You are on page 1of 508

BusinessObjects Enterprise XI Release 2 Deployment and Configuration Guide

BusinessObjects Enterprise XI Release 2

Patents

Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352. Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners. Copyright 2007 Business Objects. All rights reserved. Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at: http://www.businessobjects.com/thirdparty

Trademarks

Copyright Third-party contributors

Contents
Chapter 1 Getting Started 23 About this help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Who should use this help? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 About BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Where should I start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Planning or performing your first deployment . . . . . . . . . . . . . . . . . . . 25 Configuring your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Changing your deployments architecture . . . . . . . . . . . . . . . . . . . . . . 26 Improving your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . 26 Chapter 2 BusinessObjects Enterprise Architecture 29

Chapter overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Architecture basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . 33 Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . 33 Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Application server and BusinessObjects Enterprise SDK . . . . . . . 35 Web Component Adapter (WCA) . . . . . . . . . . . . . . . . . . . . . . . . . 35 Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Java platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Windows .NET platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . 38

BusinessObjects Enterprise Deployment and Configuration Guide 3

Contents

Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Desktop Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 What happens when you schedule an object? . . . . . . . . . . . . . . . . . . . 46 What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . . 47 Report viewing with the Cache Server and Page Server . . . . . . . . 49 Report viewing with the Report Application Server . . . . . . . . . . . . 50 Viewing Web Intelligence documents . . . . . . . . . . . . . . . . . . . . . . . 51 Choosing between live or saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Chapter 3 Planning Your Deployment 57

Planning your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Assessing your organizations needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Estimating the number and type of users . . . . . . . . . . . . . . . . . . . . . . 59 Other user considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Estimating the number of simultaneous requests . . . . . . . . . . . . . . . . 61 Estimating the number of concurrent active users and viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Concurrent active users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Calculating resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Analyzing service thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Calculating the minimum resource requirements . . . . . . . . . . . . . . . . . 71 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Summary of resource calculations . . . . . . . . . . . . . . . . . . . . . . . . 73 Designing for high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Designing a multiple-server system for high availability . . . . . . . . 77 Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Single-machine architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Balanced processing architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 High availability clustered architecture . . . . . . . . . . . . . . . . . . . . . . . . . 80 Firewalled architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

BusinessObjects Enterprise Deployment and Configuration Guide 5

Contents

Chapter 4

Creating a WebSphere cluster

83

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Creating a WebSphere cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Starting the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Creating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Checking the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Adding the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting heap size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Setting internal system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Installing the applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Mapping BusinesssObjects WAR files to the cluster . . . . . . . . . . . . . . 95 Regenerating the web server plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Chapter 5 Managing and Configuring Servers 97

Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 BusinessObjects Enterprise administrative tools . . . . . . . . . . . . . . . . . 98 Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 99 Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . . 99 Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 102 Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 104 Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . 108 Configuring the Java Web Component Adapter . . . . . . . . . . . . . . 109 Changing the default session timeout value for the Java CMC . . 110 Changing the default session timeout value for the Java InfoView . . 111 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . . 112 Configuring the .NET Web Component Adapter . . . . . . . . . . . . . 113

6 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . 114 Adding a new CMS cluster member . . . . . . . . . . . . . . . . . . . . . . . . . 116 Installing a new CMS and adding it to a cluster . . . . . . . . . . . . . 116 Adding an installed CMS to a cluster . . . . . . . . . . . . . . . . . . . . . 117 Adding clustered CMSs to the web.xml file . . . . . . . . . . . . . . . . . 119 Preparing to migrate a CMS database . . . . . . . . . . . . . . . . . . . . 119 Changing the name of a CMS cluster . . . . . . . . . . . . . . . . . . . . . 121 Copying data from one CMS database to another . . . . . . . . . . . . . . . 122 Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . 127 Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 128 Setting root directories and idle times of the File Repository Servers 130 Modifying performance settings for Cache Servers and Event Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Modifying performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 133 Enabling or disabling destinations for job servers . . . . . . . . . . . . 133 Configuring the destination properties for job servers . . . . . . . . . 134 Inbox destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Email (SMTP) destination properties . . . . . . . . . . . . . . . . . . . . . 136 FTP destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Unmanaged Disk destination properties . . . . . . . . . . . . . . . . . . . 139 Configuring Windows processing servers for your data source . . . . . 140 Configuring UNIX processing servers for your data source . . . . . . . . 141 Native drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 ODBC drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 147 Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Configuring the CMS to bind to a network address . . . . . . . . . . . 150 Configuring the remaining servers to bind to a network address 150 Adding and removing Windows server dependencies . . . . . . . . . . . . 150

BusinessObjects Enterprise Deployment and Configuration Guide 7

Contents

Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Creating key and certificate files . . . . . . . . . . . . . . . . . . . . . . . . . 153 Configuring the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Chapter 6 Working with Firewalls 157

Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 TCP/IP and packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 SOCKS proxy servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between servers and the CMS directory listing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Communication between the application tier and CMS . . . . . . . . 163 Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Application tier separated from the CMS by a firewall . . . . . . . . . 165 Thick client separated from the CMS by a firewall . . . . . . . . . . . . 165 Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Configuring desktop products across a firewall . . . . . . . . . . . . . . . . . . 166 Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . . 167 Configuring NAT when application tier is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Configuring NAT when thick client is separated from the CMS . . 171 Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Configuring packet filtering when application tier is separated from CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

8 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Configuring packet filtering when thick client is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Configuring the CMS for SOCKS Servers . . . . . . . . . . . . . . . . . . 176 Configuring the WCA for SOCKS servers . . . . . . . . . . . . . . . . . . 177 Chapter 7 Security Concepts 179

Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Single sign-on to BusinessObjects Enterprise . . . . . . . . . . . . . . 184 Single sign-on to database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 End-to-end single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 BusinessObjects Enterprise security plug-in . . . . . . . . . . . . . . . . 186 Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . 189 Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . 194 Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . 194 Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User creation opitons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

BusinessObjects Enterprise Deployment and Configuration Guide 9

Contents

Alias options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 User type options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Update options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Chapter 8 Modifying default security behavior 199

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session . . . . . . . . . . . . . . . . . . . . 200 Disabling the restoration of a timed out session in Java InfoView 200 Disabling the restoration of a timed out session in .NET InfoView . . . 201 Enabling reverse proxies for Java applications servers . . . . . . . . . . . . . . 202 Enabling reverse proxies for BusinessObjects Java InfoView . . . . . . 202 Enabling reverse proxies for BusinessObjects Web Services . . . . . . 203 Enabling reverse proxies on Tomcat . . . . . . . . . . . . . . . . . . . . . . 203 Enabling reverse proxy on web application servers other than Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Enabling reverse proxies for BusinessObjects Live Office . . . . . . . . . 206 Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Deployment instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Disabling persistent cookies for InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 208 Chapter 9 Using NT Authentication 211

Using NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Windows NT security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Business Objects NT Users Group . . . . . . . . . . . . . . . . . . . . . . . 213 NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 NT and single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 NT user account and group administration . . . . . . . . . . . . . . . . . . . . . . . . 214 Mapping NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Mapping NT user accounts and groups from Windows NT . . . . . . . . . 215 Mapping NT user account or groups from Windows 2000 or 2003 . . . 216 Mapping NT groups from the CMC . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

10 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . 221 Adding an NT account to a mapped NT group . . . . . . . . . . . . . . 222 Creating a new NT group account . . . . . . . . . . . . . . . . . . . . . . . 222 Disabling an NT user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Modifying IIS security settings for NT single sign-on . . . . . . . . . 224 Enabling InfoView NT single sign-on from the CMC . . . . . . . . . . 224 Modifying the web.config file for NT single sign-on . . . . . . . . . . . 225 Chapter 10 Using LDAP authentication 227

Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 LDAP security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 More about LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Configuring the LDAP host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Configuring LDAP Server or Mutual Authentication and the SSL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 LDAP and SiteMinder Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Configuring the LDAP plug-in for SiteMinder . . . . . . . . . . . . . . . 236 Modifying web.xml for LDAP and SiteMinder . . . . . . . . . . . . . . . 237 Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 242 Changing LDAP connection parameters and member groups . . . . . 242 Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Creating a new LDAP user account . . . . . . . . . . . . . . . . . . . . . . 243 Chapter 11 Using AD with NTLM or SiteMinder 245

Using AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Windows AD security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD and NTLM and SiteMinder workflows . . . . . . . . . . . . . . . . . . . . . 248

BusinessObjects Enterprise Deployment and Configuration Guide 11

Contents

AD and NTLM basic workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 AD, NTLM and single sign-on workflow . . . . . . . . . . . . . . . . . . . . 248 AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying IIS security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Modifying the web.config file for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Modifying the web.config file for InfoView AD single sign-on . . . . 254 Configuring AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . 255 Configuring the Windows AD plug-in for SiteMinder . . . . . . . . . . 255 Modifying web.xml for Java AD and SiteMinder . . . . . . . . . . . . . . 257 Modifying web.xml for Java AD Single sign-on to InfoView . . . . . 258 Modifying the web.xml file for Java AD and SiteMinder . . . . . . . . 258 Modifying web.config for .NET InfoView and SiteMinder . . . . . . . 259 Disabling SiteMinder for Java clients . . . . . . . . . . . . . . . . . . . . . . 260 Disabling SiteMinder for .NET clients . . . . . . . . . . . . . . . . . . . . . . 261 Troubleshooting single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Duplicate ssoEnabled tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Chapter 12 Using AD and Kerberos with IIS 265

Configuring Kerberos for IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Kerberos, IIS and single sign-on options . . . . . . . . . . . . . . . . . . . . . . 266 Workflows for Kerberos and IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Basic AD and Kerberos workflow . . . . . . . . . . . . . . . . . . . . . . . . . 267 AD and Kerberos with single sign-on workflow . . . . . . . . . . . . . . 267 Single sign-on to database workflow . . . . . . . . . . . . . . . . . . . . . . 267 End-to-end Single sign-on workflow . . . . . . . . . . . . . . . . . . . . . . . 267 Setting up a service account on AD . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

12 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 270 Configuring the servers to use the service account . . . . . . . . . . 270 Enabling Kerberos authentication in the Windows AD plug-in . . . . . . 271 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Modifying web.config for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Modifying the AD plug-in settings for database single sign-on . 275 Configuring IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Configuring IIS for integrated Windows authentication . . . . . . . . 275 Configuring the Internet Explorer browser on a client machine . 276 Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . 277 Configuring IIS 5 for Kerberos end-to-end single sign-on . . . . . . 277 Configuring IIS 6 for Kerberos end-to-end single sign-on . . . . . . 279 Configuring IIS for database single sign-on . . . . . . . . . . . . . . . . . . . . 281 Configuring IIS 5 for single sign-on to database only . . . . . . . . . 282 Configuring IIS 6 for single sign-on to database . . . . . . . . . . . . . 283 Modifying web.config for InfoView single sign-on . . . . . . . . . . . . 284 Configuring web applications for database single sign-on . . . . . 285 Configuring the database server for single sign-on . . . . . . . . . . . . . . 286 Configuring SQL Server for single sign-on . . . . . . . . . . . . . . . . . 286 Server cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Modifying the default cache expiry value . . . . . . . . . . . . . . . . . . 287 Chapter 13 Using AD and Kerberos with Java application servers 289

Configuring Kerberos for Java application servers . . . . . . . . . . . . . . . . . 290 General workflow for configuring Kerberos . . . . . . . . . . . . . . . . . . . . 290 Workflow for configuring Tomcat for Kerberos . . . . . . . . . . . . . . . . . . 291 Workflow for configuring WebSphere for Kerberos . . . . . . . . . . . . . . 291 Workflow for configuring WebLogic for Kerberos . . . . . . . . . . . . . . . . 291 Workflow for configuring Oracle for Kerberos . . . . . . . . . . . . . . . . . . 291 Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

BusinessObjects Enterprise Deployment and Configuration Guide 13

Contents

Creating an SPN for your CMS on a Windows 2000 domain . . . . 293 Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Creating an SPN for your CMS on a Windows 2003 domain . . . . 294 Setting up constrained delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Setting up constrained delegation for a service account . . . . . . . 295 Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 295 Adding the Service Account to the servers Local Administrators group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Configuring the servers to use the service account . . . . . . . . . . . 297 Kerberos authentication in the Windows AD plug-in . . . . . . . . . . . . . 297 Configuring Kerberos for your Java application server . . . . . . . . . . . . 302 Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Creating the Kerberos configuration file for WebSphere . . . . . . . 304 Creating the JAAS login configuration file for Tomcat or WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Creating the JAAS login configuration file for Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Creating the JAAS login configuration file for WebSphere . . . . . . 306 Modifying your Java options for Kerberos on Tomcat . . . . . . . . . 307 Modifying the Java options for Kerberos on WebLogic . . . . . . . . 307 Modifying the Java options for Kerberos on Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Modifying the Java options for Kerberos on WebSphere . . . . . . . 308 Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Enabling logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Testing your Java Kerberos configuration . . . . . . . . . . . . . . . . . . 310 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 310 Configuring Kerberos and single sign-on to the database for Java application servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Configuring Kerberos and single sign-on for Java InfoView . . . . . . . . 312

14 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Workflow for configuring Kerberos single sign-on to Java InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. . . . . . . . . . . . . . . . . . . . . . . . 314 Step 2: Creating an SPN for your web application server . . . . . . 315 Step 3: Reset the service account password . . . . . . . . . . . . . . . 315 Step 4: Create and place a keytab file . . . . . . . . . . . . . . . . . . . . 316 Step 5: Enabling Vintela single sign-on for Java in the web.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Step 6: Increasing the header size limit of your Java application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Controlling logging with Vintela single sign-on for Java . . . . . . . 322 What to specify in your log4j properties file . . . . . . . . . . . . . . . . . 323 Alternate url to access InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 324 Modifying the Vintela logon error page . . . . . . . . . . . . . . . . . . . . 325 Configuring Internet Explorer browsers . . . . . . . . . . . . . . . . . . . . 326 Chapter 14 Trusted Authentication 327

Enabling Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Configuring the server for Trusted Authentication . . . . . . . . . . . . . . . 328 Configuring Trusted Authentication for the client . . . . . . . . . . . . . . . . 329 Configuring Trusted Authentication for Business Process BI . . . . . . 334 Configuring Trusted Authentication on a separate web application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Chapter 15 Improving Performance 337

Improving performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing your systems performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Assessing user needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Analyzing server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Evaluating your systems performance . . . . . . . . . . . . . . . . . . . . . . . 346

BusinessObjects Enterprise Deployment and Configuration Guide 15

Contents

Resolving performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Configuring the intelligence tier for enhanced performance . . . . . . . . 351 Configuring the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Modifying the polling time of the Event Server . . . . . . . . . . . . . . . 351 Configuring the File Repository Servers . . . . . . . . . . . . . . . . . . . . 352 Modifying Cache Server performance settings . . . . . . . . . . . . . . 352 Configuring the processing tier for enhanced performance . . . . . . . . 354 Modifying performance settings for job servers . . . . . . . . . . . . . . 355 Modifying Desktop Intelligence Report Server performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Modifying performance settings for the Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . 360 Modifying performance settings for the RAS . . . . . . . . . . . . . . . . 362 Modifying Page Server performance settings . . . . . . . . . . . . . . . 363 Scaling your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . 367 Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . 367 Increasing on-demand viewing capacity for Crystal reports . . . . . 369 Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Delegating XSL transformation to Internet Explorer . . . . . . . . . . . 370 Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . 370 Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . 371 Getting the most from existing resources . . . . . . . . . . . . . . . . . . . 371 Chapter 16 General Troubleshooting 373

Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . . 375 .NET CSP and ASP pages display code . . . . . . . . . . . . . . . . . . . . . . . 376 Unable to access the CMS from thick client . . . . . . . . . . . . . . . . . . . . 376 Unable to View .NET InfoView or CMC . . . . . . . . . . . . . . . . . . . . . . . . 377

16 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Determining if the IIS 6.0 ASP.NET component is installed . . . . 377 Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . 378 Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 379 Unable to open a report from InfoView . . . . . . . . . . . . . . . . . . . . . . . 379 Single sign-on from an IE Windows 2000 client fails . . . . . . . . . . . . . 380 Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 380 Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 381 Unable to sign on with AD and Kerberos . . . . . . . . . . . . . . . . . . 381 TReport viewing and processing issues . . . . . . . . . . . . . . . . . . . 383 Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 383 Images and charts not displayed . . . . . . . . . . . . . . . . . . . . . . . . 385 Troubleshooting reports and looping database logon prompts . . . . . 385 Ensuring that server resources are available on local drives . . . . . . . 388 Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 389 InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 390 Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Unable to import users from BusinessObjects 6.5 . . . . . . . . . . . . . . . 390 Chapter 17 Managing Auditing 391

How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Reference list of auditable actions . . . . . . . . . . . . . . . . . . . . . . . 395 Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . 399 Configuring the universe connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 403 Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . 404

BusinessObjects Enterprise Deployment and Configuration Guide 17

Contents

Chapter 18

Auditing Reports

407

Using auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Why are reports important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Auditor report names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Average Number of Users Logged In . . . . . . . . . . . . . . . . . . . . . . 408 Average Refresh Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per Cluster . . . . . . . . . . . . . . . . . . . . . 409 Average Session Duration per User . . . . . . . . . . . . . . . . . . . . . . . 409 Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Information Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Document Scheduling and Viewing Status . . . . . . . . . . . . . . . . . 410 Job Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Jobs per Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Jobs per User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Job Servers on the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Last Login for User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Least Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Most Popular Actions per Document . . . . . . . . . . . . . . . . . . . . . . 413 Number of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Number of Users in the System . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Password Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Peak Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Refresh and Edit Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Rights Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Total Users Logged In by Day . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 User Activity per Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Users Who Logged Off Incorrectly . . . . . . . . . . . . . . . . . . . . . . . . 415 Viewing sample auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

18 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Audit_Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Server_Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Event_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Application_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Detail_Type table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Appendix A Customizing the appearance of Web Intelligence documents 427

Customizing the appearance of Web Intelligence documents . . . . . . . . . 428 What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 429 Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . 430 Desktop Intelligence Enterprise Java InfoView . . . . . . . . . . . . . . 431 Desktop Intelligence Enterprise .NET InfoView . . . . . . . . . . . . . 431 List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Example: Modifying the default font in table cells . . . . . . . . . . . . . . . 433 Appendix B Server deployment and firewall configuration 435

About this appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Understanding how BusinessObjects Enterprise servers communicate . 436 Using CORBA to communicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Registering with the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Communicating with client applications . . . . . . . . . . . . . . . . . . . . . . . 438 Configuring BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . 439 Configuring the CMS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Configuring non-CMS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Configuring Job Servers for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . 442 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443

BusinessObjects Enterprise Deployment and Configuration Guide 19

Contents

Configuring firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Example: A firewall between the application server and BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Deploying BusinessObjects Enterprise on multihomed machines . . . . . . 448 Multihomed machines with NICs on the same subnet . . . . . . . . . . . . 449 Multihomed machines with NICs on different subnets . . . . . . . . . . . . 450 Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected . . . . . . . . . . . . . . 450 Binding to a particular NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Summary of unsupported deployment scenarios . . . . . . . . . . . . . . . . . . . 451 Appendix C Server Command Lines 453

Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 UNIX signal handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . 465 Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Appendix D Rights and Access Levels 467

Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 472

20 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Appendix E

UNIX Tools

473

UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 ccm.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 482 bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Appendix F Enabling support for ASP.NET 2.0 485

Enabling support for ASP.NET 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Appendix G Business Objects Information Resources 489

Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Whats in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

BusinessObjects Enterprise Deployment and Configuration Guide 21

Contents

Documentation from the products . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Documentation on the product CD . . . . . . . . . . . . . . . . . . . . . . . . 490 Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 491 How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Online Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 Looking for the best deployment solution for your company? . . . . . . . 492 Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Index 495

22 BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started

chapter

Getting Started About this help

About this help


This help provides you with information and procedures for deploying and configuring your BusinessObjects Enterprise system. Procedures are provided for common tasks. Conceptual information and technical details are provided for all advanced topics. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. For information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.

Who should use this help?


This help covers deployment and configuration tasks. We recommend consulting this guide if you are:

planning your first deployment configuring your first deployment making significant changes to the architecture of an existing deployment improving your systems performance.

For a list of suggested topics for each of these scenarios, consult Where should I start? on page 25. This help is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is beneficial, as is a general understanding of web application server management and scripting technologies. However, to assist all levels of administrative experience, this help aims to provide sufficient background and conceptual information to clarify all administrative tasks and features.

About BusinessObjects Enterprise


BusinessObjects Enterprise is a flexible, scalable, and reliable solution for delivering powerful, interactive reports to end users via any web application intranet, extranet, Internet or corporate portal. Whether it is used for distributing weekly sales reports, providing customers with personalized service offerings, or integrating critical information into corporate portals, BusinessObjects Enterprise delivers tangible benefits that extend across and beyond the organization. As an integrated suite for reporting, analysis, and information delivery, BusinessObjects Enterprise provides a solution for increasing end-user productivity and reducing administrative efforts.

24

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

Where should I start?


Depending on your situation, you may want to focus on specific sections of this help, and there may be other resources available for you. For each of the following situations, there is a list of suggested tasks and reading topics.

Planning or performing your first deployment


If you are planning or performing your first deployment of BusinessObjects Enterprise, it is recommended that you perform the following tasks and read the corresponding sections:

To get familiar with the components, read BusinessObjects Enterprise Architecture on page 29. Assess your needs and design a deployment architecture that works best for you. Planning Your Deployment on page 57 Working with Firewalls on page 157 Security Concepts on page 179 If you plan to use third-party authentication, read the following sections that apply to your deployment:

Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227

Improving Performance on page 337 For more information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide. After you install, read Managing and Configuring Servers on page 97.

Configuring your deployment


If you have just completed your installation of BusinessObjects Enterprise and need to perform initial configuration tasks, such as firewall configuration and user management, it is recommended that you read the following sections:

Managing and Configuring Servers on page 97 Working with Firewalls on page 157 Security Concepts on page 179

BusinessObjects Enterprise Deployment and Configuration Guide

25

Getting Started Where should I start?

If you plan to use third-party authentication, read the following sections that apply to your deployment:

Using NT Authentication on page 211 Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using LDAP authentication on page 227

Improving Performance on page 337 If you plan to audit your system, read Managing Auditing on page 391 and Auditing Reports on page 407. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. If you encounter problems, read General Troubleshooting on page 373.

Changing your deployments architecture


Are you expecting a significant increase in server traffic? Do you need to accommodate a sudden influx of users? Do you need to incorporate new kinds of content from new sources? Or do you need to update a deployment that didnt adequately anticipate the volume of objects being processed on a daily basis? If you need to revise your deployment to account for significant changes in how you use the system, it is recommended that you read the following sections:

Improving Performance on page 337 If you are installing new server components, see Managing and Configuring Servers on page 97. If you are importing or configuring new users, see Security Concepts on page 179. If you encounter problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide. For information about installing new components, you can find more information in the BusinessObjects Enterprise Installation Guide.

Improving your systems performance


If you want to assess your deployments efficiency and fine-tune it in order to maximize resources, it is recommended that you read the following sections:

26

BusinessObjects Enterprise Deployment and Configuration Guide

Getting Started Where should I start?

Improving Performance on page 337 If you want to monitor your existing system, read Managing Auditing on page 391 and Auditing Reports on page 407. If you want to resolve specific performance problems, read General Troubleshooting on page 373. For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrators Guide.

BusinessObjects Enterprise Deployment and Configuration Guide

27

Getting Started Where should I start?

28

BusinessObjects Enterprise Deployment and Configuration Guide

BusinessObjects Enterprise Architecture

chapter

BusinessObjects Enterprise Architecture Chapter overview

Chapter overview
This chapter briefly introduces BusinessObjects Enterprise administrators to the architecture of BusinessObjects Enterprise. This chapter covers the following topics:

Architecture basics Client tier Intelligence tier Processing tier Data tier Report viewers Information flow

For faster navigation, click on the title of the topic you are interested in.

Architecture basics
BusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this section to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs. In BusinessObjects Enterprise, there are five tiers:

The client tier The application tier The intelligence tier The processing tier The data tier

To provide flexibility, reliability, and scalability, the components that make up each of these tiers can be installed on one machine, or spread across many. The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products plug in to the BusinessObjects Enterprise framework in various ways. This section describes the framework itself. Consult each products installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework.

30

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Architecture basics

The servers run as services on Windows machines. On UNIX, the servers run as daemons. These services can be vertically scaled to take full advantage of the hardware that they are running on, and they can be horizontally scaled to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine. For example, you can run the CMS and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called horizontal scaling. If the Report Application Server is

BusinessObjects Enterprise Administrators Guide

31

BusinessObjects Enterprise Architecture Client tier

running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called vertical scaling. The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers. Tip: Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.

Client tier
The client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.

The client tier includes:

InfoView Central Management Console (CMC) Central Configuration Manager (CCM) Publishing Wizard Import Wizard

For faster navigation, click on the title of the topic you are interested in.

InfoView
BusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. In .NET InfoView, the web server forwards the user request directly to an application server where the request

32

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Client tier

is processed by the Web Component Adapter (WCA); typically, InfoView only uses the WCA when OLAP is installed. In this case, the web server will forward the .csp request to the WCA for processing. InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.

Central Management Console (CMC)


The Central Management Console (CMC) allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a webbased application, you can perform all of these administrative tasks remotely. For more information, see the BusinessObjects Enterprise Administrators Guide. The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD.

Central Configuration Manager (CCM)


The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers, and it allows you to view and to configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add or remove servers from your BusinessObjects Enterprise system.On UNIX, some of these functions are performed using other tools. .

BusinessObjects Enterprise Administrators Guide

33

BusinessObjects Enterprise Architecture Application tier

Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Administrators Guide.

Import Wizard
The Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX. For more information, see the BusinessObjects Enterprise Installation Guide.

Application tier
The application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier. For both the Java and .NET platforms, the application tier includes the following components:

Application server and BusinessObjects Enterprise SDK Web Component Adapter (WCA)

34

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Application tier

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Application server and BusinessObjects Enterprise SDK


BusinessObjects Enterprise systems that use the BusinessObjects Enterprise Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party application server. See the Platforms.txt file included with your product distribution for a complete list of tested application servers and version requirements. The application server acts as the gateway between the web server and the rest of the components in BusinessObjects Enterprise. The application server is responsible for processing requests from your browser. It also supports InfoView and other Business Objects applications, and uses the SDK to convert report pages (.epf files) to HTML format when users view pages with a DHTML viewer.

Web Component Adapter (WCA)


The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA) runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests on to the WCA. The WCA has two primary roles:

It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files

BusinessObjects Enterprise Administrators Guide

35

BusinessObjects Enterprise Architecture Application tier

It also supports Business Objects applications such as the CMC (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Web development platforms


BusinessObjects Enterprise supports the following web development platforms:


Java platform

Java platform Windows .NET platform

All UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.

Windows .NET platform


BusinessObjects Enterprise installations that use the .NET Framework include Primary Interop Assemblies (PIAs) that allow you to use the BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET Server Components that you can optionally use to simplify the development of custom applications. This configuration requires the use of a Microsoft Internet Information Services (IIS) web server. Note:

In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

36

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Intelligence tier

You do not need a Web Component Adapter for custom ASP.NET applications. If after your initial installtion, you upgrade to version 2.0 of the .NET Framework, you will also need to modify the web.config used by IIS. See Enabling support for ASP.NET 2.0 on page 486.

Web application environments


BusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET (.aspx) pages. BusinessObjects Enterprise includes web applications developed in .aspx, such as InfoView and the sample applications available via the BusinessObjects Enterprise Launchpad. Java Server Pages (.jsp) and ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and ASP.NET applications that use the BusinessObjects Enterprise SDKs in conjunction with third party APIs. Note: For backward compatibility, BusinessObjects Enterprise continues to support Crystal Server Pages (.csp) and Active Server Pages (.asp). BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs) that enable you to use the BusinessObjects Enterprise SDK and Report Application Server SDK with ASP.NET. It also includes a set of .NET Server Components which simplify development of custom BusinessObjects Enterprise applications in ASP.NET. For more information, see the developer documentation available on your product CD.

Intelligence tier
The intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.

The intelligence tier includes the following components:

Central Management Server (CMS) Event Server

BusinessObjects Enterprise Administrators Guide

37

BusinessObjects Enterprise Architecture Intelligence tier

File Repository Servers Cache Server

Central Management Server (CMS)


The CMS is responsible for maintaining a database of information about your BusinessObjects Enterprise system, which other components can access as required. The data stored by the CMS includes information about users and groups, security levels, BusinessObjects Enterprise content, and servers. The CMS also maintains the BusinessObjects Enterprise Repository, and a separate audit database of information about user actions. This data allows the CMS to perform its four main tasks:

Maintaining security By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.

Managing objects The CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.

Managing servers By staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.

Managing auditing By collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.

Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organizations preferred database server. For details about setting up

38

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Intelligence tier

CMS databases, see the BusinessObjects Enterprise Installation Guide. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. Note:

It is strongly recommended that you back up the CMS system database, and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator. The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD. You can access the audit database directly to create custom audit reports. See the BusinessObjects Enterprise Auditors Guide for more information.

On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later. For more information about Auditing, see the BusinessObjects Enterprise Auditors Guide.

Event Server
The Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event. After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event. Note: Schedule-based events, and custom events are managed by the CMS.

BusinessObjects Enterprise Administrators Guide

39

BusinessObjects Enterprise Architecture Intelligence tier

File Repository Servers


There is an Input and an Output File Repository Server in every BusinessObjects Enterprise implementation. The Input File Repository Server manages all of the report objects and program objects that have been published to the system by administrators or end users (using the Publishing Wizard, the CMC, the Import Wizard, or a Business Objects designer component such as Crystal Reports or the Web Intelligence Java or HTML Report Panels). Tip: If you use the BusinessObjects Enterprise SDK, you can also publish reports from within your own code. The Output File Repository Server manages all of the report instances generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server. The File Repository Servers are responsible for listing files on the server, querying for the size of a file, querying for the size of the entire file repository, adding files to the repository, and removing files from the repository. Note:

The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other. In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory. Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.

Cache Server
The Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page. If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then

40

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Processing tier

caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested. If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers.

Processing tier
The processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.

The processing tier includes:

Job servers Web Intelligence Report Server Report Application Server (RAS) Page Server

Job servers
A Job Server processes scheduled actions on objects at the request of the CMS. When you add a Job Server to the BusinessObjects Enterprise system, you can configure the Job Server to:

Process report objects Process program objects

BusinessObjects Enterprise Administrators Guide

41

BusinessObjects Enterprise Architecture Processing tier

Send objects or instances to specified destinations

If you configure a Job Server to process report objects, it becomes a Report Job Server. If you configure a Job Server to process program objects, it becomes a Program Job Server, and so on. The processing tier includes:

Report Job Server Program Job Server Web Intelligence Job Server Destination Job Server List of Values Job Server Desktop Intelligence Job Server

Report Job Server


If you configure a Job Server to process report objects, it becomes a Report Job Server. The Report Job Server processes scheduled reports, as requested by the CMS, and generates report instances (instances are versions of a report object that contain saved data). To generate a report instance, the Report Job Server obtains the report object from the Input FRS and communicates with the database to retrieve the current data. Once it has generated the report instance, it stores the instance on the Output FRS.

Program Job Server


If you configure a Job Server to process program objects, it becomes a Program Job Server. Program objects allow you to write, publish, and schedule custom applications, including scripts, Java programs or .NET programs that run against, and perform maintenance work on, BusinessObjects Enterprise. The Program Job Server processes scheduled program objects, as requested by the CMS. To run a program, the Program Job Server first retrieves the files from storage on the Input File Repository Server, and then runs the program. By definition, program objects are custom applications. Therefore the outcome of running a program will be dependent upon the particular program object that is run. Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the programs standard out and standard error in a text output file. This file appears when you click a program instance in the object History.

42

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Processing tier

Web Intelligence Job Server


The Web Intelligence Job Server processes scheduling requests it receives from the CMS for Web Intelligence documents. It forwards these requests to the Web Intelligence Report Server, which will generate the instance of the Web Intelligence document. The Web Intelligence Job Server does not actually generate object instances.

Destination Job Server


If you configure a Job Server to send objects or instances, it becomes a Destination Job Server. A Destination Job Server processes requests that it receives from the CMS and sends the requested objects or instances to the specified destination:

If the request is for an object, it retrieves the object from the Input File Repository Server. If the request is for a report or program instance, it retrieves the instance from the Output File Repository Server.

The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a users inbox, or outside the system, for example, by sending a file to an email address. The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers.

List of Values Job Server


The List of Values Job Server processes scheduled list-of-value objects. These are objects that contain the values of specific fields in a Business View. Lists of values are use to implement dynamic prompts and cascading lists of values within Crystal Reports. List-of-value objects do not appear in CMC or InfoView. For more information, see the Business Views Administrators Guide. The List of Values Job Server behaves similarly to the Report Job Server in that it retrieves the scheduled objects from the Input File Repository Server (FRS) and saves the instance it generates to the Output FRS. There is never more than one instance of a list-of-values object. On demand list of value objects are processed by the Report Application Server.

Desktop Intelligence Job Server


The Desktop Intelligence Job Server processes scheduling requests it receives from the CMS for Desktop Intelligence documents and generates the instance of the Desktop Intelligence document.

BusinessObjects Enterprise Administrators Guide

43

BusinessObjects Enterprise Architecture Processing tier

Web Intelligence Report Server


The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents. It also processes scheduled Web Intelligence documents and generates new instances of the document, which it stores on the Output File Repository Server (FRS). Depending on the users access rights and the refresh options of the document, the Web Intelligence Report Server will use cached information, or it will refresh the data in the document and then cache the new information.

Report Application Server (RAS)


The Report Application Server (RAS) processes reports that users view with the Advanced DHTML viewer. The RAS also provides the ad hoc reporting capabilities that allow users to create and modify reports over the Web. The RAS is very similar to the Page Server: it too is primarily responsible for responding to page requests by processing reports and generating EPF pages. However, the RAS uses an internal caching mechanism that involves no interaction with the Cache Server. As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer SDKs. The Report Application Server also includes an SDK for reportcreation and modification, providing you with tools for building custom report interaction interfaces.

Page Server
The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.) The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to

44

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Data tier

the Cache Server and Page Server. (However, if a users default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.) The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).

Data tier
The data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.

See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.

Report viewers
BusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise Users Guide or the Crystal Reports Developers Guide.) All of the viewers fall into two categories:

client-side viewers Client-side viewers are downloaded and installed in the users web browser. zero client viewers The code to support zero client viewers resides in the application tier.

client-side viewers Active X viewer Java viewer

zero client viewers DHTML viewer Advanced DHTML viewer

BusinessObjects Enterprise Administrators Guide

45

BusinessObjects Enterprise Architecture Information flow

All report viewers help process requests for reports, and present report pages that appear in the users browser. Client-side viewers Client-side viewers are downloaded and installed in the users browser. When a user requests a report, the application server processes the request, and retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The application server then passes the report pages to the client-side viewer, which processes the report pages and displays them directly in the browser. Zero client viewers Zero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the report pages and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the users web browser. Installing viewers If they havent already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the users machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.

Information flow
This section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:

What happens when you schedule an object? What happens when you view a report?

What happens when you schedule an object?


When you schedule an object, you instruct BusinessObjects Enterprise to process an object at a particular point in time, or on a recurring schedule. For example, if you have a report that is based on your web server logs, you can schedule the report to run every night on a recurring basis.

46

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Information flow

When a user schedules an object using InfoView, the following happens: 1. 2. 3. 4. 5. 6. InfoView sends the request to the web server. The web server passes the web request directly to the application server, where it is evaluated by the BusinessObjects Enterprise SDK. The SDK passes the request to the CMS. The CMS checks to see if the user has sufficient rights to schedule the object. If the user has sufficient rights, the CMS schedules the object to be run at the specified time(s). When the time occurs, the CMS passes the job to the appropriate job server. Depending on the type of object, the CMS will send the job to one of the following job servers:


7.

If the object is Web Intelligence document, it sends the job to the Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server. If the object is a report, it sends the job to the Report Job Server. If the object is program, it sends the job to the Program Job Server.

The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully. If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.

8.

Note:

The Cache Server and the Page Server do not participate in scheduling reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations. When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.

What happens when you view a report?


This section describes the viewing mechanisms that are implemented in InfoView. It contains information on:

BusinessObjects Enterprise Administrators Guide

47

BusinessObjects Enterprise Architecture Information flow

Report viewing with the Cache Server and Page Server Report viewing with the Report Application Server Viewing Web Intelligence documents

When you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In addition, the processing flow for custom applications may differ. In all cases, however, the request that begins at the web server must be forwarded to the application server. The actual request is constructed as a URL that includes the reports unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the users session and retrieves the logon token from the browser. The script then checks the users InfoView preferences and redirects the request to the viewing mechanism that corresponds to the users default viewer. Different report viewers require different viewing mechanisms:

The zero-client DHTML viewer is implemented through report_view_dhtml.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.

The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx. When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.

The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA. The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page (in .epf format) from the Cache Server and Page Server. If they havent already done so, users are prompted to download and install the appropriate viewer software.

48

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Information flow

Report viewing with the Cache Server and Page Server


This section describes the process for viewing a Crystal report when using the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache Server and the Page Server. 1. Upon receiving a report-viewing request, the Cache Server checks to see if it has the requested pages cached. Cached pages are stored as Encapsulated Page Format (.epf) files. If a cached page for the report (.epf file) is available: a. b. 3. The Cache Server checks with the CMS to see if the user has rights to view the cached page. If the user is granted the right to view the report, the Cache Server sends the cached page (.epf file) to the application server. The Cache Server requests new cached pages (.epf files) from the Page Server. The Page Server checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the Page Server retrieves the report from the Input File Repository Server. If the report is an instance, and the user only has View rights, the Page Server will generate pages of the report instance using the data stored in the report instance. That is, the Page Server will not retrieve the latest data from the database. If the report is an object, the user must have View On Demand rights to view the report successfully (because the Page Server needs to retrieve data from the database). e. f. g. 4. If the user has sufficient rights, the Page Server generates the cached page (.epf files) and forwards them to the Cache Server. The Cache Server then caches the pages (.epf files). The Cache Server sends the pages (.epf files) to the application server.

2.

If a cached page for the report (.epf file) is unavailable: a. b. c. d.

The application server sends the report to the users Web browser in one of two ways, depending on how the initial request was made:

If the initial request was made through a DHTML viewer (report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the users web browser.

BusinessObjects Enterprise Administrators Guide

49

BusinessObjects Enterprise Architecture Information flow

If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the cached pages (.epf files) through the web server to the report viewer software in the users web browser.

Report viewing with the Report Application Server


This section describes the process for viewing a Crystal report when using the Advanced DHTML viewer. This process flow uses the Report Application Server (RAS). 1. Upon receiving a report-viewing request, the RAS checks to see if it has the requested report data in cache. (The RAS has its own caching mechanism, which is separate from the Cache Server.) If a cached version of the report (.epf file) is available: a. b. 3. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS returns cached pages (.epf files) to the application server. The RAS checks with the CMS to see if the user has rights to view the report. If the user is granted the right to view the report, the RAS retrieves the report object from the Input File Repository Server. The RAS then processes the report object, obtains the data from the database, generates the cached pages (.epf files), caches the pages and sends the pages to the application server. If the user is granted View rights to the report object, then the RAS will only ever generate pages of the latest report instance. That is, the RAS will not retrieve the latest data from the database. If the user is granted View On Demand rights to the report object, then the RAS will refresh the report against the database. Note: The interactive search and filter features provided by the Advanced DHTML viewer are available only if the user has View On Demand rights (or greater) to the report object. 4. When the application server receives the cached pages (.epf files) from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself. The application server sends the HTML pages through the web server to the users web browser.

2.

If a cached page of the report (.epf file) is unavailable: a. b. c.

d.

5.

50

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Information flow

Viewing Web Intelligence documents


This section describes the process for viewing a Web Intelligence document. 1. 2. 3. 4. 5. InfoView sends the request to the web application server. The web application server sends the request to the application server, which creates a new session with the Web Intelligence Report Server. The Web Intelligence Report Server checks if the user has rights to use the Web Intelligence application. The web application server then sends the request to the Web Intelligence Report Server. The Web Intelligence Report Server contacts the CMS to check whether the user has the right to view the document, and to check when the document was last updated. If the user has the right to view the document, the Web Intelligence Report Server checks whether it has up-to-date cached content for the document. If cached content is available, the Web Intelligence Report Server sends the cached document information to the SDK. If cached content is not available, the following happens: a. The Web Intelligence Report Server obtains the document information from the CMS and checks what rights the user has on the document. The Web Intelligence Report Server obtains the Web Intelligence document from either the Input or Output File Repository Server and loads the document file. Note: Which FRS is used depends on whether the request was for a Web Intelligence document that was saved to BusinessObjects Enterprise or for an instance of the document. Documents are stored on the Input FRS. Instances are generated when an object is run according to a schedule, and they are stored on the Output FRS. c. If the document is set to refresh on open and the user has the View On Demand rights, the Web Intelligence Report Server refreshes the data in the document with data from the database. Note: If the document is set to refresh on open but the user does not have View On Demand rights, an error message is displayed. d. e. The Web Intelligence Report Server stores the document file and the new document information in cache. The Web Intelligence Report Server sends the document information to the SDK.

6.

7.

b.

BusinessObjects Enterprise Administrators Guide

51

BusinessObjects Enterprise Architecture Choosing between live or saved data

8. 9.

The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK. If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.

10. The SDK applies an XSLT style sheet to the XML to transform it to HTML. 11. The viewer script returns the HTML to the browser.

Choosing between live or saved data


When reporting over the Web, the choice to use live or saved data is one of the most important decisions youll make. Whichever choice you make, however, BusinessObjects Enterprise displays the first page as quickly as possible, so you can see your report while the rest of the data is being processed.

Live data
On-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information thats accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need. Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isnt rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server. For more information about optimizing the performance of reports that are viewed on demand, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Tip: Users require View On Demand access to refresh reports against the database.

52

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Security management components

Saved data
To reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database. Report instances are useful for dealing with data that isnt continually updated. When users navigate through report instances, and drill down for details on columns or charts, they dont access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database servers workload. For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report. Tip: Users require only View access to display report instances.

Security management components


System security within BusinessObjects Enterprise is distributed across most components, but it is managed primarily by the WCA, the CMS, the security plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos. These components work together to authenticate and to authorize users who access BusinessObjects Enterprise, its folders, and its other objects. This section discusses key components as they relate to system security, including:

Web Component Adapter CMS Security plug-ins

Note: Because these components are responsible for additional tasks, several of the components discussed here are described in additional detail elsewhere in this chapter.

BusinessObjects Enterprise Administrators Guide

53

BusinessObjects Enterprise Architecture Security management components

Web Component Adapter


The WCA is the gateway between the web server and the remaining BusinessObjects Enterprise components. As such, the WCA receives all HTTP requests that are sent to BusinessObjects Enterprise from users web browsers. The WCA ensures that each user has a valid logon token for the system. If the logon token is missing, or if it has expired, the WCA initiates the primary authentication process. The WCA is also responsible for maintaining the users session state in the WCA session variable. This session variable contains information that BusinessObjects Enterprise uses when fulfilling users requests.

CMS
In relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges. When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its thirdparty security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials. When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the users account or group membership provides sufficient privileges.. For more information about the CMS and the CMS database, see Central Management Server (CMS) on page 38.

54

BusinessObjects Enterprise Administrators Guide

BusinessObjects Enterprise Architecture Security management components

Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise supports the following security plug-ins:

BusinessObjects security plug-in

BusinessObjects Enterprise Administrators Guide

55

BusinessObjects Enterprise Architecture Security management components

Windows NT security plug-in LDAP security plug-in Windows AD security plug-in

56

BusinessObjects Enterprise Administrators Guide

Planning Your Deployment

chapter

Planning Your Deployment Planning your deployment

Planning your deployment


This section provides guidelines for assessing your organizations needs, and suggestions for deployment scenarios. By putting effort into planning before you deploy your BusinessObjects Enterprise system, you can keep troubleshooting to a minimum and deliver a deployment tailored to your organizations unique needs. The section includes many examples and suggestions for deployment, but it is important to note that each deployment of BusinessObjects Enterprise is unique. The flexibility of its service-based architecture allows you to tailor the deployment to serve your organizations requirements as precisely as possible. Planning your deployment involves the following steps: 1. Perform a detailed assessment of your needs and limitations. You need to know who will be using the system and what they will be using it to accomplish. For more information, see Assessing your organizations needs on page 58 Calculate the resources required to support your organizations needs. How much load is supported by each server component? What hardware is required to support the load? For information about analyzing service thresholds and calculating server and hardware requirements, see Calculating resource requirements on page 64. Choose an initial deployment architecture. What deployment architecture will serve your needs within the limits of your resources? For suggestions and common configurations, see Common configurations on page 78. Test your deployment and adjust it to improve performance. It is good practice to deploy a test environment and fine-tune it before implementing your full production deployment. For more information, see Improving Performance on page 337.

2.

3.

4.

Assessing your organizations needs


Before you choose a system architecture and deploy BusinessObjects Enterprise, you need to perform a detailed assessment of your organizations needs. Who will be using the system? How will they be using it? What types of documents will be managed through the system? What volume of content will be accessed through the system? By understanding your users and the volume of traffic they will generate, you can determine the resources required for your deployment.

58

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Assessing your organizations needs

To make an accurate assessment, you need to perform the following tasks: 1. Determine the number of users on the system, and the type of users they are. See Estimating the number and type of users on page 59. 2. 3. Estimate the number of simultaneous requests. See Estimating the number of simultaneous requests on page 61. Estimate the number of concurrent active users and simultaneous viewing sessions. See Estimating the number of concurrent active users and viewing sessions on page 62. If you are assessing the performance of an existing system, you can use server metrics to determine how your system is currently being used. For information about assessing the performance of an existing deployment of BusinessObjects Enterprise, see Assessing your systems performance on page 338.

Estimating the number and type of users


The first step toward understanding how your BusinessObjects Enterprise system will be used is to determine the total number of users. You also need to estimate the number of concurrent users: users who are logged onto BusinessObjects Enterprise at the same time. You also need to understand how your users will use the system and how much traffic they will generate. To accurately determine the number and type of users of BusinessObjects Enterprise, perform the following steps: 1. 2. To estimate the number and type of users Determine the total number of users of the system. Include all users who will potentially have access to the system. Adjust the total number of users to account for future users. How many new users do you expect to add to the system this year? In the next five years? By deploying a system that is robust enough to accommodate future growth, you can save time and money later. 3. Estimate the number of concurrent users. The number of concurrent users is typically 10% to 20% of the total number of potential users in the system. For example, if you have a total of 4000 users, you will probably have 400 to 800 concurrent users.

BusinessObjects Enterprise Deployment and Configuration Guide

59

Planning Your Deployment Assessing your organizations needs

Note: The number of concurrent users will be used to calculate the resource requirements for the Web Application Server and the number of concurrent active users. For information, see Estimating the number of concurrent active users and viewing sessions on page 62. 4. Divide the number of concurrent users into groups according to how they will use the system:

Heavy Users Heavy users are logged onto the system all day. They interact with objects continuously throughout the day, averaging one request per second.

Active Users Active users log onto the system frequently throughout the day. They average one request every four seconds. Moderate Users Moderate users log onto the system at various points throughout the day. They average one request every eight seconds. Light Users Light users log onto the system infrequently. They view a couple of objects and log out, averaging one request every 16 seconds.

Make note of the number of users that fall into each of these groups.

Other user considerations


When you draft your final deployment plan, it is also important to think about think about where your users are and when they will use the system:

Determine the number of users for each geographical location. Where your users are can affect how you configure your system architecture. Make note of the number of users at various locations. You may want to establish local processing servers to account for significant load in areas with more users.

Estimate traffic schedule. Knowing when your users are likely to use BusinessObjects Enterprise can also help you configure your deployment. If users around the world access the system throughout the day and night, then the system should be prepared for the continuous traffic. Or, you may run all of your scheduled objects in the evenings and your users dont access them until the morning, so you may want to maintain different server configurations for day and night traffic. It is also important to consider traffic from different time zones.

60

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Assessing your organizations needs

Estimating the number of simultaneous requests


The number of requests that the system needs to process simultaneously affects how you configure and expand your deployment. Specifically, you need the number of simultaneous requests when you calculate the resource requirements for the Central Management Server, the Web Application Server, the Cache Server, the Report Application Server, and the Page Server. The number of simultaneous requests is typically 10% to 20% of the number of concurrent users. For example, if you have 400 concurrent users, you will probably have between 40 and 80 simultaneous requests. However, your users may differ from the typical scenario. To make your estimates as accurate as possible, group your users according to how they will use the system. After you determine the number of users in each group, you can use common usage rates to calculate a final estimate of the number of simultaneous requests. For information about grouping your users, see Estimating the number and type of users on page 59. 1. To estimate the number of simultaneous requests Sort your estimated number of concurrent users into groups. For information about grouping your users, see Estimating the number and type of users on page 59. 2. Calculate the number of simultaneous requests, using the following formula:
((#of heavy users)*1) + ((# of active users)*.25) + ((# of moderate users)*.12) + ((# of light users)*.06)

For example, if you have 400 concurrent users and 10 are heavy users, 40 are active users, 150 are moderate users, and 200 are light users, the formula will look like this:
(10*1) + (40*.25) + (150*.12) + (200*.06) = 10 + 10 + 18 + 12 = 50 simultaneous requests

3.

If necessary, round up the result for your final estimate of the number of simultaneous requests.

Note: This step procedure uses the following common usage rates tested by Business Objects:

BusinessObjects Enterprise Deployment and Configuration Guide

61

Planning Your Deployment Assessing your organizations needs

Concurrent users by type

Number of simultaneous requests 100 25 12 6

% of simultaneous usage rate 100% 25% 12% 6%

For every 100 heavy users For every 100 active users For every 100 moderate users For every 100 light users

Estimating the number of concurrent active users and viewing sessions


A concurrent active user is a user that is logged onto the system and is running at least one open viewing session. A viewing session refers to the length of time that an object is viewed by one or more users. When a user interacts with an object in BusinessObjects Enterprise, a viewing session is created for the object. The session remains open until the objects idle time expires. The number of concurrent active users is used to calculate resource requirements for the Central Management Server. The number of simultaneous viewing sessions is used to calculate resource requirements for Web Intelligence Report Servers and all types of Job Servers.

Concurrent active users


To calculate an accurate estimate of the number of concurrent active users, you need to ask questions about how your users work and about the objects they use.

Users Determine the number and type of concurrent users. (For information about estimating the number of concurrent users, see Estimating the number and type of users on page 59.) How many concurrent users do you have? What percentage of these users will have an active viewing session at the same time? To begin estimating the number of concurrent active users, you can add the number of users that you classified as heavy and active users when you sorted them into groups.

62

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Assessing your organizations needs

Objects

Estimate the number of objects per user. Will your users publish and view their own documents? Or will they spend more time viewing company-wide or departmental reports? How many objects will they use at once? You need to determine how many unique objects such as Crystal reports and Web Intelligence documents might be viewed at the same time by multiple users.

Estimate the types of objects. The types of objects also affect the number of concurrent active users. Split the total number of objects per user into unique and shared objects. Will your users share documents and reports with others? Shared objects reduce the number of concurrent active users because they allow multiple users to use the same viewing session. Typically, static objects such as operational view-only Crystal reports are more likely to share viewing sessions than Web Intelligence documents or OLAP Intelligence reports, which are dynamically interactive. Keep this in mind when you calculate the shared component of your load requirements.

Viewing sessions
To estimate the number of simultaneous viewing sessions, consider the following examples:

If every user logged onto the system is interacting with a single unique object (such as a report, a document, or a dashboard), the number of viewing sessions is equal to the number of concurrent users. If you had 100 users viewing 100 unique objects, then the number of viewing sessions equals 100. If every user logged onto the system is interacting with more than one unique object, the number of viewing sessions is higher than the number of concurrent users. If every user viewed two unique objects, for example, then the number of viewing sessions will be twice the number of concurrent users. If every user logged onto the system is viewing one or more objects that are not unique (shared between users), the number of viewing sessions will be lower than the number of concurrent users. If you have 100 users and 50 of them are viewing a shared report, while the other half are interacting with a single unique object, then there will be 51 viewing sessions: one for the shared report and 50 for the unique objects.

BusinessObjects Enterprise Deployment and Configuration Guide

63

Planning Your Deployment Calculating resource requirements

Based on your understanding of your users and the shared and unique content they need, you can use the following equation to determine a rough estimate of the number of viewing sessions:
(# of unique objects)(number of concurrent users viewing unique objects) + number of shared objects

For example, if you have 100 concurrent active users and 20 users are viewing 2 shared objects and 80 users are viewing 2 unique objects each, then you will have 162 simultaneous viewing sessions:
(2)(80) + (2) = 162

If you have 100 concurrent active users and 80 users are viewing 2 shared objects and 20 users are viewing 2 unique objects each, then you will have 42 simultaneous viewing sessions:
(2)(20) + (2) = 42

Calculating resource requirements


In the previous sections, you estimated the number and type of users, the number of simultaneous requests, the number of concurrent active users, and the number of viewing sessions. Together, this information allows you to estimate the load that will be placed on your system. The next step is to determine the BusinessObjects Enterprise and hardware resources required to support the load. To estimate the systems resource requirements, you need to use service threshold standards to estimate the following:

The number of BusinessObjects Enterprise server components (or services) you need in order to accommodate the load. The number of CPUs required to run the server components and support the load.

For a table summarizing resource calculations, see Summary of resource calculations on page 73.

Analyzing service thresholds


Before you can calculate your resource estimates, you need to analyze the service thresholds for the following server components:

Central Management Server Web Application Server Cache Server Report Job Server

64

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

List of Values Job Server Web Intelligence Report Server Report Application Server Page Server

It is important to note that the service threshold numbers provided in this section are based on benchmark testing performed by Business Objects. The test machines had an average clock speed of 2.5 GHz with 2 GB memory per CPU. These threshold numbers are intended only as a baseline to help you determine the size and configuration of your system. These numbers are affected by many factors, such as: the size and complexity of objects; the number of users; your network speed; operating system; clock speed; application server; disk speed; memory; and many more factors. The sample threshold numbers provided here assume that each BusinessObjects Enterprise server is installed on a separate machine and that each machine is a single CPU box. After you perform the initial sizing calculations, you can adjust the sizing numbers and system configuration to accommodate your specific system requirements. It is important to monitor your system performance regularly and adjust the configuration accordingly. For more information about monitoring performance, see Assessing your systems performance on page 338. Note: For more information about these server components and how they work together, see BusinessObjects Enterprise Architecture on page 29. Note: The Event Server is not a processing- or memory-intensive server, so it is not included in the discussion of service thresholds. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366.

Central Management Server


Central Management Server thresholds depend on the number of CPUs and the number of services running on them. Its good practice to configure for a higher number of users and simultaneous requests than your current system usage.

One Central Management Server can handle 600 concurrent active users and 150 simultaneous requests. One CPU can handle 500 concurrent active users and 150 simultaneous requests.

For example, to support 4000 concurrent active users generating 400 simultaneous requests, your deployment could include:

BusinessObjects Enterprise Deployment and Configuration Guide

65

Planning Your Deployment Calculating resource requirements

Two quad boxes with four CMS services each. Eight single CPU machines with one CMS service each.

Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.

Estimating CMS memory usage


To determine how much memory you need on the Central Management Server machine, estimate how many objects and instances youll have in the system and calculate the estimated memory usage. This table lists the estimated memory usage for the object types: Object User Folder Report object Estimated Memory Usage 14 KB (7 KB memory and 7 KB virtual memory) 10 KB 20 KB average (Report object size can vary considerably. Estimate higher for large or complex report objects.) 20 KB average per instance

Report instance Note:

There are many factors that can increase the amount of memory required for the Central Management Server. Report objects and instances in particular can vary in size considerably. For example, report instances that contain numerous prompts will be larger than average because every string prompt requires 256 bytes. In normal operation, the Central Management Server keeps only the most recently accessed objects in memory. During periods of rapid object access, such as batch reporting, the Central Management Server may exceed the specified amount of memory.

Memory requirements depend on the number of individual accounts and objects that need to be loaded by the Central Management Server. For example, when you access a folder or a category, if the folder contains many objects and instances, it will take longer to load. By maintaining a detailed and organized folder structure, you can improve the speed of your system. The registry setting MaximumObjectsToKeepInMemory controls the number of objects kept in memory by the Central Management Server. Adjust this setting if memory resources on the Central Management Server are either scarce or plentiful.

66

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

Web Application Server


Each Web Application Server handles different numbers of concurrent active users and simultaneous requests. When youre configuring your Web Application Server (for example, IIS, Apache Tomcat, BEA WebLogic, or IBM WebSphere), consider the main functions of the Web Application Server within the BusinessObjects Enterprise system:

Processing the .NET/Java script Translating the Encapsulated Page Files (page on demand) to DHTML pages. Communicating with the Crystal Reports Cache Server for report view requests. Managing session state information for the users. Facilitating OLAP Intelligence view requests. Communicating with the Web Intelligence Report Server for view requests.

Web Application Server thresholds generally depend on the number of CPUs and the number of services running on them. Its good practice to configure for a higher number of users and simultaneous requests than your current system usage.

One service can handle virtually unlimited numbers of concurrent users and simultaneous requests, but consult your web application server documentation for specific numbers. One CPU can handle 400 concurrent users One CPU can handle 100 simultaneous requests if ActiveX is used as a primary viewer. One CPU can handle 50 simultaneous requests if DHTML is used as a primary viewer. One CPU can handle 40 simultaneous requests if OLAP Intelligence is used as a primary document viewing engine (OLAP DHTML viewer).

For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include one web application service installed across

10 single-CPU machines. Two quad boxes and a dual machine. Five dual machines.

Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.

BusinessObjects Enterprise Deployment and Configuration Guide

67

Planning Your Deployment Calculating resource requirements

Cache Server
The Cache Server handles all report viewing requests. When the Cache Server receives a request, it checks whether of not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays the required data and the data has been refreshed from the database within the specified interval, the Cache Server returns the cached report page to the Web Application Server. If not, then the page is requested from the Page Server. The thresholds for the Cache Server are:

1 service can handle 400 simultaneous requests. 1 CPU can handle 200 simultaneous requests.

For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include: one Cache Server service installed across a dual-CPU machine. two Cache Server services installed across two single-CPU machines.

Note: Since the Cache Server works directly with the Page Server, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers.

Report Job Server


The Report Job Server processes report objects for the Central Management Server and generates report instances. The thresholds for the Report Job Server are:

One Job Server can handle 20 concurrent Crystal Reports jobs. One CPU can handle five concurrent Crystal Reports jobs.

Do not set individual Job Servers to process more than 20 simultaneous jobs. For example, if there are 40 simultaneous jobs and you have an 8-CPU computer, configure two Job Servers on the machine with each server set to handle 20 simultaneous jobs. Note: Complex reports that retrieve and process a large set of data should be scheduled. Jobs run as independent processes rather than threads on the Reports Job Server. This requires more resources for each job, but allows for efficient processing of a smaller set of large processing reports.

Reports Job Server threshold formula


You can use the following formula to help determine the number of Report Job Servers you need:

68

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

((# of reports) x (average report processing time)) / ((time window) x (maximum number of jobs per job server) = # of job servers required

Note: Make sure you use the same time measurement (minutes, for example) for the average report processing time and the time window. (The time window is the maximum amount of time the system can take to process the reports.) For example:
(200 reports x 1 minute) / (10 minutes x 20) = 1 job server required

List of Values Job Server


The List of Values (LOV) Job Server processes List of Values objects for the Central Management Server and generates object instances. List of Values objects are used for dynamic prompts and cascading lists of values for Crystal reports. The thresholds for the List of Values Job Server are:

One List of Values Job Server can handle 20 simultaneous requests. One CPU can handle five simultaneous requests.

