Secure Communication : Secure communication for Business Intelligence
  

Secure communication for Business Intelligence

This section describes how to set up secure communication for Business Intelligence/Tomcat.

Prerequisite

This section assumes:
That you have installed Orchestra and set up secure communication for Orchestra Central, as described in “Enable HTTPS for Orchestra Central” .
That you have installed Business Intelligence. See “Business Intelligence” .
That you have installed Orchestra and Business Intelligence using http, i.e you entered http in the installation wizards.
That you are using the same kind of certificate for Business Intelligence as in Orchestra. For a description of different kinds of certificates, please see “Different kinds of certificates” .

Preparation

It is possible to reuse the settings from Orchestra. It is also possible to create a new keystore file with different settings (Country, Organization, etc).
If you are using the same certificate as in Orchestra, copy the keystore.jks and truststore.jks files from <orchestra install dir>\system\conf\security to <bi install dir>\system\conf\security Replace the already existing files.
If you need to generate a separate certificate for Business Intelligence, a private key pair must be generated, which is done in the following way:
1. Open Keystore Explorer and select Open an existing keystore. Select the file <bi install dir>\system\conf\security\keystore.jks. The default password is changeit.
2. From the Tools menu, select Generate Keypair.
3. Select Algorithm and Key Size, eg RSA and 2048. Click OK.
4. In the next page, click the Edit name button next to the Name field.
5. Fill out your details. eg: CN=hostname , O=yourCompany, L=yourCity, S=yourState, C=yourCountry. Finally, click OK twice.
6. Give an Alias name, for example qpbusinessintelligence and click OK.
7. Enter and confirm a new password. Click OK.
Now you are ready to follow the procedure described below.

Certificate that is Already Signed and Ready to Use

If you entered https url:s in the installation wizards, this procedure can be skipped.
We recommend using a tool such as Keystore Explorer, http://keystore-explorer.org/, for managing your keystores and truststore.
Before you start, make sure that you read the Prerequisite and Preparation sections above!
1. Open the file <bi_install_dir>\server\pentaho-server\tomcat\conf\server.xml.
a) Uncomment the SSL HTTP/1.1 Connector entry in the file.
b) Modify the file, to reflect your specific settings, for example:
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"sslProtocol="TLS"keystoreFile="C:\qmatic\bi\conf\security\keystore.jks" keystorePass="changeit"keyAlias="qpBi"/>
 
The keyAlias parameter is the entry name or the alias of the entry in the keystore file.
For more information, see the Tomcat documentation, https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html.
2. Open the file <bi_install_dir>\server\pentaho-server\pentaho-solutions\system\security.properties and edit it, so that protocol andare the ones used for SSL.
Example:
central.orchestra.url = https://t54.qmaticcloud.com:8443
bi.url = https://t50.qmaticcloud.com:8444/businessintelligence
3. Open the file <bi_install_dir>\server\pentaho-server\pentaho-solutions\system\server.properties and edit it, so that protocol andare the ones used for SSL.
Example:
fully-qualified-server-url = https//t50.qmaticcloud.com:8444/businessintelligence
4. Restart the Business Intelligence service.
5. Edit the url to the Business Intelligence application in the database and make sure that protocol andare set for SSL, in the following two tables:
qp_central.applications
qp_agent.applications
Example from PostgreSQL, qp_agent.applications table:
6. Edit the web_server_redirect_url to the Business Intelligence application in the database and make sure that protocol andare set for SSL in the following table:
qp_central.oauth_client_details
7. Follow the instructions in “Updates to shiro.ini - Implementing Single Sign Off” .

Updates to shiro.ini - Implementing Single Sign Off

To enable single sign off for Business Intelligence (closing both the Orchestra and the Business Intelligence session at the same time, via the Logout option in the Orchestra top bar), you need to manually update the shiro.ini file on the Orchestra server, located in <orchestra_install_dir>\conf\ in the following ways:
Add the Business Intelligence logout URL to the orchestratedLogout.logoutUrls section, as in the following example:
 
#orchestratedLogout.logoutUrls = http://<separate-bi-server-hostname>:<bi-server-port>/businessintelligence/Logout
 
orchestratedLogout.logoutUrls = https://t167.qmaticcloud.com:8444/businessintelligence/Logout
 
Note that Logout must be written with a capital L!

Updates to shiro.ini - Adding the Business Intelligence Server IP

Add the Business Intelligence Server IP to the following section:
/qsystem/rest/security/account/** = oauth2, noSessionCreation, ipFilter[127.0.0.1,0:0:0:0:0:0:0:1]
 
Example - How to Prevent Faulty Entry:
Update the section above to this:
/qsystem/rest/security/account/** = oauth2, noSessionCreation, ipFilter[127.0.0.1,192.168.22.50,got-antwin-005]
For the changes to take place, a restart of Orchestra is needed.