Configuration Guide

5/28/2018 Configuration Guide

1/99

Feature Pack 1 for Duet Enterprise 1.0

SAP Configuration Guide

Version 1.0

June 2011


2/99

Introduction

Before you begin

Table of Contents

Introduction ...................................................................................................................................................... 1

Before you begin.......................................................................................................................................... 1

Coordination between SAP and Microsoft ......................................................................................................... 1Pre-Configuration Steps ...................................................................................................................................... 2

Activating Services ....................................................................................................................................... 2

Setting Profile Parameters for SSO ................................................................................................................. 3

Setting Profile Parameters for SSL.................................................................................................................. 3

Creating Users on SAP NetWeaver Gateway .................................................................................................... 3

Assigning Roles on SAP NetWeaver Gateway ................................................................................................... 3

Checking the Cryptolib Version ...................................................................................................................... 4

1. Configuring Duet Enterprise for Microsoft SharePoint and SAP .............................................................................. 5

1.1 Prerequisites .......................................................................................................................................... 5

1.1.1 Authorizations ............................................................................................................................... 5

1.1.2 Information Required from the Microsoft Administrator ...................................................................... 7

2. Using Duet Enterprise for Microsoft SharePoint and SAP Wizard ..................................................................... 7

3. Post Configuration Steps ........................................................................................................................... 7

2. Manually Configuring Duet Enterprise................................................................................................................ 9

2.1 Setting up Users on SAP NetWeaver Gateway ............................................................................................ 9

2.2 Activating BC Sets ................................................................................................................................ 11

2.3 Connection Settings: SAP NetWeaver Gateway to Microsoft SharePoint ....................................................... 12

Configuring the SLD ............................................................................................................................. 12

2.4 Establishing Connections between SAP NetWeaver Gateway to Both SAP Backend System and SharePoint Server ............................................................................................................................................................... 13

2.4.1 Configuring the SAP NetWeaver Gateway Host to use SAML Authentication ......................................... 14

2.4.2 Mapping User Data in the SAP System and the SharePoint Server ..................................................... 21

2.5 Creating Endpoints for Duet Enterprise Services ....................................................................................... 26

2.5.1 Creating and Activating Endpoints for all Scenarios .......................................................................... 26

3.5.2 Verifying End Points ..................................................................................................................... 26

2.5.3 Create the Duet Enterprise SAML Profile ......................................................................................... 27

2.5.3 Release Duet Enterprise Services .................................................................................................. 28

2.5.4 Loading and Preparing the BDC Models .......................................................................................... 30

2.5.5 View Archives of Uploaded BDC Files .............................................................................................. 39

2.6 Specifying SAP NetWeaver Gateway Configuration Settings to SAP Systems ................................................ 40

2.7 Create Type H RFC Destination to SAP NetWeaver Gateway ....................................................................... 40


3/99

Introduction

Before you begin

2.8 Configuring Notification Mails ................................................................................................................. 42

2.9 Setting Up Role Synchronization ............................................................................................................. 43

2.10 Activate the SharePoint Server as a Consumer ....................................................................................... 44

2.11 Activating SAP NetWeaver Gateway ...................................................................................................... 44

3. Configuring Duet Enterprise Specific Content ................................................................................................... 45

3.1 Configuring Workflow ............................................................................................................................ 45

3.1.1 Activate Workflow BC Set ............................................................................................................. 45

3.1.2 Maintain Workflow Context Data .................................................................................................... 46

3.1.3 Retrieve Endpoint Information ...................................................................................................... 47

3.1.4 Create a Logical Port .................................................................................................................... 48

3.1.5 Customizing Duet Workflows Patterns ............................................................................................ 49

3.1.6 Customizing Workflow Patterns ..................................................................................................... 50

3.1.7 Running Scheduled Reports (Jobs) ................................................................................................. 52

3.1.8 Creating Roles and Assigning Authorization Objects in SAP System .................................................... 54

3.1.9 Manage SAP System Aliases for Workflow ....................................................................................... 55

3.1.10 Check Event Handler .................................................................................................................. 57

3.1.11 Check Adapter Class .................................................................................................................. 58

3.1.12 Create Consumer Proxy .............................................................................................................. 58

3.2 Configuring Reporting ........................................................................................................................... 60

3.2.1 Activate Reporting BC Set............................................................................................................. 60

3.2.2 Defining the Number Range Interval for Reporting Objects ............................................................... 62

3.2.3 Managing System Time Points ....................................................................................................... 63

3.2.4 Retrieve URL for Logical Port ......................................................................................................... 64

3.2.5 Create a Logical Port .................................................................................................................... 64

3.2.6 Manage SAP System Aliases for Reporting ...................................................................................... 65

3.2.7 Manage Source Systems, Report Types and Formats on SAP NetWeaver Gateway ............................... 66

3.2.8 Configure a Report ...................................................................................................................... 67

3.2.9 Check Event Handler .................................................................................................................... 69

3.2.10 Check Adapter Class .................................................................................................................. 69

3.2.11 Create Consumer Proxy .............................................................................................................. 70

3.3 Configuring Starter Services .................................................................................................................. 72

3.3.1 Activate Starter Services BC Set .................................................................................................... 72

3.3.2 Configure the Service Provider for Starter Services Endpoints ........................................................... 75

3.3.3 Retrieve External Identifier ........................................................................................................... 77

3.3.4 Export the Profile ........................................................................................................................ 77


4/99

Introduction

Before you begin

3.3.5 Manage Web Services .................................................................................................................. 77

3.3.6 Create a System Connection ......................................................................................................... 78

3.3.7 Create the Account Maintenance User ............................................................................................ 79

3.3.8 Create a Business Scenario Configuration ....................................................................................... 79

3.3.9 Manage SAP System Aliases ......................................................................................................... 80

3.3.10 Add the System Alias and Roles to all Starter Services Relevant Object Groups ................................. 81

3.4 Configuring Time Management ............................................................................................................... 83

Prerequisites ....................................................................................................................................... 83

3.4.1 Activating BC Sets ....................................................................................................................... 83

3.4.2 Creating Roles and Assigning Authorization Objects ......................................................................... 84

3.4.6 Optional: Updating TIMA BDC Model with User Profile Information ..................................................... 85

3.4.7 Exporting BDC Models .................................................................................................................. 86

3.5 Configuring Sales Management .............................................................................................................. 87

Prerequisites ....................................................................................................................................... 87

3.5.1 Activating BC Sets ....................................................................................................................... 87

3.5.2 Creating Roles and Assigning Authorization Objects ......................................................................... 88

3.5.6 Exporting BDC Models .................................................................................................................. 89

3.6 Configure Code Lists ............................................................................................................................. 90

3.7 Caching Code Lists ............................................................................................................................... 91

3.8 Configure Document Upload Option ........................................................................................................ 92

3.9 Retrieving the URL for the "View Inquiry in SAP System" Link .................................................................... 93

4. Configurations of feature pack 1 for Duet Enterprise 1.0 .................................................................................... 94

Appendix 1 SAP NetWeaver Gateway ................................................................................................................ 95


5/99

Introduction

1

IntroductionDuet Enterprise enables customers and partners a way to consume and extend SAP applicationsthrough Microsoft SharePoint and Microsoft Office 2010.

The product brings together the two different worlds of process (SAP Applications) andcollaboration (Microsoft SharePoint), by providing an interoperability layer (SAP NetWeaverGateway) that ensures all the basic plumbing between the two systems is addressed, so thatcustomers and partners can focus on innovation.

Besides the ability to create Duet Enterprise composite solutions, ready-to-use capabilitiesensure quick time to value. For example, ability to use data from SAP applications to collaborateon the fly, or enable SAP workflow items to surface in Microsoft SharePoint or Outlook.

SAP NetWeaver Gateway is a framework that connects Duet Enterprise business users to SAPsystems. For more information, refer to SAP NetWeaver Gateway Overview, on SAP Help Portal.

This guide describes the system configuration activities and provides the steps for customizingsettings for feature pack 1 for Duet Enterprise 1.0.

This guide does not contain the installation and configuration procedures for Duet Enterprise on

the SharePoint server. The SharePoint related procedures are included in the Duet EnterpriseDeployment Guide for SharePoint Administrators.

This section contains:

Before you begin

Coordination between SAP and Microsoft

Before you beginDuet Enterprise 1.0 is a joint product of SAP and Microsoft. It must be deployed on both SAP

NetWeaver Gateway and on servers running Microsoft SharePoint Server 2010 by the SharePointadministrator.

