IBM WebSphere Portal Integrator for SAP

IntroductionThis article describes the setup of a simple scenario of the IBM WebSphere Portal Integrator for SAP to give you a quick start. It uses the standard page structure as it is created during install of the package.

Note: This is not the product documentation and comes as-is without warranty. It is an example and may not configure everything. Especially this does not handle session alignment.

Hostnames used in the scenarioSAP NetWeaver Portal 7.3 sapportalIBM WebSphere Portal 7.0.0.1 (CF6) on Linux, standalone

ibmportal

Install base of IBM Portal: /opt/WebSphere

PackagesPackage name Install locationSolution installer /tmp/SolutionInstaller.zipSAP integration /tmp/sap_integration.paa

Download packages from the catalog:https://greenhouse.lotus.com/plugins/plugincatalog.nsf/home_full.xsp

Installing & Setup of Solution InstallerFollow the guidance in the Solution installer package:– set WAS administrator and Portal administrator passwords to

wp_profile/ConfigEngine/properties/wkplc.properties (e.g. using vi)– Unzip SolutionInstaller.zip to /opt/tmp– Add wp_profile path to settings.properties (e.g. using vi)– verify UNIX EOL characters by executing “dos2unix -b install-SolutionInstaller.sh”– set run permissions “chmod 755 SolutionInstaller.sh”– run install script: “/opt/tmp/SolutionInstaller/commands/linux # ./install-SolutionInstaller.sh”– setup SolutionInstaller:

– change to ConfigEngine directory: wp_profile/ConfigEngine– run “./ConfigEngine.sh si-setup”– Verify that the output prints “BUILD SUCCESSFUL”

Installing IBM WebSphere Portal Integrator For SAP– Start IBM Portal

© IBM, 2011 1

IBM WebSphere Portal Integrator for SAP

– Install PAA: by running “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh install-paa -DPAALocation=/tmp/sap_integration.paa”

– Verify that the output prints “BUILD SUCCESSFUL”– Deploy PAA by running: “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh

deploy-paa -DappName=sap_integration”

– Verify that the output prints “BUILD SUCCESSFUL”

Configuring the AjaxProxy– create the AjaxProxy configuration file to allow GET connections to SAP Portal and allow

BasicAuthentication on these connections. In this scenario we store it to /tmp/proxy-config-sap.xml

<?xml version="1.0" encoding="UTF-8"?><proxy:proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:proxy="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0"> <proxy:mapping contextpath="/proxy" url="*"/> <proxy:mapping contextpath="/myproxy" url="*"/> <proxy:mapping contextpath="/common_proxy" url="*"/> <proxy:policy url="http://sapportal.boeblingen.de.ibm.com:50000/*" acf="none" basic-auth-support="true"> <proxy:actions> <proxy:method>GET</proxy:method> <proxy:method>HEAD</proxy:method> </proxy:actions> <proxy:cookies> <proxy:cookie>MYSAPSSO2</proxy:cookie> </proxy:cookies> <proxy:headers> <proxy:header>User-Agent</proxy:header> <proxy:header>Accept*</proxy:header> <proxy:header>Content*</proxy:header> <proxy:header>Authorization*</proxy:header> <proxy:header>set-cookie</proxy:header> </proxy:headers> </proxy:policy> <proxy:meta-data> <proxy:name>socket-timeout</proxy:name> <proxy:value>60000</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>retries</proxy:name> <proxy:value>1</proxy:value> </proxy:meta-data>

© IBM, 2011 2

IBM WebSphere Portal Integrator for SAP

<proxy:meta-data> <proxy:name>max-connections-per-host</proxy:name> <proxy:value>5</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>max-total-connections</proxy:name> <proxy:value>100</proxy:value> </proxy:meta-data> <proxy:meta-data> <proxy:name>forward-credentials-from-vault</proxy:name> <proxy:value>true</proxy:value> </proxy:meta-data></proxy:proxy-rules>

– Check in the configuration file file for AjaxProxy by running “/opt/WebSphere/wp_profile/ConfigEngine # ./ConfigEngine.sh checkin-wp-proxy-config -DproxyConfigFileName=/tmp/proxy-config-sap.xml”

– Verify that the output prints “BUILD SUCCESSFUL”

Finishing installationRestart IBM Portal to finish the installation.

