Configuring WebFOCUS in an SSL Environment

The Secure Sockets Layer (SSL) is a protocol for managing the confidentiality of data transmitted over the Internet. In order to configure WebFOCUS for use with SSL, a certificate must be installed for the Web server and enabled for SSL.

Some WebFOCUS components make internal calls to the Web server. Depending on the application server you use, these components may be able to make https (SSL) calls using the default certificate provided by your application server. If your application server does not provide a default certificate, or if you want to enhance performance by minimizing the number of https calls, you can configure WebFOCUS to make more efficient http calls by operating within the secure environment established when the user connected to the Web using SSL.

To configure ReportCaster to use http calls to the application server:

  1. Go to the ReportCaster Server configuration tool. On the MR Info tab, change the protocol, host, and port specified in the Repository Node property to point to the internal listener of your application server. Use localhost if the ReportCaster Distribution Server resides on the same machine as WebFOCUS. Otherwise, specify the host name of the application server. This setting controls where the ReportCaster server-side Java components go to retrieve information about Managed Reporting reports available to schedule and where the ReportCaster Distribution Server goes to retrieve the Managed Reporting reports at run time.

    The Default Library URL setting on the Library tab should remain pointed to the Web server.

  2. Save and close the ReportCaster Server configuration tool.
  3. Restart the WebFOCUS and ReportCaster Web applications and the ReportCaster Distribution Server.

Reference: ReportCaster in an SSL Environment

When you open the ReportCaster Development and Administration interface, you will be notified that an SSL certificate is being passed through to the browser. Click Yes in order to continue using the ReportCaster interface.

A certificate is your public key. A public key is a value provided by a third party (known as the Certificate Authority) as an encryption key. The public key combines with a private key (derived from the public key) to encrypt messages transmitted on the Internet.

Certificates establish trust. If you trust a Certificate Authority, then you trust all of its certificates. As shipped by Sun, the Java Development Kit (JDK) trusts Verisign and Thawte.

Other trusted authorities can be added to your JDK/JRE with the keytool utility that is shipped with the JDK/JRE.

To configure WebFOCUS for use with SSL, you must perform the following steps:


Acquiring a Certificate

To acquire a certificate, you must create a certificate request and deliver it to a Certificate Authority, who generates the certificate. You must then install the certificate for a particular Web server.

For more information about acquiring a certificate, see https://digitalid.verisign.com/server/help/hlpEnrollServer.htm.

Note: For testing purposes, a self-signed certificate can be generated and used without using a third-party Certificate Authority.


Registering a Self-Signed Certificate With the JVM

Note: You may skip this step if you have a trusted certificate.

You can add trusted authorities to the Java installation used by your WebFOCUS installation with the keytool utility that is shipped with the JDK/JRE. By default, the keytool utility is located in the $JAVA_HOME/bin directory. The default keystore is located in the $JAVA_HOME/jre/lib/security directory.

Note: $JAVA_HOME is a UNIX environment variable. On Windows, this is %JAVA_HOME%.



Procedure: How to Add a Self-Signed Certificate to the Keystore Using the KeyTool Utility on Windows
  1. From the Command Prompt, navigate to the keytool utility directory, as follows:

    cd %JAVA_HOME%\bin

    where:

    %JAVA_HOME%

    Is an environment variable defined on the machine that specifies the JDK or JRE installation directory. If this environment variable is not defined on the machine, you must explicitly specify the path to the Java installation directory.

  2. Enter the following command at the prompt to import the trusted certificate into the keystore:

    keytool -importcert -alias alias_name -trustcacerts -file certificate_filename -keystore keystore_filename

    where:

    alias_name

    Is the name of the self-signed certificate alias in the keystore.

    certificate_filename

    Is the name of the certificate you will be adding to the keystore. For example, certnew.cer.

    keystore_filename

    Is the name of the keystore. For example, cacerts.
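
The import above with a check before and after it, as an added PowerShell example that is not part of the product documentation: it compares the certificate's SHA-256 fingerprint with a value obtained out of band before trusting it, backs up the keystore, and then confirms that the stored entry is the certificate that was checked. The certificate path, the alias and the expected fingerprint are assumed placeholder values.

```powershell
# Added example; paths, alias and fingerprint below are assumptions, not product values.
$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'  # default keystore directory named above
$certFile = 'C:\certs\certnew.cer'     # assumed location of the certificate file
$alias    = 'webfocus-selfsigned'      # hypothetical alias
$expected = '<SHA-256 fingerprint received out of band, AA:BB:... form>'  # placeholder

function Get-CertSha256([string]$Path) {
    # SHA-256 over the certificate's DER encoding, formatted like keytool output (AA:BB:...).
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try     { [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ':' }
    finally { $sha.Dispose() }
}

# 1. Do not trust a certificate whose fingerprint differs from the expected value.
$actual = Get-CertSha256 $certFile
if ($actual -ne $expected) { throw "Fingerprint mismatch for ${certFile}: $actual" }

# 2. Keep a copy of the keystore so the change can be rolled back.
Copy-Item $keystore "$keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 3. Import with the command from the procedure; keytool prompts for the keystore password.
& $keytool -importcert -alias $alias -trustcacerts -file $certFile -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE" }

# 4. Export the stored entry and confirm it is the certificate that was checked in step 1.
$tmp = Join-Path $env:TEMP "${alias}-check.cer"
& $keytool -exportcert -alias $alias -keystore $keystore -file $tmp
if ($LASTEXITCODE -ne 0) { throw "keytool -exportcert failed with exit code $LASTEXITCODE" }
$stored = Get-CertSha256 $tmp
Remove-Item $tmp
if ($stored -ne $actual) { throw "Keystore entry '$alias' does not match $certFile" }
"Imported '$alias' (SHA-256 $stored) into $keystore"
```

Run it from an elevated prompt if the Java installation directory is write-protected.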


Registering HTTPS Support

In order for WebFOCUS to request an HTTPS URL, a system property must be set to register HTTPS support. Add the following to the JVM options of your Application Server or servlet container:

-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

Configuring ReportCaster for Use With SSL

Note: Even if WebFOCUS and ReportCaster reside on the same machine, both the Application server and the distribution server must have JRE certificates.

The ReportCaster Development and Administration Interface uses a Java™ application to configure ReportCaster for use with SSL. To configure ReportCaster for use with SSL, perform the following steps on each individual client machine:

  1. Acquire a certificate for use with SSL. See Acquiring a Certificate.
  2. Use the keytool utility to add additional trusted authorities. See Registering a Self-Signed Certificate With the JVM.
  3. Access the ReportCaster Server Configuration tool (see previous step) and click the MR Info tab. Change the URL in the Repository Node parameter so that it uses https instead of http.
  4. Click the Save icon, or select Save from the Action menu. A message appears asking for confirmation that you want to save the changes to the configuration file.
  5. Click Yes to save the changes, and then reload the ReportCaster Web application and restart the ReportCaster Distribution Server.


Configuring ReportCaster Cookies for Use in SSL Environments

You can restrict the exchange of cookies to only HTTPS sessions by configuring the IBI_COOKIE_SECURE parameter in the ReportCaster menu under the Application Settings section of the WebFOCUS Administration Console.

