FPN

Activities for implementing Federated Portal Network – Step by Step

Applies to: Consumer Portal: SAP NetWeaver 2004s (SP12)

Producer Portal: SAP NetWeaver 2004s (SP12)

Summary This article describes the activities to be followed for implementing Federated Portal Network between SAP-SAP portals. It contains step-by-step explanation of the tasks to be performed at both Consumer portal and Producer portal along with screen shots. It is applicable to content usage mode: ‘Remote Role Assignment’

Author(s): Kapil Sharma

Company: Tata Consultancy Services Ltd.

Created on: 05 March 2008

Author Bio

Kapil Sharma is working with Tata Consultancy Services Ltd for the last 3 years.

SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com © 2008 SAP AG 1


Table of Contents

1 Introduction................................................................................................................................................3

1.1 Role played by:................................................................................................................................3

1.2 Activities for Content Producers ...................................................................................................4

1.2.1 Portal Tools for NetWeaver Producers ....................................................................................................4

1.2.2 View all Consumers which are registered on Producer Portal ............................................................18

1.2.3 Enabling/Disabling Access to Registered Consumers.........................................................................20

1.2.4 Removing Consumers .............................................................................................................................20

1.2.5 Exposing Content to Consumers ...........................................................................................................24

1.3 Activities for Content Consumers ...............................................................................................25

1.3.1 Portal Tools for NetWeaver Consumers.................................................................................................25

1.3.2 View all Producers which are registered on Consumer Portal ............................................................26

1.3.3 Enabling/Disabling Access to Registered Producers...........................................................................28

1.3.4 Removing Producers ...............................................................................................................................30

1.3.5 Producer Registration (Adding Producers) ...........................................................................................31

1.3.6 Getting Remote Content from Producers ..............................................................................................37

1.3.7 Assigning End-User Permission to Producer Objects and Content....................................................37

1.4 Step-by-Step process of ‘Remote Role Assignment’ ................................................................39

1.5 Problems/Errors/Exception..........................................................................................................45

Related Content ..............................................................................................................................................46

Copyright .........................................................................................................................................................47



1 Introduction

Federated Portal Network

A federated portal network (FPN) allows organizations with multiple portals, SAP and non-SAP, to share content between the portals. By implementing a federated portal network and sharing content between portals, organizations can provide users at each location with a single portal access point. From each portal configured as an access point, the users are able to access information, services and applications distributed on portals throughout the entire organizational network.

This article describes the activities to be followed for implementing Federated Portal Network between SAP-SAP portals. It is applicable to content usage mode: ‘Remote Role Assignment’

1.1 Role played by:

1) User admin

1) Configuring the Federated Portal Network

- Connect to the user repository (Producer and consumer)

2) Creating the Federated Portal Network

- Assign remote roles to local users (consumer, optional)

2) System Admin

1) Configuring the Federated Portal Network

- Configure system settings (producer and consumer)

- Define and configure producers (consumer)

- Set permissions (producer)

2) Maintaining the Federated Portal Network

- Configure user mapping (optional)

- Maintain your portal network

3) Content Admin

1) Creating Federated Portal NetworkContent

- Copy remote content to local portal (consumer, optional)

- Create proxy-to-portlet iViews (consumer, optional)

- Configure content (consumer, optional)

2) Maintaining the Federated Portal Network

- Check copied content for changes (optional)

4) End User

1) Work with the Portal



1.2 Activities for Content Producers

1.2.1 Portal Tools for NetWeaver Producers

Navigation Path Tool/Screen Description

System Administration → System Configuration → Keystore Administration

Keystore Administration

Set up trust between your portal and other NetWeaver consumer portals. Setup trust between Consumer portal and Producer portal

Note: The Visual Administrator tool is also need to complete the trust configuration

Setup trust between Consumer portal and Producer portal

Procedure

The following procedure describes how to exchange portal server certificate files between the producer and the consumer. If you are setting up the mandatory one-way trust configuration, perform the procedure once only. If you are setting up the optional two-way trust configuration, perform the procedure twice by alternating the producer and consumer as shown in the following table.

Certificate-Issuing Portal Certificate-Receiving Portal

Pass 1 (mandatory) Consumer Producer

Pass 2 (optional) Producer Consumer

Activities on the Certificate-Issuing Portal (e.g tcs051014)

Fig. 1 - Activities on the Certificate-Issuing Portal



Description:

Above snapshot is of Consumer Portal while exporting certificate to Producer Portal. This section describes how to export a keystore file from your portal (the certificate-issuing portal).

1. In the Content tab, click on “Download verify.der File”. 2. Browse to the folder in which you want to save the file, and save it. Assign .ZIP extension to the file

name. Here save verify.der.zip file to local system (e.g. C:\Documents and Settings\154085\Desktop\temp\verify.der.zip).

3. Open the compressed file and extract verify.der file (e.g. C:\Documents and Settings\154085\Desktop\temp\verify.der).It will create verify.der folder containing verify.der security certificate.

