The document discusses on how to enable https on BOBJ web application server and import the wild card CA trusted certificate.
Enabling the https
Enabling https on the web application (Tomcat in this case) requires generation of key store and self-signed certificates using in-built keytool or openssl
Using command line navigate to \SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin
Run the below command, this will generate a keystore.jks file at keytool home directory, copy it to another folder say (C:/SSL)
keytool -genkey -alias tomcat -keyalg RSA –keystore keystore.jks
Export the .crt self-signed certificate using the below command
keytool –export -alias tomcat -keystore c:\SSL\Keystore.jks -file c:\ssl\tomcat.crt
A self-signed certificate tomcat.crt will be stored under C:\SSL folder.
Stop the tomcat
Open server.xml file. Location – /conf
Uncomment the https entry and add the below parameter.
keystoreFile= “location of keystore.jks file” keystorePass=”password”
Restart the tomcat, now https links to BI-Launchpad and CMC should work
Importing the wild card certificate
By following the above process, https links will work as expected. However, a certificate not-trusted warning will appear on the browser which is expected. The reason for this is Tomcat certificate is self-signed but not CA signed
To overcome this error, you can create .CSR file and send it to CA providers , who in return provide certified CRT files. Use the below commands to import the same
Keytool –import –trustcacert –alias tomcat –keystore keystore.jks –file cacertified.crt
If you have root certificate, please import the same into root alias.
Most of time, internal CA have wildcard certificates for the domain already, importing those will be little bit tricky. Importing the wildcard certificate into same alias will give “Public keys mismatch error”. Please follow the below process to import.
Using Openssl tool convert the required wildcard.crt certificate into pfx format
openssl pkcs12 -export -in wildcard.crt -inkey wildcard.key -out C:\SSL\wildcard.pfx
the above command will generate a wildcard.pfx under C:\SSL folder.
Stop the tomcat and make the below changes to https entries
keystoreType =”PKCS12” keystoreFile=”wildcard.pfx” keystorePass=”password”
Restart the tomcat.
All set, now the tomcat will be using the internal wildcard certificate.