SAP Solution Manager can be accessed through the SAP GUI and through a SAP Web Application Server (SAP NetWeaver). Applications like this should be protected especially when it is accessed from the outside world, a name and password combination will simply not do. This is when Access Manager comes into place.
SAP systems will mostly be hidden somewhere deep within a company’s infrastructure, it will not be in the DMZ. In this case the SAP systems we even hosted at SAPHosting – Waldorf Germany. So no way we can reach it from the outside world. Again a good opportunity for Access Manager.
The problem with enabling SAP Web Application Server (and especially Solution Manager) is that all communication is tightly checked. If security domains are wrong, if you are using a wrong DNS name to do the requests or if you are using an ip-address, the scripts will simply give you an access denied.
This problem can partially be solved by the naming the SAP server with the same (DNS) name as it will have when available on the outside world. (Somewhat like the published DNS name in sharepoint). However in most cases this is not possible, and it is not a solution for all the security checking.
The pages within Solution Manager have frames which are filled from different java scripts. If the security domain from one script is different than the frame expects, a access denied will be issued. Some of this checking is done with document.domain settings within the java scripts. We will not go into why and how in this article.
The following procedure is a way to enable SAP Solution Manager through Access Manager. The actual SAP system is at SAPHosting and DNS names are different on the host and on the outside world.
Step 1 : Enable different domain on the SAP side.
First step is to let the SAP-WAS know that requests will be issued using a different DNS name and make sure it is allowed. As mentioned, in Sharepoint this is done via the published DNS name. SAP, however, has the possibility to advertise multiple domains for one, more or all SAP applications and specify different ports per application.
In order to do this you will need to change the table HTTPURLLOC. Make sure you provide the wanted name in the HOST field.
More information on this can be found at : http://help.sap.com/saphelp_nw70/helpdata/EN/42/d547ab30b6473ce10000000a114e5d/content.htm
Step 2 : Proxy service name
Add a DOMAIN-BASED proxy service name to the proxy service list in a reverse proxy and provide a valid DNS name (solman.company.com). Information on this can be found in the Access Manager documentation : http://www.novell.com/documentation/novellaccessmanager/index.html
Step 3 : Configuration – Web Servers
Open the proxy service. On the first page a few items need to be set :
1) The cookie domain must be at company level (company.com) which is done by default.
2) On the HTTP Options enable the “Enable X-Forwarded-For“.
3) On the tab Web Servers : Set “Host Header” to Web Server Host Name and provide the full web server name : server.company.sap.com.
Also make sure the connect port is set right. (By default it runs on port 8000. But in HTTPURLLOC you can change this.)
Step 4 : HTML Rewriting
On the next tab, Enable HTML rewriting.
1) You need to add both the full DNS name and the domain part of the DNS name in the Additional DNS Name List.
2) In the HTML Rewriter Profile List : Additional String to rewrite, an entry must be made to rewrite the document.domain entries.
It is very important here to just rewrite the domain name. Do not include server hostname part like sapserver1.company.com, for it will not work.
Step 5: Protected resources.
Make sure you configure this for it is not a wise idea to just use name/password combinations to get in.
On the overview tab, provide a contract you’ll want to use. In this case we use One Time Passwords via SMS.
Next provide the URL path lists like in the next picture :
We leave the Authorization for now, but make sure only the right users are allowed to get in. In our case we use the active users container and we check a SAP attribute.
We don’t use a Identity Injection, we handle this in a form fill.
On the form fill tab :
1) Make sure you handle a failed login.
2) Match the form on loginForm and some text on the form , for example :
3) Fill the input fields “sap-user” and “sap-password” with the Identity Vault credentials and do an auto commit. The passwords have to be synchronized to do this.
4) Make sure that any error is handled by redirecting the user to an error page.
Save all and update the Access Manager with the new information.
SAP Solution Manager should now be available through Novell Access Manager.
(and some special thx to Ed)
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.