Importing security certificates for the TrueSight Operations Management Report Engine
TrueSight Operations Management Reporting communicates with various components in a secure manner using TLS. These components might operate like a client or a server based on the context of communication. To achieve TLS mode of communication, the security certificates need to be authenticated between a client and a server. If a component is operating as a client, it requires a truststore to verify the server's credentials. If a component is operating as a server, it requires a keystore that provides credentials to the client to verify. You must procure these certificate files from your organization's security administrator or generate the CA-signed certificates.
There are two types of certificate files that are used for authentication.
- A public certificate file which is a Certificate Authority (CA) signed certificate in .crt format.
- A private key file in Public-Key Cryptography Standards (PKCS) format, that is, a .p12 file.
Before you start the communication between these components, you must complete the task of importing the security certificates into the truststore or keystore files of the respective components. The following diagram indicates the default keystores and truststores used.
- Step a: To apply TrueSight Infrastructure Management SQL Anywhere database certificate to Reporting Engine
- Step b: To apply Infrastructure Management server and cell certificate to Reporting Engine
- Step c: To apply Oracle/SQL database certificates to Reporting Engine
- Step d: To import the private key into the Report Engine keystore
- Step e: To create the signed certificates for SAP Business Objects Web client and secure it
- Where to go from here
Step a: To apply TrueSight Infrastructure Management SQL Anywhere database certificate to Reporting Engine
The Report engine uses the following certificate files procured from the Infrastructure Management SQL Anywhere database administrator for its communication.
- certificate file in .pem format
- key file in .pem format
- identity file in .pem format
Perform the following sequence of steps to procure these certificates from Infrastructure Management SQL Anywhere database administrator.
- Log on to the computer where the TrueSight Operations Management Report Engine is installed.
Procure the certificate, key, and identity file in .pem format from the Infrastructure Management SQL Anywhere database administrator and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
Step b: To apply Infrastructure Management server and cell certificate to Reporting Engine
The Report engine uses the cacerts as the default keystore and truststore for its communication with the Infrastructure Management server cell component. This truststore and keystore file is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.
Perform the following sequence of steps to secure the communication between the Infrastructure Management server cell and the Report engine component.
- Log on to the computer where the TrueSight Operations Management Reporting is installed.
Procure the Infrastructure Management server cell signed certificate, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.
The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
# Microsoft Windows operating system
CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
# Unix operating system
$cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured certificate from the Infrastructure Management server cell to the default truststore file by running the following command:
keytool -import -alias cell -file mcell.crt -keystore cacerts
Step c: To apply Oracle/SQL database certificates to Reporting Engine
The Reporting engine uses the cacerts as the default truststore file for its communication with the Reporting database (Oracle/SQL) or the external Oracle database communication. This truststore is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
Perform the following sequence of steps to secure the communication between the Reporting database (Oracle) and the Report engine component.
- Log on to the computer where the TrueSight Operations Management Reporting is installed.
- Perform the following steps depending on the type of the Reporting database used:
- Oracle database: Procure the oracle certificate from the oracle database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
- SQL database: Procure the SQL certificate from the SQL database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
# Microsoft Windows operating system
CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
# Unix operating system
$cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured Oracle certificate/SQL certificate into the default truststore file by running the following commands:
# Oracle database
keytool -importcert -trustcacerts -file oracle.crt -keystore cacerts -alias oracleCert
# SQL database
keytool -importcert -trustcacerts -file sqlcert.crt -keystore cacerts -alias sqlCert
Step d: To import the private key into the Report Engine keystore
TrueSight Operations Management Report Engine communicates with the Infrastructure Management server cell. In this context of communication the Report Engine operates as a server. To establish this communication the Report Engine has to have a keystore with a private key imported into it.
- Log on to the computer where the TrueSight Operations Management Report Engine is installed.
- Procure a private key in the PKCS12 format from the TrueSight Operations Management Report Engine security administrator, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.
The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
# Microsoft Windows operating system
CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
# Unix operating system
$cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured private key from the Report Engine system administrator to the default keystore file by running the following command:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password
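To confirm that the imports in steps b to d landed in cacerts with the intended entry types, the output of keytool -list can be checked against the expected aliases. The following is an added example, not BMC's code; the listing is constructed, and the alias reportengine and the function names are assumptions.

```shell
# Added example (not BMC code): compare `keytool -list` output with the
# aliases and entry types that the import steps should produce.

# entry_kind ALIAS: read a listing on stdin, print the entry type of ALIAS
# or "missing". Case is ignored because JKS keystores store aliases in
# lower case (oracleCert is listed as oraclecert).
entry_kind() {
    awk -v want="$1" '
        # Entry lines look like: alias, Jan 5, 2024, trustedCertEntry,
        /Entry,[ \t]*$/ {
            n = split($0, f, /,[ \t]*/)
            kind = (f[n] == "") ? f[n - 1] : f[n]
            if (tolower(f[1]) == tolower(want)) { print kind; found = 1; exit }
        }
        END { if (!found) print "missing" }
    '
}

# verify_entries LISTING alias=kind...: print one line per mismatch and
# return 1 if any expectation is not met.
verify_entries() {
    listing=$1; shift; rc=0
    for want in "$@"; do
        name=${want%%=*}; kind=${want#*=}
        got=$(printf '%s\n' "$listing" | entry_kind "$name")
        if [ "$got" != "$kind" ]; then
            echo "FAIL $name: expected $kind, found $got"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed listing of the Report Engine cacerts file; sqlcert is absent,
# as when -keystore named a different file. "reportengine" is a
# hypothetical alias for the key that server.p12 carries.
SAMPLE_CACERTS='Your keystore contains 3 entries

cell, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)
oraclecert, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)
reportengine, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)'

verify_entries "$SAMPLE_CACERTS" cell=trustedCertEntry \
    oracleCert=trustedCertEntry sqlCert=trustedCertEntry \
    reportengine=PrivateKeyEntry || echo "cacerts does not match steps b to d"
```

Against a live store, pass "$(keytool -list -keystore cacerts -storepass <password>)" as the first argument. For the BIKeystore.keystore file created in step e, the expectation is sapserv=PrivateKeyEntry.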
Step e: To create the signed certificates for SAP Business Objects Web client and secure it
SAP Business Objects Central Management Server communicates with the BI Launchpad web client. The SAP BO Tomcat server uses the BIKeystore keystore for its communication with the BI Launchpad web client. SAP Business Objects 4.1 is installed with the Java runtime supported by SAP (SAPJVM). The keytool utility that is used to create certificate files is located in the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory. Perform the following steps to generate a CA-signed certificate and place it in the BIKeystore keystore file:
To create a keystore, navigate to the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory and run the following command. The command prompts you for details such as name and organization, as shown in the following code block. Enter the details appropriately.
keytool -genkey -keyalg RSA -keysize 4096 -sigalg sha256withRSA -alias sapserv -keystore C:\SSL\BIKeystore.keystore
...
...
What is the name of your organizational unit?
[Unknown]: <organizational unit>
What is the name of your organization?
[Unknown]: <company>
What is the name of your City or Locality?
[Unknown]: <city>
What is the name of your State or Province?
[Unknown]: <state>
What is the two-letter country code for this unit?
[Unknown]: <country code>
Is CN=<FQDN of SAP server>, OU=<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
[no]: yes
The preceding command generates the BIKeystore.keystore file in the C:\SSL directory.
To create a Certificate Signing Request (CSR), navigate to the keytool location where Java 7 or later is installed and run the following command. In the -ext SAN value, replace the placeholders with the hostname, the FQDN, and each alias of the server.
keytool -certreq -keyalg RSA -keysize 4096 -alias sapserv -file C:\SSL\SAPBO.csr -keystore C:\SSL\BIKeystore.keystore -ext SAN=dns:<hostname>,dns:<FQDN>,dns:<alias 1>,dns:<alias 2>
Send the SAPBO.csr to the Certifying Authority (CA) to generate a CA signed certificate.
Import the CA signed certificate into the BIKeystore.keystore file by running the following command:
#Syntax
keytool -importcert -keystore <path of the keystore file> -alias <alias name> -file <CA signed certificate name>
#Example
keytool -importcert -keystore C:\SSL\BIKeystore.keystore -alias sapserv -file SAPBO.cer