Hello BI4 Admins,

In addition to James Rapp’s guide about Improving the User Experience in SAP BI Platform – BI 4.1 and Apache 2.4 Supplement,

I want to explain how to migrate an existing Tomcat SSL configuration to Apache and how to enable some logging improvements.

Apache SSL Setup


Assuming that there is already a working SSL configuration for Tomcat in place,
the existing certificate and its private key can be extracted from the keystore used by Tomcat
with the help of the Java keytool and openssl:

– Open CMD.exe

– Change directory to “<BOBJ>\win64_x64\sapjvm\bin”,

  where <BOBJ> is C:\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\

  (or on which drive it’s installed in your deployment)

– Export the existing certificate with the following command (always adapt the values in < > according to your deployment).
  The -rfc option writes the certificate in PEM format, which is what mod_ssl expects; without it keytool writes binary DER:

keytool -exportcert -rfc -alias <cert alias> -file apache.crt -keystore "C:\<keystore location>\<keystorename>"


– Clone existing keystore to PKCS12

keytool -v -importkeystore -srckeystore "C:\<keystore location>\<keystorename>" -srcalias <cert alias> -destkeystore myp12file.p12 -deststoretype PKCS12

– Switch directory to openssl in <Apache root>\bin, e.g. C:\Apache24\bin

– Extract the private key from the PKCS12 keystore (still located in the sapjvm\bin directory) with openssl by the following command:

openssl pkcs12 -in "<BOBJ>\win64_x64\sapjvm\bin\myp12file.p12" -nocerts -nodes

– Copy the private key, shown in CMD as plain text, to a text file and save it

Please keep in mind that this is sensitive information since it’s your certificate’s private key!!

– Rename the text file to apache.key

– Move the created files apache.crt and apache.key from “<BOBJ>\win64_x64\sapjvm\bin”
  to your default keystore location


– Stop Tomcat and Apache


– Change your Tomcat SSL port to another value by modifying the corresponding connector

  in “<BOBJ>\tomcat\conf\server.xml”, to avoid conflicts, e.g. to 44380


– Open httpd.conf located in <Apache root>\conf, to configure SSL for Apache:

– Search for LoadModule ssl_module modules/mod_ssl.so

  and uncomment it by deleting the # at the beginning of the line

– Insert the following lines, for example after the default Listen statement for HTTP.

  Please adapt the <Apache root>, <HTTPS port>, <servername> and <default keystore location>

  according to your deployment.

  Keep in mind that <servername> has to match the common name (CN) of the certificate,
  as well as the hostname used when accessing the BIP via HTTPS and that Apache needs “/” instead of “\” for paths:


Listen <HTTPS port>
SSLSessionCache shmcb:<Apache root>/logs/SSLCache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:<HTTPS port>>
    ServerName <servername>
    SSLEngine on
    SSLCertificateFile <default keystore location>/apache.crt
    SSLCertificateKeyFile <default keystore location>/apache.key

    Include conf/bobj.BOE.conf
    Include conf/bobj.AdminTools.conf
    Include conf/bobj.BusinessProcessBI.conf
    Include conf/bobj.MOBIServer.conf
    Include conf/bobj.MobileBIService.conf
    Include conf/bobj.clientapi.conf
    Include conf/bobj.dswsbobje.conf
    Include conf/bobj.explorer.conf
    Include conf/bobj.explorer_help.conf
</VirtualHost>

– Start Tomcat and Apache


– Basic check of SSL configuration by accessing

https://<servername>/

-> should show the default “It works!” page


– Check BI Launchpad access via
https://<servername>/BOE/BI

-> should show the BI Launchpad login


The deployment is now configured for SSL (HTTPS client access).
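As an added example (not part of the original post), the following stdlib-only Python script checks the apache.crt and apache.key produced by the steps above before Apache is started: it converts a DER apache.crt (what keytool writes without -rfc) to PEM, and strips the Bag Attributes preamble that openssl pkcs12 prints around the key. The sample inputs are constructed and are not real certificates or key material.

```python
import base64
import re

# Constructed samples (not real certificates or keys): a DER-encoded ASN.1 SEQUENCE,
# and an "openssl pkcs12 -nocerts -nodes" style dump with its Bag Attributes preamble.
DER_SAMPLE = bytes.fromhex("300d06092a864886f70d0101010500")
KEY_EXPORT_SAMPLE = """Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 33 39 38 38 31 30 31 30 36 35 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def extract_pem_block(text, label):
    """Return only the BEGIN/END block whose label ends with `label`, dropping
    the Bag Attributes / Key Attributes lines openssl prints around it."""
    for m in PEM_BLOCK.finditer(text):
        if m.group(1).endswith(label):
            return m.group(0) + "\n"
    raise ValueError("no %s block found" % label)

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes as PEM: base64 in 64-character lines between markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def ensure_pem_certificate(raw):
    """keytool -exportcert writes binary DER unless -rfc is given, while mod_ssl
    expects PEM and fails with 'PEM_read_bio:no start line' otherwise."""
    if b"-----BEGIN" in raw:
        return extract_pem_block(raw.decode("ascii"), "CERTIFICATE")
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: a binary DER certificate
        return der_to_pem(raw)
    raise ValueError("apache.crt is neither PEM nor DER")

def normalize_pair(cert_raw, key_text):
    """Return (apache.crt, apache.key) contents in the form mod_ssl reads."""
    return ensure_pem_certificate(cert_raw), extract_pem_block(key_text, "PRIVATE KEY")
```

Run it over the real files by reading apache.crt in binary mode and apache.key as text, then write the two returned strings back out.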



– Not specific to SSL, but can be helpful in this context:

  In contrast to Tomcat, it is not possible to access http(s)://<servername>/BOE/BI/ or /BOE/CMC/ (with a trailing slash)

  while using the default bobj.BOE.conf created by the WDeploy split deployment, which only mounts /BOE/BI and /BOE/CMC.

  If you need that working, add the following parameters at the end of bobj.BOE.conf in <Apache root>\conf:

JkMount /BOE/CMC/ ajp13

JkMount /BOE/BI/ ajp13

Improving Apache logging


By default, Apache writes logs until the disk is full,

which is not a desirable behavior in a production environment.

In this simple example, we limit error.log, access.log and deflate_log.log

to at most 10 files of 50 MB each, overwriting the oldest file (like a ring buffer).

This is done with the help of rotatelogs, which is contained in <Apache root>\bin:


– Open httpd.conf, located in <Apache root>\conf

– Deactivate the following lines by commenting them with #:

ErrorLog "logs/error.log"

CustomLog "logs/access.log" common

– After that, add the matching one of the following lines, below each one deactivated in the step before:

ErrorLog "|bin/rotatelogs.exe -n 10 logs/error.log 50M"

CustomLog "|bin/rotatelogs.exe -n 10 logs/access.log 50M" common


– Open httpd-bi41.conf, located in <Apache root>\conf\extra

– Deactivate the following lines by commenting them with #:

LogFormat '"%r" %b (%{ratio}n) "%{User-agent}i"' deflate

CustomLog logs/deflate_log.log deflate

– After that, add the matching one of the following lines, below each one deactivated in the step before:

LogFormat '"%r" %b (%{ratio}n%%) "%{User-agent}i"' deflate

CustomLog "|bin/rotatelogs.exe -n 10 logs/deflate_log.log 50M" deflate


– The LogFormat change adds a % character after the deflate ratio, for better readability of the deflate_log.log.

  This can be further modified, see mod_deflate – Apache HTTP Server for more details.


– Restart Apache


Now we have configured a simple log rotation.

If you want to do more sophisticated things, have a look at cronolog,
also mentioned in the Apache documentation:

Log Files – Apache HTTP Server
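As an added example, not from the original post, here is a small Python parser for the deflate LogFormat defined above ('"%r" %b (%{ratio}n%%) "%{User-agent}i"'). The log lines are constructed samples; the parser handles the (-%) that mod_deflate logs for responses it did not compress and counts lines that do not match the format instead of dropping them silently.

```python
import re
from statistics import mean

# Constructed sample lines in the format of the deflate LogFormat from this guide;
# they are not real server output. The last line is deliberately malformed.
SAMPLE_DEFLATE_LOG = """\
"GET /BOE/BI HTTP/1.1" 18342 (27%) "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"GET /BOE/BI/images/logo.png HTTP/1.1" 4096 (-%) "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"POST /BOE/BI/logon.jsp HTTP/1.1" 930 (12%) "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"GET /favicon.ico HTTP/1.1" - (-%) "curl/7.30.0"
this line is not in the expected format
"""

# %r, %b ("-" when nothing was sent), (%{ratio}n%%) and %{User-agent}i
DEFLATE_LINE = re.compile(
    r'^"(?P<request>[^"]*)" (?P<bytes>\d+|-) \((?P<ratio>\d+|-)%\) "(?P<agent>[^"]*)"$'
)

def parse_deflate_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = DEFLATE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # mod_deflate leaves the ratio note unset for responses it did not compress
    rec["ratio"] = None if rec["ratio"] == "-" else int(rec["ratio"])
    return rec

def summarize_deflate_log(text):
    """Count compressed vs. uncompressed responses, sum bytes sent and average
    the compression ratio (output size as a percentage of the input)."""
    parsed = [parse_deflate_line(l) for l in text.splitlines() if l.strip()]
    records = [p for p in parsed if p is not None]
    ratios = [r["ratio"] for r in records if r["ratio"] is not None]
    return {
        "requests": len(records),
        "malformed": parsed.count(None),
        "compressed": len(ratios),
        "bytes_sent": sum(r["bytes"] for r in records),
        "avg_ratio": mean(ratios) if ratios else None,
    }
```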


I hope this helps some of you


Regards

Moritz



(Sorry for not providing any screenshots, but since this topic involves sensitive information,

I didn’t want to show any of our original systems)


12 Comments


  1. James Rapp

    Thanks for sharing Moritz!

    One thing to keep in mind is that if your Tomcat is using the Apache Portable Runtime (APR), which is enabled by placing the tcnative-1.dll in the Tomcat/bin directory, it is capable of using the exact same certificate and key files as Apache.  It even uses the same parameters (i.e. SSLCertificateFile and SSLCertificateKeyFile) in the server.xml!

    This is nice because you can set up SSL independently for Tomcat and Apache using the same set of files.

        1. Moritz Hödel Post author

          Thanks for bringing this up, but I’ve already had a look at it and it’s not relevant for us at the moment, since we didn’t switch to APR so far.

          But what is not covered by this article: You also have to update Apache to get rid of the heartbleed bug, if you are using the version 2.4.7, mentioned in your Improving the User Experience in SAP BI Platform – BI 4.1 and Apache 2.4 Supplement guide.

          We’ve updated to 2.4.9 recently, which contains an updated OpenSSL version, without the heartbleed bug.

          Besides the conversion from CRT to PEM, everything still has to be done as listed in this guide.

          I will update it accordingly if I find time for it 🙂

  2. Ricky M

    Hello James Rapp and Moritz (I could not tag you)

    A very nice blog, and I have followed it pretty much to the T, but now my Apache is not starting.

    Apache 2.4.29, openssl version – g

    BO 4.0, Tomcat 7

    What my initial requirement was to have 1. Split BO with apache and tomcat 2. implement ssl on apache

    I completed the 1st point and it’s working fine. Then I was trying to configure SSL on Apache without configuring SSL on Tomcat, and SAP suggested that it’s fundamental to have SSL on Tomcat, so I came upon this blog. I followed the SAP note on configuring SSL on Tomcat, which was pretty simple: generate a keystore file, put it in some common place, point server.xml to that file (I had to disable APR as it was not working with that). So SSL on Tomcat is working…

    Then I tried following this blog, and after completing everything my Apache fails to start. It says:

    [Sun May 18 09:30:51.543154 2014] [ssl:emerg] [pid 7092:tid 412] AH02562: Failed to configure certificate *********************6115:0 (with chain), check C:/SSL/apache.crt

    [Sun May 18 09:30:51.543154 2014] [ssl:emerg] [pid 7092:tid 412] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) — Bad file contents or format – or even just a forgotten SSLCertificateKeyFile?

    [Sun May 18 09:30:51.543154 2014] [ssl:emerg] [pid 7092:tid 412] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

    AH00016: Configuration Failed

    I know it points to some problem with apache.crt, but what?? I followed SAP note 1648573 and then this blog. My certificates are self-signed.

    Can you please help

    1. Ricky M

      Okay, I think I solved this: I converted the certificate to PEM

      openssl x509 -inform der -in apache.crt -out certificate.pem

      Now my biggest problem came again, which was there before implementing SSL on Tomcat and for which I asked SAP.

      http://localhost:<portno>/index.html – It Works !!

      https://localhost:<sslPortNo>/index.html – It Works !!

      BUT, when i try to login to

      http://localhost:<portno>/BOE/BI — It works !!

      https://localhost:<sslPortNo>/BOE/BI — It DOES NOT work.



      It gives me 403 and 404 errors… I have checked the logs, it says:

      *************************************

      [Wed Apr 30 07:39:29.026297 2014] [mpm_winnt:notice] [pid 8352:tid 352] AH00364: Child: All worker threads have exited.

      [Wed Apr 30 07:39:29.041922 2014] [mpm_winnt:notice] [pid 9528:tid 412] AH00430: Parent: Child process 8352 exited successfully.

      [Wed Apr 30 07:39:44.745148 2014] [mpm_winnt:notice] [pid 2264:tid 412] AH00455: Apache/2.4.9 (Win64) OpenSSL/1.0.1g mod_jk/1.2.40 configured — resuming normal operations

      [Wed Apr 30 07:39:44.745148 2014] [mpm_winnt:notice] [pid 2264:tid 412] AH00456: Apache Lounge VC11 Server built: Mar 16 2014 12:42:59

      [Wed Apr 30 07:39:44.745148 2014] [core:notice] [pid 2264:tid 412] AH00094: Command line: ‘D:\\Apache24\\bin\\httpd.exe -d D:/Apache24’

      [Wed Apr 30 07:39:44.745148 2014] [mpm_winnt:notice] [pid 2264:tid 412] AH00418: Parent: Created child process 3116

      [Wed Apr 30 07:39:45.713904 2014] [mpm_winnt:notice] [pid 3116:tid 352] AH00354: Child: Starting 64 worker threads.

      [Wed Apr 30 07:40:29.057931 2014] [autoindex:error] [pid 3116:tid 944] [client ::1:58834] AH01276: Cannot serve directory D:/Apache24/htdocs/BOE/CMC/: No matching DirectoryIndex (default.htm,index.htm,default.html,index.html) found, and server-generated directory index forbidden by Options directive

      ***************************************


      ***If I put index.html from the root directory into the BOE/CMC or BOE/BI folder, it picks it up and shows IT WORKS !! *****


      Can you please help me, I don’t know what the error means…

      1. Moritz Hödel Post author

        Hello Ricky,

        I’m glad that you managed to fix the first issue already. The guide was written when Apache 2.4.7 was the newest available version and there the conversion to pem wasn’t necessary.

        Regarding the problem you have now, the first two things which came into my mind were the following:

        – The additional bobj.*.conf includes in the VirtualHost for SSL are missing, but I guess you didn’t miss them (please have a look at the guide again if you don’t know what I mean)

        – The JkMounts for BOE/CMC/ and BOE/BI/ are missing.

        By default, there are only JkMounts for BOE/CMC and BOE/BI (without the / at the end) done by wdeploy.

        Because you wrote that you’ve tried to access  https://localhost:<sslPortNo>/BOE/BI,

        but the log shows an error for BOE/CMC/.

        I guess that’s the one you are looking for.

        Just add

        JkMount /BOE/BI/ ajp13

        JkMount /BOE/CMC/ ajp13

        to your bobj.BOE.conf and it should work fine.

        And when you are doing this, also add

        JkMount /BOE/*/BOETimeoutPing ajp13

        to it if not already done. Otherwise the session expiration popups won’t work.

        If you have a look at the comments of Jim’s blog for the Apache 2.4 split deployment, you can also find these infos there.

        Krgds

        Moritz

        1. Ricky M

          Hi Moritz,

          Thanks for replying, feels good when someone keeps updating and helping fellow members through the blog 🙂

          Regarding your points

          1. JkMount /BOE/CMC/ ajp13 and JkMount /BOE/CMC/ ajp13 are maintained in bobj.BOE.conf; I have also maintained the Timeout parameter as suggested, but still the same problem.

          ** As told previously, whenever I put index.html inside /BOE/CMC or BOE/BI it picks up index.html, otherwise it gives the error as previously stated**

          2. The additional bobj.*.conf includes in the VirtualHost for SSL are missing — Sorry, but I am not sure what it is. Could you point me to the guide you are talking about here? Is it the BO Admin guide? Or the Split guide by James?

          Thank you once again for helping me out here..

          Regards,

          Ricky

          1. Moritz Hödel Post author

            Hi Ricky,

            You’re welcome.

            Yeah, I got that part with the index.html, but that’s not the behavior you want to have I guess.

            Regarding the VirtualHost:

            It’s THIS guide.

            Just search for “VirtualHost” in here and you will see the necessary httpd.conf entries.

            If the shown BOBJ includes are not done in this section,

            access to BIP via SSL will never work fine.

            It’s been some time since I’ve configured this and I can only tell you these two tips at the moment. I can only remember that I had similar issues and one of the two listed points fixed my problem. Maybe Jim has some better ideas if this doesn’t help.

            Krgds

            Moritz

            1. Ricky M

              Hello Moritz,

              Thank you so very much, that solved the problem.

              I somehow missed it (cursing myself for it)…

              But, thanks again for pointing it out pretty clearly.

              Thanks,

              Rajat Sharma