Seting up ivew integration– Navigate to “Applications”, “IBM WebSphere Portal Integrator for SAP”, “iView”

– Open the “Edit shared settings” dialog of the portlet by clicking the small arrow in the upper right corner of the portlet and choosing the relevant menu entry.

– Create a a non-shared Credential Vault slot which will later be used to store the user's SAP credentials. Note: In our setup we use the same slot later for the navigation integration as well. But one could decide to use different slots.

– Add the name “SAPIntegrationCV” to the field “Slot ID”

– Click the button “Create Credential slot”

– Before using the slot you now need to restart IBM Portal.

– Add a Content URL of SAP Portal to be displayed in the portlet. Ask your SAP Portal administrator for this URL. We want to display the “Universal work list” which in our environment is this URL: http://sapportal.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29

– In this scenario we will later configure the navigational integration to pass the SAP SSO token to the user's browser. So we would not need to set a Credential Vault slot in this dialog or to add the parameter “sap.SSOTokenDomain”, we would be done already. But for demonstration purposes we will do and later re-configure the portlet.

© IBM, 2011 3

IBM WebSphere Portal Integrator for SAP

– Select the Credential vault slot to be used to connect to SAP Portal. Select “SAPIntegrationCV” from the drop down box. If we would have not created the Credential Vault slot before, we could now add a name to the text filed and use the drop down entry to use the text field content. This would mean we can configure the portlet even before having a Credential Vault slot, but we still would need to create the slot before using the portlet.

– For testing purposes we are adding the SSO domain “.ibm.com” to the field SAP SSP Domain. This makes the portlet pass the SAP Portal SSO cookie to the users browser. We will later configure the navigational integration as well and make it pass the cookie. Then we will remove the SSO domain here from the portlet as we do not need it anymore. If we would use the portlet only and use the SSO Domain here, we would also need to add the integration LogoutFilter now.

– The SAP Portal SSO cookie is not being renamed in our instance of SAP Portal, so we do not set a value to the field “SAP SSO cookie name”, to stay to the default.

– Click the button “Save parameters”.

– Click the link “Done”.

– Now an error is shown because our Credential Vault slot to be used does not hold Credentials for the current user already. For this we go to the “Personalize” dialog by clicking the small arrow in the upper right corner of the portlet and choosing the relevant menu entry.

– Add the SAP user ID to the field “User ID” and the password to “Password”. Confirm the password by re-entering in “Confirm Password”.

– Click the button “Save”

– Click the link “Done”Now the portlet shows the SAP Portal resource you entered the URL for:

© IBM, 2011 4

IBM WebSphere Portal Integrator for SAP

Setting up navigation integrationThe navigation is included later as child pages of the label “SAP navigation”. All parameters for connections to the SAP Portal are to be stored as page parameters of that label. Note that these parameters are more or less the same as for the portlet, but to configured here as well to separate both integrations. If you want to share parameters you can do so by using the ConfigService extension. See the documentation for that.

– Use Portal Administration “Manage Pages” to navigate to “Applications”, “IBM WebSphere

© IBM, 2011 5

IBM WebSphere Portal Integrator for SAP

Portal Integrator for SAP”

– Click “Edit page properties” for the label “SAP Navigation”

– Click “Advanced parameters”, “I want to set parameters”

– For our environment we add/change following parameters (for a description see the documention):

sap.BaseUri http://sapportal.boeblingen.de.ibm.com:50000

Base Portal URI including port

sap.CredentialSlotId SAPIntegrationCV Credential Vault slot holding the SAP credentials. We created the slot during portlet setup.

sap.SSOTokenUrl http://sapportal.boeblingen.de.ibm.com:50000/irj/portal/interop?NavigationTarget=navurl://b8820e07de4b98a23cbedc5c275bcc29

Used to force an authentication challenge to get the SSO token

sap.SSOTokenDomain .ibm.com SSO Domain to be used to pass the SAP Portal SSO cookie to the user's browsers. Leave out if you do not want the browsers to be authenticated automatically.