Before you start the configuration, make sure you have read the Duet Enterprise SAP

Installation Guide, where you can learn about the hardware and software requirements, theprerequisites, and general installation procedure. You can find the Duet Enterprise SAPInstallation Guide at SAP Service Marketplace at: http://service.sap.com/instguides SAPBusiness Suite Applications Duet Enterprise Feature Pack 1 forDuet Enterprise 1.0.

Coordination between SAP and MicrosoftDeploying Duet Enterprise is a coordinated effort between Microsoft and SAP. To completecertain procedures, information must be shared between the administrators deploying the

product. For this purpose, the Duet Enterprise Deployment Worksheethas been created whichcontains all the information that will be shared between the SAP and the Microsoft administrator

Even if one person is deploying Duet Enterprise in both the SharePoint and SAP environments,the deployment worksheet makes it easier to keep track of the information that will be neededin a later procedure. Note also, that some information provided by the SharePoint administratorwill be used by the SharePoint administrator in a later procedure.

Procedures where information must be gathered to/from the worksheet are marked with the

icon.
http://help.sap.com/saphelp_gateway20/helpdata/en/47/25dd9e63c54f268ec132195773326c/frameset.htmhttp://go.microsoft.com/fwlink/?LinkId=205392http://go.microsoft.com/fwlink/?LinkId=205392http://go.microsoft.com/fwlink/?LinkId=205392http://help.sap.com/saphelp_gateway20/helpdata/en/47/25dd9e63c54f268ec132195773326c/frameset.htm


6/99

Pre-Configuration Steps

Activating Services

2

Pre-Configuration StepsAfter you install Duet Enterprise and before you begin the configuration, ensure you perform thefollowing activities:

Activating Services Setting Profile Parameters for SSO

Setting Profile Parameters for SSL

Creating Users on SAP NetWeaver Gateway

Assigning Roles on SAP NetWeaver Gateway

Checking the Cryptolib Version

Activating ServicesDuring a new installation, many SAP NetWeaver services are installed. You must activate themmanually, on both SAP NetWeaver Gateway and SAP system.

To activate the services on SAP NetWeaver Gateway, proceed as follows:

1. In the SAP NetWeaver Gateway system, open transaction SICF.

The Maintain Servicespage appears.

2. In the Hierarchy Typefield, enter SI CFSERCI VE.

3. Click the Execute icon.

4. Expand the def aul t _host until you reach / sap/ bc/ sr t / xi p/ sap.

5. Right-click on sapand select Activate Service.

You are prompted to confirm if you want to activate the service.

6. Click .

7. Repeat the above procedure for the following services:

/sap/bc/srt/wsil

/sap/bc/srt/xip/sap

/sap/bc/srt/wsdl

/sap/bc/webdynpro/sap/saml2

/sap/bc/srt/rfc`

/sap/public/bc

/sap/public/bc/ur

/sap/public/myssocnt

/sap/bc/webdynpro/sap/appl_soap_management

To activate the services on the SAP system, proceed as follows:

Note: Not all the services listed below exist in all SAP system releases.

1. On the SAP system, open transaction SI CF.

The Maintain Servicespage is displayed.

2. In the Hierarchy Typefield, enter SI CFSERCI VE.


7/99


Setting Profile Parameters for SSO

3


4. Expand the def aul t _host until you reach / sap/ bc/ sr t / xi p/ sap.

5. Right-click on sapand select Activate Service.

You are prompted to confirm if you want to activate the service.

6. Click .

7. Repeat the procedure for the following services:

/sap/bc/srt/wsil

/sap/bc/srt/xip/sap

/sap/bc/srt/wsdl

/sap/bc/srt/rfc

/sap/public/bc

/sap/public/bc/ur

/sap/public/mysssocnt

/sap/bc/webdynpro/sap/appl_soap_management

Setting Profile Parameters for SSOIn both your SAP system and in the SAP NetWeaver Gateway system, you set the following SSOprofile parameters to the values mentioned below:

Profile Parameter Value

login/accept_sso2_ticket 1

login/create_sso2_ticket 2

You maintain these profile parameters via transaction RZ10. For information on profileparameters and profile parameter maintenance, refer to

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/c4/3a6247505211d189550000e829fbbd/fr

ameset.htm, on SAP Help Portal.

Setting Profile Parameters for SSLTo set the profile parameters for SSL, refer tohttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htm, on SAP Help Portal.

Creating Users on SAP NetWeaver GatewayTo create Users on the SAP NetWeaver Gateway system, refer to Setting Up User andAuthorization Administrators, on SAP Help Portal.

Assigning Roles on SAP NetWeaver GatewayIf you want an administrator, developer or other roles, the corresponding roles have to beconfigured in the SAP NetWeaver Gateway system. For more information, refer to Creating andAssigning Roles. If you want to configure roles for reporting, workflow or starter services, referto Roles in the SAP NetWeaver Gateway Landscape.
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/52/67170b439b11d1896f0000e8322d00/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/52/67170b439b11d1896f0000e8322d00/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/26/d064c346b64e0ebc870792eaacc74f/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/26/d064c346b64e0ebc870792eaacc74f/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/7d/8f270062454a3392931476957b2d10/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/26/d064c346b64e0ebc870792eaacc74f/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/26/d064c346b64e0ebc870792eaacc74f/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/52/67170b439b11d1896f0000e8322d00/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/52/67170b439b11d1896f0000e8322d00/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htm


8/99


Checking the Cryptolib Version

4

Checking the Cryptolib VersionMake sure the SAP Cryptolib is on the right level (You need SSFLIB Version 1.555.28 or higher,using an updated SAPCrypto Lib.)

To check the Cryptolib level:

1.

On the SAP backend system, open transaction STRUST.The Trust Managerpage appears.

2. From the Menu bar, select Environment> Display SSF Version.

An information message appears. The SSFLIB version is displayed on the first line of themessage.

Repeat the above steps on SAP NetWeaver Gateway system.


9/99

1. Configuring Duet Enterprise for Microsoft SharePoint and SAP

1.1 Prerequisites

5

1. Configuring Duet Enterprise for MicrosoftSharePoint and SAPThe wizard enables you to configure Duet Enterprise for Microsoft SharePoint and SAP.This section, together with the prerequisites and post configuration procedures, covers all the

steps necessary to configure feature pack 1 for Duet Enterprise 1.0 in your system.While running the wizard, you can skip some steps, if they should not be automated due tosecurity / traceability reasons (for example, when you only want to run the wizard in yourSandbox / Test environment, but only part of it in your productive environment).

Also, if you encounter an error for a certain step, skip this step, perform it manually, andcontinue using the wizard.

The wizard performs all the configuration steps on SAP NetWeaver Gateway system, and somerequired steps on the SAP system (like establishing trusts or creating logical ports).

Note: If the wizard runs smoothly, there is no need to continue with the manualtasks that areoutlined in section 2 and 3 of this document.

1.1 PrerequisitesBefore you run this wizard, ensure that the following prerequisites are met:

Enhancement package 2 for SAP NetWeaver 7.0, SP08 or higher is installed in yourlandscape.

You have the required authorizations to run the wizard. For more information, refer toAuthorizationssection.

You have the required basic information from the Microsoft SharePoint administrator, to runthe wizard. For more information, refer toInformation Required from the MicrosoftAdministrator.

End-users and groups are created (at least one user and group; used for activating BC sets).

You have implemented all notes appearing under composite note 1599573.

1.1.1 AuthorizationsTo run the wizard, several authorizations are required on SAP NetWeaver Gateway and SAPsystem. On SAP NetWeaver Gateway, the authorization template /IWTNG/LCMWIZARD can beused which contains all required permissions. You can create a role out of the template followingthe instructions outlined below:

1. Open transaction pfcg in the SAP NetWeaver Gateway system.

2. Enter a name for the role in the Rolefield.

3. Choose Single Role.

4. Save the Role.5. Choose the Authorizationtab.

6. Choose Change Authorization Data.7. Choose the template /IWTNG/LCMWIZARDin the Role Templatessection.8. If you want to assign additional authorization objects to this role, choose . .

The Manual selection of authorizationspage appears.

9. Enter the authorization object in the Authorization Objectfield and press Enter.

The authorization object is inserted.


10/99


1.1 Prerequisites

6

10.Click on the Authorization objectfields.

The Field Valuespage appears.

11.Enter the required values.

12.Choose Generateto create a new role.