4. Manually transfer the verify.der file to a system administrator of the certificate-receiving portal.

Activities on the Certificate-Receiving Portal (e.g saptcs02)

Fig. 2 - Activities on the Certificate-Receiving Portal

Description:

Above snapshot is of Producer Portal while importing certificate from Consumer Portal. This section describes how to import the certificate file you received from another portal (the certificate-issuing portal) and to configure the necessary authorization settings.



Importing the 'verify.der' File

1. In the portal, navigate to System Administration → System Configuration → Keystore Administration.

2. In the Import Trusted Certificate tab, click Browse.

3. Choose the verify.der file you obtained.

4. In the Alias field, specify a unique name (e.g. Fromtcs051014) for the key you are importing. The name should allow you to easily identify the portal it refers to.

5. Click Upload.

6. Open the Content tab and make sure that the key is listed in the keystore list.

Configuring Authorization Settings

1. Open the Visual Administrator tool.

1.1 Click “New”

Note: The above snapshot is after creating connection (e.g. “EP4saptcs02”) with SAP J2EE Engine

1.2 Enter Display Name (e.g. EP4saptcs02). Select “Direct Connection To a Dispatcher Node” radio button.

Click “Next”



1.3 Enter following fields:

User Name (e.g. “Administrator”)

Host (e.g. “XXXX.XXXX.XXXX.XXXX” (IP address) as saptcs02 is Producer Portal i.e. Certificate-Receiving Portal)

Port (e.g. 52004)

Transport Layer: default

1.4 Click “Save”. It will create connection “EP4saptcs02” as shown in the snapshot below and click “Connect”.



1.5 Screen will prompt for Password. Enter authorized password and click “Connect”

2. Navigate to Server Node (e.g. saptcs02) → Services → Security Provider.

3. In the right-hand pane, navigate to the Runtime → Policy Configuration tab.

4. In the Components list, choose the ticket component.

Following screen appears:

Fig. 3 - Visual Administrator for saptcs02



5. Switch to edit mode by clicking icon (encircled in snapshot below).

Select each template or application that uses the login module CreateTicketLoginModule, for example, the template ticket. The login module stack for this component appears.

The table below shows the login module stack for the ticket template as it is delivered with the J2EE Engine. In this case, the option ume.configuration.active=true is set in the policy configuration for the ticket template.

Ticket Template Login Module Stack

Login Modules Flag Options

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.jaas. EvaluateTicketLoginModule

SUFFICIENT {ume.configuration.active=true}

com.sap.security.core.jaas. CreateTicketLoginModule

OPTIONAL {ume.configuration.active=true}

EvaluateAssertionTicketLoginModule SUFFICIENT {}

6. In the Authentication tab, choose the following login module:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule and click “Modify” and “Edit Logon

Module” screen will appear as below.



Note: Define a new set of parameters in the login module for each certificate-issuing portal. For each set of parameters, increment the suffix in the parameter name. For example: trusteddn2, trustediss2, trustedsys2, and so on.

Here trusteddn3, trustediss3, trustedsys3 are used as trusteddn1, trustediss1, trustedsys1 and trusteddn2,

trustediss2, trustedsys2 are already in use.

7. In the “Edit Logon Module” screen create the following parameters in the Options table:

Parameter Name Value

trusteddn3 Enter the distinguished name of the certificate owner. You can obtain this value as follows:

1. In the receiving portal, navigate to System Administration → System

Configuration → Keystore Administration.

2. In the Content tab, choose the alias of the certificate-issuing portal (e.g

“Fromtcs051014” – refer to section 1.2.2) in the dropdown list.

3. Copy the value of the DN of Owner property (e.g OU=J2EE,CN=EP1).



trustediss3 Enter the distinguished name of the certificate issuer. You can obtain this value as follows:

1. In the receiving portal, navigate to System Administration → System

Configuration → Keystore Administration.

2. In the Content tab, choose the alias of the certificate-issuing portal (e.g

“Fromtcs051014” – refer to section 1.2.2) in the dropdown list.

3. Copy the value of the DN of Issuer (e.g OU=J2EE,CN=EP1) property.



trustedsys3 Enter the system ID and client ID of the certificate-issuing portal. Use the <System_ID>,<client_ID> format and separate values with a comma (,). 1. System ID: Specifies the 3-letter ID defined during the installation of

the portal.

2. Client ID: Specifies the client ID as specified in the login.ticket_client

property of the UME Provider in the portal. For a Java stack, the

default client ID is 000; however, in an Add-In installation, the client

ID must be unique and therefore cannot be 000.

NOTE: Description of the scenario – “Add-In- installation” where

client ID must be unique and cannot be 000 is explained in section

“Specifying the J2EE Engine Client to Use for Logon Tickets”

below.

