SAP TechEd 2006 – Day 3

I went to five sessions today:
Session: Designing a Web Infrastructure for a SAP Netweaver Platform
Session: Web Page Composer: A New Way to Create and Publish Web Pages in the Portal
Session: SAP Corporate Portal as an Example for a Company Wide Intranet
Session: SPNego Login Module for Windows Integrated Authentication
Session: Undocumented KM Tips & Tricks

Beware: The following are hastily-typed stream-of-consciousness notes written in 15-minute spaces between sessions.

Session: Designing a Web Infrastructure for a SAP Netweaver Platform

Some of this session was common to the session on improving WAN performance from Wednesday, but it went into architectural detail that will be useful for our internal project. There was good detail on the configuration and use of the Apache web server (v2.2) as an application gateway and reverse proxy for an external-facing Netweaver solution, forwarding traffic on to a SAP Web Dispatcher in the DMZ and from there on to the Portal. There were useful security tips, such as only forwarding URLs with /irj, /portal and /webdynpro in them, thus not giving external access to /nwa – the Netweaver Administrator. I also made contact with the Netweaver Applications over WAN architect, so I can follow up this technology for potentially delivering high performance SAP access over WAN lines to our offices in Malaysia and the USA. Other useful hints included the idea of a terminal server in the DMZ for very low bandwidth connections.
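
The forwarding rule above can be modelled as an allowlist decision made on the canonical path rather than the raw URL. This is an added example, not material from the session or SAP's configuration; the function names and sample request targets are hypothetical, and in Apache itself the equivalent is to define proxy mappings only for the three prefixes.

```python
from posixpath import normpath
from urllib.parse import unquote

# Prefixes the session recommended exposing; everything else (e.g. /nwa) is dropped.
ALLOWED_PREFIXES = ("/irj", "/portal", "/webdynpro")


def canonical_path(request_target):
    """Return the path the backend would effectively see, or None if suspicious."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)                      # decode once, as a gateway would
    if "%" in path or "\\" in path or "\x00" in path:
        return None                           # still-encoded or odd bytes: refuse
    return normpath("/" + path.lstrip("/"))   # collapse "//", "." and ".."


def is_forwardable(request_target):
    """True only if the canonical path sits inside one of the allowed trees."""
    path = canonical_path(request_target)
    if path is None:
        return False
    # Match on a segment boundary so "/irjx" is not treated as "/irj".
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


# Constructed sample request targets (assumptions, not from the session).
SAMPLES = [
    "/irj/portal",
    "/webdynpro/dispatcher/app?x=1",
    "/nwa",
    "/irj/../nwa",
    "/irjx",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target:35} {'forward' if is_forwardable(target) else 'drop'}")
```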

Session: Web Page Composer: A New Way to Create and Publish Web Pages in the Portal

This was more of a preview session than anything else, as the feature will not be available until NW04 SP20 (NW04s SP12), but this takes the basic capabilities offered by KM and makes them usable to deliver proper websites. Essentially, this is the technology used to produce the SAP Developer Network site (http://www.sdn.sap.com), but could also be very useful for companies looking for an intranet or internet solution, which to be honest is a bit of a stretch for KM on its own at the moment. Highlights include a WYSIWYG page composer – content elements from KM can be dragged and dropped onto a page composition template, and the resulting page can be published with a single static URL – which makes indexing by Google that much easier. Use of the light framework page also means that the browser back/forward buttons work correctly. It’s a shame we’re going to have to wait for a while to be able to play with it, as several customers I can think of could use this right now, and have been looking for something like this from SAP for a while.

Session: SAP Corporate Portal as an Example for a Company Wide Intranet

SAP are eating their own dogfood! SAP have had their own portal, based on a customised version of NW04(s?) for about a year now. The business case was easy – it was virtually mandated from the top. The customisations they’ve had to make are going to be contributed to the mainstream product. User data comes from CUA and HR, and initial role assignment also comes from HR, though users (through personalisation) can select certain roles for themselves – for example, they can choose their own region and business unit to be changed from the default. This is nice, and reflects the open culture in SAP (and indeed, on our own – non-SAP – intranet we can browse to see what other countries and business units are up to). To support 40,000 users 24/7, they have some serious hardware split across 2 data centres, and about as many boxes dedicated to TREX search as are in the rest of the solution. There is a lot of use of Collaboration Rooms, seen as fairly dynamic short-term content; anything of particular use can be taken from a Collaboration and moved into the more managed space of global KM content.
Interestingly, ESS and MSS are presented through the portal using the fancy new icon-based pages to get to the services – but the actual services themselves are still done old-skool using SAP GUI for HTML (Web GUI) – Manager’s Desktop, etc.

Session: SPNego Login Module for Windows Integrated Authentication

Bad news: IISProxy for Windows-integrated authentication (i.e. single sign-on from Windows into the Portal) is being retired in December. The good news is that there is a replacement technology which does not require a Windows server in the landscape (so maybe you can repurpose that IISProxy server as a Duet server…).
The new system works as a JAAS Login Module on the Netweaver Java AS. Users must not only be logged into a domain, but need to be connected to it at the time of authentication – in other words, simply logging on to a disconnected workstation using cached credentials won’t do the job. On the initial HTTP request, a 401 “Not authorised” message comes back, which prompts the browser (IE, or Firefox with a plugin – not supported) to ask the domain controller for a double-encrypted authentication token for the web server in question. The browser decrypts one layer, and sends the result back to the J2EE server, which checks the token against the domain controller using the Kerberos protocol (port 81, UDP). On successful authentication, the user information is pulled from the AD server as usual over LDAP (port 389). Other user stores (ABAP, other LDAPs) are supported “on request”.
In terms of config, a user needs setting up on the Domain to represent the J2EE server, and this contains a multi-valued field which has all the DNS names the J2EE is known by. The SPNego module itself references a krb.conf file, and this file can contain a list of domain controllers for fail-over purposes. Be aware during config that everything is case-sensitive.
In terms of issues, the major one is of support – this is a solution which combines Microsoft and SAP technologies, so the IT guys running the Microsoft side need to be bought into the solution and actively engaged in its support. This is actually an enormous issue in many organisations. In one case, it took 6 months just to do that part of the config…
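
When troubleshooting the exchange described above, a first check is what the browser actually sent back after the 401. The following is an added example, not code from the session or from SAP's login module: it classifies an Authorization header as a SPNEGO/Kerberos token or an NTLM token (browsers commonly fall back to NTLM inside Negotiate when they cannot obtain a Kerberos ticket, which is general protocol behaviour rather than something from these notes). Function names and sample tokens are constructed for illustration.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"


def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:        # [APPLICATION 0] wrapper
        return None
    pos = 2
    if token[1] & 0x80:                           # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    oid = token[pos + 2:pos + 2 + token[pos + 1]]
    return oid if len(oid) == token[pos + 1] else None


def classify_authorization(header_value):
    """Say what the server received in the Authorization header."""
    if not header_value:
        return "challenge"        # reply 401 with "WWW-Authenticate: Negotiate"
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_MAGIC):
        return "ntlm-fallback"    # browser could not obtain a Kerberos ticket
    oid = gss_mech_oid(token)
    if oid == SPNEGO_OID:
        # Heuristic: look for the Kerberos OID among the offered mechanisms.
        return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    return "raw-kerberos" if oid == KRB5_OID else "malformed"


# Constructed, truncated samples: enough bytes to classify, not real tickets.
_body = b"\x06\x06" + SPNEGO_OID + b"\x06\x09" + KRB5_OID
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60" + bytes([len(_body)]) + _body).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00").decode()
```

An "ntlm-fallback" result usually points at the client side of the setup (workstation not connected to the domain, or the requested host name not registered on the service user) rather than at the login module.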

Session: Undocumented KM Tips & Tricks

This session had been moved from its original location, so I was a few minutes late, and there were no handouts. There was some interesting stuff in there, but it was essentially a pretty rushed presentation of “here are some really cool things I did with KM, but I can’t tell you how to do them because they were done for customers”. Still – it was a good insight into some of the things possible with KM, Flex UI, collection renderers, etc.
There was a “Google advanced search”-styled advanced TREX search, waste-basket functionality for KM (using a “deleted” property and a collection renderer – not sure if WebDAV access would respect the waste bin). SP18 apparently introduces mass property changes for KM docs, which could be handy. There was a demo of “transactional” capability – i.e. making a set of different changes to various documents, but committing or aborting all of those changes as a unit. Mention was made of the possibility of exposing the KM API as web services, leading to interesting possibilities with SOA, Web Dynpro integration, AJAX consumption, etc.
