Karthik Addula

wildcard certificates into BOBJ Web application

Posted on Aug 16, 2016 at 03:47 PM 392 Views

Hello All,

I configured tomcat https on BOBJ 4.2 , it works as expected except the certificate trusted warning when opening in the browser. I have valid wild card certificate for the domain. I imported it using the keytool . However, when i open the link, the browser still warns and when i check the certificate it is still using the privatekey certificate but not the trusted wildcard

Steps followed

1) Generated Keystore as per note 1648573 - when asked first name and last name , i used ABC (name changed)

2) changed server.xml file

https started working with warning

wildcard import process

1) got the wildcard.crt certificate ( wildcard entry name :123.com, issued by CA) ( names changed)

2) imported certificate using keytool (keytool -import -file wildcard.crt -alias wildcard -keystore -keystore) . The certifcate imported , but https still uses the same old privatekey entry certificate (i.e ABC, not 123.com)

3) Keytool list shows two enteries 1) privatekey 2) trustedentry

When i tried to import the wildcard card certificate to ssme alias generated in step 1 , it complains public keys in reply dont match keystore

Can someone please share the process followed in importing wildcards

Thanks

Karthik

Add a comment

2 Answers

Sort by:

Votes

Newest

Oldest

Best Answer

This answer has been deleted.

This answer has been undeleted.

Ilias Fytrakis

Posted on Aug 17, 2016 at 01:26 PM

2
Hi Karthik,

In a similar case scenario, we were given a PKCS#12 wildcard certificate (*.pfx file format). In order to use it with Tomcat we have followed the steps below:
1. Receive the wildcard certificate as well as the password. This certificate has to be created by a Certification Authority (e.g. Comodo, Symantec).
2. Copy the certificate in a selected directory which can be accessed by the account that is used for running BO services etc.
3. Stop Tomcat.
4. Modify the 'server.xml' which is located either in '<LINUX_BO_DIR>/sap_bobj/tomcat/conf' or '<WIN_BO_DIR>/tomcat/conf'
5. Modify accordingly the HTTPS connector
< Connector

port="8443"

protocol="org.apache.coyote.http11.Http11Protocol"

URIEncoding="UTF-8"

SSLEnabled="true"

maxThreads="900"

scheme="https"

secure="true"

clientAuth="false"

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

keystoreFile="<CERTIFICATE_PATH>/wildcard_certificate.pfx"

keystorePass="CERTIFICATE_PASSWORD"

keystoreType="PKCS12"

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

/>

Notes
- The password can be presented either in plain text or with the corresponding XML entities.
Finally, you may find useful the following resources:

Title: Create a .pfx/.p12 certificate file using OpenSSL

URL: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Title: Passwords - Why are plain text passwords in the config files?

URL: http://wiki.apache.org/tomcat/FAQ/Password

Thanks,

ilias
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
1 Comment
- Karthik Addula
  
  Aug 17, 2016 at 01:58 PM
  
  Hi Ilias
  
  Thanks a lot , this is what exactly i was looking for
  
  No matter how many ways i import .crt wildcard, tomcat is still using the self-signed certificate it created at the time of keystore generation .
  
  After converting to PCKS format, and pointing tomcat to use this keystore, it worked (i converted crt to PCKS12 using openssl )
  
  Thanks a lot again
  
  Thanks
  
  Karthik
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Denis Konovalov

Posted on Aug 16, 2016 at 04:01 PM

1
this has nothing to do with BOE/SAP products, it's the browser and your certificate. You should google the browser warning and see how to resolve it.
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
3 Comments
- Karthik Addula Denis Konovalov
  
  Aug 16, 2016 at 08:02 PM
  
  Hello Denis -
  
  Thankyou very much for the note
  
  Yes, the settings are on tomcat and none of BOE components are in pciture. However, i am trying to see if anyone else here imported wildcards into tomcat , just to understand how it worked for them
  
  Thanks
  
  Karthik
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.

Rules of Engagement

Know someone who can answer? Share a link to this question.

Attachments: Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.

wildcard certificates into BOBJ Web application

Add a comment

Assigned Tags

Related questions

2 Answers

Add a comment

Add a comment

Before answering