In current scenario value of <System_ID>,<client_ID> is EP1, 000

8. Restart the server.

Specifying the J2EE Engine Client to Use for Logon Tickets

Use

When issuing logon tickets, it is necessary to make sure that the user’s ID for which the logon ticket has been issued is unique. For SAP Web AS, this includes determining the system ID and the client where the user exists. These attributes are necessary when maintaining the access control list in accepting systems and are therefore included in the user’s logon ticket.

When the J2EE Engine is the ticket-issuing system, its system ID is used as specified in the installation. Although the J2EE Engine does not have a client, it still needs to provide a client value to use for logon tickets so that the tickets can be accepted by other systems, for example, from an SAP Web AS ABAP. The default client for the J2EE Engine is 000, however, you can explicitly set a different value to use.



The system ID and client combination must be unique when tickets are to be accepted by an SAP Web AS ABAP system. Therefore, in an Add-In installation, where the system IDs are the same, you must change the default client for the J2EE Engine (000) to a client that does not exist on the SAP Web AS ABAP system.

You can specify the configuration for logon tickets either in the UME properties or in the options for the login module CreateTicketLoginModule. The configuration to use depends on the value of the property ume.configuration.active.

If you use the UME configuration, then to specify the J2EE Engine’s client set the property login.ticket_client in the UME property sheet as specified in the snapshot below:

Note: Value of login.ticket_client must match with the value of client_ID defined for “trustedsys3” in section “In the “Edit Logon Module” screen create the following parameters in the Options table:” In current scenario the value of <System_ID>,<client_ID> is EP1, 000, where client_ID = ‘000’ which matches with login.ticket_client value.

Otherwise, set the property client in the options for the login module CreateTicketLoginModule. (The reason for these two configuration options is to provide for downward compatibility.)

See the procedures below for information about checking the ume.configuration.active property and where to set the logon ticket client property.



Procedure

Checking the Property ume.configuration.active

To check the value of the property ume.configuration.active for the login module CreateTicketLoginModule, use the Security Provider service. Check for this parameter in both the policy configurations as well as in the user store configuration.

1) Checking the Property in the Policy Configurations

1. In the Security Provider service, choose Policy Configurations.

2. Select each template or application that uses the login module CreateTicketLoginModule, for

example, the template ticket.

The login module stack for this component appears.

Select each template or application that uses the login module CreateTicketLoginModule, for example, the template ticket. The login module stack for this component appears.

The table below shows the login module stack for the ticket template as it is delivered with the J2EE Engine. In this case, the option ume.configuration.active=true is set in the policy configuration for the ticket template.

Ticket Template Login Module Stack

Login Modules Flag Options

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.jaas. EvaluateTicketLoginModule

SUFFICIENT {ume.configuration.active=true}

com.sap.security.core.jaas. CreateTicketLoginModule

OPTIONAL {ume.configuration.active=true}

EvaluateAssertionTicketLoginModule SUFFICIENT {}

2) Checking the Property in the User Store Configuration

1. In the Security Provider service, choose the User Management tab page.

2. Choose UME User Store.



3. Select the login module CreateTicketLoginModule and choose View / Change Properties.

The options are shown in the Options section. Following screen appears. Set the value of ume.configuration.active=true (encircled in snapshot).



Recommendation

If the ume.configuration.active property (or any other property) is set in the policy configurations and not in the login module options in the user store, then we recommend moving the setting(s) to the user store.

Reason

If properties are set in the login module options in the user store, then these properties are inherited by the policy configurations that use the corresponding login module.

However, if a property is set in the policy configurations, then no inheritance will take affect, even for additional properties that are set in the user store. Therefore, we recommend only setting options in the user store and not in the policy configurations.


System Administration → System Configuration → Service Configuration

Service Configuration Editor

1. Configure network proxy settings 2. Configuring your registration password

Configure network proxy settings

Note: Not applicable in current scenario because both Consumer and Producer Portals both are in same domain

Configuring your registration password (To be performed at Producer Portal e.g saptcs02)

Applicable to: remote role assignment, remote delta link, WSRP application sharing (for

NetWeaver consumers only)

Use

For increased security, you can set a registration password, which a NetWeaver consumer needs to enter upon registration with your producer portal

The procedure described here is only applicable for NetWeaver consumers. For non-SAP consumers, you need to set up consumer-specific users on your producer portal

This is a global setting for all NetWeaver consumers; you cannot set a different registration password for each consumer.

Procedure

1. In the producer portal, navigate to System Administration → System Configuration → Service

Configuration.

2. In the Portal Catalog, navigate to the com.sap.portal.ivs.wsrpservice application.

3. Open the AutoGenProducer1_0 service.

4. Enter a password in the REGISTRATION_PASSWORD property.

The default password is password. If you enter a blank password, the consumer does not

request one upon registration. Refer to snapshot below.

5. Save and close the service.

6. Open the com.sap.portal.ivs.wsrpservice application, and restart the



com.sap.portal.ivs.wsrpservice|AutoGenProducer1_0 service.

