Part 4 Configuring the system after the installation ‘This part explains the tasks that you perform after the installation. You need system administrators access to Content Server. ‘+ “Connecting the SAP system” on page 113. ‘+ “Performing general post-installation tasks in SAP” on page 117 + “Performing system administration tasks in Content Server" on page 151 “Performing system administration tasks in the Archive Center” on page 209 ‘+ “Performing additional optional tasks in the SAP system” on page 211 “Verifying the installation” on page 229 ia ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-02Chapter 21 Connecting the SAP system 21.4 Connecting the SAP system with Content Server After you installed and prepared the SAP system, you connect it to your Content Server instance. Content Server The Content Server instance has been prepared for the connection: ports and firewall are configured accordingly. Content Server uses the following default ports: 443 — Content Server HTTPS default port £8442 — Tomcat HTTPS default port for Web services and OTDS For more information about the connection settings in Content Server, see “Importing root certificates for Secure Sockets Layer (SSL) connections” on page 151 and “Connecting SAP as the business application” on page 152. SAP In your SAP system the HTTPS port must be open. Default port number in SAP is 44300. To find out the HTTPS port number on your system: 1. Start the SIGN transaction, 2. From the menu, select Goto > Parameters > Display. For more information about the connection settings in the SAP system, see “Performing, po: stallation tasks” on page 123. 21.2. Connecting the SAP system with OpenText Archive Center Each archive must be created both in the SAP system and on the OpentText Archive Center, using the same name. To configure an HTTP content repository: 1. In IMG, run the OpenText Archiving and Document Access for SAP Solutions > DesktopLink and Archiving for SAP Solutions > ArchiveL.ink > Maintain Content Repositories activity. Alternatively, you can run the 0ACO transaction, The Content Repositories overview table is displayed. 2. Toswitch to edit mode, click @Display —+ Change. ERLK220400-1GD-EN-02 Installation and Upgrade Guide 13Chapter 21 Connecting the SAP system 3. To create a new content repository, click L) Create. To modify an existing storage system, select it in the list and click Detail Click Full administration. Enter the following parameters: Content Rep. ‘Two-character archive name, which may only contain capital letters and ‘numbers. When you use a two-character name, you have the highest degree of compatibility for different archiving scenarios. For example, for KPro and Data Archiving scenarios, you can use up to 30 characters. For pure ArchiveLink scenarios, only two characters are allowed. For the Extended ECM cloud installation, an archive At is provided by default For Core Archive deployments, ArchiveLink documents should be stored in an own collection/logical archive. A collection A2 is provided for this purpose Description Description of the archive, for example, indication of archive usage and the Archive Center. Document Area For an ArchiveL ink archive, enter ArchiveL ink. For a KPro archive enter the corresponding document area Storage type HTTP Content Server Protocol Name of the protocol used for communication. For more information, see Section 6.1.1.4 "Protocol" in OpenText Core Archive for SAP Solutions Scenario Guide (ER-CCL) ‘The OpenText protocols OT_* can be created manually as described in OpentText Archiving and Document Access for SAP Solutions - Installation and Upgrade Guide (ER-IGD). They are also available with transports that can be downloaded from OpenText My Support (https://knowledge.opentext.com/ knowledge/es.dll?func Version no. ArchiveLink interface or SAP Content Server HTTP Interface version 0045 is the minimum required version, HTTP server Name of the Server where AL. filter is installed. Usually this is the host where Content Server is installed, for example: otes , example , com From SAP basis 6.20, the port no. is entered in a separate field, Port Number For HTTP connections, leave the port number empty for connections to the cloud archive. We ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0221.2. Connecting the SAP system with OpenText Archive Center Port Number of Archivel.ink connection. SSL Port Number When using the secure transfer protocol SSL (Secure Socket Layer) For HTTPS connections, enter the SSL port number 443. J Important Ifyou have an Extended ECM cloud installation, you must use the secure transfer protocol SSI. (Secure Socket Layer). Program (CRM: HTTP Script) ‘The URI part of the URL to the AL Filter. Enter alfilter/archive, Basic Path, Archive Path Path to the exchange directories. For HTTP communication, the Archive Center does not require access to this directory. The SAP system server stores the documents to be archived on the basic path. The Archive Center makes the documents requested by the SAP system available on the archive path. For data archiving, the exchange directory must be entered identically in the FILE or SARA transaction with particular attention to upper/lower case. For more information, see Section 6.3 "Creating an exchange directory” in OpenText Archiving and Document Access for SAP Solutions - Scenario Guide (ER-CCS) BD Notes * The basic path and the archive path are only displayed in Full administration mode. ‘The path must always be closed using a forward slash (/) on UNIX platforms and a backslash (\) on Windows platforms: \\\\\ OutputDevice Enter ARCH, No signature If you select this option, the URIs for this archive are transmitted without encryption. When you disable this option, the URI. is given a SecKey, in ‘which important data is encrypted. In the latter case, a certificate must be sent from the SAP system to the Archive Center and the signature check must be configured in the OpenText Administration Client (see the Section. 8 “Configuring security settings” in Open Text Archive Center - Administration Guide (AR-ACN)). 6. Click Bl save. ‘You can send a certificate from your SAP system directly to the content repository defined here. To send the certifi ate for your content repository: 1. Wait for the confirmation message that the archive is ready. ERLK220400-IGD-EN02 Installation and Upgrade Guide 15Chapter 21 Connecting the SAP system 2. Click Hisend certificate. BB Note: To send certificates centrally, use the oaht transaction 21.2.1 Creating an archive on the OpenText Archive Center ‘On the OpenText Archive Center you must create an archive with the same name as, in the SAP system. When you configure the archive, specify the media type on which the documents are to be archived (for example, CD, DVD, WORM, hard disk), and indicate the exchange directory. For more, information, see Open Text Archive Center - Administration Guide (AR-ACN). 