Skip to Content
Business Trends

Configure SSL in BI 4.2 SP05 to support browser google chrome patch 88

I have been to many blogs, snotes and apache documents for securing my tomcat server but was stuck in one or other place. I am documenting this steps which i have explored and followed to secure the tomcat server.

link referred

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

https://apps.support.sap.com/sap/support/knowledge/en/1648573

https://stackoverflow.com/questions/25983440/keytool-keytool-error-java-lang-exception-input-not-an-x-509-certificate

https://apps.support.sap.com/sap/support/knowledge/en/2579572

 

Environment-BO 4.2 SP05,database-MSSQL Server ,OS-Windows,tomcat 8.5+

If the BO environment has multiple tomcat server then each tomcat server needs to be secured separately .

Steps:

1-keystore and certificate creation-I will be using the keytool which is present by default in sapvm for window server, you can go for openssl as well ,there are different document available for openssl.

Navigate to BI 4.1/4.2: <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\ and run below command to generate keystore

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore myserver.keystore

It will ask you for below attributes details, provide it,and make sure to note down the password you have used,it will be used later as well for verfication and at other locations:

keystore password
full name
Organization unit
Organization
City
State
Country
enter the password again at the end

 

Once the myservertest.keystore is created,you will see it on the same folder.

Step2-Generate certificate signing request ( CSR) using the keystore generated in previous steps

Generate csr request and make sure to include the attribute san(secondary alternative name which is mandatory field from crome 88 patch).

You may be able to see the /BOE/BI link secured in Internet explorer without it but from chrome it is mandatory else you would end up with below error:

 

 

command to generate csr keytool -certreq -keyalg RSA -alias tomcat -file cert.csr -keystore myserver.keystore -ext san=dns:hostname,dns:hostname with FQDN.

example keytool -certreq -keyalg RSA -alias test -file csrtest.csr -keystore myservertest.keystore -ext san=dns:abc,dns:abc.com

Step3Sign it from CA authority -the certificate signing request generated in the previous steps should be signed by the CA authority of your organization or using any 3rd party tool.

 

Step4-Download the signed certificate along with the chain certificate-If the certificate  chain is downloaded in *.p7b format, convert it into base 64 X.509 format separately for Root, Intermediate and server signed certificate using cert manager.

Using the cert manager:Double click on the *.p7b chain certificate downloaded or Received from CA authority:

Double clicking on the certificate ,it would open in cert manager with all the three certificates ,export one by one by clicking on each certificate, and go to details tab ,copy to file.

For example,  here is the steps for importing Root certificate,follow the same steps to export intermediate CA and signed certificate.

Select the format as Base 64 encoded X.509.(CER)

Browse for the location where you want to save the certificate.

Save it by clicking on finish ,Similary export the intermediate  CA and server signed certificate.

Step5-copy all the three certificate in the location where we have keytool- <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\.

Keep a copy of Root and Intermediate CA handy if you have multiple tomcat servers, you can use the same and you have to export only the particular server signed certificate ,exporting chain is not required everytime.

Step 6-Import all the three certificate one by one on the keystore we have generated in the previous steps.

Make sure to keep a copy of the keystore and csr we have have generated in previous steps so that  in case you encounter any error while importing the certificate you dont have to generate the keystore again. Keep it in folder other than bin.

Imorting sequence -make sure you have the credentials handy that has been given during keystore generation ,it will ask you for confirmation.

1-import Root

keytool -import -alias root -keystore myservertest.keystore -trustcacerts -file root.cer

2-import Intermediate

keytool -import -alias intermed -keystore myservertest.keystore -trustcacerts -file intermediate.cer

3-server signed certificate

keytool -import -alias tomcat -keystore myservertest.keystore -trustcacerts -file bobj.cer

 

Step7-Create a folder ssl in the base location or anywhere in the tomcat server from where you want server.xml to access it. for example-create a ssl folder under D:\SAPBusinessObject\ssl

place the keystore file under this ssl folder.

Step 8-backup the server.xml file as we will be passing the parameter to use keystore and its password.

location- D:\SAP BusinessObjects\Tomcat6\conf\

 

Step 9-open the server.xml in notepad and add below entry:

Uncomment the section below and add the two commands after keystorePass & keystoreFile

Provide the location wherever keystore is stored and the credential we have kept from starting.

 

Uncomment the connector below:

"<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol....>"

Modify the connector to match the parameters below:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="TLSv1.2">
<Certificate
certificateKeystoreFile="C:/SSL/myserver.keystore"
certificateKeystorePassword="mypassword"
/>
</SSLHostConfig>
</Connector>

 

Step10-Restart tomcat server 

 

Testing-now check the tomcat url with https ,it should show you as secure with lock icon.

url -https://Servername:8443/BOE/BI

Repeat the same steps for other tomcat server in your environment.

You can also check the SAN field which is added to support google chrome browser patch 88 with the DNS entires.

 

 

 

 

4 Comments
You must be Logged on to comment or reply to a post.
  • Hi

    Thank you for the blog. In step 3, you says :

    Step3Sign it from CA authority -the certificate signing request generated in the previous steps should be signed by the CA authority of your organization or using any 3rd party tool.

     

    Where can I signed the csr generate for free or which "third party tool" I can use ?

    How did you complete this step ?

     

    Thank you in advance for your help.

    Cheikh

    • Normally every organization do have their own CA authority for signing CSR,in case you want to use the free one you can use openssl and other signing tool available in Google.

  • Hello,

    Is it a good post.

    however, just wanted to highlight that it should also have additional 2 more steps for completeness before re-starting tomcat.

    Step11 : add certificate information in Tomcat configuration

    Step 12: -> add certificate path and names in SIA Protocol after enabling SSL.

    Restart Tomcat

    Without these login to CMC will not work. servercert.der login fails