Xir2 Bip Deploy En

BusinessObjects Enterprise™ XI Release 2 Deployment and Configuration Guide

BusinessObjects Enterprise XI Release 2

Patents Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352.

Trademarks Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners.

Copyright Copyright © 2007 Business Objects. All rights reserved.

Third-party contributors

Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at:http://www.businessobjects.com/thirdparty

Contents
Chapter 1 Getting Started 23
About this help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Who should use this help? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24About BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Where should I start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Planning or performing your first deployment . . . . . . . . . . . . . . . . . . . 25Configuring your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Changing your deployment’s architecture . . . . . . . . . . . . . . . . . . . . . . 26Improving your system’s performance . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 2 BusinessObjects Enterprise Architecture 29Chapter overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Architecture basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Client tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Central Management Console (CMC) . . . . . . . . . . . . . . . . . . . . . . . . . 33Central Configuration Manager (CCM) . . . . . . . . . . . . . . . . . . . . . . . . 33Publishing Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Application server and BusinessObjects Enterprise SDK . . . . . . . 35Web Component Adapter (WCA) . . . . . . . . . . . . . . . . . . . . . . . . . 35

Web development platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Java platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Windows .NET platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Web application environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Central Management Server (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . 38

BusinessObjects Enterprise Deployment and Configuration Guide 3

Contents

Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Program Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Web Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Destination Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Desktop Intelligence Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Report Application Server (RAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Data tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Report viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Information flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

What happens when you schedule an object? . . . . . . . . . . . . . . . . . . . 46What happens when you view a report? . . . . . . . . . . . . . . . . . . . . . . . . 47

Report viewing with the Cache Server and Page Server . . . . . . . . 49Report viewing with the Report Application Server . . . . . . . . . . . . 50Viewing Web Intelligence documents . . . . . . . . . . . . . . . . . . . . . . . 51

Choosing between live or saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Live data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Saved data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Security management components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Web Component Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Chapter 3 Planning Your Deployment 57Planning your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Assessing your organization’s needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4 BusinessObjects Enterprise Deployment and Configuration Guide

Contents

Estimating the number and type of users . . . . . . . . . . . . . . . . . . . . . . 59Other user considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Estimating the number of simultaneous requests . . . . . . . . . . . . . . . . 61Estimating the number of concurrent active users and viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Concurrent active users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Calculating resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Analyzing service thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68List of Values Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 69Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Calculating the minimum resource requirements . . . . . . . . . . . . . . . . . 71Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Report Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . 73Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Page Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Summary of resource calculations . . . . . . . . . . . . . . . . . . . . . . . . 73

Designing for high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Designing a multiple-server system for high availability . . . . . . . . 77

Common configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Single-machine architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Balanced processing architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79High availability clustered architecture . . . . . . . . . . . . . . . . . . . . . . . . . 80Firewalled architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81


Contents

Chapter 4 Creating a WebSphere cluster 83Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Creating a WebSphere cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Starting the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Creating a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Checking the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Adding the assigned port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Setting heap size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Setting internal system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 92Installing the applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Mapping BusinesssObjects WAR files to the cluster . . . . . . . . . . . . . . 95Regenerating the web server plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Chapter 5 Managing and Configuring Servers 97Server management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

BusinessObjects Enterprise administrative tools . . . . . . . . . . . . . . . . . 98Viewing and changing the status of servers . . . . . . . . . . . . . . . . . . . . . . . . 99

Starting, stopping, and restarting servers . . . . . . . . . . . . . . . . . . . . . . . 99Stopping a Central Management Server . . . . . . . . . . . . . . . . . . . . . . . 102Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Printing, copying, and refreshing server status . . . . . . . . . . . . . . . . . . 104

Adding and deleting servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Adding a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring the application tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Configuring the Web Component Adapter . . . . . . . . . . . . . . . . . . . . . 108

Configuring the Java Web Component Adapter . . . . . . . . . . . . . . 109Changing the default session timeout value for the Java CMC . . 110Changing the default session timeout value for the Java InfoView . .111

Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . . 112Configuring the .NET Web Component Adapter . . . . . . . . . . . . . 113


Contents

Configuring the intelligence tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Clustering Central Management Servers . . . . . . . . . . . . . . . . . . . . . . 114Adding a new CMS cluster member . . . . . . . . . . . . . . . . . . . . . . . . . 116

Installing a new CMS and adding it to a cluster . . . . . . . . . . . . . 116Adding an installed CMS to a cluster . . . . . . . . . . . . . . . . . . . . . 117Adding clustered CMSs to the web.xml file . . . . . . . . . . . . . . . . . 119Preparing to migrate a CMS database . . . . . . . . . . . . . . . . . . . . 119Changing the name of a CMS cluster . . . . . . . . . . . . . . . . . . . . . 121

Copying data from one CMS database to another . . . . . . . . . . . . . . . 122Deleting and recreating the CMS database . . . . . . . . . . . . . . . . . . . . 127Selecting a new or existing CMS database . . . . . . . . . . . . . . . . . . . . 128Setting root directories and idle times of the File Repository Servers 130Modifying performance settings for Cache Servers and Event Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Configuring the processing tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Modifying performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Configuring the destinations for job servers . . . . . . . . . . . . . . . . . . . . 133

Enabling or disabling destinations for job servers . . . . . . . . . . . . 133Configuring the destination properties for job servers . . . . . . . . . 134Inbox destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Email (SMTP) destination properties . . . . . . . . . . . . . . . . . . . . . 136FTP destination properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Unmanaged Disk destination properties . . . . . . . . . . . . . . . . . . . 139

Configuring Windows processing servers for your data source . . . . . 140Configuring UNIX processing servers for your data source . . . . . . . . 141

Native drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141ODBC drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Advanced server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . 146Changing the default server port numbers . . . . . . . . . . . . . . . . . . . . . 147Configuring a multihomed machine . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring the CMS to bind to a network address . . . . . . . . . . . 150Configuring the remaining servers to bind to a network address 150

Adding and removing Windows server dependencies . . . . . . . . . . . . 150


Contents

Changing the server startup type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Changing the server user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 152Configuring servers for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Creating key and certificate files . . . . . . . . . . . . . . . . . . . . . . . . . 153Configuring the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Chapter 6 Working with Firewalls 157Firewalls overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

What is a firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158TCP/IP and packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Firewall types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160SOCKS proxy servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Understanding firewall integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Communication between servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Communication between servers and the CMS directory listing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Communication between the application tier and CMS . . . . . . . . 163

Firewall configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164Typical firewall scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Application tier separated from the CMS by a firewall . . . . . . . . . 165Thick client separated from the CMS by a firewall . . . . . . . . . . . . 165

Configuring the system for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Configuring desktop products across a firewall . . . . . . . . . . . . . . . . . . 166Configuring for Network Address Translation . . . . . . . . . . . . . . . . . . . 167

Configuring NAT when application tier is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168Configuring NAT when thick client is separated from the CMS . . 171

Configuring for packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172Configuring packet filtering when application tier is separated from CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172


Contents

Configuring packet filtering when thick client is separated from the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Configuring for SOCKS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Configuring the CMS for SOCKS Servers . . . . . . . . . . . . . . . . . . 176Configuring the WCA for SOCKS servers . . . . . . . . . . . . . . . . . . 177

Chapter 7 Security Concepts 179Security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Authentication and authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Primary authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Single sign-on to BusinessObjects Enterprise . . . . . . . . . . . . . . 184Single sign-on to database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184End-to-end single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Security plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185BusinessObjects Enterprise security plug-in . . . . . . . . . . . . . . . . 186

Processing extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Active trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Logon tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Ticket mechanism for distributed security . . . . . . . . . . . . . . . . . . . . . 189

Sessions and session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191Session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192CMS session tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Environment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Web browser to web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Web server to BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . 194

Auditing web activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Protection against malicious logon attempts . . . . . . . . . . . . . . . . . . . 194Password restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Logon restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195User restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Guest account restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

User creation opitons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196


Contents

Alias options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196User type options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Update options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Chapter 8 Modifying default security behavior 199Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200Disabling the restoration of a timed out session . . . . . . . . . . . . . . . . . . . . 200

Disabling the restoration of a timed out session in Java InfoView 200Disabling the restoration of a timed out session in .NET InfoView . . . 201

Enabling reverse proxies for Java applications servers . . . . . . . . . . . . . . 202Enabling reverse proxies for BusinessObjects Java InfoView . . . . . . 202Enabling reverse proxies for BusinessObjects Web Services . . . . . . 203

Enabling reverse proxies on Tomcat . . . . . . . . . . . . . . . . . . . . . . 203Enabling reverse proxy on web application servers otherthan Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Enabling reverse proxies for BusinessObjects Live Office . . . . . . . . . 206Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207Deployment instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Disabling persistent cookies for InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 208

Chapter 9 Using NT Authentication 211Using NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212Windows NT security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Business Objects NT Users Group . . . . . . . . . . . . . . . . . . . . . . . 213NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213NT and single sign-on support . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

NT user account and group administration . . . . . . . . . . . . . . . . . . . . . . . . 214Mapping NT user accounts and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Mapping NT user accounts and groups from Windows NT . . . . . . . . . 215Mapping NT user account or groups from Windows 2000 or 2003 . . . 216Mapping NT groups from the CMC . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Unmapping NT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220


Contents

Viewing mapped NT users and groups . . . . . . . . . . . . . . . . . . . . . . . 221Adding an NT account to a mapped NT group . . . . . . . . . . . . . . 222Creating a new NT group account . . . . . . . . . . . . . . . . . . . . . . . 222Disabling an NT user account . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Setting up NT single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223Modifying IIS security settings for NT single sign-on . . . . . . . . . 224Enabling InfoView NT single sign-on from the CMC . . . . . . . . . . 224Modifying the web.config file for NT single sign-on . . . . . . . . . . . 225

Chapter 10 Using LDAP authentication 227Managing LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

LDAP security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228More about LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230Configuring the LDAP host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231Configuring LDAP Server or Mutual Authentication and the SSL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

LDAP and SiteMinder Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Configuring the LDAP plug-in for SiteMinder . . . . . . . . . . . . . . . 236Modifying web.xml for LDAP and SiteMinder . . . . . . . . . . . . . . . 237

Mapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238Unmapping LDAP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241Viewing mapped LDAP users and groups . . . . . . . . . . . . . . . . . . . . . 242Changing LDAP connection parameters and member groups . . . . . 242Managing multiple LDAP hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243Troubleshooting LDAP accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Creating a new LDAP user account . . . . . . . . . . . . . . . . . . . . . . 243

Chapter 11 Using AD with NTLM or SiteMinder 245Using AD users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Windows AD security plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246Single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

AD and NTLM and SiteMinder workflows . . . . . . . . . . . . . . . . . . . . . 248


Contents

AD and NTLM basic workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 248AD, NTLM and single sign-on workflow . . . . . . . . . . . . . . . . . . . . 248AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Mapping AD accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249Setting up AD single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Modifying IIS security settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Modifying the web.config file for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253Modifying the web.config file for InfoView AD single sign-on . . . . 254

Configuring AD and SiteMinder workflow . . . . . . . . . . . . . . . . . . . . . . 255Configuring the Windows AD plug-in for SiteMinder . . . . . . . . . . 255Modifying web.xml for Java AD and SiteMinder . . . . . . . . . . . . . . 257Modifying web.xml for Java AD Single sign-on to InfoView . . . . . 258Modifying the web.xml file for Java AD and SiteMinder . . . . . . . . 258Modifying web.config for .NET InfoView and SiteMinder . . . . . . . 259Disabling SiteMinder for Java clients . . . . . . . . . . . . . . . . . . . . . . 260Disabling SiteMinder for .NET clients . . . . . . . . . . . . . . . . . . . . . . 261Troubleshooting single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Duplicate ssoEnabled tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Chapter 12 Using AD and Kerberos with IIS 265Configuring Kerberos for IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Kerberos, IIS and single sign-on options . . . . . . . . . . . . . . . . . . . . . . 266Workflows for Kerberos and IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Basic AD and Kerberos workflow . . . . . . . . . . . . . . . . . . . . . . . . . 267AD and Kerberos with single sign-on workflow . . . . . . . . . . . . . . 267Single sign-on to database workflow . . . . . . . . . . . . . . . . . . . . . . 267End-to-end Single sign-on workflow . . . . . . . . . . . . . . . . . . . . . . . 267

Setting up a service account on AD . . . . . . . . . . . . . . . . . . . . . . . . . . 268Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269


Contents

Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 270Configuring the servers to use the service account . . . . . . . . . . 270

Enabling Kerberos authentication in the Windows AD plug-in . . . . . . 271Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271Modifying web.config for impersonation and Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Modifying the AD plug-in settings for database single sign-on . 275

Configuring IIS and browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275Configuring IIS for integrated Windows authentication . . . . . . . . 275Configuring the Internet Explorer browser on a client machine . 276

Configuring IIS for end-to-end single sign-on . . . . . . . . . . . . . . . . . . 277Configuring IIS 5 for Kerberos end-to-end single sign-on . . . . . . 277Configuring IIS 6 for Kerberos end-to-end single sign-on . . . . . . 279

Configuring IIS for database single sign-on . . . . . . . . . . . . . . . . . . . . 281Configuring IIS 5 for single sign-on to database only . . . . . . . . . 282Configuring IIS 6 for single sign-on to database . . . . . . . . . . . . . 283Modifying web.config for InfoView single sign-on . . . . . . . . . . . . 284Configuring web applications for database single sign-on . . . . . 285

Configuring the database server for single sign-on . . . . . . . . . . . . . . 286Configuring SQL Server for single sign-on . . . . . . . . . . . . . . . . . 286

Server cache expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287Modifying the default cache expiry value . . . . . . . . . . . . . . . . . . 287

Chapter 13 Using AD and Kerberos with Java application servers 289Configuring Kerberos for Java application servers . . . . . . . . . . . . . . . . . 290

General workflow for configuring Kerberos . . . . . . . . . . . . . . . . . . . . 290Workflow for configuring Tomcat for Kerberos . . . . . . . . . . . . . . . . . . 291Workflow for configuring WebSphere for Kerberos . . . . . . . . . . . . . . 291Workflow for configuring WebLogic for Kerberos . . . . . . . . . . . . . . . . 291Workflow for configuring Oracle for Kerberos . . . . . . . . . . . . . . . . . . 291Setting up a service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Setting up a service account with delegation on a Windows 2000 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292


Contents

Creating an SPN for your CMS on a Windows 2000 domain . . . . 293Setting up a service account with delegation on a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293Creating an SPN for your CMS on a Windows 2003 domain . . . . 294

Setting up constrained delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294Setting up constrained delegation for a service account . . . . . . . 295

Configuring the servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295Granting the service account rights . . . . . . . . . . . . . . . . . . . . . . . 295Adding the Service Account to the servers’ Local Administrators group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296Configuring the servers to use the service account . . . . . . . . . . . 297

Kerberos authentication in the Windows AD plug-in . . . . . . . . . . . . . 297Configuring Kerberos for your Java application server . . . . . . . . . . . . 302

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302Creating the Kerberos configuration file for WebSphere . . . . . . . 304Creating the JAAS login configuration file for Tomcat or WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305Creating the JAAS login configuration file for Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306Creating the JAAS login configuration file for WebSphere . . . . . . 306Modifying your Java options for Kerberos on Tomcat . . . . . . . . . 307Modifying the Java options for Kerberos on WebLogic . . . . . . . . 307Modifying the Java options for Kerberos on Oracle Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308Modifying the Java options for Kerberos on WebSphere . . . . . . . 308

Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309Enabling logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310Testing your Java Kerberos configuration . . . . . . . . . . . . . . . . . . 310

Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 310Configuring Kerberos and single sign-on to the database for Java application servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311Configuring Kerberos and single sign-on for Java InfoView . . . . . . . . 312


Contents

Workflow for configuring Kerberos single sign-on to Java InfoView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java. . . . . . . . . . . . . . . . . . . . . . . . 314Step 2: Creating an SPN for your web application server . . . . . . 315Step 3: Reset the service account password . . . . . . . . . . . . . . . 315Step 4: Create and place a keytab file . . . . . . . . . . . . . . . . . . . . 316Step 5: Enabling Vintela single sign-on for Java in the web.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316Step 6: Increasing the header size limit of your Java application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321Controlling logging with Vintela single sign-on for Java . . . . . . . 322What to specify in your log4j properties file . . . . . . . . . . . . . . . . . 323Alternate url to access InfoView . . . . . . . . . . . . . . . . . . . . . . . . . 324Modifying the Vintela logon error page . . . . . . . . . . . . . . . . . . . . 325Configuring Internet Explorer browsers . . . . . . . . . . . . . . . . . . . . 326

Chapter 14 Trusted Authentication 327Enabling Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Configuring the server for Trusted Authentication . . . . . . . . . . . . . . . 328Configuring Trusted Authentication for the client . . . . . . . . . . . . . . . . 329Configuring Trusted Authentication for Business Process BI . . . . . . 334Configuring Trusted Authentication on a separate web application server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Chapter 15 Improving Performance 337Improving performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338Assessing your system’s performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Assessing user needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339Analyzing server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Viewing current server metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 340Viewing system metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Logging server activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345Evaluating your system’s performance . . . . . . . . . . . . . . . . . . . . . . . 346


Contents

Resolving performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348Configuring the intelligence tier for enhanced performance . . . . . . . . 351

Configuring the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351Modifying the polling time of the Event Server . . . . . . . . . . . . . . . 351Configuring the File Repository Servers . . . . . . . . . . . . . . . . . . . . 352Modifying Cache Server performance settings . . . . . . . . . . . . . . 352

Configuring the processing tier for enhanced performance . . . . . . . . 354Modifying performance settings for job servers . . . . . . . . . . . . . . 355Modifying Desktop Intelligence Report Server performance settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356Modifying performance settings for the Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357Modifying database settings for the RAS . . . . . . . . . . . . . . . . . . . 360Modifying performance settings for the RAS . . . . . . . . . . . . . . . . 362Modifying Page Server performance settings . . . . . . . . . . . . . . . 363

Scaling your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366Increasing overall system capacity . . . . . . . . . . . . . . . . . . . . . . . . 367Increasing scheduled reporting capacity . . . . . . . . . . . . . . . . . . . 367Increasing on-demand viewing capacity for Crystal reports . . . . . 369Increasing prompting capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . 369Delegating XSL transformation to Internet Explorer . . . . . . . . . . . 370Enhancing custom web applications . . . . . . . . . . . . . . . . . . . . . . 370Improving web response speeds . . . . . . . . . . . . . . . . . . . . . . . . . 371Getting the most from existing resources . . . . . . . . . . . . . . . . . . . 371

Chapter 16 General Troubleshooting 373Troubleshooting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374Documentation resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375Web accessibility issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Using an IIS web site other than the default . . . . . . . . . . . . . . . . . . . . 375.NET CSP and ASP pages display code . . . . . . . . . . . . . . . . . . . . . . . 376Unable to access the CMS from thick client . . . . . . . . . . . . . . . . . . . . 376Unable to View .NET InfoView or CMC . . . . . . . . . . . . . . . . . . . . . . . . 377


Contents

Determining if the IIS 6.0 ASP.NET component is installed . . . . 377Changing the connect port used by Tomcat . . . . . . . . . . . . . . . . . . . 378Unable to connect to CMS when logging on to the CMC . . . . . . . . . . 379Unable to open a report from InfoView . . . . . . . . . . . . . . . . . . . . . . . 379Single sign-on from an IE Windows 2000 client fails . . . . . . . . . . . . . 380Windows NT authentication cannot log you on . . . . . . . . . . . . . . . . . 380Mapped AD user unable to log on to CMC or InfoView . . . . . . . . . . . 381

Unable to sign on with AD and Kerberos . . . . . . . . . . . . . . . . . . 381TReport viewing and processing issues . . . . . . . . . . . . . . . . . . . 383

Troubleshooting reports with Crystal Reports . . . . . . . . . . . . . . . . . . 383Images and charts not displayed . . . . . . . . . . . . . . . . . . . . . . . . 385

Troubleshooting reports and looping database logon prompts . . . . . 385Ensuring that server resources are available on local drives . . . . . . . 388Page Server error when viewing a report . . . . . . . . . . . . . . . . . . . . . 389

InfoView considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390Supporting users in multiple time zones . . . . . . . . . . . . . . . . . . . . . . 390Setting default report destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 390Import Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390Unable to import users from BusinessObjects 6.5 . . . . . . . . . . . . . . . 390

Chapter 17 Managing Auditing 391How does auditing work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392Configuring the auditing database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Which actions can I audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395Reference list of auditable actions . . . . . . . . . . . . . . . . . . . . . . . 395

Enabling auditing of user and system actions . . . . . . . . . . . . . . . . . . . . . 399Configuring the universe connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401Using sample audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402Controlling synchronization of audit actions . . . . . . . . . . . . . . . . . . . . . . . 403Optimizing system performance while auditing . . . . . . . . . . . . . . . . . . . . 404


Contents

Chapter 18 Auditing Reports 407Using auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Why are reports important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408Auditor report names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Average Number of Users Logged In . . . . . . . . . . . . . . . . . . . . . . 408Average Refresh Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409Average Session Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409Average Session Duration per Cluster . . . . . . . . . . . . . . . . . . . . . 409Average Session Duration per User . . . . . . . . . . . . . . . . . . . . . . . 409Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410Document Information Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410Document Scheduling and Viewing Status . . . . . . . . . . . . . . . . . 410Job Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410Jobs per Job Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Jobs per User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Job Servers on the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Last Login for User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Least Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412Most Accessed Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412Most Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412Most Popular Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412Most Popular Actions per Document . . . . . . . . . . . . . . . . . . . . . . 413Number of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413Number of Users in the System . . . . . . . . . . . . . . . . . . . . . . . . . . 413Password Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413Peak Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414Refresh and Edit Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414Rights Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414Total Users Logged In by Day . . . . . . . . . . . . . . . . . . . . . . . . . . . 414User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414User Activity per Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415Users Who Logged Off Incorrectly . . . . . . . . . . . . . . . . . . . . . . . . 415

Viewing sample auditing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415


Contents

Creating custom audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416Auditing database schema reference . . . . . . . . . . . . . . . . . . . . . . . . 416

Audit_Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416Audit_Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417Server_Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418Event_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419Application_Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419Detail_Type table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Appendix A Customizing the appearance of Web Intelligence documents 427Customizing the appearance of Web Intelligence documents . . . . . . . . . 428

What you can do with the defaultconfig.xml file . . . . . . . . . . . . . . . . . 429Locating and modifying defaultconfig.xml . . . . . . . . . . . . . . . . . . . . . 430

Desktop Intelligence Enterprise Java InfoView . . . . . . . . . . . . . . 431Desktop Intelligence Enterprise .NET InfoView . . . . . . . . . . . . . 431

List of key values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432Example: Modifying the default font in table cells . . . . . . . . . . . . . . . 433

Appendix B Server deployment and firewall configuration 435About this appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436Understanding how BusinessObjects Enterprise servers communicate . 436

Using CORBA to communicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437Registering with the CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437Communicating with client applications . . . . . . . . . . . . . . . . . . . . . . . 438

Configuring BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . 439Configuring the CMS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Configuring non-CMS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

Configuring Job Servers for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . 442Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443


Contents

Configuring firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444Example: A firewall between the application server and BusinessObjects Enterprise servers . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Deploying BusinessObjects Enterprise on multihomed machines . . . . . . 448Multihomed machines with NICs on the same subnet . . . . . . . . . . . . 449Multihomed machines with NICs on different subnets . . . . . . . . . . . . 450

Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected . . . . . . . . . . . . . . 450

Binding to a particular NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451Summary of unsupported deployment scenarios . . . . . . . . . . . . . . . . . . . 451

Appendix C Server Command Lines 453Command lines overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454Standard options for all servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

UNIX signal handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456Central Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456Page Server and Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459Job servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461Report Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462Web Intelligence Report Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464Input and Output File Repository Servers . . . . . . . . . . . . . . . . . . . . . . . . . 465Event Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Appendix D Rights and Access Levels 467Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468Access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469View On Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470Full Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Default rights on the top-level folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471Object rights for the Report Application Server . . . . . . . . . . . . . . . . . . . . . 472


Contents

Appendix E UNIX Tools 473UNIX tools overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474Script utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

ccm.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476ccm.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

cmsdbsetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477configpatch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477serverconfig.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478sockssetup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479uninstallBOBJE.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Script templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480startservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481stopservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481silentinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Scripts used by BusinessObjects Enterprise . . . . . . . . . . . . . . . . . . . . . . 482bobjerestart.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482env.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482env-locale.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482initlaunch.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482patchlevel.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483postinstall.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483setup.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483setupinit.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Appendix F Enabling support for ASP.NET 2.0 485Enabling support for ASP.NET 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Appendix G Business Objects Information Resources 489Documentation and information services . . . . . . . . . . . . . . . . . . . . . . . . . 490Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

What’s in the documentation set? . . . . . . . . . . . . . . . . . . . . . . . . . . . 490Where is the documentation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490


Contents

Documentation from the products . . . . . . . . . . . . . . . . . . . . . . . . 490Documentation on the web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490Documentation on the product CD . . . . . . . . . . . . . . . . . . . . . . . . 490

Send us your feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491Customer support, consulting and training . . . . . . . . . . . . . . . . . . . . . . . . 491

How can we support you? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491Online Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Looking for the best deployment solution for your company? . . . . . . . 492Looking for training options? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Useful addresses at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Index 495


Getting Started

chapter

Getting StartedAbout this help1
About this help
This help provides you with information and procedures for deploying and configuring your BusinessObjects Enterprise system. Procedures are provided for common tasks. Conceptual information and technical details are provided for all advanced topics.For daily maintenance tasks and procedures for working with the CMC, see the BusinessObjects Enterprise Administrator’s Guide. For information about installing BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.

Who should use this help?This help covers deployment and configuration tasks. We recommend consulting this guide if you are: • planning your first deployment • configuring your first deployment • making significant changes to the architecture of an existing deployment • improving your system’s performance.For a list of suggested topics for each of these scenarios, consult “Where should I start?” on page 25.This help is intended for system administrators who are responsible for configuring, managing, and maintaining a BusinessObjects Enterprise installation. Familiarity with your operating system and your network environment is beneficial, as is a general understanding of web application server management and scripting technologies. However, to assist all levels of administrative experience, this help aims to provide sufficient background and conceptual information to clarify all administrative tasks and features.

About BusinessObjects EnterpriseBusinessObjects Enterprise is a flexible, scalable, and reliable solution for delivering powerful, interactive reports to end users via any web application—intranet, extranet, Internet or corporate portal. Whether it is used for distributing weekly sales reports, providing customers with personalized service offerings, or integrating critical information into corporate portals, BusinessObjects Enterprise delivers tangible benefits that extend across and beyond the organization. As an integrated suite for reporting, analysis, and information delivery, BusinessObjects Enterprise provides a solution for increasing end-user productivity and reducing administrative efforts.


Getting StartedWhere should I start? 1

Where should I start?Depending on your situation, you may want to focus on specific sections of this help, and there may be other resources available for you. For each of the following situations, there is a list of suggested tasks and reading topics.

Planning or performing your first deploymentIf you are planning or performing your first deployment of BusinessObjects Enterprise, it is recommended that you perform the following tasks and read the corresponding sections:• To get familiar with the components, read “BusinessObjects Enterprise

Architecture” on page 29.• Assess your needs and design a deployment architecture that works best

for you. “Planning Your Deployment” on page 57 • “Working with Firewalls” on page 157• “Security Concepts” on page 179• If you plan to use third-party authentication, read the following sections

that apply to your deployment:• “Using NT Authentication” on page 211• “Using AD with NTLM or SiteMinder” on page 245• “Using AD and Kerberos with IIS” on page 265• “Using AD and Kerberos with Java application servers” on page 289• “Using LDAP authentication” on page 227

• “Improving Performance” on page 337• For more information about installing BusinessObjects Enterprise, see

the BusinessObjects Enterprise Installation Guide.• After you install, read “Managing and Configuring Servers” on page 97.

Configuring your deploymentIf you have just completed your installation of BusinessObjects Enterprise and need to perform initial configuration tasks, such as firewall configuration and user management, it is recommended that you read the following sections:• “Managing and Configuring Servers” on page 97• “Working with Firewalls” on page 157• “Security Concepts” on page 179


Getting StartedWhere should I start?1

• If you plan to use third-party authentication, read the following sections that apply to your deployment:• “Using NT Authentication” on page 211• “Using AD with NTLM or SiteMinder” on page 245• “Using AD and Kerberos with IIS” on page 265• “Using AD and Kerberos with Java application servers” on page 289• “Using LDAP authentication” on page 227

• “Improving Performance” on page 337• If you plan to audit your system, read “Managing Auditing” on page 391

and “Auditing Reports” on page 407.• For daily maintenance tasks and procedures for working with the CMC,

see the BusinessObjects Enterprise Administrator’s Guide. • If you encounter problems, read “General Troubleshooting” on page 373.

Changing your deployment’s architectureAre you expecting a significant increase in server traffic? Do you need to accommodate a sudden influx of users? Do you need to incorporate new kinds of content from new sources? Or do you need to update a deployment that didn’t adequately anticipate the volume of objects being processed on a daily basis? If you need to revise your deployment to account for significant changes in how you use the system, it is recommended that you read the following sections:• “Improving Performance” on page 337• If you are installing new server components, see “Managing and

Configuring Servers” on page 97.• If you are importing or configuring new users, see “Security Concepts” on

page 179.• If you encounter problems, read “General Troubleshooting” on page 373.• For daily maintenance tasks and procedures for working with the CMC,

see the BusinessObjects Enterprise Administrator’s Guide. For information about installing new components, you can find more information in the BusinessObjects Enterprise Installation Guide.

Improving your system’s performanceIf you want to assess your deployment’s efficiency and fine-tune it in order to maximize resources, it is recommended that you read the following sections:


Getting StartedWhere should I start? 1

• “Improving Performance” on page 337• If you want to monitor your existing system, read “Managing Auditing” on

page 391 and “Auditing Reports” on page 407.• If you want to resolve specific performance problems, read “General

Troubleshooting” on page 373.• For daily maintenance tasks and procedures for working with the CMC,

see the BusinessObjects Enterprise Administrator’s Guide.


Getting StartedWhere should I start?1


BusinessObjects Enterprise Architecture

chapter

BusinessObjects Enterprise ArchitectureChapter overview2
Chapter overview
This chapter briefly introduces BusinessObjects Enterprise administrators to the architecture of BusinessObjects Enterprise. This chapter covers the following topics:• Architecture basics• Client tier• Intelligence tier• Processing tier• Data tier• Report viewers• Information flowFor faster navigation, click on the title of the topic you are interested in.

Architecture basicsBusinessObjects Enterprise is a multi-tier system. Although the components are responsible for different tasks, they can be logically grouped based on the type of work they perform. If you are new to BusinessObjects Enterprise, use this section to gain familiarity with the BusinessObjects Enterprise framework, its components, and the general tasks that each component performs.In BusinessObjects Enterprise, there are five tiers:• The client tier• The application tier• The intelligence tier• The processing tier• The data tierTo provide flexibility, reliability, and scalability, the components that make up each of these tiers can be installed on one machine, or spread across many.The following diagram illustrates how each of the components fits within the multi-tier system. Other Business Objects products plug in to the BusinessObjects Enterprise framework in various ways. This section describes the framework itself. Consult each product’s installation or administration guides for details about how it integrates with the BusinessObjects Enterprise framework.

30 BusinessObjects Enterprise Administrator’s Guide

BusinessObjects Enterprise ArchitectureArchitecture basics 2

The “servers” run as services on Windows machines. On UNIX, the servers run as daemons. These services can be “vertically scaled” to take full advantage of the hardware that they are running on, and they can be “horizontally scaled” to take advantage of multiple computers over a network environment. This means that the services can all run on the same machine, or they can run on separate machines. The same service can also run in multiple instances on a single machine.For example, you can run the CMS and the Event Server on one machine, while you run the Report Application Server on a separate machine. This configuration is called “horizontal scaling.” If the Report Application Server is

BusinessObjects Enterprise Administrator’s Guide 31

BusinessObjects Enterprise ArchitectureClient tier2

running on a multi-processor computer, then you may choose to run multiple Report Application Servers on it. This configuration is called “vertical scaling.” The important thing to understand is that, even though these are called servers, they are actually services and daemons that do not need to run on separate computers.Tip: Note: BusinessObjects Enterprise supports reports created in versions 6 through XI of Crystal Reports. Once published to BusinessObjects Enterprise, reports are saved, processed, and displayed in version XI format.

Client tierThe client tier is the only part of the BusinessObjects Enterprise system that administrators and end users interact with directly. This tier is made up of the applications that enable people to administer, publish, and view reports and other objects.

The client tier includes:• InfoView• Central Management Console (CMC)• Central Configuration Manager (CCM)• Publishing Wizard• Import WizardFor faster navigation, click on the title of the topic you are interested in.

InfoViewBusinessObjects Enterprise comes with InfoView, a web-based interface that end users access to view, schedule, and keep track of published reports. Each BusinessObjects Enterprise request that a user makes is directed to the BusinessObjects Enterprise application tier. In .NET InfoView, the web server forwards the user request directly to an application server where the request


BusinessObjects Enterprise ArchitectureClient tier 2

is processed by the Web Component Adapter (WCA); typically, InfoView only uses the WCA when OLAP is installed. In this case, the web server will forward the .csp request to the WCA for processing.InfoView also serves as a demonstration of the ways in which you can use the BusinessObjects Enterprise Software Development Kit (SDK) to create a custom web application for end users. In the case of .NET, InfoView also demonstrates how you can use the BusinessObjects Enterprise .NET Server Components. For more information, see the developer documentation available on your product CD.

Central Management Console (CMC)The Central Management Console (CMC) allows you to perform user management tasks such as setting up authentication and adding users and groups. It also allows you to publish, organize, and set security levels for all of your BusinessObjects Enterprise content. Additionally, the CMC enables you to manage servers and create server groups. Because the CMC is a web-based application, you can perform all of these administrative tasks remotely. For more information, see the BusinessObjects Enterprise Administrator’s Guide.The CMC also serves as a demonstration of the ways in which you can use the administrative objects and libraries in the BusinessObjects Enterprise SDK to create custom web applications for administering BusinessObjects Enterprise. For more information, see the developer documentation available on your product CD.

Central Configuration Manager (CCM)The Central Configuration Manager (CCM) is a server-management tool that allows you to configure each of your BusinessObjects Enterprise server components. This tool allows you to start, stop, enable, and disable servers, and it allows you to view and to configure advanced server settings. On Windows, these settings include default port numbers, CMS database and clustering details, SOCKS server connections, and more. In addition, on Windows the CCM allows you to add or remove servers from your BusinessObjects Enterprise system.On UNIX, some of these functions are performed using other tools..


BusinessObjects Enterprise ArchitectureApplication tier2
Publishing Wizard
The Publishing Wizard is a locally installed Windows application that enables both administrators and end users to add reports to BusinessObjects Enterprise. By assigning object rights to BusinessObjects Enterprise folders, you control who can publish reports and where they can publish them to. The Publishing Wizard publishes reports from a Windows machine to BusinessObjects Enterprise servers running on Windows or on UNIX.For more information, see the BusinessObjects Enterprise Administrator’s Guide.

Import WizardThe Import Wizard is a locally installed Windows application that guides administrators through the process of importing users, groups, reports, and folders from an existing BusinessObjects Enterprise, Crystal Enterprise, or Crystal Info implementation to BusinessObjects Enterprise. The Import Wizard runs on Windows, but you can use it to import information into a new BusinessObjects Enterprise system running on Windows or on UNIX.For more information, see the BusinessObjects Enterprise Installation Guide.

Application tierThe application tier hosts the server-side components that process requests from the client tier as well as the components that communicate these requests to the appropriate server in the intelligence tier. The application tier includes support for report viewing and logic to understand and direct web requests to the appropriate BusinessObjects Enterprise server in the intelligence tier.For both the Java and .NET platforms, the application tier includes the following components:• Application server and BusinessObjects Enterprise SDK• Web Component Adapter (WCA)


BusinessObjects Enterprise ArchitectureApplication tier 2

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Application server and BusinessObjects Enterprise SDKBusinessObjects Enterprise systems that use the BusinessObjects Enterprise Java SDK or the BusinessObjects Enterprise .NET SDK run on a third party application server. See the Platforms.txt file included with your product distribution for a complete list of tested application servers and version requirements.The application server acts as the gateway between the web server and the rest of the components in BusinessObjects Enterprise. The application server is responsible for processing requests from your browser. It also supports InfoView and other Business Objects applications, and uses the SDK to convert report pages (.epf files) to HTML format when users view pages with a DHTML viewer.

Web Component Adapter (WCA)The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The Web Component Adapter (WCA) runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests on to the WCA.The WCA has two primary roles:• It processes ASP.NET (.aspx) and Java Server Pages (.jsp) files


BusinessObjects Enterprise ArchitectureApplication tier2

• It also supports Business Objects applications such as the CMC (CMC) and Crystal report viewers (that are implemented through viewrpt.aspx requests).

Note: In Crystal Enterprise 10 on Windows, the communication between the web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.

Web development platformsBusinessObjects Enterprise supports the following web development platforms:• Java platform• Windows .NET platform

Java platformAll UNIX installations of BusinessObjects Enterprise include a Web Component Adapter (WCA). In this configuration, a Java application server is required to host the WCA and the BusinessObjects Enterprise Java SDK. The use of a web server is optional as you may choose to have static content hosted by the application server.

Windows .NET platformBusinessObjects Enterprise installations that use the .NET Framework include Primary Interop Assemblies (PIAs) that allow you to use the BusinessObjects Enterprise .NET SDK with ASP.NET, and a set of .NET Server Components that you can optionally use to simplify the development of custom applications. This configuration requires the use of a Microsoft Internet Information Services (IIS) web server.Note: • In Crystal Enterprise 10 on Windows, the communication between the

web server and the application server was handled through the Web Connector; the functionality of the Web Component Adapter (WCA) was provided through the Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server and the WCA handles the WCS functionality, both on Windows and Unix platforms.


BusinessObjects Enterprise ArchitectureIntelligence tier 2

• You do not need a Web Component Adapter for custom ASP.NET applications.

• If after your initial installtion, you upgrade to version 2.0 of the .NET Framework, you will also need to modify the web.config used by IIS. See “Enabling support for ASP.NET 2.0” on page 486.

Web application environmentsBusinessObjects Enterprise supports Java Server Pages (.jsp) and ASP.NET (.aspx) pages. BusinessObjects Enterprise includes web applications developed in .aspx, such as InfoView and the sample applications available via the BusinessObjects Enterprise Launchpad.Java Server Pages (.jsp) and ASP.NET (.aspx) pages allow you to develop cross-platform J2EE and ASP.NET applications that use the BusinessObjects Enterprise SDKs in conjunction with third party APIs.Note: For backward compatibility, BusinessObjects Enterprise continues to support Crystal Server Pages (.csp) and Active Server Pages (.asp).BusinessObjects Enterprise also includes Primary Interop Assemblies (PIAs) that enable you to use the BusinessObjects Enterprise SDK and Report Application Server SDK with ASP.NET. It also includes a set of .NET Server Components which simplify development of custom BusinessObjects Enterprise applications in ASP.NET.For more information, see the developer documentation available on your product CD.

Intelligence tierThe intelligence tier manages the BusinessObjects Enterprise system. It maintains all of the security information, sends requests to the appropriate servers, manages audit information, and stores report instances.

The intelligence tier includes the following components:• Central Management Server (CMS)• Event Server


BusinessObjects Enterprise ArchitectureIntelligence tier2

• File Repository Servers• Cache Server

Central Management Server (CMS)The CMS is responsible for maintaining a database of information about your BusinessObjects Enterprise system, which other components can access as required. The data stored by the CMS includes information about users and groups, security levels, BusinessObjects Enterprise content, and servers.The CMS also maintains the BusinessObjects Enterprise Repository, and a separate audit database of information about user actions. This data allows the CMS to perform its four main tasks:• Maintaining security

By maintaining a database of users and their associated object rights, the CMS enforces who has access to BusinessObjects Enterprise and the types of tasks they are able to perform. These tasks include enforcing and maintaining the licensing policy of your BusinessObjects Enterprise system.

• Managing objectsThe CMS keeps track of the location of objects and maintains the containment hierarchy, which includes folders, categories, and inboxes. By communicating with the Job Servers and Program Job Servers, the CMS is able to ensure that scheduled jobs run at the appropriate times.

• Managing serversBy staying in frequent contact with each of the servers in the system, the CMS is able to maintain a list of server status. Report viewers access this list, for instance, to identify which Cache Server is free to use for a report viewing request.

• Managing auditingBy collecting information about user actions from each BusinessObjects Enterprise server, and then writing these records to a central audit database, the CMS acts as the system auditor. This audit information allows system administrators to better manage their BusinessObjects Enterprise deployment.

Typically, you provide the CMS with database connectivity and credentials when you install BusinessObjects Enterprise, so the CMS can create its own system database and BusinessObjects Enterprise Repository database using your organization’s preferred database server. For details about setting up


BusinessObjects Enterprise ArchitectureIntelligence tier 2

CMS databases, see the BusinessObjects Enterprise Installation Guide. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.Note: • It is strongly recommended that you back up the CMS system database,

and the audit database frequently. The backup procedure depends upon your database software. If you are unsure of the procedure, consult with your database administrator.

• The CMS database should not be accessed directly. System information should only be retrieved using the calls that are provided in the BusinessObjects Enterprise Software Development Kit (SDK). For more information, see the developer documentation available on your product CD.

• You can access the audit database directly to create custom audit reports. See the BusinessObjects Enterprise Auditor’s Guide for more information.

On Windows, the Setup program can install and configure its own Microsoft Data Engine (MSDE) database if necessary. MSDE is a client/server data engine that provides local data storage and is compatible with Microsoft SQL Server. If you already have the MSDE or SQL Server installed, the installation program uses it to create the CMS system database. You can migrate your default CMS system database to a supported database server later. For more information about Auditing, see the BusinessObjects Enterprise Auditor’s Guide.

Event ServerThe Event Server manages file-based events. When you set up a file-based event within BusinessObjects Enterprise, the Event Server monitors the directory that you specified. When the appropriate file appears in the monitored directory, the Event Server triggers your file-based event: that is, the Event Server notifies the CMS that the file-based event has occurred. The CMS then starts any jobs that are dependent upon your file-based event.After notifying the CMS of the event, the Event Server resets itself and again monitors the directory for the appropriate file. When the file is newly created in the monitored directory, the Event Server again triggers your file-based event.Note: Schedule-based events, and custom events are managed by the CMS.


BusinessObjects Enterprise ArchitectureIntelligence tier2
File Repository Servers
There is an Input and an Output File Repository Server in every BusinessObjects Enterprise implementation.The Input File Repository Server manages all of the report objects and program objects that have been published to the system by administrators or end users (using the Publishing Wizard, the CMC, the Import Wizard, or a Business Objects designer component such as Crystal Reports or the Web Intelligence Java or HTML Report Panels).Tip: If you use the BusinessObjects Enterprise SDK, you can also publish reports from within your own code.The Output File Repository Server manages all of the report instances generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server.The File Repository Servers are responsible for listing files on the server, querying for the size of a file, querying for the size of the entire file repository, adding files to the repository, and removing files from the repository.Note: • The Input and Output File Repository Servers cannot share the same

directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other.

• In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory.

• Objects with files associated with them, such as text files, Microsoft Word files, or PDFs, are stored on the Input File Repository Server.

Cache ServerThe Cache Server is responsible for handling all report viewing requests. The Cache Server checks whether or not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays exactly the required data, with data that has been refreshed from the database within the interval that you have specified as the default, the Cache Server returns that cached report page.If the Cache Server cannot fulfil the request with a cached report page, it passes the request along to the Page Server. The Page Server runs the report and returns the results to the Cache Server. The Cache Server then


BusinessObjects Enterprise ArchitectureProcessing tier 2

caches the report page for future use, and returns the data to the viewer. By storing report pages in a cache, BusinessObjects Enterprise avoids accessing the database each and every time a report is requested.If you are running multiple Page Servers for a single Cache Server, the Cache Server automatically balances the processing load across Page Servers.

Processing tierThe processing tier accesses the data and generates the reports. It is the only tier that interacts directly with the databases that contain the report data.

The processing tier includes:• Job servers• Web Intelligence Report Server• Report Application Server (RAS)• Page Server

Job serversA Job Server processes scheduled actions on objects at the request of the CMS. When you add a Job Server to the BusinessObjects Enterprise system, you can configure the Job Server to:• Process report objects• Process program objects


BusinessObjects Enterprise ArchitectureProcessing tier2

• Send objects or instances to specified destinationsIf you configure a Job Server to process report objects, it becomes a Report Job Server. If you configure a Job Server to process program objects, it becomes a Program Job Server, and so on. The processing tier includes:• Report Job Server• Program Job Server• Web Intelligence Job Server• Destination Job Server• List of Values Job Server• Desktop Intelligence Job Server

Report Job ServerIf you configure a Job Server to process report objects, it becomes a Report Job Server.The Report Job Server processes scheduled reports, as requested by the CMS, and generates report instances (instances are versions of a report object that contain saved data). To generate a report instance, the Report Job Server obtains the report object from the Input FRS and communicates with the database to retrieve the current data. Once it has generated the report instance, it stores the instance on the Output FRS.

Program Job ServerIf you configure a Job Server to process program objects, it becomes a Program Job Server.Program objects allow you to write, publish, and schedule custom applications, including scripts, Java programs or .NET programs that run against, and perform maintenance work on, BusinessObjects Enterprise.The Program Job Server processes scheduled program objects, as requested by the CMS. To run a program, the Program Job Server first retrieves the files from storage on the Input File Repository Server, and then runs the program. By definition, program objects are custom applications. Therefore the outcome of running a program will be dependent upon the particular program object that is run.Unlike report instances, which can be viewed in their completed format, program instances exist as records in the object history. BusinessObjects Enterprise stores the program’s standard out and standard error in a text output file. This file appears when you click a program instance in the object History.


BusinessObjects Enterprise ArchitectureProcessing tier 2

Web Intelligence Job ServerThe Web Intelligence Job Server processes scheduling requests it receives from the CMS for Web Intelligence documents. It forwards these requests to the Web Intelligence Report Server, which will generate the instance of the Web Intelligence document. The Web Intelligence Job Server does not actually generate object instances.

Destination Job ServerIf you configure a Job Server to send objects or instances, it becomes a Destination Job Server.A Destination Job Server processes requests that it receives from the CMS and sends the requested objects or instances to the specified destination:• If the request is for an object, it retrieves the object from the Input File

Repository Server.• If the request is for a report or program instance, it retrieves the instance

from the Output File Repository Server.The Destination Job Server can send objects and instances to destinations inside the BusinessObjects Enterprise system, for example, a user’s inbox, or outside the system, for example, by sending a file to an email address.The Destination Job Server does not run the actual report or program objects. It only handles objects and instances that already exist in the Input or Output File Repository Servers.

List of Values Job ServerThe List of Values Job Server processes scheduled list-of-value objects. These are objects that contain the values of specific fields in a Business View. Lists of values are use to implement dynamic prompts and cascading lists of values within Crystal Reports. List-of-value objects do not appear in CMC or InfoView. For more information, see the Business Views Administrator’s Guide.The List of Values Job Server behaves similarly to the Report Job Server in that it retrieves the scheduled objects from the Input File Repository Server (FRS) and saves the instance it generates to the Output FRS. There is never more than one instance of a list-of-values object. On demand list of value objects are processed by the Report Application Server.

Desktop Intelligence Job ServerThe Desktop Intelligence Job Server processes scheduling requests it receives from the CMS for Desktop Intelligence documents and generates the instance of the Desktop Intelligence document.


BusinessObjects Enterprise ArchitectureProcessing tier2
Web Intelligence Report Server
The Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents. It also processes scheduled Web Intelligence documents and generates new instances of the document, which it stores on the Output File Repository Server (FRS). Depending on the user’s access rights and the refresh options of the document, the Web Intelligence Report Server will use cached information, or it will refresh the data in the document and then cache the new information.

Report Application Server (RAS)The Report Application Server (RAS) processes reports that users view with the Advanced DHTML viewer. The RAS also provides the ad hoc reporting capabilities that allow users to create and modify reports over the Web.The RAS is very similar to the Page Server: it too is primarily responsible for responding to page requests by processing reports and generating EPF pages. However, the RAS uses an internal caching mechanism that involves no interaction with the Cache Server.As with the Page Server, the RAS supports COM, ASP.NET, and Java viewer SDKs. The Report Application Server also includes an SDK for report-creation and modification, providing you with tools for building custom report interaction interfaces.

Page Server The Page Server is primarily responsible for responding to page requests by processing reports and generating Encapsulated Page Format (EPF) pages. The EPF pages contain formatting information that defines the layout of the report. The Page Server retrieves data for the report from an instance or directly from the database (depending on the user’s request and the rights he or she has to the report object). When retrieving data from the database, the Page Server automatically disconnects from the database after it fulfills its initial request and reconnects if necessary to retrieve additional data. (This behavior conserves database licenses.)The Cache Server and Page Server work closely together. Specifically, the Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server also interact to ensure cached EPF pages are reused as frequently as possible, and new pages are generated as soon as they are required. BusinessObjects Enterprise takes advantage of this behavior by ensuring that the majority of report-viewing requests are made to


BusinessObjects Enterprise ArchitectureData tier 2

the Cache Server and Page Server. (However, if a user’s default viewer is the Advanced DHTML viewer, the report is processed by the Report Application Server.)The Page Server also supports COM, ASP.NET, and Java viewer Software Development Kits (SDKs).

Data tierThe data tier is made up of the databases that contain the data used in the reports. BusinessObjects Enterprise supports a wide range of corporate databases.

See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements.

Report viewersBusinessObjects Enterprise includes report viewers that support different platforms and different browsers in the client tier, and which have different report viewing functionality. (For more information on the specific functionality or platform support provided by each report viewer, see the BusinessObjects Enterprise User’s Guide or the Crystal Reports Developer’s Guide.)All of the viewers fall into two categories:• client-side viewers

Client-side viewers are downloaded and installed in the users’ web browser.

• zero client viewersThe code to support zero client viewers resides in the application tier.

client-side viewers zero client viewers

Active X viewer DHTML viewerJava viewer Advanced DHTML viewer


BusinessObjects Enterprise ArchitectureInformation flow2

All report viewers help process requests for reports, and present report pages that appear in the user’s browser.

Client-side viewersClient-side viewers are downloaded and installed in the user’s browser. When a user requests a report, the application server processes the request, and retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The application server then passes the report pages to the client-side viewer, which processes the report pages and displays them directly in the browser.

Zero client viewersZero client viewers reside on the application server. When a user requests a report, the application server processes the request, and then retrieves the report pages (in .epf format) from the BusinessObjects Enterprise framework. The SDK creates a viewer object on the application server which processes the report pages and creates DHTML pages that represent both the viewer controls and the report itself. The viewer object then sends these pages through the web server to the user’s web browser.

Installing viewersIf they haven’t already done so, users are prompted to download and install the appropriate viewer software before the report is displayed in the browser. The Active X viewer is downloaded the first time a user requests a report, and then remains installed on the user’s machine. The user will be prompted to reinstall the ActiveX viewer only when a new version becomes available on the server.

Information flowThis section describes the interaction of the server components in order to demonstrate how report-processing is performed. This section covers two different scenarios:• What happens when you schedule an object?• What happens when you view a report?

What happens when you schedule an object?When you schedule an object, you instruct BusinessObjects Enterprise to process an object at a particular point in time, or on a recurring schedule. For example, if you have a report that is based on your web server logs, you can schedule the report to run every night on a recurring basis.


BusinessObjects Enterprise ArchitectureInformation flow 2

When a user schedules an object using InfoView, the following happens:1. InfoView sends the request to the web server.2. The web server passes the web request directly to the application server,

where it is evaluated by the BusinessObjects Enterprise SDK.3. The SDK passes the request to the CMS.4. The CMS checks to see if the user has sufficient rights to schedule the

object.5. If the user has sufficient rights, the CMS schedules the object to be run at

the specified time(s).6. When the time occurs, the CMS passes the job to the appropriate job

server. Depending on the type of object, the CMS will send the job to one of the following job servers:• If the object is Web Intelligence document, it sends the job to the

Web Intelligence Job Server, which sends the request to the Web Intelligence Report Server.

• If the object is a report, it sends the job to the Report Job Server.• If the object is program, it sends the job to the Program Job Server.

7. The job server retrieves the object from the Input File Repository Server and runs the object against the database, thereby creating an instance of the object.

8. The job server then saves the instance to the Output File Repository Server, and tells the CMS that it has completed the job successfully.If the job was for a Web Intelligence document, the Web Intelligence Report Server notifies the Web Intelligence Job Server. The Web Intelligence Job Server then notifies the CMS that the job was completed successfully.

Note: • The Cache Server and the Page Server do not participate in scheduling

reports or in creating instances of scheduled reports. This can be an important consideration when deciding how to configure BusinessObjects Enterprise, especially in large installations.

• When you schedule program objects or object packages, the interaction between servers follows the same pattern as it does for reports.

What happens when you view a report?This section describes the viewing mechanisms that are implemented in InfoView. It contains information on:



• Report viewing with the Cache Server and Page Server• Report viewing with the Report Application Server• Viewing Web Intelligence documentsWhen you view a report through BusinessObjects Enterprise, the processing flow varies depending upon your default report viewer, the type of report, and the rights you have to the report. In addition, the processing flow for custom applications may differ. In all cases, however, the request that begins at the web server must be forwarded to the application server.The actual request is constructed as a URL that includes the report’s unique ID. This ID is passed as a parameter to a server-side script that, when evaluated by the application server, verifies the user’s session and retrieves the logon token from the browser. The script then checks the user’s InfoView preferences and redirects the request to the viewing mechanism that corresponds to the user’s default viewer.Different report viewers require different viewing mechanisms:• The zero-client DHTML viewer is implemented through

report_view_dhtml.aspx.When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Cache Server and Page Server.

• The zero-client Advanced DHTML viewer is implemented through report_view_advanced.aspx.When evaluated by the application server, this script communicates with the framework (through the published SDK interfaces) in order to create a viewer object and retrieve a report source from the Report Application Server.

• The client-side report viewers (the ActiveX and Java viewers) are implemented through viewrpt.aspx, hosted by the WCA.The Crystal Web Request is executed internally through viewer code on the application server. The viewer code communicates with the framework in order to retrieve a report page (in .epf format) from the Cache Server and Page Server.If they haven’t already done so, users are prompted to download and install the appropriate viewer software.



Report viewing with the Cache Server and Page ServerThis section describes the process for viewing a Crystal report when using the zero-client DHTML, ActiveX, or Java viewer. This process uses the Cache Server and the Page Server.1. Upon receiving a report-viewing request, the Cache Server checks to see

if it has the requested pages cached. Cached pages are stored as Encapsulated Page Format (.epf) files.

2. If a cached page for the report (.epf file) is available:a. The Cache Server checks with the CMS to see if the user has rights

to view the cached page.b. If the user is granted the right to view the report, the Cache Server

sends the cached page (.epf file) to the application server.3. If a cached page for the report (.epf file) is unavailable:

a. The Cache Server requests new cached pages (.epf files) from the Page Server.

b. The Page Server checks with the CMS to see if the user has rights to view the report.

c. If the user is granted the right to view the report, the Page Server retrieves the report from the Input File Repository Server.

d. If the report is an instance, and the user only has View rights, the Page Server will generate pages of the report instance using the data stored in the report instance. That is, the Page Server will not retrieve the latest data from the database.If the report is an object, the user must have View On Demand rights to view the report successfully (because the Page Server needs to retrieve data from the database).

e. If the user has sufficient rights, the Page Server generates the cached page (.epf files) and forwards them to the Cache Server.

f. The Cache Server then caches the pages (.epf files).g. The Cache Server sends the pages (.epf files) to the application

server.4. The application server sends the report to the user’s Web browser in one

of two ways, depending on how the initial request was made:• If the initial request was made through a DHTML viewer

(report_view_dhtml.aspx), the viewer SDK (residing on the application server) is used to generate HTML that represents both the DHTML viewer and the report itself. The HTML pages are then returned through the web server to the user’s web browser.



• If the initial request was made through an Active X or Java viewer (viewrpt.aspx), the application server forwards the cached pages (.epf files) through the web server to the report viewer software in the user’s web browser.

Report viewing with the Report Application ServerThis section describes the process for viewing a Crystal report when using the Advanced DHTML viewer. This process flow uses the Report Application Server (RAS).1. Upon receiving a report-viewing request, the RAS checks to see if it has

the requested report data in cache. (The RAS has its own caching mechanism, which is separate from the Cache Server.)

