Duet e Depl Guide Installation Guide

Duet Enterprise SAP Deployment Guide

June 28st 2011

Copyright

Copyright 2011 SAP AG. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Table of Contents 1. Introduction ................................................................................................................................................... 1

1.1 Before you begin .................................................................................................................................... 1

1.2 Coordination between SAP and Microsoft ................................................................................................... 2

1.3 SCL Overview ........................................................................................................................................ 2

1.4 Planning the System Landscape ............................................................................................................... 2

1.5 Hardware and System Requirements for Duet Enterprise ............................................................................. 3

1.5.1 Gathering Information for Installation .............................................................................................. 5

1.6 Performing Installation Using the Duet Enterprise for Microsoft SharePoint and SAP Wizard ............................. 6

Wizard Prerequisites............................................................................................................................... 7

1.6.1 Pre-Wizard Installation Procedures ................................................................................................ 10

1.6.2 Using the Duet Enterprise for Microsoft SharePoint and SAP Wizard ................................................... 11

1.6.2 Post Wizard Installation Procedures ............................................................................................... 11

1.7 Prerequisites ........................................................................................................................................ 12

1.7.1 Important SAP Notes ................................................................................................................... 12

1.7.2 Activating the Services ................................................................................................................. 13

1.7.3 Setting Profile Parameters ............................................................................................................ 14 2. Installing Duet Enterprise .............................................................................................................................. 15

2.1 Installing the SCL Components ............................................................................................................... 15

2.2 Configuring Settings for the SCL ............................................................................................................. 16

2.3 Setting Up User and Authorization Administrator for the SCL ..................................................................... 17

2.3.1 Create and Assign SCL Administrator Role ...................................................................................... 17

2.3.2 Create and Assign SCL User Role ................................................................................................... 19

2.4 Activating BC Sets ................................................................................................................................ 22

2.5 Specifying Configuration Settings of the SharePoint Server ........................................................................ 23

2.5.1 Configuring the SLD ..................................................................................................................... 23

2.5.2 Defining Settings for Idempotent Services ...................................................................................... 24

2.5.3 Creating RFC Destination for Outbound Queues ............................................................................... 24

2.5.4 Registering the bgRFC Destination for Outbound Queue ................................................................... 25

2.5.5 Creating bgRFC Supervisor Destination .......................................................................................... 26

2.5.6 Checking bgRFC Configurations ..................................................................................................... 26

2.5.7 Creating RFC Destination for WSIL Service ..................................................................................... 27

2.6 Establishing Connections to an SAP System and the SharePoint Server ....................................................... 28

2.6.1 Configuring the SCL Host to use SAML Authentication ...................................................................... 29

2.6.2 Mapping User Data in the SAP System and the SharePoint Server ..................................................... 36

2.7 Creating Endpoints for Duet Enterprise Services ....................................................................................... 41

2.7.1 Creating and Activating Endpoints for all Scenarios .......................................................................... 41

2.7.2 Create the Duet Enterprise SAML Profile ......................................................................................... 42

2.7.3 Release Duet Enterprise Services .................................................................................................. 43

2.7.4 Loading and Preparing the BDC Models .......................................................................................... 45

2.7.5 View Archives of Uploaded BDC Files .............................................................................................. 48

2.8 Specifying SCL Configuration Settings to SAP Systems .............................................................................. 49

2.8.1 Defining Trust between the SCL Host and your SAP Systems for Type 3 connections ............................ 49

2.8.2 Creating a Type 3 RFC destination on SCL Host to SAP System ......................................................... 50

2.9 Create Type G RFC Destination to the SCL ............................................................................................... 53

2.10 Configuring Notification Mails ............................................................................................................... 55

2.11 Setting Up Role Synchronization ........................................................................................................... 56

2.12 Activate the SharePoint Server as a Consumer ....................................................................................... 57

2.13 Activating the SCL .............................................................................................................................. 57 3. Configuring Duet Enterprise Specific Content ................................................................................................... 58

3.1 Configuring Workflow ............................................................................................................................ 58

3.1.1 Activate Workflow BC Set ............................................................................................................. 58

3.1.2 Maintain Workflow Context Data .................................................................................................... 59

3.1.3 Retrieve Endpoint Information ...................................................................................................... 60

3.1.4 Create a Logical Port .................................................................................................................... 61

3.1.5 Customizing Duet Workflows Patterns ............................................................................................ 62

3.1.6 Customizing Workflow Patterns ..................................................................................................... 63

3.1.7 Running Scheduled Reports (Jobs) ................................................................................................. 65

3.1.8 Creating Roles and Assigning Authorization Objects in SAP System .................................................... 67

3.1.9 Manage SAP System Aliases for Workflow ....................................................................................... 68

3.1.10 Check Event Handler .................................................................................................................. 70

3.1.11 Check Adapter Class .................................................................................................................. 71

3.1.12 Create Consumer Proxy .............................................................................................................. 71

3.2 Configuring Reporting ........................................................................................................................... 74

3.2.1 Activate Reporting BC Set............................................................................................................. 74

3.2.2 Defining the Number Range Interval for Reporting Objects ............................................................... 76

3.2.3 Managing System Time Points ....................................................................................................... 77

3.2.4 Retrieve URL for Logical Port ......................................................................................................... 78

3.2.5 Create a Logical Port .................................................................................................................... 78

3.2.6 Manage SAP System Aliases for Reporting ...................................................................................... 79

3.2.7 Manage Source Systems, Report Types and Formats on the SCL ....................................................... 80

3.2.8 Configure a Report ...................................................................................................................... 81

3.2.9 Check Event Handler .................................................................................................................... 83

3.2.10 Check Adapter Class .................................................................................................................. 83

3.2.11 Create Consumer Proxy .............................................................................................................. 84

3.3 Configuring Starter Services .................................................................................................................. 86

3.3.1 Activate Starter Services BC Set .................................................................................................... 86

3.3.2 Configure the Service Provider for Starter Services Endpoints ........................................................... 89

3.3.3 Retrieve External Identifier ........................................................................................................... 91

3.3.4 Export the Profile ........................................................................................................................ 91

3.3.5 Manage Web Services .................................................................................................................. 91

3.3.6 Create a System Connection ......................................................................................................... 92

3.3.7 Create the Account Maintenance User ............................................................................................ 93

3.3.8 Create a Business Scenario Configuration ....................................................................................... 93

3.3.9 Manage SAP System Aliases ......................................................................................................... 94

3.3.10 Add the System Alias and Roles to all Starter Services Relevant Object Groups ................................. 95

3.4 Configure Code Lists ............................................................................................................................. 97

3.5 Caching Code Lists ............................................................................................................................... 98

3.6 Configure Document Upload Option ........................................................................................................ 99

3.7 Configuring User Profile Synchronization ............................................................................................... 100

3.8 Retrieving the URL for the "View Inquiry in SAP System" Link .................................................................. 100 Appendix 1 Service Consumption Layer Overview ............................................................................................. 101

Cross-Phase Documentation ...................................................................................................................... 101

Overview of the Service Consumption Layer ................................................................................................ 102

Architecture of the Service Consumption Layer ...................................................................................... 102

How Service Consumption Layer Works ................................................................................................ 104 Appendix 2 - Duet Enterprise Deployment Worksheet ......................................................................................... 106

Deployment Worksheet ............................................................................................................................. 106

1. Introduction

1

1. Introduction Duet Enterprise enables customers and partners a way to consume and extend SAP applications through Microsoft SharePoint and Microsoft Office 2010 The product brings together the two different worlds of process (SAP Applications) and collaboration (Microsoft SharePoint), by providing an Interoperability layer (the service consumption layer (SAL) that ensures all the basic plumbing between the two systems is addressed so that customers and partners can focus on innovation. Besides the ability to create Duet Enterprise Composite solutions, Ready to Use Capabilities ensure quick time to value, for example, ability to Collaborate on the fly around data from SAP applications or enable SAP workflow items to surface in Microsoft SharePoint or Outlook with additional contextual information from SAP and can be collaborated around This guide provides the steps for installation and configuration of Duet Enterprise on the service consumption layer (SCL). The SCL is a framework that connects Duet Enterprise business users to SAP systems. This guide does not contain the installation and configuration procedures for Duet Enterprise on the SharePoint server. The SharePoint related procedures are included in the Duet Enterprise Deployment Guide for SharePoint Administrators. This section contains: x Before you begin x Coordination between SAP and Microsoft x SCL Overview x Planning the System Landscape x Hardware and software requirements for Duet Enterprise x Prerequisites

1.1 Before you Begin Duet Enterprise is a joint product of SAP and Microsoft. It must be deployed on both the SCL and on servers running SharePoint Server 2010 by the SharePoint administrator. Before you start the deployment, make sure you have read the Duet Enterprise SAP Master Guide where you can learn about the product in general, its landscape and prerequisites, and about the different types of documents available to help you perform the deployment. You can find the Duet Enterprise SAP Master Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0.