Web Intelligence Report Server


The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents (stored in the File Repository Servers). It also processes scheduled Web Intelligence documents and generates new instances of documents. Depending on the users access rights and the refresh options set on the document, the Web Intelligence Report Server uses cached information or refreshes the data. Note: The Web Intelligence Report Server also processes Crystal xCelsius documents. If your users work with Crystal xCelsius, they may have significantly higher simultaneous viewing sessions and you will need to install more Web Intelligence Report Servers. The thresholds for the Web Intelligence Report Server are:

One Web Intelligence Report Server can support 25 simultaneous viewing sessions. One CPU can support 25 simultaneous viewing sessions.

For example, if you expect users of Web Intelligence documents to need an average of 100 simultaneous viewing sessions, you could have four Web Intelligence Reports Server services installed on a quad machine.

BusinessObjects Enterprise Deployment and Configuration Guide

69

Planning Your Deployment Calculating resource requirements

Note: Memory requirements can be affected by the document design and the types of actions being performed. For example, a refresh request demands the greatest amount of memory for a Web Intelligence document because the database is queried and the entire dataset is transferred to the Web Intelligence Report Server.

Report Application Server


The Report Application Server processes reports that InfoView users view with the Interactive DHTML viewer. It also provides the reporting capabilities that allow InfoView users to create and modify Crystal report over the web. The thresholds for the Report Application Server are:

One Report Application Server can handle 200 simultaneous requests. One CPU can handle 25 to 75 simultaneous requests. For optimal performance, use 25 simultaneous requests for your calculations.

For example, if you expect 100 concurrent active users viewing or modifying a Crystal report, you could configure a quad machine with one Report Application Server installed for each CPU.

Page Server
The Page Server retrieves data for the report from an instance or directly from the database (depending on the users request and access rights for the object). The Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server interact to ensure cached EPF pages are reused as frequently as possible. The number of concurrent active users is not important for determining the number of Page Servers you need, because BusinessObjects Enterprise automatically creates new Page Server processes to accommodate extra traffic. Because Cache Servers work directly with Page Servers, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers. The thresholds for the Page Server are as follows:

One CPU can handle 25 to 75 simultaneous requests. The recommended settings is 50.

For example, to support 400 simultaneous requests, your deployment could include:

one Page Server service installed across an 8-way CPU machine. two Page Server services installed across two quad CPU machines.

70

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

Note: Unless the machine is dedicated to serve multiple Page Server groups, do not install more than one Page Server on a single machine (even if the machine has four or more CPUs).

Dedicated Page Server machine


If you have a dedicated Page Server machine, it will dynamically adapt to different loads by creating and stopping Page Server processes as needed (within available resources). For a dedicated Page Server, it is good practice to change the Maximum Simultaneous Report Jobs setting to Unlimited. When you use the Unlimited setting, the maximum number of jobs is set to 25 jobs per CPU, with a minimum of 50. For example,

For 1 CPU, the Maximum Simultaneous Report Jobs is 50. For 2 CPUs, the Maximum Simultaneous Report Jobs is 50. For 4 CPUs, the Maximum Simultaneous Report Jobs is 100. For 8 CPUs, the Maximum Simultaneous Report Jobs is 200.

Shared Page Server machine


If the Page Server shares resources with other services such as the Job Server or the Central Management Server, you may want to change the Maximum Simultaneous Report Jobs setting. The recommended range for this value is between 25 and 75 per available CPU. If machine resources are particular scarce, as in a full deployment on one standalone machine for example, you may need to choose a value below 25.

Calculating the minimum resource requirements


After you assess your organizations needs and understand the service threshold limitations, you can determine the minimum resources needed to implement an effective BusinessObjects Enterprise deployment. To calculate the minimum resource requirements, you need the following information from the previous section:

The estimated number of concurrent users. The estimated number of simultaneous requests. The estimated number of concurrent active users and viewing sessions. Service threshold information for each server type.

This section provides examples of how to calculate the minimum required resources for your deployment. Note: You may also want to expand the system to account for high availability. For information about designing for high availability, see Designing for high availability on page 76.

BusinessObjects Enterprise Deployment and Configuration Guide

71

Planning Your Deployment Calculating resource requirements

Central Management Server


For this example, assume that you estimated a total of 8000 users of the system, with 800 concurrent active users. According to the service threshold benchmarks, a single Central Management Server on a single CPU can handle up to 500 concurrent active users. You will need more than one Central Management Server to support all requests. In this example, you would need to install two Central Management Server services across two single-CPU machines to support up to 1000 users. This exceeds the systems needs by 200 concurrent active users but allows for future growth.

Web Application Server


Assume that the 800 concurrent users view Crystal report objects using the ActiveX viewer and generate an average of 100 simultaneous requests. One Web Application Server allows for 400 concurrent users per processor. It also allows for 100 simultaneous requests. Although the 100 simultaneous viewing ActiveX requests can be handled by a single CPU, this system requires two Web Application Server services because each service can handle only 400 concurrent users per server on a single-CPU machine.

Cache Server
Assume for this example that you have 800 concurrent users using the ActiveX viewer and there are 500 simultaneous requests. Each Cache Server can handle 200 simultaneous requests per CPU. This system requires three Cache Servers installed across three single-CPU machines.

Report Job Server


For this example, assume that 1000 report objects are being scheduled to run during the night. On average, it takes nine minutes to run each report. You have five hours (300 minutes) to run all of the reports. The number of Crystal Reports Job Server services required is determined by performing the Crystal Reports Job Server threshold calculation. (For more information, see Report Job Server on page 68.) In this example, the calculation is:
(1000 reports x 9 minutes to run each report) / (300 minutes for the time window x 20 maximum jobs per service) = 2 Crystal Reports Job Servers installed on two quad machines

72

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

Web Intelligence Report Server


Assume for this example that you need to support 100 simultaneous viewing sessions. A single Web Intelligence Report Server can support 25 simultaneous viewing sessions on a single-CPU machine; the system requires four Web Intelligence Report Servers installed across four singleCPU machines.

Report Application Server


If you have an average of 50 concurrent users working in the Report Application Server, running an average of 50 simultaneous requests, then your system will need one Report Application Server installed across two CPUs. You could install the single Report Application Server on a dual machine.

Page Server
Assume for this example that you have 500 simultaneous requests. One CPU can handle 50 simultaneous requests, this system requires 10 CPUs. You need only one Page Server service per machine, because it automatically creates new processes on each machine to account for high traffic. In this example, you could use 3 Page Servers installed across two quad machines and one dual machine.

Summary of resource calculations


The following table summarizes the load supported by each server component. The table includes the following:

The server component. The user and traffic loads that each server component can support. The user and traffic loads that each CPU can handle when running the server component. A sample configuration.

For more information about the service thresholds, see Analyzing service thresholds on page 64. For more information about making resource calculations, see Calculating the minimum resource requirements on page 71.

BusinessObjects Enterprise Deployment and Configuration Guide

73

Planning Your Deployment Calculating resource requirements

Server type CMS

Supported load per Supported load per server component CPU

Example

600 concurrent active users per CMS 150 simultaneous requests per CMS 400 concurrent users per Web Application Server

500 concurrent active users per CPU 150 simultaneous requests per CPU

If you have 600 concurrent active users running an average of 100 simultaneous requests, you will need one CMS across two CPUs. If you have 600 concurrent users using the ActiveX viewer and generating an average of 100 simultaneous requests, you will need two Web Application Servers running on a single CPU.

Web Application Server

400 concurrent users per CPU 100 simultaneous requests using the ActiveX viewer per CPU 50 to 75 simultaneous requests using the DHTML viewer per CPU 40 OLAP Intelligence requests using the OLAP Intelligence DHTML viewer per service per CPU 200 simultaneous requests per CPU

Cache Server

400 simultaneous requests per Cache Server

If you have 600 concurrent users running an average of 500 simultaneous requests, you will need three Cache Servers installed across three CPUs. If you need to run 40 report objects simultaneously every day at midnight, you will need two Job Servers, running on eight CPUs (two quad machines).

Report Job Server

20 simultaneous report jobs per Job Server

5 simultaneous report jobs per CPU

74

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

Server type List of Values Job Server

Supported load per Supported load per server component CPU

Example

20 simultaneous requests per List of Values Job Server

5 simultaneous requests per CPU

If you need to run 10 objects that use List of Values objects simultaneously, you will need three Job Servers, running on ten CPUs (two quad machines and a dual machine). If you need to support 100 simultaneous viewing sessions, you will need four Web Intelligence Report Servers running across four CPUs (one quad machine). If you need to support 300 simultaneous requests, you will need two Report Application Servers running across 12 CPUs (three quad machines). If you need to support 400 simultaneous viewing sessions, you will need 8 CPUs (two quad machines).

Web Intelligence Report Server

25 simultaneous viewing sessions per Web Intelligence Report Server

25 simultaneous viewing sessions per CPU

Report Application Server

200 simultaneous requests per Report Application Server

25 simultaneous requests per CPU

Page Server

25 to 75 simultaneous viewing sessions per CPU. (Use 50 simultaneous viewing sessions for your initial calculations.)

BusinessObjects Enterprise Deployment and Configuration Guide

75

Planning Your Deployment Calculating resource requirements

Designing for high availability


After you calculate the minimum resource requirements for your system, you should consider expanding your deployment to account for high availability. High availability refers to a system that is almost continuously operational. When designing a system for high availability, you need to consider how much time is acceptable for the system to be down. To minimize the amount of down time, you need to plan for failover processing, system backup, and data storage. To provide a BusinessObjects Enterprise architecture that provides high availability, all of its services and sources of data must be continuously available and operational. You need to consider:

Fault tolerance If a BusinessObjects Enterprise service fails, a fault tolerance system allows for continuous processing of system requests with no loss of service. To achieve this level of availability, you need to provide duplicate BusinessObjects Enterprise services. For example, if a Web Intelligence Job Server fails, you need a duplicate Web Intelligence Job Server to immediately take its place to process requests with no loss of service.

Disaster recovery A disaster recovery plan consists of precautions to be taken in the event of a full system failure. A disaster recovery plan needs to minimize the effects of the disaster on the organization so you can maintain or quickly resume important system functions. If your organization has multiple offices, it is good practice to keep the backup system in a different geographical location. A BusinessObjects Enterprise disaster recovery plan often involves implementing redundant servers in a backup system that mirrors the primary system. In the event that the primary system goes down, the backup system is still available and becomes the full production system. Note: When you back up your primary system, you need to back up: the Central Management Server system database; the content of the Input and Output File Repository Servers; the user ID and password for the Administrator account; the application code from the Web Application Server; and the registry settings (if manual changes were made).

You may not have the resources to implement a high degree of availability, but there are still best practices you can use to provide the best possible availability for your system.

76

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Calculating resource requirements

Designing a multiple-server system for high availability


You can attain a high degree of availability with a multiple-server system. It depends largely on the resources available to you after the basic resource requirements of the system have been met. You can manage fault tolerance for a multiple-server environment by adding additional services to handle failover support. In a multiple-server environment, the duplicate services can be added to different machines. You can cluster services together so that if one service fails or if there is a hardware failure on the machine running the service, the duplicate service on a different machine continues to process requests with no impact to the system. Two common examples of fault tolerance in a multiple-server environment are:

CMS clustering With CMS clustering, a set of two or more CMS server machines function as a single Central Management Server. In the event of a failure, the workload of the failed CMS is picked up by another available CMS within the cluster. For more information about CMS clustering, see Clustering Central Management Servers on page 114.

Active and passive File Repository Servers Your deployment can have multiple Input and Output File Repository Servers. The first File Repository Server pair to register with the CMS cluster becomes the active FRS pair and the other FRS services are considered passive. Although all File Repository Server services run simultaneously, only the active FRS pair handles requests. In the event that an active FRS fails, a passive FRS that is registered with the CMS cluster is changed to active status. When the previously active FRS becomes operational again, it is registered as a passive FRS with the CMS.

For disaster recovery, the most important considerations for disaster recovery are backups and data recovery. Depending on your organizations needs, it may also be important to minimize down time. If your system must remain available during a disaster, its good practice to maintain a full backup system that mirrors the primary system. If you set up a backup system, ensure that the two systems do not run at the same time. Otherwise, the primary and backup systems may not be synchronized properly. You can configure the primary and backup systems as

BusinessObjects Enterprise Deployment and Configuration Guide

77

Planning Your Deployment Common configurations

members of the same CMS cluster regardless of location, but ensure that the the primary and backup CMSs run off of the corresponding primary and backup system databases.

Common configurations
After you determine the needs of your users and the resources required for the deployment, you can develop an initial deployment architecture for BusinessObjects Enterprise. This section describes potential scenarios for administrators who are planning an installation of BusinessObjects Enterprise. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about assessing your systems unique needs, see Assessing your organizations needs on page 58. For information about fine-tuning performance, see Improving Performance on page 337. It is also recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide. Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see Adding and deleting servers on page 105. This section describes the following common configurations:

Single-machine architecture on page 79 Balanced processing architecture on page 79 High availability clustered architecture on page 80 Firewalled architecture on page 81

For a detailed sample deployment that illustrates the concepts described in this chapter, see Server deployment and firewall configuration on page 435.

78

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Common configurations

Single-machine architecture
Useful for testing purposes, this basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not need to share with database and web server processes. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:

Install all of the BusinessObjects Enterprise servers on a single, dedicated machine. Run the CMS database on your database server. If you are still using the MySQL CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.

Balanced processing architecture


This second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. By dividing architecture components into logical groups, you prevent the server components from competing with each other for the same hardware and processing resources. Note: It is recommended that you use three multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:

Install the BusinessObjects Enterprise management components on one machine. For example, you could install the Central Management Server and the Event Server on one machine. Note: Here, the Event Server is installed on the same machine as the Central Management Server. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

BusinessObjects Enterprise Deployment and Configuration Guide

79

Planning Your Deployment Common configurations

Install the web services components on the second machine. For example, you could install the web application server, the Web Component Adapter, and the Cache Server on the second machine. Note: In this example, the Cache Server is installed with the The Cache Server is included with the web services components because it communicates regularly with the Web Application Server. You could install it on the third machine instead.

On the third machine, install the storage and processing components: the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server. Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.

High availability clustered architecture


One of the most common configurations, this third configuration mirrors the balanced processing architecture. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. If a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system. Note: This example was tested using five multi-processor machines (dualCPU or better), with at least 2 GB RAM installed on each machine. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:

Install the balanced processing setup first. Verify that BusinessObjects Enterprise is functioning correctly. For details, see Balanced processing architecture on page 79. Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed.

80

BusinessObjects Enterprise Deployment and Configuration Guide

Planning Your Deployment Common configurations

Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on). For more information about CMS clustering, see Clustering Central Management Servers on page 114. Note: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

On the remaining machine, install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and Report Application Server, along with a pair of Input and Output File Repository Servers. Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.

Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.

Firewalled architecture
Another common configuration is a firewalled architecture based on one of the previous configurations. For a detailed example of a firewalled deployment, see Server deployment and firewall configuration on page 435. For general information about configuring firewalls with BusinessObjects Enterprise, see Working with Firewalls on page 157.

BusinessObjects Enterprise Deployment and Configuration Guide

81

Planning Your Deployment Common configurations

82

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster

chapter

Creating a WebSphere cluster Overview

Overview
WebSphere Application Server Network Deployment has the ability to balance the application workload through the use of vertical and horizontal scaling. A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. While you can configure either type of cluster, or have a combination of vertical and horizontal clusters, this section explains how create a vertical cluster and deploy InfoView on this vertical cluster. When you cluster InfoView in the method described in this section you will create logon session affinity, not session failover. This means that under normal circumstances, once a session begins, all requests for that session go to the same cluster member. However, if the cluster member processing your session fails, your session will be automatically redirected to another functioning cluster. While you will not be required to log on again, you may loose your context, and may be required to navigate back to your original location. Note: Logon session affinity is only supported for InfoView. None of the other applications have support for this feature at this time.

Before you begin


Make sure the following servers are installed:

IBM WebSphere Application Server Network Deployment with administrative privileges. IBM WebSphere Application Standalone Server with administrative privileges.

Creating a WebSphere cluster


Creating and setting up the WebSphere cluster includes these tasks:


84

Starting the servers on page 85 Creating a cluster on page 87 Checking the assigned port number on page 89 Adding the assigned port number on page 90 Setting heap size on page 90 Setting internal system configuration on page 92 Installing the applications on page 93

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

Mapping BusinesssObjects WAR files to the cluster on page 95 Regenerating the web server plugin on page 96

Starting the servers


To create a cluster, the deployment manager and the node agent must be running. To start the servers in Windows Note: You may be required to be a member of the local Administrators group to start the server. 1. Start the deployment manager if its not already running: a. b. In a command prompt, navigate to the <network_deployment_root> bin directory. Issue the following command to check the status of the deployment manager server:
serverStatus dmgr

Note: You can also use serverStatus -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
startManager

2.

Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
addNode localhost 8879

3.

Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
serverStatus nodeagent

Note: You can also use serverStatus -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
startNode

BusinessObjects Enterprise Deployment and Configuration Guide

85

Creating a WebSphere cluster Creating a WebSphere cluster

4.

Initialize the HTTP server: a. b. c. Open Windows Services Scroll down and select IBM HTTP Server 1.3.26 If the status of the IBM HTTP Server is not set to Started, click the start icon in the tool bar.

The servers are now started and you are ready to create a cluster. To start the servers in UNIX Note: You may require sudo authority on your UNIX machine to start the server. This type of authority is granted by your UNIX administrator. 1. Start the deployment manager if its not already running: a. b. In a command prompt, navigate to the <network_deployment_root> bin directory. Issue the following command to check the status of the deployment manager server:
./serverStatus.sh dmgr

Note: You can also use ./serverStatus.sh -all to check the status of the deployment manager server. c. If the Deployment Manager is not started, start it with the following command:
./startManager.sh

2.

Add the node to the Deployment Manager Cell: a. b. In the command prompt, navigate to the <App_Server_root> bin directory. Issue the following command to federate the node into the cell and start the node agent:
./addNode.sh localhost 8879

3.

Initialize the node agent: a. b. In the command prompt, navigate to the <App_Server_root> directory. Issue the following command to check the status of the node agent:
./serverStatus.sh nodeagent

Note: You can also use ./serverStatus.sh -all to check the status of the node agent. c. If the node agent is not started, start it with the following command:
./startNode.sh

86

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

4.

Initialize the HTTP server: a. Issue the following command to check if HTTP server is running:
ps -ef | grep httpd

Note: You should see a list of processes running with the name of "httpd". b. If httpd is not running, start your HTTP server manually by issuing the following command:
IHS_install_dir/bin/apachectl start

The servers are now started and you are ready to create a cluster.

Creating a cluster
A cluster is a group of application servers (cluster members) that are distributed across one or more nodes. An application installed in the cluster runs on each cluster member, so workload management and failover are provided for the application. Following are the steps involved in creating a cluster: 1. To create a cluster Start the IBM WebSphere Administrative Console in your browser.


2. 3. 4. 5. 6.

For IBM WebSphere 5.1, type http://servername:9091/admin/ For IBM WebSphere 6.0, type http://servername:9060/admin/

Logon to the administrative console. Expand Servers and click Clusters. Click New. The Step 1 : Enter Basic Cluster Information panel appears. In the Cluster Name field, type MyCluster. Verify that Prefer local enabled is selected. This specifies whether EJB requests are routed to the node on which the client resides, if possible.

7.

Select Create Replication Domain for this cluster. This will create a single replication domain for the cluster to allow replication of session data for a failover.

8.

Verify that Do not include an existing server in this cluster is selected. This will create the first cluster member as a new application server instead of using the server1 application server as the first member of your cluster.

BusinessObjects Enterprise Deployment and Configuration Guide

87

Creating a WebSphere cluster Creating a WebSphere cluster

9.

Click Next. The Step 2 : Create New Clustered Servers panel appears.

10. Define a node for the cluster: a. b. c. d. e. f. In the Name field, type MgServer1. Click your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. Select Existing application server and click was5hostNetwork/ was5host/server1 to select the template in the drop down menu. This will allow the server to use the setting of the server1 applications server as the template for your cluster members. g. h. Click Apply. MgServer1 is now displayed in the table Application servers, at the bottom of the page. Add another cluster member to the server by typing MgServer2 in the Name field. Click on your node from the drop down menu. In the Weight field, type 2. Verify that Generate Unique Http ports is selected. Select Create Replication Entry in this server. Note: Skip this step if you are using WebSphere 6.0. f. g. Click Apply. MgServer2 is now displayed in the table Application servers, at the bottom of the page.

11. In the same panel, define another node for the cluster: a. b. c. d. e.

12. Click Next. 13. Review the configuration summary and click Finish. The cluster is now created in the configuration. For each newly defined node go to Servers and click on Application Servers. 14. Save your changes: a. Click the hyperlink Save in the task bar at the top of the console to open the Save page.

88

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

b. c.

On the Save page, expand and review the list of files to be changed. Click Save.

Checking the assigned port number


Follow the procedures below to check the assigned port numbers in WebSphere 5.1 or WebSphere 6.0: 1. To check the assigned ports in WebSphere 5.1 Expand Servers and click Application Servers. The servers that you created (MgServer1 and MgServer2) in the section Creating a cluster on page 87 are now listed on the Application Servers page. 2. 3. Click MgServer1. Go to the HTTP Transports page. a. b. Under Additional Properties, go to Web Container. Under Additional Properties, click on HTTP Transports.

The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the host name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list. 1. To check the assigned ports in WebSphere 6.0 Expand Servers and click Application Servers. The servers that you created (MgServer1 and MgServer2) in the section Creating a cluster on page 87 are now listed on the Application Servers page. 2. 3. Click MgServer1. Go to the HTTP Transports page. a. b. Under Container Settings, expand Web Container Settings. Click Web container transport chains to view the HTTP ports.

The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the port name WCInboundDefault and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list.

BusinessObjects Enterprise Deployment and Configuration Guide

89

Creating a WebSphere cluster Creating a WebSphere cluster

Adding the assigned port number


After checking the port number in section Checking the assigned port number on page 89, add the port numbers to the virtual hosts using the following procedure: 1. 2. 3. To add the assigned port number In the navigation menu, expand Environment, click Virtual Hosts. From the virtual hosts list, click default_host. Add port number to the host aliases list: a. b. c. d. e. 4. Under Additional Properties, click Host Aliases. Click New. In the HostName field, type * In the Port field, type the port number. Click OK.

Note: Follow this step to add other port numbers to the host aliases list. Save your configuration: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

Setting heap size


You may be prompted to set the heap size. Follow the procedures below to set the heap size in WebSphere 5.1 or WebSphere 6.0: 1. 2. 3. To set the heap size in WebSphere 5.1 Expand Servers and click Application Servers. Click on the application server to set its heap size. Go to the JVM page. a. b. c. Scroll down until you see Process Definition in the Additional Properties table. Click on Process Definition. Scroll down and click on Java Virtual Machine in the Additional Properties table.

90

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

4. 5. 6. 7. 8.

Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

Note: Follow the same procedure to set heap sizes of any other servers. 1. 2. 3. To set the heap size in WebSphere 6.0 Expand Servers and click Application Servers. Click on the application server to set its heap size. Go to the JVM page. a. b. c. 4. 5. 6. 7. 8. Under the Server Infastructure section, click and expand Java and Process Management. Click on Process Definition. In the Additional Properties section, click on Java Virtual Machine.

Scroll down until you see Initial Heap Size. In the Initial Heap Size field, type 512. In the Maximum Heap Size field, type 1024. Click Apply and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

Note: Follow the same procedure to set heap sizes of any other servers.

BusinessObjects Enterprise Deployment and Configuration Guide

91

Creating a WebSphere cluster Creating a WebSphere cluster

Setting internal system configuration


For each node in a new cluster, set the path variable that applies to your environment and the PATH. 1. 2. 3. To set internal system configuration in Windows Expand Servers and click on Application Servers. Click on your server name. Go to the Custom Properties page.


4. 5. 6.

If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.

Click New. In the * Name field, type PATH. In the * Value field, type the path that points to BusinessObjects folder. Note: The default location of this folder is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86. Modify the path if you changed the default location.

7. 8. 9.

Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

1. 2. 3.

To set internal system configuration in UNIX Expand Servers and click on Application Servers. Click on your server name. Go to the Custom Properties page.


4.

If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties. If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.

Click New.

92

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

5.

In the * Name field, type the name of the path variable that applies to your deployment. These are your options:

Operating Variable System For Solaris LD_LIBRARY_PATH For AIX For Linux For HPUX 6. LIBPATH LD_LIBRARY_PATH SHLIB_PATH

In the * Value field, type the path that points to BusinessObjects platform name folder. The location of this file is <INSTALLDIR>/bobje/enterprise115/ solaris_sparc
Replace INSTALLDIR with the location of your installation and replace solaris_sparc with the platform name that applies to your installation. The platform name options are as follows:


7. 8. 9.

aix_rs6000 linux_x86 hpux_pa_risc

Click Apply. Click OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

Installing the applications


1. 2. 3. 4. To install the applications in Windows Go to the administrative console. Expand Applications and click Install New Application Select Local path system and click Browse. Navigate to the application directory, select and click Open. The Local path field should now contain the path of the WAR file.

BusinessObjects Enterprise Deployment and Configuration Guide

93

Creating a WebSphere cluster Creating a WebSphere cluster

Note: The default location for the application files is c:\Program Files\Business objects\BusinessObjects Enterprise 11.5\java\applications\ 5. 6. 7. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 8. 9. Select the application server you created from the Clusters and Servers field. Select the module to apply it to, and click Apply. Note: You will receive a message when the process is complete. 1. 2. 3. 4. To install the applications in UNIX Go to the administrative console. Expand Applications and click Install New Application Select the Server Path button. Click Browse and then find the location of the war files. Note: The application files can be found in the location <INSTALLDIR>/bobje/enterprise115/java/applications, where INSTALLDIR is the directory where you installed BusinessObjects Enterprise. 5. 6. 7. 8. Click the button beside the file you want to deploy, and then click OK. Type the context root for the application file in the Context Root field. Click Next. Accept the defaults on each page and click Next until you get to Step:3 Map modules to application servers. Note: Each page may take several minutes to process. 9. Select the application server you created from the Clusters and Servers field.

10. Click Next, and click Finish.

10. Select the module to apply it to, and click Apply. 11. Click Next, and click Finish. Note: You will receive a message when the process is complete.

94

BusinessObjects Enterprise Deployment and Configuration Guide

Creating a WebSphere cluster Creating a WebSphere cluster

Mapping BusinesssObjects WAR files to the cluster


Follow the procedures below to map BusinessObjects WAR files to the cluster in WebSphere 5.1 or WebSphere 6.0: 1. 2. 3. To map BusinessObjects WAR files to the cluster in WebSphere 5.1 In the navigation menu, expand Applications and click on Enterprise Applications. Click on desktop_war from the list. Go to the Map modules page. a. b. 4. Scroll down to Additional Properties. Click on Map modules to application servers.

In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.

5. 6. 7.

Select your module from the Module section of the table. Click Apply, and OK. Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

1. 2. 3.

To map BusinessObjects WAR files to the cluster in WebSphere 6.0 In the navigation menu, expand Applications and click on Enterprise Applications. Click on desktop_war from the list. Go to the Map modules page. a. b. Scroll down to Additional Properties. Click on Map modules to servers.

4.

In the list, scroll to select a cluster that you want to map the modules to. Note: This cluster can be the same cluster that you created in section Creating a cluster on page 87.

5. 6.

Select your module from the Module section of the table. Click Apply, and OK.

BusinessObjects Enterprise Deployment and Configuration Guide

95

Creating a WebSphere cluster Creating a WebSphere cluster

7.

Save your changes: a. b. c. Click the hyperlink Save in the task bar at the top of the console to open the Save page. On the Save page, expand and review the list of files to be changed. Click Save.

Regenerating the web server plugin


When you make changes to an application server, you must regenerate the Web server plugin configuration file to ensure that the correct set of requests are forwarded to the WebSphere Application Server. Follow the procedures below to regenerate the web server plugin in WebSphere 5.1 or WebSphere 6.0: 1. To regenerate the web server plugin in WebSphere 5.1 Follow these steps to update the web server plugin: a. b. In the navigation menu, expand Environments and click on Update Web Server Plugin. Click OK.

Note: If the update is successful, a confirmation message will appear at the top of the page stating, The web server plugin configuration was updated successfully. 2. You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file. To regenerate the web server plugin in WebSphere 6.0 Follow these steps to update the web server plugin: a. b. 2. In the navigation menu, expand Servers and click on Web servers. Select your server from the list and click on Generate Plug-in.

1.

You can view or download the current web server plugin file by clicking on the hyperlink View or download the current web server plugin configuration file.

96

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers

chapter

Managing and Configuring Servers Server management overview

Server management overview


This section provides information on a range of server tasks that allow you to customize the behavior of BusinessObjects Enterprise. It also includes information on the server settings that you can alter to accommodate the needs of your organization. The default values for these settings have been chosen to maximize the reliability, predictability, and consistency of operation of a typical BusinessObjects Enterprise installation. The default settings guarantee the highest degree of data accuracy and timeliness. For example, by default, data sharing between reports is disabled. When running reports on demand, disabling data sharing means that every user can always assume that they will receive the latest data. If you prefer to place more emphasis on the efficiency, economy, and scalability of BusinessObjects Enterprise, you can tune server settings to set your own balance between system reliability and performance. For example, enabling data sharing between reports markedly increases system performance when user loads are heavy. To take advantage of this feature while ensuring that every user receives data that meets your criteria for timeliness, you can also specify how long data will be shared between users.

BusinessObjects Enterprise administrative tools


BusinessObjects Enterprise includes two key administrative tools that allow you to view and to modify a variety of server settings:

Central Management Console (CMC) The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.

Central Configuration Manager (CCM) The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network.

You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.

98

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Viewing and changing the status of servers

Related topics:

For an overview of the multi-tier architecture and the BusinessObjects Enterprise server components, see BusinessObjects Enterprise Architecture in the BusinessObjects Enterprise Administrators Guide. With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.

Viewing and changing the status of servers


The status of a server is its current state of operation: a server can be started, stopped, enabled, or disabled. To respond to BusinessObjects Enterprise requests, a server must be started and enabled. A server that is disabled is still running as a process; however, it is not accepting requests from the rest of BusinessObjects Enterprise. A server that is stopped is no longer running as a process. This section shows how to modify the status of servers by using the CMC and the CCM. It includes:

Starting, stopping, and restarting servers on page 99 Enabling and disabling servers on page 102 Stopping a Central Management Server on page 102 Printing, copying, and refreshing server status on page 104

Starting, stopping, and restarting servers


Starting, stopping, and restarting servers are common actions that you perform when you configure servers or take them offline for other reasons. For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes. The remainder of this section tells you when a certain configuration change requires that you first stop or restart the server. However, because these tasks appear frequently, the concepts and differences are explained first, and the general procedures are provided for reference.

BusinessObjects Enterprise Deployment and Configuration Guide

99

Managing and Configuring Servers Viewing and changing the status of servers

Action Stopping a server

Description

You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings. If you have stopped a server to configure it, you need Starting a server to start it to effect your changes and to have the server resume processing requests. Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server. Tip: When you stop (or restart) a server, you terminate the servers process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress. For details, see Enabling and disabling servers on page 102. To start, stop, or restart servers with CMC Note: You cannot use CMC to stop the CMS. You must use the CCM instead. See Stopping a Central Management Server on page 102 for more information. 1. Go to the Servers management area of the CMC. A list of servers appears. The icon associated with each server identifies its status:

Running is indicated by a server with a green arrow. Stopped is indicated by a server with a red arrow. Disabled is indicated by a server with a red circle.

In this example, the Page Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.

100

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Viewing and changing the status of servers

2. 3.

Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Start, Stop, or Restart. You may be prompted for network credentials that allow you to start and stop services running on the remote machine.

4. 1. 2. 3.

Click Refresh to update the page. To start, stop, or restart a Windows server with the CCM Start the CCM. Select the server that you want to start, stop, or restart. On the toolbar, click the appropriate button.

Toolbar Action Icon Start the selected server. Stop the selected server. Restart the selected server. You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message. The CCM performs the action and refreshes the list of servers.

BusinessObjects Enterprise Deployment and Configuration Guide

101

Managing and Configuring Servers Viewing and changing the status of servers

To start, stop, or restart a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.

Stopping a Central Management Server


If your BusinessObjects Enterprise installation has a single Central Management Server (CMS), shutting it down will make BusinessObjects Enterprise unavailable to your users and will interrupt the processing of reports and programs. Before stopping your CMS, you may wish to disable your processing servers so that they can finish any jobs in progress before BusinessObjects Enterprise shuts down. See Enabling and disabling servers on page 102 for more information. If you have a CMS cluster consisting of more than one active CMS, you can shut down a single CMS without losing data or affecting system functionality. The other CMS in the cluster will assume the workload of the stopped server. Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service. For more information on CMS clusters, see Clustering Central Management Servers on page 114.

Enabling and disabling servers


When you disable a BusinessObjects Enterprise server, you prevent it from receiving and responding to new BusinessObjects Enterprise requests, but you do not actually stop the server process. This is especially useful when you want to allow a server to finish processing all of its current requests before you stop it completely. For example, you may want to stop a Job Server before rebooting the machine it is running on. However, you want to allow the server to fulfill any outstanding report requests that are in its queue. First, you disable the Job Server so it cannot accept any additional requests. Next, go to the Central Management Console to monitor when the server completes the jobs it has in progress. (From the Servers management area, choose the server name and then the metrics tab). Then, once it has finished processing current requests, you can safely stop the server. Note: The CMS must be running in order for you to enable and/or disable other servers. 1. To enable and disable servers with CMC Go to the Servers management area of the CMC.

102

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Viewing and changing the status of servers

The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled.

2. 3. 1. 2. 3. 4.

Select the check box for the server whose status you want to change. Depending upon the action you need to perform, click Enable or Disable. To enable or disable a Windows server with the CCM Start the CCM. On the toolbar, click Enable/Disable. When prompted, log on to your CMS with the credentials that provide you with administrative privileges to BusinessObjects Enterprise. Click Connect. The Enable/Disable Servers dialog box appears.

This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.

BusinessObjects Enterprise Deployment and Configuration Guide

103

Managing and Configuring Servers Viewing and changing the status of servers

5. 6.

To disable a server, clear the check box in the Server Name column. Click OK to effect your changes and return to the CCM.

To enable or disable a UNIX server with the CCM Use the ccm.sh script. For reference, see ccm.sh on page 474.

Printing, copying, and refreshing server status


When using the CCM on Windows, you can print and copy the properties of a server, and refresh the list of servers. 1. 2. 3. 4. To print the status of a server Start the CCM. Select the server(s). Click Print. The Print dialog box appears. Click OK. A brief listing of the servers properties is printed, including the Display Name, Version, Command Line, Status, and other information. To copy the status of a server To save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else). 1. 2. 3. 4. Start the CCM. Select the server(s). Click Copy. Paste the information into a document for future reference. To refresh the list of servers To ensure you are looking at the latest information, click Refresh.

Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.

104

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Adding and deleting servers

Adding and deleting servers


This section shows how to add and delete servers from a machine that is already running BusinessObjects Enterprise components. It includes the following sections:

Adding a server on page 105 Deleting a server on page 107

Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide. Note: You can also add and delete servers from the Central Management Console. For more information, see the BusinessObjects Enterprise Administrators Guide.

Adding a server
These steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine. To add a Windows server Note: To complete this procedure, you must log on as an Administrator of the local machine. 1. 2. Start the CCM on the BusinessObjects Enterprise machine upon which you want to install a new server. On the toolbar, click Add Server. The Add Business Objects Server Wizard displays its Welcome dialog box. 3. Click Next.

BusinessObjects Enterprise Deployment and Configuration Guide

105

Managing and Configuring Servers Adding and deleting servers

The Server Type and Display Name Configuration dialog box appears

4. 5.

Click the Server Type list and select the kind of server you want to add. Change the default Display Name field if you want a different name to appear in the list of servers in the CCM. Note: The display name for each server on the local machine must be unique.

6.

Change the default Server Name field if required. Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC). Note: When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an Input. or Output. prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This Input. prefix is required by the system. If you subsequently modify the servers name through its command line, do not remove the prefix.

7.

Click Next. The Set Configuration for this server dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.

8.

Type the name of the CMS that you want the server to communicate with. If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#

9.

Click Next to accept any other default values, or modify them to suit your environment.

106

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Adding and deleting servers

Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each servers command line. For details, see Changing the default server port numbers on page 147. 10. Confirm that the summary information is correct; then click Finish. The new server appears in the list, but it is neither started nor enabled automatically. 11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see Viewing and changing the status of servers on page 99. Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See the BusinessObjects Enterprise Auditors Guide for more information. To add a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.

Deleting a server
1. 2. 3. 4. To delete a Windows server Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from. Stop the server that you want to delete from the system. With the server selected, click Delete Server on the toolbar. When prompted for confirmation, click Yes.

To delete a UNIX server Use the serverconfig.sh script. For reference, see serverconfig.sh on page 478.

BusinessObjects Enterprise Deployment and Configuration Guide

107

Managing and Configuring Servers Configuring the application tier

Configuring the application tier


This section includes technical information and procedures that show how you can modify settings for the application tier.

The majority of the settings discussed in this section allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see Working with Firewalls on page 157.

Configuring the Web Component Adapter


The WCA (Web Component Adapter) is a web application that provides support for the Central Management Console and CSP applications. It does not appear as a server in the Central Management Console or in the Central Configuration Manager. To configure the WCA, edit either of the following files, depending on whether you are running the system on a Java or .NET platform:

On a Java platform edit the web.xml file associated with the WCA. See Configuring the Java Web Component Adapter on page 109. On a .NET platform edit the web.config file associated with the WCA. See Configuring the .NET Web Component Adapter on page 113.

108

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the application tier

Configuring the Java Web Component Adapter


To configure the Java WCA you edit the web.xml file associated with the WCA:

Windows: C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications directory UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise115/java/applications directory

For example, the context parameter that controls whether a group tree will be generated looks like this:
<context-param> <param-name>viewrpt.groupTreeGenerate</param-name> <param-value>true</param-value> <desctiption>true or false value determining whether a group tree will be generated.</description> </context-param>

To change the value of a context parameter, edit the value between the <param-value> </param-value> tags. To configure web.xml Note: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml. 1. 2. 3. 4. Stop your application server. Extract the web.xml file from the webcompadapter.war archive. Edit the file by using a text editor such as Notepad or vi. Reinsert the file into the WEB-INF directory in webcompadapter.war. Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select Add to Zip File.... Adding the file in this way ensures that it is placed in the correct directory inside the archive. 5. Restart your application server. When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.

BusinessObjects Enterprise Deployment and Configuration Guide

109

Managing and Configuring Servers Configuring the application tier

Context Parameter display-name cspApplication.defaultPage

Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.

cspApplication.dir

connection.cms

connection.listeningPort log.file

log.ext log.isRolling log.size

log.level log.entryPattern

Changing the default session timeout value for the Java CMC
The default session timeout value is 20 minutes in the CMC. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. Stop the Web application server on the machine where webcompadapter.war is deployed.

110

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the application tier

3.

Extract the web.xml file from the directory where webcompadapter.war is deployed by running the following command:
jar -xvf webcompadapter.war WEB-INF/web.xml

4.

Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>

5. 6. 7.

Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the webcompadapter.war with the modified web.xml file. Use the following command:
jar -uvf webcompadapter.war WEB-INF/web.xml

8.

Restart you web application server and redeploy webcompadapter.war.

Changing the default session timeout value for the Java InfoView
The default session timeout value is 20 minutes in the InfoView. Use this procedure if you want to modify the default session timeout value. 1. To change the session timeout value for InfoView Verify that the Java SDK is installed and its location is in your PATH environment variable. If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH. 2. 3. Stop the Web application server on the machine where desktop.war is deployed. Extract the web.xml file from the directory where desktop.war is deployed or edit the deployed web.xml file.

To extract web.xml, issue the following command.


jar -xvf desktop.war WEB-INF/web.xml

Note: Instead of extracting the web.xml from the specified location, you can edit web.xml from the deployed location. If you installed Tomcat with your installation, you can find this file in this location:
C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\ desktoplaunch\WEB-INF

BusinessObjects Enterprise Deployment and Configuration Guide

111

Managing and Configuring Servers Configuring the application tier

4.

Open web.xml in a text editor like Notepad and search for the following section:
<session-config> <session-timeout>20</session-timeout> </session-config>

5. 6. 7.

Change the value between <session-timeout> to the number of minutes you require for the session to timeout. Save web.xml. Update the desktop.war with the modified web.xml file. Use the following command:
jar -uvf desktop.war WEB-INF/web.xml

Note: This step is not required if you did not extract the web.xml file. 8. Restart you web application server and redeploy desktop.war. Note: You dont need to redeploy desktop.war if you edited the web.xml file from the deployed location; restarting your web application server will suffice.

Changing the connect port used by Tomcat


During the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat. 1. 2. To change the Tomcat connect port Stop Tomcat server by selecting the server name and clicking on the stop button. Open the server.xml file for Tomcat in a text editor. On Windows, this file can normally be found in the following directory: C:\Program Files\Business Objects\Tomcat\conf 3. Locate the following string:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />

4. 5.

Change port 8080 to an available port number. Save and close the file.

112

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the application tier

Configuring the .NET Web Component Adapter


To configure the .NET WCA you edit the web.config file associated with the WCA. This file is located in the following directory:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\application

To configure web.config Note: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. 2. 3. Stop your application server. Edit the web.config file by using a text editor such as Notepad. Restart your application server. Description Equivalent to WCA name. The default page that will be loaded if no filename is specified in a particular request. This is the name (or name and port number) of the CMS that you would like your application(s) to connect to. This field defaults to the port that the WCA related servlets are running on. Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path File extension of logfile, defaults to .log Determines whether or not the logs will be rotated, defaults to true. If log rolling is turned on, this will govern the max size before logfile is rotated. Accepted suffix: MB, KB and GB. The default loglevel is error. Please refer to log4j documentation for accepted log entry patterns.

Parameter display-name cspApplication.defaultPage

connection.cms

connection.listeningPort log.file

log.ext log.isRolling log.size

log.level log.entryPattern

BusinessObjects Enterprise Deployment and Configuration Guide

113

Managing and Configuring Servers Configuring the intelligence tier

Configuring the intelligence tier


This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the intelligence tier.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the intelligence tier includes the following tasks:

Clustering Central Management Servers on page 114 Copying data from one CMS database to another on page 122 Deleting and recreating the CMS database on page 127 Selecting a new or existing CMS database on page 128 Setting root directories and idle times of the File Repository Servers on page 130 Modifying performance settings for Cache Servers and Event Servers on page 131

Clustering Central Management Servers


If you have a large or mission-critical implementation of BusinessObjects Enterprise, you will probably want to run several CMS machines together in a CMS cluster. A CMS cluster consists of two or more CMS servers working together to maintain the system database. If a machine that is running one CMS fails, a machine with another CMS will continue to service BusinessObjects Enterprise requests. This failover support helps to ensure that BusinessObjects Enterprise users can still access information when there is an equipment failure. This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS

114

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:

For best performance, the database server that you choose to host the system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected. For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU. Configure each machine similarly:

Install the same operating system, including the same version of operating system service packs and patches. Install the same version of BusinessObjects Enterprise (including patches, if applicable). Ensure that each CMS connects to the CMS database in the same manner: whether you use native or ODBC drivers. Make sure that the drivers are the same on each machine, and are a supported version. Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version. Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database. Run each CMS service/daemon under the same account. (On Windows, the default is the LocalSystem account.) Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).

Ensure that each and every CMS in a cluster is on the same Local Area Network.

BusinessObjects Enterprise Deployment and Configuration Guide

115

Managing and Configuring Servers Configuring the intelligence tier

If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs.

Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see Restart your application server. on page 119.

Adding a new CMS cluster member


There are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS:

Installing a new CMS and adding it to a cluster on page 116 See this section if you have not already installed the new CMS on its own machine. Adding an installed CMS to a cluster on page 117 Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.

Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.

Installing a new CMS and adding it to a cluster


When you install a new CMS, you can quickly cluster it with your existing CMS. Run the BusinessObjects Enterprise installation and setup program on the machine where you want to install the new CMS cluster member. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. In this case, specify the name of the CMS that is running your existing system, and choose to install a new CMS on the local machine. Then provide the

116

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster. For complete requirements for CMS added to a cluster, see Clustering Central Management Servers on page 114. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.

Adding an installed CMS to a cluster


In these steps, the independent CMS refers to the one that you want to add to a cluster. You will add the independent CMS to your production CMS cluster. By adding an independent CMS to a cluster, you disconnect the independent CMS from its own database and instruct it to share the system database that belongs to your production CMS. Before starting this procedure, ensure that you have a database user account with Create, Delete, and Update rights to the database storing the BusinessObjects Enterprise tables. Ensure also that you can connect to the database from the machine that is running the independent CMS (through your database client software or through ODBC, according to your configuration). Also ensure that the CMS you are adding to the cluster meets the requirements outlined in Clustering Central Management Servers on page 114. Note: Back up your current CMS database before beginning this procedure. If necessary, contact your database administrator. 1. 2. To add an installed CMS to a cluster on Windows Use the CCM to stop the independent Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar.

BusinessObjects Enterprise Deployment and Configuration Guide

117

Managing and Configuring Servers Configuring the intelligence tier

The CMS Database Setup dialog box appears.

3. 4.

Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the production CMS database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:

5. 6.

If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.

The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server.

To add an installed CMS to a cluster on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.

118

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

Adding clustered CMSs to the web.xml file


If you have added additional CMSs, and you are using a Java application server, you will need to modify the web.xml file with your changes. 1. To modify the web.xml to define CMS clusters Open the web.xml from the following location:
C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\ desktoplaunch\WEB-INF

2.

Locate the following section in the file:


<!-- EXAMPLE: <context-param> <param-name>cms.clusters</param-name>

3. 4.

Remove the comment tags from this section in the file. In the first param-value tag, list the names of each cms cluster. Begin each cluster name with a @ and separate each cluster name with a comma.

5.

In the second param-name tag, add the name of the first cms cluster. Note: Do not start the cluster name with a @.Each cluster name must be entered in the same case as in the previous step.

6.

In the second param-value tag, list the name of each CMS in that cluster and enter the port number for the CMS if required. Note: Separate each CMS name with a comma. The port number is separted from the CMS name with a colon; The port number is assumed to be 6400 unless it is specified. Note: Repeat the procedure for each CMS cluster you have.

7. 8.

Save your changes. Restart your application server.

Preparing to migrate a CMS database


Before migrating a CMS database, take the source and the destination environments offline by disabling and subsequently stopping all servers. Back up both CMS databases, and back up the root directories used by all Input and Output File Repository Servers. If necessary, contact your database or network administrator. Ensure that you have a database user account that has permission to read all data in the source database, and a database user account that has Create, Delete, and Update rights to the destination database. Also ensure also that

BusinessObjects Enterprise Deployment and Configuration Guide

119

Managing and Configuring Servers Configuring the intelligence tier

you can connect to both databasesthrough your database client software or through ODBC, according to your configurationfrom the CMS machine whose database you are replacing. Make a note of the license keys you purchased for the current version of BusinessObjects Enterprise. During migration, license keys that are present in the destination database are retained only if the source database contains no license keys that are valid for the current version of BusinessObjects Enterprise. License keys in the destination database are replaced with license keys from the source database when the source license keys are valid for the current version of BusinessObjects Enterprise. License keys from earlier versions of Crystal Enterprise are not copied. If you are copying CMS data from a different CMS database (version 8.0, 8.5, 9, or 10 of Crystal Enterprise or version XI of BusinessObjects Enterprise) into your current CMS database, your current CMS database is the destination database whose tables are deleted before they are replaced with the copied data. In this scenario, make note of the current root directories used by the Input and Output File Repository Servers in the source environment. The database migration does not actually move report files from one directory location to another. After you migrate the database, you will connect your new Input and Output File Repository Servers to the old root directories, thus making the report files available for the new system to process. Log on with an administrative account to the CMS machine whose database you want to replace. Complete the procedure that corresponds to the version of the source environment:

Copying data from one CMS database to another on page 122

If you are copying a CMS database from its current location to a different database server, your current CMS database is the source environment. Its contents are copied to the destination database, which is then established as the active database for the current CMS. This is the procedure to follow if you want to move the default CMS database on Windows from the local Microsoft Data Engine (MSDE) to a dedicated database server, such as Microsoft SQL Server, Informix, Oracle, DB2, or Sybase. Log on with an administrative account to the machine that is running the CMS whose database you want to move. Complete the following procedure:

Copying data from one CMS database to another on page 122 When you migrate a CMS database from an earlier version of Crystal Enterprise, the database and database schema are upgraded to the format required by the current version of BusinessObjects Enterprise.

Note:

120

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

When you copy data from one database to another, the destination database is initialized before the new data is copied in. That is, if your destination database does not contain the four BusinessObjects Enterprise XI system tables, these tables are created. If the destination database does contain BusinessObjects Enterprise XI system tables, the tables will be permanently deleted, new system tables will be created, and data from the source database will be copied into the new tables. Other tables in the database, including previous versions of Crystal Enterprise system tables, are unaffected.

Changing the name of a CMS cluster


By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. This procedure allows you to change the name of a cluster that is already installed and running. To change the cluster name, you need only stop one of the CMS cluster members. The remaining CMS cluster members are dynamically notified of the change. For optimal performance, after changing the name of the CMS cluster reconfigure each Business Objects server so that it registers with the CMS cluster, rather than with an individual CMS. 1. 2. 3. 4. 5. 6. To change the cluster name on Windows Use the CCM to stop any Central Management Server that is a member of the cluster. With the CMS selected, click Properties on the toolbar. Click the Configuration tab. Select the Change Cluster Name to check box. Type the new name for the cluster. Click OK and then start the Central Management Server. The CMS cluster name is now changed. All other CMS cluster members are dynamically notified of the new cluster name (although it may take several minutes for your changes to propagate across cluster members). 7. Go to the Servers management area of the CMC and check that all of your servers remain enabled. If necessary, enable any servers that have been disabled by your changes.

BusinessObjects Enterprise Deployment and Configuration Guide

121

Managing and Configuring Servers Configuring the intelligence tier

To change the cluster name on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477. 1. 2. 3. 4. To register servers with the CMS cluster on Windows Use the CCM to stop a Business Objects server. Select the server from the list, and then click Properties. Click the Configuration tab. In the CMS Name box, type the name of the cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE in the box. 5. Click OK, and then start the server. Repeat for each Business Objects server in your installation. To registers servers with the CMS cluster on UNIX Use ccm.sh to stop each server. Use a text editor such as vi to open the ccm.config file found in the root directory of your BusinessObjects Enterprise installation. Find the -ns command in the launch string for each server, and change the name of the CMS to the name of the CMS cluster. The name of the cluster begins with the @ symbol. For example, if the cluster name was changed to ENTERPRISE, type @ENTERPRISE. Do not include a port number with the cluster name. 4. Save the file, and then use ccm.sh to restart the servers.

1. 2. 3.

Copying data from one CMS database to another


BusinessObjects Enterprise enables you to copy the contents of one CMS database into another database. This procedure is also referred to as migrating a CMS database. You can migrate CMS data from a different CMS database (versions 8.5 through 10 of Crystal Enterprise and version XI of BusinessObjects Enterprise) into your current CMS database. Or, you can migrate the data from your current CMS database into a different data source. Throughout this section, the source CMS database refers to the database that holds the data you are copying; this data is copied into the destination database. The destination database is initialized before the new data is copied in, so any existing contents of the destination database are

122

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

permanently deleted (all BusinessObjects Enterprise tables are destroyed permanently and then recreated). Once the data has been copied, the destination database is established as the current database for the CMS. Note: Prior to BusinessObjects Enterprise XI, the CMS was known as Crystal Management Server, and also as the Automated Process Scheduler (APS). Tip: If you want to import users, groups, folders, and reports from one system to another, without deleting the contents of the current CMS database, see Using the Import Wizard in BusinessObjects Enterprise Administrators Guide. Depending on the platform of your system and the version of your CMS database, migrating a CMS database will include several of the following tasks:

Restart your application server. on page 119 Changing the name of a CMS cluster on page 121

When you finish copying data from the source database to the destination database, complete these steps before allowing users to access the system. When migrating from an older version of Crystal Enterprise, servers that existed in the source installation do not appear in the migrated install. This occurs because there cannot be a mix of old and new servers in a BusinessObjects Enterprise installation. Server groups from the old installation appear in the new system, but they will be empty. New servers are automatically detected and added to the servers list (outside of any group) in a disabled state. You must enable these servers before they can be used. You may add the new servers to the imported groups as appropriate. Reports that depend on a particular server group for scheduled processing will not execute until a job server is added to that group. Reports that depend on a particular server group for processing are not available until servers are added to that group. 1. To complete a CMS database migration on Windows If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran the CCM to carry out the migration. The CCM will notify you if you need to check the log file. The default logging directory is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Logging\

BusinessObjects Enterprise Deployment and Configuration Guide

123

Managing and Configuring Servers Configuring the intelligence tier

2.

If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:

Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option in both servers command lines to have them register with your new CMS.

3. 4. 5.

Use the Central Configuration Manager (CCM) to start the CMS on the local machine. Make sure your web application server is running. Log on to the CCM with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system.

6. 7. 8.

Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. In the CCM, start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are both started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.

9.

10. Return to the Central Configuration Manager. 11. If objects in your source database require updating, the Update Objects button on the toolbar will show a flashing red exclamation mark. Click Update Objects.

124

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

12. When prompted, log on to your CMS with credentials that provide you with administrative privileges to BusinessObjects Enterprise. The Update Objects dialog box tells you how many objects require updating. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. Because your Central Management Server was stopped when the migration occurred, you need to update the objects now. 13. If there are objects that require updating, click Update, otherwise click Cancel. 14. Start and enable the remaining BusinessObjects Enterprise servers. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully. 1. To complete a CMS database migration on UNIX If errors occurred during migration, a db_migration log file was created in the logging directory on the machine where you ran cmsdbsetup.sh to carry out the migration. The script will notify you if you need to check the log file. The default logging directory is:
BusinessObjects_root/logging

where BusinessObjects_root is the absolute path to the root Business Objects directory of your BusinessObjects Enterprise installation. 2. If you migrated CMS data from a different CMS database into your current CMS database, you need to make your old input and output directories available to the new Input and Output File Repository Servers. You can do this in several ways:

Copy the contents of the original input root directory into the root directory that the new Input File Repository Server is already configured to use. Then copy the contents of the original output directory into the root directory that the new Output File Repository is already configured to use. Reconfigure the new Input and Output File Repository Servers to use the old input and output root directories. If the old Input and Output File Repository Servers are running on a dedicated machine, you can run the BusinessObjects Enterprise setup program to upgrade the servers directly. Then you need not move the input and output directories. Instead, modify the -ns option

BusinessObjects Enterprise Deployment and Configuration Guide

125

Managing and Configuring Servers Configuring the intelligence tier

in both servers command lines to have them register with your new CMS. For more information, see Setting root directories and idle times of the File Repository Servers on page 130. 3. 4. 5. Use the ccm.sh script to start the CMS on the local machine. See ccm.sh on page 474 for more information. Ensure that the Java web application server that hosts your Web Component Adapter is running. Log on to the Central Management Console with the default Administrator account, using Enterprise authentication. Tip: If you just replaced your CMS database with data from an older system, keep in mind that you now need to provide the Administrator password that was valid in the older system. 6. 7. 8. Go to the Authorization management area and check that your BusinessObjects Enterprise license keys are entered correctly. Use the ccm.sh script to start and enable the Input File Repository Server and the Output File Repository Server. Go to the Servers management area of the Central Management Console and verify that the Input File Repository Server and the Output File Repository Server are started and enabled. Click the link to each File Repository Server and, on the Properties tab, check that the Root Directory points to the correct location.

9.

10. Run the ccm.sh script again. If you migrated a source database from an earlier version of BusinessObjects Enterprise, enter the following command:
./ccm.sh -updateobjects authentication info

See ccm.sh on page 474 for information on the authentication information required by ccm.sh. Objects typically require updating because their internal representation has changed in the new version of BusinessObjects Enterprise, or because the objects require new properties to support the additional features offered by BusinessObjects Enterprise XI. 11. Use ccm.sh to start and enable the remaining BusinessObjects Enterprise servers. 12. Verify that BusinessObjects Enterprise requests are handled correctly, and check that you can view and schedule reports successfully.

126

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

Deleting and recreating the CMS database


This procedure shows how to recreate (re-initialize) the current CMS database. By performing this task, you destroy all data that is already present in the database. This procedure is useful, for instance, if you have installed BusinessObjects Enterprise in a development environment for designing and testing your own, custom web applications. You can re-initialize the CMS database in your development environment every time you need to clear the system of all its data. When you recreate the CMS database with the CCM, your existing license keys should be retained in the database. However, if you need to enter license keys again, log on to the CMC with the default Administrator account (which will have been reset to have no password). Go to the Authorization management area and enter your information on the License Keys tab. Note: Remember that all data in your current CMS database will be destroyed if you follow this procedure. Consider backing up your current CMS database before beginning. If necessary, contact your database administrator. 1. 2. 3. 4. To recreate the CMS database on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar. In the CMS Database Setup dialog box, click Recreate the current Data Source. Click OK and, when prompted to confirm, click Yes. The SvcMgr dialog box notifies you when the CMS database setup is complete. 5. 6. Click OK. You are returned to the CCM. Start the Central Management Server. While it is starting, the CMS writes required system data to the newly emptied data source. You may need to click the Refresh button in the CCM to see that the CMS has successfully started. To recreate the CMS database on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.

BusinessObjects Enterprise Deployment and Configuration Guide

127

Managing and Configuring Servers Configuring the intelligence tier

Selecting a new or existing CMS database


Follow the procedure below if you want to disconnect a CMS from its current database and connect it to an alternate database. When you complete the steps in the procedure, none of the data in the current database is copied into the alternate database. If the alternate database is empty, the CCM initializes it by writing system data that is required by BusinessObjects Enterprise. If the alternate database already contains BusinessObjects Enterprise system data, the CMS uses that data when it starts. Generally, there are only a few times when you need to complete these steps:

If you have changed the password for the current CMS database, these steps allow you to disconnect from, and then reconnect to, the current database. When prompted, you can provide the CMS with the new password. If you want to select and initialize an empty database for BusinessObjects Enterprise, these steps allow you to select that new data source. If you have restored a CMS database from backup (using your standard database administration tools and procedures) in a way that renders the original database connection invalid, you will need to reconnect the CMS to the restored database. (This might occur, for instance, if you restored the original CMS database to a newly installed database server.)

Note: These steps are essentially the same as adding a CMS to an existing cluster. However, in this case, there are no other CMS machines already maintaining the database. For complete details about CMS clusters, see Clustering Central Management Servers on page 114. 1. 2. To select a new or existing database for a CMS on Windows Use the CCM to stop the Central Management Server. With the CMS selected, click Specify CMS Data Source on the toolbar.

128

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

The CMS Database Setup dialog box appears.

3. 4.

Click Select a Data Source; then click OK. In the Select Database Driver dialog box, specify whether you want to connect to the new database through ODBC, or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:

5. 6.

If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the CMS database; then click OK. (Click New to configure a new DSN.) When prompted, provide your database credentials and click OK. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.

The SvcMgr dialog box notifies you when the CMS database setup is complete. 7. 8. Click OK. Start the Central Management Server.

To select a new or existing database for a CMS on UNIX Use the cmsdbsetup.sh script. For reference, see cmsdbsetup.sh on page 477.

BusinessObjects Enterprise Deployment and Configuration Guide

129

Managing and Configuring Servers Configuring the intelligence tier

Setting root directories and idle times of the File Repository Servers
The Properties tabs of the Input and Output File Repository Servers enable you to change the locations of the default root directories. These root directories contain all of the report objects and instances on the system. You may change these settings if you want to use different directories after installing BusinessObjects Enterprise, or if you upgrade to a different drive (thus rendering the old directory paths invalid). Note:

The Input and Output File Repository Servers must not share the same root directory, because modifications to the files and subdirectories belonging to one server could have adverse effects on the other server. In other words, if the Input and Output File Repository Servers share the same root directory, then one server might damage files belonging to the other. If you run multiple File Repository Servers, all Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution. The root directory should be on a drive that is local to the server.

