2010-11-154
Getting Started
1.1 About this help
This help describes how to use SAP StreamWork enterprise agent. Procedures are provided for common
tasks. Conceptual information and technical details are provided for all advanced topics.
1.2 Who should use this help
This help covers installation and configuration procedures performed in SAP StreamWork enterprise
agent. We recommend consulting this help if you are setting up SAP StreamWork enterprise agent
and need more information about a particular task. Common tasks include: creating a virtual machine,
specifying installation options, registering SAP StreamWork enterprise agent with the SAP StreamWork
cloud, working with servers, setting security, and managing users and groups.
1.3 About SAP StreamWork enterprise agent
SAP StreamWork enterprise agent lets you manage enterprise user accounts. Use the SAP StreamWork
enterprise agent to provision users in existing enterprise systems, and create user accounts in the SAP
StreamWork cloud.
System Architecture
2.1 SAP StreamWork enterprise agent high level communication
The following diagram illustrates the communication of existing components in your enterprise
(represented in green), the SAP StreamWork cloud components, and SAP StreamWork enterprise
agent components (represented in yellow).
Figure 2-1: SAP StreamWork enterprise agent High Level Communication
The installation section explains how to install and set up SAP StreamWork enterprise agent components.
The configuration section explains how to:
•Enable proxy settings.
•Register SAP StreamWork enterprise agent.
•Manage update settings.
•Set up authentication.
•Manage certificates (optional).
•Set up Single Sign-On (optional).
•Run Diagnosis.
•Provision users.
2.1.1 SAP StreamWork enterprise agent components
The SAP StreamWork enterprise agent components, represented in yellow in the communication
diagram, are:
•Enterprise agent, which provisions users in existing enterprise systems, and creates user accounts
in the SAP StreamWork cloud.
•Web Administration Console, a web-based tool used to perform regular administrative tasks, including
user provisioning, certificate management, registration, and server management.
These components are installed and set up when you install SAP StreamWork enterprise agent.
Related Topics
• Using the Web Administration Console
• To specify installation options
• To specify SAP StreamWork enterprise agent configuration options
2.1.2 Enterprise components
Existing components in your enterprise, to which the SAP StreamWork enterprise agent connects, are
shown in green in the communication diagram. These components are:
•Enterprise Directory
•Reverse proxy server
•Proxy server (optional)
To configure SAP StreamWork enterprise agent, you must have an Enterprise Directory and a reverse
proxy in your domain.
An Enterprise Directory lets SAP StreamWork enterprise agent get the users to provision in the SAP
StreamWork cloud. By mapping your user groups to the SAP StreamWork enterprise agent, users are
able to log into the SAP StreamWork cloud with their enterprise user name and password.
A Reverse proxy in the DMZ allows inbound connections from the SAP StreamWork cloud servers to
your corporate network. Reverse proxy servers protect internal servers from external networks. They
receive requests for internal resources, and proxy those requests onto the relevant machines internally.
A DMZ is a subnetwork that contains your organization's external services and exposes them to a larger
untrusted network, such as the Internet, adding an additional layer of security to your corporate network.
The reverse proxy includes an external address that can be accessed only by the SAP StreamWork
cloud. For example, the following address:
https://ReverseProxy/
Where ReverseProxy is the domain or sub-domain name of your reverse proxy.
The SAP StreamWork cloud uses this address to send information to your corporate network.
The reverse proxy also includes the path to the machine in your network where the SAP StreamWork
enterprise agent is installed. For example, you may use the following path:
Where EnterpriseAgent is the name of the machine in your network containing the SAP StreamWork
enterprise agent image installed from the ISO. The SAP StreamWork enterprise agent is configured to
listen on port 8443.
This address is used to redirect information received from the SAP StreamWork cloud to the machine
containing the SAP StreamWork enterprise agent.
SAP StreamWork enterprise agent supports the use of an outbound proxy server, if your corporate
network requires one for internet access.
Related Topics
• Installation prerequisites
• Managing authentication
• Enabling proxy settings
2.1.3 SAP StreamWork components in the cloud
SAP StreamWork components in the cloud are represented in yellow in the communication diagram.
The SAP StreamWork servers in the cloud send information to the SAP StreamWork enterprise agent
through a reverse proxy. You can configure an outbound proxy server, if your corporate network requires
one to send information to the SAP StreamWork cloud.
Installation
3.1 Installation prerequisites
Before you install and configure the SAP StreamWork enterprise agent on your corporate network,
make sure you can do the following in your domain:
•Create a virtual environment.
•Use Windows Active Directory as your enterprise directory.
•Configure inbound connections through a reverse proxy.
Creating a virtual environment
A virtual environment lets you run multiple virtual machines on a single physical machine, with each
virtual machine sharing the resources of that one physical computer across multiple environments.
To create a virtual machine for the SAP StreamWork enterprise agent, you need a VM Server. SAP
StreamWork enterprise agent currently supports the following VM Servers:
•VMWare vSphere 4.0
•VMWare ESXi 4.0
The virtual machine for the SAP StreamWork enterprise agent must have the following specifications:
Component                Specification
Guest Operating System   SUSE Linux Enterprise 11 64-bit
Memory                   4 GB
Network Connection       VM Network
Virtual Disk Type        SCSI
Minimum Disk Size        50 GB
Using Windows Active Directory as your enterprise directory
An enterprise directory lets the SAP StreamWork enterprise agent get the users to provision in the SAP
StreamWork cloud. The SAP StreamWork enterprise agent supports the use of a Windows Active
Directory (AD) server. Therefore, you need to use Windows AD as your enterprise directory.
By mapping your user groups to SAP StreamWork enterprise agent, users are able to log onto SAP
StreamWork in the cloud with their enterprise user name and password. In order for SAP StreamWork
enterprise agent to read user account information from your enterprise directory, you need to add a
“minimum privilege” (read-only) account for your SAP StreamWork enterprise agent in the Active
Directory Domain controller. To support Single Sign-On to the SAP StreamWork cloud, this account
should be a service account.
Configuring inbound connection through a reverse proxy
To allow inbound connections from the SAP StreamWork cloud servers to your corporate network, you
need to have a reverse proxy in the DMZ.
In your reverse proxy configuration, you need to include an external address that is accessible only by
the SAP StreamWork cloud. For example, you could use the following address:
https://ReverseProxy/
Where ReverseProxy is the domain or sub-domain name of your reverse proxy.
The SAP StreamWork cloud uses this address to send information to your corporate network.
In your configuration, you also need to include the path to the machine in your network where the SAP
StreamWork enterprise agent will be installed. For example, you could use the following path:
Where EnterpriseAgent is the name of the machine in your network containing the SAP StreamWork
enterprise agent image installed from the ISO. The SAP StreamWork enterprise agent is configured to
listen on port 8443.
The reverse proxy uses this address to redirect information received from the SAP StreamWork cloud
to the machine containing the SAP StreamWork enterprise agent. Since the SAP StreamWork enterprise
agent communicates with the SAP StreamWork cloud using a secure URL (https), your reverse proxy
must have a trusted certificate and Single Sign-On must be enabled.
Note:
To add a trusted certificate to your reverse proxy, you need to have a domain or sub-domain name for
your reverse proxy.
Figure 3-1: Reverse Proxy Configuration
Related Topics
• To create a service account on a Windows 2003 or 2008 domain
• Enterprise components
3.2 Workflow for installing the SAP StreamWork enterprise agent
The installation and setup of SAP StreamWork enterprise agent involves this workflow:
1. Creating a VM using the ISO image file that contains the SAP StreamWork enterprise agent, with
the following specifications:
Component                Specification
Guest Operating System   SUSE Linux Enterprise 11 64-bit
Memory                   4 GB
Network Connection       VM Network
Virtual Disk Type        SCSI
Minimum Disk Size        50 GB
An ISO image is an archive file of an optical disc that includes all the data of files contained on the
archived CD or DVD.
2. Starting the virtual machine.
3. Specifying installation options.
4. Specifying SAP StreamWork enterprise agent configuration options.
After you complete these steps, you can use the Web Administration Console to configure SAP
StreamWork enterprise agent.
Related Topics
• Workflow for configuring the SAP StreamWork enterprise agent
3.3 To create a virtual machine from the ISO image file
To complete the steps of this task, you need a supported VM server. For a list of supported VM servers,
see Creating a virtual environment.
Note:
To avoid configuration problems, make sure the VM server time and time zone are correctly set before
the VM is created.
1. Using your VM server, create a new virtual machine.
Select Virtual Machine version 7. This is required since SAP StreamWork enterprise agent runs on
VMWare ESX server version 4.0 or later.
2. To install the guest Operating System, install the disc image file using the ISO.
3. For the guest Operating System, select Linux version SUSE Linux Enterprise 11 64-bit.
4. Name your virtual machine so that you can remember the SAP StreamWork enterprise agent version.
5. Give the virtual machine 4 GB (4096 MB) of memory.
6. For the Network Connection, use “VM Network”.
This allows inbound connections to this machine from the Web Administration Console and from
the SAP StreamWork cloud.
7. For the SCSI Controller, select “LSI Logic Parallel”.
8. Set the Maximum disk size to 50 GB or more.
Note:
Since 50 GB is the minimum disk size required, you need to set the virtual machine's maximum disk
size to be at least 50 GB.
After the virtual machine is created, power-on the machine to launch the SAP StreamWork enterprise
agent installation wizard.
3.4 To specify installation options
After you create a virtual machine from the ISO image, follow these steps to specify installation options
for the operating system of the machine. The SAP StreamWork enterprise agent is installed in the virtual
machine from the ISO image.
Note:
If you need to change any of the values entered during the installation, click the Back button.
1. Power-on the virtual machine and select the option Install/Restore StreamWork Enterprise Agent.
The installation wizard starts.
2. Enter the Hostname and Domain name.
The "Hostname" is the name of your machine and the "Domain name" is the domain in the network
where the machine is installed. They are used to identify the machine where the SAP StreamWork
enterprise agent will be installed.
3. Provide a password for the operating system root user.
The root user is the user name or account that by default has access to all commands and files on
the Linux operating system.
4. (Optional) To edit your network settings, click Configure.
Note:
By default, your network is configured and an IP address is assigned using DHCP.
5. (Optional) If you are not using DHCP, click Edit, select the option Statically assign IP address,
type an IP Address and Subnet Mask to assign to the machine, and click Next.
Note:
Optionally, you can enter a fully qualified hostname for this IP address.
6. Click Next.
The operating system of the virtual machine is installed. Follow the steps in the next section to
specify the SAP StreamWork enterprise agent installation options.
3.5 To specify SAP StreamWork enterprise agent configuration options
After installing and configuring the operating system, follow the steps in the installation wizard to install
the SAP StreamWork enterprise agent.
1. From within your “virtual machine monitor”, select Install VMWare Tools and click Next.
VMWare tools is required for performance enhancements, such as memory management
optimizations, and time synchronization.
2. Select a system administrator password.
Note:
You will need to use this password when you log onto the Web Administration Console to configure
SAP StreamWork enterprise agent.
3. Click Finish.
The installation of SAP StreamWork enterprise agent is complete. Log onto the Web Administration
Console and follow the steps to configure and register SAP StreamWork enterprise agent. The URL to
the Web Administration Console is:
http://hostname/
The variable hostname is the name of the web server machine you specified in the installation.
Related Topics
• Workflow for configuring the SAP StreamWork enterprise agent
• To log onto the Web Administration Console
Configuration
4.1 Configuration prerequisites
To configure SAP StreamWork enterprise agent from the Web Administration Console, you need the
following in your domain:
•SAP StreamWork enterprise agent installed in a virtualized environment.
•A computer that can access the network where SAP StreamWork enterprise agent is installed.
•Adobe Flash Player installed to open Audit Reports.
•A third party SSL certificate or your company's own certificate for the SAP StreamWork enterprise
agent.
•A supported browser to access the Web Administration Console. Currently, SAP StreamWork
enterprise agent supports the following web browsers:
•Internet Explorer 7
•Internet Explorer 8
•Firefox 3.5
•Firefox 3.6
Related Topics
• Workflow for installing the SAP StreamWork enterprise agent
• Managing certificates
4.2 Using the Web Administration Console
The Web Administration Console of SAP StreamWork enterprise agent is a web-based tool to perform
regular administrative tasks, including user provisioning, certificate management, registration, and
server management.
Because the Web Administration Console is a web-based application, you can perform all of these
administrative tasks through a web browser on any machine that can connect to the server.
Related Topics
• Configuration prerequisites
4.2.1 To log onto the Web Administration Console
Log onto the Web Administration Console to configure SAP StreamWork enterprise agent. Follow these
steps to log onto the Web Administration Console for the first time.
1. Type the appropriate URL for the Web Administration Console:
•Go to the page http://hostname.
Replace hostname with the name of the web server machine you specified during the installation.
2. For the User Name, enter “Administrator”.
3. In the Password field, enter the "system administrator password".
Note:
The "system administrator password" is the password you specified during the installation.
4. For the type of Authentication, select "Enterprise".
LDAP authentication also appears in the list; however, third-party user accounts and groups must be
mapped to SAP StreamWork enterprise agent before you can use this type of authentication.
5. Click Log On.
The Web Administration Console Home page appears.
Figure 4-1: Log on to the Web Administration Console
Related Topics
• To specify SAP StreamWork enterprise agent configuration options
4.3 Workflow for configuring the SAP StreamWork enterprise agent
To start the SAP StreamWork enterprise agent configuration, click the Begin Setup button. Configuring
the SAP StreamWork enterprise agent generally involves this workflow:
1. Enabling proxy settings.
2. Registering the SAP StreamWork enterprise agent with the SAP StreamWork cloud.
3. Managing software update settings.
4. Setting up authentication.
5. Managing certificates (optional).
6. Setting up Single Sign-On (optional).
7. Running a diagnosis.
8. Managing users.
When the configuration is finished, the Begin Setup button changes to Move to Production. This
button changes to indicate the tasks that you need to perform.
4.4 Enabling proxy settings
A proxy server acts as an intermediary for requests from clients seeking resources from other servers.
If your network requires a proxy for outbound connections, enable your proxy settings in the "System
Settings" page. This is required to connect to SAP StreamWork in the cloud and receive system updates.
You need to specify both the HTTP Proxy URL and HTTPS Proxy URL. When SAP StreamWork
enterprise agent connects to SAP StreamWork in the cloud, the "HTTPS Proxy" URL is used. To receive
system updates, the "HTTP Proxy" URL is used. If necessary, specify the Username and Password
for your proxy.
If you specify your local machine hostname in the No Proxy Hosts field, your local machine hostname
will not be proxied when it connects to SAP StreamWork enterprise agent.
Figure 4-2: Enabling proxy settings
4.5 Registering SAP StreamWork enterprise agent
To connect the enterprise agent to the SAP StreamWork cloud, register SAP StreamWork enterprise
agent from the registration page.
To register SAP StreamWork enterprise agent to the SAP StreamWork cloud, you need to provide the
following information:
Agent ID
The "Agent ID" is used to match SAP StreamWork enterprise agent with the corresponding organization
in the SAP StreamWork cloud.
When you get a SAP StreamWork enterprise agent license for your organization, an "Agent ID" is
created in the SAP StreamWork cloud and assigned to your organization. After your organization is
created, you receive the "Agent ID".
Agent Password
The "Agent Password" is used to register SAP StreamWork enterprise agent in the cloud, and it
corresponds to the "Agent ID" for your organization. After your organization is created in the SAP
StreamWork cloud, you receive the corresponding "Agent Password".
Note:
Once you have registered SAP StreamWork enterprise agent in the SAP StreamWork cloud, click
Change Password to change the "Agent Password". The new password must be at least six characters
long and contain special characters, letters, and numbers.
Enterprise Agent Server URL
The "Enterprise Agent Server URL" is the address of the machine in your network where the SAP
StreamWork enterprise agent is installed inside the organization's firewall.
For example, you could use the following address:
https://EnterpriseAgent:8443/
EnterpriseAgent is the name of the machine in your network containing the SAP StreamWork
enterprise agent image installed from the ISO. The SAP StreamWork enterprise agent is configured to
listen on port 8443.
When an enterprise user tries to connect to the SAP StreamWork cloud, the cloud uses the "Enterprise
Agent Server URL" to request the user to connect through the SAP StreamWork enterprise agent.
Enterprise Agent Server external URL
If you are using a reverse proxy, the "Enterprise Agent Server external URL" is the web address that
the SAP StreamWork cloud will use to contact SAP StreamWork enterprise agent, and should be in
the organization's DMZ.
For example, you could use the following address:
https://ReverseProxy/
ReverseProxy is the domain name of your reverse proxy.
If your organization does not use a DMZ, leave the checkbox unselected to use the "Enterprise Agent
Server URL" to access the Enterprise Agent Server from outside your firewall.
Figure 4-3: Reverse Proxy Configuration
Related Topics
• Installation prerequisites
• Single Sign-On Settings
4.6 Managing update settings
The Update Management page lets you manage updates for your SAP StreamWork enterprise agent
deployment.
To change the time when SAP StreamWork enterprise agent checks for updates and installs them,
click Update Preferences.
You can schedule a time to check for updates and select a date, time, and recurrence to install
downloaded updates.
Note:
By default SAP StreamWork enterprise agent checks for available updates every day at 4:00 UTC and
installs downloaded updates every Saturday at 5:00 UTC. The two scheduled times should be at least
one hour apart.
Backing up current system settings to a file
SAP StreamWork enterprise agent lets you back up your system settings into a data file to later restore
them on a new system.
To restore and replace the system on a new installation, from the homepage, click Restore
Configuration. The host name of the new system must be the same as the original system.
Figure 4-4: Update Preferences
4.7 Managing authentication
An authentication server lets administrators provision groups of users to the SAP StreamWork cloud.
The following authentication servers are supported by the SAP StreamWork enterprise agent:
•Microsoft Active Directory
•SAP Netweaver Virtual Directory Server
•Lotus Domino Directory
•Custom
The LDAP server settings identify the Active Directory domain controller, SAP Netweaver Virtual Directory
Server, Lotus Domino Directory, or custom LDAP servers, where the SAP StreamWork enterprise agent
gets the users to provision to the SAP StreamWork cloud. The LDAP account privileges need to be set
to read-only for an Active Directory domain account. If you enable SSO, the LDAP privileges for the
service account need to be set to read-only plus search.
If you select Microsoft Active Directory as the "LDAP Server Type", you need to specify the "Host
Information" Domain and the "AD Domain" credentials (Username and Password). The "Host
Information" Domain is the fully qualified domain name of the AD Domain. For example, mycorp.com.
After you provide the AD Domain, SAP StreamWork enterprise agent automatically determines the list
of AD Controllers and then accesses them using the service account you added in the Active Directory
Domain controller for your SAP StreamWork enterprise agent.
If you select one of the LDAP servers, you need to specify the "Host Information" (Host, Current
Servers, and Base DN) and "LDAP Server Credentials" (Distinguished Name and Password). To add
a new server to the server list, click Add Server. To remove a server from the server list, select the
server and click Remove Selected.
Figure 4-5: LDAP Server Settings
Related Topics
• Creating a Windows AD service account
4.7.1 LDAP authentication
Lightweight Directory Access Protocol (LDAP) is a set of protocols used to access information stored
in directories.
LDAP authentication is enabled using the Authentication and Single Sign On page.
SAP StreamWork enterprise agent supports the use of SAP Netweaver Virtual Directory Server, Lotus
Domino Directory, and custom LDAP servers, eliminating the need to recreate user and group accounts.
By mapping your user groups to the SAP StreamWork enterprise agent, users are able to log onto the
cloud with their enterprise user name and password.
Mapping LDAP users to SAP StreamWork enterprise agent
To map LDAP users to the SAP StreamWork enterprise agent, some LDAP attributes should be defined.
The default attribute mappings are specified for supported LDAP server types, but you may change
them if your company uses custom settings. Here is the definition of the required attributes:
LDAP attribute                    Description
User ID                           Specifies the enterprise user name.
User Full Name                    Specifies the user full name. This information will be propagated to StreamWork cloud as part of user profile.
User Email                        Specifies the user email address. This information will be propagated to StreamWork cloud as the unique ID.
User Object Class                 The value for objectclass that indicates this object is a user.
Static Group                      The value for objectclass that indicates this object is a group.
Static Group Member               The attribute inside a group object that indicates members of this group.
Default Group Search Attributes   The common name of a group object, which is used for group search in the Add Group dialog in the User Management page.
Default User Search Attributes    The common name of a user object, which is used during logon to the administration console by a promoted administrator.
4.7.2 Active Directory authentication
With the SAP StreamWork enterprise agent authentication server setup, you can map user accounts
and groups from your Windows Server 2003 or Windows Server 2008 AD system to the SAP StreamWork
enterprise agent. Users are authenticated against the Windows AD system, and have their membership
in a mapped AD group.
4.8 Managing certificates
A certificate identifies the SAP StreamWork enterprise agent when you connect it to other applications.
SAP StreamWork enterprise agent includes a default certificate that is self-signed. To eliminate the
certificate warning that users get when logging in to the StreamWork cloud, it is recommended that you
replace the default certificate with your company's own certificate.
On the "Certificate Management" page, you can view and download the current certificate or upload a
different one.
To upload a new certificate you need to specify the following information:
•Certificate
•Private Key
•Password
•Root Certificate (optional)
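Added example (not part of the SAP documentation): a pre-upload check for the files listed above, written as POSIX shell functions around the openssl command-line tool. It assumes PEM-encoded files, which this help does not specify; the function names and the constructed sample certificate are hypothetical.

```shell
#!/bin/sh
# Added example, not SAP code. Assumes PEM-encoded files and the openssl CLI.
# check_cert_bundle CERT KEY KEY_PASSWORD [ROOT_CERT]
#   Prints one line per finding; returns 0 only if no check failed.

check_cert_bundle() {
    cert=$1; key=$2; pass=$3; root=${4:-}
    rc=0

    # The certificate must parse as X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: certificate is not readable PEM X.509"
        return 1
    fi

    # The private key must open with the supplied password. The password is
    # handed over through the environment so it is not visible in the
    # process list.
    if ! key_pub=$(KEY_PASS=$pass openssl pkey -in "$key" \
            -passin env:KEY_PASS -pubout 2>/dev/null); then
        echo "FAIL: private key unreadable or wrong password"
        return 1
    fi

    # The public key inside the certificate must be the one derived from
    # the private key, otherwise the pair cannot be used together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to this certificate"
        rc=1
    fi

    # Reject certificates that expire within 30 days (2592000 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: certificate has expired or expires within 30 days"
        rc=1
    fi

    # A certificate whose subject equals its issuer is self-signed, like the
    # default certificate it is meant to replace, so the browser warning
    # would remain.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    if [ "$subject" = "$issuer" ]; then
        echo "WARN: certificate is self-signed"
    fi

    # If a root certificate is supplied, the certificate must chain to it.
    if [ -n "$root" ]; then
        if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
            echo "FAIL: certificate does not chain to the supplied root"
            rc=1
        fi
    fi

    return "$rc"
}

# Constructed sample input: writes a self-signed certificate (agent.crt) and
# a password-protected key (agent.key, password "constructed-pass") into DIR.
make_constructed_pair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=EnterpriseAgent.example" \
        -passout pass:constructed-pass \
        -keyout "$dir/agent.key" -out "$dir/agent.crt" 2>/dev/null
}
```

A zero return status means no FAIL line was printed; a WARN line does not change the status.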
4.9 Single Sign-On Settings
Enabling Single Sign-On (SSO) settings is an optional step in the "Setup Wizard". When you enable
SSO settings, provisioned users do not need to enter their enterprise credentials to log onto the SAP
StreamWork cloud. The credentials you specify are used to process SSO to SAP StreamWork through
the SAP StreamWork enterprise agent.
To enable SSO settings, you need to:
•Create a service account.
•Add the service principal name against the service account name.
•Enable SPNEGO.
Note:
To enable SSO, you need to set the LDAP account privileges for the service account to read-only plus
search.
Related Topics
• Creating a Windows AD service account
• Adding the service principal name against the Windows AD service account name
• Enabling SPNEGO
4.9.1 Creating a Windows AD service account
To configure SAP StreamWork enterprise agent for Windows AD authentication, you require a service
account. You can either create a new domain account or use an existing domain account. The service
account will be used to run the SAP StreamWork enterprise agent servers.
SAP StreamWork enterprise agent supports the use of a Windows 2003 or 2008 domain.
Note:
In a forest with multiple domains you can create this service account in the domain that the SAP
StreamWork enterprise agent is installed on. All domains that trust the domain you have created the
service account in will be able to authenticate.
4.9.1.1 To create a service account on a Windows 2003 or 2008 domain
Note:
With a Windows 2003 or 2008 domain, RC4 is the default encryption type and should be used.
1. Create a new account on the domain controller or use an existing account.
For detailed instructions, refer to http://msdn.microsoft.com/.
Replace <ServiceClass> with any desired name. For example, myCorp. Replace <DomainName>
with the domain name of the service account. For example, domain.com. Replace <ServiceAccount>
with the domain user account that you have configured.
Note:
•The name of your service account is case-sensitive.
•The Service Principal Name (SPN) must be unique in the forest in which it is registered. One
way to check is to use Windows support tool Ldp.exe to search for the SPN.
3. Verify that you receive a message similar to this one:
Registering ServicePrincipalNames for CN=ServiceSEA,CN=Users,DC=DOMAIN,DC=COM
myCorp/domain.com Updated object
Note:
You will not see the Delegation tab until after you have entered the SETSPN command.
4. Click OK.
4.9.2 Adding the service principal name against the Windows AD service account
name
To enable SSO settings, you need to add the service principal name against the service account name
created in Active Directory. This can be done by using the following command in your Active Directory
Domain controller:
setspn -a HTTP/<fully qualified masternode name> <service account name>
The fully qualified masternode name is the name of the SAP StreamWork enterprise agent
server, and the service account name is the name of the Active Directory service account that you
create for SAP StreamWork enterprise agent.
For example, if you are using the following configuration:
Parameter                         Value
fully qualified masternode name   machinename.mycorp.com
service account name              sso_sea
The command you need to use will look like this:
setspn -a HTTP/machinename.mycorp.com sso_sea
4.9.3 Enabling SPNEGO
To use SSO from a web browser, you need to enable SPNEGO (Simple and Protected GSSAPI Negotiation
Mechanism). SPNEGO is a protocol used to implement SSO solutions. SPNEGO is used when a client
application wants to authenticate to a remote server, but neither end is sure what authentication protocols
the other supports. For detailed instructions about SPNEGO configuration on your web browser, refer
to http://appliedcrypto.com/files/doc/spnego-browser-configuration-.pdf .
4.10 Managing users
In the "User Management" page, you can import and provision groups of users, manage group and
user settings, and assign administrator privileges to users.
When you provision users, their accounts and user attributes, as they exist in your enterprise directory,
are created in SAP StreamWork enterprise agent.
An administrator can provide and revoke administrator rights to users, as well as provision and
de-provision groups of users.
When a user is provisioned, an email invitation to join SAP StreamWork is sent to the user. Provisioned
users can log onto the SAP StreamWork cloud using their enterprise credentials.
4.10.1 To provision a group of users
1. From the "User Management" page, click the Add New Group button.
The "Add New Group" window appears.
2. Do one of the following depending on the LDAP Server Type you are using:
•If you are using Windows Active Directory as your LDAP Server Type, type the Group Name of
your group.
•If you are using an LDAP custom server, type the "Distinguished name" of your group. For
example, you can type “cn=marketingteam, ou=Group, o=Company”.
You can also type a partial group name, click the search button to display all groups starting with
the partial name, and choose the one you want to add.
3. Type the Display Name of your group.
The Display Name is the name of the group that you can see in the "User Management" page.
4. To grant administrator rights to the group of users, select the grant administrator rights checkbox.
5. Click Save.
Figure 4-6: Add New Group window
Diagnosis
5.1 Troubleshooting and resolving problems
To troubleshoot and resolve problems, you can use the "Diagnosis" page to test different areas of
StreamWork Enterprise.
Figure 5-1: Diagnosis page
A green circle indicates a passed test, an orange circle indicates a warning, and a red circle indicates
a failed test. A green check mark adjacent to a test category indicates that all of the tests in the category
were passed. For more details about a test, click the test name.
To run a test category, click Run. A test category runs in the background and you can see the last time
it was run.
You can run the following “test categories” on the "Diagnosis Page". To run all test categories, click
Run Diagnosis.
Cloud Connection
The "Cloud Connection" test category checks for connection problems between the StreamWork
Enterprise Agent and the StreamWork servers in the cloud. If there is a failure, the diagnosis message
tells you the cause. The cause of failure may be incorrect proxy settings during installation (outbound
requests), or incorrect reverse proxy settings in the DMZ (inbound requests).
Update
The "Update" test category shows you when new updates are available. To install an update, go to the
"Update Management" page. To schedule updates to install automatically weekly or monthly, click the
Update Preferences button.
Logs
If you cannot resolve connectivity or server issues, download the trace logs from the "Logs" test category
and send them to SAP support for further investigation.
Servers and Services
The "Servers and Services" test category checks whether the StreamWork Enterprise servers and the
services (StreamWork Enterprise Agent service and SSO service) are running properly. The diagnosis
message will tell you the cause of the failure.
Authentication and Single Sign-On
The "Authentication and Single Sign-On" test category checks connection problems between the
StreamWork Enterprise Agent and the enterprise directory. The test category also shows whether the
SSO service is enabled.
Users
The "Users" test category checks for problems provisioning users. It also shows the number of
provisioned users, active users, and seats left on the current license.