.
299
13
8.
In the Authentication Options area, select Use Kerberos authentication.
Note:

9.
If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box.
In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account you created in the section Creating an SPN for your CMS on a Windows 2000 domain on page 293 or Creating an SPN for your CMS on a Windows 2003 domain on page 294. Use the following format, where svcacct is the name of your service account or SPN, and DNS.COM is your fully qualified domain in uppercase. For example, the Service Account would be svcacct@DNS.COM and the SPN would be BOBJCentralMS/MACHINE.DOMAIN.COM@DOMAIN.COM
300
13
Note:
If you plan to enable Single Sign-On to Java InfoView with users from multiple domains, you must enter the SPN in this field. The service account is case sensitive. The case of the account you enter here must match with what is set up in your Active Directory Domain. If your UPN and SAM name are not identical, enter the UPN name. This must be the same account that you use to run the BusinessObjects Enterprise servers or the SPN that maps to this account. See Setting up a service account on page 292. When manually logging on to Java InfoView, users from other domains must log on with their AD account in UPN format. This is what is displayed in the logon name field in the AD Users and Computers snap-in. For example: user@child.parentdomain.com
Assign each added AD alias to an account with the same name Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.
New aliases will be added and new users will be created No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.
Note: For further details on these options, see User type options on page 196. 13. Click Update.
301
13
Configuring Kerberos for your Java application server

The specific process of configuring Kerberos for a Java application server varies slightly depending on which Java application server is used. However, the general process of configuring Kerberos on your application server involves these steps:
Creating the Kerberos configuration file. Creating the JAAS login configuration file. Modifying the Java Options. Restarting you Java application server. SAP Web Application Server and Java AD with Kerberos is not supported. The default Active Directory domain must be in uppercase DNS format. You are no longer required to download and install MIT Kerberos for Windows. You also no longer require a keytab for your service account.
Note:
Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server
Follow these steps to create the Kerberos configuration file if youre using Tomcat, Oracle Application Server or WebLogic. 1. To configure Kerberos for Java AD Create the file krb5.ini, if it does not exist, and store it under the following platform dependant location: Platform Windows Location
c:\WINNT
Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying your Java options for Kerberos on Tomcat on page 307 for procedural details.
302
13
2.
Add the following required information in the Kerberos configuration file:

[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true [realms] DNS.COM = { default_domain = DNS.COM kdc = hostname.DNS.COM }
Note:
DNS.COM is the DNS name of your domain which must be entered in
FQDN format and entered in uppercase.

kdc is the Host name of the Domain Controller.
You can add multiple domain entries to the [realms] section if your users log in from multiple domains. To see a sample of this file with multiple domain entries, see Sample single domain Krb5.ini file on page 305 or Sample multiple domain Krb5.ini file on page 304. For further information see http://java.sun.com/j2se/1.5.0/docs/guide/ security/jgss/tutorials/KerberosReq.html. In a multiple domain configuration, under [libdefaults] the default_realm value may be any of the desired domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts.
303
13
Creating the Kerberos configuration file for WebSphere

1. To configure Kerberos for WebSphere Create the file krb5.ini, if it does not exist, and store it under the following platform dependant location: Platform Windows Location
c:\WINNT
Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying the Java options for Kerberos on WebSphere on page 308 for procedural details. 2. Add the following required information in the Kerberos configuration file:
[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc [realms] DNS.COM = { default_domain = DNS.COM kdc = hostname.DNS.COM }
Note:
DNS.COM is the DNS name of your domain. This must be entered in
uppercase in FQDN format. These lines are required for the default encryption types for WebSphere, and are different than the encryption types for WebLogic, Oracle Application Server and Tomcat: default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc
3.
For samples of this file see Sample single domain Krb5.ini file on page 305 and Sample multiple domain Krb5.ini file on page 304.
Save and close the file.
Sample multiple domain Krb5.ini file
Following is a sample file with multiple domains.

[domain_realm] .domain03.com = DOMAIN03.COM domain03.com = DOMAIN03.com
304
13
.child1.domain03.com = CHILD1.DOMAIN03.COM child1.domain03.com = CHILD1.DOMAIN03.com .child2.domain03.com = CHILD2.DOMAIN03.COM child2.domain03.com = CHILD2.DOMAIN03.com .domain04.com = DOMAIN04.COM domain04.com = DOMAIN04.com [libdefaults] default_realm = DOMAIN03.COM dns_lookup_kdc = true dns_lookup_realm = true [logging] [realms] DOMAIN03.COM = { admin_server = testvmw2k07 kdc = testvmw2k07 default_domain = domain03.com } CHILD1.DOMAIN03.COM = { admin_server = testvmw2k08 kdc = testvmw2k08 default_domain = child1.domain03.com } CHILD2.DOMAIN03.COM = { admin_server = testvmw2k09 kdc = testvmw2k09 default_domain = child2.domain03.com } DOMAIN04.COM = { admin_server = testvmw2k011 kdc = testvmw2k011 default_domain = domain04.com }
Sample single domain Krb5.ini file

Following is a sample krb5.ini file with a single domain.
[libdefaults] default_realm = ABCD.MFROOT.ORG dns_lookup_kdc = true dns_lookup_realm = true [realms] ABCD.MFROOT.ORG = { kdc = ABCDIR20.ABCD.MFROOT.ORG kdc = ABCDIR21.ABCD.MFROOT.ORG kdc = ABCDIR22.ABCD.MFROOT.ORG kdc = ABCDIR23.ABCD.MFROOT.ORG default_domain = ABCD.MFROOT.ORG }
Creating the JAAS login configuration file for Tomcat or WebLogic

1. To create the JAAS login configuration file for Tomcat or WebLogic Create a file called bscLogin.conf if it does not exist.
305
13
Store it in this location:

C:\WINNT
This is the default location for the bscLogin.conf file. You can specify a different location for this file, but if you do, you must also specify in this location in your java arguments. See Modifying the Java options for Kerberos on WebLogic on page 307 for details. 2. Add the following code to your JAAS bscLogin.conf configuration file:
com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required; };
Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 3. Save and close the file.
Creating the JAAS login configuration file for Oracle Application Server
1. To create the JAAS login configuration file for Oracle Locate the jazn-data.xml file. Note: This default location for this file is C:\OraHome_1\j2ee \home\config. If you installed Oracle Application Server in a different location, find the file specific to your installation. 2. Add the following content to the file between the <jazn-loginconfig> tags:
<application> <name>com.businessobjects.security.jgss.initiate</name> <login-modules> <login-module> <class>com.sun.security.auth.module.Krb5LoginModule</ class> <control-flag>required</control-flag> </login-module> </login-modules> </application>
3.
Save and close the file.
Creating the JAAS login configuration file for WebSphere

1. 2. To create the JAAS login configuration file for WebSphere Create a file called bscLogin.conf if it does not exist. Store it in this location:
306
13
C:\WINNT
3.
Add the following code to your JAAS bscLogin.conf configuration file:

com.businessobjects.security.jgss.initiate { com.ibm.security.auth.module.Krb5LoginModule required;};
Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 4. Save and close the file.
Modifying your Java options for Kerberos on Tomcat

There are two ways you can modify your java options as required for Kerberos, either in the java.security file or on the Java tab for Tomcat. 1. To change the options in the java. security file In the following file, JAVA_HOME\jre\lib\security\java.security, add a line which specifies the location of the file bscLogin.conf:
# Default login configuration file # #login.config.url.1=file:${user.home}/.java.login.config login.config.url.1=file:C:/winnt/bscLogin.conf
2. 1. 2. 3.
Restart Tomcat. To modify the Java options from the Java tab for Tomcat From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini
Replace XXX with the location you stored the file. 4. 5. Close the Tomcat configuration file. Restart Tomcat.
Modifying the Java options for Kerberos on WebLogic

If you are using Kerberos with WebLogic, your Java options need to be modified to specify the location of the Kerberos configuration file and the kerberos login module.
307
13
1. 2.
To modify the Java options from the Java tab for WebLogic Stop the domain of WebLogic that runs your BusinessObjects Enterprise applications. Open the script that starts the domain of WebLogic that runs your BusinessObjects Enterprise applications. Script name startWeblogic.cmd startWebLogic.sh
Operating System Windows Unix 3.
Add the following information to the Java_Options section of the file:

set JAVA_OPTIONS=-Djava.security.auth.login.config=C:/ XXX/bscLogin.conf -Djava.security.krb5.conf=C:/XXX/ krb5.ini
Replace XXX with the location you stored the file. 4. Restart the domain of WebLogic that runs your BusinessObjects Enterprise applications.
Modifying the Java options for Kerberos on Oracle Application Server

If you are using Kerberos with Oracle Application Server, the Java options need to be modified to specify the location of the kerberos configuration file. 1. 2. 3. 4. 5. To modify the Java options for Oracle Application Server Logon to the administration console of your Oracle Application Server. Click on the name of the OC4J instance that runs your BusinessObjects Enterprise applications. Select Server Properties. Scroll down to the Multiple VM Configuration section. In the Command Line Options section, append the following at the end of the Java Options text field: -Djava.security.krb5.conf=C:/XXX/krb5.ini Replace XXX with the location you stored the file. 6. Restart your OC4J instance.
Modifying the Java options for Kerberos on WebSphere

1. To modify Java options for Kerberos on WebSphere Log into the administrative console for WebSphere.
308
For IBM WebSphere 5.1, type this:
13
http://servername:9090/admin.
2.
For IBM WebSphere 6.0, type this:

http://servername:9060/ibm/console
Expand Server, a click on Application Servers and then servername. Note: Replace servername with the name of the application server you created to use with BusinessObjects Enterprise.
3.
Go to the JVM page.
If you are using WebSphere 5.1, follow these steps to get to the JVM page. a. On the server page, scroll down until you see Process Definition in the Additional Properties column. Scroll down and click on Java Virtual Machine.
b. Click on Process Definition. c.
If you are using WebSphere 6.0, follow these steps to get to the JVM page. a. c. On the server page, select Java and Process Management. Select Java Virtual Machine. b. Select Process Definition.
4.
Click Generic JVM arguments then type the location of your Krb5.ini and the location of your bscLogin.conf file. -Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini Replace XXX with the location you stored the file.
5. 6. 7.
Click Apply, and then click Save. Stop the server. Restart the server.
Troubleshooting Kerberos
These steps may help you if you encounter problems when configuring kerberos:
Enabling logging Testing your Java SDK Kerberos configuration
309
13
Enabling logging
1. 2. 3. To enable logging From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Dcrystal.enterprise.trace.configuration=verbose
This will create a log file in the following location:

C:\Documents and Settings\<user name>\.businessobjects\jce_verbose.log
Testing your Java Kerberos configuration
To test your Java Kerberos configuration Run the following command to test your Kerberos configuration, where servact is the service account and domain under which the CMS is running, and password is the password associated with the service account.
C:\Program Files\Business Objects\j2sdk1.4.2_04\bin\kinit.exe" servact@TESTM03.COM Password
If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.
Mapped AD user unable to log on to CMC or InfoView

The following two issues may occur, despite the fact that the users have been mapped to BusinessObjects Enterprise:
Logon failure due to different AD UPN and SAM names on page 310 Pre-authentication error on page 311
Logon failure due to different AD UPN and SAM names

A users Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:
DOMAIN\ABC123
310
13
This problem, which happens with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same, either in case or otherwise. Following are two examples which may cause a problem:
The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name are the same.
There are two ways to address this problem:
Pre-authentication error
A user who has previously been able to log on, can no longer log on successfully. The user will receive this error: Account Information Not Recognized. The Tomcat error logs reveal the following error: Pre-authentication information was invalid (24) This can occur because the Kerberos user database didnt get a change made to UPN in AD. This may mean that the Kerberos user database and the AD information are out of sync. To resolve this problem, reset the users password in AD. This will ensure the changes are propagated correctly. Note: This problem is not an issue with J2SE 5.0.
Configuring Kerberos and single sign-on to the database for Java application servers
Single sign-on to the database is supported for deployments that meet all these requirements:
The deployment of BusinessObjects Enterprise is on a Java web application server. The Java web application server has been configured with AD with Kerberos. The database to which single sign-on is required is a supported version of SQL Server. The groups or users that need access to the database must have been granted permissions within SQL Server.
The final step is to modify the krb5.ini file to support single sign-on to the database for Java.
311
13
Note:
These instructions explain how to configure single sign-on to the database for Java application servers. If you want to configure endto-end single sign-on to the database for Java application servers, you must also configuration required for Vintela single sign-on for Java. For details, see Restart your web application server. on page 312. If you want to configure single sign-on to a database, ensure that you have set the cache security context. For detailed instructions, go to Kerberos authentication in the Windows AD plug-in on page 297.
1.
To enable single sign-on to the database for Java application servers Open the krb5.ini file that is being used for your deployment of BusinessObjects Enterprise. The default location for this file is the WINNT directory on your web application server. Tip: If you cannot find the file in the WINNT directory, check this Java argument for the location of the file:
-Djava.security.auth.login.config
This variable is specified when AD with Kerberos is configured on your Java web application server. 2. 3. 4. 5. Go to the [libdefaults] section of the file. Enter this string prior to the start of the [realms] section of the file:
forwardable = true
Configuring Kerberos and single sign-on for Java InfoView

The following procedure explains how to enable Kerberos single sign-on for Java InfoView. Vintela single sign-on for Java is installed as part of Service Pack 2 of BusinessObjects Enterprise XI Release 2. Note: If you plan to use single sign-on to Java InfoView in a reverse proxy environment, there are a couple of changes required in the following procedure. For details, see Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server on page 207 before proceeding.
312
13
Prerequisites
Before you configure single sign-on for Java InfoView, you must complete configuration prerequisites: these prerequisites are the steps from the General workflow for configuring Kerberos on page 290 and the steps that apply specifically to your type of Java application server. Also, ensure that single sign-on is enabled in the Authentication page of the CMC. For details, go to Kerberos authentication in the Windows AD plug-in on page 297. See these sections for the configuration steps that apply specifically to your Java application server:
Workflow for configuring Tomcat for Kerberos on page 291 Workflow for configuring WebSphere for Kerberos on page 291 Workflow for configuring WebLogic for Kerberos on page 291 Workflow for configuring Oracle for Kerberos on page 291
Note: Single sign-on to Java InfoView is only supported when BusinessObjects Enterprise services are installed on a supported Windows platform. Supported application servers can be deployed on supported platforms other than Windows. For a complete list of supported platforms, see the Platforms.txt file included on your product CD.
Workflow for configuring Kerberos single sign-on to Java InfoView

To configure Kerberos single sign-on for Java InfoView you must complete the six steps in this table. Step 1 Create a service account. Detailed steps are included in the section Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. on page 314 Set an SPN for your web application server Detailed steps are included in the section Step 2: Creating an SPN for your web application server on page 315 Reset the service account password Detailed steps are included in the section Step 3: Reset the service account password on page 315
Step 2
Step 3
313
13
Step 4
Create and place a keytab file Detailed steps are included in the section Step 4: Create and place a keytab file on page 316 Edit the web.xml file Detailed steps are included in the section Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 Ensure the HTTP header size of your Java application server is sufficient. Detailed steps are included in the section Step 6: Increasing the header size limit of your Java application server on page 321
Step 5
Step 6
The following sections describe how to complete each of these steps. In addition to the steps you must complete, you may also want to change either of these configurable items available with Vintela single sign-on for Java:
The level of error logging recorded. The text users receive if their authentication with Vintela single sign-on for Java fails. Modifying the Vintela logon error page on page 325 Controlling logging with Vintela single sign-on for Java on page 322
For details, see these sections:
The final section Alternate url to access InfoView on page 324, explains why there is an alternate page provided and lists the url for this page.
Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java.
To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller. 1. 2. 3. 4. To register the service: On the Domain Controller open the Active Directory Users and Computers snap in. Click the Users folder to display a list of users and on the Action menu, click New and then click User. Enter a name and logon name for the new service, and then click Next. On the next screen, enter a password for the service. Ensure that the option called User must change password at next logon is not selected.
314
13
5. 6. 7.
Click Next and then click Finish. Right-click the user you have entered in the User folder list, and then click Properties to open the Properties dialog box. Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from ever expiring, which would cause Kerberos errors.
8. 9.
Select Use DES encryption types for this account. This will allow you to configure the KerberosFilter using a keytab file. Click OK.
Note: In some Active Directory Users and Computers snap ins, the option called Account is trusted for delegation is not available until a mapped Service Principal Name has been created. If you do not see this option, complete the steps in the next section, then open the user account in the AD Users and Computers snap in and select the Delegation tab. You can enable it from here.
Step 2: Creating an SPN for your web application server

Note: Make sure that the SPN you are creating does not already exist and is mapped to another account. If so, you must remove this SPN with the setspn utility. 1. 2. To create an SPN for your web application server Launch a command prompt and navigate to your Support Tools folder. Execute the following command: ktpass -princ HTTP/host@REALM -mapuser user Where: <host> is the fully-qualified domain name of the server where the Java Application Server is installed. (For example, server.example.com) <REALM> is the Active Directory realm in which the server is located. (For example, EXAMPLE.COM). <user> is the logon name of the user account you created above.
Step 3: Reset the service account password

To prevent Kerberos integrity-check failures, you should reset the password of the user account you created in step 1.
315
13
1.
To reset the password On the Domain Controller with Active Directory installed, on the Start menu click Programs > Administrative Tools > Active Directory Users and Computers. Right-click the user account that you created previously and click Reset Password. Enter and confirm the same password that you entered previously. Ensure that User must change password at next logon is not selected an click OK.
2. 3. 4.
Step 4: Create and place a keytab file

You can configure the KerberosFilter to either use a password or a keytab file. A keytab file allows the KerberosFilter to be configured without exposing the password of the user account on the web application machine. A keytab file is the recommended method because it is more secure than an exposed password. 1. To create and place keytab file Run ktpass with the following arguments at command prompt: ktpass -out keytab_filename -princ HTTP/host@REALM -pass user_password -kvno 255 Where: keytab_filename is the name of the keytab file we want to generate. (Ex host.keytab) HTTP/host@REALM is the SPN used (for example, HTTP/ MACHINE.DOMIAN.COM@DOMAIN.COM) user_password is the password of the user used in the Map a Service Principle Name (SPN) section 2. Copy the generated keytab file onto the java application machine and place in your chosen location. Note:
The keytab is usually found in the same folder as your ktpass support tool unless you specified a different location. Typically the keytab is stored in C:/WINNT or C:/Windows.
Step 5: Enabling Vintela single sign-on for Java in the web.xml file
Note: If you are using WebLogic as your application server, read WebLogicspecific instructions on page 319 before proceeding.
316
13
1.
To enable Vintela single sign-on in the web.xml file Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
Find the following parameters and make the appropriate changes: <param-name> Original <param-value> cms.default New <param-value>
your CMS name and port your CMS name and port number number. SecWinAD false true false
authentication.d SecEnterprise efault siteminder.enabl true ed vintela.enabled sso.enabled 3. false false
Find the following section in the web.xml file:

<!- - Uncomment the following filter and mapping to enable the filter for Vintela SSO. Set idm.realm to the Active Directory realm where the server is in and idm.princ to the service principal name. - - >
4.
Remove the comment start tag that immediately follows this comment as well as its corresponding end tag.
317
13
5.
In this section find the following parameters and make the appropriate changes. <paramname> idm.realm Original <param-value> YOUR_REALM New <param-value> Default realm for AD. This should be the same value you set when you configured the default_realm in your krb5.ini file Note: Value must be in upper case The SPN you created. It must follow the format: HTTP/ Hostname Where Hostname is the fully qualified domain name of your machine. false true, unless you are planning to use SSL.
idm.princ
YOUR_PRINCIPAL
idm.allowNTLM false idm.allowUnsec true ured 6.
Add the idm.keytab parameter. In the Vintela section of the web.xml file add the following lines. Note: Place it after the idm.princ parameter and values.
<init-param> <param-name>idm.keytab</param-name> <param-value>PATH_TO_YOUR_KEYTAB_FILE</param-value> </init-param>
Where Path_To_Your_Keytab_File is the directory path to the location of your keytab file. Ex.C:\WINNT\host.keytab Note: Only add the above parameter if you have chosen to use a keytab file. If you have chosen to use a password do not add this parameter. 7. 8. Save and Close the file. Restart your web application server.
Note: If you are using WebLogic, go to Modifying the web.xml in the war package on page 320.
318
13
WebLogic-specific instructions
If you are using WebLogic as your application server, you may not find the commented section in the Vintela xml properties that is mentioned in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316. This is because WebLogic Builder, which is used in preparing the war files for deployment, removes the commented portions of the web.xml file. Therefore, you must add the following xml to the web.xml file before proceeding with Step 5:
<filter> <filter-name>authFilter</filter-name> filter class>com.businessobjects.sdk.credential.WrappedResponse AuthFilter</filter-class> <init-param> <param-name>idm.realm</param-name> <param-value>YOUR_REALM</param-value> </init-param> <init-param> <param-name>idm.princ</param-name> <param-value>YOUR_PRINCIPAL</param-value> </init-param> <init-param> <param-name>idm.allowUnsecured</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>idm.allowNTLM</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>idm.logger.name</param-name> <param-value>simple</param-value> <description> The unique name for this logger. </description> </init-param> <init-param>
319
13
<param-name>idm.logger.props</param-name> <param-value>error-log.properties</param-value> <description> Configures logging from the specified file. </description> </init-param> <init-param> <param-name>error.page</param-name> param-value> <param-value>/InfoView/logon/vintelaError.jsp</ <description> The URL of the page to show if an error occurs during authentication. </description> </init-param> </filter> <filter-mapping> <filter-name>authFilter</filter-name> <url-pattern>/InfoView/logon/logon.do</url-pattern> </filter-mapping>
Return to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the steps there.
Modifying the web.xml in the war package

