Have you ever thought of accessing your BusinessObject’s platform through the Internet? Do you need to access externally your BusinessObjects platform without using a VPN connection? Is secure access for your external users a must for you? If the answer to these three questions is “Yes, I do” and your seeking for a solution, you have just landed on the page that will guide you to successfully meeting your objectives. So look no further because in this article, I will explain how you can improve your current BusinessObjects environment in a very simple way. As a matter of fact, one of our customer’s requested we find a way to allow his users access the BusinessObjects platform through the Internet in a secure way and without using a VPN connection. After analyzing several scenarios, we decided to split the web server (WAS) so that, in the end, our customer would dispose of two web servers: a server for external access and another for internal users. In the lines below, I will explain the steps and key items to developing this original solution.
Infrastructure changes
Many companies don’t usually connect servers with data (i.e: Database servers) in DMZ networks. Given this is our case, I recommend we split the BOXI Web Server. Our next step would be to place one web server in the DMZ network and the other web server, including the repository server, should be kept in the LAN. Finally, we should set up a new configuration, one for each firewall (INTERNET–DMZ and DMZ–LAN).
Having made these changes to the infrastructure, the internal users (LAN users) will still be able to connect to the BOXI platform, just as they would normally do, and at the same time the external users, who will connect through the Internet, will be able to access a secure web server, through an HTTPS connection, and use any BOXI web tool they need, such as Infoview, WebI, etc. This means, for example, that the external users can connect in a secure way to their Infoview by using a web browser and without the need of a VPN connection.
Security requirements
We must not forget yet another important requirement which is to assure our users with a secured access once they’re connected through the internet. This is a topic that I will treat more in depth in the next lines.We can use the Secure Sockets Layer (SSL) protocol to allow for communication between external users (users connected through the Internet) and the external web server in the DMZ network.
To set up the SSL for the server communication we need to perform the following steps:
1. Set Environment Variables
Before starting, it’s always good to make sure that the following environment variables are set correctly. The values which I will outline within the course of this article and that I’ll be using as a reference are correct for those of you have installed Business Objects with the default settings. Otherwise, use the list below as a guide to finding the correct paths.
- CATALINA_HOME -- C:Program FilesBusiness ObjectsTomcat55
- JAVA_HOME -- C:Program FilesBusiness Objectsjavasdk
- TOMCAT_HOME -- C:Program FilesBusiness ObjectsTomcat55
- Path -- C:Program FilesBusiness Objectsjavasdkbin (Add this to the existing Path)
2. Keystore and Keypair Creation
Next, open a command prompt (Start->Run, cmd) and run the following command to create a keystore.
keytool -genkey -alias tomcat -keyalg RSA -keystore C:keystore
The keytool utility will then ask you for your general personal information before generating your keypair. This information is used to identify your server. When you visualize a message from keytool asking you for the “key password for Tomcat”, just hit return to use the same password.
Check to make sure your key was created by running this command:
keytool -list -v -keystore c:keystore.keystore
3. Enable SSL in server.xml
While you are waiting for your signed certificate, you can enable SSL in Tomcat. We proceed to doing so by opening up Tomcat’s server.xml file, which is located by default in C:Program FilesBusiness ObjectsTomcat55conf. Look for thefile for the SSL Connector entry, which should look like this:
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --><!--<Connector port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"; clientAuth="false" sslProtocol="TLS"/> ->
First, remove the comment tags (<!– and –>) from around this connector to enable it. Then, you will need to add the following property:
keystoreFile="C:keystore.keystore"
You may also want to change the port from 8443 to the default HTTPS port of 443. If you decide to do so, you will also want to change the redirectPort property on the non-SSL connector in order for it to match the very port. This should be located immediately above the SSL connector in the server.xml.
Once the changes are made, close the server.xml and restart Tomcat. Open a browser and go to https://localhost (of course, assuming you have changed the port from 8443 to 443). Depending on your browser, you should see the Tomcat default page along with a certificate error. This means that Tomcat is set up correctly, we only need a signed certificate.
4. Install your certificate
Once you receive your signed certificate, you simply need to install it into the keystore in order to complete the process. First of all, you have to install the root (or chain) certificate from your vendor. Check with your vendor to get this certificate. Save the root certificate file in the server, with a name such as rootcert.txt, then execute this command:
keytool -import -alias tomcat -keystore C:keystore.keystore -trustcacerts -file rootcert.txt
Finally, install your new certificate. Save your new certificate in the server, with a name such as mycert.txt:
keytool -import -alias tomcat -keystore C: keystore.keystore -trustcacerts -file mycert.txt
From here, you should run a test and check that SSL is set up correctly by going to https://localhost on the server (assuming you changed the SSL port to 443). If you see the Tomcat default page without any certificate errors, then SSL is configured properly.
Deployment needs
We strongly recommend you run this deployment in a Test environment in order to troubleshoot and to be prepared for any issues that could arise when passing to installing in the actual Production environment . I would like to point out that you need a new server (a VM server is also fine) placed in a DMZ network. In this way it can be accessed through the Internet.
The next step is to install a web server on the machine, using the BOXI R3.1 SP3 installation package and selecting the “Web Tier” option.
Once you have done this, you can now start configurating the HTTPS connections. That is why you also need an SSL certificate installed on the new server.
Last but not least, your Firewalls need to be reconfigured to grant you access from this web server to the BOXI repository server(placed on the LAN).
In summary, if you find yourself in need to to allow external users to access your BusinessObjects platform in a secure way, without using a VPN connection, then we recommend you split your current web server into two web servers (one being internal and the other external).
De esta forma, un usuario externo puede conectarse fácilmente a un servidor web utilizando una conexión HTTPS (los datos se cifrarán) y podrá usar las herramientas BOXI como Infoview o WebI, y sus datos estarán seguros ya que todavía se almacenan de forma segura en la red LAN.
What’s more is that your internal users will not experience any change whatsoever, and most importantly you can deploy this solution without interfering on their daily tasks.
If you have any questions about accessing your BusinessObjects platform via internet simply leave a comment in the box below and I will readily reply to you.