Configure secure communications between the SharePoint and SAP environments (Duet Enterprise)
Applies to: Duet Enterprise for Microsoft SharePoint and SAP
This article describes the procedures for setting up secure communications between the Web application on which you want to configure solutions that are provided with Duet Enterprise for Microsoft SharePoint and SAP and the SAP environment. The following list summarizes the key steps you will complete in this article.
Use or create a Web application for which you will configure one or more Duet Enterprise solutions. This Web application must be configured to use claims-based authentication. You can use an existing Web application or create a new one. You must then extend the Web application to create a new zone, which you will configure to use the HTTPS protocol (SSL). This zone is used for all transactions between the Web application and SAP system.
Bind an SSL certificate to the zone that is configured for SSL and give the certificate to the SAP administrator to configure a trust relationship on the SAP system.
Export the STS certificate and give it to the SAP administrator to configure a trust relationship on the SAP system.
Establish a trust relationship with the SSL certificate that is provided by the SAP administrator.
Tip
You must complete the procedures in this article in the listed order.
Create or obtain an SSL Certificate
Note
To create an SSL certificate, you must be a member of the Administrators group on a front-end Web server that runs Internet Information Services (IIS) 7.
To use Secure Sockets Layer (SSL) to secure a Web application, you must have an SSL certificate. For a production environment we recommend that you obtain a signed certificate from either a third-party certification authority (CA) or a CA in your intranet domain. However, for test environments you can create a self-signed certificate for this purpose. For more information about the kind of certificate to use and how to create a self-signed certificate, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkID=193447).
.gif "BatonHandoffIcon") |
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), list the location and file name of the SSL certificate on the “SSL certificate file name and location” row of Table 1. |
Prepare the Web application on which you want to enable Duet Enterprise functionality
Duet Enterprise requires at least one Web application that is configured for Windows claims-based authentication. This Web application is used to host one or more sites that surface information from SAP, for example the Duet Enterprise sites. Typically, you want end users to be able to use the HTTP protocol to access content in SharePoint sites.
Because workflow transactions between the Web application and the SAP system require Basic authentication, which sends all information in clear text, we recommend that you extend the Web application to create a new zone and configure that zone for SSL and Basic authentication.
There are actually several options when you are configuring the Web application. For example, you might want to deploy the Duet Enterprise sites on an existing Web application, or you can create a new Web application.
Windows claims-based authentication is required for all Web applications on which you will configure Duet Enterprise solutions. Forms-based authentication is not supported because reports cannot be routed to sites that use forms-based authentication.
Do one of the following:
If a Web application exists on which you want to enable Duet Enterprise functionality, you must ensure that it is configured for Windows claims-based authentication. To verify that your existing Web application supports Duet Enterprise, go to Verify whether a Web application is configured for Windows claims-based authentication.
If the Web application does not already exist on which you want to enable Duet Enterprise functionality, go to Create a Web application for the thisProduct_2nd_CurrentVer sites.
Verify whether a Web application is configured for Windows claims-based authentication
If you have a Web application that you want to use for the Duet Enterprise sites, you must ensure that it is configured for Windows claims-based authentication. If you want to create a new Web application for Duet Enterprise sites, proceed to Create a Web application for the thisProduct_2nd_CurrentVer sites.
If the Web application that you want to use for Duet Enterprise sites is not configured for Windows claims-based authentication, you might be able to convert it to Windows claims-based authentication or you can create a new Web application for the Duet Enterprise sites. For information about converting a Web application to Windows claims-based authentication, see Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=205651) and Migrate from classic-mode to claims-based authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=205652).
Note
You must be a member of the SharePoint Farm Administrators group to complete this procedure.
To determine whether a Web application is configured for Windows claims authentication
Verify that you have the following administrative credentials:
- You must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
In the Central Administration Web site, on the Quick Launch, click Application Management.
In the Web Applications section, click Manage web applications.
In the Name column, click the Web application for which you want to verify the authentication provider.
In the Security group of the ribbon, click Authentication Providers.
In the Authentication Providers dialog box, under Membership Provider Name, verify that the zone for which you will deploy the Duet Enterprise sites says “Claims Based Authentication”. If it does not, it is not configured for claims-based authentication and you must either convert the Web application to Windows claims-based authentication or create a new Web application for the Duet Enterprise sites.
Create a Web application for the Duet Enterprise sites
The Web application for the Duet Enterprise sites must be configured to use Windows claims-based authentication. If you do not already have a Web application on which you want to enable the Duet Enterprise sites, use this procedure to create one. Otherwise, proceed to Extend the Web application.