2. If a cached version of the report (.epf file) is available:a. The RAS checks with the CMS to see if the user has rights to view

the report.b. If the user is granted the right to view the report, the RAS returns

cached pages (.epf files) to the application server.3. If a cached page of the report (.epf file) is unavailable:

a. The RAS checks with the CMS to see if the user has rights to view the report.

b. If the user is granted the right to view the report, the RAS retrieves the report object from the Input File Repository Server.

c. The RAS then processes the report object, obtains the data from the database, generates the cached pages (.epf files), caches the pages and sends the pages to the application server.

d. If the user is granted View rights to the report object, then the RAS will only ever generate pages of the latest report instance. That is, the RAS will not retrieve the latest data from the database.If the user is granted View On Demand rights to the report object, then the RAS will refresh the report against the database.Note: The interactive search and filter features provided by the Advanced DHTML viewer are available only if the user has View On Demand rights (or greater) to the report object.

4. When the application server receives the cached pages (.epf files) from the RAS, the viewer SDK generates HTML that represents both the Advanced DHTML viewer and the report itself.

5. The application server sends the HTML pages through the web server to the user’s web browser.



Viewing Web Intelligence documentsThis section describes the process for viewing a Web Intelligence document.1. InfoView sends the request to the web application server.2. The web application server sends the request to the application server,

which creates a new session with the Web Intelligence Report Server.3. The Web Intelligence Report Server checks if the user has rights to use

the Web Intelligence application.4. The web application server then sends the request to the Web

Intelligence Report Server.5. The Web Intelligence Report Server contacts the CMS to check whether

the user has the right to view the document, and to check when the document was last updated.

6. If the user has the right to view the document, the Web Intelligence Report Server checks whether it has up-to-date cached content for the document.

7. If cached content is available, the Web Intelligence Report Server sends the cached document information to the SDK.If cached content is not available, the following happens:a. The Web Intelligence Report Server obtains the document

information from the CMS and checks what rights the user has on the document.

b. The Web Intelligence Report Server obtains the Web Intelligence document from either the Input or Output File Repository Server and loads the document file.Note: Which FRS is used depends on whether the request was for a Web Intelligence document that was saved to BusinessObjects Enterprise or for an instance of the document. Documents are stored on the Input FRS. Instances are generated when an object is run according to a schedule, and they are stored on the Output FRS.

c. If the document is set to “refresh on open” and the user has the View On Demand rights, the Web Intelligence Report Server refreshes the data in the document with data from the database.Note: If the document is set to “refresh on open” but the user does not have View On Demand rights, an error message is displayed.

d. The Web Intelligence Report Server stores the document file and the new document information in cache.

e. The Web Intelligence Report Server sends the document information to the SDK.


BusinessObjects Enterprise ArchitectureChoosing between live or saved data2

8. The viewer script calls the SDK to get the requested page of the document. The request is passed to the Web Intelligence Report Server.

9. If the Web Intelligence Report Server has cached content for the page, it returns the cached XML to the SDK.If the Web Intelligence Report Server does not have the cached content for the page, it renders the page to XML using the current data for the document. It then returns the XML to the SDK.

10. The SDK applies an XSLT style sheet to the XML to transform it to HTML.11. The viewer script returns the HTML to the browser.

Choosing between live or saved dataWhen reporting over the Web, the choice to use live or saved data is one of the most important decisions you’ll make. Whichever choice you make, however, BusinessObjects Enterprise displays the first page as quickly as possible, so you can see your report while the rest of the data is being processed.

Live dataOn-demand reporting gives users real-time access to live data, straight from the database server. Use live data to keep users up-to-date on constantly changing data, so they can access information that’s accurate to the second. For instance, if the managers of a large distribution center need to keep track of inventory shipped on a continual basis, then live reporting is the way to give them the information they need.Before providing live data for all your reports, however, consider whether or not you want all of your users hitting the database server on a continual basis. If the data isn’t rapidly or constantly changing, then all those requests to the database do little more than increase network traffic and consume server resources. In such cases, you may prefer to schedule reports on a recurrent basis so that users can always view recent data (report instances) without hitting the database server.For more information about optimizing the performance of reports that are viewed on demand, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).Tip: Users require View On Demand access to refresh reports against the database.


BusinessObjects Enterprise ArchitectureSecurity management components 2

Saved dataTo reduce the amount of network traffic and the number of hits on your database servers, you can schedule reports to be run at specified times. When the report has been run, users can view that report instance as needed, without triggering additional hits on the database.Report instances are useful for dealing with data that isn’t continually updated. When users navigate through report instances, and drill down for details on columns or charts, they don’t access the database server directly; instead, they access the saved data. Consequently, reports with saved data not only minimize data transfer over the network, but also lighten the database server’s workload.For example, if your sales database is updated once a day, you can run the report on a similar schedule. Sales representatives then always have access to current sales data, but they are not hitting the database every time they open a report.Tip: Users require only View access to display report instances.

Security management componentsSystem security within BusinessObjects Enterprise is distributed across most components, but it is managed primarily by the WCA, the CMS, the security plug-ins, and third-party authentication tools, such as SiteMinder and Kerberos. These components work together to authenticate and to authorize users who access BusinessObjects Enterprise, its folders, and its other objects.This section discusses key components as they relate to system security, including:• Web Component Adapter• CMS• Security plug-insNote: Because these components are responsible for additional tasks, several of the components discussed here are described in additional detail elsewhere in this chapter.


BusinessObjects Enterprise ArchitectureSecurity management components2
Web Component Adapter
The WCA is the gateway between the web server and the remaining BusinessObjects Enterprise components. As such, the WCA receives all HTTP requests that are sent to BusinessObjects Enterprise from users’ web browsers.The WCA ensures that each user has a valid logon token for the system. If the logon token is missing, or if it has expired, the WCA initiates the primary authentication process.The WCA is also responsible for maintaining the user’s session state in the WCA session variable. This session variable contains information that BusinessObjects Enterprise uses when fulfilling user’s requests.

CMSIn relation to system security, the Central Management Server (CMS) performs a number of important tasks. The majority of these tasks rely upon the database that the CMS uses to keep track of BusinessObjects Enterprise system data. This data includes security information, such as user accounts, group memberships, and object rights that define user and group privileges.When you first set up your system, the CMS allows you to create user accounts and groups within BusinessObjects Enterprise. And, with its third-party security plug-ins, the CMS allows you to reuse existing user accounts and groups that are stored in a third-party system (a Windows NT user database, an LDAP directory server, or a Windows AD server). The CMS supports third-party authentication, so users can log on to BusinessObjects Enterprise with their current Windows NT, LDAP, or Windows AD credentials.When users log on, the CMS coordinates the authentication process with its security plug-ins; the CMS then grants the user a logon token and an active session on the system. The CMS also responds to authorization requests made by the rest of the system. When a user requests a list of reports in a particular folder, the CMS authorizes the request only when it has verified that the user’s account or group membership provides sufficient privileges..For more information about the CMS and the CMS database, see “Central Management Server (CMS)” on page 38.


BusinessObjects Enterprise ArchitectureSecurity management components 2

Security plug-insSecurity plug-ins expand and customize the ways in which BusinessObjects Enterprise authenticates users. BusinessObjects Enterprise currently ships with the system default BusinessObjects Enterprise security plug-in and with the Windows NT, LDAP, and Windows AD security plug-ins. Each security plug-in offers several key benefits.Security plug-ins facilitate account creation and management by allowing you to map user accounts and groups from third-party systems into BusinessObjects Enterprise. You can map third-party user accounts or groups to existing BusinessObjects Enterprise user accounts or groups, or you can create new Enterprise user accounts or groups that corresponds to each mapped entry in the external system.The security plug-ins dynamically maintain third-party user and group listings. So, once you map a Windows NT, LDAP, or Windows AD group into BusinessObjects Enterprise, all users who belong to that group can log on to BusinessObjects Enterprise. When you make subsequent changes to the third-party group membership, you need not update or refresh the listing in BusinessObjects Enterprise. For instance, if you map a Windows NT group to BusinessObjects Enterprise, and then you add a new NT user to the NT group, the security plug-in dynamically creates an alias for that new user when he or she first logs on to BusinessObjects Enterprise with valid NT credentials.Moreover, security plug-ins enable you to assign rights to users and groups in a consistent manner, because the mapped users and groups are treated as if they were Enterprise accounts. For example, you might map some user accounts or groups from Windows NT, and some from an LDAP directory server. Then, when you need to assign rights or create new, custom groups within BusinessObjects Enterprise, you make all of your settings in the CMC.Each security plug-in acts as an authentication provider that verifies user credentials against the appropriate user database. When users log on to BusinessObjects Enterprise, they choose from the available authentication types that you have enabled and set up in the Authorization management area of the CMC: Enterprise (the system default), Windows NT, LDAP, or Windows AD.Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK.BusinessObjects Enterprise supports the following security plug-ins:• BusinessObjects security plug-in


BusinessObjects Enterprise ArchitectureSecurity management components2

• Windows NT security plug-in• LDAP security plug-in• Windows AD security plug-in


Planning Your Deployment

chapter

Planning Your DeploymentPlanning your deployment3
Planning your deployment
This section provides guidelines for assessing your organization’s needs, and suggestions for deployment scenarios. By putting effort into planning before you deploy your BusinessObjects Enterprise system, you can keep troubleshooting to a minimum and deliver a deployment tailored to your organization’s unique needs.The section includes many examples and suggestions for deployment, but it is important to note that each deployment of BusinessObjects Enterprise is unique. The flexibility of its service-based architecture allows you to tailor the deployment to serve your organization’s requirements as precisely as possible.Planning your deployment involves the following steps:1. Perform a detailed assessment of your needs and limitations. You need

to know who will be using the system and what they will be using it to accomplish. For more information, see “Assessing your organization’s needs” on page 58

2. Calculate the resources required to support your organization’s needs. How much load is supported by each server component? What hardware is required to support the load? For information about analyzing service thresholds and calculating server and hardware requirements, see “Calculating resource requirements” on page 64.

3. Choose an initial deployment architecture. What deployment architecture will serve your needs within the limits of your resources? For suggestions and common configurations, see “Common configurations” on page 78.

4. Test your deployment and adjust it to improve performance. It is good practice to deploy a test environment and fine-tune it before implementing your full production deployment. For more information, see “Improving Performance” on page 337.

Assessing your organization’s needsBefore you choose a system architecture and deploy BusinessObjects Enterprise, you need to perform a detailed assessment of your organization’s needs. Who will be using the system? How will they be using it? What types of documents will be managed through the system? What volume of content will be accessed through the system? By understanding your users and the volume of traffic they will generate, you can determine the resources required for your deployment.


Planning Your DeploymentAssessing your organization’s needs 3

To make an accurate assessment, you need to perform the following tasks:1. Determine the number of users on the system, and the type of users they

are. See “Estimating the number and type of users” on page 59.

2. Estimate the number of simultaneous requests.See “Estimating the number of simultaneous requests” on page 61.

3. Estimate the number of concurrent active users and simultaneous viewing sessions. See “Estimating the number of concurrent active users and viewing sessions” on page 62.

If you are assessing the performance of an existing system, you can use server metrics to determine how your system is currently being used. For information about assessing the performance of an existing deployment of BusinessObjects Enterprise, see “Assessing your system’s performance” on page 338.

Estimating the number and type of usersThe first step toward understanding how your BusinessObjects Enterprise system will be used is to determine the total number of users. You also need to estimate the number of concurrent users: users who are logged onto BusinessObjects Enterprise at the same time. You also need to understand how your users will use the system and how much traffic they will generate.To accurately determine the number and type of users of BusinessObjects Enterprise, perform the following steps:

To estimate the number and type of users1. Determine the total number of users of the system.

Include all users who will potentially have access to the system.2. Adjust the total number of users to account for future users.

How many new users do you expect to add to the system this year? In the next five years? By deploying a system that is robust enough to accommodate future growth, you can save time and money later.

3. Estimate the number of concurrent users.The number of concurrent users is typically 10% to 20% of the total number of potential users in the system. For example, if you have a total of 4000 users, you will probably have 400 to 800 concurrent users.


Planning Your DeploymentAssessing your organization’s needs3

Note: The number of concurrent users will be used to calculate the resource requirements for the Web Application Server and the number of concurrent active users. For information, see “Estimating the number of concurrent active users and viewing sessions” on page 62.

4. Divide the number of concurrent users into groups according to how they will use the system:• Heavy Users

Heavy users are logged onto the system all day. They interact with objects continuously throughout the day, averaging one request per second.

• Active UsersActive users log onto the system frequently throughout the day. They average one request every four seconds.

• Moderate UsersModerate users log onto the system at various points throughout the day. They average one request every eight seconds.

• Light UsersLight users log onto the system infrequently. They view a couple of objects and log out, averaging one request every 16 seconds.

Make note of the number of users that fall into each of these groups.

Other user considerationsWhen you draft your final deployment plan, it is also important to think about think about where your users are and when they will use the system:• Determine the number of users for each geographical location.

Where your users are can affect how you configure your system architecture. Make note of the number of users at various locations. You may want to establish local processing servers to account for significant load in areas with more users.

• Estimate traffic schedule. Knowing when your users are likely to use BusinessObjects Enterprise can also help you configure your deployment. If users around the world access the system throughout the day and night, then the system should be prepared for the continuous traffic. Or, you may run all of your scheduled objects in the evenings and your users don’t access them until the morning, so you may want to maintain different server configurations for day and night traffic. It is also important to consider traffic from different time zones.



Estimating the number of simultaneous requestsThe number of requests that the system needs to process simultaneously affects how you configure and expand your deployment. Specifically, you need the number of simultaneous requests when you calculate the resource requirements for the Central Management Server, the Web Application Server, the Cache Server, the Report Application Server, and the Page Server.The number of simultaneous requests is typically 10% to 20% of the number of concurrent users. For example, if you have 400 concurrent users, you will probably have between 40 and 80 simultaneous requests. However, your users may differ from the typical scenario. To make your estimates as accurate as possible, group your users according to how they will use the system. After you determine the number of users in each group, you can use common usage rates to calculate a final estimate of the number of simultaneous requests. For information about grouping your users, see “Estimating the number and type of users” on page 59.

To estimate the number of simultaneous requests1. Sort your estimated number of concurrent users into groups.

For information about grouping your users, see “Estimating the number and type of users” on page 59.

2. Calculate the number of simultaneous requests, using the following formula:((#of heavy users)*1) + ((# of active users)*.25) + ((#

of moderate users)*.12) + ((# of light users)*.06)

For example, if you have 400 concurrent users and 10 are heavy users, 40 are active users, 150 are moderate users, and 200 are light users, the formula will look like this:(10*1) + (40*.25) + (150*.12) + (200*.06) = 10 + 10 + 18 + 12 = 50 simultaneous requests

3. If necessary, round up the result for your final estimate of the number of simultaneous requests.

Note: This step procedure uses the following common usage rates tested by Business Objects:


Planning Your DeploymentAssessing your organization’s needs3

Estimating the number of concurrent active users and viewing sessions

A concurrent active user is a user that is logged onto the system and is running at least one open viewing session. A viewing session refers to the length of time that an object is viewed by one or more users. When a user interacts with an object in BusinessObjects Enterprise, a viewing session is created for the object. The session remains open until the object’s idle time expires. The number of concurrent active users is used to calculate resource requirements for the Central Management Server. The number of simultaneous viewing sessions is used to calculate resource requirements for Web Intelligence Report Servers and all types of Job Servers.

Concurrent active usersTo calculate an accurate estimate of the number of concurrent active users, you need to ask questions about how your users work and about the objects they use.• Users

Determine the number and type of concurrent users. (For information about estimating the number of concurrent users, see “Estimating the number and type of users” on page 59.) How many concurrent users do you have? What percentage of these users will have an active viewing session at the same time? To begin estimating the number of concurrent active users, you can add the number of users that you classified as heavy and active users when you sorted them into groups.

Concurrent users by type Number of simultaneous requests

% of simultaneous usage rate

For every 100 heavy users 100 100%For every 100 active users 25 25%For every 100 moderate users 12 12%For every 100 light users 6 6%



• Objects • Estimate the number of objects per user.

Will your users publish and view their own documents? Or will they spend more time viewing company-wide or departmental reports? How many objects will they use at once? You need to determine how many unique objects such as Crystal reports and Web Intelligence documents might be viewed at the same time by multiple users.

• Estimate the types of objects.The types of objects also affect the number of concurrent active users. Split the total number of objects per user into unique and shared objects. Will your users share documents and reports with others? Shared objects reduce the number of concurrent active users because they allow multiple users to use the same viewing session. Typically, static objects such as operational view-only Crystal reports are more likely to share viewing sessions than Web Intelligence documents or OLAP Intelligence reports, which are dynamically interactive. Keep this in mind when you calculate the shared component of your load requirements.

Viewing sessionsTo estimate the number of simultaneous viewing sessions, consider the following examples:• If every user logged onto the system is interacting with a single unique

object (such as a report, a document, or a dashboard), the number of viewing sessions is equal to the number of concurrent users. If you had 100 users viewing 100 unique objects, then the number of viewing sessions equals 100.

• If every user logged onto the system is interacting with more than one unique object, the number of viewing sessions is higher than the number of concurrent users. If every user viewed two unique objects, for example, then the number of viewing sessions will be twice the number of concurrent users.

• If every user logged onto the system is viewing one or more objects that are not unique (shared between users), the number of viewing sessions will be lower than the number of concurrent users. If you have 100 users and 50 of them are viewing a shared report, while the other half are interacting with a single unique object, then there will be 51 viewing sessions: one for the shared report and 50 for the unique objects.


Planning Your DeploymentCalculating resource requirements3

Based on your understanding of your users and the shared and unique content they need, you can use the following equation to determine a rough estimate of the number of viewing sessions:(# of unique objects)(number of concurrent users viewing

unique objects) + number of shared objects

For example, if you have 100 concurrent active users and 20 users are viewing 2 shared objects and 80 users are viewing 2 unique objects each, then you will have 162 simultaneous viewing sessions:(2)(80) + (2) = 162

If you have 100 concurrent active users and 80 users are viewing 2 shared objects and 20 users are viewing 2 unique objects each, then you will have 42 simultaneous viewing sessions:(2)(20) + (2) = 42

Calculating resource requirementsIn the previous sections, you estimated the number and type of users, the number of simultaneous requests, the number of concurrent active users, and the number of viewing sessions. Together, this information allows you to estimate the load that will be placed on your system. The next step is to determine the BusinessObjects Enterprise and hardware resources required to support the load. To estimate the system’s resource requirements, you need to use service threshold standards to estimate the following: • The number of BusinessObjects Enterprise server components (or

services) you need in order to accommodate the load.• The number of CPUs required to run the server components and support

the load.For a table summarizing resource calculations, see “Summary of resource calculations” on page 73.

Analyzing service thresholdsBefore you can calculate your resource estimates, you need to analyze the service thresholds for the following server components:• Central Management Server• Web Application Server• Cache Server• Report Job Server


Planning Your DeploymentCalculating resource requirements 3

• List of Values Job Server• Web Intelligence Report Server• Report Application Server• Page ServerIt is important to note that the service threshold numbers provided in this section are based on benchmark testing performed by Business Objects. The test machines had an average clock speed of 2.5 GHz with 2 GB memory per CPU.These threshold numbers are intended only as a baseline to help you determine the size and configuration of your system. These numbers are affected by many factors, such as: the size and complexity of objects; the number of users; your network speed; operating system; clock speed; application server; disk speed; memory; and many more factors. The sample threshold numbers provided here assume that each BusinessObjects Enterprise server is installed on a separate machine and that each machine is a single CPU box. After you perform the initial sizing calculations, you can adjust the sizing numbers and system configuration to accommodate your specific system requirements. It is important to monitor your system performance regularly and adjust the configuration accordingly. For more information about monitoring performance, see “Assessing your system’s performance” on page 338.Note: For more information about these server components and how they work together, see “BusinessObjects Enterprise Architecture” on page 29.Note: The Event Server is not a processing- or memory-intensive server, so it is not included in the discussion of service thresholds. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see “Scaling your system” on page 366.

Central Management ServerCentral Management Server thresholds depend on the number of CPUs and the number of services running on them. It’s good practice to configure for a higher number of users and simultaneous requests than your current system usage. • One Central Management Server can handle 600 concurrent active users

and 150 simultaneous requests.• One CPU can handle 500 concurrent active users and 150 simultaneous

requests.For example, to support 4000 concurrent active users generating 400 simultaneous requests, your deployment could include:



• Two quad boxes with four CMS services each. • Eight single CPU machines with one CMS service each. Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.

Estimating CMS memory usageTo determine how much memory you need on the Central Management Server machine, estimate how many objects and instances you’ll have in the system and calculate the estimated memory usage. This table lists the estimated memory usage for the object types:

Note: • There are many factors that can increase the amount of memory required

for the Central Management Server. Report objects and instances in particular can vary in size considerably. For example, report instances that contain numerous prompts will be larger than average because every string prompt requires 256 bytes. In normal operation, the Central Management Server keeps only the most recently accessed objects in memory. During periods of rapid object access, such as batch reporting, the Central Management Server may exceed the specified amount of memory.

• Memory requirements depend on the number of individual accounts and objects that need to be loaded by the Central Management Server. For example, when you access a folder or a category, if the folder contains many objects and instances, it will take longer to load. By maintaining a detailed and organized folder structure, you can improve the speed of your system.

• The registry setting MaximumObjectsToKeepInMemory controls the number of objects kept in memory by the Central Management Server. Adjust this setting if memory resources on the Central Management Server are either scarce or plentiful.

Object Estimated Memory Usage

User 14 KB (7 KB memory and 7 KB virtual memory)Folder 10 KBReport object 20 KB average (Report object size can vary

considerably. Estimate higher for large or complex report objects.)

Report instance 20 KB average per instance



Web Application ServerEach Web Application Server handles different numbers of concurrent active users and simultaneous requests. When you’re configuring your Web Application Server (for example, IIS, Apache Tomcat, BEA WebLogic, or IBM WebSphere), consider the main functions of the Web Application Server within the BusinessObjects Enterprise system:• Processing the .NET/Java script• Translating the Encapsulated Page Files (page on demand) to DHTML

pages.• Communicating with the Crystal Reports Cache Server for report view

requests.• Managing session state information for the users.• Facilitating OLAP Intelligence view requests.• Communicating with the Web Intelligence Report Server for view

requests.Web Application Server thresholds generally depend on the number of CPUs and the number of services running on them. It’s good practice to configure for a higher number of users and simultaneous requests than your current system usage. • One service can handle virtually unlimited numbers of concurrent users

and simultaneous requests, but consult your web application server documentation for specific numbers.

• One CPU can handle 400 concurrent users• One CPU can handle 100 simultaneous requests if ActiveX is used as a

primary viewer.• One CPU can handle 50 simultaneous requests if DHTML is used as a

primary viewer.• One CPU can handle 40 simultaneous requests if OLAP Intelligence is

used as a primary document viewing engine (OLAP DHTML viewer).For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include one web application service installed across • 10 single-CPU machines.• Two quad boxes and a dual machine.• Five dual machines. Note: This example is only a guideline. You need to consider CPU speed, network configuration, database connectivity, and so on.


Cache Server
The Cache Server handles all report viewing requests. When the Cache Server receives a request, it checks whether of not it can fulfill the request with a cached report page. If the Cache Server finds a cached page that displays the required data and the data has been refreshed from the database within the specified interval, the Cache Server returns the cached report page to the Web Application Server. If not, then the page is requested from the Page Server.The thresholds for the Cache Server are:• 1 service can handle 400 simultaneous requests.• 1 CPU can handle 200 simultaneous requests.For example, to support 4000 concurrent users generating 400 simultaneous requests, your deployment could include:• one Cache Server service installed across a dual-CPU machine.• two Cache Server services installed across two single-CPU machines.Note: Since the Cache Server works directly with the Page Server, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers.

Report Job ServerThe Report Job Server processes report objects for the Central Management Server and generates report instances.The thresholds for the Report Job Server are:• One Job Server can handle 20 concurrent Crystal Reports jobs.• One CPU can handle five concurrent Crystal Reports jobs.Do not set individual Job Servers to process more than 20 simultaneous jobs. For example, if there are 40 simultaneous jobs and you have an 8-CPU computer, configure two Job Servers on the machine with each server set to handle 20 simultaneous jobs.Note: Complex reports that retrieve and process a large set of data should be scheduled. Jobs run as independent processes rather than threads on the Reports Job Server. This requires more resources for each job, but allows for efficient processing of a smaller set of large processing reports.

Reports Job Server threshold formulaYou can use the following formula to help determine the number of Report Job Servers you need:



((# of reports) x (average report processing time)) / ((time window) x (maximum number of jobs per job server) = # of job servers required

Note: Make sure you use the same time measurement (minutes, for example) for the average report processing time and the time window. (The time window is the maximum amount of time the system can take to process the reports.)For example:(200 reports x 1 minute) / (10 minutes x 20) = 1 job server

required

List of Values Job ServerThe List of Values (LOV) Job Server processes List of Values objects for the Central Management Server and generates object instances. List of Values objects are used for dynamic prompts and cascading lists of values for Crystal reports.The thresholds for the List of Values Job Server are:• One List of Values Job Server can handle 20 simultaneous requests.• One CPU can handle five simultaneous requests.

Web Intelligence Report ServerThe Web Intelligence Report Server is used to create, edit, view, and analyze Web Intelligence documents (stored in the File Repository Servers). It also processes scheduled Web Intelligence documents and generates new instances of documents. Depending on the user’s access rights and the refresh options set on the document, the Web Intelligence Report Server uses cached information or refreshes the data.Note: The Web Intelligence Report Server also processes Crystal xCelsius documents. If your users work with Crystal xCelsius, they may have significantly higher simultaneous viewing sessions and you will need to install more Web Intelligence Report Servers.The thresholds for the Web Intelligence Report Server are:• One Web Intelligence Report Server can support 25 simultaneous

viewing sessions.• One CPU can support 25 simultaneous viewing sessions.For example, if you expect users of Web Intelligence documents to need an average of 100 simultaneous viewing sessions, you could have four Web Intelligence Reports Server services installed on a quad machine.



Note: Memory requirements can be affected by the document design and the types of actions being performed. For example, a refresh request demands the greatest amount of memory for a Web Intelligence document because the database is queried and the entire dataset is transferred to the Web Intelligence Report Server.

Report Application ServerThe Report Application Server processes reports that InfoView users view with the Interactive DHTML viewer. It also provides the reporting capabilities that allow InfoView users to create and modify Crystal report over the web.The thresholds for the Report Application Server are:• One Report Application Server can handle 200 simultaneous requests.• One CPU can handle 25 to 75 simultaneous requests. For optimal

performance, use 25 simultaneous requests for your calculations.For example, if you expect 100 concurrent active users viewing or modifying a Crystal report, you could configure a quad machine with one Report Application Server installed for each CPU.

Page ServerThe Page Server retrieves data for the report from an instance or directly from the database (depending on the user’s request and access rights for the object). The Page Server responds to page requests made by the Cache Server. The Page Server and Cache Server interact to ensure cached EPF pages are reused as frequently as possible. The number of concurrent active users is not important for determining the number of Page Servers you need, because BusinessObjects Enterprise automatically creates new Page Server processes to accommodate extra traffic.Because Cache Servers work directly with Page Servers, the maximum simultaneous requests for the Cache Servers should equal the maximum simultaneous requests for the Page Servers.The thresholds for the Page Server are as follows:• One CPU can handle 25 to 75 simultaneous requests. The

recommended settings is 50.For example, to support 400 simultaneous requests, your deployment could include:• one Page Server service installed across an 8-way CPU machine.• two Page Server services installed across two quad CPU machines.



Note: Unless the machine is dedicated to serve multiple Page Server groups, do not install more than one Page Server on a single machine (even if the machine has four or more CPUs).

Dedicated Page Server machineIf you have a dedicated Page Server machine, it will dynamically adapt to different loads by creating and stopping Page Server processes as needed (within available resources). For a dedicated Page Server, it is good practice to change the Maximum Simultaneous Report Jobs setting to Unlimited. When you use the Unlimited setting, the maximum number of jobs is set to 25 jobs per CPU, with a minimum of 50. For example, • For 1 CPU, the Maximum Simultaneous Report Jobs is 50.• For 2 CPUs, the Maximum Simultaneous Report Jobs is 50.• For 4 CPUs, the Maximum Simultaneous Report Jobs is 100.• For 8 CPUs, the Maximum Simultaneous Report Jobs is 200.

Shared Page Server machineIf the Page Server shares resources with other services such as the Job Server or the Central Management Server, you may want to change the Maximum Simultaneous Report Jobs setting. The recommended range for this value is between 25 and 75 per available CPU. If machine resources are particular scarce, as in a full deployment on one standalone machine for example, you may need to choose a value below 25.

Calculating the minimum resource requirementsAfter you assess your organization’s needs and understand the service threshold limitations, you can determine the minimum resources needed to implement an effective BusinessObjects Enterprise deployment.To calculate the minimum resource requirements, you need the following information from the previous section:• The estimated number of concurrent users. • The estimated number of simultaneous requests.• The estimated number of concurrent active users and viewing sessions.• Service threshold information for each server type.This section provides examples of how to calculate the minimum required resources for your deployment. Note: You may also want to expand the system to account for high availability. For information about designing for high availability, see “Designing for high availability” on page 76.


Central Management Server
For this example, assume that you estimated a total of 8000 users of the system, with 800 concurrent active users.According to the service threshold benchmarks, a single Central Management Server on a single CPU can handle up to 500 concurrent active users. You will need more than one Central Management Server to support all requests. In this example, you would need to install two Central Management Server services across two single-CPU machines to support up to 1000 users. This exceeds the system’s needs by 200 concurrent active users but allows for future growth.

Web Application ServerAssume that the 800 concurrent users view Crystal report objects using the ActiveX viewer and generate an average of 100 simultaneous requests.One Web Application Server allows for 400 concurrent users per processor. It also allows for 100 simultaneous requests. Although the 100 simultaneous viewing ActiveX requests can be handled by a single CPU, this system requires two Web Application Server services because each service can handle only 400 concurrent users per server on a single-CPU machine.

Cache ServerAssume for this example that you have 800 concurrent users using the ActiveX viewer and there are 500 simultaneous requests. Each Cache Server can handle 200 simultaneous requests per CPU. This system requires three Cache Servers installed across three single-CPU machines.

Report Job ServerFor this example, assume that 1000 report objects are being scheduled to run during the night. On average, it takes nine minutes to run each report. You have five hours (300 minutes) to run all of the reports. The number of Crystal Reports Job Server services required is determined by performing the Crystal Reports Job Server threshold calculation. (For more information, see “Report Job Server” on page 68.) In this example, the calculation is:(1000 reports x 9 minutes to run each report) / (300 minutes

for the time window x 20 maximum jobs per service) = 2 Crystal Reports Job Servers installed on two quad machines



Web Intelligence Report ServerAssume for this example that you need to support 100 simultaneous viewing sessions. A single Web Intelligence Report Server can support 25 simultaneous viewing sessions on a single-CPU machine; the system requires four Web Intelligence Report Servers installed across four single-CPU machines.

Report Application ServerIf you have an average of 50 concurrent users working in the Report Application Server, running an average of 50 simultaneous requests, then your system will need one Report Application Server installed across two CPUs. You could install the single Report Application Server on a dual machine.

Page ServerAssume for this example that you have 500 simultaneous requests.One CPU can handle 50 simultaneous requests, this system requires 10 CPUs. You need only one Page Server service per machine, because it automatically creates new processes on each machine to account for high traffic. In this example, you could use 3 Page Servers installed across two quad machines and one dual machine.

Summary of resource calculationsThe following table summarizes the load supported by each server component. The table includes the following:• The server component.• The user and traffic loads that each server component can support.• The user and traffic loads that each CPU can handle when running the

server component. • A sample configuration.For more information about the service thresholds, see “Analyzing service thresholds” on page 64. For more information about making resource calculations, see “Calculating the minimum resource requirements” on page 71.


Server type Supported load per
server componentSupported load per CPU

Example

CMS • 600 concurrent active users per CMS

• 150 simultaneous requests per CMS

• 500 concurrent active users per CPU

• 150 simultaneous requests per CPU

• If you have 600 concurrent active users running an average of 100 simultaneous requests, you will need one CMS across two CPUs.

Web Application Server

• 400 concurrent users per Web Application Server

• 400 concurrent users per CPU

• 100 simultaneous requests using the ActiveX viewer per CPU

• 50 to 75 simultaneous requests using the DHTML viewer per CPU

• 40 OLAP Intelligence requests using the OLAP Intelligence DHTML viewer per service per CPU

• If you have 600 concurrent users using the ActiveX viewer and generating an average of 100 simultaneous requests, you will need two Web Application Servers running on a single CPU.

Cache Server • 400 simultaneous requests per Cache Server


• If you have 600 concurrent users running an average of 500 simultaneous requests, you will need three Cache Servers installed across three CPUs.

Report Job Server

• 20 simultaneous report jobs per Job Server

• 5 simultaneous report jobs per CPU

• If you need to run 40 report objects simultaneously every day at midnight, you will need two Job Servers, running on eight CPUs (two quad machines).



List of Values Job Server

• 20 simultaneous requests per List of Values Job Server


• If you need to run 10 objects that use List of Values objects simultaneously, you will need three Job Servers, running on ten CPUs (two quad machines and a dual machine).


• 25 simultaneous viewing sessions per Web Intelligence Report Server

• 25 simultaneous viewing sessions per CPU

• If you need to support 100 simultaneous viewing sessions, you will need four Web Intelligence Report Servers running across four CPUs (one quad machine).

Report Application Server

• 200 simultaneous requests per Report Application Server


• If you need to support 300 simultaneous requests, you will need two Report Application Servers running across 12 CPUs (three quad machines).

Page Server • 25 to 75 simultaneous viewing sessions per CPU. (Use 50 simultaneous viewing sessions for your initial calculations.)

• If you need to support 400 simultaneous viewing sessions, you will need 8 CPUs (two quad machines).

Server type Supported load per server component

Supported load per CPU

Example


Designing for high availability
After you calculate the minimum resource requirements for your system, you should consider expanding your deployment to account for high availability.High availability refers to a system that is almost continuously operational. When designing a system for high availability, you need to consider how much time is acceptable for the system to be down. To minimize the amount of down time, you need to plan for failover processing, system backup, and data storage.To provide a BusinessObjects Enterprise architecture that provides high availability, all of its services and sources of data must be continuously available and operational. You need to consider:• Fault tolerance

If a BusinessObjects Enterprise service fails, a fault tolerance system allows for continuous processing of system requests with no loss of service. To achieve this level of availability, you need to provide duplicate BusinessObjects Enterprise services. For example, if a Web Intelligence Job Server fails, you need a duplicate Web Intelligence Job Server to immediately take its place to process requests with no loss of service.

• Disaster recoveryA disaster recovery plan consists of precautions to be taken in the event of a full system failure. A disaster recovery plan needs to minimize the effects of the disaster on the organization so you can maintain or quickly resume important system functions. If your organization has multiple offices, it is good practice to keep the backup system in a different geographical location.A BusinessObjects Enterprise disaster recovery plan often involves implementing redundant servers in a backup system that mirrors the primary system. In the event that the primary system goes down, the backup system is still available and becomes the full production system.Note: When you back up your primary system, you need to back up: the Central Management Server system database; the content of the Input and Output File Repository Servers; the user ID and password for the Administrator account; the application code from the Web Application Server; and the registry settings (if manual changes were made).

You may not have the resources to implement a high degree of availability, but there are still best practices you can use to provide the best possible availability for your system.



Designing a multiple-server system for high availabilityYou can attain a high degree of availability with a multiple-server system. It depends largely on the resources available to you after the basic resource requirements of the system have been met. You can manage fault tolerance for a multiple-server environment by adding additional services to handle failover support. In a multiple-server environment, the duplicate services can be added to different machines. You can cluster services together so that if one service fails or if there is a hardware failure on the machine running the service, the duplicate service on a different machine continues to process requests with no impact to the system.Two common examples of fault tolerance in a multiple-server environment are:• CMS clustering

With CMS clustering, a set of two or more CMS server machines function as a single Central Management Server. In the event of a failure, the workload of the failed CMS is picked up by another available CMS within the cluster. For more information about CMS clustering, see “Clustering Central Management Servers” on page 114.

• Active and passive File Repository ServersYour deployment can have multiple Input and Output File Repository Servers. The first File Repository Server pair to register with the CMS cluster becomes the active FRS pair and the other FRS services are considered passive. Although all File Repository Server services run simultaneously, only the active FRS pair handles requests. In the event that an active FRS fails, a passive FRS that is registered with the CMS cluster is changed to active status. When the previously active FRS becomes operational again, it is registered as a passive FRS with the CMS.

For disaster recovery, the most important considerations for disaster recovery are backups and data recovery. Depending on your organization’s needs, it may also be important to minimize down time. If your system must remain available during a disaster, it’s good practice to maintain a full backup system that mirrors the primary system.If you set up a backup system, ensure that the two systems do not run at the same time. Otherwise, the primary and backup systems may not be synchronized properly. You can configure the primary and backup systems as


Planning Your DeploymentCommon configurations3

members of the same CMS cluster regardless of location, but ensure that the the primary and backup CMSs run off of the corresponding primary and backup system databases.

Common configurationsAfter you determine the needs of your users and the resources required for the deployment, you can develop an initial deployment architecture for BusinessObjects Enterprise.This section describes potential scenarios for administrators who are planning an installation of BusinessObjects Enterprise. It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines.For information about assessing your system’s unique needs, see “Assessing your organization’s needs” on page 58. For information about fine-tuning performance, see “Improving Performance” on page 337.It is also recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment.As a baseline, this section assumes that you have not yet distributed the BusinessObjects Enterprise servers across multiple machines; however, this section does assume familiarity with the BusinessObjects Enterprise architecture, installation, and server configuration. For preliminary installation information, see the BusinessObjects Enterprise Installation Guide.Tip: If you are deploying multi-processor machines, you may also want to run one or more BusinessObjects Enterprise servers in multiple instances on that machine. For details, see “Adding and deleting servers” on page 105.This section describes the following common configurations:• “Single-machine architecture” on page 79• “Balanced processing architecture” on page 79• “High availability clustered architecture” on page 80• “Firewalled architecture” on page 81For a detailed sample deployment that illustrates the concepts described in this chapter, see “Server deployment and firewall configuration” on page 435.


Planning Your DeploymentCommon configurations 3

Single-machine architectureUseful for testing purposes, this basic configuration separates the BusinessObjects Enterprise servers from the rest of your reporting environment and from your web server, and installs all BusinessObjects Enterprise servers on a single machine. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not need to share with database and web server processes. To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:• Install all of the BusinessObjects Enterprise servers on a single,

dedicated machine.• Run the CMS database on your database server.

If you are still using the MySQL CMS database on Windows, migrate the CMS database to a supported database server. See the Platforms.txt file included with your product distribution for a list of supported database servers.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install your BusinessObjects Enterprise servers on the same machine as your Java web application server and the Web Component Adapter.

Balanced processing architectureThis second configuration divides the BusinessObjects Enterprise processing load in a logical manner, based on the types of work performed by each server. By dividing architecture components into logical groups, you prevent the server components from competing with each other for the same hardware and processing resources.Note: It is recommended that you use three multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:• Install the BusinessObjects Enterprise management components on one

machine. For example, you could install the Central Management Server and the Event Server on one machine.Note: Here, the Event Server is installed on the same machine as the Central Management Server. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.



• Install the web services components on the second machine. For example, you could install the web application server, the Web Component Adapter, and the Cache Server on the second machine. Note: In this example, the Cache Server is installed with the The Cache Server is included with the web services components because it communicates regularly with the Web Application Server. You could install it on the third machine instead.

• On the third machine, install the storage and processing components: the Page Server, the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, the Web Intelligence Report Server, the Report Application Server (RAS), and the Input and Output File Repository Servers.

For a UNIX installation (or for a Windows installation that uses the BusinessObjects Enterprise Java SDK), install the Java web application server and the Web Component Adapter on the same machine as your Cache Server.Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.

High availability clustered architectureOne of the most common configurations, this third configuration mirrors the balanced processing architecture. You maintain the logical breakdown of processing based on the types of work performed by each server, but you increase the number of available machines and servers for redundancy and fault-tolerance. If a server stops responding, or if you need to take one or two machines offline completely, you need not interrupt BusinessObjects Enterprise requests in order to service the system.Note: This example was tested using five multi-processor machines (dual-CPU or better), with at least 2 GB RAM installed on each machine.To set up this configuration for the default Windows installation of BusinessObjects Enterprise, perform the following steps:• Install the balanced processing setup first. Verify that BusinessObjects

Enterprise is functioning correctly. For details, see “Balanced processing architecture” on page 79.

• Install a second CMS/Event Server pair on the fourth machine. This machine must have a fast network connection (minimum 10 Mbps) to the CMS that you have already installed.


Planning Your DeploymentCommon configurations 3

Cluster the two CMS services, so they share the task of maintaining the CMS database. Ensure that each CMS accesses the CMS database in exactly the same manner (the same database client software, the same database user name and password, and so on). For more information about CMS clustering, see “Clustering Central Management Servers” on page 114.Note: Here, the Event Server is installed on the same machine as the CMS. In general, however, the Event Server should be installed on the machine where your monitored, file-based events occur.

• On the remaining machine, install a second Page Server, Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, and Report Application Server, along with a pair of Input and Output File Repository Servers.Ensure that all Page Servers and job servers, including the Web Intelligence Report Server, can access your reporting database in exactly the same manner. Install and configure any required database client software similarly on each machine, along with any ODBC DSNs that are required for your reports.

Note: As with the one-machine setup, install your BusinessObjects Enterprise servers on machines that are separate from your web server and database servers. This grants the BusinessObjects Enterprise servers their own set of processing resources, which they do not have to share with database and web server processes.

Firewalled architectureAnother common configuration is a firewalled architecture based on one of the previous configurations. For a detailed example of a firewalled deployment, see “Server deployment and firewall configuration” on page 435.For general information about configuring firewalls with BusinessObjects Enterprise, see “Working with Firewalls” on page 157.




Creating a WebSphere cluster

chapter

Creating a WebSphere clusterOverview4
Overview
WebSphere Application Server Network Deployment has the ability to balance the application workload through the use of vertical and horizontal scaling. A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. While you can configure either type of cluster, or have a combination of vertical and horizontal clusters, this section explains how create a vertical cluster and deploy InfoView on this vertical cluster.When you cluster InfoView in the method described in this section you will create logon session affinity, not session failover. This means that under normal circumstances, once a session begins, all requests for that session go to the same cluster member. However, if the cluster member processing your session fails, your session will be automatically redirected to another functioning cluster. While you will not be required to log on again, you may loose your context, and may be required to navigate back to your original location.Note: Logon session affinity is only supported for InfoView. None of the other applications have support for this feature at this time.

Before you beginMake sure the following servers are installed:• IBM WebSphere Application Server Network Deployment with

administrative privileges.• IBM WebSphere Application Standalone Server with administrative

privileges.

Creating a WebSphere clusterCreating and setting up the WebSphere cluster includes these tasks:• “Starting the servers” on page 85• “Creating a cluster” on page 87• “Checking the assigned port number” on page 89• “Adding the assigned port number” on page 90• “Setting heap size” on page 90• “Setting internal system configuration” on page 92• “Installing the applications” on page 93


Creating a WebSphere clusterCreating a WebSphere cluster 4

• “Mapping BusinesssObjects WAR files to the cluster” on page 95• “Regenerating the web server plugin” on page 96

Starting the serversTo create a cluster, the deployment manager and the node agent must be running.

To start the servers in WindowsNote: You may be required to be a member of the local Administrators group to start the server.1. Start the deployment manager if it’s not already running:

a. In a command prompt, navigate to the <network_deployment_root> bin directory.

b. Issue the following command to check the status of the deployment manager server:serverStatus dmgr

Note: You can also use serverStatus -all to check the status of the deployment manager server.

c. If the Deployment Manager is not started, start it with the following command:startManager

2. Add the node to the Deployment Manager Cell:a. In the command prompt, navigate to the <App_Server_root> bin

directory.b. Issue the following command to federate the node into the cell and

start the node agent:addNode localhost 8879

3. Initialize the node agent:a. In the command prompt, navigate to the <App_Server_root>

directory.b. Issue the following command to check the status of the node agent:

serverStatus nodeagent

Note: You can also use serverStatus -all to check the status of the node agent.

c. If the node agent is not started, start it with the following command:startNode


Creating a WebSphere clusterCreating a WebSphere cluster4

4. Initialize the HTTP server:a. Open Windows Servicesb. Scroll down and select IBM HTTP Server 1.3.26c. If the status of the IBM HTTP Server is not set to Started, click the

start icon in the tool bar.The servers are now started and you are ready to create a cluster.

To start the servers in UNIXNote: You may require sudo authority on your UNIX machine to start the server. This type of authority is granted by your UNIX administrator. 1. Start the deployment manager if it’s not already running:

a. In a command prompt, navigate to the <network_deployment_root> bin directory.

b. Issue the following command to check the status of the deployment manager server:./serverStatus.sh dmgr

Note: You can also use ./serverStatus.sh -all to check the status of the deployment manager server.

c. If the Deployment Manager is not started, start it with the following command:./startManager.sh

2. Add the node to the Deployment Manager Cell:a. In the command prompt, navigate to the <App_Server_root> bin

directory.b. Issue the following command to federate the node into the cell and

start the node agent:./addNode.sh localhost 8879

3. Initialize the node agent:a. In the command prompt, navigate to the <App_Server_root>

directory.b. Issue the following command to check the status of the node agent:

./serverStatus.sh nodeagent

Note: You can also use ./serverStatus.sh -all to check the status of the node agent.

c. If the node agent is not started, start it with the following command:./startNode.sh



4. Initialize the HTTP server:a. Issue the following command to check if HTTP server is running:

ps -ef | grep httpd

Note: You should see a list of processes running with the name of "httpd".

b. If “httpd” is not running, start your HTTP server manually by issuing the following command:IHS_install_dir/bin/apachectl start

The servers are now started and you are ready to create a cluster.

Creating a clusterA cluster is a group of application servers (cluster members) that are distributed across one or more nodes. An application installed in the cluster runs on each cluster member, so workload management and failover are provided for the application. Following are the steps involved in creating a cluster:

To create a cluster1. Start the IBM WebSphere Administrative Console in your browser.

• For IBM WebSphere 5.1, type http://servername:9091/admin/• For IBM WebSphere 6.0, type http://servername:9060/admin/

2. Logon to the administrative console.3. Expand Servers and click Clusters.4. Click New.

The “Step 1 : Enter Basic Cluster Information” panel appears.5. In the Cluster Name field, type MyCluster.6. Verify that Prefer local enabled is selected.

This specifies whether EJB requests are routed to the node on which the client resides, if possible.

7. Select Create Replication Domain for this cluster.This will create a single replication domain for the cluster to allow replication of session data for a failover.

8. Verify that Do not include an existing server in this cluster is selected. This will create the first cluster member as a new application server instead of using the server1 application server as the first member of your cluster.



9. Click Next.The “Step 2 : Create New Clustered Servers” panel appears.

10. Define a node for the cluster:a. In the Name field, type MgServer1.b. Click your node from the drop down menu.c. In the Weight field, type 2.d. Verify that Generate Unique Http ports is selected.e. Select Create Replication Entry in this server.

Note: Skip this step if you are using WebSphere 6.0.f. Select Existing application server and click was5hostNetwork/

was5host/server1 to select the template in the drop down menu. This will allow the server to use the setting of the server1 applications server as the template for your cluster members.

g. Click Apply.h. MgServer1 is now displayed in the table “Application servers”, at the

bottom of the page.11. In the same panel, define another node for the cluster:

a. Add another cluster member to the server by typing MgServer2 in the Name field.

b. Click on your node from the drop down menu.c. In the Weight field, type 2.d. Verify that Generate Unique Http ports is selected.e. Select Create Replication Entry in this server.

Note: Skip this step if you are using WebSphere 6.0.f. Click Apply.g. MgServer2 is now displayed in the table “Application servers”, at the

bottom of the page.12. Click Next.13. Review the configuration summary and click Finish.

The cluster is now created in the configuration. For each newly defined node go to Servers and click on Application Servers.

14. Save your changes:a. Click the hyperlink Save in the task bar at the top of the console to

open the “Save” page.



b. On the “Save” page, expand and review the list of files to be changed.

c. Click Save.

Checking the assigned port numberFollow the procedures below to check the assigned port numbers in WebSphere 5.1 or WebSphere 6.0:

To check the assigned ports in WebSphere 5.11. Expand Servers and click Application Servers.

The servers that you created (MgServer1 and MgServer2) in the section “Creating a cluster” on page 87 are now listed on the Application Servers page.

2. Click MgServer1.3. Go to the HTTP Transports page.

a. Under Additional Properties, go to Web Container.b. Under Additional Properties, click on HTTP Transports.The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the host name “WCInboundDefault” and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list.

To check the assigned ports in WebSphere 6.01. Expand Servers and click Application Servers.

The servers that you created (MgServer1 and MgServer2) in the section “Creating a cluster” on page 87 are now listed on the Application Servers page.

2. Click MgServer1.3. Go to the HTTP Transports page.

a. Under Container Settings, expand Web Container Settings.b. Click Web container transport chains to view the HTTP ports.The HTTP Transport ports configured for MgServer1 should be listed on this page. In the table, locate the port name “WCInboundDefault“ and note its port number. You need to add this port and the port number configured for MgServer2 to the default_host aliases list.


Adding the assigned port number
After checking the port number in section “Checking the assigned port number” on page 89, add the port numbers to the virtual hosts using the following procedure:

To add the assigned port number1. In the navigation menu, expand Environment, click Virtual Hosts.2. From the virtual hosts list, click default_host.3. Add port number to the host aliases list:

a. Under Additional Properties, click Host Aliases.b. Click New.c. In the HostName field, type *d. In the Port field, type the port number.e. Click OK.Note: Follow this step to add other port numbers to the host aliases list.

4. Save your configuration:a. Click the hyperlink Save in the task bar at the top of the console to

open the “Save” page.b. On the “Save” page, expand and review the list of files to be

changed.c. Click Save.

Setting heap sizeYou may be prompted to set the heap size. Follow the procedures below to set the heap size in WebSphere 5.1 or WebSphere 6.0:

To set the heap size in WebSphere 5.11. Expand Servers and click Application Servers.2. Click on the application server to set its heap size.3. Go to the JVM page.

a. Scroll down until you see Process Definition in the Additional Properties table.

b. Click on Process Definition.c. Scroll down and click on Java Virtual Machine in the Additional

Properties table.



4. Scroll down until you see Initial Heap Size.5. In the Initial Heap Size field, type 512.6. In the Maximum Heap Size field, type 1024.7. Click Apply and OK.8. Save your changes:

a. Click the hyperlink Save in the task bar at the top of the console to open the “Save” page.


c. Click Save.Note: Follow the same procedure to set heap sizes of any other servers.

To set the heap size in WebSphere 6.01. Expand Servers and click Application Servers.2. Click on the application server to set its heap size.3. Go to the JVM page.

a. Under the “Server Infastructure section”, click and expand Java and Process Management.

b. Click on Process Definition.c. In the Additional Properties section, click on Java Virtual

Machine.4. Scroll down until you see Initial Heap Size.5. In the Initial Heap Size field, type 512.6. In the Maximum Heap Size field, type 1024.7. Click Apply and OK.8. Save your changes:



c. Click Save.Note: Follow the same procedure to set heap sizes of any other servers.


Setting internal system configuration
For each node in a new cluster, set the path variable that applies to your environment and the PATH.

To set internal system configuration in Windows1. Expand Servers and click on Application Servers.2. Click on your server name.3. Go to the Custom Properties page.

• If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties.

• If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.

4. Click New.5. In the * Name field, type PATH. 6. In the * Value field, type the path that points to BusinessObjects folder.

Note: The default location of this folder is C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86. Modify the path if you changed the default location.

7. Click Apply.8. Click OK.9. Save your changes:



c. Click Save.

To set internal system configuration in UNIX1. Expand Servers and click on Application Servers.2. Click on your server name.3. Go to the Custom Properties page.

• If you are using WebSphere 5.1, under Additional Properties, click on Custom Properties.

• If you are using WebSphere 6.0, under Server Infastructure, expand Administration and click on Custom Properties.

4. Click New.



5. In the * Name field, type the name of the path variable that applies to your deployment. These are your options:

6. In the * Value field, type the path that points to BusinessObjects platform name folder.The location of this file is <INSTALLDIR>/bobje/enterprise115/solaris_sparc

Replace INSTALLDIR with the location of your installation and replace solaris_sparc with the platform name that applies to your installation. The platform name options are as follows:• aix_rs6000

• linux_x86

• hpux_pa_risc

7. Click Apply.8. Click OK.9. Save your changes:



c. Click Save.

Installing the applications To install the applications in Windows

1. Go to the administrative console.2. Expand Applications and click Install New Application3. Select Local path system and click Browse. 4. Navigate to the application directory, select and click Open. The Local

path field should now contain the path of the WAR file.

Operating System

Variable

For Solaris LD_LIBRARY_PATHFor AIX LIBPATHFor Linux LD_LIBRARY_PATHFor HPUX SHLIB_PATH



Note: The default location for the application files is c:\Program Files\Business objects\BusinessObjects Enterprise 11.5\java\applications\

5. Type the context root for the application file in the Context Root field.6. Click Next.7. Accept the defaults on each page and click Next until you get to “Step:3

Map modules to application servers”.Note: Each page may take several minutes to process.

8. Select the application server you created from the Clusters and Servers field.

9. Select the module to apply it to, and click Apply.10. Click Next, and click Finish.

Note: You will receive a message when the process is complete.

To install the applications in UNIX1. Go to the administrative console.2. Expand Applications and click Install New Application3. Select the Server Path button.4. Click Browse and then find the location of the war files.

Note: The application files can be found in the location <INSTALLDIR>/bobje/enterprise115/java/applications, where INSTALLDIR is the directory where you installed BusinessObjects Enterprise.

5. Click the button beside the file you want to deploy, and then click OK. 6. Type the context root for the application file in the Context Root field.7. Click Next.8. Accept the defaults on each page and click Next until you get to “Step:3

Map modules to application servers”.Note: Each page may take several minutes to process.

9. Select the application server you created from the Clusters and Servers field.

10. Select the module to apply it to, and click Apply.11. Click Next, and click Finish.

Note: You will receive a message when the process is complete.



Mapping BusinesssObjects WAR files to the clusterFollow the procedures below to map BusinessObjects WAR files to the cluster in WebSphere 5.1 or WebSphere 6.0:

To map BusinessObjects WAR files to the cluster in WebSphere 5.11. In the navigation menu, expand Applications and click on Enterprise

Applications.2. Click on desktop_war from the list.3. Go to the Map modules page.

a. Scroll down to Additional Properties.b. Click on Map modules to application servers.

4. In the list, scroll to select a cluster that you want to map the modules to.Note: This cluster can be the same cluster that you created in section “Creating a cluster” on page 87.

5. Select your module from the Module section of the table.6. Click Apply, and OK.7. Save your changes:



c. Click Save.

To map BusinessObjects WAR files to the cluster in WebSphere 6.01. In the navigation menu, expand Applications and click on Enterprise

Applications.2. Click on desktop_war from the list.3. Go to the Map modules page.

a. Scroll down to Additional Properties.b. Click on Map modules to servers.

4. In the list, scroll to select a cluster that you want to map the modules to.Note: This cluster can be the same cluster that you created in section “Creating a cluster” on page 87.

5. Select your module from the Module section of the table.6. Click Apply, and OK.



7. Save your changes:a. Click the hyperlink Save in the task bar at the top of the console to

open the “Save” page.b. On the “Save” page, expand and review the list of files to be

changed.c. Click Save.

Regenerating the web server pluginWhen you make changes to an application server, you must regenerate the Web server plugin configuration file to ensure that the correct set of requests are forwarded to the WebSphere Application Server. Follow the procedures below to regenerate the web server plugin in WebSphere 5.1 or WebSphere 6.0:

To regenerate the web server plugin in WebSphere 5.11. Follow these steps to update the web server plugin:

a. In the navigation menu, expand Environments and click on Update Web Server Plugin.

b. Click OK.Note: If the update is successful, a confirmation message will appear at the top of the page stating, “The web server plugin configuration was updated successfully”.

2. You can view or download the current web server plugin file by clicking on the hyperlink “View or download the current web server plugin configuration file”.

