Configuring WebFOCUS Business User Edition for SSL

The Hypertext Transfer Protocol over Secure Socket Layer (https) establishes an encrypted Secure Socket Layer (SSL) connection, and should be used to secure communications between WebFOCUS Business User Edition and browsers assigned to end users. There are many configuration options that enable the use of this protocol, one of which is the Apache Tomcat configuration, as described in this section. WebFOCUS Business User Edition uses this configuration by default.

To activate Secure Socket Layer-based communications, create a self-signed certificate for Java. You can optionally submit it to a Certificate Authority to establish it as a trusted certificate. The keytool utility that creates the certificate also modifies the connection type from open to SSL. Therefore, you must comment out the default Connector Protocol setting in the Tomcat server.xml file, and ensure that a setting for the new SSL Connector Protocol appears there instead.

Procedure: How to Create a Self-Signed Certificate

To create a Self-Signed Certificate with Java:

  1. Open the command prompt window and change to the following directory:

    drive:\ibi\WebFOCUS_BUE82\jre\bin

  2. Type the keytool command and values as shown in the following example (all options take a single leading hyphen):
    keytool -genkeypair -alias mykey -ext san=dns:dnsName1,dns:dnsName2… -keyalg RSA -validity 720 -keystore /path_to_keystore/keystore -keysize 2048 -storepass MyPassword

    where:

    dnsName

    Is the name, or alias, of the entity (the subject) that will present this certificate for authentication. You can include multiple names to ensure that all versions of the subject name are recognized. For multiple alternative names, use the syntax dns:first_dnsName,dns:second_dnsName, and so on.

    For example, dns:bue,dns:bue.ibi.com.

    MyPassword

    Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.

    /path_to_keystore/keystore

    Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

    Note: The name mykey is important if you need to issue a -certreq (certificate request) for a certificate signed by a Certificate Authority.

  3. Press Enter.

    The command prompt displays the first in a series of questions.

  4. Respond to each question as follows:
    • “What is your first and last name?” Type the first and last name of the certificate holder.
    • “What is the name of your organizational unit?” Type the name of the organizational unit of the certificate holder.
    • “What is the name of your organization?” Type the name of the organization of the certificate holder.
    • “What is the name of your City or Locality?” Type the name of the city or locality of the certificate holder.
    • “What is the name of your State or Province?” Type the two-letter abbreviation for the state in which the certificate holder is located.
    • “What is the two-letter country code for this unit?” Type the two-letter abbreviation for the country in which the certificate holder is located.
  5. When the command prompt displays the question, “Is CN=__, OU=__, O=__, L=__, ST=__, C=__ correct?”, review the values and type y if they are correct.

    If they are not correct, type n and retype the keytool command from step 2.

    If they are correct, the new Self-Signed Certificate is ready for use.

Establishing the Self-Signed Certificate as a Trusted Certificate

Until you identify the new self-signed certificate to the browser as a Trusted Certificate, the browser will display errors when you use it. During the initial testing period, you can add the new self-signed certificate directly to the Trusted Certificate Authority of those browsers included in the test. However, to fully establish the new certificate as a trusted certificate, you typically request certification for it from a Certificate Authority using the following request:

keytool -certreq -alias mykey -storepass MyPassword -file ./mykey.csr -keystore /path_to_keystore/keystore

where:

MyPassword

Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.

/path_to_keystore/keystore

Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

You can then send the certificate request file (mykey.csr) to a Certificate Authority to sign, and when the authority returns the signed certificate, import it into the keystore.

Importing the Trusted Certificate into the Keystore

To import your certificate from the CA, type the following command:

keytool -import -alias mykey -file ./mykey.crt -keystore /path_to_keystore/keystore

where:

/path_to_keystore/keystore

Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

If your CA is an internal CA, also import the certificate of the Certificate Authority itself (ca.crt) as a trusted certificate, by typing the following command:

keytool -import -alias CA -trustcacerts -file ./ca.crt -keystore /path_to_keystore/keystore

where:

/path_to_keystore/keystore

Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

Updating the Connector Protocols in the Tomcat Server.xml File

The Tomcat server.xml file is located in the following directory:

drive:\ibi\WebFOCUS_BUE82\tomcat\conf

The keytool utility disables the http connection assigned to port 26000. Therefore, you must comment out the Connector tag in the server.xml file that defines this http-based connection by typing an exclamation point (!) after the open tag symbol (<).

<Connector connectionTimeout="20000" maxPostSize="-1" port="26000" protocol="HTTP/1.1" redirectPort="26001" useBodyEncodingForURI="true"/>

The keytool utility also establishes an SSL connector on port 443. This connection replaces the old http-based connection. Therefore, if it does not appear in the file, you must type this updated version of the Connector tag, with its attributes and values, as shown in the following example.

<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" SSLEnabled="true" keystoreFile="C:/users/path_to_keystore/keystore" keystorePass="MyPassword" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>

where:

/path_to_keystore/keystore

Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

MyPassword

Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.
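As an added check that is not part of the WebFOCUS documentation, the following Python script lints a server.xml for the cut-over this section describes: it confirms that no plaintext connector is still active on port 26000, that an SSL-enabled connector exists on port 443, and flags the TLS_RSA_* cipher suites from the example (static RSA key exchange, no forward secrecy) and a keystorePass left at the documented default. The sample XML is constructed here and wraps the old connector in a standard XML comment; the port numbers and attribute names are the ones shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the connector section after the cut-over described above.
# The plaintext connector on 26000 is wrapped in a standard XML comment and the
# SSL connector on 443 carries the attributes shown in this section.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector connectionTimeout="20000" maxPostSize="-1" port="26000"
               protocol="HTTP/1.1" redirectPort="26001" useBodyEncodingForURI="true"/>
    -->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443"
               SSLEnabled="true" keystoreFile="C:/users/path_to_keystore/keystore"
               keystorePass="MyPassword" maxThreads="150" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>
"""


def lint_connectors(xml_text, http_port="26000", ssl_port="443"):
    """Return a list of findings; an empty list means the cut-over looks complete."""
    findings = []
    root = ET.fromstring(xml_text)
    # The parser drops XML comments, so only connectors that Tomcat would
    # actually start are visible here.
    live = {c.get("port"): c for c in root.iter("Connector")}
    if http_port in live:
        findings.append(f"plaintext HTTP connector on port {http_port} is still active")
    ssl = live.get(ssl_port)
    if ssl is None or ssl.get("SSLEnabled", "").lower() != "true":
        findings.append(f"no SSL-enabled connector on port {ssl_port}")
        return findings
    ciphers = [c.strip() for c in ssl.get("ciphers", "").split(",") if c.strip()]
    # TLS_RSA_* suites use static RSA key exchange: a leaked private key
    # decrypts recorded sessions, because there is no forward secrecy.
    no_pfs = [c for c in ciphers if c.startswith("TLS_RSA_")]
    if no_pfs:
        findings.append("ciphers without forward secrecy: " + ", ".join(no_pfs))
    if ssl.get("keystorePass") == "MyPassword":
        findings.append("keystorePass is still the default value from the documentation")
    return findings


if __name__ == "__main__":
    for finding in lint_connectors(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```

Point the script at the real file by reading drive:\ibi\WebFOCUS_BUE82\tomcat\conf\server.xml into xml_text; Tomcat ignores connectors inside <!-- --> exactly as the parser here does.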
