former_member196781

Hello BI4 Admins,

In addition to james.rapp's guide "Improving the User Experience in SAP BI Platform - BI 4.1 and Apache 2.4 Supplement",

I want to explain how to migrate an existing Tomcat SSL configuration to Apache and how to enable some logging improvements.

Apache SSL Setup


Assuming that there is already a working SSL configuration for Tomcat in place,
the existing certificate and its private key can be extracted from the keystore used by Tomcat
with the help of the Java keytool and openssl:

- Open CMD.exe

- Change directory to "<BOBJ>\win64_x64\sapjvm\bin",

  where <BOBJ> is C:\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\

  (or wherever it is installed in your deployment)

- Export the existing certificate with the following command (always adapt the values in < > according to your deployment).
  The -rfc option writes the certificate in PEM format, which is the format Apache reads for SSLCertificateFile:

keytool -exportcert -rfc -alias <cert alias> -file apache.crt -keystore "C:\<keystore location>\<keystorename>"


- Clone existing keystore to PKCS12

keytool -v -importkeystore -srckeystore "C:\<keystore location>\<keystorename>" -srcalias <cert alias> -destkeystore myp12file.p12 -deststoretype PKCS12

- Switch directory to openssl in <Apache root>\bin, e.g. C:\Apache24\bin

- Extract private key from the PKCS12 keystore with openssl by the following command:

openssl pkcs12 -in myp12file.p12 -nocerts -nodes

- Copy the private key, shown in CMD as plain text, to a text file and save it

Please keep in mind that this is sensitive information, since it is your certificate's private key!

- Rename the text file to apache.key

- Move the created files apache.crt and apache.key from "<BOBJ>\win64_x64\sapjvm\bin"
  to your default keystore location


- Stop Tomcat and Apache


- Change your Tomcat SSL port to another value by modifying the corresponding connector  

  in "<BOBJ>\tomcat\conf\server.xml", to avoid conflicts, e.g. to 44380


- Open httpd.conf located in <Apache root>\conf, to configure SSL for Apache:

- Search for LoadModule ssl_module modules/mod_ssl.so

  and uncomment it by deleting the # at the beginning of the line

- Insert the following lines, for example after the default Listen statement for HTTP.

  Please adapt the <Apache root>, <HTTPS port>, <servername> and <default keystore location>

  according to your deployment.

  Keep in mind that <servername> has to match the common name (CN) of the certificate,
  as well as the hostname used when accessing the BIP via HTTPS and that Apache needs "/" instead of "\" for paths:


Listen <HTTPS port>
SSLSessionCache shmcb:<Apache root>/logs/SSLCache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:<HTTPS port>>
    ServerName <servername>
    SSLEngine on
    SSLCertificateFile <default keystore location>/apache.crt
    SSLCertificateKeyFile <default keystore location>/apache.key

    Include conf/bobj.BOE.conf
    Include conf/bobj.AdminTools.conf
    Include conf/bobj.BusinessProcessBI.conf
    Include conf/bobj.MOBIServer.conf
    Include conf/bobj.MobileBIService.conf
    Include conf/bobj.clientapi.conf
    Include conf/bobj.dswsbobje.conf
    Include conf/bobj.explorer.conf
    Include conf/bobj.explorer_help.conf
</VirtualHost>

- Start Tomcat and Apache


- Basic check of SSL configuration by accessing

https://<servername>/

-> should show the default "It works!" page


- Check BI Launchpad access via
https://<servername>/BOE/BI

-> should show the BI Launchpad login


The deployment is now configured for SSL (HTTPS client access).
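
A variant of the key-extraction steps above that avoids copying the key from the console and checks the result before Apache uses it. This is an added example, not part of the original post. Assumptions: KEYDIR is a placeholder for your <default keystore location>, openssl.exe is on the PATH (for example when run from <Apache root>\bin), the key is RSA, apache.crt is PEM-encoded, and the Apache service runs as LocalSystem.

```bat
@echo off
rem Added example, not from the original post. KEYDIR is a placeholder path.
setlocal
set "KEYDIR=C:\path\to\keystore-location"
set "P12=myp12file.p12"
set "CRT_MD5="
set "KEY_MD5="

rem 1. Write the key straight to a file instead of printing it to the console.
openssl pkcs12 -in "%P12%" -nocerts -nodes -out "%KEYDIR%\apache.key"
if errorlevel 1 goto :fail

rem 2. Show subject (its CN must equal ServerName) and the validity dates.
rem    This fails if apache.crt is DER instead of PEM (export it with -rfc).
openssl x509 -in "%KEYDIR%\apache.crt" -noout -subject -dates
if errorlevel 1 goto :fail

rem 3. Certificate and key belong together only if both digests are equal.
for /f "delims=" %%H in ('openssl x509 -in "%KEYDIR%\apache.crt" -noout -modulus ^| openssl md5') do set "CRT_MD5=%%H"
for /f "delims=" %%H in ('openssl rsa -in "%KEYDIR%\apache.key" -noout -modulus ^| openssl md5') do set "KEY_MD5=%%H"
if not "%CRT_MD5%"=="%KEY_MD5%" (
    echo Certificate and private key do NOT match.
    goto :fail
)

rem 4. The key file is unencrypted (-nodes): drop inherited ACLs and allow only
rem    SYSTEM (S-1-5-18, read) and Administrators (S-1-5-32-544, full control).
rem    If Apache runs under another service account, grant that account read.
icacls "%KEYDIR%\apache.key" /inheritance:r /grant:r *S-1-5-18:R *S-1-5-32-544:F
if errorlevel 1 goto :fail

rem 5. The PKCS12 copy also contains the private key; remove it when done.
del "%P12%"
echo apache.key and apache.crt verified and locked down.
exit /b 0

:fail
echo Check failed; do not start Apache with these files.
exit /b 1
```

Run it from an elevated CMD in the directory that holds myp12file.p12; openssl prompts for the PKCS12 import password in step 1.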



- Not specific to SSL, but can be helpful in this context:

  In contrast to Tomcat, it is not possible to access http(s)://<servername>/BOE/BI/ or /BOE/CMC/,

  while using the default bobj.BOE.conf, created by the WDeploy Split Deployment.

  If you need that working, add the following parameters at the end of bobj.BOE.conf in <Apache root>\conf:

JkMount /BOE/CMC/ ajp13

JkMount /BOE/BI/ ajp13

Improving Apache logging


By default, Apache writes logs until the disk is full,

which is not a desirable behavior in a production environment.

In this simple example, we limit error.log, access.log and deflate_log.log

to write max. 10 files with 50 MB each, overwriting old files (like a ring buffer).

This is done with the help of rotatelogs, which is contained in <Apache root>\bin:


- Open httpd.conf, located in <Apache root>\conf

- Deactivate the following lines by commenting them with #:

ErrorLog "logs/error.log"

CustomLog "logs/access.log" common

- After that, add each of the following lines below the corresponding line deactivated in the previous step:

ErrorLog "|bin/rotatelogs.exe -n 10 logs/error.log 50M"

CustomLog "|bin/rotatelogs.exe -n 10 logs/access.log 50M" common


- Open httpd-bi41.conf, located in <Apache root>\conf\extra

- Deactivate the following lines by commenting them with #:

LogFormat '"%r" %b (%{ratio}n) "%{User-agent}i"' deflate

CustomLog logs/deflate_log.log deflate

- After that, add each of the following lines below the corresponding line deactivated in the previous step:

LogFormat '"%r" %b (%{ratio}n%%) "%{User-agent}i"' deflate

CustomLog "|bin/rotatelogs.exe -n 10 logs/deflate_log.log 50M" deflate


- The LogFormat change adds a % character after the deflate ratio, for better readability of the deflate_log.log.

  This can be further modified, see mod_deflate - Apache HTTP Server for more details.


- Restart Apache


Now we have configured a simple log rotation.

If you want to do more sophisticated things, have a look at cronolog,
also mentioned in the Apache documentation:

Log Files - Apache HTTP Server


I hope this helps some of you


Regards

Moritz



(Sorry for not providing any screenshots, but since this topic covers collection of sensitive information,

I didn't want to add some of our original systems)
