
Introduction

This tool is intended to simplify the process of securing BI Platform communication between clients and BI Platform, and between BI Platform processes. It uses the Java keytool to generate the files for HTTPS, and a combination of keytool, sapgenpse and the Bouncy Castle Java library to create the files for Corba SSL. The tool strives to use default values that are applicable to most deployments; however, administrators should review the settings used with their IT/security teams and consider using the referenced tools directly for more control over the results. The tool logs all commands it runs to the folder where the files are generated*. It can be used to create self-signed certificates, or certificate signing requests that can be signed by a CA and imported. The tool has been tested on 64-bit Windows platforms only. Corba SSL configuration is limited to server-side configuration, and does not include any functionality for thick client configuration.

*This does not include the conversion of the private key from PKCS#8 to PKCS#1 format.

This tool is not directly supported by SAP Support, and issues arising from the use of the tool should be put into the comments section below.

Changelog

Date: Mar. 22, 2021
Changes:
  • Split into multiple individual .zip files, to avoid multi-part zip problems
  • Changed HTTPS wizard to support CN values with spaces
Disclaimer

All screenshots were created on test systems, and any resemblance to any productive system is purely coincidental. Although Tomcat is bundled with BI Platform, it is considered a third party application and support is subject to restrictions as outlined in KBA 2280098.

Release Restrictions
  • There is no support for Windows magnification, and text fields may not display correctly. Please run the tool at 100% scaling
  • Full-screening the tool will cause the background to tile
  • There is no provision for automation/scripting of the program at this time
  • The tool is provided as a runnable .jar file
Installation
  1. Download sslWizard.zip, lib1.zip and lib2.zip
  2. Extract sslWizard.zip
  3. Extract lib1.zip and lib2.zip to sslWizard/sslWizard_lib
  4. Run sslwizard.jar

Requirements

HTTPS

  • Tomcat 8.5 or 9

CORBA SSL

  • BI Platform 4.2 SP05+

HTTPS

Overview

The HTTPS configuration wizard permits the generation of a self-signed certificate or a certificate signing request for a certificate authority, the import of signed certificates, and the configuration of the server.xml file. HTTPS is used to secure communication between Tomcat and a user's browser for applications such as BI Launchpad and CMC.

Default Settings

These settings will be used when a self-signed certificate and the default BI Platform Tomcat are used. When using a CA, some of these parameters may vary.

  • Key Algorithm: RSA
  • Key Size: 2048 (4096 for self-signed CA)
  • Validity: 3650 days - Note: Although this is the requested validity length, the CA/Browser Forum industry body permits a maximum of 825 days, and many CAs will issue a certificate with a shorter validity in response to a longer request
  • Certificate Signature Algorithm: SHA256RSA
  • Keystore format: PKCS#12 (.pfx)
  • SSL/TLS level: TLSv1.2 only
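
Added example, not part of this page and not the SSL Wizard's own code: the keytool commands that produce the defaults listed above by hand, for administrators who want to review or regenerate them with the underlying tool. The distinguished name is passed to keytool as a single quoted argument, which is what avoids the space-in-OU/O problem reported in the comments. The output directory, alias names, passwords, CN values and the added SAN extension are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example; not the SSL Wizard's own code. Reproduces the wizard's documented
# HTTPS defaults with keytool so the results can be reviewed or regenerated by hand.
# Assumed placeholders: output directory, passwords, alias/CN values, SAN extension.

VALIDITY_DAYS=3650      # requested validity; a public CA may issue less (see Default Settings)
CA_ALIAS=sslwizardca    # assumed alias for the self-signed CA entry

# Build the X.500 name for -dname. Empty optional fields are skipped. The result is
# handed to keytool as ONE argument ("$dn"), so values containing spaces are safe;
# unquoted, "OU=BI Platform" would be split into two arguments and keytool fails.
build_dname() {  # $1 CN  $2 OU  $3 O  $4 L  $5 ST  $6 C (two-letter country code)
  dn="CN=$1"
  [ -n "$2" ] && dn="$dn, OU=$2"
  [ -n "$3" ] && dn="$dn, O=$3"
  [ -n "$4" ] && dn="$dn, L=$4"
  [ -n "$5" ] && dn="$dn, ST=$5"
  [ -n "$6" ] && dn="$dn, C=$6"
  printf '%s' "$dn"
}

# Self-signed CA (RSA 4096): SSLWizardCA.pfx holds the CA key, SSLWizardCA.cer is the
# certificate to place in client trust stores. bc:c marks it as a CA (BasicConstraints).
gen_ca() {  # $1 output dir  $2 keystore password (6+ characters)
  keytool -genkeypair -alias "$CA_ALIAS" -keyalg RSA -keysize 4096 \
    -sigalg SHA256withRSA -validity "$VALIDITY_DAYS" \
    -dname "CN=SSLWizardCA" -ext bc:c \
    -storetype PKCS12 -keystore "$1/SSLWizardCA.pfx" -storepass "$2" -keypass "$2"
  keytool -exportcert -alias "$CA_ALIAS" -keystore "$1/SSLWizardCA.pfx" \
    -storepass "$2" -file "$1/SSLWizardCA.cer"
}

# Server key pair (RSA 2048) in <server>.pfx plus the CSR <server>.p10. The CSR is what
# goes to a commercial CA; in the self-signed path it is signed locally below.
gen_server() {  # $1 output dir  $2 server name  $3 keystore password  $4 dname
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity "$VALIDITY_DAYS" -dname "$4" \
    -ext "san=dns:$2" \
    -storetype PKCS12 -keystore "$1/$2.pfx" -storepass "$3" -keypass "$3"
  keytool -certreq -alias "$2" -keystore "$1/$2.pfx" -storepass "$3" -file "$1/$2.p10"
}

# Sign the CSR with the local CA and install CA + server certificate into <server>.pfx,
# so the keystore contains the full chain Tomcat will present.
sign_with_ca() {  # $1 output dir  $2 server name  $3 server keystore pw  $4 CA keystore pw
  keytool -gencert -alias "$CA_ALIAS" -keystore "$1/SSLWizardCA.pfx" -storepass "$4" \
    -validity "$VALIDITY_DAYS" -ext "san=dns:$2" \
    -infile "$1/$2.p10" -outfile "$1/$2.cer"
  keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$1/SSLWizardCA.cer" \
    -keystore "$1/$2.pfx" -storepass "$3"
  keytool -importcert -alias "$2" -file "$1/$2.cer" \
    -keystore "$1/$2.pfx" -storepass "$3" -keypass "$3"
}

# Print what is actually in a keystore (chain length, key size, signature algorithm)
# for the review with the IT/security team that the Introduction recommends.
show_keystore() {  # $1 keystore  $2 password
  keytool -list -v -keystore "$1" -storepass "$2"
}

# Usage (self-signed path; "demoServer" follows the page's example file names):
#   dn=$(build_dname demoServer "BI Platform" "Example Org" "" "" US)
#   gen_ca ./certs secret1 && gen_server ./certs demoServer secret1 "$dn"
#   sign_with_ca ./certs demoServer secret1 secret1
#   show_keystore ./certs/demoServer.pfx secret1
```

For the CA-signed path, stop after gen_server, send the .p10 to the CA, and import the returned root and server certificates with the same two -importcert commands used in sign_with_ca. The -list -v output is the place to confirm that the key size, signature algorithm and validity the CA actually issued match what was requested.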

Instructions

Required Steps


  1. Start the wizard
    1. Select, or enter, a directory where the certificates and CA certificates will be stored.
    2. Select HTTPS
    3. Choose whether or not to generate Self-Signed Certificates and click "Start Wizard"
  2. Self-signed only - If not using self-signed certificates, go to step 3
    1. Select a folder where the self-signing certificate authority keystore and certificate will be created, and enter a 6+ character password to protect the keystore. The same CA keystore directory and password should be used if configuring multiple Tomcat servers using self-signed certificates
    2. Click "Next"
    3. Two files will be created, a keystore (SSLWizardCA.pfx) and certificate (SSLWizardCA.cer). This certificate can be imported into any client machine's trusted root certificate authority stores to avoid browser warnings. This should only be done once per landscape, and the same files can be reused across multiple landscapes
  3. Generate the server keystore
    1. Select a folder where the tool will create the certificates and keystore.
    2. Enter the server name used for the certificate and a 6+ character password used to protect the keystore.
    3. Enter any of the optional parameters if required
      Optional parameters: Organizational Unit, Organization, Location, State, Country
      Note: The optional parameters entered must constitute a valid LDAP name. Notably, C should be a 2 letter country code.
    4. Click "Generate"
      1. Self-signed: A keystore (demoServer.pfx) file is created in the certificate output directory
      2. CA signed: A certificate signing request (demoServer.p10) and keystore (demoServer.pfx) file are created in the certificate output directory
      3. Provide demoServer.p10 to your certificate authority to sign
  4. CA Signed Certificates Only - If using self-signed certificates, go to step 5
    1. Select the signed certificate, and the root CA certificate provided by your Certificate Authority.
    2. Click "Next"
  5. Configure Tomcat
    1. Follow the instructions on screen to copy the keystore (<servername>.pfx) to the Tomcat server and modify the <keystorePath> entry in the copied text
    2. Click the "i" information button for an example of what this should look like
    3. Save server.xml and restart Tomcat
    4. Check that the HTTPS URL is accessible (A browser warning may appear if not using CA signed certificates, but choosing to continue will allow you to access the webpage)
    5. Click "Next" to receive instructions on disabling HTTP

Optional Steps

Disable HTTP by redirecting HTTP to HTTPS
  1. Follow the instructions displayed to modify web.xml
  2. Restart Tomcat and check that the HTTP URL redirects to HTTPS
Avoiding browser certificate warnings when using self-signed certificates
  1. Copy BIPSTCA.cer to the client machine where the browser warning appears
  2. Install the certificate into Trusted Root Certification Authorities
  3. Restart the browser
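
An added example, not the text the wizard displays for you in the server.xml and web.xml steps above: a Tomcat 8.5/9 HTTPS connector that applies the defaults listed under Default Settings (PKCS#12 keystore, TLSv1.2 only), the web.xml constraint that redirects HTTP to HTTPS, and a check against the running server that only TLSv1.2 is accepted. The keystore path, password, alias and ports are placeholders; the attribute names the wizard's own generated text uses may differ.

```shell
#!/bin/sh
# Added example, not generated by the SSL Wizard. Emits the Tomcat 8.5/9 configuration
# matching the page's HTTPS defaults and probes a listener for accepted TLS versions.
# Assumed placeholders: keystore path/password/alias, ports, host names.

# HTTPS <Connector> for server.xml. SSLHostConfig protocols="TLSv1.2" is what enforces
# the "TLSv1.2 only" default; adding TLSv1 or TLSv1.1 here weakens it.
# The HTTP connector should carry redirectPort="<https port>" so the constraint below works.
https_connector() {  # $1 keystore path  $2 keystore password  $3 key alias  $4 https port
  cat <<EOF
<Connector port="$4" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="$1"
                     certificateKeystorePassword="$2"
                     certificateKeystoreType="PKCS12"
                     certificateKeyAlias="$3"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}

# web.xml security-constraint: every plain-HTTP request matching /* is answered with a
# redirect to the HTTPS connector (the HTTP connector's redirectPort).
http_to_https_constraint() {
  cat <<'EOF'
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
EOF
}

# Returns 0 when the listener completes a handshake with the given protocol version.
tls_version_accepted() {  # $1 host  $2 port  $3 openssl s_client flag: -tls1_2, -tls1_1, -tls1
  openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# Expected result with the defaults above: TLSv1.2 accepted, TLSv1.0 and 1.1 refused.
check_tls12_only() {  # $1 host  $2 port
  if ! tls_version_accepted "$1" "$2" -tls1_2; then
    echo "TLSv1.2 refused by $1:$2"; return 1
  fi
  for v in -tls1 -tls1_1; do
    if tls_version_accepted "$1" "$2" "$v"; then
      echo "$v still accepted by $1:$2"; return 1
    fi
  done
  echo "$1:$2 accepts TLSv1.2 only"
}

# Usage:
#   https_connector conf/demoServer.pfx secret1 demoServer 8443   # paste into server.xml
#   http_to_https_constraint                                      # paste into web.xml
#   check_tls12_only bi.example.internal 8443                     # after the Tomcat restart
```

The older Connector attributes (keystoreFile, keystorePass, sslEnabledProtocols) are still accepted by Tomcat 8.5/9, so the wizard's copied text and this form can coexist on different connectors but should not be mixed on one. Because the keystore password sits in clear text in server.xml, keep that file readable only by the Tomcat service account. If the local openssl was built without TLSv1.0/1.1 support, check_tls12_only reports those versions as refused regardless of the server; run it from a host whose openssl supports them when the result matters.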

CORBA SSL

Overview

The Corba SSL wizard permits generation of the files required for CORBA SSL. Corba SSL is used to secure communication between BI Platform servers, between BI Platform servers and Tomcat, and between BI Platform servers and thick clients such as the Central Configuration Manager, Crystal Reports 201x, etc.

Default Settings

These settings are used when self-signed certificates are used. When using a CA, some of these parameters may vary.

  • Key Algorithm: RSA
  • Key Size: 2048 (4096 for self-signed CA)
  • Validity: 3650 days - Note: Although this is the requested validity length, the CA/Browser Forum industry body permits a maximum of 825 days, and many CAs will issue a certificate with a shorter validity in response to a longer request
  • Certificate Signature Algorithm: SHA256RSA
  • Keystore format: PKCS#12 (.pfx)
  • Private Key format: PKCS#1 (.key)
  • See Note 2433337 for details on TLS security
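
An added example, not the SSL Wizard's own code: the wizard converts the private key with the Bouncy Castle library and, as the Introduction's footnote says, does not log that step. The openssl commands below perform the equivalent conversion from the PKCS#12 keystore to the formats listed here (PKCS#1 .key, binary .der certificate, passphrase file), so the files can be produced or checked by hand. File names, passwords, the AES cipher used to protect the .key file and the assumption that passphrase.txt holds the passphrase as a single line are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not the SSL Wizard's own code. Converts a PKCS#12 keystore into the
# CORBA SSL file formats from the Default Settings list using openssl.
# Assumed: file names, passwords, AES-256 as the .key cipher, passphrase.txt = one line.

# Distinguish the two PEM encodings by header:
#   PKCS#8: -----BEGIN PRIVATE KEY-----      (what keytool/openssl export)
#   PKCS#1: -----BEGIN RSA PRIVATE KEY-----  (what the CORBA SSL .key file uses)
key_format() {  # $1 PEM file; prints pkcs1, pkcs8 or unknown
  if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
  elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  else echo unknown; fi
}

# Re-encode an unencrypted PKCS#8 key as passphrase-protected PKCS#1. OpenSSL 3 writes
# PKCS#8 by default and needs -traditional; OpenSSL 1.1 lacks the flag and writes PKCS#1.
pkcs8_to_pkcs1() {  # $1 input PEM  $2 output .key  $3 passphrase for the .key file
  if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -traditional -out "$2"
  else
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2"
  fi
}

# From <server>.pfx produce <server>.key (PKCS#1 PEM, encrypted), <server>.der (binary
# certificate, the format step 12 asks for) and passphrase.txt (assumed: the .key passphrase).
pfx_to_corba_files() {  # $1 pfx  $2 pfx password  $3 output dir  $4 server name  $5 key passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/$4.pkcs8.pem"
  pkcs8_to_pkcs1 "$3/$4.pkcs8.pem" "$3/$4.key" "$5"
  rm -f "$3/$4.pkcs8.pem"            # intermediate file holds the key unencrypted
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    | openssl x509 -outform DER -out "$3/$4.der"
  printf '%s\n' "$5" > "$3/passphrase.txt"
  chmod 600 "$3/$4.key" "$3/passphrase.txt"
}

# Confirm the converted key and the DER certificate belong together (same RSA modulus);
# returns 0 on match, which is the check to run before pointing the SIA at the files.
key_matches_cert() {  # $1 .key  $2 key passphrase  $3 .der certificate
  k=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus)
  c=$(openssl x509 -in "$3" -inform DER -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage ("demoServer" follows the page's example file names):
#   pfx_to_corba_files demoServer.pfx secret1 ./corba demoServer changeit
#   key_format ./corba/demoServer.key             # prints pkcs1
#   key_matches_cert ./corba/demoServer.key changeit ./corba/demoServer.der && echo OK
```

The CA certificate is extracted the same way with -cacerts -nokeys in place of -clcerts -nokeys; the page's note that SSLWizardCA.cer and SSLWizardCA.der are identical apart from the extension means no conversion is needed when the wizard has already written the DER copy.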

Instructions

  1. Acquire the SAP Cryptographic Library files sapgenpse.exe and sapcrypto.dll. These can be obtained from one of the following sources:
    1. Within the BI Platform Support Tool from <installdir>\BISupport\bin\resources\AuthWizard\SNC\win64
    2. From the SAP Support portal by downloading the latest version of sapcryptolib - commoncryptolib 8
    3. From a Windows BI Platform installation, inside the <installdir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64 directory
  2. Copy the two files to the sslwizard <installdir>\resources folder
  3. Select, or enter a directory where the certificates and CA certificates will be stored.
  4. Select BI Platform (CORBA) SSL
  5. Choose whether or not to generate Self-Signed Certificates and click "Start Wizard"
  6. Self-signed only - If not using self-signed certificates, go to step 8
    1. Select a folder where the self-signing certificate authority keystore and certificate will be created, and enter a 6+ character password to protect the keystore. The same CA keystore directory and password should be used if configuring multiple Tomcat servers using self-signed certificates
    2. Click "Next"
    3. Two files will be created, a keystore (SSLWizardCA.pfx) and certificate (SSLWizardCA.cer). This certificate can be imported into any client machine's trusted root certificate authority stores to avoid browser warnings. This should only be done once per landscape, and the same files can be reused across multiple landscapes
  7. Select a folder where the tool will create the certificates and keystore.
  8. Enter the server name used for the certificate and a 6+ character password used to protect the keystore. 
  9. Enter any of the optional parameters if required
  10. Note: The optional parameters entered must constitute a valid LDAP name. Notably, C should be a 2 letter country code.
  11. Optional parameters: Organizational Unit, Organization, Location, State, Country
  12. Click "Generate"
    1. Self-signed: Server certificate (demoServer.der), CA certificate (SSLWizardCA.cer and .der - both are identical besides file extension), private key (demoServer.key), PSE file (demoServer.pse), passphrase file (passphrase.txt). Go to step 15
    2. CA signed: Server certificate signing request (demoServer.p10), private key (demoServer.key), PSE file (demoServer.pse), passphrase file (passphrase.txt). 
    3. Send demoServer.p10 to your certificate signing authority to sign.
    4. Select the signed certificate and the root CA certificate provided by your Certificate Authority. The certificates should be in binary (DER) format.
    5. Click "Next"
  13. Follow the onscreen instructions to configure the SIA for SSL communication
  14. Click "Next"
  15. Follow the onscreen instructions to configure Tomcat for SSL communication
  16. Click "Finish"
  17. Note: Additional configuration will be required for thick client connectivity such as CCM and Crystal Reports. This is outside the scope of the tool, but instructions can be found here

References

  • KBA 1648573 - How to configure SSL/TLS on Tomcat in BI 4.x
  • KBA 2212795 - How to configure Tomcat to always use SSL protocol
  • Java keytool
  • Tomcat 8 Configuration Reference - SSL Support



6 Comments

  1. hm, after weeks spent discussing with IT to get a valid certificate - this is another source of hope - but the tool itself is not very well designed. Standard zip can't handle it - you need java to start and the layout is quite distorted - so without the screen shots here I would not be able to use it (wink)


  2. Nice and handy tool. The comments from Wolfgang indeed apply and it would be nice to have it a bit more convenient to unzip and use.

    One bug is in the tool although, that should be fixed ASAP please:

    If you enter text containing spaces in the LDAP attributes like ou or o, then it does not work. The keystore and cert request are not generated at all. The root cause seems to be that, in the command line the tool executes under the hood, it needs to set quotation marks around the parameter value for -dname, which is missing!

    Thanks and regards

    Harald

    1. Thank you for the feedback.

      Unfortunately I had to split the upload as the wiki limits the maximum size of uploads.
      I originally wrote this as part of the BI support tool, and it retains some quirks including some UI/text scaling issues with higher resolution displays/windows magnification settings.

      I'll update the generated command to include the quotes later this week when I have some time to test it.

      Regards,
      Leslie

    2. Hi Harald,

      Sorry about the delay, I've updated the tool to use quotes around the -dname parameter. I've also split the file into multiple zip files that should work with standard tools.

      I'll look into updating the tool for high dpi/windows magnification support when I have time.

      Regards,
      Leslie

  3. I really like the idea of this tool - our Notes, KBAs, and documentations make it hard to do simple things. This tool could be a great help. However, I found some topics which are not covered (yet?)

    • SAN names. Browsers require SAN DNS names to accept server certificates, and the generated CSR does not contain SAN attributes. Sometimes the CA is able to fix this. Maybe you could add the -ext dns:<value from server name> when creating the .p10 file.
    • Additional fields for the DN. Some companies' PKIs require special attributes to be present, like an email address. A free text field in addition to OU, O, L ... could cover this.
    • HTTPS for WACS. It is a good idea to operate other HTTP-based services with HTTPS as well, and the WACS could be easily covered. Certificates for LDAP and AD connections could be another option.

    many thanks for your work

    Joachim

  4. Very useful and handy tool. Thanks for coming up with this.