You can also set the maximum idle time of each File Repository Server. This setting limits the length of time that the server waits before it closes inactive connections. Before you change this setting, it is important to understand that setting a value too low can cause a user's request to be closed prematurely. Setting a value too high can cause excessive consumption of system resources such as processing time and disk space. 1. 2. To modify settings for a File Repository Server Go to the Servers management area of the CMC. Click the link to the File Repository Server you want to change. By default, the File Repository Servers are named Input and Output, respectively. If you run multiple instances of each server, their names should be prefixed with Input. and Output. as appropriate. 3. Make your changes on the Properties tab. In this example, the Input File Repository Server is set to use
D:\InputFRS\ as its root directory. The server will remain idle for a

maximum of 10 minutes.

130

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the intelligence tier

4.

Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

Modifying performance settings for Cache Servers and Event Servers


For information about changing performance settings for Cache Servers and Event Servers, see Modifying Cache Server performance settings on page 352 and Modifying the polling time of the Event Server on page 351.

BusinessObjects Enterprise Deployment and Configuration Guide

131

Managing and Configuring Servers Configuring the processing tier

Configuring the processing tier


This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the processing tier. The processing tier includes different job servers, Page Servers, Report Application Servers, and Web Intelligence Job Servers and Web Intelligence Report Servers.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements. Configuring the processing tier includes:

Modifying performance settings on page 132 Configuring the destinations for job servers on page 133 Configuring Windows processing servers for your data source on page 140 Configuring UNIX processing servers for your data source on page 141

Modifying performance settings


You can change performance settings for Job Servers, Desktop Intelligence Report Servers, Web Intelligence Report Servers, Report Application Servers, and Page Servers. For information about assessing your systems performance and using these configuration settings, see Improving Performance on page 337.

132

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

Configuring the destinations for job servers


By default, when the system runs a scheduled report or a program object, it stores the output instance it creates on the Output File Repository Server (FRS). However, you can specify a different destination. If you do, the system will store one output instance on the Output FRS, and one at the specified destination. You also specify a destination when you use the Send to feature, which sends an existing object to a specified destination. In order for the system to work with destinations other than the default, the destination must have been enabled and configured on the respective job server. For example, to be able to schedule a report object for output to an unmanaged disk, you have to enable and configure the Unmanaged Disk destination on the Job Server. To send a report instance by email, you have to configure the Email (SMTP) destination on the Destination Job Server. Configuring destinations for job servers includes:

Enabling or disabling destinations for job servers on page 133 Configuring the destination properties for job servers on page 134

For information about selecting destinations for objects see the BusinessObjects Enterprise Administrators Guide.

Enabling or disabling destinations for job servers


This procedure applies to the Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and Web Intelligence Job Server. For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also Configuring the destination properties for job servers on page 134. Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the Send to feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server. 1. 2. 3. To enable or disable destinations for a job server Go to the Servers management area of the CMC. Click the link for the job server for which you want to enable or disable a destination. Click the Destinations tab.

BusinessObjects Enterprise Deployment and Configuration Guide

133

Managing and Configuring Servers Configuring the processing tier

4. 5.

Select the check box for each destination you want to support. Click Enable. To disable destinations, click Disable. When a destination is disabled a red circle is shown beside the name.

6.

If you enabled the destination, you must also configure the destination. See Configuring the destination properties for job servers on page 134.

Configuring the destination properties for job servers


This procedure applies to the following servers:

Job Server Program Job Server Report Job Server Destination Job Server Web Intelligence Job Server Desktop Intelligence Job Server

For a job server to store output instances in a destination other than the default, you have to enable and configure the other destinations on the job servers. See also Enabling or disabling destinations for job servers on page 133. 1. 2. 3. 4. 5. To set the destination properties for a job server Go to the Servers management area of the CMC. Click the link for the job server whose setting you want to change. Click the Destinations tab. Click the link for the destination whose setting you want to set, for example, FTP. Set the properties for the destination. For information about the properties for each destination, see:


6. 7.

Inbox destination properties on page 135 Unmanaged Disk destination properties on page 139 FTP destination properties on page 138 Email (SMTP) destination properties on page 136

Click Update. Make sure the destination has been enabled. See Enabling or disabling destinations for job servers on page 133.

134

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

Inbox destination properties


The Inbox destination stores an object or instance in the user inboxes on the BusinessObjects Enterprise system. A user inbox is automatically created when you add a user. For more information, see Configuring the destination properties for job servers on page 134 and Setting rights in the BusinessObjects Enterprise Administrators Guide. Note: On the Destination Job Server, the Inbox destination is enabled by default. This allows you to use the Send to feature and to distribute reports to users within the BusinessObjects Enterprise system. If you want, you can enable and configure additional destinations on the Destination Job Server.

Send document as Select the option you want:

ShortcutThe system sends a shortcut to the specified destination. CopyThe system sends a copy of the instance, for example, the .rpt file, to the destination.

Send List Specify which users or user groups you want to receive instances from that have been generated or processed by the job server.

BusinessObjects Enterprise Deployment and Configuration Guide

135

Managing and Configuring Servers Configuring the processing tier

Email (SMTP) destination properties


In this example, the SMTP server resides in the businessobjects.com domain. Its name is EMAIL_SERV and it is listening on the standard SMTP port. Plain text authentication is being used, and an account called BusinessObjectsJobAccount has been created on the SMTP server for use by the Job Server.

See also Configuring the destination properties for job servers on page 134. Domain Name Enter the fully qualified domain of the SMTP server. Server Name Enter the name of the SMTP server. Port Enter the port that the SMTP server is listening on. (This standard SMTP port is 25.) Authentication Select Plain or Login if the job server must be authenticated using one of these methods in order to send email. SMTP User Name Provide the Job Server with a user name that has permission to send email and attachments through the SMTP server. SMTP Password Provide the Job Server with the password for the SMTP server. From Provide the return email address. Users can override this default when they schedule an object.

136

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

To, Cc, Subject, and Message Set the default values for users who schedule reports to this SMTP destination. Users can override these defaults when they schedule an object. Add viewer hyperlink to message body Click Add if you want to add the URL for the viewer in which you want the email recipient to view the report. You can set the default URL by clicking Object Settings on the main page of the Objects management area of the CMC. If you send a hyperlink, the email recipient must log on to BusinessObjects Enterprise to see the report.) Users can override this default when they schedule an object. Attach report instance to email message Clear this check box if you do not want to attach a copy of the report or program instance attached to the email. Users can override these defaults when they schedule an object. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file name. You can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list, and click Add. Add file extension Adds the .%EXT% extension to the specified filename. This is similar to selecting File Extension from the list and clicking Add. By adding an extension to the file name, Windows will know which program to use to open the file when users want to view the file.

BusinessObjects Enterprise Deployment and Configuration Guide

137

Managing and Configuring Servers Configuring the processing tier

FTP destination properties


In this example, reports scheduled to this destination are randomly named and uploaded to the ftp.businessobjects.com site.

See also Configuring the destination properties for job servers on page 134. Host Enter your FTP host information. Port Enter the FTP port number (the standard FTP port is 21). FTP User Name Specify a user who has the necessary rights to upload a report to the FTP server. FTP Password Enter the users password. Account Enter the FTP account information, if required. Account is part of the standard FTP protocol, but it is rarely implemented. Provide the appropriate account only if your FTP server requires it. Destination Directory Enter the FTP directory that you want the object to be saved to. A relative path is interpreted relative to the root directory on the FTP server.

138

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name. Specified File Name Select this option if you want to enter a file nameyou can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add.

Unmanaged Disk destination properties


An unmanaged disk is disk on a system outside the BusinessObjects Enterprise system. See also Configuring the destination properties for job servers on page 134.

Destination Directory Type the absolute path to the directory. The directory can be on a local drive of the Job Server machine, or on any other machine that you can specify with a UNC path. Default File Name (randomly generated) Select this option if you want BusinessObjects Enterprise to generate a random file name.

BusinessObjects Enterprise Deployment and Configuration Guide

139

Managing and Configuring Servers Configuring the processing tier

Specified File Name Select this option if you want to specify a file nameyou can also add a variable to the file name. To add a variable, choose a placeholder for a variable property from the list and click Add. When each instance runs, the variable is replaced with the appropriate information. For example, when you add the variable Owner, the file name of each object includes the object owners name. User Name Specify a user who has permission to write files to the destination directory. Password Type the password for the user. In this example, the destination directory is on a network drive that is accessible to the Job Server machine through a UNC path. Each file name will be randomly generated, and a user name and password have been specified to grant the Job Server permission to write files to the remote directory.

Configuring Windows processing servers for your data source


When started on Windows, the report processing servers by default log on to the local system as services with the Windows LocalSystem account. This account determines the permissions that each service is granted on the local machine. This account does not grant the service any network permissions. In the majority of cases, this account is irrelevant in relation to the servers task of processing reports against your data source. (The database logon credentials are stored with the report object.) Thus, you can usually leave each servers default logon account unchanged or, if you prefer, you can change it to a Windows user account with the appropriate permissions. However, there are certain cases when you must change the logon account used by the processing servers. These cases arise either because the server needs additional network permissions to access the database, or because the database client software is configured for a particular Windows user account. This table lists the various database/ driver combinations and shows when you must complete additional configuration. Tip: Running a service under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services.

140

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

For details on changing the user accounts, see Changing the server user account on page 152. For a complete list of supported databases and drivers, refer to the platform.txt file included with your installation.

Configuring UNIX processing servers for your data source


The Job Servers and Page Server support native and ODBC connections to a number of reporting databases. This section discusses the environment variables, software, and configuration files that must be available to the servers in order for them to process reports successfully. Whether your reports use native or ODBC drivers, ensure that the reporting environment configured on the server accurately reflects the reporting environment configured on the Windows machine that you use when designing reports with Crystal Reports. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.

Native drivers
If you design reports using native drivers, you must install the appropriate database client software on each Job Server and/or Page Server machine that will process the reports. The server loads the client software at runtime in order to access the database that is specified in the report. The server locates the client software by searching the library path environment variable that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), so this variable must be defined for the login environment of each Job Server and Page Server. Depending on your database, additional environment variables may be required for the Job Server and Page Server to use the client software. These include:

Oracle The ORACLE_HOME environment variable must define the top-level directory of the Oracle client installation. Sybase The SYBASE environment variable must define the top-level directory of the Sybase client installation. The SYBPLATFORM environment variable must define the platform architecture.

DB2 The DB2INSTANCE environment variable must define the DB2 instance that is used for database access. Use the DB2 instance initialization script to ensure that the DB2 environment is correct.

BusinessObjects Enterprise Deployment and Configuration Guide

141

Managing and Configuring Servers Configuring the processing tier

Note: For complete details regarding these and other required environment variables, see the documentation included with your database client software. As an example, suppose that you are running reports against both Sybase and Oracle. The Sybase database client is installed in /opt/sybase, and the Oracle client is installed in /opt/oracle/app/oracle/product/8.1.7. You installed BusinessObjects Enterprise under the crystal user account (as recommended in the BusinessObjects Enterprise Installation Guide). If the crystal users default shell is a C shell, add these commands to the crystal users login script:
setenv LD_LIBRARY_PATH /opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH setenv ORACLE_HOME /opt/oracle/app/oracle/product/8.1.7 setenv SYBASE /opt/sybase setenv SYBPLATFORM sun_svr4 If the crystal users default shell is a Bourne shell, modify the syntax

accordingly:
LD_LIBRARY_PATH=/opt/oracle/app/oracle/product/8.1.7/ lib:opt/sybase/lib:$LD_LIBRARY_PATH;export LD_LIBRARY_PATH ORACLE_HOME=/opt/oracle/app/oracle/product/8.1.7;export ORACLE_HOME SYBASE=/opt/sybase;export SYBASE SYBPLATFORM=sun_svr4;export SYBPLATFORM

ODBC drivers
If you design reports off ODBC data sources (on Windows), you must set up the corresponding data sources on the Job Server and Page Server machines. In addition, you must ensure that each server is set up properly for ODBC. During the installation, BusinessObjects Enterprise installs ODBC drivers for UNIX, creates configuration files and templates related to ODBC reporting, and sets up the required ODBC environment variables. This section discusses the installed environment, along with the information that you need to edit. Note: If you report off DB2 using ODBC, your database administrator must first bind the UNIX version of the driver to every database that you report against (and not just each database server). The bind packages are installed below the crystal/enterprise/platform/odbc/lib directory; their filenames are iscsso.bnd, iscswhso.bnd, isrrso.bnd, isrrwhso.bnd, isurso.bnd, and isurwhso.bnd. Because Crystal Reports runs on Windows, ensure that the Windows version of the driver has been bound to each database.

142

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

On UNIX, BusinessObjects Enterprise does not include the Informix client-dependent ODBC driver (CRinf16) that is installed on Windows. The UNIX version does, however, include the clientless ODBC driver for Informix connectivity.

ODBC environment variables


The environment variables related to ODBC reporting are: the library path that corresponds to your operating system (LD_LIBRARY_PATH on Sun Solaris, LIBPATH on IBM AIX, and so on), ODBC_HOME, and ODBCINI. The BusinessObjects Enterprise installation includes a file called env.csh that is sourced automatically every time you start the BusinessObjects Enterprise servers with the CCM. Thus, the environment for the Job Server and Page Server is set up automatically:

The INSTALL_ROOT/bobje/enterprise115/platform/odbc/lib directory of your installation is added to the library path environment variable. The ODBC_HOME environment variable is set to the INSTALL_ROOT/bobje/ enterprise115/platform/odbc directory of your installation. The ODBCINI environment variable is defined as the path to the .odbc.ini file that was created by the BusinessObjects Enterprise installation.

Modify the environment variables in the env.csh script only if you have customized your configuration of ODBC. The main ODBC configuration file that you need to modify is the system information file.

Working with the ODBC system information file


The system information file (.odbc.ini) is created in the HOME directory of the user account under which you installed BusinessObjects Enterprise (typically the crystal user account). In this file, you define each of the ODBC data sources (DSNs) that the Job Server and Page Server need in order to process your reports. The BusinessObjects Enterprise installation completes most of the required informationsuch as the location of the ODBC directory and the name and location of each installed ODBC driverand shows where you need to provide additional information. Tip: A template of the system information file is installed to INSTALL_ROOT/
bobje/defaultodbc.ini

The following example shows the contents of a system information file that defines a single ODBC DSN for servers running on UNIX. This DSN allows the Job Server and Page Server to process reports based on a System DSN (on Windows) called CRDB2:
[ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver

BusinessObjects Enterprise Deployment and Configuration Guide

143

Managing and Configuring Servers Configuring the processing tier

[CRDB2] Driver=/opt/bobje/enterprise115/platform/odbc/lib/crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database=myDB2server LogonID=username [ODBC] Trace=0 TraceFile=odbctrace.out TraceDll=/opt/bobje/enterprise115/platform/odbc/lib/ odbctrac.so InstallDir=/opt/bobje/enterprise115/platform/odbc

As shown in the example above, the system information file is structured in three major sections:

The first section, denoted by [ODBC Data Sources], lists all the DSNs that are defined later in the file. Each entry in this section is provided as dsn=driver, and there must be one entry for every DSN that is defined in the file. The value of dsn must correspond exactly to the name of the System DSN (on Windows) that the report was based off. The second section sequentially defines each DSN that is listed in the first section. The beginning of each definition is denoted by [dsn]. In the example above, [CRDB2] marks the beginning of the single DSN that is defined in the file. Each DSN is defined through a number of option=value pairs. The options that you must define depend upon the ODBC driver that you are using. These pairs essentially correspond to the Name=Data pairs that Windows stores for each System DSN in the registry:
\\HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\odbc.ini\dsn

However, the options for a particular ODBC driver on UNIX may not correspond by name to the options available for a Windows version of the same driver. For example, some Windows drivers store a UID value in the registry, and on UNIX you may need to specify this value with the LogonID option. The final section of the file, denoted by [ODBC], includes ODBC tracing information. You need not modify this section. When the installation creates the system information file, it completes some fields and sets up a number of default DSNsone for each of the installed ODBC drivers. The standard options that are commonly required for each driver are included in the file (Database=, LogonID=, and so on). Edit the file and provide the corresponding values that are specific to your reporting environment. This example shows the entire contents of a system information file created when BusinessObjects Enterprise was installed to the /usr/local directory.

144

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Configuring the processing tier

[ODBC Data Sources] CRDB2=MERANT 3.70 DB2 ODBC Driver CRINF_CL=MERANT 3.70 Informix Dynamic Server ODBC Driver CROR8=MERANT 3.70 Oracle8 ODBC Driver CRSS=MERANT 3.70 SQL Server ODBC Driver CRSYB=MERANT 3.70 Sybase ASE ODBC Driver CRTXT=MERANT 3.70 Text ODBC Driver [CRDB2] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crdb216.so Description=MERANT 3.70 DB2 ODBC Driver Database= LogonID= [CRINF_CL] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crifcl16.so Description=MERANT 3.70 Informix Dynamic Server ODBC Driver ServerName= HostName= PortNumber= Database= LogonID= [CROR8] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName= ProcedureRetResults=1 LogonID= [CRSS] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crmsss16.so Description=MERANT 3.70 SQL Server ODBC Driver Address= Database= QuotedId=Yes LogonID= [CRSYB] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crase16.so Description=MERANT 3.70 Sybase ASE ODBC Driver NetworkAddress= Database= LogonID= [CRTXT] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ crtxt16.so Description=MERANT 3.70 Text ODBC Driver Database=

BusinessObjects Enterprise Deployment and Configuration Guide

145

Managing and Configuring Servers Advanced server configuration options

[ODBC] Trace=0 TraceFile=odbctrace.out TraceDll=/usr/local/bobje/enterprise115/platform/odbc/lib/ odbctrac.so InstallDir=/usr/local/bobje/enterprise115/platform/odbc

Adding a DSN to the default ODBC system information file


When you need to add a new DSN to the installed system information file (.odbc.ini), first add the new DSN to the bottom of the [ODBC Data Sources] list. Then add the corresponding [dsn] definition just before the [ODBC] section. For example, suppose that you have a Crystal report that uses ODBC drivers to report off your Oracle8 database. The report is based off a System DSN (on Windows) called SalesDB. To create the corresponding DSN, first append this line to the [ODBC Data Sources] section of the system information file:
SalesDB=MERANT 3.70 Oracle8 ODBC Driver

Then define the new DSN by adding the following lines just before the system information files [ODBC] section:
[SalesDB] Driver=/usr/local/bobje/enterprise115/platform/odbc/lib/ cror816.so Description=MERANT 3.70 Oracle8 ODBC Driver ServerName=MyServer ProcedureRetResults=1 LogonID=MyUserName

Once you have added this information, the new DSN is available to the Job Server and Page Server, so they can process reports that are based off the SalesDB System DSN (on Windows).

Advanced server configuration options


This section includes additional configuration tasks that you may want to perform, depending upon your reporting environment. It includes:

Changing the default server port numbers on page 147 Configuring a multihomed machine on page 149 Adding and removing Windows server dependencies on page 150 Changing the server startup type on page 151 Changing the server user account on page 152 Configuring servers for SSL on page 152

146

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Advanced server configuration options

Changing the default server port numbers


During installation, the CMS is set up to use default port numbers. The default CMS port number is 6400. This ports fall within the range of ports reserved by Business Objects (6400 to 6410). Thus, BusinessObjects Enterprise communication on these ports should not conflict with third-party applications that you have in place. (Although unlikely, it is possible that your custom applications use these ports. If so, you can change the default CMS port.) The Web Component Adapter is not a server. However, you can configure its listening port by changing the connection.listeningPort context parameter in web.xml. See Configuring the Web Component Adapter on page 108. When started and enabled, each of the other BusinessObjects Enterprise servers dynamically binds to an available port (higher than 1024), registers with this port on the CMS, and then listens for BusinessObjects Enterprise requests. If necessary, you can instruct each server component to listen on a specific port (rather than dynamically selecting any available port). On Windows, you view and modify server command lines with the CCM. The Command field appears on each servers Properties tab. On UNIX, you view and modify server command lines (also referred to as launch strings) in the ccm.config file, which is installed in the bobje directory. This table summarizes the command-line options as they relate to port usage for specific server types. Option
-port

CMS Specifies the primary BusinessObjects Enterprise port on which the CMS listens for requests from all other servers. The default is 6400. port that the CMS uses for identifying other servers and for registering with itself and/or a cluster. Selected dynamically if unspecified. n/a

Other Servers Used only in multihomed environments or for certain NAT firewall environments. In both cases, specify -port interface only. (-port number has no meaning for these servers). Specifies the port on which the server listens for BusinessObjects Enterprise requests. The server registers this port with the CMS. Selected dynamically if unspecified. Specifies the CMS that the server will register with.

-requestPort Specifies the secondary

-ns

BusinessObjects Enterprise Deployment and Configuration Guide

147

Managing and Configuring Servers Advanced server configuration options

Before modifying any port numbers, consider the following:

CMS port number, you must change the -ns option in every other servers command line, to ensure that each server connects to the appropriate port of the CMS. (The -ns option stands for nameserver. The CMS functions as the nameserver in BusinessObjects Enterprise, because it maintains a list that includes the host name and port number of each server that is started, enabled, and thus available to accept BusinessObjects Enterprise requests.) You must also set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 108. If you are working with multihomed machines or in certain NAT firewall configurations, you may wish to specify -port interface:number for the CMS and -port interface for the other servers. For details, see Configuring a multihomed machine on page 149 or Configuring desktop products across a firewall on page 166. On Windows, the CCM displays default port numbers on each servers Configuration tab. This displayed port corresponds to the -port option. For servers other than the CMS, this default port is not actually in use (each server registers its -requestPort number with the CMS instead). To change the default CMS port for BusinessObjects Enterprise servers Use the CCM (on Windows) or ccm.sh (on UNIX) to stop all the BusinessObjects Enterprise servers. Add (or modify) the following option in the CMS command line:
-port number

1. 2.

Replace number with the port that you want the CMS to listen on. (The default port is 6400.) 3. Add (or modify) the following option in the command line of all of the remaining non-CMS BusinessObjects Enterprise servers:
-ns hostname:number

Replace hostname with the host name of the machine that is running the CMS. The host name must resolve to a valid IP address within your network. Replace number with the port that the CMS is listening on. 4. Start and enable all the BusinessObjects Enterprise servers. The CMS begins listening on the port specified by number, and the nonCMS servers broadcast to that port when attempting to register with the CMS. 5. Set the name and port number of the CMS with the connection.cms context parameter in web.xml. See Configuring the Web Component Adapter on page 108.

148

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Advanced server configuration options

1. 2.

To change the port a server registers with the CMS Use the CCM (on Windows) or ccm.sh (on UNIX) to stop the server. Add (or modify) the following option in the servers command line:
-requestPort number

Replace number with the port that you want the server to listen on. 3. Start and enable the server. The server binds to the new port specified by number. It then registers with the CMS and begins listening for BusinessObjects Enterprise requests on the new port. By default, each server registers itself with the CMS by IP address, rather than by name. This typically provides the most reliable behavior. If you need each server to register with the CMS by fully qualified domain name instead, use the -requestPort option in conjunction with -port interface (where interface is the servers fully qualified domain name). Having the servers register by name can be useful if a NAT firewall resides between the server and the CMS. For more information, see Configuring desktop products across a firewall on page 166. You may also need to specify -port interface when BusinessObjects Enterprise is running on a multihomed machine.

Configuring a multihomed machine


A multihomed machine is one that has multiple network addresses. You may accomplish this with multiple network interfaces, each with one or more IP addresses, or with a single network interface that has been assigned multiple IP addresses. If you have multiple interface cards, each with a single IP address, change the binding order so that the card at the top of the binding order is the one you want the BusinessObjects Enterprise servers to bind to. If your interface card has multiple IP addresses, use the -port command-line option to specify an IP address for the BusinessObjects Enterprise server. Tip: This section shows how to restrict all servers to the same network address, but it is possible to bind individual servers to different addresses. For instance, you might want to bind the File Repository Servers to a private address that is not routable from users machines. Advanced configurations such as this require your DNS configuration to route communications effectively between all the BusinessObjects Enterprise server components. In this example, the DNS must route communications from the other BusinessObjects Enterprise servers to the private address of the File Repository Servers.

BusinessObjects Enterprise Deployment and Configuration Guide

149

Managing and Configuring Servers Advanced server configuration options

Configuring the CMS to bind to a network address


When you use the -port command-line option to configure the CMS to bind to a specific IP address, you must also include the port number these servers use (even if the server is using the default port). Add the following option to both of their command lines:
-port interface:port

If the machine has multiple network interfaces, interface can be the fully qualified domain name or the IP address of the interface that you want the server to bind to. If the machine has a single network interface, interface must be the IP address that you want the server to bind to. Note:

To retain the default port numbers, replace port with 6400 for the CMS. If you change the default port numbers, you will need to make additional configuration changes. For details, see Changing the default server port numbers on page 147. To configure the WCA, use interface:port when setting the connection.listeningPort context parameter in web.xml. (See Configuring the Web Component Adapter on page 108.)

Configuring the remaining servers to bind to a network address


The remaining BusinessObjects Enterprise servers select their ports dynamically by default, so you need only add the following option to their command lines:
-port interface

Replace interface with the same value that you specified for the CMS. Ensure that each servers -ns parameter points to the CMS, and that the DNS resolves the value to the appropriate network address.

Adding and removing Windows server dependencies


When installed on Windows, each server in BusinessObjects Enterprise is dependent on at least three services: the Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC) services. If you are having problems with a server, check to ensure that all three services appear on the servers Dependency tab. 1. 2. 3. To add and remove server dependencies Use the CCM to stop the server whose dependencies you want to modify. With the server selected, click Properties on the toolbar. Click the Dependency tab.

150

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Advanced server configuration options

As shown here, at least three services should be listed: Event Log, NT LM Security Support Provider, and Remote Procedure Call (RPC).

4.

To add a dependency to the list, click Add. The Add Dependency dialog box provides you with a list of all available dependencies. Select the dependency or dependencies, as required, and then click Add.

5. 6. 7.

To remove a dependency from the list, select it and click Remove. Click OK. Restart the server.

Changing the server startup type


When installed on Windows, each server is configured to start automatically. As with other Windows services, there are three startup types:

Automatic starts the server each time the machine is started. Manual requires you to start the server before it will run. Disabled requires you to change the startup type to automatic or manual before it can run. To change the server startup type on Windows Start the CCM. Stop the server whose startup type you want to modify. With the server selected, click Properties on the toolbar.

1. 2. 3.

BusinessObjects Enterprise Deployment and Configuration Guide

151

Managing and Configuring Servers Advanced server configuration options

4. 5. 6.

Click the Startup Type list and select Automatic, Disabled, or Manual. Click OK. Restart the server.

To change the server startup type on UNIX On UNIX, this requires root privileges. For more information, see UNIX Tools on page 473.

Changing the server user account


If the incorrect user account is running on a server on Windows, change it in the Central Configuration Manager (CCM). Tip: The Program Job Server must be configured to use the Local System account, or a user account that has the rights Act as part of the operating system and Replace a process level token. 1. 2. 3. 4. To change a servers user account Use the CCM to stop the server. Click Properties. Clear the System Account check box. Enter the Windows user name and password information. When started, the server process will log on to the local machine with this user account. In addition, all reports processed by this server will be formatted using the printer settings associated with the user account that you enter. 5. 6. Click Apply, and then click OK. Start the server.

Configuring servers for SSL


You can use the Secure Sockets Layer (SSL) protocol for all network communication between clients and servers in your BusinessObjects Enterprise deployment. To set up SSL for all server communication you need to perform the following steps:

Deploy BusinessObjects Enterprise with SSL enabled. Create key and certificate files for each machine in your deployment. Configure the location of these files in the Central Configuration Manager (CCM) and your web application server.

152

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Advanced server configuration options

Note: If you are using thick clients, such as Crystal Reports or Designer you will also need to configure these for SSL if you will be connecting to the CMS from these thick client. Otherwise, you will get errors when you attempt to connect to a CMS that has been configured for SSL from a thick client that has not been configured the same way.

Creating key and certificate files


To set up SSL protocol for your server communication, use the SSLC command line tool to create a key file and a certificate file for each machine in your deployment. Note:

You need to create certificates and keys for all machines in the deployment, including machines running thick client components such as Crystal Reports. For these client machines, use the sslconfig command line tool to do the configuration. For maximum security, all private keys should be protected and should not be transferred through unsecured communication channels. For more information about using the SSLC command line tool, consult the SSLC documentation. To create key and certificate files for a machine Run the SSLC.exe command line tool. The SSLC tool is installed with your BusinessObjects Enterprise software. (On Windows, for example, it is installed by default in
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86.)

1.

2.

Type the following command:


sslc req -config sslc.cnf -new -out cacert.req

This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem). 3. To decrypt the private key, type the following command:
sslc rsa -in privkey.pem -out cakey.pem

This command creates the decrypted key, cakey.pem. 4. To sign the CA certificate, type the following command:
sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365

This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs.

BusinessObjects Enterprise Deployment and Configuration Guide

153

Managing and Configuring Servers Advanced server configuration options

5.

Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file.

Place the cakey.pem and cacert.pem files in the directories specified by sslc.cnf file's certificate and private_key options. By default, the settings in the sslc.cnf file are:
certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem

Create a file with the name specified by the sslc.cnf file's database setting. Note: By default, this file is $dir/index.txt. The file can be empty.

Create a file with the name specified by the sslc.cnf file's serial setting. Ensure that this file provides an octet-string serial number (in hexadecimal format). Note: To ensure that you can create and sign more certificates, choose a large hexadecimal number with an even number of digits, such as 11111111111111111111111111111111.)

6.

Create the directory specified by the sslc.cnf file's new_certs_dir setting.

To create a certificate request and a private key, type the following command:
sslc req -config sslc.cnf -new -out servercert.req

The certificate and key files generated are placed under the current working folder. 7. 8. Make a copy of the private key.
copy privkey.pem server.key

To sign the certificate with the CA certificate, type the following command:
sslc ca -config sslc.cnf -days 365 -out servercert.pem in servercert.req

This command creates the servercert.pem file, which contains the signed certificate. 9. Use the following commands to convert the certificates to DER encoded certificates:

154

BusinessObjects Enterprise Deployment and Configuration Guide

Managing and Configuring Servers Advanced server configuration options

sslc x509 -in cacert.pem -out cacert.der -outform DER sslc x509 -in servercert.pem -out servercert.der -outform DER

Note: The CA certificate (cacert.der) and its corresponding private key (cakey.pem) need to be generated only once per deployment. All machines in the same deployment must share the same CA certificates. All other certificates need to be signed by the private key of any of the CA certificates. 10. Create a text file for storing the plain text passphrase used for decrypting the generated private key. 11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment:

the trusted certificate file (cacert.der) the generated server certificate file (servercert.der) the server key file (server.key) the passphrase file

This location will be used to configure SSL for the CCM and your web application server.

Configuring the SSL protocol


After you create keys and certificates for each machine in your deployment, and store them in a secure location, you need to provide the Central Configuration Manager (CCM) and your web application server with the secure location. 1. 2. 3. To configure the SSL protocol in the CCM In the CCM, right-click a server and choose Properties. In the Properties dialog box, click the Protocol tab. Provide the file path for the directory where you stored the key and certificate files. Note: Make sure you provide the directory for the machine that the server is running on. 4. 1. Repeat steps 1 to 3 for all servers. To configure the SSL protocol for the web application server If you have a J2EE web application server, run the Java SDK with the following system properties set. For example:

BusinessObjects Enterprise Deployment and Configuration Guide

155

Managing and Configuring Servers Advanced server configuration options

-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=d:\ssl DtrustedCert=cacert.der -DsslCert=clientcert.der DsslKey=client.key -Dpassphrase=passphrase.txt

The following table shows the descriptions that correspond to these examples: Example
DcertDir=d:\ssl DtrustedCert=cacert.der

Description The directory to store all the certificates and keys. Trusted certificate file. If specifying more than one, separate with semicolons. Certificate used by the SDK. Private key of the SDK certificate. The file that stores the passphrase for the private key.

DsslCert=clientcert.der DsslKey=client.key Dpassphrase=passphrase.txt

2.

If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps.

156

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls

chapter

Working with Firewalls Firewalls overview

Firewalls overview
BusinessObjects Enterprise works with firewall systems to provide reporting across intranets and the Internet without compromising network security. This section provides general information about what a firewall is and types of firewalls:

What is a firewall? on page 158 Firewall types on page 159

If you are already familiar with firewalls and the configuration used in your network, proceed directly to Understanding firewall integration on page 162.

What is a firewall?
A firewall is a security system that protects one or more computers from unauthorized network access. A firewall restricts people to entering and leaving your network at a carefully controlled point. It also prevents attackers from getting close to your other defenses. Typically, a firewall protects a companys intranet from being improperly accessed through the Internet. A firewall can enforce a security policy, log Internet activity, and be a focus for security decisions. A firewall cant protect against malicious insiders or connections that dont go through it. A firewall also cant set itself up correctly or protect against completely new threats. To help explain how firewalls work, some basic networking terms are described here:

TCP/IP and packets on page 158 Ports on page 159

If you are already familiar with these topics see Understanding firewall integration on page 162.

TCP/IP and packets


TCP/IP (Transmission Control Protocol/Internet Protocol) is the communications protocol used on the Internet. The units of data transmitted through a TCP/IP network are called packets. Packets are typically too small to contain all the data that is sent at any one time, so multiple packets are required, each containing a portion of the overall data. When data is sent by TCP/IP, the packets are constructed such that a layer for each protocol is wrapped around each packet. Typically, TCP/IP packets have the following layers:

Application layer (for example, FTP, telnet, and HTTP).

158

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Firewalls overview

Transport layer (TCP or UDP). Internet layer (IP). Network Access layer (for example, ethernet and ATM).

At the application layer, the packet consists simply of the data to be transferred. As the packet moves through the layers, each layer adds a header to the packet, preserving the data from the previous level. These headers are used to determine the packets destination and to ensure that it arrives intact. When the packet reaches its destination, the process is reversed: the layers are sequentially removed until the transferred data is available to the destination application.

Ports
Ports are logical connection points that a computer uses to send and receive packets. With TCP/IP, ports allow a client program to specify a particular server program on a computer in a network. High-level applications that use TCP/IP have ports with pre-assigned numbers. For instance, when you visit a typical HTTP site over the Web, you communicate with the web server on port 80, which is the pre-assigned port for HTTP communication. Other application processes are given port numbers dynamically for each connection. When a service or daemon initially is started, it binds to its designated port number. When any client program wants to use that server, it must also request to bind to the designated port number. Valid port numbers range from 0 to 65536, but ports 0 to 1024 are reserved for use by certain privileged services.

Firewall types
Firewalls primarily function using at least one of the following methods:

Packet filtering on page 160 Network Address Translation on page 160 SOCKS proxy servers on page 161

BusinessObjects Enterprise works with these firewall types. Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method.

BusinessObjects Enterprise Deployment and Configuration Guide

159

Working with Firewalls Firewalls overview

Packet filtering
Packet filtering rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services. Packet filtering can reject packets based on the following:

The address the data is coming from. The address the data is going to. The session and application ports being used to transfer the data. The data contained within the packet. Stateful packet filters remember the state of connections at the network and session layers by recording the established session information that passes through the filter gateway. The filter then uses that information to discriminate valid return packets from invalid connection attempts. Stateless packet filters do not retain information about connections in use; instead, they make determinations packet-by-packet based only on the information contained within the packet. Firewalls that employ packet filtering will work with BusinessObjects Enterprise.

Typically there are two types of packet filtering:

Network Address Translation


Network Address Translation (NAT) converts private IP addresses in a private network to globally unique, public IP addresses for use external to that network. NAT is also called IP masquerading. The main purpose of NAT is to hide internal hosts. As outgoing packets are routed through the firewall, NAT hides internal hosts by converting their IP addresses to an external address. Once the translation is complete, the firewall sends the data payload on to its original destination; thus, NAT makes it appear that all traffic from your site comes from one (or more) external IP addresses. The firewall maintains a translation table to keep track of the address conversions that it has performed. When an incoming response arrives at the firewall, the firewall uses this translation table to determine which internal host should receive the response. Because this type of firewall essentially sends and receives data on behalf of internal hosts, NAT can also be described as a simple proxy.

160

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Firewalls overview

There are two basic types of NAT:

Static translation (port forwarding) grants a specific internal host a fixed translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service. Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address. Note: Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection.

BusinessObjects Enterprise and static translation NAT can be configured so that they work together.

SOCKS proxy servers


Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method. SOCKS is a networking protocol that enables computers on one side of a SOCKS server to access computers on the other side of a SOCKS server without requiring a direct IP connection. A SOCKS server redirects connection requests from computers on one side of it to computers on the other side of it. A SOCKS server typically authenticates and authorizes requests, establishes a proxy connection, and relays data between the internal and external networks. BusinessObjects Enterprise supports and works with SOCKS servers. SOCKS servers work by listening for service requests from internal clients. When an external request is made, the SOCKS server sends the requests to the internal network as if the SOCKS server itself was the originating client. When the SOCKS server receives a response from the internal server, it returns that response to the original client as if it were the originating external server. This effectively hides the identity and the number of clients on the internal network from examination by anyone on the external network.

BusinessObjects Enterprise Deployment and Configuration Guide

161

Working with Firewalls Understanding firewall integration

Understanding firewall integration


This section gives a conceptual overview of internal communications between BusinessObjects Enterprise servers and the implications for firewall configuration. It also reviews the most common firewall scenarios. It includes:

Communication between servers on page 162 Typical firewall scenarios on page 164 Firewall configuration overview on page 164

For detailed step-by-step instructions on how to configure your system to work in a firewalled environment, see Configuring the system for firewalls on page 166.

Communication between servers


It is helpful to understand the basics of internal communications between BusinessObjects Enterprise servers before configuring your BusinessObjects Enterprise system to work with firewalls. BusinessObjects Enterprise connections include:

Communication between servers and the CMS directory listing service on page 162 Communication between the application tier and CMS on page 163

Some examples also apply to communications between a BusinessObjects Enterprise server and the BusinessObjects Enterprise SDK (or other BusinessObjects Enterprise SDKs, such as the Report Application Server SDK or the Viewer SDK). Where applicable, these examples are indicated in the descriptions.

Communication between servers and the CMS directory listing service


The Central Management Server (CMS) manages a directory listing service for the application server and the servers in the Intelligence tier and the Processing tier. See BusinessObjects Enterprise Architecture on page 29 for a listing of these servers. When a BusinessObjects Enterprise server first connects to the BusinessObjects Enterprise framework, it registers its IP address and port number with the CMS. By default this port number is dynamically chosen. When one BusinessObjects Enterprise server needs to communicate with another, it contacts the directory listing service on the CMS to obtain the connection information. The first server then uses this information to communicate directly with the second server.

162

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Understanding firewall integration

For example, before running a scheduled report, the Job Server must communicate with the Input File Repository Server (FRS) to obtain the report object. To do so: 1. 2. 3. The Job Server contacts the CMS and requests connection information for the Input FRS. The CMS replies to the Job Server with the IP address and port number of the Input FRS. The Job Server uses this information to connect directly to the Input FRS. All subsequent communications between the two servers continues using the same address and port. This communication model is also used when a BusinessObjects Enterprise SDK or the WCA communicates directly with a server in the Intelligence tier or the Processing tier. Communications between the CMS and the BusinessObjects Enterprise SDK and WCA follow another model. See Communication between the application tier and CMS on page 163. Using the -requestport command, you can configure any BusinessObjects Enterprise server to register a fixed port number with the CMS, rather than using one that is dynamically selected.

Note:

Communication between the application tier and CMS


Not all BusinessObjects Enterprise components use the directory listing service on the CMS to make their initial connections with other elements of BusinessObjects Enterprise. The WSA contacts the CMS using a pre-defined address and port number. The CMS replies with its address and a second port number, which by default is selected dynamically. Subsequent communications continue using this address and second port number. You can use the -requestport command to configure the CMS to reply with a fixed port number for subsequent communications, rather than one that is dynamically selected. Using the -port option, you can also customize the CMS to listen on a specific port for initial communications, rather than using the pre-defined default value (port 6400 for the CMS). Note:

Before changing the default port numbers, see Changing the default server port numbers on page 147 for additional configuration information.

BusinessObjects Enterprise Deployment and Configuration Guide

163

Working with Firewalls Understanding firewall integration

You may also change the default port that the CMS uses to listen for initial communications from the Configuration tab of the Properties dialog in the Central Configuration Manager.

Firewall configuration overview


By default BusinessObjects Enterprise uses dynamically chosen port numbers for communications between components. You must change this default when you place a stateful firewall that uses packet filtering or Network Address Translation (NAT) between BusinessObjects Enterprise components because these firewalls provide protection by permitting communications from outside the firewall with only specified addresses and ports inside the firewall. To enable BusinessObjects Enterprise to communicate across such a firewall, you must: 1. 2. Configure its components to use fixed addresses and ports. Configure your firewall to allow communications to the services behind the firewall using these addresses and ports.

The process is similar when you configure your BusinessObjects Enterprise system to communicate across SOCKS proxy filters. But BusinessObjects Enterprise provides direct support for SOCKS proxy filters, so you need only configure each component to be aware of the location and type of the proxies that they communicate with. Note: When this section mentions firewalling different BusinessObjects Enterprise components, it assumes that the components reside on separate computers. If the components reside on the same computer, their communication is uninterrupted by firewalls, and no additional configuration is required.

Typical firewall scenarios


If all users of your BusinessObjects Enterprise system are on your internal network, there is no need to perform any special configuration of your firewalls or of BusinessObjects Enterprise. Simply place all BusinessObjects Enterprise components on computers inside your firewall. However, if you need to provide access to BusinessObjects Enterprise to external users, you must consider where to place each BusinessObjects Enterprise component, and how to configure both BusinessObjects Enterprise and your firewalls in order to provide this access. This section outlines the following common firewall scenarios:

164

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Understanding firewall integration

Application tier separated from the CMS by a firewall on page 165 Thick client separated from the CMS by a firewall on page 165

These scenarios are general cases: once you understand the firewalling issues involved, you should be able to support BusinessObjects Enterprise in wide variety of contexts.

Application tier separated from the CMS by a firewall


In most cases, clients access protected information through a web server running in a Demilitarized Zone (DMZ). A DMZ is a network area that is neither part of the internal network nor directly part of the Internet. Typically, the DMZ is set up between two firewalls: an outer firewall and an inner firewall. You may chose to place your application server in the DMZ, while placing the CMS and all other BusinessObjects Enterprise servers on the internal network. BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. Note: Placing your application server in the DMZ is less secure than placing it on your internal network. For maximum security, you may prefer to place your BusinessObjects Enterprise application server on your internal network. For more information, see:

Configuring NAT when application tier is separated from the CMS on page 168 Configuring packet filtering when application tier is separated from CMS on page 172 Configuring for SOCKS servers on page 175

Thick client separated from the CMS by a firewall


You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import Wizard or Publishing Wizard. However, the thick clients communicate directly with the CMS. This means that if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails. You must configure your CMS, your File Repository Servers, and your firewall if you want to support this network configuration. For more information, see:

Configuring NAT when thick client is separated from the CMS on page 171

BusinessObjects Enterprise Deployment and Configuration Guide

165

Working with Firewalls Configuring the system for firewalls

Configuring packet filtering when thick client is separated from the CMS on page 174

Configuring the system for firewalls


This section gives practical step-by-step instructions for configuring your BusinessObjects Enterprise system to work in a firewalled environment. It includes:

Configuring desktop products across a firewall on page 166 Configuring for Network Address Translation on page 167 Configuring for packet filtering on page 172 Configuring for SOCKS servers on page 175

For a conceptual overview of communications between BusinessObjects Enterprise components and of supported firewall configurations, see Understanding firewall integration on page 162. Note: If you have multiple BusinessObjects Enterprise servers of a given type, the overall procedure for configuring your system to work with firewalls will not change. Configure each server as described in the section that describes your firewall environment, and then specify a firewall rule for the server.

You can use different ports than in the previous examples. However, it is not recommended you use port 6400 except as is shown in the example since port 6400 is the default port number for the CMS.

Configuring desktop products across a firewall


This section explains how to configure desktop products such as Desktop Intelligence and Designer across a firewall. 1. 2. 3. 4. 5. To specify the request ports for BusinessObjects Enterprise Go to the CCM and stop the CMS. Right-click on the CMS, and then select Properties. Add the following entry at the end of the command field:
-port <FQDN>:6400 -requestport 6401

Click OK, and then restart the CMS. Repeat steps 1 through 4 for the Input FRS but add this entry to the Command field:
-port <FQDN> -requestport 6402

166

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

6.

Repeat steps 1 through 4 for the Output FRS but add this entry to the Command field:
-port <FQDN> -requestport 6403

Note:

Replace FQDN with the fully qualified domain name of the server running your BusinessObjects Enterprise servers. You can use different ports than in the previous examples. However, it is not recommended you use port 6400 except as is shown in the example since port 6400 is the default port number for the CMS. To make the required changes on the firewall Go to the area where you specify ports in your firewall software. Note: Consult your specific firewall documentation for details. Open the following TCP BI-Directional ports between the server running your BusinessObjects Enterprise servers and the desktop:

1. 2.


3.

6400 6401 6402 6403

Save your changes.

Configuring for Network Address Translation


If you use Network Address Translation (NAT) only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using NAT, you need to configure these components to communicate properly through the firewall. Note: You can configure BusinessObjects Enterprise to communicate properly across NAT firewalls that use static IP translation; however, BusinessObjects Enterprise cannot communicate across a firewall whose IP translation is dynamic. Depending on your system configuring, configuring for Network Address Translation can include one or both of the following tasks:

Configuring NAT when application tier is separated from the CMS on page 168 Configuring NAT when thick client is separated from the CMS on page 171

BusinessObjects Enterprise Deployment and Configuration Guide

167

Working with Firewalls Configuring the system for firewalls

Configuring NAT when application tier is separated from the CMS


If the application server is separated from the CMS and other BusinessObjects Enterprise servers by NAT, you must ensure that whenever a BusinessObjects Enterprise server passes an address across the firewall to the application server, it passes a fully qualified domain name (FQDN) that is routable by the firewall.

Ports
The application server must be able to communicate with every BusinessObjects Enterprise server behind the firewall. Therefore, you must open a port on the firewall for each server. The application server must be a supported Java application server or IIS. Configuring BusinessObjects Enterprise for Network Address Translation when the application tier is separated from the CMS by a firewall includes:

Configuring the BusinessObjects Enterprise servers on page 168 Configuring the hosts files on page 169 Specifying firewall rules for NAT on page 170

Configuring the BusinessObjects Enterprise servers


The procedure for configuring the BusinessObjects Enterprise servers varies for Windows and UNIX.


1. 2. 3. 4.

To configure BusinessObjects Enterprise servers on Windows on page 168 To configure BusinessObjects Enterprise servers on UNIX on page 169 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the server. On the toolbar, click Properties. In the Command box, add the following option: -port FQDN -requestport
portnum

For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 5. 6. Click OK to return to the CCM. Start the server.

168

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

7. 1.

Repeat for each BusinessObjects Enterprise server behind the firewall. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the Business Objects install directory, for example /INSTALLDIR/bobje.

2. 3.

Stop the server. Edit the ccm.config file to insert the following command line: -port FQDN -requestport
portnum

For the -port command, replace FQDN with the fully qualified domain name of the machine that is running the server. This machine must be routable from the application server. For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server behind the firewall.

Configuring the hosts files


On each machine running a BusinessObjects Enterprise server, you must configure the hosts file so that the server can map the FQDN it receives from the Central Management Server (CMS) to an internally routable IP address. This is necessary to enable communication between servers inside the firewall. The procedure for configuring the hosts file is different for Windows and UNIX. See:


1. 2.

To configure the hosts files on Windows on page 169 To configure the hosts files on UNIX on page 170 To configure the hosts files on Windows Open the hosts file using a text editor like Notepad. The hosts file is located at \WINNT\system32\drivers\etc\hosts. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Use the internally routable IP address of the machine and its externally routable fully qualified domain name. Save the hosts file.

3.

BusinessObjects Enterprise Deployment and Configuration Guide

169

Working with Firewalls Configuring the system for firewalls

To configure the hosts files on UNIX Note: Your UNIX operating system must be configured to first consult the hosts file to resolve domain names, before consulting DNS. Consult your UNIX systems documentation for details. 1. 2. Open the hosts file using an editor like vi. The hosts file is located in the following directory \etc Add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server. Use the translated IP address of the machine and its fully qualified domain name. Save the hosts file. On the firewall machine, add a route from the translated IP address to the actual internal IP address:
route add translatedIPaddress actualIPaddress
actualIPaddress

3. 4.

Where translatedIPDaddress is the actual translated IP address, and is the actual internal IP address for the a server.

Specifying firewall rules for NAT


When there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers, you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise servers For details of how to specify these rules, consult your firewall documentation. For details about the rules see:

Inbound Rules on page 170 Outbound Rules on page 171

The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See Configuring the BusinessObjects Enterprise servers on page 168 for details. Inbound Rules Source Computer Application server Application server Application server Port Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server 6400 fixed fixed Action Allow Allow Allow

170

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

Source Computer Any Any

Port Any Any

Destination Computer Port CMS Other BusinessObjects Enterprise Server Any Any

Action Reject Reject

Note: There must be one inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow

This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.

Configuring NAT when thick client is separated from the CMS


You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the Central Management Server (CMS), this operation fails. Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses Network Address Translation (NAT) is very similar to configuring your system to support a NAT firewall between the application tier and the Central Management Server. For full instructions, follow the detailed steps in Configuring NAT when application tier is separated from the CMS on page 168 but:

Configure only the Central Management Server and the Input File Repository Server. Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.

BusinessObjects Enterprise Deployment and Configuration Guide

171

Working with Firewalls Configuring the system for firewalls

Configuring for packet filtering


If you use packet filtering only on the outer firewall of the DMZ, then no special configuration is required for BusinessObjects Enterprise to communicate properly. However, if you separate BusinessObjects Enterprise components using packet filtering, you need to configure them to communicate properly through the firewall. This section includes:

Configuring packet filtering when application tier is separated from CMS on page 172 Configuring packet filtering when thick client is separated from the CMS on page 174.

Configuring packet filtering when application tier is separated from CMS


If your firewall performs packet filtering, you must configure the CMS and every BusinessObjects Enterprise server inside the inner firewall to respond to communications from the application server on a fixed port. This includes:

Configuring the BusinessObjects Enterprise servers on page 172 Specifying firewall rules for packet filtering on page 173

Configuring the BusinessObjects Enterprise servers


The procedure for configuring the BusinessObjects Enterprise servers varies for Windows and UNIX. See:


1. 2. 3. 4.

To configure BusinessObjects Enterprise servers on Windows on page 172 To configure BusinessObjects Enterprise servers on UNIX on page 173 To configure BusinessObjects Enterprise servers on Windows Start the CCM. Stop the first server. On the toolbar, click Properties. In the Command box, add the following option:
-requestport portnum

For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.

172

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port cmsport to the command line, where cmsport is the new port number for the default value of 6400. For example:
-port cmsport -requestport portnum

If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 147. 5. 6. 7. 1. Click OK to return to the CCM. Start the server. Repeat for each BusinessObjects Enterprise server behind the firewall. To configure BusinessObjects Enterprise servers on UNIX Run ccm.sh. By default the script and the ccm.config file are installed in the BusinessObjects install directory, for example /export/home/ businessobjects. 2. 3. Stop the server. Edit the ccm.config file to insert the following command line:
-requestport portnum

For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number. Tip: If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400. If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers on page 147. 4. 5. Use ccm.sh to start the server. Repeat for each BusinessObjects Enterprise server.

Specifying firewall rules for packet filtering


When there is a firewall between the application server and the rest of the BusinessObjects Enterprise servers you need to specify the inbound access rules and one outbound rule. The outbound rule is needed because the application server may register listeners with any of the BusinessObjects Enterprise servers.

BusinessObjects Enterprise Deployment and Configuration Guide

173

Working with Firewalls Configuring the system for firewalls

For details of how to specify these rules, consult your firewall documentation. For details about the rules see:

Inbound Rules on page 174 Outbound Rules on page 174

The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other BusinessObjects Enterprise servers using requestport. Inbound Rules Source Computer Application server Application server Application server Any Any Port Any Any Any Any Any Destination Computer Port CMS CMS Other BusinessObjects Enterprise server CMS Other BusinessObjects Enterprise servers 6400 fixed fixed Any Any Action Allow Allow Allow Reject Reject

Note: There must be an inbound firewall rule for each BusinessObjects Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number. Outbound Rules Source Computer Machines hosting BusinessObjects Enterprise server Port Any Destination Computer Port Application server Any Action Allow

This outbound rule is needed because the application server may register listeners on servers behind the firewall. These listeners may initiate communication with the application server.

Configuring packet filtering when thick client is separated from the CMS
You can publish reports or analytic objects to BusinessObjects Enterprise by saving these objects to BusinessObjects Enterprise from within Crystal Reports or OLAP Intelligence, or by using the Import or Publishing Wizards. However, if there is a firewall between the computer running one of these thick clients and the CMS, this operation fails.

174

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

Configuring your BusinessObjects Enterprise system to support this configuration when the firewall uses packet filtering is very similar to configuring your system to support a packet filtering firewall between the application tier and the Central Management Server (CMS). For full instructions, follow the detailed steps in Configuring packet filtering when application tier is separated from CMS on page 172 but:

Configure only the Central Management Server and the Input File Repository Server to use fixed port numbers for communication. Establish inbound firewall rules for communication between the Crystal Reports or OLAP Intelligence machine and the CMS and Input File Repository Server. You do not need to establish an outbound firewall rule.

Configuring for SOCKS servers


Note: Business Objects will be moving away from supporting SOCKS proxy servers. As a result SOCKS proxy servers are still supported in BusinessObjects Enterprise XI. SOCKS proxy servers will be deprecated in a future release of BusinessObjects Enterprise. If you are using SOCKS proxy servers now, we recommend you switch to a different firewall method. BusinessObjects Enterprise provides direct support for SOCKS proxy server firewalls on Windows installations that use the BusinessObjects Enterprise .NET SDK. There is limited support of SOCKS for the UNIX installation of BusinessObjects Enterprise, or for a Windows installation that uses the BusinessObjects Enterprise Java SDK. You can configure the Web Component Adapter to communicate through a SOCKS server, but the Java SDK has no support for SOCKS. Therefore you may be able to configure your system to support a custom CSP application and SOCKS, but you cannot use JSP pages through a SOCKS firewall. Note: The EBUS layer of the Java SDK does not support communications using the SOCKs protocol. The means that applications written using the Java SDK cannot be on the outside of a firewall from any components that must be accessed, if the only means of traversing the firewall is using the SOCKs protocol. Therefore only perform the test cases that utilize socks when using IIS on a windows deployment This list describes when to use the procedures that are provided in the remainder of this section:

Configuring the CMS for SOCKS Servers Complete these steps if one or more SOCKS servers separate the WCA from the CMS.

BusinessObjects Enterprise Deployment and Configuration Guide

175

Working with Firewalls Configuring the system for firewalls

Configuring the WCA for SOCKS servers When configuring your WCA for SOCKS, complete these steps regardless of the location of your SOCKS server(s).

BusinessObjects Enterprise requires that the CMS and the remaining server components are not separated from one another by firewalls. The remaining server components automatically obtain their SOCKS configuration from the CMS, as required, so you dont need to configure them separately.

Configuring the CMS for SOCKS Servers


Complete these steps if one or more SOCKS servers separate the application server from the CMS. The remaining BusinessObjects Enterprise servers automatically obtain their SOCKS configuration from the CMS, as required, so you dont need to configure them separately. 1. 2. 3. 4. 5. 6. 7. To configure the CMS on Windows Start the CCM. Stop all of the Business Objects servers, including the Central Management Server. Select the CMS and, on the toolbar, click Properties. On the Connection tab, click Add. In the SOCKS Proxy dialog box, type the Server Name or IP Address of your SOCKS server. In the Server Port field, type the number of the port that the SOCKS server is listening on. Select the SOCKS version that you are running (Ver 4 or Ver 5). If you are using version 5 and you would like to secure access to the server, select the authentication check box, and then enter your user name and password. 8. Click OK. If you have more than one SOCKS server, repeat steps 4 to 8 for each additional server. Then click Up and Down to order the SOCKS servers from the outermost (closest to the application server or Web Component Server) to the innermost (closest to the CMS). 9. Click OK in all three dialog boxes to return to the CCM. 10. Start the BusinessObjects Enterprise server components.

176

BusinessObjects Enterprise Deployment and Configuration Guide

Working with Firewalls Configuring the system for firewalls

Configuring the WCA for SOCKS servers


Complete these steps if one or more SOCKS servers separates the Web Component Adapter (WCA) from the Central Management Server (CMS). These steps provide the WCA with the required information about each SOCKS server, in order, from the outermost to the innermost. The outermost SOCKS server is the one closest to the web server. The innermost SOCKS server is the last SOCKS server that the WCA communicates with before the CMS. The procedure for configuring the WCA is different for Windows and Unix. See:


1.

To configure the WCA on UNIX on page 177 To configure the WCA on Windows on page 177 To configure the WCA on UNIX Run the sockssetup.sh script to configure the BusinessObjects Enterprise servers and WCA to work with the SOCKS servers. To configure the WCA on Windows Add the SOCKS information to the WCA. Edit the web.xml deployment descriptor file associated with the webcompadapter.war to insert a SOCKS URI (universal resource identifier). This URI tells your WCA how to contact the CMS through your SOCKS server(s). See Configuring the Web Component Adapter on page 108 for details on editing web.xml.

1.

2.

Edit the file C:\Inetpub\wwwroot\Web.config. a. b. Go to the line: <add key=connection.socksUri value-*/> Add the following SOCKS server information:
*Socks://Version;User:Password@SOCKSserver:Port/ CMSmachine:Port

c. 3. a. b. c. d. e. f. g.

Save the file. Start the CCM. Stop the CMS. Double-click the CMS. The Properties dialog box appears. Click Configuration tab. Enter the SOCKS information. Start the server again. Repeat step 3 for all the BusinessObjects Enterprise server.

Configure the BusinessObjects Enterprise server:

BusinessObjects Enterprise Deployment and Configuration Guide

177

Working with Firewalls Configuring the system for firewalls

178

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts

chapter

Security Concepts Security overview

Security overview
The BusinessObjects Enterprise architecture addresses the many security concerns that affect todays businesses and organizations. The current release supports features such as distributed security, single sign-on, resource access security, granular object rights, and third-party Windows NT, LDAP, and Windows AD authentication in order to protect against unauthorized access. Because BusinessObjects Enterprise provides the framework for an increasing number of components from the Enterprise family of Business Objects products, this section details the security features and related functionality to show how the framework itself enforces and maintains security. As such, this section does not provide explicit procedural details; instead, it focuses on conceptual information and provides links to key procedures. Related topics:

For key procedures that show how to modify the default accounts, passwords, and other security settings, see BusinessObjects Enterprise Administrators Guide. For procedures that show how to set up authentication for Enterprise users, see BusinessObjects Enterprise Administrators Guide. For the basic information on how to set up third-party authentication to work with BusinessObjects Enterprise, see the following sections:

Using NT Authentication on page 211 Using LDAP authentication on page 227 Using AD with NTLM or SiteMinder on page 245

For information more in depth information how to use Kerberos with AD authentication, see the following sections: Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289

Authentication and authorization


Authentication is the process of verifying the identity of a user who attempts to access the system, and authorization is the process of verifying that the user has been granted sufficient rights to perform the requested action upon the specified object.

