Trusted X509 Authentication Support in SAP BusinessObjects Platform Rest SDK – Part 2

This is the second part of the blog series on how to achieve X509 authentication for the REST SDK. In the first blog I provided the steps for certificate and keystore generation. In this post I will provide the steps needed to configure WACS (the server that hosts the RESTful web services) and how to resolve the errors reported by browsers.

Note: We have tested 2 Factor Authentication login for BIL with the same approach. As long as the 2nd factor returns a valid X509 certificate of a user, and that certificate is available in the Windows Certificate Store, the user can use the same certificate for login.

Step 1: Log on to the CMC and navigate to Servers -> WACS. Under the server properties, maintain the keystore details generated earlier (see the screenshot in the original post).

Restart WACS.

Step 2: Navigate to CMC -> Authentication -> Enterprise.

Enable the Trusted Authentication checkbox and maintain the validity period.

Update the setting and download the Shared Secret.

Copy the downloaded conf file to the path:

<Install Dir>/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/java/pjs/container/bin/

and restart WACS.

Step 3: Make sure that the user account which should log on through X509-based trusted authentication exists in the BusinessObjects Platform.

In my use case, for example, the X509 certificate is issued in the name of TestUser1.

Step 4: To achieve Trusted Authentication based on an X509 certificate using the REST SDK, try to access the following URL in your browser:

https://<hostname>:<port>/biprws/logon/v1/logon/trustedx509

With the above configuration, the URL looks like:

https://targetmachine/biprws/v1/logon/trustedx509

If everything is fine, it either generates the logon token directly or asks you to select the user certificate (see below). In case of errors, refer to the next steps.

It then logs in with that user account, in my case TestUser1.

Step 5: In case the browser displays the following error:

The security certificate presented by this website was not issued by a trusted certificate authority.

perform the steps mentioned below; otherwise move on to the next step.

This error indicates that the browser does not trust the signing authority of the server certificate. To resolve it, import the CA certificate that signed the server certificate into the browser's list of Trusted Root Certification Authorities.

Go to Internet Explorer -> Settings -> Internet Options.

Navigate to the Content tab and select Certificates.

Navigate to the Trusted Root Certification Authorities tab and select Import.

Click Browse and select the CA certificate created earlier.

Select Next, Next, Finish. When a confirmation window asks whether to install the certificate, select Yes.

Note: Do not install certificates from unknown sources into your Trusted Root list. Every certificate issued by a root you trust is accepted by the browser, so an untrusted root undermines TLS verification for all sites.

Try to access the following URL in your browser: https://<hostname>:<port>/biprws/logon/v1/logon/long

With the above configuration, the URL looks like:

https://targetmachine/biprws/v1/logon/long

If everything is fine, it should display the logon page; then go back to Step 4. If there are errors, go to the next step.

Step 6: In case the browser displays the following error:

This error indicates that the required client/user certificate is not present in your certificate store.

Go to Internet Explorer -> Settings -> Internet Options.

Navigate to the Content tab and select Certificates.

Navigate to the Personal tab and click Import.

Click Browse and select the client/user certificate created earlier.

Click Next and provide the private key password of the certificate.

Select Next, Next, Finish. This imports the user certificate into your certificate store.

Try to access the following URL in your browser: https://<hostname>:<port>/biprws/logon/v1/logon/long

With the above configuration, the URL looks like:

https://targetmachine/biprws/v1/logon/long

If everything is fine, it should display the logon page; then go back to Step 4.
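The browser steps above can be reproduced from a script, which is useful when the REST SDK is called from an application rather than interactively. The following is an added example, not code from the original post or from SAP: it issues the same GET request as Step 4 against the trustedx509 resource using only the Python standard library. The CA file corresponds to the Trusted Root import in Step 5 (so the WACS server certificate verifies instead of being trusted blindly), and the client certificate and key correspond to the Personal-store import in Step 6. The hostname, file paths, key password and the JSON/XML response shapes are assumptions.

```python
"""Scripted trustedx509 logon against the WACS-hosted REST endpoint.

Added example (not from the original post): the request the browser makes in
Step 4, issued with the Python standard library. Hostname, file paths and the
response formats are assumptions.
"""
import http.client
import json
import ssl
import xml.etree.ElementTree as ET


def logon_url_path(version="v1"):
    """Path of the trusted X509 logon resource (as used in the post)."""
    return f"/biprws/{version}/logon/trustedx509"


def build_tls_context(ca_file, client_cert, client_key, key_password=None):
    """TLS settings that mirror the browser configuration:
    - ca_file: the CA that signed the WACS server certificate (Step 5);
    - client_cert/client_key: the user certificate and its private key
      (Step 6), presented to WACS during the handshake."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only this CA
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(client_cert, client_key, password=key_password)
    return ctx


def extract_logon_token(content_type, body):
    """Pull the logonToken out of a logon response. Assumed shapes:
    JSON {"logonToken": "..."} or an Atom/XML entry whose
    <attr name="logonToken"> element carries the token (namespaces are
    ignored by matching on the local tag name)."""
    if "json" in content_type.lower():
        return json.loads(body)["logonToken"]
    root = ET.fromstring(body)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "attr" and el.get("name") == "logonToken":
            return el.text
    raise ValueError("no logonToken in response")


def diagnose(exc):
    """Map a TLS failure to the browser error in the post it corresponds to."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server certificate not trusted: import the CA certificate (Step 5)"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: check the client certificate and key (Step 6)"
    return f"unexpected error: {exc}"


def trusted_x509_logon(host, port, ctx, accept="application/json"):
    """GET the trustedx509 resource over mutual TLS and return the logon token,
    which subsequent REST calls send in the X-SAP-LogonToken header."""
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("GET", logon_url_path(), headers={"Accept": accept})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        if resp.status != 200:
            raise RuntimeError(f"logon failed with HTTP {resp.status}: {body[:200]}")
        return extract_logon_token(resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host and file names; replace them with the values from Part 1.
    try:
        tls = build_tls_context("ca.pem", "client.pem", "client.key",
                                key_password="changeit")
        print("logonToken:", trusted_x509_logon("targetmachine", 443, tls))
    except (ssl.SSLError, OSError, RuntimeError) as err:
        print(diagnose(err))
```

Because verification is left enabled, a script that fails here fails for the same reason the browser does: an `SSLCertVerificationError` means the CA file is wrong (Step 5), while a handshake rejected by WACS usually means no usable client certificate was presented (Step 6). Never work around the first case by disabling verification; fix the CA file instead.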

      10 Comments

      Ivan Yin

      Are there any differences in the configurations if I deploy RESTful in Tomcat? Also, in BI 4.2 SP5, GENPSE is introduced. Is there any change in these two parts?

      Bharath B N

      Yes. Different configuration for REST on Tomcat.

      Link: https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/

      Ivan Yin

      Thanks a lot!

      Bill Cheng

      Hi Bharath and Ivan,

      In the https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/ blog, it is configuring X.509 in the Tomcat server.

      Vintela single sign-on for RESTful Web Services:

      To enable Kerberos SSO for Windows Active Directory (secWinAD) authentication, set sso.enabled to true.

      Our main concern in our company is that we want to use the X.509 certificate which exists on the end-user client machines to do the SSO, not Kerberos. It is a similar case to https://blogs.sap.com/2017/06/06/trusted-x509-authentication-support-in-sap-businessobjects-platform-rest-sdk-part-1/. It uses client.p12 to do the SSO authentication against the Tomcat server, not the BOE server.

      How do we do that?

      Thanks and best regards,

      Bill Cheng

      Daniel Paulsen

      Hi Bill,

      Have a look in the Admin Guide for this configuration:

      Dan

      Bill Cheng

      Dear Daniel,

      In the admin guide (https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.5/en-US/b594b341c65d430596f7f57fe6a10d96.html), chapter X509 authentication -> create and configure certificates and keystore -> with trusted CA,

      it says:

      Import the CA and client certificate into the trust keystore using the command below. The command creates trustkeystore.jks.

      Keytool.exe -import -alias client -keystore c:\ssl\trustkeystore.jks -trustcacerts -file c:\ssl\client.pem

      Why does it use client.pem for trustkeystore.jks here?

      I believe trustkeystore.jks is used to validate the client private key client.p12 prompted for by the Firefox browser.
      Because the client.key private key was signed by the ca.pem public certificate, it should therefore use:

      Keytool.exe -import -alias client -keystore c:\ssl\trustkeystore.jks -trustcacerts -file c:\ssl\CA.pem

      right?

      If each client.pem needs to be added to trustkeystore.jks, it will be very difficult to add all the users to the Tomcat trustkeystore.jks.
      And for each new user we have to do this, and for each obsolete user we have to find a way to remove it from the Tomcat server trustkeystore.jks?

      thanks and best regards,
      Bill Cheng

      Bill Cheng

      Dear Vishal Mour,

      In the new version Lumira 2.1, the biprws web services ideally should run on the Tomcat server, not on the BOE WACS server as in your case.

      What are the steps so that Lumira Discovery can SSO login to https://tomcatserver:443/biprws ?

      Thanks and best regards,

      Bill Cheng

      Bill Cheng

      This SAP BI product is not good from a security perspective. All the blogs are simply using a self-signed CA for end-user private key generation. Big corporations must use the company-abc.com root CA and an issuing intermediate CA. Which company allows generating a CA from openssl and simply using it for the corporate end users?

      Noyan Durna

      Hi;

      Could you please help us: if we use Web Dispatcher as an intermediate server between the client and the BO system, what are the steps to configure Web Dispatcher for forwarding the client certificate?

      Best regards

      Noyan

      Nada BAHRI

      Hi all,

      Is it possible to automate the trusted authentication with the Java SDK? Meaning, to skip all the manual steps of trusted authentication and replace them with code (enabling trusted authentication, recovering the shared secret ....)

      any links to suggest ?

      Thank you & best regards,

      Nada