To regenerate the web server plugin in WebSphere 6.01. Follow these steps to update the web server plugin:

a. In the navigation menu, expand Servers and click on Web servers.b. Select your server from the list and click on Generate Plug-in.

2. You can view or download the current web server plugin file by clicking on the hyperlink “View or download the current web server plugin configuration file”.


Managing and Configuring Servers

chapter

Managing and Configuring ServersServer management overview5
Server management overview
This section provides information on a range of server tasks that allow you to customize the behavior of BusinessObjects Enterprise. It also includes information on the server settings that you can alter to accommodate the needs of your organization. The default values for these settings have been chosen to maximize the reliability, predictability, and consistency of operation of a typical BusinessObjects Enterprise installation. The default settings guarantee the highest degree of data accuracy and timeliness. For example, by default, data sharing between reports is disabled. When running reports on demand, disabling data sharing means that every user can always assume that they will receive the latest data. If you prefer to place more emphasis on the efficiency, economy, and scalability of BusinessObjects Enterprise, you can tune server settings to set your own balance between system reliability and performance. For example, enabling data sharing between reports markedly increases system performance when user loads are heavy. To take advantage of this feature while ensuring that every user receives data that meets your criteria for timeliness, you can also specify how long data will be shared between users.

BusinessObjects Enterprise administrative toolsBusinessObjects Enterprise includes two key administrative tools that allow you to view and to modify a variety of server settings:• Central Management Console (CMC)

The CMC is the web-based administration tool that allows you to view and to modify server settings while BusinessObjects Enterprise is running. For instance, you use the CMC to change the status of a server, change server settings, access server metrics, or create server groups. Because the CMC is a web-based interface, you can configure your BusinessObjects Enterprise servers remotely over the Internet or through your corporate intranet.

• Central Configuration Manager (CCM)The CCM is a program that allows you to view and to modify server settings while Business Objects servers are offline. For instance, you use the CCM to stop servers, to modify performance settings, and to change the default server port numbers. With BusinessObjects Enterprise, the CCM allows you to configure BusinessObjects Enterprise remotely over your corporate network.

You can accomplish some configuration tasks with both tools, while other tasks must be performed with a specific tool.


Managing and Configuring ServersViewing and changing the status of servers 5

Related topics:• For an overview of the multi-tier architecture and the BusinessObjects

Enterprise server components, see ”BusinessObjects Enterprise Architecture” in the BusinessObjects Enterprise Administrator’s Guide.

• With the BusinessObjects Enterprise Software Development Kit (SDK), you can now access and modify server metrics and settings from your own web applications. For more information, see the developer documentation available on your product CD.

Viewing and changing the status of serversThe status of a server is its current state of operation: a server can be started, stopped, enabled, or disabled. To respond to BusinessObjects Enterprise requests, a server must be started and enabled. A server that is disabled is still running as a process; however, it is not accepting requests from the rest of BusinessObjects Enterprise. A server that is stopped is no longer running as a process. This section shows how to modify the status of servers by using the CMC and the CCM. It includes:• “Starting, stopping, and restarting servers” on page 99• “Enabling and disabling servers” on page 102• “Stopping a Central Management Server” on page 102• “Printing, copying, and refreshing server status” on page 104

Starting, stopping, and restarting serversStarting, stopping, and restarting servers are common actions that you perform when you configure servers or take them offline for other reasons. For example, if you want to change the name of a CMS, then you must first stop the server. Once you have made your changes, you start the server again to effect your changes.The remainder of this section tells you when a certain configuration change requires that you first stop or restart the server. However, because these tasks appear frequently, the concepts and differences are explained first, and the general procedures are provided for reference.


Managing and Configuring ServersViewing and changing the status of servers5

Tip: When you stop (or restart) a server, you terminate the server’s process, thereby stopping the server completely. If you want to prevent a server from receiving requests without actually stopping the server process, you can also enable and disable servers. We recommend that you disable Job Servers and Program Job Servers before stopping them so that they can finish processing any jobs they have in progress. For details, see “Enabling and disabling servers” on page 102.

To start, stop, or restart servers with CMCNote: You cannot use CMC to stop the CMS. You must use the CCM instead. See “Stopping a Central Management Server” on page 102 for more information.1. Go to the Servers management area of the CMC.

A list of servers appears. The icon associated with each server identifies its status:• Running is indicated by a server with a green arrow.• Stopped is indicated by a server with a red arrow.• Disabled is indicated by a server with a red circle.In this example, the Page Server is stopped, the Event Server is disabled, and the remaining servers are running and enabled.

Action Description

Stopping a server You must stop BusinessObjects Enterprise servers before you can modify certain properties and settings.

Starting a server If you have stopped a server to configure it, you need to start it to effect your changes and to have the server resume processing requests.

Restarting a server Restarting a server is a shortcut to stopping a server completely and then starting it again. You can change certain settings without stopping the server; however, the changes typically do not take effect until your restart the server.



2. Select the check box for the server whose status you want to change.3. Depending upon the action you need to perform, click Start, Stop, or

Restart.You may be prompted for network credentials that allow you to start and stop services running on the remote machine.

4. Click Refresh to update the page.

To start, stop, or restart a Windows server with the CCM1. Start the CCM.2. Select the server that you want to start, stop, or restart.3. On the toolbar, click the appropriate button.

You may be prompted for network credentials that allow you to start and stop services. Note: When you provide your network credentials, they are first checked against the machine hosting the CMS. If the server that you want to start, stop, or restart is located on another machine, the same credentials are used to access the other machine. If you supply credentials that are valid on the remote machine but not on the machine running the CMS, then you receive an error message.

The CCM performs the action and refreshes the list of servers.

Toolbar Icon

Action

Start the selected server.

Stop the selected server.

Restart the selected server.



To start, stop, or restart a UNIX server with the CCMUse the ccm.sh script. For reference, see “ccm.sh” on page 474.

Stopping a Central Management ServerIf your BusinessObjects Enterprise installation has a single Central Management Server (CMS), shutting it down will make BusinessObjects Enterprise unavailable to your users and will interrupt the processing of reports and programs. Before stopping your CMS, you may wish to disable your processing servers so that they can finish any jobs in progress before BusinessObjects Enterprise shuts down. See “Enabling and disabling servers” on page 102 for more information.If you have a CMS cluster consisting of more than one active CMS, you can shut down a single CMS without losing data or affecting system functionality. The other CMS in the cluster will assume the workload of the stopped server. Using a CMS cluster enables you to perform maintenance on each of your Central Management Servers in turn without taking BusinessObjects Enterprise out of service.For more information on CMS clusters, see “Clustering Central Management Servers” on page 114.

Enabling and disabling serversWhen you disable a BusinessObjects Enterprise server, you prevent it from receiving and responding to new BusinessObjects Enterprise requests, but you do not actually stop the server process. This is especially useful when you want to allow a server to finish processing all of its current requests before you stop it completely.For example, you may want to stop a Job Server before rebooting the machine it is running on. However, you want to allow the server to fulfill any outstanding report requests that are in its queue. First, you disable the Job Server so it cannot accept any additional requests. Next, go to the Central Management Console to monitor when the server completes the jobs it has in progress. (From the Servers management area, choose the server name and then the metrics tab). Then, once it has finished processing current requests, you can safely stop the server.Note: The CMS must be running in order for you to enable and/or disable other servers.

To enable and disable servers with CMC1. Go to the Servers management area of the CMC.



The icon associated with each server identifies its status. In this example, the Event Server is disabled (but not stopped), and the remaining servers are running and enabled.

2. Select the check box for the server whose status you want to change.3. Depending upon the action you need to perform, click Enable or Disable.

To enable or disable a Windows server with the CCM1. Start the CCM.2. On the toolbar, click Enable/Disable.3. When prompted, log on to your CMS with the credentials that provide you

with administrative privileges to BusinessObjects Enterprise.4. Click Connect.

The Enable/Disable Servers dialog box appears.

This dialog box lists all of the BusinessObjects Enterprise servers that are registered with your CMS, including servers running on remote machines. By default, servers running on remote machines are displayed as MACHINE.servertype. In this example, all of the listed servers are currently enabled.



5. To disable a server, clear the check box in the Server Name column.6. Click OK to effect your changes and return to the CCM.

To enable or disable a UNIX server with the CCMUse the ccm.sh script. For reference, see “ccm.sh” on page 474.

Printing, copying, and refreshing server statusWhen using the CCM on Windows, you can print and copy the properties of a server, and refresh the list of servers.

To print the status of a server1. Start the CCM.2. Select the server(s).3. Click Print.

The Print dialog box appears.4. Click OK.

A brief listing of the server’s properties is printed, including the Display Name, Version, Command Line, Status, and other information.

To copy the status of a serverTo save the status of a server, you can copy the details from the CCM to a document or to an email message (if you want to send the status information to someone else).1. Start the CCM.2. Select the server(s).3. Click Copy.4. Paste the information into a document for future reference.

To refresh the list of servers• To ensure you are looking at the latest information, click Refresh.Note: Disabled servers may not appear in this list. Click Enable/Disable to view a list of servers and ensure that each is enabled.


Managing and Configuring ServersAdding and deleting servers 5

Adding and deleting serversThis section shows how to add and delete servers from a machine that is already running BusinessObjects Enterprise components. It includes the following sections:• “Adding a server” on page 105• “Deleting a server” on page 107Tip: If you are adding new hardware to BusinessObjects Enterprise by installing server components on new, additional machines, run the BusinessObjects Enterprise installation and setup program from your product distribution. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that you want to install on the local machine. For details, see the BusinessObjects Enterprise Installation Guide.Note: You can also add and delete servers from the Central Management Console. For more information, see the BusinessObjects Enterprise Administrator’s Guide.

Adding a serverThese steps add a new instance of a server to the local machine. You can run multiple instances of the same BusinessObjects Enterprise server on the same machine.

To add a Windows serverNote: To complete this procedure, you must log on as an Administrator of the local machine.1. Start the CCM on the BusinessObjects Enterprise machine upon which

you want to install a new server.2. On the toolbar, click Add Server.

The Add Business Objects Server Wizard displays its Welcome dialog box.

3. Click Next.


Managing and Configuring ServersAdding and deleting servers5

The “Server Type and Display Name Configuration” dialog box appears

.

4. Click the Server Type list and select the kind of server you want to add.5. Change the default Display Name field if you want a different name to

appear in the list of servers in the CCM.Note: The display name for each server on the local machine must be unique.

6. Change the default Server Name field if required.Each server on the system must have a unique name. The default naming convention is HOSTNAME.servertype (a number is appended if there is more than one server of the same type on the same host machine). This Server Name is displayed when you manage servers over the Web in the Central Management Console (CMC).Note: When you add Input or Output File Repository Servers, the wizard always precedes the server name you type with an “Input.” or “Output.” prefix. So, if you add an Input FRS with the name SERVER02, the CCM actually names the server Input.SERVER02. This “Input.” prefix is required by the system. If you subsequently modify the server’s name through its command line, do not remove the prefix.

7. Click Next.The “Set Configuration for this server” dialog box appears. The contents of this dialog vary slightly, depending upon the type of server that you are installing.

8. Type the name of the CMS that you want the server to communicate with.If your CMS is not listening on the default port (6400), include the appropriate port number, as in CMSname:port#

9. Click Next to accept any other default values, or modify them to suit your environment.


Managing and Configuring ServersAdding and deleting servers 5

Note: If port number options are displayed in this dialog box, do not modify them. Instead, change ports through each server’s command line. For details, see “Changing the default server port numbers” on page 147.

10. Confirm that the summary information is correct; then click Finish.The new server appears in the list, but it is neither started nor enabled automatically.

11. Use the CCM (or the CMC) to start and then to enable the new server when you want it to begin responding to BusinessObjects Enterprise requests. For details, see “Viewing and changing the status of servers” on page 99.

Tip: Auditing in BusinessObjects Enterprise is enabled on a per server basis. If you add a new server to your BusinessObjects Enterprise installation you must enable auditing of actions on each new server. If you do not, the actions performed on the new server will not be audited. See the BusinessObjects Enterprise Auditor’s Guide for more information.

To add a UNIX serverUse the serverconfig.sh script. For reference, see “serverconfig.sh” on page 478.

Deleting a server To delete a Windows server

1. Start the CCM on the BusinessObjects Enterprise machine that you want to delete a server from.

2. Stop the server that you want to delete from the system.3. With the server selected, click Delete Server on the toolbar.4. When prompted for confirmation, click Yes.

To delete a UNIX serverUse the serverconfig.sh script. For reference, see “serverconfig.sh” on page 478.


Managing and Configuring ServersConfiguring the application tier5
Configuring the application tier
This section includes technical information and procedures that show how you can modify settings for the application tier.

The majority of the settings discussed in this section allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.Note: This section does not show how to configure your Web application server to deploy BusinessObjects Enterprise applications. This task is typically performed when you install BusinessObjects Enterprise. For details, see the BusinessObjects Enterprise Installation Guide. For further troubleshooting, see “Working with Firewalls” on page 157.

Configuring the Web Component AdapterThe WCA (Web Component Adapter) is a web application that provides support for the Central Management Console and CSP applications. It does not appear as a server in the Central Management Console or in the Central Configuration Manager.To configure the WCA, edit either of the following files, depending on whether you are running the system on a Java or .NET platform:• On a Java platform edit the web.xml file associated with the WCA. See

“Configuring the Java Web Component Adapter” on page 109.• On a .NET platform edit the web.config file associated with the WCA.

See “Configuring the .NET Web Component Adapter” on page 113.


Managing and Configuring ServersConfiguring the application tier 5

Configuring the Java Web Component AdapterTo configure the Java WCA you edit the web.xml file associated with the WCA:• Windows: C:\Program Files\Business

Objects\BusinessObjects Enterprise 11.5\java\applications directory

• UNIX: WEB-INF subdirectory of the webcompadapter.war archive file stored in the bobje_root/enterprise115/java/applications directory

For example, the context parameter that controls whether a group tree will be generated looks like this:<context-param><param-name>viewrpt.groupTreeGenerate</param-name>

<param-value>true</param-value><desctiption>”true” or “false” value determining whether

a group tree will be generated.</description></context-param>

To change the value of a context parameter, edit the value between the <param-value> </param-value> tags.

To configure web.xmlNote: Your Java Web Application Server may provide tools to allow you to edit web.xml directly from an administrative console.Otherwise use the following procedure to configure web.xml.1. Stop your application server.2. Extract the web.xml file from the webcompadapter.war archive.3. Edit the file by using a text editor such as Notepad or vi.4. Reinsert the file into the WEB-INF directory in webcompadapter.war.

Tip: To reinsert web.xml into WEB-INF using WinZip, right-click on the WEB-INF directory that contains your edited web.xml file and select “Add to Zip File...”. Adding the file in this way ensures that it is placed in the correct directory inside the archive.

5. Restart your application server.When you install more than one WCA, each webcomponentadapter.war file contains its own web.xml file containing configuration parameters for that WCA. However, you can only set the parameters listed in the following table individually for each WCA. The remaining parameters must be the same for all WCA in your system.



Changing the default session timeout value for the Java CMC The default session timeout value is 20 minutes in the CMC. Use this procedure if you want to modify the default session timeout value.

To change the session timeout value1. Verify that the Java SDK is installed and its location is in your PATH

environment variable.If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH.

2. Stop the Web application server on the machine where webcompadapter.war is deployed.

Context Parameter Description

display-name Equivalent to WCA name.cspApplication.defaultPage The default page that will be loaded if no

filename is specified in a particular request.

cspApplication.dir This is the real path to the directory containing the CSP/WAS application(s) that you would like to host. This is a required field.

connection.cms This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.

connection.listeningPort This field defaults to the port that the WCA related servlets are running on.

log.file Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path

log.ext File extension of logfile, defaults to .loglog.isRolling Determines whether or not the logs will be

rotated, defaults to true.log.size If log rolling is turned on, this will govern

the max size before logfile is rotated. Accepted suffix: MB, KB and GB.

log.level The default loglevel is “error.”log.entryPattern Please refer to log4j documentation for

accepted log entry patterns.



3. Extract the web.xml file from the directory where webcompadapter.war is deployed by running the following command: jar -xvf webcompadapter.war WEB-INF/web.xml

4. Open web.xml in a text editor like Notepad and search for the following section: <session-config> <session-timeout>20</session-timeout> </session-config>

5. Change the value between <session-timeout> to the number of minutes you require for the session to timeout.

6. Save web.xml. 7. Update the webcompadapter.war with the modified web.xml file. Use the

following command: jar -uvf webcompadapter.war WEB-INF/web.xml

8. Restart you web application server and redeploy webcompadapter.war.

Changing the default session timeout value for the Java InfoViewThe default session timeout value is 20 minutes in the InfoView. Use this procedure if you want to modify the default session timeout value.

To change the session timeout value for InfoView1. Verify that the Java SDK is installed and its location is in your PATH

environment variable.If you are able to execute the jar command, and receive usage information on the command, proceed to the next step. If you receive an error message, install the JAVA SDK and add its location to your PATH.

2. Stop the Web application server on the machine where desktop.war is deployed.

3. Extract the web.xml file from the directory where desktop.war is deployed or edit the deployed web.xml file.• To extract web.xml, issue the following command.

jar -xvf desktop.war WEB-INF/web.xml

Note: Instead of extracting the web.xml from the specified location, you can edit web.xml from the deployed location. If you installed Tomcat with your installation, you can find this file in this location:C:\Program Files\Business

Objects\Tomcat\webapps\businessobjects\enterprise115\desktoplaunch\WEB-INF



4. Open web.xml in a text editor like Notepad and search for the following section: <session-config> <session-timeout>20</session-timeout> </session-config>

5. Change the value between <session-timeout> to the number of minutes you require for the session to timeout.

6. Save web.xml. 7. Update the desktop.war with the modified web.xml file. Use the following

command: jar -uvf desktop.war WEB-INF/web.xml

Note: This step is not required if you did not extract the web.xml file.8. Restart you web application server and redeploy desktop.war.

Note: You don’t need to redeploy desktop.war if you edited the web.xml file from the deployed location; restarting your web application server will suffice.

Changing the connect port used by TomcatDuring the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat.

To change the Tomcat connect port1. Stop Tomcat server by selecting the server name and clicking on the stop

button.2. Open the server.xml file for Tomcat in a text editor.

On Windows, this file can normally be found in the following directory:C:\Program Files\Business Objects\Tomcat\conf

3. Locate the following string:<Connector URIEncoding="UTF-8" acceptCount="100"

connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />

4. Change port 8080 to an available port number.5. Save and close the file.



Configuring the .NET Web Component AdapterTo configure the .NET WCA you edit the web.config file associated with the WCA. This file is located in the following directory:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\Web Content\application

To configure web.configNote: Your .NET Web Application Server may provide tools to allow you to edit web.config directly from an administrative console. 1. Stop your application server.2. Edit the web.config file by using a text editor such as Notepad.3. Restart your application server.

Parameter Description

display-name Equivalent to WCA name.cspApplication.defaultPage The default page that will be loaded if no

filename is specified in a particular request.

connection.cms This is the name (or name and port number) of the CMS that you would like your application(s) to connect to.

connection.listeningPort This field defaults to the port that the WCA related servlets are running on.

log.file Filename of the logfile including full real path to file, excluding extension. Defaults to WCA with no path

log.ext File extension of logfile, defaults to .loglog.isRolling Determines whether or not the logs will be

rotated, defaults to true.log.size If log rolling is turned on, this will govern

the max size before logfile is rotated. Accepted suffix: MB, KB and GB.

log.level The default loglevel is “error.”log.entryPattern Please refer to log4j documentation for

accepted log entry patterns.


Managing and Configuring ServersConfiguring the intelligence tier5
Configuring the intelligence tier
This section includes technical information and procedures that show how you can modify settings for the BusinessObjects Enterprise servers that make up the intelligence tier.

The majority of the settings discussed here allow you to integrate BusinessObjects Enterprise more effectively with your current hardware, software, and network configurations. Consequently, the settings that you choose will depend largely upon your own requirements.Configuring the intelligence tier includes the following tasks:• “Clustering Central Management Servers” on page 114• “Copying data from one CMS database to another” on page 122• “Deleting and recreating the CMS database” on page 127• “Selecting a new or existing CMS database” on page 128• “Setting root directories and idle times of the File Repository Servers” on

page 130• “Modifying performance settings for Cache Servers and Event Servers”

on page 131

Clustering Central Management ServersIf you have a large or mission-critical implementation of BusinessObjects Enterprise, you will probably want to run several CMS machines together in a CMS cluster. A CMS cluster consists of two or more CMS servers working together to maintain the system database. If a machine that is running one CMS fails, a machine with another CMS will continue to service BusinessObjects Enterprise requests. This “failover” support helps to ensure that BusinessObjects Enterprise users can still access information when there is an equipment failure.This section shows how to add a new CMS cluster member to a production system that is already up and running. When you add a new CMS to an existing cluster, you instruct the new CMS to connect to the existing CMS


Managing and Configuring ServersConfiguring the intelligence tier 5

database and to share the processing workload with any existing CMS machines. For information about your current CMS and CMS cluster, go to the Settings management area of the CMC and click the Cluster tab. Before clustering CMS machines, you must make sure that each CMS is installed on a system that meets the detailed requirements (including version levels and patch levels) for operating system, database server, database access method, database driver, and database client outlined in the platforms.txt file included in your product distribution. In addition, you must meet the following clustering requirements:• For best performance, the database server that you choose to host the

system database must be able to process small queries very quickly. The CMS communicates frequently with the system database and sends it many small queries. If the database server is unable to process these requests in a timely manner, BusinessObjects Enterprise performance will be greatly affected.

• For best performance, run each CMS cluster member on a machine that has the same amount of memory and the same type of CPU.

• Configure each machine similarly:• Install the same operating system, including the same version of

operating system service packs and patches. • Install the same version of BusinessObjects Enterprise (including

patches, if applicable).• Ensure that each CMS connects to the CMS database in the same

manner: whether you use native or ODBC drivers. Make sure that the drivers are the same on each machine, and are a supported version.

• Ensure that each CMS uses the same database client to connect to its system database, and that it is a supported version.

• Check that each CMS uses the same database user account and password to connect to the CMS database. This account must have create, delete, and update rights on the system database.

• Run each CMS service/daemon under the same account. (On Windows, the default is the “LocalSystem” account.)

• Verify that the current date and time are set correctly on each CMS machine (including settings for daylight savings time).

• Ensure that each and every CMS in a cluster is on the same Local Area Network.



• If you wish to enable auditing, each CMS must be configured to use the same auditing database and to connect to it in the same manner. The requirements for the auditing database are the same as those for the system database in terms of database servers, clients, access methods, drivers, and user IDs.

Tip: By default, a CMS cluster name reflects the name of the first CMS that you install, but the cluster name is prefixed by the @ symbol. For instance, if your existing CMS is called BUSINESSOBJECTSCMS, then the default cluster name is @BUSINESSOBJECTSCMS. To modify the default name, see “Restart your application server.” on page 119.

Adding a new CMS cluster memberThere are two ways to add a new CMS cluster member. Follow the appropriate procedure, depending upon whether or not you have already installed a second CMS:• “Installing a new CMS and adding it to a cluster” on page 116

See this section if you have not already installed the new CMS on its own machine.

• “Adding an installed CMS to a cluster” on page 117Follow this procedure if you have already installed a second, independent CMS on its own machine. While testing various server configurations, for instance, you might have set up an independent BusinessObjects Enterprise system with its own CMS. Follow this procedure when you want to incorporate this independent CMS into your production system.

Note: Back up your current CMS database before making any changes. If necessary, contact your database administrator.

Installing a new CMS and adding it to a clusterWhen you install a new CMS, you can quickly cluster it with your existing CMS. Run the BusinessObjects Enterprise installation and setup program on the machine where you want to install the new CMS cluster member. The setup program allows you to perform an Expand installation. During the Expand installation, you specify the existing CMS whose system you want to expand, and you select the components that want to install on the local machine. In this case, specify the name of the CMS that is running your existing system, and choose to install a new CMS on the local machine. Then provide the



Setup program with the information it needs to connect to your existing CMS database. When the Setup program installs the new CMS on the local machine, it automatically adds the server to your existing CMS cluster.For complete requirements for CMS added to a cluster, see “Clustering Central Management Servers” on page 114. For complete information on running the Setup program and performing the Expand installation, see the BusinessObjects Enterprise Installation Guide.

Adding an installed CMS to a clusterIn these steps, the independent CMS refers to the one that you want to add to a cluster. You will add the independent CMS to your production CMS cluster. By adding an independent CMS to a cluster, you disconnect the independent CMS from its own database and instruct it to share the system database that belongs to your production CMS.Before starting this procedure, ensure that you have a database user account with Create, Delete, and Update rights to the database storing the BusinessObjects Enterprise tables. Ensure also that you can connect to the database from the machine that is running the independent CMS (through your database client software or through ODBC, according to your configuration). Also ensure that the CMS you are adding to the cluster meets the requirements outlined in “Clustering Central Management Servers” on page 114.Note: Back up your current CMS database before beginning this procedure. If necessary, contact your database administrator.

To add an installed CMS to a cluster on Windows1. Use the CCM to stop the independent Central Management Server.2. With the CMS selected, click Specify CMS Data Source on the toolbar.



The CMS Database Setup dialog box appears.

3. Click Select a Data Source; then click OK.4. In the Select Database Driver dialog box, specify whether you want to

connect to the production CMS database through ODBC, or through one of the native drivers.

5. Click OK.6. The remaining steps depend upon the connection type you selected:

• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that corresponds to your production CMS database; then click OK. If prompted, provide your database credentials and click OK. The CCM connects to the database server and adds the new CMS to the cluster.

• If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Once you provide this information, the CCM connects to the database server and adds the new CMS to the cluster.

The SvcMgr dialog box notifies you when the CMS database setup is complete.

7. Click OK.8. Start the Central Management Server.

To add an installed CMS to a cluster on UNIXUse the cmsdbsetup.sh script. For reference, see “cmsdbsetup.sh” on page 477.



Adding clustered CMSs to the web.xml fileIf you have added additional CMSs, and you are using a Java application server, you will need to modify the web.xml file with your changes.

To modify the web.xml to define CMS clusters1. Open the web.xml from the following location:

C:\Program Files\Business Objects\Tomcat\webapps\businessobjects\enterprise115\desktoplaunch\WEB-INF

2. Locate the following section in the file: <context-param> <param-name>proxy.contextpaths</param-name>

Note: This string appears more than once in the file. The first occurrence of this is an example and is in a comment. Ensure the string you edit is not commented out.Enter the context path for your reverse proxy in the

<param-value> for <param-name>proxy.contextpaths.

If you have multiple reverse proxy paths, separate each path with a comma.<context-param> <param-name>proxy.contextpaths</param-name> <param-value>/Path1,/Path2,/Path3</param-value> </context-param>


Enabling reverse proxies for BusinessObjects Web Services

This section describes the required procedures to enable reverse proxies for BusinessObjects Web Services.

Enabling reverse proxies on TomcatNote: The following information only applies if you are using Tomcat.



To enable reverse proxies1. Stop Tomcat.2. Open the server.xml for Tomcat.

On Windows, server.xml is located at <CATALINA_HOME>\confOn UNIX server.xml is located at <CATALINA_HOME>/confNote: • If you are using the version of Tomcat installed with BusinessObjects

Enterprise on Windows and you did not modify the default installation location, replace <CATALINA_HOME> with C:\Program Files\Business Objects\Tomcat

• If you are using the version of Tomcat installed with BusinessObjects Enterprise on UNIX and you did not modify the default installation location, replace <CATALINA_HOME> with <INSTALLDIR>/bobje/tomcat

3. Locate this string in the server.xml file:   

4. Uncomment the Connector element by removing .5. Modify the value of proxyPort to be the reverse proxy server listen port.6. Add a new proxyName attribute to the Connector’s attribute list. The

value of the proxyName must be the proxy server name which should be resolvable to the correct IP address by Tomcat. Here is a sample:

 <Connector port="8082"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"enableLookups="false"



acceptCount="100" debug="0" connectionTimeout="20000"proxyName="my_reverse_proxy_server.domain.com" proxyPort="ReverseProxyServerPort" disableUploadTimeout="true" />

Where my_reverse_proxy_server.domain.com and ReverseProxyServerPort should be substituted by the correct reverse proxy server name and its listen port.

7. Save and close the server.xml file.8. Restart Tomcat.9. Ensure the reverse proxy server maps its virtual path to the correct

Tomcat connector port.In the above example, the port is 8082.The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on Tomcat:ProxyPass /dswsbobje http://internalServer:8082/

dswsbobjeProxyPassReverse /dswsbobje http://internalServer:8082/

dswsbobje

Enabling reverse proxy on web application servers other than TomcatNote: The following procedure requires that BusinessObjects Enterprise web applications are successfully configured against your chosen web application server.

To enable reverse proxies1. Stop the web application server.2. Specify the external URL of the Web Services in the dsws.properties file.

This file is located in dswsbobje web application. For example if your external is URL is http://my_reverse_proxy_server.domain.com/dswsbobje/, update the following properties in the dsws.properties file:• wsresource1=ReportEngine|reportengine web service alone|http://

my_reverse_proxy_server.domain.com/dswsbobje/services/reportengine

• wsresource2=BICatalog|bicatalog web service alone|http://my_reverse_proxy_server.domain.com/dswsbobje/services/bicatatog

• wsresource3=Publish|publish web service alone|http://my_reverse_proxy_server.domain.com/dswsbobje/services/publish



• wsresource4=QueryService|query web service alone|http://my_reverse_proxy_server.domain.com/dswsbobje/services/queryservice

• wsresource5=BIPlatform|BIPlatform web service|http://my_reverse_proxy_server.domain.com/dswsbobje/services/biplatform

• wsresource6=LiveOffice|Live Office web service|http://my_reverse_proxy_server.domain.com/dswsbobje/servicesliveoffice

3. Save and close the dsws.properties file.4. Restart the web application server.5. Ensure the reverse proxy server maps its virtual path to the correct web

application server connector port.The following example shows a sample configuration for Apache HTTP Server 2.0 to reverse proxy BusinessObjects Web Services deployed on the web application server of your choice:ProxyPass /dswsbobje http://internalServer:<listen

port>/dswsbobjeProxyPassReverse /dswsbobje http://

internalServer:<listen port>/dswsbobje

Where <listen port> is the listen port of your web application server.

Enabling reverse proxies for BusinessObjects Live Office Note: This section assumes reverse proxies for BusinessObjects Java InfoView and BusinessObjects Web Services have been successfully enabled.To enable BusinessObjects Live Office’s View Object in Web Browser feature for reverse proxies, adjust the default viewer URL. This can be done in the Central Management Console (CMC) or through Live Office options.

To adjust the default viewer URL using the CMC1. Log on to the CMC.2. Navigate to the Objects page and click Object Settings.3. In the URL field, set the correct default viewer URL and click Set URL.

Here is a sample default viewer URL:http://ReverseProxyServer:ReverseProxyServerPort/ProxiedInfoView/opendoc/openDocument.jsp?sIDType=CUID&iDocID=%SI_CUID%



Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView.

To adjust the default view URL using Live Office options1. On the LiveOffice menu click Options and then click the Enterprise tab.2. Select Specify the URL to view the report in repository: and type the

correct URL in the adjacent field.For example:http://ReverseProxyServer:ReverseProxyServerPort/ProxiedInfoView/opendoc/openDocument.jsp.Where ReverseProxyServer and ReverseProxyServerPort are the correct reverse proxy server name and its listen port. ProxiedInfoView is the correct virtual path for Java InfoView.

3. Click OK.

Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server

PrerequisitesEnsure that you have read and implemented the steps for “Enabling reverse proxies for Java applications servers” on page 202.

Deployment instructionsIn a regular deployment you create a service account and an SPN that maps to that service account for use with the application server machine. For details on this, refer to “Configuring Kerberos and single sign-on to the database for Java application servers” on page 311.In a deployment where the reverse proxy server sits between the client and the application sever, you must make the following change:• Follow the instructions for “Configuring Kerberos and single sign-on for

Java InfoView” on page 312 with modifications for step 2, setting an SPN for your web application server and step 4, creating and placing a keytab file. In these steps, the service account and the SPN need to be for the reverse proxy server rather than the application server. • In both steps, when executing the ktpass command, the <host>

should be the fully qualified domain name of the reverse proxy server.


Modifying default security behaviorDisabling persistent cookies for InfoView8
Disabling persistent cookies for InfoView
You may notice that whenever you go to the InfoView logon page, any time after you first successful log in, these three items are populated:• Your CMS name and port number.• Your User name.• Your authentication method.This behavior is made possible through the use of persistent cookies. Persistent cookies are text small files that are stored on your hard drive in the Cookies folder, under your profile name folder, and in the Temporary Internet Folder in your Windows directory. Although these cookies do not store your password, some companies have stringent security requirements which prohibit this behavior. The use of persistent cookies on the InfoView logon screen is the default, however, if you want you can disable this behavior in either the .NET or the Java InfoView client.

To disable persistent cookies for .NET InfoView1. Open the Web.config file for InfoView, from its deployed location:

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView

2. Find this string in the file:<add key="persistentCookiesEnabled" value="true"/>

3. Change the value for persistentCookiesEnabled from true to false.

4. Save and close the file.5. Restart IIS.

To disable persistent cookies for Java InfoView1. Open the web.xml file for InfoView, from its deployed location on your

web application server.On Windows, this is the deployed location:<DeployedLocation>\businessobjects\enterprise115\desktop

launch\WEB-INF



Note:


Modifying default security behaviorDisabling persistent cookies for InfoView 8




2. Locate this string in the file:<param-name>persistentcookies.enabled</param-name>

3. Change the <param-value> for persistentcookies.enabled from true to false.



Modifying default security behaviorDisabling persistent cookies for InfoView8


Using NT Authentication

chapter

Using NT AuthenticationUsing NT user accounts and groups9
Using NT user accounts and groups
BusinessObjects Enterprise supports NT authentication with the Windows NT security plug-in, which is included by default when the product is installed on Windows. Support for NT authentication means that users or groups created with NT, Windows 2000 and Windows 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you to map previously created NT user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise.

Windows NT security plug-inThe Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session. This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see “Managing NT accounts” on page 248. For information on the Windows AD security plug-in, see “Windows AD security plug-in” on page 246.Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD.Note: The Windows NT security plug-in cannot authenticate users under the following conditions:• If the BusinessObjects Enterprise server components are running on

UNIX• If your system uses the BusinessObjects Enterprise Java SDK.


Using NT AuthenticationWindows NT security plug-in 9

Business Objects NT Users GroupIf you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. As a result, you can log on to BusinessObjects Enterprise with your usual NT user credentials.

NT single sign-on The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:• To obtain NT single sign-on functionality from a thick-client application

(such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK.In this scenario, the Windows NT security plug-in queries the operating system for the current user’s credentials when the client is launched.

• To obtain NT single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user’s credentials to BusinessObjects Enterprise. Note:

• Although single sign-on is supported for InfoView, you will still see the logon screen for the CMC. When you see the CMC logon screen, leave the userid and password fields blank, select Windows NT from the authentication type drop down, and then click logon.

• IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation.For details on configuring IIS for single sign-on, see “Setting up NT single sign-on” on page 259. For information on NT single sign-on, see “Setting up NT single sign-on” on page 259.


Using NT AuthenticationNT user account and group administration9
NT and single sign-on support
BusinessObjects Enterprise also supports single sign-on support for InfoView and the CMC with NT authentication under the following conditions:• When IIS is the web server• When Internet Explorer is used as the web browserThis support means that your authenticated NT users can log on to BusinessObjects Enterprise without explicitly entering their credentials.The first two sections, “Windows NT security plug-in” on page 212 and “Mapping NT user accounts and groups” on page 215 provide overview information about how NT authentication works with BusinessObjects Enterprise.The remaining sections provide the procedural details related to using NT user accounts and groups and NT single sign-on for InfoView.• “Mapping NT user accounts and groups from Windows NT” on page 215• “Mapping NT user account or groups from Windows 2000 or 2003” on

page 216• “Mapping NT groups from the CMC” on page 217• “Modifying IIS security settings for NT single sign-on” on page 224• “Enabling InfoView NT single sign-on from the CMC” on page 224• “Modifying the web.config file for NT single sign-on” on page 225Note: • NT authentication only works for servers running on Windows systems. If

you install BusinessObjects Enterprise on a Windows NT, 2000, or 2003 machine, NT authentication is installed and enabled by default.

• NT accounts refer to Windows NT, 2000, or 2003 accounts.

NT user account and group administrationSetting up and maintaining NT authentication involves these tasks:• Mapping NT user accounts and groups

• “Mapping NT user accounts and groups from Windows NT” on page 215

• “Mapping NT user account or groups from Windows 2000 or 2003” on page 216

• “Mapping NT groups from the CMC” on page 217• “Setting up NT single sign-on” on page 223


Using NT AuthenticationMapping NT user accounts and groups 9

• “Unmapping NT groups” on page 220• “Viewing mapped NT users and groups” on page 221

Mapping NT user accounts and groupsTo simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.You can map NT accounts to BusinessObjects Enterprise three ways:• Through the User Manager in NT.• Through Computer Management in Windows 2000 or 2003.• Through the CMC.Note: NT accounts refer to Windows NT, 2000 and 2003 accounts.

Mapping NT user accounts and groups from Windows NTTo simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.

To map NT users to BusinessObjects Enterprise from Windows NT1. From the Windows NT Administrative Tools program group, click User

Manager.Note: Ensure that you have selected the domain that contains the BusinessObjects NT Users group. This group is created automatically when you install BusinessObjects Enterprise on Windows.

2. Select the BusinessObjects NT Users group.3. From the User menu, click Properties.4. Click Add.5. Select the group(s) and/or user(s); then click Add.6. Click OK to add the group(s) and/or user(s).


Using NT AuthenticationMapping NT user accounts and groups9

7. Click OK to complete the process.Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:\\NTDomainName\NTusername orNTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab.

Mapping NT user account or groups from Windows 2000 or 2003

To simplify administration, BusinessObjects Enterprise supports user accounts and group that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.

To map NT users to BusinessObjects Enterprise from Windows 2000 or 20031. From the Windows Administrative Tools program group, click Computer

Management.2. Under System Tools, select Local Users and Groups.3. Click the Groups folder.4. Select the BusinessObjects NT Users and from the Action menu,

select Properties.5. Click Add.6. Select the group(s) and/or user(s); then click Add.7. Click OK to add the group(s) and/or user(s).8. Click OK or Apply (and then Close) to complete the process.

Tip: Users will now be able to log on to InfoView using their NT account if they use the following format:\\NTDomainName\NTusername orNTMachineName\LocalUserName

Users do not have to specify the NT Domain Name if it is specified in the “Default NT Domain” field on the Windows NT tab.



Mapping NT groups from the CMCTo simplify administration, BusinessObjects Enterprise supports user accounts and groups that are created using Windows NT. However, before users can use their NT user name and password to log on to BusinessObjects Enterprise, their NT user account needs to be mapped to BusinessObjects Enterprise. When you map an NT account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.Note: • When you map a NT group to BusinessObjects Enterprise, all the users

from the group are mapped. If you want to exclude specific users from having access to BusinessObjects Enterprise, you can change the specific user’s access after the group has been mapped.

• Before starting this procedure, ensure you have the NT domain and group information.

To map NT groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.



2. Click the Windows NT tab.

3. Ensure that the NT Authentication is enabled check box is selected.4. If you will be using single sign-on, select the Single Sign On is enabled

check box.Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Setting up NT single sign-on” on page 223. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

5. To change the Default NT domain, click the domain name. Complete the Default NT Domain field, and then click Update.Note: By typing the default NT Domain Name, users do not have to specify the NT Domain Name when they log on to BusinessObjects Enterprise via NT authentication. Also, you don’t have to specify the NT domain name when you map groups.



6. In the Mapped NT Member Groups area, enter the NT domain\group in the Add NT Group (NT Domain\Group) field.Note: If you want to map a local NT group, you must type \\NTmachinename\groupname.

7. Click Add.The group is added to the list.

8. Select how aliases are mapped to Enterprise accounts.You have these choices:• “Assign each added NT alias to an account with the same

name”.• “Create a new account for every added NT alias”.Note: For more information on these options, see “Alias options” on page 196.

9. Select when new users and aliases are created.You have these choices:• “New aliases will be added and new users will be created”.• “No new aliases will be added and new users will not be

created”.Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on these options, see “Update options” on page 197.

10. Select what type of users are created. You have these choices:• “New users are created as named users”.• “New users are created as concurrent users”.

Note: For more information on what these options do, see “User type options” on page 196.

11. Click Finish.A message appears stating that it will take several seconds to update the member groups.

12. Click OK.


Unmapping NT groups
Similar to mapping, it is possible to unmap groups using the administrative tool in Windows NT/2000, or BusinessObjects Enterprise.

To unmap NT users and groups using Windows NT1. From the Administrative Tools program group, click User Manager.2. Select BusinessObjects NT Users.3. From the User menu, click Properties.4. Select the user(s) or group(s), and click Remove.5. Click OK.

The user or group will no longer be able to access BusinessObjects Enterprise.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases, see “Security Concepts” on page 179.

To unmap NT users and groups using Windows 2000 or 20031. From the Administrative Tools program group, click Computer

Management.2. Under System Tools, select Local Users and Groups.3. Click the Groups folder.4. Select BusinessObjects NT Users.5. From the Action menu, click Properties.6. Select the user(s) or group(s), and click Remove.7. Click OK or Apply (and then Close) to complete the process.

The user or group will no longer be able to access BusinessObjects Enterprise.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see “Security Concepts” on page 179.

To unmap NT groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.3. In the Mapped NT Member Groups area, select the NT group you would

like to remove.4. Click Delete.



5. Click Update.The users in this group will not be able to access BusinessObjects Enterprise.Tip: To deny NT Authentication for all groups, clear the “NT Authentication is enabled” check box and click Update.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. For more information on aliases see “Security Concepts” on page 179.

Viewing mapped NT users and groupsThere are two methods to view mapped users and groups in BusinessObjects Enterprise. The method you use depends on the way the groups and users have been mapped.

To view users and groups that have been added using Windows NT/2000, 2003 or BusinessObjects Enterprise1. Go to the Groups management area of the CMC.2. If you added users and groups through Windows NT/2000, then click

BusinessObjects NT Users.If you added users and groups through the CMC, then select the appropriate group.

3. Click the Users tab.4. Click OK to the message which states that accessing the user list may

take several seconds.5. Click Refresh.6. Click OK.

To view users and groups that have been added using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.

The “Mapped NT Member Groups” area displays the groups that have been mapped to BusinessObjects Enterprise.Note: You can view the groups and users by selecting the appropriate group from the Groups management area and then clicking the Users tab.


Adding an NT account to a mapped NT group
When you have added a new account in NT, and the NT group to which the account belongs to is already mapped to BusinessObjects Enterprise, there are three ways you can get the new NT account into BusinessObjects Enterprise. Choose the method that works best for your situation:• When the new NT user logs on to BusinessObjects Enterprise and

selects NT authentication, the system will add the user to BusinessObjects Enterprise. This is the simplest method and it doesn’t require any extra steps, but the user won’t be added until he or she logs on to BusinessObjects Enterprise.

• You can add the new user to BusinessObjects Enterprise and select Windows NT authentication. The user is added and is automatically assigned a Windows NT alias. For more information on aliases, see “Security Concepts” on page 179.

• You can go to the Windows NT tab in the Authentication management area and select the option to add all new aliases and create all new users, and then click Update. In this case all NT users will be added to BusinessObjects Enterprise. For details, see “Mapping NT user accounts and groups” on page 215. However, if the NT group contains many users who don’t require access to BusinessObjects Enterprise, you may want to add the user individually instead.

Creating a new NT group account• If you create a new NT group account, and the group account does not

belong to a group account that is mapped to BusinessObjects Enterprise, add it to BusinessObjects Enterprise. For more information, see “Mapping NT user accounts and groups” on page 215.

• If you create a new NT group account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the group list. For more information, see “Viewing mapped NT users and groups” on page 221.

Disabling an NT user accountIf you disable an NT user account (using Windows Administrative Tools), the user will not be able to log on to BusinessObjects Enterprise using the mapped NT account. However, if the user also has an account that uses Enterprise authentication, the user can still access BusinessObjects Enterprise using that account.



Setting up NT single sign-onYou can configure BusinessObjects Enterprise to allow users to use various BusinessObjects Enterprise applications without being prompted to log on. Users need only to enter their NT user name and password information once at the beginning of the NT session. For instance, if you have set up NT single sign-on, when you launch the CMC, NT authentication occurs in the background. You are not required to enter any additional information.Note: This feature is available if you are using a Microsoft Internet Information Server (IIS) and the users are using Internet Explorer as their web browser. See the Platforms.txt file included with your product distribution for a complete list of version requirements.BusinessObjects Enterprise provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. When a user launches InfoView, he or she can log on using the Guest account (Enterprise authentication). You can disable this feature—for more information, on this and other routine administrative tasks, see the BusinessObjects Enterprise Administrator’s Guide. However, even when you disable the Guest account, BusinessObjects Enterprise is designed to display a logon page. With single sign-on enabled, the user can select Windows NT from the Authentication list and click Log On without entering his or her user name or password. In the developer documentation, refer to the tutorial for an example on creating a web application that uses single sign-on.Setting up NT single sign-on to BusinessObjects Enterprise includes these tasks:• “Modifying IIS security settings for NT single sign-on” on page 224• “Enabling InfoView NT single sign-on from the CMC” on page 224• “Modifying the web.config file for NT single sign-on” on page 225Note: BusinessObjects Enterprise does not support the Kerberos protocol for Windows NT. For information on Kerberos, see these sections:• “Using AD and Kerberos with IIS” on page 265• “Using AD and Kerberos with Java application servers” on page 289• “Using AD with NTLM or SiteMinder” on page 245


Modifying IIS security settings for NT single sign-on
To modify the security setting on IIS1. From the Windows Administrative Tools program group, click Computer

Management.2. Expand Services and Applications.3. Expand Internet Information Services.4. Click on the web site that runs InfoView, and then select Properties.5. Click on the Directory Security tab.6. In the Anonymous access and authentication control area of the page,

click Edit.7. Deselect the Anonymous access and Basic authentication check

boxes. 8. Ensure that the Integrated Windows authentication check box is

selected.9. Click OK.10. Click OK.11. Proceed to “Modifying the web.config file for NT single sign-on” on

page 225. 12. Restart your IIS server.

Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 223.

Enabling InfoView NT single sign-on from the CMC To enable the Windows NT plug-in for single sign-on from the CMC

1. Go to the Authentication management area of the CMC.2. Click the Windows NT tab.3. Select the Single Sign On is enabled check box.

Note: If you select this option, you must also configure the IIS for single sign-on. For details, see “Modifying IIS security settings for NT single sign-on” on page 224. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because when users access one of the web applications they would automatically have the same access privileges as the IIS machine account.

4. Click Update.



Note: For NT single sign-on to function correctly, make sure you complete all tasks listed in “Setting up NT single sign-on” on page 223.

Modifying the web.config file for NT single sign-onModify either of the following web.conf files based on what you want to configure for single sign-on. To configure both CMC and InfoView for single sign-on, configure the web.config file in the Web Content directory; To configure only InfoView for single sign-on, configure the web.config file in the InfoView directory.

To modify the web.config file for NT single sign-on1. Open the appropriate Web.config file from this location:


2. Locate the following line in the <system.web> block:<Authentication mode="None" />

3. Replace “None” with “Windows”.<Authentication mode="Windows" />

4. Add the following line: <identity impersonate="true" />

5. Find the following string:<add key="cmsDefault" value="" />

6. Enter the CMS machine in the cmsDefault value field.7. Find the following string:

<add key=" ssoEnabled" value="false" />

8. Change the ssoEnabled value from false to true.9. Find the following string:

<add key="authenticationDefault" value="secEnterprise" />

10. Ensure the value for authenticationDefault is set to secWindowsNT.11. Save and close the file.12. Restart IIS.




Using LDAP authentication

chapter

Using LDAP authenticationManaging LDAP accounts10
Managing LDAP accounts
To use LDAP authentication, you need to first ensure that you have your respective LDAP directory set up. For more information about LDAP, refer to your LDAP documentation. For more information on the LDAP security plug-in, see “LDAP security plug-in” on page 228.Note: When you install BusinessObjects Enterprise, the LDAP authentication plug-in is installed automatically, but not enabled by default.This section describes tasks related to configuring LDAP on BusinessObjects Enterprise. In particular, it includes information on:• “Configuring LDAP authentication” on page 230• “Mapping LDAP groups” on page 238• “Unmapping LDAP groups” on page 241• “Viewing mapped LDAP users and groups” on page 242• “Changing LDAP connection parameters and member groups” on

page 242• “Managing multiple LDAP hosts” on page 243• “Troubleshooting LDAP accounts” on page 243

LDAP security plug-inThe LDAP security plug-in (secLDAP.dll) allows you to map user accounts and groups from your LDAP directory server to BusinessObjects Enterprise; it also enables the system to verify all logon requests that specify LDAP Authentication. Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BusinessObjects Enterprise session. User lists and group memberships are dynamically maintained by BusinessObjects Enterprise. You can specify that BusinessObjects Enterprise use a Secure Sockets Layer (SSL) connection to communicate to the LDAP directory server for additional security. LDAP authentication for BusinessObjects Enterprise is similar to NT and AD authentication in that you can map groups and set up authentication, authorization, and alias creation. Also as with NT or AD authentication, you can create new Enterprise accounts for existing LDAP users, and can assign LDAP aliases to existing users if the user names match the Enterprise user names. In addition, you can do the following:• Map users and groups from the LDAP directory service.• Map LDAP against AD.


Using LDAP authenticationManaging LDAP accounts 10

Note: • If you configure LDAP against AD, you will be able to map your

users, however, you will not be able to configure either single sign-on or single sign-on to the database.

• These are the restrictions if you configure LDAP against AD.• Users who are only members of a default groups from AD will

not be able to log in successfully. Users must also be a member of another explicitly created group in AD and, in addition, this group must be mapped. An example of such a group is the “domain users” group.

• If a mapped domain local group contains a user from a different domain in the forest, the user from a different domain in the forest will not be able to log in successfully.

• Users from universal group from a domain different than the DC specified as the LDAP host will not be able to log in successfully.

• Specify multiple host names and their ports.• Configure LDAP with SiteMinder.For information on mapping your LDAP users and groups to BusinessObjects Enterprise, see “Managing LDAP accounts” on page 218.Once you have mapped your LDAP users and groups, all of the BusinessObjects Enterprise client tools support LDAP authentication, except for the Import Wizard. You can also create your own applications that support LDAP authentication.

More about LDAPLightweight Directory Access Protocol (LDAP), a common, application-independent directory, enables users to share information among various applications. Based on an open standard, LDAP provides a means for accessing and updating information in a directory. LDAP is based on the X.500 standard, which uses a directory access protocol (DAP) to communicate between a directory client and a directory server. LDAP is an alternative to DAP because it uses fewer resources and simplifies and omits some X.500 operations and features.The directory structure within LDAP has entries arranged in a specific schema. Each entry is identified by its corresponding distinguished name (DN) or common name (CN). Other common attributes include the organizational unit name (OU), and the organization name (O). For example, a member group may be located in a directory tree as follows: cn=BusinessObjects Enterprise Users, ou=Enterprise Users A, o=Research. Refer to your LDAP documentation for more information.



Because LDAP is application-independent, any client with the proper authorization can access its directories. LDAP offers you the ability to set up users to log on to BusinessObjects Enterprise through LDAP authentication. It also enables users to be authorized when attempting to access objects in BusinessObjects Enterprise. As long as you have an LDAP server (or servers) running, and use LDAP in your existing networked computer systems, you can use LDAP authentication (along with Enterprise, NT, and Windows AD authentication).If desired, the LDAP security plug-in provided with BusinessObjects Enterprise can communicate with your LDAP server using an SSL connection established using either server authentication or mutual authentication. With server authentication, the LDAP server has a security certificate which BusinessObjects Enterprise uses to verify that it trusts the server, while the LDAP server allows connections from anonymous clients. With mutual authentication, both the LDAP server and BusinessObjects Enterprise have security certificates, and the LDAP server must also verify the client certificate before a connection can be established. The LDAP security plug-in provided with BusinessObjects Enterprise can be configured to communicate with your LDAP server via SSL, but always performs basic authentication when verifying users’ credentials. Before deploying LDAP authentication in conjunction with BusinessObjects Enterprise, ensure that you are familiar with the differences between these LDAP types. For details, see RFC2251, which is currently available at http://www.faqs.org/rfcs/rfc2251.html

Configuring LDAP authenticationTo simplify administration, BusinessObjects Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to BusinessObjects Enterprise, you need to map their LDAP account to BusinessObjects Enterprise. When you map an LDAP account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account. Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation.Configuring LDAP authentication includes the following steps:• “Configuring the LDAP host” on page 231.• “Configuring LDAP Server or Mutual Authentication and the SSL settings”

on page 233.• “Configuring the LDAP plug-in for SiteMinder” on page 236.



Note: If you configure LDAP against AD, you will be able to map your users, however, you will not be able to configure single sign-on or single sign-on to the database.

Configuring the LDAP host To configure the LDAP host

1. Go to the Authentication management area of the CMC, and then click on the LDAP tab.

2. Enter the name and port number of your LDAP hosts in the Add LDAP host (hostname:port) field (for example, “myserver:123”), click Add, and then click OK.Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to “Managing multiple LDAP hosts” on page 243.

3. Select your server type from the LDAP Server Type list. Note: If you are Mapping LDAP to AD, select Custom for your server type.

4. If you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes, click Show Attribute Mappings.By default, each supported server type’s server attribute mappings and search attributes are already set.

5. Click Next.6. In the Base LDAP Distinguished Name field, type the distinguished

name (for example, o=SomeBase) for your LDAP server, and then click Next.

7. In the LDAP Server Administration Credentials area, type the distinguished name and password for a user account that is authorized to administer your LDAP server.Note: If your LDAP Server allows anonymous binding, leave this area blank—BusinessObjects Enterprise servers and clients will bind to the primary host via anonymous logon.

8. If you have configured referrals on your LDAP host, enter the authentication information in the LDAP Referral Credentials area, and then enter the number of referral hops in the Maximum Referral Hops field. Note:



• The “LDAP Referral Credentials” area must be configured if all of the following apply:• The primary host has been configured to refer to another

directory server that handles queries for entries under a specified base.

• The host being referred to has been configured to not allow anonymous binding.

• A group from the host being referred to will be mapped to BusinessObjects Enterprise.

• Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.

• If “Maximum Referral Hops” is set to zero, no referrals will be followed.

9. Click Next.10. Choose the type of Secure Sockets Layer (SSL) authentication used, and

then click Next.These are your SSL authentication choices:• Basic (no SSL) • Server Authentication• Mutual Authentication

Note: See “Configuring LDAP Server or Mutual Authentication and the SSL settings” on page 233 for further information.

11. Choose a method of LDAP single sign-on authentication from these choices:• Basic (No SSO)• SiteMinder

Note: If you select SiteMinder, see “Configuring the LDAP plug-in for SiteMinder” on page 236.



12. Select how aliases are mapped to Enterprise accounts.You have these choices:• Assign each added NT alias to an account with the same name• Create a new account for every added NT aliasNote: For more information on what these options do, see “Alias options” on page 196.

13. Select when aliases and users are created.You have these choices:• New aliases will be added and new users will be created• No new aliases will be added and new users will not be created

Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Finish. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on to BusinessObjects Enterprise. For more information on what these options do, see “Update options” on page 197.

14. Select how new users are created. You have these choices:• New users are created as named users• New users are created as concurrent usersNote: For more information on what these options do, see “User type options” on page 196.

15. Click Finish.

Configuring LDAP Server or Mutual Authentication and the SSL settingsThis section describes the CMC related information for configuring SSL with LDAP Server and Mutual Authentication. It assumes that you have completed the first 10 applicable steps in “Configuring the LDAP host” on page 231, and that you selected either of these for your SSL authentication choice:• Server Authentication• Mutual Authentication You can do this configuration after you complete all the steps in “Configuring the LDAP host” on page 231. For additional information or for information on configuring the LDAP host server, refer to http://www.techsupport.businessobjects.com/ or your LDAP vendor documentation.


http://www.techsupport.businessobjects.com

http://www.techsupport.businessobjects.com


To configure LDAP Server or Mutual Authentication1. Choose what level of SSL security you want to use from the available

options:Note: • Java applications will ignore the first and last setting and will accept

the server certificate only if it comes from a trusted Certificate Authority.

• Always accept server certificateThis is the lowest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. BusinessObjects Enterprise does not verify the certificate it receives.

• Accept server certificate if it comes from a trusted Certificate AuthorityThis is a medium security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database.

• Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the serverThis is the highest security option. Before BusinessObjects Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, BusinessObjects Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the “Add LDAP host” field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work.The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.



2. In the SSL host box, type the host name of each machine, and then click Add.

Note: You must next add the host name of each machine in your BusinessObjects Enterprise system that uses the BusinessObjects Enterprise SDK. (This includes the machine running your Central Management Server and the machine running your WCA.)

3. Specify the SSL settings for each SSL host that has been added to the list, and specify the default settings that will be used for each host that is not on the list. Note: The default settings will be used for any setting (for any host) where you leave the “Use default value” box checked or for any machine whose name you do not explicitly add to the list of SSL hosts.• To specify the default settings:

a. Select default from the SSL list.b. Clear the Use default value boxes. c. Type your values for the “Path to the certificate and key

database files” and the “Password for the key database”.d. If you’re specifying settings for Mutual authentication, you can

also enter a value in the “Nickname for the client certificate in the cert7.db” field.

• To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.

4. Click Next.



5. Choose a method of LDAP single sign-on authentication from these choices:• Basic (No SSO)• SiteMinderNote: For further details on configuring SiteMinder, see “Configuring the LDAP plug-in for SiteMinder” on page 236.

6. Choose how new LDAP users and aliases are created.7. Click Finish.

LDAP and SiteMinder WorkflowTo use SiteMinder and LDAP with BusinessObjects Enterprise you need to make configuration changes in two places:• In the LDAP plug-in the CMC.• In the web.xml file for your web application server.

Configuring the LDAP plug-in for SiteMinderThis section explains how to configure the CMC to use LDAP with SiteMinder. SiteMinder is a third-party user access and authentication tool that you can use with the LDAP security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed “Configuring the LDAP host” on page 231 and chosen SiteMinder for your method of LDAP single sign-on authentication. Note: • Please ensure that the SiteMinder Administrator has enabled support for

4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

To configure LDAP for single sign-on with SiteMinder1. On the Please configure your SiteMinder settings screen, in the Policy

Server Host box, type the name of each Policy Server, and then click Add.Note: This screen is visible after you select SiteMinder on the “Please choose a method of LDAP single sign-on authentication” screen.

2. For each Policy Server Host, specify the Accounting, Authentication and Authorization port numbers.



3. Enter the name of the Agent Name and the Shared Secret. Enter the shared secret again.Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

4. Click Next.5. Proceed with configuring the LDAP options.

Modifying web.xml for LDAP and SiteMinder To enable LDAP and SiteMinder

1. Open the web.xml file for InfoView on your web application server.<DeployedLocation>businessobjects\enterprise115\desktopl

aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute.

2. Locate the following string in the file:<param-name>cms.default</param-name>

3. Enter the CMS name and port in the cms.default<param-value> field.Use the format servername:portnumber.

4. Locate the following string in the file:<param-name>authentication.default</param-name>

5. Set the <param-value> for the authentication.default to secLDAP.<param-value>secEnterprise</param-value>

6. Locate the following string in the file:<param-name>sso.enabled</param-name>

7. Change the <param-value> for sso.enabled from false to true.<param-value>true</param-value>

8. Locate the following string in the file:<param-name>siteminder.enabled</param-name>

9. Change the <param-value> for siteminder.enabled from false to true.<param-value>true</param-value>



10. Locate the following string in the file:<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secLDAP.<param-value>secLDAP</param-value>

12. Save and close the file.13. Restart your web application server.

Troubleshooting SiteMinder single sign-onIf you are using SiteMinder with IIS, you may receive an error message in the Central Management Console regarding the failure of single sign-on. If you encounter this message, you may need to manually create two registry keys for SiteMinder: 1. Create the following key, set its type to REG_DWORD, and set its value to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\EnableSiteMinderSingleSignOn

2. Create a second key, set its type to REG_SZ, and set its value to the authentication type that you want to use for Siteminder single sign-on (secLDAP or secWinAD):HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Admin Plugins\CrystalEnterprise.CMSAdmin\SiteMinderAuthentication

Ensure that the Siteminder Administrator has enabled support for 4.x Agents. This must be done regardless of what supported version of SiteMinder you are using.

Mapping LDAP groupsOnce you have configured LDAP authentication using the LDAP configuration wizard, you can map LDAP groups to Enterprise groups. See “Configuring LDAP authentication” on page 230. Note: If you have configured LDAP against AD, this procedure will map your AD groups.

To map LDAP groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the LDAP tab.



If LDAP authorization is configured, the LDAP summary page appears.

3. In the “Mapped LDAP Member Groups” area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add. You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.



4. New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:• Assign each added LDAP alias to an account with the same

nameUse this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users.or

• Create a new account for every added LDAP aliasUse this option when you want to create a new account for each user.

5. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:• New aliases will be added and new users will be created

Use this option to automatically create a new alias for every LDAP user mapped to BusinessObjects Enterprise. New LDAP accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the “Create a new account for every added LDAP alias” option.or

• No new aliases will be added and new users will not be createdUse this option when the LDAP directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.

6. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:• New users are created as named users

New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system



regardless of how many other people are connected. You must have a named user license available for each user account created using this option.or

• New users are created as concurrent usersNew user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

7. Click Update.

Unmapping LDAP groupsSimilar to mapping, it is possible to unmap groups using BusinessObjects Enterprise.

To unmap LDAP groups using BusinessObjects Enterprise1. Go to the Authentication management area of the CMC.2. Click the LDAP tab.

If LDAP authorization is configured, the LDAP summary page will appear.3. In the “Mapped LDAP Member Groups” area, select the LDAP group you

would like to remove.4. Click Delete, and then click Update.

The users in this group will not be able to access BusinessObjects Enterprise.Tip: To deny LDAP Authentication for all groups, clear the “LDAP Authentication is enabled” check box and click Update.Note: The only exceptions to this occur when a user has an alias to an Enterprise account. To restrict access, disable or delete the user’s Enterprise account.


Viewing mapped LDAP users and groups
You can view your LDAP mapped groups in BusinessObjects Enterprise by clicking the LDAP tab (located in the Authentication management area). If LDAP authorization is configured, the Mapped LDAP Member Groups area displays the LDAP groups that have been mapped to BusinessObjects Enterprise.

Changing LDAP connection parameters and member groups

After you have configured LDAP authentication using the LDAP configuration wizard, you can change LDAP connection parameters and member groups using the LDAP Server Configuration Summary Page. For information on configuring LDAP authentication using the LDAP configuration wizard, see “Configuring LDAP authentication” on page 230.

To change connection settings1. Go to the Authentication management area of the CMC.2. Click the LDAP tab.

If LDAP authorization is configured, the LDAP Server Configuration Summary page appears. On this page you can change any of the connection parameter areas or fields. You can also modify the Mapped LDAP Member Groups area.

3. Delete currently mapped groups that will no longer be accessible under the new connection settings.

4. Click Update.5. Change your connection settings.6. Click Update.7. Change your Alias and New User options.8. Click Update.9. Map your new LDAP member groups.10. Click Update.



Managing multiple LDAP hostsUsing LDAP and BusinessObjects Enterprise, you can add fault tolerance to your system by adding multiple LDAP hosts. BusinessObjects Enterprise uses the first host that you add as the primary LDAP host. Subsequent hosts are treated as failover hosts.The primary LDAP host and all failover hosts must be configured in exactly the same way, and each LDAP host must refer to all additional hosts from which you wish to map groups. For more information about LDAP hosts and referrals, see your LDAP documentation.To add multiple LDAP Hosts, enter all hosts when you configure LDAP using the LDAP configuration wizard (see “Configuring LDAP authentication” on page 230 for details.) Or if you have already configured LDAP, go to the Authentication management area of the Central Management Console and click the LDAP tab. In the LDAP Server Configuration Summary area, click the name of the LDAP host to open the page that enables you to add or delete hosts.Note: • Make sure that you add the primary host first, followed by the remaining

failover hosts.• If you use failover LDAP hosts, you cannot use the highest level of SSL

security (that is, you cannot select “Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server.”) For more information, see “Configuring LDAP authentication” on page 230.

Troubleshooting LDAP accounts

Creating a new LDAP user account• If you create a new LDAP user account, and the account does not belong

to a group account that is mapped to BusinessObjects Enterprise, either map the group to BusinessObjects Enterprise, or add the new LDAP user account to a group that is already mapped to BusinessObjects Enterprise. For more information, see “Configuring LDAP authentication” on page 230.

• If you create a new LDAP user account, and the account belongs to a group account that is mapped to BusinessObjects Enterprise, refresh the user list. For more information, see “Viewing mapped LDAP users and groups” on page 242.




33

Using AD with NTLM or SiteMinder

chapter

Using AD with NTLM or SiteMinderUsing AD users and groups11
Using AD users and groups
BusinessObjects Enterprise supports Active Directory (AD) authentication with the Windows security plug-in, which is included by default when the product is installed on Windows. Support for AD authentication means that users and groups created in Microsoft Active Directory 2000 or 2003 can be used to authenticate with BusinessObjects Enterprise. This allows you, the administrator, to map previously created user accounts and groups, instead of setting up each user and group within BusinessObjects Enterprise.Note: • The AD authentication described in this section only works for servers

running on Windows systems. If you want to use AD authentication on Unix, you must configure LDAP against AD. For procedural details, see “Configuring LDAP authentication” on page 230.

• AD authentication with aggregation is not functional without a network connection.

• AD authentication with aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).

The section “Windows AD security plug-in” on page 246 provides overview information about how Active Directory authentication works with BusinessObjects Enterprise. The section that follows, “AD and NTLM and SiteMinder workflows” on page 248 provides a summary of the workflows for using AD with NTLM authentication and for using AD with SiteMinder.The remaining sections provide the procedural details related to the following:• Configuring AD with NTLM • Configuring AD, NTLM and single sign-on• Configuring AD with SiteMinder. Note: Using AD authentication with Kerberos is not covered in this section. For information on Kerberos, see these sections:

• “Using AD and Kerberos with IIS” on page 265• “Using AD and Kerberos with Java application servers” on page 289

Windows AD security plug-inWindows AD security plug-in enables you to map user accounts and groups from your Microsoft Active Directory (AD) 2000 or 2003 user database to BusinessObjects Enterprise. It also enables BusinessObjects Enterprise to


Using AD with NTLM or SiteMinderUsing AD users and groups 11

verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see “Managing AD accounts” on page 236.The AD security plug-in also enables you to use these authentication methods:• NTLM• KerberosNote: For information on using Kerberos, see “Using AD and Kerberos with IIS” on page 265 and “Using AD and Kerberos with Java application servers” on page 289.The AD security plug-in is compatible with both Microsoft Active Directory 2000 and 2003 domains running in either native mode or mixed mode. Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on the collaterals disk of your product distribution. This information can also found from the Start menu:

Start > Programs > BusinessObjects XI Release 2 > BusinessObjects Enterprise > BusinessObjects Enterprise Developer Documentation

• AD authentication only works for servers running on Windows systems.• The Windows AD plug-in for BusinessObjects Enterprise supports

multiple domains within the same forest but not multiple forests. All of the following must come from domains in the same forest:• Your CMS machine• Your AD Administration credentials• All groups and users you are mapping

• AD authentication and aggregation is not functional without a network connection.

• AD authentication and aggregation may not continue to function if the administration credentials become invalid. For example, if the administrator changes his or her password or if the account becomes disabled.


Single sign-on
The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group.• To obtain AD single sign-on functionality from a thick-client application

(such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK).In this scenario, the Windows AD security plug-in queries the operating system for the current user’s credentials when the client is launched.

• To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

BusinessObjects Enterprise provides its own form of “anonymous single sign-on,” which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see “Setting up AD single sign-on” on page 246.

AD and NTLM and SiteMinder workflowsThese are the workflows for using AD with NTLM and AD with SiteMinder.

AD and NTLM basic workflowThe workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:• Mapping AD accounts• Modifying IIS security settings• Modifying the web.config file for impersonation and Windows

authentication

AD, NTLM and single sign-on workflowThe workflow for configuring BusinessObjects Enterprise to use IIS with AD and NTLM involves these steps:



• Mapping AD accounts• Modifying IIS security settings• Modifying the web.config file for InfoView AD single sign-on

AD and SiteMinder workflowThe workflow for configuring BusinessObjects Enterprise to use IIS with AD and SiteMinder involves these steps:• Mapping AD accounts• Configuring the Windows AD plug-in for SiteMinder• Whichever of these steps that applies to your deployment type:

• Modifying web.config for .NET InfoView and SiteMinder• Modifying web.xml for Java AD and SiteMinder

Mapping AD accounts To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.

To map AD users and groups and configure the Windows AD security plug-in for NTLM authentication1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.



3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.

4. In the Windows AD Configuration Summary area, click the link beside AD Administration Name.Note: Before the Windows AD plug-in is configured, this link will appear as two double quotes. After the configuration has been saved, the link with be populated with the AD Administration names.

5. Enter the name and password of the domain user account you’ve set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.Administration credentials can use one of the following formats:• NT name (DomainName\UserName)• UPN (user@DNS_domain_name)Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on.

6. Complete the Default AD Domain field.Note: • Groups from the default domain can be mapped without specifying

the domain name prefix.• If you enter the Default AD Domain name, users from the default

domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.



7. In the Mapped AD Member Groups area, enter the AD domain\group in the Add AD Group (Domain\Group) field.Groups can be mapped using one of the following formats:• Security Account Manager account name (SAM), also referred to as

NT name (DomainName\GroupName)• DN (cn=GroupName, ......, dc=DomainName, dc=com)Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore, they will not be able to access BusinessObjects Enterprise.

8. Click Add.The group is added to the list.

9. For basic NTLM authentication, follow these steps:a. EnsureUse NTLM authentication is selected.b. Clear Enable Single Sign On for selected authentication mode.

10. For NTLM authentication with single sign-on follow these steps:a. Ensure Use NTLM authentication is selected.b. Ensure Enable Single Sign On for selected authentication mode

is selected.11. Select how aliases are mapped to Enterprise accounts.

You have these choices: • “Assign each added AD alias to an account with the same

name”.• “Create a new account for every added AD alias”.

For further details on these options, see “Alias options” on page 196.12. Select when users and aliases are created.

You have these choices: • “New aliases will be added and new users will be created”.• “No new aliases will be added and new users will not be

created”.Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see “Update options” on page 197.



13. Select what type of users are created.You have these choices:• “New users are created as named users”.• “New users are created as concurrent users”.For further details on these options, see “User type options” on page 196.

14. Click Update.15. Click OK.

Setting up AD single sign-onInstallation of the Active Directory plug-in enables you to use AD single sign-on. However, there are a two additional tasks you will need to complete the configuration for single sign-on for BusinessObjects Enterprise.Completing the configuration for AD single sign-on involves these tasks for IIS:• “Modifying IIS security settings” on page 252• “Modifying the web.config file for impersonation and Windows

authentication” on page 253Completing the configuration for AD single sign-on involves these tasks for IIS:Note: • AD single sign-on is not supported on client machines running on

Windows 98.• By default, AD single sign-on is not enabled.For information on how to set up end-to-end single sign on with AD and Kerberos, see “End-to-end Single sign-on workflow” on page 267.

Modifying IIS security settings To modify the security setting on IIS

1. From the Windows Administrative Tools program group, click Computer Management.

2. Expand Services and Applications.3. Expand Internet Information Services.4. Expand the web site that runs your BusinessObjects Enterprise

applications.5. Right-click businessobjects, and then select Properties.



6. Click on the Directory Security tab.7. In the Anonymous access and authentication control area of the page,

click Edit.8. Ensure the following check boxes are cleared:

• Anonymous access • Basic authentication

9. Ensure Integrated Windows authentication is selected.10. Click OK.11. Click OK.12. Repeat the procedure starting from step 6 for crystalreportviewers115

and Styles.13. Restart your IIS server.

Modifying the web.config file for impersonation and Windows authentication

If you want to use AD authentication, you must modify the web.config file to change the authentication mode used and allow impersonation. This is in addition to changing how IIS is configured. Modify either of the following web.config files based on what application you want to configure. • To configure both the CMC and InfoView, configure the web.config file in

the Web Content directory. To configure only InfoView, configure the web.config file in the InfoView directory.Note: The values in web.config file are case-sensitive.

To modify web.config for basic AD authentication1. Open the appropriate Web.config file from either of the following

locations:• C:\Program Files\Business Objects\BusinessObjects

Enterprise 11.5\Web Content\• C:\Program Files\Business Objects\BusinessObjects

Enterprise 11.5\Web Content\Enterprise115\InfoView\

2. Find the following line in the <system.web> block:<authentication mode="None" />

3. Replace “None” with “Windows”.<authentication mode="Windows" />



4. Add the following line:<identity impersonate="true" />


Modifying the web.config file for InfoView AD single sign-onIf you want to have AD single sign-on for InfoView, you must modify the web.config file for the following reasons:• To change the authentication mode used.• To allow impersonation.• To enable single sign-on.• To specify the authentication default.These changes are in addition to changing how IIS is configured.Note: The values in web.config file are case-sensitive.

To modify web.config for AD single sign-on1. Open the Web.config file from this location:

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\

2. Find the following line in the <system.web> block:<Authentication mode="None" />







<add key="authenticationDefault" value="secWinAD" />

10. Ensure the value for authenticationDefault is set to secWinAD.11. Save and close the file.



12. Restart IIS.

Note: For AD single sign-on to function correctly, make sure you complete all tasks listed in “Setting up AD single sign-on” on page 252.

Configuring AD and SiteMinder workflowThis section explains how to use AD and SiteMinder. SiteMinder is a third-party user access and authentication tool that you can use with the AD security plug-in to create single sign-on to BusinessObjects Enterprise. This section assumes that you have completed “Mapping AD accounts” on page 249.There are two things you must do to enable AD single sign-on with SiteMinder:• Configure the AD plug-in for single sign-on with SiteMinder• Modify either the Web.xml file to use Java and SiteMinder or the

Web.config file to use .NET and SiteMinderNote: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

Configuring the Windows AD plug-in for SiteMinder To configure the AD plug-in for single sign-on with SiteMinder

1. From the CMC, click Authentication.2. Click on the Windows AD tab.3. Scroll down to the SiteMinder options area of the page.4. Click Disabled.

The Windows AD SiteMinder configuration page will appear.5. If you have not configured the Windows AD plug-in, you will receive a

warning and will be asked if you wish to continue. Click OK.



The AD SiteMinder configuration page will appear.

6. Click Use SiteMinder Single Sign On.7. In the Policy Server Host box, type the name of each Policy Server, and

click Add.8. For each Policy Server Host, specify the Accounting, Authentication and

Authorization port numbers.9. Enter the name of the Agent Name and the Shared Secret. Enter the

Shared Secret again.Note: Please ensure that the SiteMinder Administrator has enabled support for 4.x Agents. This must be done regardless of which supported version of SiteMinder you are using. For more information about SiteMinder and how to install it, refer to the SiteMinder documentation.

10. Click Update.



Modifying web.xml for Java AD and SiteMinder To enable Java AD SiteMinder

1. Open the web.xml file for InfoView, from its deployed location on your web application server.<DeployedLocation>businessobjects\enterprise115\desktopl

aunch\WEB-INF


2. Find the following string in the file:<param-name>cms.default</param-name>

3. Enter the CMS name and port number in the cms.default <param-value> field.Use the format servername:portnumber.

4. Find the following string in the file:<param-name>authentication.default</param-name>

5. Set the <param-value> for the authentication.default to secWinAD.<param-value>secWinAD</param-value>

6. Find the following string in the file:<param-name>sso.enabled</param-name>


8. Find the following string in the file:<param-name>siteminder.enabled</param-name>


10. Find the following string in the file:<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secWinAD.<param-value>secWinAD</param-value>



Modifying web.xml for Java AD Single sign-on to InfoView
To enable Java AD single sign-on1. Open the web.xml file for InfoView, from its deployed location on your

web application server.<DeployedLocation>businessobjects\enterprise115\desktopl

aunch\WEB-INF









Modifying the web.xml file for Java AD and SiteMinder To enable the Java AD client for SiteMinder

1. Open the web.xml file for InfoView, from its deployed location on your web application server.<DeployedLocation>businessobjects\enterprise115\desktopl

aunch\WEB-INF

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\.If you



are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute.









10. Find the following string in the file:<param-name>siteminder.authentication</param-name>

11. Set the <param-value> for siteminder.authentication to secWinAD.<param-value>secWinAD</param-value>


Modifying web.config for .NET InfoView and SiteMinder To enable .NET InfoView client for SiteMinder

1. Open the web.config file for InfoView, from its deployed location for IIS.C:\Program Files\Business Objects\BusinessObjects


Note: The path mentioned is the default location. Modify your path accordingly if you changed the default location.

2. Find the following string in the file:



<add key="cmsDefault" value="" />

3. Enter the CMS name in the cmsDefault value field.4. Find the following string in the file:

<add key="authenticationDefault" value="secEnterprise" />

5. Set the value for the authenticationDefault to secWinAD.6. Find the following string in the file:

<add key="ssoEnabled" value="false" />

7. Change the value for ssoEnabled from false to true.8. Find the following string in the file:

<add key="siteminderEnabled" value="true" />

9. Ensure the value for siteminderEnabled is set to true.10. Find the following string in the file:

<add key="siteminderAuthentication" value="secLDAP" />

11. Set the value for sitemindeAuthentication to secWinAD.<param-value>secWinAD</param-value>


Disabling SiteMinder for Java clientsIf you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC, modify the web.xml file for Infoview.

To modify web.xml to disable SiteMinder1. Open the web.xml file for InfoView on your web application server.

<DeployedLocation>businessobjects\enterprise115\desktoplaunch\WEB-INF



3. Change the <param-value> from true to false.<param-value>false</param-value>




Disabling SiteMinder for .NET clientsIf you want to prevent SiteMinder from being configured, or to disable it after it has been configured in the CMC for .NET, modify the web.config file for InfoView.

To modify web.config to disable SiteMinder for .NET clients1. Open the web.config file for InfoView on your web application server.


2. Find the following string in the file:<add key="siteminderEnabled" value="true" />

3. Change the value from true to false.<param-value>false</param-value>


Troubleshooting single sign-onThis section contains some of the common configuration errors which can single sign-on not to function properly.• Disabled single sign-on• Security context problem• Duplicate ssoEnabled tags

Disabled single sign-onDespite the fact that single sign-on has been configured in the web.config files, users receive the following error:

The administrator has disabled Single Sign-On logons for this authentication plugin. Please log on using your username and password.

This problem occurs when single sign-on configuration is missing from the CMC but present in all the other required locations.

To enable single sign-on in the CMC1. Go to the Authentication area of the CMC.2. Click the Window AD.



3. In the Authentication Options area of the page, select “Enable Single Sign On for selected authentication mode.”

4. Restart IIS.

Security context problemAfter single sign-on has been set up, when the users attempt to access InfoView, they receive the following error:An error has occurred propagating the security context

between the security server and the client. Please contact your system administrator.

This can be caused because the impersonation setting has been set incorrectly or the setting is missing from the web.config file.

To fix this problem1. Open the web.config file at this location:


2. Make sure both of these lines exist in the file.<authentication mode="Windows"/>

<identity impersonate="true" />

If either line is missing, add it, if either has a different setting, change it to match the required setting.

3. Save and close the file4. Restart IIS.

Duplicate ssoEnabled tagsSingle sign-on has been configured in the web.config files, but the InfoView Log on screen appears with a blank user name and password, and with Windows AD authentication selected. If you click the Log on you are logged on successfully. No error message is displayed.This can occur if you have multiple contradictory values set for the key ssoEnable in the web.config file. Consider the following sample where the ssoEnable is set twice: the first time it is set to true, the second time it is set to false.<add key="cmsDefault" value="ABCADEI01" /><add key="ssoEnabled" value="true" /><add key="authenticationDefault" value="secWinAD" /><add key="cmsVisible" value="true" />



.

.

.<add key="siteminderEnabled" value="true" /><add key="siteminderAuthentication" value="secLDAP" /><add key="ssoEnabled" value="false" />

To remove the duplicate tag1. Open the web.config from the following location:

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content

2. Search for the following throughout the file:ssoEnabled

3. If you find multiple occurrences, ensure the first one has the setting you want, then delete the duplicate tags.





Using AD and Kerberos with IIS

chapter

Using AD and Kerberos with IISConfiguring Kerberos for IIS12
Configuring Kerberos for IIS
This section contains the tasks related to configuring Kerberos and single sign-on for use with IIS. If you are using IIS and Kerberos but do not want to use single sign-on, the steps outlined in this section are required. For information on using IIS and Kerberos without single sign-on, see “Using AD with NTLM or SiteMinder” on page 245. If you are using Java, see “Using AD and Kerberos with Java application servers” on page 289.

Kerberos, IIS and single sign-on optionsIf you are using IIS and Kerberos, you have the following options for single sign-on:• Single sign-on

Single sign-on to BusinessObjects Enterprise means that once users have logged on to the operating system they can access BusinessObjects Enterprise without having to provide their logon credentials again. When they log on to the operating system, a logon token is created. The system uses this token to authenticate the users and grant them access to BusinessObjects Enterprise and its components.

• Single sign-on to the databaseOnce users are logged on to BusinessObjects Enterprise, single sign-on to the database enables them to perform actions that require database access. In particular, viewing reports and Web Intelligence documents, without having to provide their logon credentials again. BusinessObjects Enterprise currently supports single sign-on to the database with Windows AD using Kerberos. For details on which databases are supported for single-sign on, consult the platforms.txt file included with your product distribution.

• End-to-end single sign-onEnd-to-end single sign-on refers to a configuration where users have both single sign-on access to BusinessObjects Enterprise at the front-end, and single sign-on access to the databases at the back-end. Thus, users need to provide their logon credentials only once when they log on to the operating system, to have access to BusinessObjects Enterprise and to be able to perform actions that require database access, such as viewing reports.


Using AD and Kerberos with IISConfiguring Kerberos for IIS 12

Workflows for Kerberos and IIS This section summarizes the workflows for using IIS, Kerberos and AD on BusinessObjects Enterprise. For details on what these terms mean, see information about the levels of single sign-on that are supported for use with IIS in BusinessObjects Enterprise, see “Kerberos, IIS and single sign-on options” on page 266.

Basic AD and Kerberos workflow Configuring AD and Kerberos includes these steps:• Setting up a service account on AD• Granting the service account rights• Configuring the servers to use the service account• Configuring IIS for integrated Windows authentication• Modifying web.config for impersonation and Windows authentication• Enabling Kerberos authentication in the Windows AD plug-in

AD and Kerberos with single sign-on workflowConfiguring AD and Kerberos single sign-on includes these steps:• Setting up a service account on AD• Granting the service account rights• Configuring IIS for integrated Windows authentication• Configuring the servers to use the service account• Modifying web.config for InfoView single sign-on• Enabling Kerberos authentication in the Windows AD plug-in

Single sign-on to database workflowConfiguring single sign-on to database includes these steps:• Modifying the AD plug-in settings for database single sign-on• Configuring web applications for database single sign-on• Configuring IIS for database single sign-on• Configuring the database server for single sign-on

End-to-end Single sign-on workflowConfiguring end-to-end single sign-on includes these steps:• Modifying the AD plug-in settings for database single sign-on• Configuring IIS and browsers



• Configuring IIS for end-to-end single sign-on• Modifying web.config for InfoView single sign-on• “Configuring Kerberos for IIS” on page 266

Setting up a service account on ADTo configure BusinessObjects Enterprise for Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. How you create this account varies slightly depending on what version of Active Directory Domain you are using:• If you are using a Windows 2000 Domain, see “Setting up a service

account with delegation on a Windows 2000 Domain” on page 268 • If you are using a Windows 2003 Domain, see “Setting up a service

account with delegation on a Windows 2003 Domain” on page 269.After you set up the service account, you will need to grant the account appropriate rights, see “Granting the service account rights” on page 270.

Setting up a service account with delegation on a Windows 2000 Domain To set up the service account on a Windows 2000 Domain

1. Create an account on the domain controller or use an existing account.For detailed instructions, refer to http://msdn.microsoft.com/

2. Right-click on the user account, then select Properties.3. Click the Account tab.4. Select these account options:

• Account is trusted for delegation• Use DES encryption types for this account

To run the SPN utility on Windows 20001. Download the utility from this location to your Domain controller:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

2. Open a command prompt and enter this command:SETSPN.exe –A BOBJCentralMS/HOSTNAME serviceaccount



Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account. Note: The name of your service account is case-sensitive.

3. Verify that you receive a message similar to this one:Registering ServicePrincipalNames for

CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object


1. Create a new account on the domain controller or use an existing account.For detailed instructions, refer to http://msdn.microsoft.com/

2. Right-click on the user account, then select Properties.3. Click the Account tab.4. Select the following under Account Options:

• Use DES encryption types for this account5. Open a Command Prompt and enter this command:

SETSPN.exe –A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the name of your machine running the CMS service. Replace serviceaccount with name of your service account.

6. Verify that you receive a message similar to this one:Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

7. Click the Delegation tab.Note: You will not see the Delegation tab until after you have entered the SETSPN command.

8. Select Trust this user for delegation to any service (Kerberos only)9. Click OK.

Configuring the serversConfiguring the BusinessObjects Enterprise servers includes these steps:• “Granting the service account rights” on page 270• “Configuring the servers to use the service account” on page 270


Granting the service account rights
In order to support AD and Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running the following servers:• CMS• Page Server• Report Application Server• Web Intelligence Report ServerNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account on AD” on page 268.

To grant the service account rights1. Click Start > Control Panel > Administrative Tools > Local Security

Policy.2. Expand Local Policies, then click User Rights Assignment.3. Double-click Act as part of the operating system.4. Click Add.5. Enter the name of the service account you created, then click OK.6. Ensure that the Local Policy Setting check box is selected, and click

OK.7. Repeat the above steps on each machine running a BusinessObjects

Enterprise server.

Configuring the servers to use the service accountIn order to support Kerberos single sign-on, you must use CCM and configure the following servers to log on as the service account:• CMS server• Page Server• Report Application Server• Web Intelligence Report ServerNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account on AD” on page 268.

To configure a server1. Start the CCM.2. Stop the server you want to configure, for example, the CMS server.



3. Double-click the server you want to configure. The Properties dialog box is displayed.

4. On the Properties tab:a. In the Log On As area, deselect the System Account check box.b. Enter the user name and password for the service account.c. Click Apply, then click OK.

5. Start the server again.6. Repeat steps 2 through 5 for each BusinessObjects server that has to be

configured.

Enabling Kerberos authentication in the Windows AD plug-in

In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:• Ensuring Windows AD authentication is enabled.• Entering the AD Administrator account.

Note: This account requires read access to Active Directory only; it does not require any other rights.

• Entering the service principal name (SPN) for the service account.• If you want to use single sign-on, you will also have to enable single sign-

on in the CMC.

Prerequisites Before you configure the Windows AD security plug-in for Kerberos, you must have completed the following tasks:• “Setting up a service account on AD” on page 268• “Granting the service account rights” on page 270• “Configuring the servers to use the service account” on page 270

To configure the Windows AD security plug-in for Kerberos1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.



3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.

4. In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.

5. Enter the AD administrator’s credentials in the Name and Password fields.

Note: • Use the format DOMAIN\Account in the Name field.• The AD Administrator account requires read access to Active

Directory only; it does not require any other rights.6. Enter the default domain in the Default AD Domain field.

Note: Use The FQDN format for the AD default domain and enter the domain in uppercase.

7. Click Update.



8. In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add.Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see “Managing Users” in the BusinessObjects Enterprise Administrator’s Guide.

9. Under Authentication Options select the following:• Select the Use Kerberos authentication check box.

• If you want to configure single sign-on, select Enable Single Sign On for selected authentication mode.

• If you want to configure single sign-on to a database, select the Cache Security context (required for SSO to database) check box.

• In the service principal name: field, enter the service principal name of the service account.Note:



• The Service Principal Name is case sensitive. The case must match exactly what you have set up on your AD domain. This must be the same account that you use to run the BusinessObjects Enterprise. The domain name is entered in uppercase.

• This must be the same account that you use to run the BusinessObjects Enterprise servers. This is the AD account you created in this step: “Setting up a service account on AD” on page 268.

10. Select how aliases are mapped to Enterprise accounts.You have these choices: • “Assign each added AD alias to an account with the same

name”.• “Create a new account for every added AD alias”.


You have these choices: • “New aliases will be added and new users will be created”.• “No new aliases will be added and new users will not be

created”.Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update. If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see “Update options” on page 197.

12. Select what type of users are created.You have these choices:• “New users are created as named users”.• “New users are created as concurrent users”.For further details on these options, see “User type options” on page 196.

13. Click Update.

Modifying web.config for impersonation and Windows authentication To modify web.config for Windows authentication and impersonation

1. Open the Web.config file from the following location:C:\Program Files\Business Objects\BusinessObjects

Enterprise 11.5\Web Content\




3. Replace None with Windows.4. Find the following line:

<identity impersonate="false" />

5. Change the value to true.6. Save and close the file.

Modifying the AD plug-in settings for database single sign-on To modify the CMC settings for database single sign-on

1. Go the Authentication area of the CMC.2. Click the Windows AD tab.3. Scroll down to Authentication Options area of the page.4. Clear the Enable Single Sign On for selected authentication mode

check box on the Windows AD page in the Authentication management area in CMC.

Configuring IIS and browsersIn order to support Kerberos end-to-end single sign-on, you have to configure the BusinessObjects Enterprise clients. This includes:• “Configuring IIS for integrated Windows authentication” on page 275• “Configuring the Internet Explorer browser on a client machine” on

page 276

Configuring IIS for integrated Windows authenticationTo support Kerberos, you have to configure the BusinessObjects clients on IIS to use integrated Windows authentication.

To configure the clients for Windows authentication1. On IIS, in the Internet Information Services window, expand the tree on

the left and go to businessobjects under Default Web Site.2. Right-click businessobjects and select Properties.3. On the Directory Security tab, click Edit.4. If it is selected, clear Anonymous Access.5. Select Integrated Windows Authentication.6. Click OK, then click OK again.



7. Repeat the above for crystalreportviewers115 and styles.

Configuring the Internet Explorer browser on a client machineTo support Kerberos end-to-end single sign-on, you have to configure the Internet Explorer (IE) browser on the BusinessObjects Enterprise client machines. This includes:• Setting up the client machines for integrated Windows authentication.• Adding IIS to the trusted sites.Note: • In configuring IIS for database single sign-on, you do not need to

configure the browser for single sign-on. See also “Configuring IIS for database single sign-on” on page 281.

• You can automate the following steps through a registry key. For details, refer to your Windows documentation.

To configure the IE browser on the client machines1. On the client machine, open an Internet Explorer browser window.2. Enable integrated windows authentication.

a. Click Tools > Internet Options. The Internet Options dialog box appears.

b. Click the Advanced tab.c. Navigate to the Security settings.d. Click the Enable integrated windows authentication option, and

click Apply.3. Add IIS to the Trusted sites. You can enter the full domain name of the

site.a. Click Tools > Internet Options. The Internet Options dialog box

appears.b. Click the Security tab.c. Click Sites.d. Click Advanced.e. Type in the web site for IIS, and click Add.f. Click OK, then click OK twice more to close the Internet Options

dialog box.4. Close the Internet Explorer browser windows and then open them again

for the changes to take effect.



5. Repeat the above steps on each BusinessObjects Enterprise client machine.

Configuring IIS for end-to-end single sign-onTo support Kerberos end-to-end single sign-on, the worker processes of IIS have to run under a domain account that is trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:• “Configuring IIS 5 for Kerberos end-to-end single sign-on” on page 277• “Configuring IIS 6 for Kerberos end-to-end single sign-on” on page 279Note: Instead of configuring IIS worker processes for end-to-end single sign-on you can configure them to use database single sign-on. You may want to do this, for example, if you don’t want to run IIS worker processes under an account that has been trusted for delegation. For more information, see:• “Configuring IIS for database single sign-on” on page 281• “Configuring web applications for database single sign-on” on page 285

Configuring IIS 5 for Kerberos end-to-end single sign-onTo support Kerberos end-to-end single sign-on, you have to set IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation.You can run IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically

generated and won’t expire, nor will it be exposed or modified. • If you use a user domain account you have more control over the rights

for the account, but the password can be exposed or modified, and it may expire, which will result in an error condition.

The approach you use depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to Microsoft’s web site: http://www.microsoft.com/Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:• “To configure IIS 5 for database single sign-on” on page 282• “To run IIS 5 worker process under a user domain account” on page 278


http://www.microsoft.com


To run IIS 5 worker process under the machine domain account1. On the domain controller, set the domain account of IIS machine to be

trusted for delegation.Changing this property can take several minutes to propagate.

2. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="SYSTEM"

• Password="AutoGenerate"

In the above path name, version represents the software version.Note: • Configuring the Aspnet_wp.exe account to run as a machine

domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

• For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.

3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Running IIS 5 worker processes under a user domain account To run IIS 5 worker process under a user domain account

1. Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="domainaccount"

• Password="password"

Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.In the above path name, version represents the software version.Note: For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.





Configuring IIS 6 for Kerberos end-to-end single sign-onTo support Kerberos for end-to-end single sign-on, you have to set IIS and w3wp.exe worker process to run as an account that has been trusted for delegation. You can run IIS either under the machine domain account or under user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically


for the account, but the password can be exposed or modified, and may expire, which will result in an error condition.

The approach you use depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to Microsoft’s web site: http://www.microsoft.com/Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:• “To run IIS 6 worker processes under the machine domain account” on

page 279• “To run IIS 6 worker processes under a user domain account” on

page 280

Running the IIS 6 worker processes under a domain account To run IIS 6 worker processes under the machine domain account

1. On the domain controller, set the account of IIS machine to be trusted for delegation.Note: • Changing this property can take several minutes to propagate. • If you don’t want to use end-to-end single sign-on but want to provide

single sign-on to the database, skip step 1. See also “Configuring IIS for database single sign-on” on page 281.



2. Configure the account for the w3wp.exe worker process:a. In the Internet Service Manager window, right-click the machine

name and select Application Pool > New.b. Type in a name for the application pool.c. In the tree panel on the left, expand to Default Web Site >

businessobjects > EnterpriseX (where X equals your version number).

d. Right-click InfoView and select Properties.e. On the Home Directory tab, select the new application pool name

from the list, and click Apply.f. Right-click the application pool you created, and select Properties.g. On the Identity tab, select LocalSystem from the list, and click

Apply.Note: • Configuring the w3wp.exe account to run as a LocalSystem account

will cause all ASP.NET web applications on the web server to run as privileged system accounts.

• For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group.



Running the IIS 6 worker processes under a user domain account To run IIS 6 worker processes under a user domain account

1. Set the w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:• userName="domainaccount"

• Password="password"

In the above path name, version represents the software version.Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.



Note: If you don’t want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also “Configuring IIS for database single sign-on” on page 281. For security reasons, make sure that the account which IIS worker processes run under does not belong to a mapped group.

2. Add the domain account to IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http://msdn.Microsoft.com/



Configuring IIS for database single sign-onWhen using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases.Below is a summary of the tasks required to set up a single sign-on to database:• Configure IIS worker processes to run as a domain account.

Refer to either of the following procedures, depending on whether you are using IIS 5 or IIS 6:• “Configuring IIS 5 for single sign-on to database only” on page 282• “Configuring IIS 6 for single sign-on to database” on page 283

• Configure the web applications for single sign-on to the database. See “Configuring web applications for database single sign-on” on page 285.

• Modify the Windows AD options.See “Modifying the AD plug-in settings for database single sign-on” on page 275.


Configuring IIS 5 for single sign-on to database only
To support database single sign-on, you have to set the Aspnet_wp.exe worker process to run as a domain account. You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically


for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.

The approach you use depends on how you want to manage your system security. For complete information about security risks associated with system or user domain accounts, refer to Microsoft ‘s web site: http://www.microsoft.com/

To configure IIS 5 for database single sign-on 1. Make sure your BusinessObjects Enterprise web site on IIS is running as

a domain account.Note: Unless you specified a different web site during installation, this will be the Default Web Site under IIS.

2. Locate and open the machine.cong file.This file can be found at the following location: C:\Winnt\Microsoft.NET\Framework\version\CONFIG\ where, version represents the software version number.

3. Find the processModel Attributes area in the file.4. Set UserName and password as follows:

• userName="SYSTEM"

• Password="AutoGenerate".5. Save and close the file.

Note: • Configuring the Aspnet_wp.exe account to run as a machine

domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

• For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.

6. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:





setspn -A HTTP/serverhost.domainname.com serverhost

For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.

Configuring IIS 6 for single sign-on to database To support single sign-on to the database, you have to set the w3wp.exe worker process to run as a machine or user domain account, You can run IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:• If you use a machine domain account, the password will be automatically


for the account, but the password can be exposed or modified, and it may expire, which would result in an error condition.

The approach you use depends on how you want to manage your system security.For complete information about security risks associated with system or user domain accounts, refer to Microsoft’s web site: http://www.microsoft.com/

To configure IIS 6 for database single sign-on 1. Make sure the BusinessObjects Enterprise IIS web site is running as a

domain account.Note: Unless you specified a different site during installation, this will be the Default Web Site under IIS.

2. Configure the account for the w3wp.exe worker process:a. In the Internet Information Services Manager window, expand the

computer name.b. Right-click Application Pool and select New > Application Pool.c. Type in a name for the application pool.d. In the tree panel on the left, expand to Default Web Site >

businessobjects > Enterprise115.e. Right-click InfoView and select Properties.f. On the Directory tab select the new application pool name from the

application pool list, and then click Apply.g. Right-click the application pool you created, and select Properties.h. On the Identity tab, select LocalSystem from the list, and click

Apply.





Note: • Configuring the w3wp.exe account to run as a machine domain

account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

• For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.


For example, if you access the machine via www.domainname.com but the machine name is web.domainname.com, you will have to add an a SPN for HTTP access on the web server machine.

Modifying web.config for InfoView single sign-onIn order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. If you want to use database single sign-on instead of end-to-end single sign-on, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See “Configuring web applications for database single sign-on” on page 285.Note: The values in web.config file are case-sensitive.

To modify web.config for InfoView single sign-on1. Open the appropriate Web.config file from the following location:

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\










<add key="authenticationDefault" value="secWinAD" />

10. Ensure the value for authenticationDefault is set to secWinAD.11. Save and close the file.12. Restart IIS.Note: For AD single sign-on to function correctly, make sure you complete all tasks that apply to the type of single sign-on you are using, as outlined in “Workflows for Kerberos and IIS” on page 267.

Configuring web applications for database single sign-onIf you want to use database single sign-on instead of end-to-end single sign-on, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on IIS as follows:Note: If you want to use database single sign-on, see also “Configuring IIS for database single sign-on” on page 281.

To configure the web applications for database single sign-on1. To set the CMC to not impersonate the user, add the following line to the

<system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Web.config file:<identity impersonate="false" />

2. Locate the following line:<Authentication mode="None" />

3. Change the value from “None” to ”Windows”.4. To set InfoView to not impersonate the users, add the following line to the

<system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config file:<identity impersonate="false" />

5. Locate the following line:<Authentication mode="None" />

6. Change the value from “None” to ”Windows”.7. Save and close the files.Note: Make sure you set identity impersonate to false.



Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting the authentication method that applies to them. Once they are logged on, the users will have database single sign-on access associated with BusinessObjects Enterprise.

Configuring the database server for single sign-onThis section provides information that is specific to setting up single sign-on to SQL Server databases.See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. For general information and for information about single sign-on to other supported databases, refer to the database vendors support documentation.

Configuring SQL Server for single sign-onIn order for Kerberos single sign-on to work, the machines running SQL Server database must be trusted for delegation. Setting up security delegation varies depending on whether SQL Server has been configured to run under the LocalSystem account or under a service account:• If SQL Server is running under the LocalSystem account, no additional

configuration is required. SQL Server registers itself when it starts and the system registers the SPN. When SQL Server shuts down, the system automatically un-registers the SPNs for the LocalSystem account.

• If SQL Server is running under a service account, you have to configure to be trusted for delegation.

To run SQL Server under a service account1. In Active Directory, set up the SQL Server service account for security

delegation:a. Select Start > Programs > Administrative Tools > Active

Directory Users and Computers.b. Right-click the domain account and select Properties.c. On the Accounts tab, make sure the following options are selected:

• In Windows 2000, ensure that the Account is trusted for delegation option has been selected for the account.

• In Windows 2003, ensure that these two options have been selected for the account: Trust this user for delegation to specified service only and Use Kerberos only.



Note: If you are using Windows 2003, you may have to first add a service principal name (SPN) for the domain account.

2. Set the machine running SQL Server as follows:a. Computer is trusted for delegationb. Click Apply, and click OK.

3. Add an SPN for the service account of the SQL Server:setspn -A MSSQLSvc/host:port serviceaccount

Where host:port is the name of the machine running SQL Server and the port, and serviceaccount is the name of the SQL Server service account.

Server cache expiryWhen the system is using AD and Kerberos single sign-on, it uses the cache expiry for certain BusinessObjects Enterprise servers to determine whether a logon ticket is still valid. This applies to the CMS, Page Server, Report Application Server, and Web Intelligence Report Server.The CMS uses the cache expiry as follows:• If the CMS cache expiry is greater than that of the ticket, the system

renews the ticket until the CMS cache expiry is reached.• If the CMS cache expiry is less than that of the ticket, the ticket will expire

when the CMS cache expiry is reached.• If the CMS cache expiry is zero, the system will use the globally set ticket

expiry.The other servers use either their cache expiry or the ticket expiry, whichever has the lowest value. Regardless of whether the cache expiry for the server is greater or less than that of the ticket, the ticket will expire when the lowest expiry value is reached.The system comes configured with default values for the server cache expiry. To change the default values for the cache expiry, see “Modifying the default cache expiry value” on page 287.Note: If you are running multiple instances of a server, you can control the cache expiry for each instance individually.

Modifying the default cache expiry value To change the default cache expiry value

1. Go to the Servers management area of the CMC.2. Click the link for the server.



3. Click the Single Sign-On tab.4. Type in a new cache expiry value.5. Click Update.


Using AD and Kerberos with Java application servers

chapter

Using AD and Kerberos with Java application serversConfiguring Kerberos for Java application servers13
Configuring Kerberos for Java application servers
This section contains the tasks related to configuring Kerberos for use with these Java application servers: Tomcat, WebSphere, WebLogic, and Oracle Application Server.Note: SAP Web Application Server with Java AD with Kerberos is not supported.This section contains this information:• Two type of workflows.

• The general workflow that you must follow regardless of the web application server your are using.

• The workflow specific to your Java web application server. This second workflow is necessary because the implementation of Java Authentication and Authorization Service (JAAS) varies between different application servers.

• The procedural details for each step in the workflow.• Two samples of Krb5.ini files.• Troubleshooting information.Note: If you are using IIS and Kerberos, see “Workflows for Kerberos and IIS” on page 267.

General workflow for configuring Kerberos This section outlines the process of setting up BusinessObjects Enterprise and your Java application server to use AD with Kerberos authentication.

Configuration process overviewSetting up Kerberos includes these steps:• Setting up a service account• Granting the service account rights• Configuring the servers to use the service account• Kerberos authentication in the Windows AD plug-in


Using AD and Kerberos with Java application serversConfiguring Kerberos for Java application servers 13

Workflow for configuring Tomcat for KerberosIf you are using Tomcat, and you want to use Kerberos, you must complete these steps, in addition to the “General workflow for configuring Kerberos” on page 290.• Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle

Application Server• Creating the JAAS login configuration file for Tomcat or WebLogic• Modifying your Java options for Kerberos on Tomcat

Workflow for configuring WebSphere for KerberosIf you are using WebSphere, and you want to use Kerberos, you must complete these steps, in addition to the “General workflow for configuring Kerberos” on page 290.• Configuring Kerberos and single sign-on for Java InfoView• Creating the JAAS login configuration file for WebSphere• Modifying the Java options for Kerberos on WebSphere

Workflow for configuring WebLogic for KerberosIf you are using WebLogic, and you want to use Kerberos, you must complete these steps, in addition to the “General workflow for configuring Kerberos” on page 290• Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle

Application Server.• Creating the JAAS login configuration file for Tomcat or WebLogic• Modifying the Java options for Kerberos on WebLogic

Workflow for configuring Oracle for KerberosIf you are using Oracle, and you want to use Kerberos, you must complete these steps, in addition to the “General workflow for configuring Kerberos” on page 290.• Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle

Application Server• Creating the JAAS login configuration file for Oracle Application Server• Modifying the Java options for Kerberos on Oracle Application Server


Setting up a service account
To configure BusinessObjects Enterprise using Kerberos and Windows AD authentication, you require a service account. This must be a domain account that has been trusted for delegation. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers. After you set up the service account, you will need to grant the account appropriate rights, see “Granting the service account rights” on page 295.How you create this account varies slightly depending on what version of Active Directory Domain you are using:• If you are using a Windows 2000 Domain, see “Setting up a service

account with delegation on a Windows 2000 Domain” on page 292 and “Creating an SPN for your CMS on a Windows 2000 domain” on page 293.

• If you are using a Windows 2003 Domain, see “Setting up a service account with delegation on a Windows 2003 Domain” on page 293 and “Creating an SPN for your CMS on a Windows 2003 domain” on page 294.

• If you are using a Windows 2003 Domain, you also have the option of setting up constrained delegation. See “Setting up constrained delegation” on page 294 for more information.

Note: In a forest with multiple domains you can create this service account in any domain. All domains that trust the domain you have created the service account in will be able to authenticate.


1. Create an account on the domain controller or use an existing account.For detailed instructions, refer to http://msdn.microsoft.com/

2. Right-click on the user account, then select Properties.3. Click the Account tab.4. Select these account options:

• Account is trusted for delegation• Use DES encryption types for this account



Creating an SPN for your CMS on a Windows 2000 domain To run the SPN utility on Windows 2000

1. Download the utility from this location to your Domain controller:http://www.microsoft.com/windows2000/techinfo/reskit/

tools/existing/setspn-o.asp

Note: The SETSPN utility is a program that allows you to manage the Service Principal Name (SPN) for service accounts in Active Directory.

2. Open a command prompt and enter this command:SETSPN.exe –A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service.Note: The name of your service account is case-sensitive.

3. Verify that you receive a message similar to this one:Registering ServicePrincipalNames for

CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object


1. Create a new account on the domain controller or use an existing account.For detailed instructions, refer to http://msdn.microsoft.com/

2. Right-click on the user account, then select Properties.3. Click the Account tab.4. Select the following under Account Options:

• Use DES encryption types for this account5. Run the SPN utility. For details, see “Creating an SPN for your CMS on a

Windows 2003 domain” on page 294.6. Click the Delegation tab.

Note: You will not see the Delegation tab until after you have entered the SETSPN command.

7. Select this option:Trust this user for delegation to any service (Kerberos only)



Note: If you are using a 2003 Active Directory domain, and you need to restrict delegation, see “Setting up constrained delegation” on page 294.

8. Click OK.

Creating an SPN for your CMS on a Windows 2003 domain To run the SPN utility

1. Open a Command Prompt and enter this command:SETSPN.exe –A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of your machine running the CMS service. For example, MACHINE.DOMAIN.COM. Replace serviceaccount with name of your service account that runs the CMS service.Note: The name of your service account is case-sensitive.

2. Verify that you receive a message similar to this one:Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

3. Click the Delegation tab.Note: You will not see the Delegation tab until after you have entered the SETSPN command.

Setting up constrained delegationIf your company has a policy against trusting a specific service account for delegation to any service, and you are using Active Directory on Windows 2003, you may set up constrained delegation. Setting up constrained delegation is done after you create the service account. Constrained delegation allows you to limit what services an account can delegate to, rather then allowing an authorized user to delegate to all services.You can set up constrained delegation in these ways:• “Setting up constrained delegation for a service account” on page 295This method allows you to limit the amount of delegation permitted. Constrained delegation for a service account allows you to do further limit delegation to a specific service for a specific user on a specific computer. Because constrained delegation for a service account is more restrictive, it is considered a more secure option.Note: Constrained delegation is only supported on Active Directory 2003.



Setting up constrained delegation for a service account1. Select the name of the computer or account you created to use as the

service account, then click OK.2. Create a SPN for the CMS server.

Type the following command:SETSPN.exe –A BOBJCentralMS/HOSTNAME CMS_Machine_Name

• Replace HOSTNAME with the fully qualified name of your machine running the CMS service: For example, machine_name.domain_name.com.

• Replace CMS_Machine_Name with the name of machine running the CMS service.

3. Open Active Directory.4. Expand Users and Computers.5. Select the Users folder.6. Select the service account user.7. Right-click, then select Properties.8. Click on the Delegation tab.9. Select Trust this user for delegation to specified services only.10. Ensure Use Kerberos only is selected.11. Click Add.12. Click Users and Computers.13. Enter the CMS_machine_name you specified in step 2, then click OK.14. Select BOBJCentralMS from the list of services, then click OK.15. Click OK.

Configuring the serversConfiguring the BusinessObjects Enterprise servers includes these steps:• “Granting the service account rights” on page 295• “Configuring the servers to use the service account” on page 297

Granting the service account rightsIn order to support Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running these servers:• CMS



• Page Server• Report Application Server• Web Intelligence Report ServerNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 292.

To grant the service account rights1. Click Start > Administrative Tools > Local Security Policy.2. Click Local Policies, then click User Rights Assignment.3. Double-click Act as part of the operating system.4. Click Add.5. Type the name of the user to add, and click OK.6. Ensure that the Local Policy Setting check box is selected, and click

OK.7. Repeat the above steps on each machine running a BusinessObjects

Enterprise server.Note: It is important that the Effective Right ends up being checked after Act as part of the operating system is selected. Typically, you will need to restart the server for this to occur. If, after restarting the server, this option is still not on, your Local Policy settings are being overridden by your Domain Policy settings.

Adding the Service Account to the servers’ Local Administrators groupIn order to support Kerberos, the service account must be part of the local Administrators group for each server that has one of the following services deployed:• CMS• Page Server• Report Application Server• Web Intelligence Report ServerNote: To complete this procedure, you require a service account that has been trusted for delegation. For details, see “Setting up a service account” on page 292. You must also have administrative rights on the server.

To add an account to the Administrators Group1. On the desired machine, right-click My Computer and then click

Manage.2. Go to System Tools > Local Users and Groups > Groups.



3. Right-click Administrators and then click Add to Group...4. Click Add... and enter the logon name of the service account.5. Click Check Names to ensure the account resolves.6. Click Ok and then click OK again.7. Repeat these steps for each Business Objects server that has to be

configured.

Configuring the servers to use the service accountIn order to support Kerberos, you must use the CCM and configure the following servers to log on as the service account:• CMS server• Page Server• Report Application Server• Web Intelligence Report ServerNote: To complete this procedure, you require a service account that has been trusted for delegation. See “Setting up a service account” on page 292.

To configure a server1. Start the CCM.2. Stop the server you want to configure, for example, the CMS server.3. Double-click the server you want to configure. The Properties dialog box

is displayed.4. On the Properties tab:

a. In the Log On As area, deselect the System Account check box.b. Enter the user name and password for the service account.c. Click Apply, and click OK.

5. Start the server again.6. Repeat steps 2 through 5 for each BusinessObjects server that has to be

configured.

Kerberos authentication in the Windows AD plug-in In order to support Kerberos, you have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. This includes:• Ensuring Windows AD authentication is enabled.• Entering the AD Administrator account.



This account requires read access to Active Directory only; it does not require any other rights.

• Enabling Kerberos authentication and single sign-on, if single sign-on is desired.

Note: If you enable single sign-on in the CMC, you also must configure it in the web.xml file. For details, see “Configuring Kerberos and single sign-on for Java InfoView” on page 312.• Entering the service principal name (SPN) for the service account.

Prerequisites Before you configure the Windows AD security plug-in for Kerberos, you must have completed these tasks:• “Setting up a service account” on page 292• “Granting the service account rights” on page 295• “Configuring the servers to use the service account” on page 297

To configure the Windows AD security plug-in for Kerberos1. Go to the Authentication management area of the CMC.2. Click the Windows AD tab.3. Ensure that the Windows Active Directory Authentication is enabled

check box is selected.

4. In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.



5. Enter the credentials that have read access to Active Directory in the Name and Password fields.

Note: • Use the format Domain\Account in the Name field.• The account requires read access to Active Directory only; it does

not require any other rights.6. Enter the default domain in the Default AD Domain field.

Note: Use The FQDN format and enter the domain in uppercase.Note: In a deployment with multiple domains, the Default AD Domain may be any of the desired domains. The best practice is to use the domain with the largest number of users that will be authenticating with their AD account.