1. Introduction 1.2 Coordination between SAP and Microsoft

2

1.2 Coordination between SAP and Microsoft Deploying Duet Enterprise is a coordinated effort between Microsoft and SAP. To complete certain procedures, information must be shared between the administrators deploying the product. For this purpose, the Duet Enterprise Deployment Worksheet has been created which contains all the information that will be shared between the SAP and the Microsoft administrator. Even if one person is deploying Duet Enterprise in both the SharePoint and SAP environments, the deployment worksheet makes it easier to keep track of the information that will be needed in a later procedure. Note also, that some information provided by the SharePoint administrator will be used by the SharePoint administrator in a later procedure. Procedures where information must be gathered to/from the worksheet are marked with the

icon.

1.3 SCL Overview The SCL as a framework is provided as an SAP NetWeaver ABAP Add-On, which you install on top of your existing SAP Business Suite or Application Platform. When installed, it provides the following: x A runtime environment for SAP solutions that integrate desktop programs with SAP systems. x Runtime features including user interface, secure data access, database connectivity, and

network communications for managing applications running on top of the framework. x An infrastructure and tools for developing applications to run on the framework or enhance

SAP solutions which integrate desktop programs with SAP systems. x Connection to multiple SAP systems regardless of their versions. It is required that you have the SCL installed and running in your system before you can install Duet Enterprise. For more information regarding the SCL, refer to the SCL Overview section.

1.4 Planning the System Landscape A landscape is the logical representation of systems consisting of multiple, and distributed components. You implement SCL components in your existing SAP systems landscape. Consider the following when planning the system landscape: x Understanding SCL requirements. x Assessing your existing network infrastructure to help you to determine how to meet the

requirements of the SCL components. x Determining how the supported authentication and security mechanisms in SCL fit into your

existing security policy. x Determining the schedule for making the implementation available to a large number of

users.

1. Introduction 1.5 Hardware and System Requirements for Duet Enterprise

3

The following is an illustration of the SCL system landscape:

Integrated Desktop Programs

SAP system

`

`

`

Service ConsumptionLayer Components

SAP system

SharePoint Server

You implement SCL components such that the SharePoint server components are in a host separate from the host of SCL components interfacing with your SAP systems. Install, and configure Duet Enterprise in the testing landscape, after you complete all configurations and testing, you can make Duet Enterprise available in your production landscape for use by a large audience. To build your own Enterprise Service based application on top of Duet Enterprise, you require an Enterprise Service Repository (ESR). For more information, refer to System Landscape on the SAP Help Portal.

1.5 Hardware and System Requirements for Duet Enterprise The following are the minimum hardware requirements for Duet Enterprise:

Requirements Specification

Processor Dual Core (2 logical CPUs) or higher, 2 GHz or higher

Random access memory (RAM)

8 GB or higher

Hard disk capacity

80 GB primary, or higher


4

The following are the minimum software requirements for Duet Enterprise:


NetWeaver stack

NW 7.0 Eph 2 SP05

.NET framework

.NET 3.0/3.5

Microsoft SharePoint

SharePoint Enterprise 2010 ( 64- bit) OS Windows 2008 ( 64- bit)

Microsoft Office Client

Office 2010 Pro Plus*

Client -Browser IE 7.0 or higher, Firefox 3.x, Safari 4.x

Database/s (Server MS)

- SQL 2008 or SQL 2005 (Enterprise, Standard) Server 64 bit only

SAP system R/3 4.6c or higher

Kernel Part II (for Basis 7.02)

Kernel Patch Level 35

WEBCUIF WEBCUIF 7.00 WEBCUIF 7.1. SP02

The following are the minimum requirements for the SAP systems:


Software x SAP Business Suite x Application Platform x SAP NetWeaver Application Server 7.0 (NW 04s) SP 15, or

SAP NetWeaver Application Server 6.40 (NW04) SP22 for Workflow x ERP 2004, Release SAP_BASIS 640 (SP level 0022), or

ERP 6.0 (2005), Release SAP_BASIS 700 (SP Level 15) for Reports. x NW BI 3.5: Release SAP_BW 350 (SP Level 0022), or

NW BI 7.0: Release SAP_BW 700 (SP Level 17) for Reports. Starter Services require ERP 2004 and higher. x ERP 2004: SA_BASIS 640 (SP level 0022) or higher x ECC-SE 604 SP06

In addition, make sure that you read and implement the most current SAP notes that apply to the required software listed above. You can find these notes at service.sap.com/notes.


5

Relevant SAP notes that apply to SAP NetWeaver ABAP 7.02 SP3 for deploying Duet Enterprise.

Note Number

Description Explanation

1465067 Corrections and Enhancement note for the SCL SP1

This note describes all corrections and enhancements done for the Service Consumption Layer SP01.

1451537 Property EnableEncryption is unknown for profile-based EPs

This note is used to correct the program error in the SOAMANAGER when displaying selected Binding WSDL URLs for profile-based endpoints.

1480794 Business Scenario XML file Sample Services uses Enterprise Service Oriented Architecture (eSOA) services for various business flows. End points for these services have to be configured with an SAP Assertion Logon method as a security mechanism in the SAP ERP system so that these services can be consumed from Service Consumption Layer (SCL) system. This note describes the procedure for doing this.

1.5.1 Gathering Information for Installation You need to collect information about the SCL host for configuration purposes. Note: The SAP and the Microsoft components deployed must belong to the same service pack version. The following table provides a list of some of the information you need to collect.

Required Information Example

Fully qualified domain name (FQDN) Name of the SAP NetWeaver Application Server ABAP system or the load balancing device.

duet.domain.com

Administrator credentials Login information of the administrator of the SAP NetWeaver Application Server ABAP to install and maintain the system.

SCL administrator

HTTP/HTTPS Ports HTTP and HTTPs port numbers of the central instance of the SAP NetWeaver Application Server ABAP.

8000 for http, and 8001 for https

1. Introduction 1.6 Performing Installation Using the Duet Enterprise for Microsoft SharePoint and SAP Wizard

6

SAP system For each SAP system to which you want to connect, the SCL server you need the following information: x System ID, System number x Server name x HTTP / HTTPs port x Administrator credentials

Server Name = duet

System ID = DUE

System Number = 00

HTTP = 80

HTTPS = 8001

Consumer-specific information For several steps you will require information from the SharePoint administrator. Some of the information will only be available once SAP specific data has been handed over to the SharePoint administrator, other data can be provided right away. For example: x HTTPS URL: https://ilvms025.tlv.sap.corp:10001 x ADS Information for Usermapping Sync x AD Server: dev24dc1 x Port: 389 x User: devwdf24\d044410 x Password: xxx x User Base DN: CN=Users,DC=dev24,DC=dev-

wdf,DC=sap,DC=corp

1.6 Performing Installation Using the Duet Enterprise for Microsoft SharePoint and SAP Wizard Note: Before you open the wizard, make sure you have implemented all notes appearing under Composite Note 1539888. The Duet Enterprise for Microsoft SharePoint and SAP Wizard, together with the pre- and post- wizard installation procedures covers all the steps necessary to deploy Duet Enterprise in your system. If the wizard runs smoothly, there is no need to continue with the rest of the tasks that are outlined in this document. To start the wizard, you require some basic information from the SharePoint administrator. You will be able to obtain this information using the Duet Deployment Worksheet located at http://go.microsoft.com/fwlink/?LinkId=207604. Information that has to be handed over to the SharePoint administrator is clearly mentioned throughout the wizard. In the wizard, you can skip as many steps as you want if they should not be automated due to security / traceability reasons (for example, when you only want to run the wizard in your Sandbox / Test environment, but only part of it in your productive environment). Also, if you encounter an error for a certain step, skip this step, perform it manually, and continue using the wizard.


