Configure secure communications for a new Web application (Duet Enterprise)
Applies to: Duet Enterprise for Microsoft SharePoint and SAP
During deployment, administrators must configure secure communications among the following components: one Web application in the Microsoft SharePoint Server 2010 farm, one server that runs SAP NetWeaver, and the Duet Enterprise SAP Add-on.
You can decide to establish a secure Microsoft Business Connectivity Services connection between an additional Web application and the same SAP NetWeaver server for which the Secure Store in the SharePoint Server farm has already been configured. Additionally, you can decide to establish secure communications between an additional Web application and a different server that runs SAP NetWeaver.
This article describes the step-by-step procedures for configuring secure communications between a Web application on a SharePoint Server farm and a server that runs SAP NetWeaver on which secure communications have already been configured.
To configure secure communications between a Web application and a server that runs SAP NetWeaver, do the following procedures in the order listed:
1. Create or obtain an SSL certificate
2. Prepare the Web application
   - Verify whether a Web application is configured for Windows claims-based authentication
   - Create a Web application for the Duet Enterprise sites
3. Extend the Web application to use SSL
4. Create an alternate access mapping for the SSL-enabled Web application
5. Create the SSL binding for the SSL-enabled zone
6. Export the SSL certificate
7. Share the SSL certificate with the SAP administrator
8. Establish a trust relationship with the SSL certificate from the SAP environment
Create or obtain an SSL certificate
To use Secure Sockets Layer (SSL) to help secure a Web application, you must have an SSL certificate. For a production environment we recommend that you obtain a signed certificate from either a third-party certification authority (CA) or a CA in your intranet domain. However, for test environments you can create a self-signed certificate for this purpose. For more information about how to decide the kind of certificate to use and how to create a self-signed certificate, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=193447).
Prepare the Web application
Windows claims-based authentication is required for all Web applications on which you will configure Duet Enterprise solutions. Forms-based authentication is not supported because reports cannot be routed to sites that use forms-based authentication. Typically, you want end users to be able to use the HTTP protocol to access content in SharePoint sites.
Because workflow transactions between the Web application and the SAP system require Basic authentication, which sends credentials in clear text, we recommend that you extend the Web application to create a new zone and configure that zone for SSL and Basic authentication.
There are several options when you are preparing the Web application. For example, you might want to deploy the Duet Enterprise sites on an existing Web application, or you can create a new Web application.
Do one of the following:
- If a Web application on which you want to enable Duet Enterprise functionality already exists, you must ensure that it is configured for Windows claims-based authentication. To verify that your existing Web application supports Duet Enterprise, go to Verify whether a Web application is configured for Windows claims-based authentication.
- If the Web application on which you want to enable Duet Enterprise functionality does not already exist, go to Create a Web application for the Duet Enterprise sites.
Verify whether a Web application is configured for Windows claims-based authentication
If you have a Web application that you want to use for the Duet Enterprise sites, you must ensure that it is configured for Windows claims-based authentication. If you want to create a new Web application for Duet Enterprise sites, proceed to Create a Web application for the Duet Enterprise sites.
If the Web application that you want to use for Duet Enterprise sites is not configured for Windows claims-based authentication, you might be able to convert it to Windows claims-based authentication or you can create a new Web application for the Duet Enterprise sites. For information about converting a Web application to Windows claims-based authentication, see Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=205651) and Migrate from classic-mode to claims-based authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=205652).
Note
You must be a member of the SharePoint Farm Administrators group to complete this procedure.
To determine whether a Web application is configured for Windows claims authentication
Verify that you have the following administrative credentials:
- You must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
1. In the Central Administration Web site, on the Quick Launch, click Application Management.
2. In the Web Applications section, click Manage web applications.
3. In the Name column, click the Web application for which you want to verify the authentication provider.
4. In the Security group of the ribbon, click Authentication Providers.
5. In the Authentication Providers dialog box, under Membership Provider Name, verify that the zone for which you will deploy the Duet Enterprise sites says “Claims Based Authentication”. If it does not, the Web application is not configured for claims-based authentication, and you must either convert it to Windows claims-based authentication or create a new Web application for the Duet Enterprise sites.
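The same check, scripted. This is an added example and not part of the original article: it runs in the SharePoint 2010 Management Shell as a Farm Administrator and reports, for every Web application and zone, whether the application is claims-based and whether Basic authentication is enabled on a zone whose public URL is not SSL (the clear-text exposure the article warns about).

```powershell
# Added audit script (not from the original article). Assumes the SharePoint 2010
# Management Shell on a farm server, run by a member of Farm Administrators.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DuetWebAppAuthReport {
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            $publicUrl = $wa.GetResponseUri($zone)
            # Basic authentication is only acceptable on an SSL-enabled zone,
            # because it sends credentials in clear text otherwise.
            $basicWithoutSsl = $iis.UseBasicAuthentication -and ($publicUrl.Scheme -ne 'https')
            # New-Object PSObject keeps this compatible with PowerShell 2.0.
            New-Object PSObject -Property @{
                WebApplication  = $wa.DisplayName
                Zone            = $zone
                PublicUrl       = $publicUrl.AbsoluteUri
                ClaimsBased     = $wa.UseClaimsAuthentication
                BasicAuth       = $iis.UseBasicAuthentication
                Kerberos        = -not $iis.DisableKerberos
                BasicWithoutSsl = $basicWithoutSsl
            }
        }
    }
}

$report = Get-DuetWebAppAuthReport
$report | Format-Table WebApplication, Zone, PublicUrl, ClaimsBased, BasicAuth, Kerberos, BasicWithoutSsl -AutoSize

# Flag what Duet Enterprise cannot use, and what exposes credentials.
$report | Where-Object { -not $_.ClaimsBased } | ForEach-Object {
    Write-Warning "$($_.WebApplication): not claims-based; convert it or create a new Web application."
}
$report | Where-Object { $_.BasicWithoutSsl } | ForEach-Object {
    Write-Warning "$($_.WebApplication) ($($_.Zone)): Basic authentication is enabled on a non-SSL zone."
}
```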
Create a Web application for the Duet Enterprise sites
The Web application for the Duet Enterprise sites must be configured to use Windows claims-based authentication. If you do not already have a Web application on which you want to enable the Duet Enterprise sites, use this procedure to create one. Otherwise, proceed to Extend the Web application to use SSL.
Note
You must be a member of the SharePoint Farm Administrators group to complete this procedure.
To create a Web application that uses Windows claims-based authentication
Verify that you have the following administrative credentials:
- To create a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
1. On the Central Administration Home page, in the Application Management section, click Manage Web applications.
2. In the Contribute group of the Ribbon, click New.
3. On the Create New Web Application page, in the Authentication section, click Claims Based Authentication.
4. In the IIS Web Site section, in the Port box, type the port number that you want to use to access the Web application.
   By default, this field is populated with a random port number.
   Note
   The standard port number for HTTP access is 80. If you want users to access the Web application without typing in a port number, use the standard port number.
5. Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) that you want to use to access the Web application.
   Note
   In general, this value is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server, and DNS is configured to route requests to the same server.
6. In the IIS Web Site section, in the Path box, optionally type the path of the IIS Web site root directory on the server.
   This box is populated with a suggested path.
7. In the Claims Authentication Types section, ensure that the Enable Windows Authentication check box is selected, and in the drop-down menu select either Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=192622).
8. In the Public URL section, change the URL to the fully qualified domain name. For example, https://corp.contoso.com:80.
   Note
   The Zone value is automatically set to Default for a new Web application.
9. In the Application Pool section, ensure that Create a new application pool is selected, and then type the name that you want to use for the new application pool or keep the default name.
10. Under Select a security account for this application pool, ensure that Configurable is selected, and select the managed account that you want to use for this application pool.
11. In the Database Name and Authentication section, select the database server and database name for your new Web application as follows, or accept the default values.
    Database Server: Type the name of the database server and Microsoft SQL Server instance that you want to use, in the format SERVERNAME\instance. You can also use the default entry.
    Database Name: Type the name of the database, or use the default entry.
12. In the Database Name and Authentication section, ensure that Windows Authentication (recommended) is selected.
13. If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.
14. In the Service Application Connections section, select the service application connections that will be available to the Web application. In the drop-down menu, click default or custom. Use the custom option to select the service application connections that you want to use for the Web application.
    Tip
    Duet Enterprise requires that the following service applications are associated with this Web application: Business Data Connectivity service, Secure Store Service, and User Profile Service Application.
15. In the Customer Experience Improvement Program section, click Yes if you want to participate in the customer experience improvement program or No if you do not.
16. Click OK to create the new Web application.
17. Click OK in the dialog box that appears. The Web application that you created appears on the Web Applications Management page in Central Administration. Do not close this page, because you will need it for the next procedure.
Extend the Web application to use SSL
Use this procedure to extend the Web application in order to create a zone that will be used for all transactions between the Web application and the SAP system.
To extend the Web application
Verify that you have the following administrative credentials:
- To extend a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the Windows Administrators group on the server that is running Central Administration.
1. On the Central Administration Home page, in the Application Management section, click Manage Web applications.
2. On the Web Applications Management page, select the Web application that you created in the previous procedure.
3. In the Contribute group of the Ribbon, click Extend.
4. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, ensure that Create a new IIS Web site is selected, and then optionally type the name of the Web site in the Name box.
5. In the IIS Web Site section, in the Port box, type the port number that you want to use to access the Web application. By default, this field is populated with a random port number.
6. Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) that you want to use to access the Web application.
   Note
   Typically, this field is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server, and DNS is configured to route requests to the same server.
7. Optional: In the IIS Web Site section, in the Path box, type the path of the IIS Web site root directory on the server. By default, this field is populated with a suggested path.
8. In the Security Configuration section, under Use Secure Sockets Layer (SSL), click Yes.
9. In the Claims Authentication Types section, ensure that Enable Windows Authentication is selected, and in the drop-down menu select either Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkID=192622).
10. Select the Basic authentication (credentials are sent in clear text) check box.
11. In the Public URL section, change the URL to the fully qualified domain name. For example, https://corp.contoso.com:443.
12. In the Zone list, select the zone that you want to use for this port. You can choose any available zone. However, we recommend that you choose the Custom zone, because this name best describes the purpose of this zone.
13. Click OK to extend the Web application.
For more information about how to set up SSL, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=187887).
Create an alternate access mapping for the SSL-enabled Web application
The Web application that you created in the previous procedure must be available by using the URL that is specified in the SSL certificate that you will bind to that Web application (in a later procedure). If it is not the same URL, for example if the Web application was created by using the fully qualified domain name (FQDN) but the certificate uses the short URL, you must create an alternate access mapping to specify the URL that is listed in the certificate.
Note
An example of an FQDN is http://contoso.corp.com. In this example, the short URL would be http://contoso.
If the URL listed in the SSL certificate and the URL used to create the Web application are the same, then you do not have to perform this procedure.
To create an alternate access mapping
1. In Central Administration, on the Quick Launch, click System Settings.
2. In the Farm Management section, click Configure alternate access mappings.
3. Click Add Internal URLs.
4. In the Alternate Access Mapping Collection section, select the Web application that you will use for your Duet Enterprise sites.
5. In the Add Internal URL section, do the following:
   - In the URL protocol, host and port box, type the URL that is listed in the SSL certificate.
   - In the Zone list, select the zone that you want to use for this URL.
     Note
     This is the name of the zone that you selected when you extended the Web application in the previous procedure.
6. Click Save.
The alternate access mapping that you created appears on the Alternate Access Mappings page.
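The three procedures above (create the claims-based Web application, extend it to an SSL zone that allows Basic authentication, and add the internal URL that the certificate names) as one script. This is an added example, not code from the original article; the application name, URLs, port numbers, managed account, database names and the certificate's short name are placeholders, and the managed account is assumed to be registered in the farm already.

```powershell
# Added example (not from the original article). Runs in the SharePoint 2010
# Management Shell as a Farm Administrator. All names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$publicHttpUrl  = 'http://corp.contoso.com'   # Default zone, used by end users
$publicHttpsUrl = 'https://corp.contoso.com'  # Custom zone, used for SAP traffic
$certUrl        = 'https://corp'              # Assumed short name in the SSL certificate

# Default zone: Windows claims with Negotiate (Kerberos). No Basic authentication here.
$defaultAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$wa = New-SPWebApplication -Name 'Duet Enterprise Sites' `
    -Url $publicHttpUrl -Port 80 `
    -ApplicationPool 'DuetEnterpriseAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\spAppPool') `
    -AuthenticationProvider $defaultAuth `
    -DatabaseServer 'SQL01\SharePoint' -DatabaseName 'WSS_Content_Duet'

# Custom zone: SSL plus Basic authentication. Basic is acceptable only because this
# zone is SSL-only; it would send credentials in clear text on the HTTP zone.
$sslAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -UseBasicAuthentication

New-SPWebApplicationExtension -Identity $wa -Name 'Duet Enterprise Sites - SSL' `
    -Zone Custom -Url $publicHttpsUrl -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $sslAuth

# Only needed when the certificate's name differs from the zone's public URL.
if ($certUrl -ne $publicHttpsUrl) {
    New-SPAlternateURL -WebApplication $wa -Url $certUrl -Zone Custom -Internal
}

# Confirm the result: claims-based, and Basic authentication only on the Custom zone.
$wa = Get-SPWebApplication $publicHttpUrl
$custom = [Microsoft.SharePoint.Administration.SPUrlZone]::Custom
$default = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
"Claims-based: $($wa.UseClaimsAuthentication)"
"Basic on Default zone: $($wa.IisSettings[$default].UseBasicAuthentication)"  # expected False
"Basic on Custom zone:  $($wa.IisSettings[$custom].UseBasicAuthentication)"   # expected True
Get-SPAlternateURL -WebApplication $wa | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```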
Create the SSL binding for the SSL-enabled zone
Complete this procedure to bind an SSL certificate to the SSL-enabled zone of your Web application.
Note
You must be a member of the Administrators group on the computer that is running SharePoint Server 2010 to complete this procedure.
To create the SSL binding for the extended Web application
1. Log on to a front-end Web server as a member of the Windows Administrators group.
2. Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the Connections pane, expand Sites, and then select the site that is associated with the SSL-enabled Web application that you created in an earlier procedure.
   Tip
   This site can be identified by the port number and name that you assigned to the site when you extended the Web application.
4. In the Actions pane, under Edit Site, click Bindings.
5. In the Site Bindings dialog box, click Add.
6. In the Add Site Binding dialog box, select https from the Type drop-down list.
7. From the SSL certificate list, select the SSL certificate that you created or obtained in Create or obtain an SSL certificate, and then click OK.
8. Click Close to close the Site Bindings dialog box.
9. Repeat steps 1 through 8 for each additional front-end Web server in the load-balance rotation of your SharePoint Server 2010 server farm.
Export the SSL certificate
If you obtained an SSL certificate from a certification authority (CA), then you do not have to do this procedure because you already have the certificate in your file system. However, if you used IIS on a SharePoint front-end Web server to create a self-signed certificate for testing, you must export the certificate so that you can share a copy of that certificate with the SAP administrator.
Note
You must be a member of the Windows Administrators group on the SharePoint front-end Web server to perform this procedure.
To export the SSL certificate
1. Log on to a SharePoint front-end Web server on which you have bound the certificate.
2. If it is not already open, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the tree view, select the server node.
4. In the middle pane, under IIS, double-click Server Certificates.
5. In the middle pane, double-click the certificate that you bound to your extended Web application.
6. In the Certificate dialog box, on the Details tab, click Copy to File.
7. On the Welcome to the Certificate Export Wizard page, click Next.
8. On the Export Private Key page, ensure that No, do not export the private key is selected, and then click Next.
9. On the Export File Format page, click Next.
10. On the File to Export page, in the File name box, type the path and file name to which you want to export the certificate, and then click Next.
    Tip
    You do not have to type a file name extension.
11. Click Finish.
12. Click OK to close the message box that reads The export was successful.
13. Click OK to close the Certificate dialog box.
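The SSL binding and the export of the public certificate from the two procedures above, as a script run on each front-end Web server. This is an added example and not part of the original article; it assumes IIS 7.x with the WebAdministration module available, and the site name, certificate thumbprint and export path are placeholders you replace.

```powershell
# Added example (not from the original article). Run on a front-end Web server as a
# member of the local Administrators group. Site name, thumbprint and path are placeholders.
Import-Module WebAdministration

$siteName   = 'Duet Enterprise Sites - SSL'   # IIS site created when the Web application was extended
$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'  # certificate in cert:\LocalMachine\My
$exportPath = 'C:\Temp\duet-sharepoint-ssl.cer'

$cert = Get-Item "cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key; IIS cannot use it for SSL.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "The certificate expired on $($cert.NotAfter)." }

# Add the https binding to the extended site, then attach the certificate to port 443.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
$cert | New-Item $sslBinding | Out-Null

# Export only the public certificate (DER-encoded .cer): the private key stays on this server.
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $bytes)

# Check the file: it must load without a private key and match the bound certificate.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath
if ($exported.HasPrivateKey -or $exported.Thumbprint -ne $cert.Thumbprint) {
    throw 'Export check failed: wrong certificate or private key present.'
}
"Bound $($cert.Subject) ($($cert.Thumbprint)) to $siteName and exported it to $exportPath"
```

Give the SAP administrator the thumbprint printed at the end through a separate channel, so the certificate file can be checked against it on the SAP side.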
Share the SSL certificate with the SAP administrator
You must give a copy of the SSL certificate to the SAP administrator. The SAP administrator will use the SSL certificate to establish communication from the SAP NetWeaver server in the SAP system to your Web application.
Establish a trust relationship with the SSL certificate from the SAP environment
For the SSL-enabled Web application to accept information from the SAP environment, you must establish a trust relationship with the SSL certificate that is provided by the SAP administrator.
Note
You must be a member of the Farm Administrators SharePoint group to complete this procedure.
To trust the SSL certificate from the SAP environment
1. In Central Administration, on the Quick Launch, click Security.
2. In the General Security section, click Manage trust.
3. In the Manage group of the Ribbon, click New.
4. In the Establish Trust Relationship dialog box, in the Name box, type the name that you want to use for this trust relationship.
5. Next to the Root Authority Certificate box, click Browse.
6. In the Choose File to Upload dialog box, in the File name box, type the path and file name of the certificate for which you want to establish a trust relationship, and then click Open.
7. Click OK to close the Establish Trust Relationship dialog box.
The name that you typed in step 4 appears in the Name column on the Trust Relationship page.
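The trust procedure above as a script, with the check a practitioner wants before the farm trusts a certificate: the file's thumbprint is compared with the value the SAP administrator supplied through a separate channel. This is an added example and not part of the original article; the file path, trust name and expected thumbprint are placeholders.

```powershell
# Added example (not from the original article). Run in the SharePoint 2010
# Management Shell as a Farm Administrator. Path, name and thumbprint are placeholders;
# the expected thumbprint should come from the SAP administrator, not from the file itself.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath           = 'C:\Temp\sap-netweaver-ssl.cer'
$trustName          = 'SAP NetWeaver SSL'
$expectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_SAP_ADMIN'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Verify the certificate before the farm starts trusting it.
if ($cert.Thumbprint -ne $expectedThumbprint) { throw "Thumbprint mismatch: file has $($cert.Thumbprint)" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.HasPrivateKey) { throw 'A public certificate was expected, not a key pair.' }

if (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $trustName }) {
    Write-Warning "Trust '$trustName' already exists; no change made."
} else {
    New-SPTrustedRootAuthority -Name $trustName -Certificate $cert | Out-Null
}

# Confirm the entry is present with the expected subject and expiry.
Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $trustName } | ForEach-Object {
    "$($_.Name): $($_.Certificate.Subject), expires $($_.Certificate.NotAfter)"
}
```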