7. In the Mapped AD Member Group area, enter the name of an AD group whose users require access to BusinessObjects Enterprise, and then click Add.Repeat this procedure to add additional AD groups. If you want to add individual users, rather than a group, see “Managing Users” in the BusinessObjects Enterprise Administrator’s Guide.



8. In the Authentication Options area, select Use Kerberos authentication.

Note: • If you want to configure single sign-on, select Enable Single Sign

On for selected authentication mode.• If you want to configure single sign-on to a database, select the

Cache Security context (required for SSO to database) check box.

9. In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account you created in the section “Creating an SPN for your CMS on a Windows 2000 domain” on page 293 or “Creating an SPN for your CMS on a Windows 2003 domain” on page 294.Use the following format, where svcacct is the name of your service account or SPN, and DNS.COM is your fully qualified domain in uppercase.For example, the Service Account would be [email protected] and the SPN would be BOBJCentralMS/[email protected]



Note: • If you plan to enable Single Sign-On to Java InfoView with users from

multiple domains, you must enter the SPN in this field.• The service account is case sensitive. The case of the account you

enter here must match with what is set up in your Active Directory Domain.

• If your UPN and SAM name are not identical, enter the UPN name.• This must be the same account that you use to run the

BusinessObjects Enterprise servers or the SPN that maps to this account. See “Setting up a service account” on page 292.

• When manually logging on to Java InfoView, users from other domains must log on with their AD account in UPN format. This is what is displayed in the logon name field in the AD Users and Computers snap-in.For example: [email protected]

10. Select how aliases are mapped to Enterprise accounts.You have these choices: • Assign each added AD alias to an account with the same name• Create a new account for every added AD alias.


You have these choices: • New aliases will be added and new users will be created• No new aliases will be added and new users will not be created.

Note: If you choose the first option, the users and aliases will be created in BusinessObjects Enterprise when you click Update; If you choose the second option, the users and aliases will be created in BusinessObjects Enterprise when the user first signs on. For further details on these options, see “Update options” on page 197.

12. Select what type of users are created.You have these choices:• New users are created as named users • New users are created as concurrent usersNote: For further details on these options, see “User type options” on page 196.

13. Click Update.


Configuring Kerberos for your Java application server
The specific process of configuring Kerberos for a Java application server varies slightly depending on which Java application server is used. However, the general process of configuring Kerberos on your application server involves these steps:• Creating the Kerberos configuration file.• Creating the JAAS login configuration file.• Modifying the Java Options.• Restarting you Java application server.Note: • SAP Web Application Server and Java AD with Kerberos is not

supported.• The default Active Directory domain must be in uppercase DNS format.• You are no longer required to download and install MIT Kerberos for

Windows. You also no longer require a keytab for your service account.

Creating the Kerberos configuration file for Tomcat, WebLogic or Oracle Application Server

Follow these steps to create the Kerberos configuration file if you’re using Tomcat, Oracle Application Server or WebLogic.

To configure Kerberos for Java AD1. Create the file krb5.ini, if it does not exist, and store it under the

following platform dependant location:

Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See “Modifying your Java options for Kerberos on Tomcat” on page 307 for procedural details.

Platform Location

Windows c:\WINNT



2. Add the following required information in the Kerberos configuration file:[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true[realms]DNS.COM = { default_domain = DNS.COM

kdc = hostname.DNS.COM}

Note: • DNS.COM is the DNS name of your domain which must be entered in

FQDN format and entered in uppercase.• kdc is the Host name of the Domain Controller.• You can add multiple domain entries to the [realms] section if your

users log in from multiple domains. To see a sample of this file with multiple domain entries, see “Sample single domain Krb5.ini file” on page 305 or “Sample multiple domain Krb5.ini file” on page 304. For further information see http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html.

• In a multiple domain configuration, under [libdefaults] the default_realm value may be any of the desired domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts.


Creating the Kerberos configuration file for WebSphere
To configure Kerberos for WebSphere1. Create the file krb5.ini, if it does not exist, and store it under the

following platform dependant location:

Note: You can store this file in a different location, however if you do, you will need to specify its location in your java options. See “Modifying the Java options for Kerberos on WebSphere” on page 308 for procedural details.

2. Add the following required information in the Kerberos configuration file:[libdefaults] default_realm = DNS.COM dns_lookup_kdc = true dns_lookup_realm = true

default_tkt_enctypes = des-cbc-crcdefault_tgs_enctypes = des-cbc-crc

[realms]DNS.COM = { default_domain = DNS.COM

kdc = hostname.DNS.COM}

Note: • DNS.COM is the DNS name of your domain. This must be entered in

uppercase in FQDN format.• These lines are required for the default encryption types for

WebSphere, and are different than the encryption types for WebLogic, Oracle Application Server and Tomcat:default_tkt_enctypes = des-cbc-crcdefault_tgs_enctypes = des-cbc-crc

• For samples of this file see “Sample single domain Krb5.ini file” on page 305 and “Sample multiple domain Krb5.ini file” on page 304.

3. Save and close the file.

Sample multiple domain Krb5.ini fileFollowing is a sample file with multiple domains.[domain_realm] .domain03.com = DOMAIN03.COM domain03.com = DOMAIN03.com

Platform Location

Windows c:\WINNT



.child1.domain03.com = CHILD1.DOMAIN03.COM child1.domain03.com = CHILD1.DOMAIN03.com .child2.domain03.com = CHILD2.DOMAIN03.COM child2.domain03.com = CHILD2.DOMAIN03.com .domain04.com = DOMAIN04.COM domain04.com = DOMAIN04.com [libdefaults] default_realm = DOMAIN03.COM dns_lookup_kdc = true dns_lookup_realm = true [logging]

[realms]DOMAIN03.COM = { admin_server = testvmw2k07 kdc = testvmw2k07 default_domain = domain03.com}CHILD1.DOMAIN03.COM = { admin_server = testvmw2k08 kdc = testvmw2k08 default_domain = child1.domain03.com}CHILD2.DOMAIN03.COM = { admin_server = testvmw2k09 kdc = testvmw2k09 default_domain = child2.domain03.com}DOMAIN04.COM = { admin_server = testvmw2k011 kdc = testvmw2k011 default_domain = domain04.com}

Sample single domain Krb5.ini fileFollowing is a sample krb5.ini file with a single domain.[libdefaults]

default_realm = ABCD.MFROOT.ORGdns_lookup_kdc = truedns_lookup_realm = true

[realms]ABCD.MFROOT.ORG = {

kdc = ABCDIR20.ABCD.MFROOT.ORGkdc = ABCDIR21.ABCD.MFROOT.ORGkdc = ABCDIR22.ABCD.MFROOT.ORGkdc = ABCDIR23.ABCD.MFROOT.ORGdefault_domain = ABCD.MFROOT.ORG

}

Creating the JAAS login configuration file for Tomcat or WebLogic To create the JAAS login configuration file for Tomcat or WebLogic

1. Create a file called bscLogin.conf if it does not exist.



Store it in this location:C:\WINNT

This is the default location for the bscLogin.conf file. You can specify a different location for this file, but if you do, you must also specify in this location in your java arguments. See “Modifying the Java options for Kerberos on WebLogic” on page 307 for details.

2. Add the following code to your JAAS bscLogin.conf configuration file:com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required;};

Note: For more information on how to configure JAAS authentication, see the following:http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/

LoginConfigFile.html3. Save and close the file.

Creating the JAAS login configuration file for Oracle Application Server To create the JAAS login configuration file for Oracle

1. Locate the jazn-data.xml file.Note: This default location for this file is C:\OraHome_1\j2ee\home\config. If you installed Oracle Application Server in a different location, find the file specific to your installation.

2. Add the following content to the file between the <jazn-loginconfig> tags:<application><name>com.businessobjects.security.jgss.initiate</name><login-modules><login-module><class>com.sun.security.auth.module.Krb5LoginModule</

class><control-flag>required</control-flag></login-module></login-modules></application>

3. Save and close the file.

Creating the JAAS login configuration file for WebSphere To create the JAAS login configuration file for WebSphere

1. Create a file called bscLogin.conf if it does not exist.2. Store it in this location:



C:\WINNT

3. Add the following code to your JAAS bscLogin.conf configuration file:com.businessobjects.security.jgss.initiate {com.ibm.security.auth.module.Krb5LoginModule

required;};

Note: For more information on how to configure JAAS authentication, see the following:http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/

LoginConfigFile.html4. Save and close the file.

Modifying your Java options for Kerberos on TomcatThere are two ways you can modify your java options as required for Kerberos, either in the java.security file or on the Java tab for Tomcat.

To change the options in the java. security file1. In the following file, JAVA_HOME\jre\lib\security\java.security, add a line

which specifies the location of the file bscLogin.conf:# Default login configuration file##login.config.url.1=file:${user.home}/.java.login.configlogin.config.url.1=file:C:/winnt/bscLogin.conf

2. Restart Tomcat.

To modify the Java options from the Java tab for Tomcat1. From the Start menu, select Programs >Tomcat > Tomcat

Configuration.2. Click the Java tab.3. Add the following options:

-Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.ini

Replace XXX with the location you stored the file.4. Close the Tomcat configuration file.5. Restart Tomcat.

Modifying the Java options for Kerberos on WebLogicIf you are using Kerberos with WebLogic, your Java options need to be modified to specify the location of the Kerberos configuration file and the kerberos login module.



To modify the Java options from the Java tab for WebLogic1. Stop the domain of WebLogic that runs your BusinessObjects Enterprise

applications.2. Open the script that starts the domain of WebLogic that runs your

BusinessObjects Enterprise applications.

3. Add the following information to the Java_Options section of the file:set JAVA_OPTIONS=-Djava.security.auth.login.config=C:/

XXX/bscLogin.conf -Djava.security.krb5.conf=C:/XXX/krb5.ini

Replace XXX with the location you stored the file. 4. Restart the domain of WebLogic that runs your BusinessObjects

Enterprise applications.

Modifying the Java options for Kerberos on Oracle Application ServerIf you are using Kerberos with Oracle Application Server, the Java options need to be modified to specify the location of the kerberos configuration file.

To modify the Java options for Oracle Application Server1. Logon to the administration console of your Oracle Application Server.2. Click on the name of the OC4J instance that runs your BusinessObjects

Enterprise applications. 3. Select Server Properties. 4. Scroll down to the Multiple VM Configuration section. 5. In the Command Line Options section, append the following at the end

of the Java Options text field:-Djava.security.krb5.conf=C:/XXX/krb5.iniReplace XXX with the location you stored the file.

6. Restart your OC4J instance.

Modifying the Java options for Kerberos on WebSphere To modify Java options for Kerberos on WebSphere

1. Log into the administrative console for WebSphere.• For IBM WebSphere 5.1, type this:

Operating System Script name

Windows startWeblogic.cmdUnix startWebLogic.sh



http://servername:9090/admin.

• For IBM WebSphere 6.0, type this:http://servername:9060/ibm/console

2. Expand Server, a click on Application Servers and then servername.Note: Replace servername with the name of the application server you created to use with BusinessObjects Enterprise.

3. Go to the JVM page.• If you are using WebSphere 5.1, follow these steps to get to the JVM

page.a. On the server page, scroll down until you see Process

Definition in the Additional Properties column.b. Click on Process Definition.c. Scroll down and click on Java Virtual Machine.

• If you are using WebSphere 6.0, follow these steps to get to the JVM page.a. On the server page, select Java and Process Management.b. Select Process Definition.c. Select Java Virtual Machine.

4. Click Generic JVM arguments then type the location of your Krb5.ini and the location of your bscLogin.conf file.-Djava.security.auth.login.config=C:\XXX\bscLogin.conf -Djava.security.krb5.conf=C:\XXX\krb5.iniReplace XXX with the location you stored the file.

5. Click Apply, and then click Save.6. Stop the server.7. Restart the server.

Troubleshooting Kerberos These steps may help you if you encounter problems when configuring kerberos:• Enabling logging• Testing your Java SDK Kerberos configuration


Enabling logging
To enable logging1. From the Start menu, select Programs >Tomcat > Tomcat

Configuration.2. Click the Java tab.3. Add the following options:

-Dcrystal.enterprise.trace.configuration=verbose

This will create a log file in the following location:C:\Documents and Settings\<user

name>\.businessobjects\jce_verbose.log

Testing your Java Kerberos configuration To test your Java Kerberos configuration

• Run the following command to test your Kerberos configuration, where servact is the service account and domain under which the CMS is running, and password is the password associated with the service account.C:\Program Files\Business

Objects\j2sdk1.4.2_04\bin\kinit.exe" [email protected] Password

If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.

Mapped AD user unable to log on to CMC or InfoViewThe following two issues may occur, despite the fact that the users have been mapped to BusinessObjects Enterprise:• “Logon failure due to different AD UPN and SAM names” on page 310• “Pre-authentication error” on page 311

Logon failure due to different AD UPN and SAM namesA user’s Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:• DOMAIN\ABC123



This problem, which happens with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same, either in case or otherwise. Following are two examples which may cause a problem:• The UPN is [email protected] but the SAM name is

DOMAIN\ABC123.• The UPN is jsmith@company but the SAM name is DOMAIN\johnsmitThere are two ways to address this problem:• Have users log in using UPN rather than SAM name. • Ensure the SAM account name and the UPN name are the same.

Pre-authentication errorA user who has previously been able to log on, can no longer log on successfully. The user will receive this error: Account Information Not Recognized. The Tomcat error logs reveal the following error:Pre-authentication information was invalid (24)”This can occur because the Kerberos user database didn’t get a change made to UPN in AD. This may mean that the Kerberos user database and the AD information are out of sync.To resolve this problem, reset the user’s password in AD. This will ensure the changes are propagated correctly.Note: This problem is not an issue with J2SE 5.0.

Configuring Kerberos and single sign-on to the database for Java application servers

Single sign-on to the database is supported for deployments that meet all these requirements:• The deployment of BusinessObjects Enterprise is on a Java web

application server.• The Java web application server has been configured with AD with

Kerberos. • The database to which single sign-on is required is a supported version

of SQL Server.• The groups or users that need access to the database must have been

granted permissions within SQL Server.The final step is to modify the krb5.ini file to support single sign-on to the database for Java.



Note: • These instructions explain how to configure single sign-on to the

database for Java application servers. If you want to configure end-to-end single sign-on to the database for Java application servers, you must also configuration required for Vintela single sign-on for Java. For details, see “Restart your web application server.” on page 312.

• If you want to configure single sign-on to a database, ensure that you have set the cache security context. For detailed instructions, go to “Kerberos authentication in the Windows AD plug-in” on page 297.

To enable single sign-on to the database for Java application servers1. Open the krb5.ini file that is being used for your deployment of

BusinessObjects Enterprise.The default location for this file is the WINNT directory on your web application server. Tip: If you cannot find the file in the WINNT directory, check this Java argument for the location of the file:-Djava.security.auth.login.config

This variable is specified when AD with Kerberos is configured on your Java web application server.

2. Go to the [libdefaults] section of the file.3. Enter this string prior to the start of the [realms] section of the file:

forwardable = true


Configuring Kerberos and single sign-on for Java InfoView

The following procedure explains how to enable Kerberos single sign-on for Java InfoView. Vintela single sign-on for Java is installed as part of Service Pack 2 of BusinessObjects Enterprise XI Release 2.Note: If you plan to use single sign-on to Java InfoView in a reverse proxy environment, there are a couple of changes required in the following procedure. For details, see “Deploying AD and Kerberos single sign-on to java InfoView with a reverse proxy server” on page 207 before proceeding.



PrerequisitesBefore you configure single sign-on for Java InfoView, you must complete configuration prerequisites: these prerequisites are the steps from the “General workflow for configuring Kerberos” on page 290 and the steps that apply specifically to your type of Java application server.Also, ensure that single sign-on is enabled in the Authentication page of the CMC. For details, go to “Kerberos authentication in the Windows AD plug-in” on page 297.See these sections for the configuration steps that apply specifically to your Java application server:• “Workflow for configuring Tomcat for Kerberos” on page 291• “Workflow for configuring WebSphere for Kerberos” on page 291• “Workflow for configuring WebLogic for Kerberos” on page 291• “Workflow for configuring Oracle for Kerberos” on page 291Note: Single sign-on to Java InfoView is only supported when BusinessObjects Enterprise services are installed on a supported Windows platform. Supported application servers can be deployed on supported platforms other than Windows. For a complete list of supported platforms, see the Platforms.txt file included on your product CD.

Workflow for configuring Kerberos single sign-on to Java InfoViewTo configure Kerberos single sign-on for Java InfoView you must complete the six steps in this table.

Step 1 Create a service account.Detailed steps are included in the section “Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java.” on page 314

Step 2 Set an SPN for your web application serverDetailed steps are included in the section “Step 2: Creating an SPN for your web application server” on page 315

Step 3 Reset the service account passwordDetailed steps are included in the section “Step 3: Reset the service account password” on page 315



The following sections describe how to complete each of these steps.In addition to the steps you must complete, you may also want to change either of these configurable items available with Vintela single sign-on for Java:• The level of error logging recorded. • The text users receive if their authentication with Vintela single sign-on

for Java fails. For details, see these sections:• “Modifying the Vintela logon error page” on page 325• “Controlling logging with Vintela single sign-on for Java” on page 322The final section “Alternate url to access InfoView” on page 324, explains why there is an alternate page provided and lists the url for this page.

Step 1: Create a service account with delegation to be used for Vintela single sign-on for Java.

To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller.

1. To register the service: On the Domain Controller open the Active Directory Users and Computers snap in.

2. Click the Users folder to display a list of users and on the Action menu, click New and then click User.

3. Enter a name and logon name for the new service, and then click Next.4. On the next screen, enter a password for the service.

Ensure that the option called User must change password at next logon is not selected.

Step 4 Create and place a keytab fileDetailed steps are included in the section “Step 4: Create and place a keytab file” on page 316

Step 5 Edit the web.xml fileDetailed steps are included in the section “Step 5: Enabling Vintela single sign-on for Java in the web.xml file” on page 316

Step 6 Ensure the HTTP header size of your Java application server is sufficient.Detailed steps are included in the section “Step 6: Increasing the header size limit of your Java application server” on page 321



5. Click Next and then click Finish.6. Right-click the user you have entered in the User folder list, and then click

Properties to open the Properties dialog box.7. Click the Account tab and then select Account is trusted for delegation

and Password never expires. This prevents the service account from ever expiring, which would cause Kerberos errors.

8. Select Use DES encryption types for this account. This will allow you to configure the KerberosFilter using a keytab file.

9. Click OK.Note: In some Active Directory Users and Computers snap ins, the option called Account is trusted for delegation is not available until a mapped Service Principal Name has been created. If you do not see this option, complete the steps in the next section, then open the user account in the AD Users and Computers snap in and select the Delegation tab. You can enable it from here.

Step 2: Creating an SPN for your web application serverNote: Make sure that the SPN you are creating does not already exist and is mapped to another account. If so, you must remove this SPN with the setspn utility.

To create an SPN for your web application server1. Launch a command prompt and navigate to your Support Tools folder.2. Execute the following command:

ktpass -princ HTTP/host@REALM -mapuser userWhere:<host> is the fully-qualified domain name of the server where the Java Application Server is installed. (For example, server.example.com)<REALM> is the Active Directory realm in which the server is located. (For example, EXAMPLE.COM).<user> is the logon name of the user account you created above.

Step 3: Reset the service account passwordTo prevent Kerberos integrity-check failures, you should reset the password of the user account you created in step 1.



To reset the password1. On the Domain Controller with Active Directory installed, on the Start

menu click Programs > Administrative Tools > Active Directory Users and Computers.

2. Right-click the user account that you created previously and click Reset Password.

3. Enter and confirm the same password that you entered previously.4. Ensure that User must change password at next logon is not selected

an click OK.

Step 4: Create and place a keytab fileYou can configure the KerberosFilter to either use a password or a keytab file. A keytab file allows the KerberosFilter to be configured without exposing the password of the user account on the web application machine. A keytab file is the recommended method because it is more secure than an exposed password.

To create and place keytab file1. Run ktpass with the following arguments at command prompt:

ktpass -out keytab_filename -princ HTTP/host@REALM -pass user_password -kvno 255Where:keytab_filename is the name of the keytab file we want to generate. (Ex host.keytab)HTTP/host@REALM is the SPN used (for example, HTTP/[email protected])user_password is the password of the user used in the Map a Service Principle Name (SPN) section

2. Copy the generated keytab file onto the java application machine and place in your chosen location. Note: • The keytab is usually found in the same folder as your ktpass support

tool unless you specified a different location.• Typically the keytab is stored in C:/WINNT or C:/Windows.

Step 5: Enabling Vintela single sign-on for Java in the web.xml fileNote: If you are using WebLogic as your application server, read “WebLogic-specific instructions” on page 319 before proceeding.



To enable Vintela single sign-on in the web.xml file1. Open the web.xml file for InfoView from its deployed location on your web

application server.This is where the InfoView web.xml file is on Windows:<DeployedLocation>\businessobjects\enterprise115\desktoplaunch\WEB-INF• If you are using the version of Tomcat installed with BusinessObjects

Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps

• If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path.

2. Find the following parameters and make the appropriate changes:

3. Find the following section in the web.xml file:<!- - Uncomment the following filter and mapping to

enable the filter for Vintela SSO. Set idm.realm to the Active Directory realm where the server is in and idm.princ to the service principal name. - - >

4. Remove the comment start tag that immediately follows this comment as well as it’s corresponding end tag.

<param-name> Original <param-value> New <param-value>

cms.default your CMS name and port number

your CMS name and port number.

authentication.default

SecEnterprise SecWinAD

siteminder.enabled

true false

vintela.enabled false truesso.enabled false false



uld en lm

P/

r

to

5. In this section find the following parameters and make the appropriate changes.

6. Add the idm.keytab parameter. In the Vintela section of the web.xml file add the following lines.Note: Place it after the idm.princ parameter and values.<init-param>

<param-name>idm.keytab</param-name><param-value>PATH_TO_YOUR_KEYTAB_FILE</param-value>

</init-param>

Where Path_To_Your_Keytab_File is the directory path to the location of your keytab file. Ex.C:\WINNT\host.keytabNote: Only add the above parameter if you have chosen to use a keytab file. If you have chosen to use a password do not add this parameter.

7. Save and Close the file.8. Restart your web application server.Note: If you are using WebLogic, go to “Modifying the web.xml in the war package” on page 320.

<param-name>

Original <param-value> New <param-value>

idm.realm YOUR_REALM Default realm for AD. This shobe the same value you set whyou configured the default_reain your krb5.ini fileNote: Value must be in uppercase

idm.princ YOUR_PRINCIPAL The SPN you created. It must follow the format: HTTHostnameWhere Hostname is the fully qualified domain name of youmachine.

idm.allowNTLM false falseidm.allowUnsecured

true true, unless you are planning use SSL.



WebLogic-specific instructionsIf you are using WebLogic as your application server, you may not find the commented section in the Vintela xml properties that is mentioned in “Step 5: Enabling Vintela single sign-on for Java in the web.xml file” on page 316. This is because WebLogic Builder, which is used in preparing the war files for deployment, removes the commented portions of the web.xml file.Therefore, you must add the following xml to the web.xml file before proceeding with Step 5:<filter>

<filter-name>authFilter</filter-name>

filter class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>

<init-param>

<param-name>idm.realm</param-name>

<param-value>YOUR_REALM</param-value>

</init-param>

<init-param>

<param-name>idm.princ</param-name>

<param-value>YOUR_PRINCIPAL</param-value>

</init-param>

<init-param>

<param-name>idm.allowUnsecured</param-name>

<param-value>true</param-value>

</init-param>

<init-param>

<param-name>idm.allowNTLM</param-name>

<param-value>false</param-value>

</init-param>

<init-param>

<param-name>idm.logger.name</param-name>

<param-value>simple</param-value>

<description>

The unique name for this logger.

</description> </init-param>

<init-param>



<param-name>idm.logger.props</param-name> <param-value>error-log.properties</param-value>

<description>

Configures logging from the specified file.

</description>

</init-param>

<init-param>

<param-name>error.page</param-name>

<param-value>/InfoView/logon/vintelaError.jsp</param-value>

<description>

The URL of the page to show if an error occurs during authentication.

</description>

</init-param>

</filter>

<filter-mapping>

<filter-name>authFilter</filter-name>

<url-pattern>/InfoView/logon/logon.do</url-pattern>

</filter-mapping>

Return to “Step 5: Enabling Vintela single sign-on for Java in the web.xml file” on page 316 and complete the steps there.

Modifying the web.xml in the war packageNote: Every time you restart WebLogic the web.xml will be overwritten and you will lose the above section. In order to circumvent this issue it is suggested you modify the web.xml in the actual war package.

To modify the web.xml file in the war package1. Locate the desktop.war file.

On Windows, the file is located at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 11.5\java\applications

If you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\

2. Create a folder called WEB-INF and place the modified web.xml file in this folder.



Note: You must configure the web.xml file with the steps described in “Step 5: Enabling Vintela single sign-on for Java in the web.xml file” on page 316 first.

3. Open a command window.4. Change directories to the folder containing the deksktop.war5. Execute the following command:

<DeployedLocation>\j2sdk1.4.2_08\bin\jar –uf desktop.war WEB-INF/web.xml

If you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects

6. Go back to “Step 5: Enabling Vintela single sign-on for Java in the web.xml file” on page 316 and complete the tasks outlined there.

Step 6: Increasing the header size limit of your Java application serverActive Directory creates a Kerberos token which is used in the authentication process. This token is stored in the HTTP header. Your Java application server will have a default HTTP header size and you should ensure a minimum size of 16384 bytes to avoid failures.

To configure the HTTP header size with Tomcat1. On the server with Tomcat installed, open the server.xml file.

On Windows, this file is located at <TomcatDeployedLocation>/conf• If you are using the version of Tomcat installed with BusinessObjects

Enterprise on Windows, and you did not modify the default installation location, replace <TomcatDeployedLocation> with C:\ProgramFiles\Business Objects\Tomcat\


2. Find the corresponding <Connector …> tag for the port number you have configured.If you are using the default port of 8080, find the <Connector …> tag with port=”8080” in it.For example:<Connector URIEncoding="UTF-8" acceptCount="100"




3. Add the following value within the <Connector …> tag:maxHttpHeaderSize=”16384”For example:<Connector URIEncoding="UTF-8" acceptCount="100"

connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=”16384” minSpareThreads="25" port="8080" redirectPort="8443" />

4. Save and close the server.xml file.5. Restart Tomcat.Note: For other Java application servers, consult your java application server’s documentation.

Controlling logging with Vintela single sign-on for JavaVintela single sign-on for Java uses Apache log4j logging. The name of the log file and the level of logging recorded are controlled by these: • The settings related to Vintela logging in the web.xml for InfoView.• The setting in the log4j properties file.For more efficient problem determination, you may want to use the log files that are used to capture error or warning messages.



The table which follows summarizes what you can control about error logging with Vintela in the web.xml file for InfoView:

What to specify in your log4j properties fileIf you specify that you want to use a properties file in the <param-value> for idm.logger.props in the web.xml file for InfoView, you must also create the properties file you specified in the WEB-INF directory for InfoView. These are the basic requirements:• Defining which logger to use.• Defining what level of logging to perform in this properties file.

<param-name> Use of parameter

idm.logger.name The name of the log file is specified in the <param-value> for this parameter. This must be a unique name not in used by any other implementation of log4j logging on your web application.

idm.logger.props The <param-value> for this parameter can be set to three things: “ ” (blank), “BASIC” or “AnythingElse”.

• If the <param-value> for idm.logger.props is set to “ ” (blank), no logging will be performed.

• If the <param-value> for idm.logger.props is set to “BASIC”, basic errors will be logged and errors will be sent to the standard output.

• If the <param-value> for idm.logger.props is set to anything other than “ ” or “BASIC”, Vintela will look for a properties file that matches the value you set. Vintela will look for this properties file in the WEB-INF directory for InfoView. For example, if you specify BOE for your <param-value>, Vintela will look in the WEB-INF directory for Infoview for this file:BOE.properties

You must create the properties file if you specify that one is to be used. For details see “What to specify in your log4j properties file” on page 323.



For details on the syntax to use in the file and details on the of valid options of an Apache log4j properties file, see the following url:http://jakarta.apache.org/log4j/docs/api/index.html

To change the level of logging provided with Vintela single sign-on for Java1. Open the web.xml file for InfoView from its deployed location on your web

application server.This is where the InfoView web.xml file is on Windows:<DeployedLocation>\businessobjects\enterprise115\desktoplaunch\WEB-INF• If you are using the version of Tomcat installed with BusinessObjects

Enterprise on Windows, and you did not modify the default installation location, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps


2. If you want to have the output from error logging written to a file, find this string:<param-name>idm.logger.name</param-name>

3. In the <param-value> for idm.logger.name, enter the name for your log file.

4. If you want to use a properties file to define the logger used and level of logging recorded, find this string:<param-name>idm.logger.props</param-name>

5. In the <param-value> for idm.logger.props, enter the name for your properties file.Note: If you set this value to anything other than “ ” or “BASIC”, you must also define the logger used and define level of logging in the properties file you specify. For details, on the logging parameters available, see the table in the section “Controlling logging with Vintela single sign-on for Java” on page 322

6. Save and close your file.

Alternate url to access InfoViewA second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled.



• This is the default url used to access InfoView:http://HostName:portnumber/businessobjects/

enterprise115/desktoplaunch/InfoView/logon/logon.do

• This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:http://HostName:portnumber/businessobjects/

enterprise115/desktoplaunch/InfoView/logon/logonForm.do

Modifying the Vintela logon error pageWhen authentication using Vintela single-sign-on for Java fails, Internet Explorer will attempt NTLM authentication. This will happen each time another logon attempt is made until the browser session ends, even if the underlying cause of failure has been resolved. To reduce the number of support calls received by an administrator, an error page will be displayed for the user.This error page informs users of this behavior and instructs them to close their browser so that the next attempt can be successful, provided the underlying cause of the problem has been resolved.

To customize the text displayed on the Vintela error page1. Open the file vintelaError.jsp file found in this location:

<DeployedLocation>\businessobjects\enterprise115\desktoplaunch\InfoView\logon\If you installed Tomcat with your installation, and did not modify the default location, you can replace DeployedLocation with this:C:\Program Files\Business Objects\Tomcat\webapps

If you modified the default location for Tomcat, or used another supported Java application server, substitute the path applicable for deployment.

2. Change the text of the message as required.3. Save and close the file.4. Restart your web application server.A second url is available to access InfoView. This url is provided for the administrator or a user to access InfoView, without single sign-on, after single sign-on has been enabled. • This is the default url used to access InfoView:

http://HostName:portnumber/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do



• This is the url you should use if you want to access InfoView without single sign-on, after single sign-on has been enabled:http://HostName:portnumber/businessobjects/

enterprise115/desktoplaunch/InfoView/logon/logonform.do

Configuring Internet Explorer browsersIn order to support Kerberos single sign-on, you must configure BusinessObjects Enterprise clients. This includes:• “Configuring IIS for database single sign-on” on page 281.• Configuring the Internet Explorer (IE) browser on the client machines.

Note: You can automate this through a registry key or use the following steps.

Configuring the IE browser on the client machines1. On the client machine open and IE browser window.2. Enable integrated Windows authentication

1. On the Tools menu click Internet Options.2. Click the Advanced tab.3. Scroll to Security, select Enable Integrated Windows

Authentication, and then click Apply.3. Add IIS to the trusted sites. You can enter the full domain name of the

site.1. On the Tools menu click Internet Options.2. Click the Security tab.3. Click Sites and then click Advanced.4. Type the web site for IIS and click Add.5. Click Ok until the Internet Options dialog box closes.

4. Close and reopen the IE browser window for these changes to take effect.

5. Repeat all of these steps on each BusinessObjects Enterprise client machine.


33

Trusted Authentication

chapter

Trusted AuthenticationEnabling Trusted Authentication14
Enabling Trusted Authentication
Users prefer to log on to the system once, without needing to provide passwords several times during a session. Trusted Authentication provides a Java single sign-on solution for integrating your BusinessObjects Enterprise authentication solution with third-party authentication solutions. Applications that have established trust with the Central Management Server can use Trusted Authentication to allow users to log on without providing their passwords. To enable Trusted Authentication, you must configure both the server, through the CMC, and the client, in the web.xml file.• “Configuring the server for Trusted Authentication” on page 328• “Configuring Trusted Authentication for the client” on page 329If you are using Business Process BI Web Service, you also must configure the BusinessProcessBI.properties file. See “Configuring Trusted Authentication for Business Process BI” on page 334 for details.Note: Before you are able to use Trusted Authentication, you must have either created Enterprise users or mapped the third-party users you will be using to sign on to BusinessObjects Enterprise.

Configuring the server for Trusted Authentication To configure the server to use Trusted Authentication

1. Log on to the Central Management Console with administrative rights.2. Go to the Authentication management area of the CMC.3. Click the Enterprise tab.4. Scroll down until you see Trusted Authentication.5. Click Trusted Authentication is enabled.6. Enter a string in the Shared Secret field.

Note: The shared secret is used by the client and the CMS to establish trust. You must also configure the client after you finish the Trusted Authentication configuration for the server. See “Configuring Trusted Authentication for the client” on page 329 for details.

7. Specify a timeout value for your trusted authentication requests.Note: The timeout value is the maximum amount of time, in milliseconds, that the clock on the client and clock and the CMS can differ. If you enter 0, the amount of time the two clock times can differ is unlimited. It is not recommended you set this value to 0 as this may increase your vulnerability to replay attacks.


Trusted AuthenticationEnabling Trusted Authentication 14

8. Click Update.

Configuring Trusted Authentication for the client To configure Trusted Authentication for the client

1. Open the web.xml file for InfoView from its deployed location on your web application server.On Windows, this is the deployed location:<DeployedLocation>\businessobjects\enterprise115\desktop

launch\WEB-INF






2. Find this string in the file:<param-name>cms.default</param-name>

3. Enter the CMS name and port number in the cms.default <param-value> field.Use the format servername:portnumber

4. Find this string in the file:<param-name>sso.enabled</param-name>


6. Find this string in the file:<param-name>siteminder.enabled</param-name>



7. Change the <param-value> for siteminder.enabled from true to false.<param-value>false</param-value>

8. Find this string in the file:<param-name>trusted.auth.user.retrieval</param-name>

9. Specify the way in which you want to use to retrieve the user name.



Enter the <param-value> from the table that corresponds with the user retrieval method you want to use.

<param-value> How the User name will be retrieved

REMOTE_USER The user name will be retrieved from a call to getRemoteUser() on the HttpServletRequest object for the current request in a servlet or JSP.

HTTP_HEADER The user name is retrieved from the contents of a specified HTTP header.Note: You must define which http header you want to use retrieve the user name. You define the http header to use is defined in the trusted.auth.user.param in the web.xml file for InfoView.

QUERY_STRING The user name is retrieved from the contents of contents of a specified parameter of the request URL.Note: You must define which query string parameter you want to use to retrieve the user name. You define query string parameter to use in the trusted.auth.user.param in the web.xml file for InfoView.

COOKIE The user name is retrieved from the contents of contents of a specified cookie.Note: You must define which cookie you want to use to retrieve the user name. You define the cookie to use in the trusted.auth.user.param in the web.xml file for InfoView.



Note: • There are various mechanisms that populate the user name.

Configure or set up your web application server so that your user names are exposed before you use these user retrieval name methods. See http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html for further information.

• Some web application servers require that you have the environment variable REMOTE_USER set to true on your web application server. See the documentation specific to your web application server for details on whether this is required. If it is required, ensure the environment variable is set to true if you are using this method of user name retrieval.

10. If you selected HTTP header, URL query string, cookie or web session, find this string:<param-name>trusted.auth.user.param</param-name>

Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER.

11. Enter the variable name to use to retrieve the user name in the <param-value> for trusted.auth.user.param.• If you are using the HTTP header as your method of retrieving the

user name, enter the name for the HTTP header variable.• If you are using a URL query string parameter as your method of

retrieving the user name, enter the name for the parameter.• If you are using a cookie as your method of retrieving the user name,

enter the name for the cookie.

WEB_SESSION The user name is retrieved from the contents of a specified session variable.Note: You must define which web session variable want to use to retrieve the user name. You define the web session variable to use in the trusted.auth.user.param in the web.xml file for InfoView.

USER_PRINCIPAL The user name is retrieved from a call to getUserPrincipal().getName() on the HttpServletRequest object for the current request in a servlet or JSP.

<param-value> How the User name will be retrieved



• If you are using a web session variable as your method of retrieving the user name, enter the name for the web session variable.

Note: This step is not required if your retrieval method is USER_PRINCIPAL or REMOTE_USER.

12. Decide how you want to retrieve the shared secret.• To retrieve the shared secret from a file.

a. Create a file called TrustedPrincipal.conf.b. Store the file in the platform specific directory of Business

Objects. This table specified the location where the TrustedPrincipal.conf file should be stored, based on your platform.

c. Define the string you want to use for the shared secret. Enter the following in the file, where String is the shared secret string you want to use.SharedSecret=String

Platform Location of TrustedPrincipal.conf

Windows, default installation

C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterprise

Windows, modified default install directory

<INSTALLDIR>/BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterpriseNote: Replace INSTALLDIR with your installation directory.

AIX <INSTALLDIR>/bobje/enterprise115/aix_rs6000/plugins/auth/secEnterprise

Solaris <INSTALLDIR>/bobje/enterprise115/solaris_sparc/plugins/auth/secEnterprise

HP_UX <INSTALLDIR>/bobje/enterprise115/hpux_pa-risc/plugins/auth/secEnterprise

Linux <INSTALLDIR>/bobje/enterprise115/linux_x86/plugins/auth/secEnterprise



d. Save and close this file.• To retrieve the shared secret from a session variable.

a. Find this string in the web.xml file:<param-name>trusted.auth.shared.secret</param-

name>

b. Enter the session variable name from which to retrieve the shared secret in the </param-value> for trusted.auth.shared.secret.

Note: Business Process BI Web Services does not support retrieving the shared secret from a session variable.


Configuring Trusted Authentication for Business Process BI

If you are using Business Process BI and you are using Trusted Authentication, you must configure the BusinessProcessBI.properties file in addition to configuring the CMC and the web.xml.

To configure Trusted Authentication for Business Process BI1. Open the BusinessProcessBI.properties file from the following location

on your web application server:<DeployedLocation>businessobjects\enterprise115\Business

ProcessBI\WEB-INF\classes

Note: If you are using the version of Tomcat installed with BusinessObjects Enterprise, replace <DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps\. If you are using any other supported web application server, consult the documentation for your web application server to determine the appropriate path to substitute.

2. Find this line:bisecurity.trustedAuthentication.enabled = false

3. Change the value false to true.4. Save and close the file.5. Restart your web application server.



Configuring Trusted Authentication on a separate web application server

Follow these steps if you plan to use Trusted Authentication and you want deploy Business Process BI Services on a different web application server without the BusinessObjects Enterprise components. This step is required because, although there are no BusinessObjects Enterprise components installed on you web application server, the default behavior is to look in specific folder for the TrustedPrincipal.conf file.

To configure Trusted Authentication when Business Process BI Services on a different web application server 1. Copy the BusinessProcessBI.war file from the machine where it was

installed to the machine where you want it deployed.2. Create the directory structure applicable to the platform of your

deployment.These are the choices:• <INSTALLDIR>\BusinessObjects Enterprise

11.5\win32_x86\plugins\auth\secEnterprise• <INSTALLDIR>/bobje/enterprise115/solaris_sparc/

plugins/auth/secEnterprise• <INSTALLDIR>/bobje/enterprise115/aix_rs6000/plugins/

auth/secEnterprise• <INSTALLDIR>/bobje/enterprise115/linux_x86/plugins/

auth/secEnterprise

• <INSTALLDIR>/bobje/enterprise115/hpux_pa_risc/plugins/auth/secEnterprise

Note: INSTALLDIR can be any location you want.3. Place your configured TrustedPrincipal.conf in the folder you just created.4. Specify the location of INSTALLDIR in this java argument:

-Dbobj.enterprise.home=<INSTALLDIR>

5. Deploy the war file.Note: If GetDocumentURL methods are used, InfoView must also be deployed, but not necessarily on the same web application servers. See the Business Process BI Services Guide for more information.




Improving Performance

chapter

Improving PerformanceImproving performance15
Improving performance
It is good practice to regularly assess the performance of your system and make changes to account for future growth and potential problem areas.First, you need to assess the current performance of your system. You can assess your system’s performance by talking to your users and delegated administrators, and by studying your system metrics. When you have an idea of potential problem areas, you can compare your system’s performance to expected service thresholds. After you identify performance issues, you can take steps to account for them by scaling your system or adjusting your configuration settings. • “Assessing your system’s performance” on page 338• “Resolving performance issues” on page 348Note: This section is for improving the performance of an existing deployment. For information about If you haven’t deployed your system yet, see “Planning Your Deployment” on page 57.

Assessing your system’s performanceBefore you change your settings to enhance performance, you need to determine how well your system is currently performing. BusinessObjects Enterprise provides server metrics that allow you to monitor and assess your current processing problem areas.To effectively assess your system’s performance, you need to:• Assess user needs.

Get qualitative feedback from your users. See “Assessing user needs” on page 339.

• Analyze server metrics.Check the server and system logs. For detailed instructions, see “Analyzing server metrics” on page 339.

• Evaluate the performance of each server component. Compare the current system usage to recommended service thresholds. Determine the required number of processors, services, and machines. For more information, see “Evaluating your system’s performance” on page 346.


Improving PerformanceAssessing your system’s performance 15

Assessing user needsTalk to your users and delegated administrators. They can help you determine which areas of your system are currently experiencing performance issues, if any. They can also let you know where to anticipate higher system traffic in the future. And there may be areas of the system that are not being used at all. For example, if your organization is hiring new people in the finance department, the usage of financial reports will probably increase. If the financial reports are Web Intelligence documents, you may need to add a Web Intelligence Report Server to handle the extra processing. Or if you’re planning to switch from Web Intelligence documents to Crystal reports, you may not need a Web Intelligence Report Server at all. It is good practice to conduct a company-wide survey concerning BusinessObjects Enterprise usage in order to capture all of the current problems and future changes. Ask your users about current performance concerns, their average daily usage, and their anticipated future usage:• What types of tasks are they performing and how often? • Have they noticed slow performance when performing particular tasks?• What types of objects do they use most often? • Have they noticed slow performance when using particular types of

objects? • Do they anticipate increasing or decreasing their use of the system in the

near future? • Are they hiring new people? • Do they plan to use BusinessObjects Enterprise to perform more tasks in

the future?It is good practice to regularly re-assess your organization’s needs. Follow the steps you used when planning your deployment. For detailed instructions, see “Assessing your organization’s needs” on page 58.When you have a sense of the organization’s performance issues, you can verify them by viewing the current system metrics.

Analyzing server metricsAfter you assess user needs, you can verify your users’ current performance concerns by monitoring system activity. Server metrics may also reveal other areas where high server traffic may be an issue.


Improving PerformanceAssessing your system’s performance15

The CMC allows you to view server metrics over the Web. These metrics include general information about each machine, along with details that are specific to the type of server. The CMC also allows you to view system metrics, which include information about your product version, your CMS, and your current system activity.Tip: For an example of how to use server metrics in your own web applications, see the “View Server Summary” sample on the BusinessObjects Enterprise Admin Launchpad.

Viewing current server metricsThe Servers management area of the CMC displays server metrics that provide statistics and information about each BusinessObjects Enterprise server. The general information displayed for each server includes information about the machine that the server is running on—its name, operating system, total hard disk space, free hard disk space, total RAM, number of CPUs, and local time. The general information also includes the time the server started and the version number of the server.

To view server metrics1. Go to the Servers management area of the CMC.2. Click the link to the server whose metrics you want to view.3. Click the Metrics tab.The Metrics tabs for the following servers include additional, server-specific information:

Input and Output File Repository ServersFor each File Repository Server, the Metrics tab provides the following metrics:• the number of bytes sent and received• the number of active files and active client connections• the total available hard disk spaceThe Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the root directory of the files that the server maintains• the maximum idle timeEach File Repository Server also has an Active Files tab, which lists the file name, the number of readers, and the number of writers for each active file.

Cache ServerFor each Cache Server, the Metrics tab provides the following metrics:



• the total threads running• the number of bytes transferred• the number of current connections• the current cache size• the number of requests served• the cache hit rate• the number of requests that are queuedThe Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the maximum number of simultaneous processing threads• the number of minutes before an idle job is closed• whether or not the database is accessed whenever a viewer’s file (object)

is refreshed• the location of the cache files• the maximum cache size• the number of minutes between refreshes from the databaseThe Metrics tab also provides a table that lists the Page Servers that the Cache Server has connections to, along with the number of connections made to each Page Server.

Central Management ServerFor the CMS, the Metrics tab lists only the general information about the machine it is running on. The Properties tab, however, shows a list of users who have active sessions on the system. Click any user’s link to view the associated account details.

Connection ServerFor the Connection Server, the Metrics tab lists the current settings, which you can change on the Properties tab:• HTTP and CORBA protocol settings• trace settings• connection pooling• the timeout duration for inactive jobs

Job ServersThe Metrics tabs of these servers lists the following metrics:• the location of its temporary files • the processing mode• the current number of jobs that are being processed



• the total number of requests received• the total number of failed job creationsNote: This applies to all types of Job Servers, including Crystal Reports Job Servers, Program Job Servers, Destination Job Servers, List of Values Job Servers, Desktop Intelligence Job Servers, and Web Intelligence Job Servers.

Desktop Intelligence Cache ServerFor each Desktop Intelligence Cache Server, the Metrics tab provides the following metrics:• the current cache size• the number of bytes transferred• the number of current connections• the number of requests served• the cache hit rate• the number of requests that are queuedThe Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the location of the cache files• whether or not report jobs are shared• the number of minutes before an idle job is closed• whether or not the database is accessed whenever a viewer’s file (object)

is refreshed• the number of documents to keep in the cache when the cache is full• the maximum cache size• whether or not to share report data between clients• the number of minutes between refreshes from the databaseThe Metrics tab also provides a table that lists the processing servers that the Desktop Intelligence Cache Server has connections to, along with the number of connections made to each server.Note: This server processes information only for Desktop Intelligence documents.

Desktop Intelligence Report serverFor the Desktop Intelligence Report Server, the Metrics tab provides the following metrics:• the number of current connections• the current number of open processing threads running• the total number of requests served



• the total bytes transferred• the number of requests queued• the maximum number of child processes• the number of failed requestsThe Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the location of temporary files• the number of minutes before an idle connection is closed• the maximum number of simultaneous report jobs• the maximum number of operations allowed before resetting a report job• whether a viewer refresh always hits the database• whether or not report jobs are shared• the number of minutes before an idle report job is closed• the number of preloaded report jobs• whether or not to share report data between clients• the oldest processed data given to a client• VBA settingsNote: This server processes information only for Desktop Intelligence documents.

Event ServerFor the Event Server, the Metrics tab displays statistics for each file that the server is monitoring, including the file name and the last time the event occurred.

Crystal Reports Page ServerFor the Page Server, the Metrics tab provides the following metrics:• the number of current connections• the number of requests queued• the current number of processing threads running• the total number of requests served• the number of failed requests• the total bytes transferredThe Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the maximum number of simultaneous report jobs• the number of minutes before an idle connection is closed



• the maximum number of database records shown when previewing or refreshing a report

• whether a viewer refresh always hits the database• the setting for the Report Job Database Connection• the location of temporary files• the maximum number of subprocesses• the minutes before a report job is closed• the oldest processed data given to a clientNote: This server processes information only for Crystal Reports objects.Report Application ServerThe Metrics tab of the Report Application Server (RAS) shows the number of reports that are open, and the number of reports that have been opened. It also shows the number of open connections, along with the number of open connections that have been created.

Web Intelligence Report ServerFor the Web Intelligence Report Server, the Metrics tab provides the number of current requests and the total number of requests. The Metrics tab also displays the current values for the following settings, which can be changed on the Properties tab:• the maximum number of connections• the number of minutes before an idle connection is closed• whether or not to enable document caching• whether or not to enable real-time caching• the number of minutes allowed for document caching • the size of the document cache• whether or not to enable list of values caching• the batch size for lists of values• the maximum size allowable for custom sorting a list of values• the size of the universe cache• the percentage of documents to keep in the cache when the cache is full• the maximum number of minutes allowed for scanning the document

cache• the maximum number of downloaded documents to cache• the maximum size of binary and character filesNote: This server processes information only for Web Intelligence documents.



Viewing system metricsThe Settings management area of the CMC displays system metrics that provide general information about your BusinessObjects Enterprise installation. The Properties tab includes information about the product version and build. It also lists the data source, database name, and database user name of the CMS database. The Metrics tab lists current account activity, along with statistics about current and processed jobs. The Cluster tab lists the name of the CMS you are connected to, the name of the CMS cluster, and the names of other cluster members.

To view system metrics1. Go to the Settings management area of the CMC.2. View the contents of the Properties, Metrics, and Cluster tabs.

Related topics:• For more information about licenses and account activity, see the

Managing Licenses chapter of the BusinessObjects Enterprise Administrator’s Guide.

• For information about CMS clusters, see “Clustering Central Management Servers” on page 114.

Logging server activityBusinessObjects Enterprise allows you to log specific information about BusinessObjects Enterprise web activity. For details on locating and customizing the web activity logs, see “Configuring the Web Component Adapter” on page 108.• In addition, each of the BusinessObjects Enterprise servers is designed

to log messages to your operating system’s standard system log.• On Windows NT/2000, BusinessObjects Enterprise logs to the Event

Log service. You can view the results with the Event Viewer (in the Application Log).

• On UNIX, BusinessObjects Enterprise logs to the syslog daemon as a User application. Each server prepends its name and PID to any messages that it logs.



This example shows two messages logged to the syslog daemon on UNIX:

Each server also logs assert messages to the logging directory of your product installation. The programmatic information logged to these files is typically useful only to Business Objects support staff for advanced debugging purposes. The location of these log files depends upon your operating system:• On Windows, the default logging directory is C:\Program

Files\Business Objects\BusinessObjects Enterprise 11.5\Logging

• On UNIX, the default logging directory INSTALL_ROOT/bobje/logging directory of your installation.

The important point to note is that these log files are cleaned up automatically, so there will never be more than approximately 1 MB of logged data per server.

Evaluating your system’s performanceAfter you collect enough anecdotal and statistical information about your BusinessObjects Enterprise deployment, you can begin to isolate problem areas. Use the server metrics to verify the user feedback. Do the server metrics confirm your users’ performance concerns? If not, the performance issue may be caused by something besides your BusinessObjects Enterprise configuration, such as your network speed, the structure of the database, or the complexity of your report design. Then compare the current usage to the recommended service thresholds. By comparing these numbers, you can rate each server’s performance and create a list of minor, moderate, and major performance risks.

To evaluate your system’s performance1. Make a list of all server components in your deployment.



2. For each server component, compare the information you received from your users to the server metrics in the Central Management Console.Note: For information, see “Analyzing server metrics” on page 339.

3. Compare the server’s current traffic metrics to the recommended service thresholds. Pay particular attention to the number of simultaneous requests and user connections. For a list of the recommended service thresholds, see “Analyzing service thresholds” on page 64.For information about making resource calculations, see “Calculating the minimum resource requirements” on page 71.

4. Sort the server components into the following categories:Minor performance risk: A server component is considered a minor risk if a low percentage of your users report performance problems and the server metrics do not reflect the same problems.Moderate performance risk: A server component is considered a moderate risk if the server metrics show that the current usage is close to the limit of the recommended service thresholds. You may also want to flag a server component as a moderate risk if a high percentage of users report performance issues, or if you expect an increase in usage that will cause the current usage numbers to meet the service thresholds.Major performance risk: A server component is considered a major performance risk if the server metrics show that current usage significantly exceeds the minimum service thresholds. You may also want to flag a server component as a major risk if you expect a substantial increase in usage that will cause the usage numbers to exceed the service thresholds.

5. After you isolate the key problem areas and the severity of the performance issues, proceed to the next section: “Resolving performance issues” on page 348.


Improving PerformanceResolving performance issues15
Resolving performance issues
After you assess your system and determine the potential trouble areas, you can develop a strategy for resolving performance issues. The appropriate solution for each server depends on the level of performance risk and the type of server. Note: For more information about evaluating your system’s performance, see “Evaluating your system’s performance” on page 346.• For minor or moderate performance issues, users encounter occasional

performance issues or your system approaches the limits of the recommended service thresholds. You may be able to resolve these issues by fine-tuning your system configuration.For more information, see “Configuring the intelligence tier for enhanced performance” on page 351 and “Configuring the processing tier for enhanced performance” on page 354.

• For major performance issues, your server traffic significantly exceeds the recommended service thresholds. You should consider expanding the system by adding servers to account for the problem areas. For more information about scaling considerations, see “Scaling your system” on page 366. For installation instructions, see the BusinessObjects Enterprise Installation Guide.

For example, when you install a default deployment of Business Objects Enterprise, one Web Intelligence Report Server is installed by default. This deployment will easily meet your needs if you have under 20 concurrent active users accessing the Web Intelligence Report Server by working with xCelsius or Web Intelligence documents. If you have 20 to 30 users accessing the Web Intelligence Report Server, you may encounter some performance issues because you are reaching the limits of the recommended service threshold. To account for some of these problems, you can tweak the Web Intelligence Report Server settings. (For details, see “Modifying performance settings for the Web Intelligence Report Server” on page 357.) However, if your traffic is significantly higher than the service threshold (such as 50 concurrent active users using the Web Intelligence Report Server) then you need to scale your system to include more instances of the Web Intelligence Report Server service.The following table provides a quick reference for troubleshooting performance for each type of server component:


Improving PerformanceResolving performance issues 15

Server type Performance risk Solutions

CMS • Minor/moderate • Because the CMS manages the entire system, problems that appear to be CMS issues may be caused by the server components managed by the CMS. It is good practice to check the performance of all other services before adding new CMS services. For other information about advanced CMS configuration, see “Advanced server configuration options” on page 146.

• Major • Install additional CMS services. For information, see “Increasing overall system capacity” on page 367.

Event Server • Minor/moderate • Change how often the Event Server checks for file events. For more information, see “Modifying the polling time of the Event Server” on page 351.

• Major • It is unlikely that you will encounter major performance issues with the Event Server. However, it is good practice to install one Event Server for each CMS. For information about installing additional Event Servers, see “Scaling your system” on page 366.

Cache Server • Minor/moderate • You can resolve many issues by changing Cache Server properties such as the maximum cache size and the number of minutes between database refreshes. For more information, see “Modifying Cache Server performance settings” on page 352.

• Major • If your system exceeds 400 simultaneous requests, install an additional Cache Server. See “Scaling your system” on page 366.

Job Servers • Minor/moderate • If the number of simultaneous jobs does not exceed the recommended threshold of 20 jobs, check the Maximum Jobs Allowed setting. For more information, see “Modifying performance settings for job servers” on page 355.

• Major • If the Job Server is running more than 20 simultaneous jobs on average, install another Job Server service. See “Scaling your system” on page 366.



Desktop Intelligence Report Server

• Minor/moderate • If the number of concurrent active users does not exceed 25, try changing the settings. See “Modifying Desktop Intelligence Report Server performance settings” on page 356.

• Major • If the number of concurrent active users exceeds 25, install addition servers. See “Scaling your system” on page 366.


• Minor/moderate • If the number of concurrent active users does not exceed 25, try changing the settings. See “Modifying performance settings for the Web Intelligence Report Server” on page 357.

• Major • If the number of concurrent active users exceeds 25, install addition servers. See “Increasing Web Intelligence document processing capacity” on page 368.

Report Application Server

• Minor/moderate • If the problem seems to be related to database access, see “Modifying database settings for the RAS” on page 360. To adjust the Report Application Server’s settings for connection idle time and the maximum number of simultaneous threads, see “Modifying performance settings for the RAS” on page 362.

• Major • If your users run more than 200 simultaneous requests, install additional Report Application Servers. For more information, see “Increasing on-demand viewing capacity for Crystal reports” on page 369.

Page Server • Minor/moderate • You can change how a Page Server handles data and user connections by fine-tuning its settings. See “Modifying Page Server performance settings” on page 363.

• Major • If the Page Server is handling more than 400 simultaneous viewing sessions, install more Page Servers. For more information, see “Increasing on-demand viewing capacity for Crystal reports” on page 369.

