In BI 4.3 SP02, the existing cryptographic libraries are replaced by SAPJCE libraries. To learn more about these changes, refer to SAP Note 3218399. SAP Note 3112068 describes the steps to configure the SAP JCE libraries for different application servers. Those steps require copying the SAP JCE binaries to the JRE lib/ext and bin folders of the application server. In the case of WebSphere, copying external binaries into the WebSphere Application Server folder is not supported. Instead, SAP JCE can be configured by copying the binaries to a custom folder. Here are the steps to configure the SAP JCE binaries in a custom folder:
1. Deploy BOE on the WebSphere application server as recommended in the Web Application Deployment Guide for Unix or the Web Application Deployment Guide for Windows.
2. Create a folder C:/sapcrypto (Windows) or /home/boeuser/sapcrypto (Unix).
3. Copy the SAP JCE binaries to the custom folder C:/sapcrypto (Windows) or /home/boeuser/sapcrypto (Unix).
4. Navigate to WebSphere Integrated Solutions Console at http://was_server:was_port/ibm/console.
5. In the WebSphere Integrated Solutions Console home, navigate to Environment > Shared Libraries.
6. In the Shared Libraries page, set the scope to Server1 and click New.
7. In the New page, enter a Name (for example, sapcrypto), set the Classpath to the location of the sapjce.jar file, and set the Native Library Path to the location of the DLL/SO files.
Windows:
Classpath:
C:/sapcrypto/sapjce.jar
C:/sapcrypto/
Native Library Path:
C:\sapcrypto\sapcrypto.dll
C:\sapcrypto\slcryptokernel.dll
C:\sapcrypto\slcryptokernel.dll.sha256
C:\sapcrypto
Unix:
Classpath:
/home/boeuser/sapcrypto/sapjce.jar
/home/boeuser/sapcrypto/
Native Library Path:
/home/boeuser/sapcrypto/libsapcrypto.so
/home/boeuser/sapcrypto/libslcryptokernel.so
/home/boeuser/sapcrypto/libslcryptokernel.so.sha256
/home/boeuser/sapcrypto
8. Select “Use an isolated class loader for this shared library”. Click Apply and Save.
9. In the WebSphere Integrated Solutions Console home, navigate to Applications > WebSphere Enterprise Applications. In Enterprise Applications page, click BOE.
10. In Enterprise Applications > BOE page, click Shared library references.
11. In the Enterprise Applications page, select BOE (Application) and click Reference shared libraries.
12. In the Shared Library Mapping page, select sapcrypto and click Add. Click OK. Click OK in the Enterprise Applications page. Click Save.
13. The shared library sapcrypto is linked to enterprise application BOE now.
14. In the Enterprise Applications page, select BOE, stop and then start BOE.
15. Launch CMC to test: http://was_server:was_http_port/BOE/CMC. Logon to CMC should be successful.
16. The shared library references should be updated for all the BI applications by following the steps from Step 9 to Step 15.
Configure WebSphere 9 with SSL with java.security in a custom folder
1. Create a file java.security in the custom folder created above, C:/sapcrypto (Windows) or /home/boeuser/sapcrypto (Unix).
2. Add the line below to the java.security file and save.
java.security:
security.provider.11=com.sap.commoncryptolib.provider.SAPJCE enableFIPS
3. Navigate to WebSphere Integrated Solutions Console at http://was_server:was_port/ibm/console.
4. Navigate to Servers > Server Types > WebSphere application servers.
5. Click on the name of your server. For example, server1. Navigate to Java and Process Management and select Process Definition. Under the Additional Properties section, click Java Virtual Machine. Scroll down and locate the textbox for Generic JVM arguments. Add the custom java.security file path in the Generic JVM arguments as shown below.
-Djava.security.properties=/sapmnt/is4120/a/home/qaunix/sapcrypto/java.security -Djava.library.path=/sapmnt/is4120/a/home/qaunix/sapcrypto
6. Click OK and save the change to the master configuration. Restart the WebSphere application server.
7. To test, log on to https://was_server:was_https_port/BOE/CMC. Logon to CMC should be successful.
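A pre-flight check for the Unix custom folder, as an added example that is not part of the original post or of SAP's tooling: it confirms that the files named in the steps above are present, that java.security registers SAPJCE exactly once, and that the chosen provider index leaves no gap (the JCA provider list is read from index 1 upward and stops at the first missing index). The function names, the optional path to the JRE's own java.security, and the rule that nothing in the folder is group- or world-writable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the custom SAP JCE folder (Unix layout from this page).
# Usage: check_sapjce_dir DIR [MASTER_JAVA_SECURITY]
# Returns 0 when every check passes; prints one line per finding otherwise.
PROVIDER_CLASS='com.sap.commoncryptolib.provider.SAPJCE'

# Print the index N of each active security.provider.N line that registers SAPJCE.
sapjce_provider_index() {
    sed -n "s/^security\.provider\.\([1-9][0-9]*\)=${PROVIDER_CLASS}.*/\1/p" "$1"
}

check_sapjce_dir() {
    dir=$1 master=${2:-} rc=0
    # 1. Files named in the steps above, plus the custom java.security.
    for f in sapjce.jar libsapcrypto.so libslcryptokernel.so \
             libslcryptokernel.so.sha256 java.security; do
        [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    # 2. Assumed hardening rule (not from the page): nothing in the folder may be
    #    writable by group or others, because the JVM loads code from it.
    loose=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) 2>/dev/null) || :
    [ -z "$loose" ] || { echo "WRITABLE BY GROUP/OTHER: $loose"; rc=1; }
    # 3. Exactly one active provider line for SAPJCE (commented lines are ignored).
    [ -f "$dir/java.security" ] || return 1
    idx=$(sapjce_provider_index "$dir/java.security")
    case $idx in
        ''|*[!0-9]*) echo "PROVIDER LINE: expected exactly one active SAPJCE entry"; return 1 ;;
    esac
    # 4. Provider indexes must be contiguous: index N-1 has to be defined in the
    #    JRE's own java.security (MASTER) or in the custom file.
    if [ -n "$master" ] && [ "$idx" -gt 1 ]; then
        prev="^security\.provider\.$((idx - 1))="
        grep -q "$prev" "$master" "$dir/java.security" ||
            { echo "GAP: security.provider.$((idx - 1)) is not defined"; rc=1; }
    fi
    return $rc
}
```

Run it as the user that owns the WebSphere process, passing the folder used in the Generic JVM arguments and, optionally, the java.security file of the JRE that WebSphere runs on.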