7

The wizard does not only perform configuration steps on the SCL server, but also some required steps on the SAP system (like establishing trusts or creating logical ports). The Wizard assumes the following starting point: x NetWeaver 7.02 SP5+ is installed x End-users and groups are created (at least one user and group; used for activating BC sets) x Profile settings are set for SSO [1.6.2 Setting Profile Parameters] and SSL

[http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm]

Wizard Prerequisites Authorizations To execute the Wizard, several authorizations are required on the SCL and SAP system. On the SCL, the authorization template /IWTNG/LCMWIZARD can be used which contains all required permissions. You can create a role out of the template following the instructions outlined in section 2.3.1 Create and Assign SCL Administrator Role > To create the administrator role and assign it to users using the template /IWTNG/LCMWIZARD instead of the template /IWFND/RT_ADMIN instructed there On the SAP System the following permissions are required to create RFC destinations, exchange certificate and create logical ports:

Authorization Template Permissions

S_ADMI_FCD S_ADMI_FCD=NADM

S_CTS_ADMI CTS_ADMFCT=TABL

S_DATASET PROGRAM=SAPLRSPOR ACTVT=06,33,34,; FILENAME=*

S_GUI ACTVT=61

S_RFC RFC_TYPE=FUGR RFC_NAME=RSPOR, SAIO, SBDC, SBUF, SCCA, SCUST_RFC_GENERATE, SICM, SSFP ACTVT=16

S_RFC_ADM ACTVT=01 RFCTYPE= RFCDEST=* [, ] ICF_VALUE=


8

S_RFCACL RFC_SYSID=* [SID of SCL Server]

S_RZL_ADM ACTVT=01

S_SRT_LPR TCODE=LPCONFIG; PROXY=/OSP/CO_REP_ADAPTER_WSVI_DOCUM; /OSP/CO_RMWRAPPER_VI_DOCUMENT; CO_OSPWACTION_ITEM_VI_DOCUMENT; LP_NAME=LP_PORT_REPORTING [Name of Logical Port]

S_TCODE TCD=LPCONFIG, STRUSTSSO2

S_TRANSPRT TTYPE= ; ACTVT=03;

Customizing Tables There is a possibility that when starting the Wizard via /IWTNG/LCM, the required customizing entries from tables /IWTNG/LCMCONFIG, /IWTNG/LCMSTCONF and /IWTNG/LCMSTEPS are not transported from client 000 to the productive client you are currently working on. In this case, the following error message is displayed: In View cluster :BC-RFC3-RFCDESCR :BC-RFCH-RFCDESCR :BC-RFCH-PATH required customization entries missing :BC-RFC3-RFCDESCR :BC-RFCH-RFCDESCR :BC-RFCH-PATH.

To solve this: 1. Go to Note 1544169 which contains a BC set with the required customizing. Implement the

correction instructions in the note 2. Open transaction SCPR20. 3. From the BC SET menu, select Upload.

The Business Configuration Sets: Activation page is displayed. 4. In the Short Text field, press F4 and select the BC set file attached to the note. 5. Click Activate.

The required customizing tables are populated and the Wizard should work.


9

Information Required from the Microsoft Administrator To complete the wizard, you will require some input from the Microsoft Administrator. The information should be available in the Duet Enterprise Worksheet at http://go.microsoft.com/fwlink/?LinkId=207604 The following table shows the relevant information required for the wizard.

Table 1 Information provided by the SharePoint administrator

Field Example

URL of Web application for report publishing

https:// contoso.corp.com:443

Note: This information is only needed by the SharePoint administrator to perform a procedure during deployment.

SSL certificate file name and location

\\contoso\UpdatedModels\DuetSSLCert.cer

STS certificate file name and location

\\contoso\UpdatedModels\DuetSTSCert.cer

AD DS Server name contosoDC

Tip:

This must be the NetBIOS name of the computer running the Active Directory Domain Services (AD DS) where the user accounts that are used by SharePoint are stored.

Note: If the usernames in the AD DS and the SAP System are the same, you do not need to connect the SCL to the AD DS. Instead, follow the instructions in the Mapping User Data when the User IDs in SharePoint and the SCL Host are the Same section.

Port number of AD DS

389

AD DS account and password

Attribute in AD DS where SAP user name is maintained

This name is an attribute in AD DS. For example, sAMAccountName.


10

Field Example

User Base Domain Name

URL to OBAFileReciever for reporting

https://contoso:445/sites/Reports/_VTI_bin/OBAFileReciever.asmx?WSDL

Tip:

The SAP administrator must have a SharePoint user account that is granted a minimum of Read access to this file.

URL to OBAWorkflowService for Workflow

Table 3 - Accounts needed for SharePoint

Account name Description

Report publisher account

SAP workflows service account

1.6.1 Pre-Wizard Installation Procedures If you execute the Wizard, installation will be complete by the end of it. Nevertheless, following steps must be created manually before you run the wizard.

x Create Users on the SCL System. See 2.3 Setting Up User and Authorization Administrator for the SCL)

x Set Profile Parameters for SSO (login/accept_sso2_ticket & login/create_sso2_ticket) and SSL. See 1.7.2 Setting Profile Parameters.for the SSO parameters and http://help.sap.com/saphelp_nw70ehp1/helpdata/en/85/46453c3ff4110ee10000000a11405a/frameset.htm for the SSL parameters.

x Make sure the SAP Cryptolib is on the right level (You need SSFLIB Version 1.555.28 or higher, using an updated SAPCrypto Lib.) To check the Cryptolib level: a. Open transaction STRUST

The Trust Manager page is displayed. b. From the Menu bar, select Environment > Display SSF Version.

An Information message is displayed. The SSFLIB version is displayed on the first line of the message.


11

x If Reporting, Workflow or Starter Services should be configured, the corresponding roles have to be configured. See 2.3.2 Create and Assign SCL User Role.

1.6.2 Using the Duet Enterprise for Microsoft SharePoint and SAP Wizard To use the wizard: 1. Open transaction /n/IWTNG/LCM. 2. Click Next at the top and provide the required information.

Additional help and explanations is available for each step by clicking the icon.

1.6.2 Post Wizard Installation Procedures After installation, the following procedures need to be performed:

1. Activate the SCL. See 2.13 Activating the SCL. a. On the SCL, open the Service Consumption Layer Administration IMG. b. Click the Display icon. c. Select General Settings > Activate or Deactivate SCL. d. Click the Execute icon.

A message is displayed. e. Click Activate.

A message about the status is displayed. 2. Verify that the Groups mentioned below are deactivated.

a. On the SCL, open transaction SIMGH. b. Select the Service Consumption Layer Administration IMG. c. Click the Display icon. d. Select General Settings > Manage Business Object Groups. e. Click the Execute icon.

The Display View Manage Business Object Groups: Overview page is displayed. f. Clear the Active checkbox for the following groups: x IWCOD x IWDOC x IWEMP x IWF_SAMPLE_USR x IWF_TEST_APP x IWF_TEST_APP_2 x IWREPT x IWRPMD x IW_BOM x IW_MAT x IW_WF

1. Introduction 1.7 Prerequisites

12

3. For configuring Reporting, activate the local reports. a. Open transaction SE38.

The ABAP Editor: Initial Screen is displayed. b. In the Program field, enter /IWCNT/DEMO_REP_LP_CONFIG. c. Click Execute.