Server type Performance risk Solutions



Configuring the intelligence tier for enhanced performance

This section provides instructions for configuring settings for components from the intelligence tier. You can adjust the settings to account for minor and moderate performance issues.Note: For more information about the intelligence tier, see “Intelligence tier” on page 37.Configuring the intelligence tier includes:• “Configuring the CMS” on page 351• “Modifying the polling time of the Event Server” on page 351• “Configuring the File Repository Servers” on page 352• “Modifying Cache Server performance settings” on page 352

Configuring the CMSBecause the CMS manages the entire system, problems that appear to be CMS issues are often caused by the server components managed by the CMS. It is good practice to check the performance of all other services before changing the CMS settings or adding and clustering new CMS services. For information about changing CMS settings, see “Configuring the application tier” on page 108. For information about configuring and clustering CMS servers, see “Clustering Central Management Servers” on page 114

Modifying the polling time of the Event ServerThe Properties tab of the Event Server allows you to change the frequency with which the Event Server checks for file events. This “File Polling Interval in Seconds” setting determines the number of seconds that the server waits between polls. The minimum value is 1 (one). It is important to note that, the lower the value, the more resources the server requires.Tip: On Windows, you can also change this setting in the CCM. Stop the Event Server and view its Properties. Then click the Configuration tab.

To modify the polling time1. Go to the Servers management area of the CMC.2. Click the link to the Event Server whose settings you want to change. 3. Make your changes on the Properties tab.

The value that you type must be 1 or greater.4. Click Update.



5. Return to the Servers management area of the CMC.

Configuring the File Repository ServersThe Properties tabs of the Input and Output File Repository Servers allow you to set the maximum idle time. For more information, see “Setting root directories and idle times of the File Repository Servers” on page 130.

Modifying Cache Server performance settingsThe Properties tab of the Cache Server allows you to set the location of the cache files, the maximum cache size, the maximum number of simultaneous processing threads, the number of minutes before an idle job is closed, and the number of minutes between refreshes from the database.

To modify Cache Server performance settings1. Go to the Servers management area of the CMC.2. Click the link to the Cache Server whose settings you want to change. 3. Make your changes on the Properties tab.

In this example, the Cache Server retains its default settings.

4. Click either Apply or Update:• Click Apply to submit changes and restart the server so that the

changes take effect immediately.• Click Update to save the changes. You must restart the server for the

changes to take effect.



Location of the Cache FilesThe “Location of the Cache Files” setting specifies the absolute path to the directory on the Cache Server machine where the cached report pages (.epf files) are stored.Note: The cache directory must be on a drive that is local to the server.

Maximum Cache Size AllowedThe “Maximum Cache Size Allowed” setting limits the amount of hard disk space (in KBytes) that is used to cache reports. When the Cache Server has to handle large numbers of reports, or reports that are especially complex, a larger cache size is needed. The default value is 5000 Kbytes, which is large enough to optimize performance for most installations.

Maximum Simultaneous Processing ThreadsThe “Maximum Simultaneous Processing Threads” setting limits the number of concurrent reporting requests that the Cache Server processes. The default value is set to “Automatic”, and is acceptable for most, if not all, reporting scenarios. With this setting, the Cache Server sets the maximum number of threads using the number of processors in your system as a guide. If your Cache Server responds slowly under high load, and resource utilization on the machine is high (that is, either memory usage is high or CPU utilization is high, particularly in the kernel), you may wish to decrease the number of threads to improve performance. If the Cache Server is slow under high load but CPU utilization is low, increasing the number of threads may improve performance. However, the ideal setting for your reporting environment is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Cache Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely, and setting a value that is too high can cause requests to be queued while the server waits for idle jobs to be closed.



Share Report Data Between ClientsThis setting appears only for Desktop Intelligence servers. Select to allow users to share data from Desktop Intelligence documents with other users.

Viewer Refresh Always Yields Current DataWhen enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the “Minutes Between Refreshes from Database” setting.

Oldest On-Demand Data Given To a Client (in minutes)The “Oldest On-Demand Data Given To a Client (in minutes)” setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.

Always Share Report JobsThis setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default.

Amount of Cache to Keep When Document Cache is FullThis setting appears only for the Desktop Intelligence Cache Server. Select a percentage of the cache to keep. This setting helps reduce the load on the Cache Server if you have a large deployment.

Configuring the processing tier for enhanced performanceThis section provides instructions for configuring settings for components from the processing tier. You can adjust the settings to account for minor and moderate performance issues.Note: For more information about the processing tier, see “Processing tier” on page 41.Configuring the processing tier includes:• “Modifying performance settings for job servers” on page 355



• “Modifying Desktop Intelligence Report Server performance settings” on page 356

• “Modifying performance settings for the Web Intelligence Report Server” on page 357

• “Modifying database settings for the RAS” on page 360• “Modifying performance settings for the RAS” on page 362• “Modifying Page Server performance settings” on page 363

Modifying performance settings for job serversBy default, the job servers run jobs as independent processes rather than as threads. This method allows for more efficient processing of large, complex reports.Use the following procedure to modify the performance settings for any of the job servers, that is the Report Job Server, Program Job Server, Destination Job Server, List of Values Job Server, and the Web Intelligence Job Server.

To modify performance settings for job servers1. Go to the Servers management area of the CMC.2. Click the link to the job server whose settings you want to change. 3. Make your changes on the Properties tab.4. Click Update.5. Return to the Servers management area of the CMC.

Maximum Jobs AllowedThe “Maximum Jobs Allowed” setting limits the number of concurrent independent processes (child processes) that the server allows—that is, it limits the number of scheduled objects that the server will process at any one time. You can tailor the maximum number of jobs to suit your reporting environment.The default “Maximum Jobs Allowed” setting is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.



Temp DirectoryYou can also change the default directory where the server stores its temporary files.

Modifying Desktop Intelligence Report Server performance settingsThe Properties tab of the Desktop Intelligence Report Server in the Central Management Console allows you to configure many of the same settings as the Page Server, plus additional report sharing settings.

To modify Desktop Intelligence Report Server performance settings1. Go to the Servers management area of the CMC.2. Click the link to the Desktop Intelligence Report Server whose settings

you want to change.3. Make your changes on the Properties tab.4. Click either Apply or Update:

• Click Apply to submit changes and restart the server so that the changes take effect immediately.

• Click Update to save the changes. You must restart the server for the changes to take effect.

Share Report Data Between ClientsThis setting appears only for Desktop Intelligence server. Select to allow users to share data from Desktop Intelligence documents with other users.

Viewer Refresh Always Yields Current DataWhen enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all cached pages are ignored, and new data is retrieved directly from the database. When disabled, this setting prevents users from retrieving new data more frequently than is permitted by the time specified in the “Minutes Between Refreshes from Database” setting.

Oldest On-Demand Data Given To a Client (in minutes)The “Oldest On-Demand Data Given To a Client (in minutes)” setting determines how long cached report pages are used before new data is requested from the database. This setting is respected for report instances with saved data, and for report objects that do not have on-demand subreports or parameters and that do not prompt for database logon information. Generally, the default value of 15 minutes is acceptable: as with other performance settings, the optimal value is largely dependent upon your reporting requirements.



Always Share Report JobsThis setting appears only for Desktop Intelligence servers. Select to allow users to share report jobs with other users by default. For more information on other settings, see “Modifying Page Server performance settings” on page 363.

Modifying performance settings for the Web Intelligence Report ServerUse the following procedure to configure the performance settings for the Web Intelligence Report Server.

To modify performance settings for the Web Intelligence report server1. Go to the Servers management area of the CMC.2. Click the link to the Web Intelligence Report Server whose settings you

want to change. 3. Make your changes on the Properties tab.4. Click either Apply or Update:



5. Return to the Servers management area of the CMC and restart the Job Server.



Maximum Simultaneous ConnectionsThe maximum number of simultaneous connections that the server allows at one time, from sources such the Web Intelligence SDK or the Web Intelligence Job Server. If this limit is reached, the user will receive an error message, unless another server is available to handle the request.

Connection Time OutThe number of minutes before an idle connection to the Web Intelligence Report Server will be closed.

List of Values Batch SizeThe maximum number of values that can be returned per list of values batch. For example, if the number of values in a list of values exceeds this size, then the list of values will be returned to the user in several batches of this size or less.The minimum value that you can enter is 10. Although there is no limit on the maximum value, Business Objects recommends that you limit it to 30000.

Universe Cache SizeThe number of universes to be cached on the Web Intelligence Report Server.



List of Values CachingEnables or disables caching per user session of list of values in Web Intelligence Report Server. The default is for the feature to be on.

Enable Viewing CachingWhen this parameter is on, real-time caching is possible for Web Intelligence documents when they are viewed, or when they are generated as a result of having been run as a scheduled job.When this parameter is off both real-time caching of Web Intelligence documents and viewing of cached Web Intelligence documents is impossible.Real-time caching is done only if both this parameter and the Enable Real Time Caching parameters are on.

Enable Real Time CachingWhen this parameter is on, the Web Intelligence Report Server caches Web Intelligence documents when the documents are viewed. The server also caches the documents when they are run as a scheduled job, provided the pre-cache was enabled in the document.When the parameter is off, the Web Intelligence Report Server does not cache the Web Intelligence documents when the documents are viewed. Nor does it cache the documents when they are run as a scheduled job.This parameter is taken into account only when the Enable Viewing Caching is set to on.Note: To improve system performance, set the Maximum Number Of Downloaded Documents To Cache to zero when this option is selected, but enter a value for Maximum Number Of Downloaded Documents To Cache when this option deselected.

Document Cache DurationThe amount of time (in minutes) that content is stored in cache.

Document Cache SizeThe size (in kilobytes) of the document cache.

Amount of Cache To Keep When Document Cache is FullIf the storage size is bigger than the allocated storage size, the system will delete documents with the oldest “last accessed time.” Then if the cache size is still exceeds the maximum storage size, the Web Intelligence Report Server will clean up the cache until the amount of cache percentage is reached.



Document Cache Scan IntervalThe number of minutes that the system waits before checking the document cache for cleanup.

Maximum Number of Downloaded Documents To CacheThe number of Web Intelligence documents that can be stored in cache.Note: To improve system performance, set this value to zero when Enable Real Time Caching is selected, but enter a value when Enable Real Time Caching is deselected.

Modifying database settings for the RASThe Database tab of the Report Application Server (RAS) in the Central Management Console lets you modify the way the server runs reports against your databases.

To modify database interaction settings for the RAS1. Go to the Servers management area of the CMC.2. Click the link to the RAS whose settings you want to change.3. Make your changes on the Database tab.4. Click either Apply or Update:



Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Database.

Number of database records to read when previewing or refreshing a reportThe “Number of database records to read when previewing or refreshing a report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is particularly useful if you provide users with ad hoc query and reporting tools, and you want to prevent them from running queries that return excessively large record sets.When the RAS retrieves records from the database, the query results are returned in batches. The “Number of records per batch” setting allows you to determine the number of records that are contained in each batch. The batch size cannot be equal to or less than zero.



Number of records to browseThe “Number of records to browse” setting allows you to specify the number of distinct records that will be returned from the database when browsing through a particular field’s values. The data will be retrieved first from the client’s cache—if it is available—and then from the server’s cache. If the data is not in either cache, it is retrieved from the database.

Oldest on-demand data given to a client (in minutes)The “Oldest on-demand data given to a client (in minutes)” setting controls how long the RAS uses previously processed data to meet requests. If the RAS receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the RAS will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest on-demand data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0. This is the default on the RAS, to support the data needs of users performing ad hoc reporting.

Report Job Database ConnectionThe “Report Job Database Connection” settings can be used to make a trade-off between the number of database licenses you use and the performance you can expect for certain types of reports. If you select “Disconnect when all records have been retrieved or the job is closed”, the Report Application Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that RAS stays connected to your database server, and therefore limits the number of database licenses consumed by the RAS.However, if the RAS needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that RAS stays connected to the database server until the report job is closed.)


Modifying performance settings for the RAS
The Server tab of the Report Application Server (RAS) in the Central Management Console allows you to modify the number of minutes before an idle connection is closed, and the maximum number of simultaneous processing threads.Note: The RAS server must have been installed and configured in order to use the List of Values Job Server. For more information, see “Processing tier” on page 41.

To modify performance settings for the RAS1. Go to the Servers management area of the CMC.2. Click the link to the RAS whose settings you want to change.3. Make your changes on the Server tab.4. Click either Apply or Update:



Tip: On Windows, you can also change these settings in the CCM. Stop the RAS and view its Properties. Click the Parameters tab. From the Option Type list, select Server.

Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the RAS waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely, and setting a value that is too high can affect the server’s scalability (for instance, if the ReportClientDocument object is not closed explicitly, the server will be waiting unnecessarily for an idle job to close).Maximum Simultaneous Report JobsThe “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that a RAS processes. The default value is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way.



It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Modifying Page Server performance settingsThe Properties tab of the Page Server in the Central Management Console lets you set the location of temporary files, the maximum number of simultaneous report jobs, the minutes before an idle connection is closed, the minutes before a processing job is closed, the number of database records to read when previewing or refreshing a report, the oldest processed data to give a client, and when to disconnect from the report job database. Note: For Desktop Intelligence documents, Page Server features are handled by the Desktop Intelligence Report Server.

To modify Page Server performance settings1. Go to the Servers management area of the CMC.2. Click the link to the Page Server whose settings you want to change.3. Make your changes on the Properties tab.4. Click either Apply or Update:





Location of Temp FilesThe “Location of Temp Files” setting specifies the absolute path to a directory on the Page Server machine.This directory must have plenty of free hard disk space. If not enough disk space is available, job processing may be slower than usual, or job processing may fail.

Maximum Simultaneous Report JobsThe “Maximum Simultaneous Report Jobs” setting limits the number of concurrent reporting requests that any single Page Server processes. The default value of 75 is acceptable for most, if not all, reporting scenarios. The ideal setting for your reporting environment, however, is highly dependent upon your hardware configuration, your database software, and your reporting requirements. Thus, it is difficult to discuss the recommended or optimum settings in a general way. It is recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects services consultant can then assess your reporting environment and assist you in customizing these advanced configuration and performance settings.

Minutes Before an Idle Connection is ClosedThe “Minutes Before an Idle Connection is Closed” setting alters the length of time that the Page Server waits for further requests from an idle connection. Before you change this setting, it is important to understand that setting a



value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary.

Minutes before an Idle Report Job is ClosedThe “Minutes before an Idle Report Job is Closed” setting alters the length of time that the Page Server keeps a report job active. Before you change this setting, it is important to understand that setting a value too low can cause a user’s request to be closed prematurely. Setting a value that is too high can cause system resources to be consumed for longer than necessary. (Note that this setting works in conjunction with the “Report Job Database Connection” setting.)

Database Records to Read When Previewing Or Refreshing a ReportThe “Database Records to Read When Previewing Or Refreshing a Report” area allows you to limit the number of records that the server retrieves from the database when a user runs a query or report. This setting is useful when you want to prevent users from running on-demand reports containing queries that return excessively large record sets. You may prefer to schedule such reports, both to make the reports available more quickly to users and to reduce the load on your database from these large queries.

Oldest On-Demand Data Given to a Client (in minutes)The “Oldest On-Demand Data Given To a Client (in minutes):” setting controls how long the Page Server uses previously processed data to meet requests. If the Page Server receives a request that can be met using data that was generated to meet a previous request, and the time elapsed since that data was generated is less than the value set here, then the Page Server will reuse this data to meet the subsequent request. Reusing data in this way significantly improves system performance when multiple users need the same information. When setting the value of the “oldest processed data given to a client” consider how important it is that your users receive up-to-date data. If it is very important that all users receive fresh data (perhaps because important data changes very frequently) you may need to disallow this kind of data reuse by setting the value to 0.

Viewer Refresh Always Yields Current DataWhen enabled, the “Viewer Refresh Always Yields Current Data” setting ensures that, when users explicitly refresh a report, all previously processed data is ignored, and new data is retrieved directly from the database. When



disabled, the setting ensures that the Page Server will treat requests generated by a viewer refresh in exactly the same way as it treats as new requests.

Report Job Database ConnectionThe “Report Job Database Connection” settings can be used to make a trade-off between the number of database licenses you use and the performance you can expect for certain types of reports. If you select “Disconnect when all records have been retrieved or the job is closed”, the Page Server will automatically disconnect from the report database as soon as it has retrieved the data it needs to fulfill a request. Selecting this option limits the amount of time that Page Server stays connected to your database server, and therefore limits the number of database licenses consumed by the Page Server. However, if the Page Server needs to reconnect to the database to generate an on-demand sub-report or to process a group-by-on-server command for that report, performance for these reports will be significantly slower than if you had selected “Disconnect when the job is closed”. (The latter option ensures that Page Server stays connected to the database server until the report job is closed. Note that you can set the “Minutes before a Report Job is Closed” above.)

Scaling your systemThe BusinessObjects Enterprise architecture allows for a multitude of server configurations, ranging from stand-alone, single-machine environments, to large-scale deployments supporting global organizations.For information about adding and deleting servers from your BusinessObjects Enterprise installation, see “Adding and deleting servers” on page 105This section provides information about system scalability and the BusinessObjects Enterprise servers that are responsible for particular aspects of your system. Each subsection focuses on one aspect of your system’s capacity, discusses the relevant components, and provides a number of ways in which you might modify your configuration accordingly.Before modifying these aspects of your system, it is strongly recommended that you contact your Business Objects sales representative and request information about the BusinessObjects Enterprise Sizing Guide. A Business Objects Services consultant can then assess your reporting environment and assist in determining the configuration that will best integrate with your current environment.General scalability considerations include the following:



• “Increasing overall system capacity” on page 367• “Increasing scheduled reporting capacity” on page 367• “Increasing on-demand viewing capacity for Crystal reports” on page 369• “Increasing prompting capacity” on page 369• “Enhancing custom web applications” on page 370• “Improving web response speeds” on page 371• “Getting the most from existing resources” on page 371

Increasing overall system capacityAs the number of report objects and users on your system increases, you can increase the overall system capacity by clustering two (or more) Central Management Servers (CMS). You can install multiple CMS services/daemons on the same machine. However, to provide server redundancy and fault-tolerance, you should ideally install each cluster member on its own machine.CMS clusters can improve overall system performance because every BusinessObjects Enterprise request results, at some point, in a server component querying the CMS for information that is stored in the CMS database. When you cluster two CMS machines, you instruct the new CMS to share in the task of maintaining and querying the CMS database.For more information, see “Clustering Central Management Servers” on page 114.

Increasing scheduled reporting capacityIncreasing Crystal reports processing capacityAll Crystal reports that are scheduled are eventually processed by a Job Server. You can expand BusinessObjects Enterprise by running individual Report Job Servers on multiple machines, or by running multiple Report Job Servers on a single multi-processor machine.If the majority of your reports are scheduled to run on a regular basis, there are several strategies you can adopt to maximize your system’s processing capacity:• Install the Job Server in close proximity to (but not on the same machine

as) the database server against which the reports run. Ensure also that the File Repository Servers are readily accessible to all Job Server (so they can read report objects from the Input FRS and write report instances to the Output FRS quickly). Depending upon your network configuration, these strategies may improve the processing speed of the Job Server, because there is less distance for data to travel over your corporate network.



• Verify the efficiency of your reports. When designing reports in Crystal Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).

• Use event-based scheduling to create dependencies between large or complex reports. For instance, if you run several very complex reports on a regular, nightly basis, you can use Schedule events to ensure that the reports are processed sequentially. This is a useful way of minimizing the processing load that your database server is subject to at any given point in time.

• If some reports are much larger or more complex than others, consider distributing the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Job Servers. Then, when you schedule recurrent reports, you can specify that it be processed by a particular server group to ensure that especially large reports are distributed evenly across resources.

• Increase the hardware resources that are available to a Job Server. If the Job Server is currently running on a machine along with other BusinessObjects Enterprise components, consider moving the Job Server to a dedicated machine. If the new machine has multiple CPUs, you can install multiple Job Servers on the same machine (typically no more than one service/daemon per CPU).

Increasing Web Intelligence document processing capacityAll Web Intelligence documents that are scheduled are eventually processed by a Web Intelligence Job Server and Web Intelligence Report Server. You can expand BusinessObjects Enterprise by running individual Web Intelligence Report Servers on multiple machines, or by running multiple Web Intelligence Report Servers on a single multi-processor machine.When running multiple Web Intelligence Report Servers, you don’t need to duplicate the Web Intelligence Job Server. One Web Intelligence Job Server can be used to drive multiple Web Intelligence Report Servers. However, if you are working with server groups, a Web Intelligence Job Server must exist in the same group as the Web Intelligence Report Servers.Note: When deciding whether to increase the number Web Intelligence Report Servers, keep in mind that Web Intelligence Report Server processes both scheduling and viewing requests, whereas requests for Crystal reports are processed by three separate servers, the Report Job Server, the Cache Server and Page Server.



Increasing on-demand viewing capacity for Crystal reportsWhen you provide many users with View On Demand access to reports, you allow each user to view live report data by refreshing reports against your database server. For most requests, the Page Server retrieves the data and performs the report processing, and the Cache Server stores recently viewed report pages for possible reuse. However, if users use the Advanced DHTML viewer, the Report Application Server (RAS) processes the request.If your reporting requirements demand that users have continual access to the latest data, you can increase capacity in the following ways:• Increase the maximum allowed size of the cache. For details, see

“Modifying Cache Server performance settings” on page 352.• Verify the efficiency of your reports. When designing reports in Crystal

Reports, there are a number of ways in which you can improve the performance of the report itself, by modifying record selection formulas, using the database server’s resources to group data, incorporating parameter fields, and so on. For more information, see the “Designing Optimized Web Reports” section in the Crystal Reports User’s Guide (version 8.5 and later).

• Increase the number of Page Servers that service requests on behalf of Cache Servers. You can do this by installing additional Page Servers on multiple machines. However, do not install more than one Page Server per machine. The Page Server has been re-designed to optimize the processing capability of a machine. It is therefore no longer recommended that you install multiple Page Servers on one machine.

• Increase the number of Page Servers, Cache Servers, and Report Application Servers on the system, and then distribute the processing load through the use of server groups. For instance, you might create two server groups, each containing one or more Cache Server/Page Server pairs along with one or more Report Application Servers. You can then specify individual reports that should always be processed by a particular server group.

Increasing prompting capacityWhen reports use a list of values, the RAS processes on-demand list-of-values objects for the report when the report is being viewed. Scheduled list-of-values objects are processed by the List of Values Job Server without using RAS.



To avoid contention with other applications that use the RAS, you can add a RAS server that will be dedicated to processing list-of-value objects. In CMC you can then create a RAS server group and assign the dedicated RAS to the RAS server group. In Business View Manager, you then assign the list-of-values objects to be processed by the RAS server group.

Delegating XSL transformation to Internet ExplorerIf your users access InfoView via the Internet Explorer 6.0 browser, you can instruct the Web Intelligence Report Server to delegate the transformation of XML to XSL to the browser. This substantially decreases the load on the server, primarily during document display, but also during display of the portal itself.By default, the XSL transformation delegation is not activated.

To delegate XSL transformation to the browser for document display:1. On the application server, set the CLIENT_XSLT variable in

webiviewer.properties, located in the WEB-INF\classes subfolder of the application server as follows:CLIENT_XSLT=Y

2. Restart the application server.

Enhancing custom web applicationsIf you are developing your own custom desktops or administrative tools with the BusinessObjects Enterprise Software Development Kit (SDK), be sure to review the libraries and APIs. You can now, for instance, incorporate complete security and scheduling options into your own web applications. You can also modify server settings from within your own code in order to further integrate BusinessObjects Enterprise with your existing intranet tools and overall reporting environment.To improve the scalability of your system, consider distributing administrative efforts by developing web applications for delegated content administration. You can grant select users the ability to manage particular BusinessObjects Enterprise folders, content, users, and groups on behalf of their team, department, or regional office.In addition, be sure to check the developer documentation available on your BusinessObjects Enterprise product CD for performance tips and other scalability considerations. The query optimization section in particular provides some preliminary steps to ensuring that custom applications make efficient use of the query language.



Improving web response speedsBecause all user interaction with BusinessObjects Enterprise occurs over the Web, you may need to investigate a number of areas to determine exactly where you can improve web response speeds. These are some common aspects of your deployment that you should consider before deciding how to expand BusinessObjects Enterprise:• Assess your web server’s ability to serve the number of users who

connect regularly to BusinessObjects Enterprise. Use the administrative tools provided with your web server software (or with your operating system) to determine how well your web server performs. If the web server is indeed limiting web response speeds, consider increasing the web server’s hardware.

• If web response speeds are slowed only by report viewing activities, see “Increasing scheduled reporting capacity” on page 367 and “Increasing on-demand viewing capacity for Crystal reports” on page 369.

• Take into account the number of users who regularly access your system. If you are running a large deployment, ensure that you have set up a CMS cluster. For details, see “Increasing overall system capacity” on page 367.

If you find that a single application server inadequately services the number of scripting requests made by users who access your system on a regular basis, consider the following options:• Increase the hardware resources that are available to the application

server. If the application server is currently running on the web server, or on a single machine with other BusinessObjects Enterprise components, consider moving the application server to a dedicated machine.

Note: BusinessObjects Enterprise does not support the session-replication functionality provided by some Java web application servers.

Getting the most from existing resourcesOne of the most effective ways to improve the performance and scalability of your system is to ensure that you get the most from the resources that you allocate to BusinessObjects Enterprise.

Optimizing network speed and database efficiencyWhen thinking about the overall performance and scalability of BusinessObjects Enterprise, don’t forget that BusinessObjects Enterprise depends upon your existing IT infrastructure. BusinessObjects Enterprise uses your network for communication between servers and for communication between BusinessObjects Enterprise and client machines on your network. Make sure that your network has the bandwidth and speed



necessary to provide BusinessObjects Enterprise users with acceptable levels of performance. Consult your network administrator for more information.BusinessObjects Enterprise processes reports against your database servers. If your databases are not optimized for the reports you need to run, then the performance of BusinessObjects Enterprise may suffer. Consult your database administrator for more information.

Using the appropriate processing serverWhen users view a report using the Advanced DHTML viewer, the report is processed by the Report Application Server rather than the Page Server and Cache Server. The Report Application Server is optimized for report modification. For simple report viewing you can achieve better system performance if users select the DHTML viewer, the Active X viewer, or the Java viewer. These report viewers process reports against the Page Server.If the ability to modify reports is not needed at your site, you can disable the Advanced DHTML viewer for all users of BusinessObjects Enterprise.

Disabling the Advanced DHTML Viewer1. In the Central Management Console, select Business Objects

Applications.2. Select Web Desktop. 3. On the Properties tab, go to the Viewers area. Clear the option labeled

Allow users to use the Advanced DHTML Viewer.4. Click Update.

Optimizing BusinessObjects Enterprise for report viewingBusinessObjects Enterprise allows you to enable data sharing, which permits different users accessing the same report object to use the same data when viewing a report on demand or when refreshing a report. Enabling data sharing reduces the number of database calls, thereby reducing the time needed to provide report pages to subsequent users of the same report while greatly improving overall system performance under load. However, to get full value from data sharing, you must permit data to be reused for some period of time. This means that some users may see “old” data when they view a report on demand, or refresh a report instance that they are viewing. For details on data sharing options for reports, see the BusinessObjects Enterprise Administrator’s Guide. For more information on configuring BusinessObjects Enterprise to optimize report viewing in your system, see the planning section in the BusinessObjects Enterprise Installation Guide.


General Troubleshooting

chapter

General TroubleshootingTroubleshooting overview16
Troubleshooting overview
BusinessObjects Enterprise is designed to integrate with a multitude of different operating systems, web servers, network and firewall configurations, database servers, and reporting environments. Thus, any troubleshooting that you may need to undertake will likely reflect the particularities of your deployment environment. This section includes general troubleshooting steps along with solutions to some specific configuration issues.In general, consider the following key points when troubleshooting:• Ensure that client and server machines are running supported operating

systems, database servers, database clients, and appropriate server software. For details, consult the Platforms.txt file, included with your product distribution.

• Verify that the problem is reproducible, and take note of the exact steps that cause the problem to recur.On Windows, use the sample reports and sample data included with the product to confirm whether or not the same problem exists.

• Determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another.If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.

• If the problem relates to connectivity or functionality over the Web, check that BusinessObjects Enterprise is integrated properly with your web environment. For details, see BusinessObjects Enterprise Installation Guide and “Web accessibility issues” on page 375.

• If the problem relates to report viewing or report processing, verify your database connectivity and functionality from each of the affected machines. Use Crystal Reports to verify that the report can be viewed properly. If the Job or Page Servers are running on Windows, open the report in Crystal Reports on the server machine and check that you can refresh the report against the database. For details, see “TReport viewing and processing issues” on page 383.

• Look for solutions in the documentation included with your product. For details, see “Documentation resources” on page 375.

• Check out the Business Objects Customer Support technical support web site for white papers, files and updates, user forums, and Knowledge Base articles:http://support.businessobjects.com/


http://support.businessobjects.com/

General TroubleshootingDocumentation resources 16

Documentation resourcesThe BusinessObjects Enterprise Release Notes are provided in the root directory of your product distribution, as is the Platforms.txt file. These documents list supported third-party software along with any known issues or implementation-specific configuration details.BusinessObjects Enterprise also includes a number of manuals.CHM and PDF files are located in the doc directory of your product distribution. Access the HTML versions from the BusinessObjects Enterprise Administrator Launchpad, or from within the CMC or InfoView.Additional Compiled HTML Help (CHM) files are provided with the following client tools:• Central Configuration Manager• Publishing Wizard• Repository Migration Wizard• Import Wizard• Crystal Report Offline ViewerPress F1 or click Help to launch the online help from within these applications.

Web accessibility issues

Using an IIS web site other than the defaultOn Windows, the BusinessObjects Enterprise installation creates virtual directories on the Internet Information Server (IIS) “Default Web Site” unless you specify to use a different site during the installation. If you are using a different site, but forgot to specify it during the installation, you must copy the virtual directory configuration from the default web site to the web site you are using. BusinessObjects Enterprise also sets up several application mappings on the default site. These can be viewed and copied from the default web site to the web site you are using. Restart the web server once you have made these changes. For more information, see BusinessObjects Enterprise Installation Guide.


General TroubleshootingWeb accessibility issues16
.NET CSP and ASP pages display code
In a BusinessObjects Enterprise XI .NET installation, all ASP and CSP encoded web pages are not rendered. Instead, the actual code is displayed. This situation may happen when there is a problem with the .NET Framework. To fix a problem, re-register the .NET Framework with with the website.Registering the .NET Framework

To re-rigster the .NET Framework1. Open command prompt window.2. Go to the directory where .NET is installed. For example:

c:\winnt\microsoft.NET\Framework\v.1.1.4322

3. Enter the command applies to your deployment.• If you have multiple web sites on IIS, in addition to those running

BusinessObjects Enterprise, type the following:• aspnet_regiis.exe -c “C:\<Installdir>• If IIS is only running BusinessObjects Enterprise, type the following:• aspnet_regiis.exe -i

Unable to access the CMS from thick clientWhen you use a thick client application such as Crystal Reports, Designer, or Business View Manager attempts to establish a connection to a CMS configured to communicate via SSL, you receive a “Transport Error” message.This error message appears because the thick client application is not using the Secure Sockets Layer (SSL) to connect to an Enterprise deployment configured to use Server to Server SSL. To resolve this error message, run the SSLConfig utility on the client computer.

To configure the thick client to use SSL1. On the server with the CMS, type the following command:

SSLConfig.exe -display

The output should be similar to this: ********************** COM/.Net SDK ********************** '==Begin Current SSL Settings === CommunicationProtocol = ssl SSLCertDirectory = C:/SSL SSLCertificate = servercert.der


General TroubleshootingWeb accessibility issues 16

SSLTrustCertificate = cacert.der SSLKey = server.key SSLPassphrase = passphrase.txt '== End Current SSL Settings ===

2. Copy the files from this location and add them to the appropriate folder (UNC or Local).

3. Copy the SSLConfig.exe utility to a location on the client computer and open a command prompt to the directory where you copied the file.

4. Type the following command and replace the variable with the specifics from the SSL configuration you displayed in a previous step:"SSLCONFIG -dir <certdir> -mycert <sdkcert> -rootcert

<rootcert> -mykey <privatekey> -passphrase <passphrase> -protocol <protocol>"

Tip: If your configuration was identical to the sample output from step 1, you would enter the command as follows:

SSLCONFIG -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl

Note: If any of your directories contain spaces, be sure to enclose the path with a double quotation marks.

Unable to View .NET InfoView or CMCAfter installing BusinessObjects Enterprise XI R2 on Microsoft 2003 server with IIS 6, you are not able to view the .NET InfoView. Instead of the InfoView or CMC Sign-on page, you see the message “The page cannot be displayed”. This error can occur if the ASP.NET component of IIS application server is not installed. See “Determining if the IIS 6.0 ASP.NET component is installed” on page 377 for procedural details.

Determining if the IIS 6.0 ASP.NET component is installed To verify that the ASP.NET component is installed

1. From the Start menu, select Settings >Control Panel.2. Select Add or Remove Programs.3. Select Add/Remove Windows Components.4. Select Application Server, and then click Details.5. Check whether the check box beside ASP.NET is selected.

• If the box is checked, ASP.NET is installed.• If the box is clear, check the box and then click OK.



6. Click Next.The component will be installed.

7. Click Finish.8. If you have changed the configuration for IIS, restart IIS.

Changing the connect port used by TomcatDuring the installation, the default port used for Tomcat is 8080. If this port is already in use by another instance of Tomcat, or if another application is using this port, you will need to change the connect port used by Tomcat.

To change the Tomcat connect port1. Stop Tomcat.2. Open the server.xml file for Tomcat in a text editor.

On Windows, this file can normally be found in the following directory:C:\Program Files\Business Objects\Tomcat\conf

3. Locate the following string:<Connector URIEncoding="UTF-8" acceptCount="100"


4. Change port 8080 to an available port number.5. Save and close the file.



Unable to connect to CMS when logging on to the CMCIf you attempt to log on to the CMC while the Central Management Server (CMS) is not running, the following error message appears:Unable to connect to CMS (<servername>) to retrieve cluster

members. Logon can not continue.

Use the CCM to start the CMS. (If the CMS was already started, use the CCM to restart it.)

Unable to open a report from InfoViewWhen running BusinessObjects Enterprise on Windows 2003 with IIS, you receive the following error when you load a Report:

Failed to read data from report file C:\WINDOWS\TEMP\tmp.rpt.

Reason: Failed to open print engine for C:\WINDOWS\TEMP\tmpreport\<report>. Ensure that CRPE32 is installed on this computer.

This error message occurs on Windows 2003 computers running IIS version 6.0 where the default application pool is running under the Network Service Account. However, the Network Service Account does not have sufficient rights to the files and registry needed to create a copy of the report in the enterprise system. To resolve this error message, use the Local System Account to run the default application pool as this account has sufficient rights.

To run IIS under Local System account1. Open the IIS Console. 2. Expand the Application Pools folder.3. Right-click DefaultAppPool, and then click Properties. 4. Click the Identity tab.5. Ensure the Predefined radio button is selected. 6. Select the Local System account from the drop-down list. 7. Click OK.8. Restart IIS.


Single sign-on from an IE Windows 2000 client fails
After configuring Single Sign-On (SSO) for BusinessObjects Enterprise XI, trying to connect to InfoView from a Windows 2000 client computer results in a logon prompt. Both Windows 2003 and Windows XP client computers work correctly and do not display a logon prompt.This problem occurs because the following option has not been selected on the version of Internet Explorer that comes with Windows 2000:Enable Integrated Windows Authentication

To change the Internet Options to allow SSO1. Open Internet Explorer.2. From the Tools menu, select Internet Options.3. Click the Advanced tab. 4. Scroll down to Security Options.5. Select Enable Integrated Windows Authentication, and then click OK.

Windows NT authentication cannot log you onWhen you attempt to log on to the Central Management Console (CMC) or to InfoView, the following error occurs:NT Authentication could not log you on. Please make sure your

logon information is correct. If your account is in any domain other than "DOMAIN NAME" you must enter your user name as DomainName\UserName.

This error may occur for various reasons. Investigate these common solutions:• Ensure that the specified authentication type corresponds to the user

name and password provided on the log on page. To log on with a Windows NT user name, verify that the authentication type is set to Windows NT Authentication and not Enterprise.

• Netscape users must provide a valid Windows NT user name in the form of Domain\User.

• Microsoft Internet Explorer users must provide a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.

• If Windows NT Integrated security (NT Challenge/Response) is enabled in Internet Information Services (IIS) and in the Web Component Adapter (WCA), then users must use Microsoft Internet Explorer. In addition, users must log on to the client machine with a valid NT domain user



account before logging on to BusinessObjects Enterprise. Users must log on to BusinessObjects Enterprise with a valid Windows NT user name. It must be in the form of Domain\User if the user account does not reside in the default domain of the CMS.

• The web server and all BusinessObjects Enterprise components must be running on Windows NT/2000 for Windows NT authentication to work.

Mapped AD user unable to log on to CMC or InfoViewA user’s Active Directory ID has successfully been mapped to BusinessObjects Enterprise. Despite this fact, they are unable to successfully log on to CMC or InfoView with Java AD authentication and Kerberos in the following format:• DOMAIN\ABC123This problem, which happens with with the Sun, IBM or BEA JRE, can occur when the user is set up in Active Directory with a UPN and SAM name are not the same either in case or otherwise. Following are two examples which may cause a problem:• The UPN is [email protected] but the SAM name is

DOMAIN\ABC123.• The UPN is jsmith@company but the SAM name is DOMAIN\johnsmitThere are two ways to address this problem:• Have users log in using UPN rather than SAM name. • Ensure the SAM account name and the UPN name is the same.

Unable to sign on with AD and KerberosA users who is A user’s Active Directory ID has successfully has been mapped to BusinessObjects Enterprise. However, when they open InfoView in IIS and attempt to log on, they receive the following message:An error has occurred propagating the security context

between the security server and the client. Please contact your system administrator.

This problem can happen for two reasons:• Because the web.config file used by IIS has not been configured

properly.• Because IIS has not been configured properly.



Follow these steps to resolve this problem. Modify either of the following web.conf file based on what you want to configure for AD and Kerberos. To configure both the CMC and InfoView configure the web.config file in the Web Content directory; To configure only InfoView , configure the web.config file in the InfoView directory.

To configure the web.config for AD and Kerberos1. Open the appropriate Web.config file from either of the following

locations:• C:\Program Files\Business Objects\BusinessObjects

Enterprise 11.5\Web Content\• C:\Program Files\Business Objects\BusinessObjects


2. Locate the following line in the <system.web> block:<Authentication mode="None" />

3. Replace “None” with “Windows”.<Authentication mode="Windows" />


5. Save and close the web.config.6. Restart IIS.

To modify the security setting on IIS1. From the Windows Administrative Tools program group, click Computer

Management.2. Expand Services and Applications.3. Expand Internet Information Services.4. Expand the web site that runs your BusinessObjects Enterprise

applications.5. Right-click businessobjects, and then select Properties.6. Click on the Directory Security tab.7. In the Anonymous access and authentication control area of the page,

click Edit.8. Ensure the following check boxes are cleared:

• Anonymous access • Basic authentication

9. Ensure Integrated Windows authentication is selected.



10. Click OK.11. Click OK.12. Repeat the procedure starting from step 6 for crystalreportvewiers115

and styles.13. Restart your IIS server.

TReport viewing and processing issuesWhen troubleshooting reports, it is especially useful to determine whether the problem is isolated to one machine or is occurring on multiple machines. For instance, if a report fails to run on one processing server, see if it runs on another.If the problem is isolated to one machine, pay close attention to any configuration differences in the two machines, including operating system versions, patch levels, and general network integration.In particular, check the database client configurations, the drivers and versions, and the accounts under which the processing servers are running. If the reports are based off ODBC data sources, compare the ODBC driver versions, the DSN configurations, and the versions of the MDAC layer. Check to see if the Page Server or Job Server is running under an account that has the appropriate access rights to the report database server. If the report database server is on a remote machine, change the Page Server or Job Server to use a valid domain account with enough rights to view or process the report.If you follow these steps and the problem persists, contact Business Objects technical support. Before you call, take note of the database client and version you are running, the database server version that you are connecting to, and the driver name and version that you are using to connect.

Troubleshooting reports with Crystal ReportsOn Windows, you can install Crystal Reports on all Job Server, Page Server, and RAS machines in order to speed up the troubleshooting of reports and database connectivity. In this way, you use Crystal Reports to simulate the steps that are performed by the BusinessObjects Enterprise processing servers when a scheduled report is processed, or when a report is viewed on demand over the Web. By locating the step where Crystal Reports is unable to open, refresh, or save the report, you may be able to locate the source of the problem.Note: The exact steps and menu options may differ, depending on your version of Crystal Reports.



To troubleshoot a report1. Start Crystal Reports on the appropriate machine:

• If the report runs successfully on demand, but fails when scheduled, start Crystal Reports on the Job Server.

• If the report fails when viewed on demand, but runs successfully when scheduled, start Crystal Reports on the Page Server.

• If the report fails when viewed on demand with the Advanced DHTML viewer, start Crystal Reports on the RAS.

• If the report fails in all cases, first complete these troubleshooting steps on one processing server; then verify whether or not the problem is resolved on all processing servers. If not, repeat the steps on a different processing server.

2. Open the report from the CMS.On the File menu, click Open. Click Enterprise Folders and log on to your CMS. If you cannot open the report, verify network connectivity between the server you are working on, the CMS, and the Input File Repository Server.

3. Test your database connection and authentication.On the Database menu, click Log On/Off Server. If you cannot log on to the database server, check the configuration of the database client software and ensure that the report contains a valid database user name and password.

4. If the report’s parameters or record selection need to be modified by BusinessObjects Enterprise users when they schedule or view the report, change the parameter values or record selection formula accordingly. If the values are invalid, Crystal Reports will report an error.

5. Verify that the tables used in the report match the tables in the database.On the File menu, clear the “Save Data with Report” check box. On the Database menu, click Verify Database. Correct any issues reported by Crystal Reports, and then save the report.

6. Refresh the report and, if current data is not returned from the database, check these possible causes:• If the report fails, ensure that the database credentials provide READ

rights to all tables in the report.• If the database credentials are valid, the report’s SQL statement is

evaluated at this time. Check the join information. Note any ODBC errors that are produced.



• If the SQL statement is valid, data begins to return to Crystal Reports. As this happens, the temporary files increase in size. Verify resource allocation in case the machine is running out of memory or disk space.

7. Go to the last page of the report.Crystal Reports will report any errors that it encounters within the report (such as formulas, subreports, and other objects).

8. Export the report to Crystal Reports format (or any other desired format).This step ensures that Crystal Reports is able to create temporary files that are required in order to complete the processing of a report.

9. If the report now refreshes successfully, save it back to the CMS.10. Close the report.11. Close Crystal Reports.12. Repeat the activity that caused the original report to fail: view the report

on demand over the Web, or schedule the report for processing.

Images and charts not displayedAfter single sign-on has been enabled in BusinessObjects Enterprise XI, images or charts are not displayed in the reports when viewed with the DHTML or ActiveX viewer. This behavior may occur because the temporary image file cannot be accessed by the account under which the IIS application pool is running. To fix this problem, ensure that the service account has modif' rights to the following directory:C:\Windows\Temp

Troubleshooting reports and looping database logon prompts

A common issue when viewing reports over the Web is a persistent database logon prompt that is displayed repeatedly by the user’s browser. Regardless of the credentials provided by the user, the report will not display. This problem is typically caused by the configuration of the Page Server or the Report Application Server (RAS). This section provides a series of troubleshooting steps that should resolve this problem and others that are specific to reports and database connectivity.

To troubleshoot reports and looping database logon prompts1. Verify the report with Crystal Reports.



Use Crystal Reports to verify the report. If you have the Crystal Reports Designer installed on the Page Server, Job Server, or RAS machine, test database connectivity by opening the report in Crystal Reports on the server. For details, see “Troubleshooting reports with Crystal Reports” on page 383.

2. Change the server’s logon account.BusinessObjects Enterprise servers require access to various local and/or remote resources and to the database server. Experience shows that running the Page Server, Job Server, RAS, and Web Component Adapter (WCA) under a Domain Administrator account allows them to access the components necessary to connect successfully to data sources. To change a server’s logon account, see “Configuring Windows processing servers for your data source” on page 140.Tip: Running a background application under an Administrator account does not inadvertently grant administrative privileges to another user, because users cannot impersonate services.

3. Verify the server’s access to ODBC Data Source Names (DSNs).Base reports off System DSNs (and not File or User DSNs), and set up each System DSN identically on every Job Server, Page Server, and RAS machine that will process the report.If the report is based off an ODBC data source, the processing server must have permission to access the corresponding DSN configuration. This information is stored in the Windows registry. The Job Server, Page Server, and RAS require Full Control or Special Access to the ODBC registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI

Consult your Windows documentation for information about working with the registry. Additional configuration may be required, depending upon the database that you are reporting off of. For details, see “Configuring Windows processing servers for your data source” on page 140.

4. Determine the configuration of the database client software.If you are not using ODBC, the database client software must be installed on each machine that will process reports. On Windows, many database clients store their configuration in the registry below HKEY_LOCAL_MACHINE. If your database client stores its configuration below HKEY_CURRENT_USER, the BusinessObjects Enterprise services cannot use the database client software to communicate with the database.

5. Verify the NTFS permissions granted to the Job Server, Page Server, and RAS.



Insufficient NTFS rights on the server may cause a number of problems to arise when you view reports over the Web. As in step 2, changing each server’s logon account to that of a Domain Administrator account should resolve such problems. For the minimum set of NTFS permissions required by BusinessObjects Enterprise, see the BusinessObjects Enterprise Deployment and Configuration Guide.

6. Check whether or not NT authentication is performed by the database.If you report against a database that uses NT authentication for access control (Microsoft SQL Server, Sybase, and so on), the Job Server, Page Server, and RAS must run under a Windows NT/2000 domain user account that has access to the appropriate database tables. (In this scenario, each server’s logon account determines the level of access it is granted by the database. BusinessObjects Enterprise does not pass end-users’ NT tokens through to the database server.)To retain the access control levels that are set up within the database, you can instead change each ODBC DSN so that it implements SQL Server Login instead of NT authentication.

7. Check the available environment variables.Environment variables are used by the operating system to govern and manage system files for particular users. On Windows, BusinessObjects Enterprise servers are generally most affected by the TMP and TEMP environment variables. Because the servers are run as services, they cannot access the User Environment variables that are created by default. Therefore, it is recommended that you create System Environment variables if they do not already exist. Consult your Windows documentation for details.

8. Reference remote data sources with UNC paths.Ensure that servers have access to remote databases through UNC paths, instead of through mapped drives. For example, if you design a report off a PC database that resides on a network drive, ensure that the report references its data source with the appropriate UNC path. For details, see “Ensuring that server resources are available on local drives” on page 388.

9. Ensure that you have enough database client licenses.If all database client licenses are in use, the BusinessObjects Enterprise servers are unable to retrieve data from the database.

10. Check that database connections are closed in a timely fashion.



If a database connection is not closed quickly, the database may not service another request until the connection has been closed. To decrease the “Minutes Before an Idle Job is Closed” setting, see “Modifying Page Server performance settings” on page 363.

11. Use multi-threaded database drivers.Multi-threaded database drivers allow the processing servers to connect to the database without having to wait for the database to fulfill initial requests. ODBC connections are typically recommended because they provide multithreaded connections to the database. However, Crystal Reports now includes a number of thread-safe native and OLEDB drivers. A list of these thread-safe drivers is available in the Crystal Reports Release Notes.

12. Check for problems with particular data sources.If your report is based on a Lotus Notes database, you may need to perform additional configuration. Download the latest instructions from the Business Objects Customer Support Knowledge Base.IBM offers several client applications for connecting to DB2. The recommended client is IBM DB2 Direct Connect, whose ODBC drivers were written for actual programmatic interaction with products like BusinessObjects Enterprise. See the Business Objects Customer Support Knowledge Base for discussions of this and other DB2 clients.If you encounter problems with any other specific data sources, check the Knowledge Base for the latest information.

Ensuring that server resources are available on local drivesWhen the BusinessObjects Enterprise servers are running on Windows, many can be configured to use specific directories to store files. For example, you can specify the root directory for each File Repository Server, the temporary directories for the Cache and Page Servers, or the directory from which the Job Servers load processing extensions. In all cases, the directory that you specify must be on a local drive (such as C:\InputFRS or C:\Cache). Do not use Universal Naming Convention (UNC) paths or mapped drives.Although some BusinessObjects Enterprise servers can recognize and use UNC paths, do not configure the servers to access network resources in this manner. Use local drives instead, because UNC paths can limit performance due to limitations in the underlying protocol.



Tip: If your report runs against a PC database that resides on a network drive, then the report itself must reference its data source through a UNC path. In this case, the service must run under a domain user account with network permissions. For details, see “Configuring Windows processing servers for your data source” on page 140.Similarly, if you configure a server to use a mapped drive, the server may appear to function correctly. However, servers cannot access mapped resources when the machine is restarted. Drives are mapped according to your user profile when you log on to Windows NT/2000, but, once a drive is mapped, it is available to the entire operating system. So, when you log on and map a local or network drive, the mapped drive is accessible to the LocalSystem account, and hence to the BusinessObjects Enterprise servers running on the local machine. When you log off the local machine, the servers may retain access to the mapped drive for some time (Windows will release the drive mapping if no application maintains a persistent connection to the mapped resource). However, when you restart the local machine, the mapped drive is not restored until you log back on.Note: Changing a server’s log on account from the LocalSystem account to a Windows NT/2000 user account with network privileges will not resolve the problem, because the servers do not actually log on to the network with that account. Instead, the servers perform “account impersonation.” This provides access to some profile-specific resources (such as printers and email profiles), but not others (such as ODBC User Data Source Names and mapped drives).

Page Server error when viewing a reportWhen you attempt to run or preview a report, the following error message appears:There are no Page Servers connected to the Cache Server or

all the connected Page Servers are disabled. Please try to reconnect later. [On Page Server : <servername>.Cacheserver]

This error indicates that the Page Server is not started and enabled. Use the CCM to start the Page Server and then enable it. (If the Page Server was already started and enabled, use the CCM to restart it.)


General TroubleshootingInfoView considerations16
InfoView considerations
Supporting users in multiple time zonesAvoid granting Schedule access to the default Guest account if you deploy InfoView for users in different time zones. Instead, ensure that each user who is allowed to schedule reports has a dedicated account on the system, and that each user's InfoView preferences include the appropriate time-zone setting. Dedicated accounts are recommended because the default Guest account does not allow users to modify account preferences that would affect other users. For more information about using specific time-zone properties in your custom web applications, see the BusinessObjects Enterprise SDK documentation.

Setting default report destinationsBy default, a report's destination that is set in the CMC will be the selected destination when a report is scheduled in InfoView. A user can also select alternate destinations in InfoView by updating the Destination option. Note that the destination set in InfoView applies only to the scheduled instance. Thus, when a user schedules another instance in InfoView, the destination that is set in the CMC will be selected, unless the user changes the Destination option. If the user selects the Default destination setting in InfoView, reports are processed on the Job Server and sent to the File Repository Server. The Default destination setting in InfoView is equivalent to the Default destination setting in the CMC.

Import Wizard

Unable to import users from BusinessObjects 6.5When using the Import Wizard, you get the following error after you enter your BusinessObjects 6.5 credentials: "Error logging on to server. Please check logon information

and try again. Unspecified error."

This error occurs because you because your new server that hosts BusinessObjects Enterprise does not have the same System DSN used on the BusinessObjects 6.x system. To fix this problem, create an exact copy of the System DSN used for the security domain on the BusinessObjects 6.x on the new destination BusinessObjects Enterprise machine.


Managing Auditing

chapter

Managing AuditingHow does auditing work?17
How does auditing work?
The Central Management Server (CMS) acts as the system auditor, while each BusinessObjects Enterprise server that controls actions that you can monitor is an auditee. To audit an action in BusinessObjects Enterprise, there are a few steps you must complete:• You must configure the auditing database. If you installed Auditor, and

provided the authentication details for your auditing database when you installed BusinessObjects Enterprise, you have already configured the auditing database. If you did not install Auditor, you must configure the auditing database before you can use Auditor. For step by step instructions, see “Configuring the auditing database” on page 393.Note: Auditor is installed by default when you install and use a keycode that authorizes you to Auditor, unless you cleared the “Auditing Database” check box during the install, or did a custom install and specifically excluded Auditor.

• You must first determine which server controls that action. To determine which server controls an action, see “Reference list of auditable actions” on page 395.

• You must enable auditing of that action in the Servers management area of the Central Management Console (CMC). For step by step instructions, see “Enabling auditing of user and system actions” on page 399.

• You must configure the universe connection. The auditing reports are written against the Activity universe, this universe connection must be configured so it can connect to the auditing database. For step by step instructions, see “Configuring the universe connection” on page 401.

As the auditee, the BusinessObjects Enterprise server will then begin to record these audit actions in a local log file.As the auditor, the CMS controls the overall audit process. Each server writes audit records to a log file local to the server. At regular intervals the CMS communicates with the auditee servers to request copies of records from the auditee’s local log files. When the CMS receives these records it writes data from the log files to the central auditing database.


Managing AuditingConfiguring the auditing database 17

The CMS also controls the synchronization of audit actions that occur on different machines. Each auditee provides a time stamp for the audit actions that it records in its log file. To ensure that the time stamps of actions on different servers are consistent, the CMS periodically broadcasts its system time to the auditees. The auditees then compare this time to their internal clocks. If differences exist, they make a correction to the time stamp they record in their log files for subsequent audit actions.Once the data is in the auditing database, you can run the sample reports against the database or design custom reports to suit your own needs.

Configuring the auditing databaseIf you entered the authentication details for your auditing database when you installed Auditor, your auditing database is already configured and connected to your Central Management Server (CMS). If you did not enter the authentication details for your auditing database when you installed, you must configure your CMS to connect to an auditing database. You can use any database server supported for the CMS system database for your auditing database. See the Platforms.txt file included with your product distribution for a complete list of tested database software and version requirements. If you plan to use MySQL for your auditing database, you will require version 3.51 of the MySQL Connector/ODBC (MyODBC) driver. If you do not already have this installed, you can download it from the following location:http://dev.mysql.com/downloads/connector/odbc/3.51.html

It is recommended that you develop a back up strategy for your auditing database. If necessary, contact your database administrator for more information.Note: • The CMS system database and the auditing database are independent. If

you choose, you can use different database software for the CMS system database and the auditing database, or you can install these databases on separate servers.

• If you have a CMS cluster, every CMS in the cluster must be connected to the same auditing database, using the same connection method and the same connection name. Note that connection names are case sensitive. (See “Clustering Central Management Servers” on page 114 for more information on setting up CMS clusters.)


Managing AuditingConfiguring the auditing database17

To configure the auditing database on Windows1. Start the Central Configuration Manager (CCM).2. Stop the CMS.3. Click Specify Auditing Data Source.4. In the Select Database Driver dialog box, specify whether you want to

connect to the new database through SQL Server (ODBC), or through one of the native drivers.


• If you selected ODBC, the Windows “Select Data Source” dialog box appears. Select the ODBC data source that you want to use as the auditing database; then click OK. (Click New to configure a new Data Source Name (DSN).) Use a System DSN, and not a User DSN or File DSN. By default, server services are configured to run under the System account, which only recognizes System DSNs. When prompted, provide your database credentials and click OK.

• If you selected a native driver, you are prompted for your database Server Name, your Login ID, and your Password. Provide this information and then click OK.

The SvcMgr dialog box notifies you when the auditing database setup is complete.

7. Click OK.8. Start the CMS. When the CMS starts, it will create the auditing database.Note: You can also configure the auditing database using the Properties option for the CMS. Stop the CMS, select Properties, and then go to the Configuration tab. Select “Write server audit information to specified data source”, and then click Specify.

To configure the auditing database on UNIXFor more information on UNIX scripts, see “UNIX Tools” on page 473.1. Use ccm.sh to stop the CMS. 2. Run cmsdbsetup.sh.



3. Choose the selectaudit option, and then supply the requested information about your database server.

4. Run serverconfig.sh.5. Choose the “Modify a server” option. 6. Select the CMS, and enable auditing. Enter the port number of the CMS

when prompted (the default value is 6400).Use ccm.sh to start the CMS. When the CMS starts, it will create the auditing database.Note: • The CMS acts as both an auditor and as an auditee when you configure it

to audit an action that the CMS itself controls.• In a CMS cluster, the cluster will nominate one CMS to act as system

auditor. If the machine that is running this CMS fails, another CMS from the cluster will take over and begin acting as auditor.

Which actions can I audit?You can audit the actions of individual users of BusinessObjects Enterprise as they log in and out of the system, access data, or create file-based events. You can also monitor system actions like the success or failure of scheduled objects. For each action, BusinessObjects Enterprise records the time of the action, the name and user group of the user who initiated the action, the server where it was performed, and a variety of other parameters more fully documented in “Reference list of auditable actions” on page 395.