Note: Every time you restart WebLogic the web.xml will be overwritten and you will lose the above section. In order to circumvent this issue it is suggested you modify the web.xml in the actual war package. 1. To modify the web.xml file in the war package Locate the desktop.war file. On Windows, the file is located at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 11.5\java\applications If you did not modify the default installation location, replace
<DeployedLocation> with C:\Program Files\
2.
Create a folder called WEB-INF and place the modified web.xml file in this folder.
320
13
Note: You must configure the web.xml file with the steps described in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 first. 3. 4. 5. Open a command window. Change directories to the folder containing the deksktop.war Execute the following command:
<DeployedLocation>\j2sdk1.4.2_08\bin\jar uf desktop.war WEB-INF/web.xml
If you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects 6. Go back to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the tasks outlined there.
Step 6: Increasing the header size limit of your Java application server
Active Directory creates a Kerberos token which is used in the authentication process. This token is stored in the HTTP header. Your Java application server will have a default HTTP header size and you should ensure a minimum size of 16384 bytes to avoid failures. 1. To configure the HTTP header size with Tomcat On the server with Tomcat installed, open the server.xml file. On Windows, this file is located at <TomcatDeployedLocation>/conf
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <TomcatDeployedLocation> with C:\ProgramFiles\Business Objects\Tomcat\ If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
Find the corresponding <Connector > tag for the port number you have configured. If you are using the default port of 8080, find the <Connector > tag with port=8080 in it. For example:
321
13
3.
Add the following value within the <Connector > tag:

maxHttpHeaderSize=16384
For example:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=16384 minSpareThreads="25" port="8080" redirectPort="8443" />
4. 5.
Save and close the server.xml file. Restart Tomcat.
Note: For other Java application servers, consult your java application servers documentation.
Controlling logging with Vintela single sign-on for Java

Vintela single sign-on for Java uses Apache log4j logging. The name of the log file and the level of logging recorded are controlled by these:
The settings related to Vintela logging in the web.xml for InfoView. The setting in the log4j properties file.
For more efficient problem determination, you may want to use the log files that are used to capture error or warning messages.
322
13
The table which follows summarizes what you can control about error logging with Vintela in the web.xml file for InfoView: <param-name> idm.logger.name Use of parameter The name of the log file is specified in the <param-value> for this parameter. This must be a unique name not in used by any other implementation of log4j logging on your web application. The <param-value> for this parameter can be set to three things: (blank), BASIC or
AnythingElse.
idm.logger.props
If the <param-value> for idm.logger.props is set to (blank), no logging will be performed. If the <param-value> for idm.logger.props is set to BASIC, basic errors will be logged and errors will be sent to the standard output. If the <param-value> for idm.logger.props is set to anything other than or BASIC, Vintela will look for a properties file that matches the value you set. Vintela will look for this properties file in the WEB-INF directory for InfoView. For example, if you specify BOE for your <param-value>, Vintela will look in the WEBINF directory for Infoview for this file:
BOE.properties
You must create the properties file if you specify that one is to be used. For details see What to specify in your log4j properties file on page 323.
What to specify in your log4j properties file

If you specify that you want to use a properties file in the <param-value> for idm.logger.props in the web.xml file for InfoView, you must also create the properties file you specified in the WEB-INF directory for InfoView. These are the basic requirements:
Defining which logger to use. Defining what level of logging to perform in this properties file.
323
13
For details on the syntax to use in the file and details on the of valid options of an Apache log4j properties file, see the following url:
http://jakarta.apache.org/log4j/docs/api/index.html
To change the level of logging provided with Vintela single sign-on for Java 1. Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF
If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.
2.
If you want to have the output from error logging written to a file, find this string:
<param-name>idm.logger.name</param-name>
3. 4.
In the <param-value> for idm.logger.name, enter the name for your log file. If you want to use a properties file to define the logger used and level of logging recorded, find this string:
<param-name>idm.logger.props</param-name>
5.
In the <param-value> for idm.logger.props, enter the name for your properties file. Note: If you set this value to anything other than or BASIC, you must also define the logger used and define level of logging in the properties file you specify. For details, on the logging parameters available, see the table in the section Controlling logging with Vintela single sign-on for Java on page 322
6.
Save and close your file.
Alternate url to access InfoView

A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.
324
13
This is the default url used to access InfoView:

http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/logon.do
This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonForm.do
Modifying the Vintela logon error page

When authentication using Vintela single-sign-on for Java fails, Internet Explorer will attempt NTLM authentication. This will happen each time another logon attempt is made until the browser session ends, even if the underlying cause of failure has been resolved. To reduce the number of support calls received by an administrator, an error page will be displayed for the user. This error page informs users of this behavior and instructs them to close their browser so that the next attempt can be successful, provided the underlying cause of the problem has been resolved. 1. To customize the text displayed on the Vintela error page Open the file vintelaError.jsp file found in this location: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\I nfoView\logon\ If you installed Tomcat with your installation, and did not modify the default location, you can replace DeployedLocation with this: C:\Program Files\Business Objects\Tomcat\webapps If you modified the default location for Tomcat, or used another supported Java application server, substitute the path applicable for deployment. 2. 3. 4. Change the text of the message as required. Save and close the file. Restart your web application server.
A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.
This is the default url used to access InfoView:

http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/logon.do
325
13
This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonform.do
Configuring Internet Explorer browsers

In order to support Kerberos single sign-on, you must configure BusinessObjects Enterprise clients. This includes:
Configuring IIS for database single sign-on on page 281. Configuring the Internet Explorer (IE) browser on the client machines. Note: You can automate this through a registry key or use the following steps.
1. 2.
Configuring the IE browser on the client machines On the client machine open and IE browser window. Enable integrated Windows authentication 1. 2. 3. On the Tools menu click Internet Options. Click the Advanced tab. Scroll to Security, select Enable Integrated Windows Authentication, and then click Apply.
3.
Add IIS to the trusted sites. You can enter the full domain name of the site. 1. 2. 3. 4. 5. On the Tools menu click Internet Options. Click the Security tab. Click Sites and then click Advanced. Type the web site for IIS and click Add. Click Ok until the Internet Options dialog box closes.
4. 5.
Close and reopen the IE browser window for these changes to take effect. Repeat all of these steps on each BusinessObjects Enterprise client machine.
326
33
Trusted Authentication
chapter
14
Trusted Authentication Enabling Trusted Authentication
Enabling Trusted Authentication

Users prefer to log on to the system once, without needing to provide passwords several times during a session. Trusted Authentication provides a Java single sign-on solution for integrating your BusinessObjects Enterprise authentication solution with third-party authentication solutions. Applications that have established trust with the Central Management Server can use Trusted Authentication to allow users to log on without providing their passwords. To enable Trusted Authentication, you must configure both the server, through the CMC, and the client, in the web.xml file.
Configuring the server for Trusted Authentication on page 328 Configuring Trusted Authentication for the client on page 329
If you are using Business Process BI Web Service, you also must configure the BusinessProcessBI.properties file. See Configuring Trusted Authentication for Business Process BI on page 334 for details. Note: Before you are able to use Trusted Authentication, you must have either created Enterprise users or mapped the third-party users you will be using to sign on to BusinessObjects Enterprise.
Configuring the server for Trusted Authentication

1. 2. 3. 4. 5. 6. To configure the server to use Trusted Authentication Log on to the Central Management Console with administrative rights. Go to the Authentication management area of the CMC. Click the Enterprise tab. Scroll down until you see Trusted Authentication. Click Trusted Authentication is enabled. Enter a string in the Shared Secret field. Note: The shared secret is used by the client and the CMS to establish trust. You must also configure the client after you finish the Trusted Authentication configuration for the server. See Configuring Trusted Authentication for the client on page 329 for details. 7. Specify a timeout value for your trusted authentication requests. Note: The timeout value is the maximum amount of time, in milliseconds, that the clock on the client and clock and the CMS can differ. If you enter 0, the amount of time the two clock times can differ is unlimited. It is not recommended you set this value to 0 as this may increase your vulnerability to replay attacks.
328
14
8.
Click Update.
Configuring Trusted Authentication for the client

1. To configure Trusted Authentication for the client Open the web.xml file for InfoView from its deployed location on your web application server.
If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: C:\Program Files\Business Objects\Tomcat\webapps\ If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.
2. 3.

Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber Find this string in the file: <param-name>sso.enabled</param-name> Change the <param-value> for sso.enabled from false to true.
4. 5. 6.

329
14
7.
Change the <param-value> for siteminder.enabled from true to false.

8. 9.

<param-name>trusted.auth.user.retrieval</param-name>
Specify the way in which you want to use to retrieve the user name.
330
14
Enter the <param-value> from the table that corresponds with the user retrieval method you want to use. <param-value> REMOTE_USER How the User name will be retrieved The user name will be retrieved from a call to getRemoteUser() on the HttpServletRequest object for the current request in a servlet or JSP. The user name is retrieved from the contents of a specified HTTP header. Note: You must define which http header you want to use retrieve the user name. You define the http header to use is defined in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified parameter of the request URL. Note: You must define which query string parameter you want to use to retrieve the user name. You define query string parameter to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified cookie. Note: You must define which cookie you want to use to retrieve the user name. You define the cookie to use in the trusted.auth.user.param in the web.xml file for InfoView.
HTTP_HEADER
QUERY_STRING
COOKIE
331
14
<param-value> WEB_SESSION
How the User name will be retrieved The user name is retrieved from the contents of a specified session variable. Note: You must define which web session variable want to use to retrieve the user name. You define the web session variable to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from a call to getUserPrincipal().getName() on the HttpServletRequest object for the current request in a servlet or JSP.
USER_PRINCIPAL
Note:
There are various mechanisms that populate the user name. Configure or set up your web application server so that your user names are exposed before you use these user retrieval name methods. See http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/ http/HttpServletRequest.html for further information. Some web application servers require that you have the environment variable REMOTE_USER set to true on your web application server. See the documentation specific to your web application server for details on whether this is required. If it is required, ensure the environment variable is set to true if you are using this method of user name retrieval.
10. If you selected HTTP header, URL query string, cookie or web session, find this string:
<param-name>trusted.auth.user.param</param-name>
Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 11. Enter the variable name to use to retrieve the user name in the <paramvalue> for trusted.auth.user.param.
If you are using the HTTP header as your method of retrieving the user name, enter the name for the HTTP header variable. If you are using a URL query string parameter as your method of retrieving the user name, enter the name for the parameter. If you are using a cookie as your method of retrieving the user name, enter the name for the cookie.
332
14
If you are using a web session variable as your method of retrieving the user name, enter the name for the web session variable.
Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 12. Decide how you want to retrieve the shared secret.
To retrieve the shared secret from a file. a. Create a file called TrustedPrincipal.conf. b. Store the file in the platform specific directory of Business Objects. This table specified the location where the TrustedPrincipal.conf file should be stored, based on your platform.
Platform Windows, default installation
Location of TrustedPrincipal.conf C:\Program Files\Business Objects\BusinessObjects
Enterprise 11.5\win32_x86\ plugins\auth\secEnterprise
Windows, modified <INSTALLDIR>/BusinessObjects default install directory Enterprise 11.5\win32_x86\ plugins\auth\secEnterprise Note: Replace INSTALLDIR with your installation directory. AIX
aix_rs6000/plugins/auth/ secEnterprise
<INSTALLDIR>/bobje/enterprise115/
Solaris
solaris_sparc/plugins/auth/ secEnterprise hpux_pa-risc /plugins/auth/secEnterprise linux_x86/plugins/auth/ secEnterprise
HP_UX
Linux
c.
Define the string you want to use for the shared secret. Enter the following in the file, where String is the shared secret string you want to use.
SharedSecret=String
333
14
d. Save and close this file.
To retrieve the shared secret from a session variable. a. Find this string in the web.xml file:
<param-name>trusted.auth.shared.secret</paramname>
b. Enter the session variable name from which to retrieve the shared secret in the </param-value> for
trusted.auth.shared.secret.
Note: Business Process BI Web Services does not support retrieving the shared secret from a session variable. 13. Save and close the file. 14. Restart your web application server.
Configuring Trusted Authentication for Business Process BI

If you are using Business Process BI and you are using Trusted Authentication, you must configure the BusinessProcessBI.properties file in addition to configuring the CMC and the web.xml. 1. To configure Trusted Authentication for Business Process BI Open the BusinessProcessBI.properties file from the following location on your web application server:
<DeployedLocation>businessobjects\enterprise115\Business ProcessBI\WEB-INF\classes
Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\. If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. Find this line:
bisecurity.trustedAuthentication.enabled = false
Change the value false to true. Save and close the file. Restart your web application server.
334
14
Configuring Trusted Authentication on a separate web application server

Follow these steps if you plan to use Trusted Authentication and you want deploy Business Process BI Services on a different web application server without the BusinessObjects Enterprise components. This step is required because, although there are no BusinessObjects Enterprise components installed on you web application server, the default behavior is to look in specific folder for the TrustedPrincipal.conf file. To configure Trusted Authentication when Business Process BI Services on a different web application server 1. Copy the BusinessProcessBI.war file from the machine where it was installed to the machine where you want it deployed. 2. Create the directory structure applicable to the platform of your deployment. These are the choices:
<INSTALLDIR>\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterprise <INSTALLDIR>/bobje/enterprise115/solaris_sparc/ plugins/auth/secEnterprise <INSTALLDIR>/bobje/enterprise115/aix_rs6000/plugins/ auth/secEnterprise <INSTALLDIR>/bobje/enterprise115/linux_x86/plugins/ auth/secEnterprise
<INSTALLDIR>/bobje/enterprise115/hpux_pa_risc/plugins/auth/
secEnterprise
Note: INSTALLDIR can be any location you want. 3. 4. 5. Place your configured TrustedPrincipal.conf in the folder you just created. Specify the location of INSTALLDIR in this java argument:
-Dbobj.enterprise.home=<INSTALLDIR>
Deploy the war file.
Note: If GetDocumentURL methods are used, InfoView must also be deployed, but not necessarily on the same web application servers. See the Business Process BI Services Guide for more information.
335
14
336
Improving Performance
chapter
15
Improving Performance Improving performance
Improving performance
It is good practice to regularly assess the performance of your system and make changes to account for future growth and potential problem areas. First, you need to assess the current performance of your system. You can assess your systems performance by talking to your users and delegated administrators, and by studying your system metrics. When you have an idea of potential problem areas, you can compare your systems performance to expected service thresholds. After you identify performance issues, you can take steps to account for them by scaling your system or adjusting your configuration settings.
Assessing your systems performance on page 338 Resolving performance issues on page 348
Note: This section is for improving the performance of an existing deployment. For information about If you havent deployed your system yet, see Planning Your Deployment on page 57.
Assessing your systems performance

Before you change your settings to enhance performance, you need to determine how well your system is currently performing. BusinessObjects Enterprise provides server metrics that allow you to monitor and assess your current processing problem areas. To effectively assess your systems performance, you need to:
Assess user needs. Get qualitative feedback from your users. See Assessing user needs on page 339. Analyze server metrics. Check the server and system logs. For detailed instructions, see Analyzing server metrics on page 339. Evaluate the performance of each server component. Compare the current system usage to recommended service thresholds. Determine the required number of processors, services, and machines. For more information, see Evaluating your systems performance on page 346.
338
Improving Performance Assessing your systems performance
15
Assessing user needs

Talk to your users and delegated administrators. They can help you determine which areas of your system are currently experiencing performance issues, if any. They can also let you know where to anticipate higher system traffic in the future. And there may be areas of the system that are not being used at all. For example, if your organization is hiring new people in the finance department, the usage of financial reports will probably increase. If the financial reports are Web Intelligence documents, you may need to add a Web Intelligence Report Server to handle the extra processing. Or if youre planning to switch from Web Intelligence documents to Crystal reports, you may not need a Web Intelligence Report Server at all. It is good practice to conduct a company-wide survey concerning BusinessObjects Enterprise usage in order to capture all of the current problems and future changes. Ask your users about current performance concerns, their average daily usage, and their anticipated future usage:
What types of tasks are they performing and how often? Have they noticed slow performance when performing particular tasks? What types of objects do they use most often? Have they noticed slow performance when using particular types of objects? Do they anticipate increasing or decreasing their use of the system in the near future? Are they hiring new people? Do they plan to use BusinessObjects Enterprise to perform more tasks in the future?
It is good practice to regularly re-assess your organizations needs. Follow the steps you used when planning your deployment. For detailed instructions, see Assessing your organizations needs on page 58. When you have a sense of the organizations performance issues, you can verify them by viewing the current system metrics.
Analyzing server metrics

After you assess user needs, you can verify your users current performance concerns by monitoring system activity. Server metrics may also reveal other areas where high server traffic may be an issue.
339
15
The CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity. Tip: For an example of how to use server metrics in your own web applications, see the View Server Summary sample on the BusinessObjects Enterprise Admin Launchpad.
Viewing current server metrics

The Servers management area of the CMC displays server metrics that provide statistics and information about each BusinessObjects Enterprise server. The general information displayed for each server includes information about the machine that the server is running onits name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The general information also includes the time the server started and the version number of the server. 1. 2. 3. To view server metrics Go to the Servers management area of the CMC. Click the link to the server whose metrics you want to view. Click the Metrics tab.
The Metrics tabs for the following servers include additional, server-specific information: Input and Output File Repository Servers For each File Repository Server, the Metrics tab provides the following metrics:
the number of bytes sent and received the number of active files and active client connections the total available hard disk space
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the root directory of the files that the server maintains the maximum idle time
Each File Repository Server also has an Active Files tab, which lists the file name, the number of readers, and the number of writers for each active file. Cache Server For each Cache Server, the Metrics tab provides the following metrics:
340
15
the total threads running the number of bytes transferred the number of current connections the current cache size the number of requests served the cache hit rate the number of requests that are queued
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous processing threads the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the location of the cache files the maximum cache size the number of minutes between refreshes from the database
The Metrics tab also provides a table that lists the Page Servers that the Cache Server has connections to, along with the number of connections made to each Page Server. Central Management Server For the CMS, the Metrics tab lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any users link to view the associated account details. Connection Server For the Connection Server, the Metrics tab lists the current settings, which you can change on the Properties tab:
HTTP and CORBA protocol settings trace settings connection pooling the timeout duration for inactive jobs
Job Servers The Metrics tabs of these servers lists the following metrics:
the location of its temporary files the processing mode the current number of jobs that are being processed
341
15
the total number of requests received the total number of failed job creations
Note: This applies to all types of Job Servers, including Crystal Reports Job Servers, Program Job Servers, Destination Job Servers, List of Values Job Servers, Desktop Intelligence Job Servers, and Web Intelligence Job Servers. Desktop Intelligence Cache Server For each Desktop Intelligence Cache Server, the Metrics tab provides the following metrics:
the current cache size the number of bytes transferred the number of current connections the number of requests served the cache hit rate the number of requests that are queued
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of the cache files whether or not report jobs are shared the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the number of documents to keep in the cache when the cache is full the maximum cache size whether or not to share report data between clients the number of minutes between refreshes from the database
The Metrics tab also provides a table that lists the processing servers that the Desktop Intelligence Cache Server has connections to, along with the number of connections made to each server. Note: This server processes information only for Desktop Intelligence documents. Desktop Intelligence Report server For the Desktop Intelligence Report Server, the Metrics tab provides the following metrics:
the number of current connections the current number of open processing threads running the total number of requests served
342
15
the total bytes transferred the number of requests queued the maximum number of child processes the number of failed requests
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of temporary files the number of minutes before an idle connection is closed the maximum number of simultaneous report jobs the maximum number of operations allowed before resetting a report job whether a viewer refresh always hits the database whether or not report jobs are shared the number of minutes before an idle report job is closed the number of preloaded report jobs whether or not to share report data between clients the oldest processed data given to a client VBA settings
Note: This server processes information only for Desktop Intelligence documents. Event Server For the Event Server, the Metrics tab displays statistics for each file that the server is monitoring, including the file name and the last time the event occurred. Crystal Reports Page Server For the Page Server, the Metrics tab provides the following metrics:
the number of current connections the number of requests queued the current number of processing threads running the total number of requests served the number of failed requests the total bytes transferred
The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous report jobs the number of minutes before an idle connection is closed
343
15
the maximum number of database records shown when previewing or refreshing a report whether a viewer refresh always hits the database the setting for the Report Job Database Connection the location of temporary files the maximum number of subprocesses the minutes before a report job is closed the oldest processed data given to a client
Note: This server processes information only for Crystal Reports objects. Report Application Server The Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created. Web Intelligence Report Server For the Web Intelligence Report Server, the Metrics tab provides the number of current requests and the total number of requests. The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:
the maximum number of connections the number of minutes before an idle connection is closed whether or not to enable document caching whether or not to enable real-time caching the number of minutes allowed for document caching the size of the document cache whether or not to enable list of values caching the batch size for lists of values the maximum size allowable for custom sorting a list of values the size of the universe cache the percentage of documents to keep in the cache when the cache is full the maximum number of minutes allowed for scanning the document cache the maximum number of downloaded documents to cache the maximum size of binary and character files
Note: This server processes information only for Web Intelligence documents.
344
15
Viewing system metrics

The Settings management area of the CMC displays system metrics that provide general information about your BusinessObjects Enterprise installation. The Properties tab includes information about the product version and build. It also lists the data source, database name, and database user name of the CMS database. The Metrics tab lists current account activity, along with statistics about current and processed jobs. The Cluster tab lists the name of the CMS you are connected to, the name of the CMS cluster, and the names of other cluster members. 1. 2. To view system metrics Go to the Settings management area of the CMC. View the contents of the Properties, Metrics, and Cluster tabs. For more information about licenses and account activity, see the Managing Licenses chapter of the BusinessObjects Enterprise Administrators Guide. For information about CMS clusters, see Clustering Central Management Servers on page 114.
Related topics:
Logging server activity

BusinessObjects Enterprise allows you to log specific information about BusinessObjects Enterprise web activity. For details on locating and customizing the web activity logs, see Configuring the Web Component Adapter on page 108.
In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating systems standard system log.
On Windows NT/2000, BusinessObjects Enterprise logs to the Event Log service. You can view the results with the Event Viewer (in the Application Log). On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application. Each server prepends its name and PID to any messages that it logs.
345
15
This example shows two messages logged to the syslog daemon on UNIX:
Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:
On Windows, the default logging directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Logging On UNIX, the default logging directory INSTALL_ROOT/bobje/logging directory of your installation.
The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.
Evaluating your systems performance

After you collect enough anecdotal and statistical information about your BusinessObjects Enterprise deployment, you can begin to isolate problem areas. Use the server metrics to verify the user feedback. Do the server metrics confirm your users performance concerns? If not, the performance issue may be caused by something besides your BusinessObjects Enterprise configuration, such as your network speed, the structure of the database, or the complexity of your report design. Then compare the current usage to the recommended service thresholds. By comparing these numbers, you can rate each servers performance and create a list of minor, moderate, and major performance risks. 1. To evaluate your systems performance Make a list of all server components in your deployment.
346
15
2.
For each server component, compare the information you received from your users to the server metrics in the Central Management Console. Note: For information, see Analyzing server metrics on page 339. Compare the servers current traffic metrics to the recommended service thresholds. Pay particular attention to the number of simultaneous requests and user connections. For a list of the recommended service thresholds, see Analyzing service thresholds on page 64. For information about making resource calculations, see Calculating the minimum resource requirements on page 71.
3.
4.
Sort the server components into the following categories: Minor performance risk: A server component is considered a minor risk if a low percentage of your users report performance problems and the server metrics do not reflect the same problems. Moderate performance risk: A server component is considered a moderate risk if the server metrics show that the current usage is close to the limit of the recommended service thresholds. You may also want to flag a server component as a moderate risk if a high percentage of users report performance issues, or if you expect an increase in usage that will cause the current usage numbers to meet the service thresholds. Major performance risk: A server component is considered a major performance risk if the server metrics show that current usage significantly exceeds the minimum service thresholds. You may also want to flag a server component as a major risk if you expect a substantial increase in usage that will cause the usage numbers to exceed the service thresholds.
5.
After you isolate the key problem areas and the severity of the performance issues, proceed to the next section: Resolving performance issues on page 348.
347
15
Improving Performance Resolving performance issues
Resolving performance issues