180

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Authentication and authorization

This section describes the authentication and authorization processes in order to provide a general idea of how system security works within BusinessObjects Enterprise. Each of the components and key terms is discussed in greater detail later in this section. The detailed information on how to implement these different methods of authentication is discussed in the following section: The current release supports these methods of authentication:

Enterprise authentication Windows NT authentication LDAP authentication Windows AD authentication Trusted Authentication

If you want to use any of the third-party methods of authentication or Trusted Authentication, you will need to configure them before you use them. See the following sections, for procedural details on how to implement these authentication methods:

Using AD with NTLM or SiteMinder on page 245 Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289

Because BusinessObjects Enterprise is fully customizable, the authentication and authorization processes may vary from system to system. This section uses InfoView as a model and describes its default behavior. If you are developing your own BusinessObjects Enterprise end-user or administrative applications using the BusinessObjects Enterprise Software Development Kit (SDK), you can customize the systems behavior to meet your needs. For complete details, see the developer documentation available on your product CD.

Primary authentication
Primary authentication occurs when a user first attempts to access the system. One of two things can happen during primary authentication:

If single sign-on is not configured, the user provides their credentials, such as their user name, password and authentication type. These details are entered by the users on the logon screen. If a method of single sign-on is configured, the credentials for the users are silently propagated. These details are extracted using other methods such as Kerberos, SiteMinder.

BusinessObjects Enterprise Deployment and Configuration Guide

181

Security Concepts Authentication and authorization

The authentication type may be Enterprise, Windows NT, LDAP, or Windows AD authentication, depending upon which type(s) you have enabled and set up in the Authentication management area of the Central Management Console (CMC). The users web browser sends the information by HTTP to your web server, which routes the information to the CMS or the appropriate BusinessObjects Enterprise server.

The web application server passes the users information to logon.do or logon.aspx and runs the script. Internally, this script communicates with the SDK and, ultimately, the appropriate security plug-in to authenticate the user against the user database. For instance, if the user specifies Enterprise Authentication, the SDK ensures that the BusinessObjects Enterprise security plug-in performs the authentication. The Central Management Server (CMS) uses the BusinessObjects Enterprise security plug-in to verify the user name and password against the system database. Alternatively, if the user specifies Windows NT, LDAP, or Windows AD authentication, the SDK uses the corresponding security plug-in to authenticate the user. If the security plug-in reports a successful match of credentials, the CMS grants the user an active identity on the system and the system performs several actions:

The CMS creates an enterprise session for the user. While the session is active, this session consumes one user license on the system. The CMS generates and encodes a logon token and sends it to the web application server. The web application server stores the users information in memory in a session variable. While active, this session stores information that allows BusinessObjects Enterprise to respond to the users requests. Note: The session variable does not contain the users password. The web application server persists the logon token in a cookie on the client's browser. This cookie is only used for failover purposes, such as when you have a clustered CMS or when InfoView is clustered for session affinity, not as a part of the normal operation of the system. Note: Although it is not the default behavior, it is possible to disable the logon token, However, if you disable the logon token, you will disable failover.

Each of these steps contributes to the distributed security of BusinessObjects Enterprise, because each step consists of storing information that is used for secondary identification and authorization purposes. This is the model used in

182

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Authentication and authorization

InfoView. However, if you are developing your own client application and you prefer not to store session state on the web application server you can design your application such that it avoids using session variables. Note:

The third-party Windows NT, LDAP, and Windows AD security plug-ins work only once you have mapped groups from the external user database to BusinessObjects Enterprise. For procedural details, see the following sections:

Using AD with NTLM or SiteMinder on page 245 Using LDAP authentication on page 227 Using NT Authentication on page 211

In a single sign-on situation, BusinessObjects Enterprise retrieves users credentials and group information directly from the Windows NT, Windows AD or SiteMinder. Hence, users are not prompted for their credentials.

Single sign-on support


The term single sign-on is used to describe different scenarios. At its most basic level, it refers to a situation where a user can access two or more applications or systems while providing their log-on credentials only once, thus making it easier for users to interact with the system. Single sign-on to BusinessObjects Enterprise can be provided by BusinessObjects Enterprise, or by different authentication tools depending on your application server type and operating system. These are the methods of single sign-on if you are using IIS on Windows:

Windows NT Windows AD with NTLM

This method of single sign-on if you are using either IIS or a Java application server on Windows. Windows AD with Kerberos This method of single sign-on if you are using Java application server on Windows: Windows AD with SiteMinder. These method of single sign-on support is available on Windows or Unix, with either any supported web application server for the platform. LDAP with SiteMinder. Trusted Authentication.

BusinessObjects Enterprise Deployment and Configuration Guide

183

Security Concepts Authentication and authorization

Within the context of BusinessObjects Enterprise, we distinguish the following levels of single sign-on:

Single sign-on to BusinessObjects Enterprise on page 184 Single sign-on to database on page 184 End-to-end single sign-on on page 185

Single sign-on to BusinessObjects Enterprise


Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When a user logs on to the operating system, a security context for that user is created. This context can be propagated to BOE in order to perform SSO resulting in the user being logged on as a BOE user that corresponds to the OS user. The term anonymous single sign-on also refers to single sign-on to BusinessObjects Enterprise, but it specifically refers to the single sign-on functionality for the Guest user account. When the Guest user account is enabled, which it is by default, anyone can log on to BusinessObjects Enterprise as Guest and will have access to BusinessObjects Enterprise. For more information, see the Managing Accounts and Groups chapter of the BusinessObjects Enterprise Administrators Guide. See these sections, for information on configuring single sign-on to BusinessObjects Enterprise:

Setting up NT single sign-on on page 259 Configuring LDAP authentication on page 218 Setting up AD single sign-on on page 246

Single sign-on to database


Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access, in particular, viewing and refreshing reports, without having to provide their logon credentials again. Single sign-on to the database can be combined with single sign-on to BusinessObjects Enterprise, to provide users with even easier access to the resources they need. See End-to-end single sign-on on page 185. In BusinessObjects Enterprise XI single sign-on to the database is supported through Windows AD using Kerberos. You may want to use single sign-on to the database rather than end-to-end single sign-on, if you dont want the account for IIS to be trusted for delegation.

184

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Authentication and authorization

See these sections for information on configuring single sign-on to the database with BusinessObjects Enterprise:

Configuring Kerberos single sign-on on page 267 Configuring IIS for single sign-on to databases only on page 279 Configuring web applications for single sign-on to the databases on page 283.

Note: Single sign-on to the database with BusinessObjects Enterprise is supported if you are using IIS with Kerberos and SQL Server for you database.

End-to-end single sign-on


End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the front-end, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once, when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports. In BusinessObjects Enterprise XI end-to-end single sign-on is supported through Windows AD and Kerberos. For more information, see Configuring Kerberos single sign-on on page 267.

Security plug-ins
Security plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits. Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system. The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to

BusinessObjects Enterprise Deployment and Configuration Guide

185

Security Concepts Authentication and authorization

BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials. Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC. Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD. Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK. BusinessObjects Enterprise supports the following security plug-ins:

BusinessObjects Enterprise security plug-in on page 186 LDAP security plug-in on page 228 Windows AD security plug-in on page 246

BusinessObjects Enterprise security plug-in


The BusinessObjects Enterprise security plug-in (secEnterprise.dll) is installed and enabled by default when you install BusinessObjects Enterprise. This plug-in allows you to create and maintain user accounts and groups within BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify Enterprise Authentication. In this case, user names and passwords are authenticated against the BusinessObjects Enterprise user list, and users are allowed or disallowed access to the system based solely on that information. For details on setting up Enterprise users and groups, see the BusinessObjects Enterprise Administrators Guide.

Default accounts
When you first install BusinessObjects Enterprise, this plug-in sets up two default Enterprise accounts: Administrator and Guest. Neither account has a default password.

186

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Authentication and authorization

Single sign-on
The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see the BusinessObjects Enterprise Administrators Guide.

Processing extensions
BusinessObjects Enterprise offers you the ability to further secure your reporting environment through the use of customized processing extensions. A processing extension is a dynamically loaded library of code that applies business logic to particular BusinessObjects Enterprise view or schedule requests before they are processed by the system. Note: On Windows systems, dynamically loaded libraries are referred to as dynamic-link libraries (.dll file extension). On UNIX systems, dynamically loaded libraries are often referred to as shared libraries (.so file extension). You must include the file extension when you name your processing extensions. Through its support for processing extensions, the BusinessObjects Enterprise administration SDK essentially exposes a handle that allows developers to intercept the request. Developers can then append selection formulas to the request before the report is processed. A typical example is a report-processing extension that enforces row-level security. This type of security restricts data access by row within one or more database tables. The developer writes a dynamically loaded library that intercepts view or schedule requests for a report (before the requests are processed by the Job Server, Page Server, or Report Application Server). The developers code first determines the user who owns the processing job; then it looks up the users data-access privileges in a third-party system. The code then generates and appends a record selection formula to the report in order to limit the data returned from the database. In this case, the processing extension serves as a way to incorporate customized row-level security into the BusinessObjects Enterprise environment. Tip: In BusinessObjects Enterprise XI, you can also set and enforce rowlevel security through the use of Business Views. For more information, see the Business Views Administrator's Guide.

BusinessObjects Enterprise Deployment and Configuration Guide

187

Security Concepts Active trust relationship

The CMC provides methods for registering your processing extensions with BusinessObjects Enterprise and for applying processing extensions to particular object. For details, see the BusinessObjects Enterprise Administrators Guide. By enabling processing extensions, you configure the appropriate BusinessObjects Enterprise server components to dynamically load your processing extensions at runtime. Included in the SDK is a fully documented API that developers can use to write processing extensions. For more information, see the developer documentation available on your product CD. Note: In the current release, processing extensions can be applied only to Crystal report (.rpt) objects.

Active trust relationship


In a networked environment, a trust relationship between two domains is generally a connection that allows one domain accurately to recognize users who have been authenticated by the other domain. While maintaining security, the trust relationship allows users to access resources in multiple domains without repeatedly having to provide their credentials. Within the BusinessObjects Enterprise environment, the active trust relationship works similarly to provide each user with seamless access to resources across the system. Once the user has been authenticated and granted an active session, all other BusinessObjects Enterprise components can process the users requests and actions without prompting for credentials. As such, the active trust relationship provides the basis for BusinessObjects Enterprises distributed security.

Logon tokens
A logon token is an encoded string that defines its own usage attributes and contains a users session information. The logon tokens usage attributes are specified when the logon token is generated. These attributes allow restrictions to be placed upon the logon token to reduce the chance of the logon token being used by malicious users. The current logon token usage attributes are:

Number of minutes This attribute restricts the lifetime of the logon token. Number of logons This attribute restricts the number of times that the logon token can be used to log on to BusinessObjects Enterprise.

188

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Active trust relationship

Both attributes hinder malicious users from gaining unauthorized access to BusinessObjects Enterprise with logon tokens retrieved from legitimate users. Note: Storing a logon token in a cookie is a potential security risk if the network between the browser and application or web server is insecure for example if the connection is made over a public network and is not using SSL or Trusted Authentication. It is good practice to use Secure Sockets Layer (SSL) to reduce security risk between the browser and application or web server. For BusinessObjects Enterprise, the default is to create a logon token to be used for failover. This information is stored by default in a cookie and this information allows you to have failover in InfoView when your user session expires. Failover for InfoView, in this context, means that when your session expires, you are logged back in to InfoView. However, you can disable the default behavior of storing logon tokens in a cookie, but this will also disable failover in InfoView. When the default behavior is disabled, and the logon token is not stored in a cookie, the user session will be limited by the web server or web browser timeout. When that session expires, the user will be required to log in again to BusinessObjects Enterprise. For BusinessObjects Enterprise, the default is to have logon tokens enabled in the web client, however, you can disable logon tokens for InfoView. When you disable the logon tokens in the client, the user session will be limited by the web server or web browser timeout. When that session expires, the user will be required to log in again to BusinessObjects Enterprise. Related topics:

Configuring servers for SSL on page 152 Disabling the restoration of a timed out session in .NET InfoView on page 201 Disabling the restoration of a timed out session in Java InfoView on page 200

Ticket mechanism for distributed security


Enterprise systems dedicated to serving a large number of users typically require some form of distributed security. An enterprise system may require distributed security, for instance, to support features such as load balancing, stateless environments, or transfer of trust (the ability to allow another component to act on behalf of the user).

BusinessObjects Enterprise Deployment and Configuration Guide

189

Security Concepts Active trust relationship

BusinessObjects Enterprise addresses distributed security by implementing a ticket mechanism (one that is similar to the Kerberos ticket mechanism). The CMS grants tickets that authorize components to perform actions on behalf of a particular user. In BusinessObjects Enterprise, the ticket is referred to as the logon token. This logon token is most commonly used over the Web. When a user is first authenticated by BusinessObjects Enterprise, he or she receives a logon token from the CMS. The users web browser caches this logon token. When the user makes a new request, other BusinessObjects Enterprise components can read the logon token from the users web browser. This use of the logon token provides the distributed security that is required for load balancing to be implemented in conjunction with effective faultprotection. The users active identity is stored as a session variable on the web application server that processed the request; consequently, the users active identity is not immediately accessible by the other web application server. For this reason, the users logon token is used to route all of the users requests to the web application server that is storing the users session. By doing so, security is maintained while providing optimal performance: the users identity is verified, but the system does not have to repeatedly prompt the user for his or her credentials; in addition, the user is prevented from unnecessarily consuming resources on both Web Component Adapters. If the web application server that is storing the users active session is taken offline, the logon token again serves a critical purpose. If one web application server ceases to respond to a users requests, InfoView and the CMC are designed such that the request is redirected to the remaining web application server. The client application logs the user on with the valid logon token, and the remaining web application server can authenticate the user and create a new, active session without prompting the user for his or her credentials. The remaining web application server can then authorize and carry out the users request. In this way, the logon token enables the systems load-balancing and fault-tolerance mechanisms to maintain a secure environment without affecting the users experience. In this scenario, when the original web application server is brought back online, the system automatically resumes its load balancing responsibilities by routing each subsequent request to the least used web application server.

190

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Sessions and session tracking

Sessions and session tracking


In general, a session is a client-server connection that enables the exchange of information between the two computers. A sessions state is a set of data that describes the sessions attributes, its configuration, or its content. When you establish a client-server connection over the Web, the nature of HTTP limits the duration of each session to a single page of information; thus, your web browser retains the state of each session in memory only for as long as any single Web page is displayed. As soon as you move from one web page to another, the state of the first session is discarded and replaced with the state of the next session. Consequently, Web sites and Web applications must somehow store the state of one session if they need to reuse its information in another. BusinessObjects Enterprise uses two common methods to store session state:

CookiesA cookie is a small text file that stores session state on the client side: the users web browser caches the cookie for later use. The BusinessObjects Enterprise logon token is an example of this method. Session variablesA session variable is a portion of memory that stores session state on the server side. When BusinessObjects Enterprise grants a user an active identity on the system, information such as the users authentication type is stored in a session variable. So long as the session is maintained, the system neither has to prompt the user for the information a second time nor has to repeat any task that is necessary for the completion of the next request. There are two different types of sessions: a web session (sometimes referred to as an Enterprise session) and a Web Component Adapter (WCA) session. For Java deployments, the web session is used to handle .jsp requests; for .NET deployments, the web session is used to handle .aspx requests. The WCA session is used by the Web Component Adapter. The WCA is a web application, that is deployed on the same machine as your web application server. The WCA allows your web application server to run BusinessObjects Enterprise applications, such a OLAP Intelligence, and allows you to host the Central Management Console (CMC). It also allows you to run legacy CSP applications.

Note: Ideally, the system should preserve the session variable while the user is active on the system. And, to ensure security and to minimize resource usage, the system should destroy the session variable as soon as the user has finished working on the system. However, because the interaction

BusinessObjects Enterprise Deployment and Configuration Guide

191

Security Concepts Sessions and session tracking

between a web browser and a web server can be stateless, it can be difficult to know when users leave the system, if they do not log off explicitly. To address this issue, BusinessObjects Enterprise implements session tracking.

Session tracking
There are two different types of sessions used for session tracking: a web session and a Web Component Adapter (WCA) session. The web session is used to process .NET requests or to process Java requests. For Java deployments, the web session is used to handle .jsp requests; for .NET deployments, the web session is used to handle .aspx requests.The WCA session is used whenever the CMC or legacy CSP applications are used. Note: The WCA is a web application that is deployed on the same machine as your web application server. The WCA allows your web application server to run BusinessObjects Enterprise applications, such a OLAP Intelligence, and allows you to host the Central Management Console (CMC). It also allows you to run legacy CSP applications. The WCA session server-side script pages (Crystal Server Pages) programmatically save variables to the web session. By default, the web session retains the session until the user explicitly logs off, or until 20 minutes after the users last request (whichever occurs first). Note: The web application server session timeout can be programmatically configured in the server-side .aspx or .jsp pages to timeout earlier if the default of 20 minutes is not desired. For information on changing the WCA timeout, see Changing the default session timeout value for the Java CMC on page 110. For information on changing the web session timeout see Changing the default session timeout value for the Java InfoView on page 111. The .NET timeout values for the WCA session and the web are set in web.config.

To change the .NET WCA timeout, edit the web.config file in this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content

To change the .NET web session timeout, edit the web.config file in this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise11.5\WebAdmin

192

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Environment protection

CMS session tracking


The CMS implements a simple tracking algorithm. When a user logs on, he or she is granted a CMS session, which the CMS preserves until the user logs off, or until the web application server session variable is released. The web application server session is designed to notify the CMS on a recurring basis that it is still active, so the CMS session is retained so long as the web application server session exists. If the web application server session fails to communicate with the CMS for a ten-minute time period, the CMS destroys the CMS session. This handles scenarios where client-side components shut down irregularly.

Environment protection
Environment protection refers to the security of the overall environment in which client and server components communicate. Although the Internet and web-based systems are increasingly popular due to their flexibility and range of functionality, they operate in an environment that can be difficult to secure. When you deploy BusinessObjects Enterprise, environment protection is divided into two areas of communication:

Web browser to web server Web server to BusinessObjects Enterprise

Web browser to web server


When data is transmitted between the web browser and the web server, some degree of security is usually required. Relevant security measures usually involve two general tasks:

Ensuring that the communication of data is secure. Ensuring that only valid users retrieve information from the web server.

Note: These tasks are typically handled by web servers through various security mechanisms, including the Secure Sockets Layer (SSL) protocol, Windows NT Challenge/Response authentication, and other such mechanisms. It is good practice to use Secure Sockets Layer (SSL) to reduce security risk between the browser and application or web server. For procedural information, see Configuring servers for SSL on page 152. You must secure communication between the web browser and the web server independently of BusinessObjects Enterprise. For details on securing client connections, refer to your web server documentation.

BusinessObjects Enterprise Deployment and Configuration Guide

193

Security Concepts Auditing web activity

Web server to BusinessObjects Enterprise


Firewalls are commonly used to secure the area of communication between the web server and the rest of the corporate intranet (including BusinessObjects Enterprise). BusinessObjects Enterprise supports firewalls that use IP filtering or static network address translation (NAT), or SOCKS proxy servers. Supported environments can involve multiple firewalls, web servers, or application servers. For complete details on BusinessObjects Enterprise and firewall interaction, see Working with Firewalls on page 157.

Auditing web activity


BusinessObjects Enterprise provides insight into your system by recording web activity and allowing you to inspect and to monitor the details. The web application server allows you to select the web attributessuch as time, date, IP address, port number, and so onthat you want to record. The auditing data is logged to disk and stored in comma-delimited text files, so you can easily report off the data or import it into other applications.

Protection against malicious logon attempts


No matter how secure a system is, there is often at least one location that is vulnerable to attack: the location where users connect to the system. It is nearly impossible to protect this location completely, because the process of simply guessing a valid user name and password remains a viable way to attempt to crack the system. BusinessObjects Enterprise implements several techniques to reduce the probability of a malicious user achieving access to the system. The various restrictions listed below apply only to Enterprise accountsthat is, the restrictions do not apply to accounts that you have mapped to an external user database (Windows NT, LDAP, or Windows AD). Generally, however, your external system will enable you to place similar restrictions on the external accounts.

194

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Auditing web activity

Password restrictions
Password restrictions ensure that Enterprise users create passwords that are relatively complex. You can enable the following options:

Enforce mixed-case passwords This option ensures that passwords contain at least two of the following character classes: upper case letters, lower case letters, numbers, or punctuation.

Must contain at least N characters By enforcing a minimum complexity for passwords, you decrease a malicious users chances of simply guessing a valid users password.

Logon restrictions
Logon restrictions serve primarily to prevent dictionary attacks (a method whereby a malicious user obtains a valid user name and attempts to learn the corresponding password by trying every word in a dictionary). With the speed of modern hardware, malicious programs can guess millions of passwords per minute. To prevent dictionary attacks, BusinessObjects Enterprise has an internal mechanism that enforces a time delay (0.51.0 second) between logon attempts. In addition, BusinessObjects Enterprise provides several customizable options that you can use to reduce the risk of a dictionary attack:

Disable accounts after N failed attempts to log on Reset failed logon count after N minute(s) Re-enable account after N minute(s)

User restrictions
User restrictions ensure that Enterprise users create new passwords on a regular basis. You can enable the following options:

Must change password every N day(s) Cannot reuse the N most recent password(s) Must wait N minute(s) to change password

These options are useful in a number of ways. Firstly, any malicious user attempting a dictionary attack will have to recommence every time passwords change. And, because password changes are based on each users first logon time, the malicious user cannot easily determine when any particular

BusinessObjects Enterprise Deployment and Configuration Guide

195

Security Concepts Auditing web activity

password will change. Additionally, even if a malicious user does guess or otherwise obtain another users credentials, they are valid only for a limited time.

Guest account restrictions


The BusinessObjects Enterprise authentication provider supports anonymous single sign-on for the Guest account. Thus, when users connect to BusinessObjects Enterprise without specifying a user name and password, the system logs them on automatically under the Guest account. If you assign a secure password to the Guest account, or if you disable the Guest account entirely, you disable this default behavior. For details, see the BusinessObjects Enterprise Administrators Guide.

User creation opitons


The options which follow apply when creating either LDAP, NT or AD users.


Alias options

Alias options on page 196 User type options on page 196 Update options on page 197

These two options are available when mapping third-party users:

Assign each added AD alias to an account with the same name. Create a new account for every added AD alias.

Note: The type of alias option you see will vary, based on what type of thirdparty user being configured. If you are mapping AD accounts, you will see AD alias options. If you are mapping LDAP accounts, you will see LDAP alias options. If you are mapping NT accounts, you will see NT alias options. These options control whether or not multiple aliases are linked to the same account or whether a separate account is created for each alias you add.

User type options


These two options are available when mapping third-party users:

New users are created as named users New users are created as concurrent users

These choices control the type of users created. There are two user types available with BusinessObjects Enterprise: names and concurrent.

196

BusinessObjects Enterprise Deployment and Configuration Guide

Security Concepts Auditing web activity

Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

Update options
You have these choices when you select Select when users and aliases are created:

New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.

Note: The type of alias option you see will vary, based on what type of thirdparty user being configured. If you are mapping AD accounts, you will see AD alias options. If you are mapping LDAP accounts, you will see LDAP alias options. If you are mapping NT accounts, you will see NT alias options.

If you choose the first option, the users and aliases will be created in BusinessObjects Enterprisewhen you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise Tip: To deny AD authentication for all users, clear the Windows Active Directory Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias other than the one assigned for AD authentication. To restrict access, disable or delete the users Enterprise account. For more information, see the BusinessObjects Enterprise Administrators Guide.

BusinessObjects Enterprise Deployment and Configuration Guide

197

Security Concepts Auditing web activity

198

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior

chapter

Modifying default security behavior Overview

Overview
This section describes how to disable the restoration of a timed out session and persistent cookies and how to enable reverse proxies work in BusinessObjects Enterprise. Note: You do not need to do anything specific in BusinessObjects Enterprise to enable reverse proxies unless you are using one of these web application servers with Apache 2.0: Tomcat, Oracle Application Server, or SAP Web Application Server.

Disabling the restoration of a timed out session


If you do not wish to have logon token used to log you back in when the session variable has timed out in InfoView, you can be disable this behavior. This is done in the web.xml file if you are using a Java client, or in Web.config if you are using a .NET client. For details on how logon tokens are used in BusinessObjects Enterprise, see Logon tokens on page 188. Related topics:

Disabling the restoration of a timed out session in Java InfoView on page 200 Disabling the restoration of a timed out session in .NET InfoView on page 201

Disabling the restoration of a timed out session in Java InfoView


1. To disable restoration of a timed out session for the Java InfoView client Open the web.xml file for InfoView, from its deployed location on your web application server.
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF

Note:

200

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior Disabling the restoration of a timed out session

If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\

If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
<INSTALLDIR>/bobje/tomcat/webapps

2. 3.

If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.

Locate this string in the file:


<param-name>logontoken.enabled</param-name>

Change the <param-value> for logontoken.enabled from true to false.


<param-value>false</param-value>

4. 5.

Save and close the file. Restart your application server.

Disabling the restoration of a timed out session in .NET InfoView


To disable the restoration of a timed out session in a .NET InfoView client 1. Open the Web.config file for InfoView, from its deployed location on your web application server.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2. 3. 4. 5.

Find this string in the file:


<add key="logonTokenEnabled" value="true"/>

Change the value for logonTokenEnabled from true to false. Save and close the file. Restart IIS.

BusinessObjects Enterprise Deployment and Configuration Guide

201

Modifying default security behavior Enabling reverse proxies for Java applications servers

Enabling reverse proxies for Java applications servers


Reverse proxies refer to a configuration where you set up one web server, say IIS or Apache, and all the requests go to it. When the web server receives requests, it then forwards all the requests to the web application servers behind it for processing. The application servers are often behind a firewall. Note: Consult the Apache documentation for information on setting up a reverse proxy. This is required before you do any of the configuration in this section and is outside of the scope of this section.

Enabling reverse proxies for BusinessObjects Java InfoView


If you are using Apache 2.0 as your reverse proxy server, you need to modify the web.xml file for InfoView to enable reverse proxies on these web application servers:

Tomcat Oracle Application Server SAP Web Application Server

If you are using Apache 2.2 or later, you can either follow these steps or configure the Apache server to rewrite the path string in Set-Cookie headers by using ProxyPassReverseCookiePath. For instructions, consult your Apache documentation. Note:

These steps are not required if you are using WebSphere or WebLogic.

1.

To enable reverse proxies Open the web.xml file from the following location:
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF

Note:

202

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior Enabling reverse proxies for Java applications servers

If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\

If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
<INSTALLDIR>/bobje/tomcat/webapps

2.

If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.

Find the following string in the file:


--> <context-param> <param-name>proxy.contextpaths</param-name>

Note: This string appears more than once in the file. The first occurrence of this is an example and is in a comment. Ensure the string you edit is not commented out.
Enter the context path for your reverse proxy in the <param-value> for <param-name>proxy.contextpaths.

If you have multiple reverse proxy paths, separate each path with a comma.
<context-param> <param-name>proxy.contextpaths</param-name> <param-value>/Path1,/Path2,/Path3</param-value> </context-param>

3. 4.

Save and close the file. Restart your application server.

Enabling reverse proxies for BusinessObjects Web Services


This section describes the required procedures to enable reverse proxies for BusinessObjects Web Services.

Enabling reverse proxies on Tomcat


Note: The following information only applies if you are using Tomcat.

BusinessObjects Enterprise Deployment and Configuration Guide

203

Modifying default security behavior Enabling reverse proxies for Java applications servers

1. 2.

To enable reverse proxies Stop Tomcat. Open the server.xml for Tomcat. On Windows, server.xml is located at <CATALINA_HOME>\conf On UNIX server.xml is located at <CATALINA_HOME>/conf Note:

If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows and you did not modify the default installation location, replace <CATALINA_HOME> with C:\Program Files\Business Objects\Tomcat If you are using the version of Tomcat installed with BusinessObjects Enterprise on UNIX and you did not modify the default installation location, replace <CATALINA_HOME> with <INSTALLDIR>/bobje/ tomcat
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <!-<Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" debug="0" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" /> -->

3.

Locate this string in the server.xml file:

4. 5. 6.

Uncomment the Connector element by removing <!-- and -->. Modify the value of proxyPort to be the reverse proxy server listen port. Add a new proxyName attribute to the Connectors attribute list. The value of the proxyName must be the proxy server name which should be resolvable to the correct IP address by Tomcat. Here is a sample:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"

204

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior Enabling reverse proxies for Java applications servers

acceptCount="100" debug="0" connectionTimeout="20000" proxyName="my_reverse_proxy_server.domain.com" proxyPort="ReverseProxyServerPort" disableUploadTimeout="true" />

Where my_reverse_proxy_server.domain.com and ReverseProxyServerPort should be substituted by the correct reverse proxy server name and its listen port. 7. 8. 9. Save and close the server.xml file. Restart Tomcat. Ensure the reverse proxy server maps its virtual path to the correct Tomcat connector port. In the above example, the port is 8082. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on Tomcat:
ProxyPass /dswsbobje http://internalServer:8082/ dswsbobje ProxyPassReverse /dswsbobje http://internalServer:8082/ dswsbobje

Enabling reverse proxy on web application servers other than Tomcat


Note: The following procedure requires that BusinessObjects Enterprise web applications are successfully configured against your chosen web application server. 1. 2. To enable reverse proxies Stop the web application server. Specify the external URL of the Web Services in the dsws.properties file. This file is located in dswsbobje web application. For example if your external is URL is http://my_reverse_proxy_server.domain.com/ dswsbobje/, update the following properties in the dsws.properties file:

wsresource1=ReportEngine|reportengine web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ reportengine wsresource2=BICatalog|bicatalog web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ bicatatog wsresource3=Publish|publish web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/publish

BusinessObjects Enterprise Deployment and Configuration Guide

205

Modifying default security behavior Enabling reverse proxies for Java applications servers


3. 4. 5.

wsresource4=QueryService|query web service alone|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ queryservice wsresource5=BIPlatform|BIPlatform web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/services/ biplatform wsresource6=LiveOffice|Live Office web service|http:// my_reverse_proxy_server.domain.com/dswsbobje/servicesliveoffice

Save and close the dsws.properties file. Restart the web application server. Ensure the reverse proxy server maps its virtual path to the correct web application server connector port. The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on the web application server of your choice:
ProxyPass /dswsbobje http://internalServer:<listen port>/dswsbobje ProxyPassReverse /dswsbobje http:// internalServer:<listen port>/dswsbobje

Where <listen port> is the listen port of your web application server.

Enabling reverse proxies for BusinessObjects Live Office


Note: This section assumes reverse proxies for BusinessObjects Java InfoView and BusinessObjects Web Services have been successfully enabled. To enable BusinessObjects Live Offices View Object in Web Browser feature for reverse proxies, adjust the default viewer URL. This can be done in the Central Management Console (CMC) or through Live Office options. 1. 2. 3. To adjust the default viewer URL using the CMC Log on to the CMC. Navigate to the Objects page and click Object Settings. In the URL field, set the correct default viewer URL and click Set URL. Here is a sample default viewer URL: http://ReverseProxyServer:ReverseProxyServerPort/ ProxiedInfoView/opendoc/ openDocument.jsp?sIDType=CUID&iDocID=%SI_CUID%

206

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior Enabling reverse proxies for Java applications servers

Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. To adjust the default view URL using Live Office options 1. 2. On the LiveOffice menu click Options and then click the Enterprise tab. Select Specify the URL to view the report in repository: and type the correct URL in the adjacent field. For example: http://ReverseProxyServer:ReverseProxyServerPort/ProxiedInfoView/ opendoc/openDocument.jsp. Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView. 3. Click OK.

Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server
Prerequisites
Ensure that you have read and implemented the steps for Enabling reverse proxies for Java applications servers on page 202.

Deployment instructions
In a regular deployment you create a service account and an SPN that maps to that service account for use with the application server machine. For details on this, refer to Configuring Kerberos and single sign-on to the database for Java application servers on page 311. In a deployment where the reverse proxy server sits between the client and the application sever, you must make the following change:

Follow the instructions for Configuring Kerberos and single sign-on for Java InfoView on page 312 with modifications for step 2, setting an SPN for your web application server and step 4, creating and placing a keytab file. In these steps, the service account and the SPN need to be for the reverse proxy server rather than the application server.

In both steps, when executing the ktpass command, the <host> should be the fully qualified domain name of the reverse proxy server.

BusinessObjects Enterprise Deployment and Configuration Guide

207

Modifying default security behavior Disabling persistent cookies for InfoView

Disabling persistent cookies for InfoView


You may notice that whenever you go to the InfoView logon page, any time after you first successful log in, these three items are populated:

Your CMS name and port number. Your User name. Your authentication method.

This behavior is made possible through the use of persistent cookies. Persistent cookies are text small files that are stored on your hard drive in the Cookies folder, under your profile name folder, and in the Temporary Internet Folder in your Windows directory. Although these cookies do not store your password, some companies have stringent security requirements which prohibit this behavior. The use of persistent cookies on the InfoView logon screen is the default, however, if you want you can disable this behavior in either the .NET or the Java InfoView client. 1. To disable persistent cookies for .NET InfoView Open the Web.config file for InfoView, from its deployed location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2. 3. 4. 5. 1.

Find this string in the file:


<add key="persistentCookiesEnabled" value="true"/>

Change the value for persistentCookiesEnabled from true to false. Save and close the file. Restart IIS. To disable persistent cookies for Java InfoView Open the web.xml file for InfoView, from its deployed location on your web application server.
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF

Note:

208

BusinessObjects Enterprise Deployment and Configuration Guide

Modifying default security behavior Disabling persistent cookies for InfoView

If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this:
C:\Program Files\Business Objects\Tomcat\webapps\

If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.

2. 3. 4. 5.

Locate this string in the file:


<param-name>persistentcookies.enabled</param-name>

Change the <param-value> for persistentcookies.enabled from true to false. Save and close the file. Restart your application server.

BusinessObjects Enterprise Deployment and Configuration Guide

209

Modifying default security behavior Disabling persistent cookies for InfoView

210

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication

chapter

Using NT Authentication Using NT user accounts and groups

Using NT user accounts and groups


BusinessObjects Enterprise supports NT authentication with the Windows NT security plug-in, which is included by default when the product is installed on Windows. Support for NT authentication means that users or groups created with NT, Windows 2000 and Windows 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you to map previously created NT user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise.

Windows NT security plug-in


The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session. This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see Managing NT accounts on page 248. For information on the Windows AD security plug-in, see Windows AD security plug-in on page 246. Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD. Note: The Windows NT security plug-in cannot authenticate users under the following conditions:

If the BusinessObjects Enterprise server components are running on UNIX If your system uses the BusinessObjects Enterprise Java SDK.

212

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Windows NT security plug-in

Business Objects NT Users Group


If you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. As a result, you can log on to BusinessObjects Enterprise with your usual NT user credentials.

NT single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:

To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK. In this scenario, the Windows NT security plug-in queries the operating system for the current users credentials when the client is launched.

To obtain NT single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS). In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the users credentials to BusinessObjects Enterprise. Note:

Although single sign-on is supported for InfoView, you will still see the logon screen for the CMC. When you see the CMC logon screen, leave the userid and password fields blank, select Windows NT from the authentication type drop down, and then click logon. IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation. For details on configuring IIS for single sign-on, see Setting up NT single sign-on on page 259. For information on NT single sign-on, see Setting up NT single sign-on on page 259.

BusinessObjects Enterprise Deployment and Configuration Guide

213

Using NT Authentication NT user account and group administration

NT and single sign-on support


BusinessObjects Enterprise also supports single sign-on support for InfoView and the CMC with NT authentication under the following conditions:

When IIS is the web server When Internet Explorer is used as the web browser

This support means that your authenticated NT users can log on to BusinessObjects Enterprise without explicitly entering their credentials. The first two sections, Windows NT security plug-in on page 212 and Mapping NT user accounts and groups on page 215 provide overview information about how NT authentication works with BusinessObjects Enterprise. The remaining sections provide the procedural details related to using NT user accounts and groups and NT single sign-on for InfoView.

Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217 Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225 NT authentication only works for servers running on Windows systems. If you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default. NT accounts refer to Windows NT, 2000, or 2003 accounts.

Note:

NT user account and group administration


Setting up and maintaining NT authentication involves these tasks:

Mapping NT user accounts and groups

Mapping NT user accounts and groups from Windows NT on page 215 Mapping NT user account or groups from Windows 2000 or 2003 on page 216 Mapping NT groups from the CMC on page 217

Setting up NT single sign-on on page 223

214

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

Unmapping NT groups on page 220 Viewing mapped NT users and groups on page 221

Mapping NT user accounts and groups


To simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. You can map NT accounts to BusinessObjects Enterprise three ways:

Through the User Manager in NT. Through Computer Management in Windows 2000 or 2003. Through the CMC.

Note: NT accounts refer to Windows NT, 2000 and 2003 accounts.

Mapping NT user accounts and groups from Windows NT


To simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. 1. To map NT users to BusinessObjects Enterprise from Windows NT From the Windows NT Administrative Tools program group, click User Manager. Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group. This group is created automatically when you install BusinessObjects Enterprise on Windows. 2. 3. 4. 5. 6. Select the BusinessObjects NT Users group. From the User menu, click Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s).

BusinessObjects Enterprise Deployment and Configuration Guide

215

Using NT Authentication Mapping NT user accounts and groups

7.

Click OK to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.

Mapping NT user account or groups from Windows 2000 or 2003


To simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map NT users to BusinessObjects Enterprise from Windows 2000 or 2003 1. From the Windows Administrative Tools program group, click Computer Management. 2. 3. 4. 5. 6. 7. 8. Under System Tools, select Local Users and Groups. Click the Groups folder. Select the BusinessObjects NT Users and from the Action menu, select Properties. Click Add. Select the group(s) and/or user(s); then click Add. Click OK to add the group(s) and/or user(s). Click OK or Apply (and then Close) to complete the process. Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:
\\NTDomainName\NTusername or NTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the Default NT Domain field on the Windows NT tab.

216

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

Mapping NT groups from the CMC


To simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Note:

When you map a NT group to BusinessObjects Enterprise, all the users from the group are mapped. If you want to exclude specific users from having access to BusinessObjects Enterprise, you can change the specific users access after the group has been mapped. Before starting this procedure, ensure you have the NT domain and group information. To map NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC.

1.

BusinessObjects Enterprise Deployment and Configuration Guide

217

Using NT Authentication Mapping NT user accounts and groups

2.

Click the Windows NT tab.

3. 4.

Ensure that the NT Authentication is enabled check box is selected. If you will be using single sign-on, select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up NT single sign-on on page 223. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

5.

To change the Default NT domain, click the domain name. Complete the Default NT Domain field, and then click Update. Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you dont have to specify the NT domain name when you map groups.

218

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

6.

In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field. Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.

7. 8.

Click Add. The group is added to the list. Select how aliases are mapped to Enterprise accounts. You have these choices:

Assign each added NT alias to an account with the same name. Create a new account for every added NT alias.

Note: For more information on these options, see Alias options on page 196. 9. Select when new users and aliases are created. You have these choices:

New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on these options, see Update options on page 197.

10. Select what type of users are created. You have these choices:

New users are created as named users. New users are created as concurrent users. Note: For more information on what these options do, see User type options on page 196.

11. Click Finish. A message appears stating that it will take several seconds to update the member groups. 12. Click OK.

BusinessObjects Enterprise Deployment and Configuration Guide

219

Using NT Authentication Mapping NT user accounts and groups

Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise. 1. 2. 3. 4. 5. To unmap NT users and groups using Windows NT From the Administrative Tools program group, click User Manager. Select BusinessObjects NT Users. From the User menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases, see Security Concepts on page 179. 1. 2. 3. 4. 5. 6. 7. To unmap NT users and groups using Windows 2000 or 2003 From the Administrative Tools program group, click Computer Management. Under System Tools, select Local Users and Groups. Click the Groups folder. Select BusinessObjects NT Users. From the Action menu, click Properties. Select the user(s) or group(s), and click Remove. Click OK or Apply (and then Close) to complete the process. The user or group will no longer be able to access BusinessObjects Enterprise. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179. 1. 2. 3. 4. To unmap NT groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the Windows NT tab. In the Mapped NT Member Groups area, select the NT group you would like to remove. Click Delete.

220

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

5.

Click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny NT Authentication for all groups, clear the NT Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see Security Concepts on page 179.

Viewing mapped NT users and groups


There are two methods to view mapped users and groups in BusinessObjects Enterprise. The method you use depends on the way the groups and users have been mapped. To view users and groups that have been added using Windows NT/ 2000, 2003 or BusinessObjects Enterprise 1. Go to the Groups management area of the CMC. 2. If you added users and groups through Windows NT/2000, then click BusinessObjects NT Users. If you added users and groups through the CMC, then select the appropriate group. 3. 4. 5. 6. Click the Users tab. Click OK to the message which states that accessing the user list may take several seconds. Click Refresh. Click OK.

To view users and groups that have been added using BusinessObjects Enterprise 1. Go to the Authentication management area of the CMC. 2. Click the Windows NT tab. The Mapped NT Member Groups area displays the groups that have been mapped to BusinessObjects Enterprise. Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.

BusinessObjects Enterprise Deployment and Configuration Guide

221

Using NT Authentication Mapping NT user accounts and groups

Adding an NT account to a mapped NT group


When you have added a new account in NT, and the NT group to which the account belongs to is already mapped to BusinessObjects Enterprise, there are three ways you can get the new NT account into BusinessObjects Enterprise. Choose the method that works best for your situation:

When the new NT user logs on to BusinessObjects Enterprise and selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesnt require any extra steps, but the user wont be added until he or she logs on to BusinessObjects Enterprise. You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. For more information on aliases, see Security Concepts on page 179. You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see Mapping NT user accounts and groups on page 215. However, if the NT group contains many users who dont require access to BusinessObjects Enterprise, you may want to add the user individually instead.

Creating a new NT group account

If you create a new NT group account, and the group account does not belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see Mapping NT user accounts and groups on page 215. If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see Viewing mapped NT users and groups on page 221.

Disabling an NT user account


If you disable an NT user account (using Windows Administrative Tools), the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.

222

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

Setting up NT single sign-on


You can configure BusinessObjects Enterprise to allow users to use various BusinessObjects Enterprise applications without being prompted to log on. Users need only to enter their NT user name and password information once at the beginning of the NT session. For instance, if you have set up NT single sign-on, when you launch the CMC, NT authentication occurs in the background. You are not required to enter any additional information. Note: This feature is available if you are using a Microsoft Internet Information Server (IIS) and the users are using Internet Explorer as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements. BusinessObjects Enterprise provides its own form of anonymous single signon, which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. When a user launches InfoView, he or she can log on using the Guest account (Enterprise authentication). You can disable this featurefor more information, on this and other routine administrative tasks, see the BusinessObjects Enterprise Administrators Guide. However, even when you disable the Guest account, BusinessObjects Enterprise is designed to display a logon page. With single sign-on enabled, the user can select Windows NT from the Authentication list and click Log On without entering his or her user name or password. In the developer documentation, refer to the tutorial for an example on creating a web application that uses single sign-on. Setting up NT single sign-on to BusinessObjects Enterprise includes these tasks:

Modifying IIS security settings for NT single sign-on on page 224 Enabling InfoView NT single sign-on from the CMC on page 224 Modifying the web.config file for NT single sign-on on page 225

Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on Kerberos, see these sections: Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289 Using AD with NTLM or SiteMinder on page 245

BusinessObjects Enterprise Deployment and Configuration Guide

223

Using NT Authentication Mapping NT user accounts and groups

Modifying IIS security settings for NT single sign-on


1. 2. 3. 4. 5. 6. 7. 8. 9. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Click on the web site that runs InfoView, and then select Properties. Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Deselect the Anonymous access and Basic authentication check boxes. Ensure that the Integrated Windows authentication check box is selected. Click OK.

10. Click OK. 11. Proceed to Modifying the web.config file for NT single sign-on on page 225. 12. Restart your IIS server. Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.

Enabling InfoView NT single sign-on from the CMC


1. 2. 3. To enable the Windows NT plug-in for single sign-on from the CMC Go to the Authentication management area of the CMC. Click the Windows NT tab. Select the Single Sign On is enabled check box. Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Modifying IIS security settings for NT single sign-on on page 224. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because when users access one of the web applications they would automatically have the same access privileges as the IIS machine account. 4. Click Update.

224

BusinessObjects Enterprise Deployment and Configuration Guide

Using NT Authentication Mapping NT user accounts and groups

Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in Setting up NT single sign-on on page 223.

Modifying the web.config file for NT single sign-on


Modify either of the following web.conf files based on what you want to configure for single sign-on. To configure both CMC and InfoView for single sign-on, configure the web.config file in the Web Content directory; To configure only InfoView for single sign-on, configure the web.config file in the InfoView directory. 1. To modify the web.config file for NT single sign-on Open the appropriate Web.config file from this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2. 3. 4. 5. 6. 7. 8. 9.

Locate the following line in the <system.web> block:


<Authentication mode="None" />

Replace None with Windows.


<Authentication mode="Windows" />

Add the following line:


<identity impersonate="true" />

Find the following string:


<add key="cmsDefault" value="" />

Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />

Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secEnterprise" />

10. Ensure the value for authenticationDefault is set to secWindowsNT. 11. Save and close the file. 12. Restart IIS.

BusinessObjects Enterprise Deployment and Configuration Guide

225

Using NT Authentication Mapping NT user accounts and groups

226

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication

chapter

10

Using LDAP authentication Managing LDAP accounts

Managing LDAP accounts


To use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up. For more information about LDAP, refer to your LDAP documentation. For more information on the LDAP security plugin, see LDAP security plug-in on page 228. Note: When you install BusinessObjects Enterprise, the LDAP authentication plug-in is installed automatically, but not enabled by default. This section describes tasks related to configuring LDAP on BusinessObjects Enterprise. In particular, it includes information on:

Configuring LDAP authentication on page 230 Mapping LDAP groups on page 238 Unmapping LDAP groups on page 241 Viewing mapped LDAP users and groups on page 242 Changing LDAP connection parameters and member groups on page 242 Managing multiple LDAP hosts on page 243 Troubleshooting LDAP accounts on page 243

LDAP security plug-in


The LDAP security plug-in (secLDAP.dll) allows you to map user accounts and groups from your LDAP directory server to BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify LDAP Authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BusinessObjects Enterprise session. User lists and group memberships are dynamically maintained by BusinessObjects Enterprise. You can specify that BusinessObjects Enterprise use a Secure Sockets Layer (SSL) connection to communicate to the LDAP directory server for additional security. LDAP authentication for BusinessObjects Enterprise is similar to NT and AD authentication in that you can map groups and set up authentication, authorization, and alias creation. Also as with NT or AD authentication, you can create new Enterprise accounts for existing LDAP users, and can assign LDAP aliases to existing users if the user names match the Enterprise user names. In addition, you can do the following:

Map users and groups from the LDAP directory service. Map LDAP against AD.

228

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

Note:

If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure either single sign-on or single sign-on to the database. These are the restrictions if you configure LDAP against AD.

Users who are only members of a default groups from AD will not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a group is the domain users group. If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully. Users from universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.

Specify multiple host names and their ports. Configure LDAP with SiteMinder.

For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see Managing LDAP accounts on page 218. Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.

More about LDAP


Lightweight Directory Access Protocol (LDAP), a common, applicationindependent directory, enables users to share information among various applications. Based on an open standard, LDAP provides a means for accessing and updating information in a directory. LDAP is based on the X.500 standard, which uses a directory access protocol (DAP) to communicate between a directory client and a directory server. LDAP is an alternative to DAP because it uses fewer resources and simplifies and omits some X.500 operations and features. The directory structure within LDAP has entries arranged in a specific schema. Each entry is identified by its corresponding distinguished name (DN) or common name (CN). Other common attributes include the organizational unit name (OU), and the organization name (O). For example, a member group may be located in a directory tree as follows: cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research. Refer to your LDAP documentation for more information.

BusinessObjects Enterprise Deployment and Configuration Guide

229

10

Using LDAP authentication Managing LDAP accounts

Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication). If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users credentials. Before deploying LDAP authentication in conjunction with BusinessObjects Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http:// www.faqs.org/rfcs/rfc2251.html

Configuring LDAP authentication


To simplify administration, BusinessObjects Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to BusinessObjects Enterprise, you need to map their LDAP account to BusinessObjects Enterprise. When you map an LDAP account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation. Configuring LDAP authentication includes the following steps:

Configuring the LDAP host on page 231. Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233. Configuring the LDAP plug-in for SiteMinder on page 236.

230

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

Note: If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure single sign-on or single sign-on to the database.

Configuring the LDAP host


1. 2. To configure the LDAP host Go to the Authentication management area of the CMC, and then click on the LDAP tab. Enter the name and port number of your LDAP hosts in the Add LDAP host (hostname:port) field (for example, myserver:123), click Add, and then click OK. Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to Managing multiple LDAP hosts on page 243. 3. Select your server type from the LDAP Server Type list. Note: If you are Mapping LDAP to AD, select Custom for your server type. 4. If you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes, click Show Attribute Mappings. By default, each supported server types server attribute mappings and search attributes are already set. 5. 6. Click Next. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase) for your LDAP server, and then click Next. In the LDAP Server Administration Credentials area, type the distinguished name and password for a user account that is authorized to administer your LDAP server. Note: If your LDAP Server allows anonymous binding, leave this area blankBusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon. 8. If you have configured referrals on your LDAP host, enter the authentication information in the LDAP Referral Credentials area, and then enter the number of referral hops in the Maximum Referral Hops field. Note:

7.

BusinessObjects Enterprise Deployment and Configuration Guide

231

10

Using LDAP authentication Managing LDAP accounts

The LDAP Referral Credentials area must be configured if all of the following apply:

The primary host has been configured to refer to another directory server that handles queries for entries under a specified base. The host being referred to has been configured to not allow anonymous binding. A group from the host being referred to will be mapped to BusinessObjects Enterprise.

Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password. If Maximum Referral Hops is set to zero, no referrals will be followed.

9.

Click Next.

10. Choose the type of Secure Sockets Layer (SSL) authentication used, and then click Next. These are your SSL authentication choices:

Basic (no SSL) Server Authentication Mutual Authentication Note: See Configuring LDAP Server or Mutual Authentication and the SSL settings on page 233 for further information.

11. Choose a method of LDAP single sign-on authentication from these choices:

Basic (No SSO) SiteMinder Note: If you select SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236.

232

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

12. Select how aliases are mapped to Enterprise accounts. You have these choices:

Assign each added NT alias to an account with the same name Create a new account for every added NT alias

Note: For more information on what these options do, see Alias options on page 196. 13. Select when aliases and users are created. You have these choices:

New aliases will be added and new users will be created No new aliases will be added and new users will not be created Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on what these options do, see Update options on page 197.

14. Select how new users are created. You have these choices:

New users are created as named users New users are created as concurrent users

Note: For more information on what these options do, see User type options on page 196. 15. Click Finish.

Configuring LDAP Server or Mutual Authentication and the SSL settings


This section describes the CMC related information for configuring SSL with LDAP Server and Mutual Authentication. It assumes that you have completed the first 10 applicable steps in Configuring the LDAP host on page 231, and that you selected either of these for your SSL authentication choice:

Server Authentication Mutual Authentication

You can do this configuration after you complete all the steps in Configuring the LDAP host on page 231. For additional information or for information on configuring the LDAP host server, refer to http:// www.techsupport.businessobjects.com/ or your LDAP vendor documentation.

BusinessObjects Enterprise Deployment and Configuration Guide

233

10

Using LDAP authentication Managing LDAP accounts

1.

To configure LDAP Server or Mutual Authentication Choose what level of SSL security you want to use from the available options: Note:

Java applications will ignore the first and last setting and will accept the server certificate only if it comes from a trusted Certificate Authority. Always accept server certificate This is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.

Accept server certificate if it comes from a trusted Certificate Authority This is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.

Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server This is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the Add LDAP host field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work. The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.

234

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

2.

In the SSL host box, type the host name of each machine, and then click Add.

Note: You must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.) 3. Specify the SSL settings for each SSL host that has been added to the list, and specify the default settings that will be used for each host that is not on the list. Note: The default settings will be used for any setting (for any host) where you leave the Use default value box checked or for any machine whose name you do not explicitly add to the list of SSL hosts.

To specify the default settings: a. c. Select default from the SSL list. Type your values for the Path to the certificate and key database files and the Password for the key database. b. Clear the Use default value boxes.

d. If youre specifying settings for Mutual authentication, you can also enter a value in the Nickname for the client certificate in the cert7.db field.

4.

To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.

Click Next.

BusinessObjects Enterprise Deployment and Configuration Guide

235

10

Using LDAP authentication Managing LDAP accounts

5.

Choose a method of LDAP single sign-on authentication from these choices:

Basic (No SSO) SiteMinder

Note: For further details on configuring SiteMinder, see Configuring the LDAP plug-in for SiteMinder on page 236. 6. 7. Choose how new LDAP users and aliases are created. Click Finish.

LDAP and SiteMinder Workflow


To use SiteMinder and LDAP with BusinessObjects Enterprise you need to make configuration changes in two places:

In the LDAP plug-in the CMC. In the web.xml file for your web application server.

Configuring the LDAP plug-in for SiteMinder


This section explains how to configure the CMC to use LDAP with SiteMinder. SiteMinder is a third-party user access and authentication tool that you can use with the LDAP security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed Configuring the LDAP host on page 231 and chosen SiteMinder for your method of LDAP single sign-on authentication. Note:

Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation. To configure LDAP for single sign-on with SiteMinder On the Please configure your SiteMinder settings screen, in the Policy Server Host box, type the name of each Policy Server, and then click Add. Note: This screen is visible after you select SiteMinder on the Please choose a method of LDAP single sign-on authentication screen.

1.

2.

For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers.

236

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

3.

Enter the name of the Agent Name and the Shared Secret. Enter the shared secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

4. 5.

Click Next. Proceed with configuring the LDAP options.

Modifying web.xml for LDAP and SiteMinder


1. To enable LDAP and SiteMinder Open the web.xml file for InfoView on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. 6. 7. 8. 9. Locate the following string in the file:
<param-name>cms.default</param-name>

Enter the CMS name and port in the cms.default<param-value> field. Use the format servername:portnumber. Locate the following string in the file:
<param-name>authentication.default</param-name>

Set the <param-value> for the authentication.default to secLDAP.


<param-value>secEnterprise</param-value>

Locate the following string in the file:


<param-name>sso.enabled</param-name>

Change the <param-value> for sso.enabled from false to true.


<param-value>true</param-value>

Locate the following string in the file:


<param-name>siteminder.enabled</param-name>

Change the <param-value> for siteminder.enabled from false to true.


<param-value>true</param-value>

BusinessObjects Enterprise Deployment and Configuration Guide

237

10

Using LDAP authentication Managing LDAP accounts

10. Locate the following string in the file:


<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secLDAP.


<param-value>secLDAP</param-value>

12. Save and close the file. 13. Restart your web application server.

Troubleshooting SiteMinder single sign-on


If you are using SiteMinder with IIS, you may receive an error message in the Central Management Console regarding the failure of single sign-on. If you encounter this message, you may need to manually create two registry keys for SiteMinder: 1. Create the following key, set its type to REG_DWORD, and set its value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\EnableSiteMinderSingl eSignOn

2.

Create a second key, set its type to REG_SZ, and set its value to the authentication type that you want to use for Siteminder single sign-on (secLDAP or secWinAD):
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\SiteMinderAuthenticat ion

Ensure that the Siteminder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using.

Mapping LDAP groups


Once you have configured LDAP authentication using the LDAP configuration wizard, you can map LDAP groups to Enterprise groups. See Configuring LDAP authentication on page 230. Note: If you have configured LDAP against AD, this procedure will map your AD groups. 1. 2. To map LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab.

238

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

If LDAP authorization is configured, the LDAP summary page appears.

3.

In the Mapped LDAP Member Groups area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add. You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.

BusinessObjects Enterprise Deployment and Configuration Guide

239

10

Using LDAP authentication Managing LDAP accounts

4.

New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:

Assign each added LDAP alias to an account with the same name Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users. or

Create a new account for every added LDAP alias Use this option when you want to create a new account for each user.

5.

Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:

New aliases will be added and new users will be created Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the Create a new account for every added LDAP alias option. or

No new aliases will be added and new users will not be created Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.

6.

New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:

New users are created as named users New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system

240

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

regardless of how many other people are connected. You must have a named user license available for each user account created using this option. or

New users are created as concurrent users New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

7.

Click Update.

Unmapping LDAP groups


Similar to mapping, it is possible to unmap groups using BusinessObjects Enterprise. 1. 2. 3. 4. To unmap LDAP groups using BusinessObjects Enterprise Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP summary page will appear. In the Mapped LDAP Member Groups area, select the LDAP group you would like to remove. Click Delete, and then click Update. The users in this group will not be able to access BusinessObjects Enterprise. Tip: To deny LDAP Authentication for all groups, clear the LDAP Authentication is enabled check box and click Update. Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the users Enterprise account.

BusinessObjects Enterprise Deployment and Configuration Guide

241

10

Using LDAP authentication Managing LDAP accounts

Viewing mapped LDAP users and groups


You can view your LDAP mapped groups in BusinessObjects Enterprise by clicking the LDAP tab (located in the Authentication management area). If LDAP authorization is configured, the Mapped LDAP Member Groups area displays the LDAP groups that have been mapped to BusinessObjects Enterprise.

Changing LDAP connection parameters and member groups


After you have configured LDAP authentication using the LDAP configuration wizard, you can change LDAP connection parameters and member groups using the LDAP Server Configuration Summary Page. For information on configuring LDAP authentication using the LDAP configuration wizard, see Configuring LDAP authentication on page 230. 1. 2. To change connection settings Go to the Authentication management area of the CMC. Click the LDAP tab. If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area. 3. 4. 5. 6. 7. 8. 9. Delete currently mapped groups that will no longer be accessible under the new connection settings. Click Update. Change your connection settings. Click Update. Change your Alias and New User options. Click Update. Map your new LDAP member groups.

10. Click Update.

242

BusinessObjects Enterprise Deployment and Configuration Guide

Using LDAP authentication Managing LDAP accounts

10

Managing multiple LDAP hosts


Using LDAP and BusinessObjects Enterprise, you can add fault tolerance to your system by adding multiple LDAP hosts. BusinessObjects Enterprise uses the first host that you add as the primary LDAP host. Subsequent hosts are treated as failover hosts. The primary LDAP host and all failover hosts must be configured in exactly the same way, and each LDAP host must refer to all additional hosts from which you wish to map groups. For more information about LDAP hosts and referrals, see your LDAP documentation. To add multiple LDAP Hosts, enter all hosts when you configure LDAP using the LDAP configuration wizard (see Configuring LDAP authentication on page 230 for details.) Or if you have already configured LDAP, go to the Authentication management area of the Central Management Console and click the LDAP tab. In the LDAP Server Configuration Summary area, click the name of the LDAP host to open the page that enables you to add or delete hosts. Note:

Make sure that you add the primary host first, followed by the remaining failover hosts. If you use failover LDAP hosts, you cannot use the highest level of SSL security (that is, you cannot select Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.) For more information, see Configuring LDAP authentication on page 230.

Troubleshooting LDAP accounts


Creating a new LDAP user account

If you create a new LDAP user account, and the account does not belong to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see Configuring LDAP authentication on page 230. If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see Viewing mapped LDAP users and groups on page 242.

BusinessObjects Enterprise Deployment and Configuration Guide

243

10

Using LDAP authentication Managing LDAP accounts

244

BusinessObjects Enterprise Deployment and Configuration Guide

33

Using AD with NTLM or SiteMinder

chapter

11

Using AD with NTLM or SiteMinder Using AD users and groups

Using AD users and groups


BusinessObjects Enterprise supports Active Directory (AD) authentication with the Windows security plug-in, which is included by default when the product is installed on Windows. Support for AD authentication means that users and groups created in Microsoft Active Directory 2000 or 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you, the administrator, to map previously created user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise. Note:

The AD authentication described in this section only works for servers running on Windows systems. If you want to use AD authentication on Unix, you must configure LDAP against AD. For procedural details, see Configuring LDAP authentication on page 230. AD authentication with aggregation is not functional without a network connection. AD authentication with aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).

