Setting up SSL in BI 4.1

Former Member
0 Kudos

Hello Colleagues,

I am trying to set up SSL in BI 4.1. In the Admin guide we have the first step as:

8.13.2 Setting up SSL when the certificate is managed by a certificate authority

When setting up SSL for server communication, follow these steps if the certificate is managed by a certificate authority.


1. Export your desired certificate with its private key to PKCS #12 (.PFX) format. This will be used as the certificate for the certificate authority.

What does this mean? Do I need the CA certificate with its Private key?

If I have private key of the CA then I can behave as the CA itself!

Normally I generate my CSR and get it signed from the CA and then import both signed server cert + CA cert. Then SSL should work.

Thanks and Regards,

Nitin

Accepted Solutions (1)

Former Member
0 Kudos

Hi Nitin,

Please follow the steps below, which should help in case the application server at your side is Tomcat:

1. Execute the following from a command line to create a .keystore file:

"<Installation Directory>:\Program Files (x86)\SAP Business Objects\SAP Business Objects Enterprise XI 4.0\win64_x64\jdk\bin\keytool" -genkey -alias tomcat -keyalg RSA

2. Upon executing the above command, you will be prompted for a keystore password, your full name, organizational unit, organization, city, state and country. At the end, you will be prompted for the keystore password again. This has to be the same password as the password you entered previously. Newer versions of the keytool will prompt you to hit ENTER to keep it the same.

3. Once finished, a self-signed .keystore file will have been created in your user's home directory:

For example: C:\Users\Administrator

4. Move this .keystore file from this directory to one in the Business Objects folder structure or any other folder

For example: C:\SSL

5. Browse to Tomcat's server.xml file and create a backup file:

For example: C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf

6. Open and edit the server.xml file in WordPad.

7. Uncomment the section below and add the two commands after keystorePass & keystoreFile. This section needs to reference the new location of the .keyfile and the password you specified when creating it.

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystorePass="password" keystoreFile="C:\SSL\.keystore"/>

8. Restart Tomcat and it should now be accessible using

https://Servername:8443/BOE/CMC

Regards,

Arun

Former Member
0 Kudos

Excellent answer, it works very well.

usman1158
Explorer
0 Kudos

I am on BO 4.2 and I am not able to make it work.

Answers (5)

Former Member
0 Kudos

I had the same confusion as Nitin had. Now I am stuck with the CA cert display issue. I followed all the procedures as suggested by the Tomcat doc and SAP white papers; I think they are basically the same as the ones JRK and everyone else mentioned above ...

One thing I'm puzzled by is the CA cert provided by our IT group. It says the issuer is VeriSign at the top, but the Distribution Points is URI:http://sd.symcb.com/sd.crl and the Authority Information Access entries are URIName: http://sd.symcd.com and URIName: http://sd.symcb.com/sd.crt

Could anyone help please?

Thanks a lot!
Yu

Former Member
0 Kudos

I got the answer for the questions on Distribution Points and Authority Information Access.

But I'm still struggling with the error message "This connection is untrusted".


Any suggestions?

Best,

Yu

Former Member
0 Kudos

1. Export your desired certificate with its private key to PKCS #12 (.PFX) format. This will be used as the certificate for the certificate authority.

What does this mean? Do I need the CA certificate with its Private key?

While creating a CA certificate, a private key is a basic requirement. So the answer would be yes, else it won't serve the purpose of a secure socket.

If I have private key of the CA then I can behave as the CA itself!

Having a private key does not mean that you have the necessary authorization at user level (where the keystore has been created)

If you have the rights available at the locations where the keystore has been created, I would say yes, you would be co-owner of the certificate and hence can make changes to the same. Usually a certificate authority would not give such rights to any other user.

Normally I generate my CSR and get it signed from the CA and then import both signed server cert + CA cert. Then SSL should work

Yes it would work, CA actually defines the roles needed (authentication / validity of source) for the particular application to specific level in the domain / network.

Hope these answer your queries.

Former Member
0 Kudos

For better understanding of CA being issued...check http://en.wikipedia.org/wiki/Certificate_authority

Former Member
0 Kudos

What I mean is, generally you cannot get the private key of the CA. It would not be allowed.

Suppose I get the private key of the CA; then I can sign the certificate.

This is what is mentioned in the BI 4.1 guide. You get the CA cert + private key. Then you generate the CSR. Now you do not need to send it to the CA; you can sign it yourself (Step 7 under section 8.13.2).

This, I guess, should not be the correct procedure.

Former Member
0 Kudos

The steps mentioned in the guide are for creating a self assigned certificate. It means you are the CA for this certificate. There are no other CAs involved. Of course, if you want the key to be changed, the keystore would need to be updated with new certificates.

Former Member
0 Kudos

Actually there are 2 sections:

8.13.1.1 To create key and certificate files for a machine (Self-signed approach)

8.13.2 Setting up SSL when the certificate is managed by a Certificate Authority

And thanks for your response

Former Member
0 Kudos

keystoreFile is required for configuring SSL.

SSL will also work with keystoreFile. Additional certificates are based on your organization.

A few organizations will have additional web hosting certificates (which will be managed by a CA). In that case those certificates need to be imported into the keystoreFile so that the SSL setup meets all of the organization's standards.

Once you get the additional certificates from the CA, you can import those certificates (like entrust, root, intermediate, etc.) into the keystore.

Currently we have same setup and it is working fine.

Let me know if you need any additional details.
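
The CA-signed flow discussed in this thread (generate a CSR, have the CA sign it, then import the CA certificates and the signed certificate into the Tomcat keystore), written out as an added example; it is not from any poster or from the SAP guide. It assumes keytool is on PATH and prints English output, and the file names, CA aliases and password are placeholders. The last function checks whether the `tomcat` alias still carries only the self-signed certificate.

```powershell
# Added example: paths, file names and the password are placeholders.
$keytool  = 'keytool'            # assumed on PATH; otherwise the jdk\bin copy under the BI install
$keystore = 'C:\SSL\.keystore'
$alias    = 'tomcat'
$pass     = 'KEYSTORE_PASSWORD'  # placeholder for the password chosen at creation

function New-CsrForTomcat {
    # Key pair plus temporary self-signed certificate, then a CSR from that same entry.
    & $keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -keystore $keystore -storepass $pass
    & $keytool -certreq -alias $alias -file 'C:\SSL\tomcat.csr' -keystore $keystore -storepass $pass
}

function Import-CaReply {
    # CA certificates first (root, then intermediate), each under its own alias.
    & $keytool -importcert -trustcacerts -noprompt -alias root -file 'C:\SSL\root.crt' -keystore $keystore -storepass $pass
    & $keytool -importcert -trustcacerts -noprompt -alias intermediate -file 'C:\SSL\intermediate.crt' -keystore $keystore -storepass $pass
    # Signed certificate under the SAME alias as the private key, so keytool treats it
    # as a certificate reply and replaces the self-signed chain on that entry.
    & $keytool -importcert -alias $alias -file 'C:\SSL\signedCert.crt' -keystore $keystore -storepass $pass
}

function Test-TomcatEntry {
    # Parses "keytool -list -v" output for the alias that Tomcat will serve.
    $out    = (& $keytool -list -v -alias $alias -keystore $keystore -storepass $pass 2>&1 | Out-String)
    $type   = if ($out -match 'Entry type:\s*(\S+)') { $Matches[1] }
    $length = if ($out -match 'Certificate chain length:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $owner  = if ($out -match '(?m)^Owner:\s*(.+)$')  { $Matches[1].Trim() }
    $issuer = if ($out -match '(?m)^Issuer:\s*(.+)$') { $Matches[1].Trim() }

    if ($type -ne 'PrivateKeyEntry') { $verdict = 'alias holds no private key; Tomcat cannot serve it' }
    elseif ($length -lt 2)           { $verdict = 'still self-signed; CA reply is not attached to this alias' }
    else                             { $verdict = 'CA-signed chain is attached to the private key' }

    [pscustomobject]@{
        EntryType   = $type
        ChainLength = $length
        SelfSigned  = ($owner -and ($owner -eq $issuer))   # leaf issued by itself
        Verdict     = $verdict
    }
}

# Order of use: New-CsrForTomcat, send tomcat.csr to the CA, Import-CaReply, Test-TomcatEntry
```

Importing the signed certificate under a new alias creates a separate trusted-certificate entry and leaves the self-signed certificate on the private key, which is what the browser then shows. Tomcat reads the keystore at startup, so restart it after the import.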


Former Member
0 Kudos

Hi Guys,

Thanks for your reply. I know those steps and notes you provided.

But my specific question is regarding the step mentioned in the Admin guide. As I mentioned in my original question, I want to find out what the guide means by the step I mentioned above.

Regards,

Nitin

Former Member
0 Kudos

Are you looking to set up SSL for only Tomcat? If yes, then please check the below SAP note

1648573 - How to Configure SSL on Tomcat in BI 4.0

If you are looking to set up SSL for Tomcat and SIA, please check the below

http://blog.davidg.com.au/2012/12/setting-up-ssl-for-tomcat-and-sia-in-6.html

Former Member
0 Kudos

Hi Guys,

I did everything JRK and Arun mentioned above.

The browser always displays a certificate error when accessing the CMC or LaunchPad login page with https (port 8443). When I view the certificate from the browser, it only shows the self-signed certificate, not the one managed by the CA (VeriSign). Could you please provide some suggestions here?

Thanks! 

Yu

Former Member
0 Kudos

You have to import the certificates which were provided by CA to the Bo SSL certificate.

Former Member
0 Kudos

Thanks for your reply, JRK! I added the signedCert.crt and the chain certificates from VeriSign to the keystore for Tomcat, but it doesn't work.

Where is BO SSL certificate?

Best,

Yu