16 ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-02Chapter 22 Performing general post-installation tasks in SAP 221 22.1.1 Before using the Extended ECM for SAP Solutions functions, you must perform a series of post-installation and customizing tasks in SAP. For more information, see “Performing post-installation tasks” on page 123. For information about the scenario-specific post-installation tasks, see OpenText Extended ECM for SAP Solutions - Customizing Guide (ERLK-CGD). Note: The Extended ECM configuration entries are only available in English. Using other languages result in technical identifiers to be shown instead of texts, Performing general post-installation tasks in SAP Using the IMG function Extended ECM for SAP Solutions provides a central customizing menu in SAP in the ‘OpenText Extended ECM for SAP Solutions structure of SAP’s Customizing Implementation Guide (IMG) function. To call the IMG: 1. Start the SPRO transaction, 2. Click SAP Reference IMG 3, Navigate to the OpenText Extended ECM for SAP Solutions structure and open it. ERLK220400-IGD-EN02 Installation and Upgrade Guide 1Chapter 22, Performing general postinstallation tasks in SAP ¥ OpenText Extended ECM for SAP Solutions x Infrastructure + Bs & export system PSE Cert + Bs @ ceate HTTP Connections + By ® create New Logical Ports + Be ® Configure P1 Service + By maintain Extondad ECM Connections + By @ activate HTTP service + By ® vagnostic Progam Fle System = Extended ECM > Business Content Window , Document (ArchiveLink) and PrintList Declarations By & wmamncan search Templates + By © maintain Business Object Declarations Bs ® mainzain Dactaration Queue + By & maintain Receiver Module Events + By & Activate Receiver Mocule Events + Ee & maintain Change Document Events + B® acthate Business Functions + By ® pagnostic Program + Bs © Configuration Report 4, Select the required activity, and then click © Execute Ian SAP system displays a different IMG structure rather than standard reference IMG, the Extended ECM for SAP Solutions customizing is not visible. You have the following options to access the Extended ECM for SAP Solutions customizing, structure: ‘+ Use transaction SINGH, save the Extended ECM for SAP Solutions IMG structure asa favorite and call it from there. + Add the Extended ECM for SAP Solutions customizing to the existing, customizing structure of transaction SPRO. To use transaction SIMGH to access Extended ECM for SAP Solutions customizing: 1. Start the SINGH transaction. 2. In the IMG structure field, open the search help and search for the search term, OpenText*. With this search term, you also find IMG structures for other OpenText products, 3. Double-click on entry. 4, Click Add to Favorites. 5. Inthe Favorites list, select one enty, and then click 49 to acess the IMG structure Te ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.1. Performing general post installation tasks in SAP To add the IMG structure to SPRO transaction: 1 Create an enhancement ID: b, e Start the $_ING_EXTENSION transaction. ‘Open the search help of field Enhancement ID. tick O) Create Enhancement ID (F5) Enter an Enhancement ID, for example Z_OTX_EXTECM, and an explanatory text, for example OpenText Extended ECM. Click B save Click W Continue. Double-click the newly created enhancement ID in the Enhancement ID: Original list to select it for the Enhancement ID field. Enhance the SAP IMG structure for Extended ECM for SAP Solutions: i k, In the IMG structure field, select the IMG structure that is currently displayed in the SPAO transaction and which you want to enhance. For example, in SAP Extended Warehouse Management, select the IMG structure SAP - Implementation Guide Click Favorite to add the IMG structure to your favorites. Select the IMG structure in the Favorites list by double clicking, If not already done, in field Enhancement ID, select the enhancement ID created in Step 1 Click Enhance Structure. Select the root node of the IMG structure. From the menu, select Edit> Nodes > Insert IMG Structure > As Subnode. Enter the node name for the customizing, for example OpenText Extended ECM for SAP Solutions, tick fill Find structure to search for the Extended ECM for SAP Solutions customizing IMG structure. Search for OpenText - Extended ECM for SAP Solutions. Click ¥ Copy. Click B) save Enhance the SAP IMG structure for Archiving and Document Access: Repeat the steps described in Step 2 for the OpenText Archiving and Document Access customizing with the corresponding data: Name of the node: OpenText Archiving and Document Access for SAP Solutions Name of the IMG structure: OpenText Archiving and Document Access for SAP Solutions ERLK220400-IGD-EN02 Installation and Upgrade Guide 18Chapter 22. Performing general postinstallation tasks in SAP 22.1.2 Assigning SAP roles To use the Extended ECM for SAP Solutions functions in SAP, you must assign specific SAP roles in transaction SUO1. The following roles are required B Notes + Ifyou do not want to use these roles, you must assign the respective authorization objects to your own roles. You can also perform transaction assignments in the SU24 transaction and use them later in the profile generation tool PFCG, ‘+ Ifyou want to use field values other than those recommend here, field help provides additional information. {0TX/RM_USER Role for Extended ECM for SAP Solutions application users. This role allows an SAP user declare ArchiveLink documents as records, search Content Server, display a business workspace in the Business Content window, and show record details. This role contains the following authorizations objects: ‘Authorization object Description JOTX/RM Records management authorizations in S Set field /OTX/ RMACT to value 00 oF * for {granting access to functionality related to Records Management, LENRL_DOL, ‘Business attachments authorizations Set field /OTX/ RMDAC to value 00 for {granting access to business-attachments- related functionality "LANRL_WSC Business workspace authorizations Set field /OTX/ RMAC to value 00 for [granting access to business-warkspace- related funet ality J-ONRL_LPS ‘Access to local Tempo Box