The section Windows AD security plug-in on page 246 provides overview information about how Active Directory authentication works with BusinessObjects Enterprise. The section that follows, AD and NTLM and SiteMinder workflows on page 248 provides a summary of the workflows for using AD with NTLM authentication and for using AD with SiteMinder. The remaining sections provide the procedural details related to the following:

Configuring AD with NTLM Configuring AD, NTLM and single sign-on Configuring AD with SiteMinder.

Note: Using AD authentication with Kerberos is not covered in this section. For information on Kerberos, see these sections:

Using AD and Kerberos with IIS on page 265 Using AD and Kerberos with Java application servers on page 289

Windows AD security plug-in


Windows AD security plug-in enables you to map user accounts and groups from your Microsoft Active Directory (AD) 2000 or 2003 user database to BusinessObjects Enterprise. It also enables BusinessObjects Enterprise to

246

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see Managing AD accounts on page 236. The AD security plug-in also enables you to use these authentication methods:

NTLM Kerberos

Note: For information on using Kerberos, see Using AD and Kerberos with IIS on page 265 and Using AD and Kerberos with Java application servers on page 289. The AD security plug-in is compatible with both Microsoft Active Directory 2000 and 2003 domains running in either native mode or mixed mode. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on the collaterals disk of your product distribution. This information can also found from the Start menu:
Start > Programs > BusinessObjects XI Release 2 > BusinessObjects Enterprise > BusinessObjects Enterprise Developer Documentation

AD authentication only works for servers running on Windows systems. The Windows AD plug-in for BusinessObjects Enterprise supports multiple domains within the same forest but not multiple forests. All of the following must come from domains in the same forest:

Your CMS machine Your AD Administration credentials All groups and users you are mapping

AD authentication and aggregation is not functional without a network connection. AD authentication and aggregation may not continue to function if the administration credentials become invalid. For example, if the administrator changes his or her password or if the account becomes disabled.

BusinessObjects Enterprise Deployment and Configuration Guide

247

11

Using AD with NTLM or SiteMinder Using AD users and groups

Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group.

To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK). In this scenario, the Windows AD security plug-in queries the operating system for the current users credentials when the client is launched.

To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

BusinessObjects Enterprise provides its own form of anonymous single signon, which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see Setting up AD single sign-on on page 246.

AD and NTLM and SiteMinder workflows


These are the workflows for using AD with NTLM and AD with SiteMinder.

AD and NTLM basic workflow


The workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:

Mapping AD accounts Modifying IIS security settings Modifying the web.config file for impersonation and Windows authentication

AD, NTLM and single sign-on workflow


The workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:

248

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

Mapping AD accounts Modifying IIS security settings Modifying the web.config file for InfoView AD single sign-on

AD and SiteMinder workflow


The workflow for configuring BusinessObjects Enterprise to use IIS with AD and SiteMinder involves these steps:

Mapping AD accounts Configuring the Windows AD plug-in for SiteMinder Whichever of these steps that applies to your deployment type:

Modifying web.config for .NET InfoView and SiteMinder Modifying web.xml for Java AD and SiteMinder

Mapping AD accounts
To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. To map AD users and groups and configure the Windows AD security plug-in for NTLM authentication 1. Go to the Authentication management area of the CMC. 2. Click the Windows AD tab.

BusinessObjects Enterprise Deployment and Configuration Guide

249

11

Using AD with NTLM or SiteMinder Using AD users and groups

3. 4.

Ensure that the Windows Active Directory Authentication is enabled check box is selected. In the Windows AD Configuration Summary area, click the link beside AD Administration Name. Note: Before the Windows AD plug-in is configured, this link will appear as two double quotes. After the configuration has been saved, the link with be populated with the AD Administration names.

5.

Enter the name and password of the domain user account youve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups. Administration credentials can use one of the following formats:

NT name (DomainName\UserName) UPN (user@DNS_domain_name)

Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on. 6. Complete the Default AD Domain field. Note:

Groups from the default domain can be mapped without specifying the domain name prefix. If you enter the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.

250

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

7.

In the Mapped AD Member Groups area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats:

Security Account Manager account name (SAM), also referred to as NT name (DomainName\GroupName) DN (cn=GroupName, ......, dc=DomainName, dc=com)

Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore, they will not be able to access BusinessObjects Enterprise. 8. 9. Click Add. The group is added to the list. For basic NTLM authentication, follow these steps: a. b. a. b. EnsureUse NTLM authentication is selected. Clear Enable Single Sign On for selected authentication mode. Ensure Use NTLM authentication is selected. Ensure Enable Single Sign On for selected authentication mode is selected.

10. For NTLM authentication with single sign-on follow these steps:

11. Select how aliases are mapped to Enterprise accounts. You have these choices:

Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.

12. Select when users and aliases are created. You have these choices:

New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.

BusinessObjects Enterprise Deployment and Configuration Guide

251

11

Using AD with NTLM or SiteMinder Using AD users and groups

13. Select what type of users are created. You have these choices:

New users are created as named users. New users are created as concurrent users.

For further details on these options, see User type options on page 196. 14. Click Update. 15. Click OK.

Setting up AD single sign-on


Installation of the Active Directory plug-in enables you to use AD single signon. However, there are a two additional tasks you will need to complete the configuration for single sign-on for BusinessObjects Enterprise. Completing the configuration for AD single sign-on involves these tasks for IIS:

Modifying IIS security settings on page 252 Modifying the web.config file for impersonation and Windows authentication on page 253

Completing the configuration for AD single sign-on involves these tasks for IIS: Note:

AD single sign-on is not supported on client machines running on Windows 98. By default, AD single sign-on is not enabled.

For information on how to set up end-to-end single sign on with AD and Kerberos, see End-to-end Single sign-on workflow on page 267.

Modifying IIS security settings


1. 2. 3. 4. 5. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Expand the web site that runs your BusinessObjects Enterprise applications. Right-click businessobjects, and then select Properties.

252

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

6. 7. 8.

Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:


9.

Anonymous access Basic authentication

Ensure Integrated Windows authentication is selected.

10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportviewers115 and Styles. 13. Restart your IIS server.

Modifying the web.config file for impersonation and Windows authentication


If you want to use AD authentication, you must modify the web.config file to change the authentication mode used and allow impersonation. This is in addition to changing how IIS is configured. Modify either of the following web.config files based on what application you want to configure.

To configure both the CMC and InfoView, configure the web.config file in the Web Content directory.

To configure only InfoView, configure the web.config file in the InfoView directory. Note: The values in web.config file are case-sensitive. 1. To modify web.config for basic AD authentication Open the appropriate Web.config file from either of the following locations:


2. 3.

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\

Find the following line in the <system.web> block:


<authentication mode="None" />

Replace None with Windows.


<authentication mode="Windows" />

BusinessObjects Enterprise Deployment and Configuration Guide

253

11

Using AD with NTLM or SiteMinder Using AD users and groups

4. 5. 6.

Add the following line:


<identity impersonate="true" />

Save and close the file. Restart IIS.

Modifying the web.config file for InfoView AD single sign-on


If you want to have AD single sign-on for InfoView, you must modify the web.config file for the following reasons:

To change the authentication mode used. To allow impersonation. To enable single sign-on. To specify the authentication default.

These changes are in addition to changing how IIS is configured. Note: The values in web.config file are case-sensitive. 1. To modify web.config for AD single sign-on Open the Web.config file from this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\

2. 3. 4. 5. 6. 7. 8. 9.

Find the following line in the <system.web> block:


<Authentication mode="None" />

Replace None with Windows.


<authentication mode="Windows" />

Add the following line:


<identity impersonate="true" />

Find the following string:


<add key="cmsDefault" value="" />

Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />

Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secWinAD" />

10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file.

254

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in Setting up AD single sign-on on page 252.

Configuring AD and SiteMinder workflow


This section explains how to use AD and SiteMinder. SiteMinder is a thirdparty user access and authentication tool that you can use with the AD security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed Mapping AD accounts on page 249. There are two things you must do to enable AD single sign-on with SiteMinder:

Configure the AD plug-in for single sign-on with SiteMinder Modify either the Web.xml file to use Java and SiteMinder or the Web.config file to use .NET and SiteMinder

Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

Configuring the Windows AD plug-in for SiteMinder


1. 2. 3. 4. 5. To configure the AD plug-in for single sign-on with SiteMinder From the CMC, click Authentication. Click on the Windows AD tab. Scroll down to the SiteMinder options area of the page. Click Disabled. The Windows AD SiteMinder configuration page will appear. If you have not configured the Windows AD plug-in, you will receive a warning and will be asked if you wish to continue. Click OK.

BusinessObjects Enterprise Deployment and Configuration Guide

255

11

Using AD with NTLM or SiteMinder Using AD users and groups

The AD SiteMinder configuration page will appear.

6. 7. 8. 9.

Click Use SiteMinder Single Sign On. In the Policy Server Host box, type the name of each Policy Server, and click Add. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers. Enter the name of the Agent Name and the Shared Secret. Enter the Shared Secret again. Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

10. Click Update.

256

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

Modifying web.xml for Java AD and SiteMinder


1. To enable Java AD SiteMinder Open the web.xml file for InfoView, from its deployed location on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>

Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>

4. 5.

Set the <param-value> for the authentication.default to secWinAD.


<param-value>secWinAD</param-value>

6. 7. 8. 9.

Find the following string in the file:


<param-name>sso.enabled</param-name>

Change the <param-value> for sso.enabled from false to true.


<param-value>true</param-value>

Find the following string in the file:


<param-name>siteminder.enabled</param-name>

Change the <param-value> for siteminder.enabled from false to true.


<param-value>true</param-value>

10. Find the following string in the file:


<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secWinAD.


<param-value>secWinAD</param-value>

12. Save and close the file. 13. Restart your web application server.

BusinessObjects Enterprise Deployment and Configuration Guide

257

11

Using AD with NTLM or SiteMinder Using AD users and groups

Modifying web.xml for Java AD Single sign-on to InfoView


1. To enable Java AD single sign-on Open the web.xml file for InfoView, from its deployed location on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>

Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>

4. 5. 6. 7. 8. 9.

Set the <param-value> for the authentication.default to secWinAD.


<param-value>secWinAD</param-value>

Find the following string in the file:


<param-name>sso.enabled</param-name>

Change the <param-value> for sso.enabled from false to true.


<param-value>true</param-value>

Save and close the file. Restart your web application server.

Modifying the web.xml file for Java AD and SiteMinder


1. To enable the Java AD client for SiteMinder Open the web.xml file for InfoView, from its deployed location on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you

258

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>cms.default</param-name>

Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber. Find the following string in the file:
<param-name>authentication.default</param-name>

4. 5. 6. 7. 8. 9.

Set the <param-value> for the authentication.default to secWinAD.


<param-value>secWinAD</param-value>

Find the following string in the file:


<param-name>sso.enabled</param-name>

Change the <param-value> for sso.enabled from false to true.


<param-value>true</param-value>

Find the following string in the file:


<param-name>siteminder.enabled</param-name>

Change the <param-value> for siteminder.enabled from false to true.


<param-value>true</param-value>

10. Find the following string in the file:


<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secWinAD.


<param-value>secWinAD</param-value>

12. Save and close the file. 13. Restart your web application server.

Modifying web.config for .NET InfoView and SiteMinder


1. To enable .NET InfoView client for SiteMinder Open the web.config file for InfoView, from its deployed location for IIS.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

Note: The path mentioned is the default location. Modify your path accordingly if you changed the default location. 2. Find the following string in the file:

BusinessObjects Enterprise Deployment and Configuration Guide

259

11

Using AD with NTLM or SiteMinder Using AD users and groups

<add key="cmsDefault" value="" />

3. 4. 5. 6. 7. 8. 9.

Enter the CMS name in the cmsDefault value field. Find the following string in the file:
<add key="authenticationDefault" value="secEnterprise" />

Set the value for the authenticationDefault to secWinAD. Find the following string in the file:
<add key="ssoEnabled" value="false" />

Change the value for ssoEnabled from false to true. Find the following string in the file:
<add key="siteminderEnabled" value="true" />

Ensure the value for siteminderEnabled is set to true.


<add key="siteminderAuthentication" value="secLDAP" />

10. Find the following string in the file: 11. Set the value for sitemindeAuthentication to secWinAD.
<param-value>secWinAD</param-value>

12. Save and close the file. 13. Restart IIS.

Disabling SiteMinder for Java clients


If you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC, modify the web.xml file for Infoview. 1. To modify web.xml to disable SiteMinder Open the web.xml file for InfoView on your web application server.
<DeployedLocation>businessobjects\enterprise115\desktopl aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. Find the following string in the file:
<param-name>siteminder.enabled</param-name>

Change the <param-value> from true to false.


<param-value>false</param-value>

260

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

4. 5.

Save and close the file. Restart your web application server.

Disabling SiteMinder for .NET clients


If you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC for .NET, modify the web.config file for InfoView. 1. To modify web.config to disable SiteMinder for .NET clients Open the web.config file for InfoView on your web application server.
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2. 3. 4. 5.

Find the following string in the file:


<add key="siteminderEnabled" value="true" />

Change the value from true to false.


<param-value>false</param-value>

Save and close the file. Restart IIS.

Troubleshooting single sign-on


This section contains some of the common configuration errors which can single sign-on not to function properly.

Disabled single sign-on Security context problem Duplicate ssoEnabled tags

Disabled single sign-on


Despite the fact that single sign-on has been configured in the web.config files, users receive the following error:
The administrator has disabled Single Sign-On logons for this authentication plugin. Please log on using your username and password.

This problem occurs when single sign-on configuration is missing from the CMC but present in all the other required locations. 1. 2. To enable single sign-on in the CMC Go to the Authentication area of the CMC. Click the Window AD.

BusinessObjects Enterprise Deployment and Configuration Guide

261

11

Using AD with NTLM or SiteMinder Using AD users and groups

3. 4.

In the Authentication Options area of the page, select Enable Single Sign On for selected authentication mode. Restart IIS.

Security context problem


After single sign-on has been set up, when the users attempt to access InfoView, they receive the following error:
An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.

This can be caused because the impersonation setting has been set incorrectly or the setting is missing from the web.config file. 1. To fix this problem Open the web.config file at this location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2.

Make sure both of these lines exist in the file.


<authentication mode="Windows"/> <identity impersonate="true" />

If either line is missing, add it, if either has a different setting, change it to match the required setting. 3. 4. Save and close the file Restart IIS.

Duplicate ssoEnabled tags


Single sign-on has been configured in the web.config files, but the InfoView Log on screen appears with a blank user name and password, and with Windows AD authentication selected. If you click the Log on you are logged on successfully. No error message is displayed. This can occur if you have multiple contradictory values set for the key ssoEnable in the web.config file. Consider the following sample where the ssoEnable is set twice: the first time it is set to true, the second time it is set to false.
<add <add <add <add key="cmsDefault" value="ABCADEI01" /> key="ssoEnabled" value="true" /> key="authenticationDefault" value="secWinAD" /> key="cmsVisible" value="true" />

262

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD with NTLM or SiteMinder Using AD users and groups

11

. . . <!-<add <add <!-<add

Set to false to disable Siteminder sso --> key="siteminderEnabled" value="true" /> key="siteminderAuthentication" value="secLDAP" /> Set to true to enable other Single Sign On --> key="ssoEnabled" value="false" />

1.

To remove the duplicate tag Open the web.config from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content

2. 3. 4. 5.

Search for the following throughout the file:


ssoEnabled

If you find multiple occurrences, ensure the first one has the setting you want, then delete the duplicate tags. Save and close the file. Restart IIS.

BusinessObjects Enterprise Deployment and Configuration Guide

263

11

Using AD with NTLM or SiteMinder Using AD users and groups

264

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS

chapter

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Configuring Kerberos for IIS


This section contains the tasks related to configuring Kerberos and single sign-on for use with IIS. If you are using IIS and Kerberos but do not want to use single sign-on, the steps outlined in this section are required. For information on using IIS and Kerberos without single sign-on, see Using AD with NTLM or SiteMinder on page 245. If you are using Java, see Using AD and Kerberos with Java application servers on page 289.

Kerberos, IIS and single sign-on options


If you are using IIS and Kerberos, you have the following options for single sign-on:

Single sign-on Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.

Single sign-on to the database Once users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access. In particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos. For details on which databases are supported for single-sign on, consult the platforms.txt file included with your product distribution.

End-to-end single sign-on End-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the frontend, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.

266

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

Workflows for Kerberos and IIS


This section summarizes the workflows for using IIS, Kerberos and AD on BusinessObjects Enterprise. For details on what these terms mean, see information about the levels of single sign-on that are supported for use with IIS in BusinessObjects Enterprise, see Kerberos, IIS and single sign-on options on page 266.

Basic AD and Kerberos workflow


Configuring AD and Kerberos includes these steps:

Setting up a service account on AD Granting the service account rights Configuring the servers to use the service account Configuring IIS for integrated Windows authentication Modifying web.config for impersonation and Windows authentication Enabling Kerberos authentication in the Windows AD plug-in

AD and Kerberos with single sign-on workflow


Configuring AD and Kerberos single sign-on includes these steps:

Setting up a service account on AD Granting the service account rights Configuring IIS for integrated Windows authentication Configuring the servers to use the service account Modifying web.config for InfoView single sign-on Enabling Kerberos authentication in the Windows AD plug-in

Single sign-on to database workflow


Configuring single sign-on to database includes these steps:

Modifying the AD plug-in settings for database single sign-on Configuring web applications for database single sign-on Configuring IIS for database single sign-on Configuring the database server for single sign-on

End-to-end Single sign-on workflow


Configuring end-to-end single sign-on includes these steps:

Modifying the AD plug-in settings for database single sign-on Configuring IIS and browsers

BusinessObjects Enterprise Deployment and Configuration Guide

267

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Configuring IIS for end-to-end single sign-on Modifying web.config for InfoView single sign-on Configuring Kerberos for IIS on page 266

Setting up a service account on AD


To configure BusinessObjects Enterprise for Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. How you create this account varies slightly depending on what version of Active Directory Domain you are using:

If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 268 If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 269.

After you set up the service account, you will need to grant the account appropriate rights, see Granting the service account rights on page 270.

Setting up a service account with delegation on a Windows 2000 Domain


1. 2. 3. 4. To set up the service account on a Windows 2000 Domain Create an account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ Right-click on the user account, then select Properties. Click the Account tab. Select these account options:


1.

Account is trusted for delegation Use DES encryption types for this account

To run the SPN utility on Windows 2000 Download the utility from this location to your Domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/ tools/existing/setspn-o.asp

2.

Open a command prompt and enter this command:


SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount

268

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

Setting up a service account with delegation on a Windows 2003 Domain


1. To set up the service account on a Windows 2003 Domain Create a new account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ 2. 3. 4. 5. Right-click on the user account, then select Properties. Click the Account tab. Select the following under Account Options:

Use DES encryption types for this account

Open a Command Prompt and enter this command:


SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. 6. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 7. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command. 8. 9. Select Trust this user for delegation to any service (Kerberos only) Click OK.

Configuring the servers


Configuring the BusinessObjects Enterprise servers includes these steps:

Granting the service account rights on page 270 Configuring the servers to use the service account on page 270

BusinessObjects Enterprise Deployment and Configuration Guide

269

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Granting the service account rights


In order to support AD and Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running the following servers:

CMS Page Server Report Application Server Web Intelligence Report Server

Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Control Panel > Administrative Tools > Local Security Policy. Expand Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Enter the name of the service account you created, then click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.

Configuring the servers to use the service account


In order to support Kerberos single sign-on, you must use CCM and configure the following servers to log on as the service account:

CMS server Page Server Report Application Server Web Intelligence Report Server

Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on AD on page 268. 1. 2. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server.

270

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

3. 4.

Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, then click OK.

5. 6.

Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.

Enabling Kerberos authentication in the Windows AD plug-in


In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:


Prerequisites

Ensuring Windows AD authentication is enabled. Entering the AD Administrator account. Note: This account requires read access to Active Directory only; it does not require any other rights. Entering the service principal name (SPN) for the service account. If you want to use single sign-on, you will also have to enable single signon in the CMC.

Before you configure the Windows AD security plug-in for Kerberos, you must have completed the following tasks:


1. 2.

Setting up a service account on AD on page 268 Granting the service account rights on page 270 Configuring the servers to use the service account on page 270 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab.

BusinessObjects Enterprise Deployment and Configuration Guide

271

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

3.

Ensure that the Windows Active Directory Authentication is enabled check box is selected.

4. 5.

In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name. Enter the AD administrators credentials in the Name and Password fields.

Note:


6.

Use the format DOMAIN\Account in the Name field. The AD Administrator account requires read access to Active Directory only; it does not require any other rights.

Enter the default domain in the Default AD Domain field. Note: Use The FQDN format for the AD default domain and enter the domain in uppercase.

7.

Click Update.

272

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

8.

In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.

9.

Under Authentication Options select the following:

Select the Use Kerberos authentication check box.

If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box. In the service principal name: field, enter the service principal name of the service account. Note:

BusinessObjects Enterprise Deployment and Configuration Guide

273

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

The Service Principal Name is case sensitive. The case must match exactly what you have set up on your AD domain. This must be the same account that you use to run the BusinessObjects Enterprise. The domain name is entered in uppercase. This must be the same account that you use to run the BusinessObjects Enterprise servers. This is the AD account you created in this step: Setting up a service account on AD on page 268.

10. Select how aliases are mapped to Enterprise accounts. You have these choices:

Assign each added AD alias to an account with the same name. Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.

11. Select when users and aliases are created. You have these choices:

New aliases will be added and new users will be created. No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.

12. Select what type of users are created. You have these choices:

New users are created as named users. New users are created as concurrent users.

For further details on these options, see User type options on page 196. 13. Click Update.

Modifying web.config for impersonation and Windows authentication


1. To modify web.config for Windows authentication and impersonation Open the Web.config file from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\

274

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

2. 3. 4. 5. 6.

Find the following line in the <system.web> block:


<Authentication mode="None" />

Replace None with Windows. Find the following line:


<identity impersonate="false" />

Change the value to true. Save and close the file.

Modifying the AD plug-in settings for database single sign-on


1. 2. 3. 4. To modify the CMC settings for database single sign-on Go the Authentication area of the CMC. Click the Windows AD tab. Scroll down to Authentication Options area of the page. Clear the Enable Single Sign On for selected authentication mode check box on the Windows AD page in the Authentication management area in CMC.

Configuring IIS and browsers


In order to support Kerberos end-to-end single sign-on, you have to configure the BusinessObjects Enterprise clients. This includes:

Configuring IIS for integrated Windows authentication on page 275 Configuring the Internet Explorer browser on a client machine on page 276

Configuring IIS for integrated Windows authentication


To support Kerberos, you have to configure the BusinessObjects clients on IIS to use integrated Windows authentication. 1. 2. 3. 4. 5. 6. To configure the clients for Windows authentication On IIS, in the Internet Information Services window, expand the tree on the left and go to businessobjects under Default Web Site. Right-click businessobjects and select Properties. On the Directory Security tab, click Edit. If it is selected, clear Anonymous Access. Select Integrated Windows Authentication. Click OK, then click OK again.

BusinessObjects Enterprise Deployment and Configuration Guide

275

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

7.

Repeat the above for crystalreportviewers115 and styles.

Configuring the Internet Explorer browser on a client machine


To support Kerberos end-to-end single sign-on, you have to configure the Internet Explorer (IE) browser on the BusinessObjects Enterprise client machines. This includes:

Setting up the client machines for integrated Windows authentication. Adding IIS to the trusted sites. In configuring IIS for database single sign-on, you do not need to configure the browser for single sign-on. See also Configuring IIS for database single sign-on on page 281. You can automate the following steps through a registry key. For details, refer to your Windows documentation. To configure the IE browser on the client machines On the client machine, open an Internet Explorer browser window. Enable integrated windows authentication. a. b. c. d. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Advanced tab. Navigate to the Security settings. Click the Enable integrated windows authentication option, and click Apply.

Note:

1. 2.

3.

Add IIS to the Trusted sites. You can enter the full domain name of the site. a. b. c. d. e. f. Click Tools > Internet Options. The Internet Options dialog box appears. Click the Security tab. Click Sites. Click Advanced. Type in the web site for IIS, and click Add. Click OK, then click OK twice more to close the Internet Options dialog box.

4.

Close the Internet Explorer browser windows and then open them again for the changes to take effect.

276

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

5.

Repeat the above steps on each BusinessObjects Enterprise client machine.

Configuring IIS for end-to-end single sign-on


To support Kerberos end-to-end single sign-on, the worker processes of IIS have to run under a domain account that is trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:

Configuring IIS 5 for Kerberos end-to-end single sign-on on page 277 Configuring IIS 6 for Kerberos end-to-end single sign-on on page 279

Note: Instead of configuring IIS worker processes for end-to-end single signon you can configure them to use database single sign-on. You may want to do this, for example, if you dont want to run IIS worker processes under an account that has been trusted for delegation. For more information, see:

Configuring IIS for database single sign-on on page 281 Configuring web applications for database single sign-on on page 285

Configuring IIS 5 for Kerberos end-to-end single sign-on


To support Kerberos end-to-end single sign-on, you have to set IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation. You can run IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which will result in an error condition.

The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:

To configure IIS 5 for database single sign-on on page 282 To run IIS 5 worker process under a user domain account on page 278

BusinessObjects Enterprise Deployment and Configuration Guide

277

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

1.

To run IIS 5 worker process under the machine domain account On the domain controller, set the domain account of IIS machine to be trusted for delegation. Changing this property can take several minutes to propagate. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c onfig file:

2.

userName="SYSTEM" Password="AutoGenerate"

In the above path name, version represents the software version. Note:


3.

Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Running IIS 5 worker processes under a user domain account


1. To run IIS 5 worker process under a user domain account Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c onfig file:

userName="domainaccount" Password="password"

Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account. In the above path name, version represents the software version. Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.

278

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

2.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Configuring IIS 6 for Kerberos end-to-end single sign-on


To support Kerberos for end-to-end single sign-on, you have to set IIS and w3wp.exe worker process to run as an account that has been trusted for delegation. You can run IIS either under the machine domain account or under user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and may expire, which will result in an error condition.

The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:

To run IIS 6 worker processes under the machine domain account on page 279 To run IIS 6 worker processes under a user domain account on page 280

Running the IIS 6 worker processes under a domain account


1. To run IIS 6 worker processes under the machine domain account On the domain controller, set the account of IIS machine to be trusted for delegation. Note:

Changing this property can take several minutes to propagate. If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281.

BusinessObjects Enterprise Deployment and Configuration Guide

279

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

2.

Configure the account for the w3wp.exe worker process: a. b. c. In the Internet Service Manager window, right-click the machine name and select Application Pool > New. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > EnterpriseX (where X equals your version number). Right-click InfoView and select Properties. On the Home Directory tab, select the new application pool name from the list, and click Apply. Right-click the application
pool

d. e. f. g.

you created, and select Properties.

On the Identity tab, select LocalSystem from the list, and click Apply. Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group.

Note:


3.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Running the IIS 6 worker processes under a user domain account


1. To run IIS 6 worker processes under a user domain account Set the w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the
\WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.c onfig file:

userName="domainaccount" Password="password"

In the above path name, version represents the software version. Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.

280

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

Note: If you dont want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for database single sign-on on page 281. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group. 2. Add the domain account to IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http:// msdn.Microsoft.com/ If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

3.

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Configuring IIS for database single sign-on


When using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases. Below is a summary of the tasks required to set up a single sign-on to database:

Configure IIS worker processes to run as a domain account. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:

Configuring IIS 5 for single sign-on to database only on page 282 Configuring IIS 6 for single sign-on to database on page 283

Configure the web applications for single sign-on to the database. See Configuring web applications for database single sign-on on page 285. Modify the Windows AD options. See Modifying the AD plug-in settings for database single sign-on on page 275.

BusinessObjects Enterprise Deployment and Configuration Guide

281

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Configuring IIS 5 for single sign-on to database only


To support database single sign-on, you have to set the Aspnet_wp.exe worker process to run as a domain account. You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.

The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsoft s web site: http:// www.microsoft.com/ 1. To configure IIS 5 for database single sign-on Make sure your BusinessObjects Enterprise web site on IIS is running as a domain account. Note: Unless you specified a different web site during installation, this will be the Default Web Site under IIS. 2. Locate and open the machine.cong file. This file can be found at the following location:
C:\Winnt\Microsoft.NET\Framework\version\CONFIG\ where,
version

represents the software version number.

3. 4.

Find the processModel Attributes area in the file. Set UserName and password as follows:


5.

userName="SYSTEM" Password="AutoGenerate".

Save and close the file. Note:


6.

Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

282

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

setspn -A HTTP/serverhost.domainname.com serverhost

For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.

Configuring IIS 6 for single sign-on to database


To support single sign-on to the database, you have to set the w3wp.exe worker process to run as a machine or user domain account, You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and wont expire, nor will it be exposed or modified. If you use a user domain account you have more control over the rights for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.

The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsofts web site: http://www.microsoft.com/ 1. To configure IIS 6 for database single sign-on Make sure the BusinessObjects Enterprise IIS web site is running as a domain account. Note: Unless you specified a different site during installation, this will be the Default Web Site under IIS. 2. Configure the account for the w3wp.exe worker process: a. b. c. d. e. f. g. h. In the Internet Information Services Manager window, expand the computer name. Right-click Application Pool and select New > Application Pool. Type in a name for the application pool. In the tree panel on the left, expand to Default Web Site > businessobjects > Enterprise115. Right-click InfoView and select Properties. On the Directory tab select the new application pool name from the application pool list, and then click Apply. Right-click the application pool you created, and select Properties. On the Identity tab, select LocalSystem from the list, and click Apply.

BusinessObjects Enterprise Deployment and Configuration Guide

283

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Note:


3.

Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts. For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:
setspn -A HTTP/serverhost.domainname.com serverhost

For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.

Modifying web.config for InfoView single sign-on


In order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. If you want to use database single sign-on instead of end-to-end single signon, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See Configuring web applications for database single sign-on on page 285. Note: The values in web.config file are case-sensitive. 1. To modify web.config for InfoView single sign-on Open the appropriate Web.config file from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\

2. 3. 4. 5. 6. 7.

Find the following line in the <system.web> block:


<Authentication mode="None" />

Replace None with Windows.


<authentication mode="Windows" />

Add the following line:


<identity impersonate="true" />

Find the following string:


<add key="cmsDefault" value="" />

Enter the CMS machine in the cmsDefault value field. Find the following string:
<add key=" ssoEnabled" value="false" />

284

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

8. 9.

Change the ssoEnabled value from false to true. Find the following string:
<add key="authenticationDefault" value="secWinAD" />

10. Ensure the value for authenticationDefault is set to secWinAD. 11. Save and close the file. 12. Restart IIS. Note: For AD single sign-on to function correctly, make sure you complete all tasks that apply to the type of single sign-on you are using, as outlined in Workflows for Kerberos and IIS on page 267.

Configuring web applications for database single sign-on


If you want to use database single sign-on instead of end-to-end single signon, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on IIS as follows: Note: If you want to use database single sign-on, see also Configuring IIS for database single sign-on on page 281. 1. To configure the web applications for database single sign-on To set the CMC to not impersonate the user, add the following line to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web Content\Web.config file:

<identity impersonate="false" /> 2. 3. 4. Locate the following line:


<Authentication mode="None" />

Change the value from None to Windows. To set InfoView to not impersonate the users, add the following line to the <system.web> block in the C:\Program Files\Business
Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config file:

<identity impersonate="false" /> 5. 6. 7. Locate the following line:


<Authentication mode="None" />

Change the value from None to Windows. Save and close the files.

Note: Make sure you set identity impersonate to false.

BusinessObjects Enterprise Deployment and Configuration Guide

285

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting the authentication method that applies to them. Once they are logged on, the users will have database single sign-on access associated with BusinessObjects Enterprise.

Configuring the database server for single sign-on


This section provides information that is specific to setting up single sign-on to SQL Server databases. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. For general information and for information about single sign-on to other supported databases, refer to the database vendors support documentation.

Configuring SQL Server for single sign-on


In order for Kerberos single sign-on to work, the machines running SQL Server database must be trusted for delegation. Setting up security delegation varies depending on whether SQL Server has been configured to run under the LocalSystem account or under a service account:

If SQL Server is running under the LocalSystem account, no additional configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account. If SQL Server is running under a service account, you have to configure to be trusted for delegation. To run SQL Server under a service account In Active Directory, set up the SQL Server service account for security delegation: a. b. c. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Right-click the domain account and select Properties. On the Accounts tab, make sure the following options are selected:

1.

In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account. In Windows 2003, ensure that these two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.

286

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with IIS Configuring Kerberos for IIS

12

Note: If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account. 2. Set the machine running SQL Server as follows: a. b. 3. Computer is trusted for delegation Click Apply, and click OK.

Add an SPN for the service account of the SQL Server:


setspn -A MSSQLSvc/host:port serviceaccount

Where host:port is the name of the machine running SQL Server and the port, and serviceaccount is the name of the SQL Server service account.

Server cache expiry


When the system is using AD and Kerberos single sign-on, it uses the cache expiry for certain BusinessObjects Enterprise servers to determine whether a logon ticket is still valid. This applies to the CMS, Page Server, Report Application Server, and Web Intelligence Report Server. The CMS uses the cache expiry as follows:

If the CMS cache expiry is greater than that of the ticket, the system renews the ticket until the CMS cache expiry is reached. If the CMS cache expiry is less than that of the ticket, the ticket will expire when the CMS cache expiry is reached. If the CMS cache expiry is zero, the system will use the globally set ticket expiry.

The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached. The system comes configured with default values for the server cache expiry. To change the default values for the cache expiry, see Modifying the default cache expiry value on page 287. Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.

Modifying the default cache expiry value


1. 2. To change the default cache expiry value Go to the Servers management area of the CMC. Click the link for the server.

BusinessObjects Enterprise Deployment and Configuration Guide

287

12

Using AD and Kerberos with IIS Configuring Kerberos for IIS

3. 4. 5.

Click the Single Sign-On tab. Type in a new cache expiry value. Click Update.

288

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers

chapter

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Configuring Kerberos for Java application servers


This section contains the tasks related to configuring Kerberos for use with these Java application servers: Tomcat, WebSphere, WebLogic, and Oracle Application Server. Note: SAP Web Application Server with Java AD with Kerberos is not supported. This section contains this information:

Two type of workflows.

The general workflow that you must follow regardless of the web application server your are using. The workflow specific to your Java web application server. This second workflow is necessary because the implementation of Java Authentication and Authorization Service (JAAS) varies between different application servers.

The procedural details for each step in the workflow. Two samples of Krb5.ini files. Troubleshooting information.

Note: If you are using IIS and Kerberos, see Workflows for Kerberos and IIS on page 267.

General workflow for configuring Kerberos


This section outlines the process of setting up BusinessObjects Enterprise and your Java application server to use AD with Kerberos authentication. Configuration process overview Setting up Kerberos includes these steps:

Setting up a service account Granting the service account rights Configuring the servers to use the service account Kerberos authentication in the Windows AD plug-in

290

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Workflow for configuring Tomcat for Kerberos


If you are using Tomcat, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Tomcat or WebLogic Modifying your Java options for Kerberos on Tomcat

Workflow for configuring WebSphere for Kerberos


If you are using WebSphere, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.

Configuring Kerberos and single sign-on for Java InfoView Creating the JAAS login configuration file for WebSphere Modifying the Java options for Kerberos on WebSphere

Workflow for configuring WebLogic for Kerberos


If you are using WebLogic, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server. Creating the JAAS login configuration file for Tomcat or WebLogic Modifying the Java options for Kerberos on WebLogic

Workflow for configuring Oracle for Kerberos


If you are using Oracle, and you want to use Kerberos, you must complete these steps, in addition to the General workflow for configuring Kerberos on page 290.

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server Creating the JAAS login configuration file for Oracle Application Server Modifying the Java options for Kerberos on Oracle Application Server

BusinessObjects Enterprise Deployment and Configuration Guide

291

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Setting up a service account


To configure BusinessObjects Enterprise using Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. After you set up the service account, you will need to grant the account appropriate rights, see Granting the service account rights on page 295. How you create this account varies slightly depending on what version of Active Directory Domain you are using:

If you are using a Windows 2000 Domain, see Setting up a service account with delegation on a Windows 2000 Domain on page 292 and Creating an SPN for your CMS on a Windows 2000 domain on page 293. If you are using a Windows 2003 Domain, see Setting up a service account with delegation on a Windows 2003 Domain on page 293 and Creating an SPN for your CMS on a Windows 2003 domain on page 294. If you are using a Windows 2003 Domain, you also have the option of setting up constrained delegation. See Setting up constrained delegation on page 294 for more information.

Note: In a forest with multiple domains you can create this service account in any domain. All domains that trust the domain you have created the service account in will be able to authenticate.

Setting up a service account with delegation on a Windows 2000 Domain


1. 2. 3. 4. To set up the service account on a Windows 2000 Domain Create an account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ Right-click on the user account, then select Properties. Click the Account tab. Select these account options:

Account is trusted for delegation Use DES encryption types for this account

292

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Creating an SPN for your CMS on a Windows 2000 domain


1. To run the SPN utility on Windows 2000 Download the utility from this location to your Domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/ tools/existing/setspn-o.asp

Note: The SETSPN utility is a program that allows you to manage the Service Principal Name (SPN) for service accounts in Active Directory. 2. Open a command prompt and enter this command:
SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

Setting up a service account with delegation on a Windows 2003 Domain


1. To set up the service account on a Windows 2003 Domain Create a new account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/ 2. 3. 4. 5. 6. Right-click on the user account, then select Properties. Click the Account tab. Select the following under Account Options:

Use DES encryption types for this account

Run the SPN utility. For details, see Creating an SPN for your CMS on a Windows 2003 domain on page 294. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.

7.

Select this option: Trust this user for delegation to any service (Kerberos only)

BusinessObjects Enterprise Deployment and Configuration Guide

293

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Note: If you are using a 2003 Active Directory domain, and you need to restrict delegation, see Setting up constrained delegation on page 294. 8. Click OK.

Creating an SPN for your CMS on a Windows 2003 domain


1. To run the SPN utility Open a Command Prompt and enter this command:
SETSPN.exe A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service. Note: The name of your service account is case-sensitive. 2. Verify that you receive a message similar to this one: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/ HOSTNAME.DOMAIN.COM Updated object 3. Click the Delegation tab. Note: You will not see the Delegation tab until after you have entered the SETSPN command.

Setting up constrained delegation


If your company has a policy against trusting a specific service account for delegation to any service, and you are using Active Directory on Windows 2003, you may set up constrained delegation. Setting up constrained delegation is done after you create the service account. Constrained delegation allows you to limit what services an account can delegate to, rather then allowing an authorized user to delegate to all services.You can set up constrained delegation in these ways:

Setting up constrained delegation for a service account on page 295

This method allows you to limit the amount of delegation permitted. Constrained delegation for a service account allows you to do further limit delegation to a specific service for a specific user on a specific computer. Because constrained delegation for a service account is more restrictive, it is considered a more secure option. Note: Constrained delegation is only supported on Active Directory 2003.

294

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Setting up constrained delegation for a service account


1. 2. Select the name of the computer or account you created to use as the service account, then click OK. Create a SPN for the CMS server. Type the following command:
SETSPN.exe A BOBJCentralMS/HOSTNAME CMS_Machine_Name


3. 4. 5. 6. 7. 8. 9.

Replace HOSTNAME with the fully qualified name of your machine running the CMS service: For example, machine_name.domain_name.com. Replace CMS_Machine_Name with the name of machine running the CMS service.

Open Active Directory. Expand Users and Computers. Select the Users folder. Select the service account user. Right-click, then select Properties. Click on the Delegation tab. Select Trust this user for delegation to specified services only.

10. Ensure Use Kerberos only is selected. 11. Click Add. 12. Click Users and Computers. 13. Enter the CMS_machine_name you specified in step 2, then click OK. 14. Select BOBJCentralMS from the list of services, then click OK. 15. Click OK.

Configuring the servers


Configuring the BusinessObjects Enterprise servers includes these steps:

Granting the service account rights on page 295 Configuring the servers to use the service account on page 297

Granting the service account rights


In order to support Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running these servers:

CMS

BusinessObjects Enterprise Deployment and Configuration Guide

295

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Page Server Report Application Server Web Intelligence Report Server

Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. 5. 6. 7. To grant the service account rights Click Start > Administrative Tools > Local Security Policy. Click Local Policies, then click User Rights Assignment. Double-click Act as part of the operating system. Click Add. Type the name of the user to add, and click OK. Ensure that the Local Policy Setting check box is selected, and click OK. Repeat the above steps on each machine running a BusinessObjects Enterprise server.

Note: It is important that the Effective Right ends up being checked after Act as part of the operating system is selected. Typically, you will need to restart the server for this to occur. If, after restarting the server, this option is still not on, your Local Policy settings are being overridden by your Domain Policy settings.

Adding the Service Account to the servers Local Administrators group


In order to support Kerberos, the service account must be part of the local Administrators group for each server that has one of the following services deployed:

CMS Page Server Report Application Server Web Intelligence Report Server

Note: To complete this procedure, you require a service account that has been trusted for delegation. For details, see Setting up a service account on page 292. You must also have administrative rights on the server. 1. 2. To add an account to the Administrators Group On the desired machine, right-click My Computer and then click Manage. Go to System Tools > Local Users and Groups > Groups.

296

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

3. 4. 5. 6. 7.

Right-click Administrators and then click Add to Group... Click Add... and enter the logon name of the service account. Click Check Names to ensure the account resolves. Click Ok and then click OK again. Repeat these steps for each Business Objects server that has to be configured.

Configuring the servers to use the service account


In order to support Kerberos, you must use the CCM and configure the following servers to log on as the service account:

CMS server Page Server Report Application Server Web Intelligence Report Server

Note: To complete this procedure, you require a service account that has been trusted for delegation. See Setting up a service account on page 292. 1. 2. 3. 4. To configure a server Start the CCM. Stop the server you want to configure, for example, the CMS server. Double-click the server you want to configure. The Properties dialog box is displayed. On the Properties tab: a. b. c. 5. 6. In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and click OK.

Start the server again. Repeat steps 2 through 5 for each BusinessObjects server that has to be configured.

Kerberos authentication in the Windows AD plug-in


In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:

Ensuring Windows AD authentication is enabled. Entering the AD Administrator account.

BusinessObjects Enterprise Deployment and Configuration Guide

297

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

This account requires read access to Active Directory only; it does not require any other rights.

Enabling Kerberos authentication and single sign-on, if single sign-on is desired.

Note: If you enable single sign-on in the CMC, you also must configure it in the web.xml file. For details, see Configuring Kerberos and single sign-on for Java InfoView on page 312.

Entering the service principal name (SPN) for the service account.

Prerequisites
Before you configure the Windows AD security plug-in for Kerberos, you must have completed these tasks:


1. 2. 3.

Setting up a service account on page 292 Granting the service account rights on page 295 Configuring the servers to use the service account on page 297 To configure the Windows AD security plug-in for Kerberos Go to the Authentication management area of the CMC. Click the Windows AD tab. Ensure that the Windows Active Directory Authentication is enabled check box is selected.

4.

In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.

298

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

5.

Enter the credentials that have read access to Active Directory in the Name and Password fields.

Note:


6.

Use the format Domain\Account in the Name field. The account requires read access to Active Directory only; it does not require any other rights.

Enter the default domain in the Default AD Domain field. Note: Use The FQDN format and enter the domain in uppercase. Note: In a deployment with multiple domains, the Default AD Domain may be any of the desired domains. The best practice is to use the domain with the largest number of users that will be authenticating with their AD account.

7.

In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add. Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see Managing Users in the BusinessObjects Enterprise Administrators Guide.

BusinessObjects Enterprise Deployment and Configuration Guide

299

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

8.

In the Authentication Options area, select Use Kerberos authentication.

Note:


9.

If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode. If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box.

In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account you created in the section Creating an SPN for your CMS on a Windows 2000 domain on page 293 or Creating an SPN for your CMS on a Windows 2003 domain on page 294. Use the following format, where svcacct is the name of your service account or SPN, and DNS.COM is your fully qualified domain in uppercase. For example, the Service Account would be svcacct@DNS.COM and the SPN would be BOBJCentralMS/MACHINE.DOMAIN.COM@DOMAIN.COM

300

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Note:

If you plan to enable Single Sign-On to Java InfoView with users from multiple domains, you must enter the SPN in this field. The service account is case sensitive. The case of the account you enter here must match with what is set up in your Active Directory Domain. If your UPN and SAM name are not identical, enter the UPN name. This must be the same account that you use to run the BusinessObjects Enterprise servers or the SPN that maps to this account. See Setting up a service account on page 292. When manually logging on to Java InfoView, users from other domains must log on with their AD account in UPN format. This is what is displayed in the logon name field in the AD Users and Computers snap-in. For example: user@child.parentdomain.com

10. Select how aliases are mapped to Enterprise accounts. You have these choices:

Assign each added AD alias to an account with the same name Create a new account for every added AD alias. For further details on these options, see Alias options on page 196.

11. Select when users and aliases are created. You have these choices:

New aliases will be added and new users will be created No new aliases will be added and new users will not be created. Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see Update options on page 197.

12. Select what type of users are created. You have these choices:

New users are created as named users New users are created as concurrent users

Note: For further details on these options, see User type options on page 196. 13. Click Update.

BusinessObjects Enterprise Deployment and Configuration Guide

301

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Configuring Kerberos for your Java application server


The specific process of configuring Kerberos for a Java application server varies slightly depending on which Java application server is used. However, the general process of configuring Kerberos on your application server involves these steps:

Creating the Kerberos configuration file. Creating the JAAS login configuration file. Modifying the Java Options. Restarting you Java application server. SAP Web Application Server and Java AD with Kerberos is not supported. The default Active Directory domain must be in uppercase DNS format. You are no longer required to download and install MIT Kerberos for Windows. You also no longer require a keytab for your service account.

Note:

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server
Follow these steps to create the Kerberos configuration file if youre using Tomcat, Oracle Application Server or WebLogic. 1. To configure Kerberos for Java AD Create the file krb5.ini, if it does not exist, and store it under the following platform dependant location: Platform Windows Location
c:\WINNT

Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying your Java options for Kerberos on Tomcat on page 307 for procedural details.

302

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

2.

Add the following required information in the Kerberos configuration file:


[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true [realms] DNS.COM = { default_domain = DNS.COM kdc = hostname.DNS.COM }

Note:

DNS.COM is the DNS name of your domain which must be entered in

FQDN format and entered in uppercase.


kdc is the Host name of the Domain Controller.

You can add multiple domain entries to the [realms] section if your users log in from multiple domains. To see a sample of this file with multiple domain entries, see Sample single domain Krb5.ini file on page 305 or Sample multiple domain Krb5.ini file on page 304. For further information see http://java.sun.com/j2se/1.5.0/docs/guide/ security/jgss/tutorials/KerberosReq.html. In a multiple domain configuration, under [libdefaults] the default_realm value may be any of the desired domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts.

BusinessObjects Enterprise Deployment and Configuration Guide

303

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Creating the Kerberos configuration file for WebSphere


1. To configure Kerberos for WebSphere Create the file krb5.ini, if it does not exist, and store it under the following platform dependant location: Platform Windows Location
c:\WINNT

Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See Modifying the Java options for Kerberos on WebSphere on page 308 for procedural details. 2. Add the following required information in the Kerberos configuration file:
[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc [realms] DNS.COM = { default_domain = DNS.COM kdc = hostname.DNS.COM }

Note:

DNS.COM is the DNS name of your domain. This must be entered in

uppercase in FQDN format. These lines are required for the default encryption types for WebSphere, and are different than the encryption types for WebLogic, Oracle Application Server and Tomcat: default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc

3.

For samples of this file see Sample single domain Krb5.ini file on page 305 and Sample multiple domain Krb5.ini file on page 304.

Save and close the file.

Sample multiple domain Krb5.ini file

Following is a sample file with multiple domains.


[domain_realm] .domain03.com = DOMAIN03.COM domain03.com = DOMAIN03.com

304

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

.child1.domain03.com = CHILD1.DOMAIN03.COM child1.domain03.com = CHILD1.DOMAIN03.com .child2.domain03.com = CHILD2.DOMAIN03.COM child2.domain03.com = CHILD2.DOMAIN03.com .domain04.com = DOMAIN04.COM domain04.com = DOMAIN04.com [libdefaults] default_realm = DOMAIN03.COM dns_lookup_kdc = true dns_lookup_realm = true [logging] [realms] DOMAIN03.COM = { admin_server = testvmw2k07 kdc = testvmw2k07 default_domain = domain03.com } CHILD1.DOMAIN03.COM = { admin_server = testvmw2k08 kdc = testvmw2k08 default_domain = child1.domain03.com } CHILD2.DOMAIN03.COM = { admin_server = testvmw2k09 kdc = testvmw2k09 default_domain = child2.domain03.com } DOMAIN04.COM = { admin_server = testvmw2k011 kdc = testvmw2k011 default_domain = domain04.com }

Sample single domain Krb5.ini file


Following is a sample krb5.ini file with a single domain.
[libdefaults] default_realm = ABCD.MFROOT.ORG dns_lookup_kdc = true dns_lookup_realm = true [realms] ABCD.MFROOT.ORG = { kdc = ABCDIR20.ABCD.MFROOT.ORG kdc = ABCDIR21.ABCD.MFROOT.ORG kdc = ABCDIR22.ABCD.MFROOT.ORG kdc = ABCDIR23.ABCD.MFROOT.ORG default_domain = ABCD.MFROOT.ORG }

Creating the JAAS login configuration file for Tomcat or WebLogic


1. To create the JAAS login configuration file for Tomcat or WebLogic Create a file called bscLogin.conf if it does not exist.

BusinessObjects Enterprise Deployment and Configuration Guide

305

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Store it in this location:


C:\WINNT

This is the default location for the bscLogin.conf file. You can specify a different location for this file, but if you do, you must also specify in this location in your java arguments. See Modifying the Java options for Kerberos on WebLogic on page 307 for details. 2. Add the following code to your JAAS bscLogin.conf configuration file:
com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required; };

Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 3. Save and close the file.

Creating the JAAS login configuration file for Oracle Application Server
1. To create the JAAS login configuration file for Oracle Locate the jazn-data.xml file. Note: This default location for this file is C:\OraHome_1\j2ee \home\config. If you installed Oracle Application Server in a different location, find the file specific to your installation. 2. Add the following content to the file between the <jazn-loginconfig> tags:
<application> <name>com.businessobjects.security.jgss.initiate</name> <login-modules> <login-module> <class>com.sun.security.auth.module.Krb5LoginModule</ class> <control-flag>required</control-flag> </login-module> </login-modules> </application>

3.

Save and close the file.

Creating the JAAS login configuration file for WebSphere


1. 2. To create the JAAS login configuration file for WebSphere Create a file called bscLogin.conf if it does not exist. Store it in this location:

306

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

C:\WINNT

3.

Add the following code to your JAAS bscLogin.conf configuration file:


com.businessobjects.security.jgss.initiate { com.ibm.security.auth.module.Krb5LoginModule required;};

Note: For more information on how to configure JAAS authentication, see the following: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ LoginConfigFile.html 4. Save and close the file.

Modifying your Java options for Kerberos on Tomcat


There are two ways you can modify your java options as required for Kerberos, either in the java.security file or on the Java tab for Tomcat. 1. To change the options in the java. security file In the following file, JAVA_HOME\jre\lib\security\java.security, add a line which specifies the location of the file bscLogin.conf:
# Default login configuration file # #login.config.url.1=file:${user.home}/.java.login.config login.config.url.1=file:C:/winnt/bscLogin.conf

2. 1. 2. 3.

Restart Tomcat. To modify the Java options from the Java tab for Tomcat From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini

Replace XXX with the location you stored the file. 4. 5. Close the Tomcat configuration file. Restart Tomcat.

Modifying the Java options for Kerberos on WebLogic


If you are using Kerberos with WebLogic, your Java options need to be modified to specify the location of the Kerberos configuration file and the kerberos login module.

BusinessObjects Enterprise Deployment and Configuration Guide

307

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

1. 2.

To modify the Java options from the Java tab for WebLogic Stop the domain of WebLogic that runs your BusinessObjects Enterprise applications. Open the script that starts the domain of WebLogic that runs your BusinessObjects Enterprise applications. Script name startWeblogic.cmd startWebLogic.sh

Operating System Windows Unix 3.

Add the following information to the Java_Options section of the file:


set JAVA_OPTIONS=-Djava.security.auth.login.config=C:/ XXX/bscLogin.conf -Djava.security.krb5.conf=C:/XXX/ krb5.ini

Replace XXX with the location you stored the file. 4. Restart the domain of WebLogic that runs your BusinessObjects Enterprise applications.

Modifying the Java options for Kerberos on Oracle Application Server


If you are using Kerberos with Oracle Application Server, the Java options need to be modified to specify the location of the kerberos configuration file. 1. 2. 3. 4. 5. To modify the Java options for Oracle Application Server Logon to the administration console of your Oracle Application Server. Click on the name of the OC4J instance that runs your BusinessObjects Enterprise applications. Select Server Properties. Scroll down to the Multiple VM Configuration section. In the Command Line Options section, append the following at the end of the Java Options text field: -Djava.security.krb5.conf=C:/XXX/krb5.ini Replace XXX with the location you stored the file. 6. Restart your OC4J instance.

Modifying the Java options for Kerberos on WebSphere


1. To modify Java options for Kerberos on WebSphere Log into the administrative console for WebSphere.

308

For IBM WebSphere 5.1, type this:

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

http://servername:9090/admin.

2.

For IBM WebSphere 6.0, type this:


http://servername:9060/ibm/console

Expand Server, a click on Application Servers and then servername. Note: Replace servername with the name of the application server you created to use with BusinessObjects Enterprise.

3.

Go to the JVM page.

If you are using WebSphere 5.1, follow these steps to get to the JVM page. a. On the server page, scroll down until you see Process Definition in the Additional Properties column. Scroll down and click on Java Virtual Machine.

b. Click on Process Definition. c.

If you are using WebSphere 6.0, follow these steps to get to the JVM page. a. c. On the server page, select Java and Process Management. Select Java Virtual Machine. b. Select Process Definition.

4.

Click Generic JVM arguments then type the location of your Krb5.ini and the location of your bscLogin.conf file. -Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini Replace XXX with the location you stored the file.

5. 6. 7.

Click Apply, and then click Save. Stop the server. Restart the server.

Troubleshooting Kerberos
These steps may help you if you encounter problems when configuring kerberos:

Enabling logging Testing your Java SDK Kerberos configuration

BusinessObjects Enterprise Deployment and Configuration Guide

309

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Enabling logging
1. 2. 3. To enable logging From the Start menu, select Programs >Tomcat > Tomcat Configuration. Click the Java tab. Add the following options:
-Dcrystal.enterprise.trace.configuration=verbose

This will create a log file in the following location:


C:\Documents and Settings\<user name>\.businessobjects\jce_verbose.log

Testing your Java Kerberos configuration

To test your Java Kerberos configuration Run the following command to test your Kerberos configuration, where servact is the service account and domain under which the CMS is running, and password is the password associated with the service account.
C:\Program Files\Business Objects\j2sdk1.4.2_04\bin\kinit.exe" servact@TESTM03.COM Password

If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.

Mapped AD user unable to log on to CMC or InfoView


The following two issues may occur, despite the fact that the users have been mapped to BusinessObjects Enterprise:

Logon failure due to different AD UPN and SAM names on page 310 Pre-authentication error on page 311

Logon failure due to different AD UPN and SAM names


A users Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:

DOMAIN\ABC123

310

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

This problem, which happens with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same, either in case or otherwise. Following are two examples which may cause a problem:

The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name are the same.

There are two ways to address this problem:

Pre-authentication error
A user who has previously been able to log on, can no longer log on successfully. The user will receive this error: Account Information Not Recognized. The Tomcat error logs reveal the following error: Pre-authentication information was invalid (24) This can occur because the Kerberos user database didnt get a change made to UPN in AD. This may mean that the Kerberos user database and the AD information are out of sync. To resolve this problem, reset the users password in AD. This will ensure the changes are propagated correctly. Note: This problem is not an issue with J2SE 5.0.

Configuring Kerberos and single sign-on to the database for Java application servers
Single sign-on to the database is supported for deployments that meet all these requirements:

The deployment of BusinessObjects Enterprise is on a Java web application server. The Java web application server has been configured with AD with Kerberos. The database to which single sign-on is required is a supported version of SQL Server. The groups or users that need access to the database must have been granted permissions within SQL Server.

The final step is to modify the krb5.ini file to support single sign-on to the database for Java.

BusinessObjects Enterprise Deployment and Configuration Guide

311

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Note:

These instructions explain how to configure single sign-on to the database for Java application servers. If you want to configure endto-end single sign-on to the database for Java application servers, you must also configuration required for Vintela single sign-on for Java. For details, see Restart your web application server. on page 312. If you want to configure single sign-on to a database, ensure that you have set the cache security context. For detailed instructions, go to Kerberos authentication in the Windows AD plug-in on page 297.

1.

To enable single sign-on to the database for Java application servers Open the krb5.ini file that is being used for your deployment of BusinessObjects Enterprise. The default location for this file is the WINNT directory on your web application server. Tip: If you cannot find the file in the WINNT directory, check this Java argument for the location of the file:
-Djava.security.auth.login.config

This variable is specified when AD with Kerberos is configured on your Java web application server. 2. 3. 4. 5. Go to the [libdefaults] section of the file. Enter this string prior to the start of the [realms] section of the file:
forwardable = true

Save and close the file. Restart your web application server.

Configuring Kerberos and single sign-on for Java InfoView


The following procedure explains how to enable Kerberos single sign-on for Java InfoView. Vintela single sign-on for Java is installed as part of Service Pack 2 of BusinessObjects Enterprise XI Release 2. Note: If you plan to use single sign-on to Java InfoView in a reverse proxy environment, there are a couple of changes required in the following procedure. For details, see Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server on page 207 before proceeding.

312

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Prerequisites
Before you configure single sign-on for Java InfoView, you must complete configuration prerequisites: these prerequisites are the steps from the General workflow for configuring Kerberos on page 290 and the steps that apply specifically to your type of Java application server. Also, ensure that single sign-on is enabled in the Authentication page of the CMC. For details, go to Kerberos authentication in the Windows AD plug-in on page 297. See these sections for the configuration steps that apply specifically to your Java application server:

Workflow for configuring Tomcat for Kerberos on page 291 Workflow for configuring WebSphere for Kerberos on page 291 Workflow for configuring WebLogic for Kerberos on page 291 Workflow for configuring Oracle for Kerberos on page 291

Note: Single sign-on to Java InfoView is only supported when BusinessObjects Enterprise services are installed on a supported Windows platform. Supported application servers can be deployed on supported platforms other than Windows. For a complete list of supported platforms, see the Platforms.txt file included on your product CD.

Workflow for configuring Kerberos single sign-on to Java InfoView


To configure Kerberos single sign-on for Java InfoView you must complete the six steps in this table. Step 1 Create a service account. Detailed steps are included in the section Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. on page 314 Set an SPN for your web application server Detailed steps are included in the section Step 2: Creating an SPN for your web application server on page 315 Reset the service account password Detailed steps are included in the section Step 3: Reset the service account password on page 315

Step 2

Step 3

BusinessObjects Enterprise Deployment and Configuration Guide

313

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

Step 4

Create and place a keytab file Detailed steps are included in the section Step 4: Create and place a keytab file on page 316 Edit the web.xml file Detailed steps are included in the section Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 Ensure the HTTP header size of your Java application server is sufficient. Detailed steps are included in the section Step 6: Increasing the header size limit of your Java application server on page 321

Step 5

Step 6

The following sections describe how to complete each of these steps. In addition to the steps you must complete, you may also want to change either of these configurable items available with Vintela single sign-on for Java:

The level of error logging recorded. The text users receive if their authentication with Vintela single sign-on for Java fails. Modifying the Vintela logon error page on page 325 Controlling logging with Vintela single sign-on for Java on page 322

For details, see these sections:

The final section Alternate url to access InfoView on page 324, explains why there is an alternate page provided and lists the url for this page.

Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java.
To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller. 1. 2. 3. 4. To register the service: On the Domain Controller open the Active Directory Users and Computers snap in. Click the Users folder to display a list of users and on the Action menu, click New and then click User. Enter a name and logon name for the new service, and then click Next. On the next screen, enter a password for the service. Ensure that the option called User must change password at next logon is not selected.

314

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

5. 6. 7.

Click Next and then click Finish. Right-click the user you have entered in the User folder list, and then click Properties to open the Properties dialog box. Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from ever expiring, which would cause Kerberos errors.

8. 9.

Select Use DES encryption types for this account. This will allow you to configure the KerberosFilter using a keytab file. Click OK.

Note: In some Active Directory Users and Computers snap ins, the option called Account is trusted for delegation is not available until a mapped Service Principal Name has been created. If you do not see this option, complete the steps in the next section, then open the user account in the AD Users and Computers snap in and select the Delegation tab. You can enable it from here.

Step 2: Creating an SPN for your web application server


Note: Make sure that the SPN you are creating does not already exist and is mapped to another account. If so, you must remove this SPN with the setspn utility. 1. 2. To create an SPN for your web application server Launch a command prompt and navigate to your Support Tools folder. Execute the following command: ktpass -princ HTTP/host@REALM -mapuser user Where: <host> is the fully-qualified domain name of the server where the Java Application Server is installed. (For example, server.example.com) <REALM> is the Active Directory realm in which the server is located. (For example, EXAMPLE.COM). <user> is the logon name of the user account you created above.

Step 3: Reset the service account password


To prevent Kerberos integrity-check failures, you should reset the password of the user account you created in step 1.

BusinessObjects Enterprise Deployment and Configuration Guide

315

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

1.

To reset the password On the Domain Controller with Active Directory installed, on the Start menu click Programs > Administrative Tools > Active Directory Users and Computers. Right-click the user account that you created previously and click Reset Password. Enter and confirm the same password that you entered previously. Ensure that User must change password at next logon is not selected an click OK.

2. 3. 4.

Step 4: Create and place a keytab file


You can configure the KerberosFilter to either use a password or a keytab file. A keytab file allows the KerberosFilter to be configured without exposing the password of the user account on the web application machine. A keytab file is the recommended method because it is more secure than an exposed password. 1. To create and place keytab file Run ktpass with the following arguments at command prompt: ktpass -out keytab_filename -princ HTTP/host@REALM -pass user_password -kvno 255 Where: keytab_filename is the name of the keytab file we want to generate. (Ex host.keytab) HTTP/host@REALM is the SPN used (for example, HTTP/ MACHINE.DOMIAN.COM@DOMAIN.COM) user_password is the password of the user used in the Map a Service Principle Name (SPN) section 2. Copy the generated keytab file onto the java application machine and place in your chosen location. Note:

The keytab is usually found in the same folder as your ktpass support tool unless you specified a different location. Typically the keytab is stored in C:/WINNT or C:/Windows.

Step 5: Enabling Vintela single sign-on for Java in the web.xml file
Note: If you are using WebLogic as your application server, read WebLogicspecific instructions on page 319 before proceeding.

316

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

1.

To enable Vintela single sign-on in the web.xml file Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF

If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.

2.

Find the following parameters and make the appropriate changes: <param-name> Original <param-value> cms.default New <param-value>

your CMS name and port your CMS name and port number number. SecWinAD false true false

authentication.d SecEnterprise efault siteminder.enabl true ed vintela.enabled sso.enabled 3. false false

Find the following section in the web.xml file:


<!- - Uncomment the following filter and mapping to enable the filter for Vintela SSO. Set idm.realm to the Active Directory realm where the server is in and idm.princ to the service principal name. - - >

4.

Remove the comment start tag that immediately follows this comment as well as its corresponding end tag.

BusinessObjects Enterprise Deployment and Configuration Guide

317

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

5.

In this section find the following parameters and make the appropriate changes. <paramname> idm.realm Original <param-value> YOUR_REALM New <param-value> Default realm for AD. This should be the same value you set when you configured the default_realm in your krb5.ini file Note: Value must be in upper case The SPN you created. It must follow the format: HTTP/ Hostname Where Hostname is the fully qualified domain name of your machine. false true, unless you are planning to use SSL.

idm.princ

YOUR_PRINCIPAL

idm.allowNTLM false idm.allowUnsec true ured 6.

Add the idm.keytab parameter. In the Vintela section of the web.xml file add the following lines. Note: Place it after the idm.princ parameter and values.
<init-param> <param-name>idm.keytab</param-name> <param-value>PATH_TO_YOUR_KEYTAB_FILE</param-value> </init-param>

Where Path_To_Your_Keytab_File is the directory path to the location of your keytab file. Ex.C:\WINNT\host.keytab Note: Only add the above parameter if you have chosen to use a keytab file. If you have chosen to use a password do not add this parameter. 7. 8. Save and Close the file. Restart your web application server.

Note: If you are using WebLogic, go to Modifying the web.xml in the war package on page 320.

318

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

WebLogic-specific instructions
If you are using WebLogic as your application server, you may not find the commented section in the Vintela xml properties that is mentioned in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316. This is because WebLogic Builder, which is used in preparing the war files for deployment, removes the commented portions of the web.xml file. Therefore, you must add the following xml to the web.xml file before proceeding with Step 5:
<filter> <filter-name>authFilter</filter-name> filter class>com.businessobjects.sdk.credential.WrappedResponse AuthFilter</filter-class> <init-param> <param-name>idm.realm</param-name> <param-value>YOUR_REALM</param-value> </init-param> <init-param> <param-name>idm.princ</param-name> <param-value>YOUR_PRINCIPAL</param-value> </init-param> <init-param> <param-name>idm.allowUnsecured</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>idm.allowNTLM</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>idm.logger.name</param-name> <param-value>simple</param-value> <description> The unique name for this logger. </description> </init-param> <init-param>

BusinessObjects Enterprise Deployment and Configuration Guide

319

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

<param-name>idm.logger.props</param-name> <param-value>error-log.properties</param-value> <description> Configures logging from the specified file. </description> </init-param> <init-param> <param-name>error.page</param-name> param-value> <param-value>/InfoView/logon/vintelaError.jsp</ <description> The URL of the page to show if an error occurs during authentication. </description> </init-param> </filter> <filter-mapping> <filter-name>authFilter</filter-name> <url-pattern>/InfoView/logon/logon.do</url-pattern> </filter-mapping>

Return to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the steps there.

Modifying the web.xml in the war package


Note: Every time you restart WebLogic the web.xml will be overwritten and you will lose the above section. In order to circumvent this issue it is suggested you modify the web.xml in the actual war package. 1. To modify the web.xml file in the war package Locate the desktop.war file. On Windows, the file is located at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 11.5\java\applications If you did not modify the default installation location, replace
<DeployedLocation> with C:\Program Files\

2.

Create a folder called WEB-INF and place the modified web.xml file in this folder.

320

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

Note: You must configure the web.xml file with the steps described in Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 first. 3. 4. 5. Open a command window. Change directories to the folder containing the deksktop.war Execute the following command:
<DeployedLocation>\j2sdk1.4.2_08\bin\jar uf desktop.war WEB-INF/web.xml

If you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects 6. Go back to Step 5: Enabling Vintela single sign-on for Java in the web.xml file on page 316 and complete the tasks outlined there.

Step 6: Increasing the header size limit of your Java application server
Active Directory creates a Kerberos token which is used in the authentication process. This token is stored in the HTTP header. Your Java application server will have a default HTTP header size and you should ensure a minimum size of 16384 bytes to avoid failures. 1. To configure the HTTP header size with Tomcat On the server with Tomcat installed, open the server.xml file. On Windows, this file is located at <TomcatDeployedLocation>/conf

If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <TomcatDeployedLocation> with C:\ProgramFiles\Business Objects\Tomcat\ If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.

2.

Find the corresponding <Connector > tag for the port number you have configured. If you are using the default port of 8080, find the <Connector > tag with port=8080 in it. For example:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />

BusinessObjects Enterprise Deployment and Configuration Guide

321

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

3.

Add the following value within the <Connector > tag:


maxHttpHeaderSize=16384

For example:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=16384 minSpareThreads="25" port="8080" redirectPort="8443" />

4. 5.

Save and close the server.xml file. Restart Tomcat.

Note: For other Java application servers, consult your java application servers documentation.

Controlling logging with Vintela single sign-on for Java


Vintela single sign-on for Java uses Apache log4j logging. The name of the log file and the level of logging recorded are controlled by these:

The settings related to Vintela logging in the web.xml for InfoView. The setting in the log4j properties file.

For more efficient problem determination, you may want to use the log files that are used to capture error or warning messages.

322

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

The table which follows summarizes what you can control about error logging with Vintela in the web.xml file for InfoView: <param-name> idm.logger.name Use of parameter The name of the log file is specified in the <param-value> for this parameter. This must be a unique name not in used by any other implementation of log4j logging on your web application. The <param-value> for this parameter can be set to three things: (blank), BASIC or
AnythingElse.

idm.logger.props

If the <param-value> for idm.logger.props is set to (blank), no logging will be performed. If the <param-value> for idm.logger.props is set to BASIC, basic errors will be logged and errors will be sent to the standard output. If the <param-value> for idm.logger.props is set to anything other than or BASIC, Vintela will look for a properties file that matches the value you set. Vintela will look for this properties file in the WEB-INF directory for InfoView. For example, if you specify BOE for your <param-value>, Vintela will look in the WEBINF directory for Infoview for this file:
BOE.properties

You must create the properties file if you specify that one is to be used. For details see What to specify in your log4j properties file on page 323.

What to specify in your log4j properties file


If you specify that you want to use a properties file in the <param-value> for idm.logger.props in the web.xml file for InfoView, you must also create the properties file you specified in the WEB-INF directory for InfoView. These are the basic requirements:

Defining which logger to use. Defining what level of logging to perform in this properties file.

BusinessObjects Enterprise Deployment and Configuration Guide

323

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

For details on the syntax to use in the file and details on the of valid options of an Apache log4j properties file, see the following url:
http://jakarta.apache.org/log4j/docs/api/index.html

To change the level of logging provided with Vintela single sign-on for Java 1. Open the web.xml file for InfoView from its deployed location on your web application server. This is where the InfoView web.xml file is on Windows: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\ WEB-INF

If you are using the version of Tomcat installed with BusinessObjects Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.

2.

If you want to have the output from error logging written to a file, find this string:
<param-name>idm.logger.name</param-name>

3. 4.

In the <param-value> for idm.logger.name, enter the name for your log file. If you want to use a properties file to define the logger used and level of logging recorded, find this string:
<param-name>idm.logger.props</param-name>

5.

In the <param-value> for idm.logger.props, enter the name for your properties file. Note: If you set this value to anything other than or BASIC, you must also define the logger used and define level of logging in the properties file you specify. For details, on the logging parameters available, see the table in the section Controlling logging with Vintela single sign-on for Java on page 322

6.

Save and close your file.

Alternate url to access InfoView


A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.

324

BusinessObjects Enterprise Deployment and Configuration Guide

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

13

This is the default url used to access InfoView:


http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/logon.do

This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonForm.do

Modifying the Vintela logon error page


When authentication using Vintela single-sign-on for Java fails, Internet Explorer will attempt NTLM authentication. This will happen each time another logon attempt is made until the browser session ends, even if the underlying cause of failure has been resolved. To reduce the number of support calls received by an administrator, an error page will be displayed for the user. This error page informs users of this behavior and instructs them to close their browser so that the next attempt can be successful, provided the underlying cause of the problem has been resolved. 1. To customize the text displayed on the Vintela error page Open the file vintelaError.jsp file found in this location: <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\I nfoView\logon\ If you installed Tomcat with your installation, and did not modify the default location, you can replace DeployedLocation with this: C:\Program Files\Business Objects\Tomcat\webapps If you modified the default location for Tomcat, or used another supported Java application server, substitute the path applicable for deployment. 2. 3. 4. Change the text of the message as required. Save and close the file. Restart your web application server.

A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.

This is the default url used to access InfoView:


http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/logon.do

BusinessObjects Enterprise Deployment and Configuration Guide

325

13

Using AD and Kerberos with Java application servers Configuring Kerberos for Java application servers

This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:
http://HostName:portnumber/businessobjects/ enterprise115/desktoplaunch/InfoView/logon/ logonform.do

Configuring Internet Explorer browsers


In order to support Kerberos single sign-on, you must configure BusinessObjects Enterprise clients. This includes:

Configuring IIS for database single sign-on on page 281. Configuring the Internet Explorer (IE) browser on the client machines. Note: You can automate this through a registry key or use the following steps.

1. 2.

Configuring the IE browser on the client machines On the client machine open and IE browser window. Enable integrated Windows authentication 1. 2. 3. On the Tools menu click Internet Options. Click the Advanced tab. Scroll to Security, select Enable Integrated Windows Authentication, and then click Apply.

3.

Add IIS to the trusted sites. You can enter the full domain name of the site. 1. 2. 3. 4. 5. On the Tools menu click Internet Options. Click the Security tab. Click Sites and then click Advanced. Type the web site for IIS and click Add. Click Ok until the Internet Options dialog box closes.

4. 5.

Close and reopen the IE browser window for these changes to take effect. Repeat all of these steps on each BusinessObjects Enterprise client machine.

326

BusinessObjects Enterprise Deployment and Configuration Guide

33

Trusted Authentication

chapter

14

Trusted Authentication Enabling Trusted Authentication

Enabling Trusted Authentication


Users prefer to log on to the system once, without needing to provide passwords several times during a session. Trusted Authentication provides a Java single sign-on solution for integrating your BusinessObjects Enterprise authentication solution with third-party authentication solutions. Applications that have established trust with the Central Management Server can use Trusted Authentication to allow users to log on without providing their passwords. To enable Trusted Authentication, you must configure both the server, through the CMC, and the client, in the web.xml file.

Configuring the server for Trusted Authentication on page 328 Configuring Trusted Authentication for the client on page 329

If you are using Business Process BI Web Service, you also must configure the BusinessProcessBI.properties file. See Configuring Trusted Authentication for Business Process BI on page 334 for details. Note: Before you are able to use Trusted Authentication, you must have either created Enterprise users or mapped the third-party users you will be using to sign on to BusinessObjects Enterprise.

Configuring the server for Trusted Authentication


1. 2. 3. 4. 5. 6. To configure the server to use Trusted Authentication Log on to the Central Management Console with administrative rights. Go to the Authentication management area of the CMC. Click the Enterprise tab. Scroll down until you see Trusted Authentication. Click Trusted Authentication is enabled. Enter a string in the Shared Secret field. Note: The shared secret is used by the client and the CMS to establish trust. You must also configure the client after you finish the Trusted Authentication configuration for the server. See Configuring Trusted Authentication for the client on page 329 for details. 7. Specify a timeout value for your trusted authentication requests. Note: The timeout value is the maximum amount of time, in milliseconds, that the clock on the client and clock and the CMS can differ. If you enter 0, the amount of time the two clock times can differ is unlimited. It is not recommended you set this value to 0 as this may increase your vulnerability to replay attacks.

328

BusinessObjects Enterprise Deployment and Configuration Guide

Trusted Authentication Enabling Trusted Authentication

14

8.

Click Update.

Configuring Trusted Authentication for the client


1. To configure Trusted Authentication for the client Open the web.xml file for InfoView from its deployed location on your web application server.
On Windows, this is the deployed location: <DeployedLocation>\businessobjects\enterprise115\desktop launch\WEB-INF On Unix, this is the deployed location: <DeployedLocation>/businessobjects/enterprise115/ desktoplaunch/WEB-INF

If your web application server is on Windows, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: C:\Program Files\Business Objects\Tomcat\webapps\ If your web application server is on UNIX, and you are using the version of Tomcat installed with BusinessObjects Enterprise, and you did not modify the default installation location, replace <DeployedLocation> with this: <INSTALLDIR>/bobje/tomcat/webapps If you are using any other supported web application server on Windows or Unix, consult the documentation for your web application server to determine the appropriate path to substitute.

2. 3.

Find this string in the file:


<param-name>cms.default</param-name>

Enter the CMS name and port number in the cms.default <paramvalue> field. Use the format servername:portnumber Find this string in the file: <param-name>sso.enabled</param-name> Change the <param-value> for sso.enabled from false to true.
<param-value>true</param-value>

4. 5. 6.

Find this string in the file:


<param-name>siteminder.enabled</param-name>

BusinessObjects Enterprise Deployment and Configuration Guide

329

14

Trusted Authentication Enabling Trusted Authentication

7.

Change the <param-value> for siteminder.enabled from true to false.


<param-value>false</param-value>

8. 9.

Find this string in the file:


<param-name>trusted.auth.user.retrieval</param-name>

Specify the way in which you want to use to retrieve the user name.

330

BusinessObjects Enterprise Deployment and Configuration Guide

Trusted Authentication Enabling Trusted Authentication

14

Enter the <param-value> from the table that corresponds with the user retrieval method you want to use. <param-value> REMOTE_USER How the User name will be retrieved The user name will be retrieved from a call to getRemoteUser() on the HttpServletRequest object for the current request in a servlet or JSP. The user name is retrieved from the contents of a specified HTTP header. Note: You must define which http header you want to use retrieve the user name. You define the http header to use is defined in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified parameter of the request URL. Note: You must define which query string parameter you want to use to retrieve the user name. You define query string parameter to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from the contents of contents of a specified cookie. Note: You must define which cookie you want to use to retrieve the user name. You define the cookie to use in the trusted.auth.user.param in the web.xml file for InfoView.

HTTP_HEADER

QUERY_STRING

COOKIE

BusinessObjects Enterprise Deployment and Configuration Guide

331

14

Trusted Authentication Enabling Trusted Authentication

<param-value> WEB_SESSION

How the User name will be retrieved The user name is retrieved from the contents of a specified session variable. Note: You must define which web session variable want to use to retrieve the user name. You define the web session variable to use in the trusted.auth.user.param in the web.xml file for InfoView. The user name is retrieved from a call to getUserPrincipal().getName() on the HttpServletRequest object for the current request in a servlet or JSP.

USER_PRINCIPAL

Note:

There are various mechanisms that populate the user name. Configure or set up your web application server so that your user names are exposed before you use these user retrieval name methods. See http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/ http/HttpServletRequest.html for further information. Some web application servers require that you have the environment variable REMOTE_USER set to true on your web application server. See the documentation specific to your web application server for details on whether this is required. If it is required, ensure the environment variable is set to true if you are using this method of user name retrieval.

10. If you selected HTTP header, URL query string, cookie or web session, find this string:
<param-name>trusted.auth.user.param</param-name>

Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 11. Enter the variable name to use to retrieve the user name in the <paramvalue> for trusted.auth.user.param.

If you are using the HTTP header as your method of retrieving the user name, enter the name for the HTTP header variable. If you are using a URL query string parameter as your method of retrieving the user name, enter the name for the parameter. If you are using a cookie as your method of retrieving the user name, enter the name for the cookie.

332

BusinessObjects Enterprise Deployment and Configuration Guide

Trusted Authentication Enabling Trusted Authentication

14

If you are using a web session variable as your method of retrieving the user name, enter the name for the web session variable.

Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER. 12. Decide how you want to retrieve the shared secret.

To retrieve the shared secret from a file. a. Create a file called TrustedPrincipal.conf. b. Store the file in the platform specific directory of Business Objects. This table specified the location where the TrustedPrincipal.conf file should be stored, based on your platform.

Platform Windows, default installation

Location of TrustedPrincipal.conf C:\Program Files\Business Objects\BusinessObjects

Enterprise 11.5\win32_x86\ plugins\auth\secEnterprise

Windows, modified <INSTALLDIR>/BusinessObjects default install directory Enterprise 11.5\win32_x86\ plugins\auth\secEnterprise Note: Replace INSTALLDIR with your installation directory. AIX
aix_rs6000/plugins/auth/ secEnterprise

<INSTALLDIR>/bobje/enterprise115/

Solaris

solaris_sparc/plugins/auth/ secEnterprise hpux_pa-risc /plugins/auth/secEnterprise linux_x86/plugins/auth/ secEnterprise

<INSTALLDIR>/bobje/enterprise115/

HP_UX

<INSTALLDIR>/bobje/enterprise115/

Linux

<INSTALLDIR>/bobje/enterprise115/

c.

Define the string you want to use for the shared secret. Enter the following in the file, where String is the shared secret string you want to use.
SharedSecret=String

BusinessObjects Enterprise Deployment and Configuration Guide

333

14

Trusted Authentication Enabling Trusted Authentication

d. Save and close this file.

To retrieve the shared secret from a session variable. a. Find this string in the web.xml file:
<param-name>trusted.auth.shared.secret</paramname>

b. Enter the session variable name from which to retrieve the shared secret in the </param-value> for
trusted.auth.shared.secret.

Note: Business Process BI Web Services does not support retrieving the shared secret from a session variable. 13. Save and close the file. 14. Restart your web application server.

Configuring Trusted Authentication for Business Process BI


If you are using Business Process BI and you are using Trusted Authentication, you must configure the BusinessProcessBI.properties file in addition to configuring the CMC and the web.xml. 1. To configure Trusted Authentication for Business Process BI Open the BusinessProcessBI.properties file from the following location on your web application server:
<DeployedLocation>businessobjects\enterprise115\Business ProcessBI\WEB-INF\classes

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\. If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute. 2. 3. 4. 5. Find this line:
bisecurity.trustedAuthentication.enabled = false

Change the value false to true. Save and close the file. Restart your web application server.

334

BusinessObjects Enterprise Deployment and Configuration Guide

Trusted Authentication Enabling Trusted Authentication

14

Configuring Trusted Authentication on a separate web application server


Follow these steps if you plan to use Trusted Authentication and you want deploy Business Process BI Services on a different web application server without the BusinessObjects Enterprise components. This step is required because, although there are no BusinessObjects Enterprise components installed on you web application server, the default behavior is to look in specific folder for the TrustedPrincipal.conf file. To configure Trusted Authentication when Business Process BI Services on a different web application server 1. Copy the BusinessProcessBI.war file from the machine where it was installed to the machine where you want it deployed. 2. Create the directory structure applicable to the platform of your deployment. These are the choices:

<INSTALLDIR>\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterprise <INSTALLDIR>/bobje/enterprise115/solaris_sparc/ plugins/auth/secEnterprise <INSTALLDIR>/bobje/enterprise115/aix_rs6000/plugins/ auth/secEnterprise <INSTALLDIR>/bobje/enterprise115/linux_x86/plugins/ auth/secEnterprise

<INSTALLDIR>/bobje/enterprise115/hpux_pa_risc/plugins/auth/
secEnterprise

Note: INSTALLDIR can be any location you want. 3. 4. 5. Place your configured TrustedPrincipal.conf in the folder you just created. Specify the location of INSTALLDIR in this java argument:
-Dbobj.enterprise.home=<INSTALLDIR>

Deploy the war file.

Note: If GetDocumentURL methods are used, InfoView must also be deployed, but not necessarily on the same web application servers. See the Business Process BI Services Guide for more information.

BusinessObjects Enterprise Deployment and Configuration Guide

335

14

Trusted Authentication Enabling Trusted Authentication

336

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance

chapter

15

Improving Performance Improving performance

Improving performance
It is good practice to regularly assess the performance of your system and make changes to account for future growth and potential problem areas. First, you need to assess the current performance of your system. You can assess your systems performance by talking to your users and delegated administrators, and by studying your system metrics. When you have an idea of potential problem areas, you can compare your systems performance to expected service thresholds. After you identify performance issues, you can take steps to account for them by scaling your system or adjusting your configuration settings.

Assessing your systems performance on page 338 Resolving performance issues on page 348

Note: This section is for improving the performance of an existing deployment. For information about If you havent deployed your system yet, see Planning Your Deployment on page 57.

Assessing your systems performance


Before you change your settings to enhance performance, you need to determine how well your system is currently performing. BusinessObjects Enterprise provides server metrics that allow you to monitor and assess your current processing problem areas. To effectively assess your systems performance, you need to:

Assess user needs. Get qualitative feedback from your users. See Assessing user needs on page 339. Analyze server metrics. Check the server and system logs. For detailed instructions, see Analyzing server metrics on page 339. Evaluate the performance of each server component. Compare the current system usage to recommended service thresholds. Determine the required number of processors, services, and machines. For more information, see Evaluating your systems performance on page 346.

338

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Assessing your systems performance

15

Assessing user needs


Talk to your users and delegated administrators. They can help you determine which areas of your system are currently experiencing performance issues, if any. They can also let you know where to anticipate higher system traffic in the future. And there may be areas of the system that are not being used at all. For example, if your organization is hiring new people in the finance department, the usage of financial reports will probably increase. If the financial reports are Web Intelligence documents, you may need to add a Web Intelligence Report Server to handle the extra processing. Or if youre planning to switch from Web Intelligence documents to Crystal reports, you may not need a Web Intelligence Report Server at all. It is good practice to conduct a company-wide survey concerning BusinessObjects Enterprise usage in order to capture all of the current problems and future changes. Ask your users about current performance concerns, their average daily usage, and their anticipated future usage:

What types of tasks are they performing and how often? Have they noticed slow performance when performing particular tasks? What types of objects do they use most often? Have they noticed slow performance when using particular types of objects? Do they anticipate increasing or decreasing their use of the system in the near future? Are they hiring new people? Do they plan to use BusinessObjects Enterprise to perform more tasks in the future?

It is good practice to regularly re-assess your organizations needs. Follow the steps you used when planning your deployment. For detailed instructions, see Assessing your organizations needs on page 58. When you have a sense of the organizations performance issues, you can verify them by viewing the current system metrics.

Analyzing server metrics


After you assess user needs, you can verify your users current performance concerns by monitoring system activity. Server metrics may also reveal other areas where high server traffic may be an issue.

BusinessObjects Enterprise Deployment and Configuration Guide

339

15

Improving Performance Assessing your systems performance

The CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity. Tip: For an example of how to use server metrics in your own web applications, see the View Server Summary sample on the BusinessObjects Enterprise Admin Launchpad.

Viewing current server metrics


The Servers management area of the CMC displays server metrics that provide statistics and information about each BusinessObjects Enterprise server. The general information displayed for each server includes information about the machine that the server is running onits name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The general information also includes the time the server started and the version number of the server. 1. 2. 3. To view server metrics Go to the Servers management area of the CMC. Click the link to the server whose metrics you want to view. Click the Metrics tab.

The Metrics tabs for the following servers include additional, server-specific information: Input and Output File Repository Servers For each File Repository Server, the Metrics tab provides the following metrics:

the number of bytes sent and received the number of active files and active client connections the total available hard disk space

The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the root directory of the files that the server maintains the maximum idle time

Each File Repository Server also has an Active Files tab, which lists the file name, the number of readers, and the number of writers for each active file. Cache Server For each Cache Server, the Metrics tab provides the following metrics:

340

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Assessing your systems performance

15

the total threads running the number of bytes transferred the number of current connections the current cache size the number of requests served the cache hit rate the number of requests that are queued

The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous processing threads the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the location of the cache files the maximum cache size the number of minutes between refreshes from the database

The Metrics tab also provides a table that lists the Page Servers that the Cache Server has connections to, along with the number of connections made to each Page Server. Central Management Server For the CMS, the Metrics tab lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any users link to view the associated account details. Connection Server For the Connection Server, the Metrics tab lists the current settings, which you can change on the Properties tab:

HTTP and CORBA protocol settings trace settings connection pooling the timeout duration for inactive jobs

Job Servers The Metrics tabs of these servers lists the following metrics:

the location of its temporary files the processing mode the current number of jobs that are being processed

BusinessObjects Enterprise Deployment and Configuration Guide

341

15

Improving Performance Assessing your systems performance

the total number of requests received the total number of failed job creations

Note: This applies to all types of Job Servers, including Crystal Reports Job Servers, Program Job Servers, Destination Job Servers, List of Values Job Servers, Desktop Intelligence Job Servers, and Web Intelligence Job Servers. Desktop Intelligence Cache Server For each Desktop Intelligence Cache Server, the Metrics tab provides the following metrics:

the current cache size the number of bytes transferred the number of current connections the number of requests served the cache hit rate the number of requests that are queued

The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of the cache files whether or not report jobs are shared the number of minutes before an idle job is closed whether or not the database is accessed whenever a viewers file (object) is refreshed the number of documents to keep in the cache when the cache is full the maximum cache size whether or not to share report data between clients the number of minutes between refreshes from the database

The Metrics tab also provides a table that lists the processing servers that the Desktop Intelligence Cache Server has connections to, along with the number of connections made to each server. Note: This server processes information only for Desktop Intelligence documents. Desktop Intelligence Report server For the Desktop Intelligence Report Server, the Metrics tab provides the following metrics:

the number of current connections the current number of open processing threads running the total number of requests served

342

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Assessing your systems performance

15

the total bytes transferred the number of requests queued the maximum number of child processes the number of failed requests

The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the location of temporary files the number of minutes before an idle connection is closed the maximum number of simultaneous report jobs the maximum number of operations allowed before resetting a report job whether a viewer refresh always hits the database whether or not report jobs are shared the number of minutes before an idle report job is closed the number of preloaded report jobs whether or not to share report data between clients the oldest processed data given to a client VBA settings

Note: This server processes information only for Desktop Intelligence documents. Event Server For the Event Server, the Metrics tab displays statistics for each file that the server is monitoring, including the file name and the last time the event occurred. Crystal Reports Page Server For the Page Server, the Metrics tab provides the following metrics:

the number of current connections the number of requests queued the current number of processing threads running the total number of requests served the number of failed requests the total bytes transferred

The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab: the maximum number of simultaneous report jobs the number of minutes before an idle connection is closed

BusinessObjects Enterprise Deployment and Configuration Guide

343

15

Improving Performance Assessing your systems performance

the maximum number of database records shown when previewing or refreshing a report whether a viewer refresh always hits the database the setting for the Report Job Database Connection the location of temporary files the maximum number of subprocesses the minutes before a report job is closed the oldest processed data given to a client

Note: This server processes information only for Crystal Reports objects. Report Application Server The Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created. Web Intelligence Report Server For the Web Intelligence Report Server, the Metrics tab provides the number of current requests and the total number of requests. The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:

the maximum number of connections the number of minutes before an idle connection is closed whether or not to enable document caching whether or not to enable real-time caching the number of minutes allowed for document caching the size of the document cache whether or not to enable list of values caching the batch size for lists of values the maximum size allowable for custom sorting a list of values the size of the universe cache the percentage of documents to keep in the cache when the cache is full the maximum number of minutes allowed for scanning the document cache the maximum number of downloaded documents to cache the maximum size of binary and character files

Note: This server processes information only for Web Intelligence documents.

344

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Assessing your systems performance

15

Viewing system metrics


The Settings management area of the CMC displays system metrics that provide general information about your BusinessObjects Enterprise installation. The Properties tab includes information about the product version and build. It also lists the data source, database name, and database user name of the CMS database. The Metrics tab lists current account activity, along with statistics about current and processed jobs. The Cluster tab lists the name of the CMS you are connected to, the name of the CMS cluster, and the names of other cluster members. 1. 2. To view system metrics Go to the Settings management area of the CMC. View the contents of the Properties, Metrics, and Cluster tabs. For more information about licenses and account activity, see the Managing Licenses chapter of the BusinessObjects Enterprise Administrators Guide. For information about CMS clusters, see Clustering Central Management Servers on page 114.

Related topics:

Logging server activity


BusinessObjects Enterprise allows you to log specific information about BusinessObjects Enterprise web activity. For details on locating and customizing the web activity logs, see Configuring the Web Component Adapter on page 108.

In addition, each of the BusinessObjects Enterprise servers is designed to log messages to your operating systems standard system log.

On Windows NT/2000, BusinessObjects Enterprise logs to the Event Log service. You can view the results with the Event Viewer (in the Application Log). On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application. Each server prepends its name and PID to any messages that it logs.

BusinessObjects Enterprise Deployment and Configuration Guide

345

15

Improving Performance Assessing your systems performance

This example shows two messages logged to the syslog daemon on UNIX:

Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:

On Windows, the default logging directory is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Logging On UNIX, the default logging directory INSTALL_ROOT/bobje/logging directory of your installation.

The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.

Evaluating your systems performance


After you collect enough anecdotal and statistical information about your BusinessObjects Enterprise deployment, you can begin to isolate problem areas. Use the server metrics to verify the user feedback. Do the server metrics confirm your users performance concerns? If not, the performance issue may be caused by something besides your BusinessObjects Enterprise configuration, such as your network speed, the structure of the database, or the complexity of your report design. Then compare the current usage to the recommended service thresholds. By comparing these numbers, you can rate each servers performance and create a list of minor, moderate, and major performance risks. 1. To evaluate your systems performance Make a list of all server components in your deployment.

346

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Assessing your systems performance

15

2.

For each server component, compare the information you received from your users to the server metrics in the Central Management Console. Note: For information, see Analyzing server metrics on page 339. Compare the servers current traffic metrics to the recommended service thresholds. Pay particular attention to the number of simultaneous requests and user connections. For a list of the recommended service thresholds, see Analyzing service thresholds on page 64. For information about making resource calculations, see Calculating the minimum resource requirements on page 71.

3.

4.

Sort the server components into the following categories: Minor performance risk: A server component is considered a minor risk if a low percentage of your users report performance problems and the server metrics do not reflect the same problems. Moderate performance risk: A server component is considered a moderate risk if the server metrics show that the current usage is close to the limit of the recommended service thresholds. You may also want to flag a server component as a moderate risk if a high percentage of users report performance issues, or if you expect an increase in usage that will cause the current usage numbers to meet the service thresholds. Major performance risk: A server component is considered a major performance risk if the server metrics show that current usage significantly exceeds the minimum service thresholds. You may also want to flag a server component as a major risk if you expect a substantial increase in usage that will cause the usage numbers to exceed the service thresholds.

5.

After you isolate the key problem areas and the severity of the performance issues, proceed to the next section: Resolving performance issues on page 348.

BusinessObjects Enterprise Deployment and Configuration Guide

347

15

Improving Performance Resolving performance issues

Resolving performance issues


After you assess your system and determine the potential trouble areas, you can develop a strategy for resolving performance issues. The appropriate solution for each server depends on the level of performance risk and the type of server. Note: For more information about evaluating your systems performance, see Evaluating your systems performance on page 346.

For minor or moderate performance issues, users encounter occasional performance issues or your system approaches the limits of the recommended service thresholds. You may be able to resolve these issues by fine-tuning your system configuration. For more information, see Configuring the intelligence tier for enhanced performance on page 351 and Configuring the processing tier for enhanced performance on page 354.

For major performance issues, your server traffic significantly exceeds the recommended service thresholds. You should consider expanding the system by adding servers to account for the problem areas. For more information about scaling considerations, see Scaling your system on page 366. For installation instructions, see the BusinessObjects Enterprise Installation Guide.

For example, when you install a default deployment of Business Objects Enterprise, one Web Intelligence Report Server is installed by default. This deployment will easily meet your needs if you have under 20 concurrent active users accessing the Web Intelligence Report Server by working with xCelsius or Web Intelligence documents. If you have 20 to 30 users accessing the Web Intelligence Report Server, you may encounter some performance issues because you are reaching the limits of the recommended service threshold. To account for some of these problems, you can tweak the Web Intelligence Report Server settings. (For details, see Modifying performance settings for the Web Intelligence Report Server on page 357.) However, if your traffic is significantly higher than the service threshold (such as 50 concurrent active users using the Web Intelligence Report Server) then you need to scale your system to include more instances of the Web Intelligence Report Server service. The following table provides a quick reference for troubleshooting performance for each type of server component:

348

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Server type CMS

Performance risk

Solutions

Minor/moderate

Because the CMS manages the entire system, problems that appear to be CMS issues may be caused by the server components managed by the CMS. It is good practice to check the performance of all other services before adding new CMS services. For other information about advanced CMS configuration, see Advanced server configuration options on page 146. Install additional CMS services. For information, see Increasing overall system capacity on page 367. Change how often the Event Server checks for file events. For more information, see Modifying the polling time of the Event Server on page 351. It is unlikely that you will encounter major performance issues with the Event Server. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see Scaling your system on page 366. You can resolve many issues by changing Cache Server properties such as the maximum cache size and the number of minutes between database refreshes. For more information, see Modifying Cache Server performance settings on page 352. If your system exceeds 400 simultaneous requests, install an additional Cache Server. See Scaling your system on page 366. If the number of simultaneous jobs does not exceed the recommended threshold of 20 jobs, check the Maximum Jobs Allowed setting. For more information, see Modifying performance settings for job servers on page 355. If the Job Server is running more than 20 simultaneous jobs on average, install another Job Server service. See Scaling your system on page 366.

Event Server

Major

Minor/moderate

Major

Cache Server

Minor/moderate

Job Servers

Major

Minor/moderate

Major

BusinessObjects Enterprise Deployment and Configuration Guide

349

15

Improving Performance Resolving performance issues

Server type Desktop Intelligence Report Server

Performance risk

Solutions

Minor/moderate

If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying Desktop Intelligence Report Server performance settings on page 356. If the number of concurrent active users exceeds 25, install addition servers. See Scaling your system on page 366. If the number of concurrent active users does not exceed 25, try changing the settings. See Modifying performance settings for the Web Intelligence Report Server on page 357. If the number of concurrent active users exceeds 25, install addition servers. See Increasing Web Intelligence document processing capacity on page 368. If the problem seems to be related to database access, see Modifying database settings for the RAS on page 360. To adjust the Report Application Servers settings for connection idle time and the maximum number of simultaneous threads, see Modifying performance settings for the RAS on page 362. If your users run more than 200 simultaneous requests, install additional Report Application Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369. You can change how a Page Server handles data and user connections by fine-tuning its settings. See Modifying Page Server performance settings on page 363. If the Page Server is handling more than 400 simultaneous viewing sessions, install more Page Servers. For more information, see Increasing on-demand viewing capacity for Crystal reports on page 369.

Web Intelligence Report Server

Major

Minor/moderate

Major

Report Application Server

Minor/moderate

Major

Page Server

Minor/moderate

Major

350

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Configuring the intelligence tier for enhanced performance


This section provides instructions for configuring settings for components from the intelligence tier. You can adjust the settings to account for minor and moderate performance issues. Note: For more information about the intelligence tier, see Intelligence tier on page 37. Configuring the intelligence tier includes:

Configuring the CMS on page 351 Modifying the polling time of the Event Server on page 351 Configuring the File Repository Servers on page 352 Modifying Cache Server performance settings on page 352

Configuring the CMS


Because the CMS manages the entire system, problems that appear to be CMS issues are often caused by the server components managed by the CMS. It is good practice to check the performance of all other services before changing the CMS settings or adding and clustering new CMS services. For information about changing CMS settings, see Configuring the application tier on page 108. For information about configuring and clustering CMS servers, see Clustering Central Management Servers on page 114

Modifying the polling time of the Event Server


The Properties tab of the Event Server allows you to change the frequency with which the Event Server checks for file events. This File Polling Interval in Seconds setting determines the number of seconds that the server waits between polls. The minimum value is 1 (one). It is important to note that, the lower the value, the more resources the server requires. Tip: On Windows, you can also change this setting in the CCM. Stop the Event Server and view its Properties. Then click the Configuration tab. 1. 2. 3. 4. To modify the polling time Go to the Servers management area of the CMC. Click the link to the Event Server whose settings you want to change. Make your changes on the Properties tab. The value that you type must be 1 or greater. Click Update.

BusinessObjects Enterprise Deployment and Configuration Guide

351

15

Improving Performance Resolving performance issues

5.

Return to the Servers management area of the CMC.

Configuring the File Repository Servers


The Properties tabs of the Input and Output File Repository Servers allow you to set the maximum idle time. For more information, see Setting root directories and idle times of the File Repository Servers on page 130.

Modifying Cache Server performance settings


The Properties tab of the Cache Server allows you to set the location of the cache files, the maximum cache size, the maximum number of simultaneous processing threads, the number of minutes before an idle job is closed, and the number of minutes between refreshes from the database. 1. 2. 3. To modify Cache Server performance settings Go to the Servers management area of the CMC. Click the link to the Cache Server whose settings you want to change. Make your changes on the Properties tab. In this example, the Cache Server retains its default settings.

4.

Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

352

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Location of the Cache Files


The Location of the Cache Files setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored. Note: The cache directory must be on a drive that is local to the server.

Maximum Cache Size Allowed


The Maximum Cache Size Allowed setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 Kbytes, which is large enough to optimize performance for most installations.

Maximum Simultaneous Processing Threads


The Maximum Simultaneous Processing Threads setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to Automatic, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide. If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance. However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Minutes Before an Idle Connection is Closed


The Minutes Before an Idle Connection is Closed setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed.

BusinessObjects Enterprise Deployment and Configuration Guide

353

15

Improving Performance Resolving performance issues

Share Report Data Between Clients


This setting appears only for Desktop Intelligence servers. Select to allow users to share data from Desktop Intelligence documents with other users.

Viewer Refresh Always Yields Current Data


When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the Minutes Between Refreshes from Database setting.

Oldest On-Demand Data Given To a Client (in minutes)


The Oldest On-Demand Data Given To a Client (in minutes) setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.

Always Share Report Jobs


This setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default.

Amount of Cache to Keep When Document Cache is Full


This setting appears only for the Desktop Intelligence Cache Server. Select a percentage of the cache to keep. This setting helps reduce the load on the Cache Server if you have a large deployment.

Configuring the processing tier for enhanced performance


This section provides instructions for configuring settings for components from the processing tier. You can adjust the settings to account for minor and moderate performance issues. Note: For more information about the processing tier, see Processing tier on page 41. Configuring the processing tier includes:

Modifying performance settings for job servers on page 355

354

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Modifying Desktop Intelligence Report Server performance settings on page 356 Modifying performance settings for the Web Intelligence Report Server on page 357 Modifying database settings for the RAS on page 360 Modifying performance settings for the RAS on page 362 Modifying Page Server performance settings on page 363

Modifying performance settings for job servers


By default, the job servers run jobs as independent processes rather than as threads. This method allows for more efficient processing of large, complex reports. Use the following procedure to modify the performance settings for any of the job servers, that is the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and the Web Intelligence Job Server. 1. 2. 3. 4. 5. To modify performance settings for job servers Go to the Servers management area of the CMC. Click the link to the job server whose settings you want to change. Make your changes on the Properties tab. Click Update. Return to the Servers management area of the CMC.

Maximum Jobs Allowed


The Maximum Jobs Allowed setting limits the number of concurrent independent processes (child processes) that the server allowsthat is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment. The default Maximum Jobs Allowed setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

BusinessObjects Enterprise Deployment and Configuration Guide

355

15

Improving Performance Resolving performance issues

Temp Directory
You can also change the default directory where the server stores its temporary files.

Modifying Desktop Intelligence Report Server performance settings


The Properties tab of the Desktop Intelligence Report Server in the Central Management Console allows you to configure many of the same settings as the Page Server, plus additional report sharing settings. 1. 2. 3. 4. To modify Desktop Intelligence Report Server performance settings Go to the Servers management area of the CMC. Click the link to the Desktop Intelligence Report Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

Share Report Data Between Clients


This setting appears only for Desktop Intelligence server. Select to allow users to share data from Desktop Intelligence documents with other users.

Viewer Refresh Always Yields Current Data


When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the Minutes Between Refreshes from Database setting.

Oldest On-Demand Data Given To a Client (in minutes)


The Oldest On-Demand Data Given To a Client (in minutes) setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.

356

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Always Share Report Jobs


This setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default. For more information on other settings, see Modifying Page Server performance settings on page 363.

Modifying performance settings for the Web Intelligence Report Server


Use the following procedure to configure the performance settings for the Web Intelligence Report Server. 1. 2. 3. 4. To modify performance settings for the Web Intelligence report server Go to the Servers management area of the CMC. Click the link to the Web Intelligence Report Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:


5.

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

Return to the Servers management area of the CMC and restart the Job Server.

BusinessObjects Enterprise Deployment and Configuration Guide

357

15

Improving Performance Resolving performance issues

Maximum Simultaneous Connections


The maximum number of simultaneous connections that the server allows at one time, from sources such the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request.

Connection Time Out


The number of minutes before an idle connection to the Web Intelligence Report Server will be closed.

List of Values Batch Size


The maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less. The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000.

Universe Cache Size


The number of universes to be cached on the Web Intelligence Report Server.

358

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

List of Values Caching


Enables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on.

Enable Viewing Caching


When this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job. When this parameter is off both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents is impossible. Real-time caching is done only if both this parameter and the Enable Real Time Caching parameters are on.

Enable Real Time Caching


When this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document. When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job. This parameter is taken into account only when the Enable Viewing Caching is set to on. Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option deselected.

Document Cache Duration


The amount of time (in minutes) that content is stored in cache.

Document Cache Size


The size (in kilobytes) of the document cache.

Amount of Cache To Keep When Document Cache is Full


If the storage size is bigger than the allocated storage size, the system will delete documents with the oldest last accessed time. Then if the cache size is still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached.

BusinessObjects Enterprise Deployment and Configuration Guide

359

15

Improving Performance Resolving performance issues

Document Cache Scan Interval


The number of minutes that the system waits before checking the document cache for cleanup.

Maximum Number of Downloaded Documents To Cache


The number of Web Intelligence documents that can be stored in cache. Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected.

Modifying database settings for the RAS


The Database tab of the Report Application Server (RAS) in the Central Management Console lets you modify the way the server runs reports against your databases. 1. 2. 3. 4. To modify database interaction settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Database tab. Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.

Number of database records to read when previewing or refreshing a report


The Number of database records to read when previewing or refreshing a report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets. When the RAS retrieves records from the database, the query results are returned in batches. The Number of records per batch setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero.

360

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Number of records to browse


The Number of records to browse setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular fields values. The data will be retrieved first from the clients cacheif it is availableand then from the servers cache. If the data is not in either cache, it is retrieved from the database.

Oldest on-demand data given to a client (in minutes)


The Oldest on-demand data given to a client (in minutes) setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the oldest on-demand data given to a client consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting.

Report Job Database Connection


The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. If you select Disconnect when all records have been retrieved or the job is closed, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS. However, if the RAS needs to reconnect to the database to generate an ondemand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that RAS stays connected to the database server until the report job is closed.)

BusinessObjects Enterprise Deployment and Configuration Guide

361

15

Improving Performance Resolving performance issues

Modifying performance settings for the RAS


The Server tab of the Report Application Server (RAS) in the Central Management Console allows you to modify the number of minutes before an idle connection is closed, and the maximum number of simultaneous processing threads. Note: The RAS server must have been installed and configured in order to use the List of Values Job Server. For more information, see Processing tier on page 41. 1. 2. 3. 4. To modify performance settings for the RAS Go to the Servers management area of the CMC. Click the link to the RAS whose settings you want to change. Make your changes on the Server tab. Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.

Minutes Before an Idle Connection is Closed


The Minutes Before an Idle Connection is Closed setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely, and setting a value that is too high can affect the servers scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close). Maximum Simultaneous Report Jobs The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way.

362

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Modifying Page Server performance settings


The Properties tab of the Page Server in the Central Management Console lets you set the location of temporary files, the maximum number of simultaneous report jobs, the minutes before an idle connection is closed, the minutes before a processing job is closed, the number of database records to read when previewing or refreshing a report, the oldest processed data to give a client, and when to disconnect from the report job database. Note: For Desktop Intelligence documents, Page Server features are handled by the Desktop Intelligence Report Server. 1. 2. 3. 4. To modify Page Server performance settings Go to the Servers management area of the CMC. Click the link to the Page Server whose settings you want to change. Make your changes on the Properties tab. Click either Apply or Update:

Click Apply to submit changes and restart the server so that the changes take effect immediately. Click Update to save the changes. You must restart the server for the changes to take effect.

BusinessObjects Enterprise Deployment and Configuration Guide

363

15

Improving Performance Resolving performance issues

Location of Temp Files


The Location of Temp Files setting specifies the absolute path to a directory on the Page Server machine.This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail.

Maximum Simultaneous Report Jobs


The Maximum Simultaneous Report Jobs setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Minutes Before an Idle Connection is Closed


The Minutes Before an Idle Connection is Closed setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a

364

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

value too low can cause a users request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.

Minutes before an Idle Report Job is Closed


The Minutes before an Idle Report Job is Closed setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a users request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the Report Job Database Connection setting.)

Database Records to Read When Previewing Or Refreshing a Report


The Database Records to Read When Previewing Or Refreshing a Report area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries.

Oldest On-Demand Data Given to a Client (in minutes)


The Oldest On-Demand Data Given To a Client (in minutes): setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the oldest processed data given to a client consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0.

Viewer Refresh Always Yields Current Data


When enabled, the Viewer Refresh Always Yields Current Data setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When

BusinessObjects Enterprise Deployment and Configuration Guide

365

15

Improving Performance Resolving performance issues

disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests.

Report Job Database Connection


The Report Job Database Connection settings can be used to make a tradeoff between the number of database licenses you use and the performance you can expect for certain types of reports. If you select Disconnect when all records have been retrieved or the job is closed, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected Disconnect when the job is closed. (The latter option ensures that Page Server stays connected to the database server until the report job is closed. Note that you can set the Minutes before a Report Job is Closed above.)

Scaling your system


The BusinessObjects Enterprise architecture allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations. For information about adding and deleting servers from your BusinessObjects Enterprise installation, see Adding and deleting servers on page 105 This section provides information about system scalability and the BusinessObjects Enterprise servers that are responsible for particular aspects of your system. Each subsection focuses on one aspect of your systems capacity, discusses the relevant components, and provides a number of ways in which you might modify your configuration accordingly. Before modifying these aspects of your system, it is strongly recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment. General scalability considerations include the following:

366

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Increasing overall system capacity on page 367 Increasing scheduled reporting capacity on page 367 Increasing on-demand viewing capacity for Crystal reports on page 369 Increasing prompting capacity on page 369 Enhancing custom web applications on page 370 Improving web response speeds on page 371 Getting the most from existing resources on page 371

Increasing overall system capacity


As the number of report objects and users on your system increases, you can increase the overall system capacity by clustering two (or more) Central Management Servers (CMS). You can install multiple CMS services/daemons on the same machine. However, to provide server redundancy and faulttolerance, you should ideally install each cluster member on its own machine. CMS clusters can improve overall system performance because every BusinessObjects Enterprise request results, at some point, in a server component querying the CMS for information that is stored in the CMS database. When you cluster two CMS machines, you instruct the new CMS to share in the task of maintaining and querying the CMS database. For more information, see Clustering Central Management Servers on page 114.

Increasing scheduled reporting capacity


Increasing Crystal reports processing capacity
All Crystal reports that are scheduled are eventually processed by a Job Server. You can expand BusinessObjects Enterprise by running individual Report Job Servers on multiple machines, or by running multiple Report Job Servers on a single multi-processor machine. If the majority of your reports are scheduled to run on a regular basis, there are several strategies you can adopt to maximize your systems processing capacity:

Install the Job Server in close proximity to (but not on the same machine as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.

BusinessObjects Enterprise Deployment and Configuration Guide

367

15

Improving Performance Resolving performance issues

Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time. If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources. Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).

Increasing Web Intelligence document processing capacity


All Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine. When running multiple Web Intelligence Report Servers, you dont need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers. Note: When deciding whether to increase the number Web Intelligence Report Servers, keep in mind that Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers, the Report Job Server, the Cache Server and Page Server.

368

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Increasing on-demand viewing capacity for Crystal reports


When you provide many users with View On Demand access to reports, you allow each user to view live report data by refreshing reports against your database server. For most requests, the Page Server retrieves the data and performs the report processing, and the Cache Server stores recently viewed report pages for possible reuse. However, if users use the Advanced DHTML viewer, the Report Application Server (RAS) processes the request. If your reporting requirements demand that users have continual access to the latest data, you can increase capacity in the following ways:

Increase the maximum allowed size of the cache. For details, see Modifying Cache Server performance settings on page 352. Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database servers resources to group data, incorporating parameter fields, and so on. For more information, see the Designing Optimized Web Reports section in the Crystal Reports Users Guide (version 8.5 and later). Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine. Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.

Increasing prompting capacity


When reports use a list of values, the RAS processes on-demand list-ofvalues objects for the report when the report is being viewed. Scheduled listof-values objects are processed by the List of Values Job Server without using RAS.

BusinessObjects Enterprise Deployment and Configuration Guide

369

15

Improving Performance Resolving performance issues

To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-ofvalues objects to be processed by the RAS server group.

Delegating XSL transformation to Internet Explorer


If your users access InfoView via the Internet Explorer 6.0 browser, you can instruct the Web Intelligence Report Server to delegate the transformation of XML to XSL to the browser. This substantially decreases the load on the server, primarily during document display, but also during display of the portal itself. By default, the XSL transformation delegation is not activated. 1. To delegate XSL transformation to the browser for document display: On the application server, set the CLIENT_XSLT variable in webiviewer.properties, located in the WEB-INF\classes subfolder of the application server as follows:
CLIENT_XSLT=Y

2.

Restart the application server.

Enhancing custom web applications


If you are developing your own custom desktops or administrative tools with the BusinessObjects Enterprise Software Development Kit (SDK), be sure to review the libraries and APIs. You can now, for instance, incorporate complete security and scheduling options into your own web applications. You can also modify server settings from within your own code in order to further integrate BusinessObjects Enterprise with your existing intranet tools and overall reporting environment. To improve the scalability of your system, consider distributing administrative efforts by developing web applications for delegated content administration. You can grant select users the ability to manage particular BusinessObjects Enterprise folders, content, users, and groups on behalf of their team, department, or regional office. In addition, be sure to check the developer documentation available on your BusinessObjects Enterprise product CD for performance tips and other scalability considerations. The query optimization section in particular provides some preliminary steps to ensuring that custom applications make efficient use of the query language.

370

BusinessObjects Enterprise Deployment and Configuration Guide

Improving Performance Resolving performance issues

15

Improving web response speeds


Because all user interaction with BusinessObjects Enterprise occurs over the Web, you may need to investigate a number of areas to determine exactly where you can improve web response speeds. These are some common aspects of your deployment that you should consider before deciding how to expand BusinessObjects Enterprise:

Assess your web servers ability to serve the number of users who connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web servers hardware. If web response speeds are slowed only by report viewing activities, see Increasing scheduled reporting capacity on page 367 and Increasing on-demand viewing capacity for Crystal reports on page 369. Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see Increasing overall system capacity on page 367.

If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:

Increase the hardware resources that are available to the application server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine.

Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.

Getting the most from existing resources


One of the most effective ways to improve the performance and scalability of your system is to ensure that you get the most from the resources that you allocate to BusinessObjects Enterprise.

Optimizing network speed and database efficiency


When thinking about the overall performance and scalability of BusinessObjects Enterprise, dont forget that BusinessObjects Enterprise depends upon your existing IT infrastructure. BusinessObjects Enterprise uses your network for communication between servers and for communication between BusinessObjects Enterprise and client machines on your network. Make sure that your network has the bandwidth and speed

BusinessObjects Enterprise Deployment and Configuration Guide

371

15

Improving Performance Resolving performance issues

necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information. BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.

Using the appropriate processing server


When users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server rather than the Page Server and Cache Server. The Report Application Server is optimized for report modification. For simple report viewing you can achieve better system performance if users select the DHTML viewer, the Active X viewer, or the Java viewer. These report viewers process reports against the Page Server. If the ability to modify reports is not needed at your site, you can disable the Advanced DHTML viewer for all users of BusinessObjects Enterprise. 1. 2. 3. 4. Disabling the Advanced DHTML Viewer In the Central Management Console, select Business Objects Applications. Select Web Desktop. On the Properties tab, go to the Viewers area. Clear the option labeled Allow users to use the Advanced DHTML Viewer. Click Update.

Optimizing BusinessObjects Enterprise for report viewing


BusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing a report on demand or when refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to provide report pages to subsequent users of the same report while greatly improving overall system performance under load. However, to get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see old data when they view a report on demand, or refresh a report instance that they are viewing. For details on data sharing options for reports, see the BusinessObjects Enterprise Administrators Guide. For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning section in the BusinessObjects Enterprise Installation Guide.

372

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting

chapter

16

General Troubleshooting Troubleshooting overview

Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This section includes general troubleshooting steps along with solutions to some specific configuration issues. In general, consider the following key points when troubleshooting:

Ensure that client and server machines are running supported operating systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution. Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur. On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.

Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.

If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and Web accessibility issues on page 375. If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see TReport viewing and processing issues on page 383. Look for solutions in the documentation included with your product. For details, see Documentation resources on page 375. Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles: http://support.businessobjects.com/

374

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Documentation resources

16

Documentation resources
The BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details. BusinessObjects Enterprise also includes a number of manuals. CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView. Additional Compiled HTML Help (CHM) files are provided with the following client tools:

Central Configuration Manager Publishing Wizard Repository Migration Wizard Import Wizard Crystal Report Offline Viewer

Press F1 or click Help to launch the online help from within these applications.

Web accessibility issues


Using an IIS web site other than the default
On Windows, the BusinessObjects Enterprise installation creates virtual directories on the Internet Information Server (IIS) Default Web Site unless you specify to use a different site during the installation. If you are using a different site, but forgot to specify it during the installation, you must copy the virtual directory configuration from the default web site to the web site you are using. BusinessObjects Enterprise also sets up several application mappings on the default site. These can be viewed and copied from the default web site to the web site you are using. Restart the web server once you have made these changes. For more information, see BusinessObjects Enterprise Installation Guide.

BusinessObjects Enterprise Deployment and Configuration Guide

375

16

General Troubleshooting Web accessibility issues

.NET CSP and ASP pages display code


In a BusinessObjects Enterprise XI .NET installation, all ASP and CSP encoded web pages are not rendered. Instead, the actual code is displayed. This situation may happen when there is a problem with the .NET Framework. To fix a problem, re-register the .NET Framework with with the website. Registering the .NET Framework 1. 2. 3. To re-rigster the .NET Framework Open command prompt window. Go to the directory where .NET is installed. For example:
c:\winnt\microsoft.NET\Framework\v.1.1.4322

Enter the command applies to your deployment.

If you have multiple web sites on IIS, in addition to those running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -c C:\<Installdir> If IIS is only running BusinessObjects Enterprise, type the following: aspnet_regiis.exe -i

Unable to access the CMS from thick client


When you use a thick client application such as Crystal Reports, Designer, or Business View Manager attempts to establish a connection to a CMS configured to communicate via SSL, you receive a Transport Error message. This error message appears because the thick client application is not using the Secure Sockets Layer (SSL) to connect to an Enterprise deployment configured to use Server to Server SSL. To resolve this error message, run the SSLConfig utility on the client computer. 1. To configure the thick client to use SSL On the server with the CMS, type the following command:
SSLConfig.exe -display

The output should be similar to this:


********************** COM/.Net SDK ********************** '==Begin Current SSL Settings === CommunicationProtocol = ssl SSLCertDirectory = C:/SSL SSLCertificate = servercert.der

376

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

SSLTrustCertificate = cacert.der SSLKey = server.key SSLPassphrase = passphrase.txt '== End Current SSL Settings ===

2. 3. 4.

Copy the files from this location and add them to the appropriate folder (UNC or Local). Copy the SSLConfig.exe utility to a location on the client computer and open a command prompt to the directory where you copied the file. Type the following command and replace the variable with the specifics from the SSL configuration you displayed in a previous step:
"SSLCONFIG -dir <certdir> -mycert <sdkcert> -rootcert <rootcert> -mykey <privatekey> -passphrase <passphrase> -protocol <protocol>"

Tip: If your configuration was identical to the sample output from step 1, you would enter the command as follows:
SSLCONFIG -dir C:/SSL -mycert servercert.der rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl

Note: If any of your directories contain spaces, be sure to enclose the path with a double quotation marks.

Unable to View .NET InfoView or CMC


After installing BusinessObjects Enterprise XI R2 on Microsoft 2003 server with IIS 6, you are not able to view the .NET InfoView. Instead of the InfoView or CMC Sign-on page, you see the message The page cannot be displayed. This error can occur if the ASP.NET component of IIS application server is not installed. See Determining if the IIS 6.0 ASP.NET component is installed on page 377 for procedural details.