7. Close the editor.



1.2.2 View all Consumers which are registered on Producer Portal


System Administration → Federated Portal → Myself as Content Producer → View My Consumers

View My Consumers

1. View all consumers which are registered on your portal

2. Block and unblock content consumers

3. Remove content consumers

Applicable to: remote role assignment, remote delta link, WSRP application sharing

Use

In the portal you can view all NetWeaver and non-SAP portals that have registered themselves as consumers on your producer portal.

Prerequisites

You have access to the federated portal administration tools in the standard System Administration role on your portal.

Procedure

In the portal, navigate to System Administration → Federated Portal → Myself as Content Producer → View My Consumers.

Fig. 4 – View My Consumers



In the View My Consumers screen, the following details are displayed:

Column Description

Status Displays the current access status of a registered consumer on your portal: • Access allowed: The content consumer is permitted to access your

portal and use shared content. • Access blocked: The content consumer is not permitted to access

your portal and use shared content.

Last Interaction Displays when the consumer last interacted successfully with your portal

(Interactions include WSRP-related procedures only, such as consumer registration, execution of remote content from the consumer portal, and the display of remote portlets in the iView wizard (WSRP application sharing mode).)

It does not include remote Portal Catalog lookup (between NetWeaver portals only) and connection tests, for example.)

Consumer Name Displays the name of the consumer (e.g “tcs051014”)

(NetWeaver consumers define their name in the Producer Registration tool)

Vendor Displays the vendor of the consumer (e.g “NetWeaver”)

In this screen, you can also: 1. Refresh the list of consumers. Click “Refresh”.

2. Block and unblock content consumers (Refer to section: “Enabling/Disabling Access to

Registered Consumers”)

3. Remove content consumers (Refer to section: “Removing Consumers)



1.2.3 Enabling/Disabling Access to Registered Consumers


Use

In the View My Consumers screen, you can block or unblock access to your portal by other portals that are already registered as consumers of your portal. The Status column displays the current access status of the consumer.

The Block Access and Allow Access settings have no effect on your ability to consume content from the same portal if you are a registered consumer of their content.

By default, a consumer is allowed access to your portal upon registration.

Prerequisites

You have access to the federated portal administration tools in the standard System Administration role on the producer portal.

Procedure

2.1 In the portal, navigate to System Administration → Federated Portal → Myself as Content

Producer → View My Consumers.

2.2 Select the checkbox of the consumer(s) whose access status you want to change.

2.3 o Click Block Access to prevent a consumer from interacting with your portal and using

shared content. o Click Allow Access to allow a blocked consumer to interact with your portal and use shared

content.

The Status column displays the current status of each consumer portal.

1.2.4 Removing Consumers


Use

In the View My Consumers screen, you can remove a consumer instance from your portal.

When you remove a consumer, all content (including its personalization data) on the consumer that originates from your portal becomes permanently invalidated. The consumer is then unable to use or restore the validity of these content objects. If the consumer has additional instances registered on the portal, the content consumed through those instances is not affected.

To temporarily prevent a content consumer from using your content, use the Block Access option instead.

Prerequisites

You have access to the federated portal administration tools in the standard System Administration role on the producer portal.



Procedure

1. In the portal, navigate to System Administration → Federated Portal → Myself as Content

Producer → View My Consumers.

2. Select a consumer(s).

3. Click Remove. (Refer to Fig. 4 – View My Consumers)

4. Accept the confirmation message. The consumer is removed from the consumer display list.

Result

You have removed the consumer from your portal. All content consumed by the consumer in the same registration scope becomes invalidated.

The portal does not notify the consumer portal upon its deletion. We recommend that you manually notify the consumer to manually remove the producer from their portal in the Manage My Producers screen.


System Administration → Permissions → Portal Permissions

Permission Editor

Assign permissions to portal content to make it available to consumers and assign runtime permissions.

Note: In current scenario it is applicable to “Remote Role Assignment” content usage mode

(Permission Editor is also accessible from the Portal Content Studio, which allows you to assign permissions to portal content, such as iViews and roles. However, you are required to assign permissions to portal components—the Portal Content Studio does not display portal components. Therefore you will also need to use the main Permission Editor to access portal components.)

In remote role assignment mode, the system administrator on a NetWeaver producer (e.g saptcs02) must set permissions to its roles (e.g “MyRoleBHBP”) to expose them to user administrators from a NetWeaver consumer.

Setting Permissions on the Producer for ‘Remote Role Assignment’

Applicable to: remote role assignment

Use

To support the design time workflow and runtime activities for remote role assignment on the consumer portal, permissions need to be configured by administrators on both the producer and consumer portal.

The permissions that must be assigned on the producer portal so that: - User administrators on a consumer portal can search for remote roles and assign users (e.g user id: “146306” – Preeti Iyer) to them. - Business users on a consumer portal can run content embedded in a remote role.



Prerequisites

1. The same user (e.g user id: “146306” – Preeti Iyer) base exists on both producer (e.g saptcs02) and consumer (e.g tcs051014) portals.