folder and ‘other local folders Set field /OTX/ RHLAC to value 00 for granting access to local files, (GUT “Access to Drag & Drop functionality in Business Content window. Set field ACTVT to value 60 for granting access to drag and drop. 0 ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.1. Performing general post installation tasks in SAP 22.1.3 /0TX/RM_ADWIN Role for SAP administrator; this role allows for the post-installation and customizing steps as well as administrative tasks like monitoring or running batch jobs. This role contains the following authorizations objects: ‘Authorization object Description JOTXIRM Records management authorizations in Gos LENRE_DOL ‘Business attachments authorizations JL6NRI_WSC Business workspace authorizations 10TK/RM_ADMIN 54 Role for SAP administrator. This role provides additional authorizations or menu items on S/SHANA systems, For example, it allows access to transaction / OTX/Rl_SB0_cONVERT. {0TX/RM_CS_SAP_USER Role for the SAP system connection between Content Server and the SAP system, This role is needed for the SAP user which is configured in Content Server for the connection to SAP. For more information, see “Connecting SAP as the business application” on page 152. {0TX/RM_CS_SAP_USER_S4 Role for the SAP system connection between Content Server and the SAP system. This role is needed in S/4HANA systems to provide additional access to the OData service /OTX/RM_SBO_ODATA,SRV. This role is needed for the SAP user which is configured in Content Server for the connection to SAP. For more information, see “Connecting SAP as the business application” on page 152. {0TX/RM_INPERSONATED_USER_ROLE Role for the SAP user which is used in the RFC destination. For more information, see Section 5.7.1 “Enabling user-specific impersonation (GAP BAdl)” in OpenText Extended ECM for SAP Solutions - User Management and “Access Control Scenarios (ERLK-CUM). Adjusting authorization default values OpenText provides standard authorization assignments for Extended ECM for SAP Solutions transactions as part of the installation packages. You can set default values for the assignment of an authorization to a transaction, which means a simplification ‘compared to using the SU26 transaction, ‘The installation packages provide only the standard entries for SAP assignments, which means those visible in the U2 transaction. Copy the standard Extended ECM assignments into the “customer” tables (SU24) through the standard SAP download/upload programs RSU22D0%N and RSU22UPLD in the following way. ERLK220400-IGD-EN02 Installation and Upgrade Guide aChapter 22. Performing general postinstallation tasks in SAP To copy standard Extended ECM assignments into customer tables: 1 2 Import the Extended ECM for SAP Solutions installation and support packages. Download the authorization-to-transaction-assignment data into a file: a. Use the SE38 transaction to run the RSU22004N program, which downloads the transaction assignments. b, Select the SAP Data options and select Display Al. c. Click ® Execute. d._Entera name for the data file. Repeat this for the following transactions: JOTX/RMMIG JOTX/RMMIGPRINTL JOTX/RMMON JOTX/RMPEQ JOTX/RMPEQPRINTL JOTXIRM_DIAGNOSTIC JOTXIRM_DIAG_INFRA JOTXIRM_CFGREP JOTXIRM_WSC_PEQ JOTX/RM_WSC_Q JOTX/RM_WSC_Q_NR JOTX/SEA_UI If Extended ECM ERP component OTEXALE is installed, repeat this for the following two transactions too: ‘+ JOTX/RMERP_DMS_PEQ + JOTX/RMERP_DMS_MIG If Extended ECM S/4HANA component OTEXRLS4 is installed, repeat this for the following transaction too: ‘+ OTX/RM_SBO_CONVERT Upload the files with the transaction assignments: a. Use the SE38 transaction to run the RSU22UPLD program, which upload the transaction assignments to your customer's table. b. Enter the same list of transactions, for which you downloaded the data files. c. Select the following options, Clear all other + SAP Data ‘+ Copy SAP Data to Customer Table Optionally, you can perform a test run first and also use the option to create a transport file if needed. a ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks d._ Select the same file that you created with the download program. 5, After you have successfully completed the upload steps for all transaction, you can adjust the transaction assignments in the $U24 transaction. 6. Use the transaction assignments in the profile generation tool PFS. Note: For authorization checks that will be added or changed in future support packages, OpenText will dlivera list of transactions whose assignments can be copied into the "customer" list of the SU24 transaction. However, you must verify existing transaction assignments in the S25 transaction using step Postprocess the Settings > 2B Compare Affected Transactions 22.2 Performing post-installation tasks 22.2.1 Verifying that SNI is enabled For the cloud connection to work successfully, SNI must be enabled. Run transaction 211 and verify that either iom/HTTPS/client_sni_enabled or, on older kernel versions, ss1/¢lient_sni_enabled is availabie and enabled. If neither parameter is, present, your kernel release is too low, and you must update your SAP system. For more details on SNI, see SAP Note 2124480. 22.2.2 Exporting the SAP PSE certificate for the SAP ‘You need the SAP PSE certificate to create the SAP authentication handler in OpenText Directory Services. The SAP authentication handler validates SAP tickets sent from the SAP system against the exported certificate. You export the certificate in a PSF file from SAP using the Export System PSE Certificate to File System activity in the SAP IMG. Note: If your system uses a different PSE file for SAP Logon Ticket signing (for example, if you have implemented SAP Note 2420548), then you need to export that file without the system PSE, The procedure is similar as described for the system PSE. To export the SAP PSE certificate: 1. Inthe IMG, navigate to the Export System PSE Certificate to File System activity, and then click @ Execute. ERLK220400-IGD-EN02 Installation and Upgrade Guide rrChapter 22. Performing general post installation tasks in SAP © Ee Ew Gow Gena Enrol” een” Ewe a7 e[ =]4 8 ©0@ Sim Chos THOS Trust Manager for Single Sign-On with Logon Ticket (sw cuenst ase onal Sien|ct(cotcas cone Open the System PSE section, and then check whether there is a certificate in this folder. If this is not the case, create a new one. For more information, see SAP Help Portal (http:/elp sap.com/saphelp_nw70/helpdata/de/Qey b993af7700577e10000000a11402f/frameset.htm). ‘Make sure the certificate’s CN value in the Owner field equals to the system ID; in this case, the value is D67. If this is not the case, delete the current one and create a new one. Click Veri. PSE. If there are more certificates available, click Yes in the message window to add only your own certificate to the verification PSE. Click Yes, and then copy the PSE file to an appropriate location on the Directory Services server. ea ‘OpenText™ Extended ECM for SAP® Solutions -ERLK220400:1GD-EN-0222.2. Performing post-instaltation tasks Only if you want to use SAP SRM you must export the SAP certificate from an SAP SRM portal, To export the SAP PSE certificate from an SAP SRM Portal: In addition to the SAP server certificate, you must export a certificate for the portal, 1. Log in to the SAP SRM Portal as Portal Administrator. 