
BOE 3.0 - Trusted Auth using Siteminder + Apache2-Weblogic Bridge

Former Member
0 Kudos

Hello Folks,

One of my customers is having trouble getting Trusted Authentication to work.

This is a multi-platform BOE 3.0 setup. The CMS and all other BOE servers are on Windows Server 2003 and the Web Application Server is Weblogic 9.2 which is hosted on Solaris 10. This Weblogic server is fronted by an Apache 2.0.59 Web Server which is on another Solaris 10 system and is protected by Siteminder 5.5.

Since Siteminder 6.0 is the only supported version for BOE 3.0 at present they are not integrating it directly with BOE and are using it merely to pass SM_USER to Apache and hence to Weblogic.

We have verified that the variable SM_USER is being passed properly to Apache and Weblogic using code written by the customer; however, we have had no luck in getting Trusted Authentication to work so far.

If we enable the guest account with BOE, then InfoView allows logon as guest; however, if we disable it, we get a message that it has been disabled. So, we assume that InfoView is not picking up the SM_USER and is merely trying to log on as null.

I have setup a similar environment in-house on RHEL 4 and my setup works fine. I haven't written the full information here as the post would become quite large. Please feel free to let me know in case you need any information to help troubleshoot.

Thanks

Manish

Accepted Solutions (0)

Answers (5)

0 Kudos

Hi Manish,

I am running into a similar sort of problem, and the deployment of the BO infrastructure is exactly like you had described in your mail.

WAS Weblogic (Linux) which is fronted by Apache (Linux) and BO itself is on Windows platform.

Is it possible for you to shed some light on the troubleshooting side of it? Trusted Authentication is WEB_SESSION based for testing, but finally I would like to have the HTTP_HEADER method for TA to work.

Regards-

Neel

Former Member
0 Kudos

Tim,

I'm working on SSO integration with Windows AD for BO 3.1

Since my client BO Enterprise is on Linux, I am looking for some custom solution on top of Trusted Authentication.

I configured Trusted Auth based on BO 3.1 admin guide and your suggestions in threads, but it does not work. Unfortunately, I could not find TrustedAuthCheck.jsp. Can you send me the script to check my configuration?

Thanks,

Inna

Former Member
0 Kudos

Issue was related to access permissions on the TrustedPrincipal.conf. Giving appropriate permissions resolved the issue.

Former Member
0 Kudos

Issue resolved folks. After running the TrustedAuthCheck, the issue came out to be the access permission on the TrustedPrincipal.conf.

Fixing the permissions resolved the issue.
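
An added example, not part of the original thread or of SAP's tooling: a shell check for the problem the posters above traced to access permissions on TrustedPrincipal.conf, meant to be run as the account that runs the web application server. The function name `check_trusted_conf` and its directory argument are assumptions; the warning about access by other accounts reflects that this file holds the Trusted Authentication shared secret.

```shell
#!/bin/sh
# Added example: verify TrustedPrincipal.conf can be read by the current
# account and is not exposed to every other account on the host.
# check_trusted_conf and its directory argument are hypothetical names.

check_trusted_conf() {
    dir=$1
    conf="$dir/TrustedPrincipal.conf"
    rc=0

    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: directory $dir is missing or cannot be entered"
        return 1
    fi
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found"
        return 1
    fi
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is not readable by this account"
        rc=1
    fi
    if [ ! -s "$conf" ]; then
        echo "FAIL: $conf is empty"
        rc=1
    fi

    # First 10 characters of ls output are the mode, e.g. -rw-r-----;
    # characters 8-10 are the permissions granted to "other".
    mode=$(ls -ld "$conf" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "WARN: mode $mode gives all local accounts access to the shared secret"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf is readable, mode $mode"
    fi
    return "$rc"
}

# Usage: sh check_trusted_conf.sh /path/to/folder
if [ "$#" -gt 0 ]; then
    check_trusted_conf "$1"
fi
```

A FAIL line corresponds to the symptom in this thread, where Trusted Authentication cannot read the secret; a WARN line means the file works but is readable more widely than the application server account needs.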

Former Member
0 Kudos

Is there a new TrustedAuthCheck.jsp for 3.0 as well? The one I'm using from R2 is not working.

also...

What location do you put it?

Thanks much.

(I had just figured out the trustedprinciple thing by doing a search on secenterprise.dll ~hehe)

BasicTek
Active Contributor
0 Kudos

Sorry for the late response but I needed to verify that I was allowed to release this. Apparently it's fine to use scripts such as the one I'm adding just as long as you understand the disclaimer.

WARNING:

The Sample Code you are receiving (the "Software") is provided as a sample only and should not be deployed in production environments without further testing. The Software has not been through a full QA regression test cycle. Your use of this Software is subject to the following Limitations of Warranties and Liability. If you do not agree with the terms and conditions do not use the Software. If the Software is designed for use with a Business Objects application (the "Business Objects Application"), you are granted a non-exclusive license to use the Software only with the Business Objects Application provided that you still possess a valid license from Business Objects for the Business Objects Application. Except as provided below, the Software provided to you, and use of the Software and the Business Objects Application by you, is subject to the terms and conditions of the end user license agreement from Business Objects accompanying the original Business Objects Application.

LIMITATIONS OF WARRANTIES AND LIABILITY: THIS SOFTWARE IS PROVIDED AND LICENSED BY BUSINESS OBJECTS ON AN "AS IS" BASIS, WITHOUT ANY OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABLE QUALITY, SATISFACTORY QUALITY, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR THOSE ARISING BY LAW, STATUTE, USAGE OF TRADE, COURSE OF DEALING OR OTHERWISE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. NEITHER BUSINESS OBJECTS NOR ITS DEALERS OR SUPPLIERS SHALL HAVE ANY LIABILITY TO YOU OR ANY OTHER PERSON OR ENTITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, LOST OR DAMAGED DATA OR OTHER COMMERCIAL OR ECONOMIC LOSS, EVEN IF BUSINESS OBJECTS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR THEY ARE FORESEEABLE. BUSINESS OBJECTS IS ALSO NOT RESPONSIBLE FOR CLAIMS BY A THIRD PARTY THAT THE SOFTWARE INFRINGES THE THIRD PARTY'S COPYRIGHT, PATENT OR OTHER INTELLECTUAL PROPERTY. THE LIMITATIONS SET FORTH HEREIN SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM OR A FUNDAMENTAL BREACH. SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

© Business Objects, an SAP Company - Technical Support

<%
/*
 * Trusted Authentication test page for BusinessObjects Enterprise XI 3.0
 *
 * It will list Trusted Authentication configuration settings and attempt
 * logon using Trusted Auth.
 *
 * 
 */
%>
<HTML>
<HEAD>
<TITLE>Trusted Authentication Check</TITLE>
</HEAD>
<BODY>
<h2>Trusted Authentication check for BusinessObjects XI 3.0</h2>
<%@ 
    page import="com.businessobjects.infoview.common.Utilities,
                 com.businessobjects.sdk.credential.CredExtractor,
                 com.businessobjects.webutil.CookieHelper,
                 com.crystaldecisions.sdk.framework.*,
                 java.security.Principal,
                 org.ietf.jgss.GSSCredential" 
%><%
/*
 * Note: XI Release 2 Java InfoView had Trusted Authentication at the bottom of 
 *       the authentication precedence, and you had to turn off other SSO to 
 *       enable Trusted Auth.  
 *     
 *       XI 3.0 Java InfoView has Trusted Authentication near the top of the 
 *       precedence, so other SSO need not be disabled (Vintela, however, is 
 *       attempted before Trusted Auth).  
 *    
 *       If Trusted Auth fails in XI 3.0, no errors are logged, but other 
 *       SSO methods are tried (and may end up with logon using Guest account). 
 *       This script will attempt logon with Trusted Auth, so should return
 *       some form of a error message if it fails.
 */

/*
 * Trusted Authentication User Retrieval Types
 */
final String _IIS            = "REMOTE_USER";
final String _HEADER         = "HTTP_HEADER";
final String _PARAMETER      = "QUERY_STRING";
final String _COOKIE         = "COOKIE";
final String _SESSION        = "WEB_SESSION";
final String _USER_PRINCIPAL = "USER_PRINCIPAL";
final String _VINTELA        = "VINTELA";

final String[] USER_RETRIEVAL_TYPES = new String[] {
        _IIS,
        _HEADER,
        _PARAMETER,
        _COOKIE,
        _SESSION,
        _USER_PRINCIPAL,
        _VINTELA
};

final String[] USER_RETRIEVAL_TYPES_REQUIRE_USER_PARAM = new String[] {
        _HEADER,
        _PARAMETER,
        _COOKIE,
        _SESSION,
};


boolean vintelaEnabled;
String retrieveUser;
String userNameParam;
String secretParam;
String cmsName;

boolean isFromSession;
String sharedSecret;

boolean retrieveUserValid;
boolean userParamRequired;

String userName;

/*
 * Check if Vintela will be attempted.
 */
vintelaEnabled = Utilities.getServletContextBool(false, "vintela.enabled", 
    session.getServletContext());

out.println("<strong>Vintela context-param values</strong><br>");
out.println("'vintela.enabled' = " + vintelaEnabled + " ");
if(vintelaEnabled) {
    out.println("&gt;&gt;&gt;&gt; Vintela auth will be attempted first.");
} else {
    out.println("&gt;&gt;&gt;&gt; OK.");
}
out.println("<BR>");
out.println("<BR>");

/*
 * Retrieve Trusted Authentication context parameters
 */
retrieveUser  = session.getServletContext().getInitParameter("trusted.auth.user.retrieval");
userNameParam = session.getServletContext().getInitParameter("trusted.auth.user.param");
secretParam   = session.getServletContext().getInitParameter("trusted.auth.shared.secret" );
cmsName       = session.getServletContext().getInitParameter("cms.default");

out.println("<strong>Trusted Authentication context-param values</strong><BR>");
out.println("trusted.auth.user.retrieval = '" + retrieveUser + "'<BR>");
out.println("trusted.auth.user.param = '" + userNameParam + "'<BR>");
out.println("trusted.auth.shared.secret = '" + secretParam + "'<BR>");
out.println("cms.default = '" + cmsName + "'<BR>");
out.println("<BR>");

/*
 * Check shared secret retrieval.
 */
out.println("<strong>Trusted Authentication shared secret retrieval</strong><br>");

sharedSecret = null;
if( null != secretParam && !"".equals( secretParam ) ) {
    sharedSecret = (String) request.getSession().getAttribute( secretParam );
    isFromSession = true;
    out.println("Shared secret is from HTTP Session, secret is '" + sharedSecret + "'<BR>");
} else {
    String trustedAuthHome;

    isFromSession = false;

    out.println("Shared secret is read from TrustedPrincipal.conf file ");

    trustedAuthHome = System.getProperty("bobj.trustedauth.home");

    if(trustedAuthHome == null) {
        out.println("in default folder "
                + "(&lt;install&gt;\\BusinessObjects Enterprise 12.0\\win32_x86 for Windows).<BR>");
    } else {
        out.println("in folder '" + trustedAuthHome + "'.<BR>");
    }
}
out.println("<br>");

/*
 * Check for 'trusted.auth.user.retrieval' valid value.
 */
out.println("<strong>Trusted Authentication user name retrieval</strong><br>");
retrieveUserValid = false;
for(int i = 0, m = USER_RETRIEVAL_TYPES.length ; i < m ; i++) {
    if(USER_RETRIEVAL_TYPES[i].equals(retrieveUser)) {
        retrieveUserValid = true;
        break;
    }
}
out.println("trusted.auth.user.retrieval = '" + retrieveUser + "' &gt;&gt;&gt;&gt; " 
        + (retrieveUserValid ? "Valid" : "<strong>Not Valid</strong>") + "<BR>");

/*
 * Check if trusted.auth.user.param is required, and if set.
 */
userParamRequired = false;
for(int i = 0, m = USER_RETRIEVAL_TYPES_REQUIRE_USER_PARAM.length ; i < m ; i++) {
    if(USER_RETRIEVAL_TYPES_REQUIRE_USER_PARAM[i].equals(retrieveUser)) {
        userParamRequired = true;
        break;
    }
}
if(userParamRequired) {
  out.println("Using user name param = '" + userNameParam + "'<BR>");
}

/*
 * Look up the User.
 */
userName = null;

if(_IIS.equals(retrieveUser)) {
    out.println("Look for User Name in IIS-added header: ");
    // from the IIS-added header
    userName = request.getRemoteUser();
    // Skip Domain Name to the left of the backslash
    if( null != userName && !"".equals( userName ) && userName.indexOf( '\\' ) > -1 ) {
        userName = userName.substring(userName.indexOf('\\') + 1, userName.length());
    }
} else if(_HEADER.equals(retrieveUser)) {
    out.println("Look for User Name in HTTP header: ");
    // from HTTP header
    userName = request.getHeader( userNameParam );
} else if(_PARAMETER.equals(retrieveUser)) {
    out.println("Look for User Name in HTTP GET or POST Parameter: ");
    // from the URI query string
    userName = request.getParameter( userNameParam );
} else if(_COOKIE.equals(retrieveUser)) {
    out.println("Look for User Name in HTTP Cookie: ");
    // from cookie
    userName = CookieHelper.getCookieValue( request.getCookies(), userNameParam );
} else if(_SESSION.equals(retrieveUser)) {
    out.println("Look for User Name in HTTP Session Attribute: ");
    // from web session
    userName = (String) session.getAttribute( userNameParam );
} else if(_USER_PRINCIPAL.equals(retrieveUser)) {
    out.println("Look for User Name in User Principal: ");
    Principal userPrincipal = request.getUserPrincipal();
    if( null != userPrincipal )
        userName = userPrincipal.getName();
} else if(_VINTELA.equals(retrieveUser)) {
    out.println("Look for User Name in Vintela credential: ");
    // from Vintela credentials
    try {
        CredExtractor credExtractor = new CredExtractor(request);
        GSSCredential creds = credExtractor.GetCredential();
        userName = creds.getName().toString();
        // skip everything after and including the @ symbol
        if( null != userName && !"".equals( userName ) && userName.indexOf( '@' ) > -1 )
            userName = userName.substring(0, userName.indexOf('@'));
    } catch(Exception e) {
        // Credential extraction failed; userName stays null and is reported below.
    }
} else {
    out.println("Bad user retrieval, will not look for User Name: ");
}

out.println("User Name Found = '<strong>" + userName + "</strong>'<BR>");

out.println("<BR>");

/*
 * Try logging on with Trusted Authentication.
 */

out.println("<strong>Attempt Logon with Trusted Authentication:</strong><BR>");
try{
    IEnterpriseSession enterpriseSession;
    ITrustedPrincipal trustedPrincipal;
 
    if(isFromSession) {    
        trustedPrincipal = CrystalEnterprise.getSessionMgr().createTrustedPrincipal(userName, cmsName, sharedSecret);
    } else {
        trustedPrincipal = CrystalEnterprise.getSessionMgr().createTrustedPrincipal(userName, cmsName);
    }
    enterpriseSession = CrystalEnterprise.getSessionMgr().logon(trustedPrincipal);
    out.println("Trusted authentication logon successful!<BR>");
    enterpriseSession.logoff();
} catch (Exception eek) {
    out.println("Exception encountered during logon attempt: " + eek.getMessage() + "<BR>");
}

%>
</BODY>
</HTML>

Regards,

Tim


Former Member
0 Kudos

Perhaps I'm blind, but I cannot find this TrustedAuthCheck.jsp file for download.

Can someone suggest where I might be able to locate it?

Also, is it functional with BoXi 3.1 sp3?

Cheers!

BasicTek
Active Contributor
0 Kudos

Manish,

I'm sure this will work if the user is being sent properly. Have you tested any trusted auth scripts to verify the user is being received properly? How about just testing QUERY_STRING? Does this work?

Regards,

Tim

Former Member
0 Kudos

I'm having a similar issue in my environments as well.

From what I can tell at this point the file structure of Webapps and locations of files associated with the logon process has changed to the point that location references are different. (from what they were in XI r1 and r2)

example:

XIr2~

I would have a java file in the following location that would intercept web session data and pass it back to the application.

'\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\desktoplaunch\InfoView\logon'

XI 3.0

The file structure here has changed; while the structure is better, it's possible I am not placing the java file in the correct location, in addition to changes that may be needed to reference the correct url string/path.

'\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp'

or this?

'\Program Files\Business Objects\Tomcat55\webapps\PlatformServices\jsp\Shared_Logon'

While the top location does have the logon.jsp, the lower one has the logon.jsp, logon.jsp, & logonSvcChgPwd.jsp files.

I'm using a combination of hardware (netscaler), trusted authentication, with smartcards in my existing environments and while this has been working great in R2, 3.0 has changed enough that I have to revamp things and I have to think it's the file structure and references that are causing my problems right now.

I mention all this as siteminder uses a java file to (from what I recall) do something similar in fashion to what we are doing. The file basically acts as a collector or redirector once the information has been received and then passed back to the application in the web_session, http_string, or some other info used for the credential checks.

BasicTek
Active Contributor
0 Kudos

In 3.0 the path for trustedprincipal.conf has changed from boinstall\boe115\win32_x86\plugins\auth\secenterprise to boinstall\boe12\win32_x86\ or the root directory. We have fixed this in the 3.0 admin guide.

Also the URL to redirect to should be InfoViewApp/logon/logon.do instead of the expected InfoViewApp/logon.jsp

Other than that the steps for configuration should be pretty much the same.

Regards,

Tim