2. Roles (e.g “MyRoleBHBP”) have been created on the producer portal.

3. Owner permission in the objects to which you want to assign permissions.

4. Access to the Permission Editor in the portal.

Procedure

Certain settings must be configured on the producer before the consumer can perform remote role assignment, while other settings must be performed after remote role assignment has taken place on the consumer.

Permissions Settings on the Producer Portal before Remote Role Assignment

In the Permission Editor on the producer portal, assign the permissions described below: Object (on Producer)

Target User (on Consumer)

Permission Level

Description

Role User Admin -or- Delegated User Admin

Role assigner: enabled

Allows the user administrator on the consumer portal to do the following in the Identity Management tool:

1. Search for and view the remote role.

2. Assign local users on the consumer to the remote role.

Permissions Settings on the Producer Portal after Remote Role Assignment

Object (on Producer)

Target User (on Consumer)

Permission Level Description

Portal component (for iViews, pages, and page layouts)

Business user End user: enabled

Allows users to execute the iViews, pages, and layouts at runtime, which are assigned to remotely assigned roles.

System Business user End user: enabled

If an iView on the producer uses a system object to enable access to a backend system, the system administrator on the producer must assign end-user permission to business users in these system objects.

Once the remote roles can be accessed by the consumer, the user administrator can then assign these roles to their users and groups.

Note: Once a remote consumer has assigned users to your roles, make sure you adhere to the following instructions to ensure the continuous availability of remote roles:

Do not change the ID of the role. You can however change the role name. Steps to change the ID of the role (e.g “MyRemoteBHBP”) are shown in snapshots below.

Do not move the role to a new PCD location.



Fig. 5 – Step 1 to change ID of the role “MyRemoteBHBP”

Fig. 6 – Step 2 to change ID of the role “MyRemoteBHBP”




Content Administration → Portal Content

Portal Content Studio

1. Create and manage content.

The Portal Content Studio provides a central

environment for developing and managing

the following types of portal content:

(iViews, pages, Layouts, roles, worksets,

business objects, business object operations)

2. Set permissions to portal content objects

(see references above for “Permission

Editor”)

1.2.5 Exposing Content to Consumers

To make content on your portal available to other consumers, you need to assign the appropriate portal permissions to content on your producer portal. The manner, in which you assign the permission, the type of permission needed, and the need to apply additional settings, depends on which content usage mode you choose to support.

Content usage modes that support the federated portal network scenario in SAP NetWeaver Portal:

1) ‘Remote Role Assignment’ Mode

2) ‘Remote Delta Link’ Mode

3) ‘WSRP Application Sharing’ Mode

Note: Out of these 3 content usage modes only ‘Remote Role Assignment’ mode is applicable for the current scenario



1.3 Activities for Content Consumers

1.3.1 Portal Tools for NetWeaver Consumers

Navigation Path Tool/Screen Functionality

System Administration → System Configuration → Keystore Administration

Keystore Administration Set up trust between your portal and other NetWeaver producer portals)

Refer to section:

Setup trust between Consumer portal and Producer portal

Activities on the Certificate-Issuing Portal

Navigation Path Tool/Screen Functionality

System Administration → System Configuration → Service Configuration

Service Configuration Editor ● Configure network proxy settings (Configuring Proxy Settings)

● Configure general cache settings for a portal in a federated network (Congiguring Caching for the Federated Portal)

● Configure settings to optimize your consumer profile (Optimizing Your Consumer Profile)

Note: Following activities are not applicable in current scenario:

Configure network proxy settings Configure general cache settings for a portal in a federated network Configure settings to optimize your consumer profile

Navigation Path Tool/Screen Functionality System Administration → Federated Portal → Myself as Content Consumer → Cache Management

Content Cache ● Clear cached role content that you have consumed through remote role assignment.

● Synchronize remote delta link content on the consumer with updates made to its source content on the producer. (Configuring Caching for the Federated Portal)




Clear cached role content that you have consumed through remote role assignment Synchronize remote delta link content on the consumer with updates made to its source content on the

producer.

Navigation Path Tool/Screen Functionality System Administration → Federated Portal → Myself as Content Consumer → Cache Management

Cache Configuration Configure cache settings specific to federated portal content (Configuring Caching for the Federated Portal)


Configure cache settings specific to federated portal content

1.3.2 View all Producers which are registered on Consumer Portal

Navigation Path Tool/Screen Functionality System Administration → Federated Portal → Myself as Content Consumer → View My Producers

View My Producers 1. View all the producers on which you are registered 2. Block and unblock content

producers


Use

You can view all the NetWeaver and non-SAP producers you have defined on your consumer portal. Useful information about each producer is also displayed.

Prerequisites

You have access to the federated portal administration tools in the standard System Admin role on your portal.

Procedure

In the portal, navigate to System Administration → Federated Portal → Myself as Content Consumer → View My Producers.