On the SAP system the following permissions are required to create RFC destinations, exchangecertificate and create logical ports:

Authorization Template Permissions

S_ADMI_FCD S_ADMI_FCD=NADM

S_CTS_ADMI CTS_ADMFCT=TABL

S_DATASET PROGRAM=SAPLRSPOR

ACTVT=06,33,34,;

FILENAME=*

S_GUI ACTVT=61

S_RFC RFC_TYPE=FUGR

RFC_NAME=RSPOR, SAIO, SBDC, SBUF, SCCA,SCUST_RFC_GENERATE, SICM, SSFP

ACTVT=16

S_RFC_ADM ACTVT=01

RFCTYPE=

RFCDEST=*

[, ]

ICF_VALUE=

S_RFCACL RFC_SYSID=*

[SID of GW Server]

S_RZL_ADM ACTVT=01

S_SRT_LPR TCODE=LPCONFIG;

PROXY=/OSP/CO_REP_ADAPTER_WSVI_DOCUM;

/OSP/CO_RMWRAPPER_VI_DOCUMENT;

CO_OSPWACTION_ITEM_VI_DOCUMENT;

LP_NAME=LP_PORT_REPORTING[Name of Logical Port]

S_TCODE TCD=LPCONFIG, STRUSTSSO2

S_TRANSPRT TTYPE= ;

ACTVT=03;


11/99


2. Using Duet Enterprise for Microsoft SharePoint and SAP Wizard

7

Customizing TablesThere is a possibility that when starting the wizard via /IWTNG/LCM, the required customizingentries from tables /IWTNG/LCMCONFIG, /IWTNG/LCMSTCONF and /IWTNG/LCMSTEPS are nottransported from client 000 to the productive client you are currently working on.

In this case, the following error message is displayed:

I n Vi ew cl ust er : BC- RFC3- RFCDESCR : BC- RFCH- RFCDESCR : BC- RFCH- PATH r equi r edcust omi zat i on ent r i es mi ssi ng : BC- RFC3- RFCDESCR : BC- RFCH- RFCDESCR : BC- RFCH- PATH.

To solve this:

1. Go to Note 1544169which contains a BC set with the required customizing. Implementthe correction instructions in the note

2. Open transaction SCPR20.

3. From the BC SETmenu, select Upload.

4. The Business Configuration Sets: Activationpage is displayed.

5. In the Short Textfield, press F4and select the BC set file attached to the note.

6. Click Activate.7. The required customizing tables are populated and the Wizard should work.

1.1.2 Information Required from theMicrosoft Administrator

Before you start the wizard, you require some basic information from the Microsoft SharePoint

administrator. You can obtain this information using the Duet Deployment Worksheet located athttp://go.microsoft.com/fwlink/?LinkId=205392 . Information that has to be handed over to theSharePoint administrator is clearly mentioned throughout the wizard.

2. Using Duet Enterprise for MicrosoftSharePoint and SAP Wizard1. Open transaction /n/IWTNG/LCM.

2. Click Nextat the top and follow the instructions on the wizard.

Additional help and explanation is available for each step by clicking the icon.

3. Post Configuration StepsAfter configuring Duet Enterprise using the wizard, perform the following activities:

1. Activate SAP NetWeaver Gateway. For more information, refer to Activating SAP NetWeaverGateway.

2. For configuring Time Management services, perform the procedures described in the sectionUpdating TIMA BDC Model with User Profile Information.

3. For configuring Reporting, activate the local reports.

a. Open transaction SE38.

The ABAP Editor: Initial Screenis displayed.
http://go.microsoft.com/fwlink/?LinkId=205392http://help.sap.com/saphelp_gateway20/helpdata/en/b9/c32e4c337240a5ada185716e557048/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/b9/c32e4c337240a5ada185716e557048/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/b9/c32e4c337240a5ada185716e557048/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/b9/c32e4c337240a5ada185716e557048/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/b9/c32e4c337240a5ada185716e557048/frameset.htmhttp://go.microsoft.com/fwlink/?LinkId=205392


12/99


3. Post Configuration Steps

8

b. In the Program field, enter /IWCNT/DEMO_REP_LP_CONFIG.

c. Click Execute.

This program will configure the required RFC destinations and logical ports.

Note: This is required to demo local reports from SAP NetWeaver Gateway.

4. For configuring Workflow, perform the procedures described in the following sections in this

document:

3.1.5 Customizing Duet Workflows Patterns

3.1.6 Customizing Workflow Patterns

3.1.7 Running Scheduled Reports (Jobs)

3.1.8 Creating Roles and Assigning Authorization Objects in SAP System

5. For configuring Starter Services, perform the procedures described in the following sectionsin this document:

3.5 Caching Code Lists

3.6 Configure Document Upload Option

3.7 Retrieving the URL for the "View Inquiry in SAP System" Link

At this stage, Duet Enterprise should be completely deployed in your machine.


13/99

2. Manually Configuring Duet Enterprise

2.1 Setting up Users on SAP NetWeaver Gateway

9

2. Manually Configuring Duet EnterpriseThis section provides the step-by-step instructions for manually configuring Duet Enterprise.

Note: You must perform the steps in the order listed.

This section includes:

Setting Up Users on SAP NetWeaver Gateway

Activating BC Sets

Establishing Connections to an SAP System and the SharePoint Server

Specifying Configuration Settings of the SharePoint Server

Creating Endpoints for Duet Enterprise Services

Specifying SAP NetWeaver Gateway Configuration Settings to SAP Systems

Create Type H RFC Destination to SAP NetWeaver Gateway

Setting up Role Synchronization

Activating the SharePoint Server

Activating SAP NetWeaver Gateway

2.1 Setting up Users on SAP NetWeaverGatewayAfter installation, you create users and assign authorizations on the SAP NetWeaver Gatewaysystem. Use the predefined templates to create administrator, developer and user roles.

Note: After installation, there are no end-users on SAP NetWeaver Gateway. Since all SAPsystem end-users have to be available on SAP NetWeaver Gateway as well, it is recommended

to connect the SAP NetWeaver Gateway system to a Central User Administration or SAP IdentityManagement and synchronize the user. If that is not possible, you have to create the usersmanually.

The list of tasks that you perform is as follows:

1. Create an administrator role and assign a user to it on the SAP NetWeaver Gatewaysystem. For more information on how to create and assign administrator roles, refer toUser, Developer, and Administrator Authorizations.

2. You then create users roles and profiles. For more information, refer to the section SAPNetWeaver Gateway User Rolein User, Developer, and Administrator Authorizations.

Note: For the users performing the Grant user access to SAP workflow tasksprocedure in SharePoint ONLY, make sure you assign the authorization objectS_Service

to the role.3. Create a service user to access WSDL from Microsoft SharePoint. For more information,

refer to Creating a Service User to Access WSDL from SharePoint.

For Duet Enterprise, you use the following role templates to create roles:

Template Name Template For

/IWFND/RT_ADMIN SAP NetWeaver Gateway Framework Administrator
http://help.sap.com/saphelp_gateway20/helpdata/en/c0/af543a0ce04b7690c196294db1b802/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/c0/af543a0ce04b7690c196294db1b802/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/c0/af543a0ce04b7690c196294db1b802/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/c0/af543a0ce04b7690c196294db1b802/frameset.htm


14/99


2.1 Setting up Users on SAP NetWeaver Gateway

10

/IWFND/RT_DEVELOPER SAP NetWeaver Gateway Developer

/IWCNT/RT_USER_LEMA SAP NetWeaver Gateway Leave Management User

/IWCNT/RT_ADMIN_REPSAP NetWeaver Gateway Reporting ManagementAdministrator

/IWCNT/RT_USER_REP SAP NetWeaver Gateway Reporting Management User

/IWCNT/RT_USER_SS SAP NetWeaver Gateway Sample Services User

/IWCNT/RT_USER_TIMA SAP NetWeaver Gateway Time Management User

/IWCNT/RT_USER_WF SAP NetWeaver Gateway Workflow User

/IWCNT/RT_USER_ACT SAP NetWeaver Gateway Activity Management User

/IWCNT/RT_USER_ACCNT SAP NetWeaver Gateway User for Account Management

/IWCNT/RT_USER_CONT SAP NetWeaver Gateway User for Contact Management

/IWTNG/RT_USER_TIMA Duet Enterprise Time Management

/IWTNG/RT_USER_SAMA Duet Enterprise Sales Management

/IWTNG/RT_BCONS_BDC BDC Bowser Business Consultant

Creating a Service User to Access WSDL from SharePointWSDL is essentially an XML format for describing Web services interfaces. Using WSDL, aservice provider can describe the functionality, quality of service requirements, and otherfeatures of a Web service, so that a potential requestor can understand how to correctly interactwith the service.

