SSL Implementation

Hi Guys,
I work for a consulting firm, currently as an intern, and we work with Business Objects XI 3.1. Yesterday we were told to see if we can implement SSL in Business Objects. As of now I am totally confused as to what to do or where to start. If anybody can leave a tip, it'd be helpful. We are using the default Apache Tomcat 5.5.20.

Thank You


Ninjataktikz (BOB member since 2010-03-06)

Using SSL for the web interface has nothing to do with Business Objects other than it will make it harder for a third party to see your web traffic. What you need to find is how to implement SSL on Tomcat since that is your web server.

I recommend also redirecting port 80 (non-SSL) traffic to the URL on port 443 (SSL) as part of your implementation. I have used IIS on Windows for that, as it is very easy to add the redirection, but you can also do the same in Apache or other web servers and on some firewalls.

To configure Tomcat for SSL start here: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html. Also several of the SSL certificate authorities have instructions on their sites.

Now if you are talking about SSL between the Business Objects services, that is an entirely different topic and is covered in the Business Objects administrators/deployment guides.


Steve Rademacher :us: (BOB member since 2004-02-17)

-Steve,
Thank You for your quick reply. I really appreciate the help. That site is awesome. Now I'll just need to follow the steps. Thank You once again.

-Gary


Ninjataktikz (BOB member since 2010-03-06)

The steps to achieve SSL between the Business Objects servers are not explained in great detail in the XI R3 admin guide. I have tried looking for other documents explaining the steps but no luck.


Murtuza Morbiwala (BOB member since 2010-02-08)

The first step includes the creation of the Tomcat keystore file. The first and foremost thing is the creation of the .keystore file. This can be done by performing the following steps:

Go to the command prompt and navigate to the bin file which is located in the installation directory of Business Objects.
This can be done by typing the following command:

cd "Program Files\Business Objects\javasdk\bin" and press Enter.

Type in the following command: keytool -genkey -alias tomcat -keyalg RSA.

After running this command, you will be prompted to type in the following information:

Enter keystore password: (enter a password which is greater than equal to 6 characters) (say like AdminPwd)

What is your first and last name?

[Unknown]: (Type in your first and last name)

What is the name of your organizational unit?

[Unknown]: (Type in the name of your organizational unit)

What is the name of your organization?

[Unknown]: (Type in the name of your organization)

What is the name of your City or Locality?

[Unknown]: (Type in the name of your City)

What is the name of your State or Province?

[Unknown]: (Type in the name of your State)

What is the two-letter country code for this unit?

[Unknown]: The two letter Country code.

Is CN= XXXXX, OU=XXXXX, O=XXXXX, L=VXXXXX, ST=XXXXX, C=XXXXX correct?
[no]: yes (Type yes)

Enter key password for

(RETURN if same as keystore password): XXXXX

This creates a .keystore file in the currently logged in user's profile directory (such as C:\Documents and Settings\"Name of the User").

Create a folder with any name on the drive on which Business Objects is installed. (C:\Program Files\BusinessObjects)

Copy and paste the .keystore file from the user folder (i.e. C:\Documents and Settings\"Name of the User") to the Default User folder as well as the folder which we had created.

The second step includes the editing of the server.xml file.

This can be done by performing the following steps:

Go to the directory: \Program Files\Business Objects\Tomcat55\conf
Make sure you make a backup of the server.xml file before editing it.
Open the server.xml file with the WordPad editor.
Search for “Connector on port 8443” string.
You will get something as below:

<!--
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

Note: In the server.xml file, if you do not enter the keystore path or password, Tomcat will use the defaults.

Uncomment the above paragraph in the server.xml file.
After the string sslProtocol="TLS", add keystoreFile="path of the .keystore file which was pasted in the created folder" keystorePass="the password of the .keystore file"
Save the file.

Go to the Central Configuration Manager and stop the Server Intelligence Agent.
Go to its properties and click on Protocol tab.
Make sure the “Enable SSL” checkbox is unchecked.
Start the Server Intelligence Agent.
Restart the Apache Tomcat 5.5.20 in the Central Configuration Manager.
Now you can log on to the CMC and InfoView through SSL on port 8443.

Regards
karthik


sarvankarthik6 (BOB member since 2009-10-02)
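The server.xml edit above is the step most often got wrong (the 8443 block left inside the comment, or the keystore attributes forgotten so Tomcat silently falls back to .keystore in the service account's home with the keytool default password). The following is an added example for this thread, not code from the thread, from SAP or from Tomcat: a small Python audit that parses server.xml and reports those slips, plus Steve's redirect advice expressed in Tomcat's own redirectPort terms. The keystore path C:/BOSSL/.keystore and the password in the sample are constructed values.

```python
"""Audit the HTTPS Connector in a Tomcat 5.5 server.xml.

Added example for this thread; it is not code from the thread, from SAP or
from Tomcat. ElementTree drops XML comments, so a Connector still wrapped
in <!-- --> simply never shows up: that is the check for the "uncomment"
step. The remaining checks cover keystoreFile, keystorePass, sslProtocol
and the plain connector's redirectPort.
"""
import sys
import xml.etree.ElementTree as ET

KEYTOOL_DEFAULT_PASS = "changeit"  # default password keytool and Tomcat assume


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the HTTPS connector looks sane."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors
             if c.get("scheme") == "https" or c.get("secure") == "true"]
    findings = []
    if not https:
        findings.append("no active HTTPS connector: the port 8443 block is still "
                        "commented out or missing")
        return findings
    https_ports = {c.get("port") for c in https}
    for c in https:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'connector {port}: needs both scheme="https" and secure="true"')
        if c.get("sslProtocol", "TLS") != "TLS":
            findings.append(f"connector {port}: sslProtocol is {c.get('sslProtocol')}, expected TLS")
        if "keystore" in c.attrib:
            findings.append(f"connector {port}: 'keystore' is not a connector attribute, "
                            "the path belongs in keystoreFile")
        if not c.get("keystoreFile"):
            findings.append(f"connector {port}: keystoreFile not set, Tomcat will use "
                            ".keystore in the service account's home directory")
        if c.get("keystorePass", KEYTOOL_DEFAULT_PASS) == KEYTOOL_DEFAULT_PASS:
            findings.append(f"connector {port}: keystorePass missing or still the "
                            f"keytool default '{KEYTOOL_DEFAULT_PASS}'")
    # Plain-HTTP connectors hand CONFIDENTIAL requests to redirectPort, so it
    # should name the HTTPS connector (the port 80 -> 443 advice, Tomcat style).
    for c in connectors:
        if c not in https and c.get("redirectPort") not in https_ports:
            findings.append(f"connector {c.get('port', '?')}: redirectPort does not "
                            "point at an HTTPS connector")
    return findings


def audit_file(path):
    """Audit a server.xml on disk."""
    with open(path, encoding="utf-8") as f:
        return audit_server_xml(f.read())


# Constructed sample modelled on the default server.xml quoted in the thread.
STILL_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443" />
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>
"""

# Uncommented but with the keystore attributes forgotten: Tomcat falls back to defaults.
UNCOMMENTED_NO_KEYSTORE = STILL_COMMENTED.replace("<!--", "").replace("-->", "")

# Uncommented and pointed at the copied keystore (constructed path and password).
CONFIGURED = UNCOMMENTED_NO_KEYSTORE.replace(
    'sslProtocol="TLS"',
    'sslProtocol="TLS" keystoreFile="C:/BOSSL/.keystore" keystorePass="AdminPwd"')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = audit_file(sys.argv[1])
    else:
        findings = audit_server_xml(UNCOMMENTED_NO_KEYSTORE)
    print("\n".join(findings) or "HTTPS connector looks sane")
```

Run it as `python audit_server_xml.py "C:\Program Files\Business Objects\Tomcat55\conf\server.xml"` after the edit; with no argument it audits the built-in sample and reports the two missing keystore attributes.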

-Karthik
Hey, thanks for replying. I have worked my way through and configured Tomcat with SSL on it. But if I don't implement SSL on the Service Intelligence Agent, how will BO be secured? The main reason I am doing this is so I can send email directly to Gmail instead of using any programs like Stunnel or something like that.

-Gary


Ninjataktikz (BOB member since 2010-03-06)

hi… This might help you…

  1. Start Notepad and open the following file:
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.cnf"

  2. Change the “dir” from “./demoCA” to C:/SSL and save the changes.

  3. Start Command Prompt and create the following folders using the following command.
    MKDIR C:\SSL
    MKDIR C:\SSL\private
    MKDIR C:\SSL\newcerts

  4. Change the cursor to “C:\SSL”
    cd C:\SSL

  5. Create a CA certificate request and the associated private key:
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" req -config "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.cnf" -new -out cacert.req

The following is the output of this command. Please enter the information it asks for.

Using configuration from C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\sslc.cnf
Loading ‘screen’ into random state -unable to load ‘random state’
What this means is that the random number generator has not been seeded with much random data.
Consider setting the RANDFILE environment variable to point at a file that ‘random’ data can be kept in.
Generating a 1024 bit RSA private key
…+++++
……+++++

writing new private key to ‘privkey.pem’

Enter PEM pass phrase:*****
Verifying password - Enter PEM pass phrase:*****

You will be prompted to enter information to incorporate into the certificate request. This information is called a Distinguished Name or a DN. There are many fields however some can remain blank. Some fields have default values.
Enter ‘.’, to leave the field blank.

Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:gd
Locality Name (eg, city) []:gz
Organization Name (eg, company) [Some-Organization Pty Ltd]:sap
Organizational Unit Name (eg, section) []:sc
Common Name (eg, YOUR name) []:daniel
Email Address []:daniel.tang@sap.com

Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

  6. Decrypt the private key:
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" rsa -in privkey.pem -out cakey.pem
    The following is the output of this command.

read RSA private key
Enter PEM pass phrase:*****
writing RSA private key

  7. Sign the CA certificate
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365
    The following is the output of this command.

Signature OK
subject=/C=CN/ST=BJ/L=BJ/O=Business Objects/OU=Customer Support/CN=Daniel
Obtaining Private key

  8. Move the private key to the appropriate folder using the following command.
    move cakey.pem C:\SSL\private\cakey.pem

  9. Create the following empty text file (database index file): C:\SSL\index.txt

  10. Create another text file: C:\SSL\serial

  11. Open the "C:\SSL\serial" file in WordPad and enter the following value + save it:
    11111111111111111111

  12. Create a certificate request and private key:
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" req -config "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.cnf" -new -out servercert.req

The following is the output of this command. Please enter the information it asks for.

Using configuration from C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\sslc.cnf
Loading ‘screen’ into random state -Generating a 1024 bit RSA private key
…+++++
…+++++

writing new private key to ‘privkey.pem’
Enter PEM pass phrase:*****
Verifying password - Enter PEM pass phrase:*****

You will be prompted to enter information to incorporate into the certificate request.
This information is called a Distinguished Name or a DN. There are many fields however some can remain blank. Some fields have default values.
Enter ‘.’, to leave the field blank.

Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:gd
Locality Name (eg, city) []:gz
Organization Name (eg, company) [Some-Organization Pty Ltd]:sap
Organizational Unit Name (eg, section) []:sc
Common Name (eg, YOUR name) []:daniel
Email Address []:daniel.tang@sap.com

Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

  13. Make a copy of the private key using the following command.
    copy privkey.pem server.key

  14. Sign the certificate
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" ca -config "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.cnf" -days 365 -in servercert.req -out servercert.pem

The following is the output of this command. Please enter the information it asks for.

Using configuration from C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\sslc.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:‘UK’
stateOrProvinceName :PRINTABLE:‘London’
localityName :PRINTABLE:‘Ealing’
organizationName :PRINTABLE:‘Business Objects’
organizationalUnitName:PRINTABLE:‘XIr2’
commonName :PRINTABLE:‘Architecture’
Certificate is to be certified until Sep 18 23:06:00 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database Updated

  15. Convert the certificates to DER
    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" x509 -in cacert.pem -out cacert.der -outform DER

    "C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" x509 -in servercert.pem -out servercert.der -outform DER

  16. Create a "passphrase.txt" text file. The content of the file should be the password you entered in step 12 (Enter PEM pass phrase:*****). Type only the password.

  17. Store the following files in a secure location (e.g. "C:\!test").
    -server.key
    -cacert.der
    -servercert.der
    -passphrase.txt

NOTE:
Just type the PEM password into your passphrase.txt and save it.

  18. Go to Central Configuration Manager > Server Intelligence Agent > Properties > Protocol, check the "Enable SSL" checkbox and set the other fields as follows.

SSL Certificates Folder: C:\!test
Server SSL Certificate File: servercert.der
SSL Trusted Certificate File: cacert.der
SSL Private Key File: server.key
SSL Private Key Passphrase File: passphrase.txt

  19. Navigate to Start > All Programs > Tomcat > Tomcat configuration > Java and add the following entries at the end of Java Options and restart Tomcat.

-Dbusinessobjects.orb.oci.protocol=ssl
-DcertDir=C:/!test
-DtrustedCert=cacert.der
-DsslCert=servercert.der
-DsslKey=server.key
-Dpassphrase=passphrase.txt

If you use Websphere as your Web Application Server, please take the following actions:

  1. Configure the SSL Protocol for the Web Application Server. Go to the Websphere Admin Console.
  2. Click on the server (it is server1 by default).
  3. Go to Process Definition > Java Virtual Machine.
  4. On Generic JVM Arguments, input
    -Dbusinessobjects.orb.oci.protocol=ssl
    -DcertDir=C:/!test
    -DtrustedCert=cacert.der
    -DsslCert=servercert.der
    -DsslKey=server.key
    -Dpassphrase=passphrase.txt
  5. Restart the Web Application Server.

NOTE:
The difference between XI 3.0/3.1 and XI R2 is that you don’t need to configure each server under BOE the same as CMS.

Furthermore, if you want your Business Objects thick clients such as Designer and Deski Report Designer to work with the CMS under SSL, or use IIS as the Web Application Server, you should complete the following action.

  1. Start command Prompt and run the following command + restart IIS:

"C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslconfig.exe" -dir C:/!test -mycert servercert.der -rootcert cacert.der -mykey server.key -passphrase passphrase.txt -protocol ssl


sarvankarthik6 (BOB member since 2009-10-02)

-Karthik
Your instructions were really clear. Thank You. I have Tomcat and the Service Intelligence Agent configured with SSL. Now I just have one more question. How will I make sure the Service Intelligence Agent is SSL secured? I mean, is there any way to check, or like a test? Thank You for all your help.

-Gary


Ninjataktikz (BOB member since 2010-03-06)

I'm wondering the same thing. Does something show in the logs that proves that the SSL configuration for server communication is working?


smitchcoff :us: (BOB member since 2006-05-03)

I’m having difficulty getting the CCM SSL configured in conjunction with Infoview SSL. For infoview, I used keytool to create a keystore and then geotrust to obtain a certificate chain. After configuring server.xml and web.xml for infoview/opendocument, I can use infoview and opendocument with sso and https with no problem. Now, when I try to enable the CCM SIA SSL protocol with the steps outlined in this message thread, Infoview will no longer load. I don’t get any errors, it just stops mid-authentication. Tomcat shows that Kerberos has obtained credentials, and SIA log shows nothing. Infoview shows a login screen. Any suggestions?


smitchcoff :us: (BOB member since 2006-05-03)

So I’ve gotten Infoview and OpenDocument SSL up and running with SSO. Now I’ve enabled SIA SSL and both are working… Sort of. I can connect to Deski, Webi Rich, QAAWS through 3-tier mode. The problem I’m getting now is that when I try to run the other client tools (Designer, Publishing Wizard, XCelsius) in 2-tier mode, I get the following error from Designer:


[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Transport error: Insufficient resources.(FWM 00002)
(hr=#0x80042a01)

I have created a case with SAP to try and get to the bottom of this. Once (IF) I finally get this up and running, I'll post the steps on here.

smitchcoff :us: (BOB member since 2006-05-03)

Does the certificate we self generate ever expire? If it does, do we have to create another certificate every time it expires? Thanks!


gjwl_8 (BOB member since 2010-02-17)

When you run this:

"C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\sslc.exe" x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365

You are assigning the number of days it will be valid for.


smitchcoff :us: (BOB member since 2006-05-03)

gary.li wrote:
> Does the certificate we self generate ever expire? If it does, do we have to create another certificate every time it expires? Thanks!

All SSL certificates have “valid from” and “valid to” dates. Those dates are checked by your browser whenever you access an SSL protected page. They are compared to the current date on that computer as one of the checks to see if that certificate is valid. Querying against the trusted certificate authorities is another check that is performed.


Steve Rademacher :us: (BOB member since 2004-02-17)
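Two questions in this thread go unanswered in its own words: Gary and smitchcoff ask how to check that a listener really is using SSL, and gary.li asks when the self-generated certificate runs out. The following is an added example, not code from the thread or an SAP tool, that addresses both for the Tomcat 8443 connector configured earlier: it performs a TLS handshake trusting only the deployment's own CA certificate (the cacert.der created above), so a successful connection means the listener presents a certificate signed by that CA, and it reports the negotiated protocol, the cipher and the days left before notAfter. It uses only the Python standard library; host, port and CA file are command-line arguments, and the port defaults to 8443. The CMS listener's port is not given in this thread, so pointing the probe at the SIA side is left to the caller.

```python
"""Probe a TLS listener and report protocol, cipher and certificate validity.

Added example for this thread; it is not code from the thread or an SAP tool.
The handshake verifies the server chain against a single trusted CA cert
(DER, as produced by the sslc steps above) and the notAfter value answers
the expiry question. Everything used is standard library.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def trust_context(ca_der_path=None):
    """Client context trusting only the given DER CA cert, or the system store if None."""
    if ca_der_path is None:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, check_hostname on
    with open(ca_der_path, "rb") as f:
        ctx.load_verify_locations(cadata=f.read())  # cadata accepts DER bytes
    # The thread's certificates carry a person's name as CN rather than the host
    # name, so name matching is switched off; chain verification stays on.
    ctx.check_hostname = False
    return ctx


def tls_probe(host, port, ctx, timeout=5.0):
    """Complete a handshake and return what the listener presented."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert": tls.getpeercert()}  # dict of the verified peer cert


def cert_time_to_utc(cert_time):
    """Parse getpeercert()'s time format, e.g. 'Sep 18 23:06:00 2007 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Days left on a certificate; 'now' may be a datetime or a cert-time string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = cert_time_to_utc(now)
    return (cert_time_to_utc(not_after) - now).days


def assess(result, now=None):
    """Turn a probe result into findings a defender would act on."""
    findings = []
    if result["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"negotiated {result['protocol']}; restrict the connector to TLS")
    cert = result.get("cert") or {}
    if "notAfter" in cert:
        left = days_until_expiry(cert["notAfter"], now)
        if left < 0:
            findings.append(f"certificate expired {-left} days ago")
        elif left < 30:
            findings.append(f"certificate expires in {left} days")
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    ca_file = sys.argv[3] if len(sys.argv) > 3 else None
    result = tls_probe(host, port, trust_context(ca_file))
    print(f"{host}:{port} {result['protocol']} {result['cipher']}")
    print("subject:", result["cert"].get("subject"), "notAfter:", result["cert"].get("notAfter"))
    for finding in assess(result):
        print("!", finding)
```

Run as `python tls_probe.py boserver 8443 C:\!test\cacert.der`. If the handshake fails with a certificate verification error, the listener is not presenting a certificate issued by that CA; if it fails with a protocol version error, the listener offers only versions the probing OpenSSL build refuses (recent Python builds reject TLS 1.0 by default, which a Tomcat 5.5 of that era typically tops out at), which is itself worth knowing. The `-days 365` in the signing step above is exactly what notAfter reports back, and the certificate has to be reissued before that date passes.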

Smitchcoff,

I know this thread is a little old, but I’m hoping you’re still out there somewhere. Would you mind letting me know what method you used for retrieving the username in infoview (through config of web.xml).

I’m trying to figure out whether tomcat will automagically retrieve the username from the user certificate and if i can retrieve it using REMOTE_USER or USER_PRINCIPAL methods or whether custom code is required.

Thanks,
Rob


Rockstar12 (BOB member since 2010-07-23)

I tried setting up SSL with Tomcat - Business Objects XI 3.1.
I cannot get it working, I am unable to display the InfoView login page or the https://localhost page.

I tried following the SAP document here: http://service.sap.com/sap/support/notes/1299147

Is this document complete? Is it missing information?


unds :canada: (BOB member since 2006-12-09)

I have a similar question. I hope to learn what I should configure after importing the keys into BO and Tomcat's server.xml. It should work, but I cannot use https://localhost.
Thanks for your help!


elulue :cn: (BOB member since 2010-05-28)

I was able to get SSL working using this link - have you looked at this (or similar from Tomcat)?

http://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html

I did a dummy certificate, but I imported that and now can hit my 8443 ported Tomcat instance / BO.

Good luck!
B


bdouglas :switzerland: (BOB member since 2002-08-29)

Which section would I use if I run Tomcat (as part of the Business Objects Enterprise install), running on Windows Server?


unds :canada: (BOB member since 2006-12-09)

I pasted the wrong link - try this:

and pretty much all of it - the Edit Tomcat Configuration File is the key to turning on SSL, though.

Like I said, I made up a dummy certificate and imported it - then I ignored the certificate error and pressed on. If you have a good certificate, it should work.

Good luck!
B


bdouglas :switzerland: (BOB member since 2002-08-29)