2. On the System Administration tab, click System Configuration > Keystore Administration 3. From the list, select SAPLogonTicketKeypair-cert, 4, Click Download verify.pse File, and then save the file to your desktop. 5. Extract the downloaded file. Optionally, you can rename it to your system name, for example, .pse. Creating an SAP authentication handle: Directory Ser es ‘The SAP authentication handler validates the user against the SAP PSE certificate and extracts user information from the SAP logon ticket. This is relevant for synchronized and non-synchronized partitions. You create the respective authentication handler using the Directory Services Administration web client. Note: Fora detailed description of authentication handlers, see Section 4.2 “Creating an authentication handler” in OpenText Directory Service Installation and Administration Guide (OTDSWC) To create an SAP authentication handler: 1, Start Directory Services Administration in a web browser. Open : || : /otds-admin/, and then sign in as otadmingotds. admin. 2. On the Directory Services Administration menu, click Authentication Handlers. 3. Click Add. 4, In the New Authentication Handler assistant, define the following settings: ‘+ On the General page, set the Authentication handler type to SAPSSOEXT Authentication Handler and enter a name. Click Next. ‘+ On the User Partition page, set the scope to Global only if the user name exists only once across all partitions. Ifthe user exists in more than one partition, specify the partition in the User Partition field. Click Next. ‘+ On the Parameters page, set the following parameters: = In the SAP Certificate (PSE) 1 field, add the certificate you exported from SAP, and, optionally, provide a password. You can add additional ERLK220400-IGD-EN02 Installation and Upgrade Guide 125Chapter 22, Performing general postinstallation tasks in SAP certificates if necessary. The Description field is automatically filled with the path to the certificate; you can change the text. = Only if you want to map all SAP users to one user in Content Server according to the scenario described in Section 3.2.3.4 “Mapping all SAP users to one OTDS user in OTDS SAPSSOEXT authentication handler” in OpenText Extended ECM for SAP Solutions - User Management and Access Controt Scenarios (ERLK-CUM), in the Map all SAP users to field, enter the name of the OTDS user name to which all authenticated SAP users will be mapped once their logon ticket is verified. Use the same format that you define in the Authentication principal attribute field, ‘* On the Configuration page, set the following parameters: — Select Enable authentication handler. = Set Priority to 1. This setting defines that this authentication handler is used first before the other authentication handlers. — From the list box, select an attribute that will uniquely find a given user in Directory Services. Enter the attribute that complies to the SAP user ID which is sent with the SAP logon ticket, for example oTExternaLID or oTExtrattrt. Typically, this is oTExternal1D1 Click Add to add the attribute to the Authentication principal attribute list. Click Save. 22.2.3. Activating the SSO HTTP service ‘You must activate the HTTP service to use the Single sign-on (SSO) service. a Note: Make sure that the SSO profile parameters of your SAP system are set to the following values: + login/accept_sso2_ticket = 1 for the Web Service communication between SAP and Content Server + login/create_sso2_ticket = 2 for the display of Content Server HTML. dialogs in SAP GUI + login/create_sso2_ticket = 3 to increase the security for the Web Service communication between SAP and Content Server to the highest level. This needs special settings in configuration. For more information, see “Using the assertion-based authentication mechanism” on page 140, For a temporary setting, start the RZ11 transaction, enter the parameter name, and then click Display. For a permanent setting, use the R210 transaction, and. restart the system after setting the parameter. cry ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks To activate the HTTP service: 1. In IMG, navigate to the OpenText Extended ECM for SAP Solutions > Infrastructure > Activate HTTP Service activity, and then click () Execute. 2. Inthe Hierarchy Type field, select SERVICE, and then click @ Execute. 3. In the Maintain service dialog, open the following node default_host > sap > public. © tearen ee ca Gee oem Bee ite” e 74 @/©@@ (SHR HHSe HOw 2 Propsemmaeinscne Te toe D Qopn RESERVED SERACESAUALGLECLCBL + Giwie —_ Reucsennces PQs ne ee Son anon > Oe suhesssemen ices as) Qictona Fein rename Sicran ive SIM se renrswrssoz conc coro. (@ same ss Opeied Race tnepener Une «Bons wea a toot Pa , fete TREE RASErUNETONS) i envosromercoocar Hee [Seeded Comeents E 4, From the context menu of the myssoentl item, select Activate Service. To activate the redirect service: Note: The redirect service xeom_redirect, delivered by OpenText, has to be activated for services that use value 2 and 3 for the Login/create_sso2_ ‘ticket system parameter. 1. Enter the SIGF transaction, 2. In the Define Services window in the Filter for Calling ICF Hierarchy section, select the Hierarchy Type SERVICES and click Execute, ERLK220400-IGD-EN02 Installation and Upgrade Guide 7chi apter 22. Performing general post installation tasks in SAP In the Virtual Host / Services, open the default_host list. (Open the new node otexrl with the xeom_redirect redirect service. Right-click on otexrl and in the menu select Activate Service. 