1 Landscape
The project architect requires that all HTTP communication be configured to use encryption. By default, SAP BusinessObjects uses HTTP instead of HTTPS, so enabling it involves certificates, SSL and Tomcat configuration.
The proposed landscape requires the BOBJ servers to be reachable by hostname, FQDN[1] and "n" aliases, and the certificate must be valid for every one of those names.
A simplified diagram follows:
Figure 1‑1 Simplified landscape diagram
1.1 Pre-requisites
1.1.1 Java Key tool from SAPJVM
Currently, SAP BusinessObjects 4.1 is installed with the Java supported by SAP (SAPJVM), version 1.6.0_75 (build 6.1.066 24.55-b13). With this version, Tomcat can only handle SSL connections using TLS 1.0. If TLS 1.1 or 1.2 is required, the Java component Tomcat runs on must be raised to Java 7 or higher.
The SAPJVM is located at the following path:
<drive><path chosen at installation>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin
Figure 1‑2 - SAPJVM version
Most installations use the hostname plus more than one alias. If so, some additional steps must be followed and Java 7 must be used alongside SAPJVM 6: the keystore is created with SAPJVM, the CSR with the Java 7 keytool.
1.1.2 Java Key tool from JAVA 7 or higher
The keytool of SAPJVM 6 cannot put a SAN[2] (Subject Alternative Name) in a certificate request; the -ext option that does this exists only in the keytool of Java 7 or higher. The Java 7 keytool is therefore used to generate the CSRs[3] with the SAN extension. The Java provided by SAP (SAPJVM) must not be updated; Java 7 is installed in a different folder and used only for this step. Note that since the SAN is requested, not enforced, the CA may still decide which names it will sign: an internal CA will normally accept a short hostname, whereas a public CA will not issue a certificate for a name that is not a registered domain.
Figure 1‑3 - Java 7 installed on another folder
1.1.3 Certificate authority
As the server administrator you will be able to generate the key pair and the request for the server, but you are probably not in charge of the Certificate Authority. You need to send the generated CSRs to the CA[4] and receive back the signed certificate (together with the CA's root and intermediate certificates) to import into the keystore.
2 Backup files
Before beginning the procedure, back up the following files. As good practice, copy each file twice, renaming the copies so that their purpose is clear from the name (for example one untouched original and one working copy). It is recommended to make the modifications on a renamed working copy rather than on the original, so that the original can be restored if Tomcat fails to start.
File | Description | Path |
server.xml | Tomcat main configuration | <drive><path>\SAP BusinessObjects\tomcat\conf |
web.xml | Default configuration for all web applications | <drive><path>\SAP BusinessObjects\tomcat\conf |
axis2.xml | Configuration for the Axis2 component (one copy per application) | <drive><path>\SAP BusinessObjects\tomcat\webapps\BusinessProcessBI\WEB-INF\conf and <drive><path>\SAP BusinessObjects\tomcat\webapps\dswsbobje\WEB-INF\conf |
Figure 2‑1 - Backup of server.xml and web.xml
Figure 2‑2 - Backup of axis for BPBI application
Figure 2‑3 - Backup of axis2.xml for dsws application
3 Create Keystore and CSR
3.1 Creating the Keystore
The first step is to create the keystore and generate the server's key pair in it, specifying the key size, alias and signature algorithm. To do so, type the following using the SAPJVM keytool:
keytool -genkey -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -alias <alias> -keystore <keystore path>
Figure 3‑1 - Creating the Keystore
If required by the CA, change the key size and signature algorithm in accordance with its policies. keytool asks for a keystore password and then for a key password; use the same value for both, because the Tomcat connector configured later only receives one password (keyPass defaults to keystorePass).
This procedure generates a keystore at the path specified, containing the data typed at the prompts. At the end, keytool shows the full distinguished name it will use for the certificate. Copy it to send to the CA along with the request.
CN=sapbobj.xxxx.yyy, OU=Type the OU, O=Type the Company, L=Type the city, ST=Type the province (2 letters), C=Type the country (2 letters)
3.2 Create the CSR
Once the keystore is created, you must create the CSR and send it to the CA to obtain the signed certificate. To do so, go to the Java 7 installation (its bin folder, not the SAPJVM one) and type the following. The key pair already exists in the keystore, so -keyalg and -keysize are not needed here; the -ext option is where every name the server must answer on is listed, with no spaces after each dns:. Include the FQDN used in the CN as well, because browsers match the SAN, not the CN, when a SAN is present.
keytool -certreq -alias <alias> -file <CSR output file> -keystore <keystore path> -ext SAN=dns:<hostname>,dns:<FQDN>,dns:<alias 1>,dns:<alias 2>,...
This procedure generates the file named in the -file option. Before sending it, check that the names came out as intended with keytool -printcertreq -file <CSR output file> (also a Java 7 feature). Send this file and the distinguished name to the CA to obtain the signed certificate.
3.3 Import of the Signed Certificate into Keystore
The CA will generate the signed certificate and send it back to be imported into the keystore. If the CA's root and intermediate certificates are not already trusted by the JVM, import them first, each under its own alias, with keytool -importcert -trustcacerts; otherwise the import of the server certificate fails with "Failed to establish chain from reply". Then import the server certificate under the same alias used in 3.1, so that it replaces the self-signed certificate attached to the private key, by typing the following using the SAPJVM keytool:
keytool -importcert -keystore <keystore path> -alias <alias> -file <certificate file sent by the CA>
4 Configurations
4.1 Edit server.xml
In this example Tomcat was configured to use the standard ports (HTTP on 80 and HTTPS on 443), but most installations use HTTP on port 8080. Change the ports in accordance with the project.
Using a text editor running under an account with administrator rights, edit the file server.xml, locate the Connector section and make the following modifications:
Reason | Modification |
Redirect all requests to SSL | <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/> |
Enable SSL | <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="Replace by your keystore file path" keystorePass="Replace by your password" clientAuth="false" SSLProtocol="TLSv1.1" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" maxHttpHeaderSize="65536" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"/> |
Change keystoreFile and keystorePass as required. The keystore password is stored in plaintext in server.xml, so restrict the file's permissions to the Tomcat service account and administrators. Note that Tomcat itself runs on the SAPJVM described in 1.1.1: SSLProtocol="TLSv1.1" only works on a JVM that implements TLS 1.1; on one that does not, the HTTPS connector fails to initialise and the error shows in the Tomcat logs. Per the Tomcat documentation, the JSSE attribute sslProtocol only names the SSLContext to create, while sslEnabledProtocols lists the protocol versions actually offered to clients, so use the latter if the intent is to disable old versions. The 3DES suites at the end of the cipher list are there for old clients only and are considered weak; drop them if all browsers used by the company support AES.
Figure 4‑1 - Server.xml edited
4.2 Edit web.xml
For Tomcat to redirect requests from HTTP to HTTPS, web.xml must be modified as follows. The redirectPort set on the HTTP connector in server.xml is only used for resources that a security constraint marks as CONFIDENTIAL, so without this change plain HTTP keeps working unencrypted.
Figure 4‑2 - Web.xml
Figure 4‑3 - Modifications on WEB.xml
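The modification shown in the figures is Tomcat's standard transport guarantee from the servlet specification. The fragment below is an added illustration of that mechanism, not a copy of the figure; the web-resource-name text is an assumption, and the url-pattern /* is the choice that makes the guarantee cover every application deployed on this Tomcat.

```xml
<!-- Added at the end of <drive><path>\SAP BusinessObjects\tomcat\conf\web.xml,
     just before </web-app>. Because conf\web.xml is merged into every deployed
     application, this one constraint covers all BOBJ web applications.
     A request over plain HTTP for any matching URL is answered with a redirect
     to the redirectPort of the HTTP connector (443 in the server.xml above). -->
<security-constraint>
  <web-resource-collection>
    <!-- assumed descriptive name; it has no effect on behaviour -->
    <web-resource-name>All SAP BusinessObjects web applications</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL = the request must arrive over an SSLEnabled connector -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The redirect is a plain 302 to the same path on https://, so a POST arriving over HTTP loses its body; clients and bookmarks should be switched to https:// URLs rather than relying on the redirect permanently.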
4.3 Edit axis2.xml for applications
The last part of this configuration is editing the axis2.xml of the web-service applications on Tomcat. Locate these files and edit them as follows.
..\SAP BusinessObjects\tomcat\webapps\dswsbobje\WEB-INF\conf\axis2.xml
..\SAP BusinessObjects\tomcat\webapps\BusinessProcessBI\WEB-INF\conf\axis2.xml
Figure 4‑4 - Editing axis2.xml
Copy and paste the following statements and adjust the ports to the ones chosen in server.xml:
4.4 Final Actions
Once the configuration is finished, restart Tomcat for it to take effect. The web server may take up to 5 minutes to bring all applications up. To make sure everything is fine, check the Tomcat logs regularly during the start-up; a wrong keystore path or password, or an unsupported SSLProtocol, shows up there as a failure to initialise the HTTPS connector.
Figure 4‑5 - Restart TOMCAT
5 Tests
To make sure the certificate is working properly, open a connection to the SAP BOBJ server over HTTPS on every configured name (hostname, FQDN and each alias) and check that no certificate warning appears; a warning on one name means that name is missing from the SAN. Also open the same URL over plain HTTP and confirm it is redirected to HTTPS. Do not forget to test with all browsers used by the company.
Figure 5‑1 - SSL on FQDN and Google Chrome
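The browser tests above can be scripted so they are repeated after every certificate renewal. The following Python 3 script is an added example written for this page (not part of the original document nor SAP tooling): for every name the landscape requires it performs a TLS handshake with chain and hostname verification on, as a browser would, reports the negotiated protocol and cipher, checks that the certificate's SAN covers the whole list of names, and checks that plain HTTP is redirected to https://. The names, ports, path and CA file at the top, and the sample certificate used for the offline check, are assumptions and constructed data to replace with the project's values.

```python
"""Post-deployment check for the HTTPS setup of the BOBJ Tomcat.

Added example for this page; not SAP's or Tomcat's code.  Values marked
'assumed' must be replaced with the project's own.
"""
import socket
import ssl
from http.client import HTTPConnection

# Assumed values: the names from the landscape, the ports from server.xml.
NAMES = ["sapbobj", "sapbobj.xxxx.yyy", "bi.xxxx.yyy"]
HTTPS_PORT = 443
HTTP_PORT = 80
TEST_PATH = "/BOE/BI"      # assumed: any URL covered by the web.xml constraint
CA_FILE = None             # PEM file of the internal CA, or None for the OS trust store

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns,
# so the SAN logic below can be exercised without a server.
SAMPLE_CERT = {
    "subject": ((("commonName", "sapbobj.xxxx.yyy"),),),
    "subjectAltName": (("DNS", "sapbobj"), ("DNS", "SAPBOBJ.xxxx.yyy"), ("DNS", "*.xxxx.yyy")),
}


def san_dns_names(cert):
    """Lower-cased dNSName entries of the subjectAltName extension."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Match one dNSName against a host the way browsers do (RFC 6125): exact,
    or a single left-most wildcard label (*.x.y covers bi.x.y, not a.bi.x.y, not x.y)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def names_not_covered(cert, names):
    """Names from `names` that no SAN entry covers.  The CN is deliberately
    ignored: browsers ignore it too once a SAN is present."""
    sans = san_dns_names(cert)
    return [n for n in names if not any(name_matches(s, n) for s in sans)]


def check_https(host, port=HTTPS_PORT, cafile=CA_FILE, timeout=5):
    """TLS handshake with chain and hostname verification enabled.
    Returns (protocol, cipher, cert).  On a current Python the default context
    requires TLS 1.2+, so a handshake error here means the connector still only
    offers TLS 1.0/1.1 (see the SAPJVM note in 1.1.1)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()


def check_redirect(host, port=HTTP_PORT, path=TEST_PATH, timeout=5):
    """Plain-HTTP request; the CONFIDENTIAL constraint in web.xml should answer
    with a redirect whose Location starts with https://.  Returns (status, location)."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run(names=NAMES):
    """Both checks for every name; returns a list of (name, result) lines."""
    report = []
    for name in names:
        try:
            proto, cipher, cert = check_https(name)
            missing = names_not_covered(cert, names)
            report.append((name, f"{proto} {cipher}; SAN misses {missing or 'nothing'}"))
        except OSError as exc:            # ssl.SSLError is an OSError subclass
            report.append((name, f"HTTPS FAILED: {exc}"))
        try:
            status, loc = check_redirect(name)
            ok = status in (301, 302) and (loc or "").lower().startswith("https://")
            report.append((name, f"HTTP redirect {'OK' if ok else 'MISSING'}: {status} {loc}"))
        except OSError as exc:
            report.append((name, f"HTTP FAILED: {exc}"))
    return report


if __name__ == "__main__":
    for name, line in run():
        print(f"{name}: {line}")
```

Run it from a workstation that trusts the CA, not from the BOBJ server itself, so that name resolution and the trust store match what end users see. Verification is left on deliberately: a check that disables it would pass with the wrong certificate.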
6 About the author
Frederich Murador is an SAP Basis certified consultant (SAP HANA SUP01 and SAP NetWeaver), currently working in Vancouver, Canada.
6.1 Other useful links
6.1.1 Backup and Sybase
http://scn.sap.com/community/ase/blog/2013/05/31/backup-challenges-on-sybase
6.1.2 DMS step-by-step
http://scn.sap.com/docs/DOC-64266
6.1.3 Roadmap to SAP on Exadata installation
http://scn.sap.com/docs/DOC-64233