This program will configure the required RFC destinations and logical ports. d. To restart ICM (and reset the buffer), form the SCL, open transaction SMICM > [Menu]

Administration > ICM > Exit Soft > Global. 4. For configuring Workflow, perform the procedures described in the following sections in this

document: x 3.1.5 Customizing Duet Workflows Patterns x 3.1.6 Customizing Workflow Patterns x 3.1.7 Running Scheduled Reports (Jobs) x 3.1.8 Creating Roles and Assigning Authorization Objects in SAP System

5. For configuring Starter Services, perform the procedures described in the following sections in this document: x 3.5 Caching Code Lists x 3.6 Configure Document Upload Option x 3.7 Retrieving the URL for the "View Inquiry in SAP System" Link

6. Configure the user profile synchronization, as described in section 3.7 Configuring User Profile Synchrnonization.

At this stage, Duet Enterprise should be completely deployed in your machine.

1.7 Prerequisites During the installation, several basic configuration steps have to be performed and will be outlined. However, the following steps can be performed before you begin, independently of any Duet Enterprise specific configuration.

1.7.1 Important SAP Notes Make sure you read and implement the following SAP Notes. You can find these SAP Notes on SAP Service Marketplace at: http://service.sap.com/notes.

SAP Note Number

Title Comment

1465330 Duet Enterprise 1.0: Release Information Note

Contains essential information about the implementation of Duet Enterprise 1.0.


13

1.7.2 Activating the Services When performing a new installation, the following NetWeaver services are installed but must be manually activated. To activate the services on the SCL: 1. On the SCL, open transaction SICF.

The Maintain Services page is displayed.

2. In the Hierarchy Type field, enter SICFSERVICE. 3. Click the Execute icon.

4. Expand the default_host until you reach /sap/bc/srt/xip/sap. 5. Right-click on sap and select Activate Service.

You are prompted to confirm you want to activate the service.

6. Click .

7. Repeat the procedure for the following services: x /sap/bc/srt/wsil x /sap/bc/srt/xip/sap x /sap/bc/srt/wsdl x /sap/bc/webdynpro/sap/saml2 x /sap/bc/srt/rfc x /sap/public/bc x /sap/public/bc/ur x /sap/public/myssocnt x /sap/bc/webdynpro/sap/appl_soap_management

To activate the services on the SAP system: Note: Not all the services listed below exist in all SAP system releases. 1. On the SAP system, open transaction SICF.

The Maintain Services page is displayed. 2. In the Hierarchy Type field, enter SICFSERCIVE. 3. Click the Execute icon.

4. Expand the default_host until you reach /sap/bc/srt/xip/sap. 5. Right-click on sap and select Activate Service.

You are prompted to confirm you want to activate the service.

6. Click .

7. Repeat the procedure for the following services: x /sap/bc/srt/wsil x /sap/bc/srt/xip/sap x /sap/bc/srt/wsdl x /sap/bc/webdynpro/sap/saml2


14

x /sap/bc/srt/rfc x /sap/public/bc x /sap/public/bc/ur x /sap/public/mysssocnt x /sap/bc/webdynpro/sap/appl_soap_management x /sap/bc/srt/pm

1.7.3 Setting Profile Parameters 1. From the SAP system, use transaction RZ10 to set the login/accept_sso2_ticket

parameter value to 1 and the login/create_sso2_ticket parameter to 2. 2. Repeat procedure for the SCL system.

See http://help.sap.com/saphelp_nw70ehp2/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htm for details

2. Installing Duet Enterprise 2.1 Installing the SCL Components

15

2. Installing Duet Enterprise This section provides the step-by-step instructions for installing and configuring Duet Enterprise. You must perform the steps in the order listed. This section includes: x Installing the SCL components x Configuring Settings for the SCL x Setting Up User and Authorization Administrator for the SCL x Activating BC Sets x Establishing Connections to an SAP System and the SharePoint Server x Specifying Configuration Settings of the SharePoint Server x Creating Endpoints for Duet Enterprise Services x Specifying SCL Configuration Settings to SAP Systems x Creating a Type G RFC Destination to the SCL x Setting up Role Synchronization x Activating the SharePoint Server x Activating the SCL

2.1 Installing the SCL Components You install the SCL components using the SAP Add-On Installation Tool (SAINT), which lets you import the SCL installation packages from your DVD into your SAP system landscape. Note: Make sure you import the latest installation package for both the SAP and the Microsoft components. For more information about the SAINT, see Add-On Installation Tool, on the SAP Help Portal. The following are the SCL installation packages: x IW_FND.sar: Installs the framework components that support the running and developing

of applications and SAP solutions that integrate end user programs with SAP systems. x IW_CNT.sar: Installs content that exposes services based on the capabilities of your

existing SAP system. The content is provided in predefined groups. Examples of such content are: customer, account, and leave request grouped under CRM. System integrators, other vendors, and other SAP development teams can also provide similar content.

x IW_TNG.sar: Installs the Duet Enterprise specific content. These installation packages have a compressed format, so first you unpack them into your local file system. Later, you import them using the installation tool. For detailed information about unpacking the installation packages, see Loading Installation Packages from the Application Server, on the SAP Help Portal.

2. Installing Duet Enterprise 2.2 Configuring Settings for the SCL

16

To install the SCL components: 1. Download all versions of the .SAR files located at:

service.sap.com/swdc > Installations and Upgrades > Installation and Upgrades Entry by Application Group > SAP Application Components > Duet Enterprise > Duet Enterprise 1.0 > Installation. Download DVD1 (containing the IW_FND and WI_CNT .SAR files) and DVD2 (containing the IW_TNG .SAR file) at that location.

2. Download the .SAR files of the latest Service Pack from the following location: service.sap.com/patches> Support Packages and Patches A - Z Index > D > DUET ENTERPRISE > DUET ENTERPRISE 1.0 > Comprised Software Component Versions. Download the SAP IW CNT 100, the SAP IW CNT 100, and the SAP IW FND 100 files.

3. Extract all >SAR files to \\\sapmnt\trans\eps\in 4. Log on to the SAP system in which you want to install the SCL components, and enter the

transaction SAINT. For detailed information about importing the installation packages, see Installing and Upgrading Add-ons, on the SAP Help Portal.

5. Download the Microsoft latest Service Pack from the following location: service.sap.com/patches> Support Packages and Patches A - Z Index > D > DUET ENTERPRISE > DUET ENTERPRISE 1.0 > Comprised Software Component Versions > DUET ENTERPRISE CONTENT 1.0 > Windows Server on x64 64bit. Download the Duet Enterprise 1.0 SP 02 file.

6. Deploy the Duet Enterprise 1.0 SP 02 file to the SharePoint server. For more information, refer to http://technet.microsoft.com/en-us/library/ff972427.aspx.

2.2 Configuring Settings for the SCL Once you have installed the SCL components, you must configure your system to allow the consumer servers applications to retrieve the data requested by users. The following is an overview of the sequence of the configuration tasks: 1. Set up users and authorizations.

You create an administrator role and profile for SCL components, and assign a user to this role. Later, you create users roles and profiles for SCL content, and assign them to the users.

2. Establish connections to your SAP system from SCL, including the following: x Optionally, define connections to the system landscape. x Define a Remote Function Call (RFC) destination to enable communication with the SAP

Systems. x Register the RFC destination. x Create RFC supervisor destination. x Create RFC destination for Web service Internet Language (WSIL) service.

3. Specify configuration settings to connect to the consumer server. 4. Configure the default content for use in consumer server applications.

2. Installing Duet Enterprise 2.3 Setting Up User and Authorization Administrator for the SCL

17

2.3 Setting Up User and Authorization Administrator for the SCL The first configuration task after installation is to set up an administrator role for SCL components and assign users to it. SCL provides predefined roles as templates. These templates are in the format /IWCNT/RT_ADMIN, and /IWCNT/RT_USER_. Use the templates to create user roles for SCL components. Note: After installation, there are no end-users on the SCL. Since all SAP system end-users have to be available on the SCL as well, it is recommended to connect the SCL to a Central User Administration or SAP Identity Management and synchronize the user. If that is not possible, you have to create the users manually.

