Month: March 2017

Certificate not trusted warning – How to Import wildcard certificate into Tomcat (BOBJ web application server)

The document discusses on how to enable https on BOBJ web application server and import the wild card CA trusted certificate.

Enabling the https

Enabling https on the web application (Tomcat in this case) requires generation of key store and self-signed certificates using in-built keytool or openssl

Using command line navigate to <installdir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin

Run the below command, this will generate a keystore.jks file at keytool home directory, copy it to another folder say (C:/SSL)

keytool -genkey -alias tomcat -keyalg RSA –keystore keystore.jks

Export the .crt self-signed certificate using the below command

keytool –export -alias tomcat -keystore c:\SSL\Keystore.jks -file c:\ssl\tomcat.crt

A self-signed certificate tomcat.crt will be stored under C:\SSL folder.

Stop the tomcat

Open server.xml file. Location – <Tomcathome>/conf

Uncomment the https entry and add the below parameter.

keystoreFile= “location of keystore.jks file” keystorePass=”password”

Restart the tomcat, now https links to BI-Launchpad and CMC should work



Importing the wild card certificate

By following the above process, https links will work as expected. However, a certificate not-trusted warning will appear on the browser which is expected. The reason for this is Tomcat certificate is self-signed but not CA signed

To overcome this error, you can create .CSR file and send it to CA providers , who in return provide certified CRT files. Use the below commands to import the same

Keytool –import –trustcacert –alias tomcat –keystore keystore.jks –file cacertified.crt

If you have root certificate, please import the same into root alias.

Most of time, internal CA have wildcard certificates for the domain already, importing those will be little bit tricky. Importing the wildcard certificate into same alias will give “Public keys mismatch error”. Please follow the below process to import.

Using Openssl tool convert the required wildcard.crt certificate into pfx format

openssl pkcs12 -export -in wildcard.crt -inkey wildcard.key -out C:\SSL\wildcard.pfx

the above command will generate a wildcard.pfx under C:\SSL folder.

Stop the tomcat and make the below changes to https entries

keystoreType =”PKCS12” keystoreFile=”wildcard.pfx” keystorePass=”password”

Restart the tomcat.

All set, now the tomcat will be using the internal wildcard certificate.

 Karthik Addula

SAP BI reports on Hadoop

What is Hadoop?

Hadoop is an open source software platform for distributed storage and distributed processing of very large data sets on computer clusters built from commodity hardware.  Hadoop services provide for data storage, data processing, data access, data governance, security, and operations.

HDFS – Hadoop Distributed file system – data storage and processing layer, data will be store on multiple slave nodes with metadata on master node

Hive – Query tool for Hadoop, we can say SQL wrapper on HDFS

All the reporting suite in SAP BOBJ platform consumes Hadoop HDFS data via HIVE through BOBJ Universe. SAP Lumira has self-inbuilt Hadoop data connectors (Both Hive and HDFS)

Steps involved in creating BOBJ report over Hadoop Hive

1) Creating a Connection

2) Create a Data Foundation Layer

3) Publish the Universe

4) Create a Webi Report

Creating a Connection and Universe

In this article , I am using generic database connections. Theoretically, you can also use Apache/Simbha JDBC drivers to connect Hive (I any day prefer JDBC over ODBC)

  • Download Hadoop ODBC drivers (32bit) on to your local machine. ( 4.2 Client tools automatically installed the drivers on my machine J )
  • Configure the 32 bit Hadoop ODBC on the local machine. if the hadoop environment is kerborized , please make sure you installed MIT Kerberos and ticket is active.

  • Create a relation connection in BOBJ IDT

  • Create a Data foundation layer

  • Create a Business layer and export it to BOBJ repository

Creating a Webi report on top of Hadoop Universe

Once the Universe is exported, the reporting tools consume the universe as any other relational universe (Some exceptions to middleware drivers used)

In my next post, i will detail on consuming and exploring Hadoop data in Lumira


Karthik Addula


Integrating Fiori with BOBJ – SSO

Fiori – BOBJ integration with SSO.


Considering Fiori Launchpad as global point of entry for SAP applications, Users always want to see analytical content in the same place. To avoid users launching Business Objects documents via portal or BI Launchpad separately, this document outlines the process of integrating Fiori with Business Objects

Tools used

SAP Business Objects enterprise – BOBJ 4.1 SP4

Design studio – 1.6 SP02

SAP Gateway, Fiori



Configuration – (Assuming, the sapgateway protocol is https (which is most likely to be))

Configuring BOBJ Platform

Enable https on BOBJ web application server, no backend https is required.  I am using Tomcat in this example

  • Use Keytool in tomcat java home bin directory to create a self-signed keystore


keytool -genkey -alias tomcat -keyalg RSA –keystore keystore.jks.

This command will create a self-signed keystore named keystore.jks under keytool home   directoty

  • Please export self-signed certificate in .crt format.


keytool -export -alias tomcat -keystore keystore.jks –file https.crt

This command will create https.crt in same directory.

  • Generate SSO certificates and keystore files using PCKS12 tool

Windows location : <INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\java\lib

Windows Command :  “<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java” -jar PKCS12Tool.jar -alias bobj -storepass password -dname CN=BOS

The above command generates keystore and cert.der files .

Stop the tomcat, navigate to <Tomcathomedir>/conf/server.xml . Edit the server.xml file as below

Uncomment the https entries and add below parameters.

keystoreFile=”keystore.jks” keystorePass=”password”


Restart the tomcat , https links should work .

Configuring Fiori server

Install the https.crt ( certificate generated from keystore.jks )  into fiori abap stack using the below command at OS level

sapgenpse.exe maintain_pk -p <Client_PSE> -a https.crt

Configure SAP gateway to forward the requests to BOBJ platform.

wdisp/system_<number> = SID=BOE, EXTSRV=https://bod:8443 SRCSRV=*:8000 SRCURL=/BOE/

On the ABAP front end server using T code Strustss002 , please import the SSO certifictes generated by BOBJ Platform.

Setting up single sign on on BOBJ Platform

1) Add the ABAP front end as the entitlement system in CMC

2) Import the required Roles and keystore in CMC

3) Setup SAP ABAP stack to send SAP Logon Tokens

Now create a Tile in Fiori Launchpad, redirecting to BOBJ Design studio Opendocument link.  The navigation should work seamlessly


Karthik Addula