Sunday, June 16, 2013

Restrict access to non-SSL links for BO web applications deployed on Apache Tomcat

Environment
  • Apache Tomcat 5.5.x
  • SAP BusinessObjects Enterprise Xi 3.1 (applicable to all SP/FP)
  • Supported Windows Server
After SSL is successfully configured, users can still reach the BO web applications through both the SSL and the non-SSL links, which might be a security vulnerability.
Solution
  1. Take a backup of the "server.xml" file located at <INSTALL_DIR>\Program Files\Business Objects\Tomcat55\conf\
  2. Edit server.xml and search for the line: Connector URIEncoding="UTF-8"
  3. Comment this line out, as: <!-- <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443"/> -->
  4. Save and close the file.
  5. Stop the SIA from the CCM. Under SIA -> Properties -> Protocol, ensure that "Enable SSL" is unchecked, then start the SIA.
  6. Restart Tomcat from CCM
Now you can log on to the CMC and InfoView only through SSL. Try to access the non-SSL link and you'll get a "Page cannot be displayed" error.
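
To confirm the edit took effect, the check below parses server.xml and lists every HTTP connector that is still active without SSL. It is an added example, not part of the original post: the sample XML and the function name are constructed for illustration, and it assumes a connector counts as SSL when it carries scheme="https" and secure="true".

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the stock HTTP connector is commented out (step 3),
# the HTTPS connector stays active. Attribute values are illustrative.
SAMPLE_HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector URIEncoding="UTF-8" port="8080" redirectPort="8443"/> -->
    <Connector URIEncoding="UTF-8" port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def plaintext_http_connectors(server_xml_text):
    """Return the ports of active HTTP connectors that are not SSL-enabled."""
    # The default parser discards XML comments, so a commented-out
    # connector never shows up in the element tree.
    root = ET.fromstring(server_xml_text)
    ports = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" in protocol.lower():
            continue  # AJP is not an HTTP listener; review it separately
        is_ssl = (conn.get("scheme", "http").lower() == "https"
                  and conn.get("secure", "false").lower() == "true")
        if not is_ssl:
            ports.append(conn.get("port"))
    return ports


if __name__ == "__main__":
    # Usage: python check_connectors.py <path to server.xml>
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HARDENED
    open_ports = plaintext_http_connectors(text)
    if open_ports:
        print("Non-SSL HTTP connector(s) still active on port(s):", ", ".join(open_ports))
        sys.exit(1)
    print("No active non-SSL HTTP connector found.")
```

Run it against the edited file before restarting Tomcat; a non-zero exit code means a plain HTTP connector is still enabled.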

Hope you find this useful.
Umang Patel.
+919979084870
SAP BO BI Solution Architect/Consultant
