Securing your deployment using SSL

To secure data transfers between clients and servers in your deployment, use Secure Sockets Layer (SSL). This topic describes how to configure BMC Decision Support – Network Automation and SAP BusinessObjects Business Intelligence (BI) platform for SSL.

Configuring BMC Decision Support – Network Automation for SSL

The general steps for configuring BMC Decision Support – Network Automation for SSL are:

  1. Create a certificate signing request (CSR) for the existing keystore.
  2. Send the CSR to a Certification Authority (CA).
  3. Import the CA-provided certificates.

These steps are explained in the following procedure.

Before you begin

  • Back up the installation directory.
  • A certificate can be issued and authenticated only for the Common Name (CN) that was provided during installation. For example, if you provided server1 as the CN during installation, you can use only http://server1 as the URL to access web applications, not http://server1.domain.com. You can use the Fully Qualified Domain Name (FQDN) only if you provided the FQDN as the CN. However, in that case the short name (server1) is not verified.

To configure BMC Decision Support – Network Automation for SSL

  1. From the Windows Services console, stop the BL-Decision Support Web Server service.
  2. From the command prompt, navigate to the folder that contains Keytool. The default location is BDSNAInstallDir\java\bin.
  3. Enter the following command to generate a certificate signing request (CSR):

    keytool -certreq -keyalg RSA -alias tomcat -file C:\certreq.txt -keystore "C:\Program Files\BMC Software\Bl-Decision Support\tomcat\conf\bdsSslCertificate.cert"
  4. When prompted for the keystore password, enter 1emprisa (default keystore password).
    certreq.txt is the output file containing the CSR, which is generated in the C:\ directory.
  5. Send certreq.txt to a CA for signing, or use your own CA and get the CSR signed by this CA.
    The CA returns a signed certificate and a root certificate.
  6. Copy the certificate files received from the CA to the BDSNAInstallDir\tomcat\conf directory.
  7. From the command prompt, navigate to the BDSNAInstallDir\java\bin directory.

  8. Enter the following command to import the root certificate:

    keytool -import -alias root -keystore "C:\Program Files\BMC Software\Bl-Decision Support\tomcat\conf\bdsSslCertificate.cert" -trustcacerts -file <rootCertificate>
  9. When prompted for the keystore password, enter 1emprisa (default keystore password) and then press Enter.
  10. Enter the following command to import the signed certificate:

    Note

    This step is optional if a signed CA certificate is already present on your computer.

    keytool -import -alias tomcat -keystore "C:\Program Files\BMC Software\Bl-Decision Support\tomcat\conf\bdsSslCertificate.cert" -file <signedCertificate>

  11. When prompted for the keystore password, enter 1emprisa (default keystore password) and then press Enter.
  12. Verify that the following message appears on the command line: Certificate reply was installed in keystore.
  13. From the Windows Services console, start the BL-Decision Support Web Server service.
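
As an added example (not part of the BMC documentation), the following Python check reads the text printed by keytool -list -v -keystore <keystore> and confirms that the tomcat alias now holds a CA-signed chain whose CN matches the name used at installation. The sample listing is constructed, English keytool output is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout `keytool -list -v` prints; not from a real system.
SAMPLE_AFTER_IMPORT = """\
Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server1, OU=IT, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
"""

def _first(pattern, text):
    match = re.search(pattern, text, re.M)
    return match.group(1).strip() if match else None

def parse_entries(listing):
    """Split the listing into {alias: details}, keeping each entry's first certificate."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias, _, body = block.partition("\n")
        entries[alias.strip()] = {
            "type": _first(r"^Entry type: (\S+)", body),
            "chain_length": int(_first(r"^Certificate chain length: (\d+)", body) or 0),
            "owner": _first(r"^Owner: (.+)$", body),
            "issuer": _first(r"^Issuer: (.+)$", body),
        }
    return entries

def check_tomcat_entry(listing, expected_cn, alias="tomcat"):
    """Return a list of problems; an empty list means the CA reply is in place."""
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return [f"alias {alias!r} not found"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("entry has no private key")
    if entry["owner"] == entry["issuer"] or entry["chain_length"] < 2:
        problems.append("certificate is still self-signed; CA reply not installed")
    cn = re.search(r"CN=([^,]+)", entry["owner"] or "")
    if cn is None or cn.group(1).strip().lower() != expected_cn.lower():
        problems.append(f"CN does not match {expected_cn!r}")
    return problems
```

Run it against the listing taken after step 12; a non-empty result before restarting the service points to the step that needs repeating.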

Configuring SAP BusinessObjects BI servers for SSL

You can use the SSL protocol for all network communication between clients and servers in your BusinessObjects BI platform deployment.

Note

BMC Decision Support – Network Automation does not support a multi-node high availability deployment of SAP BusinessObjects BI platform and requires standalone installation of BI server on one computer. Due to this requirement, you do not need to enable SSL in the Central Configuration Manager (CCM).

To set up SSL for all server communication, perform the following tasks and refer to the mentioned sub-sections in the "Configuring servers for SSL" section in the Business Intelligence Platform Administrator Guide at PDFs.

  1. Depending on the certificate you are using in your environment, perform the following tasks:
    1. If you are using a self-signed certificate, perform the following tasks and refer to the mentioned sub-sections:
      1. Create key and certificate files. For instructions, see the “Creating key and certificate files” sub-section.
      2. Configure SSL for the web application server. For instructions, see the “To configure the SSL protocol for the web application server” sub-section.
    2. If you are using a certificate that is being managed by a certificate authority, see the “Setting up SSL when the certificate is managed by a certificate authority” sub-section.
  2. If you are using thick clients, such as Crystal Reports, perform the steps mentioned in the “To configure thick clients” sub-section.

After you have configured the web application servers, configure the Tomcat servlet container if you have not configured it while setting up the reporting server, as described in the following procedure.

To configure the Tomcat servlet container for SSL

  1. Stop Tomcat.
  2. Enable SSL for Tomcat by uncommenting the entry for the SSL connector in the server.xml file, which is located at %TOMCAT_HOME%\conf\server.xml by default.
  3. In the server.xml file, add the correct file paths of the keystore and truststore, and set the sslEnabledProtocols property to TLSv1.2. The following example shows a sample file with the keystore and truststore path:

    <Connector port='8443' maxHttpHeaderSize='8192' maxThreads='150' minSpareThreads='25'
    maxSpareThreads='75' enableLookups='false' disableUploadTimeout='true' acceptCount='100' scheme='https'
    secure='true' clientAuth='false' sslProtocol='TLS' sslEnabledProtocols='TLSv1.2' keystoreFile='C:\https\server.ks'
    truststoreFile='C:\https\server.ts'/>
  4. Start Tomcat. 
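
As an added example (not part of the BMC or SAP documentation), the following Python audit parses a server.xml and reports HTTPS connectors that differ from the settings this procedure names: sslEnabledProtocols limited to TLSv1.2, and both keystoreFile and truststoreFile set. The sample XML is constructed (the page's connector next to a weaker variant on a hypothetical port 9443), and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the page's connector plus a weaker variant for contrast.
SAMPLE_SERVER_XML = r"""<Server><Service name='Catalina'>
  <Connector port='8443' scheme='https' secure='true' clientAuth='false'
             sslProtocol='TLS' sslEnabledProtocols='TLSv1.2'
             keystoreFile='C:\https\server.ks' truststoreFile='C:\https\server.ts'/>
  <Connector port='9443' scheme='https' secure='true' sslProtocol='TLS'
             sslEnabledProtocols='TLSv1,TLSv1.1,TLSv1.2'/>
</Service></Server>
"""

ALLOWED_PROTOCOLS = {"TLSv1.2"}  # the version the procedure specifies

def audit_connectors(xml_text):
    """Return {port: [findings]} for every HTTPS connector in server.xml."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue  # only connectors configured for SSL are audited here
        findings = []
        if conn.get("secure") != "true":
            findings.append("secure is not 'true'")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            findings.append("sslEnabledProtocols not set")
        else:
            enabled = {p.strip() for p in raw.split(",") if p.strip()}
            extra = sorted(enabled - ALLOWED_PROTOCOLS)
            if extra:
                findings.append("extra protocols enabled: " + ", ".join(extra))
            if not enabled & ALLOWED_PROTOCOLS:
                findings.append("TLSv1.2 is not enabled")
        for attr in ("keystoreFile", "truststoreFile"):
            if not conn.get(attr):
                findings.append(attr + " not set")
        report[conn.get("port")] = findings
    return report
```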
