cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to enable SSL for WACS

Go to solution
former_member299688
Explorer

on ‎10-19-2017 9:19 AM

Hi experts

We are currently trying to enable SSL for WACS to get BI-Administrators-Cockpit to work. We only see “a network error occurred” at the moment. But we don’t manage to get it running properly. We tried the following two variants:

1) PKCS12:

We used the pfx file that we created based on the same certificate we use for tomcat. But when we start the WACS server we get the following error message:

Failed to load keystore type PKCS12 with path C:\Windows\xxx.pfx due to Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

WACS does not even start.

2) JKS

We created our own JKS keystore and WACS started properly. But when we try to connect to the RESTful URL: “https://<servername>:<port>/biprws “ we get the following error message in Chrome: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

We also tried to convert the existing .p12 keystore (BO / BW SSO) to JKS but we get the same error.

Does anybody have an idea on how to enable SSL for WACS? And yes we basically followed the notes mentioned here: https://launchpad.support.sap.com/#/notes/2391613

SAP BI 4.2 SP4 Patch 2

Thank you very much
Lars

Show replies
Show replies
denis_konovalov
Active Contributor
‎12-15-2017 9:14 PM
0 Kudos

Fixed the tags for you. Security tag is not related to WACS and SSL.

Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member299688
Explorer
‎10-19-2017 2:02 PM

Hi everybody

I finally managed to get it working. If someone is interessted our problem was the following:

The default keysize of the keystore generated with JKS method is not sufficient (with BI 4.2 SP4 PL2). This is due to security enhancements described in SAP Note 2433337.

“Minimum certificate key length required 2048 (Earlier it was 1024)”

In Note 1618311 SAP does not indicate that the keysize has to be configured.

Original Command to create the keystore:

<installation_directory>\Program Files (x86)\SAP Business Objects\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool -genkey -alias WACS -keyalg RSA

Actually working command to create the keystore (for BI 4.2 SP4 PL2):

<installation_directory>\Program Files (x86)\SAP Business Objects\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool -genkey -alias WACS -keyalg RSA -keysize 2048

Hope this information will help others who are struggling with WACS SSL too.

Regards
Lars

Show replies
Show replies
mario_panzenboeck
Contributor
‎06-29-2018 11:55 AM
0 Kudos

This helped a lot - thank you very much!!!

Answers (1)

Answers (1)

JohnClark
Active Participant
‎01-07-2019 8:49 PM
0 Kudos

While I don't think our issue was with the 2048 key length, this post did prompt me to try a *.jks key instead of a *.pfx key. The service started with the *.jks key. This could be an issue for some one else who is having problems getting this running.

Show replies
Show replies
Ask a Question