Setting up SSL Configuration in Calyx RIM for Analytics

Due to the complexity of configuring Calyx RIM for use in an SSL (Secure Sockets Layer) environment, all SSL configurations must be done by the Client Enablement team. Outside RSA certificates may be involved, several browser-specific configuration modifications are necessary, and there are multiple ways to set up SSL, some of which Calyx RIM may not be able to support.

Warning: SSL configurations are supported only when they are installed by Client Enablement, and only defects that can be duplicated on a normal Calyx RIM installation will be addressed.
Note: SSL configuration is not required. These steps are needed to set up this security feature. Because WebFOCUS Express uses a standard Tomcat 7.x application container, the instructions to configure SSL are at this location: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
  1. Create a keystore file to store the server's private key and self-signed certificate by executing the following:
    1. Open an administrative command prompt and change the directory to the location of the keytool: install location\WebFOCUS_Express80\jre\bin\
    2. At the prompt, type: keytool -genkey -alias tomcat -keyalg RSA and press Enter.
    3. Complete the process by entering the following values:
      • New keystore Password
      • Re-enter Password
      • Calyx RIM for Analytics server name
      • Your Organizational Unit
      • Your Organization
      • Your City
      • Your State
      • Your two letter Country Code
      • Confirm values are correct by entering Yes
      • New password for Tomcat – to use the same password as the keystore, press Enter.
      Note: The Calyx RIM for Analytics server name is entered when prompted for Your Name.
  2. Verify the new .keystore file is created in the location C:\users\user name\.keystore
  3. Move the .keystore file to the install location\WebFOCUS_Express80\tomcat folder.
  4. From the same administrative command prompt type: keytool -export -keystore ..\..\tomcat\.keystore -alias tomcat -file webfocus.cer
    1. Press Enter
    2. Type exit and press Enter
  5. Stop the WebFOCUS Express 80 services.
  6. Open WordPad as Administrator.
  7. Using WordPad, navigate to: install location\WebFOCUS_Express80\tomcat\conf
    1. Open the server.xml file for editing
  8. In the server.xml file, uncomment the SSL HTTP/1.1 Connector entry in the file:
    
    <Connector port="25001" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
                   
  9. Modify the maxThreads value from 150 to 200.
  10. Add the keystoreFile and your keystorePassword where indicated:
    
    <Connector port="25001" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="200" scheme="https" secure="true"
    keystoreFile=".keystore" keystorePass="<password>"
    clientAuth="false" sslProtocol="TLS" />
                   
    Note: keystorePass must be the password value entered when the keytool was used to create the .keystore file.
  11. Disable the original connection information by commenting out the following lines:
    
    <Connector connectionTimeout="20000" maxPostSize="0" port="25000"
    protocol="HTTP/1.1" redirectPort="25001" server=" "
    useBodyEncodingForURI="true"/>
                         
  12. Save your changes and close the server.xml file.
  13. From WordPad, navigate to: install location\WebFOCUS_Express80\tomcat\conf
    1. Open the web.xml file for editing
  14. Add the following lines after the last </servlet-mapping> tag in the web.xml file:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
                   
  15. Save your changes and close the web.xml file.
  16. Close WordPad.
  17. Run WordPad as an administrator and open install location\WebFOCUS_Express80\WebFOCUS\ReportCaster\bin\dserver.xml.
  18. Change these values (existing server name is not changed):
    1. <url>http://<server name>:25000/ibi_apps/WFServlet</url> is changed to: <url>https://<server name>:25001/ibi_apps/WFServlet</url>
    2. <default_url>http://<server name>:25000/ibi_apps/library/report.rc</default_url> is changed to: <default_url>https://<server name>:25001/ibi_apps/library/report.rc</default_url>
    3. <LIBRARYURL>http://<server name>:25000/ibi_apps/library/report.rc</LIBRARYURL> is changed to: <LIBRARYURL>https://<server name>:25001/ibi_apps/library/report.rc</LIBRARYURL>
  19. Save the file
  20. Close WordPad
  21. Restart the WebFOCUS services. After this, users will be able to connect to the Web client over the default SSL port for Tomcat, 25001:
    https://<server>:25001/ibi_apps/
  22. From an administrative command prompt run: install location\WebFOCUS_Express80\WebFOCUS\ReportCaster\bin\importcfg.bat
  23. Copy install location\WebFOCUS_Express80\jre\bin\webfocus.cer to the Calyx RIM Server C:\InSightManager folder.
  24. Open a command prompt on the Calyx RIM server and type: cd "%JAVA_HOME%\jre\lib\security"
    1. Press Enter
  25. From that command prompt type: ..\..\bin\keytool -importcert -alias webfocus -keystore cacerts -file C:\InSightManager\webfocus.cer
    1. Press Enter
      When asked for the password, enter changeit
    2. When asked whether to trust this certificate, enter Yes and press Enter.
  26. Update the Calyx RIM system insight.var file to add the following WebFocus Security Settings:
    • wf.server.url=https://<WebFocus server>:25001/ibi_apps/
    • wf.sharedKey=<Insight license key>
    • wf.tokenLife=1800
  27. Restart the Calyx RIM Server.
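
The following check is an added example, not part of the vendor procedure or product code: it parses server.xml (steps 8 to 11) and web.xml (step 14) and reports settings that would leave the plain HTTP listener active or the TLS connector incomplete. The function names and the embedded sample files are constructed for illustration; ports 25000 and 25001 are the ones used on this page.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Tomcat's web.xml declares a default namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text, https_port="25001", http_port="25000"):
    """Findings for steps 8-11. Commented-out connectors are invisible to the parser."""
    connectors = list(ET.fromstring(text).iter("Connector"))
    findings = []
    tls = [c for c in connectors if c.get("port") == https_port]
    if not tls:
        findings.append(f"no active Connector on port {https_port}")
    for c in tls:
        if (c.get("SSLEnabled"), c.get("scheme"), c.get("secure")) != ("true", "https", "true"):
            findings.append("TLS connector lacks SSLEnabled/scheme/secure settings")
        findings += [f"TLS connector is missing {a}"
                     for a in ("keystoreFile", "keystorePass") if not c.get(a)]
    if any(c.get("port") == http_port for c in connectors):
        findings.append(f"plain HTTP Connector on port {http_port} is still active")
    return findings

def audit_web_xml(text):
    """Findings for step 14: /* must carry a CONFIDENTIAL transport guarantee."""
    for sc in ET.fromstring(text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        values = {_local(e.tag): (e.text or "").strip() for e in sc.iter()}
        if values.get("url-pattern") == "/*" and values.get("transport-guarantee") == "CONFIDENTIAL":
            return []
    return ["no CONFIDENTIAL security-constraint covering /*"]

# Constructed sample input (not taken from a real installation).
SERVER_DONE = """<Server><Service name="Catalina">
<!-- <Connector connectionTimeout="20000" port="25000" protocol="HTTP/1.1" redirectPort="25001"/> -->
<Connector port="25001" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" scheme="https"
  secure="true" keystoreFile=".keystore" keystorePass="example-only" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""
# Same file with step 11 skipped and keystorePass left out of step 10.
SERVER_HALF_DONE = SERVER_DONE.replace("<!-- ", "").replace(" -->", "").replace(' keystorePass="example-only"', "")
WEB_DONE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
<web-resource-collection><web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

if __name__ == "__main__":
    print(audit_server_xml(SERVER_DONE), audit_server_xml(SERVER_HALF_DONE), audit_web_xml(WEB_DONE))
```

To check a real installation, pass the contents of the two files under install location\WebFOCUS_Express80\tomcat\conf to the two functions; an empty list means no finding.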