BusinessObjects Enterprise Administrator's Guide

Configuring servers for SSL

You can use the Secure Sockets Layer (SSL) protocol for all network communication between clients and servers in your BusinessObjects Enterprise deployment.

To set up SSL for all server communication you need to perform the following steps:

• Deploy BusinessObjects Enterprise with SSL enabled.
• Create key and certificate files for each machine in your deployment.
• Configure the location of these files in the Central Configuration Manager (CCM) and your web application server.

Creating key and certificate files

To set up SSL protocol for your server communication, use the SSLC command line tool to create a key file and a certificate file for each machine in your deployment.

Note:    

• You need to create certificates and keys for all machines in the deployment, including machines running thick client components such as Crystal Reports. For these client machines, use the sslconfig command line tool to do the configuration.
• For maximum security, all private keys should be protected and should not be transferred through unsecured communication channels.
• For more information about using the SSLC command line tool, consult the SSLC documentation.

To create key and certificate files for a machine

1. Run the SSLC.exe command line tool.

The SSLC tool is installed with your BusinessObjects Enterprise software. (On Windows, for example, it is installed by default in C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86.)

2. Type the following command:

sslc req -config sslc.cnf -new -out cacert.req

This command creates two files, a Certificate Authority (CA) certificate request (cacert.req) and a private key (privkey.pem).

3. To decrypt the private key, type the following command:

sslc rsa -in privkey.pem -out cakey.pem

This command creates the decrypted key, cakey.pem.

4. To sign the CA certificate, type the following command:

sslc x509 -in cacert.req -out cacert.pem -req -signkey cakey.pem -days 365

This command creates a self-signed certificate, cacert.pem, that expires after 365 days. Choose the number of days that suits your security needs.

5. Open the sslc.cnf file, stored in the same folder as the SSLC command line tool. Perform the following steps based on settings in the sslc.cnf file.
• Place the cakey.pem and cacert.pem files in the directories specified by sslc.cnf file's certificate and private_key options.

  By default, the settings in the sslc.cnf file are:

  certificate = $dir/cacert.pem

  private_key = $dir/private/cakey.pem

• Create a file with the name specified by the sslc.cnf file's database setting.

  Note:    By default, this file is $dir/index.txt. The file can be empty.

• Create a file with the name specified by the sslc.cnf file's serial setting.

  Ensure that this file provides an octet-string serial number (in hexadecimal format).

  Note:    To ensure that you can create and sign more certificates, choose a large even hexadecimal number, such as 11111111111111111111111111111111.)'

• Create the directory specified by the sslc.cnf file's new_certs_dir setting.
6. To create a certificate request and a private key, type the following command:

sslc req -config sslc.cnf -new -out servercert.req

The certificate and key files generated are placed under the current working folder.

7. Make a copy of the private key.

copy privkey.pem server.key

8. To sign the certificate with the CA certificate, type the following command:

sslc ca -config sslc.cnf -days 365 -out servercert.pem -in servercert.req

This command creates the servercert.pem file, which contains the signed certificate.

9. Use the following commands to convert the certificates to DER encoded certificates:

sslc x509 -in cacert.pem -out cacert.der -outform DER

sslc x509 -in servercert.pem -out servercert.der -outform DER

Note:    The CA certificate (cacert.der) and its corresponding private key (cakey.pem) need to be generated only once per deployment. All machines in the same deployment must share the same CA certificates. All other certificates need to be signed by the private key of any of the CA certificates.

10. Create a text file for storing the plain text passphrase used for decrypting the generated private key.
11. Store the following key and certificate files in a secure location (under the same directory) that can be accessed by the machines in your BusinessObjects Enterprise deployment:
• the trusted certificate file (cacert.der)
• the generated server certificate file (servercert.der)
• the server key file (server.key)
• the passphrase file

  This location will be used to configure SSL for the CCM and your web application server.

Configuring the SSL protocol

After you create keys and certificates for each machine in your deployment, and store them in a secure location, you need to provide the Central Configuration Manager (CCM) and your web application server with the secure location.

To configure the SSL protocol in the CCM

1. In the CCM, right-click a server and choose Properties.
2. In the Properties dialog box, click the Protocol tab.
3. Provide the file path for the directory where you stored the key and certificate files.

Note:    Make sure you provide the directory for the machine that the server is running on.

4. Repeat steps 1 to 3 for all servers.

To configure the SSL protocol for the web application server

1. If you have a J2EE web application server, run the Java SDK with the following system properties set. For example:

-Dbusinessobjects.orb.oci.protocol=ssl
-DcertDir=d:\ssl
-DtrustedCert=cacert.der
-DsslCert=clientcert.der
-DsslKey=client.key
-Dpassphrase=passphrase.txt

The following table shows the descriptions that correspond to these examples:

Example	Description
DcertDir=d:\ssl	The directory to store all the certificates and keys.
DtrustedCert=cacert.der	Trusted certificate file. If specifying more than one, separate with semicolons.
DsslCert=clientcert.der	Certificate used by the SDK.
DsslKey=client.key	Private key of the SDK certificate.
Dpassphrase=passphrase.txt	The file that stores the passphrase for the private key.

2. If you have an IIS web application server, run the sslconfig tool from the command line and follow the configuration steps.