SAP Solution Manager & NAM

Enable the SAP Solution Manager through Novell Access Manager.

 

(Click to view the complete article on Cool Solutions)

 

SAP Solution Manager can be accessed through the SAP GUI and through an SAP Web Application Server (SAP NetWeaver). Applications like this must be protected, especially when they are accessed from the outside world; a simple name and password combination will not do. This is where Access Manager comes in.

SAP systems are mostly hidden deep within a company's infrastructure, not in the DMZ. In this case the SAP systems were even hosted at SAPHosting in Walldorf, Germany, so there is no way to reach them directly from the outside world. Again a good opportunity for Access Manager.


The problem with enabling SAP Web Application Server (and especially Solution Manager) is that all communication is tightly checked. If the security domains are wrong, or if you use the wrong DNS name or an IP address, the scripts will simply give you an access denied.

This problem can partially be solved by giving the SAP server the same DNS name as the one available to the outside world (somewhat like the published DNS name in SharePoint). However, in most cases this is not possible, and it does not solve all of the security checking.

The pages within Solution Manager have frames that are filled by different JavaScript scripts. If the security domain of a script differs from what the frame expects, an access denied is issued. All of this is done with document.domain settings within the scripts. We will not go into this in this article.

The following procedure is one way to enable SAP Solution Manager through Access Manager. The actual SAP system is at SAPHosting, and the DNS names differ between the host and the outside world.

 

Step 1 : Enable a different domain on the SAP side.

The first step is to let SAP know that requests can come from different DNS names, and to allow this. As mentioned, in SharePoint this is done via the published DNS name. SAP, however, can advertise multiple domains for one, several or all SAP applications, and specify different ports per application.

To do this you need to change the table HTTPURLLOC. Make sure you provide the desired name in the HOST field.

More information on this can be found at : http://help.sap.com/saphelp_nw70/helpdata/EN/42/d547ab30b6473ce10000000a114e5d/content.htm

 

 

 

 

Step 2 :

Add a DOMAIN-BASED proxy service name to the proxy service list in a reverse proxy and provide a valid DNS name (solman.company.com). Information on this can be found in the Access Manager documentation : http://www.novell.com/documentation/novellaccessmanager/index.html



Step 3 : Configuration – Web Servers

Open the proxy service. On the first page a few items need to be set :

1) The cookie domain must be at company level (company.com).

2) On the HTTP Options, enable “Enable X-Forwarded-For”.

3) On the tab Web Servers : Set “Host Header” to Web Server Host Name and provide the full web server name : server.company.sap.com. Also make sure the connect port is set correctly. (By default it runs on port 8000, but you can change this in HTTPURLLOC.)

 

 


Step 4 : HTML Rewriting

On the next tab, enable HTML rewriting.

1) You need to add both full DNS names to the Additional DNS Name List.

 

 


It is very important here to rewrite just the domain name. Do not include the server hostname part, as in sapserver1.company.com, for it will not work.

 

 

Step 5: Protected resources.

Make sure you configure this, for it is not wise to rely on just name and password combinations to get in.

On the overview tab, provide a contract you'll want to use. In this case we use One Time Passwords via SMS.

Next provide the URL path lists like in the next picture :

 

 

[Screenshot: solman5]

 

 

 

We leave Authorization aside for now, but make sure only the right users are allowed to get in. In our case we use the active users container and we check an SAP attribute.

We don't use Identity Injection; we handle this with a form fill.

On the form fill tab :

  1. Make sure you handle a failed login.

  2. Match the form on loginForm and some text on the form, for example : SAP Web Application Server

  3. Fill the input fields “sap-user” and “sap-password” with the Identity Vault credentials and do an auto commit. The passwords have to be synchronized to do this.

  4. Make sure that any error is handled by redirecting the user to an error page.

 

 

 


Save all and update the Access Manager with the new information.

Congratulations. SAP Solution Manager is now available through Novell Access Manager.
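A check to run after the configuration is saved, added here as an example and not part of the original article or of Novell or SAP tooling: it scans a response captured through the proxy for host names under the internal domain that were not rewritten, and for cookies scoped to a domain that does not cover the published host. The host names are taken from the steps above; the sample response, its paths and its cookie values are constructed.

```python
import re

PUBLISHED_HOST = "solman.company.com"   # proxy service DNS name from Step 2
INTERNAL_DOMAIN = "company.sap.com"     # domain of the hosted SAP server (Step 3)

# Host[:port] under the internal domain, e.g. server.company.sap.com:8000
HOST_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(INTERNAL_DOMAIN) + r"(?![\w-])(?::\d+)?",
    re.I,
)

def internal_refs(text):
    """Return every internal host reference that survived rewriting."""
    return [m.group(0).lower() for m in HOST_RE.finditer(text)]

def cookie_domain(set_cookie):
    """Extract the Domain attribute of a Set-Cookie value, without leading dot."""
    m = re.search(r";\s*domain=\.?([^;\s]+)", set_cookie, re.I)
    return m.group(1).lower() if m else None

def audit(headers, body):
    """List (where, value) findings for one response seen through the proxy."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            dom = cookie_domain(value)
            # Browsers drop cookies whose Domain does not cover the published host.
            if dom and PUBLISHED_HOST != dom and not PUBLISHED_HOST.endswith("." + dom):
                findings.append(("cookie-domain", dom))
        else:
            findings += [("header:" + name.lower(), h) for h in internal_refs(value)]
    findings += [("body", h) for h in internal_refs(body)]
    return findings

# Constructed sample response (paths and cookie values are made up).
SAMPLE_HEADERS = [
    ("Location", "http://server.company.sap.com:8000/sap/example/start"),
    ("Set-Cookie", "sap-usercontext=sap-client=100; Domain=.company.sap.com; Path=/"),
    ("Set-Cookie", "session=abc; Domain=.company.com; Path=/"),
]
SAMPLE_BODY = """
<script>document.domain = "company.sap.com";</script>
<frame src="http://server.company.sap.com:8000/sap/example/menu">
<a href="/sap/example/help">Help</a>
"""

if __name__ == "__main__":
    for where, value in audit(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where}: {value}")
```

An empty result on the login page and on a framed Solution Manager page means no internal name reached the browser; any finding points back at the rewriting or cookie domain settings.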

 

 

 

 

 

 