6. In the Activation of ICF Services, click Yes. 22.2.4 Creating logical ports in the SAP system Extended ECM for SAP Solutions connects to OpenText web services using logical ports. The creation of logical ports differs depending on the SAP Basis version that your system uses Note: The ping button in the SOA Manager is not supported by Extended ECM webservices. It will always return an error. Use the diagnostic report to verify the webservices configuration. 22.2.4.1 Creating logical ports for SAP Basis 7.0 Extended ECM for SAP Solutions connects to OpenText components using HTTP connections and logical ports Create the following IITTP connections to the required web services: + Extended ECM + OpenText Directory Services + Content Server Member Services To create the HTTP connections: 1. In IMG, navigate to the OpenText Extended ECM for SAP Solutio: Infrastructure > Create HTTP Connections activity, and then click @ Execute. ie ‘OpenText™ Extended ECM for SAP? Solutions ERLK2204001GD-EN-0222.2. Performing post-installation tasks Gwe iw Gwe oem ume Seem Lee eae @ "45 ©G@ 28k ONSSIAR” |_Contiguration of RFC Connections (eae lee) REC Connection > Casi Gumnacions > HTTP Conecions io Eaarnal Sewer > Giinierna connections > G tosicaConnectons + Grorar connecrons > Gconnecrons a ABP Diver Comment 2. Click D create. 3. Enterprise Library Services (GR Create the HT following settings: connection for Enterprise Library Services with the ‘+ REC Destination Enter a name for this connection, for example ELS_DEST_CORE. ‘+ Connection Type G (HTTP Connection to External Server) ‘+ Description Enter a descriptive text. 4. Click B) save Customize the connection: ‘+ Technical Settings tab ‘Target host: Fully qualified host name of your Content Server installation Service No.: Content Server Web Services port; port 8080 is typically used for Apache Tomcat. Path Prefix: /ot-e1ib/services/Enterprisel ibrary + Logon & Security tab The options No Logon and Send Assertion Ticket must be enabled. See also SAP_BAS 1S component with a version later than 16 on page 130. ERLK220400-IGD-EN02 Installation and Upgrade Guide 128Chapter 22. Performing general postinstallation tasks in SAP 7. Click Connection Test. ‘Check that the value in the Status HTTP Response field is 200 which indicates that the request was successful. Save your settings. Repeat steps 2 to 7 and create more HTTP connections according to the following table: Extended ECM | OpenText ‘Content Server Directory Services | Member Service REC Destination | Enter a name, Enter a name, Enter a name, for ‘example EXTEGM_ | example 0TDS_ _| example DEST. DEST. CSMEMBER_DEST. Connections Type | G (HTTP G(aTTP GqaTTP Connection to ‘Connection to Connection to External Server) | External Server) _| External Server) Technical Settings tab Target host ‘otcsexamplecom | otds-example.comll | otes.example.com Path Prefix Jotsapxecn/ | jot-authws/ _| /ows/services/ services/ services/ MemberService ECMLink Authentication FEIF you are using user-specific mapping with impersonation (SAP BAd), and if OTDS and Content Server are installed on different servers, enter the hostname of the Content Server installation The following settings are the same for all ports: ‘+ On the Logon & Security tab, select No Logon, and Send Assertion Ticket. ‘+ On the Messaging tab, in the Message ID Protocol field, select the Suppress ID Transfer value. ‘SAP_BASIS component with a version later than 16 If you are using an SAP_BASIS component with a version later than 16, you might experience the following changes: The Send SAP Logon Ticket is now called Send SAP Assertion Ticket and you must provide as destination system the system ID and the client of the ‘current SAP system. If this is the case, you must also do the following: ‘+ Ensure that the latest sapssoext..d11 file isin the \bin directory. ‘+ Set the following system wide environment variables with the same values that you specified in SAP: — SAPSYSTEMNAME wo ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-installation tasks = SAPSYSTEMCLIENT After creating the IITTP connection, you must create a corresponding logical port for each connection: ‘+ Extended ECM logical port © Open ext Directory Services logical port ‘+ Content Server Member Services To create a logical port for SAP Basis 7.0: 1. In IMG, navigate to the OpenText Extended ECM for SAP Solutions > Infrastructure > Create New Logical Ports activity, and then click @ Execute. © Display/Create Logical Port ay e| ] Infrastructure > Create New Logical Ports activity, and then click Execute. ERLK220400-IGD-EN02 Installation and Upgrade Guide 3Chapter 22, Performing general postinstallation tasks in SAP SOA Management Toe on on _ ACTER CHIT, Lopes Monty ‘Sno Sense motion Ectereihe ommaneaes ta hom baane sen be pula Sere eg 2, In the SOA Management dialog, on the Application and Scenario ‘Communication tab, click Single Service Administration. (On the Search tab, change the Search by value to Consumer Proxy, enter a* in the Search Pattern field, and then click Go. 4, In the Search Results pane, select the entry for Extended ECM (/0TX/CO_AM_ WSM_ECMLINK), and then click Apply Selection. 5. On the Configurations tab, click Create Logical Port. 6. Enter a new name in the Logical Port Name field and add a description, Select Logical Port is Default if you have only one logical port for the Extended ECM. If you have multiple logical ports for Extended ECM, select this option only for one of the logical ports. For the Configuration Type, select Manual Configuration. 7. Click Apply Settings. The Web Service Configuration of Proxy Definition section is displayed. 8 Open the Consumer Security tab, and then select SAP Authentication Assertion Ticket. 9. Open the Messaging tab. In the Message ID Protocol field, select the Suppress ID Transfer value. eb Stns Cnn ea CO EL ESE A Bessie agent geet 4S Loca, oar Ce a | kate ARR, erst ts «te | edn ne nei een) ur emia 10. Open the Transport settings tab, and then enter the following parameters: a ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks © URL Access Path: fotsapxecm/services/ECMLink ‘+ Computer Name of Access URL Extended ECM installation host name ‘+ Port Number of Access URL: port. For cloud installations, enter 443. Click Save. A message at the top of the screen indicates that the binding has been created. 