Skip to Content

As the SAP BI 4.2 SP5 content is still subject to change, please consider the below legal disclaimer statement:

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP´s willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions

A. In Windows Operating System:

1 Generating Key store for Tomcat

1.1 Navigate to: “%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\bin”

1.2 Run commands:

keytool.exe -genkey -alias tomcat -keysize 2048 -keyalg RSA

MKDIR C:\SSL

COPY “%USERPROFILE%\.keystore” C:\SSL

2 Generating SSL certificates using GenPSE tool:

2.1 Navigate to:

“%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64”

2.2 Run command:

Now We can generate the certificate in two ways:

  1. Self-signed certificate – CA and Server Certificates are generated using GENPSE and server certificate signing is also done using GENPSE.
  2. Generating CSR using GENPSE – CA is generated using 3rd party library and server certificate csr using GENPSE after which, server certificate is signed by 3rd party CA using 3rd party tool. (Refer section C)

To generate self-signed certificate, run command:

GenPSE.exe selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf

 

**Note: .cnf file should be present in the win64_x64 location which contains default values for the certificate generation like country name, state, etc.

 

Enter the details as asked, by default it will take the values from Default.cnf file.

 

You must follow the below rules while creating the default configuration file.

  • You should add the values on the left-hand side exactly as mentioned below.
  • The values on left-hand side are case-sensitive
    • There should be only one space between a value and the ‘equal to’ (=) sign. For example, there is only one space between CA_Common_Name and ‘equal to’ sign.
    • You must ensure there is no space after the values on the right-hand side.

Follow the steps below to create a default configuration file:

  1. Open a new document in a text editor.
  2. Add the values as given below:

CA_Common_Name = rootnm

CA_Country = DE

CA_State = BW

CA_Locality = RRR

CA_Email = root@gmail.com

CA_Unit = root_u

CA_Expiration[YYMMDD] = yymmdd

User_Expiration[YYMMDD] = yymmdd

User_Country = IN

User_State = KA

User_Locality = BLR

User_Organization = SSS

User_Unit = Unit

User_Common_Name = UserName

 

Save the file at <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 with default.cnf  name.

 

Make sure that Root CA certificate and PSE files are given different Common names.

After the above command is run, the following five files are created.

  • cacert.der
  • servercert.der
  • server.key
  • passphrase.txt
  • temp.pse

Place the above files in C:\SSL

COPY cacert.der C:\SSL

COPY servercert.der C:\SSL

COPY server.key C:\SSL

COPY temp.pse C:\SSL

COPY passphrase.txt C:\SSL

3 Configure Tomcat to communicate with a User’s Browser over HTTPS

3.1 Open Central Configuration Manager(CCM)

3.2 Stop Tomcat

3.3 Navigate to server.xml path (%BOBJ INSTALL DIR%\tomcat\conf ), keep a copy of server.xml

3.4 Edit server.xml file and search tag with port 8080. Add the below statement after the 8080 port tag

<Connector port=”8443″ protocol=”HTTP/1.1″ SSLEnabled=”true” maxThreads=”150″ scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false” disableUploadTimeout=”true” acceptCount=”100″ debug=”0″ keystorePass=”Password1″ keystoreFile=”C:\SSL\.keystore”/>

3.5 Save and close server.xml

4 Configure Tomcat to use the SSL Certificates for Communication With the SIA

4.1 Open Tomcat configuration

4.2 Go to java tab

4.3 Add below text in java option

-Dbusinessobjects.orb.oci.protocol=ssl

-DcertDir=C:\SSL

-DtrustedCert=cacert.der

-DsslCert=servercert.der

-DsslKey=server.key

-Dpassphrase=passphrase.txt (**note : no space at end or beginning. Otherwise, tomcat won’t start)

 4.4 Click OK, start Tomcat again

 

5 Configure the SIA to Use the SSL Certificates

5.1 In the CCM, stop the Server Intelligence Agent.

5.2 Double click on SIA, go to protocol tab

5.3 Select Enable SSL

5.4 Browse all files

5.5 Click ok, start SIA  and it should now be accessible using https://Servername(localhost):8443/BOE/CMC

5.6 For setting ssl parameters, run command:

sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl

 

