https://blogs.oracle.com/pa
BI Oracle CEAL Team, Author: Veera Raghavendra Rao Koka (Updated on 17-July-2014) Page 1 of 36
Configuring OBIEE 11.1.1.7.x with SSL
What do we need?
1. CA Root Certificate
2. CA Intermediate Certificate (if exists)
3. Java Keystores :: Identity Keystore and Trust Keystore
4. OBIEE Server Certificate
5. If External LDAP Directory like Oracle Internet Directory running in SSL:
   OID Server’s CA Root Certificate
   OID Server’s CA Intermediate Certificate (if exists)
   OID Server Certificate
Reference: OBIEE Security Guide (e10543-08) http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/toc.htm
A Commercial Certificate Authority (CA) will provide its CA Root and CA Intermediate Certificates. All we need to do is submit a Certificate Signing Request (CSR) for the particular server in any format (hostname.domainname.com / Web Site Name / Wildcard Certificate like *.domainname.com) and get the CA Signed Server Certificate.
NOTE: If you are using a wildcard certificate remember to turn off WebLogic Hostname Verification.
Here we will be using Custom Identity and Custom Trust Keystores.
Create Java Keystore for Custom Identity:
Create a certificate key pair for the Server Certificate using the keytool genkeypair command.
Command: keytool -genkeypair -alias scl34225 -keyalg RSA -keysize 2048 -validity 365 -keypass Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Create a Certificate Signing Request (CSR) which has to be submitted to an Internal/Third Party CA (Certificate Authority).
Command: keytool -certreq -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225_certreq.csr -keystore C:\Oracle\Middleware\ssl\myIdentity.jks
NOTE: The certificate request file can be saved with a .csr or a .pem extension; either is fine.
Note: The above screenshot shows the Certificate Signing Request in .pem format.
Note: The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate. Here we are using our own internal Certification Authority (CA).
Save the CA Root, CA Intermediate and Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl
Only on a Windows machine: generally the CA Root Certificates are already available in the Trusted Certificate Stores along with the browser’s installation. But if you are using your own internal CA you need to import the CA Root Certificate into the Trusted Certificate Stores for successful validation of the Intermediate and Server Certificates.
CealCARoot.crt
CealCAInter.crt
scl34225.crt
Install the server certificate into Personal (Optional)
Now we need to import these certificates into the Custom Identity Keystore myIdentity.jks.
Import the intermediate certificate first --> then the root certificate --> and then the signed server certificate, in that sequence.
Command: keytool -importcert -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Note: The intermediate and root certificates should have different alias names, but the signed certificate should be imported with the same alias that was used while creating the certificate key pair/keystore. After importing all three certificates you should see the message “Certificate reply was installed in Keystore”.
CEALCAInter.pem
CEALCARoot.pem
Scl34225_chain.pem
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
NOTE: The Server Certificate should be shown as
Alias Name: scl34225
Entry Type: PrivateKeyEntry
Run the following command to check if the certificate chain is valid.
In a Command Prompt run setDomainEnv.cmd to set Java Home and other variables.
Syntax : java utils.ValidateCertChain -jks <alias> <identity_keystore>
Command : java utils.ValidateCertChain -jks scl34225 C:\Oracle\Middleware\ssl\myIdentity.jks
Create a Java Keystore for Custom Trust:
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Now that we have successfully created an Identity Keystore and a Trust Keystore, we can configure WebLogic to use them by configuring Custom Identity and Custom Trust Keystores.
Import the CA Root and CA Intermediate certificates into the Java install locations.
First the Root Certificate and then the Intermediate Certificate:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -list -v -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
First the Root Certificate and then the Intermediate Certificate:
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Configuring Node Manager in SSL mode
Open the file “C:\Oracle\Middleware\wlserver_10.3\common\nodemanager\nodemanager.properties” and enter the lines below:
Restart Node Manager
If there is an issue with the Node Manager port, either change the port or perform the following steps:
Windows: Open a command window and run:
set JAVA_OPTIONS=-DDomainRegistrationEnabled=true
In the same command shell run:
<MW_HOME>\wlserver_10.3\server\bin\startNodeManager.cmd
Unix:
cd <MW_HOME>/wlserver_10.3/server/bin
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
./startNodeManager.sh
Configure SSL for WebLogic Servers (Oracle WebLogic Server Admin Console)
NOTE: In the SSL tab, under the Advanced link, set Hostname Verification to None if the CN of the certificate is not the same as the hostname of the machine where WLS is installed (this also applies to Wild Card Certificates).
Changing Other URLs to Match the New Listener Address
As OBI can work only on one protocol and we disabled the non-SSL port 7001, we need to change the Embedded LDAP URLs to match the new listener address.
To change other URLs to match the new listener address:
1. Log in to Fusion Middleware Control and navigate to bifoundation_domain under WebLogic Domain.
2. From the WebLogic Domain menu, choose Security and Security Provider Configuration.
3. Click Configure in the Identity Store Provider area to display the Identity Store Configuration area and the Custom Properties table, and check that the ldap.url custom property is present and correctly configured as follows:
Custom Property Values for ldap.url = ldaps://scl34225.us.oracle.com:7002
Restart the Administration Server and Managed Servers
Enabling Trust between Codes Running in WebLogic Servers
You must enable trust between codes running in WebLogic Servers before you can enable SSL communication between Oracle BI EE components.
1. Open the following files for editing:
For Linux: MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh
For Windows: MW_HOME\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd
2. Some Oracle Business Intelligence Java components running in Oracle WebLogic Server invoke other web services running in Oracle WebLogic Server. Therefore, you must configure Oracle WebLogic Server to trust itself by setting these properties. You must escape any backslash (\) character in a path by using an additional backslash (\) character.
3. For Linux (enter all on one line):
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/Oracle/Middleware/ssl/myTrust.jks -Djavax.net.ssl.CustomTrustStorePassphrase=\"Oracle123\" -Djavax.net.ssl.keyStore=/Oracle/Middleware/ssl/myIdentity.jks -Djavax.net.ssl.keyStorePassword=\"Oracle123\""
export JAVA_OPTIONS
4. For Windows (enter all on one line):
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\Oracle\\Middleware\\ssl\\myTrust.jks" -Djavax.net.ssl.CustomTrustKeyStorePassphrase="Oracle123" -Djavax.net.ssl.keyStore="C:\\Oracle\\Middleware\\ssl\\myIdentity.jks" -Djavax.net.ssl.keyStorePassword="Oracle123"
5.
6. Save the setDomainEnv.sh or setDomainEnv.bat file.
7. Restart Oracle WebLogic Server to include the Java option changes.
Oracle Business Intelligence Components can communicate only through one protocol at a time. It is not possible to use SSL between some components while using simple TCP/IP communications between others.
Enabling SSL for Oracle BIEE Components Using Fusion Middleware Control
Login to em :: http://scl34225.us.oracle.com:7001/em
NOTE: The SSL options on this page only enable configuration for internal communications used by the Oracle BI middle-tier. To set up SSL for outward facing WebLogic ports, you must use the WebLogic Administration Console before you configure the settings on this page.
If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. Re-check the SSL Config steps in WebLogic Server.
When selected, this checkbox enables SSL to be the method of communication between Oracle Business Intelligence components.
Do not enter the individual web server certificate. Supported types are .der and .pem.
Ensure that you enter the correct extension for the certificate file. If the certificate for the web server is signed by an Intermediate CA, even then enter the root CA and not the intermediate certificate.
You will receive a confirmation message: "Confirmation Generate New Certificates - Completed Successfully"
If you don’t see the above message, or on issues, please follow the steps below.
If you see the following error message: "CA certificate <your certificate path> format <PEM or CER> is not a CA certificate. It does not have the expected basic constraints for a CA.", complete the following steps:
a. Visually check that the contents of your CA certificate are correct, by entering the following command:
For pem certificates use: <mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -in <yourcertificate>.pem -text
For der certificates use: <mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -inform der -in <yourcertificate>.der -text
These read-only openssl commands do not need a configuration file. Therefore you can safely ignore any warnings starting with: WARNING: can't open config file
b. Check that your CA certificate is the expected root CA certificate. CA certificates should contain a basic constraints section, but some CAs still do not conform to this standard.
c. If the contents of your CA certificate are correct, you can turn off the strict CA certificate check by setting the following property in the setDomainEnv.sh file (for Linux), or setDomainEnv.bat file (for Windows):
oracle.bi.management.ssl.omitcacheck=true
Note: Do not configure this property unless you have checked the CA certificate, and it is correct.
d. Save the setDomainEnv.sh or setDomainEnv.bat file.
e. Repeat the section: Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control
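A check for the basic constraints problem in steps a and b, as an added example that is not part of the CEAL document: it reads a .pem or .der CA certificate with a small stdlib-only DER parser and reports whether the BasicConstraints extension is present with cA=TRUE, which is what Fusion Middleware Control rejects when it says the file is not a CA certificate. The sample certificates at the bottom are constructed byte strings, not the CEAL certificates.

```python
"""Added example (not from the CEAL document): a stdlib-only DER walk that finds
the BasicConstraints extension (OID 2.5.29.19) and reports whether cA is TRUE."""
import base64
import re

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19

def _tlv(tag, content):
    """DER-encode one tag/length/value triple (used to build the samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value

def _walk(content):
    """Depth-first: yield the content of every constructed node (tag bit 0x20)."""
    for tag, value in _children(content):
        if tag & 0x20:
            yield value
            yield from _walk(value)

def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block of a .pem file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def find_basic_constraints(der):
    """Return {'critical', 'ca', 'path_len'} for the extension, or None if absent."""
    for node in _walk(der):
        kids = list(_children(node))
        if not kids or kids[0][0] != 0x06 or kids[0][1] != OID_BASIC_CONSTRAINTS:
            continue  # not the Extension SEQUENCE we are looking for
        rest, critical = kids[1:], False
        if rest and rest[0][0] == 0x01:  # optional 'critical' BOOLEAN
            critical, rest = rest[0][1] != b"\x00", rest[1:]
        if not rest or rest[0][0] != 0x04:
            raise ValueError("malformed BasicConstraints extension")
        inner_tag, inner, _ = _read_tlv(rest[0][1], 0)  # extnValue wraps a SEQUENCE
        if inner_tag != 0x30:
            raise ValueError("BasicConstraints value is not a SEQUENCE")
        ca, path_len = False, None  # cA DEFAULT FALSE when omitted (RFC 5280)
        for tag, value in _children(inner):
            if tag == 0x01:
                ca = value != b"\x00"
            elif tag == 0x02:
                path_len = int.from_bytes(value, "big")
        return {"critical": critical, "ca": ca, "path_len": path_len}
    return None

def is_ca_certificate(data):
    """Accept .pem or .der bytes; True only if BasicConstraints carries cA=TRUE."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = pem_to_der(data.decode("ascii"))
    bc = find_basic_constraints(data)
    return bool(bc and bc["ca"])

def _basic_constraints_ext(ca, path_len=None):  # constructed sample Extension
    inner = _tlv(0x01, b"\xff") if ca else b""
    if path_len is not None:  # sample supports 0..127 only
        inner += _tlv(0x02, bytes([path_len]))
    ext = _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff")  # critical TRUE
    return _tlv(0x30, ext + _tlv(0x04, _tlv(0x30, inner)))

def _sample_cert(ext):  # constructed stand-in: Certificate { tbs { serial, [3] exts } }
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(0x30, ext))))

SAMPLE_CA_DER = _sample_cert(_basic_constraints_ext(True, 0))    # root CA, cA=TRUE
SAMPLE_LEAF_DER = _sample_cert(_basic_constraints_ext(False))    # server cert, cA omitted
SAMPLE_NO_EXT_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x02")))  # no extensions at all
```

Feed the bytes of CealCARoot.pem to is_ca_certificate(); a False result explains the Fusion Middleware Control error before you consider the omitcacheck property from step c.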
If it succeeds: Activate Changes. Stop all OPMN services and WebLogic Server.
After this, if you observe the value of ssl in the instanceconfig.xml file below, it shows ssl="true":
C:\Oracle\Middleware\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml
Restart WebLogic Server (Administration Server, Managed Servers), then start the OPMN components and Oracle Business Intelligence components.
In Fusion Middleware Control go to the SSL page and click View SSL report to verify the internal SSL communications status. If you can see this link, SSL is enabled.
Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7001 and 9704. All logins should be successful.
Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7002 and 9804. All logins should be successful.
Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports
Complete these steps for WebLogic Server's embedded LDAP directory:
Property Name | Value | Comments
java.naming.security.protocol | ssl |
In the StartManagedWebLogic.cmd change the Admin Server URL
Also edit StartStopServices.cmd (Windows machine only).
And change all http to https in the StartStopServices.xml file.
Restart the Admin Server, Managed Server and BI Components.
Additional SSL Configuration Options
Updating Expired SSL Certificates Using Fusion Middleware Control
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Configuring SSL for the SMTP Server Using Fusion Middleware Control
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Using SASchInvoke when BI Scheduler is SSL-Enabled
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Enabling the Online Catalog Manager to Connect
The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSL.
You must import the CA Root, CA Intermediate and OBIEE Server Certificates (also OHS certs if OHS exists) into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.
Java Keystore of the JAVA_HOME: C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
NOTE: Since we will be having OHS on the same machine and it is signed by the same CA, we have already imported these certificates into the Java install keystores (if using the online Catalog through the OHS URL).
Catalog online URL: https://scl34225.us.oracle.com:9804/analytics/saw.dll
Configuring the Oracle BI Administration Tool to Communicate Over SSL
Configuring an ODBC DSN for Remote Client Access
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Configuring Oracle BI Publisher to Communicate Over SSL
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Configuring SSL when Using Multiple Authenticators
Create a Keystore for running External LDAP in SSL (adapter.jks)
Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
NOTE: libovdconfig.bat fails if we use the 7002 SSL port. So enable the Admin Server at the 7001 port and execute.
Command: C:\Oracle\Middleware\oracle_common\bin\libovdconfig.bat -host scl34225.us.oracle.com -port 7001 -userName weblogic -domainPath C:\Oracle\Middleware\user_projects\domains\bifoundation_domain -createKeystore
Once this command runs, you should see two new credentials in the Credential Store and a new Keystore file called adapters.jks under MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores
Import the OID CA Root Certificate into the libOVD Keystore:
Command: keytool -import -alias oid -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OID CA Intermediate Certificate (if exists) into the libOVD Keystore. Here we don’t have this certificate.
Import the OID Server Certificate into the libOVD Keystore:
keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OBIEE Server CA Root certificate into the libOVD Keystore using the keytool command:
Import the OBIEE Server CA Intermediate certificate into the libOVD Keystore using the keytool command:
keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OID CA Root and OID Server Certificate into the Java Keystores below:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Not required, but if you encounter any SSL handshake issues, import this certificate:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Not required, but if you encounter any SSL handshake issues, import this certificate:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
C:\Oracle\Middleware\ssl\myTrust.jks
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Import the OID Server Certificate into the myTrust Keystore:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
NOTE: If the OID Server cert is not imported into the Trust Keystore, the Admin Server log shows an SSL Handshake failure. So please import this certificate too.
Steps to be followed for successful Config of External LDAP (OBIEE running in SSL and External LDAP in SSL):
1. OBIEE up and running, able to login with WebLogic embedded LDAP users.
2. Configure OBIEE with SSL.
3. Check if SSL is working with Embedded LDAP users (both console/em and analytics).
4. Configure external LDAP with SSL (as Additional SSL Config Steps :: check the Security Guide SSL Config Section).
5. Set Control Flag to SUFFICIENT for both Default Authenticator and External LDAP Authenticator.
6.
9. Import (CA Root cert of LDAP Server, CA Intermediate cert of LDAP Server, LDAP Server cert, CA Root cert of OBIEE Server, CA Intermediate cert of OBIEE Server) into adapter.jks.
10. Now reorder external LDAP to the top in the providers list.
11. Restart Admin Server.
Test login to analytics as OID users configured in SSL mode.
An alternative method (not recommended) is to use the System MBean Browser.
Configuring SSL Communication between BI Components Using the System MBean Browser
This section describes how to configure SSL communication between components using the System MBean Browser.
This alternative method enables you to choose several advanced configuration options, including choosing the passphrase that protects the various certificate stores.
Oracle recommends not to use this approach, but to follow Section "Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console".
Manually Configuring SSL Communication between Components Using System MBean Browser
Task | Description
Lock the configuration. | Use the BIDomain MBean to lock the domain configuration before making changes.
certificate.
Commit the SSL configuration changes. | Use the BIDomain MBean to commit the SSL configuration changes.
Verify SSL certificates in credential store. | Verify that the SSL certificates are saved in the credential store.
Enable the SSL configuration and restart Oracle Business Intelligence components. | Enable the SSL configuration between components, and then restart the components so the changes take effect.
between components.
Task | Description
Configure SSL communication for the mail server. | Configure SSL communication for the mail server.
Update expired SSL certificates. | Update expired SSL certificates and replace with new ones.
Expand Application Defined MBeans.
Expand the oracle.biee.admin node, then expand the bifoundation_domain node.
Select the BIDomain MBean having the full name oracle.biee.admin:type=BIDomain, group=Service from the MBean navigation tree.
Select the Operations tab, then Lock.
Click Invoke.
A confirmation displays to indicate that the configuration is locked. The next step is to generate the SSL certificates.
Configuration options for the MBean display in the right pane.
Select the Attributes tab, and then locate the SSLCertificatesGenerated attribute.
If certificates have been previously generated, you can continue to replace them with new certificates.
NOTE: Since we have implemented SSL for BI Components using the WebLogic Admin Console, Fusion Middleware Control and manually editing files (the Oracle recommended method), we can see that the SSL Certificates are already generated.
But just think: if we hadn’t done any SSL Certificate Generation (from WLS Console, FMW em and manually editing files), the values would be “false”.
Let us proceed on the assumption that we are enabling SSL from the System MBean Browser.
Select the Operations tab. The operations available for the MBean are displayed.
passphrase: The SSL passphrase that protects the certificates and, most importantly, the private key. Remember this passphrase.
webServerCACertificatePath: The path for the Certificate Authority (CA) root certificate for the CA used to sign the web server's certificate. Do not enter the individual web server certificate or the (CA) intermediate certificate.
certificateEncoding: Supported types are .der and .pem.
Click Invoke.
A confirmation displays if the operation executed successfully. If successful, the input CA certificate has been validated and the certificate generation request is queued.
The next step is to commit the changes, which completes certificate creation and distribution throughout the domain.
To commit the SSL configuration and release the lock: Use the BIDomain MBean.
The next step is to verify the SSL credentials are in the credential store.
Verifying the SSL Credentials in the Credential Store
Open the oracle.bi.enterprise credential map and verify the SSL credentials have been saved to the credential store. If successful, the following SSL credentials display in the oracle.bi.enterprise credential map:
ssl.java.private.key
ssl.java.public.certificate
config.version
Cacert.pem
combinedcacert.pem
Server-cert.pem
webservercacert.pem
Server-key.pem is the private key for the openssl servers.
Clients need to have access to the internal CA certificate. Java clients need the certificate in a keystore which they have access to.
The javaserver.keystore cannot be used if you created the certificates from Fusion Middleware Control, since it is protected by a private passphrase.
Create a new keystore for use by your clients with the following command:
keytool -keystore clientkeystore -import -file cacert.pem -alias biee
The command prompts you to choose your own passphrase.
The next step is to enable the SSL configuration changes.
Enabling the SSL Configuration
From the System MBean Browser, again use the BIDomain MBean to lock the Security Configuration, then select the BIInstanceSecurityConfiguration MBean.
Select the Attributes tab, then for the SSLEnabled attribute select true from the Value list, then click Apply. You must have the SSL listen port on for the Administration Server and Managed Servers.
Navigate to the BIDomain MBean and commit the changes.
SSL communication is now enabled between the components. You must restart the Oracle Business Intelligence components for the changes to take effect.
Restart WebLogic Admin & Managed Servers and BI Components.
Confirming SSL Status Using the MBean Browser
You can run an SSL report using the BIDomain.BIInstance.SecurityConfiguration MBean to verify that SSL communication is operating between components.
From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.
You do not need to lock the configuration to run the SSL report.
To run the report, click Invoke. The report indicating the status of SSL communication between components displays.
If the SSL ping fails, check the following:
Verify the target component is running.
Verify that the component has been restarted since SSL was enabled. SSL configuration changes require a restart to take effect.
Verify that the SSLEnabled attribute for the BIDomain.BIInstanceSecurityConfiguration MBean is set to true. When changing SSL properties, both apply and commit steps must be performed.
All the 5 BI Components should show: SSL ping OK, SSL Version as SSL v3, Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 (Default), Certificate Expiry details and Certificate CA dn details.
Updating Expired SSL Certificates Using the MBean Browser
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Advanced SSL Configuration Options
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
A manually configured SSL environment can co-exist with a default SSL configuration.
If OBIEE is on Linux and client tools on Windows
Client tools like Catalog Manager and Admin Tool cannot open due to certificate SSL issues, so import the (CA Root, CA Intermediate and OBIEE Server) Certificates into the Client Tools Java Home Security Keystore.
On Windows Machine: In a command prompt cd "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\bin"
Command: keytool -import -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
For RPD access create the DSN with SSL enabled.