Note: For more information regarding the WSDL, refer to the SDN at

http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8

In this procedure, you will provide information to the SharePoint administrator.

Open the Duet Enterprise Worksheet located at http://go.microsoft.com/fwlink/?LinkId=207604 .

You must access the WSDL from SharePoint using a specific user created for that purpose.

To create the user:

1. On SAP NetWeaver Gateway system, open transaction SU01.

2. Enter a user name, for example, SP_Access.

3. Click Create.

4. Maintain all required data including password.

5. Do not assign any roles.

6. Click Save.

7. Enter this user name and password in the Duet Enterprise Worksheet, in the User name forWSDL accessand Password for WSDL accessrows.
http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8http://go.microsoft.com/fwlink/?LinkId=207604http://go.microsoft.com/fwlink/?LinkId=207604http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8


15/99


2.2 Activating BC Sets

11

Checkpoint: Log on to the SAP NetWeaver Gateway system using the user you just created.By providing the password you just maintained, you should see the SAP Easy Access page.

2.2 Activating BC SetsA Business Configuration Set (BC Set) is a management tool that allows users to record, save,

and share customized settings. By creating a BC Set, the user is provided with a snapshot of thecustomized settings of a system that can be used later on as a template.

Duet Enterprise provides BC sets to make the content specific configuration easier byautomating several of the procedures.

It is recommended that you use and activate these BC sets:

/IWTNG/BC_GENERAL_CUSTOMIZING

/IWTNG/BC_WORFKLOW

/IWTNG/BC_SAMPLE_SERVICES

/IWTNG/BC_REPORTING

/IWTNG/BC_TIME_MANAGEMENT

/IWTNG/BC_SALES_MANAGEMENT /IWTNG/BC_BDC_LANG_PROP_SERVICE

Note: You do not need to activate the BC sets to perform configuration. You can perform allconfigurations manually.

This section describes how to activate the /IWTNG/BC_GENERAL_CUSTOMIZING BC set. Foractivating the other BC Sets, refer to the Configuring Duet Enterprise Specific Contentsection.

After activating the BC Set, you can continue with the regular deployment flow. Procedures thathave been automated by the BC set contain a note asking you to skip them.

To activate the /IWTNG/BC_GENERAL_CUSTOMIZING BC set:

1.

On the SAP NetWeaver Gateway system, open transaction SCPR20.The Business Configuration Sets: Activationpage appears.

2. In the BC Set field, press F4.

3. Select the /IWTNG/BC_GENERAL_CUSTOMIZING BC set.

4. Click the Activate BC Seticon.

The Prompt for Customizing Requestpage appears.

5. In the Request field, press F4.

6. Select a customizing request and click the checkmark.

The Activation Optionspage appears.

7. In the Select Activation Modesection, select the Expert Moderadio button.

8. Click the checkmark.

The /IWTNG/BC_GENERAL_CUSTOMIZING BC set is activated.

Checkpoint: Refer to chapter Defining Consumer Issuer Certificateto check if customizingentries were done like outlined in each chapter.


16/99


2.3 Connection Settings: SAP NetWeaver Gateway to Microsoft SharePoint

12

2.3 Connection Settings: SAP NetWeaverGateway to Microsoft SharePointYou configure settings for SAP NetWeaver Gateway components and define how these settingsinterface with the SharePoint server. In this section only the basic configuration activities to set

up the connection between SAP NetWeaver Gateway and SharePoint is listed.Requirements:

Make sure that you installed the SAP NetWeaver Gateway components.

To specify the setting between SAP NetWeaver Gateway and SharePoint, proceed as follows:

1. Configure the SLD. For more information, refer Configuring the SLD.

2. Define settings for idempotent services (This means that the service call will be executedexactly once.) For more information, refer Defining Settings for Idempotent Services.

3. Define consumer issuer certificate. For more information, refer to Defining Consumer IssuerCertificate.

4. Create RFC destination for outbound queues. For more information, refer Creating a bgRFCDestination for Outbound Queues.

5. Register RFC destination. For more information, refer Registering the bgRFC Destination forthe Outbound Queue.

6. Create bgRFC supervisor destination. For more information, refer Creating the bgRFCSupervisor Destination.

7. Check bgRFC configurations. For more information, refer Checking bgRFC Configurations.

8. Create RFC destination for WSIL service. For more information, refer Creating an RFCDestination for the WSIL Service.

9. Configure Web Service message-based authentication. For more information, refer to EnableMessage-Based Authentication.

Configuring the SLDSystem Landscape Directory (SLD) contains component information, a landscape description,and a name reservation, based on the standard Common Information Model (CIM), which isindependent of your implementation.

SLD communicates with a client application using HTTP.

Optionally, you can configure SAP NetWeaver Gateway to connect to the SLD and to send dataperiodically about the system landscape.

Note: Connecting SAP NetWeaver Gateway to an SLD is optional. You can connect SAPNetWeaver Gateway to an SLD only if there is an SLD in your system landscape.

To establish connection to SLD from SAP NetWeaver Gateway:

1. Log on to the SAP NetWeaver Gateway system, and open transaction SPRO.

2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConnection Settings Connect SAP NetWeaver Gateway to SLD .

3. Click the Execute icon to configure the connection.

For more information regarding the SLD, refer to the following link on the SAP Help Portal:Architecture Overview of Data Supplier. For more information on how to register an ABAP-basedSAP system and its clients in the landscape description of the SLD, refer to the following link onthe SAP Help Portal: Registering ABAP-Based SAP Systems.
http://help.sap.com/saphelp_gateway20/helpdata/en/19/71dd7038da4a828c69927cc06ddc39/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/19/71dd7038da4a828c69927cc06ddc39/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0f/ff5077b3cb44ec88d39cc7812b6734/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0f/ff5077b3cb44ec88d39cc7812b6734/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/27/1e5fac751a4462a6ac804a2cee6ad5/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/27/1e5fac751a4462a6ac804a2cee6ad5/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/ad/edb5e1050042f1b53dc9f9264f2754/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/ad/edb5e1050042f1b53dc9f9264f2754/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e8/d35162445b4134bde42f0d5f860178/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htmhttp://help.sap.com/saphelp_47x200/helpdata/en/8a/361fb70681234fb7d3af841ec2383e/content.htmhttp://help.sap.com/saphelp_47x200/helpdata/en/fe/3dac3e66c7e16fe10000000a114084/frameset.htmhttp://help.sap.com/saphelp_47x200/helpdata/en/8a/361fb70681234fb7d3af841ec2383e/content.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e8/d35162445b4134bde42f0d5f860178/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/ad/edb5e1050042f1b53dc9f9264f2754/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/ad/edb5e1050042f1b53dc9f9264f2754/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/27/1e5fac751a4462a6ac804a2cee6ad5/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/27/1e5fac751a4462a6ac804a2cee6ad5/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0f/ff5077b3cb44ec88d39cc7812b6734/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0f/ff5077b3cb44ec88d39cc7812b6734/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/19/71dd7038da4a828c69927cc06ddc39/frameset.htm


17/99


2.4 Establishing Connections between SAP NetWeaver Gateway to Both SAP Backend System and SharePoint Server

13

2.4 Establishing Connections between SAPNetWeaver Gateway to Both SAP BackendSystem and SharePoint ServerNote: There are many instances where the IMG refers to a Consumer. For Duet Enterprise, the

Consumer is SharePoint.

You must define and configure settings for connecting the SAP NetWeaver Gateway to both yourSAP backend system and to the SharePoint server.

There are different ways in which these two systems can communicate between themselves:

SharePoint to SAP NetWeaver Gateway connection

SharePoint communicates with the SAP NetWeaver Gateway via HTTPS Web service calls.For this to be possible, services and end-points need to be created and released on the SAPNetWeaver Gateway server (refer to Release Duet Enterprise Services). You also need toconfigure SAML (refer to Configuring the SAP NetWeaver Gateway Host to use SAMLAuthentication).

SAP NetWeaver Gateway to SharePoint connectionSAP NetWeaver Gateway system sends data to SharePoint via HTTPS logical ports which arescenario specific. For this, an SSL trust has to be established (refer to Create ConsumerProxyfor Reporting and Create Consumer Proxyfor Workflow).

