As the SAP BI 4.2 SP5 content is still subject to change, please consider the below legal disclaimer statement:
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP’s willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
A. In Windows Operating System:
1 Generating Key store for Tomcat
1.1 Navigate to: “%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\bin”
1.2 Run commands:
keytool.exe -genkey -alias tomcat -keysize 2048 -keyalg RSA
MKDIR C:\SSL
COPY "%USERPROFILE%\.keystore" C:\SSL
2 Generating SSL certificates using GenPSE tool:
2.1 Navigate to:
“%BOBJ INSTALL DIR%\SAP BusinessObjects Enterprise XI 4.0\win64_x64”
2.2 Generate the certificates. There are two ways to do this:
- Self-signed certificate – the CA and server certificates are generated using GenPSE, and the server certificate is also signed using GenPSE.
- CSR using GenPSE – the CA is generated with a third-party tool and the server certificate CSR with GenPSE; the server certificate is then signed by the third-party CA using the third-party tool (refer to section C).
To generate self-signed certificate, run command:
GenPSE.exe selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf
Note: the .cnf file, which contains the default values for certificate generation (country name, state, etc.), must be present in the win64_x64 directory.
Enter the details as prompted; by default the values are taken from the Default.cnf file.
You must follow the below rules while creating the default configuration file.
- You should add the values on the left-hand side exactly as mentioned below.
- The values on left-hand side are case-sensitive
- There should be only one space between a value and the ‘equal to’ (=) sign. For example, there is only one space between CA_Common_Name and ‘equal to’ sign.
- You must ensure there is no space after the values on the right-hand side.
Follow the steps below to create a default configuration file:
- Open a new document in a text editor.
- Add the values as given below:
CA_Common_Name = rootnm
CA_Country = DE
CA_State = BW
CA_Locality = RRR
CA_Email = root@gmail.com
CA_Unit = root_u
CA_Expiration[YYMMDD] = yymmdd
User_Expiration[YYMMDD] = yymmdd
User_Country = IN
User_State = KA
User_Locality = BLR
User_Organization = SSS
User_Unit = Unit
User_Common_Name = UserName
Save the file as Default.cnf in <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 (the directory GenPSE.exe is run from; the name must match the one passed on the GenPSE command line).
Make sure that Root CA certificate and PSE files are given different Common names.
After the above command is run, the following five files are created.
- cacert.der
- servercert.der
- server.key
- passphrase.txt
- temp.pse
Place the above files in C:\SSL
COPY cacert.der C:\SSL
COPY servercert.der C:\SSL
COPY server.key C:\SSL
COPY temp.pse C:\SSL
COPY passphrase.txt C:\SSL
3 Configure Tomcat to communicate with a User's Browser over HTTPS
3.1 Open the Central Configuration Manager (CCM)
3.2 Stop Tomcat
3.3 Navigate to server.xml path (%BOBJ INSTALL DIR%\tomcat\conf ), keep a copy of server.xml
3.4 Edit server.xml, find the Connector tag for port 8080, and add the following Connector after it:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" keystorePass="Password1" keystoreFile="C:\SSL\.keystore"/>
3.5 Save and close server.xml
4 Configure Tomcat to use the SSL Certificates for Communication With the SIA
4.1 Open Tomcat Configuration
4.2 Go to the Java tab
4.3 Add the following text to the Java options:
-Dbusinessobjects.orb.oci.protocol=ssl
-DcertDir=C:\SSL
-DtrustedCert=cacert.der
-DsslCert=servercert.der
-DsslKey=server.key
-Dpassphrase=passphrase.txt
(Note: no leading or trailing spaces; otherwise Tomcat will not start.)
4.4 Click OK, start Tomcat again
5 Configure the SIA to Use the SSL Certificates
5.1 In the CCM, stop the Server Intelligence Agent.
5.2 Double-click the SIA and go to the Protocol tab
5.3 Select Enable SSL
5.4 Browse to and select each of the SSL files placed in C:\SSL
5.5 Click OK and start the SIA. The CMC should now be accessible at
https://Servername(localhost):8443/BOE/CMC
5.6 To set the SSL parameters, run:
sslconfig.exe -dir C:/SSL -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
6 Setting SSL properties on WACS SERVER
6.1 Log in to BOE, navigate to Servers -> Server List -> WACS, stop WACS, and go to its Properties
6.2 Select enable HTTPS
6.3 Add below details:
Bind to hostname or IP address: localhost
Https port: 1234 (a unique port number)
Protocol: select SSL
Certificate store type: select JKS
Certificate store file location: copy .keystore file full path (C:/SSL/.keystore)
Private key access password: Password1
6.4 Save and close, restart WACS server
6.5 Once the WACS server has restarted, navigate to Applications -> RESTful Web Services and edit the URL http://localhost:6405/biprws so that it uses the same hostname and port as configured on the WACS server (e.g. https://localhost:1234/biprws)
6.6 Save and close. Check BI Administrators' cockpit
B. In Non-Windows Operating Systems:
1 Generating key store for Tomcat
1.1 Open a terminal and create the following folder:
mkdir ~/ssl
1.2 Navigate to : “%BOBJ INSTALL DIR%/sap_bobj/enterprise_xi40/linux_x64/sapjvm/jre/bin”
1.3 Run command: ./keytool -genkey -alias tomcat -keyalg RSA -keystore ~/ssl/.keystore
1.4 Enter all values as prompted
2 Generating SSL certificates using GenPSE tool:
2.1 Navigate to the platform directory that contains GenPSE, for example:
“%BOBJ INSTALL DIR%/sap_bobj/enterprise_xi40/linux_x64” (aix_rs6000_64 on AIX)
2.2 To set the library path, run the following command (export, in a bash shell):
1. For Linux:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>
(For example: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)
2. For AIX:
export LIBPATH=$LIBPATH:<path of the executable GenPSE>
(For Ex: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)
2.3 The certificate can be generated in two ways:
- Self-signed certificate – the CA and server certificates are generated using GenPSE, and the server certificate is also signed using GenPSE.
- CSR using GenPSE – the CA is generated with a third-party tool and the server certificate CSR with GenPSE; the server certificate is then signed by the third-party CA using the third-party tool (refer to section C).
2.4 To generate self-signed certificate, run command:
./GenPSE selfsigned temp.pse servercert.der cacert.der server.key passphrase.txt Default.cnf
Note: the .cnf file, which contains the default values for certificate generation (country name, state, etc.), must be present in the directory from which GenPSE is run.
Enter the details as prompted; by default the values are taken from the Default.cnf file.
You must follow the below rules while creating the default configuration file.
- You should add the values on the left-hand side exactly as mentioned below.
- The values on left-hand side are case-sensitive
- There should be only one space between a value and the ‘equal to’ (=) sign. For example, there is only one space between CA_Common_Name and ‘equal to’ sign.
- You must ensure there is no space after the values on the right-hand side.
Follow the steps below to create a default configuration file:
- Open a new document in a text editor.
- Add the values as given below:
CA_Common_Name = rootnm
CA_Country = DE
CA_State = BW
CA_Locality = RRR
CA_Email = root@gmail.com
CA_Unit = root_u
CA_Expiration[YYMMDD] = yymmdd
User_Expiration[YYMMDD] = yymmdd
User_Country = IN
User_State = KA
User_Locality = BLR
User_Organization = SSS
User_Unit = Unit
User_Common_Name = UserName
Save the file as Default.cnf in the directory from which GenPSE is run. The name must match the one passed on the GenPSE command line; file names are case-sensitive on Linux and AIX.
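The spacing and case rules above are easy to get wrong by hand. As an added example that is not part of the SAP document, the POSIX shell function below (the name check_cnf is mine) checks a Default.cnf against exactly those rules before GenPSE is run with it, for both the Windows and non-Windows procedures; it assumes the key list is the one shown above and that blank lines are harmless.

```shell
#!/bin/sh
# Added example, not part of the SAP document: checks a Default.cnf against the
# rules listed above (keys spelled exactly as shown and case-sensitive, exactly
# one space on each side of "=", no space after the value) before GenPSE runs.
# Assumption: the key list is exactly the one shown in the document.
set -uf   # -f: the [YYMMDD] keys must not be expanded as glob patterns

CNF_KEYS='CA_Common_Name CA_Country CA_State CA_Locality CA_Email CA_Unit
CA_Expiration[YYMMDD] User_Expiration[YYMMDD] User_Country User_State
User_Locality User_Organization User_Unit User_Common_Name'

# check_cnf FILE -> returns 0 if every rule holds, 1 otherwise (reasons on stderr)
check_cnf() {
  file=$1; rc=0; n=0; seen=''
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -n "$line" ] || continue                  # blank lines are tolerated (assumption)
    case $line in
      *' = '*) ;;                               # required shape: "Key = value"
      *) echo "line $n: expected 'Key = value' with one space each side" >&2
         rc=1; continue ;;
    esac
    key=${line%% = *}                           # text before the first " = "
    value=${line#"$key = "}
    case $key in
      *' '*) echo "line $n: more than one space before '='" >&2; rc=1; continue ;;
    esac
    case $value in
      ''|' '*) echo "line $n: empty value or extra space after '='" >&2; rc=1 ;;
      *' ')    echo "line $n: trailing space after the value" >&2; rc=1 ;;
    esac
    found=0
    for k in $CNF_KEYS; do [ "$k" = "$key" ] && found=1; done
    [ "$found" -eq 1 ] || { echo "line $n: unknown or wrongly cased key '$key'" >&2; rc=1; }
    seen="$seen $key "
  done < "$file"
  for k in $CNF_KEYS; do                        # every key the document lists must be present
    case " $seen" in *" $k "*) ;; *) echo "missing key '$k'" >&2; rc=1 ;; esac
  done
  return "$rc"
}
```

Run it as check_cnf Default.cnf from the directory GenPSE is started in; a non-zero exit with the reasons on stderr means the file should be corrected first.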
After the above command is run, the following five files are created.
- cacert.der
- servercert.der
- server.key
- passphrase.txt
- temp.pse
2.5 Place the above files in ~/ssl
cp servercert.der /build/home/boeuser/ssl
cp cacert.der /build/home/boeuser/ssl
cp server.key /build/home/boeuser/ssl
cp passphrase.txt /build/home/boeuser/ssl
cp temp.pse /build/home/boeuser/ssl
3 Configure Tomcat to communicate with a User's Browser over HTTPS
3.1 Navigate to “%BOBJ INSTALL DIR%/sap_bobj/tomcat/conf”
3.2 Edit server.xml and add the following entry:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" keystorePass="Password1" keystoreFile="%HOME_DIRECTORY%/ssl/.keystore"/>
This entry can be appended just below the Port 8080 Connector settings. The following screenshot will provide a reference:
3.3 Save the file.
4 Configure Tomcat to use the SSL Certificates for Communication With the SIA
4.1 Navigate to “%BOBJ INSTALL DIR%/sap_bobj/tomcat/bin”
4.2 Edit bobjenv.sh and append the following to JAVA_OPTS:
-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=%HOME_DIRECTORY%/ssl -DtrustedCert=cacert.der -DsslCert=servercert.der -DsslKey=server.key -Dpassphrase=passphrase.txt
After appending, JAVA_OPTS should look similar to the picture below.
4.3 Save the file
5 Configure the SIA to Use the SSL Certificates
5.1 Navigate to: “%BOBJ INSTALL DIR%/sap_bobj/”
5.2 Run command: ./serverconfig
5.3 Select: Modify node (Option 3) and choose the node that you need to configure.
Provide the following details:
- SSL dir
- SSLCertificate = servercert.der
- SSLTrustCertificate = cacert.der
- SSLKey = server.key
- Pse file = temp.pse
- SSLPassphrase = passphrase.txt
5.4 Navigate to “%BOBJ INSTALL DIR%/sap_bobj/”
Run the following:
./sqlanywhere_startup.sh
./startservers
./tomcatstartup.sh
Verify that Tomcat is up and serving HTTPS by loading the CMC page at
https://Servername(localhost):8443/BOE/CMC
and check the CORBA settings in the CMC server properties.
Note: If the Tomcat restart fails with an out-of-memory exception, include the following options under JAVA_OPTS in bobjenv.sh:
-Djava.net.preferIPv4Stack=false -Xmx2048m -XX:MaxPermSize=384m
5.5 Configure the SDK and Processing Tier
cd <BINPATH>
Source the setup/env.sh script as follows:
. ../../setup/env.sh
./boe_sslconfig -dir <SSLFILEPATH> -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
Exit the shell so that scripts run in the future will source the env.sh script properly.
6 Setting SSL properties on WACS SERVER
Same as in Windows (section A, step 6).
C. Generating CSR using GenPSE
For Windows, run:
GenPSE.exe gencsr csrname.p10 server.key passphrase.txt Default.cnf
For Non-Windows:
Set library path
- For Linux:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<path of the executable GenPSE>
(For Ex: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/build/home/boeuser/boe/sap_bobj/enterprise_xi40/linux_x64)
- For AIX:
export LIBPATH=$LIBPATH:<path of the executable GenPSE>
(For Ex: export LIBPATH=$LIBPATH:/usr/u/qaunix/boe/sap_bobj/enterprise_xi40/aix_rs6000_64)
and then run
./GenPSE gencsr csrname.p10 server.key passphrase.txt Default.cnf
After this step we will get 3 files:
- csrname.p10
- server.key
- passphrase.txt
Copy the above files to SSL folder
COPY csrname.p10 C:\SSL
COPY server.key C:\SSL
COPY passphrase.txt C:\SSL
Run the commands below to generate a CA with OpenSSL and sign the csrname.p10 request with it.
NOTE: Make sure the OpenSSL tool is downloaded before performing the following steps.
Navigate to openssl folder:
cd C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\bin
Set the environment:
Set OPENSSL_CONF=C:\Users\Administrator\Downloads\openssl-0.9.8h-1-bin\share\openssl.cnf
Create the CA with OpenSSL:
Openssl.exe req -newkey rsa:2048 -nodes -out c:\SSL\cacert.req -keyout c:\SSL\cakey.pem -sha256
Openssl.exe x509 -req -trustout -signkey c:\SSL\cakey.pem -days 365 -in c:\SSL\cacert.req -out c:\SSL\cacert.pem -sha256
Generate the serial file that OpenSSL uses when signing the server certificate:
Echo 02 >c:\SSL\ca.srl
(Generate the server certificate request, server key and passphrase with GenPSE, as shown at the start of this section.)
Sign the server certificate with the CA certificate using OpenSSL:
Openssl.exe x509 -CA c:\SSL\cacert.pem -CAkey c:\SSL\cakey.pem -CAserial c:\SSL\ca.srl -req -in c:\SSL\csrname.p10 -out c:\SSL\csrname.crt -days 365 -sha256
Convert the PEM files to DER format:
openssl x509 -outform der -in c:\SSL\cacert.pem -out c:\SSL\cacert.der
openssl x509 -outform der -in c:\SSL\csrname.crt -out c:\SSL\csrname.der
To generate the .pse file:
set SECUDIR=.
sapgenpse import_p8 -p C:\SSL\temp.pse -c C:\SSL\csrname.der -r C:\SSL\cacert.der -z C:\SSL\passphrase.txt C:\SSL\server.key
Leave the PSE password blank when prompted.
sapgenpse seclogin -p C:\SSL\temp.pse -O SYSTEM
sslconfig.exe -dir C:\SSL -mycert csrname.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -psecert temp.pse -protocol ssl
Copy the generated files to SSL folder and configure the certificates.
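Section C gives the OpenSSL CA steps only in their Windows form. As an added example that is not from the SAP document, the function below (the name sign_csr_with_local_ca is mine) carries out the same sequence for the non-Windows case: create the CA key and self-signed certificate, sign the GenPSE CSR with it, convert both certificates to DER, and verify the chain before the files go to sapgenpse and boe_sslconfig. It assumes csrname.p10 already exists in the SSL directory, takes the CA subject as a parameter instead of prompting, and adds a basicConstraints=CA:TRUE extension to the CA certificate, which the document's commands do not set.

```shell
#!/bin/sh
# Added example, not part of the SAP document: the section C OpenSSL steps
# (create a CA, sign the GenPSE CSR with it, convert both certificates to DER)
# as a POSIX shell function for the non-Windows case. Assumes csrname.p10 was
# produced beforehand with "./GenPSE gencsr ..." and lies in SSL_DIR. Beyond the
# document's commands, the CA certificate gets basicConstraints=CA:TRUE, which
# newer OpenSSL releases expect on a CA certificate before they accept it on verify.
set -u

# sign_csr_with_local_ca SSL_DIR CSR_FILE CA_SUBJECT
#   Creates cacert.pem/cakey.pem in SSL_DIR if absent, signs CSR_FILE into
#   <base>.crt, writes cacert.der and <base>.der, and verifies the chain.
sign_csr_with_local_ca() {
  dir=$1; csr=$2; ca_subj=$3; base=${csr%.*}
  [ -f "$dir/$csr" ] || { echo "missing CSR: $dir/$csr" >&2; return 1; }
  if [ ! -f "$dir/cacert.pem" ]; then
    # Same parameters as the document: 2048-bit RSA, SHA-256, 365 days
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$ca_subj" \
      -out "$dir/cacert.req" -keyout "$dir/cakey.pem" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$dir/ca.ext"
    openssl x509 -req -trustout -signkey "$dir/cakey.pem" -days 365 -sha256 \
      -extfile "$dir/ca.ext" -in "$dir/cacert.req" -out "$dir/cacert.pem" \
      2>/dev/null || return 1
    echo 02 > "$dir/ca.srl"                     # serial file, as in the document
  fi
  openssl x509 -req -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAserial "$dir/ca.srl" -in "$dir/$csr" -out "$dir/$base.crt" \
    -days 365 -sha256 2>/dev/null || return 1
  openssl x509 -outform der -in "$dir/cacert.pem" -out "$dir/cacert.der" || return 1
  openssl x509 -outform der -in "$dir/$base.crt" -out "$dir/$base.der" || return 1
  # Check before the files go to sapgenpse/boe_sslconfig: the server certificate
  # must chain to the CA certificate that will be passed as -rootcert
  openssl verify -CAfile "$dir/cacert.pem" "$dir/$base.crt" >/dev/null 2>&1
}
```

The resulting cacert.der and csrname.der are the files the sapgenpse import_p8 and boe_sslconfig commands above expect as -r/-rootcert and -c/-mycert.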