
TrueSight Operations Management Reporting communicates with various components in a secure manner using TLS. These components might operate like a client or a server based on the context of communication. To achieve TLS mode of communication, the security certificates need to be authenticated between a client and a server. If a component is operating as a client, it requires a truststore to verify the server's credentials. If a component is operating as a server, it requires a keystore that provides credentials to the client to verify. You must procure these certificate files from your organization's security administrator or generate the CA-signed certificates.

There are two types of certificate files that are used for authentication. 

  • A public certificate file which is a Certificate Authority (CA) signed certificate in .crt format. 
  • A private key file in Public-Key Cryptography Standards (PKCS) format, that is, a .p12 file.

Before you start the communication between these components, you must complete the task of importing the security certificates into the truststore or keystore files of the respective components. The following diagram indicates the default keystores and truststores used.

Step a: To apply TrueSight Infrastructure Management SQL Anywhere database certificate to Reporting Engine

The Report engine uses the following certificate files procured from the Infrastructure Management SQL Anywhere database administrator for its communication.

  • certificate file in .pem format
  • key file in .pem format
  • identity file in .pem format

Perform the following sequence of steps to procure these certificates from Infrastructure Management SQL Anywhere database administrator.

  1. Log on to the computer where the TrueSight Operations Management Report Engine is installed. 
  2. Procure the certificate, key, and identity files in .pem format from the Infrastructure Management SQL Anywhere database administrator and place them in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.

    Note

    • You can either procure the SQL Anywhere certificates from the database administrator, or create certificates and get them signed by a CA. For step-by-step instructions about how to create a certificate and get it signed by a CA, see Implementing private certificates in the SQL Anywhere database.
    • You can place the procured certificates in a directory other than the \security directory.

Step b: To apply Infrastructure Management server and cell certificate to Reporting Engine

The Report engine uses the cacerts as the default keystore and truststore for its communication with the Infrastructure Management server cell component. This truststore and keystore file is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.

Perform the following sequence of steps to secure the communication between the Infrastructure Management server cell and the Report engine component.

  1. Log on to the computer where the TrueSight Operations Management Reporting is installed. 
  2. Procure the Infrastructure Management server cell signed certificate, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory. 

    For step-by-step instructions about how to create a CA-signed certificate for TrueSight Infrastructure Management and cell, see Implementing private certificates in the TrueSight Infrastructure Management.

  3. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin

    #Unix operating system

    $cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin

  4. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured certificate from the Infrastructure Management server cell to the default truststore file by running the following command: 

    keytool -import -alias cell -file mcell.crt -keystore cacerts

    Parameter description

     The following notes describe the key parameters used in the preceding commands:

    • mcell.crt is the name of the public certificate procured from the Infrastructure Management server system administrator. If the name of the procured public certificate is different, use the relevant file name in the preceding command.

    • changeit is the default password for the cacerts keystore. If you want to change this default password, run the following command:

      keytool -storepasswd -keystore cacerts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

     

Step c: To apply Oracle/SQL database certificates to Reporting Engine

The Reporting engine uses the cacerts as the default truststore file for its communication with the Reporting database (Oracle/SQL) or the external Oracle database communication. This truststore is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory. 

Perform the following sequence of steps to secure the communication between the Reporting database (Oracle) and the Report engine component.

  1. Log on to the computer where the TrueSight Operations Management Reporting is installed. 
  2. Perform the following steps depending on the type of the Reporting database used:
    1. Oracle database: Procure the oracle certificate from the oracle database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
    2. SQL database: Procure the SQL certificate from the SQL database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
  3. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin

    #Unix operating system

    $cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin

  4. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured Oracle certificate/SQL certificate into the default truststore file by running the following commands: 

    #Oracle database

    keytool -importcert -trustcacerts -file oracle.crt -keystore cacerts -alias oracleCert

    #SQL database

    keytool -importcert -trustcacerts -file sqlcert.crt -keystore cacerts -alias sqlCert

    Note

    • oracle.crt is the name of the Oracle certificate. If the name of the Oracle certificate procured from your oracle database administrator is different, use the relevant file name in the preceding command. 
    • sqlcert.crt is the name of the SQL database certificate. If the name of the SQL certificate procured from your SQL database administrator is different, use the relevant file name in the preceding command.


Step d: To import the private key into the Report Engine keystore

TrueSight Operations Management Report Engine communicates with the Infrastructure Management server cell. In this context of communication the Report Engine operates as a server. To establish this communication the Report Engine has to have a keystore with a private key imported into it.

  1. Log on to the computer where the TrueSight Operations Management Report Engine is installed. 
  2. Procure a private key in the PKCS12 format from the TrueSight Operations Management Report Engine security administrator, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory. 
  3. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin

    # Unix operating system

    $cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin

  4. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured private key from the Report Engine system administrator to the default keystore file by running the following command: 

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password

    Parameter description

    • server.p12 is the name of the private key file (PKCS12 format) procured from the Report Engine system administrator. If the name of the procured private key is different, use the relevant file name in the preceding command.

    • changeit is the default password for the cacerts keystore. If you want to change this default password, run the following command:

      keytool -storepasswd -keystore cacerts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.
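
After Steps b through d, the cacerts file should hold the imported trusted certificates and one private key entry. The following script is an added example, not part of the BMC documentation: it audits `keytool -list` output for the aliases used on this page. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BMC code: audit `keytool -list` output after Steps b-d.

# Constructed sample of what `keytool -list -keystore cacerts` prints
# (real cacerts files also list the bundled public CA certificates).
sample_listing() {
cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

cell, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33 (constructed)
oraclecert, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66 (constructed)
1, Mar 4, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 77:88:99 (constructed)
EOF
}

# check_entries alias:entryType ...  (listing on stdin)
# JKS aliases are case-insensitive and listed in lowercase, so "oracleCert"
# from Step c appears as "oraclecert"; compare without regard to case.
check_entries() {
    listing=$(cat); rc=0
    for want in "$@"; do
        name=${want%%:*}; kind=${want#*:}
        found=$(printf '%s\n' "$listing" | awk -v a="$name" '
            { i = index($0, ","); if (!i || tolower(substr($0, 1, i - 1)) != tolower(a)) next }
            match($0, /trustedCertEntry|PrivateKeyEntry|SecretKeyEntry/) {
                print substr($0, RSTART, RLENGTH); exit }')
        if [ -z "$found" ]; then echo "MISSING $name (expected $kind)"; rc=1
        elif [ "$found" != "$kind" ]; then echo "WRONG   $name is $found, expected $kind"; rc=1
        else echo "OK      $name $found"; fi
    done
    return $rc
}

# Step d passes no -destalias, so the key keeps the alias stored in server.p12;
# list whatever PrivateKeyEntry aliases exist instead of guessing the name.
private_key_aliases() {
    awk '/PrivateKeyEntry/ { i = index($0, ","); if (i) print substr($0, 1, i - 1) }'
}

# Real use: keytool -list -keystore cacerts | check_entries cell:trustedCertEntry
sample_listing | check_entries cell:trustedCertEntry oracleCert:trustedCertEntry
echo "private key aliases: $(sample_listing | private_key_aliases)"
```

A non-zero exit status from check_entries means an expected alias is absent or was imported as the wrong entry type.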

Step e: To create the signed certificates for SAP Business Objects Web client and secure it

SAP Business Object Central Management Server communicates with the BI Launchpad web client. The SAP BO TOMCAT server uses the BIKeystore keystore for its communication with the BI Launchpad web client. SAP Business Objects 4.1 is installed with the Java runtime supplied by SAP (sapjvm). The keytool utility that is used to create certificate files is located in the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory. Perform the following steps to generate a CA-signed certificate and place it in the BIKeystore keystore file:

Note

To support TLS 1.2, the Java component must be raised to Java 7 or later. Do not update the Java provided by SAP (sapjvm) to Java version 7; instead, perform this installation in a different folder.


  1. To create a keystore, navigate to the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory and run the following command. The command prompts you to enter details such as the name and organization, as shown in the following code block. Enter the details appropriately.

    keytool -genkey -keyalg RSA -keysize 4096 -sigalg sha256withRSA -alias sapserv -keystore C:\SSL\BIKeystore.keystore
     ...
     ...
     What is the name of your organizational unit?
     [Unknown]:  <organizational unit>
     What is the name of your organization?
     [Unknown]:  <company>
     What is the name of your City or Locality?
     [Unknown]:  <city>
     What is the name of your State or Province?
     [Unknown]:  <state>
     What is the two-letter country code for this unit?
     [Unknown]:  <country code>
     Is CN=<FQDN of SAP server>, OU=<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
     [no]:  yes

    Parameter description

    The parameters and values used in the genkey command in the preceding example are described here:

    Parameter | Description | Value
    alias | Specifies the alias name. | sapserv
    keyalg | Specifies the algorithm to be used to generate the key pair. | RSA
    keysize | Specifies the size of each key to be generated. | 4096
    sigalg | Specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with keyalg. | SHA1withRSA
    keystore | Specifies the keystore location and name | C:\SSL\BIKeystore.keystore; BIKeystore.keystore

    In the preceding example the keystore file name is specified as BIKeystore.keystore. If you want to specify a different keystore file name, then ensure that you use the keystore name accordingly in the following commands.

    The preceding command generates BIKeystore.keystore file in the C:\SSL directory.

  2. To create a Certificate Signing Request (CSR), navigate to the keytool location where Java 7 or later is installed and run the following command:

    keytool -certreq -keyalg RSA -keysize 4096 -alias sapserv -file C:\SSL\SAPBO.csr -keystore C:\SSL\BIKeystore.keystore -ext SAN=dns:<hostname>,dns:<FQDN>,dns:<alias 1>,dns:<alias 2>,...

    In the SAN extension, replace each placeholder with the hostname, the FQDN, and each alias of the server.

    Send the SAPBO.csr to the Certifying Authority (CA) to generate a CA signed certificate.

    You can create a self-signed certificate instead of a CA-signed certificate.

  3. Import the CA signed certificate into the BIKeystore.keystore file by running the following command:

    #Syntax
    keytool -importcert -keystore <path of the keystore file> -alias <alias name>  -file <CA signed certificate name>
     
    #Example
    keytool -importcert -keystore C:\SSL\BIKeystore.keystore -alias sapcert  -file SAPBO.cer