To set up SSL (4.2 SP04) for all server communication, perform the steps below.
Configure the SIA with SSL certificates
From SP04, in addition to the root/trusted and server certificates (as shown below), BOE requires a PSE certificate generated with sapgenpse.
For PSE certificate generation in SP04, the prerequisite is to regenerate the certificates below (refer to the admin guide for how to generate them).
As a prerequisite, we have created the above certificates under the C:/SSL folder; now follow the steps below to generate the PSE certificate.
Navigate to the binary folder of the product (e.g. SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64). You will find sapgenpse.exe there.
Run the commands below to set the secure directory:
- set SECUDIR=. for Windows
- export SECUDIR=. for Linux
sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\servercert.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key
Give an empty password by pressing Enter at the password prompt.
You need to add the user credentials to the created PSE file. For example, if the BOE user is LocalSystem, execute the following command:
sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM
Please check that temp.pse has been generated.
The admin can now enable SSL in the SIA using the PSE and the other certificates.
NOTE: You can give the PSE file any name of your choice.
Configure the SIA with SSL certificates (Including PSE file)
- In the CCM, stop the Server Intelligence Agent.
- Double click the SIA to edit its properties.
- Go to the Protocol tab.
- Tick Enable SSL.
- Fill in each of the fields so that it looks like this
Note: Prior to BI4.2 SP04, we had all of these certificates except temp.pse; temp.pse is newly included in BI4.2 SP04.
- Click OK.
- Start the SIA
Configure the SDK and Processing Tier (Do this on every SIA Host)
*** If this step produces an error, such as the command not being found, the executable can be copied from the host where the CMS was installed. Depending on the options chosen during the initial installation, boe_sslconfig or sslconfig.exe might not get installed. Without this step certain workflows will fail, such as scheduling to an inbox.
<UNIX> Source the setup/env.sh script as follows: . ../../setup/env.sh
<UNIX> ./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
<UNIX> Exit the shell so that scripts run in the future will source the env.sh script properly.
<WINDOWS> sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
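The procedure above leaves passphrase.txt in plain text beside server.key, and temp.pse is created with an empty password, so file permissions are what protect the key material. The following pre-flight check for a UNIX SIA host is an added example, not part of the original guide or of SAP's tooling; the function names check_ssl_dir and is_exposed are hypothetical, and the file names are the ones used in this guide.

```shell
#!/bin/sh
# Added example: check the SSL directory before running boe_sslconfig.
# File names follow this guide; change them if you chose other names.
PUBLIC_FILES="servercert.der cacert.der"
SECRET_FILES="server.key passphrase.txt temp.pse"

# Succeeds if any group/other permission bit is set on the file $1.
# Uses POSIX find with octal -perm, so no GNU-only stat is needed.
is_exposed() {
    for bit in 040 020 010 004 002 001; do
        if [ -n "$(find "$1" -prune -perm "-$bit")" ]; then
            return 0
        fi
    done
    return 1
}

# Prints one line per problem; the exit status is the number of problems.
check_ssl_dir() {
    dir=$1
    problems=0
    # Every file passed to boe_sslconfig must exist and be non-empty.
    for f in $PUBLIC_FILES $SECRET_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING OR EMPTY: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    # Key, passphrase and PSE must be accessible to the owner only.
    for f in $SECRET_FILES; do
        if [ -f "$dir/$f" ] && is_exposed "$dir/$f"; then
            echo "ACCESSIBLE TO GROUP/OTHERS: $dir/$f (consider chmod 600)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: check_ssl_dir <SSLFILEPATH> && ./boe_sslconfig -dir <SSLFILEPATH> ...
```

The check assumes the files are owned by the account that runs the SIA; on Windows the equivalent is to review the ACLs on the C:/SSL folder.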