Tuesday, 23 August 2011

Track Data Changes

What is Data tracking?
Data tracking is a new feature available in Web Intelligence in BOXI 3.1. Data tracking places your current report data in context by highlighting changed data and displaying the previous value of a dimension or measure along with its current value.
Data Tracking Options:
Web Intelligence XI 3.1 highlights changed data according to parameters you set. You control the formatting of the changed data, the types of changed data highlighted and the amount of data change that triggers data highlighting.
Reference Data:
When you track data changes, you select a particular data refresh as a reference point. This data is known as the reference data. When you display the data changes, Web Intelligence places your current data in context by showing how it relates to the reference data.
Data Refresh with Data Tracking Options and Reference Data:
After some time, when we refresh the same report, Web Intelligence compares the newly refreshed data with the reference data (described above) and shows the changes according to the parameters you set in the data tracking options.
Advantages:
We can focus our analysis on key areas and avoid wasting time exploring irrelevant data.

Tuesday, 19 July 2011

Business Objects FRS Pruning


Hello Techies,

This is the continuation of the Business Objects File Repository Servers blog, and we are going to see how to optimise the File Repository Servers by FRS pruning.

Have you ever had the chance to see how a Crystal or WebI document or instance is stored internally in the file system? Here it is.

The document is saved internally in the file system within one or more folders whose names are randomly generated.
What happens if the report or the instance is deleted?

Only the report or the instance is deleted, and the temporary folders are left as they are. As a result, over time there will be thousands of folders in the FRS, which complicates the FRS backup for the administrator. The backup process becomes very time consuming and occupies more space, and eventually the FRS becomes inefficient.

How to get rid of this?

The “-Prune” switch, added at the end of the command line of the File Repository Servers, comes in handy here.

Working with FRS Pruning and Tracing

The -Prune switch, added at the end of the command line of the servers, triggers the server to go through the ‘Input’ or ‘Output’ folders in the internal ‘Filestore’ folder of Business Objects Enterprise and clean up all the empty directories.

The -Trace switch, added at the end of the command line of the servers, logs the activity of that specific server in the ‘Logging’ folder of the BOE installation directory.

We need to delete the empty FRS directories periodically to clean up the disk, but not manually. Instead, the FRS server should be started with the -Prune command-line switch. When this switch is used, the FRS servers’ status remains ‘Starting’ until the deletion is done. Once deletion is done, the servers stop. The -Prune switch then has to be removed manually to allow the servers to start normally.

Add -Trace and -Prune

1. Stop File Servers (both IFRS and OFRS) in CCM (XIR2) or in CMC (XI 3.x).

2. Add the -Prune switch at the end of the command line of each FRS (Input and Output), and also add the -Trace switch at the end of the line so you can check that it is cleaning up the empty files and folders.

3. Start the servers and monitor the pruning process; you should gain more hard disk space.

Remove -Trace and -Prune

1. Stop the servers and remove the -Trace and -Prune switches from the command-line parameters of the FRS.

2. Start the servers again normally.
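To put a number on "more hard disk space", the read-only script below can be run before the servers are started with -Prune and again after they stop. It is an added example, not part of the original post or of Business Objects; the FileStore path is passed in by the operator, and treating "a directory with no files at any depth" as what -Prune removes is an assumption, since the switch is undocumented.

```python
import os
import sys

def prunable_dirs(root):
    """Return directories below root that contain no files at any depth."""
    populated = {}   # path -> True when the directory or a descendant holds a file
    empty = []
    # Bottom-up walk, so every child is classified before its parent.
    for path, subdirs, files in os.walk(root, topdown=False):
        # A child missing from the map (symlink, unreadable) counts as populated.
        populated[path] = bool(files) or any(
            populated.get(os.path.join(path, d), True) for d in subdirs)
        if not populated[path] and path != root:
            empty.append(path)
    return sorted(empty)

def frs_report(filestore):
    """Map 'Input' and 'Output' to their prunable directories (None if absent)."""
    report = {}
    for store in ("Input", "Output"):
        root = os.path.join(filestore, store)
        report[store] = prunable_dirs(root) if os.path.isdir(root) else None
    return report

if __name__ == "__main__":
    # Hypothetical usage: python frs_empty_dirs.py "<BOE install dir>\FileStore"
    for store, dirs in frs_report(sys.argv[1]).items():
        print(store, "missing" if dirs is None else f"{len(dirs)} empty directories")
```

The script only reads the directory tree; it never deletes anything, so it is safe to run while the FRS servers are up.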

Viewing Log files

You can find the log files in the below location (for XI 3.x)

C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\Logging

Points to remember
  • If any empty folders still exist after the pruning process, BO may be keeping them for its housekeeping process.
  • Don’t leave the prune option enabled after the prune has completed. Once pruning has completed successfully, the FRS will be stopped. We have to modify the command line again by removing -Prune and -Trace, and the server has to be started manually.
  • The pruning process does not clean up any CMS object that has lost the FRS files it needs to point to.
Please note that -Prune is an undocumented feature in Business Objects.

We will see more about the Business Objects Servers Tuning in the upcoming blogs.

Happy Blogging!!  Keep reading!!


Friday, 27 May 2011

Windows AD authentication for Business Objects using Kerberos – Part II

This is the continuation of our SSO configuration, starting from the SIA configuration.
4. Configuring the Server Intelligence Agent to use the service account
In order to support Kerberos, Server Intelligence Agent must be configured in CCM to log on as the service account:
To configure a Server Intelligence Agent
1)  Start the CCM.
2)  Stop the Server Intelligence Agent.
3)  Double-click the Server Intelligence Agent and the Properties dialog box is displayed.
4)  On the Properties tab:
  • In the Log On As area, deselect the System Account check box.
  • Enter the user name and password for the service account.
  • Click Apply, and click OK.
5)  Start the server again.
5. Configure the AD plug-in
In order to support Kerberos, we have to configure the Windows AD security plug-in in the CMC to use Kerberos authentication.

To configure the Windows AD security plug-in for Kerberos

  • Go to the Authentication management area of the CMC and Click the Windows AD tab.
  • Ensure that the Windows Active Directory Authentication is enabled check box is selected.
  • In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
  • Enter the credentials that have read access to Active Directory in the Name and Password fields.
Note:
Use the format Domain\Account in the Name field, for example NA\BOLab-Admin.
  • Enter the default domain in the Default AD Domain field.
Note:
Use FQDN format and enter the domain in uppercase; here it is NA.HEXAWARE.COM.
  • In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add.
  • In the Authentication Options area, select Use Kerberos authentication.
  • In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account which was created.
In this case, BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM.
  • Click Update.
6. Configure Tomcat web.xml file
Modify the web.xml file to ensure Windows authentication is enabled.
To configure InfoView for AD authentication mode, configure the web.xml file in the
\Tomcat55\webapps\InfoViewApp\WEB-INF directory.
Edit the web.xml. Then, change the authentication default value to secWinAD.
7. Configure the Krb5AuthLoginModule and krb5.ini
Create a folder in C:\WINNT to store the following two files:
  1. krb5.ini
  2. bscLogin.conf
The contents of the krb5.ini and the bscLogin.conf were the following:
Note:
1. This should be done on all computers that run application servers.
2. KDC is the Domain Controller(s) of the particular domain.
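Because realm names are case sensitive on the Java side, a quick consistency check of krb5.ini before restarting Tomcat saves a round of failed logons. The following is an added example, not the author's files or SAP's tooling: the sample krb5.ini is constructed from this page's lab names (the KDC host name ADSERVER.NA.HEXAWARE.COM is assumed), and the function names are hypothetical.

```python
# Constructed sample; the [realms] key is lower-cased on purpose to trigger the check.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = NA.HEXAWARE.COM
[realms]
na.hexaware.com = {
    kdc = ADSERVER.NA.HEXAWARE.COM
}
"""

def parse_krb5(text):
    """Return (libdefaults, realms) parsed from krb5.ini text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip().lower(), None
        elif line == "}":                    # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm is not None:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def check_krb5(text):
    """List settings that would stop the default realm from resolving to a KDC."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    if not default:
        return ["[libdefaults] has no default_realm"]
    problems = []
    if default != default.upper():
        problems.append(f"default_realm '{default}' is not upper case")
    if default not in realms:
        problems.append(f"no [realms] entry spelled exactly '{default}'")
    for name, settings in realms.items():
        if not settings.get("kdc"):
            problems.append(f"realm '{name}' lists no kdc")
    return problems

if __name__ == "__main__":
    print(check_krb5(SAMPLE_KRB5_INI))
```

Run it against the krb5.ini on every application server, since the file has to be present and identical on each of them.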
8. Configure the Tomcat Java option
Launch the Tomcat Configuration program and add the following Java options to the Java Options of the Java tab.
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
Hope this will be useful for Kerberos based windows AD authentication. Feel free to get back to me in case of any issues. I am privileged to help you all. Happy Blogging!

Monday, 16 May 2011

Windows AD authentication for Business Objects using Kerberos

Hi All,
Hope you continue to read our Series of blogs. Let me discuss something about Single Sign-on implementation in Business Objects in this blog.
Configuring Windows Active Directory SSO with SAP BusinessObjects XI 3.1 is one of the challenges for a Business Objects Administrator. If you go with a Java-based BO deployment, utmost care should be taken, as Java is case sensitive.

What is Single sign-on?

Single sign-on (SSO) is a user authentication process that permits a user to enter one name and password to access multiple applications. This authenticates the user for all the applications they have been given rights to and eliminates further prompts.

Role of Kerberos in SSO

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography where a user authenticates to an authentication server that creates a ticket. This ticket is actually sent to the application which can recognize the ticket and the user is granted access.

This blog refers to

TESTSERVER - BusinessObjects server installed with Windows 2008 server. The version is XI 3.1 SP3
ADSERVER – Active Directory server installed with Windows 2003 server. Its Domain Functional Level is 2003.
BOLAB-ADMIN – Service Account used to run Business Objects Service.

Steps for configuring Windows AD authentication

Below is a general overview of the steps required to configure Business Objects Windows authentication using Kerberos.
  • Setting up a service account
  • Configure the service account rights
  • Register Service Principal Name (SPN)
  • Configuring the Server Intelligence Agent to use the service account
  • Configure the AD plug-in
  • Configure Tomcat web.xml file
  • Configure the Krb5AuthLoginModule and krb5.ini
  • Configure the Tomcat Java option

Setting up a service account

To configure Business Objects Enterprise using Kerberos and Windows AD authentication, we require a service account which should be a domain account that has been trusted for delegation. We can either use an existing domain account or create a new domain account. The service account will be used to run the Business Objects Enterprise servers.
Setting up a service account with delegation on a Windows 2003 Domain
  • Create an account on the domain controller or use an existing account.
  • Right-click on the user accounts, then select Properties.
  • Click the Delegation tab.
    • Select Trust this user for delegation to any service (Kerberos only).

1. Configure the service account rights

In order to support the Active Directory authentication, you must grant the service account the right to act as part of the operating system and log on as a service. This must be done on each machine running the Server Intelligence Agent Service.
To configure this:
1. Click Start -> Administrative Tools -> Local Security Policy.
2. Expand Local Policies and then click User Rights Assignment.
3. Double-click Act as part of the operating system and click the Add User or Group button.
4. Add the user account that has been trusted for delegation and click OK.
5. Double-click Log on as a service and click the Add User or Group button.
6. Add the user account that has been trusted for delegation and click OK.
In order to support Kerberos, we must grant the service account the right to act as part of the operating system. This must be done on each machine running the below servers:
  • CMS
  • Page Server
  • Report Application Server
  • Web Intelligence Report Server

Adding the Service account to the Administrators Group

  • On the desired machine, right-click My Computer and then click Manage.
  • Go to Configuration > Local Users and Groups > Groups.
  • Right-click Administrators and then click Add to Group.
  • Click Add… and enter the logon name of the service account.
  • Click Check Names to ensure the account resolves.
  • Click OK and then click OK again.
  • Repeat these steps for each Business Objects server that has to be configured.

2. Register Service Principal Name (SPN)

If you are deploying Business Objects Services in a network that uses the Kerberos protocol for mutual authentication, you must create a Service Principal Name (SPN) for the Business Objects services if you configure it to run as a domain user account. The SETSPN utility is a program that allows managing the Service Principal Name (SPN) for service accounts in Active Directory.
  • Open a command prompt and enter this command:

SETSPN.exe -A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of the machine running the CMS service, for example Testserver.NA.HEXAWARE.COM. Replace serviceaccount with the name of the service account that runs the CMS service. In this case it is BOLab-Admin.
SETSPN.exe -A BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM BOLab-Admin
  • Once run, we should receive a message similar to the below:
Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM
BOBJCentralMS/HOSTNAME.DOMAIN.COM
Updated object
To get a listing of what is currently registered for the account, run:
SETSPN.exe -L BOLab-Admin
I will discuss more about the subsequent steps in the upcoming blog.