11. Create the other logical ports according to the following table. Extended ECM | Authentication | Content Server ‘Member Service Internal name J0TX/CO_RM_wsw_] /OTX/CO_ JOTX/CO_ ECMLINK OTDSAUTHENTICAT | MBLLMEMBER_ TON SERVICE URL Access Path | /otsapxecm/ | /ot-authws/ _| /ows/services/ services/ services/ MemberService ECMLink Authentication Computer Name | otcs.examplecom — | otds.example.com®l | otes.example.com ‘Access URL ‘efyou are using user-specific mapping with impersonation (SAP BAI), and if OTDS and Content Server are installed on different servers enter the host name ofthe Content Server installation The following settings are the same for all ports ‘* On the Consumer Security tab, select SAP Authentication Assertion Ticket. ‘+ On the Messaging tab, in the Message ID Protocol field, select the Suppress ID Transfer value. 22.2.4.3 Creating logical ports for SAP Basis 7.31 for SAP Solutions connects to OpenText components using logical Create a corresponding logical port for each connection: ‘+ Extended ECM logical port © OpenText Directory Services logical port + Content Server Member Services ‘© Enterprise Library logical port (if required) + Enterprise Library Content Services logical port (if required) To create a logical port for SAP Basis 7.31 1. In the IMG, navigate to the OpenText Extended ECM for SAP Solytions > Infrastructure > Create New Logical Ports activity, and then click @ Execute. ERLK220400-IGD-EN02 Installation and Upgrade Guide 135Chapter 22. Performing general postinstallation tasks in SAP In SOA Management, on the Service Administration tab, click Web Service Configuration. On the Design Time Object Search tab, select the search criteria Object Type, and then search for Consumer Proxy. In the Search Results list, select the entry for Extended ECM (/0TX/CO_FM_ WSM_ECMLINK).. On the Configurations tab, click Create > Manual Configuration. In the Logical Port Name step, enter a new name in the Logical Port Name field, and then add a description. Select Logical Port is Default if this is the only logical port for Enterprise Library Services or if this is the preferred port of several logical ports for Enterprise Library Services. Click Next. Web Service Configuration asl out Log Pst et Cotes Pn CO HELE RE A ‘conto Sage LepeaPettine= [6ST apa oa eugene rapes me In the Consumer Security step, select SAP Authentication Assertion Ticket. Click Next. In the HTTP Settings step, configure at least the following: + URL Access Path: Jotsapxecm/ services /ECML ink ‘+ Computer Name of Access URL: 1 ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2, Performing post.installation tasks Content Server installation hast name ‘+ Port Number of Access URL: port. For cloud installations, enter 443, ‘+ Transport Binding Type: SOAPLI Click Next In the SOAP Protocol step, set the Message ID Protocol option to Suppress ID Transfer. Lepeiniine Gr Senty TFs SOR Cproonope Click Next. Click Finish. ‘The new logical port is saved and activated. 11. Repeat Step 4 to Step 10 to create a logical ports according the following table: ERLK220400:1GD-EN-02 Installation and Upgrade Guide rdChapter 22, Performing general postinstallation tasks in SAP Extended ECM | Authentication | Content Server Member Service (MemberService) Internal name 1orx/co_AM_wsW_| /OTX/C0_ 1OTK/CO_ ECMLINK, OTDSAUTHENTICAT | MBLLMEMBER_ ION, SERVICE URL Access Path | Jotsapxecn/ — | /ot-authws/ _| /ows/services/ services/ services/ MemberService ECMLink Authentication ‘Computer Name of | otcs.example.com | otds.example.coml | otes.example.com Access URL Port Number of | 443 408 443 Access URL Uf you are sing user specific mapping with impersonation (GAP BAI, and if OTDS and Content Server are installed on different servers, enter the host name ofthe Content Server installation ‘The following settings are the same for all ports: ‘+ Consumer Security: SAP Authentication Assertion Ticket ‘+ Transport Binding Type: SOAP .1 ‘+ Message ID Protocol: Suppress 10 Transfer 22.2.4.4 Creating logical ports for SAP Basis 7.51 Extended ECM for SAP Solutions connects to Open'Text components using logical ports. Create a corresponding logical port for each connection: Extended ECM ‘© OpenText Directory Services Content Server Member Services ‘+ Enterprise Library (if required) + Enterprise Library Content Services (if required) To create a logical port for SAP Basis 7.51 I. Inthe IMG, navigate to the OpenText Extended ECM for SAP Solutions > Infrastructure > Create New Logical Ports activity, and then click Execute. ie ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks ‘SOA Management (D00;100) tere eee 51805) eg Ste tins, corre ese ara sevee ours ‘eae sonics eins ar Web seve ceneuner wl ee eapaitie eke in sed tse conan conten Froese pois enact by buses scenario onfauaton ‘Cea mine sence etna srs groups urparng change management [Setdes @ clammy ecever Iter dang sevice ru rine ae nies cetera recs IC. ser I reer ane ar afer msfod Arn consumer toy rnin 2. In SOA Management, on the Ser Configuration :¢ Administration tab, click Web Service 3. On the Design Time Object Search tab, select the search criteria Object Type, and then search for Consumer Proxy. 4. Inthe Search Results list, select the entry for Extended ECM (/OTX/C0_AM_ WSW_ECULINK). On the Configurations tab, click Create > Manual Configuration. 6. In the Logical Port Name step, enter a new name in the Logical Port Name field, and then add a description. Select Logical Port is Default if this is the only logical port for Enterprise Library Services or if this is the preferred port of several logical ports for Enterprise Library Services. Click Next 7. Inthe Consumer Security step, select SAP Authentication Assertion Ticket. Click Next. 8. Inthe HTTP Settings step, configure atleast the following + URL Access Path: Jotsapxecn/ services /ECULink ‘+ Computer Name of Access URL: otes.example..con ‘+ Port Number of Access URL: Web Services port (443 for cloud deployments) ‘+ Transport Binding Type: SOAPL1 ERLK220400-IGD-EN02 Installation and Upgrade Guide 138Chapter 22. Performing general postinstallation tasks in SAP Click Next 9. In the SOAP Protocol step, set the Message ID Protocol option to Suppress ID ‘Transfer. Click Next. 10. Click Finish, ‘The new logical port is saved and activated. 11. Repeat Step 4 to Step 10 to create a logical ports according the following table: Extended ECM | Authentication _| Content Server ‘Member Service (MemberService) Internal name J0Tx/Co_AM_wsi_ | /OTX/CO_ JOTX/CO_ ECMLINK’ OTDSAUTHENTICATI MBLLMENBER_ oN SERVICE URL Access Path | /otsapxecn/ Jot-authws/ Jows/services/ services /ECMLink| services/ MenberService Authentication ComputerName of | ota.examplecom | otdsexamplecoml) | otes.examplecom Access URL Port Number of | 443, 3 43 ‘Access URL [EF you are using user-specific mapping with impersonation (SAP BAUD, and if OTDS and Content Server are installed on different servers, enter the host name of the Content Server instalation ‘The following settings are the same for all ports: ‘+ Consumer Security: SAP Authentication Assertion Ticket ‘+ Transport Binding Type: SOAP1.1 ‘+ Message ID Protocol: Suppress 1D Transfer 22.2.4.5 Using the assertion-based authentication mechanism SAP recommend that you use value 9 for the login/create_sso2_ticket system parameter. With this value, Extended ECM for SAP Solutions needs some special configuration steps. B Notes + To use the assertion-based authentication, Extended ECM for SAP Solutions ‘must use RFC destinations managed by $9 transaction, In these RFC destinations you can maintain the assertion ticket parameters, + The assertion-based authentication mechanism does not work in the Internet Explorer compatibility mode, For implementing the assertion-based authentication mechanism you must modify the configuration as follows: vo ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks + Download and install the predefined WSDL/OTDS web service, delivered in wsdl_for_assertion tickets level_3.zip. ‘* Configure additional security settings for RFC destinations. To install the predefined WSDLs for the ECM Link and OTDS web service: I. In OpenText My Support Portal, navigate to Knowledge Base article KB0779691: WSDL for using SAP assertion-based authentication meckanism (https:// support.opentext.com/csm?sys_kb_id=a80483e1db139110e26e1736059619dage b_article_viewSesysparm_ranl sysparm_tsqueryld=681f3131475b5510d8047d1e436d43c6). Download the file. The attached ZIP file contains the required WSDL. files. 2. To install the predefined WSDLs for the ECMLink, OTDS and authentication web services, unpack the ZIP file and click on wsd1_for_assertion_tickets_ levels 3. In the SOAMANAGER, create a logical port based on this definitions by using, file based WSDL access. Set the parameters as follows: ‘+ Authentication section — Authentication method: sapsp:HTTPSSO2 = System ID: = SAP Client: ‘+ Transport Security section — Secure Communications: SSL — Signature Expected: False —_ Encryption Expected: False — Sign Message: False Add Encryption: False ‘+ Transport Settings section = URL Access Path: Complete URL, for example, https: // : /otsapxeon/services/ECMLink = Proxy: Leave blank — Transport Binding: Make Local Call: No Call in Local System Transport Binding Type: SOAP 1.1 Maximum Wait for WS Consumer: 0 Optimized XML Transfer: None Compress HTTP Message: Inactive ERLK220400-IGD-EN02 Installation and Upgrade Guide “iChapter 22, Performing general postinstallation tasks in SAP Compress Response: True + Messaging section — Message ID Protocol: Supress ID Transfer — Data transfer scope: Enhance Data Transfer — Transfer protocol: Transfer via SOAP header + Message Attachments section — Process Attachments: No 4. Repeat the above steps for each Extended ECM web service in use Maintain the environment parameters for OTDS: ‘+ SAPSYSTEMCLIENT: 001 ‘+ SAPSYSTEMNAME: OTX To configure additional security settings for RFC destinations, 1, Enter the M59 transaction. 2. Inthe REC Connections list, open the HTTP Connections to External Server section and find the destination configuration which is referred to in the Extended ECM communication configuration. 3. In the Logon & Security tab in section Logon with Ticket, select Send Assertion Ticket for Dedicated Target System. 4. In the System ID field enter OTX, and in the Client field enter 001 22.2.6 Configuring the Service Provider Interface service For communication from Content Server to the SAP systemn a web service is used. You configre the web service on SAP side. Content Server uses this web service to connect to the SAP system BD) Note: This activity is required to connect the SAP system as business application in Content Server. For more information, see “Connecting SAP 28 the business application” on page 152 1. Inthe IMG, navigate to the OpenText Extended ECM for SAP Solutions > Infrastructure structure and open it For the Configure SPI Service activity, click Execute The SOA Manager opens in a web browser Note: In the SOA Manager, the option names differ from release to release The following steps cover some ofthe possible option names. For detailed information, see the SAP documentation 142 ‘OpenText™ Extended ECM for SAP® Solutions ERLK220400-IGD-EN-0222.2. Performing post-installation tasks 10. re Click the Business Administration, Business Administrator or Service Administration tab. Click the Web Service Administration or Single Service Configuration link to manage the web service, Search for the /OTX/ECML INKSERVICE web service to display details. Select the web service and click Apply Selection. Click the Configurations tab. To create a service and an end point, click Create Service Enter the following: ‘+ New Service Name or Web Service Name: Enter a name of your web service, for example ECMLinkSPIService ‘+ Description: Enter a description for your web service. ‘+ New Binding Name: Enter a binding of your web service, for example BasicAuthBinding. [B) Note: The information you enter here will be part ofthe address used to access the SAP systom from Content Server: Example: Click Apply Settings to save. |. To configure your web service and binding, select your web service and end point in the table, and then click Edit. Define the security and authentication settings. The following authentication scenario is supported ‘+ HTTPS and HTTP basic authentication with user and password (On the Provider security tab, enter the following: — Transport Guarantee Type: Select HTTPS. Note: For HTTPS, the SSL. certificate must be imported to the keystore. For more information, see “Importing root certificates for Secure Sockets Layer (SSL) connections” on page 151. — Transport Protocol or Communication Security: Select HTTP Using Secure SSL Connection. — HTTP Authentication or Transport Channel Authentication: Select, User ID/Password, ERLK220400-IGD-EN02 Installation and Upgrade Guide 18Chapter 22. Performing general postinstallation tasks in SAP 22.2.6 13. Click Save. 14, Go back to SAP GUI and start the SIGF transaction. 