Determining if the IIS 6.0 ASP.NET component is installed


1. 2. 3. 4. 5. To verify that the ASP.NET component is installed From the Start menu, select Settings >Control Panel. Select Add or Remove Programs. Select Add/Remove Windows Components. Select Application Server, and then click Details. Check whether the check box beside ASP.NET is selected.

If the box is checked, ASP.NET is installed. If the box is clear, check the box and then click OK.

BusinessObjects Enterprise Deployment and Configuration Guide

377

16

General Troubleshooting Web accessibility issues

6. 7. 8.

Click Next. The component will be installed. Click Finish. If you have changed the configuration for IIS, restart IIS.

Changing the connect port used by Tomcat


During the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat. 1. 2. To change the Tomcat connect port Stop Tomcat. Open the server.xml file for Tomcat in a text editor. On Windows, this file can normally be found in the following directory: C:\Program Files\Business Objects\Tomcat\conf 3. Locate the following string:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />

4. 5.

Change port 8080 to an available port number. Save and close the file.

378

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

Unable to connect to CMS when logging on to the CMC


If you attempt to log on to the CMC while the Central Management Server (CMS) is not running, the following error message appears:
Unable to connect to CMS (<servername>) to retrieve cluster members. Logon can not continue.

Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)

Unable to open a report from InfoView


When running BusinessObjects Enterprise on Windows 2003 with IIS, you receive the following error when you load a Report:
Failed to read data from report file C:\WINDOWS\TEMP\tmp.rpt. Reason: Failed to open print engine for C:\WINDOWS\TEMP\tmpreport\<report>. Ensure that CRPE32 is installed on this computer.

This error message occurs on Windows 2003 computers running IIS version 6.0 where the default application pool is running under the Network Service Account. However, the Network Service Account does not have sufficient rights to the files and registry needed to create a copy of the report in the enterprise system. To resolve this error message, use the Local System Account to run the default application pool as this account has sufficient rights. 1. 2. 3. 4. 5. 6. 7. 8. To run IIS under Local System account Open the IIS Console. Expand the Application Pools folder. Right-click DefaultAppPool, and then click Properties. Click the Identity tab. Ensure the Predefined radio button is selected. Select the Local System account from the drop-down list. Click OK. Restart IIS.

BusinessObjects Enterprise Deployment and Configuration Guide

379

16

General Troubleshooting Web accessibility issues

Single sign-on from an IE Windows 2000 client fails


After configuring Single Sign-On (SSO) for BusinessObjects Enterprise XI, trying to connect to InfoView from a Windows 2000 client computer results in a logon prompt. Both Windows 2003 and Windows XP client computers work correctly and do not display a logon prompt. This problem occurs because the following option has not been selected on the version of Internet Explorer that comes with Windows 2000: Enable Integrated Windows Authentication 1. 2. 3. 4. 5. To change the Internet Options to allow SSO Open Internet Explorer. From the Tools menu, select Internet Options. Click the Advanced tab. Scroll down to Security Options. Select Enable Integrated Windows Authentication, and then click OK.

Windows NT authentication cannot log you on


When you attempt to log on to the Central Management Console (CMC) or to InfoView, the following error occurs:
NT Authentication could not log you on. Please make sure your logon information is correct. If your account is in any domain other than "DOMAIN NAME" you must enter your user name as DomainName\UserName.

This error may occur for various reasons. Investigate these common solutions:

Ensure that the specified authentication type corresponds to the user name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise. Netscape users must provide a valid Windows NT user name in the form of Domain\User. Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS. If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user

380

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.

The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.

Mapped AD user unable to log on to CMC or InfoView


A users Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:

DOMAIN\ABC123

This problem, which happens with with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same either in case or otherwise. Following are two examples which may cause a problem:

The UPN is abc123@company.com but the SAM name is DOMAIN\ABC123. The UPN is jsmith@company but the SAM name is DOMAIN\johnsmit Have users log in using UPN rather than SAM name. Ensure the SAM account name and the UPN name is the same.

There are two ways to address this problem:

Unable to sign on with AD and Kerberos


A users who is A users Active Directory ID has successfully has been mapped to BusinessObjects Enterprise. However, when they open InfoView in IIS and attempt to log on, they receive the following message:
An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.

This problem can happen for two reasons:

Because the web.config file used by IIS has not been configured properly. Because IIS has not been configured properly.

BusinessObjects Enterprise Deployment and Configuration Guide

381

16

General Troubleshooting Web accessibility issues

Follow these steps to resolve this problem. Modify either of the following web.conf file based on what you want to configure for AD and Kerberos. To configure both the CMC and InfoView configure the web.config file in the Web Content directory; To configure only InfoView , configure the web.config file in the InfoView directory. 1. To configure the web.config for AD and Kerberos Open the appropriate Web.config file from either of the following locations:


2. 3. 4. 5. 6. 1. 2. 3. 4. 5. 6. 7. 8.

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\ C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

Locate the following line in the <system.web> block:


<Authentication mode="None" />

Replace None with Windows.


<Authentication mode="Windows" />

Add the following line:


<identity impersonate="true" />

Save and close the web.config. Restart IIS. To modify the security setting on IIS From the Windows Administrative Tools program group, click Computer Management. Expand Services and Applications. Expand Internet Information Services. Expand the web site that runs your BusinessObjects Enterprise applications. Right-click businessobjects, and then select Properties. Click on the Directory Security tab. In the Anonymous access and authentication control area of the page, click Edit. Ensure the following check boxes are cleared:


9.

Anonymous access Basic authentication

Ensure Integrated Windows authentication is selected.

382

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

10. Click OK. 11. Click OK. 12. Repeat the procedure starting from step 6 for crystalreportvewiers115 and styles. 13. Restart your IIS server.

TReport viewing and processing issues


When troubleshooting reports, it is especially useful to determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another. If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration. In particular, check the database client configurations, the drivers and versions, and the accounts under which the processing servers are running. If the reports are based off ODBC data sources, compare the ODBC driver versions, the DSN configurations, and the versions of the MDAC layer. Check to see if the Page Server or Job Server is running under an account that has the appropriate access rights to the report database server. If the report database server is on a remote machine, change the Page Server or Job Server to use a valid domain account with enough rights to view or process the report. If you follow these steps and the problem persists, contact Business Objects technical support. Before you call, take note of the database client and version you are running, the database server version that you are connecting to, and the driver name and version that you are using to connect.

Troubleshooting reports with Crystal Reports


On Windows, you can install Crystal Reports on all Job Server, Page Server, and RAS machines in order to speed up the troubleshooting of reports and database connectivity. In this way, you use Crystal Reports to simulate the steps that are performed by the BusinessObjects Enterprise processing servers when a scheduled report is processed, or when a report is viewed on demand over the Web. By locating the step where Crystal Reports is unable to open, refresh, or save the report, you may be able to locate the source of the problem. Note: The exact steps and menu options may differ, depending on your version of Crystal Reports.

BusinessObjects Enterprise Deployment and Configuration Guide

383

16

General Troubleshooting Web accessibility issues

1.

To troubleshoot a report Start Crystal Reports on the appropriate machine:

If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server. If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server. If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS. If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.

2.

Open the report from the CMS. On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.

3.

Test your database connection and authentication. On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.

4.

If the reports parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error. Verify that the tables used in the report match the tables in the database. On the File menu, clear the Save Data with Report check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.

5.

6.

Refresh the report and, if current data is not returned from the database, check these possible causes:

If the report fails, ensure that the database credentials provide READ rights to all tables in the report. If the database credentials are valid, the reports SQL statement is evaluated at this time. Check the join information. Note any ODBC errors that are produced.

384

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.

7.

Go to the last page of the report. Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).

8.

Export the report to Crystal Reports format (or any other desired format). This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.

9.

If the report now refreshes successfully, save it back to the CMS.

10. Close the report. 11. Close Crystal Reports. 12. Repeat the activity that caused the original report to fail: view the report on demand over the Web, or schedule the report for processing.

Images and charts not displayed


After single sign-on has been enabled in BusinessObjects Enterprise XI, images or charts are not displayed in the reports when viewed with the DHTML or ActiveX viewer. This behavior may occur because the temporary image file cannot be accessed by the account under which the IIS application pool is running. To fix this problem, ensure that the service account has modif' rights to the following directory:
C:\Windows\Temp

Troubleshooting reports and looping database logon prompts


A common issue when viewing reports over the Web is a persistent database logon prompt that is displayed repeatedly by the users browser. Regardless of the credentials provided by the user, the report will not display. This problem is typically caused by the configuration of the Page Server or the Report Application Server (RAS). This section provides a series of troubleshooting steps that should resolve this problem and others that are specific to reports and database connectivity. 1. To troubleshoot reports and looping database logon prompts Verify the report with Crystal Reports.

BusinessObjects Enterprise Deployment and Configuration Guide

385

16

General Troubleshooting Web accessibility issues

Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see Troubleshooting reports with Crystal Reports on page 383. 2. Change the servers logon account. BusinessObjects Enterprise servers require access to various local and/ or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a servers logon account, see Configuring Windows processing servers for your data source on page 140. Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services. 3. Verify the servers access to ODBC Data Source Names (DSNs). Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report. If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI

Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see Configuring Windows processing servers for your data source on page 140. 4. Determine the configuration of the database client software. If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below
HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot

use the database client software to communicate with the database. 5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS.

386

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each servers logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see the BusinessObjects Enterprise Deployment and Configuration Guide. 6. Check whether or not NT authentication is performed by the database. If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each servers logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass endusers NT tokens through to the database server.) To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication. 7. Check the available environment variables. Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details. 8. Reference remote data sources with UNC paths. Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see Ensuring that server resources are available on local drives on page 388. 9. Ensure that you have enough database client licenses. If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database. 10. Check that database connections are closed in a timely fashion.

BusinessObjects Enterprise Deployment and Configuration Guide

387

16

General Troubleshooting Web accessibility issues

If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the Minutes Before an Idle Job is Closed setting, see Modifying Page Server performance settings on page 363. 11. Use multi-threaded database drivers. Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes. 12. Check for problems with particular data sources. If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base. IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients. If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.

Ensuring that server resources are available on local drives


When the BusinessObjects Enterprise servers are running on Windows, many can be configured to use specific directories to store files. For example, you can specify the root directory for each File Repository Server, the temporary directories for the Cache and Page Servers, or the directory from which the Job Servers load processing extensions. In all cases, the directory that you specify must be on a local drive (such as C:\InputFRS or C:\Cache). Do not use Universal Naming Convention (UNC) paths or mapped drives. Although some BusinessObjects Enterprise servers can recognize and use UNC paths, do not configure the servers to access network resources in this manner. Use local drives instead, because UNC paths can limit performance due to limitations in the underlying protocol.

388

BusinessObjects Enterprise Deployment and Configuration Guide

General Troubleshooting Web accessibility issues

16

Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see Configuring Windows processing servers for your data source on page 140. Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on. Note: Changing a servers log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that account. Instead, the servers perform account impersonation. This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).

Page Server error when viewing a report


When you attempt to run or preview a report, the following error message appears:
There are no Page Servers connected to the Cache Server or all the connected Page Servers are disabled. Please try to reconnect later. [On Page Server : <servername>.Cacheserver]

This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)

BusinessObjects Enterprise Deployment and Configuration Guide

389

16

General Troubleshooting InfoView considerations

InfoView considerations
Supporting users in multiple time zones
Avoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.

Setting default report destinations


By default, a report's destination that is set in the CMC will be the selected destination when a report is scheduled in InfoView. A user can also select alternate destinations in InfoView by updating the Destination option. Note that the destination set in InfoView applies only to the scheduled instance. Thus, when a user schedules another instance in InfoView, the destination that is set in the CMC will be selected, unless the user changes the Destination option. If the user selects the Default destination setting in InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC.

Import Wizard
Unable to import users from BusinessObjects 6.5
When using the Import Wizard, you get the following error after you enter your BusinessObjects 6.5 credentials:
"Error logging on to server. Please check logon information and try again. Unspecified error."

This error occurs because you because your new server that hosts BusinessObjects Enterprise does not have the same System DSN used on the BusinessObjects 6.x system. To fix this problem, create an exact copy of the System DSN used for the security domain on the BusinessObjects 6.x on the new destination BusinessObjects Enterprise machine.

390

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing

chapter

17

Managing Auditing How does auditing work?

How does auditing work?


The Central Management Server (CMS) acts as the system auditor, while each BusinessObjects Enterprise server that controls actions that you can monitor is an auditee. To audit an action in BusinessObjects Enterprise, there are a few steps you must complete:

You must configure the auditing database. If you installed Auditor, and provided the authentication details for your auditing database when you installed BusinessObjects Enterprise, you have already configured the auditing database. If you did not install Auditor, you must configure the auditing database before you can use Auditor. For step by step instructions, see Configuring the auditing database on page 393. Note: Auditor is installed by default when you install and use a keycode that authorizes you to Auditor, unless you cleared the Auditing Database check box during the install, or did a custom install and specifically excluded Auditor.

You must first determine which server controls that action. To determine which server controls an action, see Reference list of auditable actions on page 395. You must enable auditing of that action in the Servers management area of the Central Management Console (CMC). For step by step instructions, see Enabling auditing of user and system actions on page 399. You must configure the universe connection. The auditing reports are written against the Activity universe, this universe connection must be configured so it can connect to the auditing database. For step by step instructions, see Configuring the universe connection on page 401.

As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file. As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditees local log files. When the CMS receives these records it writes data from the log files to the central auditing database.

392

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Configuring the auditing database

17

The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions. Once the data is in the auditing database, you can run the sample reports against the database or design custom reports to suit your own needs.

Configuring the auditing database


If you entered the authentication details for your auditing database when you installed Auditor, your auditing database is already configured and connected to your Central Management Server (CMS). If you did not enter the authentication details for your auditing database when you installed, you must configure your CMS to connect to an auditing database. You can use any database server supported for the CMS system database for your auditing database. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. If you plan to use MySQL for your auditing database, you will require version 3.51 of the MySQL Connector/ODBC (MyODBC) driver. If you do not already have this installed, you can download it from the following location:
http://dev.mysql.com/downloads/connector/odbc/3.51.html

It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information. Note:

The CMS system database and the auditing database are independent. If you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers. If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See Clustering Central Management Servers on page 114 for more information on setting up CMS clusters.)

BusinessObjects Enterprise Deployment and Configuration Guide

393

17

Managing Auditing Configuring the auditing database

1. 2. 3. 4.

To configure the auditing database on Windows Start the Central Configuration Manager (CCM). Stop the CMS. Click Specify Auditing Data Source. In the Select Database Driver dialog box, specify whether you want to connect to the new database through SQL Server (ODBC), or through one of the native drivers. Click OK. The remaining steps depend upon the connection type you selected:

5. 6.

If you selected ODBC, the Windows Select Data Source dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new Data Source Name (DSN).) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK. If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.

The SvcMgr dialog box notifies you when the auditing database setup is complete. 7. 8. Click OK. Start the CMS. When the CMS starts, it will create the auditing database.

Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select Write server audit information to specified data source, and then click Specify. To configure the auditing database on UNIX For more information on UNIX scripts, see UNIX Tools on page 473. 1. 2. Use ccm.sh to stop the CMS. Run cmsdbsetup.sh.

394

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Configuring the auditing database

17

3. 4. 5. 6.

Choose the selectaudit option, and then supply the requested information about your database server. Run serverconfig.sh. Choose the Modify a server option. Select the CMS, and enable auditing. Enter the port number of the CMS when prompted (the default value is 6400).

Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database. Note:

The CMS acts as both an auditor and as an auditee when you configure it to audit an action that the CMS itself controls. In a CMS cluster, the cluster will nominate one CMS to act as system auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.

Which actions can I audit?


You can audit the actions of individual users of BusinessObjects Enterprise as they log in and out of the system, access data, or create file-based events. You can also monitor system actions like the success or failure of scheduled objects. For each action, BusinessObjects Enterprise records the time of the action, the name and user group of the user who initiated the action, the server where it was performed, and a variety of other parameters more fully documented in Reference list of auditable actions on page 395.

Reference list of auditable actions


This section contains the list of the audit actions you can enable in BusinessObjects Enterprise. It is organized according to the types of actions that you can audit, to help you find the server where you enable auditing of these actions. Note: The list of auditable actions for Desktop Intelligence only apply when the documents are created and modified from within BusinessObjects Enterprise. For more information about the actions that are audited, and the data that is recorded for each audit action, see the Auditing database schema reference on page 416.

BusinessObjects Enterprise Deployment and Configuration Guide

395

17

Managing Auditing Configuring the auditing database

User Actions
Actions Objects An object is created. An object is deleted. An object is modified. A report has been viewed successfully. A report could not be viewed. A report is opened successfully using: the Advanced DHTML viewer. BusinessObjects Enterprise Server CMS

Crystal reports

Cache Server RAS

a custom application that uses RAS SDK.

A report fails to open. A report has been created successfully using: a custom application that uses the RAS SDK. A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK). A report fails to save using a custom application based on the RAS API. Get list of universes. Web Web Intelligence Intelligence A user has begun creating a new Web Report Server documents Intelligence document, which triggers a request to the server for the list of available universes. Save document to repository. A user has saved a Web Intelligence document within BusinessObjects Enterprise. Read Document. User opens an existing Web Intelligence document. Selection of universe.

A user has selected a universe as they create a new Web Intelligence document, or as they edit an existing Web Intelligence document.

396

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Configuring the auditing database

17

Actions

BusinessObjects Enterprise Server

Refresh document. Web Intelligence Web Report Server Intelligence User manually refreshes a Web documents Intelligence document, or the user opens a Web Intelligence document that is set to refresh on open. Edit document. User enters Edit document mode for an existing Web Intelligence document. Apply format.

User applies a formatting change to an existing Web Intelligence document in a query panel.

Get page. Server renders the pages of a Web Intelligence document in response to a user request to display all or part of a document. Generate SQL. Server generates an SQL query in response to a user action that requires data to be retrieved from a database. Drill out of scope.

User drills past the scope of the data currently in memory, and triggers a call to the database for more data. List of values. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. Select prompt.

BusinessObjects Enterprise Deployment and Configuration Guide

397

17

Managing Auditing Configuring the auditing database

Actions Desktop A job has been run successfully. Intelligence Either a Desktop Intelligence document documents has been scheduled or a publication based of that document has been scheduled.

BusinessObjects Enterprise Server Desktop Intelligence Job Server

A job has failed to run. Users A job failed but will try to run again. A concurrent user logon succeeds. A named user logon succeeds. A user logon fails. A users password is changed. User logs off. Send an object to a destination A job has been run successfully. (A user has successfully sent an object to a destination.) A job has failed to run. (An object has failed to be sent to a destination.) A job failed but will try to run again. An event is registered. (Event is created, and registered with system) An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered. (Event is removed from system.) Destination Job Server CMS

File-based events

Event Server

398

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Enabling auditing of user and system actions

17

System Actions
Actions Scheduled objects A job has been run successfully. For example, a scheduled Crystal report or publication has run successfully. A job has failed to run. For example, a scheduled Crystal report or publication has failed to run. BusinessObjects Enterprise Server Job Servers

Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. A job failed but will try to run again. Communication with a running instance is lost. For CMS example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired. Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document. An event is triggered. Event Server

File-based events

Enabling auditing of user and system actions


After you determine which BusinessObjects Enterprise server controls the action, you must enable auditing on the server from the Servers management area of the Central Management Console (CMC). If you have multiple BusinessObjects Enterprise servers of a given type, be sure to enable identical audit actions on every server. This makes sure that you collect information on all user or system actions in your BusinessObjects Enterprise system. For example, if you are interested in the total number of concurrent user logons, enable auditing of concurrent user logons on each of your Central Management Servers. If you enable auditing on only one Central Management Server, you will only collect audit information about actions that occur on that server.

BusinessObjects Enterprise Deployment and Configuration Guide

399

17

Managing Auditing Enabling auditing of user and system actions

In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See Configuring the auditing database on page 393 for information on how to configure the auditing database. 1. 2. To enable audit actions Go to the organize Servers area of the CMC. Click the server that controls the action that you wish to audit. (See the Reference list of auditable actions on page 395 to find the correct server.) 3. Click the Auditing tab.

4. 5. 6.

Select the Auditing is enabled check box. Select the audit actions that you wish to record. Ensure that your audit log file is located on a hard drive that has sufficient space to store the log files. (See Optimizing system performance while auditing on page 404 for information on adjusting the size of log files.)

400

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Configuring the universe connection

17

7. Tip:

Click Update. To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of A job has failed to run on the Job Server, and Communication with a running instance is lost. on the Central Management Server. Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.

Configuring the universe connection


The auditing reports use the Activity universe. Before you can view these reports, you must configure the universe connection. This involves two steps: first you must create a data source for your auditing database, next you must specify this data source for your universe connection. 1. 2. 3. 4. 5. 6. 7. To create a data source Go to the Start menu and select Settings >Control Panel. Double-click on Administrative tools. Double-click Data sources. Click the System DSN tab, and then click Add. Select the driver for your auditing database from the list, and then click Finish. Enter the authentication parameters, the database server name, and your auditing database name, and then click OK. Click OK.

Tip: You may want to write down the name of your data source as it will be required when you create or edit the universe connection. 1. 2. 3. To configure the Activity universe connection Start Designer from the BusinessObjects Enterprise program group. Click on the connections icon in the toolbar. The Connection List dialog box appears. Click Add, and then click Next.

BusinessObjects Enterprise Deployment and Configuration Guide

401

17

Managing Auditing Using sample audit reports

4. 5. 6. 7. 8. 9.

Expand the database type and the version that corresponds with the your auditing database. Select the driver or client to use. Enter a name for your connection. Enter the User Name and Password for your connection. Select the Data source name from the list, and then click Next. Click Next on the Perform a Test dialog box.

10. Click Next on the Advanced Parameters dialog box. 11. Click Finish on the Custom Parameters dialog box. 12. Click Finish to exit and finalize your connection.

Using sample audit reports


BusinessObjects Enterprise includes two sets of sample audit reports:

One set was created using Crystal Reports. One set was created using Web Intelligence.

Both sets of reports are available in the collateral folder on your product distribution in the file auditing.biar. These sample reports are published to the Auditor folder when you install BusinessObjects Enterprise with a product keycode which authorizes you to use Auditor. The Crystal Reports audit reports are available as object packages with the report sections as individual documents. The Web Intelligence audit reports are available as Web Intelligence documents with the report sections as tabs within the documents. Both sets of reports are based on the Activity universe. Note: You can also deploy the auditing samples to another node. To do this, use the Import Wizard to deploy the auditing.biar to the CMS on the node where you want the reports. For further details, see the Import Wizard help. If you configured the auditing database when you installed BusinessObjects Enterprise, you must do these things before using the sample audit reports:

Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399.

Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.

402

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Controlling synchronization of audit actions

17

If you did not configure the database when you installed BusinessObjects Enterprise, before you use the reports, you must do these things:

Configure the auditing database before you use the sample reports. For information on how to configure the auditing database, see Configuring the auditing database on page 393 Enable the auditing of the user and server actions needed to provide data for the sample reports. For information on how to enable auditing on servers, see Enabling auditing of user and system actions on page 399

Configure the universe connection used for the sample reports. For procedural details, see Configuring the universe connection on page 401.

After you enable auditing of the user and server actions, the auditing database will then begin to be populated with the audit data you specified. Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them.

Controlling synchronization of audit actions


The CMS controls the synchronization of audit actions that occur on different machines. The CMS periodically broadcasts its system time to the auditees in UTC (Coordinated Universal Time). The auditees compare this time to their internal clocks, and then make the appropriate correction to the time stamp (in UTC) they record for subsequent audit actions. This correction affects only the time stamp that the auditee records in its audit log file. The auditee does not adjust the system time of the machine on which it is running. By default, the CMS broadcasts its system time every 60 minutes. You can change the interval using the command-line option:
-AuditeeTimeSyncInterval minutes

You can turn off this option by setting minutes to zero. For more information on the CMS, see the Server Command Lines chapter in the BusinessObjects Enterprise Administrators Reference Guide. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an Network Time Protocol (NTP) client, and then turn off internal synchronization by setting:
-AuditeeTimeSyncInterval 0

BusinessObjects Enterprise Deployment and Configuration Guide

403

17

Managing Auditing Optimizing system performance while auditing

Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.

Optimizing system performance while auditing


Enabling auditing should have minimal effect on the performance of BusinessObjects Enterprise. However, you can optimize system performance by fine-tuning these command-line options:

-AuditInterval minutes, where minutes is between 1 and 15. (The

default value is 5.) The CMS requests audit records from each audited server every audit interval.
-AuditBatchSize number, where number is between 50 and 500. (The

default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.
-auditMaxEventsPerFile number (number has a default value of 500

and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file. Note: Log files remain on the audited server until all records have been requested by the CMS. Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.

404

BusinessObjects Enterprise Deployment and Configuration Guide

Managing Auditing Optimizing system performance while auditing

17

Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions.

BusinessObjects Enterprise Deployment and Configuration Guide

405

17

Managing Auditing Optimizing system performance while auditing

406

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports

chapter

18

Auditing Reports Using auditing reports

Using auditing reports


If you are an administrator who wants to view reports from the auditing database, you have these choices:

You can use the auditing reports that are included with BusinessObjects Enterprise. You can modify the auditing reports that are included with BusinessObjects Enterprise. You can create your own auditing reports.

Why are reports important?


Auditor includes reports that can answer questions you may have about your BusinessObjects Enterprise deployment. Each report contains one or more report sections that focus on a very specific area.

Auditor report names


This section contains the following:

the list of the report names the report sections included with the reports the report prompts

Average Number of Users Logged In


Report sections Report prompts

Average Number of Logged In select reporting year Sessions Users Logged In Average Number of Users Logged In select reporting month

408

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Using auditing reports

18

Average Refresh Time


Report sections Average Refresh Time by Document Average Refresh Time by User Average Refresh Time by Server Report prompts Name of document

Average Session Duration


Report sections Year Quarter Month Week Day Hour Report prompts choose user

Average Session Duration per Cluster


Report sections Average Session Duration in Minutes over the Period Average Session Duration in Minutes per Week Average Session Duration in Minutes per Day Report prompts select reporting timeframe

Average Session Duration per User


Report sections Average Session Duration in Minutes over the Year Report prompts select reporting year

BusinessObjects Enterprise Deployment and Configuration Guide

409

18

Auditing Reports Using auditing reports

Report sections Average Session Duration in Minutes per Month per User Average Session Duration in Minutes per Week per User

Report prompts

Cluster Nodes
Report sections Servers in the Cluster Report prompts None

Document Information Detail


Report sections None Report prompts select document

Document Scheduling and Viewing Status


Report sections None Report prompts select start date select end date

Job Summary
Report sections Jobs per Status Successful Jobs Failed Jobs Report prompts

410

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Using auditing reports

18

Jobs per Job Server


Report sections Jobs per Job Server KindSummary Jobs per Job Server Kind Jobs per Job Server Report prompts None

Jobs per User


Report sections Jobs per User - Summary Jobs per User Job Duration per User Report prompts None

Job Servers on the System


Report sections Jobs per User - Summary Jobs per User Job duration per User Job Failure per User Report prompts None

Last Login for User


Report sections None Report prompts select user

BusinessObjects Enterprise Deployment and Configuration Guide

411

18

Auditing Reports Using auditing reports

Least Accessed Documents


Report sections Least Accessed Documents By times Read Least Accessed Documents By Edits Least Accessed Documents By Refreshes Report prompts None

Most Accessed Documents


Report sections Most Accessed Documents By times Read Most Accessed Documents By Edits Most Accessed Documents By Refreshes Report prompts None

Most Active Users


Report sections Most Active Users by Logins Most Active Users by Refreshes Report prompts None

Most Popular Actions


Report Sections Most Popular Actions - By Quarter Most Popular Actions - By Month Report Prompts select year select year

Most Popular Actions - By Year select year

412

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Using auditing reports

18

Report Sections Most Popular Actions - By Week

Report Prompts select year

Most Popular Actions - By Day select year

Most Popular Actions per Document


Report sections Most Popular Actions per Document- By User Most Popular Actions per Document- By Session Most Popular Actions per Document- By Action Most Popular Actions per Document- By Month Report prompts select document (s)

Number of User Sessions


Report sections None Report prompts select year(s)

Number of Users in the System


T

Report sections None

Report prompts None

Password Modifications
Report sections Password Modifications - By Month Password Modifications - By Week Password Modifications - By Details Report prompts select start date select end date

BusinessObjects Enterprise Deployment and Configuration Guide

413

18

Auditing Reports Using auditing reports

Peak Usage
Report sections Users Login Peaks Session Login Peaks Number of Action Peaks Report prompts select year

Refresh and Edit Activity


Report sections None Report prompts select user

Rights Modification
Report sections Rights Modification - By User Report prompts select start date

Rights Modification - By Object select end date

Total Users Logged In by Day


Report sections Report prompts

Total Users Logged In by Day - enter a date Total Number of Logged In Users Total Users Logged In by Day Total Number of Logged in Sessions

User Activity
Report sections User Activity by Month User Activity by Week User Activity by Day Report prompts select start date select end data

414

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Viewing sample auditing reports

18

User Activity per Session


Report sections User Activity per Session Per Cluster User Activity per Session Per Session User Activity per Session Per Action Name User Activity per Session Per Date Report prompts choose user(s)

Users Who Logged Off Incorrectly


Report sections Statistics Users Who Logged Off Incorrectly Report prompts

Viewing sample auditing reports


1. 2. 3. 4. To view sample audit reports Log on to InfoView. Expand Public Folders. Select Auditing Reports to display the list of sample audit reports. Open the report you want to view.

To open a Web Intelligence audit report, click on the report you want to view. To open a Crystal Reports audit report, open the object package, and then open the report you want to view.

BusinessObjects Enterprise Deployment and Configuration Guide

415

18

Auditing Reports Creating custom audit reports

Creating custom audit reports


This section contains information to help you understand the auditing database, the Activity universe and the information it records about audit actions. With this information, you can use Crystal Reports, Web Intelligence or Desktop Intelligence to create custom audit reports of user and system actions.

Auditing database schema reference


The auditing database contains six tables:

Audit_Event on page 416 Audit_Detail on page 417 Server_Process on page 418 Detail_Type table on page 420 Event_Type on page 419 Application_Type on page 419

The following diagram shows the Activity universe which is based on the auditing database.

Audit_Event
The Auditt_Event table stores one record per action that is audited and contains general information about each audit event.

416

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Creating custom audit reports

18

Field
Server_CUID

Description Server process ID. Combined with the Event_ID to form the primary key for the Audit_Event table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table. Name of user who performed the action. Time for start of action in UTC (Coordinated Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports. Duration, in seconds, of the action that is audited. Number that uniquely identifies the type of action the entry represents. Foreign key for the Event_Type table. Info Object ID of object associated with the action. This number uniquely identifies an object. Field reserved for error codes generated by the Web Intelligence Report Server.

Event_ID

User_Name Start_Timestamp

Duration Event_Type_ID

Object_CUID Error_Code

Audit_Detail
The Audit_Detail table records more details about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details. There may be more than one record in this table for each audit action recorded in the Audit_Event table.

BusinessObjects Enterprise Deployment and Configuration Guide

417

18

Auditing Reports Creating custom audit reports

Field
Server_CUID

Description Server process ID. Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table. A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table. The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2. Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table. Information about the audit detail being recorded. For example, if the Detail_Type_Description were universe name, the detail text would contain the name of that universe.

Event_ID

Detail_ID

Detail_Type_ID

Detail_Text

Server_Process
The Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events. Field
Server_CUID Server_Name

Description Server process ID. Primary key for the Server_Process table. Machine name of the server that produced the action. That is, the host name. that generated the audit action. Foreign key to the Application_Type table.

Application_Type_ID A unique ID that identifies the type of application

418

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Creating custom audit reports

18

Field
Server_FullName

Description Friendly name of the server that produced the action. The servers friendly name is the name displayed in the CMC. The default friendly name is
hostname.servertype.

Server_Version

Version of BusinessObjects Enterprise on server that produced the action.

Event_Type
The Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise Field
Event_Type_ID

Description Number that uniquely identifies the type of audit event that the entry represents.

Event_Type_Description Description of the type of audit event.

Application_Type
The Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers. Field Name
Application_Type_ID

Description A unique ID that identifies the type of application that generated the audit action. The description of the application generating the audit event.

Application_Type_Description

BusinessObjects Enterprise Deployment and Configuration Guide

419

18

Auditing Reports Creating custom audit reports

Detail_Type table
The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10. Field
Detail_Type_ID Detail_Type_Description

Description Number that uniquely identifies the type of audit detail that the entry represents. The description of the type of audit detail generated by the audit event.

Event_Type table reference


The following tables list the Event_Type_ID and Event_Type_Description of all events that can be audited in your system. For your convenience, these events are ordered according to the server that generates each type of event. CMS audit events Event_Type_ ID Event_Type_Description Description 65537 Concurrent user logon succeeded. Named user logon succeeded. User logged off. User password has been changed. User logon failed. Logon failed because there was no valid license key available. The user logged on successfully, using a concurrent user license. The user logged on successfully, using a named user license.

65538

65540 65541 65539

420

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Creating custom audit reports

18

Event_Type_ ID Event_Type_Description Description 65542 New folder created. A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder. A folder is deleted. Note that this audit string will be recorded when a user account (and therefore the users folder) is deleted. The name, location, or description of the folder was changed. A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job. Cache Server audit events Event_Type_ ID Event_Type_Description 196609 Crystal report viewed successfully. A report could not be viewed. Description User successfully viewed a Crystal report that has saved or live data. User attempted to view a Crystal report, but was not successful.

65543

Folder deleted.

65544

Folder modified.

65545

Job failed. Reason: Unresponsive Job Server Child process.

196610

BusinessObjects Enterprise Deployment and Configuration Guide

421

18

Auditing Reports Creating custom audit reports

Job Server audit events For scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user. Event_Type Event_Type_Description _ ID 327681 Job successful. Description The object ran as scheduled (or requested) and the job completed successfully. The scheduled job did not complete successfully. The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see the BusinessObjects Enterprise Administrators Guide.

327682 327683

Job failed. Job failed. Job will be retried by the CMS.

Event Server audit events Event_Type_ ID Event_Type_Description 262145 Event registered Description User creates a file-based event that can be used to schedule objects. User deletes a file-based event. Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event. File-based event was initiated.

262146 262147

Event unregistered Event updated

262148

Event triggered

422

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Creating custom audit reports

18

Application_Type table reference


Application_Type_ID Application_Type_Description 1 8 11 12 13 14 15 16 18 19 Unknown Application Web Intelligence Report Server Central Management Server (CMS) Cache Server Report Job Server Report Application Server (RAS) Event Server Program Job Server Destination Job Server Web Intelligence Job Server

Report Application Server audit events The Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.

BusinessObjects Enterprise Deployment and Configuration Guide

423

18

Auditing Reports Creating custom audit reports

Event_Type_ ID Event_Type_Description 458753

Description

Report was opened for User opened a report for viewing and/or modification viewing or modification. Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:

There are problems with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine A processing extension associated with the report aborts viewing, or fails. The report used Business Views and the user did not have permissions to refresh the underlying data connections. The machine running the RAS ran out of space in its temporary directory.

458754

Report was saved to the CMS.

An existing report was saved. Note: This


Event_Type_ID is

generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.

424

BusinessObjects Enterprise Deployment and Configuration Guide

Auditing Reports Creating custom audit reports

18

Event_Type_ ID Event_Type_Description 458755 Report was created and saved to the CMS

Description A new report was created and saved. This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details. The report could not be opened by the RAS. An existing report could not be saved by RAS. This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details. A newly created report could not be saved by RAS.

458756 458757

Report could not be opened. Report could not be saved to the CMS.

458758

Report could not be created in the CMS.

Web Intelligence Report Server audit events Event_Type_ ID Event_Type_Description Description 6 Get list of universes User accesses a list of universes as part of a document creation workflow. User saves a Web Intelligence document to BusinessObjects Enterprise. User opens an existing Web Intelligence document. User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.

Save document to repository Read document Selection of universe

11 13

BusinessObjects Enterprise Deployment and Configuration Guide

425

18

Auditing Reports Creating custom audit reports

Event_Type_ ID Event_Type_Description Description 19 Document refresh User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the refresh on open document property assigned. A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document. User has moved into Edit document mode. User applies a formatting change to a document, in a query panel. User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document. Appears when a user refreshes a document. User drills past the scope of the data currently in memory, and triggers a call to the database for more data.

21

List of values

22 28

Edit document Apply format

40

Get page

41 42

Generate SQL Drill out of scope

426

BusinessObjects Enterprise Deployment and Configuration Guide

Customizing the appearance of Web Intelligence documents

appendix

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

Customizing the appearance of Web Intelligence documents


You can customize the default appearance of all new Web Intelligence documents created using the Web Intelligence Java Report Panel or the HTML - Query Panel. To do so, you must edit a file called defaultconfig.xml. By editing defaultconfig.xml, you can change the default appearance of many interface elements:

fonts and font sizes for tables, cells, chart axes, and so on background colors (wallpaper) lines and borders for cells and tables color palettes

The new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings. In the defaultconfig.xml file, settings are grouped by key value. (See List of key values on page 432.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start. For an example of how to modify the defaultconfig.xml file, see Example: Modifying the default font in table cells on page 433. Note:

You cannot use defaultconfig.xml to customize the appearance of the HTML Report panel. The defaultconfig.xml is also used by the REBean Editing SDK. For more information, see the developer documentation.

428

BusinessObjects Enterprise Deployment and Configuration Guide

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

What you can do with the defaultconfig.xml file


With the defaultconfig.xml file, you can change certain aspects of the look and feel of Web Intelligence reports. You can make the reports adhere to your corporate visual guidelines. Heres what a Web Intelligence report looks like before changes are made to the defaultconfig.xml file:

BusinessObjects Enterprise Deployment and Configuration Guide

429

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

By modifying a few settingsstable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell bordersdefault Web Intelligence tables and charts can look like this:

Locating and modifying defaultconfig.xml


To customize the default appearance of a new Web Intelligence document, you must edit the defaultconfig.xml associated with the report panel used to create that document. Each report panel has its own defaultconfig.xml file.

430

BusinessObjects Enterprise Deployment and Configuration Guide

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

Desktop Intelligence Enterprise Java InfoView


If you deploy the Desktop Intelligence Enterprise Java InfoView, you can customize the default appearance of documents created using the Java Report Panel or the HTML-Query Report Panel. On Windows, you must edit the defaultconfig.xml files inside the desktop.war file. For additional information on modifying XML and .war files, see the BusinessObjects Enterprise Installation Guide. 1. 2. To update defaultconfig.xml in the .war file Stop the web application server if it is running. Find the desktop.war file. On Windows, its found at C:\Progam
Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications\desktop.war. On UNIX, its found at / bobje/enterprise11/java/applications/desktop.war.

3.

Extract defaultconfig.xml from the desktop.war file. For the Java Report Panel, extract
webiApplet\AppletConfig\defaultconfig.xml

For the HTML-Query Report Panel, extract WEBINF\classes\defaultconfig.xml

Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file. 4. 5. Make a backup of the defaultconfig.xml file. Open defaultconfig.xml, and make your changes. See List of key values on page 432 for information on the values you can change, and Example: Modifying the default font in table cells on page 433 for an example. 6. 7. 8. Save and close defaultconfig.xml. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the file into the correct directory within the .war file. Restart your web application server and redeploy desktop.war. See the BusinessObjects Enterprise Installation Guide for details.

Desktop Intelligence Enterprise .NET InfoView


If you deploy the Desktop Intelligence Enterprise .NET InfoView, you can customize the appearance of new documents created using the Java Report Panel. To customize the appearance of reports created with the Java Report Panel, edit the copy of defaultconfig.xml found at:
C:\Program Files\Common Files\Business Objects\3.0\java\webiApplet\AppletConfig

BusinessObjects Enterprise Deployment and Configuration Guide

431

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

List of key values


In the defaultconfig.xml file, settings are grouped by key value. The following table lists the key values and the corresponding interface elements. Key value Block*defaultBg Block*selectionBg Cell*selectionColor cell_skin0,report_skin0, section_skin0,bloc_skin0 freeCell*default freeCell*section graph*Data graph*Graph graph*Palette*0 graph*Palette*1 graph*Wall graph*YGrid graph*ZGrid graph*XLabels graph*YLabels graph*ZLabels graph*XValues graph*YValues graph*ZValues page*default Section*arrowColor Section*background Section*selectionColor table*AltBody table*body table*BodyForm Interface element Background colors for blocks Background colors for selected blocks Selected cell color Combo default skin Free cells (not section cells) Section cells Removing black line around bar charts General settings for graphs Adding a new color palette Adding a new color palette Default background colors for charts Color for horizontal grid (Y axis) Removing X-axis and Z-axis grid X-axis labels in a graph Y-axis labels in a graph Z-axis labels in a graph X-axis values in a graph Y-axis values in a graph Z-axis values in a graph Default page layout. For example: A4, Letter; portrait or landscape. Color of section arrow General settings for sections Color of selected section arrow Alternate body cells in a table Body cells in a table Body cells in a form

432

BusinessObjects Enterprise Deployment and Configuration Guide

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

Key value table*ExtraHeader table*Footer table*Form table*Header table*HeaderForm table*Table UI*default

Interface element Object name cells in a crosstable Footer cells in a table General settings for forms Header cells in a table Header cells in a form General settings for tables Custom fonts

Example: Modifying the default font in table cells


You can modify the default font to another font available on your system, including non-standard fonts that you install on the server. The default font is Arial. This setting is found in the table*Body key value in the defaultconfig.xml file. Languages and fonts must be supported on the client machine for correct display. In addition, all fonts must be defined in the fontalias.xml file. Note: To change the default appearance of Web Intelligence documents created in a report panel, you must modify and deploy the correct copy of the defaultconfig.xml file. See Locating and modifying defaultconfig.xml on page 430 for more information. 1. 2. 3. To modify the default font Make a backup of the defaultconfig.xml file. Open the defaultconfig.xml file. Find the table*Body key value. Heres what it looks like:

BusinessObjects Enterprise Deployment and Configuration Guide

433

Customizing the appearance of Web Intelligence documents Customizing the appearance of Web Intelligence documents

4.

To change the default font for specified languages, enter the font name after FACE=. For example, to change only Japanese to a font named SpecialFont, you would enter:
<FONT xml:lang="ja" FACE="SpecialFont" ...

5.

To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=. Note: You must modify the default font values separately for each language you want to change.

6. 7.

Modify any other attributes you want, such as font size. Save and close the defaultconfig.xml file.

434

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration

appendix

Server deployment and firewall configuration About this appendix

About this appendix


This appendix uses a sample deployment to demonstrate how to configure Business Objects Enterprise servers and firewalls in complex deployment scenarios. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about developing your own deployment plan, see Planning Your Deployment on page 57. This appendix contains:

Information on how BusinessObjects Enterprise components communicate across the network. Instructions for configuring BusinessObjects Enterprise servers. Instructions for configuring firewalls to allow BusinessObjects Enterprise components to communicate with each other. Help for deploying BusinessObjects Enterprise servers on machines with more than one Network Interface Card (NIC). A list of unsupported deployment scenarios. BusinessObjects Enterprise servers and clients are separated from each other by one or more firewalls. BusinessObjects Enterprise servers are deployed on machines with more than one Network Interface Card.

This appendix is relevant to the following deployment scenarios:

If all BusinessObjects Enterprise components are deployed entirely on the same subnet, and if no server is deployed on a multi-homed machine, then you do not need the information in this appendix.

Understanding how BusinessObjects Enterprise servers communicate


This section explains how BusinessObjects Enterprise servers communicate with each other using CORBA. This information will help you to understand how to configure BusinessObjects Enterprise servers and the firewalls that separate them.

436

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate

Using CORBA to communicate


BusinessObjects Enterprise clients and servers use CORBA to communicate with each other. A BusinessObjects Enterprise server extends a service that other clients or servers can discover and invoke. BusinessObjects Enterprise clients and servers store a reference to a servers service. The reference is a CORBA reference called an Interoperable Object Reference (IOR). The IOR contains the host name or host IP address plus the port number of the machine that the service runs on.

Registering with the CMS


All BusinessObjects Enterprise servers must register with the CMS when they start up. This process uses the following steps: 1. The server contacts the CMS. A BusinessObjects Enterprise server contacts the CMS on the CMSs bootstrap port. The CMS bootstrap port is specified in the BusinessObjects Enterprise servers -ns <cms host name:nameserver_port> option. The CMS returns an IOR that refers to its CMS factory service. BusinessObjects Enterprise servers use the CMS factory service for all CORBA communication with the CMS. 2. The server builds its service IOR. A BusinessObjects Enterprise servers service IOR contains the services host name or IP address and port number.

If the -port <host name or host address> option is set, the BusinessObjects Enterprise server uses the specified host name or host address in the IOR. If its -port option is not set, the server makes a system call to its host machine to discover its IP address. (On a multihomed machine, this call typically returns the machines main IP address). If the -requestport <port number> option is set, the BusinessObjects Enterprise server uses the specified port number in the IOR. Otherwise, the BusinessObjects Enterprise server chooses chose a port at random. If your BusinessObjects Enterprise components are separated from each other by firewalls, you should use the -requestport option. Then you can open that specific port in your firewall.

3.

The server registers with the CMS.

BusinessObjects Enterprise Deployment and Configuration Guide

437

Server deployment and firewall configuration Understanding how BusinessObjects Enterprise servers communicate

The BusinessObjects Enterprise server registers with the CMS via the CMS factory service. The CMS creates a server infoObject to represent the BusinessObjects Enterprise server. The infoObject contains the BusinessObjects Enterprise servers host name, the IOR it passed in, and other information. (You can look in the System Objects table in the CMS Repository to see a list of server infoObjects.) Note: The CMS uses two ports. Every BusinessObjects Enterprise server must be able to contact the CMS on both ports.

Communicating with client applications


Client applications can be web applications such as Infoview or the CMC that are hosted in an application server. They can also be thick clients such as Crystal Reports or Desktop Intelligence. (All client applications contain the BusinessObjects Enterprise SDK.) BusinessObjects Enterprise servers publish services. Client applications use these services to interact with the BusinessObjects Enterprise system. BusinessObjects Enterprise servers can live anywhere on the network. When a client application needs to use a BusinessObjects Enterprise servers service, it first asks the CMS for the servers IOR, then uses the IOR to invoke the servers service. Note: Each client application must be able to contact both the CMS bootstrap port and the CMS Factory service. 1. The client application requests a service from the CMS. Users enter the CMS host name and (optionally) the bootstrap port number when they log on to the BusinessObjects Enterprise system. Port 6400 is used if no bootstrap port number is entered. The CMS returns the IOR for the requested service. The IOR contains the services host and port. 2. The client contacts the service on the host and port that was specified in the service IOR. The IOR may be passed through one or more firewalls. The host and port number in the IOR are passed as opaque strings through the firewall, and no Network Address Translation (NAT) will be applied to them. Therefore, the services host and port must be routable from the client. If the firewall uses NAT, then the IOR should contain the services host name instead of the host IP address. Note: The services host and port must be routable from the client. If the firewall uses NAT, the IOR should contain the services host name, not the host IP address.

438

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers

Configuring BusinessObjects Enterprise servers


BusinessObjects Enterprise servers have many configuration parameters as detailed in the end user administration guide. This section describes only the -port, -requestport, and -ns option. These options affect:

Whether the IOR contains a specific port or a randomly-selected port This is important if BusinessObjects Enterprise components must contact each other through a firewall. Whether the IOR contains host IP address or host name This is important if your firewall uses NAT. Whether the server listens on any port or only the specified port Whether the server listens on any NIC or only the specified NIC This can be important when you deploy multiple CMS servers on the same machine, or when you deploy a BusinessObjects Enterprise server on a machine with more than one NIC.

Note: When you change a servers configuration parameters you must force the BusinessObjects Enterprise system to recognize the changes. See Frequently Asked Questions on page 443.

Configuring the CMS server


Syntax
-port <FQDN:port|host_address:port> -requestport <port>

Examples
-port servername.example.com:6401 -requestport 6499 -port 10.50.1.2:6400 -requestport 6410 -port servername.example.com

BusinessObjects Enterprise Deployment and Configuration Guide

439

Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers

Parameter
-port

Description (CMS server) Description Optional. Forces the CMS to listen on the specified host and port. Forces the CMS factory service IOR to contain the specified host name or host IP address. If not specified CMS server makes a system call to determine the IP address of its host machine, and uses port 6400 by default. CMS factory service IOR will contain the host IP address. Allowed settings -port FQDN -port FQDN:port -port host_address -port host_address:port Relationship to other servers Other CMS servers must know how to contact the CMS. A servers -ns option contains the CMS host and port that the server will contact when it starts up. If you change the -port parameter on the CMS, you must update the -ns parameter of all other servers in the cluster. Optional. Forces the CMS to accept CORBA communication on the specified port only. If not specified CMS will accept CORBA communication on any port. The CMS factory service IOR will contain a randomly-chosen port.

When to use If BusinessObjects Enterprise components must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT to resolve the host name to a routable address. If more than one CMS server is deployed on the same machine. If you deploy multiple CMS servers on the same machine, you must bind each CMS Name Server to its own port.

(specifies the bootstrap host and port)

-requestport Description

(CMS Factory service)

CMS must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this CMS from any BusinessObjects Enterprise servers, client applications, or the Application server. Open the specified port in the firewall.

440

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers

Configuring non-CMS servers


Syntax
-port FQDN -requestport port -ns cmsFQDN:port

Example
-port servername -requestport 6409 -ns servername.example.com:6400 -requestport 6409

Parameter
-port

Description (non-CMS server) Description Optional. Binds the service to the specified NIC. The service accepts communication only on the specified NIC. The server itself can still use any NIC when initiating communication. (It uses the host machines routing tables to ensure it chooses the right NIC.) If not specified Server can listen on any NIC. IOR will contain IP address, not host name. Allowed settings -port FQDN (IOR uses the host name) -port host_address (IOR uses the IPaddress)

When to use If this server must communicate across firewalls that use NAT. If you do not specify -port, the service IOR will contain the servers IP address. If you specify -port <fqdn>, the service IOR will contain the servers host name. This allows firewalls that use NAT are able to resolve the host name to a routable address.

(Specifies host for the IOR. Has nothing to do with port numbers)

BusinessObjects Enterprise Deployment and Configuration Guide

441

Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers

Parameter (specifies port number)

Description (non-CMS server) Optional. Forces the server to accept communication on the specified port only. The server can still talk out any port. If not specified Server will accept communication on any port. The services IOR will contain a randomly-chosen port Description Required. Tells the server where to find the CMS. Allowed settings Must match the -port option set on the CMS server. If the CMS server does not have the -port option set, use the host name on which the CMS server is deployed plus port 6400. The CMS bootstrap host and port must be routable from this servers host machine.

When to use Server must communicate across firewalls, even non-NAT ones You must specify -requestport if a firewall separates this server from the CMS or any other BusinessObjects Enterprise servers. Open the specified port in the firewall. Always specified. (If CMS clusters are used, the server is guaranteed to use the host and port specified in the -ns parameter only for the very first contact with the CMS. At this point, a list of the bootstrap ports from all CMS servers in the cluster is added to the registry on the servers host machine. Any one of those CMS might be used in subsequent start-ups.)

-requestport Description

-ns

(the bootstrap host and port for the CMS that this server must contact when it starts up.)

Configuring Job Servers for firewalls


If a firewall separates a Job Server from any other BusinessObjects Enterprise server, perform the following steps:

On each Job Server, specify a port range for the Job Server children:
-requestJSChildPorts <lowestport>-<highestport>

All Job Server children will be bound to a port from within the specified range. Note that the port range should never exceed the -maxJobs setting. Note: If -requestJSChildPorts is not set, then Job Server children will be bound to a randomly-selected port.

On the firewall, open the specified port range. Allow communication in both directions between the Job Server children and all BusinessObjects Enterprise servers. On the firewall, open the following additional ports (for Destination Job Servers):

442

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Configuring BusinessObjects Enterprise servers

port 21 and 22 for FTP in and FTP out (for sending objects to an FTP destination) port 25 for SMTP out (for sending objects to an email destination) (UNIX only) ports 512 and 514 for rexec/rsh out (for sending objects to a disk destination)

Note: For the purposes of configuring your firewall, assume that the Job Server must talk to every other server.

Frequently Asked Questions


This section contains common questions about configuring BusinessObjects Enterprise servers and firewalls. Do I need to allow BusinessObjects Enterprise components inside the firewall to access components outside the firewall? No platform server needs to initiate contact with the client. I added or changed -port and/or -requestport options, but the changes were not picked up. If you change a servers parameters, you must: 1. 2. 3. In the CMC, delete the server. Restart the server. Re-enable the server.

Note: If you change the CMS bootstrap host and/or port, you must update the -ns option for the other BusinessObjects Enterprise servers in the cluster. Should the -name option match the -port option? No, the -name option does not have to match the -port option. However, the -name option must be unique in the CMS cluster, and must contain at least one "." character. Im deploying a CMS or other BusinessObjects Enterprise server on a multihomed machine. Should I do anything special? See Configuring a multihomed machine on page 149. Should I configure a server with its host name or its fully qualified domain name? The service's IOR must contain a host and port number that is routable from all other BusinessObjects Enterprise components that need to use the server. In general, it is better to use the server machine's fully qualified domain name (FQDN). However, in some cases you might actually want to use the server machine's host name.

BusinessObjects Enterprise Deployment and Configuration Guide

443

Server deployment and firewall configuration Configuring firewalls

Consider the following example. Your File Repository Server is on a machine called myhost.domain.com with an IP address of 987.654.32.1. From the application servers point of view, myhost.domain.com resolves to 987.654.32.1. In this case, you can use the FQDN for the -port option on the FRS. However if you use only the host name myhost for the -port option, the application server might not be able to resolve myhost to the correct address. The host name may resolve to an incorrect address, such as myhost.olddomain.com. However, there are situations where you may need to configure a server with its host name instead of its FQDN. For example, you might have a firewall between the application server and the CMS. On the client side of the firewall, the host name could resolve to myhost.fwdomain.com. On the CMS side of the firewall, the host name could resolve to myhost.secure.com. You could configure your network so that myhost.fwdomain.com:6400 is forwarded to myhost.secure.com:6400. In this case, you can configure the FRS with the host name instead of the fully qualified domain name.

Configuring firewalls
This section explains how to configure firewalls in different deployment scenarios. This appendix talks about firewalls as hardware devices that are deployed on the network. However, these concepts also apply to software firewalls running on any BusinessObjects Enterprise or non-BusinessObjects Enterprise machine. For example, you may also need to open holes in any software firewall that is running on the same machine as your BusinessObjects Enterprise servers. The following table summarizes general guidelines for configuring firewalls to work with BusinessObjects Enterprise servers:

444

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Configuring firewalls

Server CMS server

Configuration Set -port <FQDN>:<port> if the CMS must communicate across firewalls. If the firewalls use NAT, you must use the host name. If the firewalls do not use NAT, you can use the host name or the IP address. Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestport if the CMS must communicate across firewalls This applies to all deployments in which BusinessObjects Enterprise components must communicate through firewalls. Setting requestport forces a service to listen on the specific port. You can then open that port on the firewall. Note: CMS servers may be clustered. If so, you need to configure the firewall for each CMS in the cluster.

BusinessObjects Set -port <FQDN> if the server must communicate Enterprise server across firewalls that use NAT (non-CMS server) Remember servers (probably) cant communicate across firewalls that use PAT or NAT in Hide Mode. In some cases you might need to use -port to force the server to bind to a specific NIC. Set -requestPort <port> if the server must communicate across firewalls Description is the same as for the CMS server. Additional servers If you add another server on the same machine, you need to open another hole in the firewall. Also note that each new server must have a friendly name that is unique across the entire deployment. That is, no other server registered with the Name Server should have that friendly name. For example, assume you used the Central Configuration Manager -> Add Server to add a second Page server to a machine. If that second Page server needs to communicate across a firewall, you must open a hole in the firewall. Special consideration for Job Servers See Configuring Job Servers for firewalls on page 442.

BusinessObjects Enterprise Deployment and Configuration Guide

445

Server deployment and firewall configuration Configuring firewalls

Not every BusinessObjects Enterprise component needs to initiate communication with every other BusinessObjects Enterprise component. However, without knowing exactly which components need to communicate in which workflows, it is safer to assume all of these points are true. You must then open the corresponding ports in any firewalls that separate these components.

Every BusinessObjects Enterprise server must be able to initiate communication with the CMS (both on the bootstrap host and port and the CMS factory service). Every CMS (both bootstrap port and factory service) must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise server must be able to initiate communication with ever other BusinessObjects Enterprise server. Note: This is not always true, but it is easier to assume that it is. Most servers need to talk to both the input and the output FRS. Some types of Job Servers need to talk to their related processing servers. EPM (Performance Management) servers typically need to talk to each other.

Job Servers children need a port range. These servers spawn child processes. These child processes will be assigned a random port unless you specify a port range. Remember that Destination Job Servers use additional ports. See Configuring Job Servers for firewalls on page 442. Every BusinessObjects Enterprise web client and thick client must be able to initiate communication with every BusinessObjects Enterprise server. Every BusinessObjects Enterprise client must be able to initiate communication with the Application Server, and vice versa. This is only a concern on IIS, where the Application Server and the Web Server can be deployed separately.

Should you assume that every BusinessObjects Enterprise server must be able to initiate communication with every BusinessObjects Enterprise client? No. No Platform server needs to initiate contact with the client.

446

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Configuring firewalls

Example: A firewall between the application server and BusinessObjects Enterprise servers
When you put a firewall between the application server and the BusinessObjects Enterprise servers, you must open a port for every BusinessObjects Enterprise server. Consider the following example. Assume that an application server (210.32.24.1) and the rest of the BusinessObjects Enterprise servers are on different subnets, with a firewall between them. The firewall uses Network Address Translation (NAT). In this example, the servers are configured as follows:

Server CMS (192.169.10.1) Page Server (192.168.10.2) Cache Server (192.168.10.3)

Configuration
-port host1 -requestport 6499 -port host2 -requestport 6401 -ns host1:6400 -port host3 -request 6401 -ns host1:6400

When configuring the CMS in this situation, consider the following:

-port FQDN was specified because communication must cross a firewall

that uses NAT. Port 6400 will be used for the bootstrap port, because no other port was specified.
-requestport 6499 was specified because communication must cross

a firewall. Port 6499 will be opened in the firewall. When configuring other servers in this situation, consider the following:
-port FQDN was specified because communication must cross a firewall

that uses NAT. Of course, you never specify a port number on this option for non-CMS servers.
-requestport port was specified because communication must cross

a firewall. We will open the specified ports in the firewall.\


-ns must always be specified. It matches the -port host:port parameter that was configured on the CMS server.

When configuring the firewall in this situation, consider the following:

BusinessObjects Enterprise Deployment and Configuration Guide

447

Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines

Why are we opening this?

Source

Destination 192.168.10.1:6400

Permissions allow

Application server initiates 210.32.24.1:any communication with CMS Factory Service Application server initiates communication with CMS Application server initiates communication to Page Server Application server initiates communication to Cache Server Do BusinessObjects Enterprise servers ever initiate communication with application server? 210.32.24.1:any 210.32.24.1:any 210.32.24.1:any

192.168.10.1:6499 192.168.10.2:6401 192.168.10.3:6401

allow allow allow

No. However the RAS viewer initiates communication with one or more clients.

Deploying BusinessObjects Enterprise on multihomed machines


This section describes special considerations for deploying a BusinessObjects Enterprise server on a multhihomed machine. Note: To deploy BusinessObjects Enterprise on multihomed machines, you may need a patch. See This scenario requires a patch on page 450 Can BusinessObjects Enterprise servers benefit from the increased bandwidth of having multiple NICs on the same subnet? Traffic coming in to the server will always come in on the host and port specified in the services IOR (this is true whether or not you configure a server with -port). However, the server can use any NIC to initiate communication. The -port option binds a service to a particular NIC. Can the server still "talk out" any NIC? When you use the -port option, a service binds to a particular NIC. The service will accept communication only on the specified NIC. Once the request is made and the connection is established, all inbound and outbound communication for that connection will happen on that NIC.

