
From SAP BusinessObjects Enterprise Platform version 4.2 SP04 onwards, a new authentication mechanism is supported for the web services SDK: trusted authentication based on X.509 certificates.

In this blog series, I will provide the steps to configure X.509 authentication for the REST SDK.

This blog series has two parts:

  • Certificate and keystore creation (CA, server and user)
  • Configuration of WACS (where the RESTful SDK is hosted) and the browser

Please note that the steps in this blog were used by me for testing purposes. I used openssl binaries and the Java keytool utility to create the CA, server and user certificates and the keystores.

Part 1: Certificate and Keystore Creation

Prerequisite: openssl binaries and the Java keytool utility are already installed.

Create a folder C:\cert.

Step 1: Generating self-signed CA certificate and key

openssl req -x509 -sha256 -newkey rsa:2048 -keyout C:\cert\TestCAkey.pem -out C:\cert\TestCAcert.pem -days 365

On executing the above command, provide the necessary details when prompted (a passphrase for the CA private key, then the subject fields such as country, organization and common name).

The self-signed CA certificate (C:\cert\TestCAcert.pem) and its private key (C:\cert\TestCAkey.pem) are generated.

Step 2: Generating the server keystore

keytool -genkey -alias <machine hostname> -keyalg RSA -keystore C:\cert\serverkeystore.jks -keysize 2048

On executing the above command, provide the necessary details when prompted. Note that keytool's "first and last name" prompt becomes the certificate's common name (CN), so enter the machine hostname there.

It generates the server keystore file C:\cert\serverkeystore.jks.

Step 3: Generating CSR for the server certificate

keytool.exe -certreq -alias <machine hostname> -keystore C:\cert\serverkeystore.jks -file C:\cert\<machine hostname>.csr

The above command generates the CSR file.

Note: here TargetMachine is the hostname of my test VM, so the file is C:\cert\TargetMachine.csr.

Step 4: Create the CA serial file using the command below. When -CAserial is not given, openssl x509 looks for a file named after the CA certificate with a .srl extension (here TestCAcert.srl) next to the CA certificate, which is why Step 5 works without that option.

Echo 02 >C:\cert\TestCAcert.srl

Step 5: Create the server certificate

openssl x509 -sha256 -CA C:\cert\TestCAcert.pem -CAkey C:\cert\TestCAkey.pem -req -in C:\cert\<machine hostname>.csr -out C:\cert\<machine hostname>.crt -days 365

On executing the above command, it prompts for the passphrase of the CA private key set in Step 1.

It should generate the server certificate C:\cert\<machine hostname>.crt.

Step 6: Import CA certificate into the server keystore:

keytool -import -trustcacerts -alias CA -file C:\cert\TestCAcert.pem -keystore C:\cert\serverkeystore.jks

Provide the keystore password and answer yes when asked whether to trust this certificate.

Step 7: Import server certificate into the server keystore:

keytool -import -alias <machine hostname> -file C:\cert\<machine hostname>.crt -keystore C:\cert\serverkeystore.jks

Provide the keystore password when prompted. Step 6 must precede this step, because keytool verifies the certificate reply against the CA certificate already in the keystore before replacing the self-signed certificate in the <machine hostname> entry with the CA-signed one.

Step 8: Generate the trust keystore and import the client (user) CA certificate into it using the command below.

keytool -import -trustcacerts -alias CA -file C:\cert\TestCAcert.pem -keystore C:\cert\trustkeystore.jks

In this case the client and server CA are the same, but you can use a separate CA for clients as well. If you do, make sure the same CA is used in the client certificate steps below, since only certificates issued by a CA present in this trust keystore will be accepted.

Provide the keystore password and answer yes when asked for confirmation.

It should generate the trust keystore C:\cert\trustkeystore.jks.

Step 9: Generate the client/user key and certificate request:

openssl.exe req -sha256 -newkey rsa:2048 -nodes -out C:\cert\client.req -keyout C:\cert\client.key

On executing the above command, provide the necessary details when prompted (the common name is typically the user name that will be mapped on the server side).

It should generate the client private key (C:\cert\client.key) and certificate signing request (C:\cert\client.req).

Step 10: Sign and generate the client/ user certificate

openssl.exe x509 -CA C:\cert\TestCAcert.pem -CAkey C:\cert\TestCAkey.pem -CAserial C:\cert\TestCAcert.srl -req -in C:\cert\client.req -out C:\cert\client.crt -days 365

Provide the CA key passphrase when requested, and it should generate the client certificate C:\cert\client.crt.

Step 11: Export the client certificate with the client private key in PKCS12 format

openssl.exe pkcs12 -export -clcerts -in C:\cert\client.crt -inkey C:\cert\client.key -out C:\cert\client.p12

Provide an export password when requested, and it should generate the client certificate together with its private key as C:\cert\client.p12.

Note: Steps 9-11 can be repeated to create certificates for additional users.
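The openssl part of the procedure above (Steps 1, 4, 5 and 9-11), as an added example that is not part of the original post, rewritten as a non-interactive script so the result can be checked. It uses openssl only; the keytool steps are not reproduced. The subjects, hostnames, passwords and working directory are constructed for the demo. After issuing the certificates it performs the check that the trust keystore of Step 8 enables on the server side: a certificate must chain to the configured CA, and a certificate with the same user CN issued by some other CA must be rejected.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1, 4, 5 and 9-11 with openssl
# only, followed by the checks a practitioner wants before moving to Part 2.
# All names, subjects, paths and passwords below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="demo-ca-pass"     # constructed; the post types this at the Step 1 prompt
P12_PASS="demo-p12-pass"   # constructed; the export password of Step 11

# Step 1: self-signed CA certificate with a passphrase-protected private key.
make_ca() {
  name="$1"; subj="$2"
  openssl req -x509 -sha256 -newkey rsa:2048 -days 365 \
    -keyout "$WORK/${name}key.pem" -out "$WORK/${name}cert.pem" \
    -passout "pass:$CA_PASS" -subj "$subj" 2>/dev/null || return 1
  # Step 4: serial file; <CA cert basename>.srl is what openssl x509 uses by default.
  echo 02 > "$WORK/${name}cert.srl"
}

# Steps 9 and 10 (the same flow as Steps 3 and 5 for the server, but with openssl
# in place of keytool): unencrypted key plus CSR, then a CA-signed certificate.
issue_cert() {
  name="$1"; ca="$2"; subj="$3"
  openssl req -sha256 -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.req" 2>/dev/null || return 1
  openssl x509 -sha256 -req -days 365 -in "$WORK/$name.req" \
    -CA "$WORK/${ca}cert.pem" -CAkey "$WORK/${ca}key.pem" \
    -CAserial "$WORK/${ca}cert.srl" -passin "pass:$CA_PASS" \
    -out "$WORK/$name.crt" 2>/dev/null || return 1
}

# Step 11: PKCS#12 bundle (certificate + private key) for import into the browser.
export_p12() {
  name="$1"
  openssl pkcs12 -export -clcerts -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -out "$WORK/$name.p12" -passout "pass:$P12_PASS" || return 1
}

# Does the certificate chain to the given CA? This is the decision the server
# makes against its trust keystore before it maps the certificate to a user.
verify_against_ca() {
  openssl verify -CAfile "$WORK/${2}cert.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# Builds the demo PKI; returns 0 only when every expected outcome holds.
build_and_verify_pki() {
  make_ca TestCA  "/C=IN/O=Demo/CN=TestCA"   || return 1
  make_ca OtherCA "/C=IN/O=Other/CN=OtherCA" || return 1
  issue_cert TargetMachine TestCA  "/C=IN/O=Demo/CN=TargetMachine"  || return 1
  issue_cert client        TestCA  "/C=IN/O=Demo/CN=Administrator"  || return 1
  issue_cert untrusted     OtherCA "/C=IN/O=Other/CN=Administrator" || return 1
  export_p12 client || return 1

  verify_against_ca TargetMachine TestCA || return 1   # server cert is trusted
  verify_against_ca client TestCA        || return 1   # user cert is trusted
  # Same CN, but issued by a CA that is not in the trust store: must be rejected.
  if verify_against_ca untrusted TestCA; then return 1; fi
  # The .p12 must open with its export password.
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" \
    -nokeys -noout >/dev/null 2>&1 || return 1
}

build_and_verify_pki && echo "PKI built and verified in $WORK"
```

The negative check is the important one: a certificate is only as trustworthy as the CA listed in trustkeystore.jks, so anything signed by a CA that is not imported there fails, regardless of the CN it carries. For the keytool side of the procedure, `keytool -list -v -keystore C:\cert\serverkeystore.jks` after Step 7 should show the <machine hostname> entry with a certificate chain length of 2 (server certificate plus CA), which confirms Steps 6 and 7 completed in the right order.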