After you assess your system and determine the potential trouble areas, you can develop a strategy for resolving performance issues. The appropriate solution for each server depends on the level of performance risk and the type of server. Note: For more information about evaluating your systems performance, see Evaluating your systems performance on page 346.
For minor or moderate performance issues, users encounter occasional performance issues or your system approaches the limits of the recommended service thresholds. You may be able to resolve these issues by fine-tuning your system configuration. For more information, see Configuring the intelligence tier for enhanced performance on page 351 and Configuring the processing tier for enhanced performance on page 354.
For major performance issues, your server traffic significantly exceeds the recommended service thresholds. You should consider expanding the system by adding servers to account for the problem areas. For more information about scaling considerations, see Scaling your system on page 366. For installation instructions, see the BusinessObjects Enterprise Installation Guide.
For example, when you install a default deployment of Business Objects Enterprise, one Web Intelligence Report Server is installed by default. This deployment will easily meet your needs if you have under 20 concurrent active users accessing the Web Intelligence Report Server by working with xCelsius or Web Intelligence documents. If you have 20 to 30 users accessing the Web Intelligence Report Server, you may encounter some performance issues because you are reaching the limits of the recommended service threshold. To account for some of these problems, you can tweak the Web Intelligence Report Server settings. (For details, see Modifying performance settings for the Web Intelligence Report Server on page 357.) However, if your traffic is significantly higher than the service threshold (such as 50 concurrent active users using the Web Intelligence Report Server) then you need to scale your system to include more instances of the Web Intelligence Report Server service. The following table provides a quick reference for troubleshooting performance for each type of server component:
348
15
Server type CMS
Performance risk
Solutions
Minor/moderate
Because the CMS manages the entire system, problems that appear to be CMS issues may be caused by the server components managed by the CMS. It is good practice to check the performance of all other services before adding new CMS services. For other information about advanced CMS configuration, see Advanced server configuration options on page 146. Install additional CMS services. For information, see Increasing overall system capacity on page 367. Change how often the Event Server checks for file events. For more information, see Modifying the polling time of the Event Server on page 351. It is unlikely that you will encounter major performance issues with the Event Server. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366. You can resolve many issues by changing Cache Server properties such as the maximum cache size and the number of minutes between database refreshes. For more information, see Modifying Cache Server performance settings on page 352. If your system exceeds 400 simultaneous requests, install an additional Cache Server. See Scaling your system on page 366. If the number of simultaneous jobs does not exceed the recommended threshold of 20 jobs, check the Maximum Jobs Allowed setting. For more information, see Modifying performance settings for job servers on page 355. If the Job Server is running more than 20 simultaneous jobs on average, install another Job Server service. See Scaling your system on page 366.
Event Server
Major
Minor/moderate
Major
Cache Server
Minor/moderate
Job Servers
Major
Minor/moderate
Major
349
15
Server type Desktop Intelligence Report Server
Performance risk
Solutions
Minor/moderate
If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying Desktop Intelligence Report Server performance settings on page 356. If the number of concurrent active users exceeds 25, install addition servers. See Scaling your system on page 366. If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying performance settings for the Web Intelligence Report Server on page 357. If the number of concurrent active users exceeds 25, install addition servers. See Increasing Web Intelligence document processing capacity on page 368. If the problem seems to be related to database access, see Modifying database settings for the RAS on page 360. To adjust the Report Application Servers settings for connection idle time and the maximum number of simultaneous threads, see Modifying performance settings for the RAS on page 362. If your users run more than 200 simultaneous requests, install additional Report Application Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369. You can change how a Page Server handles data and user connections by fine-tuning its settings. See Modifying Page Server performance settings on page 363. If the Page Server is handling more than 400 simultaneous viewing sessions, install more Page Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369.
Major
Minor/moderate
Major
Minor/moderate
Major
Page Server
Minor/moderate
Major
350
15
Configuring the intelligence tier for enhanced performance

This section provides instructions for configuring settings for components from the intelligence tier. You can adjust the settings to account for minor and moderate performance issues. Note: For more information about the intelligence tier, see Intelligence tier on page 37. Configuring the intelligence tier includes:
Configuring the CMS on page 351 Modifying the polling time of the Event Server on page 351 Configuring the File Repository Servers on page 352 Modifying Cache Server performance settings on page 352
Configuring the CMS

Because the CMS manages the entire system, problems that appear to be CMS issues are often caused by the server components managed by the CMS. It is good practice to check the performance of all other services before changing the CMS settings or adding and clustering new CMS services. For information about changing CMS settings, see Configuring the application tier on page 108. For information about configuring and clustering CMS servers, see Clustering Central Management Servers on page 114
Modifying the polling time of the Event Server

The Properties tab of the Event Server allows you to change the frequency with which the Event Server checks for file events. This File Polling Interval in Seconds setting determines the number of seconds that the server waits between polls. The minimum value is 1 (one). It is important to note that, the lower the value, the more resources the server requires. Tip: On Windows, you can also change this setting in the CCM. Stop the Event Server and view its Properties. Then click the Configuration tab. 1. 2. 3. 4. To modify the polling time Go to the Servers management area of the CMC. Click the link to the Event Server whose settings you want to change. Make your changes on the Properties tab. The value that you type must be 1 or greater. Click Update.
351
15
5.
Return to the Servers management area of the CMC.
Configuring the File Repository Servers

The Properties tabs of the Input and Output File Repository Servers allow you to set the maximum idle time. For more information, see Setting root directories and idle times of the File Repository Servers on page 130.
Modifying Cache Server performance settings

The Properties tab of the Cache Server allows you to set the location of the cache files, the maximum cache size, the maximum number of simultaneous processing threads, the number of minutes before an idle job is closed, and the number of minutes between refreshes from the database. 1. 2. 3. To modify Cache Server performance settings Go to the Servers management area of the CMC. Click the link to the Cache Server whose settings you want to change. Make your changes on the Properties tab. In this example, the Cache Server retains its default settings.
4.
Click either Apply or Update:
352
15
Location of the Cache Files

The Location of the Cache Files setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored. Note: The cache directory must be on a drive that is local to the server.
Maximum Cache Size Allowed

The Maximum Cache Size Allowed setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 Kbytes, which is large enough to optimize performance for most installations.
Maximum Simultaneous Processing Threads

The Maximum Simultaneous Processing Threads setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to Automatic, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide. If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance. However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Minutes Before an Idle Connection is Closed

The Minutes Before an Idle Connection is Closed setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed.
353
15
Share Report Data Between Clients

This setting appears only for Desktop Intelligence servers. Select to allow users to share data from Desktop Intelligence documents with other users.
Viewer Refresh Always Yields Current Data

When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the Minutes Between Refreshes from Database setting.
Oldest On-Demand Data Given To a Client (in minutes)

The Oldest On-Demand Data Given To a Client (in minutes) setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.
Always Share Report Jobs

This setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default.
Amount of Cache to Keep When Document Cache is Full

This setting appears only for the Desktop Intelligence Cache Server. Select a percentage of the cache to keep. This setting helps reduce the load on the Cache Server if you have a large deployment.
Configuring the processing tier for enhanced performance

This section provides instructions for configuring settings for components from the processing tier. You can adjust the settings to account for minor and moderate performance issues. Note: For more information about the processing tier, see Processing tier on page 41. Configuring the processing tier includes:
Modifying performance settings for job servers on page 355
354
15
Modifying Desktop Intelligence Report Server performance settings on page 356 Modifying performance settings for the Web Intelligence Report Server on page 357 Modifying database settings for the RAS on page 360 Modifying performance settings for the RAS on page 362 Modifying Page Server performance settings on page 363
Modifying performance settings for job servers

By default, the job servers run jobs as independent processes rather than as threads. This method allows for more efficient processing of large, complex reports. Use the following procedure to modify the performance settings for any of the job servers, that is the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and the Web Intelligence Job Server. 1. 2. 3. 4. 5. To modify performance settings for job servers Go to the Servers management area of the CMC. Click the link to the job server whose settings you want to change. Make your changes on the Properties tab. Click Update. Return to the Servers management area of the CMC.
Maximum Jobs Allowed

The Maximum Jobs Allowed setting limits the number of concurrent independent processes (child processes) that the server allowsthat is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment. The default Maximum Jobs Allowed setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
355
15
Temp Directory
You can also change the default directory where the server stores its temporary files.
Modifying Desktop Intelligence Report Server performance settings

The Properties tab of the Desktop Intelligence Report Server in the Central Management Console allows you to configure many of the same settings as the Page Server, plus additional report sharing settings. 1. 2. 3. 4. To modify Desktop Intelligence Report Server performance settings Go to the Servers management area of the CMC. Click the link to the Desktop Intelligence Report Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:
Share Report Data Between Clients

This setting appears only for Desktop Intelligence server. Select to allow users to share data from Desktop Intelligence documents with other users.

When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the Minutes Between Refreshes from Database setting.
Oldest On-Demand Data Given To a Client (in minutes)

The Oldest On-Demand Data Given To a Client (in minutes) setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.
356
15
Always Share Report Jobs

This setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default. For more information on other settings, see Modifying Page Server performance settings on page 363.
Modifying performance settings for the Web Intelligence Report Server

Use the following procedure to configure the performance settings for the Web Intelligence Report Server. 1. 2. 3. 4. To modify performance settings for the Web Intelligence report server Go to the Servers management area of the CMC. Click the link to the Web Intelligence Report Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:

5.
Return to the Servers management area of the CMC and restart the Job Server.
357
15
Maximum Simultaneous Connections

The maximum number of simultaneous connections that the server allows at one time, from sources such the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request.
Connection Time Out

The number of minutes before an idle connection to the Web Intelligence Report Server will be closed.
List of Values Batch Size

The maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less. The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000.
Universe Cache Size

The number of universes to be cached on the Web Intelligence Report Server.
358
15
List of Values Caching

Enables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on.
Enable Viewing Caching

When this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job. When this parameter is off both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents is impossible. Real-time caching is done only if both this parameter and the Enable Real Time Caching parameters are on.
Enable Real Time Caching

When this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document. When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job. This parameter is taken into account only when the Enable Viewing Caching is set to on. Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option deselected.
Document Cache Duration

The amount of time (in minutes) that content is stored in cache.
Document Cache Size

The size (in kilobytes) of the document cache.
Amount of Cache To Keep When Document Cache is Full

If the storage size is bigger than the allocated storage size, the system will delete documents with the oldest last accessed time. Then if the cache size is still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached.
359
15
Document Cache Scan Interval

The number of minutes that the system waits before checking the document cache for cleanup.
Maximum Number of Downloaded Documents To Cache

The number of Web Intelligence documents that can be stored in cache. Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected.
Modifying database settings for the RAS

The Database tab of the Report Application Server (RAS) in the Central Management Console lets you modify the way the server runs reports against your databases. 1. 2. 3. 4. To modify database interaction settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Database tab. Click either Apply or Update:
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.
Number of database records to read when previewing or refreshing a report

The Number of database records to read when previewing or refreshing a report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets. When the RAS retrieves records from the database, the query results are returned in batches. The Number of records per batch setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero.
360
15
Number of records to browse

The Number of records to browse setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular fields values. The data will be retrieved first from the clients cacheif it is availableand then from the servers cache. If the data is not in either cache, it is retrieved from the database.
Oldest on-demand data given to a client (in minutes)

The Oldest on-demand data given to a client (in minutes) setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the oldest on-demand data given to a client consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting.
Report Job Database Connection

The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. If you select Disconnect when all records have been retrieved or the job is closed, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS. However, if the RAS needs to reconnect to the database to generate an ondemand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that RAS stays connected to the database server until the report job is closed.)
361
15
Modifying performance settings for the RAS

The Server tab of the Report Application Server (RAS) in the Central Management Console allows you to modify the number of minutes before an idle connection is closed, and the maximum number of simultaneous processing threads. Note: The RAS server must have been installed and configured in order to use the List of Values Job Server. For more information, see Processing tier on page 41. 1. 2. 3. 4. To modify performance settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Server tab. Click either Apply or Update:
Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.

The Minutes Before an Idle Connection is Closed setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely, and setting a value that is too high can affect the servers scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close). Maximum Simultaneous Report Jobs The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way.
362
15
It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.
Modifying Page Server performance settings

The Properties tab of the Page Server in the Central Management Console lets you set the location of temporary files, the maximum number of simultaneous report jobs, the minutes before an idle connection is closed, the minutes before a processing job is closed, the number of database records to read when previewing or refreshing a report, the oldest processed data to give a client, and when to disconnect from the report job database. Note: For Desktop Intelligence documents, Page Server features are handled by the Desktop Intelligence Report Server. 1. 2. 3. 4. To modify Page Server performance settings Go to the Servers management area of the CMC. Click the link to the Page Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:
363
15
Location of Temp Files

The Location of Temp Files setting specifies the absolute path to a directory on the Page Server machine.This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail.
Maximum Simultaneous Report Jobs

The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

The Minutes Before an Idle Connection is Closed setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a
364
15
value too low can cause a users request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.
Minutes before an Idle Report Job is Closed

The Minutes before an Idle Report Job is Closed setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the Report Job Database Connection setting.)
Database Records to Read When Previewing Or Refreshing a Report

The Database Records to Read When Previewing Or Refreshing a Report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries.
Oldest On-Demand Data Given to a Client (in minutes)

The Oldest On-Demand Data Given To a Client (in minutes): setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the oldest processed data given to a client consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0.

When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When
365
15
disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests.
Report Job Database Connection

The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. If you select Disconnect when all records have been retrieved or the job is closed, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that Page Server stays connected to the database server until the report job is closed. Note that you can set the Minutes before a Report Job is Closed above.)
Scaling your system

The BusinessObjects Enterprise architecture allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations. For information about adding and deleting servers from your BusinessObjects Enterprise installation, see Adding and deleting servers on page 105 This section provides information about system scalability and the BusinessObjects Enterprise servers that are responsible for particular aspects of your system. Each subsection focuses on one aspect of your systems capacity, discusses the relevant components, and provides a number of ways in which you might modify your configuration accordingly. Before modifying these aspects of your system, it is strongly recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. General scalability considerations include the following:
366
15
Increasing overall system capacity on page 367 Increasing scheduled reporting capacity on page 367 Increasing on-demand viewing capacity for Crystal reports on page 369 Increasing prompting capacity on page 369 Enhancing custom web applications on page 370 Improving web response speeds on page 371 Getting the most from existing resources on page 371
Increasing overall system capacity

As the number of report objects and users on your system increases, you can increase the overall system capacity by clustering two (or more) Central Management Servers (CMS). You can install multiple CMS services/daemons on the same machine. However, to provide server redundancy and faulttolerance, you should ideally install each cluster member on its own machine. CMS clusters can improve overall system performance because every BusinessObjects Enterprise request results, at some point, in a server component querying the CMS for information that is stored in the CMS database. When you cluster two CMS machines, you instruct the new CMS to share in the task of maintaining and querying the CMS database. For more information, see Clustering Central Management Servers on page 114.
Increasing scheduled reporting capacity

Increasing Crystal reports processing capacity
All Crystal reports that are scheduled are eventually processed by a Job Server. You can expand BusinessObjects Enterprise by running individual Report Job Servers on multiple machines, or by running multiple Report Job Servers on a single multi-processor machine. If the majority of your reports are scheduled to run on a regular basis, there are several strategies you can adopt to maximize your systems processing capacity:
Install the Job Server in close proximity to (but not on the same machine as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.
367
15
Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time. If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources. Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).
Increasing Web Intelligence document processing capacity

All Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine. When running multiple Web Intelligence Report Servers, you dont need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers. Note: When deciding whether to increase the number Web Intelligence Report Servers, keep in mind that Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers, the Report Job Server, the Cache Server and Page Server.
368
15
Increasing on-demand viewing capacity for Crystal reports

When you provide many users with View On Demand access to reports, you allow each user to view live report data by refreshing reports against your database server. For most requests, the Page Server retrieves the data and performs the report processing, and the Cache Server stores recently viewed report pages for possible reuse. However, if users use the Advanced DHTML viewer, the Report Application Server (RAS) processes the request. If your reporting requirements demand that users have continual access to the latest data, you can increase capacity in the following ways:
Increase the maximum allowed size of the cache. For details, see Modifying Cache Server performance settings on page 352. Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine. Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.
Increasing prompting capacity

When reports use a list of values, the RAS processes on-demand list-ofvalues objects for the report when the report is being viewed. Scheduled listof-values objects are processed by the List of Values Job Server without using RAS.
369
15
To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-ofvalues objects to be processed by the RAS server group.
Delegating XSL transformation to Internet Explorer

If your users access InfoView via the Internet Explorer 6.0 browser, you can instruct the Web Intelligence Report Server to delegate the transformation of XML to XSL to the browser. This substantially decreases the load on the server, primarily during document display, but also during display of the portal itself. By default, the XSL transformation delegation is not activated. 1. To delegate XSL transformation to the browser for document display: On the application server, set the CLIENT_XSLT variable in webiviewer.properties, located in the WEB-INF\classes subfolder of the application server as follows:
CLIENT_XSLT=Y
2.
Restart the application server.
Enhancing custom web applications

If you are developing your own custom desktops or administrative tools with the BusinessObjects Enterprise Software Development Kit (SDK), be sure to review the libraries and APIs. You can now, for instance, incorporate complete security and scheduling options into your own web applications. You can also modify server settings from within your own code in order to further integrate BusinessObjects Enterprise with your existing intranet tools and overall reporting environment. To improve the scalability of your system, consider distributing administrative efforts by developing web applications for delegated content administration. You can grant select users the ability to manage particular BusinessObjects Enterprise folders, content, users, and groups on behalf of their team, department, or regional office. In addition, be sure to check the developer documentation available on your BusinessObjects Enterprise product CD for performance tips and other scalability considerations. The query optimization section in particular provides some preliminary steps to ensuring that custom applications make efficient use of the query language.
370
15
Improving web response speeds

Because all user interaction with BusinessObjects Enterprise occurs over the Web, you may need to investigate a number of areas to determine exactly where you can improve web response speeds. These are some common aspects of your deployment that you should consider before deciding how to expand BusinessObjects Enterprise:
Assess your web servers ability to serve the number of users who connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web servers hardware. If web response speeds are slowed only by report viewing activities, see Increasing scheduled reporting capacity on page 367 and Increasing on-demand viewing capacity for Crystal reports on page 369. Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see Increasing overall system capacity on page 367.
If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:
Increase the hardware resources that are available to the application server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine.
Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.
Getting the most from existing resources

One of the most effective ways to improve the performance and scalability of your system is to ensure that you get the most from the resources that you allocate to BusinessObjects Enterprise.
Optimizing network speed and database efficiency

When thinking about the overall performance and scalability of BusinessObjects Enterprise, dont forget that BusinessObjects Enterprise depends upon your existing IT infrastructure. BusinessObjects Enterprise uses your network for communication between servers and for communication between BusinessObjects Enterprise and client machines on your network. Make sure that your network has the bandwidth and speed
371
15
necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information. BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.
Using the appropriate processing server

When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server rather than the Page Server and Cache Server. The Report Application Server is optimized for report modification. For simple report viewing you can achieve better system performance if users select the DHTML viewer, the Active X viewer, or the Java viewer. These report viewers process reports against the Page Server. If the ability to modify reports is not needed at your site, you can disable the Advanced DHTML viewer for all users of BusinessObjects Enterprise. 1. 2. 3. 4. Disabling the Advanced DHTML Viewer In the Central Management Console, select Business Objects Applications. Select Web Desktop. On the Properties tab, go to the Viewers area. Clear the option labeled Allow users to use the Advanced DHTML Viewer. Click Update.
Optimizing BusinessObjects Enterprise for report viewing

BusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing a report on demand or when refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to provide report pages to subsequent users of the same report while greatly improving overall system performance under load. However, to get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see old data when they view a report on demand, or refresh a report instance that they are viewing. For details on data sharing options for reports, see the BusinessObjects Enterprise Administrators Guide. For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning section in the BusinessObjects Enterprise Installation Guide.
372
General Troubleshooting
chapter
16
General Troubleshooting Troubleshooting overview
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This section includes general troubleshooting steps along with solutions to some specific configuration issues. In general, consider the following key points when troubleshooting:
Ensure that client and server machines are running supported operating systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution. Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur. On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.
Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.
If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and Web accessibility issues on page 375. If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see TReport viewing and processing issues on page 383. Look for solutions in the documentation included with your product. For details, see Documentation resources on page 375. Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles: http://support.businessobjects.com/
374
General Troubleshooting Documentation resources
16
Documentation resources
The BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details. BusinessObjects Enterprise also includes a number of manuals. CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView. Additional Compiled HTML Help (CHM) files are provided with the following client tools:
Central Configuration Manager Publishing Wizard Repository Migration Wizard Import Wizard Crystal Report Offline Viewer
Press F1 or click Help to launch the online help from within these applications.
Web accessibility issues

Using an IIS web site other than the default
On Windows, the BusinessObjects Enterprise installation creates virtual directories on the Internet Information Server (IIS) Default Web Site unless you specify to use a different site during the installation. If you are using a different site, but forgot to specify it during the installation, you must copy the virtual directory configuration from the default web site to the web site you are using. BusinessObjects Enterprise also sets up several application mappings on the default site. These can be viewed and copied from the default web site to the web site you are using. Restart the web server once you have made these changes. For more information, see BusinessObjects Enterprise Installation Guide.
375
16
General Troubleshooting Web accessibility issues
.NET CSP and ASP pages display code

In a BusinessObjects Enterprise XI .NET installation, all ASP and CSP encoded web pages are not rendered. Instead, the actual code is displayed. This situation may happen when there is a problem with the .NET Framework. To fix a problem, re-register the .NET Framework with with the website. Registering the .NET Framework 1. 2. 3. To re-rigster the .NET Framework Open command prompt window. Go to the directory where .NET is installed. For example:
c:\winnt\microsoft.NET\Framework\v.1.1.4322
Enter the command applies to your deployment.
If you have multiple web sites on IIS, in addition to those running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -c C:\<Installdir> If IIS is only running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -i
Unable to access the CMS from thick client