Reference list of auditable actionsThis section contains the list of the audit actions you can enable in BusinessObjects Enterprise. It is organized according to the types of actions that you can audit, to help you find the server where you enable auditing of these actions. Note: The list of auditable actions for Desktop Intelligence only apply when the documents are created and modified from within BusinessObjects Enterprise. For more information about the actions that are audited, and the data that is recorded for each audit action, see the “Auditing database schema reference” on page 416.



User Actions

Actions BusinessObjects Enterprise Server

Objects An object is created. CMSAn object is deleted.An object is modified.

Crystal reports

A report has been viewed successfully. Cache ServerA report could not be viewed.A report is opened successfully using:• the Advanced DHTML viewer.• a custom application that uses RAS SDK.

RAS

A report fails to open.A report has been created successfully using:• a custom application that uses the RAS

SDK.A report fails to be created. A report is saved successfully (using a custom application based on the RAS SDK).A report fails to save using a custom application based on the RAS API.

Web Intelligence documents

Get list of universes.• A user has begun creating a new Web

Intelligence document, which triggers a request to the server for the list of available universes.


Save document to repository.• A user has saved a Web Intelligence

document within BusinessObjects Enterprise.

Read Document.• User opens an existing Web Intelligence

document.Selection of universe.• A user has selected a universe as they

create a new Web Intelligence document, or as they edit an existing Web Intelligence document.



Web Intelligence documents

Refresh document.• User manually refreshes a Web

Intelligence document, or the user opens a Web Intelligence document that is set to “refresh on open”.


Edit document.• User enters “Edit document” mode for an

existing Web Intelligence document.Apply format.• User applies a formatting change to an

existing Web Intelligence document in a query panel.

Get page.• Server renders the pages of a Web

Intelligence document in response to a user request to display all or part of a document.

Generate SQL.• Server generates an SQL query in

response to a user action that requires data to be retrieved from a database.

Drill out of scope.• User drills past the scope of the data

currently in memory, and triggers a call to the database for more data.

List of values.• A list of values is retrieved from the

database to populate a picklist associated with a prompt used to filter the data in a document.

Select prompt.




Desktop Intelligence documents

A job has been run successfully.• Either a Desktop Intelligence document

has been scheduled or a publication based of that document has been scheduled.

Desktop Intelligence Job Server

A job has failed to run.A job failed but will try to run again.

Users A concurrent user logon succeeds. CMSA named user logon succeeds.A user logon fails.A user’s password is changed.User logs off.

Send an object to a destination

A job has been run successfully.(A user has successfully sent an object to a destination.)

Destination Job Server

A job has failed to run.(An object has failed to be sent to a destination.)A job failed but will try to run again.

File-based events

An event is registered. (Event is created, and registered with system)

Event Server

An event is updated. (The name, description, or filename of an event is modified.) An event is unregistered. (Event is removed from system.)



Managing AuditingEnabling auditing of user and system actions 17

System Actions

Enabling auditing of user and system actionsAfter you determine which BusinessObjects Enterprise server controls the action, you must enable auditing on the server from the Servers management area of the Central Management Console (CMC).If you have multiple BusinessObjects Enterprise servers of a given type, be sure to enable identical audit actions on every server. This makes sure that you collect information on all user or system actions in your BusinessObjects Enterprise system. For example, if you are interested in the total number of concurrent user logons, enable auditing of concurrent user logons on each of your Central Management Servers. If you enable auditing on only one Central Management Server, you will only collect audit information about actions that occur on that server.


Scheduled objects

A job has been run successfully. For example, a scheduled Crystal report or publication has run successfully.

Job Servers

A job has failed to run. For example, a scheduled Crystal report or publication has failed to run.Tip: To audit every failure of a scheduled Crystal report, a scheduled program, or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server.A job failed but will try to run again. Communication with a running instance is lost. For example, a scheduled Crystal report has failed to run because communication with the instance was lost, and the scheduled time for running the report expired.Note: You do not need to enable this option to audit every failure of a scheduled Web Intelligence document.

CMS

File-based events

An event is triggered. Event Server


Managing AuditingEnabling auditing of user and system actions17

In some special cases you may wish to enable auditing on only one server of a given type. For example, if you are interested in the success or failure of only one kind of scheduled report and you have configured your system so that these reports are processed on one particular Job Server, it is not necessary to enable auditing on every Job Server in your system. You only need to enable auditing on the Job Server where the reports are processed. Note: You must configure the auditing database before you can collect data on audit actions. See “Configuring the auditing database” on page 393 for information on how to configure the auditing database.

To enable audit actions 1. Go to the organize Servers area of the CMC.2. Click the server that controls the action that you wish to audit.

(See the “Reference list of auditable actions” on page 395 to find the correct server.)

3. Click the Auditing tab.

4. Select the Auditing is enabled check box.5. Select the audit actions that you wish to record.6. Ensure that your audit log file is located on a hard drive that has sufficient

space to store the log files. (See “Optimizing system performance while auditing” on page 404 for information on adjusting the size of log files.)


Managing AuditingConfiguring the universe connection 17

7. Click Update.Tip: • To audit every failure of a scheduled Crystal report, a scheduled program,

or a scheduled List of Values, enable auditing of “A job has failed to run” on the Job Server, and “Communication with a running instance is lost.” on the Central Management Server.

• Auditing is enabled independently on each server. If you want to audit all actions of a given type, enable identical audit actions on every server that supports those actions. Otherwise your audit record will be incomplete. For example, if you want to track the total number of concurrent logons to your BusinessObjects Enterprise system, you must enable logging of concurrent logons on every Central Management Server in your system.

Configuring the universe connectionThe auditing reports use the Activity universe. Before you can view these reports, you must configure the universe connection. This involves two steps: first you must create a data source for your auditing database, next you must specify this data source for your universe connection.

To create a data source1. Go to the Start menu and select Settings >Control Panel.2. Double-click on Administrative tools.3. Double-click Data sources.4. Click the System DSN tab, and then click Add.5. Select the driver for your auditing database from the list, and then click

Finish.6. Enter the authentication parameters, the database server name, and your

auditing database name, and then click OK.7. Click OK.Tip: You may want to write down the name of your data source as it will be required when you create or edit the universe connection.

To configure the Activity universe connection1. Start Designer from the BusinessObjects Enterprise program group.2. Click on the connections icon in the toolbar.

The Connection List dialog box appears.3. Click Add, and then click Next.


Managing AuditingUsing sample audit reports17

4. Expand the database type and the version that corresponds with the your auditing database.

5. Select the driver or client to use.6. Enter a name for your connection.7. Enter the User Name and Password for your connection.8. Select the Data source name from the list, and then click Next.9. Click Next on the Perform a Test dialog box.10. Click Next on the Advanced Parameters dialog box.11. Click Finish on the Custom Parameters dialog box.12. Click Finish to exit and finalize your connection.

Using sample audit reportsBusinessObjects Enterprise includes two sets of sample audit reports:• One set was created using Crystal Reports.• One set was created using Web Intelligence. Both sets of reports are available in the collateral folder on your product distribution in the file auditing.biar.These sample reports are published to the Auditor folder when you install BusinessObjects Enterprise with a product keycode which authorizes you to use Auditor. The Crystal Reports audit reports are available as object packages with the report sections as individual documents. The Web Intelligence audit reports are available as Web Intelligence documents with the report sections as tabs within the documents. Both sets of reports are based on the Activity universe.Note: You can also deploy the auditing samples to another node. To do this, use the Import Wizard to deploy the auditing.biar to the CMS on the node where you want the reports. For further details, see the Import Wizard help.If you configured the auditing database when you installed BusinessObjects Enterprise, you must do these things before using the sample audit reports:• Enable the auditing of the user and server actions needed to provide data

for the sample reports.For information on how to enable auditing on servers, see “Enabling auditing of user and system actions” on page 399.

• Configure the universe connection used for the sample reports.For procedural details, see “Configuring the universe connection” on page 401.


Managing AuditingControlling synchronization of audit actions 17

If you did not configure the database when you installed BusinessObjects Enterprise, before you use the reports, you must do these things:• Configure the auditing database before you use the sample reports.

For information on how to configure the auditing database, see “Configuring the auditing database” on page 393

• Enable the auditing of the user and server actions needed to provide data for the sample reports.For information on how to enable auditing on servers, see “Enabling auditing of user and system actions” on page 399

• Configure the universe connection used for the sample reports.For procedural details, see “Configuring the universe connection” on page 401.

After you enable auditing of the user and server actions, the auditing database will then begin to be populated with the audit data you specified. Note: If you have recently enabled auditing, the sample audit reports may contain little or no data the first time you view them.

Controlling synchronization of audit actionsThe CMS controls the synchronization of audit actions that occur on different machines. The CMS periodically broadcasts its system time to the auditees in UTC (Coordinated Universal Time). The auditees compare this time to their internal clocks, and then make the appropriate correction to the time stamp (in UTC) they record for subsequent audit actions. This correction affects only the time stamp that the auditee records in its audit log file. The auditee does not adjust the system time of the machine on which it is running.By default, the CMS broadcasts its system time every 60 minutes. You can change the interval using the command-line option: -AuditeeTimeSyncInterval minutes

You can turn off this option by setting minutes to zero. For more information on the CMS, see the Server Command Lines chapter in the BusinessObjects Enterprise Administrator’s Reference Guide. This built-in method of time synchronization will be accurate enough for most applications. For more accurate and robust time synchronization, configure the auditee and auditor machines to use an Network Time Protocol (NTP) client, and then turn off internal synchronization by setting: -AuditeeTimeSyncInterval 0


Managing AuditingOptimizing system performance while auditing17

Tip: If you have a CMS cluster, apply the same command-line options to each server. Only one CMS in the cluster acts as the auditor. However, if this CMS fails, another CMS takes over auditing. This CMS will apply its own command-line options. If these options are different than those of the original auditor, audit behavior may not be what you expect.

Optimizing system performance while auditing

Enabling auditing should have minimal effect on the performance of BusinessObjects Enterprise. However, you can optimize system performance by fine-tuning these command-line options:• -AuditInterval minutes, where minutes is between 1 and 15. (The

default value is 5.) The CMS requests audit records from each audited server every audit interval.

• -AuditBatchSize number, where number is between 50 and 500. (The default value is 200.) The CMS requests this fixed number of records from each audited server, every time interval.

• -auditMaxEventsPerFile number (number has a default value of 500 and must be greater than 0). The maximum number of records that an audited server will store in a single audit log file. When this maximum value is exceeded, the server opens a new log file.

Note: Log files remain on the audited server until all records have been requested by the CMS.Changing each of these options has a different impact on system performance. For example, increasing the audit interval reduces frequency with which the CMS writes events to the auditing database. Decreasing the audit batch size decreases the rate at which records are moved from the audit log files on the audited servers to the auditing database, thereby increasing the length of time that it takes these records to get transferred to the central auditing database. Increasing the maximum number of audit events stored in each audit log file reduces the number of file open and close operations performed by audited servers. You can use these options to optimize audit performance to meet your needs. For example, if you frequently need up-to-date information about audited actions, you can choose a short audit interval and a large audit batch size. In this case, all audit records are quickly transferred to the auditing database, and you can always report accurately on the latest audit actions. However, choosing these options may have an impact on the performance of BusinessObjects Enterprise.


Managing AuditingOptimizing system performance while auditing 17

Alternatively, you may only need to review audit results periodically (weekly, for example). In this case you can choose to increase the audit interval, and to decrease the number of audit records in each batch. Choosing these options minimizes the impact that auditing has on the performance of BusinessObjects Enterprise. However, depending upon activity levels in your system, these options can create a backlog of records stored in audit log files. This backlog is cleared at times of low system activity (such as overnight, or over a weekend), but means that at times your audit reports may not contain records of the most recent audit actions.


Managing AuditingOptimizing system performance while auditing17


Auditing Reports

chapter

Auditing ReportsUsing auditing reports18
Using auditing reports
If you are an administrator who wants to view reports from the auditing database, you have these choices:• You can use the auditing reports that are included with BusinessObjects

Enterprise.• You can modify the auditing reports that are included with

BusinessObjects Enterprise.• You can create your own auditing reports.

Why are reports important?Auditor includes reports that can answer questions you may have about your BusinessObjects Enterprise deployment. Each report contains one or more report sections that focus on a very specific area.

Auditor report namesThis section contains the following:• the list of the report names• the report sections included with the reports• the report prompts

Average Number of Users Logged In

Report sections Report prompts

Average Number of Logged In Sessions

select reporting year

Users Logged In select reporting monthAverage Number of Users Logged In


Auditing ReportsUsing auditing reports 18

Average Refresh Time

Average Session Duration

Average Session Duration per Cluster

Average Session Duration per User


Average Refresh Time by Document

Name of document

Average Refresh Time by UserAverage Refresh Time by Server


Year choose userQuarterMonthWeekDayHour


Average Session Duration in Minutes over the Period

select reporting timeframe

Average Session Duration in Minutes per WeekAverage Session Duration in Minutes per Day


Average Session Duration in Minutes over the Year

select reporting year



Cluster Nodes

Document Information Detail

Document Scheduling and Viewing Status

Job Summary

Average Session Duration in Minutes per Month per UserAverage Session Duration in Minutes per Week per User



Servers in the Cluster None


None select document


None select start dateselect end date


Jobs per StatusSuccessful JobsFailed Jobs



Jobs per Job Server

Jobs per User

Job Servers on the System

Last Login for User


Jobs per Job Server Kind- Summary

None

Jobs per Job Server KindJobs per Job Server


Jobs per User - Summary NoneJobs per UserJob Duration per User


Jobs per User - Summary NoneJobs per UserJob duration per UserJob Failure per User


None select user


Least Accessed Documents
Most Accessed Documents

Most Active Users

Most Popular Actions


Least Accessed Documents - By times Read

None

Least Accessed Documents - By EditsLeast Accessed Documents - By Refreshes


Most Accessed Documents - By times Read

None

Most Accessed Documents - By EditsMost Accessed Documents - By Refreshes


Most Active Users by Logins NoneMost Active Users by Refreshes

Report Sections Report Prompts

Most Popular Actions - By Year select yearMost Popular Actions - By Quarter

select year

Most Popular Actions - By Month

select year



Most Popular Actions per Document

Number of User Sessions

Number of Users in the SystemT

Password Modifications

Most Popular Actions - By Week

select year

Most Popular Actions - By Day select year

Report Sections Report Prompts


Most Popular Actions per Document- By User

select document (s)

Most Popular Actions per Document- By SessionMost Popular Actions per Document- By Action Most Popular Actions per Document- By Month


None select year(s)


None None


Password Modifications - By Month

select start date

Password Modifications - By Week

select end date

Password Modifications - By Details


Peak Usage
Refresh and Edit Activity

Rights Modification

Total Users Logged In by Day

User Activity


Users Login Peaks select yearSession Login PeaksNumber of Action Peaks


None select user


Rights Modification - By User select start dateRights Modification - By Object select end date


Total Users Logged In by Day -Total Number of Logged In Users

enter a date

Total Users Logged In by Day - Total Number of Logged in Sessions


User Activity by Month select start dateUser Activity by Week select end dataUser Activity by Day


Auditing ReportsViewing sample auditing reports 18

User Activity per Session

Users Who Logged Off Incorrectly

Viewing sample auditing reports To view sample audit reports

1. Log on to InfoView.2. Expand Public Folders.3. Select Auditing Reports to display the list of sample audit reports.4. Open the report you want to view.

• To open a Web Intelligence audit report, click on the report you want to view.

• To open a Crystal Reports audit report, open the object package, and then open the report you want to view.


User Activity per Session Per Cluster

choose user(s)

User Activity per Session Per Session User Activity per Session Per Action Name User Activity per Session Per Date


StatisticsUsers Who Logged Off Incorrectly


Auditing ReportsCreating custom audit reports18
Creating custom audit reports
This section contains information to help you understand the auditing database, the Activity universe and the information it records about audit actions. With this information, you can use Crystal Reports, Web Intelligence or Desktop Intelligence to create custom audit reports of user and system actions.

Auditing database schema referenceThe auditing database contains six tables:• “Audit_Event” on page 416• “Audit_Detail” on page 417• “Server_Process” on page 418• “Detail_Type table” on page 420• “Event_Type” on page 419• “Application_Type” on page 419The following diagram shows the Activity universe which is based on the auditing database.

Audit_EventThe Auditt_Event table stores one record per action that is audited and contains general information about each audit event.


Auditing ReportsCreating custom audit reports 18

Audit_Detail The Audit_Detail table records more details about each audit action recorded in the Audit_Event table. For example, when a user logon fails, the reasons for that failure are recorded as audit details.There may be more than one record in this table for each audit action recorded in the Audit_Event table.

Field DescriptionServer_CUID Server process ID.

Combined with the Event_ID to form the primary key for the Audit_Event table.

Event_ID A unique ID generated by the server to identify the audit event. Combined with Server_CUID to form the primary key for the Audit_Event table.

User_Name Name of user who performed the action.Start_Timestamp Time for start of action in UTC (Coordinated

Universal Time) to the nearest millisecond. The time stamp is created by the server recording the action in its log file, and includes any correction necessary to synchronize with CMS time. You may want to correct this time to your local time zone when creating audit reports.

Duration Duration, in seconds, of the action that is audited.Event_Type_ID Number that uniquely identifies the type of action

the entry represents. Foreign key for the Event_Type table.

Object_CUID Info Object ID of object associated with the action. This number uniquely identifies an object.

Error_Code Field reserved for error codes generated by the Web Intelligence Report Server.



Server_ProcessThe Server_Process table contains information about the servers running within your BusinessObjects Enterprise system which can generate audit events.


Combined with the Event_ID and the Detail_ID to form the primary key for the Audit_Detail table.

Event_ID A unique ID generated by the server to identify the audit event. Combined with Server_CUID and the Detail_ID to form the primary key for the Audit_Detail table.

Detail_ID The Detail_ID field is used to number the individual details associated with each audit action. That is, if there are two details associated with a particular audit action, the first will have a Detail_ID of 1, and the second will have a Detail_ID of 2.

Detail_Type_ID Number that uniquely identifies the type of detail about the audit action that the entry represents. Foreign key for the Detail_Type table.

Detail_Text Information about the audit detail being recorded. For example, if the Detail_Type_Description were “universe name”, the detail text would contain the name of that universe.


Primary key for the Server_Process table.Server_Name Machine name of the server that produced the

action. That is, the host name.Application_Type_ID A unique ID that identifies the type of application

that generated the audit action. Foreign key to the Application_Type table.



Event_TypeThe Event_Type table contains a static list of the kinds of events that can be audited in your BusinessObjects Enterprise system. This table provides information roughly equivalent to that provided by AuditIDs and AuditStrings in Crystal Enterprise

Application_TypeThe Application_Type table contains a static list of the applications that can produce audit events. In BusinessObjects Enterprise XI, the applications that can be audited are servers.

Server_FullName Friendly name of the server that produced the action. The server’s friendly name is the name displayed in the CMC. The default friendly name is hostname.servertype.

Server_Version Version of BusinessObjects Enterprise on server that produced the action.

Field Description

Field DescriptionEvent_Type_ID Number that uniquely identifies the type of

audit event that the entry represents. Event_Type_Description Description of the type of audit event.

Field Name DescriptionApplication_Type_ID A unique ID that identifies the type of

application that generated the audit action.

Application_Type_Description The description of the application generating the audit event.


Detail_Type table
The Detail_Type table contains a static list of the standard details that can be recorded about audited events. For example, a user logon can fail for a number of different reasons. These reasons are listed as entries in the Detail_Type table. The information in the Detail_Type table is equivalent to the information that was recorded in variable AuditStrings in Crystal Enterprise 10.

Event_Type table referenceThe following tables list the Event_Type_ID and Event_Type_Description of all events that can be audited in your system. For your convenience, these events are ordered according to the server that generates each type of event.

CMS audit events

Field DescriptionDetail_Type_ID Number that uniquely identifies the type of

audit detail that the entry represents. Detail_Type_Description The description of the type of audit detail

generated by the audit event.

Event_Type_ ID Event_Type_Description Description

65537 Concurrent user logon succeeded.

The user logged on successfully, using a concurrent user license.

65538 Named user logon succeeded.

The user logged on successfully, using a named user license.

65540 User logged off.65541 User password has been

changed.65539 User logon failed. Logon failed because there

was no valid license key available.



Cache Server audit events

65542 New folder created. A new folder is created, or an existing folder is copied. Note that this audit string will not be recorded when a new user account is created, even though creating a user creates a user folder.

65543 Folder deleted. A folder is deleted.Note that this audit string will be recorded when a user account (and therefore the user’s folder) is deleted.

65544 Folder modified. The name, location, or description of the folder was changed.

65545 Job failed. Reason: Unresponsive Job Server Child process.

A scheduled report or scheduled program failed to run because communication with the running instance was lost, and the scheduled time for running the job expired. Note: This action must be audited by the CMS as Job Servers are not aware of losing communications with a job.


196609 Crystal report viewed successfully.

User successfully viewed a Crystal report that has saved or live data.

196610 A report could not be viewed.

User attempted to view a Crystal report, but was not successful.




Job Server audit eventsFor scheduled objects, the audit messages give you information about the status of scheduled actions. For example, the audit messages can tell you if a scheduled report ran successfully. For the Destination Job Server, the audit messages give you information on whether an object was sent to a destination, as requested by a user.

Event Server audit events

Event_Type_ ID

Event_Type_Description Description

327681 Job successful. The object ran as scheduled (or requested) and the job completed successfully.

327682 Job failed. The scheduled job did not complete successfully.

327683 Job failed. Job will be retried by the CMS.

The scheduled job did not complete successfully. The job will be retried by the CMS at a later time. For more information on scheduling jobs, see the BusinessObjects Enterprise Administrator’s Guide.


262145 Event registered User creates a file-based event that can be used to schedule objects.

262146 Event unregistered User deletes a file-based event.

262147 Event updated Event object was modified by a user, or by the system. Events are updated when a user modifies the name or description of the file-based event.

262148 Event triggered File-based event was initiated.



Application_Type table reference

Report Application Server audit eventsThe Report Application Server (RAS) is used to view reports opened with the Advanced DHTML viewer, and to create reports using custom applications developed with the RAS SDK.

Application_Type_ID Application_Type_Description

1 Unknown Application8 Web Intelligence Report Server11 Central Management Server

(CMS)12 Cache Server13 Report Job Server14 Report Application Server (RAS)15 Event Server16 Program Job Server18 Destination Job Server19 Web Intelligence Job Server




458753 Report was opened for viewing and/or modification

User opened a report for viewing or modification.Note: In a few cases, this Event_Type_ID may be generated when the report opens but cannot be viewed. This may occur when:• There are problems

with the database setup for the report. For example, you may see this message when the database driver for the report is not present on the client machine

• A processing extension associated with the report aborts viewing, or fails.

• The report used Business Views and the user did not have permissions to refresh the underlying data connections.

• The machine running the RAS ran out of space in its temporary directory.

458754 Report was saved to the CMS.

An existing report was saved.Note: This Event_Type_ID is generated when a custom application created using the RAS SDK saves a report (using the Save method). Consult your RAS SDK documentation for details.



Web Intelligence Report Server audit events

458755 Report was created and saved to the CMS

A new report was created and saved. This Event_Type_ID is generated when a custom application created using the RAS SDK saves a new report (using the Save As method). Consult your RAS SDK documentation for details.

458756 Report could not be opened.

The report could not be opened by the RAS.

458757 Report could not be saved to the CMS.

An existing report could not be saved by RAS. This Event_Type_ID is generated when a custom application created using the RAS SDK cannot save a new report (using the Save As method). Consult your RAS SDK documentation for details.

458758 Report could not be created in the CMS.

A newly created report could not be saved by RAS.


6 Get list of universes User accesses a list of universes as part of a document creation workflow.

9 Save document to repository

User saves a Web Intelligence document to BusinessObjects Enterprise.

11 Read document User opens an existing Web Intelligence document.

13 Selection of universe User selects a universe as part of a document creation workflow. This event occurs when a user opens the query panel.




19 Document refresh User manually refreshes a Web Intelligence document, or user opens a Web Intelligence document that has the “refresh on open” document property assigned.

21 List of values A list of values is retrieved from the database to populate a picklist associated with a prompt used to filter the data in a document.

22 Edit document User has moved into Edit document mode.

28 Apply format User applies a formatting change to a document, in a query panel.

40 Get page User action results in a request to server to generate the necessary data and layout to display all or part of a Web Intelligence document.

41 Generate SQL Appears when a user refreshes a document.

42 Drill out of scope User drills past the scope of the data currently in memory, and triggers a call to the database for more data.



Customizing the appearance of Web Intelligence documents

appendix

Customizing the appearance of Web Intelligence documentsCustomizing the appearance of Web Intelligence documentsA
Customizing the appearance of Web Intelligence documents
You can customize the default appearance of all new Web Intelligence documents created using the Web Intelligence Java Report Panel or the HTML - Query Panel. To do so, you must edit a file called defaultconfig.xml.By editing defaultconfig.xml, you can change the default appearance of many interface elements:• fonts and font sizes for tables, cells, chart axes, and so on• background colors (“wallpaper”)• lines and borders for cells and tables• color palettesThe new settings take effect only for reports created after the defaultconfig.xml file is modified and saved. Earlier reports are not affected by the new settings.In the defaultconfig.xml file, settings are grouped by “key value.” (See “List of key values” on page 432.) To modify a setting, open the defaultconfig.xml file in a text editor and modify the parameter you want. Back up the original file before you start.For an example of how to modify the defaultconfig.xml file, see “Example: Modifying the default font in table cells” on page 433.Note: • You cannot use defaultconfig.xml to customize the appearance of the

HTML Report panel.• The defaultconfig.xml is also used by the REBean Editing SDK. For more

information, see the developer documentation.


Customizing the appearance of Web Intelligence documentsCustomizing the appearance of Web Intelligence documents A

What you can do with the defaultconfig.xml fileWith the defaultconfig.xml file, you can change certain aspects of the look and feel of Web Intelligence reports. You can make the reports adhere to your corporate visual guidelines.Here’s what a Web Intelligence report looks like before changes are made to the defaultconfig.xml file:



By modifying a few settings—stable header and body cell fonts, alternative row settings, chart axes values, label fonts, and section cell borders—default Web Intelligence tables and charts can look like this:

Locating and modifying defaultconfig.xmlTo customize the default appearance of a new Web Intelligence document, you must edit the defaultconfig.xml associated with the report panel used to create that document. Each report panel has its own defaultconfig.xml file.



Desktop Intelligence Enterprise Java InfoViewIf you deploy the Desktop Intelligence Enterprise Java InfoView, you can customize the default appearance of documents created using the Java Report Panel or the HTML-Query Report Panel. On Windows, you must edit the defaultconfig.xml files inside the desktop.war file. For additional information on modifying XML and .war files, see the BusinessObjects Enterprise Installation Guide.

To update defaultconfig.xml in the .war file1. Stop the web application server if it is running.2. Find the desktop.war file. On Windows, it’s found at C:\Progam

Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications\desktop.war. On UNIX, it’s found at /bobje/enterprise11/java/applications/desktop.war.

3. Extract defaultconfig.xml from the desktop.war file.For the Java Report Panel, extract webiApplet\AppletConfig\defaultconfig.xml

For the HTML-Query Report Panel, extract WEB-INF\classes\defaultconfig.xml

Tip: On Windows, you can use a tool such as WinZip to extract and replace files in a .war file.

4. Make a backup of the defaultconfig.xml file.5. Open defaultconfig.xml, and make your changes.

See “List of key values” on page 432 for information on the values you can change, and “Example: Modifying the default font in table cells” on page 433 for an example.

6. Save and close defaultconfig.xml.7. Reinsert defaultconfig.xml into desktop.war. Ensure that you insert the

file into the correct directory within the .war file.8. Restart your web application server and redeploy desktop.war. See the

BusinessObjects Enterprise Installation Guide for details.

Desktop Intelligence Enterprise .NET InfoViewIf you deploy the Desktop Intelligence Enterprise .NET InfoView, you can customize the appearance of new documents created using the Java Report Panel. To customize the appearance of reports created with the Java Report Panel, edit the copy of defaultconfig.xml found at:C:\Program Files\Common Files\Business Objects\3.0\java\webiApplet\AppletConfig


List of key values
In the defaultconfig.xml file, settings are grouped by “key value.” The following table lists the key values and the corresponding interface elements.

Key value Interface element

Block*defaultBg Background colors for blocksBlock*selectionBg Background colors for selected blocksCell*selectionColor Selected cell colorcell_skin0,report_skin0, section_skin0,bloc_skin0

Combo default skin

freeCell*default Free cells (not section cells)freeCell*section Section cellsgraph*Data Removing black line around bar chartsgraph*Graph General settings for graphsgraph*Palette*0 Adding a new color palettegraph*Palette*1 Adding a new color palettegraph*Wall Default background colors for chartsgraph*YGrid Color for horizontal grid (Y axis)graph*ZGrid Removing X-axis and Z-axis gridgraph*XLabels X-axis labels in a graphgraph*YLabels Y-axis labels in a graphgraph*ZLabels Z-axis labels in a graphgraph*XValues X-axis values in a graphgraph*YValues Y-axis values in a graphgraph*ZValues Z-axis values in a graphpage*default Default page layout. For example: A4,

Letter; portrait or landscape.Section*arrowColor Color of section arrowSection*background General settings for sectionsSection*selectionColor Color of selected section arrowtable*AltBody Alternate body cells in a tabletable*body Body cells in a tabletable*BodyForm Body cells in a form



Example: Modifying the default font in table cellsYou can modify the default font to another font available on your system, including non-standard fonts that you install on the server. The default font is Arial.This setting is found in the table*Body key value in the defaultconfig.xml file.Languages and fonts must be supported on the client machine for correct display. In addition, all fonts must be defined in the fontalias.xml file.Note: To change the default appearance of Web Intelligence documents created in a report panel, you must modify and deploy the correct copy of the defaultconfig.xml file. See “Locating and modifying defaultconfig.xml” on page 430 for more information.

To modify the default font1. Make a backup of the defaultconfig.xml file.2. Open the defaultconfig.xml file.3. Find the table*Body key value.

Here’s what it looks like:

table*ExtraHeader Object name cells in a crosstabletable*Footer Footer cells in a tabletable*Form General settings for formstable*Header Header cells in a tabletable*HeaderForm Header cells in a formtable*Table General settings for tablesUI*default Custom fonts

Key value Interface element



4. To change the default font for specified languages, enter the font name after FACE=.For example, to change only Japanese to a font named “SpecialFont,” you would enter:<FONT xml:lang="ja" FACE="SpecialFont" ...

5. To change the overall default font for all non-specified languages, enter the new font name after FONT FACE=.Note: You must modify the default font values separately for each language you want to change.

6. Modify any other attributes you want, such as font size.7. Save and close the defaultconfig.xml file.


Server deployment and firewall configuration

appendix

Server deployment and firewall configurationAbout this appendixB
About this appendix
This appendix uses a sample deployment to demonstrate how to configure Business Objects Enterprise servers and firewalls in complex deployment scenarios.It is important to note that the optimal configuration for your deployment will depend on many factors: hardware configuration, database software, reporting requirements, operating system, clock speed, hyperthreading, disk speed, application server configuration, load frequency, and many more. Every deployment is unique, and these examples are provided only as guidelines. For information about developing your own deployment plan, see “Planning Your Deployment” on page 57.This appendix contains:• Information on how BusinessObjects Enterprise components

communicate across the network.• Instructions for configuring BusinessObjects Enterprise servers.• Instructions for configuring firewalls to allow BusinessObjects Enterprise

components to communicate with each other.• Help for deploying BusinessObjects Enterprise servers on machines with

more than one Network Interface Card (NIC).• A list of unsupported deployment scenarios.This appendix is relevant to the following deployment scenarios:• BusinessObjects Enterprise servers and clients are separated from each

other by one or more firewalls.• BusinessObjects Enterprise servers are deployed on machines with more

than one Network Interface Card.If all BusinessObjects Enterprise components are deployed entirely on the same subnet, and if no server is deployed on a multi-homed machine, then you do not need the information in this appendix.

Understanding how BusinessObjects Enterprise servers communicate

This section explains how BusinessObjects Enterprise servers communicate with each other using CORBA. This information will help you to understand how to configure BusinessObjects Enterprise servers and the firewalls that separate them.


Server deployment and firewall configurationUnderstanding how BusinessObjects Enterprise servers communicate B

Using CORBA to communicateBusinessObjects Enterprise clients and servers use CORBA to communicate with each other. A BusinessObjects Enterprise server extends a service that other clients or servers can discover and invoke. BusinessObjects Enterprise clients and servers store a reference to a server’s service. The reference is a CORBA reference called an Interoperable Object Reference (IOR). The IOR contains the host name or host IP address plus the port number of the machine that the service runs on.

Registering with the CMSAll BusinessObjects Enterprise servers must register with the CMS when they start up. This process uses the following steps: 1. The server contacts the CMS.

A BusinessObjects Enterprise server contacts the CMS on the CMS’s bootstrap port. The CMS bootstrap port is specified in the BusinessObjects Enterprise server’s -ns <cms host name:nameserver_port> option. The CMS returns an IOR that refers to its CMS factory service. BusinessObjects Enterprise servers use the CMS factory service for all CORBA communication with the CMS.

2. The server builds its service IOR.A BusinessObjects Enterprise server’s service IOR contains the service’s host name or IP address and port number.• If the -port <host name or host address> option is set, the

BusinessObjects Enterprise server uses the specified host name or host address in the IOR. If its -port option is not set, the server makes a system call to its host machine to discover its IP address. (On a multihomed machine, this call typically returns the machine’s main IP address).

• If the -requestport <port number> option is set, the BusinessObjects Enterprise server uses the specified port number in the IOR. Otherwise, the BusinessObjects Enterprise server chooses chose a port at random. If your BusinessObjects Enterprise components are separated from each other by firewalls, you should use the -requestport option. Then you can open that specific port in your firewall.

3. The server registers with the CMS.


Server deployment and firewall configurationUnderstanding how BusinessObjects Enterprise servers communicateB

The BusinessObjects Enterprise server registers with the CMS via the CMS factory service. The CMS creates a server infoObject to represent the BusinessObjects Enterprise server. The infoObject contains the BusinessObjects Enterprise server’s host name, the IOR it passed in, and other information. (You can look in the System Objects table in the CMS Repository to see a list of server infoObjects.)

Note: The CMS uses two ports. Every BusinessObjects Enterprise server must be able to contact the CMS on both ports.

Communicating with client applicationsClient applications can be web applications such as Infoview or the CMC that are hosted in an application server. They can also be thick clients such as Crystal Reports or Desktop Intelligence. (All client applications contain the BusinessObjects Enterprise SDK.)BusinessObjects Enterprise servers publish services. Client applications use these services to interact with the BusinessObjects Enterprise system. BusinessObjects Enterprise servers can live anywhere on the network. When a client application needs to use a BusinessObjects Enterprise server’s service, it first asks the CMS for the server’s IOR, then uses the IOR to invoke the server’s service.Note: Each client application must be able to contact both the CMS bootstrap port and the CMS Factory service.1. The client application requests a service from the CMS.

Users enter the CMS host name and (optionally) the bootstrap port number when they log on to the BusinessObjects Enterprise system. Port 6400 is used if no bootstrap port number is entered. The CMS returns the IOR for the requested service. The IOR contains the service’s host and port.

2. The client contacts the service on the host and port that was specified in the service IOR.The IOR may be passed through one or more firewalls. The host and port number in the IOR are passed as opaque strings through the firewall, and no Network Address Translation (NAT) will be applied to them. Therefore, the service’s host and port must be routable from the client. If the firewall uses NAT, then the IOR should contain the service’s host name instead of the host IP address.Note: The service’s host and port must be routable from the client. If the firewall uses NAT, the IOR should contain the service’s host name, not the host IP address.


Server deployment and firewall configurationConfiguring BusinessObjects Enterprise servers B

Configuring BusinessObjects Enterprise servers

BusinessObjects Enterprise servers have many configuration parameters as detailed in the end user administration guide. This section describes only the -port, -requestport, and -ns option. These options affect:• Whether the IOR contains a specific port or a randomly-selected port

This is important if BusinessObjects Enterprise components must contact each other through a firewall.

• Whether the IOR contains host IP address or host nameThis is important if your firewall uses NAT.

• Whether the server listens on any port or only the specified port• Whether the server listens on any NIC or only the specified NIC

This can be important when you deploy multiple CMS servers on the same machine, or when you deploy a BusinessObjects Enterprise server on a machine with more than one NIC.

Note: When you change a server’s configuration parameters you must force the BusinessObjects Enterprise system to recognize the changes. See “Frequently Asked Questions” on page 443.

Configuring the CMS server

Syntax-port <FQDN:port|host_address:port> -requestport <port>

Examples-port servername.example.com:6401-requestport 6499 -port 10.50.1.2:6400 -requestport 6410-port servername.example.com


Server deployment and firewall configurationConfiguring BusinessObjects Enterprise serversB
Parameter Description (CMS server) When to use-port(specifies the bootstrap host and port)
DescriptionOptional. Forces the CMS to listen on the specified host and port. Forces the CMS factory service IOR to contain the specified host name or host IP address.If not specifiedCMS server makes a system call to determine the IP address of its host machine, and uses port 6400 by default. CMS factory service IOR will contain the host IP address.Allowed settings-port FQDN-port FQDN:port-port host_address-port host_address:portRelationship to other serversOther CMS servers must know how to contact the CMS. A server’s -ns option contains the CMS host and port that the server will contact when it starts up. If you change the -port parameter on the CMS, you must update the -ns parameter of all other servers in the cluster.

If BusinessObjects Enterprise components must communicate across firewalls that use NAT.If you do not specify -port, the service IOR will contain the server’s IP address. If you specify -port <fqdn>, the service IOR will contain the server’s host name. This allows firewalls that use NAT to resolve the host name to a routable address.If more than one CMS server is deployed on the same machine.If you deploy multiple CMS servers on the same machine, you must bind each CMS Name Server to its own port.

-requestport(CMS Factory service)

DescriptionOptional. Forces the CMS to accept CORBA communication on the specified port only. If not specifiedCMS will accept CORBA communication on any port. The CMS factory service IOR will contain a randomly-chosen port.

CMS must communicate across firewalls, even non-NAT onesYou must specify -requestport if a firewall separates this CMS from any BusinessObjects Enterprise servers, client applications, or the Application server. Open the specified port in the firewall.



Configuring non-CMS servers

Syntax-port FQDN -requestport port -ns cmsFQDN:port

Example-port servername -requestport 6409 -ns

servername.example.com:6400 -requestport 6409

Parameter Description (non-CMS server) When to use-port(Specifies host for the IOR. Has nothing to do with port numbers)

DescriptionOptional. Binds the service to the specified NIC. The service accepts communication only on the specified NIC. The server itself can still use any NIC when initiating communication. (It uses the host machine’s routing tables to ensure it chooses the right NIC.) If not specifiedServer can listen on any NIC. IOR will contain IP address, not host name. Allowed settings-port FQDN (IOR uses the host name)-port host_address (IOR uses the IPaddress)

If this server must communicate across firewalls that use NAT.If you do not specify -port, the service IOR will contain the server’s IP address. If you specify -port <fqdn>, the service IOR will contain the server’s host name. This allows firewalls that use NAT are able to resolve the host name to a routable address.


Server deployment and firewall configurationConfiguring BusinessObjects Enterprise serversB

Configuring Job Servers for firewallsIf a firewall separates a Job Server from any other BusinessObjects Enterprise server, perform the following steps:• On each Job Server, specify a port range for the Job Server children:

-requestJSChildPorts <lowestport>-<highestport>

All Job Server children will be bound to a port from within the specified range. Note that the port range should never exceed the -maxJobs setting.Note: If -requestJSChildPorts is not set, then Job Server children will be bound to a randomly-selected port.

• On the firewall, open the specified port range. Allow communication in both directions between the Job Server children and all BusinessObjects Enterprise servers.

• On the firewall, open the following additional ports (for Destination Job Servers):

-requestport(specifies port number)

DescriptionOptional. Forces the server to accept communication on the specified port only. The server can still talk out any port. If not specifiedServer will accept communication on any port. The service’s IOR will contain a randomly-chosen port

Server must communicate across firewalls, even non-NAT onesYou must specify -requestport if a firewall separates this server from the CMS or any other BusinessObjects Enterprise servers. Open the specified port in the firewall.

-ns(the bootstrap host and port for the CMS that this server must contact when it starts up.)

DescriptionRequired. Tells the server where to find the CMS.Allowed settingsMust match the -port option set on the CMS server. If the CMS server does not have the -port option set, use the host name on which the CMS server is deployed plus port 6400.The CMS bootstrap host and port must be routable from this server’s host machine.

Always specified.(If CMS clusters are used, the server is guaranteed to use the host and port specified in the -ns parameter only for the very first contact with the CMS. At this point, a list of the bootstrap ports from all CMS servers in the cluster is added to the registry on the server’s host machine. Any one of those CMS might be used in subsequent start-ups.)

Parameter Description (non-CMS server) When to use



• port 21 and 22 for FTP in and FTP out (for sending objects to an FTP destination)

• port 25 for SMTP out (for sending objects to an email destination)• (UNIX only) ports 512 and 514 for rexec/rsh out (for sending objects

to a disk destination)Note: For the purposes of configuring your firewall, assume that the Job Server must talk to every other server.

Frequently Asked QuestionsThis section contains common questions about configuring BusinessObjects Enterprise servers and firewalls.Do I need to allow BusinessObjects Enterprise components inside the firewall to access components outside the firewall?No platform server needs to initiate contact with the client. I added or changed -port and/or -requestport options, but the changes were not picked up.If you change a server’s parameters, you must:1. In the CMC, delete the server.2. Restart the server.3. Re-enable the server.Note: If you change the CMS bootstrap host and/or port, you must update the -ns option for the other BusinessObjects Enterprise servers in the cluster.Should the -name option match the -port option?No, the -name option does not have to match the -port option. However, the -name option must be unique in the CMS cluster, and must contain at least one "." character.I’m deploying a CMS or other BusinessObjects Enterprise server on a multihomed machine. Should I do anything special?See “Configuring a multihomed machine” on page 149.Should I configure a server with its host name or its fully qualified domain name?The service's IOR must contain a host and port number that is routable from all other BusinessObjects Enterprise components that need to use the server. In general, it is better to use the server machine's fully qualified domain name (FQDN). However, in some cases you might actually want to use the server machine's host name.


Server deployment and firewall configurationConfiguring firewallsB

Consider the following example. Your File Repository Server is on a machine called myhost.domain.com with an IP address of 987.654.32.1. From the application server’s point of view, myhost.domain.com resolves to 987.654.32.1. In this case, you can use the FQDN for the -port option on the FRS. However if you use only the host name myhost for the -port option, the application server might not be able to resolve myhost to the correct address. The host name may resolve to an incorrect address, such as myhost.olddomain.com. However, there are situations where you may need to configure a server with its host name instead of its FQDN. For example, you might have a firewall between the application server and the CMS. On the client side of the firewall, the host name could resolve to myhost.fwdomain.com. On the CMS side of the firewall, the host name could resolve to myhost.secure.com. You could configure your network so that myhost.fwdomain.com:6400 is forwarded to myhost.secure.com:6400. In this case, you can configure the FRS with the host name instead of the fully qualified domain name.

Configuring firewallsThis section explains how to configure firewalls in different deployment scenarios. This appendix talks about firewalls as hardware devices that are deployed on the network. However, these concepts also apply to software firewalls running on any BusinessObjects Enterprise or non-BusinessObjects Enterprise machine. For example, you may also need to open holes in any software firewall that is running on the same machine as your BusinessObjects Enterprise servers.The following table summarizes general guidelines for configuring firewalls to work with BusinessObjects Enterprise servers:


Server deployment and firewall configurationConfiguring firewalls B

Server Configuration

CMS server Set -port <FQDN>:<port> if the CMS must communicate across firewalls. If the firewalls use NAT, you must use the host name. If the firewalls do not use NAT, you can use the host name or the IP address. Remember servers (probably) can’t communicate across firewalls that use PAT or NAT in Hide Mode.In some cases you might need to use -port to force the server to bind to a specific NIC.Set -requestport if the CMS must communicate across firewallsThis applies to all deployments in which BusinessObjects Enterprise components must communicate through firewalls. Setting requestport forces a service to listen on the specific port. You can then open that port on the firewall.Note: CMS servers may be clustered. If so, you need to configure the firewall for each CMS in the cluster.

BusinessObjects Enterprise server (non-CMS server)

Set -port <FQDN> if the server must communicate across firewalls that use NATRemember servers (probably) can’t communicate across firewalls that use PAT or NAT in Hide Mode.In some cases you might need to use -port to force the server to bind to a specific NIC.Set -requestPort <port> if the server must communicate across firewalls Description is the same as for the CMS server.

Additional servers If you add another server on the same machine, you need to open another hole in the firewall. Also note that each new server must have a friendly name that is unique across the entire deployment. That is, no other server registered with the Name Server should have that friendly name.For example, assume you used the Central Configuration Manager -> Add Server to add a second Page server to a machine. If that second Page server needs to communicate across a firewall, you must open a hole in the firewall.

Special consideration for Job Servers

See “Configuring Job Servers for firewalls” on page 442.


Server deployment and firewall configurationConfiguring firewallsB

Not every BusinessObjects Enterprise component needs to initiate communication with every other BusinessObjects Enterprise component. However, without knowing exactly which components need to communicate in which workflows, it is safer to assume all of these points are true. You must then open the corresponding ports in any firewalls that separate these components.• Every BusinessObjects Enterprise server must be able to initiate

communication with the CMS (both on the bootstrap host and port and the CMS factory service).

• Every CMS (both bootstrap port and factory service) must be able to initiate communication with every BusinessObjects Enterprise server.

• Every BusinessObjects Enterprise server must be able to initiate communication with ever other BusinessObjects Enterprise server.Note: This is not always true, but it is easier to assume that it is. Most servers need to talk to both the input and the output FRS. Some types of Job Servers need to talk to their related processing servers. EPM (Performance Management) servers typically need to talk to each other.

• Job Servers children need a port range.These servers spawn child processes. These child processes will be assigned a random port unless you specify a port range.

• Remember that Destination Job Servers use additional ports.See “Configuring Job Servers for firewalls” on page 442.

• Every BusinessObjects Enterprise web client and thick client must be able to initiate communication with every BusinessObjects Enterprise server.

• Every BusinessObjects Enterprise client must be able to initiate communication with the Application Server, and vice versa.This is only a concern on IIS, where the Application Server and the Web Server can be deployed separately.

• Should you assume that every BusinessObjects Enterprise server must be able to initiate communication with every BusinessObjects Enterprise client?No. No Platform server needs to initiate contact with the client.


Server deployment and firewall configurationConfiguring firewalls B

Example: A firewall between the application server and BusinessObjects Enterprise servers

When you put a firewall between the application server and the BusinessObjects Enterprise servers, you must open a port for every BusinessObjects Enterprise server.Consider the following example. Assume that an application server (210.32.24.1) and the rest of the BusinessObjects Enterprise servers are on different subnets, with a firewall between them. The firewall uses Network Address Translation (NAT). In this example, the servers are configured as follows:

When configuring the CMS in this situation, consider the following:• -port FQDN was specified because communication must cross a firewall

that uses NAT. Port 6400 will be used for the bootstrap port, because no other port was specified.

• -requestport 6499 was specified because communication must cross a firewall. Port 6499 will be opened in the firewall.

When configuring other servers in this situation, consider the following:• -port FQDN was specified because communication must cross a firewall

that uses NAT. Of course, you never specify a port number on this option for non-CMS servers.

• -requestport port was specified because communication must cross a firewall. We will open the specified ports in the firewall.\

• -ns must always be specified. It matches the -port host:port parameter that was configured on the CMS server.

When configuring the firewall in this situation, consider the following:

Server Configuration

CMS (192.169.10.1)

-port host1 -requestport 6499

Page Server (192.168.10.2)

-port host2 -requestport 6401 -ns host1:6400

Cache Server (192.168.10.3)

-port host3 -request 6401 -ns host1:6400


Server deployment and firewall configurationDeploying BusinessObjects Enterprise on multihomed machinesB

Deploying BusinessObjects Enterprise on multihomed machines

This section describes special considerations for deploying a BusinessObjects Enterprise server on a multhihomed machine.Note: To deploy BusinessObjects Enterprise on multihomed machines, you may need a patch. See “This scenario requires a patch” on page 450Can BusinessObjects Enterprise servers benefit from the increased bandwidth of having multiple NICs on the same subnet?Traffic coming in to the server will always come in on the host and port specified in the service’s IOR (this is true whether or not you configure a server with -port). However, the server can use any NIC to initiate communication. The -port option binds a service to a particular NIC. Can the server still "talk out" any NIC?When you use the -port option, a service binds to a particular NIC. The service will accept communication only on the specified NIC. Once the request is made and the connection is established, all inbound and outbound communication for that connection will happen on that NIC.

Why are we opening this? Source Destination Permissions

Application server initiates communication with CMS Factory Service

210.32.24.1:any 192.168.10.1:6400 allow

Application server initiates communication with CMS

210.32.24.1:any 192.168.10.1:6499 allow

Application server initiates communication to Page Server

210.32.24.1:any 192.168.10.2:6401 allow

Application server initiates communication to Cache Server

210.32.24.1:any 192.168.10.3:6401 allow

Do BusinessObjects Enterprise servers ever initiate communication with application server?

No. However the RAS viewer initiates communication with one or more clients.


Server deployment and firewall configurationDeploying BusinessObjects Enterprise on multihomed machines B

However, if the server needs to initiate communication to another BusinessObjects Enterprise component, it can use any NIC. The server will use its host machine’s routing tables to ensure it initiates communication via the correct NIC.

Multihomed machines with NICs on the same subnetIn some scenarios BusinessObjects Enterprise servers are deployed on machines with more than one NIC, and each NIC is on the same subnet. This is typically done for load balancing. In this case is possible that:• Each NIC had its own IP address, or• Every NIC shares a common IP address, plus has its own IP address

(This implementation can occur with some load balancing products such as Microsoft Load Balancer.)

What happens if -port is not specifiedYou do not always have to set the -port option when you deploy BusinessObjects Enterprise servers on multihomed machines. This section explains what happens if you do not specify -port.What IP address goes in the IOR?If you do not specify -port, the BusinessObjects Enterprise server will make a system call to its host machine to discover its IP address. The IP address returned from the system call will be used in the service’s IOR. (On some Windows OS versions, the host machine will pick the IP address of the first NIC in the binding order. )BusinessObjects Enterprise server can receive communication from any NICIf you do not specify -port, the BusinessObjects Enterprise server can listen on any NIC. Considerations when -port <FQDN> is specifiedIf communication crosses a firewall that uses NAT, you probably need to specify -port <FQDN> so that the service IOR contains the host name instead of the host IP address.However, if this option is set, your service will only accept communication from a single NIC.Host name is resolved to a specific IP addressIf you set -port <FQDN>, the service’s IOR contains the host name. However, the host name must still be resolved to an IP address before it is routed. If more than one NIC has the same host name, is up the host machine to choose the IP address.


Server deployment and firewall configurationDeploying BusinessObjects Enterprise on multihomed machinesB

This scenario requires a patchThe CMS must be patched if other BusinessObjects Enterprise servers are deployed on machines with multiple NICs that connect to the same subnet.1. When a server starts, it registers with the CMS. The CMS stores the

server’s host name and other information. The CMS stores the host name that the server used to register.

2. Later, the server may make another call to the CMS to log on. This logon might occur during a schedule, view, or other operation. It does not have to occur during a regular user logon.

3. If the server sends the logon request to the CMS via a different NIC than the registration request, the CMS will reject the logon. The logon will fail.

Multihomed machines with NICs on different subnetsBusinessObjects Enterprise servers can be deployed on multihomed machines where each NIC is on a different subnet. For example, you can have a machine with both a public and a private network. Or you can have a laptop with both a wireless and a LAN connection.The example below illustrates potential deployment problems on machines with multiple NICs on different subnets.

Example problem: BusinessObjects Enterprise servers deployed across subnets that are not network connected

This problem exists because the BusinessObjects Enterprise servers are deployed across different subnets which are not reachable from each other. In the example below, machines on one subnet are not routable from machines on the other subnet. The application server is on one subnet and the FRS is on the other. The CMS is deployed on a mulihomed machine that is connected to both subnets. You will see this problem whether or not you configure the CMS with the -port option. Whether or not -port is set, the CMS always puts only one IP address in its IOR. If you cannot route between the two subnets, then either the application server or the FRS cannot reach the CMS's factory service IOR. To resolve this issue, you need to set up a network path between the two subnets.


Server deployment and firewall configurationSummary of unsupported deployment scenarios B

Binding to a particular NICTypically, you only set -port <fqdn> when your BusinessObjects Enterprise components must communicate across a firewall that uses NAT, and that firewall cannot route internal IP addresses. However, in some deployment scenarios that use multihomed machines, you may need to use -port to force a server to bind to a particular NIC. For example, the CMS is deployed on a machine with two NICs. NICA connects to the main subnet on which all the BusinessObjects Enterprise components are deployed. NICB connects to the backup subnet. The CMS’s IOR must contain NICA, not NICB. If NICA has a higher binding order than NICB, the CMS will probably use NICA in its IOR (this might depend on many factors including OS version). If the CMS does not use NICA in its IOR by default, you must configure the CMS server with the option -port NICA:port.

Summary of unsupported deployment scenarios

Deployment Scenario Why is this not supported?

Port Address Translation (PAT) or NAT in Hide mode

You cannot separate BusinessObjects Enterprise components with Firewalls using PAT or NAT in Hide mode, because these technologies swap out the port number in the TCP connection. BusinessObjects Enterprise clients hold an IOR to BusinessObjects Enterprise services; that IOR has a port number that must be routable from the client.

BusinessObjects Enterprise servers (non-CMS servers) deployed on multihomed machines with NICs on the same subnet.

This scenario must be patched. See “This scenario requires a patch” on page 450.

BusinessObjects Enterprise servers deployed on multihomed machines but divided by firewalls that use NAT.

You must plan this scenario carefully. You need to use the -port <FQDN> option on all servers so the IORs can be routed through the firewalls, but this also causes your servers to bind to the specified NIC.


Server deployment and firewall configurationSummary of unsupported deployment scenariosB

Firewalls and SSL If you are deploying BusinessObjects Enterprise components in an environment where they use SSL to communicate, and the communication must cross firewalls, then you need a patch.

BusinessObjects Enterprise components deployed across two or more subnets, where there is no network path between the subnets.

If you deploy BusinessObjects Enterprise clients and servers across different subnets, there must be a network path between the subnets. The BusinessObjects Enterprise components must be able to contact each other.

Deployment Scenario Why is this not supported?


Server Command Lines

appendix

Server Command LinesCommand lines overviewC
Command lines overview
When you start or configure a server through the Central Management Console (CMC) or the Central Configuration Manager (CCM), the server is started (or restarted) with a default command line that includes a typical set of options and values. In the majority of cases, you need not modify the default command lines directly. Moreover, you can manipulate the most common settings through the various server configuration screens in the CMC and the CCM. For reference, this section provides a full listing of the command-line options supported by each server. You can modify each server’s command line directly if you need to further customize the behavior of BusinessObjects Enterprise.Throughout this section, values provided in square brackets [ ] are optional.

To view or modify a server’s command lineThe procedure for viewing or modifying a server’s command line depends upon your operating system:• On Windows, use the CCM to stop the server. Then open the server’s

Properties to modify the command line. Start the server again when you have finished.

• On UNIX, run ccm.sh to stop the server. Then edit ccm.config to modify the server’s command line. Start the server again when you have finished.Note: On UNIX, each server’s command line is actually passed as an argument to the crystalrestart.sh script. This script launches the server and monitors it in case an automatic restart is required. For more information, see “UNIX Tools” on page 473.


Server Command LinesStandard options for all servers C

Standard options for all serversThese command-line options apply to all of the BusinessObjects Enterprise servers, unless otherwise indicated. See the remainder of this section for options specific to each type of server.

Option Valid Arguments Behavior-name string Specify the friendly name of the server. The server

registers this name with the Central Management Server (CMS), and the name is displayed in the CMC. The default friendly name is hostname.servertypeNote: • Do not modify -name for a CMS.• If you modify -name for an Input or Output File

Repository Server, you must include “Input.” or “Output.” as the prefix to the value you type for string (for example, -name Input.Server01 or -name Output.UK).

-ns cmsname[:port]

Specify the CMS that the server should register with. Add port if the CMS is not listening on the default (6400). This option does not apply to the CMS itself.