2.3.1 Create and Assign SCL Administrator Role You create a role for an administrator user with permissions and privileges for several tasks including the following: x Analyze logs and identify potential issues with the SCL landscape. x Install, configure, and maintain SCL components and applications that run on top of SCL. x Configure and maintain users data including, roles, and user mapping. For more information about SAP user administrator types, see Setting up User and Authorization Administrators in the SAP Help Portal. Note: For all steps in the IMG there is always consumer independent documentation available. If you want to get more information, click the Display icon before executing each step.

To create the administrator role and assign it to users: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select User Settings > Define Role for SCL Administrator.

4. Click the Execute icon. The Role Maintenance page is displayed.

5. In the Role field, enter any of the basis roles, for example:

x SAP_BC_BASIS_ADMIN x SAP_BC_CTS_ADMIN x SAP_BC_BASIS_MONITORING x SAP_BC_BATCH_ADMIN x SAP_BC_BDC_ADMIN x SAP_BC_WEBSERVICE You can choose any of the listed standard administrator roles, or enter an existing one.

6. Click Copy Role to create a copy of the standard role.

7. In the Query dialog box, enter a name for the new role in to role, for example, Z_SAP_BC_BASIS_ADMIN . Click Copy all. The Change Roles dialog box is displayed and the role is created.


18

8. In the Role Maintenance page, click the Edit icon. 9. Select the Authorizations tab.

10. Click Change Authorization Data under the Maintain Authorization Data and Generate Profiles section.

11. Select Edit > Insert Authorization(s) > From template.

The Choose Template page is displayed. 12. Select /IWFND/RT_ADMIN from the list.

13. Click the checkmark.

14. Click Generate.

The Generate profile dialog box is displayed. 15. Select the Generate option.

16. In the Assign Profile name for Generated Authorization Profile dialog, maintain the profile name according to your requirements. For example T-SCL550.

17. Click the checkmark. The Change role: Authorizations page is displayed. The status of the profile is displayed as Generated.

18. Go back to the Change Roles page, and select the Users tab in the User Assignment section.

19. Enter the names of the users you want to assign to this role.

20. Click Save. 21. Click User comparison.

The Complete Role Master Record page is displayed. 22. Click Complete comparison.

23. Click Save. 24. Check that the role was properly created and assigned.

Checkpoint: Log on to the SCL system using the user you just assigned. You should be able to access transaction SIMGH and search for the entry Service Consumption Layer Administration

You can logon to the SCL host with the administrator user you have created to configure the SCL components and content, and install consumer applications.


19

Creating a Service User to Access WSDL from SharePoint WSDL is essentially an XML format for describing Web services interfaces. Using WSDL, a service provider can describe the functionality, quality of service requirements, and other features of a Web service, so that a potential requestor can understand how to correctly interact with the service. Note: For more information regarding the WSDL, refer to the SDN at http://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/d99b2014-0b01-0010-a8a0-aa830dbdf5e8

In this procedure, you will provide information to the SharePoint administrator. Open the Duet Enterprise Worksheet located at http://go.microsoft.com/fwlink/?LinkId=207604.

You must access the WSDL from SharePoint using a specific user created for that purpose. To create the user: 1. On the SCL, open transaction SU01. 2. Enter a user name. For example, SP_Access.

3. Click Create. 4. Maintain all required data including password. 5. Do not assign any roles.

6. Click Save.

7. Enter this user name and password in the Duet Enterprise Worksheet, in the User name for WSDL access and Password for WSDL access rows. Checkpoint: Log on to the SCL system using the user you just created. Providing the password you just maintained, you should see the SAP Easy Access page.

2.3.2 Create and Assign SCL User Role You create a role for a user with permissions and privileges for several tasks including the following: x Analyze logs and identify potential issues with the SCL landscape. x Install, configure, and maintain SCL components and applications that run on top of SCL. x Configure and maintain users data including, roles, and user mapping. Use the following templates from the template list to create user roles for default SCL content: x /IWCNT/RT_USER_REP: for a Reporting user x /IWCNT/RT_USER_WF: for a Workflow user x /IWCNT/RT_USER_SS: for a Starter Services user

Note: You must be an SCL administrator or have an SAP user administrator to create the roles.

For more information, see Changing roles on the SAP Help Portal.


20

To create users roles and assign them to users: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon.

3. Select User Settings > Define Role for SCL User.

4. Click the Execute icon to configure roles in the Role Maintenance.

5. In the Role field, enter SAP_BC_ENDUSER, and then click Copy Role.

The Query page is displayed. 6. In the to role field, enter a name for the new role, for example, Z_WORKFLOW. 7. Click Copy all.

The Role Maintenance page is displayed showing the role you just created.

8. Click Edit to change the role. 9. Select the Authorizations tab.

10. Click Change Authorization Data under the Maintain Authorization Data and Generate Profiles section.

11. Select Edit Insert Authorization(s) From template.

The Choose Template page is displayed. 12. Select the /IWCNT/RT_USER_WF template from the list.

13. Click Generate.

The Generate profile dialog box is displayed. 14. Select the Generate option.

15. In the Assign Profile name for Generated Authorization Profile dialog, maintain the profile name according to your requirements. For example T- SCLWF550003.


The Change role: Authorizations page is displayed. The status of the profile is displayed as Generated.

17. Go back to the Change Roles page, and select the Users tab in the User Assignment section.

18. Enter the names of all users that have the Workflow, Reporting or Starter Services role assigned to it.



22. Click Save.

Once you have assigned the users to the relevant roles, you can log on with this user and work with it.


21

Note: Repeat these steps for all roles that you need. For example, Z_REPORTS for users that should get Reporting and Z_SAMPLESERVICES for users that should get Starter Services. Note: For the users performing the Grant user access to SAP workflow tasks procedure in SharePoint ONLY, make sure you assign the authorization object S_Service to the role.

To assign the SAP_BC_WEBSERVICE_CONSUMER role to all end users: 1. On the SCL, open the Service Consumption Layer Administration IMG.


3. Select User Settings > Define Role for SCL User.

4. Click the Execute icon to configure roles in the Role Maintenance.

5. In the Role field, enter SAP_BC_WEBSERVICE_CONSUMER and click Edit. 6. Select the Users tab in the Role section. 7. Enter the names of the users you want to assign to this role.



11. Click Save.

Checkpoint: Take some of the users assigned to the different roles (for example, Z_REPORTS and SAP_BC_WEBSERVICE_CONSUMER), and make sure that you can log on successfully.

To allow certain users to fetch roles from the SAP system: 1. Create a user as described in the To create users roles and assign them to users

procedure above. 2. In step 12, instead of selecting the /IWCNT/RT_USER_WF template, select the

S_USER_AGR the authorization object. 3. Continue with the procedure.

2. Installing Duet Enterprise 2.4 Activating BC Sets

22

2.4 Activating BC Sets A Business Configuration Set (BC Set) is a management tool that allows users to record, save, and share customized settings. By creating a BC Set, the user is provided with a snapshot of the customized settings of a system that can be used later on as a template. Duet Enterprise provides four BC sets to make the content specific configuration easier by automating several of the procedures. It is recommended that you use and activate these four BC sets: x /IWTNG/BC_GENERAL_CUSTOMIZING x /IWTNG/BC_WORFKLOW x /IWTNG/BC_SAMPLE_SERVICES x /IWTNG/BC_REPORTING

Note: You do not need to activate the BC sets to perform configuration. You can perform all configurations manually.

This section describes how to activate the /IWTNG/BC_GENERAL_CUSTOMIZING BC set. For activating the other BC Sets, refer to the Configuring Duet Enterprise Specific Content section. After activating the BC Set, you can continue with the regular deployment flow. Procedures that have been automated by the BC set contain a note asking you to skip them. To activate the /IWTNG/BC_GENERAL_CUSTOMIZING BC set: 1. On the SCL, open transaction SCPR20.

The Business Configuration Sets: Activation page is displayed. 2. In the BC Set field, press F4. 3. Select the /IWTNG/BC_GENERAL_CUSTOMIZING BC set.

