SAP Business Objects is a Java application, and when something needs to be configured the application itself is usually the focus rather than the underlying web server.
In this article I show how to configure the Apache Tomcat web server securely.
The Tomcat web server is an open source web server that runs Java applications. SAP installs it as the standard web server. However, you can install Business Objects on other Java web servers if they are supported by SAP.
Which Tomcat version is available depends on the SAP Business Objects release. This can be found in SAP note 2112338. There you can see, for example, that the following dependencies exist:
SAP product | Tomcat version | SAP JVM | based on Oracle JVM
BI 4.2 SP04 | 8.5.13 | 8.1.015 | 8u72
This is important when it comes to the SSL configuration of the Tomcat server. Tomcat can use either OpenSSL or the native Java Secure Socket Extension (JSSE) implementation for SSL. However, OpenSSL is not installed with the SAP Business Objects installation.
With the following command we create a new keystore and set a distinguished name. At least the Common Name (CN) must be specified for this. With the SAN (Subject Alternative Name) extension we additionally set the fully qualified hostname (FQDN). This becomes important later with the signed certificate.
The keystore has been placed in a secure folder on which access rights are restricted.
D:\%JAVA_HOME%\bin\keytool -genkey -alias bopserver -keyalg RSA -keysize 2048 -keystore D:\secure\%COMPUTERNAME%_keystore.jks -dname "CN=hostname.example.org,OU=SAP-Basis, O=an-it, L=Halle, ST=NRW, C=DE" -ext SAN=dns:<hostname.example.org>
To prevent the HTTPS connection from displaying errors in the browser, it is important to set the SAN extension and have this certificate signed by a Certificate Authority (CA). In companies, an internal Public Key Infrastructure (PKI) is usually set up to centrally manage such certificates. If the CA’s certificate is then stored in the users’ browsers, e.g. via AD group policy, there are no errors or warnings in the browser.
The certificate request was generated and the CSR file was sent to the PKI managers for signing.
D:\%JAVA_HOME%\bin\keytool -certreq -alias bopserver -file D:\secure\%COMPUTERNAME%.csr -keystore D:\secure\%COMPUTERNAME%_keystore.jks -ext SAN=dns:<hostname.example.org>
Once the certificate has been signed, it still needs to be imported into the keystore.
D:\%JAVA_HOME%\bin\keytool -import -alias bopserver -file D:\secure\<hostname>_chain_cert.p7b -keystore D:\secure\%COMPUTERNAME%_keystore.jks
After that, the Tomcat web server can be configured for HTTPS.
The Tomcat server configuration is located at
In this folder, the server.xml must be modified as follows. The connector port “8080” is used by default for HTTP. It has an attribute redirectPort, which is changed from 8443 to 443. I do this so that no dedicated port has to be specified in the URL.
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="443" compression="on"
URIEncoding="UTF-8" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"
/>
<Connector port="443" protocol="HTTP/1.1" proxyName="<hostname>.example.org"
SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
keystorePass="<SecurePassword>"
keystoreFile="D:\secure\%COMPUTERNAME%_keystore.jks"
/>
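As an added example (not code from the article or from SAP), the following Python script audits the two connectors shown above with only the standard library: it checks that the HTTPS connector has SSLEnabled, scheme="https" and secure="true", that the HTTP connector's redirectPort points at an HTTPS connector port, and that the keystorePass placeholder has actually been replaced. The embedded server.xml is a constructed sample that mirrors the article's configuration; the hostname and keystore path are assumptions.

```python
# Added example (not from the article): audit Tomcat server.xml connectors for
# the HTTPS settings described in the text. Standard library only.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's connectors. The password is still
# the article's placeholder (escaped so the XML parses) and must be flagged.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" compression="on"
               URIEncoding="UTF-8" compressionMinSize="2048" />
    <Connector port="443" protocol="HTTP/1.1" proxyName="bi.example.org"
               SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" enableLookups="false"
               keystorePass="&lt;SecurePassword&gt;"
               keystoreFile="D:\\secure\\BISERVER_keystore.jks" />
  </Service>
</Server>"""


def is_true(value):
    """Tomcat treats attribute values case-insensitively; so do we."""
    return (value or "").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return a list of findings; an empty list means the connectors look right."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    https = [c for c in connectors if is_true(c.get("SSLEnabled"))]
    plain = [c for c in connectors if not is_true(c.get("SSLEnabled"))]

    if not https:
        findings.append("no SSLEnabled connector: HTTPS is not configured")
        return findings

    tls_ports = {c.get("port") for c in https}
    for c in https:
        port = c.get("port")
        # scheme/secure tell the web app it is behind TLS (affects cookies, redirects)
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if (c.get(attr) or "").lower() != want:
                findings.append(f'HTTPS connector on port {port}: {attr} should be "{want}"')
        if not c.get("keystoreFile"):
            findings.append(f"HTTPS connector on port {port}: keystoreFile missing")
        password = c.get("keystorePass", "")
        if not password or password.startswith("<"):
            findings.append(f"HTTPS connector on port {port}: keystorePass is empty or still a placeholder")

    # every plain connector (HTTP, and AJP if present) must redirect to a real TLS port
    for c in plain:
        rp = c.get("redirectPort")
        if rp not in tls_ports:
            findings.append(
                f"HTTP connector on port {c.get('port')}: redirectPort {rp!r} "
                f"does not match an HTTPS connector port {sorted(tls_ports)}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SERVER_XML) or ["no findings"]:
        print(finding)
```

Run it against the real server.xml by reading the file into the function instead of the embedded sample; a clean result is an empty list.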
In the lower section of the configuration, a new connector port must be configured. In addition to the port, the protocol specification is important here. With the generic specification “HTTP/1.1” the implementation is selected automatically. One can also specify a dedicated JSSE implementation:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
...
The other attributes are then dependent on this implementation. After a restart, nothing stands in the way of HTTPS access.
However, HTTP access is still possible with the above configuration.
To force HTTPS, either disable the HTTP Connector port listed above (comment it out with <!-- ... -->) or configure a redirect.
The redirect port is already specified in the HTTP Connector port. This must now be enforced. To do this, insert the following entries in the web.xml file in the Tomcat configuration folder and restart the Tomcat web server.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
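As an added example (not code from the article), this Python script checks that a web.xml really carries the constraint above for every URL, handling descriptors with and without the Servlet default namespace, and models the Location header Tomcat builds when a plain-HTTP request hits a CONFIDENTIAL constraint. The redirect model is an assumption simplified from Tomcat's RealmBase behaviour: the port is appended only when it is not 443, which is the reason for changing redirectPort from 8443 to 443. The embedded web.xml and the hostname are constructed.

```python
# Added example (not from the article): verify the CONFIDENTIAL transport
# guarantee in web.xml and model the resulting HTTP -> HTTPS redirect.
import xml.etree.ElementTree as ET

# Constructed minimal web.xml with the article's security-constraint. The
# Servlet 3.x default namespace is included because real descriptors carry it.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the same code handles web.xml with or without one."""
    return tag.rsplit("}", 1)[-1]


def https_enforced_for_all(web_xml):
    """True if some security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip().upper() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def redirect_location(host, redirect_port, request_uri, query=None):
    """Model (assumption, simplified from Tomcat's RealmBase) of the Location
    header sent when an HTTP request hits a CONFIDENTIAL constraint: the port is
    omitted when the connector's redirectPort is 443."""
    url = "https://" + host
    if redirect_port != 443:
        url += ":" + str(redirect_port)
    url += request_uri
    if query:
        url += "?" + query
    return url


if __name__ == "__main__":
    print("HTTPS enforced for all URLs:", https_enforced_for_all(WEB_XML))
    print(redirect_location("bi.example.org", 443, "/BOE/BI"))
    print(redirect_location("bi.example.org", 8443, "/BOE/BI"))
```

Note that a constraint on a narrower pattern such as /BOE/* leaves other contexts reachable over HTTP, which is why the check insists on /*.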
So that the client tool Lumira can also communicate via HTTPS, the following note must also be observed.
In the axis2.xml under <SAP BusinessObjects Installation>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\dswsbobje\WEB-INF\conf add the following entries.
<transportReceiver name="http"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8080</parameter>
</transportReceiver>
<transportReceiver name="https"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">443</parameter>
</transportReceiver>
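As an added example (not code from the article or from SAP), this Python script cross-checks that the ports in the axis2.xml transportReceiver entries match the Tomcat connector ports, so that the web service Lumira calls really answers on the SSL connector. Both embedded fragments are constructed from the article's values; a real run would read the two files from disk.

```python
# Added example (not from the article): check that axis2.xml transportReceiver
# ports line up with the Tomcat connectors in server.xml.
import xml.etree.ElementTree as ET

# Constructed fragments: connector ports as in the article's server.xml and the
# two transportReceiver entries the article adds to axis2.xml.
SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <transportReceiver name="http" class="org.apache.axis2.transport.http.AxisServletListener">
    <parameter name="port">8080</parameter>
  </transportReceiver>
  <transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
    <parameter name="port">443</parameter>
  </transportReceiver>
</axisconfig>"""


def connector_ports(server_xml):
    """Map scheme ('http' or 'https') -> set of connector ports from server.xml."""
    ports = {"http": set(), "https": set()}
    for c in ET.fromstring(server_xml).iter("Connector"):
        scheme = "https" if (c.get("SSLEnabled") or "").lower() == "true" else "http"
        ports[scheme].add(c.get("port"))
    return ports


def receiver_ports(axis2_xml):
    """Map transportReceiver name -> its 'port' parameter from axis2.xml."""
    result = {}
    for tr in ET.fromstring(axis2_xml).iter("transportReceiver"):
        for p in tr.findall("parameter"):
            if p.get("name") == "port" and p.text:
                result[tr.get("name")] = p.text.strip()
    return result


def mismatches(server_xml, axis2_xml):
    """Return receiver names whose port has no matching Tomcat connector, plus a
    marker if no https receiver is configured at all."""
    tomcat = connector_ports(server_xml)
    receivers = receiver_ports(axis2_xml)
    bad = [name for name, port in receivers.items()
           if name in tomcat and port not in tomcat[name]]
    if "https" not in receivers:
        bad.append("https (missing)")
    return bad


if __name__ == "__main__":
    print("mismatches:", mismatches(SERVER_XML, AXIS2_XML) or "none")
```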
Afterwards the web application has to be deployed. After that, Lumira can also connect via HTTPS.
1648573 – How to configure SSL/TLS on Tomcat in BI 4.x
2659668 – SOAP message MUST NOT contain a Document Type Declaration (DTD)
1807142 – How to enable HTTPS/SSL Designer against BIP