Pranav Kumar

Configure SIA to Use SSL Certificates in BI 4.2 SP4

To set up SSL for the SIA in BI 4.2 SP4, perform the steps below:

  • Generate Certificate

  • Configure the SIA with SSL certificates

Generate Certificates:

In BI 4.2 SP4, in addition to the root/trusted and server certificates (as shown below), BOE requires a PSE certificate generated with sapgenpse.

As a prerequisite for PSE certificate generation in BI 4.2 SP4, regenerate the certificates below (refer to the admin guide for how to generate them).

The steps below assume that all of the above certificates have been created under the C:/SSL folder. Follow them to generate the PSE certificate.

Generate PSE file from the Server certificates

Navigate to the binary folder of the product (e.g. SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64). You will find sapgenpse.exe there.

Run the commands below to set the secure directory:

  • set SECUDIR=. for Windows
  • export SECUDIR=. for Linux

sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\servercert.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key

Enter an empty password by pressing Enter at the password prompt.

You need to add the user credentials to the created PSE file. For example, if the BOE user is LocalSystem, execute the following command:

sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM

Check that temp.pse has been generated.

The admin can now enable SSL in the SIA using the PSE and the other certificates.

NOTE: You can give the PSE file any name of your choice.

Configure the SIA with SSL certificates (Including PSE file)

 

  • In the CCM, stop the Server Intelligence Agent.
  • Double click the SIA to edit its properties.
  • Go to the Protocol tab.
  • Tick Enable SSL.
  • Fill in each of the fields so that it looks like this

Note: Prior to BI 4.2 SP4, all of these certificates except temp.pse were used; temp.pse is newly included in BI 4.2 SP4.

  • Click OK.
  • Start the SIA; it should now be accessible using https://Servername:8443/BOE/CMC.
  • Configure the SDK and Processing Tier (Do this on every SIA Host)

***If this step produces an error, such as the command not being found, the executable can be copied from the host where the CMS was installed. Depending on the options chosen during the initial installation, boe_sslconfig or sslconfig.exe might not have been installed. Without this step, certain workflows will fail, such as scheduling to an inbox.

cd <BINPATH>
<UNIX> Source the setup/env.sh script as follows:  . ../../setup/env.sh
<UNIX> ./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
<UNIX> exit the shell so that scripts run in the future will source the env.sh script properly.

<WINDOWS>  sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
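
Before running boe_sslconfig on a Linux SIA host, the directory passed to -dir can be checked with the added example below (not part of the original post or of SAP's tooling). The helper name check_ssl_dir is hypothetical, and the owner-only permission rule is an assumption that follows from this procedure: the PSE is created with an empty password and the key passphrase sits in a file beside the key, so file permissions are what protect them.

```shell
#!/bin/sh
# Added example: pre-flight check of the directory later passed to
# boe_sslconfig -dir. File names are the ones used on this page;
# check_ssl_dir is a hypothetical helper, not an SAP tool.

# Files the procedure expects, and the subset holding private material.
SSL_FILES="cacert.der servercert.der server.key passphrase.txt temp.pse"
SSL_PRIVATE="server.key passphrase.txt temp.pse"

# check_ssl_dir DIR
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_ssl_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi
    # Every file named on the command line must exist and be non-empty.
    for f in $SSL_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"
            rc=1
        elif [ ! -s "$dir/$f" ]; then
            echo "EMPTY $f"
            rc=1
        fi
    done
    # Assumption: key, passphrase and PSE should be readable by the owner only.
    for f in $SSL_PRIVATE; do
        [ -f "$dir/$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "EXPOSED $f (group/other bits: $perms)"
            rc=1
        fi
    done
    return $rc
}

# Run against a directory when one is given, e.g. ./check_ssl_dir.sh /opt/ssl
if [ $# -gt 0 ]; then
    check_ssl_dir "$1"
fi
```

Run it as the account that owns the SIA; any EXPOSED line can be cleared with chmod 600 on the named file.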

 


      4 Comments
      Mark Richardson

      Pranav :

      Thanks for the update.

      Assuming that new temp.pse certificate will also change the certificate(s) and configuration for all the Desktop Clients that can connect to the SIA after SSL is enabled, right..?

      CLIENT TOOL

      1. Business View Manager
      2. Crystal Reports 2016
      3. Crystal Reports for Enterprise 4.2
      4. Design Studio 1.61
      5. Information Design Tool
      6. Lumira 1.31
      7. Lumira 2.0
      8. Query As A Web Service Builder
      9. Report Conversion Tool
      10. Translation Management Tool
      11. Universe Design Tool
      12. Web Intelligence Rich Client
      13. Widgets for Business Objects Platform

      Is there good 4.2 (SP04) documentation from SAP for how new temp.pse certificate needs to be configured for each of those Desktop Clients after the new "enhanced" CORBA SSL is enabled on the SIA Nodes..?

      Thanks,
      Mark

      Former Member
      1. Open <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64.
      2. Launch command line console and run set SECUDIR=. for Windows and export SECUDIR=. for Linux.
      3. Run sapgenpse import_p8 -p C:\SSL\cert.pse -c C:\SSL\servercert.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key.
      4. Provide an empty password by pressing enter on password prompt.
      5. Add the user credentials to the created pse file.

      If SIA is running with LocalSystem account, then you have to execute the following command:

      sapgenpse seclogin -p C:\SSL\cert.pse -O SYSTEM to add the user credentials in the pse file.

       

      James Troutman

      Is there more info for doing this on a Linux server install?

      Georg Thome

      Hello,

      in my opinion this is misleading.

      The communication and the configuration of SIA with BO has nothing to do with the reachability from clients to the BO Tomcat resp. Webserver.

      The access of

      https://server:8443/BO/CMC or https://server:8443/BO/BI etc.

      as well as the access of WACS and the webservice URL is solely configured with the java keytool for tomcat and the related settings for the keystore. The certificates used here should be signed and follow the IETF standard, especially when working with up-to-date browsers on the client side (SANs instead of FQHN in the CN).

      There is no PSE involved; this is only "needed" for server internal communication, e.g. on clustered config. On a server which hosts all the BO parts in one lonely place, this is overhead.

      But if you have a different opinion, I'm open for corrections and other opinions.

      Regards

      Georg