SAP NetWeaver Gateway to SAP system connection

The SAP NetWeaver Gateway can communicate with the SAP systems in two ways: viaHTTP/Web service calls (Type H RFC destinations) and classic ABAP RFC calls (Type 3 RFCdestinations).

a. Type H RFC calls are used for Starter Services (refer to Create Type H RFCDestination to SAP NetWeaver Gateway). For this, the SAP NetWeaver Gateway

system has to trust the certificates of the SAP system (refer to the Duet Enterprise

Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides SAP Business Suite Applications Duet Enterprise Feature Pack 1 for DuetEnterprise 1.0.)

b. Type 3 RFC destinations are used by Reporting, Workflow and Starter Services.(Refer to Creating a Type 3 RFC Destination on SAP NetWeaver Gateway Host to SAPSystem). For this the SAP NetWeaver Gateway system has to be configured as atrusted system in the SAP system. (Refer to Defining Trust between the SAPNetWeaver Gateway Host and Your SAP Systems for Type 3 Connections)

SAP system to SAP NetWeaver Gateway system connection

The SAP system uses HTTPS / Web service calls to communicate to the SAP NetWeaverGateway system. This is used by Workflow (refer to Create a Logical Port)and Reporting

(refer to Create a Logical Port). For this a SSL trust has to be established (refer to the DuetEnterprise Security Guide at SAP Service Marketplace at: http://service.sap.com/instguidesSAP Business Suite Applications Duet Enterprise Feature Pack 1 for Duet Enterprise

1.0) and the SAP NetWeaver Gateway system has to accept certificates from the SAP system(see Configuring the SAP NetWeaver Gateway Host to Accept Assertion Tickets from SAPBusiness Suite Systems)
http://help.sap.com/saphelp_gateway20/helpdata/en/0a/a6ff82d7d94b1fa7b87f29ecaa0e01/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0a/a6ff82d7d94b1fa7b87f29ecaa0e01/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/46/17f2532ab9471aa450906fbf62fef7/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/46/17f2532ab9471aa450906fbf62fef7/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/66/5fa4b584dc4fbdb862259541b17bc9/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/66/5fa4b584dc4fbdb862259541b17bc9/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/66/5fa4b584dc4fbdb862259541b17bc9/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/66/5fa4b584dc4fbdb862259541b17bc9/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/46/17f2532ab9471aa450906fbf62fef7/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/46/17f2532ab9471aa450906fbf62fef7/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0a/a6ff82d7d94b1fa7b87f29ecaa0e01/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/0a/a6ff82d7d94b1fa7b87f29ecaa0e01/frameset.htm


18/99



14

2.4.1 Configuring the SAP NetWeaver GatewayHost to use SAML AuthenticationYou configure the SAP NetWeaver Gateway host to enable authentication for users from theSharePoint server using SAML tokens.

Requirements

Make sure that you have configured the following:

User mapping records.

A Security Token Service to issue SAML tokens.

The use of SSL between the SAP NetWeaver Gateway host and the consumer server.

The use of SSL between the SAP NetWeaver Gateway host and the Security Token Providersystem.

The use of SAML authentication in the SharePoint server and clients.

The following is an overview of the sequence of tasks for configuring the use of SAML in the SAPNetWeaver Gateway host:

1. Enable message-based Web service authentication.

2. Specify the Security Token Provider system as a trusted system.

For more information about configuring the Security Token Provider system as a trusted systemin the SAP NetWeaver Gateway landscape, refer to SAP NetWeaver Gateway Security Guide.

Enable Message-Based AuthenticationMessage-based Web services go to the Internet Communication Framework(ICF) to perform thelogon using a technical user DELAY_L_ stored in the ICF. As the ICF cannot access SOAPdata, it cannot logon directly using the authentication data in the SOAP document.

You must create the DELAY_L_ user without any authorizations in a secure storage.

The user DELAY_L_ gains access, and the SAP NetWeaver Gateway host evaluates thesent token. If the user name and password match, the SAP NetWeaver Gateway host performs auser exchange and logs on the user specified in the token.

To enable message-based authentication:


2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConnection Settings SAP NetWeaverGatewayto Consumer Configure Web Service

Message-Based Authentication .


The WSS_SETUPpage appears.

4. SelectICF Node Update.Note: If this is the first time you run this activity, the ICF Node Update checkbox is not

available. Skip this step, and after the procedure is complete, go back to Connection Settings

SAP NetWeaverGatewayto Consumer Configure Web Service Message-Based

Authenticationand clickthe Execute icon again.

This option specifies and repairs the user, DELAY_L_ in all ICF nodes. This may benecessary if the user DELAY_L_ has been locked or changed, or if its password hasbeen changed.
http://help.sap.com/saphelp_gateway20/helpdata/en/89/ea6a0543dc4e13b20b3462f57d7404/frameset.htmhttp://help.sap.com/saphelp_nw04/helpdata/EN/36/020d3a0154b909e10000000a114084/content.htmhttp://help.sap.com/saphelp_nw04/helpdata/EN/36/020d3a0154b909e10000000a114084/content.htmhttp://www.sdn.sap.com/irj/sdn/standards-messaging?rid=/webcontent/uuid/c84b6d8c-0901-0010-41b1-cc799efc76f2http://www.sdn.sap.com/irj/sdn/standards-messaging?rid=/webcontent/uuid/c84b6d8c-0901-0010-41b1-cc799efc76f2http://www.sdn.sap.com/irj/sdn/standards-messaging?rid=/webcontent/uuid/c84b6d8c-0901-0010-41b1-cc799efc76f2http://help.sap.com/saphelp_nw04/helpdata/EN/36/020d3a0154b909e10000000a114084/content.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/89/ea6a0543dc4e13b20b3462f57d7404/frameset.htm


19/99



15

5. Select Provider Configurationin the Secure Conversation Bootstrap Endpointssection. This is a dedicated service required to obtain the SecureContentToken.

6. Specify the following in the WS Security Optionssection:

Algorithm Suite: Select TripleDesSha256RSA15for the algorithm suite.

Note: Make sure that TripleDesSha256RSA15 is listed. If it is not listed, check the

SSFLIB Version using transaction STRUST, and then go to EnvironmentDisplay SSFVersion.

You need SSFLIB Version 1.555.28 or higher, using an updated SAPCrypto Lib.

Clock Skew: Specify the value 120, this is the tolerance to compensate for timedifference between the consumer server and the SAP NetWeaver Gateway host.

Select Detect message replaysto detect and prevent Web service messages that arebeing called repeatedly.

SAML 1.1 Trust: Choose Use SAML Trust.

7. In the Test Runsection, unselect Test Run, and click Execute. You can run this report

multiple times.

The result displays many details, including, the list of services activated and the message:Configuration for WS Security logon successfully checked.

Note: On the first run there might be an error due to missing users. It is recommended torun it a second time to ensure that no errors are displayed.

Note: If the provider configuration cannot be created, open transaction SICF and activatenode /sap/bc/srt/xip/sap.

Checkpoint:

1. Run the WSS_SETUP again by executing steps 1 to 4.

2. Leave all settings as default and click on execute.

The following lines should be displayed in the WS Security Optionssection: Algorithm Suite:TripleDesSha256Rsa15

Clock Skew(sec):120

Detect message replays

SAML 1.1 Trust:SAML2

Specify the Security Token Provider System as a Trusted System

To complete this procedure, you will require input from the SharePoint

administrator. Open the Duet Enterprise Worksheet located at

http://go.microsoft.com/fwlink/?LinkId=207604 .

From the SAP NetWeaver Gateway host you define the STS host as a trusted system byimporting its signed certificate as proof of the identity of the STS system.

For information about configuring the STS host as a trusted system, see the Security Guide atSAP Service Marketplace at: http://service.sap.com/instguides SAP Business SuiteApplications Duet Enterprise Feature Pack 1 for Duet Enterprise 1.0.
http://go.microsoft.com/fwlink/?LinkId=207604http://go.microsoft.com/fwlink/?LinkId=207604


20/99



16

Requirements:

Make sure that you have:

Activated HTTP security session using transaction SICF_SESSIONS. A list of all of theclients that exist in the system appears. Select the relevant client and choose Activate.

Information about the STS issuer name, and STS public-key certificate, as you need to

provide details of the STS system in the SAP NetWeaver Gateway host. This information hasto be provided by the SharePoint administrator.