When you use a thick client application such as Crystal Reports, Designer, or Business View Manager attempts to establish a connection to a CMS configured to communicate via SSL, you receive a Transport Error message. This error message appears because the thick client application is not using the Secure Sockets Layer (SSL) to connect to an Enterprise deployment configured to use Server to Server SSL. To resolve this error message, run the SSLConfig utility on the client computer. 1. To configure the thick client to use SSL On the server with the CMS, type the following command:
SSLConfig.exe -display
The output should be similar to this:

********************** COM/.Net SDK ********************** '==Begin Current SSL Settings === CommunicationProtocol = ssl SSLCertDirectory = C:/SSL SSLCertificate = servercert.der
376
16
SSLTrustCertificate = cacert.der SSLKey = server.key SSLPassphrase = passphrase.txt '== End Current SSL Settings ===
2. 3. 4.
Copy the files from this location and add them to the appropriate folder (UNC or Local). Copy the SSLConfig.exe utility to a location on the client computer and open a command prompt to the directory where you copied the file. Type the following command and replace the variable with the specifics from the SSL configuration you displayed in a previous step:
"SSLCONFIG -dir <certdir> -mycert <sdkcert> -rootcert <rootcert> -mykey <privatekey> -passphrase <passphrase> -protocol <protocol>"
Tip: If your configuration was identical to the sample output from step 1, you would enter the command as follows:
SSLCONFIG -dir C:/SSL -mycert servercert.der rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl
Note: If any of your directories contain spaces, be sure to enclose the path with a double quotation marks.
Unable to View .NET InfoView or CMC

After installing BusinessObjects Enterprise XI R2 on Microsoft 2003 server with IIS 6, you are not able to view the .NET InfoView. Instead of the InfoView or CMC Sign-on page, you see the message The page cannot be displayed. This error can occur if the ASP.NET component of IIS application server is not installed. See Determining if the IIS 6.0 ASP.NET component is installed on page 377 for procedural details.
Determining if the IIS 6.0 ASP.NET component is installed

1. 2. 3. 4. 5. To verify that the ASP.NET component is installed From the Start menu, select Settings >Control Panel. Select Add or Remove Programs. Select Add/Remove Windows Components. Select Application Server, and then click Details. Check whether the check box beside ASP.NET is selected.
If the box is checked, ASP.NET is installed. If the box is clear, check the box and then click OK.
377
16
6. 7. 8.
Click Next. The component will be installed. Click Finish. If you have changed the configuration for IIS, restart IIS.
Changing the connect port used by Tomcat

During the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat. 1. 2. To change the Tomcat connect port Stop Tomcat. Open the server.xml file for Tomcat in a text editor. On Windows, this file can normally be found in the following directory: C:\Program Files\Business Objects\Tomcat\conf 3. Locate the following string:
4. 5.
Change port 8080 to an available port number. Save and close the file.
378
16
Unable to connect to CMS when logging on to the CMC

If you attempt to log on to the CMC while the Central Management Server (CMS) is not running, the following error message appears:
Unable to connect to CMS (<servername>) to retrieve cluster members. Logon can not continue.
Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)
Unable to open a report from InfoView

When running BusinessObjects Enterprise on Windows 2003 with IIS, you receive the following error when you load a Report:
Failed to read data from report file C:\WINDOWS\TEMP\tmp.rpt. Reason: Failed to open print engine for C:\WINDOWS\TEMP\tmpreport\<report>. Ensure that CRPE32 is installed on this computer.
This error message occurs on Windows 2003 computers running IIS version 6.0 where the default application pool is running under the Network Service Account. However, the Network Service Account does not have sufficient rights to the files and registry needed to create a copy of the report in the enterprise system. To resolve this error message, use the Local System Account to run the default application pool as this account has sufficient rights. 1. 2. 3. 4. 5. 6. 7. 8. To run IIS under Local System account Open the IIS Console. Expand the Application Pools folder. Right-click DefaultAppPool, and then click Properties. Click the Identity tab. Ensure the Predefined radio button is selected. Select the Local System account from the drop-down list. Click OK. Restart IIS.
379
16
Single sign-on from an IE Windows 2000 client fails

After configuring Single Sign-On (SSO) for BusinessObjects Enterprise XI, trying to connect to InfoView from a Windows 2000 client computer results in a logon prompt. Both Windows 2003 and Windows XP client computers work correctly and do not display a logon prompt. This problem occurs because the following option has not been selected on the version of Internet Explorer that comes with Windows 2000: Enable Integrated Windows Authentication 1. 2. 3. 4. 5. To change the Internet Options to allow SSO Open Internet Explorer. From the Tools menu, select Internet Options. Click the Advanced tab. Scroll down to Security Options. Select Enable Integrated Windows Authentication, and then click OK.
Windows NT authentication cannot log you on

When you attempt to log on to the Central Management Console (CMC) or to InfoView, the following error occurs:
NT Authentication could not log you on. Please make sure your logon information is correct. If your account is in any domain other than "DOMAIN NAME" you must enter your user name as DomainName\UserName.
This error may occur for various reasons. Investigate these common solutions:
Ensure that the specified authentication type corresponds to the user name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise. Netscape users must provide a valid Windows NT user name in the form of Domain\User. Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS. If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user
380
16
account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.
The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.
Mapped AD user unable to log on to CMC or InfoView

A users Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:
DOMAIN\ABC123
This problem, which happens with with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same either in case or otherwise. Following are two examples which may cause a problem:
The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name is the same.
There are two ways to address this problem:
Unable to sign on with AD and Kerberos

A users who is A users Active Directory ID has successfully has been mapped to BusinessObjects Enterprise. However, when they open InfoView in IIS and attempt to log on, they receive the following message:
An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.
This problem can happen for two reasons:
Because the web.config file used by IIS has not been configured properly. Because IIS has not been configured properly.
381
16
Follow these steps to resolve this problem. Modify either of the following web.conf file based on what you want to configure for AD and Kerberos. To configure both the CMC and InfoView configure the web.config file in the Web Content directory; To configure only InfoView , configure the web.config file in the InfoView directory. 1. To configure the web.config for AD and Kerberos Open the appropriate Web.config file from either of the following locations:

2. 3. 4. 5. 6. 1. 2. 3. 4. 5. 6. 7. 8.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView
Locate the following line in the <system.web> block:


<Authentication mode="Windows" />

Save and close the web.config. Restart IIS. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Expand the web site that runs your BusinessObjects Enterprise applications. Right-click businessobjects, and then select Properties. Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:

9.
Anonymous access Basic authentication
Ensure Integrated Windows authentication is selected.
382
16
10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportvewiers115 and styles. 13. Restart your IIS server.
TReport viewing and processing issues

When troubleshooting reports, it is especially useful to determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration. In particular, check the database client configurations, the drivers and versions, and the accounts under which the processing servers are running. If the reports are based off ODBC data sources, compare the ODBC driver versions, the DSN configurations, and the versions of the MDAC layer. Check to see if the Page Server or Job Server is running under an account that has the appropriate access rights to the report database server. If the report database server is on a remote machine, change the Page Server or Job Server to use a valid domain account with enough rights to view or process the report. If you follow these steps and the problem persists, contact Business Objects technical support. Before you call, take note of the database client and version you are running, the database server version that you are connecting to, and the driver name and version that you are using to connect.
Troubleshooting reports with Crystal Reports

On Windows, you can install Crystal Reports on all Job Server, Page Server, and RAS machines in order to speed up the troubleshooting of reports and database connectivity. In this way, you use Crystal Reports to simulate the steps that are performed by the BusinessObjects Enterprise processing servers when a scheduled report is processed, or when a report is viewed on demand over the Web. By locating the step where Crystal Reports is unable to open, refresh, or save the report, you may be able to locate the source of the problem. Note: The exact steps and menu options may differ, depending on your version of Crystal Reports.
383
16
1.
To troubleshoot a report Start Crystal Reports on the appropriate machine:
If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server. If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server. If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS. If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.
2.
Open the report from the CMS. On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.
3.
Test your database connection and authentication. On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.
4.
If the reports parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error. Verify that the tables used in the report match the tables in the database. On the File menu, clear the Save Data with Report check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.
5.
6.
Refresh the report and, if current data is not returned from the database, check these possible causes:
If the report fails, ensure that the database credentials provide READ rights to all tables in the report. If the database credentials are valid, the reports SQL statement is evaluated at this time. Check the join information. Note any ODBC errors that are produced.
384
16
If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.
7.
Go to the last page of the report. Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).
8.
Export the report to Crystal Reports format (or any other desired format). This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.
9.
If the report now refreshes successfully, save it back to the CMS.
10. Close the report. 11. Close Crystal Reports. 12. Repeat the activity that caused the original report to fail: view the report on demand over the Web, or schedule the report for processing.
Images and charts not displayed

After single sign-on has been enabled in BusinessObjects Enterprise XI, images or charts are not displayed in the reports when viewed with the DHTML or ActiveX viewer. This behavior may occur because the temporary image file cannot be accessed by the account under which the IIS application pool is running. To fix this problem, ensure that the service account has modif' rights to the following directory:
C:\Windows\Temp
Troubleshooting reports and looping database logon prompts

A common issue when viewing reports over the Web is a persistent database logon prompt that is displayed repeatedly by the users browser. Regardless of the credentials provided by the user, the report will not display. This problem is typically caused by the configuration of the Page Server or the Report Application Server (RAS). This section provides a series of troubleshooting steps that should resolve this problem and others that are specific to reports and database connectivity. 1. To troubleshoot reports and looping database logon prompts Verify the report with Crystal Reports.
385
16
Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see Troubleshooting reports with Crystal Reports on page 383. 2. Change the servers logon account. BusinessObjects Enterprise servers require access to various local and/ or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a servers logon account, see Configuring Windows processing servers for your data source on page 140. Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services. 3. Verify the servers access to ODBC Data Source Names (DSNs). Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report. If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI
Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see Configuring Windows processing servers for your data source on page 140. 4. Determine the configuration of the database client software. If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below
HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot
use the database client software to communicate with the database. 5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS.
386
16
Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each servers logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see the BusinessObjects Enterprise Deployment and Configuration Guide. 6. Check whether or not NT authentication is performed by the database. If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each servers logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass endusers NT tokens through to the database server.) To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication. 7. Check the available environment variables. Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details. 8. Reference remote data sources with UNC paths. Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see Ensuring that server resources are available on local drives on page 388. 9. Ensure that you have enough database client licenses. If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database. 10. Check that database connections are closed in a timely fashion.
387
16
If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the Minutes Before an Idle Job is Closed setting, see Modifying Page Server performance settings on page 363. 11. Use multi-threaded database drivers. Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes. 12. Check for problems with particular data sources. If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base. IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients. If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.
Ensuring that server resources are available on local drives

When the BusinessObjects Enterprise servers are running on Windows, many can be configured to use specific directories to store files. For example, you can specify the root directory for each File Repository Server, the temporary directories for the Cache and Page Servers, or the directory from which the Job Servers load processing extensions. In all cases, the directory that you specify must be on a local drive (such as C:\InputFRS or C:\Cache). Do not use Universal Naming Convention (UNC) paths or mapped drives. Although some BusinessObjects Enterprise servers can recognize and use UNC paths, do not configure the servers to access network resources in this manner. Use local drives instead, because UNC paths can limit performance due to limitations in the underlying protocol.
388
16
Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see Configuring Windows processing servers for your data source on page 140. Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on. Note: Changing a servers log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that account. Instead, the servers perform account impersonation. This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).
Page Server error when viewing a report

When you attempt to run or preview a report, the following error message appears:
There are no Page Servers connected to the Cache Server or all the connected Page Servers are disabled. Please try to reconnect later. [On Page Server : <servername>.Cacheserver]
This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)
389
16
General Troubleshooting InfoView considerations
InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.
Setting default report destinations

By default, a report's destination that is set in the CMC will be the selected destination when a report is scheduled in InfoView. A user can also select alternate destinations in InfoView by updating the Destination option. Note that the destination set in InfoView applies only to the scheduled instance. Thus, when a user schedules another instance in InfoView, the destination that is set in the CMC will be selected, unless the user changes the Destination option. If the user selects the Default destination setting in InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC.
Import Wizard
Unable to import users from BusinessObjects 6.5
When using the Import Wizard, you get the following error after you enter your BusinessObjects 6.5 credentials:
"Error logging on to server. Please check logon information and try again. Unspecified error."
This error occurs because you because your new server that hosts BusinessObjects Enterprise does not have the same System DSN used on the BusinessObjects 6.x system. To fix this problem, create an exact copy of the System DSN used for the security domain on the BusinessObjects 6.x on the new destination BusinessObjects Enterprise machine.
390
Managing Auditing
chapter
17
Managing Auditing How does auditing work?
How does auditing work?

The Central Management Server (CMS) acts as the system auditor, while each BusinessObjects Enterprise server that controls actions that you can monitor is an auditee. To audit an action in BusinessObjects Enterprise, there are a few steps you must complete:
You must configure the auditing database. If you installed Auditor, and provided the authentication details for your auditing database when you installed BusinessObjects Enterprise, you have already configured the auditing database. If you did not install Auditor, you must configure the auditing database before you can use Auditor. For step by step instructions, see Configuring the auditing database on page 393. Note: Auditor is installed by default when you install and use a keycode that authorizes you to Auditor, unless you cleared the Auditing Database check box during the install, or did a custom install and specifically excluded Auditor.
You must first determine which server controls that action. To determine which server controls an action, see Reference list of auditable actions on page 395. You must enable auditing of that action in the Servers management area of the Central Management Console (CMC). For step by step instructions, see Enabling auditing of user and system actions on page 399. You must configure the universe connection. The auditing reports are written against the Activity universe, this universe connection must be configured so it can connect to the auditing database. For step by step instructions, see Configuring the universe connection on page 401.
As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file. As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditees local log files. When the CMS receives these records it writes data from the log files to the central auditing database.
392
Managing Auditing Configuring the auditing database
17
The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions. Once the data is in the auditing database, you can run the sample reports against the database or design custom reports to suit your own needs.
Configuring the auditing database

If you entered the authentication details for your auditing database when you installed Auditor, your auditing database is already configured and connected to your Central Management Server (CMS). If you did not enter the authentication details for your auditing database when you installed, you must configure your CMS to connect to an auditing database. You can use any database server supported for the CMS system database for your auditing database. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. If you plan to use MySQL for your auditing database, you will require version 3.51 of the MySQL Connector/ODBC (MyODBC) driver. If you do not already have this installed, you can download it from the following location:
http://dev.mysql.com/downloads/connector/odbc/3.51.html
It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information. Note:
The CMS system database and the auditing database are independent. If you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers. If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See Clustering Central Management Servers on page 114 for more information on setting up CMS clusters.)
393
17
1. 2. 3. 4.
To configure the auditing database on Windows Start the Central Configuration Manager (CCM). Stop the CMS. Click Specify Auditing Data Source. In the Select Database Driver dialog box, specify whether you want to connect to the new database through SQL Server (ODBC), or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:
5. 6.
If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new Data Source Name (DSN).) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.
The SvcMgr dialog box notifies you when the auditing database setup is complete. 7. 8. Click OK. Start the CMS. When the CMS starts, it will create the auditing database.
Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select Write server audit information to specified data source, and then click Specify. To configure the auditing database on UNIX For more information on UNIX scripts, see UNIX Tools on page 473. 1. 2. Use ccm.sh to stop the CMS. Run cmsdbsetup.sh.
394
17
3. 4. 5. 6.
Choose the selectaudit option, and then supply the requested information about your database server. Run serverconfig.sh. Choose the Modify a server option. Select the CMS, and enable auditing. Enter the port number of the CMS when prompted (the default value is 6400).
Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database. Note:
The CMS acts as both an auditor and as an auditee when you configure it to audit an action that the CMS itself controls. In a CMS cluster, the cluster will nominate one CMS to act as system auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.
Which actions can I audit?

You can audit the actions of individual users of BusinessObjects Enterprise as they log in and out of the system, access data, or create file-based events. You can also monitor system actions like the success or failure of scheduled objects. For each action, BusinessObjects Enterprise records the time of the action, the name and user group of the user who initiated the action, the server where it was performed, and a variety of other parameters more fully documented in Reference list of auditable actions on page 395.
Reference list of auditable actions

This section contains the list of the audit actions you can enable in BusinessObjects Enterprise. It is organized according to the types of actions that you can audit, to help you find the server where you enable auditing of these actions. Note: The list of auditable actions for Desktop Intelligence only apply when the documents are created and modified from within BusinessObjects Enterprise. For more information about the actions that are audited, and the data that is recorded for each audit action, see the Auditing database schema reference on page 416.
395
17
User Actions
Actions Objects An object is created. An object is deleted. An object is modified. A report has been viewed successfully. A report could not be viewed. A report is opened successfully using: the Advanced DHTML viewer. BusinessObjects Enterprise Server CMS
Crystal reports
Cache Server RAS
a custom application that uses RAS SDK.
A report fails to open. A report has been created successfully using: a custom application that uses the RAS SDK. A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK). A report fails to save using a custom application based on the RAS API. Get list of universes. Web Web Intelligence Intelligence A user has begun creating a new Web Report Server documents Intelligence document, which triggers a request to the server for the list of available universes. Save document to repository. A user has saved a Web Intelligence document within BusinessObjects Enterprise. Read Document. User opens an existing Web Intelligence document. Selection of universe.
A user has selected a universe as they create a new Web Intelligence document, or as they edit an existing Web Intelligence document.
396
17
Actions
BusinessObjects Enterprise Server
Refresh document. Web Intelligence Web Report Server Intelligence User manually refreshes a Web documents Intelligence document, or the user opens a Web Intelligence document that is set to refresh on open. Edit document. User enters Edit document mode for an existing Web Intelligence document. Apply format.
User applies a formatting change to an existing Web Intelligence document in a query panel.
Get page. Server renders the pages of a Web Intelligence document in response to a user request to display all or part of a document. Generate SQL. Server generates an SQL query in response to a user action that requires data to be retrieved from a database. Drill out of scope.
User drills past the scope of the data currently in memory, and triggers a call to the database for more data. List of values. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. Select prompt.
397
17
Actions Desktop A job has been run successfully. Intelligence Either a Desktop Intelligence document documents has been scheduled or a publication based of that document has been scheduled.
BusinessObjects Enterprise Server Desktop Intelligence Job Server
A job has failed to run. Users A job failed but will try to run again. A concurrent user logon succeeds. A named user logon succeeds. A user logon fails. A users password is changed. User logs off. Send an object to a destination A job has been run successfully. (A user has successfully sent an object to a destination.) A job has failed to run. (An object has failed to be sent to a destination.) A job failed but will try to run again. An event is registered. (Event is created, and registered with system) An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered. (Event is removed from system.) Destination Job Server CMS
File-based events
Event Server
398
Managing Auditing Enabling auditing of user and system actions
17
System Actions
Actions Scheduled objects A job has been run successfully. For example, a scheduled Crystal report or publication has run successfully. A job has failed to run. For example, a scheduled Crystal report or publication has failed to run. BusinessObjects Enterprise Server Job Servers
Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. A job failed but will try to run again. Communication with a running instance is lost. For CMS example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired. Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document. An event is triggered. Event Server
File-based events
Enabling auditing of user and system actions

After you determine which BusinessObjects Enterprise server controls the action, you must enable auditing on the server from the Servers management area of the Central Management Console (CMC). If you have multiple BusinessObjects Enterprise servers of a given type, be sure to enable identical audit actions on every server. This makes sure that you collect information on all user or system actions in your BusinessObjects Enterprise system. For example, if you are interested in the total number of concurrent user logons, enable auditing of concurrent user logons on each of your Central Management Servers. If you enable auditing on only one Central Management Server, you will only collect audit information about actions that occur on that server.
399
17
Managing Auditing Enabling auditing of user and system actions
In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See Configuring the auditing database on page 393 for information on how to configure the auditing database. 1. 2. To enable audit actions Go to the organize Servers area of the CMC. Click the server that controls the action that you wish to audit. (See the Reference list of auditable actions on page 395 to find the correct server.) 3. Click the Auditing tab.
4. 5. 6.
Select the Auditing is enabled check box. Select the audit actions that you wish to record. Ensure that your audit log file is located on a hard drive that has sufficient space to store the log files. (See Optimizing system performance while auditing on page 404 for information on adjusting the size of log files.)
400
Managing Auditing Configuring the universe connection
17
7. Tip:
Click Update. To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.
Configuring the universe connection

The auditing reports use the Activity universe. Before you can view these reports, you must configure the universe connection. This involves two steps: first you must create a data source for your auditing database, next you must specify this data source for your universe connection. 1. 2. 3. 4. 5. 6. 7. To create a data source Go to the Start menu and select Settings >Control Panel. Double-click on Administrative tools. Double-click Data sources. Click the System DSN tab, and then click Add. Select the driver for your auditing database from the list, and then click Finish. Enter the authentication parameters, the database server name, and your auditing database name, and then click OK. Click OK.
Tip: You may want to write down the name of your data source as it will be required when you create or edit the universe connection. 1. 2. 3. To configure the Activity universe connection Start Designer from the BusinessObjects Enterprise program group. Click on the connections icon in the toolbar. The Connection List dialog box appears. Click Add, and then click Next.
401
17
Managing Auditing Using sample audit reports
4. 5. 6. 7. 8. 9.
Expand the database type and the version that corresponds with the your auditing database. Select the driver or client to use. Enter a name for your connection. Enter the User Name and Password for your connection. Select the Data source name from the list, and then click Next. Click Next on the Perform a Test dialog box.
10. Click Next on the Advanced Parameters dialog box. 11. Click Finish on the Custom Parameters dialog box. 12. Click Finish to exit and finalize your connection.
Using sample audit reports

BusinessObjects Enterprise includes two sets of sample audit reports:
One set was created using Crystal Reports. One set was created using Web Intelligence.
Both sets of reports are available in the collateral folder on your product distribution in the file auditing.biar. These sample reports are published to the Auditor folder when you install BusinessObjects Enterprise with a product keycode which authorizes you to use Auditor. The Crystal Reports audit reports are available as object packages with the report sections as individual documents. The Web Intelligence audit reports are available as Web Intelligence documents with the report sections as tabs within the documents. Both sets of reports are based on the Activity universe. Note: You can also deploy the auditing samples to another node. To do this, use the Import Wizard to deploy the auditing.biar to the CMS on the node where you want the reports. For further details, see the Import Wizard help. If you configured the auditing database when you installed BusinessObjects Enterprise, you must do these things before using the sample audit reports:
Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399.
Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.
402
Managing Auditing Controlling synchronization of audit actions
17
If you did not configure the database when you installed BusinessObjects Enterprise, before you use the reports, you must do these things:
Configure the auditing database before you use the sample reports. For information on how to configure the auditing database, see Configuring the auditing database on page 393 Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399
Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.
After you enable auditing of the user and server actions, the auditing database will then begin to be populated with the audit data you specified. Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them.
Controlling synchronization of audit actions

The CMS controls the synchronization of audit actions that occur on different machines. The CMS periodically broadcasts its system time to the auditees in UTC (Coordinated Universal Time). The auditees compare this time to their internal clocks, and then make the appropriate correction to the time stamp (in UTC) they record for subsequent audit actions. This correction affects only the time stamp that the auditee records in its audit log file. The auditee does not adjust the system time of the machine on which it is running. By default, the CMS broadcasts its system time every 60 minutes. You can change the interval using the command-line option:
-AuditeeTimeSyncInterval minutes
You can turn off this option by setting minutes to zero. For more information on the CMS, see the Server Command Lines chapter in the BusinessObjects Enterprise Administrators Reference Guide. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an Network Time Protocol (NTP) client, and then turn off internal synchronization by setting:
-AuditeeTimeSyncInterval 0
403
17
Managing Auditing Optimizing system performance while auditing
Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.
Optimizing system performance while auditing

Enabling auditing should have minimal effect on the performance of BusinessObjects Enterprise. However, you can optimize system performance by fine-tuning these command-line options:
-AuditInterval minutes, where minutes is between 1 and 15. (The
default value is 5.) The CMS requests audit records from each audited server every audit interval.
-AuditBatchSize number, where number is between 50 and 500. (The
default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.
-auditMaxEventsPerFile number (number has a default value of 500
and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file. Note: Log files remain on the audited server until all records have been requested by the CMS. Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.
404
17
Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions.
405
17
406
Auditing Reports
chapter
18
Auditing Reports Using auditing reports
Using auditing reports

If you are an administrator who wants to view reports from the auditing database, you have these choices:
You can use the auditing reports that are included with BusinessObjects Enterprise. You can modify the auditing reports that are included with BusinessObjects Enterprise. You can create your own auditing reports.
Why are reports important?