4. Click the Activate icon. The Prompt for Customizing Request page is displayed.

5. In the Request field, press F4.

6. Select a customizing request and click the checkmark. The Activation Options page is displayed.

7. In the Select Activation Mode section, select the Expert Mode radio button.


The /IWTNG/BC_GENERAL_CUSTOMIZING BC set is activated. Checkpoint: Refer to chapter Defining Consumer Issuer Certificate to check if customizing entries were done like outlined in each chapter.

2. Installing Duet Enterprise 2.5 Specifying Configuration Settings of the SharePoint Server

23

2.5 Specifying Configuration Settings of the SharePoint Server You configure settings for SCL components and define how these settings interface with the SharePoint server. Requirements: Make sure that you installed the SCL components. The following is an overview of the configuration tasks: x Configure the SLD x Define settings for idempotent services (This means that the service call will be executed

exactly once.) x Define consumer issuer certificate x Create RFC destination for outbound queues x Register RFC destination x Create bgRFC supervisor destination x Check bgRFC configurations x Create RFC destination for WSIL service x Configure Web Service message-based authentication x Prepare the models for consumer server

2.5.1 Configuring the SLD System Landscape Directory (SLD) contains component information, a landscape description, and a name reservation, based on the standard Common Information Model (CIM), which is independent of your implementation. SLD communicates with a client application using HTTP. Optionally, you can configure SCL to connect to the SLD and to send data periodically about the system landscape. Note: Connecting the SCL to an SLD is optional. You can connect an SCL to an SLD only if there is an SLD in your system landscape. To establish connection to the SLD from the SCL: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select Connection Settings > Connect SCL to SLD.

4. Click the Execute icon to configure the connection.

For more information regarding the SLD, refer to the following link on the SAP Help Portal: Architecture Overview of Data Supplier. For more information on how to register an ABAP-based SAP system and its clients in the landscape description of the SLD, refer to the following link on the SAP Help Portal: Registering ABAP-Based SAP Systems.


24

2.5.2 Defining Settings for Idempotent Services You configure idempotent services by scheduling a background job that ensures that request messages in SCL occur once. Idempotency guarantees delivery of synchronous messages exactly once. To define settings for idempotent services: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select Connection Settings > SCL to Consumer > Define Settings for Idempotent

Services.

4. Click the Execute icon.

The Program SRT_WS_IDP_CUSTOMIZE page is displayed. 5. Enter the default values: for Period Hours in Document, the value is 6, and for

Document ID, the value is 12.

6. Click the Execute icon. A message confirming that the job has been scheduled is displayed.


Checkpoint: a. Open transaction SM37.

The Simple Job Selection page is displayed. b. In the Job name field, enter SAP_BC_IDP_WS_SWITCH* . c. In the User name field, enter *. d. In the Job status section, select the Sched. checkbox. e. Click on Execute

You should see some entries for the two jobs SAP_BC_IDP_WS_SWITCH_BD and SAP_BC_IDP_WS_SWITCH_BDID.

2.5.3 Creating RFC Destination for Outbound Queues You must create a background remote function call (bgRFC) destination for communications in an outbound queue or an inbound queue respectively. To create bgRFC destination for Outbound Queue: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select Connection Settings > SCL to Consumer > Create RFC Destination for

Outbound Queues.

4. Click the Execute icon. The Configuration of RFC Connections page is displayed.


25

5. Click the Create icon. The RFC Destination page is displayed.

6. In the RFC Destination field, enter IWFND_BGRFC_DEST. 7. In the Connection Type field, enter 3. 8. In the Description 1 field, enter RFC Destination for Outbound Queues. 9. Press Enter, and select the Special Options tab. 10. In the Select Transfer Protocol section, select Classic with bgRFC from the list. 11. Click Save.

A warning message is displayed. 12. Click Yes, and select Connection test.

Information about the connection type is displayed.

2.5.4 Registering the bgRFC Destination for Outbound Queue You register the bgRFC destination to efficiently handle communications. To register the RFC Destination for Outbound Queue: 1. On the SCL, open transaction SIMGH. 2. Select the Service Consumption Layer Administration IMG.


4. Select Connection Settings > SCL to Consumer > Register RFC Destination for Outbound Queues.


The bgRFC Configuration page is displayed. 6. Select the Define Inbound Dest. tab.

7. Click Create.

The Configure Inbound Destination page is displayed. 8. In the Inb. Dest. Name field, enter IWFND_BGRFC_DEST. 9. Press Enter and then click Save. 10. In the New Prefix field, enter IWFND_CNP and click Create, repeat the step using IWCNT_WF. 11. Click Save.

12. Select the Scheduler Destination tab.

13. Click Create.

A message asking if you want an outbound or inbound destination is displayed. 14. Click Inbound.

The Create Scheduler Settings for Inbound Destination page is displayed. 15. In the Destination field, enter IWFND_BGRFC_DEST. 16. Click Save.

17. In the bgRFC destination page, click Save.


26

2.5.5 Creating bgRFC Supervisor Destination The supervisor destination for bgRFC that you create receives the configuration settings for the bgRFC scheduler. In addition, it starts or stops the schedulers as required. Note: The bgRFC supervisor user you specify must have authorizations from authorization object S_RFC. These are defined in role SAP_BC_BGRFC_SUPERVISOR. To create the bgRFC Supervisor Destination: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select Connection Settings > SCL to Consumer > Create bgRFC Supervisor

Destination.

4. Click the Execute icon. The bgRFC Configuration page is displayed.

5. Select the Define Supervisor Dest. tab.

6. Click Create. The Create bgRFC Destination for Supervisor page is displayed.

7. In the Destination Name field, enter BGRFC_SUPERVISOR. 8. In the User Name field, enter a user name, for example, BgRFC_user. 9. Select the Create User checkbox. 10. Press Enter. 11. Select the Generate Password checkbox.

12. Click Save.

13. In the bgRFC destination page, click Save.

2.5.6 Checking bgRFC Configurations You must check the settings specified to ensure the efficiency the bgRFC. To check the bgRFC settings: 1. On the SCL, open the Service Consumption Layer Administration IMG.

2. Click the Display icon. 3. Select Connection Settings > SCL to Consumer > Check BgRFC Configurations.

4. Click the Execute icon. The BgRFC Configuration Check Results page is displayed.



27

2.5.7 Creating RFC Destination for WSIL Service You create an RFC destination for the Web Service Inspection Language (WSIL) service on the SCL server. To create an RFC destination for WSIL services: 1. On the SCL, open the Service Consumption Layer Administration IMG.


3. Select Connection Settings > SCL to Consumer > Create RFC Destination for WSIL Service.


The Configuration of RFC Connections page is displayed.

5. Click Create.

The RFC Destination page is displayed. 6. In the RFC Destination field, enter IWFND_WSIL_LOCAL_DEST.

7. In the Connection Type field, enter H and then click the checkmark. 8. In the Description field, enter RFC Destination for WSIL Service. 9. Press Enter. 10. In the Target Host field, enter the SCL Host. 11. In the Service No. field, enter the HTTP Port. 12. In the Path Prefix field, enter the path of the local WSIL Service. For example,

/sap/bc/srt/wsil. Note: The SAP/BC/SRT/WSIL service must be activated via SICF. To obtain the WSIL URL: a. Log on to the SCL system you specified as a provider, and enter transaction SICF. b. In the Type Hierarchy field, enter SERVICE. c. Enter WSIL for the service name. d. Click Execute.

The WSIL service should now be listed. The default value for the URL is: http:///sap/bc/srt/wsil

Note: The WSIL service lists the configuration of all Web services exposed by the system. Note: You can double-click on the service to obtain the URL.

13. Click Connection Test.

14. Click Save.

Checkpoint: Click Connection test. The result in the Test Result tab should contain the Status HTTP Response 200.

