Have you ever thought of accessing your BusinessObjects platform through the Internet? Do you need to reach your BusinessObjects platform from outside without using a VPN connection? Is secure access for your external users a must for you? If the answer to these three questions is "Yes" and you are seeking a solution, you have landed on the page that will guide you to meeting those objectives. So look no further: in this article I will explain how you can improve your current BusinessObjects environment in a very simple way. One of our customers asked us to find a way to let his users access the BusinessObjects platform through the Internet securely and without using a VPN connection. After analysing several scenarios, we decided to split the web application server (WAS) so that, in the end, the customer would have two web servers: one for external access and another for internal users. In the lines below I will explain the steps and key items of this solution.
Infrastructure changes
Many companies do not place servers that hold data (e.g. database servers) in a DMZ network, and this customer was no exception, so I recommend splitting the BOXI web server. The next step is to place one web server in the DMZ network and keep the other web server, together with the repository server, in the LAN. Finally, we set up new rules on each firewall (INTERNET–DMZ and DMZ–LAN). Keep in mind that the DMZ web server must reach the CMS (port 6400 by default) and the request ports of the other BOXI servers it talks to; those request ports are assigned dynamically unless you fix them in the CMC, so pin them before writing the DMZ–LAN rules.
Having made these infrastructure changes, internal (LAN) users still connect to the BOXI platform exactly as they did before, while external users coming in through the Internet reach the secured web server over HTTPS and can use any BOXI web tool they need, such as InfoView or WebI. For example, an external user can connect securely to InfoView from a web browser without needing a VPN connection.
Security requirements
We must not forget another important requirement: our users' access must remain secure once they connect through the Internet. This is a topic I will treat in more depth below. We use the Secure Sockets Layer (SSL) protocol to protect the communication between external users (those connected through the Internet) and the external web server in the DMZ network. (Tomcat's connector negotiates TLS as well as SSL; the old SSL 2.0 and 3.0 protocol versions are deprecated and should be disabled, so read "SSL" in this article as the HTTPS connector in general.)
To set up the SSL for the server communication we need to perform the following steps:
1. Set Environment Variables
Before starting, it is always good to make sure that the following environment variables are set correctly. The values I use as a reference in this article are correct for those of you who installed BusinessObjects with the default settings; otherwise, use the list below as a guide to finding the correct paths.
- CATALINA_HOME -- C:\Program Files\Business Objects\Tomcat55
- JAVA_HOME -- C:\Program Files\Business Objects\javasdk
- TOMCAT_HOME -- C:\Program Files\Business Objects\Tomcat55
- Path -- C:\Program Files\Business Objects\javasdk\bin (add this to the existing Path)
2. Keystore and Keypair Creation
Next, open a command prompt (Start -> Run, cmd) and run the following command to create a keystore and a key pair:
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\keystore
The keytool utility will then prompt you for identifying information before generating your key pair; this information goes into the certificate and identifies your server. When asked for your "first and last name", enter the fully qualified host name that external users will type in their browsers, because that value becomes the certificate's CN and browsers compare it with the URL they are visiting. When keytool asks for the "key password for tomcat", just hit return to use the same password as the keystore (Tomcat expects both to match). Note that older JDKs such as the one bundled with BusinessObjects default to 1024-bit RSA keys; add -keysize 2048 to the command above if you want a key that current CAs and browsers accept.
Check that your key was created, and that the Owner line shows the CN you entered, by running this command:
keytool -list -v -keystore C:\keystore
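The following batch script is added here as an example and is not part of the original article. It carries steps 1 and 2 through in one go on a Windows machine with a default BusinessObjects install: it sets the environment variables, generates a 2048-bit RSA key pair whose CN is the server's external host name, writes the certificate signing request (CSR) that you send to your CA, and lists the keystore so you can verify the entry. The host name, organisation fields, password and output paths are placeholders you must replace.

```batch
@echo off
rem Example script (not from the original article). Generates the Tomcat
rem keystore, key pair and CSR for the external BOXI web server.
rem All names, paths and passwords below are placeholders to replace.

rem --- Step 1: environment variables for a default BusinessObjects install
set "BO_HOME=C:\Program Files\Business Objects"
set "JAVA_HOME=%BO_HOME%\javasdk"
set "CATALINA_HOME=%BO_HOME%\Tomcat55"
set "TOMCAT_HOME=%CATALINA_HOME%"
set "Path=%JAVA_HOME%\bin;%Path%"

rem --- Values to adapt (placeholders)
set "KEYSTORE=C:\keystore"
set "STOREPASS=changeit"
set "HOSTNAME=boxi.example.com"
set "DNAME=CN=%HOSTNAME%, OU=BI, O=Example Corp, L=City, ST=State, C=US"

rem Refuse to overwrite an existing keystore: a second -genkey with the same
rem alias fails, and a fresh key would invalidate a CSR already sent to the CA.
if exist "%KEYSTORE%" (
    echo Keystore %KEYSTORE% already exists; remove it or change KEYSTORE.
    exit /b 1
)

rem --- Step 2: key pair. -keysize 2048 overrides the JDK 1.5 default of 1024;
rem -dname replaces the interactive prompts (CN = external host name), and
rem -keypass equals -storepass because Tomcat uses one password for both.
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 730 ^
  -dname "%DNAME%" -keystore "%KEYSTORE%" ^
  -storepass "%STOREPASS%" -keypass "%STOREPASS%"
if errorlevel 1 exit /b 1

rem CSR to send to the CA. The signed certificate is imported later under the
rem same alias (keytool -import -alias tomcat), after the CA's chain.
keytool -certreq -alias tomcat -file "C:\tomcat.csr" ^
  -keystore "%KEYSTORE%" -storepass "%STOREPASS%"
if errorlevel 1 exit /b 1

rem Verify: the entry must show "Entry type: keyEntry" and Owner: CN=%HOSTNAME%.
keytool -list -v -alias tomcat -keystore "%KEYSTORE%" -storepass "%STOREPASS%"
```

Run it from a command prompt on the DMZ web server. Protect the resulting keystore file with NTFS permissions, since it holds the private key, and do not reuse the placeholder password: whatever you choose here is what you will later put in the Connector's keystorePass attribute in server.xml.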
3. Enable SSL in server.xml
While you are waiting for your signed certificate, you can already enable SSL in Tomcat. To do so, open Tomcat's server.xml file, located by default in C:\Program Files\Business Objects\Tomcat55\conf, and look in the file for the SSL Connector entry, which should look like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->