Note
You must be a member of the SharePoint Farm Administrators group to complete this procedure.
To create a Web application that uses Windows claims based authentication
Verify that you have the following administrative credentials:
- To create a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
On the Central Administration Home page, in the Application Management section, click Manage Web applications.
In the Contribute group of the ribbon, click New.
On the Create New Web Application page, in the Authentication section, click Claims Based Authentication.
In the IIS Web Site section, in the Port box, type the port number that you want to use to access the Web application.
By default, this field is populated with a random port number.
Note
The default port number for HTTP access is 80. If you want users to access the Web application without typing in a port number, use the default port number.
Optional: In the IIS Web Site section, in the Host Header box, optionally type the host name (for example, www.contoso.com) that you want to use to access the Web application.
Note
In general, this value is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server, and DNS is configured to route requests to the same server.
In the IIS Web Site section, in the Path box, optionally type the path of the IIS Web site root directory on the server.
This box is populated with a suggested path.
In the Claims Authentication Types section, ensure that the Enable Windows Authentication check box is selected and in the drop-down menu select either Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=192622).
In the Public URL section, change the URL to the fully qualified domain name. For example, https://corp.contoso.com:80.
Note
The Zone value is automatically set to Default for a new Web application.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), type this URL in the ”URL of Web application for Duet Enterprise sites” row of Table 1 of the worksheet.
In the Application Pool section, ensure that Create a new application pool is selected, and then type the name that you want to use for the new application pool or keep the default name.
Under Select a security account for this application pool, ensure that Configurable is selected and select the managed account that you want to use for this application pool.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), and you previously identified or created the accounts needed for deployment, this account is listed in the “Service account for the Duet Enterprise sites Web application” row of Table 3.
In the Database Name and Authentication section, select the database server and database name for your new Web application as described in the following table or accept the default values.
Item Action Database Server
Type the name of the database server and Microsoft SQL Server instance that you want to use in the format, SERVERNAME\instance. You can also use the default entry.
Database Name
Type the name of the database, or use the default entry.
In the Database Name and Authentication section, ensure that Windows Authentication (recommended) is selected.
If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.
In the Service Application Connections section, select the service application connections that will be available to the Web application. In the drop-down menu, click default or custom. You use the custom option to select the services application connections that you want to use for the Web application.
Tip
Duet Enterprise requires that the following service applications are associated with this Web application: Business Data Connectivity service, Secure Store Service, and User Profile Service Application.
In the Customer Experience Improvement Program section, click Yes or No.
Click OK to create the new Web application.
Click OK in the dialog box that appears. The Web application that you created appears on the Web Applications Management page in Central Administration. Do not close this page because you will need it for the next procedure.
Extend the Web application
Use this procedure to extend the Web application in order to create a zone that will be used for all transactions between the Web application and the SAP system.
Note
You must be a member of the SharePoint Farm Administrators group and a member of the Windows Administrators group on the server that is running Central Administration to complete this procedure.
To extend the Web application
Verify that you have the following administrative credentials:
- To create a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
On the Central Administration Home page, in the Application Management section, click Manage Web applications.
On the Web Applications Management page, select the Web application that you created in the previous procedure.
On the Contribute group of the ribbon, click Extend.
On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, ensure that Create a new IIS web site is selected, and then optionally type the name of the Web site in the Name box.
In the IIS Web Site section, in the Port box, type the port number that you want to use to access the Web application. By default this field is populated with a random port number.
Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) that you want to use to access the Web application.
Note
Typically, this field is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server, and DNS is configured to route requests to the same server.
Optional: In the IIS Web Site section, in the Path box, type the path of the IIS Web site root directory on the server. By default, this field is populated with a suggested path.
In the Security Configuration section, under Use Secure Sockets Layer (SSL), click Yes.
In the Claims Authentication Types section, ensure that Enable Windows Authentication is selected and in the drop-down menu select either Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkID=192622).
Select the Basic authentication (credentials are sent in clear text) check box.
In the Public URL section, change the URL to the fully qualified domain name. For example, https://corp.contoso.com:443.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), type this URL in the “URL of Web application for report publishing” row of Table 1.
In the Zone list, select the zone that you want to use for this port. You can choose any available zone, but we recommend that you choose the Custom zone because the name best describes the purpose of this zone.
Click OK to extend the Web application.
For more information about how to set up SSL, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=187887).
Create an alternate access mapping for the SSL-enabled Web application
The Web application that you created in the previous procedure must be available by using the URL that is specified in the SSL certificate that you will bind to that Web application (in a later procedure). If it is not the same URL, for example if the Web application was created by using the fully qualified domain name (FQDN) but the certificate uses the short URL, you must create an alternate access mapping to specify the URL that is listed in the certificate.