2. Installing Duet Enterprise 2.6 Establishing Connections to an SAP System and the SharePoint Server

28

2.6 Establishing Connections to an SAP System and the SharePoint Server Note: For Duet Enterprise, the Consumer is SharePoint. The IMG refers to Consumer because it is a generic tool. You must define and configure settings for connecting the SCL to both your SAP system and to the SharePoint server. There are different ways in which these two systems can communicate between themselves: x SharePoint to SCL connection

SharePoint communicates with the SCL via HTTPS Web service calls. For this to be possible, Services and end-points need to be created and released on the SCL server (refer to Release Duet Enterprise Services). You also need to configure SAML (refer to Configuring the SCL Host to use SAML Authentication)

x SCL to SharePoint connection The SCL sends data to SharePoint via HTTPS logical ports which are scenario specific. For this, an SSL trust has to be established (refer to Create Consumer Proxy for Reporting and Create Consumer Proxy for Workflow).

x SCL to SAP system connection The SCL can communicate with the SAP systems in two ways: via HTTP/Web service calls (Type G RFC destinations) and classic ABAP RFC calls (Type 3 RFC destinations). a. Type G RFC calls are used for Starter Services (refer to Create Type G RFC Destination to

the SCL). For this, the SCL system has to trust the certificates of the SAP system (refer to the Duet Enterprise Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0.)

b. Type 3 RFC destinations are used by Reporting, Workflow and Starter Services. (Refer to Create a Type 3 RFC destination on SCL Host to SAP System). For this the SCL has to be configured as a trusted system in the SAP system. (Refer to Defining Trust between the SCL Host and your SAP Systems for Type 3 connections)

x SAP system to SCL connection The SAP system uses HTTPS / Web service calls to communicate to the SCL. This is used by Workflow (refer to Create a Logical Port) and Reporting (refer to Create a Logical Port). For this a SSL trust has to be established (refer to the Duet Enterprise Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0) and the SCL has to accept certificates from the SAP system (see Configuring the SCL Host to Accept Assertion Tickets from SAP Systems)


29

2.6.1 Configuring the SCL Host to use SAML Authentication You configure the SCL host to enable authentication for users from the SharePoint server using SAML tokens. Requirements Make sure that you have configured the following: x User mapping records. x A Security Token Service to issue SAML tokens. x The use of SSL between the SCL host and the consumer server. x The use of SSL between the SCL host and the Security Token Provider system. x The use of SAML authentication in the consumer server and clients. The following is an overview of the sequence of tasks for configuring the use of SAML in the SCL host: 1. Enable message-based Web service authentication. 2. Specify the Security Token Provider system as a trusted system. For more information about configuring the Security Token Provider system as a trusted system in the SCL landscape, refer to the Service Consumption Layer: SAP Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0.

Enable Message-Based Authentication Message-based Web services go to the Internet Communication Framework (ICF) to perform the logon using a technical user DELAY_L_ stored in the ICF. As the ICF cannot access SOAP data, it cannot logon directly using the authentication data in the SOAP document. You must create the DELAY_L_ user without any authorizations in a secure storage. The user DELAY_L_ gains access, and the SCL host evaluates the sent token. If the user name and password match, the SCL host performs a user exchange and logs on the user specified in the token. To enable message-based authentication: 1. On the SCL, open the Service Consumption Layer Administration IMG.


3. Select Connection Settings > SCL to Consumer > Configure Web Service Message-Based Authentication.

4. Click the Execute icon

The Configuration of WSS_SETUP page is displayed. 5. Select ICF Node Update.

Note: If this is the first time you run this activity, the ICF Node Update checkbox is not available. Skip this step, and after the procedure is complete, go back to Connection Settings > SCL to Consumer > Configure Web Service Message-Based Authentication and click the Execute icon again.


30

This option specifies and repairs the user, DELAY_L_ in all ICF nodes. This may be necessary if the user DELAY_L_ has been locked or changed, or if its password has been changed.

6. Select Provider Configuration in the Secure Token Service (Service Conversation) section. This is a dedicated service required to obtain the SecureContentToken.

7. Specify the following in the WS Security Options section: x Algorithm Suite: Select TripleDesSha256RSA15 for the algorithm suite.

Note: Make sure that TripleDesSha256RSA15 is listed. If it is not listed, check the SSFLIB Version using transaction STRUST, then go to Environment Display SSF Version. You need SSFLIB Version 1.555.28 or higher, using an updated SAPCrypto Lib.

x Clock Skew: Specify the value 120, this is the tolerance to compensate for time difference between the consumer server and the SCL host.

x Select Detect message replays to detect and prevent Web service messages that are being called repeatedly.

x SAML 1.1 Trust: Choose Use SAML Trust. 8. In the Test Run section, unselect Test Run, and click Execute. You can run this report

multiple times.

The result displays many details, including, the list of services activated and the message: Configuration for WS Security logon successfully checked. Note: On the first run there might be an error due to missing users. It is recommended to run it a second time to ensure that no errors are displayed. Note: If the provider configuration cannot be created, open transaction SICF and activate node /sap/bc/srt/xip/sap. Checkpoint: a. Run the WSS_SETUP again by executing steps 1 to 4. b. Leave all settings as default and click on execute.

The following lines should be displayed in the WS Security Options section: x Algorithm Suite:TripleDesSha256Rsa15 x Clock Skew(sec):120 x Detect message replays x SAML 1.1 Trust:SAML2

Specify the Security Token Provider System as a Trusted System

To complete this procedure, you will require input from the SharePoint administrator. Open the Duet Enterprise Worksheet located at http://go.microsoft.com/fwlink/?LinkId=207604.

From the SCL host you define the STS host as a trusted system by importing its signed certificate as proof of the identity of the STS system.


31

For information about configuring the STS host as a trusted system, see the Service Consumption Layer: SAP Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0. Requirements: Make sure that you have: x Activated HTTP security session using transaction SICF_SESSIONS. A list of all of the

clients that exist in the system appears. Select the relevant client and choose Activate. x Information about the STS issuer name, and STS public-key certificate, as you need to

provide details of the STS system in the SCL host. This information has to be provided by the SharePoint administrator.

x You use the SAML 2.0 wizard, a browser application, to do the following: x Specify the local provider information. x Configure HTTP security in the SCL host. x Specify the Web service policy

To specify the local provider details: Note: If you have SAML 2.0 support enabled, you can skip steps 6-9 in this procedure. 1. On the SCL, open the Service Consumption Layer Administration IMG.


3. Select Connection Settings > SCL to Consumer > Configure Consumer STS.


The SAML 2.0 Local Provider Configuration wizard is displayed using the URL: https://sap/bc/webdynpro/sap/saml2 Note: You need the user and password to logon.

5. Click Enable SAML 2.0 Support. The SAML 2.0 Local Provider Configuration is displayed.

6. Enter the following in Initial Settings and click Next: x Provider Name: Enter the provider name, making sure there are no spaces in the

name. For example, SCL_Provider. x Operation Mode: Do not change the specified value, Service Provider.

7. In General Settings, enter 120 in Clock Skew Tolerance and click Next. 8. In Service Provider Settings, specify the following (default settings): x In the Selection Mode field under Identity Provider Discovery, select Manual. x In the Affiliation Name field under, do not make any change. x In the Supported Bindings field under Assertion Consumer Service, select HTTP

POST, HTTP Artifact, and PAOS. x In the Supported Bindings under Single Logout Service, select HTTP Redirect,

HTTP POST, HTTP Artifact, and SOAP. x Under Artifact Resolution Service, select Enabled in Mode, and specify 60 in

Artifact Validity Period.


32

9. Click Finish. A summary of the local provider details in the SAML 2.0 Configuration wizard of ABAP System:/ is displayed.

To configure HTTP security in the SCL host: 1. Select the Trusted Providers tab and do the following: x In Show under List of Trusted Providers, choose Secure Token Services, click Add,

and then select Manually. The New Trusted Secure Token Services Provider wizard is displayed.

x In the Name field, enter SharePoint and click Next. This a unique name identified by the SAML Issuer attribute in a SAML assertion.

x Click Browse and then Upload File and specify the location of file for the signed certificate from the STS system, and then click OK. Upload the STS file from SharePoint. Open the Duet Enterprise Worksheet and copy the file information from the SSL certificate file name and location row.

