I have been to many blogs, snotes and apache documents for securing my tomcat server but was stuck in one or other place. I am documenting this steps which i have explored and followed to secure the tomcat server.
Environment-BO 4.2 SP05,database-MSSQL Server ,OS-Windows,tomcat 8.5+
If the BO environment has multiple tomcat server then each tomcat server needs to be secured separately .
1-keystore and certificate creation-I will be using the keytool which is present by default in sapvm for window server, you can go for openssl as well ,there are different document available for openssl.
Navigate to BI 4.1/4.2: <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\ and run below command to generate keystore
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore myserver.keystore
It will ask you for below attributes details, provide it,and make sure to note down the password you have used,it will be used later as well for verfication and at other locations:
|enter the password again at the end|
Once the myservertest.keystore is created,you will see it on the same folder.
Step2-Generate certificate signing request ( CSR) using the keystore generated in previous steps
Generate csr request and make sure to include the attribute san(secondary alternative name which is mandatory field from crome 88 patch).
You may be able to see the /BOE/BI link secured in Internet explorer without it but from chrome it is mandatory else you would end up with below error:
command to generate csr keytool -certreq -keyalg RSA -alias tomcat -file cert.csr -keystore myserver.keystore -ext san=dns:hostname,dns:hostname with FQDN.
example keytool -certreq -keyalg RSA -alias test -file csrtest.csr -keystore myservertest.keystore -ext san=dns:abc,dns:abc.com
Step3–Sign it from CA authority -the certificate signing request generated in the previous steps should be signed by the CA authority of your organization or using any 3rd party tool.
Step4-Download the signed certificate along with the chain certificate-If the certificate chain is downloaded in *.p7b format, convert it into base 64 X.509 format separately for Root, Intermediate and server signed certificate using cert manager.
Using the cert manager:Double click on the *.p7b chain certificate downloaded or Received from CA authority:
Double clicking on the certificate ,it would open in cert manager with all the three certificates ,export one by one by clicking on each certificate, and go to details tab ,copy to file.
For example, here is the steps for importing Root certificate,follow the same steps to export intermediate CA and signed certificate.
Select the format as Base 64 encoded X.509.(CER)
Browse for the location where you want to save the certificate.
Save it by clicking on finish ,Similary export the intermediate CA and server signed certificate.
Step5-copy all the three certificate in the location where we have keytool- <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\.
Keep a copy of Root and Intermediate CA handy if you have multiple tomcat servers, you can use the same and you have to export only the particular server signed certificate ,exporting chain is not required everytime.
Step 6-Import all the three certificate one by one on the keystore we have generated in the previous steps.
Make sure to keep a copy of the keystore and csr we have have generated in previous steps so that in case you encounter any error while importing the certificate you dont have to generate the keystore again. Keep it in folder other than bin.
Imorting sequence -make sure you have the credentials handy that has been given during keystore generation ,it will ask you for confirmation.
keytool -import -alias root -keystore myservertest.keystore -trustcacerts -file root.cer
keytool -import -alias intermed -keystore myservertest.keystore -trustcacerts -file intermediate.cer
3-server signed certificate
keytool -import -alias tomcat -keystore myservertest.keystore -trustcacerts -file bobj.cer
Step7-Create a folder ssl in the base location or anywhere in the tomcat server from where you want server.xml to access it. for example-create a ssl folder under D:\SAPBusinessObject\ssl
place the keystore file under this ssl folder.
Step 8-backup the server.xml file as we will be passing the parameter to use keystore and its password.
location- D:\SAP BusinessObjects\Tomcat6\conf\
Step 9-open the server.xml in notepad and add below entry:
Uncomment the section below and add the two commands after keystorePass & keystoreFile
Provide the location wherever keystore is stored and the credential we have kept from starting.
Uncomment the connector below:
"<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol....>" Modify the connector to match the parameters below: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" SSLEnabled="true" scheme="https" secure="true"> <SSLHostConfig protocols="TLSv1.2"> <Certificate certificateKeystoreFile="C:/SSL/myserver.keystore" certificateKeystorePassword="mypassword" /> </SSLHostConfig> </Connector>
Step10-Restart tomcat server
Testing-now check the tomcat url with https ,it should show you as secure with lock icon.
Repeat the same steps for other tomcat server in your environment.
You can also check the SAN field which is added to support google chrome browser patch 88 with the DNS entires.