Fig. 7 – View My Producers

In the View My Producers screen, the following details are displayed: Column Description

Status Displays the current registration and access status of a registered producer on your portal: • Not registered: You have not registered the content producer. • Access allowed: You have registered the producer and all types of interaction

with it from your portal are permitted. • Access blocked: You have registered the producer, but all types of interaction

with it from your portal are not permitted.

Last Interaction

Displays when your portal last interacted successfully with the producer. (Interactions include WSRP-related procedures only, such as consumer registration, execution of remote content from the consumer portal, and the display of remote portlets in the iView wizard (WSRP application sharing mode).) It does not include remote Portal Catalog lookup (between NetWeaver portals only) and connection tests, for example.

Producer Name

Displays the name of the producer. (e.g. “saptcs02_Producer”)

Producer URL

Displays the URL of the producer. (e.g. “http://saptcs02:52000/irj/servlet/prt/portal/prtroot/com.sap.portal.wsrp.coreproducer.WsdlGenerator”)

Vendor Displays the vendor of the producer. (e.g. “NetWeaver”)

Alias Displays the aliases assigned to the producer. (e.g “saptcs02_Producer”)



In this view, you can also:

1. Refresh the list of producers. Click Refresh.

2. Block and unblock content producers. (Refer to section: “Enabling/Disabling Access to

Registered Producers”)

1.3.3 Enabling/Disabling Access to Registered Producers Applicable to: remote role assignment, remote delta link, WSRP application sharing Use In the View My Producers screen you can permit or block access to registered producers from your

consumer portal.

If the producer is registered as a consumer on your portal, the Block Access and Allow Access capabilities you have as a consumer have no effect on the producer's ability (as a consumer) to consume content from your portal. Explanation as below:

On “tcs051014” Portal acting as both Consumer and Producer Portal

In Fig. 8 Myself as Content Consumer -> View My Producers saptcs02 with Producer Name “saptcs02_Producer” acts as Producer Portal

Fig. 8 – saptcs02 with Producer Name “saptcs02_Producer” acts as Producer Portal



In Fig. 9 Myself as Content Producer -> View My Consumers saptcs02 with Consumer Name “saptcs02” also acts as a Consumer Portal

Fig. 9 - saptcs02 with Consumer Name “saptcs02” also acts as a Consumer Portal

So here even if “Block Access” is enabled under Myself as Content Consumer -> View My Producers -> saptcs02_Producer (Producer Name), it have no effect on the producer’s (saptcs02) ability (as a consumer and tcs051014 as a producer) to consume content from “tcs051014” portal.

Prerequisites You have access to the federated portal administration tools in the standard System Admin role on the

consumer portal. Procedure 1. In the portal, navigate to System Administration → Federated Portal → Myself as Content Consumer → View My Producers.

2. Select the checkbox of the producer(s) whose access status you want to change. 3.

o Click Allow Access to permit your portal to interact with a blocked producer and use its shared content.



o Click Block Access to prevent your portal from interacting with a producer and using its shared content.

The Status column displays the current status of each producer portal.

1.3.4 Removing Producers Applicable to: remote role assignment, remote delta link, WSRP application sharing Use You can remove a producer if you no longer want to use the content exposed by it, if the producer portal is no longer running, or for any other reason.

(When you remove a producer, all content that originates from the producer in the same registration scope remains intact on your portal, but becomes invalidated and all personalization settings are permanently lost. Content you have consumed through additional instances of the same producer are not affected. If you add the same producer, you still are not able to restore the functionality of the invalidated content.)

You can remove a producer if you no longer want to use the content exposed by it, if the producer portal is To temporarily prevent a content consumer from using your content without deleting it, use the Block Access feature instead. For more information, refer to Section: “Enabling/Disabling Access to Registered Producers”

Prerequisites You have access to the federated portal administration tools in the standard System Admin role on the consumer portal.

Fig. 10 – Removing Producer/s



Procedure 1. In the portal, navigate to System Administration → Federated Portal → Myself as Content Consumer → Manage My Producers. 2. In the Portal Catalog, navigate to the producer object you want to remove. 3. Right-click the producer object and choose Delete. A confirmation message is displayed. 4. Confirm the delete action.(Refer to Fig. 10) 5. Delete any proxy-to-portlet iViews and copied content you have generated on your consumer

Result You have removed the selected producer instance from your portal.

Note: However that no unregistration procedure for your consumer is performed on the producer portal. Therefore, on a NetWeaver producer you are still listed in their View My Consumers screen. We recommend that you notify the producer and request they remove your consumer instance from their portal.