You use the SAML 2.0 wizard, a browser application, to do the following:

Specify the local provider information.

Configure HTTP security in the SAP NetWeaver Gateway host.

Specify the Web service policy

To specify the local provider details:

Note: If you have SAML 2.0 support enabled, you can skip steps 6-9 in this procedure.


2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConnection Settings SAP NetWeaver Gateway to Consumer Configure Consumer STS.


The SAML 2.0 Local Provider Configurationwizard appears using the URL: ht t ps: / / sap/ bc/ webdynpr o/ sap/ saml 2

Note: You need the user and password to logon.

4. Click Enable SAML 2.0 Support.

The SAML 2.0 Local Provider Configuration appears.

5. Enter the following inInitial Settingsand click Next:

Provider Name: Enter the provider name, making sure there are no spaces in thename. For example, Gat eway_Pr ovi der .

Operation Mode: Do not change the specified value, Service Provider.

6. In General Settings, enter 120 in Clock Skew Toleranceand click Next.

7. In Service Provider Settings, specify the following (default settings):

In the Selection Modefield under Identity Provider Discovery, select Manual.

In the Affiliation Namefield under, do not make any change.

In the Supported Bindingsfield under Assertion Consumer Service, select HTTPPOST, HTTPArtifact, and PAOS.

In the Supported Bindingsunder Single Logout Service, select HTTPRedirect,HTTP POST, HTTP Artifact, and SOAP.

Under Artifact Resolution Service, select Enabledin Mode, and specify 60inArtifact Validity Period.

8. Click Finish.

A summary of the local provider details in the SAML 2.0 Configuration wizard of ABAPSystem:/ appears.


21/99



17

To configure HTTP security in the SAP NetWeaver Gateway host:

1. Select the Trusted Providerstab and do the following:

In Showunder List of Trusted Providers, choose Secure Token Services, click Add,

and then select Manually. The New Trusted Secure Token Services Providerwizardis displayed.

In the Namefield, enter Shar ePoi nt and click Next. This a unique name identified bythe SAML Issuer attribute in a SAML assertion.

Click Browseand then Upload Fileand specify the location of file for the signedcertificate from the STS system, and then click OK. Upload the STS file from SharePoint.

Open the Duet Enterprise Worksheet and copy the file information from the SSLcertificate file name and locationrow.

2. Click Nextin Signature and Encryption.

Information about the signing certificate appears.

3. Click Next.

The Endpointpage appears.

4. Click Add; the following details about the STS system display: In the Provide Location URLfield, enter the URL of the STS system. For example,

http:///_vti_bin/sts/spsecuritytokenservice.svc/windows

In the MEX URLfield, enter the MEX URLfor the STS system: For example, ,http:///_vti_bin/sts/spsecuritytokenservice.svc?wsdl

Note: The name of the has to be handed over from the

SharePoint administrator in the Duet Enterprise Worksheet, in row URL to Webapplication for report router site.

5. Click Finish.

6. From the Trusted Providertab, select the STS system, and then click Edit.

The Details of Security Token Provider page appears.

7. For Supported SAML Versions, select SAML 1.1, and make sure that SAML 2.0 is notselected.

8. Set the Assertion-Validity (Holder-of-Key)to the value defined in SharePoint, by default600.

9. Select the Identity Federationtab, and then click Add.

10.Select Unspecifiedfrom the list in Supported NameID Formatsand click OK.

11.In Sourceunder Details of NameID Formats ,select Mapping inUSREXTIDTable from the list.

12.Click Saveand then click Enable.

To specify the Web service policy:

1. From the Policiestab, select Web Service Policiesfrom the list. The list contains STSentries from the table WSS_STS_URL_TAB.

2. Click Add.

The SAML 2.0 Configurationwindow appears.

3. In the Policy name field, enter Shar ePoi nt .

4. Select the name of the STS provider from the list in Security Token Service Provider.


22/99



18

5. Select the placeholder URL of the STS system from the list in STS Location URL. The MEXURL is automatically added.

6. In SAML Type, select Asymmetric consumer key, STS as a tester, and inSAMLVersion select SAML 1.1, and then click OK.

Note: Write down the Policy name as you will need it when importing the SAML profile in

SOAMANAGER.

Defining Consumer Issuer Certificate

Note: If you activated the BC_GENERAL BC set, these settings should already be available.There is no need to perform this procedure.

You must configure the SAP NetWeaver Gateway host to identify the SAML token issuer for theusers in a specific consumer server.

By doing so, you enable the SAP NetWeaver Gateway host to map users correctly between thespecific consumer and SAP NetWeaver Gateway.

To define consumer issuer certificate:


2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway Configuration

Connection Settings SAP NetWeaver Gateway to Consumer Define Consumer IssuerCertificate .


The Define Consumer Detailspage appears.

4. Click New Entries.

5. In the Consumer Typefield, press F4, and select SHAREPOINT_INT.

6. In the Issuer Namefield, enter Shar ePoi nt .

Note: This entry is case sensitive.

7. In the Issuer Certificatefield, enter CN=Shar ePoi nt Secur i t y Token Ser vi ce,

OU=Shar ePoi nt , O=Mi cr osof t , C=US

8. Click Save.

SAP NetWeaver Gateway maps users in a specific consumer server to SAP NetWeaverGateway users based on the SAML token issued by an STS.

Configuring the Use of SSL between the SAP NetWeaverGateway Host and SharePoint

To complete this procedure, you will require input from the SharePoint

administrator. Open the Duet Enterprise Worksheet located athttp://go.microsoft.com/fwlink/?LinkId=205392

You configure the SAP NetWeaver Gateway host, SAP NetWeaver AS ABAP, to use SSL forcommunications with SharePoint.

For more information about SSL settings in the SAP NetWeaver Gateway landscape, see theSecurity Guide at SAP Service Marketplace at: http://service.sap.com/instguides SAPBusiness Suite Applications Duet Enterprise Feature Pack 1 forDuet Enterprise 1.0.
http://go.microsoft.com/fwlink/?LinkId=205392http://go.microsoft.com/fwlink/?LinkId=205392


23/99



19

Requirements

Make sure that you have:

Information about the SSL public-key certificate, you need to provide details of the SSLsystem in the SAP NetWeaver Gateway host.

To implement SSL for use between the SAP NetWeaver Gateway host and the consumer server,

you must configure SSL in the two systems. Configure the SharePoint server to use SSL.

To configure SSL for use in the SharePoint server, see the specific SharePoint serverdocumentation.

Configure the SAP NetWeaver Gateway host to use SSL.

If you have already configured the SAP NetWeaver Gateway host to use SSL, you can skipthe following procedures.

To configure the use of SSL in the SAP NetWeaver Gateway host:



Connection Settings SAP NetWeaver Gateway to Consumer Manage Security Trusts .


The Trust Managerpage appears.

4. Generate key pairs for SSL.

To generate the key pairs, proceed as follows:

a) Right-click on SSL server Standard.

b) Click Create.

c) Maintain the correct data for Name, Org, Comp, Country, CA, Algorithm andKey Length and click the checkmark.

d) If needed adjust the Distinguished Namefor the displayed hosts and clickthe checkmark.

Note: A self signed certificate is created. If required, you can sign this certificate by aCertificate Authority.


24/99



20

Note: Make sure that an HTTPS port is set in the profile parameters as shown in the Configuringthe AS ABAP for Supporting SSL help topic found at:http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm.

To verify that the HTTPS port is active:

1. Open transaction SMICM.The ICM Monitorpage appears.

2. From the menu bar, select Goto > Services.

The ICM MonitorService Displaypage appears.

3. In the Active Services table, check that the HTTPS entry is Active.

4. Export the SSL server certificate.

To export the SSL server certificate, proceed as follows:

a. Under SSL server (Standard), double-click the certificate displayed.

The Owncertificate appears.

b. Double click on the certificate.

The certificate appears in the Certificate area.

c. Click Export Certificate.

d. In the File pathfield, enter a file name, for example, C:\GW-SSL.cer.

e. In the File formatsection, select the Binaryradio button.

f. Click the checkmark to export the certificate to the file system.

g. Add the certificate name and location to the Duet Enterprise Worksheet, in theSSL Certificate location and file namerow.

5. Import the certificate.

a. Right-click SSL client SSL Client (Anonymous) and select Create.

b. Click the checkmark.

c. Double-click the certificate displayed.

d. Click Import Certificate.