Auditor includes reports that can answer questions you may have about your BusinessObjects Enterprise deployment. Each report contains one or more report sections that focus on a very specific area.
Auditor report names

This section contains the following:
the list of the report names the report sections included with the reports the report prompts
Average Number of Users Logged In

Report sections Report prompts
Average Number of Logged In select reporting year Sessions Users Logged In Average Number of Users Logged In select reporting month
408
18
Average Refresh Time

Report sections Average Refresh Time by Document Average Refresh Time by User Average Refresh Time by Server Report prompts Name of document
Average Session Duration

Report sections Year Quarter Month Week Day Hour Report prompts choose user
Average Session Duration per Cluster

Report sections Average Session Duration in Minutes over the Period Average Session Duration in Minutes per Week Average Session Duration in Minutes per Day Report prompts select reporting timeframe
Average Session Duration per User

Report sections Average Session Duration in Minutes over the Year Report prompts select reporting year
409
18
Report sections Average Session Duration in Minutes per Month per User Average Session Duration in Minutes per Week per User
Report prompts
Cluster Nodes
Report sections Servers in the Cluster Report prompts None
Document Information Detail

Report sections None Report prompts select document
Document Scheduling and Viewing Status

Report sections None Report prompts select start date select end date
Job Summary
Report sections Jobs per Status Successful Jobs Failed Jobs Report prompts
410
18
Jobs per Job Server

Report sections Jobs per Job Server KindSummary Jobs per Job Server Kind Jobs per Job Server Report prompts None
Jobs per User

Report sections Jobs per User - Summary Jobs per User Job Duration per User Report prompts None
Job Servers on the System

Report sections Jobs per User - Summary Jobs per User Job duration per User Job Failure per User Report prompts None
Last Login for User

Report sections None Report prompts select user
411
18
Least Accessed Documents

Report sections Least Accessed Documents By times Read Least Accessed Documents By Edits Least Accessed Documents By Refreshes Report prompts None
Most Accessed Documents

Report sections Most Accessed Documents By times Read Most Accessed Documents By Edits Most Accessed Documents By Refreshes Report prompts None
Most Active Users

Report sections Most Active Users by Logins Most Active Users by Refreshes Report prompts None
Most Popular Actions

Report Sections Most Popular Actions - By Quarter Most Popular Actions - By Month Report Prompts select year select year
Most Popular Actions - By Year select year
412
18
Report Sections Most Popular Actions - By Week
Report Prompts select year
Most Popular Actions - By Day select year
Most Popular Actions per Document

Report sections Most Popular Actions per Document- By User Most Popular Actions per Document- By Session Most Popular Actions per Document- By Action Most Popular Actions per Document- By Month Report prompts select document (s)
Number of User Sessions

Report sections None Report prompts select year(s)
Number of Users in the System

T
Report sections None
Report prompts None
Password Modifications
Report sections Password Modifications - By Month Password Modifications - By Week Password Modifications - By Details Report prompts select start date select end date
413
18
Peak Usage
Report sections Users Login Peaks Session Login Peaks Number of Action Peaks Report prompts select year
Refresh and Edit Activity

Report sections None Report prompts select user
Rights Modification
Report sections Rights Modification - By User Report prompts select start date
Rights Modification - By Object select end date
Total Users Logged In by Day

Report sections Report prompts
Total Users Logged In by Day - enter a date Total Number of Logged In Users Total Users Logged In by Day Total Number of Logged in Sessions
User Activity
Report sections User Activity by Month User Activity by Week User Activity by Day Report prompts select start date select end data
414
Auditing Reports Viewing sample auditing reports
18
User Activity per Session

Report sections User Activity per Session Per Cluster User Activity per Session Per Session User Activity per Session Per Action Name User Activity per Session Per Date Report prompts choose user(s)
Users Who Logged Off Incorrectly

Report sections Statistics Users Who Logged Off Incorrectly Report prompts
Viewing sample auditing reports

1. 2. 3. 4. To view sample audit reports Log on to InfoView. Expand Public Folders. Select Auditing Reports to display the list of sample audit reports. Open the report you want to view.
To open a Web Intelligence audit report, click on the report you want to view. To open a Crystal Reports audit report, open the object package, and then open the report you want to view.
415
18
Auditing Reports Creating custom audit reports
Creating custom audit reports

This section contains information to help you understand the auditing database, the Activity universe and the information it records about audit actions. With this information, you can use Crystal Reports, Web Intelligence or Desktop Intelligence to create custom audit reports of user and system actions.
Auditing database schema reference

The auditing database contains six tables:
Audit_Event on page 416 Audit_Detail on page 417 Server_Process on page 418 Detail_Type table on page 420 Event_Type on page 419 Application_Type on page 419
The following diagram shows the Activity universe which is based on the auditing database.
Audit_Event
The Auditt_Event table stores one record per action that is audited and contains general information about each audit event.
416
18
Field
Server_CUID
Description Server process ID. Combined with the Event_ID to form the primary key for the Audit_Event table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table. Name of user who performed the action. Time for start of action in UTC (Coordinated Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports. Duration, in seconds, of the action that is audited. Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table. Info Object ID of object associated with the action. This number uniquely identifies an object. Field reserved for error codes generated by the Web Intelligence Report Server.
Event_ID
User_Name Start_Timestamp
Duration Event_Type_ID
Object_CUID Error_Code
Audit_Detail
The Audit_Detail table records more details about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details. There may be more than one record in this table for each audit action recorded in the Audit_Event table.
417
18
Field
Server_CUID
Description Server process ID. Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table. The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2. Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table. Information about the audit detail being recorded. For example, if the Detail_Type_Description were universe name, the detail text would contain the name of that universe.
Event_ID
Detail_ID
Detail_Type_ID
Detail_Text
Server_Process
The Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events. Field
Server_CUID Server_Name
Description Server process ID. Primary key for the Server_Process table. Machine name of the server that produced the action. That is, the host name. that generated the audit action. Foreign key to the Application_Type table.
Application_Type_ID A unique ID that identifies the type of application
418
18
Field
Server_FullName
Description Friendly name of the server that produced the action. The servers friendly name is the name displayed in the CMC. The default friendly name is
hostname.servertype.
Server_Version
Version of BusinessObjects Enterprise on server that produced the action.
Event_Type
The Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise Field
Event_Type_ID
Description Number that uniquely identifies the type of audit event that the entry represents.
Event_Type_Description Description of the type of audit event.
Application_Type
The Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers. Field Name
Application_Type_ID
Description A unique ID that identifies the type of application that generated the audit action. The description of the application generating the audit event.
Application_Type_Description
419
18
Detail_Type table
The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10. Field
Detail_Type_ID Detail_Type_Description
Description Number that uniquely identifies the type of audit detail that the entry represents. The description of the type of audit detail generated by the audit event.
Event_Type table reference

The following tables list the Event_Type_ID and Event_Type_Description of all events that can be audited in your system. For your convenience, these events are ordered according to the server that generates each type of event. CMS audit events Event_Type_ ID Event_Type_Description Description 65537 Concurrent user logon succeeded. Named user logon succeeded. User logged off. User password has been changed. User logon failed. Logon failed because there was no valid license key available. The user logged on successfully, using a concurrent user license. The user logged on successfully, using a named user license.
65538
65540 65541 65539
420
18
Event_Type_ ID Event_Type_Description Description 65542 New folder created. A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder. A folder is deleted. Note that this audit string will be recorded when a user account (and therefore the users folder) is deleted. The name, location, or description of the folder was changed. A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job. Cache Server audit events Event_Type_ ID Event_Type_Description 196609 Crystal report viewed successfully. A report could not be viewed. Description User successfully viewed a Crystal report that has saved or live data. User attempted to view a Crystal report, but was not successful.
65543
Folder deleted.
65544
Folder modified.
65545
Job failed. Reason: Unresponsive Job Server Child process.
196610
421
18
Job Server audit events For scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user. Event_Type Event_Type_Description _ ID 327681 Job successful. Description The object ran as scheduled (or requested) and the job completed successfully. The scheduled job did not complete successfully. The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see the BusinessObjects Enterprise Administrators Guide.
327682 327683
Job failed. Job failed. Job will be retried by the CMS.
Event Server audit events Event_Type_ ID Event_Type_Description 262145 Event registered Description User creates a file-based event that can be used to schedule objects. User deletes a file-based event. Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event. File-based event was initiated.
262146 262147
Event unregistered Event updated
262148
Event triggered
422
18
Application_Type table reference

Application_Type_ID Application_Type_Description 1 8 11 12 13 14 15 16 18 19 Unknown Application Web Intelligence Report Server Central Management Server (CMS) Cache Server Report Job Server Report Application Server (RAS) Event Server Program Job Server Destination Job Server Web Intelligence Job Server
Report Application Server audit events The Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.
423
18
Event_Type_ ID Event_Type_Description 458753
Description
Report was opened for User opened a report for viewing and/or modification viewing or modification. Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:
There are problems with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine A processing extension associated with the report aborts viewing, or fails. The report used Business Views and the user did not have permissions to refresh the underlying data connections. The machine running the RAS ran out of space in its temporary directory.
458754
Report was saved to the CMS.
An existing report was saved. Note: This

Event_Type_ID is
generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.
424
18
Event_Type_ ID Event_Type_Description 458755 Report was created and saved to the CMS
Description A new report was created and saved. This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details. The report could not be opened by the RAS. An existing report could not be saved by RAS. This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details. A newly created report could not be saved by RAS.
458756 458757
Report could not be opened. Report could not be saved to the CMS.
458758
Report could not be created in the CMS.
Web Intelligence Report Server audit events Event_Type_ ID Event_Type_Description Description 6 Get list of universes User accesses a list of universes as part of a document creation workflow. User saves a Web Intelligence document to BusinessObjects Enterprise. User opens an existing Web Intelligence document. User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.
Save document to repository Read document Selection of universe
11 13
425
18
Event_Type_ ID Event_Type_Description Description 19 Document refresh User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the refresh on open document property assigned. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. User has moved into Edit document mode. User applies a formatting change to a document, in a query panel. User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document. Appears when a user refreshes a document. User drills past the scope of the data currently in memory, and triggers a call to the database for more data.
21
List of values
22 28
Edit document Apply format
40
Get page
41 42
Generate SQL Drill out of scope
426
Customizing the appearance of Web Intelligence documents
appendix
Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents
Customizing the appearance of Web Intelligence documents

You can customize the default appearance of all new Web Intelligence documents created using the Web Intelligence Java Report Panel or the HTML - Query Panel. To do so, you must edit a file called defaultconfig.xml. By editing defaultconfig.xml, you can change the default appearance of many interface elements:
fonts and font sizes for tables, cells, chart axes, and so on background colors (wallpaper) lines and borders for cells and tables color palettes
The new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings. In the defaultconfig.xml file, settings are grouped by key value. (See List of key values on page 432.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start. For an example of how to modify the defaultconfig.xml file, see Example: Modifying the default font in table cells on page 433. Note:
You cannot use defaultconfig.xml to customize the appearance of the HTML Report panel. The defaultconfig.xml is also used by the REBean Editing SDK. For more information, see the developer documentation.
428
What you can do with the defaultconfig.xml file

With the defaultconfig.xml file, you can change certain aspects of the look and feel of Web Intelligence reports. You can make the reports adhere to your corporate visual guidelines. Heres what a Web Intelligence report looks like before changes are made to the defaultconfig.xml file:
429
By modifying a few settingsstable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell bordersdefault Web Intelligence tables and charts can look like this:
Locating and modifying defaultconfig.xml

To customize the default appearance of a new Web Intelligence document, you must edit the defaultconfig.xml associated with the report panel used to create that document. Each report panel has its own defaultconfig.xml file.
430
Desktop Intelligence Enterprise Java InfoView

If you deploy the Desktop Intelligence Enterprise Java InfoView, you can customize the default appearance of documents created using the Java Report Panel or the HTML-Query Report Panel. On Windows, you must edit the defaultconfig.xml files inside the desktop.war file. For additional information on modifying XML and .war files, see the BusinessObjects Enterprise Installation Guide. 1. 2. To update defaultconfig.xml in the .war file Stop the web application server if it is running. Find the desktop.war file. On Windows, its found at C:\Progam
Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications\desktop.war. On UNIX, its found at / bobje/enterprise11/java/applications/desktop.war.
3.
Extract defaultconfig.xml from the desktop.war file. For the Java Report Panel, extract
webiApplet\AppletConfig\defaultconfig.xml
For the HTML-Query Report Panel, extract WEBINF\classes\defaultconfig.xml
Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file. 4. 5. Make a backup of the defaultconfig.xml file. Open defaultconfig.xml, and make your changes. See List of key values on page 432 for information on the values you can change, and Example: Modifying the default font in table cells on page 433 for an example. 6. 7. 8. Save and close defaultconfig.xml. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the file into the correct directory within the .war file. Restart your web application server and redeploy desktop.war. See the BusinessObjects Enterprise Installation Guide for details.
Desktop Intelligence Enterprise .NET InfoView

If you deploy the Desktop Intelligence Enterprise .NET InfoView, you can customize the appearance of new documents created using the Java Report Panel. To customize the appearance of reports created with the Java Report Panel, edit the copy of defaultconfig.xml found at:
C:\Program Files\Common Files\Business Objects\3.0\java\webiApplet\AppletConfig
431
List of key values

In the defaultconfig.xml file, settings are grouped by key value. The following table lists the key values and the corresponding interface elements. Key value Block*defaultBg Block*selectionBg Cell*selectionColor cell_skin0,report_skin0, section_skin0,bloc_skin0 freeCell*default freeCell*section graph*Data graph*Graph graph*Palette*0 graph*Palette*1 graph*Wall graph*YGrid graph*ZGrid graph*XLabels graph*YLabels graph*ZLabels graph*XValues graph*YValues graph*ZValues page*default Section*arrowColor Section*background Section*selectionColor table*AltBody table*body table*BodyForm Interface element Background colors for blocks Background colors for selected blocks Selected cell color Combo default skin Free cells (not section cells) Section cells Removing black line around bar charts General settings for graphs Adding a new color palette Adding a new color palette Default background colors for charts Color for horizontal grid (Y axis) Removing X-axis and Z-axis grid X-axis labels in a graph Y-axis labels in a graph Z-axis labels in a graph X-axis values in a graph Y-axis values in a graph Z-axis values in a graph Default page layout. For example: A4, Letter; portrait or landscape. Color of section arrow General settings for sections Color of selected section arrow Alternate body cells in a table Body cells in a table Body cells in a form
432
Key value table*ExtraHeader table*Footer table*Form table*Header table*HeaderForm table*Table UI*default
Interface element Object name cells in a crosstable Footer cells in a table General settings for forms Header cells in a table Header cells in a form General settings for tables Custom fonts
Example: Modifying the default font in table cells

You can modify the default font to another font available on your system, including non-standard fonts that you install on the server. The default font is Arial. This setting is found in the table*Body key value in the defaultconfig.xml file. Languages and fonts must be supported on the client machine for correct display. In addition, all fonts must be defined in the fontalias.xml file. Note: To change the default appearance of Web Intelligence documents created in a report panel, you must modify and deploy the correct copy of the defaultconfig.xml file. See Locating and modifying defaultconfig.xml on page 430 for more information. 1. 2. 3. To modify the default font Make a backup of the defaultconfig.xml file. Open the defaultconfig.xml file. Find the table*Body key value. Heres what it looks like:
433
4.
To change the default font for specified languages, enter the font name after FACE=. For example, to change only Japanese to a font named SpecialFont, you would enter:
<FONT xml:lang="ja" FACE="SpecialFont" ...
5.
To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=. Note: You must modify the default font values separately for each language you want to change.
6. 7.
Modify any other attributes you want, such as font size. Save and close the defaultconfig.xml file.
434
Server deployment and firewall configuration
appendix
Server deployment and firewall configuration About this appendix
About this appendix

This appendix uses a sample deployment to demonstrate how to configure Business Objects Enterprise servers and firewalls in complex deployment scenarios. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about developing your own deployment plan, see Planning Your Deployment on page 57. This appendix contains:
Information on how BusinessObjects Enterprise components communicate across the network. Instructions for configuring BusinessObjects Enterprise servers. Instructions for configuring firewalls to allow BusinessObjects Enterprise components to communicate with each other. Help for deploying BusinessObjects Enterprise servers on machines with more than one Network Interface Card (NIC). A list of unsupported deployment scenarios. BusinessObjects Enterprise servers and clients are separated from each other by one or more firewalls. BusinessObjects Enterprise servers are deployed on machines with more than one Network Interface Card.
This appendix is relevant to the following deployment scenarios:
If all BusinessObjects Enterprise components are deployed entirely on the same subnet, and if no server is deployed on a multi-homed machine, then you do not need the information in this appendix.
Understanding how BusinessObjects Enterprise servers communicate

This section explains how BusinessObjects Enterprise servers communicate with each other using CORBA. This information will help you to understand how to configure BusinessObjects Enterprise servers and the firewalls that separate them.
436
Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate
Using CORBA to communicate

BusinessObjects Enterprise clients and servers use CORBA to communicate with each other. A BusinessObjects Enterprise server extends a service that other clients or servers can discover and invoke. BusinessObjects Enterprise clients and servers store a reference to a servers service. The reference is a CORBA reference called an Interoperable Object Reference (IOR). The IOR contains the host name or host IP address plus the port number of the machine that the service runs on.
Registering with the CMS

All BusinessObjects Enterprise servers must register with the CMS when they start up. This process uses the following steps: 1. The server contacts the CMS. A BusinessObjects Enterprise server contacts the CMS on the CMSs bootstrap port. The CMS bootstrap port is specified in the BusinessObjects Enterprise servers -ns <cms host name:nameserver_port> option. The CMS returns an IOR that refers to its CMS factory service. BusinessObjects Enterprise servers use the CMS factory service for all CORBA communication with the CMS. 2. The server builds its service IOR. A BusinessObjects Enterprise servers service IOR contains the services host name or IP address and port number.
If the -port <host name or host address> option is set, the BusinessObjects Enterprise server uses the specified host name or host address in the IOR. If its -port option is not set, the server makes a system call to its host machine to discover its IP address. (On a multihomed machine, this call typically returns the machines main IP address). If the -requestport <port number> option is set, the BusinessObjects Enterprise server uses the specified port number in the IOR. Otherwise, the BusinessObjects Enterprise server chooses chose a port at random. If your BusinessObjects Enterprise components are separated from each other by firewalls, you should use the -requestport option. Then you can open that specific port in your firewall.
3.
The server registers with the CMS.
437
Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate
The BusinessObjects Enterprise server registers with the CMS via the CMS factory service. The CMS creates a server infoObject to represent the BusinessObjects Enterprise server. The infoObject contains the BusinessObjects Enterprise servers host name, the IOR it passed in, and other information. (You can look in the System Objects table in the CMS Repository to see a list of server infoObjects.) Note: The CMS uses two ports. Every BusinessObjects Enterprise server must be able to contact the CMS on both ports.
Communicating with client applications

Client applications can be web applications such as Infoview or the CMC that are hosted in an application server. They can also be thick clients such as Crystal Reports or Desktop Intelligence. (All client applications contain the BusinessObjects Enterprise SDK.) BusinessObjects Enterprise servers publish services. Client applications use these services to interact with the BusinessObjects Enterprise system. BusinessObjects Enterprise servers can live anywhere on the network. When a client application needs to use a BusinessObjects Enterprise servers service, it first asks the CMS for the servers IOR, then uses the IOR to invoke the servers service. Note: Each client application must be able to contact both the CMS bootstrap port and the CMS Factory service. 1. The client application requests a service from the CMS. Users enter the CMS host name and (optionally) the bootstrap port number when they log on to the BusinessObjects Enterprise system. Port 6400 is used if no bootstrap port number is entered. The CMS returns the IOR for the requested service. The IOR contains the services host and port. 2. The client contacts the service on the host and port that was specified in the service IOR. The IOR may be passed through one or more firewalls. The host and port number in the IOR are passed as opaque strings through the firewall, and no Network Address Translation (NAT) will be applied to them. Therefore, the services host and port must be routable from the client. If the firewall uses NAT, then the IOR should contain the services host name instead of the host IP address. Note: The services host and port must be routable from the client. If the firewall uses NAT, the IOR should contain the services host name, not the host IP address.
438
Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers
Configuring BusinessObjects Enterprise servers

