How to configure SSL for Lumira Discovery and Designer in a distributed scenario
In real deployments, BI applications are generally installed in a distributed environment: for example, the BI servers and Lumira servers on one machine and the web tier on another.
To connect to the BI Platform, the Lumira clients (Discovery and Designer) use the RESTful web services and dswsbobje deployed on the web tier. When the web tier is deployed on a different machine, the Lumira clients run into problems connecting to the BI Platform over SSL.
This blog describes how to configure SSL for Lumira Discovery and Designer and connect to the BI Platform using SSL in a distributed setup (server tier and web tier).
In summary, the configuration in this document was implemented on a distributed setup with BI and Lumira on the server tier and the web content on Tomcat as the application server (web tier).
Generate SSL certificate
1. Generate the HTTPS SSL certificate using the command below. When generating a certificate for a distributed setup, it is important to add the certificate's subject alternative name.
Ex – keytool.exe -genkey -alias <alias_name> -keyalg RSA -keystore <keystore_name.jks> -validity 9999 -dname "CN=<webtier_hostname_with_domain>" -ext san=dns:<webtier_hostname_with_domain>,ip:<webtier_host_ip>
Note – <> indicates user defined value
Important Note – The above command creates only a self-signed certificate. Using a self-signed certificate is not recommended; get a properly signed certificate before proceeding further.
Configure Tomcat
2. Locate the configuration file for the Tomcat server at \conf\server.xml and modify it by adding a Connector element to support SSL (HTTPS) connections.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" keystorePass="Password1" keystoreFile="C:\SSL\KeystoreLumira.jks"/>
Restart Tomcat.
3. Launch BOE/CMC using HTTPS in the browser, ex – https://<webtier_hostname>:<web_port>/BOE/CMC
Right-click the lock icon, click the "Connection" tab, and then click the Certificate Information link. In the dialog that opens, click the Details tab at the top, click the "Copy to File…" button, follow the instructions, and save the file in a folder, for example the SSL folder on the C drive (file name ex – KeystoreLumira.cer).
Configure Lumira Clients (Discovery and Designer) for SSL
4. Download the InstallCert program and put its contents into the jre\bin\InstallCert folder of Lumira Discovery.
You will need to create the InstallCert subfolder manually.
5. Import the certificate into cacerts using keytool.
On the Lumira Discovery machine, run cmd as Administrator, navigate to
<lumira_discovery_installed_directory>\…\Desktop\jre\bin and run the command below:
keytool.exe -importcert -keystore "<lumira_discovery_installed_directory>\…\Desktop\jre\lib\security\cacerts" -alias <alias_name> -file "c:\KeystoreLumira.cer"
password – changeit
Note – Use the command below to delete keystore with the same alias name from security/cacerts.
6. Navigate to <lumira_discovery_installed_directory>\…\Desktop\jre\bin\InstallCert and run the command below:
..\java -cp . InstallCert <webtier_hostname>:<webtier_port>
Accept the certificate; you will then get a success message.
Note – Provide machine name or machine IP for <webtier_hostname>
Ex – ..\java -cp . InstallCert WEBTIER.DOMAIN.COM:8443
7. Launch Lumira Discovery and publish/connect to BIP using HTTPS.
8. Go to the preferences in Lumira Discovery for BI Platform and provide the following URL:
https://<webtier_machine>:<webtier_port>/biprws
Designer
Just log in to Designer using the HTTPS URL below:
https://<webtier_hostname>:<webtier_port>/dswsbobje/services/Session
Logging in to the BI Platform over SSL from Lumira Discovery and Designer will now work.
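Added example (not part of the original blog and not SAP code): a simplified model of the hostname check a TLS client applies to the certificate's subject alternative names, showing why the -ext san value from step 1 has to cover every host name or IP that the Lumira clients later use in the URLs of steps 6 to 8. The host names and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

def parse_san(ext_value):
    """Parse a keytool-style '-ext san=' value such as 'dns:a.example.com,ip:10.0.0.5'."""
    san = {"dns": [], "ip": []}
    for item in ext_value.split(","):
        kind, sep, value = item.strip().partition(":")
        kind = kind.lower()
        if not sep or kind not in san or not value.strip():
            raise ValueError(f"malformed SAN entry: {item!r}")
        san[kind].append(value.strip())
    return san

def dns_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return pattern == host

def host_covered(san, host):
    """True if the host used in the client URL is covered by the certificate's SAN."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only dNSName entries count.
        return any(dns_matches(p, host) for p in san["dns"])
    # IP literal: only iPAddress entries count, never dNSName entries.
    return any(ipaddress.ip_address(ip) == addr for ip in san["ip"])

def audit(ext_value, client_hosts):
    """Map each host a client might put in its URL to covered / not covered."""
    san = parse_san(ext_value)
    return {h: host_covered(san, h) for h in client_hosts}

# Constructed sample values standing in for <webtier_hostname_with_domain> and <webtier_host_ip>.
SAMPLE_SAN = "dns:webtier.example.com,ip:10.0.0.5"
SAMPLE_HOSTS = ["webtier.example.com", "WEBTIER.EXAMPLE.COM", "webtier", "10.0.0.5", "10.0.0.6"]

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_SAN, SAMPLE_HOSTS).items():
        print(f"{host:24} {'covered' if ok else 'NOT covered by the SAN'}")
```

A short host name such as "webtier" is not covered by a SAN that lists only the fully qualified name, so the URL entered in the Lumira clients should use exactly a name or IP that the certificate lists.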
Configure Lumira Clients (Discovery and Designer) for SSL
Default configuration of Lumira Designer:
-Djavax.net.ssl.trustStoreProvider=SunMSCAPI and -Djavax.net.ssl.trustStoreType=Windows-ROOT
are set to the Windows certificate store.
For this, install the server certificate into Trusted Root Certification Authorities using the Certificate Import Wizard, not keytool.