
wildcard certificates into BOBJ Web application

0 Kudos

Hello All,

I configured Tomcat HTTPS on BOBJ 4.2; it works as expected except for the certificate-trust warning when opening it in the browser. I have a valid wildcard certificate for the domain. I imported it using keytool. However, when I open the link, the browser still warns, and when I check the certificate it is still using the private-key certificate, not the trusted wildcard.

Steps followed

1) Generated the keystore as per note 1648573; when asked for first name and last name, I used ABC (name changed)

2) Changed the server.xml file

HTTPS started working, with the warning

Wildcard import process

1) Got the wildcard.crt certificate (wildcard entry name: 123.com, issued by a CA) (names changed)

2) Imported the certificate using keytool (keytool -import -file wildcard.crt -alias wildcard -keystore <keystore file>). The certificate imported, but HTTPS still uses the same old private-key entry certificate (i.e. ABC, not 123.com)

3) keytool -list shows two entries: 1) privatekey 2) trustedentry

When I tried to import the wildcard certificate into the same alias generated in step 1, it complains that the public keys in the reply don't match the keystore.

Can someone please share the process they followed for importing wildcards?

Thanks

Karthik

Accepted Solutions (1)


Former Member
0 Kudos

Hi Karthik,

In a similar scenario, we were given a PKCS#12 wildcard certificate (*.pfx file format). In order to use it with Tomcat we followed the steps below:

  1. Receive the wildcard certificate as well as the password. This certificate has to be created by a Certification Authority (e.g. Comodo, Symantec).
  2. Copy the certificate in a selected directory which can be accessed by the account that is used for running BO services etc.
  3. Stop Tomcat.
  4. Modify the 'server.xml', which is located either in '<LINUX_BO_DIR>/sap_bobj/tomcat/conf' or '<WIN_BO_DIR>/tomcat/conf'
  5. Modify the HTTPS connector accordingly:

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    URIEncoding="UTF-8"
    SSLEnabled="true"
    maxThreads="900"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
    keystoreFile="<CERTIFICATE_PATH>/wildcard_certificate.pfx"
    keystorePass="CERTIFICATE_PASSWORD"
    keystoreType="PKCS12"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>

Notes

  • The password can be given either in plain text or with the corresponding XML entities.

Finally, you may find the following resources useful:

Title: Create a .pfx/.p12 certificate file using OpenSSL

URL: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Title: Passwords - Why are plain text passwords in the config files?

URL: http://wiki.apache.org/tomcat/FAQ/Password

Thanks,

ilias
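The question and the accepted answer together describe one workflow: a bare "keytool -import file.crt" only adds a trustedCertEntry (no private key), so Tomcat keeps serving the keytool-generated self-signed PrivateKeyEntry; importing the CA certificate into the key alias only works if the CA signed a CSR made from that exact key, otherwise keytool reports "public keys in reply don't match keystore"; the fix is a PKCS#12 file holding the matching private key, leaf certificate and chain, referenced with keystoreType="PKCS12". The following shell script is an added example (not code from the thread or from SAP/Tomcat) that checks the key/certificate match first, builds the PKCS#12, escapes the password for server.xml, and verifies what Tomcat actually serves after the restart. The file names, the alias "tomcat", the host bi.example.com and port 8443 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl and keytool
# are on PATH; file names, alias "tomcat" and host/port are placeholders.
set -eu

# Escape the five XML special characters so a password can be pasted into
# keystorePass="..." without corrupting server.xml. '&' must be replaced
# first, otherwise the entities produced by the later rules get re-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Return 0 when the public key inside CERT was derived from KEY.
# keytool's "public keys in reply don't match keystore" is exactly this
# comparison failing: the CA signed a CSR made from some other key, not the
# one keytool generated in the self-signed keystore.
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Bundle key + leaf cert + intermediate chain into one PKCS#12 under a single
# alias. Built this way the store always contains a PrivateKeyEntry, which is
# what Tomcat serves; a bare "keytool -import wildcard.crt" only creates a
# trustedCertEntry that is never presented to browsers.
build_pkcs12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing to build: $cert was not issued for the key in $key" >&2
        return 1
    fi
    openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
        -certfile "$chain" -out "$out" -passout "pass:$pass"
    chmod 600 "$out"   # only the account running Tomcat/BO services needs it
    # Expect one entry of type PrivateKeyEntry (not trustedCertEntry)
    keytool -list -keystore "$out" -storetype PKCS12 -storepass "$pass"
}

# After restarting Tomcat: show the certificate actually presented on the
# HTTPS port and whether its chain validates against the local CA bundle.
# The handshake happens before any BOE component is involved, so this is
# the check to run when a browser still shows the self-signed certificate.
check_served_cert() {
    host="$1"; port="${2:-8443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    if openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "chain verified OK"
    else
        echo "chain NOT trusted: check the intermediate(s) passed via -certfile" >&2
    fi
}

# Usage: sh wildcard_pkcs12.sh key.pem wildcard.crt chain.crt out.pfx 'password'
#        then restart Tomcat and run: check_served_cert bi.example.com 8443
if [ "$#" -eq 5 ]; then
    build_pkcs12 "$1" "$2" "$3" "$4" "$5"
    echo "keystorePass value for server.xml: $(xml_escape "$5")"
fi
```

The private key passed to build_pkcs12 is the one the CSR was generated from when the wildcard was ordered (typically held by whoever requested the certificate), not the key inside the keytool-generated keystore. Two caveats on the posted connector: sslEnabledProtocols should be limited to TLSv1.2 (and TLSv1.3 where the Tomcat/JRE supports it), since TLS 1.0/1.1 are deprecated by RFC 8996, and the two RC4 suites in the ciphers list should be dropped, since RFC 7465 prohibits RC4 in TLS and current browsers will not negotiate it.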

0 Kudos

Hi Ilias

Thanks a lot, this is exactly what I was looking for.

No matter how many ways I import the .crt wildcard, Tomcat still uses the self-signed certificate it created at the time of keystore generation.

After converting to PKCS#12 format and pointing Tomcat to this keystore, it worked (I converted the .crt to PKCS#12 using OpenSSL).

Thanks a lot again

Thanks

Karthik

Answers (1)


denis_konovalov
Active Contributor
0 Kudos

This has nothing to do with BOE/SAP products; it's the browser and your certificate. You should google the browser warning and see how to resolve it.

0 Kudos

Hello Denis -

I understand this is not an SAP issue, but I'm trying to see if anyone has imported wildcards in BOBJ.

The browser warning is pretty generic; it says "certificate not trusted" (it's still using the self-signed certificate).

Thanks

Karthik

denis_konovalov
Active Contributor
0 Kudos

You're not importing the certificate into BOBJ; you're using it in Tomcat to enable HTTPS.
The HTTPS handshake is between Tomcat and the browser (server/client), and it happens before any part of BOE is involved.

The part where the browser thinks the certificate is not valid or not secure needs to be addressed via Tomcat/browser settings.

From the BOE side, BOE mobile apps are not supported with wildcard certificates:

2215428 - Unable to connect to SAP BI Mobile App on Android O/S while using HTTPS connection

0 Kudos

Hello Denis -

Thank you very much for the note.

Yes, the settings are in Tomcat and none of the BOE components are in the picture. However, I am trying to see if anyone else here has imported wildcards into Tomcat, just to understand how it worked for them.

Thanks

Karthik