on 11-12-2013 12:57 PM
Hello Colleagues,
I am trying to set up SSL in BI 4.1. In the Admin guide we have the first step as:
8.13.2 Setting up SSL when the certificate is managed by a certificate authority
When setting up SSL for server communication, follow these steps if the certificate is managed by a
certificate authority.
1. Export your desired certificate with its private key to PKCS #12 (.PFX) format. This will be used as the certificate for the certificate authority.
What does this mean? Do I need the CA certificate with its Private key?
If I have private key of the CA then I can behave as the CA itself!
Normally I generate my CSR and get it signed from the CA and then import both signed server cert + CA cert. Then SSL should work.
Thanks and Regards,
Nitin
Hi Nitin,
Please follow the below steps, which should help in case the application server at your side is Tomcat:
1. Execute the following from a command line to create a .keystore file:
<Installation Directory>:\Program Files (x86)\SAP Business Objects\SAP Business Objects Enterprise XI 4.0\win64_x64\jdk\bin\keytool -genkey -alias tomcat -keyalg RSA
2. Upon executing the above command, you will be prompted for a keystore password, your full name, organizational unit, organization, city, state and country. At the end, you will be prompted for the keystore password again. This has to be the same password as the password you entered previously. Newer versions of the keytool will prompt you to hit ENTER to keep it the same.
3. Once finished, a self-signed .keystore file will have been created in your user's home directory:
For example: C:\Users\Administrator
4. Move this .keystore file from this directory to one in the Business Objects folder structure or any other folder
For example: C:\SSL
5. Browse to Tomcat's server.xml file and create a backup file:
For example: C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf
6. Open and edit the server.xml file in wordpad.
7. Uncomment the section below and add the two commands after keystorePass & keystoreFile. This section needs to reference the new location of the .keyfile and the password you specified when creating it.
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystorePass="password" keystoreFile="C:\SSL\.keystore"/>
8. Restart Tomcat and it should now be accessible using
https://Servername:8443/BOE/CMC
Regards,
Arun
I had the same confusion as Nitin had. Now I'm stuck with the CA cert display issue. I followed all the procedures as suggested by the Tomcat doc and SAP white papers; I think they are basically the same as the ones JRK and everyone else mentioned above ...
One thing I'm puzzled by is the CA cert provided by our IT group. It says the issuer is VeriSign on the top, but the Distribution Points is URI:http://sd.symcb.com/sd.crl and Authority Information Access are URIName: http://sd.symcd.com and URIName: http://sd.symcb.com/sd.crt
Could anyone help please?
Thanks a lot!
Yu
1. Export your desired certificate with its private key to PKCS #12 (.PFX) format. This will be used as the certificate for the certificate authority.
What does this mean? Do I need the CA certificate with its Private key?
While creating a CA certificate, a private key is a basic requirement. So the answer would be yes; otherwise it won't serve the purpose of a secure socket.
If I have private key of the CA then I can behave as the CA itself!
Having a private key does not mean that you have the necessary authorization at user level (where the keystore has been created)
If you have the rights available at the locations where the keystore has been created, I would say yes, you would be co-owner of the certificate and hence can make changes to the same. Usually a certificate authority would not give such rights to any other user.
Normally I generate my CSR and get it signed from the CA and then import both signed server cert + CA cert. Then SSL should work
Yes it would work, CA actually defines the roles needed (authentication / validity of source) for the particular application to specific level in the domain / network.
Hope these answer your queries.
For a better understanding of how a CA is issued, check http://en.wikipedia.org/wiki/Certificate_authority
What I mean is, generally you cannot get the private key of the CA. It would not be allowed.
Suppose I get the private key of the CA; then I can sign the certificate.
This is what is mentioned in the BI 4.1 guide. You get the CA cert + private key. Then you generate the CSR. Now you do not need to send it to the CA; you can sign it yourself (Step 7 under section 8.13.2).
This, I guess, should not be the correct procedure.
keystoreFile is required for configuring SSL.
SSL will also work with keystoreFile. Additional certificates are based on your organization.
A few organizations will have additional web hosting certificates (which will be managed by a CA). In that case those certificates need to be imported into the keystoreFile to have all the organization's standards in the SSL.
Once you get the additional certificates from the CA, you can import those certificates (entrust, root, intermediate, etc.) into the keystore.
Currently we have same setup and it is working fine.
Let me know if you need any additional details.
Hi Guys,
Thanks for your reply. I know those steps and notes you provided.
But my specific question is regarding the step mentioned in the Admin guide. As I mentioned in my original question, I want to find out what the Guide means with the step I mentioned above.
Regards,
Nitin
Are you looking to set up SSL for only Tomcat? If yes, then please check the below SAP note
1648573 - How to Configure SSL on Tomcat in BI 4.0
If you are looking to set up SSL for Tomcat and SIA, please check the below
http://blog.davidg.com.au/2012/12/setting-up-ssl-for-tomcat-and-sia-in-6.html
Hi Guys,
I did everything JRK and Arun mentioned above.
The browser always displays a certificate error when accessing the CMC or LaunchPad login page with https (port 8443). When I view the certificate from the browser, it only shows the self-signed certificate, not the one managed by the CA (VeriSign). Could you please provide some suggestions here?
Thanks!
Yu