1.3.5 Producer Registration (Adding Producers)

System Administration -> Myself as Content Consumer -> Manage My Producers

Under “NetWeaver Content Producers” folder

1) Right click “NetWeaver Content Producers” folder -> New -> NetWeaver Content Producer (Refer to Fig. 11)

Fig. 11 – Producer Registration



2) Step 1: General Properties

Producer Name: “saptcs02_Producer”

Producer ID: “saptcs02_Producer”

Producer ID Prefix (optional)

Click “Next”

Fig. 12 – Producer Registration (Step 1 – General Properties)

3) Step 2: Define Producer URL

Protocol: http

Host name: “saptcs02”

Port: 52000

Path of WSDL Definition File: (Default path to the WSDL file)

/irj/servlet/prt/portal/prtroot/com.sap.portal.wsrp.coreproducer.WsdlGenerator

Click “Next”



Fig. 13 – Producer Registration (Step 2 – Define Producer URL)

4) Step 3: Summary

Click “Finish

Open the object for editing”



Fig. 12 – Producer Registration (Step 3 – Summary)

5) Producer Alias Editor (Alias Name: “saptcs02_Producer”)

In this screen, you can view the alias of the selected producer portal. The alias is used in various administrative and user interfaces to identify the producer portal.

The alias is automatically defined by your portal and cannot be changed. You cannot add or remove aliases.

Fig. 13 – Producer Registration (Producer Alias - “saptcs02_Producer”)

6) Tests the connection to the WSDL file and ports of a content producer

Fig. 14 – Producer Registration (Test the Connection)



7) Producer Registration

Your Consumer Name: “tcs051014_Consumer_Demo”

Your Consumer URL: “http://tcs051014:50000/irj/portal”

Registration Password: “Marudhar123”. This is the password which is set at Producer Portal (saptcs02) shown in snapshot below:

Note: Password setting is optional. It is used to provide high level of security

Note: Before registering, check connectivity to the producer in the 'Connection Tests' screen.



Fig. 14 – Producer Registration (Producer Registration)

8) Manage My Producers

Manage My Producers enables you to add NetWeaver and WSRP content producers to your portal. You can also test connections as well as register, edit, and delete producers. And you can set permissions to producers and define aliases.

Fig. 14 – Consumer Portal: “tcs051014” successfully registered on Producer Portal: saptcs02



1.3.6 Getting Remote Content from Producers NetWeaver consumer can bring remote content from another portal (NetWeaver and non-SAP) to your portal using the various tools offered in the portal user interface. The “Identity Management tool” supports the federated portal network scenario in SAP NetWeaver Portal: Content Usage Modes:

1) ‘Remote Role Assignment’ Mode 2) ‘Remote Delta Link’ Mode 3) ‘WSRP Application Sharing’ Mode

Note: Currently only ‘Remote Role Assignment’ Mode is applicable

Purpose

In remote role assignment mode, a user administrator on a NetWeaver portal (the consumer) assigns local users to NetWeaver remote roles residing on another portal (the producer).

Process Flow

In the Identity Management tool in the consumer portal, the user administrator does either of the following: o Searches for a remote role and then assigns local users or groups to it. o Searches for a local user or group and then assigns a remote role to it.

1.3.7 Assigning End-User Permission to Producer Objects and Content


Use

End-user permission enables business users to run content at runtime. Just as end users require end-user permission to run local content on your portal, they also need end-user permission for local content originating from a remote producer.

This topic describes when to assign end-user permission to a producer object and the remote-based local content on the consumer portal.

Prerequisites 1. You have authorization to access the main Permission Editor. (Not mandatory for system

administrators who have authorization to access the Manage My Producers screen.) 2. You have owner administrator permission. 3. You have consumed remote content from a producer portal.

Procedure

In the Permission Editor, assign end-user permission as follows:

Content usage mode End-user permission to producer object on consumer

End-user permission to localized content on consumer



Remote role assignment Yes (not applicable)1

Remote content copy Yes Yes2

WSRP application sharing

Yes Yes3

1 No local content is created on the consumer during remote role assignment. 2 Permission is assigned to remote-based local iViews, pages, worksets and roles on the consumer. 3 Permission is assigned to proxy-to-portlet iViews on the consumer.

(In addition to the end-user permission assigned to remote-based local content on the consumer, the system administrator on the producer must also assign end-user permission to the remote content on the producer. End users also require permission to run the portal components on which remote iViews and pages are based; these portal components are located in security zones on the producer.)

If an iView on the producer uses a system object to enable access to a backend system, the system administrator on the producer must assign end-user permission to consumer-based business users in these system objects.



1.4 Step-by-Step process of ‘Remote Role Assignment’

Step 1: Remote role creation at Producer Portal • “MyRoleBHBP” role is created at Producer Portal (saptcs02) having “BHBP_WS” as workset and

“BHBP_Page” page within workset.



Step 2: Scenario before ‘Remote Role Assignment’ • When user “146306” (Preeti Iyer) logs in Consumer Portal (tcs051014), following screen appears.

Here remote role “MyRoleBHBP” assignment is still not done.

Note: User “146306” (Preeti Iyer) must have “End User” role on the content object at Producer Portal

Step 3: User Mapping (Remote iViews)

Description

- Mapping of logon credentials for users, such as user name and password, to secured data sources

provides Single Sign-on (SSO) capabilities.