15. In the Maintain Service dialog open the sap/be/ srt /xip/otx/ ecm] inkservice//, for example sap/be/srt/ xip/otx/eomlinkservice /800/ecmlinkspiservice node and check if the (for example basicauthbinding) service is activated. If not, activate it, Creating logical destinations The SAP system uses the Internet Communication Framework (ICF) to connect through REST calls to OTDS and the Content Server. For this, you define a logical destinations for each of the following systems: + OpenText Directory Services (OTDS) + Content Server ‘You will need these logical destinations when you set up the connection to the Extended ECM system. For more information, see “Maintaining Extended ECM connections” on page 145. To create logical destinations: 1, Run transaction su59 to open the Configuration of RFC Connections screen, 2. Createa new connection of type with the following parameters + REC destination: Enter a name for the connection + Connection Type: Select 6 HTTP Connection to External Server. + Technical Settings tab — Target Host: Enter the fully qualified hostname of the server. = Service No.: Enter the port of the server. If you want to use SSL (HTTPS), you also must activate SSL usage on the Logon & Security tab, — Path Prefix: Leave empty. — HTTP Proxy Options: You can define proxy settings specific to this, logical destination or a global configuration for all logical destinations ‘The proxy settings are only active for direct connections from the SAP server to external server. They are not relevant to frontend UI or Web UI connections. ‘+ Logon & Security tab: — Logon procedure: Select No Logon. a ‘OpenText™ Extended ECM for SAP® Solutions ERLK2204001GD-EN-0222.2. Performing post-instaltation tasks = Send Assertion Ticket: Select the option if itis a checkbox under the area Logon Procedure. The option must be set at least for the OTDS destination in order to allow single sign-on (S50). BB Note: in newer SAP releases you have 3 options under the Logon with Ticket area. The right option depends on the single sign-on (SSO) settings, see “Activating the SSO HTTP service” on page 126. If login/accept_sso2_ticket value 2 is used, select the Send. ticket without reference to target system option. If login/accept_sso2_ticket value 9 is used, select the Send assertion ticket for dedicated target system option. Then you must provide the system ID and client, see “Using the assertion-based authentication mechanism” on page 140. = SSL: Select Active. If you connect through IITTPS, use the correct port in the Property Service No. field on the Technical Settings tab. — SSL Client Certificate: Select ANONYM if SSL is active — Authorization for Destination: Leave empty. = User/Password Status: Leave empty. + Special Options tab: — Timeout: Select ICM Default Timeout. — HTTP Setting Version: Select [TTP 1.1. If you experienced unexpected issues, you may switch back to 1.0, = Compression: Select Inactive. Note: Compression of request bodies is not supported by Content Server. Leave compression status Inactive, — Compressed Response: Select Yes. — HTTP Cookies: Select No. 22.2.7 Maintaining Extended ECM connections All parameters for a connection to OpenText servers are collected with an connection ID. For an installation, you have to create a new connection ID. To maintain connection settings in: 1. Navigate to the Infrastructure > Maintain Extended ECM Connections activity, and then click @ Execute. 2. Click New Entries. ERLK220400-IGD-EN02 Installation and Upgrade Guide 145Chapter 22. Performing general postinstallation tasks in SAP © nave Ee ao face Wana aon \ ell *| Resources > > Edit and copy the Resource identifier, for example, d7¢6b26b- at 12-4487 -87cd-050de0768F 4a, ERLK220400-IGD-EN02 Installation and Upgrade Guide 7Chapter 22, Performing general postinstallation tasks in SAP RFC Impersonation uses a web service for SSO: if you want to restrict this web service to redirect to a certain Content Server, you can maintain a ‘whitelist. For more information, see “Improving data security for impersonation connections” on page 148. ‘Suppress Sending SAP Logon Ticket Select this option if you do not want to send the SAP Logon Ticket. Search UI Enter the logical destination, you created for it. 4. Click Bl save. 22.2.8 Improving data security for impersonation connections If you are using impersonation with web-based SSO to call embedded Content Server windows in SAP GUI, you can explicitly create a list of Content Servers that are allowed for this kind of connection. This follows the SAP whitelist concept. For ‘more information, see the SAP Help Portal (http://help.sap.com/saphelp_nw73ehp1/ helpdata/en/ee/984daaa3834eeaa77d5edb82257016 frameset htm). To create a whitelist for allowed impersonation connections: 1. Use transaction $430 to open table /OTK/RM_THTWHITE 2. Create an entry for each Content Server that is allowed to connect to your SAP system: Use Redirect URL /sap/publiclotx_rmuic_sso as Whitelist Entry Type. Provide the protocol, host name, port and an URL template. Notes + You can use the * wildcard in these fields, + You must add the wildcard at the end of the URL Template to cover all URLs based on that template Example: ‘Protocol of URL: HTTPS ‘+ Host Name: NYHOST. EXAMPLE. COW + Port 443 + URL Template: /es /es ve ‘OpenText™ Extended ECM for SAP? Solutions ERLK2204001GD-EN-0222.2. Performing post-installation tasks 22.2.9 Importing the Content Server SSL certificate To use SSL for the communication between Content Server and the SAP system, you must import the Content Server SSL certificate into the SAP system. Note: For the general setup of SSL in your SAP system, follow the procedure cutlined in http:/fhelp sap com/saphelprvs70ehp2ihelpdataler/49) 23601 ebfSa190Pe1 0000000012183 frameset tn, Prerequisites + You have configured the web servers for HTTPS, + You have exported the certificate from Content Server in the Base64 format, To export certificate from Content Server: 1. Callan URL from the environment in a browser. For example, https: / /otace. example. com/archive. 2. Click the lock symbol to access the certificate. In MS Edge, you must click ‘Connection is secure and then click the certificate symbol in the top right 3. In the certificate dialog, click the Certification Path tab and then click the top most certificate. Click the View Certificate button. 4. Switch to the Details tab of the certificate and click the Copy to File... button. Follow the assistant to save the certificate. To import the certificate: In the SAP system, start the TRUST transaction. (Open the SSL client SSL Client (Anonymous) node. (On the Certificate menu, click Import Enter the file path, and then select Base64. 5, Click the Add to Certificate List button and save your settings. 6. Repeat the steps for the SSL client SSL Client (Standard) node. ERLK220400-IGD-EN02 Installation and Upgrade Guide 148