InfoView front-end connection to a different BO_CMS server

Former Member
0 Kudos

I have finally set my BO 3.1 server to use kerberos authentication with SSO. All is working fine.

I now want my users to launch InfoView from a different front-end server running on Tomcat (e.g.: http://frontend_server:8080/INfoViewApp) that will be redirected to my BO server running CMS also on Tomcat (e.g. http://BO_CMSserver:8080/INfoViewApp). We don't want our users to connect directly to our BO_CMSServer.

Is the configuration done in the web.xml file in D:\Program Files (x86)\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF of my front-end server?

Is there a step-by-step procedure such as this one [http://geek2live.net/posts/active-directory-sso-with-vintela-in-xi-3-1/] that I followed to make my SSO work?

Will SSO still be working easily?

Tx

Jay

Accepted Solutions (1)

BasicTek
Active Contributor
0 Kudos

I think there are multiple ways of doing this, but the thing to remember is how the HTTP SPNs are used.

You should have created at least 2 HTTP SPNs for the 1st webapp (FQDN and hostname). This is because when a browser resolves a URL it uses the hostname or FQDN to make an HTTP SPN TGS request to AD. So if you add different URLs you must add HTTP SPNs (in pairs of FQDN and hostname) for each new URL. If the URL appears the same (more of a passive redirect) then no additional SPNs are needed.

It's not as complicated as it 1st seems.

Now, how to do this depends on what you are trying to do: create a new point of access (such as adding a webapp), consolidate URLs (such as using a hardware load balancer), or just change a hostname URL.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

By the way, thanks for helping me out last time to set up my AD authentication with kerberos and SSO. I can launch InfoView (let's say on my BO server A: http://serverA:8080/InfoViewApp) from any remote workstation without logging in, simply being authenticated through SSO. That server doesn't have IIS, simply Tomcat.

I was asked to install a Tomcat web tier, let's say Server B. This will prevent users connecting directly to Server A (where CMS is). So when my users go to http://serverB:8080/InfoViewApp, I want it to be configured so users are logged in and redirected to ServerA automatically for InfoView. Security team wants to make sure my ServerA doesn't become too busy and that users aren't connected directly to that one by default.

I'm trying to sound as clear as possible but it's not that easy ;o)

So how do I get my users to connect to a URL on my Tomcat web tier Server B that will redirect them to server A still with SSO...

Jay

BasicTek
Active Contributor
0 Kudos

So I think you add server B using the web tier install (specify the CMS from server A). This won't actually redirect; it will give you 2 distinct URLs to access to split the web/app load. Later you could put a load balancer in front or just split your users between the URLs. Anyway, since you have a 2nd URL, that means you must add 2 SPNs on the vintela service account to make it work (serverBFQDN and serverBhostname). Since it's using the same CMS you can set the same values in the web.xml.

My sso documents for distributed environments are all written for exactly this purpose. You can now access the latest version in the administration forum sticky post I have at the top of the page.

Regards,

Tim
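
Added example, not part of Tim's posts or his SSO documents: a check of the rule described in the two replies above, that every URL users browse to needs an HTTP SPN pair (hostname and FQDN) on the Vintela service account. The account name, the example.corp domain and the sample `setspn -L` output are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of `setspn -L <account>` output; account and domain are made up.
SAMPLE_SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for CN=bossosvcacct,CN=Users,DC=example,DC=corp:\n"
    "\tHTTP/serverA\n"
    "\tHTTP/serverA.example.corp\n"
    "\tHTTP/serverB\n"
)

def required_http_spns(url, dns_domain):
    """Hostname/FQDN pair of HTTP SPNs to register for one InfoView URL."""
    host = urlsplit(url).hostname  # lower-cased, port removed
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, which is what an SPN is built from
    else:
        raise ValueError(f"URL uses an IP address, not a name: {url!r}")
    short = host.split(".")[0]
    fqdn = host if "." in host else f"{short}.{dns_domain.lower()}"
    return {f"HTTP/{short}", f"HTTP/{fqdn}"}

def registered_spns(setspn_output):
    """Parse `setspn -L` output into a set of lower-cased SPNs."""
    return {
        line.strip().lower()
        for line in setspn_output.splitlines()
        if line[:1] in (" ", "\t") and "/" in line  # indented entries only
    }

def missing_spns(urls, dns_domain, setspn_output):
    """Map each URL to the SPNs it needs that the account does not have."""
    have = registered_spns(setspn_output)
    report = {}
    for url in urls:
        gap = sorted(s for s in required_http_spns(url, dns_domain)
                     if s.lower() not in have)  # SPN matching ignores case
        if gap:
            report[url] = gap
    return report

if __name__ == "__main__":
    urls = ["http://serverA:8080/InfoViewApp", "http://serverB:8080/InfoViewApp"]
    for url, gap in missing_spns(urls, "example.corp", SAMPLE_SETSPN_OUTPUT).items():
        print(url, "is missing", ", ".join(gap))
```

With the constructed sample, only the FQDN entry for server B is reported as missing, which is the half of the pair that is easy to forget when a second web tier is added.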

Former Member
0 Kudos

Tim, you're perfectly resuming what I was trying to explain ;o)

Just got back from a short sleep, so where exactly are the sticky notes? Have to get back at root of this Administration forum? Not too sure where to find your note...

I'll follow your procedure. You're probably 6-7 hours ahead of us over here in Montreal, so I'll check it out and get back to you before you leave for the week-end.

I guess that if we eventually want a load balanced CMS server (splitting Job servers), it's also explained in that document? I guess that going with that scenario in the future (two CMS), I'd have to move my input repository on a file server (SAN) so it's centralized instead of being locally stored on one server....

Big Thanks again

Regards

Jay

denis_konovalov
Active Contributor
0 Kudos

Hello Jay,

In essence, Tim's suggestion will create a simpler to manage environment; 2 App servers (Tomcats) with LB in front of them is quite simple and easier to troubleshoot than one Tomcat redirecting to another.

On balancing of the CMS servers themselves, you don't need to have any special config, simply follow the instructions in the Admin guide on how to cluster 2 CMS servers. Once your CMS server 1 and server 2 are clustered, BO built-in load balancing and failover will take care of things.

With FRS - only one pair of FRS is active at any given time in a cluster. If you're going to have more than one pair, make sure all are pointing to the same shared location (can be SAN, NAS etc).

Good Luck,

Denis

BasicTek
Active Contributor
0 Kudos

so where exactly are the sticky notes? Have to get back at root of this Administration forum? Not too sure where to find your note...

1st post scroll down near the bottom for the link to SAP note 1261835

Regards,

Tim

Former Member
0 Kudos

Thanks Tim,

I've been through your documents and wow, they're a perfect reference for SSO. I updated my install guide for future reference when we go in Prod. I reproduced the steps to make my SSO configuration working with kerberos on my BO server. From a client workstation, when I browse to the InfoView URL of the BO server (let's say Server A), I get automatically authenticated. So far so good.

I have then installed a new BO WebTier server (let's say Server B) (connecting to CMS of Server A). This was done because the Management wants the users to connect to that URL instead of the URL of the server A (with CMS running).

I'm not too sure how to proceed on that Tomcat WebTier server. When users browse to the URL of that Server B, how do I configure it so it connects to the InfoView of Server A?

Basically, from a Citrix AccessGateway I'll publish an Internet Explorer shortcut with the URL of the InfoView of Server B (http://ServerB:8080/InfoViewApp/login/logon.jsp). So I want that Server B to launch InfoView on Server A by default. This is to avoid having everyone connecting directly to Server A.

Thanks

Jay

denis_konovalov
Active Contributor
0 Kudos

Hello Jay,

I'm not sure what you are trying to achieve here.

If you don't want users to connect to Infoview on server A, then why do you want server B to redirect users to Infoview on A again? Isn't it the same thing?

If you deployed web tier install on server B, you already have Infoview on B, which connects to XI3.1 on server A, no additional redirection is needed.

Former Member
0 Kudos

Hi Denis,

I'm a newbie with this BO platform and I just inherited this project migration from r2 to r3.1

I'm learning everyday...

So what you're saying is, when I browse to the URL of Server B (web tier) I'm connected automatically to the BO 3.1 Server A since I was asked where CMS was during installation of web tier... what a dummy I am.. Tx

So all the configuration I did on Server A for my Windows AD SSO with kerberos should be done on my web tier also (Server B):

This means web.xml and server.xml, Tomcat config. Also adding new HTTP/hostname and HTTP/FQDN on my service account for this new web tier server.

Since everyone will be connecting through that web tier Server B, should I remove all SSO config that was done on Server A or just leave it there?

BIG thanks to both of you and Tim.

can I split the pts between both of you?

Regards

Jay

denis_konovalov
Active Contributor
0 Kudos

Yes, you'll need to do it all on server B again

Leave all your settings on A as well, it'll be useful in case of any troubleshooting down the road.

As to the points - I don't really care. Not even sure what they do.

Former Member
0 Kudos

Denis,

I configured my web.xml file on my web tier Server B same as I did with CMS Server A. I also took a copy of both bscLogin.conf and krb5.ini, as well as BOSSODV.keytab that I placed under c:\winnt.

Tomcat configuration is the same.

I also made extra SPN entries for my service account:

setspn -a HTTP/serverB

setspn -a HTTP/serverB.idm.realm

When I browse to that server http://ServerB:8080/InfoViewApp, I now get the following message:

HTTP Status 500 -

com.wedgetail.idm.sso.ProtocolException:

com.wedgetail.idm.spnego.server.SpnegoE

GSSException: Failure unspecified at

GSS-API level.....

and so on.

Any idea what to look for?

Tx

Jay

Former Member
0 Kudos

Sorry, I just tried from a different workstation and it works. But running Windows XP, both Internet Explorer 8 running with and without Compatibility View.

Not too sure why a workstation allows me to launch InfoView with SSO and not the other...

Jay

denis_konovalov
Active Contributor
0 Kudos

Maybe one is a member of the domain and the other is not?

Or you log in to both differently?

Former Member
0 Kudos

I just rebooted the faulty workstation and I'm going through fine now.

I spent the last couple of hours trying to figure out what was the problem...

Cool, everything is working now.

I also published InfoView as web resource onto a Citrix Access Gateway if you know a little about that technology. It's a portal for remote users and works as a reverse proxy with a Netscaler in the loop.

Anyway, I should be on business now.

Tx again Denis

Jay

BasicTek
Active Contributor
0 Kudos

If you receive problems like that on XP pre SP3 then check SAP note 1183196 - Intermittent login failures with Kerberos single sign-on (SSO) using Vintela

This requires access to SMP with your s-user ID (also in the admin forum sticky)

Regards,

Tim

Former Member
0 Kudos

Thanks for the info Tim.

My faulty workstation has SP3 but I'll take a look at the note in case our service desk receives any calls regarding this type of error message.

Very much appreciated.

Jay

Former Member
0 Kudos

Denis,

I know I marked this question as answered since everything went fine but I'm now configuring my environment as suggested by clustering 2 CMS servers. The Admin guide doesn't give much detail regarding this option.

When adding a new node to a cluster, it only says to do a Custom install and specify the existing CMS. But when selecting the "Custom or Expand Install" option in the "Install Type" window, I give the Node Name and port number of my existing CMS server and I get a "MySQL Database Server Configuration" window even though my existing CMS uses a SQL Database!!

Should I select the "New" / "Use an existing database server" options in the "Install Type" window? and then specify the existing CMS Node Name...

Just want to make sure I'm doing it the right way since the installation will take at least an hour plus a few more hours for SP2..

Thanks in advance.

Jay

denis_konovalov
Active Contributor
0 Kudos

I do not remember exact option in Custom/Expanded install, but I think there should be one like "is this the first CMS in the cluster?" or something like that. You say NO and then provide existing CMS name to login into.

Then you will be asked to provide DB details.....

However, my preferred method for adding new servers in the cluster is - run New installation with MySQL as a stand alone box.

Once done, verify that all is working properly. Then stop the SIA created during install and add a new SIA pointing to the existing CMS in the cluster you want to join.

When that's done you'll have 2 SIAs on a box: one local, not clustered. It'll be inactive, never run, except for troubleshooting.

And a clustered SIA.

MySQL can be disabled and stopped as well.

A little longer to configure, but safer.

Former Member
0 Kudos

Thanks for the info Denis.

When creating the new SIA on that server and you configure it to point on the existing CMS, any suggestion regarding the following options:

- Create no servers on the new node

- Create CMS on the new node

- Create default server on the new node

What about Name and port?

Sorry for asking basic stuff I guess, but I just inherited the BO platform and I'm learning everyday in my lab for this XI 3.1 migration.

Big thanks again.

Jay

denis_konovalov
Active Contributor
0 Kudos

- Create no servers on the new node

You'll have only a new node/SIA with no servers in it; you'll need to create new servers or clone existing ones from the existing SIA.

- Create CMS on the new node

Will create only a CMS on the new SIA/node. If you plan on running only CMS on this node, it's a good choice for that.

- Create default server on the new node

All default servers are added.

For name and port, you can use node2 and default port 6410. For CMS it'll pick up the machine name and you can again use default 6400.

Answers (0)