2. Click Next in Signature and Encryption. Information about the signing certificate is displayed.

3. Click Next. The Endpoint page is displayed.

4. Click Add; the following details about the STS system display: x In the Provide Location URL field, enter the URL of the STS system. For example,

http:///_vti_bin/sts/spsecuritytokenservice.svc/windows x In the MEX URL field, enter the MEX URL for the STS system: For example, ,

http:///_vti_bin/sts/spsecuritytokenservice.svc?wsdl Note: The name of the has to be handed over from the SharePoint administrator in the Duet Enterprise Worksheet, in row URL to Web application for report router site.

5. Click Finish. 6. From the Trusted Provider tab, select the STS system, and then click Edit.

The Details of Security Token Provider page is displayed. 7. For Supported SAML Versions, select SAML 1.1, and make sure that SAML 2.0 is not

selected. 8. Set the Assertion-Validity (Holder-of-Key) to the value defined in SharePoint, by default

600. 9. Select the Identity Federation tab, and then click Add. 10. Select Unspecified from the list in Supported NameID Formats and click OK. 11. In Source under Details of NameID Formats , select Mapping in

USREXTID Table from the list. 12. Click Save and then click Enable.


33

To specify the Web service policy: 1. From the Policies tab, select Web Service Policies from the list. The list contains STS

entries from the table WSS_STS_URL_TAB. 2. Click Add.

The SAML 2.0 Configuration window is displayed. 3. In the Policy name field, enter SharePoint. 4. Select the name of the STS provider from the list in Security Token Service Provider. 5. Select the placeholder URL of the STS system from the list in STS Location URL. The MEX

URL is automatically added. 6. In SAML Type, select Asymmetric consumer key, STS as a tester, and in SAML

Version select SAML 1.1, and then click OK. Note: Write down the Policy name as you will need it when importing the SAML profile in SOAMANAGER.

Defining Consumer Issuer Certificate Note: If you activated the BC_GENERAL BC set, these settings should already be available. There is no need to perform this procedure. You must configure the SCL host to identify the SAML token issuer for the users in a specific consumer server. By doing so, you enable the SCL host to map users correctly between the specific consumer and SCL. To define consumer issuer certificate: 1. On the SCL, open the Service Consumption Layer Administration IMG.


3. Select Connection Settings > SCL to Consumer > Define Consumer Issuer Certificate.


The Define Consumer Details page is displayed. 5. Click New Entries. 6. In the Consumer Type field, press F4, and select SHAREPOINT_INT. 7. In the Issuer Name field, enter SharePoint.

Note: this entry is case sensitive. 8. In the Issuer Certificate field, enter CN=SharePoint Security Token Service,

OU=SharePoint, O=Microsoft, C=US 9. Click Save.

The SCL maps users in a specific consumer server to SCL users based on the SAML token issued by an STS.


34

Configuring the Use of SSL between the SCL Host and SharePoint

To complete this procedure, you will require input from the SharePoint administrator. Open the Duet Enterprise Worksheet located at http://go.microsoft.com/fwlink/?LinkId=207604

You configure the SCL host, SAP NetWeaver AS ABAP, to use SSL for communications with SharePoint. For more information about SSL settings in the SCL landscape, see the Service Consumption Layer: SAP Security Guide at SAP Service Marketplace at: http://service.sap.com/instguides o SAP Business Suite Applications o Duet Enterprise o Duet Enterprise 1.0. Requirements Make sure that you have: x Information about the SSL public-key certificate, you need to provide details of the SSL

system in the SCL host. To implement SSL for use between the SCL host and the consumer server, you must configure SSL in the two systems. x Configure the SharePoint server to use SSL.

To configure SSL for use in the SharePoint server, see the specific SharePoint server documentation.

x Configure the SCL host to use SSL. If you have already configured the SCL host to use SSL, you can skip the following procedures.

To configure the use of SSL in the SCL host: 1. On the SCL, open the Service Consumption Layer Administration IMG, and select

Connection Settings > SCL to Consumer > Manage Security Trust.


The Trust Manager page is displayed. 3. Generate key pairs for SSL.

a. Right-click on SSL server Standard. b. Click Create. c. Maintain the correct data for Name, Org, Comp, Country, CA, Algorithm and Key Length

and click the checkmark. d. If needed adjust the Distinguished Name for the displayed hosts and click the

checkmark. Note: A self signed certificate is created. If required, you can sign this certificate by a Certificate Authority.


35

Note: Make sure that an HTTPS port is set in the profile parameters as shown in the Configuring the AS ABAP for Supporting SSL help topic found at: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm. To verify that the HTTPS port is active: i. Open transaction SMICM.

The ICM Monitor page is displayed. ii. From the menu bar, select Goto > Services.

The ICM Monitor Service Display page is displayed. iii. In the Active Services table, check that the HTTPS entry is Active.

4. Export the SSL server certificate. a. Under SSL server (Standard), double-click the certificate displayed.

The Own certificate is displayed. b. Double click on the certificate.

The certificate is displayed in the Certificate area. c. Click Export Certificate. d. In the File path field, enter a file name, for example, C:\SCL-SSL.cer. e. In the File format section, select the Binary radio button. f. Click the checkmark to export the certificate to the file system. g. Add the certificate name and location to the Duet Enterprise Worksheet, in the SSL

Certificate location and file name row. 5. Import the certificate.

a. Right-click SSL client SSL Client (Anonymous) and select Create. b. Click the checkmark. c. Double-click the certificate displayed. d. Click Import Certificate.

The Import Certificate page is displayed. e. Enter the SharePoint SSL server certificate. To find the certificate, see the Duet

Enterprise Worksheet, SSL certificate file name and location row. Note: The imported certificate must be in .CER format.

f. Click the checkmark. g. Click Add to Certificate List. h. Click Save. i. Repeat this procedure steps for all the certificates you received from the SharePoint

administrator. Checkpoint: To verify that the SharePoint SSL certificate was successfully created, create an RFC type G destination to the SharePoint server (for further information, refer to the Create Type G RFC Destination to the SCL section). Perform a connection test, and make sure that you do not get any ICM_HTTPS_SSL certificate error.


36

2.6.2 Mapping User Data in the SAP System and the SharePoint Server User mapping maps a user ID in the SharePoint server to the user ID in the SAP system for the same user. User mapping is required if users have different user IDs in the SCL host and in the SharePoint server; passwords are not mapped. If the user ID on the SharePoint is domain\username and in the SAP system it is only username this is still considered as being different user IDs. The user's ID in the SharePoint server and the users ID in the SCL host are stored in the user's logon ticket for single sign-on. When the user tries to access an SAP system, the system extracts the user ID from the logon ticket.

Mapping User Data when the User IDs in SharePoint and the SCL Host are the Same If the usernames on SharePoint are the same as on the SCL server, you do not have to connect the SCL to the Active Directory Domain Service to perform mapping. Instead, you can use the BAdI included in Note 1542681 and perform the steps below. To map the SAP user names to SharePoint: 1. On the SCL, open transaction SIMGH. 2. Select the Service Consumption Layer Administration IMG.

3. Click Display.

4. Select Consumer Settings > Map SAP User Names to Consumer.

5. Click Execute.

The Enter Correct SNC Names in Table View VUSREXTID page is displayed. 6. In the External ID Type field, select SA. 7. In the Prefix of External Name field, enter SharePoint:: domain, where DOMAIN is the

domain in which the users are located, for example, SharePoint::devwdf24 8. In the Suffix of External Name field, delete any existing data. 9. In the Optional: Name of Issuer field, enter CN=SharePoint Security Token Service,

OU=SharePoint, O=Microsoft, C=US (This is the Issuer name of the SharePoint Security Token Service certificate that you previously imported when running the SAML2 Wizard.) Note: You cannot use the F4 help here.

10. Select the BAdI Implementation radio button. 11. In the BAdI Implementation field, press F4 and select Simple bulk user mapping. 12. Under Further Options, deselect the Test Mode checkbox.

13. Click Execute.

The Enter Correct SNC Names in Table View VURSEXTID page is displayed. 14. Check that the Number of External Names Added is greater than 0.

Checkpoint: a. Open transaction SM30. b. In the Table/View field, enter VUSREXTID.


37

Documents

Duet e Depl Guide Installation Guide