- With SSO with user mapping, users are not prompted for logon information every time an iView

retrieves data from a secure source at runtime.

- In the federated portal network users which are executing producer content connected to systems

must be mapped to systems defined on the producer.

- The user mapping can be accomplished from the producer or the consumer.

• User “154085” (Kapil Sharma - Role to be played by “User Admin”) logs in Consumer Portal

(tcs051014).



• Go to Personalize -> User Mapping (Remote iViews) -> Select “saptcs02_Producer” from Remote

Content Provider. Here choose a producer to display its systems and properties for entering logon data. Following screen appears prompting to enter your user mapping credentials for content originating from a remote producer portal. Exit from User Mapping (Remote iViews) screen.

• Enter User credentials of Remote Producer Portal i.e “saptcs02”

User id: 154085 (Kapil Sharma)

Password:XXXX

Now “User Admin” (154085 – Kapil Sharma) can perform remote role assignments on Consumer Portal



Step 4: Assigning remote roles (“MyRoleBHBP”) local users “146306” (Preeti Iyer)

• Navigate to User Administration -> Identity Management. Perform role “MyRoleBHBP” assignment to

local users “146306” (Preeti Iyer) • Steps:

o Enter “146306” in search criteria o Click Modify. Select Assigned Roles tab o Under “Available Role”, select “saptcs02_Producer” in search criteria. o Enter “*” to search all the remote roles available on Producer Portal “saptcs02”. Alternatively

search for “MyRoleBHBP” remote role. Following screen appears displaying remote role “MyRoleBHBP”.

o Assign “MyRoleBHBP” to user “146306” (Preeti Iyer). Following screen shows remote role

“MyRoleBHPB” successfully assigned to local user “146306” (Preeti Iyer).



o Save the changes



Step 5: Scenario after ‘Remote Role Assignment’

• Now when user “146306” (Preeti Iyer) logs in Consumer Portal (tcs051014), following screen

appears. Here remote role “MyRoleBHBP” assignment is still successfully done, so remote role “MyRoleBHBP” (encircled) appears under Navigation Structure

NOTE: To enable remote role “MyRoleBHBP” to appear under Navigation Structure set “Entry

Point” property of remote object = true

• Following screen appears on click to “MyRoleBHBP”



1.5 Problems/Errors/Exception • Problem may get encounter due to following reason:

1. User should exist in both user store of Consumer and Producer portal otherwise it won’t work.

2. Incase if the registration is successful then there might be some problem with your servers

(Consumer & Producer) clock timings. 3. If runtime exception gets encountered on click to remote role because of Access denied to

Object (snapshot below), then user (User Admin) need to enter user mapping credentials for content originating from a remote producer portal through User Mapping (Remote iViews)

4. ‘Remote Role Assignment’ may get fail perhaps because user to whom remote role assignment is done doesn’t have “End User” role assigned to him/her at Producer Portal. End-user permission enables business users to run content at runtime. Just as end users require end-user permission to run local content on your portal, they also need end-user permission for local content originating from a remote producer.

5. You should have Owner permission in the objects to which you want to assign permissions

otherwise ‘Remote Role Assignment’ wont work.

6. In the portal content studio, open the producer under 'NetWeaver content producers'. If it does not contain folders in it, the registration is considered to be unsuccessful even though it stated it was successful while registration.

7. Change the data source to Producer object id while searching producer role in consumer

user administration

8. Make sure your administrator does not have any remote roles assigned to him/her. Do this when you can afford a potential downtime. In System administration -> System configuration -> Service configuration you'll find com.sap.portal.gpnavigationconnector. Restart it. After this is done (might take a while) try to get the remote roles again. If this works, you have probably not updated your system with the latest patch from SMP. Another thing to check: In the portal content studio, open the producer under 'NetWeaver content producers'. If it does not contain folders in it, the registration was unsuccessful even though it stated it was.

9. During the process of Registering (Adding) Producer Portal, while entering the connection

parameters of the NetWeaver producer portal use appropriate Host name against “Host Name” input field instead of IP address. Perhaps this might create some problem during execution in later stage. E.g. Host Name: use “saptcs02” instead of XXXX.XXXX.XXXX.XXXX (IP address)



Related Content 1) Activities for Content Consumers

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/22387b0b413fe1e10000000a11466f/frameset.htm

2) Activities for Content Producers


3) Workflow: Remote Role Assignment

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/23fd33cad10d23e10000000a1553f7/frameset.htm

4) Configure Remote Role Assignment

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/2dd5abcd-0b01-0010-2c92-81b9f8efc2e1




http://help.sap.com/saphelp_nw2004s/helpdata/en/43/23fd33cad10d23e10000000a1553f7/frameset.htm




Copyright © 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.


FPN

Documents

settings 154085 desktop temp verify

interactions include wsrp

remote delta link

login module createticketloginmodule

identity management tool

login module stack

remote role assignment

content usage modes