448

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines

However, if the server needs to initiate communication to another BusinessObjects Enterprise component, it can use any NIC. The server will use its host machines routing tables to ensure it initiates communication via the correct NIC.

Multihomed machines with NICs on the same subnet


In some scenarios BusinessObjects Enterprise servers are deployed on machines with more than one NIC, and each NIC is on the same subnet. This is typically done for load balancing. In this case is possible that:

Each NIC had its own IP address, or Every NIC shares a common IP address, plus has its own IP address (This implementation can occur with some load balancing products such as Microsoft Load Balancer.)

What happens if -port is not specified You do not always have to set the -port option when you deploy BusinessObjects Enterprise servers on multihomed machines. This section explains what happens if you do not specify -port. What IP address goes in the IOR? If you do not specify -port, the BusinessObjects Enterprise server will make a system call to its host machine to discover its IP address. The IP address returned from the system call will be used in the services IOR. (On some Windows OS versions, the host machine will pick the IP address of the first NIC in the binding order. ) BusinessObjects Enterprise server can receive communication from any NIC If you do not specify -port, the BusinessObjects Enterprise server can listen on any NIC. Considerations when -port <FQDN> is specified If communication crosses a firewall that uses NAT, you probably need to specify -port <FQDN> so that the service IOR contains the host name instead of the host IP address. However, if this option is set, your service will only accept communication from a single NIC. Host name is resolved to a specific IP address If you set -port <FQDN>, the services IOR contains the host name. However, the host name must still be resolved to an IP address before it is routed. If more than one NIC has the same host name, is up the host machine to choose the IP address.

BusinessObjects Enterprise Deployment and Configuration Guide

449

Server deployment and firewall configuration Deploying BusinessObjects Enterprise on multihomed machines

This scenario requires a patch The CMS must be patched if other BusinessObjects Enterprise servers are deployed on machines with multiple NICs that connect to the same subnet. 1. When a server starts, it registers with the CMS. The CMS stores the servers host name and other information. The CMS stores the host name that the server used to register. 2. Later, the server may make another call to the CMS to log on. This logon might occur during a schedule, view, or other operation. It does not have to occur during a regular user logon. 3. If the server sends the logon request to the CMS via a different NIC than the registration request, the CMS will reject the logon. The logon will fail.

Multihomed machines with NICs on different subnets


BusinessObjects Enterprise servers can be deployed on multihomed machines where each NIC is on a different subnet. For example, you can have a machine with both a public and a private network. Or you can have a laptop with both a wireless and a LAN connection. The example below illustrates potential deployment problems on machines with multiple NICs on different subnets.

Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected
This problem exists because the BusinessObjects Enterprise servers are deployed across different subnets which are not reachable from each other. In the example below, machines on one subnet are not routable from machines on the other subnet. The application server is on one subnet and the FRS is on the other. The CMS is deployed on a mulihomed machine that is connected to both subnets. You will see this problem whether or not you configure the CMS with the port option. Whether or not -port is set, the CMS always puts only one IP address in its IOR. If you cannot route between the two subnets, then either the application server or the FRS cannot reach the CMS's factory service IOR. To resolve this issue, you need to set up a network path between the two subnets.

450

BusinessObjects Enterprise Deployment and Configuration Guide

Server deployment and firewall configuration Summary of unsupported deployment scenarios

Binding to a particular NIC


Typically, you only set -port <fqdn> when your BusinessObjects Enterprise components must communicate across a firewall that uses NAT, and that firewall cannot route internal IP addresses. However, in some deployment scenarios that use multihomed machines, you may need to use -port to force a server to bind to a particular NIC. For example, the CMS is deployed on a machine with two NICs. NICA connects to the main subnet on which all the BusinessObjects Enterprise components are deployed. NICB connects to the backup subnet. The CMSs IOR must contain NICA, not NICB. If NICA has a higher binding order than NICB, the CMS will probably use NICA in its IOR (this might depend on many factors including OS version). If the CMS does not use NICA in its IOR by default, you must configure the CMS server with the option -port NICA:port.

Summary of unsupported deployment scenarios


Deployment Scenario Why is this not supported? Port Address Translation You cannot separate BusinessObjects Enterprise (PAT) or NAT in Hide components with Firewalls using PAT or NAT in mode Hide mode, because these technologies swap out the port number in the TCP connection. BusinessObjects Enterprise clients hold an IOR to BusinessObjects Enterprise services; that IOR has a port number that must be routable from the client. BusinessObjects This scenario must be patched. See This Enterprise servers (non- scenario requires a patch on page 450. CMS servers) deployed on multihomed machines with NICs on the same subnet. BusinessObjects Enterprise servers deployed on multihomed machines but divided by firewalls that use NAT. You must plan this scenario carefully. You need to use the -port <FQDN> option on all servers so the IORs can be routed through the firewalls, but this also causes your servers to bind to the specified NIC.

BusinessObjects Enterprise Deployment and Configuration Guide

451

Server deployment and firewall configuration Summary of unsupported deployment scenarios

Deployment Scenario Firewalls and SSL

Why is this not supported? If you are deploying BusinessObjects Enterprise components in an environment where they use SSL to communicate, and the communication must cross firewalls, then you need a patch. If you deploy BusinessObjects Enterprise clients and servers across different subnets, there must be a network path between the subnets. The BusinessObjects Enterprise components must be able to contact each other.

BusinessObjects Enterprise components deployed across two or more subnets, where there is no network path between the subnets.

452

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines

appendix

Server Command Lines Command lines overview

Command lines overview


When you start or configure a server through the Central Management Console (CMC) or the Central Configuration Manager (CCM), the server is started (or restarted) with a default command line that includes a typical set of options and values. In the majority of cases, you need not modify the default command lines directly. Moreover, you can manipulate the most common settings through the various server configuration screens in the CMC and the CCM. For reference, this section provides a full listing of the command-line options supported by each server. You can modify each servers command line directly if you need to further customize the behavior of BusinessObjects Enterprise. Throughout this section, values provided in square brackets [ ] are optional. To view or modify a servers command line The procedure for viewing or modifying a servers command line depends upon your operating system:

On Windows, use the CCM to stop the server. Then open the servers Properties to modify the command line. Start the server again when you have finished. On UNIX, run ccm.sh to stop the server. Then edit ccm.config to modify the servers command line. Start the server again when you have finished. Note: On UNIX, each servers command line is actually passed as an argument to the crystalrestart.sh script. This script launches the server and monitors it in case an automatic restart is required. For more information, see UNIX Tools on page 473.

454

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Standard options for all servers

Standard options for all servers


These command-line options apply to all of the BusinessObjects Enterprise servers, unless otherwise indicated. See the remainder of this section for options specific to each type of server. Option
-name

Valid Arguments Behavior string Specify the friendly name of the server. The server registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertype Note:

Do not modify -name for a CMS. If you modify -name for an Input or Output File Repository Server, you must include Input. or Output. as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).

-ns

cmsname[:port Specify the CMS that the server should register with. Add port if the CMS is not listening on the default (6400). This ] option does not apply to the CMS itself. Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024. Note: This port is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.

-requestPort port

BusinessObjects Enterprise Deployment and Configuration Guide

455

Server Command Lines Central Management Server

Option
-port

Valid Arguments Behavior [interface:][ Bind WCA or CMS to the specified port, or to the port] specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments. Note:

Use -port port or -port interface:port for WCA and CMS. Use -port interface for other servers. The port command is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide. If you change the default port value for the CMS, you must perform additional system configuration. For more information please see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrators Guide.

-restart -fg

Server restarts if it exits with an unusual exit code. UNIX only. Run the daemon in the foreground. When passing the servers command line to the crystalrestart.sh script, you must use this option (see ccm.config). If you run the servers command line directly, do not use this option, because the foreground process blocks the shell until the server exits.

UNIX signal handling


On UNIX, the BusinessObjects Enterprise daemons handle the following signals:

SIGTERM results in a graceful server shutdown (exit code = 0). SIGSEGV, SIGBUS, SIGSYS, SIGFPE, and SIGILL result in a rapid

shutdown (exit code = 1).

Central Management Server


This section provides the command-line options that are specific to the CMS. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CrystalMS.exe

The default path to the server on UNIX is:

456

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Central Management Server

INSTALL_ROOT/bobje/enterprise11/platform/boe_cmsd

BusinessObjects Enterprise Deployment and Configuration Guide

457

Server Command Lines Central Management Server

Option
-threads -reinitializedb

Valid Behavior Arguments number Use a thread pool of the specified size. The default is one thread per request. Cause the CMS to delete the system database and recreate it with only the default system objects. Force the CMS to quit after processing the reinitializedb option. number Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients. Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000. Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10. Specify interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.). Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)

-quit -receiverPool

-maxobjectsincache

number

-ndbqthreads

number

-AuditInterval

minutes

-AuditBatchSize

number

458

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Page Server and Cache Server

Option
-auditMaxEventsPerFile

Valid Behavior Arguments number Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file. Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)

-AuditeeTimeSyncInterval minutes

Page Server and Cache Server


The Page Server and the Cache Server are controlled in much the same way from the command line. The command-line options determine whether the server starts as a Page Server, a Cache Server, or both. Options that apply only to one server type are noted below. The default paths to the servers on Windows are:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe

The default paths to the servers on UNIX are:


INSTALL_ROOT/bobje/enterprise/platform/boe_cachesd INSTALL_ROOT/bobje/enterprise11/platform/boe_pagesd

BusinessObjects Enterprise Deployment and Configuration Guide

459

Server Command Lines Page Server and Cache Server

Option
-cache -dir

Valid Arguments

Behavior Enable Cache Server functionality.

absolutepath Specify the cache directory for a Cache Server and the temp directory for the Page Server. The directories created are absolutepath/cache and
absolutepath/temp

-deleteCache -psdir -refresh -maxDBResultRecords

Delete the cache directory every time the server starts and stops. absolutepath Specify the temp directory for the Page Server. This option overrides -dir. minutes number Share cached pages for the specified number of minutes. Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero). Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server. absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. number On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.

-noautomaticdbdisconnect

-report_ProcessExtPath

-auditMaxEventsPerFile

460

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Job servers

Job servers
This section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe

The default paths to the server on UNIX are:


INSTALL_ROOT/bobje/enterprise11/platform/boe_reportjobsd INSTALL_ROOT/bobje/enterprise11/platform/boe_programjobsd

Option
-dir -lib

Valid Arguments absolutepath

Behavior Specify the data directory for the Job Server.

processinglibr Specify the processing library to load: ary procReport or

procProgram

Loading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.
-objectType

progID

The program ID of the processing library, which determines the class of object supported by the Job Server: CrystalEnterprise.Report or

CrystalEnterprise.Program Used with -lib to specify whether the

Job Server becomes a Report Job Server or a Program Job Server.

-maxJobs

number

Set the maximum number of concurrent jobs that the server will handle. The default is five. Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.

-requestJSChildPorts

lowerboundupperbound

BusinessObjects Enterprise Deployment and Configuration Guide

461

Server Command Lines Report Application Server

Option

Valid Arguments

Behavior Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.

-report_ProcessExtPath absolutepath

-auditMaxEventsPerFile number

Report Application Server


This section provides the command-line options that are specific to the Report Application Server. The default path to the server on Windows is:
C:\Program Files\Common Files\Business Objects\3.0\ bin\crystalras.exe

The default path to the server on UNIX is:


INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd

Option
-ipport

Valid Arguments port

Behavior Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise). Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrators Guide.

-report_ProcessExtPath absolutepat

462

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Report Application Server

Option
-ProcessAffinityMask

Valid Arguments mask

Behavior Use a mask to specify exactly which CPUs that RAS will use when it runs on a multiprocessor machine. The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted). For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110. Note:

-auditMaxEventsPerFile number

RAS uses the first permitted processors in the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110. The default value of the mask is -1, which has the same meaning as 0x1111.

Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.

BusinessObjects Enterprise Deployment and Configuration Guide

463

Server Command Lines Web Intelligence Report Server

Web Intelligence Report Server


This section provides the command-line options that are specific to the Web Intelligence Report Server. The default paths to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe

The default path to the server on UNIX is:


INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd

Option
-ConnectionTimeout Minutes -MaxConnections

Valid Arguments minutes number

Behavior Specify the number of minutes before the server will timeout. Specify the maximum number of simultaneous connections that the server allows at one time. Enables caching of Web Intelligence documents when the document is being viewed. Enables real time caching of Web Intelligence documents.

-DocExpressEnable

-DocExpressRealTime CachingEnable -DocExpressCache DurationMinutes -DocExpressMaxCache SizeKB -EnableListOfValues Cache -ListOfValuesBatchSize number -UniverseMaxCacheSize -WIDMaxCacheSize

minutes kilobytes

Specify the amount of time (in minutes) that content is stored in cache. Specify the size of the document cache. Enables the caching per user sessions of lists of values Specify the maximum number of values that can be returned per list of values batch. Specify the number of universes to be cached. Specify the maximum number of Web Intelligence documents that can be stored in cache.

number number

464

BusinessObjects Enterprise Deployment and Configuration Guide

Server Command Lines Input and Output File Repository Servers

Input and Output File Repository Servers


This section provides the command-line options that are specific to the Input and Output File Repository Servers. The default paths to the servers on Windows are:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe

The default paths to the program that provides both servers on UNIX are:
INSTALL_ROOT/bobje/enterprise11/platform/boe_inputfilesd INSTALL_ROOT/bobje/enterprise11/platform/boe_outputfilesd Note: If you modify -name for an Input or Output File Repository Server, you

must include Input. or Output. as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK). Option
-rootDir

Valid Arguments

Behavior

absolutepath Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory. Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.

-tempDir

absolutepath Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting). minutes Specify the number of minutes after which an idle session is cleaned up.

-maxidle

BusinessObjects Enterprise Deployment and Configuration Guide

465

Server Command Lines Event Server

Event Server
This section provides the command-line options that are specific to the Event Server. The default path to the server on Windows is:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe

The default path to the server on UNIX is:


INSTALL_ROOT/bobje/enterprise11/platform/boe_eventsd

Option
-poll -cleanup

Valid Arguments seconds minutes

Behavior Specify the frequency (in seconds) with which the server checks for File events. Specify the frequency (in minutes) with which the server cleans up listener proxies. Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by auditMaxEventsPerFile is exceeded, the server opens a new log file.

-auditMaxEventsPerFile number

466

BusinessObjects Enterprise Deployment and Configuration Guide

Rights and Access Levels

appendix

Rights and Access Levels Rights

Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK. Description used in the CMC Respect current security by inheriting rights from parent groups Respect current security by inheriting rights from parent folders Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Define server groups to process jobs Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data View objects that the user owns Edit objects that the user owns Modify the rights users have to objects that the user owns Name used in the SDK AdvancedInheritGroups AdvancedInheritFolders ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightPickMachines ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemand Report ceReportRightPageServerExport ceRightOwnerView ceRightOwnerEdit ceRightOwnerModifyRights

468

BusinessObjects Enterprise Deployment and Configuration Guide

Rights and Access Levels Access levels

Description used in the CMC Delete objects that the user owns Delete instances that the user owns View document instances that the user owns

Name used in the SDK ceRightOwnerDelete ceRightOwnerDeleteInstance ceRightOwnerViewInstance

Pause and resume document instances ceRightOwnerPauseResumeSche that the user owns dule

Access levels
This section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC). Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see Object rights for the Report Application Server on page 472.

No Access
This access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.

View
Description used in the CMC View objects View document instances Name used in the SDK ceRightView ceRightViewInstance

Schedule
Description used in the CMC View objects Schedule the document to run Name used in the SDK ceRightView ceRightSchedule

BusinessObjects Enterprise Deployment and Configuration Guide

469

Rights and Access Levels Access levels

Description used in the CMC Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Export the reports data Edit objects that the user owns Pause and resume document instances that the user owns

Name used in the SDK ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerPauseResumeSchedule

Delete instances that the user owns ceRightOwnerDeleteInstance

View On Demand
Description used in the CMC View objects Schedule the document to run Define server groups to process jobs Copy objects to another folder Schedule to destinations View document instances Print the reports data Refresh the reports data Export the reports data Edit objects that the user owns Delete instances that the user owns Pause and resume document instances that the user owns Name used in the SDK ceRightView ceRightSchedule ceRightPickMachines ceRightCopy ceRightSetDestination ceRightViewInstance ceReportRightPrintReport ceReportRightRefreshOnDemandRepo rt ceReportRightPageServerExport ceRightOwnerEdit ceRightOwnerDeleteInstance ceRightOwnerPauseResumeSchedule

470

BusinessObjects Enterprise Deployment and Configuration Guide

Rights and Access Levels Default rights on the top-level folder

Full Control
Description used in the CMC Add objects to the folder View objects Edit objects Modify the rights users have to objects Schedule the document to run Delete objects Delete instances Copy objects to another folder Schedule to destinations View document instances Pause and Resume document instances Print the reports data Refresh the reports data Export the reports data Name used in the SDK ceRightAdd ceRightView ceRightEdit ceRightModifyRights ceRightSchedule ceRightDelete ceRightDeleteInstance ceRightCopy ceRightSetDestination ceRightViewInstance ceRightPauseResumeSchedule ceReportRightPrintReport ceReportRightRefreshOnDemandRe port ceReportRightPageServerExport

Define server groups to process jobs ceRightPickMachines

Default rights on the top-level folder


The top-level BusinessObjects Enterprise folder serves as the root for all other folders and objects that you add to the system. This folder provides the following rights by default:

The Everyone group is granted the Schedule access level. The Administrators group is granted the Full Control access level.

BusinessObjects Enterprise Deployment and Configuration Guide

471

Rights and Access Levels Object rights for the Report Application Server

Object rights for the Report Application Server


To allow users to create or modify reports over the Web through the Report Application Server (RAS), you must have RAS Report Modification licenses available on your system. You must also grant users a minimum set of object rights. When you grant users these rights to a report object, they can select the report as a data source for a new report or modify the report directly:

View objects (or View document instances, as appropriate) Edit objects Refresh the reports data Export the reports data

User must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise. To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), its recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right. When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.

472

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools

appendix

UNIX Tools UNIX tools overview

UNIX tools overview


The UNIX distribution of BusinessObjects Enterprise includes a number of scripts that, together, provide you with all the configuration options that are available in the Windows version of the Central Configuration Manager (CCM). There are a number of other scripts that provide you with UNIXspecific options or serve as templates for your own scripts. Also, there are several secondary scripts that are used by BusinessObjects Enterprise. Each script is described here and the command-line options are provided where applicable.

Script utilities
This section describes the administrative scripts that assist you in working with BusinessObjects Enterprise on UNIX. The remainder of this help discusses the concepts behind each of the tasks that you can perform with these scripts. This reference section provides you the main command-line options and their arguments.

ccm.sh
The ccm.sh script is installed to the bobje directory of your installation. This script provides you with a command-line version of the CCM. This section lists the command-line options and provides some examples. Note:

Arguments in square brackets [ ] are optional. By default, servers are named with a hostname.servertype convention. If the option requires the server name, use servertype as the server name. If the option requires the fully qualified server name, use hostname.servertype. If you are unsure of a servers fully qualified name, look in the ccm.config file, locate the servers launch string, and use the value that appears after the -name option.

474

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools Script utilities

CCM Option
-help -start -stop

Arguments denoted by other authentication information are provided in the second table. Valid Arguments n/a
all or servername all or servername

Description Display command-line help. Start each server as a process. Use the short form of the server name. Stop each server by terminating its Process ID. Use the short form of the server name. Stop each server by terminating its Process ID; then each server is started. Use the short form of the server name.

-restart

all or servername

-enable

all or hostname.servertype Enable a started server so that it [other authentication registers with the system and starts information] listening on the appropriate port. Use the fully qualified form of the server name. all or hostname.servertype Disable a server so that it stops [other authentication responding to BusinessObjects information] Enterprise requests but remains started as a process. Use the fully qualified form of the server name.

-disable

-display

server [other authentication information]

Reports the servers current status (enabled or disabled). The CMS must be running before you can use this option. Update objects migrated from a previous version of BusinessObjects Enterprise into your current CMS system database. Use this option after running cmsdbsetup.sh.

-updateobjects [other authentication

information]

BusinessObjects Enterprise Deployment and Configuration Guide

475

UNIX Tools Script utilities

This table describes the options that make up the argument denoted by other authentication information. Authentication Option
-cms

Valid arguments cmsname:port#

Description Specify the CMS that you want to log on to. If not specified, the CCM defaults to the local machine and the default port (6400). Specify an account that provides administrative rights to BusinessObjects Enterprise. If not specified, the default Administrator account is attempted. Specify the corresponding password. If not specified, a blank password is attempted. Note: To specify the -password argument, you must also specify the username argument. type for the administrative account. If not specified, secEnterprise is attempted.

-username

username

-password

password

-authentication secEnterprise, secLDAP Specify the appropriate authentication

The CCM reads the server launch strings and other configuration values from the ccm.config file. For details, see ccm.config on page 477.

Examples
These two commands start and enable all the servers. The Central Management Server (CMS) is started on the local machine and the default port (6400):
ccm.sh -start all ccm.sh -enable all

These two commands start and enable all the servers. The CMS is started on port 6701, rather than on the default port:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701

These two commands start and enable all the servers with a specified administrative account named SysAdmin:
ccm.sh -start all ccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin password 35%bC5@5 -authentication LDAP

This single command logs on with a specified administrative account to disable a Job Server that is running on a second machine:

476

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools Script utilities

ccm.sh -disable MACHINE02.businessobjects.com.reportserver cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication secLDAP

ccm.config
This configuration file defines the server launch strings and other values that are used by the CCM when you run its commands. This file is maintained by the CCM itself, and by the other BusinessObjects Enterprise script utilities. You typically edit this file only when you need to modify a servers command line. For details, see Command lines overview on page 454.

cmsdbsetup.sh
The cmsdbsetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the CMS database, CMS clusters, and to set up the audit database. You can add a CMS to a cluster by selecting a new data source for its CMS database. You can also delete and recreate (re-initialize) a CMS database, copy data from another data source, or change the existing cluster name. Note: Before running this script, back up your current CMS database. Also be sure to see Clustering Central Management Servers on page 114 for additional information about CMS clusters and configuring the CMS database. The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. To check the name of your CMS (or any other server), view the contents of ccm.config and look for the servers launch string. The servers current name appears after the -name option. For more information about configuring the CMS database or setting up the auditing database, see Managing Auditing on page 391.

configpatch.sh
The configpatch.sh script is installed to the bobje/enterprise/ generic directory of your installation. Use the configpatch.sh script when installing patches that require updates to system configuration values. After installing the patch, run configpatch.sh with the appropriate .cf file name as an argument. The readme.txt file that accompanies BusinessObjects Enterprise patches tells you when to run configpatch.sh, and the name of the .cf file to use.

BusinessObjects Enterprise Deployment and Configuration Guide

477

UNIX Tools Script utilities

serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your installation. This script provides a text-based program that enables you to view server information and to add and delete servers from your installation. This script adds, deletes, modifies, and lists information from the ccm.config file. When you modify a server using serverconfig.sh, you can change the location of its temporary files. For the Central Management Server, you can change its port number or enable auditing. For the Input File Repository Server or the Output File Repository Server, you can enter the root directory. 1. 2. To add/delete/modify/list UNIX servers Go to the bobje directory of your installation. Issue the following command:
./serverconfig.sh

The script prompts you with a list of options:


3. 4.

1 - Add a server 2 - Delete a server 3 - Modify a server 4 - List all servers in the config file

Type the number that corresponds to the action you want to perform. If you are adding, deleting, or modifying a server, provide the script with any additional information that it requests. Tip: The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. However, in this script you can enter hostname to check the name of your CMS (or any other server), view the contents of ccm.config, and look for the servers launch string. The servers current name appears after the name option.

5.

Once you have added or modified a server, use the CCM to ensure that the server is both started and enabled.

For more information about working with servers, see Managing and Configuring Servers on page 97.

478

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools Script utilities

sockssetup.sh
The sockssetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the Web Component Adapter (WCA) and the Central Management Server (CMS) when they must communicate across one or more SOCKS proxy server firewalls. For technical information about BusinessObjects Enterprise and firewalls, see Working with Firewalls on page 157. 1. 2. 3. To modify SOCKS configuration Go to the bobje directory of your installation. Issue the following command:
./sockssetup.sh

Type wca to configure the communication between the WCA and the CMS. Or, type servers to configure SOCKS information between the remaining servers. The script may prompt you for the name or friendly name of the server. By default, each servers name is hostname.servertype. To check the name of a server, view the contents of ccm.config and look for the servers launch string. The servers current name appears after the name option. The friendly name of the WCA by default is hostname.wca. To check the name of the WCA, look for the <display-name> of the WCA as listed in the web.xml file in the WEB-INF directory of the webcompadapter.war archive. (This archive is found in the businessobjects_root/enterprise/JavaSDK/applications directory, where businessobjects_root is the root directory of your BusinessObjects Enterprise installation.)

4.

Specify one of the available actions:


5.

Type show to display any SOCKS servers that have already been entered with this script. A blank list is displayed if no servers have been added. Type create to add a new SOCKS server to the list. Type modify to change one of the SOCKS servers in the list. Type delete to remove a SOCKS server from the list. Type moveup or movedown to modify the sequence of SOCKS servers.

Proceed through the script and provide any additional information that it requests:

BusinessObjects Enterprise Deployment and Configuration Guide

479

UNIX Tools Script templates

If you are creating a new entry in the list, you will typically need to provide the name or IP address of the SOCKS server, the port number it is listening on, the version number of the SOCKS server (4 or 5), and any authentication information that the BusinessObjects Enterprise servers will require in order to establish a connection with your SOCKS server. If you choose to delete, modify, or move an existing entry, you will be asked to specify the server by index. Type the number that corresponds to the SOCKS server you want to modify.

For details about SOCKS and the importance of the sequence of servers, see Configuring for SOCKS servers on page 175.

uninstallBOBJE.sh
The uninstallBOBJE.sh script is installed to the bobje directory of your installation. This script deletes all of the files installed during your original installation of BusinessObjects Enterprise by running the scripts in the bobje/uninstall directory. Do not run the scripts in the uninstall directory yourself: each of these scripts removes only the files associated with a single BusinessObjects Enterprise component, which may leave your BusinessObjects Enterprise system in an indeterminate state. Before running this script, you must disable and stop all of the BusinessObjects Enterprise servers. Note:

The uninstallBOBJE.sh script will not remove files created during the installation process, or files created by the system or by users after installation. To remove these files, after running installBOBJE.sh, perform an rm -rf command on the bobje directory. If you performed the system installation type, you will also need to delete the run control scripts from the appropriate /etc/rc# directories.

Script templates
These scripts are provided primarily as templates upon which you can base your own automation scripts.

480

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools Script templates

startservers
The startservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that starts the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.

stopservers
The stopservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that stops the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see ccm.sh on page 474.

silentinstall.sh
The silentinstall.sh script is installed to the bobje directory of your installation. Once you have set up BusinessObjects Enterprise on one machine, you can use this template to create your own scripts that install BusinessObjects Enterprise automatically on other machines. Essentially, once you have edited the silentinstall.sh template accordingly, it defines the required environment variables, runs the installation and setup scripts, and sets up BusinessObjects Enterprise according to your specifications, without requiring any further input. The silent installation is particularly useful when you need to perform multiple installations and do not want to interrupt people who are currently working on machines in your system. You can also use the silent installation script in your own scripts. For example, if your organization uses scripts to install software on machines, you can add the silent BusinessObjects Enterprise installation command to your scripts. For information about script parameters, see the comments in the silentinstall.sh script. Note:

Because the silentinstall.sh file is installed with BusinessObjects Enterprise, you cannot install silently the first time you install BusinessObjects Enterprise.

BusinessObjects Enterprise Deployment and Configuration Guide

481

UNIX Tools Scripts used by BusinessObjects Enterprise

The silent installation is not recommended if you need to perform custom installations. The installation options are simplified and do not allow for the same level of customization provided in the BusinessObjects Enterprise install script.

Scripts used by BusinessObjects Enterprise


These secondary scripts are often run in the background when you run the main BusinessObjects Enterprise script utilities. You need not run these scripts yourself.

bobjerestart.sh
This script is run internally by the CCM when it starts the BusinessObjects Enterprise server components. If a server process ends abruptly without returning its normal exit code, this script automatically restarts a new server process in its place. Do not run this script yourself.

env.sh
The env.sh script is installed to the bobje directory of your installation. This script sets up the BusinessObjects Enterprise environment variables that are required by some of the other scripts. BusinessObjects Enterprise scripts run env.sh as required. When you install BusinessObjects Enterprise on UNIX, you must configure your Java application server to source this script on startup. See the BusinessObjects Enterprise Installation Guide for more details.

env-locale.sh
The env-locale.sh script is used for converting the script language strings between different types of encoding (for example, UTF8 or EUC or Shift-JIS). This script is run by env.sh as needed.

initlaunch.sh
The initlaunch.sh script runs env.sh to set up the BusinessObjects Enterprise environment variables, and then runs any command that you have added as a command-line argument for the script. This script is intended primarily for use as a debugging tool by Business Objects SA.

482

BusinessObjects Enterprise Deployment and Configuration Guide

UNIX Tools Scripts used by BusinessObjects Enterprise

patchlevel.sh
The patchlevel.sh is installed to the bobje/enterprise/generic directory of your installation. This script reports on the patch level of your UNIX distribution. This script is intended primarily for use by Business Objects SA support staff. Option
list query check

Valid Arguments Description n/a patch # textfile List all the installed patches. Query the operating system for the presence of a particular patch by numeric ID. Check that all the patches listed in textfile are installed on your operating system.

postinstall.sh
The postinstall.sh script is installed to the bobje directory of your installation. This script runs automatically at the end of the installation script and launches the setup.sh script. You need not run this script yourself.

setup.sh
The setup.sh script is installed to the bobje directory of your installation. This script provides a text-based program that allows you to set up your BusinessObjects Enterprise installation. This script is run automatically when you install BusinessObjects Enterprise. It prompts you for the information that is required in order to set up BusinessObjects Enterprise for the first time. For complete details on responding to the setup script when you install BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.

setupinit.sh
The setupinit.sh script is installed to the bobje directory of your installation when you perform a system installation. This script copies the run control scripts to your rc# directories for automated startup. When you run a system installation you are directed to run this script after the setup.sh script completes. Note: You must have root privileges to run this script.

BusinessObjects Enterprise Deployment and Configuration Guide

483

UNIX Tools Scripts used by BusinessObjects Enterprise

484

BusinessObjects Enterprise Deployment and Configuration Guide

Enabling support for ASP.NET 2.0

appendix

Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0

Enabling support for ASP.NET 2.0


If you have upgraded to ASP.NET 2.0 after you installed BusinessObjects Enterprise, you will need to modify the web.xml to add support for ASP.NET 2.0. Note: If you install ASP.NET 2.0 before you install BusinessObjects Enterprise, this step is not required. The required tag <xhtmlConformance mode="Legacy"/> will be added to the Web.config file by the BusinessObjects Enterprise installer during the installation. 1. To enable ASP.NET 2.0 support Open the Web.config file from the following location:
C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2.

Locate the following two comments in the file:

<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. -->

3. 4. 5.

<!--BOASPNET20REPLACE-->

Copy the string <xhtmlConformance mode="Legacy"/> from the first comment. Replace the comment <!--BOASPNET20REPLACE--> with string copied in the previous step. When your change is complete, the file should look like this:
<!-To run on ASP.NET 2.0, InfoView requires the setting: <xhtmlConformance mode="Legacy"/> For asp.net 2.0, the installer will automatically replace (or has replaced) the comment below with this setting. --> <xhtmlConformance mode="Legacy"/>

6. 7.

Save and close the file. Restart IIS.

486

BusinessObjects Enterprise Deployment and Configuration Guide

Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0

BusinessObjects Enterprise Deployment and Configuration Guide

487

Enabling support for ASP.NET 2.0 Enabling support for ASP.NET 2.0

488

BusinessObjects Enterprise Deployment and Configuration Guide

Business Objects Information Resources

appendix

Business Objects Information Resources Documentation and information services

Documentation and information services


Business Objects offers a full documentation set covering its products and their deployment. Additional support and services are also available to help maximize the return on your business intelligence investment. The following sections detail where to get Business Objects documentation and how to use the resources at Business Objects to meet your needs for technical support, education, and consulting.

Documentation
You can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.

Whats in the documentation set?


View or download the Business Objects Documentation Roadmap, available with the product documentation at http://www.businessobjects.com/support/. The Documentation Roadmap references all Business Objects guides and lets you see at a glance what information is available, from where, and in what format.

Where is the documentation?


You can access electronic documentation at any time from the product interface, the web, or from your product CD.

Documentation from the products


Online help and guides in Adobe PDF format are available from the product Help menus. Where only online help is provided, the online help file contains the entire contents of the PDF version of the guide.

Documentation on the web


The full electronic documentation set is available to customers on the web from support web site at: http://www.businessobjects.com/support/.

Documentation on the product CD


Look in the docs directory of your product CD for versions of guides in Adobe PDF format.

490

BusinessObjects Enterprise Deployment and Configuration Guide

Business Objects Information Resources Customer support, consulting and training

Send us your feedback


Do you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: documentation@businessobjects.com. Note: If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: http://www.businessobjects.com/ support/.

Customer support, consulting and training


A global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business.

How can we support you?


Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate customer support centers in the following countries:

USA Australia Canada United Kingdom Japan

Online Customer Support


The Business Objects Customer Support web site contains information about Customer Support programs and services. It also has links to a wide range of technical information including knowledgebase articles, downloads, and support forums. http://www.businessobjects.com/support/

BusinessObjects Enterprise Deployment and Configuration Guide

491

Business Objects Information Resources Useful addresses at a glance

Looking for the best deployment solution for your company?


Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more. For more information, contact your local sales office, or contact us at: http://www.businessobjects.com/services/consulting/

Looking for training options?


From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education web site: http://www.businessobjects.com/services/training

Useful addresses at a glance


Address Business Objects product information http://www.businessobjects.com Product documentation http://www.businessobjects.com/ support Business Objects Documentation mailbox documentation@businessobjects.com Online Customer Support http://www.businessobjects.com/ support/ Content Information about the full range of Business Objects products. Business Objects product documentation, including the Business Objects Documentation Roadmap. Send us feedback or questions about documentation. Information on Customer Support programs, as well as links to technical articles, downloads, and online forums.

492

BusinessObjects Enterprise Deployment and Configuration Guide

Business Objects Information Resources Useful addresses at a glance

Address Business Objects Consulting Services http://www.businessobjects.com/ services/consulting/ Business Objects Education Services http://www.businessobjects.com/ services/training

Content Information on how Business Objects can help maximize your business intelligence investment. Information on Business Objects training options and modules.

BusinessObjects Enterprise Deployment and Configuration Guide

493

Business Objects Information Resources Useful addresses at a glance

494

BusinessObjects Enterprise Deployment and Configuration Guide

Index
A
access levels available in the CMC 469 for RAS 472 active sessions, viewing 341, 341 active trust relationship 188 AD authentication plug-in 246 adding CMS cluster members 114 servers 105 administration configuration tools 98, 338 Administrators group, default rights 471 affinity, and SSL 189 anonymous single sign-on 184 application servers 35 application tier 34 applications CCM 33 CMC 33 Import Wizard 34 InfoView 32 Publishing Wizard 34 applications, installing 93 apsdbsetup.sh 477 architecture balanced processing 79 firewalled 81 high availability 80 single-machine 79 ASP pages display code 376 ASP.NET 2.0 modifying web.config to support 486 ASP.NET component, verifying 377 attributes, logon tokens 188 audit actions enabling auditing of 399 reference list 395 synchronizing records 403 audit enablement 399 auditable actions CMS 399 Destination Job Server 398 Event Server 398 Job Server 399 auditee 392 auditing configuring database 393 database schema 416 enabling 399 information flow 392 optimizing performance 404 reporting results 402, 416 synchronizing records 403 user and system actions 395 web activity 194 auditing database configuring 393 database schema 416 Application_Type table 419 Audit_Detail table 417 Audit_Event table 416 Detail_Type table 420 Event_Type table 419 Server_Process table 418 auditor 392 Auditor report names 408 Average Number of Users Logged In 408 Average Refresh Time 409 Average Session Duration 409 Average Session Duration per Cluster 409 Average Session Duration per User 409 Cluster Nodes 410 Document Information Detail 410 Document Scheduling and Viewing Status 410 Job Servers on the System 411 Job Summary 410

BusinessObjects Enterprise Deployment and Configuration Guide

495

Index

Jobs per Job Server 411 Jobs per User 411 Last Login for User 411 Least Accessed Documents 412 Modifications 413 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 Number of User Sessions 413 Number of Users in the System 413 Peak Usage 414 Refresh and Edit Activity 414 Rights Modification 414 Total Users Logged in by Day 414 User Activity 414 User Activity per Session 415 Users Who Logged Off Incorrectly 415 authentication BusinessObjects Enterprise security plug-in 186 Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 LDAP security plug-in 228 primary 181 security plug-ins 55, 185 troubleshooting log on 380 Trusted Authentication 328 Windows AD security plug-in 246 Windows NT Challenge/Response 213, 248 Windows NT security plug-in 212

B
Business Objects consulting services 492, 493 support services 491 training services 492, 493 Business Objects applications CCM 33

CMC 33 CMS 38 Import Wizard 34 InfoView 32 Publishing Wizard 34 BusinessObjects Enterprise communication between servers 162 firewall integration 162 primary authentication process 181 single sign-on 187 single sign-on with NT 213 BusinessObjects Enterprise SDK 187 Java SDK 35 .NET SDK 35 BusinessObjects Enterprise security plug-in 186 BusinessObjects Enterprise servers Cache Server 40 configuring hosts file for firewall 169 description 30 Event Server 39 File Repository Servers 40 Job Server 42 Page Server 44 Program Job Server 42 Report Application Server 44 BusinessObjects Enterprise servers, configure configure IIS and browsers 275 configure servers to use service account 297 configuring the servers configuring servers to use service account 270 granting service account rights 270 grant service account rights 295 setting service account 268, 292 BusinessObjects Enterprise Sizing Guide 366 BusinessObjects WAR files deploying 93 mapping to cluster in WebSphere 5.1 95 in WebSphere 6.0 95

C
cacert.der 153 Cache Server 40 command-line options 459

496

BusinessObjects Enterprise Deployment and Configuration Guide

Index

configuring 131, 352 metrics 340, 342 performance 68 performance settings 131, 352 viewing with 49 Cache Server auditable actions 396 cakey.pem 153 CCM adding a server 105 changing server startup type 151 server user account 152 Windows server dependencies 150 copying server status 104 deleting a server 107 enabling and disabling servers 102 printing server status 104 refreshing the list of servers 104 starting, stopping, and restarting servers 99 CCM, for UNIX 474 ccm.sh 474 Central Configuration Manager. See CCM Central Management Console. See CMC Central Management Server. See CMS certificate files 153 Changing Tomcat connect port 112, 378 client side viewers 45 client tier 32 clusters 114, 116, 117 changing names 121 requirements 114 viewing details 345 clusters, creating 87 CMC enabling and disabling servers 102 starting, stopping, and restarting servers 99 unable to connect 379 CMC timeout setting 110 CMS adding to a cluster 117 and authentication 181 and distributed security 189 as nameserver 147 changing cluster name 121

clustering 114 installing new cluster member 116 requirements 114 CMS tasks 38 command-line options 456 configuring 127, 128, 147 NAT 168 SOCKS 176 database 38 default port 147 limitations 65 metrics 341, 345 performance 65 security 54 security plug-ins 54 session variables 191 and authentication 181 tracking 193 stopping 102 unable to connect 379 when enabling and disabling other servers 102 CMS auditable actions 399 CMS clustering 77 CMS database changing password 128 configuring 122 copying 122 deleting 127 migrating 122 recreating 127 selecting 128 command lines, overview 454 command-line options all servers 455 Cache Server 459 CMS 456 Event Server 466 Input and Output File Repository Servers 465 Job Server 461 Page Server 459 Program Job Server 461 Report Application Server 462 Web Intelligence Job Server 461 Web Intelligence Report Server 464

BusinessObjects Enterprise Deployment and Configuration Guide

497

Index

command-line options, SSL 152 communication between browser and Web application server 181 between BusinessObjects Enterprise servers 162 components, security management 53 computer contstrained delegation 294 concurrent active users 62 configuration planning 58 sample 436 configuration, common scenarios 78 Configure the thick client to use SSL 376 configuring auditing database 393 auditing database on UNIX 394 auditing database on windows 394 Cache Server 131, 352 CMS clusters 114, 121 CMS database 122, 127, 128 Event Server 351 File Repository Servers 130, 352 firewalls 166 intelligence tier 114 Job Server 133, 140, 355, 355 Page Server 132, 140, 356, 363 processing tier 132 server settings 98, 338 servers 98, 338 universe connection 401 configuring trusted authentication 329 Connection Server metrics 341 constrained delegation service account 295, 295 consultants, Business Objects 492 cookies and session tracking 191 logon tokens 188 CORBA 437 creating custom audit reports 416 Crystal reports troubleshooting reports 383

Crystal Reports Cache Server. See Cache Server Crystal Reports Page Server. See Page Server Crystal Reports sample audit reports 402 Crystal xCelsius 69 performance 69 CSP pages display code 376 custom audit report creation 416 custom web applications, enhancing 370 customer support 491 customizing your configuration 366

D
daemons, signal handling 456 data live 52 saved 53 data sharing 98, 338 on Cache Server 131, 352 on Page Server 132, 356, 363 on RAS 360 data sources on UNIX 141 on Windows 140 data tier 45 databases configuring servers for 140 copying CMS data 122 initializing the CMS 127 modifying RAS interactions 360 selecting for the CMS 128 single sign-on access 184 troubleshooting logon 385 default settings authentication 186 Enterprise accounts 186 NT account 213 ports 147 security plug-in 186 default timeout 110 defaultconfig.xml about 428 customizing elements 432 finding correct version to change 430 modifying for Java Report Panel 431

498

BusinessObjects Enterprise Deployment and Configuration Guide

Index

modifying for .NET InfoView 431 deleting CMS database 127 servers 107 dependencies of servers on Windows 150 deployment planning 58 sample 436 deployment manager adding nodes 85, 86 starting 85 Designer firewall settings 166 Desktop Intelligence firewall settings 166 Destination Job Server destinations configuring 134 enabling or disabling 133 enabling Inbox destination 133 performance settings 355 Destination Job Server auditable actions 398 destinations for job servers configuring 134 enabling or disabling 133 troubleshooting 390 directory servers about LDAP 229 security plug-in 228 disabling destinations for job servers 133 servers 102 Disabling logon tokens 196 disabling logon tokens 196, 200 disabling restoration of a timed out session 200 disabling the restoration of a timed out session 200 disabling the restoration of a timed out session in Java 200 disabling the restoration of a timed out session in .NET 201 disaster recovery 76 DLL. See dynamic-link libraries documentation additional 375

feedback on 491 on product CD 490 on the web 490 roadmap 490 DSNs on UNIX 143 dynamic-link libraries as processing extensions 187

E
education. See training email destination setting defaults 136 enable ASP.NET 2.0 support 486 enable .NET 2.0 support 486 enabling destinations for a job server 133 servers 102 enabling auditing 399 encoding logon tokens 188 end-to-end single sign-on 185 environment variables ODBC 143 env.sh 482 ePortfolio. See InfoView errors Page Server 389 troubleshooting 374 Event Log 150, 345 Event Server auditable actions 399 configuring 351 metrics 343 polling time 351 Event Server auditable actions 398 Event Server, command-line options 466 events polling time 351 Everyone group, default rights 471 expanding the system 366 extensions, processing 187

F
fault tolerance 76 feedback, on documentation 491

BusinessObjects Enterprise Deployment and Configuration Guide

499

Index

File Repository Servers command-line options 465 maximum idle times 130, 352 metrics 340 Properties page 130, 352 root directories 130, 352 firewall rules specifying for NAT 170 specifying for packet filtering 173 firewall types 159 NAT 160 packet filtering 160 SOCKS 161 firewall, desktop product 166 firewalls 158, 194, 436 configuration scenarios 164 configuring 166 NAT 167 packet filtering 172 SOCKS 175 thick client 171 with application tier 168 with WCA 177 forcing servers to register by name 149 integration with BusinessObjects Enterprise 162 Job Servers 442 server communications, and 162 folders default rights 471 root 471 FTP destination setting defaults 138 Full Control access level 471

hosts file, configuring for NAT firewall 169 HTTP 181, 191 HTTP server, check status 87 HTTP server, starting 86

I
IBM WebSphere Kerberos configuration 304 idle times Cache Server 131, 352 File Repository Servers 130, 352 Page Server 132, 356, 363 IIS database single sign-on configuration 281 end-to-end single sign on configuration 277 single sign-on configuration 275 IIS 5 database single sign-on configuration 282 end-to-end single sign on configuration 277 IIS 6 database single sign-on configuration 283 end-to-end single sign on configuration 279 IIS 6, run under local system 379 Import Wizard 34 information flow, between servers 46 information resources 490 InfoView considerations 390 Java version 108 troubleshooting 390 initializing CMS database 127 initlaunch.sh 483 Input File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352 intelligence tier 37 configuring 114 internal system configuration, setting 92 Internet Explorer, configuring 276 Internet Information Services (IIS), default web site 375 IOR 437

G
Guest account, default rights 471

H
heap sizes, setting in WebSphere 5.1 90 in WebSphere 6.0 91 help, documentation resources 375 high availability 76

500

BusinessObjects Enterprise Deployment and Configuration Guide

Index

J
JAAS login configuration files, create Oracle 306 Tomcat/WebLogic 305 WebSphere 306 Java CMC timeout 110 Java InfoView timeout 111 Java InfoView, customizing appearance of Web Intelligence documents 431 Java Options, modify Kerberos 307 Oracle 308 WebLogic 307 Java platform 36 Java SDK 36 Job Server command-line options 461 configuring 140 for firewalls 442 on UNIX 141 destinations configuring 134 enabling or disabling 133 performance settings 355 Job servers types 41 job servers configuring destinations 134 performance settings 355 Job Servers auditable actions 399

Kerberos troubleshooting enable logging 310 testing Java Kerberos configuration 310 key files 153

L
LDAP 229 about 229 and SSL 229 LDAP accounts 229 managing 228 modifying connection parameters 242 member groups 242 troubleshooting 243, 243 LDAP authentication configuring 230 LDAP authentication plug-in 228 LDAP groups mapping 238 unmapping 241 viewing mapped groups 242 LDAP hosts configuring 231 managing multiple 243 LDAP security plug-in 228 LDAP single sign-on, configuring 236, 255 Least Accessed Documents 412 license keys and CMS database migration 119 reinitializing the CMS database 127 Lightweight Directory Access Protocol. See LDAP List of Values Job Server auditable actions 399 description 43 destinations configuring 134 enabling or disabling 133 performance 69 performance settings 355 live data 52 load managing 60 load balancing and distributed security 189

K
Kerberos configuration IBM WebSphere 304 IIS 266 Java AD 302 Java application server 290, 302 Java options, modify 307 See also IIS, IIS 5, IIS 6 Windows AD 297 Kerberos configuration files IBM WebSphere 304 Java AD 302 Kerberos single sign-on 53

BusinessObjects Enterprise Deployment and Configuration Guide

501

Index

CMS clustering 114 Local System account 140 log on processing server accounts 140 protection against malicious attempts 194 logging server activity 345 web activity 194 logon tokens 188 and authentication 181 and distributed security 189 and session tracking 191 logon.csp 181

M
malicious logon attempts, protection against 194 mapped drives 388 mapped groups viewing Windows NT 221 mapping Windows AD accounts and groups 249 Windows NT accounts 215 metrics viewing 339 migrating CMS database 122 from BusinessObjects Enterprise 6.x 495 modify InfoView timeout 111 Most Accessed Documents 412 Most Active Users 412 Most Popular Actions 412 Most Popular Actions per Document 413 multihomed machines 149

.NET InfoView, customizing appearance of Web Intelligence documents 431 .NET pages display code 376 Network Address Translation application tier, and 168 configuring 167 server hosts file 169 servers behind firewall 168 definition 160 specifying firewall rules 170 thick client, and 171 No Access level 469 node agent, start 85 NT authentication and UNIX 212 NT authentication plug-in 212 NT LM Security Support Provider 150 NT single sign-on 225 NT single sign-on and Windows NT security plugin 213 number of logons, logon tokens 188 number of minutes, logon tokens 188 Number of User Sessions 413 Number of Users in the System 413

O
object rights 468, 472 ODBC CMS database 117 connectivity 120 drivers 140 environment variables 143 processing server accounts 140 reporting on UNIX 142 system information file 143 .odbc.ini 143 Online Customer Support 491 optimizing system 404 Optimizing system performance 404 Oracle application Server reverse proxies 202 Output File Repository Server maximum idle time 130, 352 metrics 340 root directory 130, 352

N
nameserver, role of CMS 147 NAT. See Network Address Translation native drivers 140 on UNIX 141 needs assessment 58 .NET 20 support 486 .NET InfoView or CMC, unable to view 377

502

BusinessObjects Enterprise Deployment and Configuration Guide

Index

P
packet filtering 160 configuring for 172 packets, firewalls and 158 Page Server command-line options 459 configuring for data source 140 configuring on UNIX 141 metrics 343 performance 70 performance settings 132, 356, 363 Properties page 132, 356, 363 viewing with 49 Password Modifications 413 passwords changing for CMS database 128 restrictions 195 patchlevel.sh 483 Peak Usage 414 performance 366, 404 assessment 338 Cache Server 68 Cache Server settings 131, 352 CMS clusters 114 common scenarios 78 general considerations 367 List of Values Job Server 69 load balancing 189 of jobs per server 355 Page Server 70 Page Server settings 132, 356, 363 RAS settings 362 Report Job Server 68 Web Application Server 67 Web Intelligence Report Server 69 Windows NT Challenge/Response authentication 213, 248 performance improvement, delegating XSL transformation 370 performance while auditing 404 planning deployment 58 platforms Java 36

Windows .NET 36 plug-ins, security 55, 185 polling time, setting for Event Server 351 port numbers adding 90 checking in WebSphere 5.1 89 in WebSphere 6.0 89 port numbers, changing 147 ports definition 159 firewalls, and 159 opening on firewall 168 postinstall.sh 483 primary authentication 181 processing extensions 187 processing servers, configuring 141 processing threads Cache Server 131, 352 Page Server 132, 356, 363 processing tier 41 configuring 132 Program Job Server 399 destinations configuring 134 enabling or disabling 133 Program Job Server auditable actions 399 Program Job Server, command-line options 461 Properties tab for job servers 355

Q
.qry files 388

R
RAS database settings 360 metrics 344 performance settings 362 Properties page 362 Refresh and Edit Activity 414 refreshing cache files 131, 352 registry keys 238 Remote Procedure Call 150

BusinessObjects Enterprise Deployment and Configuration Guide

503

Index

remote resources, troubleshooting 388 Report Application Server auditable actions 396 command-line options 462 performance 70 required object rights 472 viewing report 50 Report Job Server 399 auditable actions 399 performance 68 Report Job Server, performance settings 355 report objects, rights for creating/modifying 472 report viewers 45 report_view_advanced.aspx 48 report_view_dhtml.aspx 48 reports audit 402, 416 custom 416 sample 402 configuring servers for data sources 140 modifying RAS SQL options 360 scheduling 46 troubleshooting 383, 385 viewing 47 required steps to audit actions 392 requirements, clustering 114 resource requirements 73 resources 490 estimating 64 requirements 71 restarting servers 99 restart.sh 482 restrictions guest account 196 logon 195 password 195 user 195 reverse proxies 202 rights advance, reference 468 Report Application Server 472 top-level folder 471 Rights Modification 414 root directories, File Repository Servers 130, 352

row-level security, processing extensions 187

S
sample audit reports 402 saved data 53 scalability 366 common scenarios 78 scaling the system 366 Schedule access level 469 scheduling increasing capacity 367 information flow 46 secEnterprise.dll 186 secLDAP.dll 228 Secure Sockets Layer 152 Secure Sockets Layer (SSL) 193, 229 and LDAP 229 and load balancing 189 security 180 active trust relationship 188 auditing web activity 194 components 53 distributed 189 environment protection 193 firewalls 194 Guest account restrictions 196 logon restrictions 195, 195 password restrictions 195, 195 plug-ins 55, 185 processing extensions 187 protection against malicious logon attempts 194 restrictions 195 session tracking 191 user restrictions 195 web browser to web server 193 web servers 193 security plug-ins 55, 185 Enterprise authentication 186 LDAP authentication 228 Windows AD authentication 246 Windows NT authentication 212 secWindows.dll 212 selecting CMS database 128 sending

504

BusinessObjects Enterprise Deployment and Configuration Guide

Index

to inboxes, default configuration 133 Server cache expiry, modifying default expiry value 287 server dependencies, changing 150 serverconfig.sh 478 servers 98, 338 activity, logging 345 adding 105 adding nodes 85 application tier 34 changing status 99 user account on Windows 152 changing startup type 151 command lines 454 communication 162 application tier and CMS 163 CMS directory listing 162 configuring 98, 338 default settings 98, 338 deleting 107 dependencies, adding or removing 150 deployment manager 85 disabling 102 enabling 102 information flow 46 intelligence tier 37 limitations 64 logging activity 345 managing 97 metrics, viewing 340 node agent 85 processing tier 41 refreshing list using the CCM 104 registering by name 149 restarting 99 standard command-line options 455 starting 85, 99 status changing 99 copying 104 printing 104 stopping 99 troubleshooting 388 UNIX signal handling 456

user account, changing 152 service account contstrained delegation 295 service thresholds 64 session variables 191 and authentication 181 primary authentication 181 sessions tracking 191 viewing active 341 setup.sh 483 shared libraries, as processing extensions 187 signal handling 456 silentinstall.sh 481 simultaneous requests 61 single sign-on anonymous 184 authentication Enterprise 187 LDAP 230 NT 213 Windows AD 248 end-to-end 185 Java, Kerberos configuration 311, 312 setting up AD 255 LDAP 236 SiteMinder 236, 255 Windows AD 252 Windows NT 223 to BusinessObjects Enterprise 184 to database 184 troubleshooting 238 single sign-on options database single sign-on 266 modify AD plug-in settings 275 setting up database single sign-on 267 web applications configuration 285 end-to-end single sign-on 266 configuring IIS for end-to-end single signon 277 configuring Internet Explorer 276 setting up end-to-end single sign-on 267

BusinessObjects Enterprise Deployment and Configuration Guide

505

Index

single sign-on 266 configuring IIS for single sign-on 275 database server configuration 286 setting up basic single sign-on 267 SQL server configuration 286 SiteMinder configuring LDAP plug-in 236 error 238 setting up single sign-on with LDAP 236, 255 troubleshooting 238 Window AD 255 Siteminder AD 255 SMTP destinations, setting defaults 136 SOCKS 161 configuring 175 CMS 176 WCA 177 sockssetup.sh 479 SPN Vintella 315 web application server 315 SPN utility Windows 2003 293, 294 SSL 152 certificates 153 configuring servers 152, 152 keys 153 SSL. See Secure Sockets Layer (SSL) SSL, thick client configuration 376 sslc.cnf 152 sslc.exe 152 starting servers 99 startservers 481 startup types changing for servers 151 configuring servers 151 statistics, auditing web activity 194 status, viewing and changing for servers 99 steps to audit actions 392 stopping CMS 102 servers 99 stopservers 481

support customer 491 locations 491 technical 491 web site 491 synchronizing audit actions 403 syslog 345 system actions, list of auditable 399 system data, copying 122 system database, migrating 122 system information file (ODBC) 143 system metrics, viewing 345 system security 180

T
TCP/IP, firewalls and 158 technical support 491 temporary files, configuring Page Server 132, 356, 363 the 200 thick client, firewall configuration 165 NAT 171 third-party security plug-ins 55, 185 tickets for distributed security 189 logon tokens 188 tiers application 34 client 32 data 45 intelligence 37 processing 41 time zones 60 supporting multiple 390 timeout CMC modify 110 Infoview modify 111 Tomcat reverse proxies 202 Tomcat connect port, changing 112, 378 tools, UNIX 474 Total Users Logged in by Day 414 tracking, sessions 191 training, on Business Objects products 492 transfer of trust 189

506

BusinessObjects Enterprise Deployment and Configuration Guide

Index

troubleshooting 374 InfoView deployments 390 LDAP accounts 243 report viewing and processing 383 single sign-on 238 web accessibility 375 trust, active trust relationship 188 trusted authenitcation configuring in web.xml 329 Trusted Authentication 328

U
UNC paths 388 uninstall 480 uninstallCE.sh 480 universe connection configuration 401 UNIX and NT authentication 212 application server 35 installation 36 syslog 345 WCA 36 UNIX tools, overview 474 unmanaged disk destination setting defaults 139 unmapping Windows NT accounts 220 user accounts configuring servers 152 user actions, list of auditable 396 User Activity 414 User Activity per Session 415 user databases, NT4 and Windows 2000 Active Directory 212 users concurrent active users 62 estimating 59 types 59 viewing active sessions 341, 341 Users Who Logged Off Incorrectly 415

client-side 45 in InfoView 47 zero client 45 viewing active users 341, 341 BusinessObjects Enterprise architecture 47 CMS cluster details 345 current metrics 339 information flow 47 server metrics 340 system metrics 345 with the Cache Server 49 with the Page Server 49 viewing sessions 62 viewrpt.aspx 48

W
WCA and logon tokens 54 and security 54 auditing web activity 194 configuring for SOCKS 177 description 35 WCA session variables 191 tracking 192 web customer support 491 getting documentation via 490 useful addresses 492 Web application environments 37 Web Application Server performance 67 Web application server authentication 181 Web Component Adapter. See WCA web desktop. See InfoView Web Intelligence Job Server 461 Report Server 464 Web Intelligence documents changing default appearance 428 customizing for Java InfoView 431 customizing for .NET InfoView 431 delegating XSL transformation 370 finding correct defaultconfig.xml 430

V
View access level 469 viewers

BusinessObjects Enterprise Deployment and Configuration Guide

507

Index

list of customizable elements 432 Web Intelligence Job Server auditable actions 399 destinations enabling or disabling 133 performance settings 355 Web Intelligence Report Server auditable actions 396, 397 performance 69 performance settings 357 Web Intelligence sample audit reports 402 web response speeds, improving 371 Web server plugin, regenerating in WebSphere 5.1 96 in WebSphere 6.0 96 web servers 37 improving response speeds 371 securing 193 web sites support 491 training 492 web.config .Windows authentication 274 WebSphere cluster, creating 87 installing applications 93 WebSphere deployment 308, 309 Windows Event Log 345 Local System account 140 server dependencies 150 Windows 2000 Active Directory 212 Windows 2000, unmapping accounts in 220 Windows AD database single sign-on, modify AD plug-in settings 275 Kerberos authentication 271, 297 single sign-on, modifying web.config 284 Windows AD accounts See also Windows AD users mapping 249 Windows AD groups mapping 249 Windows AD security plug-in 246 Windows AD single sign-on 252

to BusinessObjects Enterprise 252 Windows AD users See also Windows AD accounts Windows .NET platform 36 Windows NT accounts adding to mapped groups 222 disabling 222 managing 214 mapping 215 in CMC 217 in Windows 2000 216 in Windows NT 215 unmapping 220 Windows NT Challenge/Response authentication 193, 213, 248 Windows NT groups creating 222 mapping 215 unmapping 220, 220 viewing 221 Windows NT security plug-in 212 and UNIX 212 Windows NT single sign-on, setting up 223 Windows NT users, viewing 221

X
XSL transformation for Web Intelligence documents 370

Z
zero client viewers 45

508

BusinessObjects Enterprise Deployment and Configuration Guide