-requestPort port Specify the port that the server listens on. The server registers this port with the CMS. If unspecified, the server chooses any free port > 1024.Note: This port is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide.


Server Command LinesCentral Management ServerC

UNIX signal handlingOn UNIX, the BusinessObjects Enterprise daemons handle the following signals:• SIGTERM results in a graceful server shutdown (exit code = 0).• SIGSEGV, SIGBUS, SIGSYS, SIGFPE, and SIGILL result in a rapid

shutdown (exit code = 1).

Central Management ServerThis section provides the command-line options that are specific to the CMS. The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\CrystalMS.exe

The default path to the server on UNIX is:

-port [interface:][port]

Bind WCA or CMS to the specified port, or to the specified network interface and port. Binds other servers to the specified network interface. Useful on multihomed machines or in certain NAT firewall environments.Note: • Use -port port or -port interface:port for WCA

and CMS. Use -port interface for other servers. The port command is used for different purposes by different servers. Before changing, see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide.

• If you change the default port value for the CMS, you must perform additional system configuration. For more information please see the section on changing the default server port numbers in the BusinessObjects Enterprise Administrator’s Guide.

-restart Server restarts if it exits with an unusual exit code. -fg UNIX only. Run the daemon in the foreground. When

passing the server’s command line to the crystalrestart.sh script, you must use this option (see ccm.config). If you run the server’s command line directly, do not use this option, because the foreground process blocks the shell until the server exits.

Option Valid Arguments Behavior


Server Command LinesCentral Management Server C

INSTALL_ROOT/bobje/enterprise11/platform/boe_cmsd


Server Command LinesCentral Management ServerC

Option Valid Arguments

Behavior

-threads number Use a thread pool of the specified size. The default is one thread per request.

-reinitializedb Cause the CMS to delete the system database and recreate it with only the default system objects.

-quit Force the CMS to quit after processing the -reinitializedb option.

-receiverPool number Specify the number of threads the CMS creates to receive client requests. A client may be another Business Objects server, the Report Publishing Wizard, Crystal Reports, or a custom client application that you have created. The default value is 5. Normally you will not need to increase this value, unless you create a custom application with many clients.

-maxobjectsincache number Specify the maximum number of objects that the CMS stores in its memory cache. Increasing the number of objects reduces the number of database calls required and greatly improves CMS performance. However, placing too many objects in memory may result in the CMS having too little memory remaining to process queries. The upper limit is 100000.

-ndbqthreads number Specify the number of CMS worker threads sending requests to the database. Each thread has a connection to the database, so you must be careful not to exceed your database capacity. In most cases, the maximum value you should set is 10.

-AuditInterval minutes Specify interval at which the CMS requests audit information from audited servers. The default value is 5 minutes. (Maximum value is 15 minutes, and minimum value is 1 minute.).

-AuditBatchSize number Specify the maximum number of audit records that the CMS requests from each audited server, per audit interval. The default value is 200 records. (Maximum value is 500, and minimum value is 50.)


Server Command LinesPage Server and Cache Server C

Page Server and Cache ServerThe Page Server and the Cache Server are controlled in much the same way from the command line. The command-line options determine whether the server starts as a Page Server, a Cache Server, or both. Options that apply only to one server type are noted below.The default paths to the servers on Windows are:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\cacheserver.exeC:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\pageserver.exe

The default paths to the servers on UNIX are:INSTALL_ROOT/bobje/enterprise/platform/boe_cachesdINSTALL_ROOT/bobje/enterprise11/platform/boe_pagesd

-auditMaxEventsPerFile number Specify the maximum number of records in the audit log file. The default value is 500. If the number specified by -auditMaxEventsPerFile is exceeded, the server opens a new log file.

-AuditeeTimeSyncInterval minutes Specify the interval between time synchronization events. The CMS broadcasts its system time to audited servers at the interval specified by -AuditeeTimeSyncInterval. The audited servers compare their internal clocks to the CMS time, and then adjust the timestamps they give to all subsequent audit records so that the time of these records synchronizes with the CMS time. The default interval is 60 minutes. (Maximum value is 1 day, or 1440 minutes. Minimum value is 15 minutes. Setting the interval to 0 turns off time synchronization.)


Behavior


Server Command LinesPage Server and Cache ServerC


Behavior

-cache Enable Cache Server functionality.-dir absolutepath Specify the cache directory for a Cache

Server and the temp directory for the Page Server. The directories created are absolutepath/cache and absolutepath/temp

-deleteCache Delete the cache directory every time the server starts and stops.

-psdir absolutepath Specify the temp directory for the Page Server. This option overrides -dir.

-refresh minutes Share cached pages for the specified number of minutes.

-maxDBResultRecords number Limit the number of database records that are returned from the database. The default limit is 20000 records. If a user views an on-demand report containing more than 20000 records, an error message indicates that the report contains too many database records. To increase the enforced limit, increase number accordingly; to disable the limit, replace number with 0 (zero).

-noautomaticdbdisconnect Disable automatic database disconnection for the Page Server. By default the Page Server will automatically disconnect from the reporting database after retrieving data, to free up database licenses. This may affect performance if your site uses many reports with on-demand subreports, or group-by-on-server.

-report_ProcessExtPath absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrator’s Guide.

-auditMaxEventsPerFile number On the Cache Server, specifies the maximum number of audit actions recorded in the audit log file. The default value is 500. If this maximum number of records is exceeded, the server will open a new log file.


Server Command LinesJob servers C

Job serversThis section provides the command-line options that are specific to the job servers, which include Job Servers, Program Job Servers, Destination Job Server, and List of Values Job Server.The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\JobServer.exe

The default paths to the server on UNIX are:INSTALL_ROOT/bobje/enterprise11/platform/boe_reportjobsdINSTALL_ROOT/bobje/enterprise11/platform/boe_programjobsd

Option Valid Arguments Behavior-dir absolutepath Specify the data directory for the Job

Server.-lib processinglibr

arySpecify the processing library to load:• procReport or• procProgram

Loading procReport starts the Job Server as a Report Job Server. Loading procProgram starts the Job Server as a Program Job Server. This option is used in conjunction with -objectType.

-objectType progID The program ID of the processing library, which determines the class of object supported by the Job Server:• CrystalEnterprise.Report or• CrystalEnterprise.Program

Used with -lib to specify whether the Job Server becomes a Report Job Server or a Program Job Server.

-maxJobs number Set the maximum number of concurrent jobs that the server will handle. The default is five.

-requestJSChildPorts lowerbound-upperbound

Specify the range of ports that child processes should use in a firewall environment. For example, 6800-6805 limits child processes to six ports.


Server Command LinesReport Application ServerC

Report Application ServerThis section provides the command-line options that are specific to the Report Application Server. The default path to the server on Windows is:C:\Program Files\Common Files\Business Objects\3.0\

bin\crystalras.exe

The default path to the server on UNIX is:INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd

-report_ProcessExtPath absolutepath Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrator’s Guide.


Option Valid Arguments Behavior


Behavior

-ipport port Specify the port number for receiving TCP/IP requests when running in stand-alone mode (outside of BusinessObjects Enterprise).

-report_ProcessExtPath absolutepath

Specify the default directory for processing extensions. For details, see the BusinessObjects Enterprise Administrator’s Guide.


Server Command LinesReport Application Server C

-ProcessAffinityMask mask Use a mask to specify exactly which CPUs that RAS will use when it runs on a multi-processor machine.The mask is in the format 0xffffffff, where each f represents a processor, and the list of processors reads from right to left (that is, the last f represents the first processor). For each f, substitute either 0 (use of CPU not permitted) or 1 (use of CPU is permitted).For example, if you run the RAS on a 4 processor machine and want it to use the 3rd and 4th processor, use the mask 0x1100. To use the 2nd and 3rd processor, use 0x0110. Note: • RAS uses the first permitted processors in

the string, up to the maximum specified by your license. If you have a two processor license, 0x1110 has the same effect as 0x0110.

• The default value of the mask is -1, which has the same meaning as 0x1111.



Behavior


Server Command LinesWeb Intelligence Report ServerC
This section provides the command-line options that are specific to the Web Intelligence Report Server.The default paths to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\WIReportServer.exe

The default path to the server on UNIX is:INSTALL_ROOT/bobje/enterprise11/platform/ras/boe_crystalrasd


Behavior

-ConnectionTimeoutMinutes

minutes Specify the number of minutes before the server will timeout.

-MaxConnections number Specify the maximum number of simultaneous connections that the server allows at one time.

-DocExpressEnable Enables caching of Web Intelligence documents when the document is being viewed.

-DocExpressRealTimeCachingEnable

Enables real time caching of Web Intelligence documents.

-DocExpressCacheDurationMinutes

minutes Specify the amount of time (in minutes) that content is stored in cache.

-DocExpressMaxCacheSizeKB

kilobytes Specify the size of the document cache.

-EnableListOfValuesCache

Enables the caching per user sessions of lists of values

-ListOfValuesBatchSize number Specify the maximum number of values that can be returned per list of values batch.

-UniverseMaxCacheSize number Specify the number of universes to be cached.

-WIDMaxCacheSize number Specify the maximum number of Web Intelligence documents that can be stored in cache.


Server Command LinesInput and Output File Repository Servers C

Input and Output File Repository ServersThis section provides the command-line options that are specific to the Input and Output File Repository Servers.The default paths to the servers on Windows are:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\inputfileserver.exeC:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\outputfileserver.exe

The default paths to the program that provides both servers on UNIX are:INSTALL_ROOT/bobje/enterprise11/platform/boe_inputfilesdINSTALL_ROOT/bobje/enterprise11/platform/boe_outputfilesd

Note: If you modify -name for an Input or Output File Repository Server, you must include “Input.” or “Output.” as the prefix to the value you type (for example, -name Input.Server01 or -name Output.UK).


Behavior

-rootDir absolutepath Set the root directory for the various subfolders and files that are managed by the server. File paths used to refer to files in the File Repository Server are interpreted relative to this root directory.Note: All Input File Repository Servers must share the same root directory, and all Output File Repository Servers must share the same root directory (otherwise there is a risk of having inconsistent instances). Additionally, the input root directory must not be the same as the output root directory. It is recommended that you replicate the root directories using a RAID array or an alternative hardware solution.

-tempDir absolutepath Set the location of the temporary directory that the FRS uses to transfer files. Use this command line option if you want to control the location of the FRS temporary directory, or if the default temporary directory name generated by the FRS exceeds the file system path limit (which will prevent the FRS from starting).

-maxidle minutes Specify the number of minutes after which an idle session is cleaned up.


Server Command LinesEvent ServerC
Event Server
This section provides the command-line options that are specific to the Event Server.The default path to the server on Windows is:C:\Program Files\Business Objects\BusinessObjects Enterprise

11.5\win32_x86\EventServer.exe

The default path to the server on UNIX is:INSTALL_ROOT/bobje/enterprise11/platform/boe_eventsd


Behavior

-poll seconds Specify the frequency (in seconds) with which the server checks for File events.

-cleanup minutes Specify the frequency (in minutes) with which the server cleans up listener proxies.



Rights and Access Levels

appendix

Rights and Access LevelsRightsD
Rights
This table lists the rights available within the Advanced Rights page of the Central Management Console (CMC). Other BusinessObjects Enterprise plug-in components may in future add their own, object-specific rights to this list. The table matches the descriptions used in the CMC with the programmatic name that developers use when assigning rights with the BusinessObjects Enterprise SDK.

Description used in the CMC Name used in the SDK

Respect current security by inheriting rights from parent groups

AdvancedInheritGroups

Respect current security by inheriting rights from parent folders

AdvancedInheritFolders

Add objects to the folder ceRightAddView objects ceRightViewEdit objects ceRightEditModify the rights users have to objects ceRightModifyRightsSchedule the document to run ceRightScheduleDelete objects ceRightDeleteDefine server groups to process jobs ceRightPickMachinesDelete instances ceRightDeleteInstanceCopy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePause and Resume document instances

ceRightPauseResumeSchedule

Print the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemand

ReportExport the report’s data ceReportRightPageServerExportView objects that the user owns ceRightOwnerViewEdit objects that the user owns ceRightOwnerEditModify the rights users have to objects that the user owns

ceRightOwnerModifyRights


Rights and Access LevelsAccess levels D

Access levelsThis section lists the rights that constitute each of the predefined access levels that are available through the Advanced Rights page of the Central Management Console (CMC).Note: There is no predefined access level to grant users the rights required to create or modify reports through the Report Application Server (RAS). For details, see “Object rights for the Report Application Server” on page 472.

No AccessThis access level ensures that all rights remain unspecified. That is, rights are neither explicitly granted nor explicitly denied. When rights are unspecified, the system denies the right by default.

View

Schedule

Delete objects that the user owns ceRightOwnerDeleteDelete instances that the user owns ceRightOwnerDeleteInstanceView document instances that the user owns

ceRightOwnerViewInstance

Pause and resume document instances that the user owns

ceRightOwnerPauseResumeSchedule



View objects ceRightViewView document instances ceRightViewInstance


View objects ceRightViewSchedule the document to run ceRightSchedule


Rights and Access LevelsAccess levelsD

View On Demand

Define server groups to process jobs

ceRightPickMachines

Copy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePrint the report’s data ceReportRightPrintReportExport the report’s data ceReportRightPageServerExportEdit objects that the user owns ceRightOwnerEditDelete instances that the user owns ceRightOwnerDeleteInstancePause and resume document instances that the user owns




View objects ceRightViewSchedule the document to run ceRightScheduleDefine server groups to process jobs

ceRightPickMachines

Copy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePrint the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemandRepo

rtExport the report’s data ceReportRightPageServerExportEdit objects that the user owns ceRightOwnerEditDelete instances that the user owns

ceRightOwnerDeleteInstance

Pause and resume document instances that the user owns



Rights and Access LevelsDefault rights on the top-level folder D

Full Control

Default rights on the top-level folderThe top-level BusinessObjects Enterprise folder serves as the root for all other folders and objects that you add to the system. This folder provides the following rights by default:• The Everyone group is granted the Schedule access level.• The Administrators group is granted the Full Control access level.


Add objects to the folder ceRightAddView objects ceRightViewEdit objects ceRightEditModify the rights users have to objects

ceRightModifyRights

Schedule the document to run ceRightScheduleDelete objects ceRightDeleteDefine server groups to process jobs ceRightPickMachinesDelete instances ceRightDeleteInstanceCopy objects to another folder ceRightCopySchedule to destinations ceRightSetDestinationView document instances ceRightViewInstancePause and Resume document instances

ceRightPauseResumeSchedule

Print the report’s data ceReportRightPrintReportRefresh the report’s data ceReportRightRefreshOnDemandRe

portExport the report’s data ceReportRightPageServerExport


Rights and Access LevelsObject rights for the Report Application ServerD
Object rights for the Report Application Server
To allow users to create or modify reports over the Web through the Report Application Server (RAS), you must have RAS Report Modification licenses available on your system. You must also grant users a minimum set of object rights. When you grant users these rights to a report object, they can select the report as a data source for a new report or modify the report directly:• View objects (or “View document instances”, as appropriate)• Edit objects• Refresh the report’s data• Export the report’s dataUser must also have permission to add objects to at least one folder before they can save new reports back to BusinessObjects Enterprise.To ensure that users retain the ability to perform additional reporting tasks (such as copying, scheduling, printing, and so on), it’s recommended that you first assign the appropriate access level and update your changes. Then, change the access level to Advanced, and add any of the required rights that are not already granted. For instance, if users already have View On Demand rights to a report object, you allow them to modify the report by changing the access level to Advanced and explicitly granting the additional Edit objects right.When users view reports through the Advanced DHTML viewer and the RAS, the View access level is sufficient to display the report, but View On Demand is required to actually use the advanced search features. The extra Edit objects right is not required.


UNIX Tools

appendix

UNIX ToolsUNIX tools overviewE
UNIX tools overview
The UNIX distribution of BusinessObjects Enterprise includes a number of scripts that, together, provide you with all the configuration options that are available in the Windows version of the Central Configuration Manager (CCM). There are a number of other scripts that provide you with UNIX-specific options or serve as templates for your own scripts. Also, there are several secondary scripts that are used by BusinessObjects Enterprise. Each script is described here and the command-line options are provided where applicable.

Script utilitiesThis section describes the administrative scripts that assist you in working with BusinessObjects Enterprise on UNIX. The remainder of this help discusses the concepts behind each of the tasks that you can perform with these scripts. This reference section provides you the main command-line options and their arguments.

ccm.shThe ccm.sh script is installed to the bobje directory of your installation. This script provides you with a command-line version of the CCM. This section lists the command-line options and provides some examples.Note: • Arguments in square brackets [ ] are optional.• By default, servers are named with a hostname.servertype

convention. If the option requires the server name, use servertype as the server name. If the option requires the fully qualified server name, use hostname.servertype. If you are unsure of a server’s fully qualified name, look in the ccm.config file, locate the server’s launch string, and use the value that appears after the -name option.


UNIX ToolsScript utilities E

• Arguments denoted by other authentication information are provided in the second table.

CCM Option Valid Arguments Description-help n/a Display command-line help.-start all or servername Start each server as a process. Use the

short form of the server name.-stop all or servername Stop each server by terminating its

Process ID. Use the short form of the server name.

-restart all or servername Stop each server by terminating its Process ID; then each server is started. Use the short form of the server name.

-enable all or hostname.servertype [other authentication information]

Enable a started server so that it registers with the system and starts listening on the appropriate port. Use the fully qualified form of the server name.

-disable all or hostname.servertype [other authentication information]

Disable a server so that it stops responding to BusinessObjects Enterprise requests but remains started as a process. Use the fully qualified form of the server name.

-display server [other authentication information]

Reports the server’s current status (enabled or disabled). The CMS must be running before you can use this option.

-updateobjects [other authentication information]

Update objects migrated from a previous version of BusinessObjects Enterprise into your current CMS system database. Use this option after running cmsdbsetup.sh.


UNIX ToolsScript utilitiesE

This table describes the options that make up the argument denoted by other authentication information.

The CCM reads the server launch strings and other configuration values from the ccm.config file. For details, see “ccm.config” on page 477.

ExamplesThese two commands start and enable all the servers. The Central Management Server (CMS) is started on the local machine and the default port (6400):ccm.sh -start allccm.sh -enable all

These two commands start and enable all the servers. The CMS is started on port 6701, rather than on the default port:ccm.sh -start allccm.sh -enable all -cms MACHINE01:6701

These two commands start and enable all the servers with a specified administrative account named SysAdmin:ccm.sh -start allccm.sh -enable all -cms MACHINE01:6701 -username SysAdmin -

password 35%bC5@5 -authentication LDAP

This single command logs on with a specified administrative account to disable a Job Server that is running on a second machine:

Authentication Option

Valid arguments Description

-cms cmsname:port# Specify the CMS that you want to log on to. If not specified, the CCM defaults to the local machine and the default port (6400).

-username username Specify an account that provides administrative rights to BusinessObjects Enterprise. If not specified, the default Administrator account is attempted.

-password password Specify the corresponding password. If not specified, a blank password is attempted. Note: To specify the -password argument, you must also specify the -username argument.

-authentication secEnterprise, secLDAP Specify the appropriate authentication type for the administrative account. If not specified, secEnterprise is attempted.



ccm.sh -disable MACHINE02.businessobjects.com.reportserver -cms MACHINE01:6701 -username SysAdmin -password 35%bC5@5 -authentication secLDAP

ccm.configThis configuration file defines the server launch strings and other values that are used by the CCM when you run its commands. This file is maintained by the CCM itself, and by the other BusinessObjects Enterprise script utilities. You typically edit this file only when you need to modify a server’s command line. For details, see “Command lines overview” on page 454.

cmsdbsetup.shThe cmsdbsetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the CMS database, CMS clusters, and to set up the audit database.You can add a CMS to a cluster by selecting a new data source for its CMS database. You can also delete and recreate (re-initialize) a CMS database, copy data from another data source, or change the existing cluster name.Note: Before running this script, back up your current CMS database. Also be sure to see “Clustering Central Management Servers” on page 114 for additional information about CMS clusters and configuring the CMS database.The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. To check the name of your CMS (or any other server), view the contents of ccm.config and look for the server’s launch string. The server’s current name appears after the -name option.For more information about configuring the CMS database or setting up the auditing database, see “Managing Auditing” on page 391.

configpatch.shThe configpatch.sh script is installed to the bobje/enterprise/generic directory of your installation. Use the configpatch.sh script when installing patches that require updates to system configuration values. After installing the patch, run configpatch.sh with the appropriate .cf file name as an argument. The readme.txt file that accompanies BusinessObjects Enterprise patches tells you when to run configpatch.sh, and the name of the .cf file to use.


UNIX ToolsScript utilitiesE
serverconfig.sh
The serverconfig.sh script is installed to the bobje directory of your installation. This script provides a text-based program that enables you to view server information and to add and delete servers from your installation. This script adds, deletes, modifies, and lists information from the ccm.config file. When you modify a server using serverconfig.sh, you can change the location of its temporary files. For the Central Management Server, you can change its port number or enable auditing. For the Input File Repository Server or the Output File Repository Server, you can enter the root directory.

To add/delete/modify/list UNIX servers1. Go to the bobje directory of your installation.2. Issue the following command:

./serverconfig.sh

The script prompts you with a list of options:• 1 - Add a server• 2 - Delete a server• 3 - Modify a server• 4 - List all servers in the config file

3. Type the number that corresponds to the action you want to perform.4. If you are adding, deleting, or modifying a server, provide the script with

any additional information that it requests.Tip: The script will prompt you for the name of your CMS. By default, the CMS name is hostname.cms. That is, the default name of a CMS installed on a machine called MACHINE01 is MACHINE01.cms. However, in this script you can enter hostname to check the name of your CMS (or any other server), view the contents of ccm.config, and look for the server’s launch string. The server’s current name appears after the -name option.

5. Once you have added or modified a server, use the CCM to ensure that the server is both started and enabled.

For more information about working with servers, see “Managing and Configuring Servers” on page 97.



sockssetup.shThe sockssetup.sh script is installed to the bobje directory of your installation. The script provides a text-based program that enables you to configure the Web Component Adapter (WCA) and the Central Management Server (CMS) when they must communicate across one or more SOCKS proxy server firewalls. For technical information about BusinessObjects Enterprise and firewalls, see “Working with Firewalls” on page 157.

To modify SOCKS configuration1. Go to the bobje directory of your installation.2. Issue the following command:

./sockssetup.sh

3. Type wca to configure the communication between the WCA and the CMS. Or, type servers to configure SOCKS information between the remaining servers.The script may prompt you for the name or “friendly name” of the server. By default, each server’s name is hostname.servertype. To check the name of a server, view the contents of ccm.config and look for the server’s launch string. The server’s current name appears after the -name option.The “friendly name” of the WCA by default is hostname.wca. To check the name of the WCA, look for the <display-name> of the WCA as listed in the web.xml file in the WEB-INF directory of the webcompadapter.war archive. (This archive is found in the businessobjects_root/enterprise/JavaSDK/applications directory, where businessobjects_root is the root directory of your BusinessObjects Enterprise installation.)

4. Specify one of the available actions:• Type show to display any SOCKS servers that have already been

entered with this script. A blank list is displayed if no servers have been added.

• Type create to add a new SOCKS server to the list.• Type modify to change one of the SOCKS servers in the list.• Type delete to remove a SOCKS server from the list.• Type moveup or movedown to modify the sequence of SOCKS

servers.5. Proceed through the script and provide any additional information that it

requests:


UNIX ToolsScript templatesE

• If you are creating a new entry in the list, you will typically need to provide the name or IP address of the SOCKS server, the port number it is listening on, the version number of the SOCKS server (4 or 5), and any authentication information that the BusinessObjects Enterprise servers will require in order to establish a connection with your SOCKS server.

• If you choose to delete, modify, or move an existing entry, you will be asked to specify the server “by index.” Type the number that corresponds to the SOCKS server you want to modify.

For details about SOCKS and the importance of the sequence of servers, see “Configuring for SOCKS servers” on page 175.

uninstallBOBJE.shThe uninstallBOBJE.sh script is installed to the bobje directory of your installation. This script deletes all of the files installed during your original installation of BusinessObjects Enterprise by running the scripts in the bobje/uninstall directory. Do not run the scripts in the uninstall directory yourself: each of these scripts removes only the files associated with a single BusinessObjects Enterprise component, which may leave your BusinessObjects Enterprise system in an indeterminate state.Before running this script, you must disable and stop all of the BusinessObjects Enterprise servers. Note: • The uninstallBOBJE.sh script will not remove files created during the

installation process, or files created by the system or by users after installation. To remove these files, after running installBOBJE.sh, perform an rm -rf command on the bobje directory.

• If you performed the “system” installation type, you will also need to delete the run control scripts from the appropriate /etc/rc# directories.

Script templatesThese scripts are provided primarily as templates upon which you can base your own automation scripts.


UNIX ToolsScript templates E

startserversThe startservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that starts the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see “ccm.sh” on page 474.

stopserversThe stopservers script is installed to the bobje directory of your installation. This script can be used as a template for your own scripts: it is provided as an example to show how you could set up your own script that stops the BusinessObjects Enterprise servers by running a series of CCM commands. For details on writing CCM commands for your servers, see “ccm.sh” on page 474.

silentinstall.shThe silentinstall.sh script is installed to the bobje directory of your installation. Once you have set up BusinessObjects Enterprise on one machine, you can use this template to create your own scripts that install BusinessObjects Enterprise automatically on other machines. Essentially, once you have edited the silentinstall.sh template accordingly, it defines the required environment variables, runs the installation and setup scripts, and sets up BusinessObjects Enterprise according to your specifications, without requiring any further input.The silent installation is particularly useful when you need to perform multiple installations and do not want to interrupt people who are currently working on machines in your system. You can also use the silent installation script in your own scripts. For example, if your organization uses scripts to install software on machines, you can add the silent BusinessObjects Enterprise installation command to your scripts.For information about script parameters, see the comments in the silentinstall.sh script.Note: • Because the silentinstall.sh file is installed with BusinessObjects

Enterprise, you cannot install silently the first time you install BusinessObjects Enterprise.


UNIX ToolsScripts used by BusinessObjects EnterpriseE

• The silent installation is not recommended if you need to perform custom installations. The installation options are simplified and do not allow for the same level of customization provided in the BusinessObjects Enterprise install script.

Scripts used by BusinessObjects EnterpriseThese secondary scripts are often run in the background when you run the main BusinessObjects Enterprise script utilities. You need not run these scripts yourself.

bobjerestart.shThis script is run internally by the CCM when it starts the BusinessObjects Enterprise server components. If a server process ends abruptly without returning its normal exit code, this script automatically restarts a new server process in its place. Do not run this script yourself.

env.shThe env.sh script is installed to the bobje directory of your installation. This script sets up the BusinessObjects Enterprise environment variables that are required by some of the other scripts. BusinessObjects Enterprise scripts run env.sh as required. When you install BusinessObjects Enterprise on UNIX, you must configure your Java application server to source this script on startup. See the BusinessObjects Enterprise Installation Guide for more details.

env-locale.shThe env-locale.sh script is used for converting the script language strings between different types of encoding (for example, UTF8 or EUC or Shift-JIS). This script is run by env.sh as needed.

initlaunch.shThe initlaunch.sh script runs env.sh to set up the BusinessObjects Enterprise environment variables, and then runs any command that you have added as a command-line argument for the script. This script is intended primarily for use as a debugging tool by Business Objects SA.


UNIX ToolsScripts used by BusinessObjects Enterprise E

patchlevel.shThe patchlevel.sh is installed to the bobje/enterprise/generic directory of your installation. This script reports on the patch level of your UNIX distribution. This script is intended primarily for use by Business Objects SA support staff.

postinstall.shThe postinstall.sh script is installed to the bobje directory of your installation. This script runs automatically at the end of the installation script and launches the setup.sh script. You need not run this script yourself.

setup.shThe setup.sh script is installed to the bobje directory of your installation. This script provides a text-based program that allows you to set up your BusinessObjects Enterprise installation. This script is run automatically when you install BusinessObjects Enterprise. It prompts you for the information that is required in order to set up BusinessObjects Enterprise for the first time.For complete details on responding to the setup script when you install BusinessObjects Enterprise, see the BusinessObjects Enterprise Installation Guide.

setupinit.shThe setupinit.sh script is installed to the bobje directory of your installation when you perform a system installation. This script copies the run control scripts to your rc# directories for automated startup. When you run a system installation you are directed to run this script after the setup.sh script completes.Note: You must have root privileges to run this script.

Option Valid Arguments Descriptionlist n/a List all the installed patches.query patch # Query the operating system for the presence

of a particular patch by numeric ID.check textfile Check that all the patches listed in textfile

are installed on your operating system.


UNIX ToolsScripts used by BusinessObjects EnterpriseE


Enabling support for ASP.NET 2.0

appendix

Enabling support for ASP.NET 2.0Enabling support for ASP.NET 2.0F
Enabling support for ASP.NET 2.0
If you have upgraded to ASP.NET 2.0 after you installed BusinessObjects Enterprise, you will need to modify the web.xml to add support for ASP.NET 2.0.Note: If you install ASP.NET 2.0 before you install BusinessObjects Enterprise, this step is not required. The required tag <xhtmlConformance mode="Legacy"/> will be added to the Web.config file by the BusinessObjects Enterprise installer during the installation.

To enable ASP.NET 2.0 support1. Open the Web.config file from the following location:


2. Locate the following two comments in the file:• 

• 3. Copy the string <xhtmlConformance mode="Legacy"/> from the first

comment.4. Replace the comment  with string copied

in the previous step.5. When your change is complete, the file should look like this:

<xhtmlConformance mode="Legacy"/>



Enabling support for ASP.NET 2.0Enabling support for ASP.NET 2.0 F


Enabling support for ASP.NET 2.0Enabling support for ASP.NET 2.0F


Business Objects Information Resources

appendix

Business Objects Information ResourcesDocumentation and information servicesG
Documentation and information services
Business Objects offers a full documentation set covering its products and their deployment. Additional support and services are also available to help maximize the return on your business intelligence investment. The following sections detail where to get Business Objects documentation and how to use the resources at Business Objects to meet your needs for technical support, education, and consulting.

DocumentationYou can find answers to your questions on how to install, configure, deploy, and use Business Objects products from the documentation.

What’s in the documentation set?View or download the Business Objects Documentation Roadmap, available with the product documentation at http://www.businessobjects.com/support/.The Documentation Roadmap references all Business Objects guides and lets you see at a glance what information is available, from where, and in what format.

Where is the documentation?You can access electronic documentation at any time from the product interface, the web, or from your product CD.

Documentation from the productsOnline help and guides in Adobe PDF format are available from the product Help menus. Where only online help is provided, the online help file contains the entire contents of the PDF version of the guide.

Documentation on the webThe full electronic documentation set is available to customers on the web from support web site at: http://www.businessobjects.com/support/.

Documentation on the product CDLook in the docs directory of your product CD for versions of guides in Adobe PDF format.


http://www.businessobjects.com/support/


Business Objects Information ResourcesCustomer support, consulting and training G

Send us your feedbackDo you have a suggestion on how we can improve our documentation? Is there something you particularly like or have found useful? Drop us a line, and we will do our best to ensure that your suggestion is included in the next release of our documentation: [email protected]: If your issue concerns a Business Objects product and not the documentation, please contact our Customer Support experts. For information about Customer Support visit: http://www.businessobjects.com/support/.

Customer support, consulting and trainingA global network of Business Objects technology experts provides customer support, education, and consulting to ensure maximum business intelligence benefit to your business.

How can we support you?Business Objects offers customer support plans to best suit the size and requirements of your deployment. We operate customer support centers in the following countries:• USA• Australia• Canada• United Kingdom• Japan

Online Customer SupportThe Business Objects Customer Support web site contains information about Customer Support programs and services. It also has links to a wide range of technical information including knowledgebase articles, downloads, and support forums.http://www.businessobjects.com/support/





Business Objects Information ResourcesUseful addresses at a glanceG
Looking for the best deployment solution for your company?
Business Objects consultants can accompany you from the initial analysis stage to the delivery of your deployment project. Expertise is available in relational and multidimensional databases, in connectivities, database design tools, customized embedding technology, and more.For more information, contact your local sales office, or contact us at:http://www.businessobjects.com/services/consulting/

Looking for training options?From traditional classroom learning to targeted e-learning seminars, we can offer a training package to suit your learning needs and preferred learning style. Find more information on the Business Objects Education web site:http://www.businessobjects.com/services/training

Useful addresses at a glance

Address Content

Business Objects product informationhttp://www.businessobjects.com

Information about the full range of Business Objects products.

Product documentationhttp://www.businessobjects.com/support

Business Objects product documentation, including the Business Objects Documentation Roadmap.

Business Objects Documentation [email protected]

Send us feedback or questions about documentation.

Online Customer Supporthttp://www.businessobjects.com/support/

Information on Customer Support programs, as well as links to technical articles, downloads, and online forums.


http://www.businessobjects.com/services/consulting.htm

http://www.businessobjects.com/services/consulting.htm

http://www.businessobjects.com/services/education.htm

http://www.businessobjects.com/services/education.htm

http://www.businessobjects.com

http://www.businessobjects.com/support

http://www.businessobjects.com/support



http://www.businessobjects.com/forms/tipsandtricks_login.asp

http://www.techsupport.businessobjects.com/

http://www.techsupport.businessobjects.com/

Business Objects Information ResourcesUseful addresses at a glance G

Business Objects Consulting Serviceshttp://www.businessobjects.com/services/consulting/

Information on how Business Objects can help maximize your business intelligence investment.

Business Objects Education Serviceshttp://www.businessobjects.com/services/training

Information on Business Objects training options and modules.

Address Content


http://www.businessobjects.com/services/consulting/

http://www.businessobjects.com/services/consulting/

http://www.businessobjects.com/services/training

http://www.businessobjects.com/services/training

Business Objects Information ResourcesUseful addresses at a glanceG


Index
Aaccess levels
available in the CMC 469for RAS 472

active sessions, viewing 341, 341active trust relationship 188AD authentication plug-in 246adding

CMS cluster members 114servers 105

administrationconfiguration tools 98, 338

Administrators group, default rights 471affinity, and SSL 189anonymous single sign-on 184application servers 35application tier 34applications

CCM 33CMC 33Import Wizard 34InfoView 32Publishing Wizard 34

applications, installing 93apsdbsetup.sh 477architecture

balanced processing 79firewalled 81high availability 80single-machine 79

ASP pages display code 376ASP.NET 2.0

modifying web.config to support 486ASP.NET component, verifying 377attributes, logon tokens 188audit actions

enabling auditing of 399reference list 395

synchronizing records 403audit enablement 399auditable actions

CMS 399Destination Job Server 398Event Server 398Job Server 399

auditee 392auditing

configuring database 393database schema 416enabling 399information flow 392optimizing performance 404reporting results 402, 416synchronizing records 403user and system actions 395web activity 194

auditing databaseconfiguring 393database schema 416

Application_Type table 419Audit_Detail table 417Audit_Event table 416Detail_Type table 420Event_Type table 419Server_Process table 418

auditor 392Auditor report names 408

Average Number of Users Logged In 408Average Refresh Time 409Average Session Duration 409Average Session Duration per Cluster 409Average Session Duration per User 409Cluster Nodes 410Document Information Detail 410Document Scheduling and Viewing Status 410Job Servers on the System 411Job Summary 410


Index

Jobs per Job Server 411Jobs per User 411Last Login for User 411Least Accessed Documents 412Modifications 413Most Accessed Documents 412Most Active Users 412Most Popular Actions 412Most Popular Actions per Document 413Number of User Sessions 413Number of Users in the System 413Peak Usage 414Refresh and Edit Activity 414Rights Modification 414Total Users Logged in by Day 414User Activity 414User Activity per Session 415Users Who Logged Off Incorrectly 415

authenticationBusinessObjects Enterprise security plug-in

186Kerberos configuration

IBM WebSphere 304IIS 266Java AD 302Java application server 290, 302Java options, modify 307See also IIS, IIS 5, IIS 6Windows AD 297

LDAP security plug-in 228primary 181security plug-ins 55, 185troubleshooting log on 380Trusted Authentication 328Windows AD security plug-in 246Windows NT Challenge/Response 213, 248Windows NT security plug-in 212

BBusiness Objects

consulting services 492, 493support services 491training services 492, 493

Business Objects applicationsCCM 33

CMC 33CMS 38Import Wizard 34InfoView 32Publishing Wizard 34

BusinessObjects Enterprisecommunication between servers 162firewall integration 162primary authentication process 181single sign-on 187single sign-on with NT 213

BusinessObjects Enterprise SDK 187Java SDK 35.NET SDK 35

BusinessObjects Enterprise security plug-in 186BusinessObjects Enterprise servers

Cache Server 40configuring hosts file for firewall 169description 30Event Server 39File Repository Servers 40Job Server 42Page Server 44Program Job Server 42Report Application Server 44

BusinessObjects Enterprise servers, configureconfigure IIS and browsers 275configure servers to use service account 297configuring the servers

configuring servers to use service account 270granting service account rights 270

grant service account rights 295setting service account 268, 292

BusinessObjects Enterprise Sizing Guide 366BusinessObjects WAR files

deploying 93mapping to cluster

in WebSphere 5.1 95in WebSphere 6.0 95

Ccacert.der 153Cache Server 40

command-line options 459


Index

configuring 131, 352metrics 340, 342performance 68performance settings 131, 352viewing with 49

Cache Server auditable actions 396cakey.pem 153CCM

adding a server 105changing

server startup type 151server user account 152Windows server dependencies 150

copying server status 104deleting a server 107enabling and disabling servers 102printing server status 104refreshing the list of servers 104starting, stopping, and restarting servers 99

CCM, for UNIX 474ccm.sh 474Central Configuration Manager. See CCMCentral Management Console. See CMCCentral Management Server. See CMScertificate files 153Changing Tomcat connect port 112, 378client side viewers 45client tier 32clusters 114, 116, 117

changing names 121requirements 114viewing details 345

clusters, creating 87CMC

enabling and disabling servers 102starting, stopping, and restarting servers 99unable to connect 379

CMC timeout setting 110CMS

adding to a cluster 117and authentication 181and distributed security 189as nameserver 147changing cluster name 121

clustering 114installing new cluster member 116requirements 114

CMS tasks 38command-line options 456configuring 127, 128, 147

NAT 168SOCKS 176

database 38default port 147limitations 65metrics 341, 345performance 65security 54security plug-ins 54session variables 191

and authentication 181tracking 193

stopping 102unable to connect 379when enabling and disabling other servers

102CMS auditable actions 399CMS clustering 77CMS database

changing password 128configuring 122copying 122deleting 127migrating 122recreating 127selecting 128

command lines, overview 454command-line options

all servers 455Cache Server 459CMS 456Event Server 466Input and Output File Repository Servers 465Job Server 461Page Server 459Program Job Server 461Report Application Server 462Web Intelligence Job Server 461Web Intelligence Report Server 464


Index

command-line options, SSL 152communication

between browser and Web application server181

between BusinessObjects Enterprise servers162

components, security management 53computer

contstrained delegation 294concurrent active users 62configuration

planning 58sample 436

configuration, common scenarios 78Configure the thick client to use SSL 376configuring

auditing database 393auditing database on UNIX 394auditing database on windows 394Cache Server 131, 352CMS clusters 114, 121CMS database 122, 127, 128Event Server 351File Repository Servers 130, 352firewalls 166intelligence tier 114Job Server 133, 140, 355, 355Page Server 132, 140, 356, 363processing tier 132server settings 98, 338servers 98, 338universe connection 401

configuring trusted authentication 329Connection Server

metrics 341constrained delegation

service account 295, 295consultants, Business Objects 492cookies

and session tracking 191logon tokens 188

CORBA 437creating custom audit reports 416Crystal reports

troubleshooting reports 383

Crystal Reports Cache Server. See Cache ServerCrystal Reports Page Server. See Page ServerCrystal Reports sample audit reports 402Crystal xCelsius 69

performance 69CSP pages display code 376custom audit report creation 416custom web applications, enhancing 370customer support 491customizing

your configuration 366

Ddaemons, signal handling 456data

live 52saved 53

data sharing 98, 338on Cache Server 131, 352on Page Server 132, 356, 363on RAS 360

data sourceson UNIX 141on Windows 140

data tier 45databases

configuring servers for 140copying CMS data 122initializing the CMS 127modifying RAS interactions 360selecting for the CMS 128single sign-on access 184troubleshooting logon 385

default settingsauthentication 186Enterprise accounts 186NT account 213ports 147security plug-in 186

default timeout 110defaultconfig.xml

about 428customizing elements 432finding correct version to change 430modifying for Java Report Panel 431


Index

modifying for .NET InfoView 431deleting

CMS database 127servers 107

dependencies of servers on Windows 150deployment

planning 58sample 436

deployment manageradding nodes 85, 86starting 85

Designerfirewall settings 166

Desktop Intelligencefirewall settings 166

Destination Job Serverdestinations

configuring 134enabling or disabling 133

enabling Inbox destination 133performance settings 355

Destination Job Server auditable actions 398destinations

for job serversconfiguring 134enabling or disabling 133

troubleshooting 390directory servers

about LDAP 229security plug-in 228

disablingdestinations for job servers 133servers 102

Disabling logon tokens 196disabling logon tokens 196, 200disabling restoration of a timed out session 200disabling the restoration of a timed out session 200disabling the restoration of a timed out session in

Java 200disabling the restoration of a timed out session in

.NET 201disaster recovery 76DLL. See dynamic-link librariesdocumentation

additional 375

feedback on 491on product CD 490on the web 490roadmap 490

DSNs on UNIX 143dynamic-link libraries as processing extensions

187

Eeducation. See trainingemail destination

setting defaults 136enable ASP.NET 2.0 support 486enable .NET 2.0 support 486enabling

destinations for a job server 133servers 102

enabling auditing 399encoding logon tokens 188end-to-end single sign-on 185environment variables

ODBC 143env.sh 482ePortfolio. See InfoViewerrors

Page Server 389troubleshooting 374

Event Log 150, 345Event Server

auditable actions 399configuring 351metrics 343polling time 351

Event Server auditable actions 398Event Server, command-line options 466events

polling time 351Everyone group, default rights 471expanding the system 366extensions, processing 187

Ffault tolerance 76feedback, on documentation 491


Index

File Repository Serverscommand-line options 465maximum idle times 130, 352metrics 340Properties page 130, 352root directories 130, 352

firewall rulesspecifying for NAT 170specifying for packet filtering 173

firewall types 159NAT 160packet filtering 160SOCKS 161

firewall, desktop product 166firewalls 158, 194, 436

configuration scenarios 164configuring 166

NAT 167packet filtering 172SOCKS 175thick client 171with application tier 168with WCA 177

forcing servers to register by name 149integration with BusinessObjects Enterprise

162Job Servers 442server communications, and 162

foldersdefault rights 471root 471

FTP destinationsetting defaults 138

Full Control access level 471

GGuest account, default rights 471

Hheap sizes, setting


help, documentation resources 375high availability 76

hosts file, configuring for NAT firewall 169HTTP 181, 191HTTP server, check status 87HTTP server, starting 86

IIBM WebSphere

Kerberos configuration 304idle times

Cache Server 131, 352File Repository Servers 130, 352Page Server 132, 356, 363

IISdatabase single sign-on configuration 281end-to-end single sign on configuration 277single sign-on configuration 275

IIS 5database single sign-on configuration 282end-to-end single sign on configuration 277

IIS 6database single sign-on configuration 283end-to-end single sign on configuration 279

IIS 6, run under local system 379Import Wizard 34information flow, between servers 46information resources 490InfoView

considerations 390Java version 108troubleshooting 390

initializing CMS database 127initlaunch.sh 483Input File Repository Server

maximum idle time 130, 352metrics 340root directory 130, 352

intelligence tier 37configuring 114

internal system configuration, setting 92Internet Explorer, configuring 276Internet Information Services (IIS), default web

site 375IOR 437


Index

JJAAS login configuration files, create

Oracle 306Tomcat/WebLogic 305WebSphere 306

Java CMC timeout 110Java InfoView timeout 111Java InfoView, customizing appearance of Web

Intelligence documents 431Java Options, modify

Kerberos 307Oracle 308WebLogic 307

Java platform 36Java SDK 36Job Server

command-line options 461configuring 140

for firewalls 442on UNIX 141

destinationsconfiguring 134enabling or disabling 133

performance settings 355Job servers

types 41job servers

configuring destinations 134performance settings 355

Job Servers auditable actions 399

KKerberos configuration

IBM WebSphere 304IIS 266Java AD 302Java application server 290, 302Java options, modify 307See also IIS, IIS 5, IIS 6Windows AD 297

Kerberos configuration filesIBM WebSphere 304Java AD 302

Kerberos single sign-on 53

Kerberos troubleshootingenable logging 310testing Java Kerberos configuration 310

key files 153

LLDAP 229

about 229and SSL 229

LDAP accounts 229managing 228modifying

connection parameters 242member groups 242

troubleshooting 243, 243LDAP authentication

configuring 230LDAP authentication plug-in 228LDAP groups

mapping 238unmapping 241viewing mapped groups 242

LDAP hostsconfiguring 231managing multiple 243

LDAP security plug-in 228LDAP single sign-on, configuring 236, 255Least Accessed Documents 412license keys

and CMS database migration 119reinitializing the CMS database 127

Lightweight Directory Access Protocol. See LDAPList of Values Job Server

auditable actions 399description 43destinations


performance 69performance settings 355

live data 52load

managing 60load balancing

and distributed security 189


Index

CMS clustering 114Local System account 140log on

processing server accounts 140protection against malicious attempts 194

loggingserver activity 345web activity 194

logon tokens 188and authentication 181and distributed security 189and session tracking 191

logon.csp 181

Mmalicious logon attempts, protection against 194mapped drives 388mapped groups

viewingWindows NT 221

mappingWindows AD accounts and groups 249Windows NT accounts 215

metricsviewing 339

migratingCMS database 122from BusinessObjects Enterprise 6.x 495

modify InfoView timeout 111Most Accessed Documents 412Most Active Users 412Most Popular Actions 412Most Popular Actions per Document 413multihomed machines 149

Nnameserver, role of CMS 147NAT. See Network Address Translationnative drivers 140

on UNIX 141needs assessment 58.NET 20 support 486.NET InfoView or CMC, unable to view 377

.NET InfoView, customizing appearance of Web Intelligence documents 431

.NET pages display code 376Network Address Translation

application tier, and 168configuring 167

server hosts file 169servers behind firewall 168

definition 160specifying firewall rules 170thick client, and 171

No Access level 469node agent, start 85NT authentication and UNIX 212NT authentication plug-in 212NT LM Security Support Provider 150NT single sign-on 225NT single sign-on and Windows NT security plug-

in 213number of logons, logon tokens 188number of minutes, logon tokens 188Number of User Sessions 413Number of Users in the System 413

Oobject

rights 468, 472ODBC

CMS database 117connectivity 120

drivers 140environment variables 143processing server accounts 140reporting on UNIX 142system information file 143

.odbc.ini 143Online Customer Support 491optimizing system 404Optimizing system performance 404Oracle application Server

reverse proxies 202Output File Repository Server

maximum idle time 130, 352metrics 340root directory 130, 352


Index

Ppacket filtering 160

configuring for 172packets, firewalls and 158Page Server

command-line options 459configuring for data source 140configuring on UNIX 141metrics 343performance 70performance settings 132, 356, 363Properties page 132, 356, 363viewing with 49

Password Modifications 413passwords

changingfor CMS database 128

restrictions 195patchlevel.sh 483Peak Usage 414performance 366, 404

assessment 338Cache Server 68Cache Server settings 131, 352CMS clusters 114common scenarios 78general considerations 367List of Values Job Server 69load balancing 189of jobs per server 355Page Server 70Page Server settings 132, 356, 363RAS settings 362Report Job Server 68Web Application Server 67Web Intelligence Report Server 69Windows NT Challenge/Response

authentication 213, 248performance improvement, delegating XSL

transformation 370performance while auditing 404planning

deployment 58platforms

Java 36

Windows .NET 36plug-ins, security 55, 185polling time, setting for Event Server 351port numbers

adding 90checking


port numbers, changing 147ports

definition 159firewalls, and 159opening on firewall 168

postinstall.sh 483primary authentication 181processing extensions 187processing servers, configuring 141processing threads

Cache Server 131, 352Page Server 132, 356, 363

processing tier 41configuring 132

Program Job Server 399destinations


Program Job Server auditable actions 399Program Job Server, command-line options 461Properties tab for job servers 355

Q.qry files 388

RRAS

database settings 360metrics 344performance settings 362Properties page 362

Refresh and Edit Activity 414refreshing

cache files 131, 352registry keys 238Remote Procedure Call 150


Index

remote resources, troubleshooting 388Report Application Server

auditable actions 396command-line options 462performance 70required object rights 472viewing report 50

Report Job Server 399auditable actions 399performance 68

Report Job Server, performance settings 355report objects, rights for creating/modifying 472report viewers 45report_view_advanced.aspx 48report_view_dhtml.aspx 48reports

audit 402, 416custom 416sample 402

configuring servers for data sources 140modifying RAS SQL options 360scheduling 46troubleshooting 383, 385viewing 47

required steps to audit actions 392requirements, clustering 114resource

requirements 73resources 490

estimating 64requirements 71

restarting servers 99restart.sh 482restrictions

guest account 196logon 195password 195user 195

reverse proxies 202rights

advance, reference 468Report Application Server 472top-level folder 471

Rights Modification 414root directories, File Repository Servers 130, 352

row-level security, processing extensions 187

Ssample audit reports 402saved data 53scalability 366

common scenarios 78scaling the system 366Schedule access level 469scheduling

increasing capacity 367information flow 46

secEnterprise.dll 186secLDAP.dll 228Secure Sockets Layer 152Secure Sockets Layer (SSL) 193, 229

and LDAP 229and load balancing 189

security 180active trust relationship 188auditing web activity 194components 53distributed 189environment protection 193firewalls 194Guest account restrictions 196logon restrictions 195, 195password restrictions 195, 195plug-ins 55, 185processing extensions 187protection against malicious logon attempts

194restrictions 195session tracking 191user restrictions 195web browser to web server 193web servers 193

security plug-ins 55, 185Enterprise authentication 186LDAP authentication 228Windows AD authentication 246Windows NT authentication 212

secWindows.dll 212selecting CMS database 128sending


Index

to inboxes, default configuration 133Server cache expiry, modifying default expiry

value 287server dependencies, changing 150serverconfig.sh 478servers 98, 338

activity, logging 345adding 105adding nodes 85application tier 34changing

status 99user account on Windows 152

changing startup type 151command lines 454communication 162

application tier and CMS 163CMS directory listing 162

configuring 98, 338default settings 98, 338deleting 107dependencies, adding or removing 150deployment manager 85disabling 102enabling 102information flow 46intelligence tier 37limitations 64logging activity 345managing 97metrics, viewing 340node agent 85processing tier 41refreshing list using the CCM 104registering by name 149restarting 99standard command-line options 455starting 85, 99status

changing 99copying 104printing 104

stopping 99troubleshooting 388UNIX signal handling 456

user account, changing 152service account

contstrained delegation 295service thresholds 64session variables 191

and authentication 181primary authentication 181

sessionstracking 191viewing active 341

setup.sh 483shared libraries, as processing extensions 187signal handling 456silentinstall.sh 481simultaneous requests 61single sign-on

anonymous 184authentication

Enterprise 187LDAP 230NT 213Windows AD 248

end-to-end 185Java, Kerberos configuration 311, 312setting up

AD 255LDAP 236SiteMinder 236, 255Windows AD 252Windows NT 223

to BusinessObjects Enterprise 184to database 184troubleshooting 238

single sign-on optionsdatabase single sign-on 266

modify AD plug-in settings 275setting up database single sign-on 267web applications configuration 285

end-to-end single sign-on 266configuring IIS for end-to-end single sign-on 277configuring Internet Explorer 276setting up end-to-end single sign-on 267


Index

single sign-on 266configuring IIS for single sign-on 275database server configuration 286setting up basic single sign-on 267SQL server configuration 286

SiteMinderconfiguring LDAP plug-in 236error 238setting up single sign-on with LDAP 236, 255troubleshooting 238Window AD 255

SiteminderAD 255

SMTP destinations, setting defaults 136SOCKS 161

configuring 175CMS 176WCA 177

sockssetup.sh 479SPN

Vintella 315web application server 315

SPN utilityWindows 2003 293, 294

SSL 152certificates 153configuring servers 152, 152keys 153

SSL. See Secure Sockets Layer (SSL)SSL, thick client configuration 376sslc.cnf 152sslc.exe 152starting

servers 99startservers 481startup types

changing for servers 151configuring servers 151

statistics, auditing web activity 194status, viewing and changing for servers 99steps to audit actions 392stopping

CMS 102servers 99

stopservers 481

supportcustomer 491locations 491technical 491web site 491

synchronizing audit actions 403syslog 345system actions, list of auditable 399system data, copying 122system database, migrating 122system information file (ODBC) 143system metrics, viewing 345system security 180

TTCP/IP, firewalls and 158technical support 491temporary files, configuring Page Server 132, 356,

363the 200thick client, firewall configuration 165

NAT 171third-party security plug-ins 55, 185tickets

for distributed security 189logon tokens 188

tiersapplication 34client 32data 45intelligence 37processing 41

time zones 60supporting multiple 390

timeoutCMC modify 110Infoview modify 111

Tomcatreverse proxies 202

Tomcat connect port, changing 112, 378tools, UNIX 474Total Users Logged in by Day 414tracking, sessions 191training, on Business Objects products 492transfer of trust 189


Index

troubleshooting 374InfoView deployments 390LDAP accounts 243report viewing and processing 383single sign-on 238web accessibility 375

trust, active trust relationship 188trusted authenitcation

configuring in web.xml 329Trusted Authentication 328

UUNC paths 388uninstall 480uninstallCE.sh 480universe connection configuration 401UNIX

and NT authentication 212application server 35installation 36syslog 345WCA 36

UNIX tools, overview 474unmanaged disk destination

setting defaults 139unmapping

Windows NT accounts 220user accounts

configuring servers 152user actions, list of auditable 396User Activity 414User Activity per Session 415user databases, NT4 and Windows 2000 Active

Directory 212users

concurrent active users 62estimating 59types 59viewing active sessions 341, 341

Users Who Logged Off Incorrectly 415

VView access level 469viewers

client-side 45in InfoView 47zero client 45

viewingactive users 341, 341BusinessObjects Enterprise architecture 47CMS cluster details 345current metrics 339information flow 47server metrics 340system metrics 345with the Cache Server 49with the Page Server 49

viewing sessions 62viewrpt.aspx 48

WWCA

and logon tokens 54and security 54auditing web activity 194configuring for SOCKS 177description 35

WCA session variables 191tracking 192

webcustomer support 491getting documentation via 490useful addresses 492

Web application environments 37Web Application Server

performance 67Web application server

authentication 181Web Component Adapter. See WCAweb desktop. See InfoViewWeb Intelligence

Job Server 461Report Server 464

Web Intelligence documentschanging default appearance 428customizing for Java InfoView 431customizing for .NET InfoView 431delegating XSL transformation 370finding correct defaultconfig.xml 430


Index

list of customizable elements 432Web Intelligence Job Server

auditable actions 399destinations

enabling or disabling 133performance settings 355

Web Intelligence Report Serverauditable actions 396, 397performance 69performance settings 357

Web Intelligence sample audit reports 402web response speeds, improving 371Web server plugin, regenerating


web servers 37improving response speeds 371securing 193

web sitessupport 491training 492

web.config.Windows authentication 274

WebSpherecluster, creating 87installing applications 93

WebSphere deployment 308, 309Windows

Event Log 345Local System account 140server dependencies 150

Windows 2000 Active Directory 212Windows 2000, unmapping accounts in 220Windows AD

database single sign-on, modify AD plug-in settings 275

Kerberos authentication 271, 297single sign-on, modifying web.config 284

Windows AD accountsSee also Windows AD usersmapping 249

Windows AD groupsmapping 249

Windows AD security plug-in 246Windows AD single sign-on 252

to BusinessObjects Enterprise 252Windows AD users

See also Windows AD accountsWindows .NET platform 36Windows NT accounts

adding to mapped groups 222disabling 222managing 214mapping 215

in CMC 217in Windows 2000 216in Windows NT 215

unmapping 220Windows NT Challenge/Response authentication

193, 213, 248Windows NT groups

creating 222mapping 215unmapping 220, 220viewing 221

Windows NT security plug-in 212and UNIX 212

Windows NT single sign-on, setting up 223Windows NT users, viewing 221

XXSL transformation for Web Intelligence

documents 370

Zzero client viewers 45