Enabling SSL in BI Platform 4.2 SP05
As the SAP BI 4.2 SP5 content is still subject to change, please consider the below legal disclaimer statement:
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
A. On a Windows operating system:
1 Generating Key store for Tomcat
1.1 Navigate to: "%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\bin"
1.2 Run the following commands:
keytool.exe -genkey -alias tomcat -keysize 2048 -keyalg RSA
MKDIR C:\SSL
COPY "%USERPROFILE%\.keystore" C:\SSL
2 Generating SSL certificates using GenPSE tool:
2.1 Navigate to:
"%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64"
2.2 Generate the certificates. This can be done in two ways:
- Self-signed certificate: the CA and server certificates are generated with GenPSE, and the server certificate is signed with GenPSE as well.
- CSR generated with GenPSE: the CA is created with a third-party tool, the server CSR is generated with GenPSE, and the server certificate is then signed by that third-party CA with the third-party tool (see section C).
To generate a self-signed certificate, run:
GenPSE.exe selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf
**Note: the .cnf file must be present in the win64_x64 directory; it contains the default values for certificate generation (country name, state, etc.).
Enter the details as prompted; by default, the values are taken from the Default.cnf file.
You must follow these rules when creating the default configuration file:
- Add the keys on the left-hand side exactly as shown below.
- The keys on the left-hand side are case-sensitive.
- There must be exactly one space between a key and the 'equal to' (=) sign. For example, there is only one space between CA_Common_Name and the = sign.
- Make sure there is no trailing space after the values on the right-hand side.
Follow the steps below to create a default configuration file:
- Open a new document in a text editor.
- Add the values as given below:
CA_Common_Name = rootnm
CA_Country = DE
CA_State = BW
CA_Locality = RRR
CA_Email = root@gmail.com
CA_Unit = root_u
CA_Expiration[YYMMDD] = yymmdd
User_Expiration[YYMMDD] = yymmdd
User_Country = IN
User_State = KA
User_Locality = BLR
User_Organization = SSS
User_Unit = Unit
User_Common_Name = UserName
Save the file as default.cnf in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 (the file name must match the last argument passed to GenPSE).
Make sure the root CA certificate and the server certificate in the PSE are given different common names, i.e. CA_Common_Name and User_Common_Name must differ.
After the above command is run, the following five files are created.
- cacert.der
- servercert.der
- server.key
- passphrase.txt
- temp.pse
Place the above files in C:\SSL
COPY cacert.der C:\SSL
COPY servercert.der C:\SSL
COPY server.key C:\SSL
COPY temp.pse C:\SSL
COPY passphrase.txt C:\SSL
3 Configure Tomcat to communicate with a User’s Browser over HTTPS
3.1 Open the Central Configuration Manager (CCM).
3.2 Stop Tomcat.
3.3 Navigate to the server.xml directory (%BOBJ INSTALL DIR%\tomcat\conf) and keep a backup copy of server.xml.
3.4 Edit server.xml, search for the Connector tag with port 8080, and add the statement below after it. Use straight ASCII quotes: the typographic quotes a browser or word processor may paste are not valid XML and Tomcat will fail to parse the file. (The keystore password is stored in clear text in server.xml, so restrict read access to that file.)
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" keystorePass="Password1" keystoreFile="C:\SSL\.keystore"/>
3.5 Save and close server.xml
4 Configure Tomcat to use the SSL Certificates for Communication With the SIA
4.1 Open the Tomcat configuration.
4.2 Go to the Java tab.
4.3 Add the text below to the Java options:
-Dbusinessobjects.orb.oci.protocol=ssl
-DcertDir=C:\SSL
-DtrustedCert=cacert.der
-DsslCert=servercert.der
-DsslKey=server.key
-Dpassphrase=passphrase.txt
(**Note: no space at the beginning or end of any option; otherwise, Tomcat will not start.)
4.4 Click OK and start Tomcat again.
5 Configure the SIA to Use the SSL Certificates
5.1 In the CCM, stop the Server Intelligence Agent.
5.2 Double-click the SIA and go to the Protocol tab.
5.3 Select Enable SSL.
5.4 Browse to each of the files in C:\SSL (servercert.der, cacert.der, server.key, temp.pse, passphrase.txt).
5.5 Click OK and start the SIA. The CMC should now be accessible at https://Servername(localhost):8443/BOE/CMC
5.6 To set the SSL parameters, run:
sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
6 Setting SSL properties on WACS SERVER
6.1 Log in to BOE, navigate to Servers -> Server List -> WACS, stop WACS and open its Properties.
6.2 Select Enable HTTPS.
6.3 Add the details below:
Bind to hostname or IP address: localhost
HTTPS port: 1234 (a unique port number)
Protocol: select SSL
Certificate store type: select JKS
Certificate store file location: the full path of the .keystore file (C:/SSL/.keystore)
Private key access password: Password1
6.4 Save and close, then restart the WACS server.
6.5 Once the WACS server has restarted, navigate to Applications -> RESTful Web Services and edit the URL http://localhost:6405/biprws so that it uses the same hostname and port as configured on the WACS server (e.g. https://localhost:1234/biprws).
6.6 Save and close. Check the BI Administrators' Cockpit.
B. On a non-Windows operating system:
1 Generating key store for Tomcat
1.1 Open a terminal and create the following folder:
mkdir ~/ssl
1.2 Navigate to: "%BOBJ INSTALL DIR%/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin"
1.3 Run: ./keytool -genkey -alias tomcat -keyalg RSA -keystore ~/ssl/.keystore
1.4 Enter all values as prompted.
2 Generating SSL certificates using GenPSE tool:
2.1 Navigate to the platform directory that contains GenPSE, for example:
"%BOBJ INSTALL DIR%/sap_bobj/enterprise_xi40/linux_x64" (on AIX, the aix_rs6000_64 directory)
2.2 To set the library path, run the following (export, in a bash shell):
1. For Linux:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>
(For example: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)
2. For AIX:
export LIBPATH=$LIBPATH:<path of the executable GenPSE>
(For example: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)
2.3 The certificate can be generated in two ways:
- Self-signed certificate: the CA and server certificates are generated with GenPSE, and the server certificate is signed with GenPSE as well.
- CSR generated with GenPSE: the CA is created with a third-party tool, the server CSR is generated with GenPSE, and the server certificate is then signed by that third-party CA with the third-party tool (see section C).
2.4 To generate a self-signed certificate, run:
./GenPSE selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf
**Note: the .cnf file must be present in the directory that contains GenPSE; it holds the default values for certificate generation (country name, state, etc.).
Enter the details as prompted; by default, the values are taken from the Default.cnf file.
You must follow these rules when creating the default configuration file:
- Add the keys on the left-hand side exactly as shown below.
- The keys on the left-hand side are case-sensitive.
- There must be exactly one space between a key and the 'equal to' (=) sign. For example, there is only one space between CA_Common_Name and the = sign.
- Make sure there is no trailing space after the values on the right-hand side.
Follow the steps below to create a default configuration file:
- Open a new document in a text editor.
- Add the values as given below:
CA_Common_Name = rootnm
CA_Country = DE
CA_State = BW
CA_Locality = RRR
CA_Email = root@gmail.com
CA_Unit = root_u
CA_Expiration[YYMMDD] = yymmdd
User_Expiration[YYMMDD] = yymmdd
User_Country = IN
User_State = KA
User_Locality = BLR
User_Organization = SSS
User_Unit = Unit
User_Common_Name = UserName
Save the file as default.cnf in the same directory as GenPSE. On Linux and AIX, file names are case-sensitive, so the saved name must match the last argument of the GenPSE command exactly.
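The layout rules above are easy to break by hand (a lower-case key, a second space before the = sign, a trailing space after a value), and GenPSE gives little help when that happens. The script below is an added example, not part of the original post or of SAP's GenPSE tooling; it validates a configuration file against exactly those rules before GenPSE is run. The key list is the template above; the requirement that the two [YYMMDD] fields contain six digits, the hint for case mistakes and the two sample files are this example's own assumptions.

```python
"""Validate a GenPSE default configuration file (default.cnf) against the layout rules.

Added example: not part of the original post or of SAP's tooling. The key list is the
one from the template above; the six-digit YYMMDD date check is an assumption.
"""
import re
from pathlib import Path
from typing import List

# Keys exactly as listed in the template; the left-hand side is case-sensitive.
EXPECTED_KEYS = [
    "CA_Common_Name", "CA_Country", "CA_State", "CA_Locality", "CA_Email", "CA_Unit",
    "CA_Expiration[YYMMDD]", "User_Expiration[YYMMDD]", "User_Country", "User_State",
    "User_Locality", "User_Organization", "User_Unit", "User_Common_Name",
]

# Exactly one space on each side of '=', and a value that does not end in whitespace.
LINE_RE = re.compile(r"^(?P<key>\S+) = (?P<value>\S(?:.*\S)?)$")


def validate_cnf(text: str) -> List[str]:
    """Return the problems found in the file contents; an empty list means it is acceptable."""
    problems: List[str] = []
    seen = {}
    lowered = {k.lower(): k for k in EXPECTED_KEYS}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines are harmless
        if raw != raw.rstrip():
            problems.append(f"line {lineno}: trailing whitespace after the value")
        m = LINE_RE.match(raw.rstrip())
        if m is None:
            problems.append(f"line {lineno}: expected 'Key = value' with single spaces: {raw.rstrip()!r}")
            continue
        key, value = m.group("key"), m.group("value")
        if key not in EXPECTED_KEYS:
            hint = lowered.get(key.lower())  # a case mistake is the usual error
            suffix = f" (did you mean {hint!r}?)" if hint else ""
            problems.append(f"line {lineno}: unknown key {key!r}{suffix}")
            continue
        if key in seen:
            problems.append(f"line {lineno}: duplicate key {key!r}")
        seen[key] = value
        if key.endswith("[YYMMDD]") and not re.fullmatch(r"\d{6}", value):
            problems.append(f"line {lineno}: {key} must be a six-digit YYMMDD date, got {value!r}")
    for key in EXPECTED_KEYS:
        if key not in seen:
            problems.append(f"missing key {key!r}")
    # The root CA and the server certificate must not share a common name.
    if "CA_Common_Name" in seen and seen["CA_Common_Name"] == seen.get("User_Common_Name"):
        problems.append("CA_Common_Name and User_Common_Name must differ")
    return problems


def validate_cnf_file(path: str) -> List[str]:
    """Read a default.cnf from disk and validate it."""
    return validate_cnf(Path(path).read_text(encoding="utf-8"))


# Constructed sample inputs for demonstration (not from the post).
SAMPLE_GOOD = "\n".join([
    "CA_Common_Name = rootnm", "CA_Country = DE", "CA_State = BW", "CA_Locality = RRR",
    "CA_Email = root@gmail.com", "CA_Unit = root_u", "CA_Expiration[YYMMDD] = 301231",
    "User_Expiration[YYMMDD] = 291231", "User_Country = IN", "User_State = KA",
    "User_Locality = BLR", "User_Organization = SSS", "User_Unit = Unit",
    "User_Common_Name = UserName",
]) + "\n"

# The same file with three common mistakes: lower-case key, placeholder date, trailing space.
SAMPLE_BAD = (SAMPLE_GOOD.replace("CA_Country = DE", "ca_country = DE")
              .replace("CA_Expiration[YYMMDD] = 301231", "CA_Expiration[YYMMDD] = yymmdd")
              .replace("User_Unit = Unit\n", "User_Unit = Unit \n"))

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_cnf(sample) or "OK")
```

Run it against the real file with validate_cnf_file("default.cnf") before calling GenPSE; an empty list means every key is present, spelled with the right case, separated from its value by single spaces, and free of trailing whitespace.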
After the above command is run, the following five files are created.
- cacert.der
- servercert.der
- server.key
- passphrase.txt
- temp.pse
2.5 Place the above files in ~/ssl (in the commands below the home directory is /build/home/boeuser):
cp servercert.der /build/home/boeuser/ssl
cp cacert.der /build/home/boeuser/ssl
cp server.key /build/home/boeuser/ssl
cp passphrase.txt /build/home/boeuser/ssl
cp temp.pse /build/home/boeuser/ssl
3 Configure Tomcat to communicate with a User’s Browser over HTTPS
3.1 Navigate to "%BOBJ INSTALL DIR%/sap_bobj/tomcat/conf"
3.2 Edit server.xml and add the following entry. Use straight ASCII quotes (typographic quotes are not valid XML), and replace %HOME_DIRECTORY% with the actual home directory path, since Tomcat does not expand that form:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" keystorePass="Password1" keystoreFile="%HOME_DIRECTORY%/ssl/.keystore"/>
This entry is appended just below the port 8080 Connector settings. (The original post shows a reference screenshot at this point.)
3.3 Save the file.
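Because Tomcat reads server.xml only at start-up, a mistake in the Connector above (quotes pasted from a web page, a missing SSLEnabled attribute, a keystore path that does not exist) shows up only as a failed or non-HTTPS start. The script below is an added example, not part of the original post, of SAP's tooling or of Tomcat; it parses server.xml and reports those problems before the restart, for both the Windows and the non-Windows file. Port 8443 and the attribute names are the ones used in this post; the sample server.xml fragments are constructed.

```python
"""Check the HTTPS Connector in Tomcat's server.xml before restarting Tomcat.

Added example, not from the original post, SAP or Tomcat. Port 8443 and the attribute
names are the post's; the sample fragments below are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List

# Quote characters that word processors and web pages substitute for the ASCII '"'.
CURLY_QUOTES = "\u201c\u201d\u2033\u2018\u2019\u2032"
# Attributes from the post's connector that mark it as an HTTPS connector.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def check_server_xml(xml_text: str, https_port: str = "8443", check_files: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the HTTPS connector looks consistent."""
    bad = sorted({c for c in xml_text if c in CURLY_QUOTES})
    if bad:
        # Report this before parsing: the XML parser would only give a cryptic syntax error.
        return ["typographic quotes found (%s); replace them with straight ASCII quotes"
                % " ".join(bad)]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("port") == https_port]
    if not https:
        return [f"no Connector with port={https_port!r} found"]
    problems: List[str] = []
    if len(https) > 1:
        problems.append(f"{len(https)} Connectors use port {https_port}; only one can bind it")
    conn = https[0]
    for attr, want in REQUIRED.items():
        if conn.get(attr) != want:
            problems.append(f'port {https_port}: expected {attr}="{want}", got {conn.get(attr)!r}')
    keystore = conn.get("keystoreFile")
    if not keystore:
        problems.append(f"port {https_port}: keystoreFile attribute is missing")
    elif check_files and not Path(keystore).is_file():
        problems.append(f"port {https_port}: keystoreFile {keystore!r} does not exist")
    if not conn.get("keystorePass"):
        problems.append(f"port {https_port}: keystorePass attribute is missing")
    # If the plain HTTP connector names a redirectPort, it should be the HTTPS port beside it.
    for c in connectors:
        if c is not conn and c.get("redirectPort") not in (None, https_port):
            problems.append(f"port {c.get('port')}: redirectPort={c.get('redirectPort')!r} "
                            f"does not match the HTTPS port {https_port}")
    return problems


def check_server_xml_file(path: str, https_port: str = "8443") -> List[str]:
    """Validate a server.xml on disk (keystoreFile existence is checked too)."""
    return check_server_xml(Path(path).read_text(encoding="utf-8"), https_port)


# Constructed samples (not the post's file): a correct pair of connectors, the same text
# with the typographic quotes a browser copy-paste produces, and one without SSLEnabled.
SAMPLE_OK = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS" keystorePass="Password1"
 keystoreFile="C:\\SSL\\.keystore"/>
<Engine name="Catalina" defaultHost="localhost"/></Service></Server>"""
SAMPLE_CURLY = SAMPLE_OK.replace('port="8443"', "port=\u201d8443\u2033")
SAMPLE_NO_SSL = SAMPLE_OK.replace(' SSLEnabled="true"', "")

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("curly", SAMPLE_CURLY), ("no_ssl", SAMPLE_NO_SSL)):
        print(label, check_server_xml(text, check_files=False) or "OK")
```

On the live file call check_server_xml_file with the path from step 3.1; the curly-quote check runs before XML parsing on purpose, because the parser's own error for a quote character is far less obvious than the message here.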
4 Configure Tomcat to use the SSL Certificates for Communication With the SIA
4.1 Navigate to "%BOBJ INSTALL DIR%/sap_bobj/tomcat/bin"
4.2 Edit bobjenv.sh and append the following options to JAVA_OPTS, on one line and separated by single spaces (replace %HOME_DIRECTORY% with the actual home directory path, as the shell does not expand that form):
-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=%HOME_DIRECTORY%/ssl -DtrustedCert=cacert.der -DsslCert=servercert.der -DsslKey=server.key -Dpassphrase=passphrase.txt
After appending, JAVA_OPTS looks similar to the screenshot in the original post.
4.3 Save the file
5 Configure the SIA to Use the SSL Certificates
5.1 Navigate to: "%BOBJ INSTALL DIR%/sap_bobj/"
5.2 Run: ./serverconfig
5.3 Select Modify node (option 3) and choose the node you need to configure.
Provide the following details:
- SSL dir (the directory holding the files, ~/ssl)
- SSLCertificate = servercert.der
- SSLTrustCertificate = cacert.der
- SSLKey = server.key
- Pse file = temp.pse
- SSLPassphrase = passphrase.txt
5.4 Navigate to "%BOBJ INSTALL DIR%/sap_bobj/"
Run the following, one command at a time:
./sqlanywhere_startup.sh
./startservers
./tomcatstartup.sh
Verify that Tomcat is up and serving HTTPS by loading the CMC page at https://Servername(localhost):8443/BOE/CMC, and check the CORBA settings in the CMC server properties.
Note: if the Tomcat restart fails with an out-of-memory exception, add the options below to JAVA_OPTS in bobjenv.sh:
-Djava.net.preferIPv4Stack=false -Xmx2048m -XX:MaxPermSize=384m
5.5 Configure the SDK and processing tier:
cd <BINPATH>
Source the setup/env.sh script:
. ../../setup/env.sh
./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
Exit the shell afterwards so that scripts run in the future source the env.sh script properly.
6 Setting SSL properties on WACS SERVER
Same as on Windows (see section A, step 6).
C. Generating CSR using GenPSE
For Windows, run:
GenPSE.exe gencsr csrname.p10 server.key passphrase.txt Default.cnf
For Non-Windows:
Set library path
- For Linux:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>
(For Ex: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)
- For AIX:
export LIBPATH=$LIBPATH:<path of the executable GenPSE>
(For Ex: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)
and then run
./GenPSE gencsr csrname.p10 server.key passphrase.txt Default.cnf
This step produces three files:
- csrname.p10
- server.key
- passphrase.txt
Copy the above files to the SSL folder:
COPY csrname.p10 C:\SSL
COPY server.key C:\SSL
COPY passphrase.txt C:\SSL
Run the commands below to create a CA with OpenSSL and to sign csrname.p10 with that CA.
NOTE: Make sure OpenSSL is installed before performing the following steps. The paths below are those of the OpenSSL build used in the original post; adjust them to your installation.
Navigate to the OpenSSL folder:
cd C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\bin
Set the environment:
set OPENSSL_CONF=C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\share\openssl.cnf
Create the CA with OpenSSL (-nodes writes the CA key cakey.pem unencrypted; anyone who can read it can issue certificates trusted by your servers, so restrict access to it):
openssl.exe req -newkey rsa:2048 -nodes -out c:\SSL\cacert.req -keyout c:\SSL\cakey.pem -sha256
openssl.exe x509 -req -trustout -signkey c:\SSL\cakey.pem -days 365 -in c:\SSL\cacert.req -out c:\SSL\cacert.pem -sha256
Generate the serial file that OpenSSL uses when signing the server certificate:
echo 02 >c:\SSL\ca.srl
**** The server key, CSR (csrname.p10) and passphrase were generated with GenPSE gencsr above *****
Sign the server certificate with the CA certificate using OpenSSL:
openssl.exe x509 -CA c:\SSL\cacert.pem -CAkey c:\SSL\cakey.pem -CAserial c:\SSL\ca.srl -req -in c:\SSL\csrname.p10 -out c:\SSL\csrname.crt -days 365 -sha256
Convert the PEM files to DER format (the SIA and the Tomcat Java options expect binary DER files):
openssl x509 -outform der -in c:\SSL\cacert.pem -out c:\SSL\cacert.der
openssl x509 -outform der -in c:\SSL\csrname.crt -out c:\SSL\csrname.der
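Both the SIA configuration and the Tomcat Java options expect binary DER files, and a PEM file left in their place (for instance a cacert.pem copied instead of the converted cacert.der) is a common cause of an SSL initialisation failure when the SIA starts. The script below is an added example, not part of the original post or of SAP's or OpenSSL's tooling: it tells DER from PEM by inspecting the encoding, performs the PEM-to-DER conversion of the step above without OpenSSL, checks that the files in the SSL directory have the expected format, and verifies the HTTPS endpoint from step 5.5 against cacert.der so that a chain or hostname mismatch (what a browser warns about) is reported. The file names are the post's; the directory, host and port are parameters, and the sample DER blob is constructed.

```python
"""DER/PEM checks for the certificate files used by Tomcat and the SIA.

Added example, not from the original post, SAP or OpenSSL. File names are the post's;
the sample DER blob below is constructed for demonstration.
"""
import base64
import re
import socket
import ssl
from pathlib import Path
from typing import Dict, Optional

PEM_RE = re.compile(rb"-----BEGIN [A-Z ]+-----\s*(.*?)\s*-----END [A-Z ]+-----", re.S)


def _der_total_length(data: bytes) -> Optional[int]:
    """Length of the outer DER SEQUENCE including its tag and length bytes, or None."""
    first = data[1]
    if first < 0x80:                      # short form: the byte itself is the length
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify a certificate/CSR blob as 'der', 'pem' or 'unknown'.

    DER starts with a SEQUENCE tag (0x30) whose length must cover the whole file;
    PEM is the base64 text form between BEGIN/END lines.
    """
    if PEM_RE.search(data):
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and _der_total_length(data) == len(data):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first PEM block (the same bytes 'openssl x509 -outform der' writes)."""
    m = PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def classify_files(files: Dict[str, Optional[bytes]], server_cert: str = "servercert.der") -> Dict[str, str]:
    """Format of each file the SSL settings refer to; both certificates must come out as 'der'."""
    report = {}
    for name in (server_cert, "cacert.der"):
        data = files.get(name)
        report[name] = "missing" if data is None else detect_format(data)
    for name in ("server.key", "passphrase.txt", "temp.pse"):
        report[name] = "missing" if files.get(name) is None else "present"
    return report


def preflight(ssl_dir: str, server_cert: str = "servercert.der") -> Dict[str, str]:
    """Run classify_files over a directory such as C:\\SSL or ~/ssl."""
    d = Path(ssl_dir).expanduser()
    return classify_files({p.name: p.read_bytes() for p in d.iterdir() if p.is_file()}, server_cert)


def verify_https_endpoint(host: str, port: int, ca_der_path: str) -> Dict[str, str]:
    """Connect to the HTTPS port trusting only the CA in cacert.der.

    Raises ssl.SSLCertVerificationError when the served certificate does not chain to
    that CA or its name does not match host, which is what a browser warns about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)      # verifies chain and hostname
    ctx.load_verify_locations(cadata=Path(ca_der_path).read_bytes())  # DER bytes are accepted
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()

            def names(rdns):
                return {k: v for rdn in rdns for k, v in rdn}
            return {"protocol": tls.version(), "not_after": cert["notAfter"],
                    "subject_cn": names(cert["subject"]).get("commonName", ""),
                    "issuer_cn": names(cert["issuer"]).get("commonName", "")}


# Constructed sample: DER SEQUENCE { INTEGER 5 }, enough to exercise the format checks.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem), pem_to_der(pem) == SAMPLE_DER)
```

Typical use: preflight("C:/SSL") before starting the SIA, passing server_cert="csrname.der" when the certificate came from this section, and verify_https_endpoint("Servername", 8443, "C:/SSL/cacert.der") once Tomcat is up; a verification error there means the browser will show the same warning.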
To generate the .pse file:
set SECUDIR=.
sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\csrname.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key
Leave the PSE password blank when prompted.
sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM
sslconfig.exe -dir C:\SSL -mycert csrname.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
Copy the generated files to the SSL folder and configure the certificates as in sections A and B, using csrname.der in place of servercert.der.
Hello Pranav,
Really helpful blog. Can we use these instructions to enable SSL on BOBI 4.2 SP4 ?
Regards,
Asif
Hi Pranav,
I am trying to set this up for SAP BI Platform 4.2 SP5; however, in section 2 'Generating SSL certificates using GenPSE tool', I am stuck: I do not have that .exe in my ..\win64_x64 folder, nor a .cnf file.
Where can i get this .exe file from and the default .cnf file?
btw i have a 'sapgenpse' file, but this accepts different switch commands
Many Thanks
Howard
Hi Howard,
which .exe file are you missing? Is it GenPSE.exe?
I am also on 4.2 SP5 but all the files are available...
Hello,
I was able to establish the https connection to my BO server, but my browser is showing a warning regarding the certificate. I have chosen the self-signed certificate and so I have to choose the option "continue to website" when accessing BI Launchpad or CMC.
How to fix this certificate error? Do I have to sign the certificate from a CA? How does that work? Thank you!
Br,
Mario
Hi Mario,
This warning is due to self-signed certificate, using CA signed certificate you can get rid of the warning.
Regards, Pranav
Hi Pranav,
I have a question here, I sent my CSR file (server.csr) to my IT team to get it signed by CA and i have received 3 certificates ( Intermediate, Root & ServerCerticiate) from them. How can i make use of these in the Tomcat configuration ( as per your notes in Step 4 ) and with SIA (as per your notes in Step 5) because i don't have "servercert.der" and "cacert.der".
Can you please help me?
Regards,
Anil Saribala
I am on SAP BI 4.2 SP3 version
Hi,
Did you get this working? We are also in the same situation. It would be helpful if you could share the resolution.
Thanks
Narayan Vaster
Anil/Narayan,
These steps are for Corba SSL setup between tomcat and BOE servers.
If your requirement is to enable https in your BO url just follow below steps:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
Create a local Certificate Signing Request (CSR)
Importing the Certificate
Hi Pranav,
two comments from my side:
But anyway thanks for wrapping this up in a brief format.
Regards,
Harald
Hi,
I was following the guide for Windows and got everything setup up until the SIA. But after enabling SSL and supplying the folder and files I get an error when starting the SIA:
com.crystaldecisions.enterprise.ocaframework.ServiceMgr||(ServiceMgr:455): failed to initialize SSL
com.crystaldecisions.thirdparty.org.omg.CORBA.DATA_CONVERSION: minor code: 0x0 completed: No
at com.crystaldecisions.thirdparty.com.ooc.FSSL.rsa.Certificate_impl.<init>(Certificate_impl.java:85)
at com.crystaldecisions.thirdparty.com.ooc.FSSL.rsa.FSSLImpl.createCertificate(FSSLImpl.java:70)
at com.crystaldecisions.thirdparty.com.ooc.FSSL.Manager_impl.create_certificate(Manager_impl.java:130)
at com.crystaldecisions.enterprise.ocaframework.SSLConfig$SSLParameters.getCertificates(SSLConfig.java:131)
at com.crystaldecisions.enterprise.ocaframework.SSLConfig$SSLParameters.getTrustedCertificates(SSLConfig.java:117)
at com.crystaldecisions.enterprise.ocaframework.SSLConfig.initializeSSL(SSLConfig.java:63)
at com.crystaldecisions.enterprise.ocaframework.ServiceMgr.<init>(ServiceMgr.java:419)
at com.crystaldecisions.enterprise.ocaframework.ServiceMgrFactory.getServiceMgr(ServiceMgrFactory.java:66)
at com.businessobjects.cad.CADServant.init(CADServant.java:56)
at com.businessobjects.cad.ClusterAgent.init(ClusterAgent.java:40)
at com.businessobjects.cad.CAD.init(CAD.java:41)
at com.businessobjects.cad.CADmain.main(CADmain.java:263)
Any idea what might be wrong here? Tomcat starts normal after I made the changes as described in the guide and I also get the login screen on port 8443 with https but of course cannot login to the CMS as it is not running.
Thanks, Juergen
Hi,
I meet the same error, have you found a solution?
Thanks, Patrice
I have the same error. Did you find a solution?
Regards,
Hello,
If it can help: this error occurs when the certificates are in the wrong format; you have to use the binary format
(commands
Windows
Linux
Regards,
Guillaume,
Couple of questions :
hello,
I have applied above steps in our 4.2 SP05, Update 3 with Hotfix 2 environment on windows server 2016 R2. We have separate Tomcat with IIS website configured to redirect to BI launchpad.
IIS with redirect works as expected except for the HTTPS part where it throws the following error
Logon Failed
Transport error: Insufficient resources.(FWM 00002)
URL https://Servername(localhost):8443/BOE/CMC lands the page as it should but when ID and Password provided following error shows up
Account information not recognized: Could not reach CMS ‘pmod1d2a:6400’. Specify the correct host and port and check for network issues. (FWM 20030)
Not sure what's missing. Question on server.xml file, after adding the connector port, it looks like below
<Connector port="8080" redirectPort="8443" connectionTimeout="20000" protocol="HTTP/1.1"/><Connector port="8443" protocol="HTTP/1.1" keystoreFile="D:\SSL\.keystore" keystorePass="123456" debug="0" acceptCount="100" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" minSpareThreads="25" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" maxThreads="150" SSLEnabled="true"/>
We are using D:\SSL instead of C:\SSL
Any thoughts ?
Thanks,
Hello, I have the same issue. Have you a solution?
Hi! how can we generate the CSR file in Windows system with SAN (Subject Alternative Name)?
Thanks in advance
Hi Miguel,
did you find out how to set the SAN (Subject Alternative Name)? Because I face the exact same problem 🙂
Thanks and best regards,
Axel
I am using a certificate managed by a CA. Under step 4 adding the the Java Options. When I add those Java options(-DcertDir, -DtrustedCert, etc.), I'm able to bring up, the CMC login screen using SSL, but when I log in, I get a FWM 20030 error (could not reach CMS).
Also, on the next step (5. Configure the SIA....). When I configure this, SIA doesn't start.
Why am I getting the above errors? Are those steps needed?
Since I am using a CA-managed certificate, would the passphrase.txt file be empty?
thanks
conrado
Hi, Where to find OpenSSL for Windows 2012 Server. - Prem
Hi,
Today we got an email from the CA team indicating that the SSL certificate is expiring soon; please let me know the process to renew it.
Thanks
Hi Pranav,
It is a great document, but I am still having issue with the certificate error. So how do I fix it?
Thank you very much!
Chuong