BusinessObjects Enterprise servers have many configuration parameters as detailed in the end user administration guide. This section describes only the -port, -requestport, and -ns option. These options affect:
Whether the IOR contains a specific port or a randomly-selected port This is important if BusinessObjects Enterprise components must contact each other through a firewall. Whether the IOR contains host IP address or host name This is important if your firewall uses NAT. Whether the server listens on any port or only the specified port Whether the server listens on any NIC or only the specified NIC This can be important when you deploy multiple CMS servers on the same machine, or when you deploy a BusinessObjects Enterprise server on a machine with more than one NIC.
Note: When you change a servers configuration parameters you must force the BusinessObjects Enterprise system to recognize the changes. See Frequently Asked Questions on page 443.
Configuring the CMS server

Syntax
-port <FQDN:port|host_address:port> -requestport <port>
Examples
-port servername.example.com:6401 -requestport 6499 -port 10.50.1.2:6400 -requestport 6410 -port servername.example.com
439
Parameter
-port
Description (CMS server) Description Optional. Forces the CMS to listen on the specified host and port. Forces the CMS factory service IOR to contain the specified host name or host IP address. If not specified CMS server makes a system call to determine the IP address of its host machine, and uses port 6400 by default. CMS factory service IOR will contain the host IP address. Allowed settings -port FQDN -port FQDN:port -port host_address -port host_address:port Relationship to other servers Other CMS servers must know how to contact the CMS. A servers -ns option contains the CMS host and port that the server will contact when it starts up. If you change the -port parameter on the CMS, you must update the -ns parameter of all other servers in the cluster. Optional. Forces the CMS to accept CORBA communication on the specified port only. If not specified CMS will accept CORBA communication on any port. The CMS factory service IOR will contain a randomly-chosen port.
When to use If BusinessObjects Enterprise components must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT to resolve the host name to a routable address. If more than one CMS server is deployed on the same machine. If you deploy multiple CMS servers on the same machine, you must bind each CMS Name Server to its own port.
(specifies the bootstrap host and port)
-requestport Description
(CMS Factory service)
CMS must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this CMS from any BusinessObjects Enterprise servers, client applications, or the Application server. Open the specified port in the firewall.
440
Configuring non-CMS servers

Syntax
-port FQDN -requestport port -ns cmsFQDN:port
Example
-port servername -requestport 6409 -ns servername.example.com:6400 -requestport 6409
Parameter
-port
Description (non-CMS server) Description Optional. Binds the service to the specified NIC. The service accepts communication only on the specified NIC. The server itself can still use any NIC when initiating communication. (It uses the host machines routing tables to ensure it chooses the right NIC.) If not specified Server can listen on any NIC. IOR will contain IP address, not host name. Allowed settings -port FQDN (IOR uses the host name) -port host_address (IOR uses the IPaddress)
When to use If this server must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT are able to resolve the host name to a routable address.
(Specifies host for the IOR. Has nothing to do with port numbers)
441
Parameter (specifies port number)
Description (non-CMS server) Optional. Forces the server to accept communication on the specified port only. The server can still talk out any port. If not specified Server will accept communication on any port. The services IOR will contain a randomly-chosen port Description Required. Tells the server where to find the CMS. Allowed settings Must match the -port option set on the CMS server. If the CMS server does not have the -port option set, use the host name on which the CMS server is deployed plus port 6400. The CMS bootstrap host and port must be routable from this servers host machine.
When to use Server must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this server from the CMS or any other BusinessObjects Enterprise servers. Open the specified port in the firewall. Always specified. (If CMS clusters are used, the server is guaranteed to use the host and port specified in the -ns parameter only for the very first contact with the CMS. At this point, a list of the bootstrap ports from all CMS servers in the cluster is added to the registry on the servers host machine. Any one of those CMS might be used in subsequent start-ups.)
-requestport Description
-ns
(the bootstrap host and port for the CMS that this server must contact when it starts up.)
Configuring Job Servers for firewalls

If a firewall separates a Job Server from any other BusinessObjects Enterprise server, perform the following steps:
On each Job Server, specify a port range for the Job Server children:
-requestJSChildPorts <lowestport>-<highestport>
All Job Server children will be bound to a port from within the specified range. Note that the port range should never exceed the -maxJobs setting. Note: If -requestJSChildPorts is not set, then Job Server children will be bound to a randomly-selected port.
On the firewall, open the specified port range. Allow communication in both directions between the Job Server children and all BusinessObjects Enterprise servers. On the firewall, open the following additional ports (for Destination Job Servers):
442
port 21 and 22 for FTP in and FTP out (for sending objects to an FTP destination) port 25 for SMTP out (for sending objects to an email destination) (UNIX only) ports 512 and 514 for rexec/rsh out (for sending objects to a disk destination)
Note: For the purposes of configuring your firewall, assume that the Job Server must talk to every other server.
Frequently Asked Questions

This section contains common questions about configuring BusinessObjects Enterprise servers and firewalls. Do I need to allow BusinessObjects Enterprise components inside the firewall to access components outside the firewall? No platform server needs to initiate contact with the client. I added or changed -port and/or -requestport options, but the changes were not picked up. If you change a servers parameters, you must: 1. 2. 3. In the CMC, delete the server. Restart the server. Re-enable the server.
Note: If you change the CMS bootstrap host and/or port, you must update the -ns option for the other BusinessObjects Enterprise servers in the cluster. Should the -name option match the -port option? No, the -name option does not have to match the -port option. However, the -name option must be unique in the CMS cluster, and must contain at least one "." character. Im deploying a CMS or other BusinessObjects Enterprise server on a multihomed machine. Should I do anything special? See Configuring a multihomed machine on page 149. Should I configure a server with its host name or its fully qualified domain name? The service's IOR must contain a host and port number that is routable from all other BusinessObjects Enterprise components that need to use the server. In general, it is better to use the server machine's fully qualified domain name (FQDN). However, in some cases you might actually want to use the server machine's host name.
443
Server deployment and firewall configuration Configuring firewalls
Consider the following example. Your File Repository Server is on a machine called myhost.domain.com with an IP address of 987.654.32.1. From the application servers point of view, myhost.domain.com resolves to 987.654.32.1. In this case, you can use the FQDN for the -port option on the FRS. However if you use only the host name myhost for the -port option, the application server might not be able to resolve myhost to the correct address. The host name may resolve to an incorrect address, such as myhost.olddomain.com. However, there are situations where you may need to configure a server with its host name instead of its FQDN. For example, you might have a firewall between the application server and the CMS. On the client side of the firewall, the host name could resolve to myhost.fwdomain.com. On the CMS side of the firewall, the host name could resolve to myhost.secure.com. You could configure your network so that myhost.fwdomain.com:6400 is forwarded to myhost.secure.com:6400. In this case, you can configure the FRS with the host name instead of the fully qualified domain name.
Configuring firewalls
This section explains how to configure firewalls in different deployment scenarios. This appendix talks about firewalls as hardware devices that are deployed on the network. However, these concepts also apply to software firewalls running on any BusinessObjects Enterprise or non-BusinessObjects Enterprise machine. For example, you may also need to open holes in any software firewall that is running on the same machine as your BusinessObjects Enterprise servers. The following table summarizes general guidelines for configuring firewalls to work with BusinessObjects Enterprise servers:
444
Server CMS server
Configuration Set -port <FQDN>:<port> if the CMS must communicate across firewalls. If the firewalls use NAT, you must use the host name. If the firewalls do not use NAT, you can use the host name or the IP address. Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestport if the CMS must communicate across firewalls This applies to all deployments in which BusinessObjects Enterprise components must communicate through firewalls. Setting requestport forces a service to listen on the specific port. You can then open that port on the firewall. Note: CMS servers may be clustered. If so, you need to configure the firewall for each CMS in the cluster.
BusinessObjects Set -port <FQDN> if the server must communicate Enterprise server across firewalls that use NAT (non-CMS server) Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestPort <port> if the server must communicate across firewalls Description is the same as for the CMS server. Additional servers If you add another server on the same machine, you need to open another hole in the firewall. Also note that each new server must have a friendly name that is unique across the entire deployment. That is, no other server registered with the Name Server should have that friendly name. For example, assume you used the Central Configuration Manager -> Add Server to add a second Page server to a machine. If that second Page server needs to communicate across a firewall, you must open a hole in the firewall. Special consideration for Job Servers See Configuring Job Servers for firewalls on page 442.
445
Not every BusinessObjects Enterprise component needs to initiate communication with every other BusinessObjects Enterprise component. However, without knowing exactly which components need to communicate in which workflows, it is safer to assume all of these points are true. You must then open the corresponding ports in any firewalls that separate these components.
Every BusinessObjects Enterprise server must be able to initiate communication with the CMS (both on the bootstrap host and port and the CMS factory service). Every CMS (both bootstrap port and factory service) must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise server must be able to initiate communication with ever other BusinessObjects Enterprise server. Note: This is not always true, but it is easier to assume that it is. Most servers need to talk to both the input and the output FRS. Some types of Job Servers need to talk to their related processing servers. EPM (Performance Management) servers typically need to talk to each other.
Job Servers children need a port range. These servers spawn child processes. These child processes will be assigned a random port unless you specify a port range. Remember that Destination Job Servers use additional ports. See Configuring Job Servers for firewalls on page 442. Every BusinessObjects Enterprise web client and thick client must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise client must be able to initiate communication with the Application Server, and vice versa. This is only a concern on IIS, where the Application Server and the Web Server can be deployed separately.
Should you assume that every BusinessObjects Enterprise server must be able to initiate communication with every BusinessObjects Enterprise client? No. No Platform server needs to initiate contact with the client.
446
Example: A firewall between the application server and BusinessObjects Enterprise servers
When you put a firewall between the application server and the BusinessObjects Enterprise servers, you must open a port for every BusinessObjects Enterprise server. Consider the following example. Assume that an application server (210.32.24.1) and the rest of the BusinessObjects Enterprise servers are on different subnets, with a firewall between them. The firewall uses Network Address Translation (NAT). In this example, the servers are configured as follows:
Server CMS (192.169.10.1) Page Server (192.168.10.2) Cache Server (192.168.10.3)
Configuration
-port host1 -requestport 6499 -port host2 -requestport 6401 -ns host1:6400 -port host3 -request 6401 -ns host1:6400
When configuring the CMS in this situation, consider the following:
-port FQDN was specified because communication must cross a firewall
that uses NAT. Port 6400 will be used for the bootstrap port, because no other port was specified.
-requestport 6499 was specified because communication must cross
a firewall. Port 6499 will be opened in the firewall. When configuring other servers in this situation, consider the following:
-port FQDN was specified because communication must cross a firewall
that uses NAT. Of course, you never specify a port number on this option for non-CMS servers.
-requestport port was specified because communication must cross
a firewall. We will open the specified ports in the firewall.\

-ns must always be specified. It matches the -port host:port parameter that was configured on the CMS server.
When configuring the firewall in this situation, consider the following:
447
Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines
Why are we opening this?
Source
Destination 192.168.10.1:6400
Permissions allow
Application server initiates 210.32.24.1:any communication with CMS Factory Service Application server initiates communication with CMS Application server initiates communication to Page Server Application server initiates communication to Cache Server Do BusinessObjects Enterprise servers ever initiate communication with application server? 210.32.24.1:any 210.32.24.1:any 210.32.24.1:any
192.168.10.1:6499 192.168.10.2:6401 192.168.10.3:6401
allow allow allow
No. However the RAS viewer initiates communication with one or more clients.
Deploying BusinessObjects Enterprise on multihomed machines

This section describes special considerations for deploying a BusinessObjects Enterprise server on a multhihomed machine. Note: To deploy BusinessObjects Enterprise on multihomed machines, you may need a patch. See This scenario requires a patch on page 450 Can BusinessObjects Enterprise servers benefit from the increased bandwidth of having multiple NICs on the same subnet? Traffic coming in to the server will always come in on the host and port specified in the services IOR (this is true whether or not you configure a server with -port). However, the server can use any NIC to initiate communication. The -port option binds a service to a particular NIC. Can the server still "talk out" any NIC? When you use the -port option, a service binds to a particular NIC. The service will accept communication only on the specified NIC. Once the request is made and the connection is established, all inbound and outbound communication for that connection will happen on that NIC.
448
However, if the server needs to initiate communication to another BusinessObjects Enterprise component, it can use any NIC. The server will use its host machines routing tables to ensure it initiates communication via the correct NIC.
Multihomed machines with NICs on the same subnet

In some scenarios BusinessObjects Enterprise servers are deployed on machines with more than one NIC, and each NIC is on the same subnet. This is typically done for load balancing. In this case is possible that:
Each NIC had its own IP address, or Every NIC shares a common IP address, plus has its own IP address (This implementation can occur with some load balancing products such as Microsoft Load Balancer.)
What happens if -port is not specified You do not always have to set the -port option when you deploy BusinessObjects Enterprise servers on multihomed machines. This section explains what happens if you do not specify -port. What IP address goes in the IOR? If you do not specify -port, the BusinessObjects Enterprise server will make a system call to its host machine to discover its IP address. The IP address returned from the system call will be used in the services IOR. (On some Windows OS versions, the host machine will pick the IP address of the first NIC in the binding order. ) BusinessObjects Enterprise server can receive communication from any NIC If you do not specify -port, the BusinessObjects Enterprise server can listen on any NIC. Considerations when -port <FQDN> is specified If communication crosses a firewall that uses NAT, you probably need to specify -port <FQDN> so that the service IOR contains the host name instead of the host IP address. However, if this option is set, your service will only accept communication from a single NIC. Host name is resolved to a specific IP address If you set -port <FQDN>, the services IOR contains the host name. However, the host name must still be resolved to an IP address before it is routed. If more than one NIC has the same host name, is up the host machine to choose the IP address.
449
This scenario requires a patch The CMS must be patched if other BusinessObjects Enterprise servers are deployed on machines with multiple NICs that connect to the same subnet. 1. When a server starts, it registers with the CMS. The CMS stores the servers host name and other information. The CMS stores the host name that the server used to register. 2. Later, the server may make another call to the CMS to log on. This logon might occur during a schedule, view, or other operation. It does not have to occur during a regular user logon. 3. If the server sends the logon request to the CMS via a different NIC than the registration request, the CMS will reject the logon. The logon will fail.
Multihomed machines with NICs on different subnets

BusinessObjects Enterprise servers can be deployed on multihomed machines where each NIC is on a different subnet. For example, you can have a machine with both a public and a private network. Or you can have a laptop with both a wireless and a LAN connection. The example below illustrates potential deployment problems on machines with multiple NICs on different subnets.
Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected
This problem exists because the BusinessObjects Enterprise servers are deployed across different subnets which are not reachable from each other. In the example below, machines on one subnet are not routable from machines on the other subnet. The application server is on one subnet and the FRS is on the other. The CMS is deployed on a mulihomed machine that is connected to both subnets. You will see this problem whether or not you configure the CMS with the port option. Whether or not -port is set, the CMS always puts only one IP address in its IOR. If you cannot route between the two subnets, then either the application server or the FRS cannot reach the CMS's factory service IOR. To resolve this issue, you need to set up a network path between the two subnets.
450
Server deployment and firewall configuration Summary of unsupported deployment scenarios
Binding to a particular NIC

Typically, you only set -port <fqdn> when your BusinessObjects Enterprise components must communicate across a firewall that uses NAT, and that firewall cannot route internal IP addresses. However, in some deployment scenarios that use multihomed machines, you may need to use -port to force a server to bind to a particular NIC. For example, the CMS is deployed on a machine with two NICs. NICA connects to the main subnet on which all the BusinessObjects Enterprise components are deployed. NICB connects to the backup subnet. The CMSs IOR must contain NICA, not NICB. If NICA has a higher binding order than NICB, the CMS will probably use NICA in its IOR (this might depend on many factors including OS version). If the CMS does not use NICA in its IOR by default, you must configure the CMS server with the option -port NICA:port.
Summary of unsupported deployment scenarios

Deployment Scenario Why is this not supported? Port Address Translation You cannot separate BusinessObjects Enterprise (PAT) or NAT in Hide components with Firewalls using PAT or NAT in mode Hide mode, because these technologies swap out the port number in the TCP connection. BusinessObjects Enterprise clients hold an IOR to BusinessObjects Enterprise services; that IOR has a port number that must be routable from the client. BusinessObjects This scenario must be patched. See This Enterprise servers (non- scenario requires a patch on page 450. CMS servers) deployed on multihomed machines with NICs on the same subnet. BusinessObjects Enterprise servers deployed on multihomed machines but divided by firewalls that use NAT. You must plan this scenario carefully. You need to use the -port <FQDN> option on all servers so the IORs can be routed through the firewalls, but this also causes your servers to bind to the specified NIC.
451
Server deployment and firewall configuration Summary of unsupported deployment scenarios
Deployment Scenario Firewalls and SSL
Why is this not supported? If you are deploying BusinessObjects Enterprise components in an environment where they use SSL to communicate, and the communication must cross firewalls, then you need a patch. If you deploy BusinessObjects Enterprise clients and servers across different subnets, there must be a network path between the subnets. The BusinessObjects Enterprise components must be able to contact each other.
BusinessObjects Enterprise components deployed across two or more subnets, where there is no network path between the subnets.
452
Server Command Lines
appendix
Server Command Lines Command lines overview
Command lines overview

When you start or configure a server through the Central Management Console (CMC) or the Central Configuration Manager (CCM), the server is started (or restarted) with a default command line that includes a typical set of options and values. In the majority of cases, you need not modify the default command lines directly. Moreover, you can manipulate the most common settings through the various server configuration screens in the CMC and the CCM. For reference, this section provides a full listing of the command-line options supported by each server. You can modify each servers command line directly if you need to further customize the behavior of BusinessObjects Enterprise. Throughout this section, values provided in square brackets [ ] are optional. To view or modify a servers command line The procedure for viewing or modifying a servers command line depends upon your operating system:
On Windows, use the CCM to stop the server. Then open the servers Properties to modify the command line. Start the server again when you have finished. On UNIX, run ccm.sh to stop the server. Then edit ccm.config to modify the servers command line. Start the server again when you have finished. Note: On UNIX, each servers command line is actually passed as an argument to the crystalrestart.sh script. This script launches the server and monitors it in case an automatic restart is required. For more information, see UNIX Tools on page 473.
454
Server Command Lines Standard options for all servers
Standard options for all servers

These command-line options apply to all of the BusinessObjects Enterprise servers, unless otherwise indicated. See the remainder of this section for options specific to each type of server. Option
-name
Valid Arguments Behavior string Specify the friendly name of the server. The server registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertype Note:
Do not modify -name for a CMS. If you modify -name for an Input or Output File Repository Server, you must include Input. or Output. as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).
-ns
cmsname[:port Specify the CMS that the server should register with. Add port if the CMS is not listening on the default (6400). This ] option does not apply to the CMS itself. Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024. Note: This port is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.
-requestPort port
455
Server Command Lines Central Management Server
Option
-port
Valid Arguments Behavior [interface:][ Bind WCA or CMS to the specified port, or to the port] specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments. Note:
Use -port port or -port interface:port for WCA and CMS. Use -port interface for other servers. The port command is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide. If you change the default port value for the CMS, you must perform additional system configuration. For more information please see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.
-restart -fg
Server restarts if it exits with an unusual exit code. UNIX only. Run the daemon in the foreground. When passing the servers command line to the crystalrestart.sh script, you must use this option (see ccm.config). If you run the servers command line directly, do not use this option, because the foreground process blocks the shell until the server exits.
UNIX signal handling

On UNIX, the BusinessObjects Enterprise daemons handle the following signals:
SIGTERM results in a graceful server shutdown (exit code = 0). SIGSEGV, SIGBUS, SIGSYS, SIGFPE, and SIGILL result in a rapid
shutdown (exit code = 1).