The Import Certificatepage appears.

e. Enter the SharePoint SSL server certificate. To find the certificate, see the DuetEnterprise Worksheet, SSL certificate file name and locationrow.

Note: The imported certificate must be in .CER format.

f. Click the checkmark.

g. Click Add to Certificate List.

h. Click Save.

i. Repeat this procedure steps for all the certificates you received from theSharePoint administrator.

Checkpoint: To verify that the SharePoint SSL certificate was successfully created,

create an RFC type H destination to the SharePoint server (for further information, referto the Create Type H RFC Destination to SAP NetWeaver Gatewaysection). Perform aconnection test, and make sure that you do not get any ICM_HTTPS_SSL certificateerror.
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm


25/99



21

2.4.2 Mapping User Data in the SAP System andthe SharePoint ServerUser mapping maps a user ID in the SharePoint server to the user ID in the SAP system for thesame user.

User mapping is required if users have different user IDs in the SAP NetWeaver Gateway hostand in the SharePoint server; passwords are not mapped. If the user ID on the SharePoint isdomain\username and in the SAP system it is only username this is still considered as beingdifferent user IDs.

The user's ID in the SharePoint server and the users ID in the SAP NetWeaver Gateway host arestored in the user's logon ticket for single sign-on. When the user tries to access an SAP system,the system extracts the user ID from the logon ticket.

Mapping User Data when the User IDs in SharePoint and SAPNetWeaver Gateway are the SameIf the usernames on SharePoint are the same as on SAP NetWeaver Gateway server, you do not

have to connect SAP NetWeaver Gateway to the Active Directory Domain Service to performmapping.

To map the SAP user names to SharePoint:


2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConsumer Settings Map SAP User Names to Consumer .


The Enter Correct SNC Names in Table View VUSREXTIDpage is displayed.

4. In the External ID Type field, select SA.5. In the Prefix of External Namefield, enter SharePoi nt : : domai n, where domai nis the

domain in which the users are located, for example, SharePoint::devwdf24

6. In the Suffix of External Namefield, delete any existing data.

7. In the Optional: Name of Issuerfield, enter CN=Shar ePoi nt Secur i t y Token Ser vi ce,OU=Shar ePoi nt , O=Mi cr osof t , C=US(This is the Issuer name of the SharePoint SecurityToken Service certificate that you previously imported when running the SAML2 Wizard.)

Note: You cannot use the F4 help here.

8. Select the BAdI Implementationradio button.

9. In the BAdI Implementation field, press F4 and select Simple bulk user mapping.

10.Under Further Options, deselect the Test Modecheckbox.

11.Click Execute.

The Enter Correct SNC Names in Table View VURSEXTIDpage is displayed.

12.Check that the Number of External Names Added is greater than 0.

Checkpoint:

a. Open transaction SM30.

b. In the Table/Viewfield, enter VUSREXTI D.


26/99



22

c. Click Display.

The Determine Work Area: Entrypage appears.

d. In the External ID Typefield, enter SA.

e. Click the checkmark.

The Assignment of External ID to Users table appears. It should include a list of al

the users that were mapped.

Mapping User Data when the User IDs in SharePoint and theSAP NetWeaver Gateway Host are DifferentTo create an RFC destination for the LDAP connection:

1. On SAP NetWeaver Gateway, open transaction SM59.

The Configuration of RFC Connectionspage appears.

2. Click Create.

The RFC Destinationpage appears.

3. In the RFC Destinationfield, enter a name for the RFC destination, for example, RFC-DEV24DC1.

4. In the Connection Type field, enterT.

5. Click Edit.

6. In the Description field, enter a description, for example, Connect i on t o DEVWDF24 f orLDAP Sync.

7. Select the Technical Settingstab.

8. Under the Activation Typesection, select the Registered Server Programradio button.

9. In the Program IDfield, enter a program ID, for example, PROG- DEVWDF24.

10.In the Gateway Optionssection, enter the following information:

Gateway Host: , for example,vmw2065.wdf.sap.corp

Gateway service: , for example,sapgw

11.Click Connection Test.

The test will fail at first with a Logon Connection Errormessage.

To create a user for the LDAP connection:



Consumer Settings Configure LDAP Server for Mapping Users .

3. Click Execute.

The Directory Service Connectionpage appears.

4. Click System Users.

The Display View LDAP System User: Detailspage appears.


27/99



23

5. Click Edit.


TheNew Entries: Details of Added Entries page appears.

7. In the User ID field, enter the name of a system user, for example, GW- DEV24.

8. In the Distinguished Name field, enter the service user used to connect to the ADS andread user entries, for example, devwdf 24\ d044410.

9. In the Credentialscheckbox, click Edit.

The System Userdialog box appears.

10.In the Passwordfield, enter the password for the user name previously entered.

11.In the Repeat Password field, enter the password for the user name previously enteredagain.

12.Click the checkmark.

To configure the LDAP server the LDAP connection:


2. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConsumer Settings Configure LDAP Server for Mapping Users .

3. Click Execute.


4. Click LDAP Servers.

The Display View Server Names: Detailspage appears.

5. Click Edit.


TheNew Entries: Details of Added Entries page appears.

7. In the Server Name field, enter a name for the server, for example, SRV- DEV24DC1.

8. In the Host Name field, enter the name of the ADS server, for example,dev24dc1. wdf . sap. cor p.

9. In the Port Number field, enter the port number of the ADS server, for example, 389.

10.From the Product Name drop-down list, select Microsoft Windows 2003 ActiveDirectory (Domain Mode)(even if you have ADS 2008, see Note 983808).

11.From the Product Version drop-down list, select LDAP Version 3.

12.From the LDAP Application drop-down list, select User.

13.Select the Defaultcheckbox.

14.In the Base entry field, enter: the base entry on which the users are stored in the ADS, forexample, CN=Users,DC=dev24,DC=dev-wdf,DC=sap,DC=corp.

15.In the System logon field, press F4 and select the previously created user (GW-DEV24).

16.Click Save.


28/99



24

To activate the LDAP connection:



Consumer Settings Configure LDAP Server for Mapping Users .

3. Click Execute.


4. Click LDAP Connectors.

The Display View LDAP Connector (Maintenance View): Detailspage appears.

5. Click Edit.

A message is displayed warning you that the table is cross-client.



TheNew Entries: Details of Added Entries page appears.8. In the Connector Name field, press F4 and select the previously created RFC destination,

for example, RFC-DEV24DC1.

9. In the Application Server field, press F4 and select the active instance, for example,vmw2065_DUE_00.

10.From the Status drop-down list, select Connector is active.

From the Trace Level drop-down list, select Trace Off.

11.Leave the Max. Retention Period and theCode Pagefields blank.

12.In the Page Size field, enter a page size (entries per page) if your ADS has more than 1000

entries, for example, 200.

13.Click Save.

14.Click Start Connector.

The Current Statusicon should change to yellow.

15.Click Save.

The Current Statusicon should change to green

To configure the user mapping types:



Consumer Settings Select User Mapping Type .

3. Click Execute.

A message informing that individual entries cannot be put into the change request appears.


The Change View Configuration table for Bulk User Mapping: Overviewpageappears.


29/99



25


TheNew Entries: Overview of Added Entries page appears.

6. In the LDAP/FILE based user mapping column, open the drop-down list and select LDAPbased user mapping.

7. In the Config Index column, check the currently existing entries, and enter the next

highest number. If this is the first entry, enter 1.8. In the LDAP server: symbolic name column, enter the value specified in the To configure

the LDAP server the LDAP connection section above, for example, SRV- DEV24DC1.

9. In the LDAP Attribute for BE Name column, enter the ADS field in which the SAPusernames are stored. If the user name used in the ADS and in the SAP System is the same,enter SAMACCOUNTNAME.

10.Select the Active/Inactive checkbox.

11.Click Save.

Checkpoint: Verify that the RFC destination is now working.


The Configuration of RFC Connectionspage appears.

b. Open the TCI/IP Connectionsmodule.

c. Select the RFC destination previously created, RFC-DEV24DC1.

d. Click Connection Test.

The Connection Test should now work fine.

To map the SAP user names to SharePoint:



Consumer Settings Map SAP User Names to Consumer .

3. Click Execute.

The Enter Correct SNC Names in Table View VUSREXTIDpage appears.

4. In the External ID Type field, select SA.

5. In the Prefix of External Namefield, enter SharePoi nt : :

6. In the Suffix of External Namefield, delete any existing data.

7. In the Optional: Name of Issuerfield, enter CN=Shar ePoi nt Secur i t y Token Ser vi ce,OU=Shar ePoi nt , O=Mi cr osof t , C=US(This is the Issuer name of the SharePoint SecurityToken Service certificate that you previously imported when running the SAML2 Wizard.)

