
How to enable SSL (corba) on BI4 platform on UNIX systems

Purpose

This document provides SAP BusinessObjects administrators with a step-by-step procedure to set up SSL protocol for server communication (corba) in the BI4 Platform.

Overview

The BI Platform provides you with the ability to use the Secure Socket Layer (SSL) protocol for all network communication between clients and servers in the BI Platform deployment. To set up SSL for all server communication, you will need to perform the following high-level steps:

  1. Create Key and Certificate Files for each machine in your deployment
  2. Configure the location of these files in Central Configuration Manager (CCM) or equivalent in UNIX platform
  3. Configure SSL protocol for your web application servers
  4. Configure SSL protocol for client workstations for Thick clients (Crystal Reports or Designer)

Create Key and Certificate files for each machine in your deployment

To set up the SSL protocol for server communication, use the SSLC command line tool to create key and certificate files for each machine in your deployment. Before creating these files, note the following:

  • In this document, a standalone deployment of BI4 platform SP04 on a RedHat Linux (RHEL 5) using Tomcat 6 is used as a reference deployment
  • For a more comprehensive list of notes, refer to the BI Platform Administrator Guide
  1. Start by sourcing the BOE-specific environment variables by running the following script:
    [bobje@BI40 linux_x64]$ cd /usr/sap/bi4/sap_bobj/setup
    [bobje@BI40 setup]$ . ./env.sh

  2. Creating CA keys & certificates: run the SSLC command as follows to create the CA key and certificate request:

    [bobje@BI40 setup]$ cd /usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64
    [bobje@BI40 linux_x64]$ ./sslc req -config sslc.cnf -new -out cacert.req
    Using configuration from sslc.cnf
    Loading 'screen' into random state -Generating a 1024 bit RSA private key
    ........+++++
    ..........+++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:  password
    -----
    You will be prompted to enter information to incorporate
    into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter '.', to leave the field blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:GA
    Locality Name (eg, city) []:Atlanta
    Organization Name (eg, company) [Some-Organization Pty Ltd]:SAP
    Organizational Unit Name (eg, section) []:AGS
    Common Name (eg, YOUR name) []:SAP
    Email Address []:xyz@abc.org
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:No
    string is too short, it must be at least 4 bytes long
    A challenge password []:FALSE
    An optional company name []:
    [bobje@BI40 linux_x64]$


    This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a
    private key (privkey.pem).
    -rw-rw-r--  1 bobje bobje      963 Aug 30 13:20 privkey.pem
    -rw-rw-r--  1 bobje bobje      696 Aug 30 13:20 cacert.req


  3. To decrypt the private key, type the following command
    [bobje@BI40 linux_x64]$ sslc rsa -in privkey.pem -out cakey.pem
    read RSA private key
    Enter PEM pass phrase: password
    writing RSA private key

    This command creates the decrypted key, cakey.pem
    -rw-rw-r--  1 bobje bobje      887 Aug 30 13:26 cakey.pem

  4. To sign the CA certificate, type the following command:

    [bobje@BI40 linux_x64]$ sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365
    Signature OK
    subject=/C=US/ST=GA/L=Atlanta/O=SAP/OU=AGS/CN=SAP/EMAIL=xyz@abc.org
    Obtaining Private key



    This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose
    the number of days that suits your security needs.
    -rw-rw-r--  1 bobje bobje      867 Aug 30 13:29 cacert.pem


  5. Place the cakey.pem and cacert.pem files in the directories specified by the sslc.cnf file.
    By default, the settings in the sslc.cnf file are:
    certificate = $dir/cacert.pem
    private_key = $dir/private/cakey.pem

  6. Create a file with the name specified by the sslc.cnf file's database setting.
    By default, this file is
    $dir/index.txt

    The file should be empty.

  7. Create a file with the name specified by the sslc.cnf file's serial setting
    By default, this file is
    $dir/serial.


    Note: To ensure that you can create and sign more certificates, choose a large hexadecimal number with an even number of digits, such as 11111111111111111111111111111111.
  8. Create the directory specified by the sslc.cnf file's new_certs_dir setting.
    By default, this is
    $dir/newcerts


    At this stage, your directory structure should look like this:
    [bobje@BI40 demoCA]$ ls
    cacert.pem  cakey.pem  newcerts  privkey.pem
    cacert.req  index.txt  private   serial

  9. Creating server keys & certificates: to create a certificate request and a private key, type the following command:

    [bobje@BI40 linux_x64]$ sslc req -config sslc.cnf -new -out servercert.req
    Using configuration from sslc.cnf
    Loading 'screen' into random state -Generating a 1024 bit RSA private key
    .....................+++++
    ............................+++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase: password
    Verifying password - Enter PEM pass phrase:
    Verify failure
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You will be prompted to enter information to incorporate
    into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter '.', to leave the field blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:GA
    Locality Name (eg, city) []:Atlanta
    Organization Name (eg, company) [Some-Organization Pty Ltd]:SAP
    Organizational Unit Name (eg, section) []:AGS
    Common Name (eg, YOUR name) []:SAP
    Email Address []:xyz@abc.org
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:FALSE
    An optional company name []:


    The certificate and key files generated are placed under the current working folder.
    -rw-rw-r--  1 bobje bobje      696 Aug 30 13:46 servercert.req
    -rw-rw-r--  1 bobje bobje      963 Aug 30 13:46 privkey.pem

  10. Run the following command to decrypt the key in the privkey.pem file.
    [bobje@BI40 linux_x64]$ sslc rsa -in privkey.pem -out server.key
    read RSA private key
    Enter PEM pass phrase:
    writing RSA private key


    This results in server.key being generated:
    -rw-rw-r--  1 bobje bobje      696 Aug 30 13:46 servercert.req
    -rw-rw-r--  1 bobje bobje      963 Aug 30 13:46 privkey.pem
    -rw-rw-r--  1 bobje bobje      891 Aug 30 13:51 server.key

  11. To sign the certificate with the CA certificate, type the following command:
    sslc ca -config sslc.cnf -days 365 -out servercert.pem -in servercert.req


    [bobje@BI40 linux_x64]$ sslc ca -config sslc.cnf -days 365 -out servercert.pem -in servercert.req
    Using configuration from sslc.cnf
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'GA'
    localityName          :PRINTABLE:'Atlanta'
    organizationName      :PRINTABLE:'SAP'
    organizationalUnitName:PRINTABLE:'AGS'
    commonName            :PRINTABLE:'SAP'
    emailAddress          :IA5STRING:'xyz@abc.org'
    Certificate is to be certified until Aug 30 17:53:32 2013 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Database Updated

    This command creates the servercert.pem file, which contains the signed certificate.
    -rw-rw-r--  1 bobje bobje     2947 Aug 30 13:53 servercert.pem
    drwxrwxr-x  4 bobje bobje     4096 Aug 30 13:53 demoCA

  12. Use the following commands to convert the certificates to DER encoded certificates:
    sslc x509 -in cacert.pem -out cacert.der -outform DER
    sslc x509 -in servercert.pem -out servercert.der -outform DER


    [bobje@BI40 linux_x64]$ sslc x509 -in cacert.pem -out cacert.der -outform DER
    [bobje@BI40 linux_x64]$ sslc x509 -in servercert.pem -out servercert.der -outform DER


    Result: the following files are created:
    -rw-rw-r--  1 bobje bobje      599 Aug 30 13:58 cacert.der
    -rw-rw-r--  1 bobje bobje      652 Aug 30 13:58 servercert.der

    Note:  The CA certificate (cacert.der) and its corresponding private key (cakey.pem) need to be
    generated only once per deployment. All machines in the same deployment must share the same
    CA certificates. All other certificates need to be signed by the private key of any of the CA certificates.
  13. Create a text file (passphrase.txt) for storing the plain-text passphrase used for decrypting the generated private key.
    This file contains the same passphrase used throughout the process, e.g. password:
    -rw-rw-r--  1 bobje bobje        9 Aug 30 14:03 passphrase.txt

  14. Store the following key and certificate files together in one secure directory (for example d:/ssl) that can be accessed by the machines in your BI platform deployment:
    • the trusted certificate file (cacert.der)
    • the generated server certificate file (servercert.der)
    • the server key file (server.key)
    • the passphrase file (passphrase.txt)

      This location will be used to configure SSL for the CCM and your web application server.
      In the reference environment, these files reside in the
      <BI4_install>/sap_bobj/enterprise_xi40/<os>_x64 folder (for example: /usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64).
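The directory layout in steps 5-8 and the file set in step 14 are easy to get slightly wrong (an odd-length serial, a non-empty index.txt, a world-readable key). The POSIX shell script below is an added example, not code from the original page or from the BI platform: it creates the layout that the sslc.cnf defaults quoted above expect and checks the permissions on server.key and passphrase.txt. The function names and the demoCA path are assumptions.

```shell
# prepare_ca_dir DIR SERIAL
# Creates DIR/private (mode 700), DIR/newcerts, an empty index.txt and the
# serial file that the sslc.cnf defaults expect. A serial that is not
# hexadecimal or has an odd number of digits is refused, because sslc ca
# needs an even-length hex serial to keep issuing certificates.
prepare_ca_dir() {
    dir=$1; serial=$2
    case $serial in
        ""|*[!0-9A-Fa-f]*) echo "serial must be hexadecimal" >&2; return 1 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] ||
        { echo "serial needs an even number of digits" >&2; return 1; }
    mkdir -p "$dir/private" "$dir/newcerts" || return 1
    chmod 700 "$dir/private"            # cakey.pem is kept here
    : > "$dir/index.txt"                # the database: must exist and be empty
    printf '%s\n' "$serial" > "$dir/serial"
}

# check_private_files DIR
# server.key is stored decrypted (step 10) and passphrase.txt holds the
# passphrase in clear text (step 13), so wherever step 14 places them they
# must not be readable by group or others (mode 600).
check_private_files() {
    dir=$1; rc=0
    for f in server.key passphrase.txt; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; continue; }
        # columns 5-10 of ls -l are the group/other permission bits
        case $(ls -l "$dir/$f" | cut -c5-10) in
            ------) ;;
            *) echo "$dir/$f is readable by group/others: chmod 600 it" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Example calls (paths are assumptions; the serial is the one suggested in step 7):
# prepare_ca_dir /usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64/demoCA \
#     11111111111111111111111111111111
# check_private_files /usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64
```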

Configure the SSL protocol for BI server on Unix platform

On Unix, the SSL protocol is configured for each SIA with the serverconfig.sh script.
This script provides a text-based program that enables you to view server information and to add and delete servers from your installation.
The serverconfig.sh script is installed in the sap_bobj directory of your installation.

  1. Use the ccm.sh script to stop the SIA and all the SAP BusinessObjects servers.
  2. Run the serverconfig.sh script.
  3. Select 3 - Modify Node, and press Enter.
  4. Specify the target SIA and press Enter.
  5. Select the 1 - Modify Server Intelligence Agent SSL configuration option.
  6. Select ssl.
  7. If your BI platform deployment is an SIA cluster, repeat steps 1-6 for each SIA.
  8. Start the SIA with the ccm.sh script and wait for the servers to start.
    When prompted, specify the values relevant to your deployment; in the reference environment they were:

    Enter the directory that holds the SSL certificates
    /usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64

    Enter the server's SSL Certificate file
    servercert.der

    Enter the SSL Trusted Certificate File
    cacert.der

    Would you like to enter more SSL Trusted Certificates
    []2- no

    Enter the SSL Private Key File
    server.key

    Enter the SSL Private Key Passphrase File
    passphrase.txt

    Changes complete. Do you want to exit or return to the main menu?
    quit

To confirm your SSL configuration:

  • Start the BI4 servers using the startservers script:
    [bobje@BI40 sap_bobj]$ ./startservers
    Starting all servers...
    Starting BI40...

    The SIA and CMS servers should start without any issues.

Configure the SSL protocol for Web Application server (Java)

To configure a J2EE Web Application Server for this SSL Protocol, run the Java SDK with the following system properties set.

-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=d:\ssl -DtrustedCert=cacert.der -DsslCert=clientcert.der -DsslKey=client.key -Dpassphrase=passphrase.txt

In a default installation with Tomcat, you can do this by adding the properties to JAVA_OPTS, either in the bobje/setup/env.sh script or in the setenv.sh script within the tomcat/bin folder:

-Dbusinessobjects.orb.oci.protocol=ssl -DcertDir=/usr/sap/bi4/sap_bobj/enterprise_xi40/linux_x64 -DtrustedCert=cacert.der -DsslCert=servercert.der -DsslKey=server.key -Dpassphrase=passphrase.txt
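This property line is fragile: a space after an `=` (for example `-DsslCert= servercert.der`) leaves that property empty and hands the file name to the JVM as a stray argument, and a file name that does not exist under certDir only fails at start-up. The shell function below is an added example, not part of the page or the product; it lints a JAVA_OPTS string for the properties named above and checks that the referenced files exist under certDir. The function name is an assumption.

```shell
# check_orb_ssl_opts "JAVA_OPTS string"
# Returns 0 when businessobjects.orb.oci.protocol is ssl, the other five
# properties are present with non-empty values, and the referenced files
# exist under certDir. Each problem found is reported on stderr.
check_orb_ssl_opts() {
    opts=$1; rc=0
    protocol=; certdir=; trusted=; cert=; key=; pass=
    for tok in $opts; do
        case $tok in
            -Dbusinessobjects.orb.oci.protocol=*) protocol=${tok#*=} ;;
            -DcertDir=*)     certdir=${tok#*=} ;;
            -DtrustedCert=*) trusted=${tok#*=} ;;
            -DsslCert=*)     cert=${tok#*=} ;;
            -DsslKey=*)      key=${tok#*=} ;;
            -Dpassphrase=*)  pass=${tok#*=} ;;
            -*) ;;   # other JVM options (-Xmx, unrelated -D...) are fine
            *) echo "stray token '$tok': a -D value may not contain a space" >&2; rc=1 ;;
        esac
    done
    [ "$protocol" = ssl ] ||
        { echo "businessobjects.orb.oci.protocol must be ssl" >&2; rc=1; }
    for pair in certDir:$certdir trustedCert:$trusted sslCert:$cert \
                sslKey:$key passphrase:$pass; do
        [ -n "${pair#*:}" ] || { echo "-D${pair%%:*} is missing or empty" >&2; rc=1; }
    done
    if [ -n "$certdir" ]; then
        for f in $trusted $cert $key $pass; do
            [ -f "$certdir/$f" ] || { echo "$certdir/$f not found" >&2; rc=1; }
        done
    fi
    return $rc
}

# Check the value Tomcat will actually see, e.g. after sourcing setenv.sh:
if [ -n "${JAVA_OPTS:-}" ]; then
    check_orb_ssl_opts "$JAVA_OPTS" || echo "fix JAVA_OPTS before starting Tomcat" >&2
fi
```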


To confirm your SSL configuration, when the web application server starts up:

  1. You should be able to log in to your CMC.
  2. The CMS properties in the CMC will include the entry "-protocol ssl", as shown in the screenshot below.



Configure the SSL protocol for clients (Thick clients)

  1. To configure thick clients, copy the four files from step 14 (cacert.der, servercert.der, server.key and passphrase.txt) from the BI4 UNIX server to a folder on the client machine (C:\bi4sslsv in this example) and run sslconfig as follows.

    TIP: to avoid corrupting the binary files in transfer, on the UNIX box copy them into a folder, tar the folder, copy the archive to the Windows client and extract it there with WinZip or WinRAR.



  2. Then bring up the CMD window on your client and run the following command

    Change directory to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86 (or the equivalent location on your machine):

    C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86>sslconfig.exe -dir C:\bi4sslsv -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl


    **********************
    COM/.Net SDK
    **********************
    ===== Begin SSL configuration =====
    ===== End SSL configuration =====
    ===== Begin Current SSL Settings =====
    CommunicationProtocol = ssl
    SSLCertDirectory = C:\bi4sslsv
    SSLCertificate = servercert.der
    SSLTrustCertificate = cacert.der
    SSLKey = server.key
    SSLPassphrase = passphrase.txt
    ===== End Current SSL Settings =====


  3. Once the command has run, you can log in from the thick clients on your client machine, as shown in the screenshots below.



  4. For the Information Design Tool (IDT):
    Edit the configuration file InformationDesignTool.ini, adding the arguments listed below (see the snapshot).




    -Dbusinessobjects.orb.oci.protocol=ssl
    -DcertDir=C:\bi4sslsv
    -DtrustedCert=cacert.der
    -DsslCert=servercert.der
    -DsslKey=server.key
    -Dpassphrase=passphrase.txt
    -jar program.jar

  5. Save the file, restart IDT and log in; the snapshot below shows that the login works as well.



Related Content

Related Documents

Business Intelligence Platform Administrator Guide

Related SAP Notes/KBAs

SAP Note: 1722634  How to configure SSL for Information Design Tool (IDT) and Translation Management Tool (TMT)

1 Comment

  1. Guest

    Thanks, Shiva, for this very crisp and clear step by step explanation.