– Click button “Done”

– Click button “OK”.

– Log out of IBM Portal.

– When logging back in the SAP Portal navigation is integrated:

© IBM, 2011 6

IBM WebSphere Portal Integrator for SAP

– Now add the Login- and Logoutfilter to pass the SAP Portal SSO cookie to the user's browsers:

– Log in to the IBM WebSphere Application server administration console

– Navigate to “Recource Environment Providers” , “WP AuthenticationService”, “Custom properties”.

– Add the Login- and LogoutFlter

– Click “Save” and log out

– Restart IBM Portal to get the filters effective.

– Now if you click a integrated navigation link the SAP Portal page is displayed without an authentication challenge:

© IBM, 2011 7

IBM WebSphere Portal Integrator for SAP

Set access to appropriate audienceAs we do not want non-SAP users to access the SAP integration for security and performance reasons, we limit the access rights to the group “sap_users” which in our scenario all appropriate users are a member of.For the page “IBM WebSphere Portal Integrator for SAP” we set this group to the role “User”. Therefore we remove the “Allow inheritance” for the role “User” and click “Apply”:

© IBM, 2011 8

IBM WebSphere Portal Integrator for SAP

Click “Edit” for the role “User” and add the group “sap_user”:

Go back to the roles overview and click “Apply” to save the changes. Then click “Done”. Now only for members of the group “sap_user” the navigation will be retrieved on login.As the access level is inherited from here to our sub-pages we do not need to set something special for the integration label. “User” is sufficient. For the portlet and the page where the portlet is placed on the user needs to be “Privileged user” so the user is allowed to enter

© IBM, 2011 9

IBM WebSphere Portal Integrator for SAP

credentials. If we would use a shared Credential vault slot for all users, we could stay with the role “User” instead.

For the page “iView” remove the “Allow inheritance” for the role “User” and click “Apply”:Click “Edit” for the role “Privileged User” and add the group “sap_user”:

© IBM, 2011 10

IBM WebSphere Portal Integrator for SAP

Go back to the roles overview and click “Apply” to save the changes. Then click “Done”.

Now you need to configure access rights to the portlet application. Go to “Portlet Management”, “Applications” and click the small button holding a key for the application “sap.portal.integrator.war”. Click “Edit” for the role “Privileged user” and add the group “sap_users”:Go back to the roles overview and click “Apply” to save the changes. Then click “Done”.

© IBM, 2011 11

IBM WebSphere Portal Integrator for SAP

Removing Token domain from portletThe LoginFilter is passing the SAP Portal SSO cookie to the user's browser. So in this scenario here we do not need the portlet passing the token as well. It was just configured for demonstration purposes. For a re-configuration open the “Edit Shared Settings” mode of the portlet and click “Clear parameters”. Now configure the portlet by adding the Content URL, but leave out the Credential Vault slot and the SSO Token Domain. Click “Save parameters”.

Testing with another userFor test purposes our group “sap_user” has a member called “sap_user_1”. Log out with the administrator user and log back in with that test user. In the integration portlet enter the mode “Personalize” and enter the user's SAP Portal credentials. Now log out and log back in. The integration shows another navigation structure – but only if the user has other Access Rights in SAP Portal than the user before.

FinishingAccording to your needs you may want to move the integration label to another place within IBM WebSphere Portal. You can do so by using the administration dialog “Manage Pages” or by using XMLAccess. After that you may need to restart for caches to be cleared, depending on your caching scenario.Also you may want to place multiple instances of the integration portlet on different pages showing other SAP Portal content within IBM WebSphere Portal. If you do so you may want to think about moving some configuration parameter values to the WP ConfigService. See the portal documentation for this.Depending on your scenario you also may want to separate the access rights between the navigation and the portlet(s). Use the access control configuration as we have shown in this article.

© IBM, 2011 12