This section provides the command-line options that are specific to the CMS. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CrystalMS.exe
The default path to the server on UNIX is:
456
INSTALL_ROOT/bobje/enterprise11/platform/boe_cmsd
457
Option
-threads -reinitializedb
Valid Behavior Arguments number Use a thread pool of the specified size. The default is one thread per request. Cause the CMS to delete the system database and recreate it with only the default system objects. Force the CMS to quit after processing the reinitializedb option. number Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients. Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000. Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10. Specify interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.). Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)
-quit -receiverPool
-maxobjectsincache
number
-ndbqthreads
number
-AuditInterval
minutes
-AuditBatchSize
number
458
Server Command Lines Page Server and Cache Server
Option
-auditMaxEventsPerFile
Valid Behavior Arguments number Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file. Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)
-AuditeeTimeSyncInterval minutes
Page Server and Cache Server

The Page Server and the Cache Server are controlled in much the same way from the command line. The command-line options determine whether the server starts as a Page Server, a Cache Server, or both. Options that apply only to one server type are noted below. The default paths to the servers on Windows are:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
The default paths to the servers on UNIX are:

INSTALL_ROOT/bobje/enterprise/platform/boe_cachesd INSTALL_ROOT/bobje/enterprise11/platform/boe_pagesd
459
Server Command Lines Page Server and Cache Server
Option
-cache -dir
Valid Arguments
Behavior Enable Cache Server functionality.
absolutepath Specify the cache directory for a Cache Server and the temp directory for the Page Server. The directories created are absolutepath/cache and
absolutepath/temp
-deleteCache -psdir -refresh -maxDBResultRecords
Delete the cache directory every time the server starts and stops. absolutepath Specify the temp directory for the Page Server. This option overrides -dir. minutes number Share cached pages for the specified number of minutes. Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero). Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server. absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. number On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.
-noautomaticdbdisconnect
-report_ProcessExtPath
-auditMaxEventsPerFile
460
Server Command Lines Job servers
Job servers
This section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
The default paths to the server on UNIX are:

INSTALL_ROOT/bobje/enterprise11/platform/boe_reportjobsd INSTALL_ROOT/bobje/enterprise11/platform/boe_programjobsd
Option
-dir -lib
Valid Arguments absolutepath
Behavior Specify the data directory for the Job Server.
processinglibr Specify the processing library to load: ary procReport or
procProgram
Loading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.
-objectType
progID
The program ID of the processing library, which determines the class of object supported by the Job Server: CrystalEnterprise.Report or
CrystalEnterprise.Program Used with -lib to specify whether the
Job Server becomes a Report Job Server or a Program Job Server.
-maxJobs
number
Set the maximum number of concurrent jobs that the server will handle. The default is five. Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.
-requestJSChildPorts
lowerboundupperbound
461
Server Command Lines Report Application Server
Option
Valid Arguments
Behavior Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
-report_ProcessExtPath absolutepath
-auditMaxEventsPerFile number

This section provides the command-line options that are specific to the Report Application Server. The default path to the server on Windows is:
C:\Program Files\Common Files\Business Objects\3.0\ bin\crystalras.exe

INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd
Option
-ipport
Valid Arguments port
Behavior Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise). Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide.
-report_ProcessExtPath absolutepat
462
Server Command Lines Report Application Server
Option
-ProcessAffinityMask
Valid Arguments mask
Behavior Use a mask to specify exactly which CPUs that RAS will use when it runs on a multiprocessor machine. The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted). For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110. Note:
RAS uses the first permitted processors in the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110. The default value of the mask is -1, which has the same meaning as 0x1111.
Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
463
Server Command Lines Web Intelligence Report Server

This section provides the command-line options that are specific to the Web Intelligence Report Server. The default paths to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe

INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd
Option
-ConnectionTimeout Minutes -MaxConnections
Valid Arguments minutes number
Behavior Specify the number of minutes before the server will timeout. Specify the maximum number of simultaneous connections that the server allows at one time. Enables caching of Web Intelligence documents when the document is being viewed. Enables real time caching of Web Intelligence documents.
-DocExpressEnable
-DocExpressRealTime CachingEnable -DocExpressCache DurationMinutes -DocExpressMaxCache SizeKB -EnableListOfValues Cache -ListOfValuesBatchSize number -UniverseMaxCacheSize -WIDMaxCacheSize
minutes kilobytes
Specify the amount of time (in minutes) that content is stored in cache. Specify the size of the document cache. Enables the caching per user sessions of lists of values Specify the maximum number of values that can be returned per list of values batch. Specify the number of universes to be cached. Specify the maximum number of Web Intelligence documents that can be stored in cache.
number number
464
Server Command Lines Input and Output File Repository Servers
Input and Output File Repository Servers

This section provides the command-line options that are specific to the Input and Output File Repository Servers. The default paths to the servers on Windows are:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
The default paths to the program that provides both servers on UNIX are:
INSTALL_ROOT/bobje/enterprise11/platform/boe_inputfilesd INSTALL_ROOT/bobje/enterprise11/platform/boe_outputfilesd Note: If you modify -name for an Input or Output File Repository Server, you
must include Input. or Output. as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK). Option
-rootDir
Valid Arguments
Behavior
absolutepath Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory. Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.
-tempDir
absolutepath Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting). minutes Specify the number of minutes after which an idle session is cleaned up.
-maxidle
465
Server Command Lines Event Server
Event Server
This section provides the command-line options that are specific to the Event Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe

INSTALL_ROOT/bobje/enterprise11/platform/boe_eventsd
Option
-poll -cleanup
Valid Arguments seconds minutes
Behavior Specify the frequency (in seconds) with which the server checks for File events. Specify the frequency (in minutes) with which the server cleans up listener proxies. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.
466
Rights and Access Levels
appendix
Rights and Access Levels Rights
Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK. Description used in the CMC Respect current security by inheriting rights from parent groups Respect current security by inheriting rights from parent folders Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Define server groups to process jobs Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data View objects that the user owns Edit objects that the user owns Modify the rights users have to objects that the user owns Name used in the SDK AdvancedInheritGroups AdvancedInheritFolders ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightPickMachines ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport ceRightOwnerView ceRightOwnerEdit ceRightOwnerModifyRights
468
Rights and Access Levels Access levels
Description used in the CMC Delete objects that the user owns Delete instances that the user owns View document instances that the user owns
Name used in the SDK ceRightOwnerDelete ceRightOwnerDeleteInstance ceRightOwnerViewInstance
Pause and resume document instances ceRightOwnerPauseResumeSche that the user owns dule
Access levels
This section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC). Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see Object rights for the Report Application Server on page 472.
No Access
This access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.
View
Description used in the CMC View objects View document instances Name used in the SDK ceRightView ceRightViewInstance
Schedule
Description used in the CMC View objects Schedule the document to run Name used in the SDK ceRightView ceRightSchedule
469
Rights and Access Levels Access levels
Description used in the CMC Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Export the reports data Edit objects that the user owns Pause and resume document instances that the user owns
Name used in the SDK ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerPauseResumeSchedule
Delete instances that the user owns ceRightOwnerDeleteInstance
View On Demand
Description used in the CMC View objects Schedule the document to run Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Refresh the reports data Export the reports data Edit objects that the user owns Delete instances that the user owns Pause and resume document instances that the user owns Name used in the SDK ceRightView ceRightSchedule ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightRefreshOnDemandRepo rt ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerDeleteInstance ceRightOwnerPauseResumeSchedule
470
Rights and Access Levels Default rights on the top-level folder
Full Control
Description used in the CMC Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data Name used in the SDK ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemandRe port ceReportRightPageServerExport
Define server groups to process jobs ceRightPickMachines
Default rights on the top-level folder

The top-level BusinessObjects Enterprise folder serves as the root for all other folders and objects that you add to the system. This folder provides the following rights by default:
The Everyone group is granted the Schedule access level. The Administrators group is granted the Full Control access level.
471
Rights and Access Levels Object rights for the Report Application Server
Object rights for the Report Application Server

To allow users to create or modify reports over the Web through the Report Application Server (RAS), you must have RAS Report Modification licenses available on your system. You must also grant users a minimum set of object rights. When you grant users these rights to a report object, they can select the report as a data source for a new report or modify the report directly:
View objects (or View document instances, as appropriate) Edit objects Refresh the reports data Export the reports data
User must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise. To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), its recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right. When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.
472
UNIX Tools
appendix
UNIX Tools UNIX tools overview
UNIX tools overview

The UNIX distribution of BusinessObjects Enterprise includes a number of scripts that, together, provide you with all the configuration options that are available in the Windows version of the Central Configuration Manager (CCM). There are a number of other scripts that provide you with UNIXspecific options or serve as templates for your own scripts. Also, there are several secondary scripts that are used by BusinessObjects Enterprise. Each script is described here and the command-line options are provided where applicable.
Script utilities
This section describes the administrative scripts that assist you in working with BusinessObjects Enterprise on UNIX. The remainder of this help discusses the concepts behind each of the tasks that you can perform with these scripts. This reference section provides you the main command-line options and their arguments.
ccm.sh
The ccm.sh script is installed to the bobje directory of your installation. This script provides you with a command-line version of the CCM. This section lists the command-line options and provides some examples. Note:
Arguments in square brackets [ ] are optional. By default, servers are named with a hostname.servertype convention. If the option requires the server name, use servertype as the server name. If the option requires the fully qualified server name, use hostname.servertype. If you are unsure of a servers fully qualified name, look in the ccm.config file, locate the servers launch string, and use the value that appears after the -name option.
474
UNIX Tools Script utilities
CCM Option
-help -start -stop
Arguments denoted by other authentication information are provided in the second table. Valid Arguments n/a
all or servername all or servername
Description Display command-line help. Start each server as a process. Use the short form of the server name. Stop each server by terminating its Process ID. Use the short form of the server name. Stop each server by terminating its Process ID; then each server is started. Use the short form of the server name.
-restart
all or servername
-enable
all or hostname.servertype Enable a started server so that it [other authentication registers with the system and starts information] listening on the appropriate port. Use the fully qualified form of the server name. all or hostname.servertype Disable a server so that it stops [other authentication responding to BusinessObjects information] Enterprise requests but remains started as a process. Use the fully qualified form of the server name.
-disable
-display
server [other authentication information]
Reports the servers current status (enabled or disabled). The CMS must be running before you can use this option. Update objects migrated from a previous version of BusinessObjects Enterprise into your current CMS system database. Use this option after running cmsdbsetup.sh.
-updateobjects [other authentication
information]
475
This table describes the options that make up the argument denoted by other authentication information. Authentication Option
-cms
Valid arguments cmsname:port#
Description Specify the CMS that you want to log on to. If not specified, the CCM defaults to the local machine and the default port (6400). Specify an account that provides administrative rights to BusinessObjects Enterprise. If not specified, the default Administrator account is attempted. Specify the corresponding password. If not specified, a blank password is attempted. Note: To specify the -password argument, you must also specify the username argument. type for the administrative account. If not specified, secEnterprise is attempted.
-username
username
-password
password
-authentication secEnterprise, secLDAP Specify the appropriate authentication
The CCM reads the server launch strings and other configuration values from the ccm.config file. For details, see ccm.config on page 477.
Examples
These two commands start and enable all the servers. The Central Management Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all ccm.sh -enable all
These two commands start and enable all the servers. The CMS is started on port 6701, rather than on the default port:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701
These two commands start and enable all the servers with a specified administrative account named SysAdmin:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin password 35%bC5@5 -authentication LDAP
This single command logs on with a specified administrative account to disable a Job Server that is running on a second machine:
476
ccm.sh -disable MACHINE02.businessobjects.com.reportserver cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication secLDAP
ccm.config
This configuration file defines the server launch strings and other values that are used by the CCM when you run its commands. This file is maintained by the CCM itself, and by the other BusinessObjects Enterprise script utilities. You typically edit this file only when you need to modify a servers command line. For details, see Command lines overview on page 454.
cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the CMS database, CMS clusters, and to set up the audit database. You can add a CMS to a cluster by selecting a new data source for its CMS database. You can also delete and recreate (re-initialize) a CMS database, copy data from another data source, or change the existing cluster name. Note: Before running this script, back up your current CMS database. Also be sure to see Clustering Central Management Servers on page 114 for additional information about CMS clusters and configuring the CMS database. The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. To check the name of your CMS (or any other server), view the contents of ccm.config and look for the servers launch string. The servers current name appears after the -name option. For more information about configuring the CMS database or setting up the auditing database, see Managing Auditing on page 391.
configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/ generic directory of your installation. Use the configpatch.sh script when installing patches that require updates to system configuration values. After installing the patch, run configpatch.sh with the appropriate .cf file name as an argument. The readme.txt file that accompanies BusinessObjects Enterprise patches tells you when to run configpatch.sh, and the name of the .cf file to use.
477
serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your installation. This script provides a text-based program that enables you to view server information and to add and delete servers from your installation. This script adds, deletes, modifies, and lists information from the ccm.config file. When you modify a server using serverconfig.sh, you can change the location of its temporary files. For the Central Management Server, you can change its port number or enable auditing. For the Input File Repository Server or the Output File Repository Server, you can enter the root directory. 1. 2. To add/delete/modify/list UNIX servers Go to the bobje directory of your installation. Issue the following command:
./serverconfig.sh
The script prompts you with a list of options:

3. 4.
1 - Add a server 2 - Delete a server 3 - Modify a server 4 - List all servers in the config file
Type the number that corresponds to the action you want to perform. If you are adding, deleting, or modifying a server, provide the script with any additional information that it requests. Tip: The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. However, in this script you can enter hostname to check the name of your CMS (or any other server), view the contents of ccm.config, and look for the servers launch string. The servers current name appears after the name option.
5.
Once you have added or modified a server, use the CCM to ensure that the server is both started and enabled.
For more information about working with servers, see Managing and Configuring Servers on page 97.
478
sockssetup.sh
The sockssetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the Web Component Adapter (WCA) and the Central Management Server (CMS) when they must communicate across one or more SOCKS proxy server firewalls. For technical information about BusinessObjects Enterprise and firewalls, see Working with Firewalls on page 157. 1. 2. 3. To modify SOCKS configuration Go to the bobje directory of your installation. Issue the following command:
./sockssetup.sh
Type wca to configure the communication between the WCA and the CMS. Or, type servers to configure SOCKS information between the remaining servers. The script may prompt you for the name or friendly name of the server. By default, each servers name is hostname.servertype. To check the name of a server, view the contents of ccm.config and look for the servers launch string. The servers current name appears after the name option. The friendly name of the WCA by default is hostname.wca. To check the name of the WCA, look for the <display-name> of the WCA as listed in the web.xml file in the WEB-INF directory of the webcompadapter.war archive. (This archive is found in the businessobjects_root/enterprise/JavaSDK/applications directory, where businessobjects_root is the root directory of your BusinessObjects Enterprise installation.)
4.
Specify one of the available actions:

5.
Type show to display any SOCKS servers that have already been entered with this script. A blank list is displayed if no servers have been added. Type create to add a new SOCKS server to the list. Type modify to change one of the SOCKS servers in the list. Type delete to remove a SOCKS server from the list. Type moveup or movedown to modify the sequence of SOCKS servers.
Proceed through the script and provide any additional information that it requests:
479
UNIX Tools Script templates
If you are creating a new entry in the list, you will typically need to provide the name or IP address of the SOCKS server, the port number it is listening on, the version number of the SOCKS server (4 or 5), and any authentication information that the BusinessObjects Enterprise servers will require in order to establish a connection with your SOCKS server. If you choose to delete, modify, or move an existing entry, you will be asked to specify the server by index. Type the number that corresponds to the SOCKS server you want to modify.
For details about SOCKS and the importance of the sequence of servers, see Configuring for SOCKS servers on page 175.
uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your installation. This script deletes all of the files installed during your original installation of BusinessObjects Enterprise by running the scripts in the bobje/uninstall directory. Do not run the scripts in the uninstall directory yourself: each of these scripts removes only the files associated with a single BusinessObjects Enterprise component, which may leave your BusinessObjects Enterprise system in an indeterminate state. Before running this script, you must disable and stop all of the BusinessObjects Enterprise servers. Note:
The uninstallBOBJE.sh script will not remove files created during the installation process, or files created by the system or by users after installation. To remove these files, after running installBOBJE.sh, perform an rm -rf command on the bobje directory. If you performed the system installation type, you will also need to delete the run control scripts from the appropriate /etc/rc# directories.
Script templates
These scripts are provided primarily as templates upon which you can base your own automation scripts.
480
UNIX Tools Script templates
startservers
The startservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that starts the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.
stopservers
The stopservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that stops the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.
silentinstall.sh
The silentinstall.sh script is installed to the bobje directory of your installation. Once you have set up BusinessObjects Enterprise on one machine, you can use this template to create your own scripts that install BusinessObjects Enterprise automatically on other machines. Essentially, once you have edited the silentinstall.sh template accordingly, it defines the required environment variables, runs the installation and setup scripts, and sets up BusinessObjects Enterprise according to your specifications, without requiring any further input. The silent installation is particularly useful when you need to perform multiple installations and do not want to interrupt people who are currently working on machines in your system. You can also use the silent installation script in your own scripts. For example, if your organization uses scripts to install software on machines, you can add the silent BusinessObjects Enterprise installation command to your scripts. For information about script parameters, see the comments in the silentinstall.sh script. Note:
Because the silentinstall.sh file is installed with BusinessObjects Enterprise, you cannot install silently the first time you install BusinessObjects Enterprise.
481
UNIX Tools Scripts used by BusinessObjects Enterprise
The silent installation is not recommended if you need to perform custom installations. The installation options are simplified and do not allow for the same level of customization provided in the BusinessObjects Enterprise install script.
Scripts used by BusinessObjects Enterprise

These secondary scripts are often run in the background when you run the main BusinessObjects Enterprise script utilities. You need not run these scripts yourself.
bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects Enterprise server components. If a server process ends abruptly without returning its normal exit code, this script automatically restarts a new server process in its place. Do not run this script yourself.
env.sh
The env.sh script is installed to the bobje directory of your installation. This script sets up the BusinessObjects Enterprise environment variables that are required by some of the other scripts. BusinessObjects Enterprise scripts run env.sh as required. When you install BusinessObjects Enterprise on UNIX, you must configure your Java application server to source this script on startup. See the BusinessObjects Enterprise Installation Guide for more details.
env-locale.sh
The env-locale.sh script is used for converting the script language strings between different types of encoding (for example, UTF8 or EUC or Shift-JIS). This script is run by env.sh as needed.
initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects Enterprise environment variables, and then runs any command that you have added as a command-line argument for the script. This script is intended primarily for use as a debugging tool by Business Objects SA.
482
patchlevel.sh
The patchlevel.sh is installed to the bobje/enterprise/generic directory of your installation. This script reports on the patch level of your UNIX distribution. This script is intended primarily for use by Business Objects SA support staff. Option
list query check
Valid Arguments Description n/a patch # textfile List all the installed patches. Query the operating system for the presence of a particular patch by numeric ID. Check that all the patches listed in textfile are installed on your operating system.
postinstall.sh
The postinstall.sh script is installed to the bobje directory of your installation. This script runs automatically at the end of the installation script and launches the setup.sh script. You need not run this script yourself.
setup.sh
The setup.sh script is installed to the bobje directory of your installation. This script provides a text-based program that allows you to set up your BusinessObjects Enterprise installation. This script is run automatically when you install BusinessObjects Enterprise. It prompts you for the information that is required in order to set up BusinessObjects Enterprise for the first time. For complete details on responding to the setup script when you install BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.
setupinit.sh
The setupinit.sh script is installed to the bobje directory of your installation when you perform a system installation. This script copies the run control scripts to your rc# directories for automated startup. When you run a system installation you are directed to run this script after the setup.sh script completes. Note: You must have root privileges to run this script.
483
484
Enabling support for ASP.NET 2.0
appendix
Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0
Enabling support for ASP.NET 2.0

If you have upgraded to ASP.NET 2.0 after you installed BusinessObjects Enterprise, you will need to modify the web.xml to add support for ASP.NET 2.0. Note: If you install ASP.NET 2.0 before you install BusinessObjects Enterprise, this step is not required. The required tag <xhtmlConformance mode="Legacy"/> will be added to the Web.config file by the BusinessObjects Enterprise installer during the installation. 1. To enable ASP.NET 2.0 support Open the Web.config file from the following location:
2.
Locate the following two comments in the file:
<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. -->
3. 4. 5.

Copy the string <xhtmlConformance mode="Legacy"/> from the first comment. Replace the comment  with string copied in the previous step. When your change is complete, the file should look like this:
<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. --> <xhtmlConformance mode="Legacy"/>
6. 7.
486
487
488
Business Objects Information Resources
appendix
Business Objects Information Resources Documentation and information services
Documentation and information services

Business Objects offers a full documentation set covering its products and their deployment. Additional support and services are also available to help maximize the return on your business intelligence investment. The following sections detail where to get Business Objects documentation and how to use the resources at Business Objects to meet your needs for technical support, education, and consulting.
Documentation
You can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.
Whats in the documentation set?

View or download the Business Objects Documentation Roadmap, available with the product documentation at http://www.businessobjects.com/support/. The Documentation Roadmap references all Business Objects guides and lets you see at a glance what information is available, from where, and in what format.
Where is the documentation?

You can access electronic documentation at any time from the product interface, the web, or from your product CD.
Documentation from the products

Online help and guides in Adobe PDF format are available from the product Help menus. Where only online help is provided, the online help file contains the entire contents of the PDF version of the guide.
Documentation on the web

The full electronic documentation set is available to customers on the web from support web site at: http://www.businessobjects.com/support/.
Documentation on the product CD

Look in the docs directory of your product CD for versions of guides in Adobe PDF format.
490
Business Objects Information Resources Customer support, consulting and training
Send us your feedback

Do you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: documentation@businessobjects.com. Note: If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: http://www.businessobjects.com/ support/.
Customer support, consulting and training

A global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business.
How can we support you?

Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate customer support centers in the following countries:
USA Australia Canada United Kingdom Japan
Online Customer Support

The Business Objects Customer Support web site contains information about Customer Support programs and services. It also has links to a wide range of technical information including knowledgebase articles, downloads, and support forums. http://www.businessobjects.com/support/
491
Business Objects Information Resources Useful addresses at a glance
Looking for the best deployment solution for your company?

Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more. For more information, contact your local sales office, or contact us at: http://www.businessobjects.com/services/consulting/
Looking for training options?

