I have been to many blogs, snotes and apache documents for securing my tomcat server but was stuck in one or other place. I am documenting this steps which i have explored and followed to secure the tomcat server.

link referred

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

https://apps.support.sap.com/sap/support/knowledge/en/1648573

https://stackoverflow.com/questions/25983440/keytool-keytool-error-java-lang-exception-input-not-an-...

https://apps.support.sap.com/sap/support/knowledge/en/2579572

 

Environment-BO 4.2 SP05,database-MSSQL Server ,OS-Windows,tomcat 8.5+

If the BO environment has multiple tomcat server then each tomcat server needs to be secured separately .

Steps:

1-keystore and certificate creation-I will be using the keytool which is present by default in sapvm for window server, you can go for openssl as well ,there are different document available for openssl.

Navigate to BI 4.1/4.2: <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\ and run below command to generate keystore

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore myserver.keystore

It will ask you for below attributes details, provide it,and make sure to note down the password you have used,it will be used later as well for verfication and at other locations:

keystore password

full name

Organization unit

Organization

City

State

Country

enter the password again at the end

 

Once the myservertest.keystore is created,you will see it on the same folder.

Step2-Generate certificate signing request ( CSR) using the keystore generated in previous steps

Generate csr request and make sure to include the attribute san(secondary alternative name which is mandatory field from crome 88 patch).

You may be able to see the /BOE/BI link secured in Internet explorer without it but from chrome it is mandatory else you would end up with below error:

 

 

command to generate csr keytool -certreq -keyalg RSA -alias tomcat -file cert.csr -keystore myserver.keystore -ext san=dns:hostname,dns:hostname with FQDN.

example keytool -certreq -keyalg RSA -alias test -file csrtest.csr -keystore myservertest.keystore -ext san=dns:abc,dns:abc.com

Step3-Sign it from CA authority -the certificate signing request generated in the previous steps should be signed by the CA authority of your organization or using any 3rd party tool.

 

Step4-Download the signed certificate along with the chain certificate-If the certificate  chain is downloaded in *.p7b format, convert it into base 64 X.509 format separately for Root, Intermediate and server signed certificate using cert manager.

Using the cert manager:Double click on the *.p7b chain certificate downloaded or Received from CA authority:

Double clicking on the certificate ,it would open in cert manager with all the three certificates ,export one by one by clicking on each certificate, and go to details tab ,copy to file.

For example,  here is the steps for importing Root certificate,follow the same steps to export intermediate CA and signed certificate.

Select the format as Base 64 encoded X.509.(CER)

Browse for the location where you want to save the certificate.

Save it by clicking on finish ,Similary export the intermediate  CA and server signed certificate.

Step5-copy all the three certificate in the location where we have keytool- <Installdir>\SAP Business Objects Enterprise XI 4.0\win64_x64\sapjvm\bin\.

Keep a copy of Root and Intermediate CA handy if you have multiple tomcat servers, you can use the same and you have to export only the particular server signed certificate ,exporting chain is not required everytime.

Step 6-Import all the three certificate one by one on the keystore we have generated in the previous steps.

Make sure to keep a copy of the keystore and csr we have have generated in previous steps so that  in case you encounter any error while importing the certificate you dont have to generate the keystore again. Keep it in folder other than bin.

Imorting sequence -make sure you have the credentials handy that has been given during keystore generation ,it will ask you for confirmation.

1-import Root

keytool -import -alias root -keystore myservertest.keystore -trustcacerts -file root.cer

2-import Intermediate

keytool -import -alias intermed -keystore myservertest.keystore -trustcacerts -file intermediate.cer

3-server signed certificate

keytool -import -alias tomcat -keystore myservertest.keystore -trustcacerts -file bobj.cer

 

Step7-Create a folder ssl in the base location or anywhere in the tomcat server from where you want server.xml to access it. for example-create a ssl folder under D:\SAPBusinessObject\ssl

place the keystore file under this ssl folder.

Step 8-backup the server.xml file as we will be passing the parameter to use keystore and its password.

location- D:\SAP BusinessObjects\Tomcat6\conf\

 

Step 9-open the server.xml in notepad and add below entry:

Uncomment the section below and add the two commands after keystorePass & keystoreFile

Provide the location wherever keystore is stored and the credential we have kept from starting.

 

Uncomment the connector below:

"<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol....>"



Modify the connector to match the parameters below:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="200" SSLEnabled="true" scheme="https" secure="true">

<SSLHostConfig protocols="TLSv1.2">

<Certificate

certificateKeystoreFile="C:/SSL/myserver.keystore"

certificateKeystorePassword="mypassword"

/>

</SSLHostConfig>

</Connector>

 

Step10-Restart tomcat server 

 

Testing-now check the tomcat url with https ,it should show you as secure with lock icon.

url -https://Servername:8443/BOE/BI

Repeat the same steps for other tomcat server in your environment.

You can also check the SAN field which is added to support google chrome browser patch 88 with the DNS entires.