Configure SIA to Use SSL Certificates in BI 4.2 SP4
To set up SSL for the SIA in BI 4.2 SP4, perform the steps below:
- Generate certificates
- Configure the SIA with SSL certificates
Generate Certificates:
In BI 4.2 SP4, in addition to the root/trusted certificate and the server certificate (as shown below), BOE requires a PSE certificate generated with sapgenpse.
For PSE certificate generation in BI 4.2 SP4, the prerequisite is to regenerate the certificates below (refer to the admin guide for how to generate them).
As a prerequisite, all of the above certificates are created under the C:/SSL folder; now follow the steps below to generate the PSE certificate.
Generate PSE file from the Server certificates
Navigate to the binary folder of the product (e.g. SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64); you will find sapgenpse.exe there.
Run the command below to set the secure directory:
- set SECUDIR=. for windows
- export SECUDIR=. for linux
sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\servercert.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key
Give an empty password by pressing Enter at the password prompt.
You need to add the credentials of the user account running the SIA to the created PSE file. For example, if the BOE user is LocalSystem, execute the following command:
sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM
Check that temp.pse has been generated.
The admin can now enable SSL in the SIA using the PSE and the other certificates.
NOTE: you can give the PSE file any name of your choice.
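As an added example (not part of the original post and not SAP's own tooling), the bash script below runs the same sapgenpse flow on a Linux host, preceded by an openssl pre-flight of the four input files; sapgenpse's own errors say little when a .der file is actually PEM, the passphrase file is wrong, or the key does not belong to the certificate, and this catches those before the PSE is built. It assumes openssl on PATH, that you are in the Linux equivalent of the binary folder above so that sapgenpse resolves, and that on Linux the seclogin -O argument is the OS user the SIA runs as; the make_constructed_ssl_dir helper builds a throw-away CA and server certificate purely as constructed sample input.

```shell
#!/usr/bin/env bash
# Added example, not from the SAP page: pre-flight the four files that
# `sapgenpse import_p8` consumes, then run the page's two sapgenpse commands.
# Assumptions: Linux, openssl on PATH, file names as on the page
# (servercert.der, cacert.der, server.key as encrypted PKCS#8, passphrase.txt).

# Return 0 only when the four input files are mutually consistent.
# $1 = directory holding them (the page uses C:\SSL on Windows).
preflight_ssl_dir() {
    local dir=$1 work f
    for f in servercert.der cacert.der server.key passphrase.txt; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    work=$(mktemp -d) || return 1
    # -c and -r expect DER; a PEM file renamed to .der is a common mistake.
    if ! openssl x509 -inform DER -in "$dir/servercert.der" -out "$work/server.pem" 2>/dev/null; then
        echo "servercert.der is not a DER X.509 certificate" >&2; rm -rf "$work"; return 1
    fi
    if ! openssl x509 -inform DER -in "$dir/cacert.der" -out "$work/ca.pem" 2>/dev/null; then
        echo "cacert.der is not a DER X.509 certificate" >&2; rm -rf "$work"; return 1
    fi
    # The root passed with -r must be the issuer of the server certificate.
    if ! openssl verify -CAfile "$work/ca.pem" "$work/server.pem" >/dev/null 2>&1; then
        echo "servercert.der does not chain to cacert.der" >&2; rm -rf "$work"; return 1
    fi
    # A PSE built from an expired certificate is useless to the SIA.
    if ! openssl x509 -in "$work/server.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "servercert.der has expired" >&2; rm -rf "$work"; return 1
    fi
    # The first line of passphrase.txt (-z) must decrypt server.key ...
    if ! openssl pkey -in "$dir/server.key" -passin "file:$dir/passphrase.txt" \
            -pubout -out "$work/key.pub" 2>/dev/null; then
        echo "passphrase.txt does not decrypt server.key" >&2; rm -rf "$work"; return 1
    fi
    # ... and the key must be the private half of the certificate's public key.
    openssl x509 -in "$work/server.pem" -noout -pubkey > "$work/cert.pub" 2>/dev/null
    if ! cmp -s "$work/key.pub" "$work/cert.pub"; then
        echo "server.key does not match servercert.der" >&2; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

# The page's two sapgenpse commands, run only after the pre-flight passes.
# $1 = directory, $2 = OS account the SIA runs as (SYSTEM on the page's Windows
# host; on Linux the SIA service user, which is an assumption of this example).
generate_pse() {
    local dir=$1 sia_user=$2
    preflight_ssl_dir "$dir" || return 1
    if ! command -v sapgenpse >/dev/null 2>&1; then
        echo "sapgenpse not on PATH: cd to the product binary directory first" >&2; return 127
    fi
    export SECUDIR=.          # page: export SECUDIR=. on Linux
    # Answer the PIN prompt with Enter (empty PIN), as the page instructs.
    sapgenpse import_p8 -p "$dir/temp.pse" -c "$dir/servercert.der" -r "$dir/cacert.der" \
        -z "$dir/passphrase.txt" "$dir/server.key" || return 1
    sapgenpse seclogin -p "$dir/temp.pse" -O "$sia_user" || return 1
    [ -s "$dir/temp.pse" ]    # page: check that temp.pse was generated
}

# Constructed sample input for a stand-alone run: a throw-away root CA and a
# server certificate it signed, written in the formats the page's command expects.
make_constructed_ssl_dir() {
    local dir=$1
    mkdir -p "$dir" || return 1
    printf 'changeit\n' > "$dir/passphrase.txt"    # constructed passphrase
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Constructed Root CA" -days 2 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -keyout "$dir/server.key" -passout "file:$dir/passphrase.txt" \
        -out "$dir/server.csr" -subj "/CN=bihost.example" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.pem" -days 2 2>/dev/null || return 1
    openssl x509 -in "$dir/server.pem" -outform DER -out "$dir/servercert.der" 2>/dev/null \
        && openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/cacert.der" 2>/dev/null
}

# Stand-alone demo on the constructed input; real use: preflight_ssl_dir /path/to/SSL
demo=$(mktemp -d)
if make_constructed_ssl_dir "$demo/SSL" && preflight_ssl_dir "$demo/SSL"; then
    echo "pre-flight OK: $demo/SSL is ready for sapgenpse import_p8"
fi
rm -rf "$demo"
```

Run preflight_ssl_dir against the real certificate directory before generate_pse; the first inconsistency it finds is printed to stderr, which is far more specific than what sapgenpse reports when import_p8 rejects its input.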
Configure the SIA with SSL certificates (Including PSE file)
- In the CCM, stop the Server Intelligence Agent.
- Double click the SIA to edit its properties.
- Go to the Protocol tab.
- Tick Enable SSL.
- Fill in each of the fields so that it looks like this:
Note: Prior to BI 4.2 SP4 we had all of these certificates except temp.pse; this one is newly included in BI 4.2 SP4.
- Click OK.
- Start the SIA; it should now be accessible using https://Servername:8443/BOE/CMC.
- Configure the SDK and Processing Tier (do this on every SIA host)
***If this step produces an error, such as the command not being found, the executable can be copied from the host where the CMS was installed. Depending on the options chosen during the initial installation, boe_sslconfig or sslconfig.exe might not get installed. Without this step certain workflows will fail, such as scheduling to an inbox.
cd <BINPATH>
<UNIX> Source the setup/env.sh script as follows: . ../../setup/env.sh
<UNIX> ./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
<UNIX> exit the shell so that scripts run in the future will source the env.sh script properly.
<WINDOWS> sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
Pranav:
Thanks for the update.
Assuming that new temp.pse certificate will also change the certificate(s) and configuration for all the Desktop Clients that can connect to the SIA after SSL is enabled, right..?
CLIENT TOOL
Is there good 4.2 (SP04) documentation from SAP for how new temp.pse certificate needs to be configured for each of those Desktop Clients after the new "enhanced" CORBA SSL is enabled on the SIA Nodes..?
Thanks,
Mark
If the SIA is running with the LocalSystem account, then you have to execute the following command to add the user credentials to the PSE file:
sapgenpse seclogin -p C:\SSL\cert.pse -O SYSTEM
Is there more info for doing this on a Linux server install?
Hello,
In my opinion this is misleading.
The communication and the configuration of the SIA with BO has nothing to do with the reachability of the BO Tomcat or web server from clients.
The access to https://server:8443/BO/CMC or https://server:8443/BO/BI etc.,
as well as the access to WACS and the web service URL, is solely configured with the Java keytool for Tomcat and the related settings for the keystore. The certificates used here should be signed and follow the IETF standard, especially when working with up-to-date browsers on the client side (SANs instead of FQHN in the CN).
There is no PSE involved; this is only "needed" for server-internal communication, e.g. in a clustered configuration. On a server which hosts all the BO parts in one single place, this is overhead.
But if you have a different opinion, I'm open to corrections and other opinions.
Regards
Georg