Note: You cannot use the F4 help here.8. Select the BAdI Implementationradio button.

9. In the BAdI Implementation field, press F4 and select SharePoint Integration bulkuser mapping.

10.Under Further Options, deselect the Test Modecheckbox.

11.Click Execute.

The Enter Correct SNC Names in Table View VURSEXTIDpage appears.


30/99


2.5 Creating Endpoints for Duet Enterprise Services

26

12.Check that the Number of External Names Added is greater than 0.

Checkpoint:


b. In the Table/Viewfield, enter VUSREXTI D.

c. Click Display.

The Determine Work Area: Entrypage appears.

d. In the External ID Typefield, enter SA.

e. Click the checkmark.

The Assignment of External ID to Users table appears. It should include a listof all the users that were mapped.

2.5 Creating Endpoints for Duet EnterpriseServicesYou must create endpoints for the Web services used by SharePoint to access the SAML tokenprofiles. This configuration defines the link between SharePoint and SAP NetWeaver Gateway.

PrerequisitesAn RFC destination for WSIL must be created. For information about creating an RFCdestination, refer to the Creating an RFC Destination for the WSIL Servicesection.

2.5.1 Creating and Activating Endpoints for allScenarios1. On the SAP NetWeaver Gateway system, open transaction soamanager.

The SOA managementpage appears.

2. Navigate to Technical Administrationtab page Profiles .

3. Click Import.

4. Find the profile DUET_ENTERPRISE_ASSERTION.XML file on the DVD and click Import.

3.5.2 Verifying End PointsTo check the endpoints you created in the previous section, proceed as follows:

1. On the SAP NetWeaver Gateway system, open transaction soamanager.

2. Navigate to Service Administration tab Web Service Configuration .

3. Search for a service that has been previously added to the Business Scenario.

4. Select the service from the list and click Set Selected.

The Details of the Service Definitiondisplays at the bottom of the screen.

5. Navigate to the Configurationstab.

All endpoints and services are listed here. Endpoints are displayed here with a GUID as ID,and the Creation Type field is set to Created based on profile.

6. Choose Displayto view the configurations.
http://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htmhttp://help.sap.com/saphelp_gateway20/helpdata/en/e3/b782c060024340b3e2be9250bc24e1/frameset.htm


31/99



27

2.5.3 Create the Duet Enterprise SAML ProfileSecurity Assertion Markup Language (SAML) is a standard that defines a language to exchangesecurity information between partners.

You create a SAML profile to enable authentication for users from the SharePoint server usingSAML tokens.

1. On the SAP NetWeaver Gateway system, open transaction soamanager.

The SOA managementpage appears.


3. Click Import.

4. Find the profile DUET_ENTERPRISE_SAML.XML file on the DVD and click Import.


32/99



28

2.5.3 Release Duet Enterprise Services1. Save the following files onto your local file system:

scenar i o_DUET_ENTERPRI SE_ALL: This file is available on the Duet Enterprise 1.0DVD.

scenar i o_DUET_ENTERPRI SE_FP1_SERVI CES: This file is available on the featurepack 1 for Duet Enterprise 1.0 DVD, in the EXTRA_FILESfolder.


3. Open the SAP Reference IMGand navigate to: SAP NetWeaver Gateway ConfigurationConnection Settings SAP NetWeaver Gateway to Consumer Configure Service

Endpoint .


The SOA Managementpage appears.


6. Check that both the DUET_ENTERPRISE_SAML and the DUET_ENTERPRISE_ASSERTIONprofiles appear in the Profiles page.

7. Choose Back.

8. On the SOA Manager main page, select the Service Administrationtab page.

9. Click the Business Scenario Configurationlink.

The Business Scenario Configurationpage appears.

10.Click Import.

11.In the Enter File Pathfield, enter the path to the scenar i o_DUET_ENTERPRI SE_ALL file yousaved in step 1.

12.Click Import.

The Business Scenariowizard appears.

13.Click Nextto move to the Service Definitionsstep.

14.Make sure the following services appear in the list displayed:

Configured as SAML

Reporting:

IWXManageReports_In_V1

Workflow:

IWXUserSubscriptionService

IWXWorkFlowConsumerService

Time Management:IWXManageEmployeeTimeIn

IWXReadEmployeeTimeSheetPickersIn

IWXReadUserProfilesIn

Sales Management:

IWXReadAccountsIn

IWXManageContactsIn


33/99



29

IWXManageContactRelationshipIn

IWXManageActivityIn

IWXReadActivityPickersIn

IWXManageAttachmentIn

Starter Services:

IWXManageCustomerIn

IWXManageCustomerInquiryIn

IWXManageCustomerQuotationIn

IWXManageEmployeeIn

IWXManageProductIn

General

IWXRead_UserRoles_in

IWXRoleSearch_In

Configured as SAP Assertion:

ActionItemVi_DocumentRepAdapterWSVi_Document

RMWrapperVi_Document

Note: The Time and Sales Management services will appear only if you installed featurepack 1 for Duet Enterprise 1.0 in your landscape.

15.Click Nextto move to the Service Groups step.

16.Click Finish.

A dialog box is displayed asking if you want to activate the profile immediately.

17.Click Yes.

18.Repeat steps 11 -17 for the file scenar i o_DUET_ENTERPRI SE_FP1_SERVI CES.

19.Click Start request queue processingto start the queue processing and release allendpoints.

20.If you get errors for the three SAP Assertion services (ActionItemVi_Document,RepAdapterWSVi_Document, RMWrapperVi_Document), check the SSL configuration on theSAP NetWeaver Gateway server described in section To configure the use of SSL in theSAP NetWeaver Gateway host, in the Configuring the Use of SSL between the SAP

NetWeaver Gateway Host and SharePointsection. After fixing the SSL configuration, clickDeactivateand then Activatefor the DUET_ENTERPRISE_ALL Business Scenarioconfiguration.

Checkpoint:

1. On the SAP NetWeaver Gateway, open transaction soamanager.

2. In the SOAMANAGER, select the Service Administrationtab page and click theWebService Configuration link.

The Web Service Configurationpage appears.

3. In the Search Patternfield, enter any of the services listed above (for example,IWXManageReports_In_V1).

4. Click Go.

5. Select this service from the Search Resultstable and click Apply Selection.


34/99



30

6. In the Details of Service Definitionsection, select the Configurationstab.

7. A table should be displayed with at least one Endpoint with Creation type Created based onprofile and Endpoint Binding_T_HTTPS_A_WSSE.

8. Select the Overviewtab.

9. From the Select Binding drop-down list, select xxx: : Bi ndi ng_T_HTTPS_A_WSSE.

10.Click the Open WSDL document for selected binding or service link.

11.Make sure that the following lines are displayed in the WSDL document:

http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-

1.1#SAMLV1.1

ICFBUFFER_INIT

4. Activate the DUET_ENTERPRI SE_ALLscenario again.

5. Perform the checks mentioned above again.

2.5.4 Loading and Preparing the BDC ModelsTo retrieve data from the SAP system and display them in Microsoft SharePoint, SAP deliversBDC (Business Data Catalog) models and resources. These BDC models are in the form of XMLfiles that contain links to the SAP system, which can be consumed by the SharePointenvironment.

To complete this procedure, you will require the Duet Enterprise Worksheet located

at http://go.microsoft.com/fwlink/?LinkId=205392 .

For feature pack 1 scenarios, such as Time and Sales Management, export the BDC modelsusing the BDC Browser tool developed with feature pack 1 for Duet Enterprise 1.0. For moreinformation, refer to the section Exporting Feature Pack 1 Content Using BDC Browser.

For scenarios delivered prior to feature pack 1 for Duet Enterprise 1.0, for example, workflow,reporting, sample services, and so on, refer to the section Exporting Workflow, Reporting andStarted Services Content.
http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey%3c/wst:KeyTypehttp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1%3C/wst:TokenTypehttp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1%3C/wst:TokenTypehttp://go.microsoft.com/fwlink/?LinkId=205392http://go.microsoft.com/fwlink/?LinkId=205392http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1%3C/wst:TokenTypehttp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1%3C/wst:TokenTypehttp://docs.oasis-open.org/ws-sx/ws-trust/200512/Public

Documents

Configuration Guide