Note
An example of a FQDN is http://contoso.corp.com. In this example, the short URL would be http://contoso.
If the URL listed in the SSL certificate and the URL used to create the Web application are the same, then you do not have to perform this procedure.
To create an alternate access mapping
In Central Administration, on the Quick Launch, click System Settings.
In the Farm Management section, click Configure alternate access mappings.
Click Add Internal URLs.
In the Alternate Access Mapping Collection section, select the Web application that you will use for your Duet Enterprise sites.
In the Add Internal URL section, do the following:
In the URL protocol, host and port box, type the URL that is listed in the SSL certificate.
In the Zone list, select the zone that you want to use for this URL.
Note
This is the name of the zone that you selected when you extended the Web application in the previous procedure.
Click Save.
The alternate access mapping that you created appears on the Alternate Access Mappings page.
Create the SSL Binding for the SSL enabled zone
Complete this procedure to bind an SSL certificate to the SSL-enabled zone of your Web application.
Note
You must be a member of the Administrators group on the computer that is running SharePoint Server 2010 to complete this procedure.
To create the SSL Binding for the extended Web application
Log on to a front-end Web server as a member of the Windows Administrators group.
Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the Connections pane, expand Sites and then select the site that is associated with the SSL-enabled Web application that you created in an earlier procedure.
Tip
This site can be identified by the port number and name that you assigned to the site when you extended the Web application.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), this URL is listed in the “URL of Web application for report publishing” row of Table 1.
In the Actions pane, under Edit Site, click Bindings.
In the Site Bindings dialog box, click Add.
In the Add Site Binding dialog box, select https from the Type drop-down list.
From the SSL certificate list, select the SSL certificate that you created or obtained in Create or obtain an SSL Certificate, and then click OK.
Click Close to close the Site Bindings dialog box.
Repeat steps 1 through 8 for each additional front-end Web server in the load balance rotation of your SharePoint Server 2010 server farm
Export the SSL certificate
If you obtained an SSL certificate from a certification authority (CA), then you do not have to do this procedure because you already have the certificate in your file system. However, if you used IIS on a SharePoint front-end Web server to create a self-signed certificate for testing, you must export the certificate so that you can share a copy of that certificate with the SAP administrator.
Note
You must be a member of the Windows Administrators group on the SharePoint front-end Web server to perform this procedure.
To export the SSL certificate
Log on to a SharePoint front-end Web server for which you have bound the certificate.
If it is not already open, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the tree view, select the server node.
In the middle pane, under IIS, double-click Server Certificates.
In the middle pane, double-click the certificate that you bound to your extended Web application.
In the Certificate dialog box, on the Details tab, click Copy to File.
On the Welcome to the Certificate Export Wizard page, click Next.
On the Export Private Key page, ensure that No, do not export the private key is selected, and then click Next.
On the Export File Format page, click Next.
On the File to Export page, in the File name box, type the path and file name to which you want to export the certificate, and then click Next.
Tip
You do not have to type a file name extension.
Click Finish.
Click OK to close the The export was successful dialog box.
Click OK to close the Certificate dialog box.
Share the SSL certificate with the SAP administrator
You must give a copy of the SSL certificate to the SAP administrator. The SAP administrator will use the SSL certificate to establish communication between the SAP NetWeaver server in the SAP system and your Web application.
|
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the path and file name of the SSL certificate is listed in the “SSL certificate file name and location” row of Table 1. |
Export the SharePoint Security Token Service Certificate
This procedure assumes that the SharePoint Security Token Service is already running. You can verify this on the Manage Service Applications page in Central Administration.
Note
You must be a member of the SharePoint Farm Administrators group to complete this procedure.
To export the SharePoint Security Token Service certificate
Verify that you are a member of the Windows Administrators group on the SharePoint front-end Web server.
Log on to a front-end Web server as a member of the Windows Administrators group.
Click Start, click Run, type mmc in the Open box, and then click OK.
If the Certificate snap-in is listed in the Name column, go to step 5. Otherwise, do the following:
In the console, click File, and then click Add/Remove Snap-ins.
In the Add or Remove Snap-ins dialog box, in the Snap-in column, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
Click Finish and then click OK.
You will now see the Certificates snap-in listed in the Name column.
In the Console Root (navigation pane) expand the Certificates tree, expand SharePoint, and then click Certificates.
In the Issued To column, right-click SharePoint Security Token Service, point to All Tasks, and then click Open.
In the Certificate dialog box, on the Details tab, click Copy to File.