From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education web site: http://www.businessobjects.com/services/training
Useful addresses at a glance

Address Business Objects product information http://www.businessobjects.com Product documentation http://www.businessobjects.com/ support Business Objects Documentation mailbox documentation@businessobjects.com Online Customer Support http://www.businessobjects.com/ support/ Content Information about the full range of Business Objects products. Business Objects product documentation, including the Business Objects Documentation Roadmap. Send us feedback or questions about documentation. Information on Customer Support programs, as well as links to technical articles, downloads, and online forums.
492
Address Business Objects Consulting Services http://www.businessobjects.com/ services/consulting/ Business Objects Education Services http://www.businessobjects.com/ services/training
Content Information on how Business Objects can help maximize your business intelligence investment. Information on Business Objects training options and modules.
493
494
Index
A
access levels available in the CMC 469 for RAS 472 active sessions, viewing 341, 341 active trust relationship 188 AD authentication plug-in 246 adding CMS cluster members 114 servers 105 administration configuration tools 98, 338 Administrators group, default rights 471 affinity, and SSL 189 anonymous single sign-on 184 application servers 35 application tier 34 applications CCM 33 CMC 33 Import Wizard 34 InfoView 32 Publishing Wizard 34 applications, installing 93 apsdbsetup.sh 477 architecture balanced processing 79 firewalled 81 high availability 80 single-machine 79 ASP pages display code 376 ASP.NET 2.0 modifying web.config to support 486 ASP.NET component, verifying 377 attributes, logon tokens 188 audit actions enabling auditing of 399 reference list 395 synchronizing records 403 audit enablement 399 auditable actions CMS 399 Destination Job Server 398 Event Server 398 Job Server 399 auditee 392 auditing configuring database 393 database schema 416 enabling 399 information flow 392 optimizing performance 404 reporting results 402, 416 synchronizing records 403 user and system actions 395 web activity 194 auditing database configuring 393 database schema 416 Application_Type table 419 Audit_Detail table 417 Audit_Event table 416 Detail_Type table 420 Event_Type table 419 Server_Process table 418 auditor 392 Auditor report names 408 Average Number of Users Logged In 408 Average Refresh Time 409 Average Session Duration 409 Average Session Duration per Cluster 409 Average Session Duration per User 409 Cluster Nodes 410 Document Information Detail 410 Document Scheduling and Viewing Status 410 Job Servers on the System 411 Job Summary 410
495
Index
Jobs per Job Server 411 Jobs per User 411 Last Login for User 411 Least Accessed Documents 412 Modifications 413 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 Number of User Sessions 413 Number of Users in the System 413 Peak Usage 414 Refresh and Edit Activity 414 Rights Modification 414 Total Users Logged in by Day 414 User Activity 414 User Activity per Session 415 Users Who Logged Off Incorrectly 415 authentication BusinessObjects Enterprise security plug-in 186 Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 LDAP security plug-in 228 primary 181 security plug-ins 55, 185 troubleshooting log on 380 Trusted Authentication 328 Windows AD security plug-in 246 Windows NT Challenge/Response 213, 248 Windows NT security plug-in 212
B
Business Objects consulting services 492, 493 support services 491 training services 492, 493 Business Objects applications CCM 33
CMC 33 CMS 38 Import Wizard 34 InfoView 32 Publishing Wizard 34 BusinessObjects Enterprise communication between servers 162 firewall integration 162 primary authentication process 181 single sign-on 187 single sign-on with NT 213 BusinessObjects Enterprise SDK 187 Java SDK 35 .NET SDK 35 BusinessObjects Enterprise security plug-in 186 BusinessObjects Enterprise servers Cache Server 40 configuring hosts file for firewall 169 description 30 Event Server 39 File Repository Servers 40 Job Server 42 Page Server 44 Program Job Server 42 Report Application Server 44 BusinessObjects Enterprise servers, configure configure IIS and browsers 275 configure servers to use service account 297 configuring the servers configuring servers to use service account 270 granting service account rights 270 grant service account rights 295 setting service account 268, 292 BusinessObjects Enterprise Sizing Guide 366 BusinessObjects WAR files deploying 93 mapping to cluster in WebSphere 5.1 95 in WebSphere 6.0 95
C
cacert.der 153 Cache Server 40 command-line options 459
496
Index
configuring 131, 352 metrics 340, 342 performance 68 performance settings 131, 352 viewing with 49 Cache Server auditable actions 396 cakey.pem 153 CCM adding a server 105 changing server startup type 151 server user account 152 Windows server dependencies 150 copying server status 104 deleting a server 107 enabling and disabling servers 102 printing server status 104 refreshing the list of servers 104 starting, stopping, and restarting servers 99 CCM, for UNIX 474 ccm.sh 474 Central Configuration Manager. See CCM Central Management Console. See CMC Central Management Server. See CMS certificate files 153 Changing Tomcat connect port 112, 378 client side viewers 45 client tier 32 clusters 114, 116, 117 changing names 121 requirements 114 viewing details 345 clusters, creating 87 CMC enabling and disabling servers 102 starting, stopping, and restarting servers 99 unable to connect 379 CMC timeout setting 110 CMS adding to a cluster 117 and authentication 181 and distributed security 189 as nameserver 147 changing cluster name 121
clustering 114 installing new cluster member 116 requirements 114 CMS tasks 38 command-line options 456 configuring 127, 128, 147 NAT 168 SOCKS 176 database 38 default port 147 limitations 65 metrics 341, 345 performance 65 security 54 security plug-ins 54 session variables 191 and authentication 181 tracking 193 stopping 102 unable to connect 379 when enabling and disabling other servers 102 CMS auditable actions 399 CMS clustering 77 CMS database changing password 128 configuring 122 copying 122 deleting 127 migrating 122 recreating 127 selecting 128 command lines, overview 454 command-line options all servers 455 Cache Server 459 CMS 456 Event Server 466 Input and Output File Repository Servers 465 Job Server 461 Page Server 459 Program Job Server 461 Report Application Server 462 Web Intelligence Job Server 461 Web Intelligence Report Server 464
497
Index
command-line options, SSL 152 communication between browser and Web application server 181 between BusinessObjects Enterprise servers 162 components, security management 53 computer contstrained delegation 294 concurrent active users 62 configuration planning 58 sample 436 configuration, common scenarios 78 Configure the thick client to use SSL 376 configuring auditing database 393 auditing database on UNIX 394 auditing database on windows 394 Cache Server 131, 352 CMS clusters 114, 121 CMS database 122, 127, 128 Event Server 351 File Repository Servers 130, 352 firewalls 166 intelligence tier 114 Job Server 133, 140, 355, 355 Page Server 132, 140, 356, 363 processing tier 132 server settings 98, 338 servers 98, 338 universe connection 401 configuring trusted authentication 329 Connection Server metrics 341 constrained delegation service account 295, 295 consultants, Business Objects 492 cookies and session tracking 191 logon tokens 188 CORBA 437 creating custom audit reports 416 Crystal reports troubleshooting reports 383
Crystal Reports Cache Server. See Cache Server Crystal Reports Page Server. See Page Server Crystal Reports sample audit reports 402 Crystal xCelsius 69 performance 69 CSP pages display code 376 custom audit report creation 416 custom web applications, enhancing 370 customer support 491 customizing your configuration 366
D
daemons, signal handling 456 data live 52 saved 53 data sharing 98, 338 on Cache Server 131, 352 on Page Server 132, 356, 363 on RAS 360 data sources on UNIX 141 on Windows 140 data tier 45 databases configuring servers for 140 copying CMS data 122 initializing the CMS 127 modifying RAS interactions 360 selecting for the CMS 128 single sign-on access 184 troubleshooting logon 385 default settings authentication 186 Enterprise accounts 186 NT account 213 ports 147 security plug-in 186 default timeout 110 defaultconfig.xml about 428 customizing elements 432 finding correct version to change 430 modifying for Java Report Panel 431
498
Index
modifying for .NET InfoView 431 deleting CMS database 127 servers 107 dependencies of servers on Windows 150 deployment planning 58 sample 436 deployment manager adding nodes 85, 86 starting 85 Designer firewall settings 166 Desktop Intelligence firewall settings 166 Destination Job Server destinations configuring 134 enabling or disabling 133 enabling Inbox destination 133 performance settings 355 Destination Job Server auditable actions 398 destinations for job servers configuring 134 enabling or disabling 133 troubleshooting 390 directory servers about LDAP 229 security plug-in 228 disabling destinations for job servers 133 servers 102 Disabling logon tokens 196 disabling logon tokens 196, 200 disabling restoration of a timed out session 200 disabling the restoration of a timed out session 200 disabling the restoration of a timed out session in Java 200 disabling the restoration of a timed out session in .NET 201 disaster recovery 76 DLL. See dynamic-link libraries documentation additional 375
feedback on 491 on product CD 490 on the web 490 roadmap 490 DSNs on UNIX 143 dynamic-link libraries as processing extensions 187
E
education. See training email destination setting defaults 136 enable ASP.NET 2.0 support 486 enable .NET 2.0 support 486 enabling destinations for a job server 133 servers 102 enabling auditing 399 encoding logon tokens 188 end-to-end single sign-on 185 environment variables ODBC 143 env.sh 482 ePortfolio. See InfoView errors Page Server 389 troubleshooting 374 Event Log 150, 345 Event Server auditable actions 399 configuring 351 metrics 343 polling time 351 Event Server auditable actions 398 Event Server, command-line options 466 events polling time 351 Everyone group, default rights 471 expanding the system 366 extensions, processing 187
F
fault tolerance 76 feedback, on documentation 491
499
Index
File Repository Servers command-line options 465 maximum idle times 130, 352 metrics 340 Properties page 130, 352 root directories 130, 352 firewall rules specifying for NAT 170 specifying for packet filtering 173 firewall types 159 NAT 160 packet filtering 160 SOCKS 161 firewall, desktop product 166 firewalls 158, 194, 436 configuration scenarios 164 configuring 166 NAT 167 packet filtering 172 SOCKS 175 thick client 171 with application tier 168 with WCA 177 forcing servers to register by name 149 integration with BusinessObjects Enterprise 162 Job Servers 442 server communications, and 162 folders default rights 471 root 471 FTP destination setting defaults 138 Full Control access level 471
hosts file, configuring for NAT firewall 169 HTTP 181, 191 HTTP server, check status 87 HTTP server, starting 86
I
IBM WebSphere Kerberos configuration 304 idle times Cache Server 131, 352 File Repository Servers 130, 352 Page Server 132, 356, 363 IIS database single sign-on configuration 281 end-to-end single sign on configuration 277 single sign-on configuration 275 IIS 5 database single sign-on configuration 282 end-to-end single sign on configuration 277 IIS 6 database single sign-on configuration 283 end-to-end single sign on configuration 279 IIS 6, run under local system 379 Import Wizard 34 information flow, between servers 46 information resources 490 InfoView considerations 390 Java version 108 troubleshooting 390 initializing CMS database 127 initlaunch.sh 483 Input File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352 intelligence tier 37 configuring 114 internal system configuration, setting 92 Internet Explorer, configuring 276 Internet Information Services (IIS), default web site 375 IOR 437
G
Guest account, default rights 471
H
heap sizes, setting in WebSphere 5.1 90 in WebSphere 6.0 91 help, documentation resources 375 high availability 76
500
Index
J
JAAS login configuration files, create Oracle 306 Tomcat/WebLogic 305 WebSphere 306 Java CMC timeout 110 Java InfoView timeout 111 Java InfoView, customizing appearance of Web Intelligence documents 431 Java Options, modify Kerberos 307 Oracle 308 WebLogic 307 Java platform 36 Java SDK 36 Job Server command-line options 461 configuring 140 for firewalls 442 on UNIX 141 destinations configuring 134 enabling or disabling 133 performance settings 355 Job servers types 41 job servers configuring destinations 134 performance settings 355 Job Servers auditable actions 399
Kerberos troubleshooting enable logging 310 testing Java Kerberos configuration 310 key files 153
L
LDAP 229 about 229 and SSL 229 LDAP accounts 229 managing 228 modifying connection parameters 242 member groups 242 troubleshooting 243, 243 LDAP authentication configuring 230 LDAP authentication plug-in 228 LDAP groups mapping 238 unmapping 241 viewing mapped groups 242 LDAP hosts configuring 231 managing multiple 243 LDAP security plug-in 228 LDAP single sign-on, configuring 236, 255 Least Accessed Documents 412 license keys and CMS database migration 119 reinitializing the CMS database 127 Lightweight Directory Access Protocol. See LDAP List of Values Job Server auditable actions 399 description 43 destinations configuring 134 enabling or disabling 133 performance 69 performance settings 355 live data 52 load managing 60 load balancing and distributed security 189
K
Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 Kerberos configuration files IBM WebSphere 304 Java AD 302 Kerberos single sign-on 53
501
Index
CMS clustering 114 Local System account 140 log on processing server accounts 140 protection against malicious attempts 194 logging server activity 345 web activity 194 logon tokens 188 and authentication 181 and distributed security 189 and session tracking 191 logon.csp 181
M
malicious logon attempts, protection against 194 mapped drives 388 mapped groups viewing Windows NT 221 mapping Windows AD accounts and groups 249 Windows NT accounts 215 metrics viewing 339 migrating CMS database 122 from BusinessObjects Enterprise 6.x 495 modify InfoView timeout 111 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 multihomed machines 149
.NET InfoView, customizing appearance of Web Intelligence documents 431 .NET pages display code 376 Network Address Translation application tier, and 168 configuring 167 server hosts file 169 servers behind firewall 168 definition 160 specifying firewall rules 170 thick client, and 171 No Access level 469 node agent, start 85 NT authentication and UNIX 212 NT authentication plug-in 212 NT LM Security Support Provider 150 NT single sign-on 225 NT single sign-on and Windows NT security plugin 213 number of logons, logon tokens 188 number of minutes, logon tokens 188 Number of User Sessions 413 Number of Users in the System 413
O
object rights 468, 472 ODBC CMS database 117 connectivity 120 drivers 140 environment variables 143 processing server accounts 140 reporting on UNIX 142 system information file 143 .odbc.ini 143 Online Customer Support 491 optimizing system 404 Optimizing system performance 404 Oracle application Server reverse proxies 202 Output File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352
N
nameserver, role of CMS 147 NAT. See Network Address Translation native drivers 140 on UNIX 141 needs assessment 58 .NET 20 support 486 .NET InfoView or CMC, unable to view 377
502
Index
P
packet filtering 160 configuring for 172 packets, firewalls and 158 Page Server command-line options 459 configuring for data source 140 configuring on UNIX 141 metrics 343 performance 70 performance settings 132, 356, 363 Properties page 132, 356, 363 viewing with 49 Password Modifications 413 passwords changing for CMS database 128 restrictions 195 patchlevel.sh 483 Peak Usage 414 performance 366, 404 assessment 338 Cache Server 68 Cache Server settings 131, 352 CMS clusters 114 common scenarios 78 general considerations 367 List of Values Job Server 69 load balancing 189 of jobs per server 355 Page Server 70 Page Server settings 132, 356, 363 RAS settings 362 Report Job Server 68 Web Application Server 67 Web Intelligence Report Server 69 Windows NT Challenge/Response authentication 213, 248 performance improvement, delegating XSL transformation 370 performance while auditing 404 planning deployment 58 platforms Java 36
Windows .NET 36 plug-ins, security 55, 185 polling time, setting for Event Server 351 port numbers adding 90 checking in WebSphere 5.1 89 in WebSphere 6.0 89 port numbers, changing 147 ports definition 159 firewalls, and 159 opening on firewall 168 postinstall.sh 483 primary authentication 181 processing extensions 187 processing servers, configuring 141 processing threads Cache Server 131, 352 Page Server 132, 356, 363 processing tier 41 configuring 132 Program Job Server 399 destinations configuring 134 enabling or disabling 133 Program Job Server auditable actions 399 Program Job Server, command-line options 461 Properties tab for job servers 355
Q
.qry files 388
R
RAS database settings 360 metrics 344 performance settings 362 Properties page 362 Refresh and Edit Activity 414 refreshing cache files 131, 352 registry keys 238 Remote Procedure Call 150
503
Index
remote resources, troubleshooting 388 Report Application Server auditable actions 396 command-line options 462 performance 70 required object rights 472 viewing report 50 Report Job Server 399 auditable actions 399 performance 68 Report Job Server, performance settings 355 report objects, rights for creating/modifying 472 report viewers 45 report_view_advanced.aspx 48 report_view_dhtml.aspx 48 reports audit 402, 416 custom 416 sample 402 configuring servers for data sources 140 modifying RAS SQL options 360 scheduling 46 troubleshooting 383, 385 viewing 47 required steps to audit actions 392 requirements, clustering 114 resource requirements 73 resources 490 estimating 64 requirements 71 restarting servers 99 restart.sh 482 restrictions guest account 196 logon 195 password 195 user 195 reverse proxies 202 rights advance, reference 468 Report Application Server 472 top-level folder 471 Rights Modification 414 root directories, File Repository Servers 130, 352
row-level security, processing extensions 187
S
sample audit reports 402 saved data 53 scalability 366 common scenarios 78 scaling the system 366 Schedule access level 469 scheduling increasing capacity 367 information flow 46 secEnterprise.dll 186 secLDAP.dll 228 Secure Sockets Layer 152 Secure Sockets Layer (SSL) 193, 229 and LDAP 229 and load balancing 189 security 180 active trust relationship 188 auditing web activity 194 components 53 distributed 189 environment protection 193 firewalls 194 Guest account restrictions 196 logon restrictions 195, 195 password restrictions 195, 195 plug-ins 55, 185 processing extensions 187 protection against malicious logon attempts 194 restrictions 195 session tracking 191 user restrictions 195 web browser to web server 193 web servers 193 security plug-ins 55, 185 Enterprise authentication 186 LDAP authentication 228 Windows AD authentication 246 Windows NT authentication 212 secWindows.dll 212 selecting CMS database 128 sending
504
Index
to inboxes, default configuration 133 Server cache expiry, modifying default expiry value 287 server dependencies, changing 150 serverconfig.sh 478 servers 98, 338 activity, logging 345 adding 105 adding nodes 85 application tier 34 changing status 99 user account on Windows 152 changing startup type 151 command lines 454 communication 162 application tier and CMS 163 CMS directory listing 162 configuring 98, 338 default settings 98, 338 deleting 107 dependencies, adding or removing 150 deployment manager 85 disabling 102 enabling 102 information flow 46 intelligence tier 37 limitations 64 logging activity 345 managing 97 metrics, viewing 340 node agent 85 processing tier 41 refreshing list using the CCM 104 registering by name 149 restarting 99 standard command-line options 455 starting 85, 99 status changing 99 copying 104 printing 104 stopping 99 troubleshooting 388 UNIX signal handling 456
user account, changing 152 service account contstrained delegation 295 service thresholds 64 session variables 191 and authentication 181 primary authentication 181 sessions tracking 191 viewing active 341 setup.sh 483 shared libraries, as processing extensions 187 signal handling 456 silentinstall.sh 481 simultaneous requests 61 single sign-on anonymous 184 authentication Enterprise 187 LDAP 230 NT 213 Windows AD 248 end-to-end 185 Java, Kerberos configuration 311, 312 setting up AD 255 LDAP 236 SiteMinder 236, 255 Windows AD 252 Windows NT 223 to BusinessObjects Enterprise 184 to database 184 troubleshooting 238 single sign-on options database single sign-on 266 modify AD plug-in settings 275 setting up database single sign-on 267 web applications configuration 285 end-to-end single sign-on 266 configuring IIS for end-to-end single signon 277 configuring Internet Explorer 276 setting up end-to-end single sign-on 267
505
Index
single sign-on 266 configuring IIS for single sign-on 275 database server configuration 286 setting up basic single sign-on 267 SQL server configuration 286 SiteMinder configuring LDAP plug-in 236 error 238 setting up single sign-on with LDAP 236, 255 troubleshooting 238 Window AD 255 Siteminder AD 255 SMTP destinations, setting defaults 136 SOCKS 161 configuring 175 CMS 176 WCA 177 sockssetup.sh 479 SPN Vintella 315 web application server 315 SPN utility Windows 2003 293, 294 SSL 152 certificates 153 configuring servers 152, 152 keys 153 SSL. See Secure Sockets Layer (SSL) SSL, thick client configuration 376 sslc.cnf 152 sslc.exe 152 starting servers 99 startservers 481 startup types changing for servers 151 configuring servers 151 statistics, auditing web activity 194 status, viewing and changing for servers 99 steps to audit actions 392 stopping CMS 102 servers 99 stopservers 481
support customer 491 locations 491 technical 491 web site 491 synchronizing audit actions 403 syslog 345 system actions, list of auditable 399 system data, copying 122 system database, migrating 122 system information file (ODBC) 143 system metrics, viewing 345 system security 180
T
TCP/IP, firewalls and 158 technical support 491 temporary files, configuring Page Server 132, 356, 363 the 200 thick client, firewall configuration 165 NAT 171 third-party security plug-ins 55, 185 tickets for distributed security 189 logon tokens 188 tiers application 34 client 32 data 45 intelligence 37 processing 41 time zones 60 supporting multiple 390 timeout CMC modify 110 Infoview modify 111 Tomcat reverse proxies 202 Tomcat connect port, changing 112, 378 tools, UNIX 474 Total Users Logged in by Day 414 tracking, sessions 191 training, on Business Objects products 492 transfer of trust 189
506
Index
troubleshooting 374 InfoView deployments 390 LDAP accounts 243 report viewing and processing 383 single sign-on 238 web accessibility 375 trust, active trust relationship 188 trusted authenitcation configuring in web.xml 329 Trusted Authentication 328
U
UNC paths 388 uninstall 480 uninstallCE.sh 480 universe connection configuration 401 UNIX and NT authentication 212 application server 35 installation 36 syslog 345 WCA 36 UNIX tools, overview 474 unmanaged disk destination setting defaults 139 unmapping Windows NT accounts 220 user accounts configuring servers 152 user actions, list of auditable 396 User Activity 414 User Activity per Session 415 user databases, NT4 and Windows 2000 Active Directory 212 users concurrent active users 62 estimating 59 types 59 viewing active sessions 341, 341 Users Who Logged Off Incorrectly 415
client-side 45 in InfoView 47 zero client 45 viewing active users 341, 341 BusinessObjects Enterprise architecture 47 CMS cluster details 345 current metrics 339 information flow 47 server metrics 340 system metrics 345 with the Cache Server 49 with the Page Server 49 viewing sessions 62 viewrpt.aspx 48
W
WCA and logon tokens 54 and security 54 auditing web activity 194 configuring for SOCKS 177 description 35 WCA session variables 191 tracking 192 web customer support 491 getting documentation via 490 useful addresses 492 Web application environments 37 Web Application Server performance 67 Web application server authentication 181 Web Component Adapter. See WCA web desktop. See InfoView Web Intelligence Job Server 461 Report Server 464 Web Intelligence documents changing default appearance 428 customizing for Java InfoView 431 customizing for .NET InfoView 431 delegating XSL transformation 370 finding correct defaultconfig.xml 430
V
View access level 469 viewers
507
Index
list of customizable elements 432 Web Intelligence Job Server auditable actions 399 destinations enabling or disabling 133 performance settings 355 Web Intelligence Report Server auditable actions 396, 397 performance 69 performance settings 357 Web Intelligence sample audit reports 402 web response speeds, improving 371 Web server plugin, regenerating in WebSphere 5.1 96 in WebSphere 6.0 96 web servers 37 improving response speeds 371 securing 193 web sites support 491 training 492 web.config .Windows authentication 274 WebSphere cluster, creating 87 installing applications 93 WebSphere deployment 308, 309 Windows Event Log 345 Local System account 140 server dependencies 150 Windows 2000 Active Directory 212 Windows 2000, unmapping accounts in 220 Windows AD database single sign-on, modify AD plug-in settings 275 Kerberos authentication 271, 297 single sign-on, modifying web.config 284 Windows AD accounts See also Windows AD users mapping 249 Windows AD groups mapping 249 Windows AD security plug-in 246 Windows AD single sign-on 252
to BusinessObjects Enterprise 252 Windows AD users See also Windows AD accounts Windows .NET platform 36 Windows NT accounts adding to mapped groups 222 disabling 222 managing 214 mapping 215 in CMC 217 in Windows 2000 216 in Windows NT 215 unmapping 220 Windows NT Challenge/Response authentication 193, 213, 248 Windows NT groups creating 222 mapping 215 unmapping 220, 220 viewing 221 Windows NT security plug-in 212 and UNIX 212 Windows NT single sign-on, setting up 223 Windows NT users, viewing 221
X
XSL transformation for Web Intelligence documents 370
Z
zero client viewers 45
508

Businessobjects Enterprise™ Xi Release 2 Deployment and Configuration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Businessobjects Enterprise™ Xi Release 2 Deployment and Configuration Guide

Uploaded by

Copyright:

Available Formats

BusinessObjects Enterprise XI Release 2 Deployment and Configuration Guide

BusinessObjects Enterprise XI Release 2

Copyright Third-party contributors

BusinessObjects Enterprise Deployment and Configuration Guide 3

Planning your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Assessing your organizations needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 5

Creating a WebSphere cluster

6 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 7

8 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 9

10 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 11

12 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 13

14 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 15

16 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 17

18 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 19

20 BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Deployment and Configuration Guide 21

22 BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started About this help

About this help

Who should use this help?

About BusinessObjects Enterprise

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

Where should I start?

Planning or performing your first deployment

Configuring your deployment

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

Changing your deployments architecture

Improving your systems performance

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Architecture

BusinessObjects Enterprise Architecture Chapter overview

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Architecture basics

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Client tier

The client tier includes:

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Client tier

Central Management Console (CMC)

Central Configuration Manager (CCM)

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Application tier

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Application tier

Application server and BusinessObjects Enterprise SDK

Web Component Adapter (WCA)

It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Application tier