Enabling SSL protocol and integrating Sterling and Cognos


By: Narottam and Chiranjeevi

Contents:

1. Introduction
2. Enabling SSL on the Sterling SSFS suite
   2.A: Enabling SSL on the application server
3. Enabling SSL on the Cognos BI server
   3.A: Enabling SSL on the Apache server
   3.B: Enabling SSL on the Cognos BI server
4. Integration of the Cognos server and the SSFS application server
5. Troubleshooting


Introduction to SSL:

SSL (Secure Sockets Layer) is a security protocol that provides a secure channel between two machines communicating over a network (the Internet or a local area network). It is mainly used when a web browser needs to connect securely to a web server over an insecure network.

Difference between HTTP and HTTPS:

HTTP is insecure and subject to attacks that can let an attacker gain access to critical information such as bank details, whereas HTTPS makes sure that the data sent over the Internet is encrypted and hence secure.

Thus there is a need to enable SSL on the Sterling framework, since it deals with highly sensitive data which should be sent securely using encryption.

When a business user is using the IBM Cognos BI server, that traffic must also be encrypted using the SSL protocol. Hence this document tries to help enable SSL on the Sterling framework as well as on the Cognos BI server, and to help with the integration of the two.


Enabling SSL on the SSFS suite

Enabling SSL on the SSFS suite depends on the application server where the application EAR/WAR is deployed. Enabling SSL on SSFS if your application server is:

1. WebLogic

a. Launch the WebLogic admin console at

http://<machine_ip>:<port>/console/login/LoginForm.jsp

   e.g.: http://localhost:7001/console/login/LoginForm.jsp

b. Log in to WebLogic using the admin credentials.

c. Once you are logged in to the admin console, click on the Environment tab in the left-hand side panel.

d. Click on the Server tab in the middle of the page.

e. You will be redirected to a new page; click on AdminServer.

f. A page will open listing the port details. Set the SSL port number as desired.

g. Click Save. You will be redirected to a new page.

h. Click on Activate Changes.

i. Activating changes will ask for Lock & Edit.

j. Once you do Lock & Edit, everything is saved and you are all set to restart the server.

k. You can see the SSL port enabled in the server trace.

    

2. JBoss

In this configuration you need three files:

1. server.keystore - contains the key pair
2. server.cer - server certificate exported from the keystore
3. client.truststore - contains the server certificate

1. Set the JAVA_HOME and PATH variables and change directory to JAVA_HOME/jre/lib/security (change the JDK path appropriately):

export JAVA_HOME=/apps/com/jdk1.6.0_22
export PATH=$JAVA_HOME/bin:$PATH
cd $JAVA_HOME/jre/lib/security

2. Create the server keystore:

keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"

3. Create the server certificate:

keytool -export -alias serverkeys -keystore server.keystore -storepass 123456 -file <certificate_name>.cer

4. Configure JBoss

Comment out the following lines in JBOSS_HOME/server/<PROFILE>/deploy/jbossweb.sar/server.xml:

<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
           connectionTimeout="20000" redirectPort="8443" />

Uncomment the following lines...

<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="52743" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="JAVA_HOME/jre/lib/security/server.keystore"
           keystorePass="123456" sslProtocol="TLS" />

...and change the values of keystoreFile and keystorePass to the values for your key.

5. Restart the server.
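As an added example (not part of the original post), the following Python script parses a server.xml fragment like the one above and checks that the SSL connector is consistent before the server is restarted: SSLEnabled, scheme https, secure true, a keystoreFile that has been changed from the literal JAVA_HOME placeholder and exists on disk, a keystorePass that is not the tutorial value 123456, and an sslProtocol of TLS. The embedded XML and the keystore path under /apps/com/jdk1.6.0_22 are constructed for the example; the path_exists parameter is a hook so the check can run without a real keystore.

```python
"""Check the SSL Connector in a JBoss Web server.xml fragment (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's server.xml edit: the plain HTTP
# connector is commented out and the SSL connector is active. The keystore
# path is a made-up absolute path standing in for the JAVA_HOME placeholder.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <!--
    <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
               connectionTimeout="20000" redirectPort="8443" />
    -->
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="52743" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/apps/com/jdk1.6.0_22/jre/lib/security/server.keystore"
               keystorePass="123456" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Passwords that appear in tutorials and must not survive into a real deployment.
SAMPLE_PASSWORDS = {"", "123456", "changeit", "password"}


def check_ssl_connectors(xml_text, path_exists=os.path.exists):
    """Return a list of findings for the SSLEnabled connectors in xml_text.

    An empty list means the SSL connector(s) look consistent. path_exists is a
    hook so the check can run without a real keystore on disk.
    """
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "false").lower() == "true"]
    if not ssl_connectors:
        return ['no Connector with SSLEnabled="true" found: SSL is not enabled']

    findings = []
    for c in ssl_connectors:
        tag = f"SSL connector on port {c.get('port', '?')}"
        if c.get("scheme") != "https":
            findings.append(f'{tag}: scheme should be "https"')
        if c.get("secure", "").lower() != "true":
            findings.append(f'{tag}: secure should be "true"')
        keystore = c.get("keystoreFile", "")
        if not keystore:
            findings.append(f"{tag}: keystoreFile is missing")
        elif keystore.startswith("JAVA_HOME"):
            # The page's template keeps a literal JAVA_HOME prefix; JBoss does
            # not expand it, so the value has to be replaced by a real path.
            findings.append(f"{tag}: keystoreFile still has the JAVA_HOME placeholder: {keystore}")
        elif not path_exists(keystore):
            findings.append(f"{tag}: keystoreFile does not exist: {keystore}")
        if c.get("keystorePass", "") in SAMPLE_PASSWORDS:
            findings.append(f"{tag}: keystorePass is empty or a well-known sample value")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"{tag}: sslProtocol should be TLS, not {c.get('sslProtocol')}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_connectors(SAMPLE_SERVER_XML) or ["OK"]:
        print(finding)
```

Run against the sample, the only finding is the tutorial keystore password, which is exactly the value the page tells you to replace; point the script at the real server.xml to confirm the keystoreFile path resolves on the host that will run JBoss.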

 

3. WebSphere

· Log in to the admin console of the WebSphere instance.

· You will be taken to the Welcome page of the WebSphere console, where all tasks are listed in the left-hand side panel.

· Next, click on the Servers tab listed in the left-hand side panel.

· Click on the Server Types tab.

· Clicking on Server Types will list all types of server present in the node.

· Click on WebSphere application servers. This will list all the server domains running on the machine.

· Select the server on which you are planning to enable SSL. In this case we will be using the 'test04' server for explanation purposes.

· When you click on the 'test04' server, you will be taken to the application server Runtime / Configuration console.

· Expand the Ports tab (under Communications) on the right side of the panel.

· Expanding the Ports tab will list all communication ports in use by the server. Note the two ports WC_defaulthost and WC_defaulthost_secure. WC_defaulthost is used for the normal HTTP protocol; WC_defaulthost_secure is the SSL / HTTPS port used for application communication.

· Note the value of WC_defaulthost_secure; you just need to add this SSL port to the virtual host list. For this:

· Click on the Environment tab in the left-hand side panel.

· Expand the Environment tab; you will see something like the figure below.

· Click on the Virtual Hosts tab. You will see all the virtual hosts on the machine. In our BLR functional QA set-up, in most cases we use 'default host' to listen on our ports.

· Click on default host, then on Host Aliases as shown in the figure below.

· Click on the New tab at the top to add new ports to the virtual host list.

· Fill in the general properties. Put * in the host name field and add the SSL port in the port field. Click Apply / OK once done.

· Click Save once done, as directed in the above diagram.

· You now need to restart the server. Check the server trace in SystemOut.log for the port. You can see SystemOut.log by logging in to the machine and navigating to the folder /apps/AppServer/was7.0/profiles/AppSrv01/logs. There, a folder with the server name is present; all server logs are generated there. Navigate to this folder to see SystemOut.log.


Enabling SSL on the Cognos BI Server

Enabling SSL for the SBI application requires SSL to be implemented for the following components:

1. Enabling SSL in the Apache Server:

Install the Apache server with SSL:

Make sure to pass the --enable-ssl --enable-setenvif parameters (in order to enable SSL) while configuring the Apache server:

./configure --enable-mods-shared=all --enable-proxy --enable-proxy-connect --enable-proxy-balancer --enable-proxy-http --enable-rewrite --enable-cache --enable-headers --enable-deflate --with-included-apr --prefix=/opt/apache/install --enable-so --enable-ssl --enable-setenvif --with-mpm=worker --with-pcre=/opt/pcre

--enable-ssl activates Apache's built-in encryption capabilities to protect visitors to your web site.

--enable-setenvif gives Apache the capability to handle some quirks in Internet Explorer.

Compile and install Apache with the following commands:

• make
• make install

Changes to be made in the httpd.conf file:

Uncomment the httpd-ssl.conf Include line in the <ApacheInstallLocation>/conf/httpd.conf file:

Include conf/extra/httpd-ssl.conf

Changes to be made in httpd-ssl.conf:

1. Specify the Listen port (SSL port). By default the port is 443. Change it to a port of your choice if you do not intend to use the default port.

2. Point the SSLCertificateFile parameter to the certificate provided or created.

   For example: SSLCertificateFile "/opt/apache/install/conf/server.crt"

Start the Apache server from the <ApacheInstallLocation>/bin folder:

./apachectl start

With this, SSL is configured in the Apache server.

 

 

 

2. Enabling SSL in the Cognos BI Server (10.1.1):

1. Start IBM Cognos Configuration.

2. In the Explorer window, click Environment.

3. In the Properties window, type the appropriate values for the Internal dispatcher URI and External dispatcher URI properties.

   o To configure SSL for internal connections only, for the Internal dispatcher URI property, type https and a port for SSL communication. For the External dispatcher URI property, type http and use the default or another available port.

   o To configure SSL for external connections only, for the External dispatcher URI property, type https and a secure port. For the Internal dispatcher URI property, type http and use the default or another available port.

   o To configure SSL for all connections, type the same URI for both the Internal dispatcher URI and External dispatcher URI properties. Type https and a secure port, such as 9343.

Note: You do not have to use port 9343, the default SSL port. You can choose any available port.

4. Configure the SSL protocol for the other environment URIs, including the Content Manager URIs, the Dispatcher URI for external applications, and the Gateway URI.

   o For internal connections only, type https in the URIs that contain localhost or an IP address.

   o For external connections only, type https in the URIs that do not contain localhost or an IP address.

   o For all connections, type https in all the URIs.

5. From the File menu, click Save.

Import the certificate by typing the specified command from the <Cognos10InstallLocation>/bin folder:

On UNIX or Linux:

ThirdPartyCertificateTool.sh -T -i -r certificate.cert -D ../configuration/signkeypair/jCAKeystore -p password

On Windows:

ThirdPartyCertificateTool.bat -T -i -r certificate.cert -D ../configuration/signkeypair/jCAKeystore -p password

Note: certificate.cert is assumed to be the third-party certificate.

6. Start the Cognos service.

With this, SSL is configured in the Cognos BI server.

7. Make changes in the customer_overrides.properties file so that the yfs.analytics.reportnet.url property uses the https URL.

For example: yfs.analytics.reportnet.url=https://9.113.210.101:8999/ibmcognos1/cgi-bin/cognos.cgi
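The rules in steps 3 and 4 above (which URIs switch to https for internal-only, external-only, or all connections, and that both dispatcher URIs must be identical in the all-connections case) are easy to get half right by hand. The following Python example, added here and not part of the original post or of IBM Cognos, applies those rules to a map of URIs and checks a map against them. The dictionary keys are this example's own labels for the Cognos Configuration properties, the hostnames are constructed, and three details go beyond the page and are assumptions: the two dispatcher URIs move to the SSL port (9343 by default), the other URIs keep their existing port and only change scheme, and in "all" mode the internal dispatcher URI is set equal to the external one.

```python
"""Apply and check the Cognos dispatcher URI SSL rules from steps 3 and 4 (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Dict keys are this example's own labels for the Cognos Configuration properties.
DISPATCHER_KEYS = ("internal_dispatcher_uri", "external_dispatcher_uri")

# Constructed sample of the environment URIs as they read before SSL is enabled.
SAMPLE_URIS = {
    "internal_dispatcher_uri": "http://localhost:9300/p2pd/servlet/dispatch",
    "external_dispatcher_uri": "http://cognos.example.internal:9300/p2pd/servlet/dispatch",
    "dispatcher_uri_external_apps": "http://cognos.example.internal:9300/p2pd/servlet/dispatch",
    "content_manager_uri": "http://localhost:9300/p2pd/servlet",
    "gateway_uri": "http://cognos.example.internal:80/ibmcognos/cgi-bin/cognos.cgi",
}


def is_internal(uri):
    """Page rule: a URI is internal when its host is localhost or a literal IPv4 address."""
    host = urlsplit(uri).hostname or ""
    if host == "localhost":
        return True
    octets = host.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def wants_https(uri, mode):
    """Which URIs get https for mode 'internal', 'external' or 'all'."""
    if mode == "all":
        return True
    if mode == "internal":
        return is_internal(uri)
    if mode == "external":
        return not is_internal(uri)
    raise ValueError(f"unknown SSL mode: {mode!r}")


def apply_ssl_mode(uris, mode, ssl_port=9343):
    """Return a new URI map with https applied according to mode.

    Assumptions beyond the page: the two dispatcher URIs move to ssl_port
    (9343 is the default the page names); every other URI keeps its port and
    only changes scheme; in 'all' mode the internal dispatcher URI is set to
    the external one, since the page only says the two must be identical.
    """
    out = {}
    for name, uri in uris.items():
        if not wants_https(uri, mode):
            out[name] = uri
            continue
        parts = urlsplit(uri)
        port = ssl_port if name in DISPATCHER_KEYS else parts.port
        netloc = parts.hostname if port is None else f"{parts.hostname}:{port}"
        out[name] = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    if mode == "all" and all(k in out for k in DISPATCHER_KEYS):
        out["internal_dispatcher_uri"] = out["external_dispatcher_uri"]
    return out


def check_ssl_mode(uris, mode):
    """Return a list of problems; an empty list means the URIs match the mode."""
    problems = []
    for name, uri in uris.items():
        expected = "https" if wants_https(uri, mode) else "http"
        actual = urlsplit(uri).scheme
        if actual != expected:
            problems.append(f"{name}: expected {expected}, found {actual}")
    if mode == "all":
        internal, external = (uris.get(k) for k in DISPATCHER_KEYS)
        if internal != external:
            problems.append("internal and external dispatcher URIs must be identical in 'all' mode")
    return problems


if __name__ == "__main__":
    for mode in ("internal", "external", "all"):
        updated = apply_ssl_mode(SAMPLE_URIS, mode)
        print(mode, check_ssl_mode(updated, mode) or "OK")
        for name, uri in updated.items():
            print(f"  {name} = {uri}")
```

check_ssl_mode is the useful half in practice: paste the URIs out of IBM Cognos Configuration into the dictionary and run it for the mode you chose before saving, and any URI still on http (or the two dispatcher URIs differing in "all" mode) is reported by name.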

 

Integration over SSL

Integrating the two servers mainly depends on a common certificate which is imported into the respective JVMs. We have the Sterling JVM and the Cognos JVM (on Windows, if JAVA_HOME is not specified, Cognos uses its own JVM; on Linux there is no Cognos JVM).

For example purposes we will use a certificate created with openssl from the Apache server's bin folder. The steps are mentioned below.

a. Go to the <ApacheInstallLocation>/bin folder.

b. Run the following command:

openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Company/OU=Department/CN=www.example.com'

c. On running the command, the following files are created under the <ApacheInstallLocation>/bin folder:

• server.key
• server.crt

Importing the certificate into the Cognos JVM:

Import the certificate by typing the specified command from the <Cognos10InstallLocation>/bin folder:

On UNIX or Linux:

ThirdPartyCertificateTool.sh -T -i -r server.crt -D ../configuration/signkeypair/jCAKeystore -p password

On Windows:

ThirdPartyCertificateTool.bat -T -i -r server.crt -D ../configuration/signkeypair/jCAKeystore -p password

Note: The password should already have been set. If not, the default password is NoPassWordSet.

Importing the certificate into the Sterling JVM:

Run the following command from JRE_HOME:

<JRE_HOME>\bin\keytool.exe -import -trustcacerts -alias myCert -keystore <JRE_HOME>/lib/security/cacerts -storepass changeit -file <CA.crt>

 

Troubleshooting

There might be some issues because of which the integration fails. Some of the issues found and their remediation are listed below.

Issue:

Not able to log in from the Sterling application when authentication is enabled on Cognos.

Cause:

The reason may be unknown to the end user, since this error is not captured in the SCI logs. So we need to enable a proper logging mechanism so that the exact error can be captured.

1. Enabling debug:

a. Copy these debug settings into <Cognos_Install>\webapps\p2pd\WEB-INF\classes\analytics.properties:

#Debug settings
log4j.rootLogger=debug,logfile
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=E:/logs/sbilog.log

b. sscap-auth.jar: add this line to the init method of YantraAuthentication.java and compile:

PropertyConfigurator.configure(YantraAuthentication.class.getResource("/analytics.properties"));

Note: Make sure to import

import org.apache.log4j.PropertyConfigurator;

Replace the YantraAuthentication.class file in sscap-auth.jar.

Steps:
1. Copy the sscap-auth.jar file to <Cognos_Install>\webapps\p2pd\WEB-INF\lib
2. Make changes in analytics.properties under #Debug settings as per requirements (log file name, path).
3. Restart the Cognos server.

2. Error logs captured:

Error Log 1:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause: The certificate is not imported in one of the JVMs:
1. Check whether there is a key with the same CN information but a different alias, because Java checks whether there is an existing key for that CN in the keystore even though we want the newer one to be used. You need to have all the certificates, all the way down the chain to the root, in your keystore so that it can validate your credentials.
2. Try re-importing the certificates as shown in the steps above.

Error Log 2:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: could not verify peer certificate: C=BH,ST=India,L=Banglore,O=XYZ-CORP,OU=Test,CN=oms.xyz.xyzcorp.net,q.r.xyz.abc.d.e.f=alis@xyz.com
        at gnu.javax.net.ssl.provider.SSLSocket.doClientHandshake(libgcj.so.7rh)
        at gnu.javax.net.ssl.provider.SSLSocket.startHandshake(libgcj.so.7rh)
        at gnu.java.net.protocol.http.HTTPConnection.getSocket(libgcj.so.7rh)
Caused by: java.security.cert.CertificateException
        at gnu.javax.net.ssl.provider.X509TrustManagerFactory$Manager.checkTrusted(libgcj.so.7rh)
        at gnu.javax.net.ssl.provider.X509TrustManagerFactory$Manager.checkServerTrusted(libgcj.so.7rh)
        at gnu.javax.net.ssl.provider.SSLSocket.doClientHandshake(libgcj.so.7rh)

Cause: The server does not have a valid SSL certificate, the certificate may have expired, or the certificates were not imported into the JVM at all.

1. Make sure to use the command below with the correct JVM for both servers:

<JRE_HOME>\bin\keytool.exe -import -trustcacerts -alias <CAName> -keystore <JRE_HOME>/lib/security/cacerts -storepass changeit -file <CA.crt>
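Once the debug logging above is in place, the two failures are easy to tell apart mechanically. The following Python script is an added example (not part of the original post) that scans a log for the two exception signatures quoted above, records the line where each occurs, pulls the CN out of the rejected peer certificate for the SSLPeerUnverifiedException case, and notes which SSL provider produced the stack frames: frames in libgcj (as in Error Log 2) mean the call ran under the GNU JVM rather than the Sun JVM whose cacerts you imported into, which is the "correct JVM" point the page makes. The log excerpt, timestamps and DN are constructed, and the remedy strings paraphrase the page's "Cause" notes.

```python
"""Classify the SSL handshake failures quoted in the troubleshooting section (added example)."""
import re

# Constructed log excerpt modelled on the two error logs above; the DN and the
# DEBUG/INFO lines are made up for the example.
SAMPLE_LOG = """\
2013-05-06 10:00:00 DEBUG YantraAuthentication - init
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: could not verify peer certificate: C=BH,ST=India,L=Banglore,O=XYZ-CORP,OU=Test,CN=oms.xyz.xyzcorp.net
        at gnu.javax.net.ssl.provider.SSLSocket.doClientHandshake(libgcj.so.7rh)
Caused by: java.security.cert.CertificateException
2013-05-06 10:00:05 INFO  report rendered
"""

# (kind, pattern, remediation paraphrased from the page's "Cause" notes)
PATTERNS = [
    ("untrusted_chain",
     re.compile(r"PKIX path building failed"),
     "the calling JVM does not trust the server certificate: import the whole chain "
     "down to the root into that JVM's truststore and look for an older key with the "
     "same CN under a different alias"),
    ("peer_unverified",
     re.compile(r"SSLPeerUnverifiedException: could not verify peer certificate:\s*(?P<dn>.+)$"),
     "the server certificate could not be validated (invalid, expired or never imported): "
     "re-import it into both JVMs"),
]


def classify_log(text):
    """Return (findings, jvm_hints).

    findings: one dict per matching line with line number, kind, remedy and,
    for peer_unverified, the CN of the rejected peer certificate.
    jvm_hints: which SSL provider produced the stack frames, which tells you
    which JVM's truststore actually needs the certificate.
    """
    findings, jvm_hints = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if "libgcj" in line:
            jvm_hints.add("GNU libgcj")
        elif "com.sun.net.ssl.internal" in line:
            jvm_hints.add("Sun JSSE")
        for kind, pattern, remedy in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            finding = {"line": lineno, "kind": kind, "remedy": remedy}
            if kind == "peer_unverified":
                cn = re.search(r"CN=([^,]+)", match.group("dn"))
                finding["peer_cn"] = cn.group(1).strip() if cn else None
            findings.append(finding)
    return findings, sorted(jvm_hints)


if __name__ == "__main__":
    results, jvms = classify_log(SAMPLE_LOG)
    for f in results:
        extra = f" (peer CN {f['peer_cn']})" if "peer_cn" in f else ""
        print(f"line {f['line']}: {f['kind']}{extra}")
        print("  remedy:", f["remedy"])
    print("SSL providers seen in stack traces:", ", ".join(jvms) or "none")
```

Point classify_log at the file named in log4j.appender.logfile.File (E:/logs/sbilog.log in the settings above); the peer CN it extracts is the name you should expect to find, under some alias, in the truststore of whichever JVM the jvm_hints identify.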
 