On the Welcome to the Certificate Export Wizard page, click Next.
Because only the public certificate is needed and not the private key, on the Export Private Key page, ensure that No, do not export the private key is selected, and then click Next.
On the Export File Format page, click Next.
On the Export File Format page, in the File name box, type the path and file name to which you want export your certificate, and then click Next.
For example, c:\share\STScert.
Tip
You do not have to type the file name extension.
On the Completing the Certificate Export Wizard page, click Finish.
In The export was successful dialog box, click OK.
Click OK to close the Certificate dialog box.
Leave the Console open because you will need it in a later procedure.
Give the STS certificate to the SAP administrator
Provide a copy of the Security Token Service (STS) certificate that you exported to the SAP administrator. The SAP administrator will use the STS certificate to establish a one-way trust relationship with the Security Token Service.
|
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), type the name and location of the STS certificate into the “STS certificate file name and location” row of Table 1. |
Provide information about the STS certificate to the SAP administrator
You must provide the STS Issuer name to the SAP administrator. Use the procedure in this section to collect this information.
Note
You must be a member of the Windows Administrators group on a SharePoint front-end Web server to perform the procedures listed in this section.
To collect the STS Issuer name
In the MMC, in the Certificate dialog box, click the Details tab.
In the Field column, click Issuer.
In the bottom pane, note the value for CN, OU, O, and C.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add this information to the “STS Issuer name” row of Table 1.
Ensure a key is generated for the Secure Store Service Application
Before the BDC models that are provided with Duet Enterprise can be imported, a SharePoint administrator must first generate a key for the Secure Store Service application. Complete this procedure to verify that a key has been generated and to generate a key if it has not. To complete this procedure, the Secure Store Service Application must be started.
Note
You must be a member of the Farm Administrators group to complete this procedure.
To ensure a key is generated
In Central Administration, on the Quick Launch, click Application Management.
In the Service Applications section, click Manage service applications.
On the Service Applications tab, in the Name column, click the link for the Secure Store Service Application Proxy.
If a key is not listed on this page, on the ribbon, click Generate New Key.
Type a passphrase in the Pass Phrase and Confirm Pass Phrase boxes.
Identify user domains and Active Directory Domain Services (AD DS) information
For the SAP administrator to pull user accounts from AD DS, you must provide the SAP administrator with the following information for each Windows domain or directory service in which user accounts that are used by SharePoint are stored:
Host name of the server that is running AD DS. For example, ContosoDC1.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add this name to the “AD DS Server name” row of Table 1.
Port number that is used to connect to AD DS. The default port number is 389. If the default port number is not used, the AD DS domain administrator can provide the port number to use.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add this port number to the “Port number of AD DS service” row of Table 1.
User account that has a minimum of DirSync permissions to the AD DS service (For example, contoso\admin1) and the password for this account.
Note
The AD DS domain administrator can provide this account name and password.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add this account (in the form of domain\username) and the password for this account to the “AD DS account and password” row of Table 1.
Name of the attribute that stores the SAP user name.
Note
If the SAP user name is stored in AD DS, the AD DS administrator can provide the name of this attribute.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add the name of this attribute to the “Attribute in AD DS where SAP user name is maintained” row of Table 1.
User Base Domain Name. For example, CN=Users,DC=dev24,DC=devwdf, DC=sap,DC=corp
Note
The AD DS administrator can provide this information.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), add this information to the “User Base Domain Name” row of Table 1.
Establish a trust relationship with the SSL certificate from the SAP environment
For the SSL-enabled Web application to accept information from the SAP environment, you must establish a trust relationship with the SSL certificate that was provided by the SAP administrator. If you and the SAP administrator are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the location and file name of this certificate will be listed in the “SSL Certificate location and file name” row of Table 2 of the worksheet.
Note
You must be a member of the Farm Administrators SharePoint group to complete this procedure.
To trust the SSL certificate from the SAP environment
In Central Administration, on the Quick Launch, click Security.
In the General Security section, click Manage trust.
In the Manage group of the ribbon, click New.
In the Establish Trust Relationship dialog box, in the Name box, type the name that you want to use for this trust relationship.
Next to the Root Authority Certificate box, click Browse.
In the Choose File to Upload dialog box, in the File name box, type the path and file name of the certificate for which you want to establish a trust relationship, and then click Open.
If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the file name and location of the certificate is listed in the “SSL Certificate location and file name” row of Table 2 of the worksheet.
Click OK to close the Establish Trust Relationship dialog box.
The name that you typed in step 4 appears in the Name column on the Trust Relationship page.