6 Setting SSL properties on WACS SERVER

 6.1 Login to BOE, navigate to server ->server list ->wacs ,stop wacs, go to properties

6.2 Select enable HTTPS

6.3 Add below details:

Bind to hostname or IP address: localhost

Https port: 1234(unique port number)

Protocol: select SSL

Certificate store type: select JKS

Certificate store file location: copy .keystore file full path (C:/SSL/.keystore)

Private key access password: Password1

6.4 Save and close, restart WACS server

6.5 Once WACS server is restarted, navigate to Applications -> RESTFUL webservices -> Edit the url  http://localhost:6405/biprws to contain the same hostname and port as maintained in WACS server (Ex: https://localhost:1234/biprws )

6.6 Save and close. Check BI Administrators’ cockpit

B. In Non Windows Operating System:

1 Generating key store for Tomcat

1.1 Start Command Prompt and create the following folders

mkdir ~/ssl

1.2 Navigate to :   “%BOBJ INSTALL DIR%/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin”

1.3 Run command: ./keytool -genkey -alias tomcat -keyalg RSA -keystore ~/ssl/.keystore

1.4 Enter all values as prompted

 

2 Generating SSL certificates using GenPSE tool:

2.1 Navigate to:

“%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64”

2.2 To set the binary path, run command (export in bash shell)

 

1. For Linux

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>

(For Ex: export    LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)

 

2. For AIX: 

export LIBPATH=$LIBPATH:<path of the executable GenPSE>

(For Ex: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)

2.3 Now, We can generate the certificate in two ways:

  1. Self-signed certificate – CA and Server Certificates are generated using GENPSE and server certificate signing is also done using GENPSE.
  2. Generating CSR using GENPSE – CA is generated using 3rd party library and server certificate csr using GENPSE after which, server certificate is signed by 3rd party CA using 3rd party tool. (Refer section C)

2.4 To generate self-signed certificate, run command:

./GenPSE selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf

**Note- .cnf file should be present in the win64_x64 location which contains default values for the certificate generation like country name, state, etc.

Enter the details as asked, by default it will take the values from Default.cnf file.

You must follow the below rules while creating the default configuration file.

  • You should add the values on the left-hand side exactly as mentioned below.
  • The values on left-hand side are case-sensitive
    • There should be only one space between a value and the ‘equal to’ (=) sign. For example, there is only one space between CA_Common_Name and ‘equal to’ sign.
    • You must ensure there is no space after the values on the right-hand side.

Follow the steps below to create a default configuration file:

  1. Open a new document in a text editor.
  2. Add the values as given below:

CA_Common_Name = rootnm

CA_Country = DE

CA_State = BW

CA_Locality = RRR

CA_Email = root@gmail.com

CA_Unit = root_u

CA_Expiration[YYMMDD] = yymmdd

User_Expiration[YYMMDD] = yymmdd

User_Country = IN

User_State = KA

User_Locality = BLR

User_Organization = SSS

User_Unit = Unit

User_Common_Name = UserName

 

Save the file as default.cnf.

 

 

After the above command is run, the following five files are created.

  • cacert.der
  • servercert.der
  • server.key
  • passphrase.txt
  • temp.pse

2.5 Place the above files in ~/ssl

cp servercert.der /build/home/boeuser/ssl

cp cacert.der /build/home/boeuser/ssl

cp server.key /build/home/boeuser/ssl

cp passphrase.txt /build/home/boeuser/ssl

cp temp.pse /build/home/boeuser/ssl

 

3 Configure Tomcat to communicate with a User’s Browser over HTTPS

3.1 Navigate to  “%BOBJ INSTALL DIR%/sap_bobj/tomcat/conf”

3.2Edit the server.xml Add the following entry

<Connector port=”8443″ protocol=”HTTP/1.1″ SSLEnabled=”true” maxThreads=”150″ scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS”  minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false” disableUploadTimeout=”true” acceptCount=”100″ debug=”0″ keystorePass=”Password1″ keystoreFile=”%HOME_DIRECTORY%/ssl/.keystore”/>

This entry can be appended just below the Port 8080 Connector settings. The following screenshot will provide a reference:

3.3 Save the file.

4 Configure Tomcat to use the SSL Certificates for Communication With the SIA

4.1 Navigate to “%BOBJ INSTALL DIR%/sap_bobj/tomcat/bin”

4.2 Edit the bobjenv.sh and append the following to JAVA_OPTS -Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=%HOME_DIRECTORY%/ssl -DtrustedCert=cacert.der -DsslCert=servercert.der -DsslKey=server.key -Dpassphrase=passphrase.txt

After appending the JAVA_OPTS would look similar to the picture below

4.3 Save the file

 

5 Configure the SIA to Use the SSL Certificates

5.1 Naigate to:  “%BOBJ INSTALL DIR%/sap_bobj/”

5.2 Run command: ./serverconfig

5.3 Select: Modify node (Option 3) and choose the node that you need to configure.

Give all the details like

  • SSL dir
  • SSLCertificate = servercert.der
  • SSLTrustCertificate = cacert.der
  • SSLKey = server.key
  • Pse file = temp.pse
  • SSLPassphrase = passphrase.txt

5.4 Navigate to  “%BOBJ INSTALL DIR%/sap_bobj/”

Run the following:

./sqlanywhere_startup.sh ./startservers ./tomcatstartup.sh

Verify that tomcat is up and running https by loading the CMC page using https://Servername(localhost):8443/BOE/CMC

and CORBA in CMC Properties

Note: If tomcat restart fails due to out of memory exception include below option  under JAVA_OPTS in bobjenv.sh file

-Djava.net.preferIPv4Stack=false -Xmx2048m -XX:MaxPermSize=384m

5.5 Configure the SDK and Processing Tier

cd <BINPATH> Source the setup/env.sh script as follows: . ../../setup/env.sh ./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl Exit the shell so that scripts run in the future will source the env.sh script properly.

 

6 Setting SSL properties on WACS SERVER

Same as in Windows

C. Generating CSR using GenPSE

 

For Windows, run:

GenPSE.exe gencsr csrname.p10 server.key passphrase.txt Default.cnf

For Non-Windows:

Set library path

  1. For Linux:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>

(For Ex: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)

  1. For AIX:

export LIBPATH=$LIBPATH:<path of the executable GenPSE>

(For Ex: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)

and then run

./GenPSE gencsr csrname.p10 server.key passphrase.txt Default.cnf

After this step we will get 3 files:

  1. csrname.p10
  2. server.key
  3. passphrase.txt

Copy the above files to SSL folder

COPY csrname.p10 C:\SSL

COPY server.key C:\SSL

COPY passphrase.txt C:\SSL

 

Run the below commands to generate CA using openssl and signing the csrname.p10 certificate using openssl tool.

NOTE: Make sure that Openssl tool is downloaded to perform the following steps

Navigate to openssl folder:

cd C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\bin

Set the environment:

Set OPENSSL_CONF=C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\share\openssl.cnf

Create CA with openssl:

Openssl.exe req -newkey rsa:2048 -nodes -out c:\SSL\cacert.req -keyout c:\SSL\cakey.pem -sha256

Openssl.exe x509 -req -trustout -signkey c:\SSL\cakey.pem -days 365 -in c:\SSL\cacert.req -out c:\SSL\cacert.pem -sha256

Generate a serial file which will be used to sign a server cert with openssl command:

Echo 02 >c:\SSL\ca.srl

**** Generate server cert, server key,passphrase with genpse *****

Sign server cert with ca cert using openssl tool:

Openssl.exe x509 -CA c:\SSL\cacert.pem -CAkey c:\SSL\cakey.pem -CAserial c:\SSL\ca.srl -req -in c:\SSL\ csrname.p10 -out c:\SSL\ csrname.crt -days 365 -sha256

Conversion of pem format to der format:

openssl x509 -outform der -in c:\SSL\cacert.pem -out c:\SSL\cacert.der

openssl x509 -outform der -in c:\SSL\ csrname.crt -out c:\SSL\ csrname.der

To generate .pse file

set SECUDIR=.

sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\ csrname.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key

Enter PSE password as blank.

sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM

sslconfig.exe -dir C:\SSL -mycert csrname.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl

 

Copy the generated files to SSL folder and configure the certificates.

 

 

 

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply