
4/17/2019 Document Display

Copyright (c) 2019, Oracle. All rights reserved. Oracle Confidential.

Easy Steps For Full SSL Configuration in Enterprise Performance Management 11.1.2.x -
Distributed installation across two Servers (Doc ID 1391487.1)

In this Document

Abstract
History
Details
I. Preparing Keystores and Certificates
a) Creating the CA Private Key
b) Creating the CA Public Key
c) Creating the Servers Public Keys and CSRs
d) Signing CSRs Generated for the EPM Servers
e) Generating Certificates from OHS and Microsoft IIS
f) Adding Certificates to Keystore
g) Setting Up the Default JRockit Keystore on Each Server
II. Setting Up SSL To The Already Deployed Web Application
a) Hyperion Foundation Services (HSS) Web Application SSL Configuration
b) Hyperion Planning Web Application SSL Configuration
III. Setting SSL to EPMA, HFM And OHS
a) Setting Up EPMA with SSL
b) Setting Up HFM with SSL
c) Setting Up OHS with SSL
IV. OHS Webserver Configuration/Re-Configuration
V. Additional Configurations
a) HFM
b) EAS
c) Configure IIS 7 (Windows 2008) for SSL
Summary
References

APPLIES TO:

Hyperion Planning - Version 11.1.2.1.000 and later


Information in this document applies to any platform.
11.23.15

ABSTRACT

The purpose of this article is to explain SSL configuration in an EPM 11.1.2.1 distributed installation using the following
setup:

Oracle Linux OS: HSS, Planning, OHS, Calc manager, Profitability,


Microsoft Windows 2003 SP2 64 Bit: Essbase, EAS, APS (Provider Services), EPMA (Webtier and dimension server),
HFM

This Whitepaper could also be used in the following installation setups:

Single Server EPM Installation


SSL OffLoading where only the OHS server is SSL and not the web application servers

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=ayysteym0_9#WP_BODY 1/15

This whitepaper is meant to be used for testing purposes in a test environment.

See also the following White papers:

Document 1530169.1 Easy Steps To Setting up SSL Offloading With OHS Webserver On EPM 11.1.2.2
Document 1532416.1 Easy Steps to configure Full SSL On a non Distributed Installation (Single Server Installation)

HISTORY

Author: Bachir Ndiaye


04-01-2012

DETAILS

The first section is included for ease of implementation in a situation where you do not have certificates available.

Please note that all the Screenshots referenced are attached as EPM11121SSL_Screenshots.doc

I. Preparing Keystores and Certificates

In this exercise we use OpenSSL to create our own CA in order to sign the certificate requests that we create later. The CA is named after the Linux server Bachirlnx2 for simplicity. Unzip the folder key_cert_gen to a root drive (E:\). The CA private key is the most sensitive object in this setup: it should be generated at a length that is still considered secure (2048 bits is the current minimum; the 1024-bit key and DES pass phrase encryption used in the session below date from 2011 and should not be reproduced) and it should be stored encrypted under a pass phrase. Both are done with OpenSSL commands.

a) Creating the CA Private Key

E:\key_cert_gen>openssl version

OpenSSL 0.9.7j 04 May 2006

E:\key_cert_gen>openssl genrsa -out Bachirlnx2CA.key -des 1024

Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for Bachirlnx2CA.key:
Verifying: Enter pass phrase for Bachirlnx2CA.key:

E:\key_cert_gen>type Bachirlnx2CA.key

  -----BEGIN RSA PRIVATE KEY-----


Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,B3C2746A8E4B5DC9
QaEOvtka4J1Z9ct9om7SFFO3YBHehKiKHOPfFMIPkotXaoJX3kmg4FhueQ958N3o
ivE7PqR0h7MxrcvCU6lxdk0Hs5YVK4oMdQ0/H7TAXC9Z8I6/Wq08uYb8izYPqDvA
YoZXPsv3Nkoo4vqrfgvivi3rhKlxCHCEqmjwyCLdbFKpgCgT+ir3j1w0dp7yl7Es
25f+N6FiJtRZdCBuDtJCDrxU6UIGskr8ZkQPXMF8vdFCpjvC2Pn2WrnKjR627zun
tNS3phdJLUYFIwqW0ATPCtK0UCcZPXwRGcWng6S5/rwifjjGCvM2AflDPJkbPNHm
QCnnN7jP+rjXMMyR+vVobwszCa3DcNykWSG/Jh+I47ajSpdis9Boh2xqnOM1vItj
9qEbLx2Ff8AbbTipdJf1+Xnno3ZZ0B8xd3gPVDSjXhP5vu3uaaqwJOx1swWI02sr
WyDBd12ykpecqO7/RpBnbmLXUu41Y6TzxoxkMBdn+Fc7rCAPV/cvPrzOPF6Q/MQh
vmm4TPvRt1luZDP4jAzTReAR9i4q+3pJ2syxAtvKyA0v4fnfmEdhOpOFEvmq/WHN
+XvjFdVSdYmnWC1Hw5OxEFUCA0w4XGRT8ASwIbtKkAgNUBpWEaoKWB+dF9V6Ql7J
S6Work/9wU5PHUi0pNAU8RyjN5faRTc91fD3bbQLpCVBsAy52CCC3cS7ug8T1ysa
XE9pedUjpqaMKnpEQNAQ5NlI7p5IHFJp9svcQlpBARyyN1l1uFrcdexdjG+aU4IG
2hBs2xmMLcCarvI46xp1Uld/tekLldPVxF9V75GFJ6g=
-----END RSA PRIVATE KEY-----

Explanation of the commands:

genrsa command is used to generate a pair of private key and public key using RSA algorithm.
-out Bachirlnx2CA.key tells openssl to store the private key in a file called Bachirlnx2CA.key.

-des option encrypts the private key file Bachirlnx2CA.key with single DES, a 56-bit cipher. Current OpenSSL releases offer -aes256 and that is what a new CA key should use.
1024 sets the key length to 1024 bits. This length has been deprecated since 2013; generate new CA keys with 2048 bits or more (4096 for a CA that, like this one, will be valid for ten years).
type Bachirlnx2CA.key is the Windows command to show the content of Bachirlnx2CA.key.

The file Bachirlnx2CA.key will be created under the folder E:\key_cert_gen

b) Creating the CA Public Key

Now we are ready to generate a self-signed certificate from our private key. The file Bachirlnx2CA.key actually holds a key pair: the private key, which only the CA (us) uses to sign, and the public key, which whoever receives something we signed (the EPM servers) uses to verify the signature.

To give out the public key we put it into a certificate carrying our name and sign that certificate with our own private key. This is called generating a self-signed certificate, and OpenSSL does it in a single command:

E:\key_cert_gen>openssl req -new -key Bachirlnx2CA.key -x509 -days 3650 -out Bachirlnx2CA.crt -config openssl.cnf

E:\key_cert_gen>type Bachirlnx2CA.crt

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Explanation of the commands:

req command is used to generate a certificate signing request or a self-signed certificate.
-new option prompts for the certificate subject information.
-key Bachirlnx2CA.key option specifies the file containing the private key (and with it the public key). The pass phrase will be prompted for.
-x509 option tells req to output a self-signed certificate instead of a request.
-days 3650 option makes the self-signed certificate valid for 3650 days, about 10 years.
-out Bachirlnx2CA.crt option tells req to store the self-signed certificate in a file called Bachirlnx2CA.crt.
-config openssl.cnf option specifies the configuration file.
type Bachirlnx2CA.crt is the Windows command to show the content of Bachirlnx2CA.crt.

No digest was given, so this OpenSSL 0.9.7 build signed with its default, MD5 (see md5WithRSAEncryption in the printout below). MD5 signatures are no longer accepted by current browsers and JVMs; add -sha256 to this command and to every later openssl x509 -req command. Note also that the result is an X.509 version 1 certificate, which carries no extensions: the CA certificate has no basicConstraints marking it as a CA and the server certificates signed later have no subjectAltName, which is what current clients match host names against. When generating new certificates, add those extensions.

When you are prompted for distinguished name information, just press the Enter key to take the default values.

To print the certificate in clear text then type the following command:

E:\key_cert_gen>openssl x509 -in Bachirlnx2CA.crt -noout -text

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d4:0f:1b:d5:f0:02:b0:89
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=LANCASHIRE, L=MANCHESTER, O=ORACLE, OU=SUPPORT CA, CN=Bachirlnx2
Validity
Not Before: Dec 5 10:16:55 2011 GMT
Not After : Dec 2 10:16:55 2021 GMT
Subject: C=GB, ST=LANCASHIRE, L=MANCHESTER, O=ORACLE, OU=SUPPORT CA, CN=Bachirlnx2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a3:17:0b:2f:23:44:3f:e5:5a:ff:3b:3a:ca:98:
09:ba:9f:2a:3d:48:21:37:bd:da:fb:ea:bb:88:da:
...
...

As a CA we now have our private key (Bachirlnx2CA.key) and our CA certificate (Bachirlnx2CA.crt) and are ready to sign requests. For the CA to be trusted by the machines in the EPM environment, the CA certificate must be copied to every Microsoft Windows machine that is part of the EPM installation and installed in its Trusted Root Certification Authorities store. Only the .crt file is distributed; the .key file stays on the CA machine.
(see Fig Ib1_1)
(see Fig Ib1_2)

c) Creating the Servers Public Keys and CSRs

The next section describes how someone else can use keytool to generate a public key and ask us to sign it. In this
section, let's assume that userA is using the keytool and wants to have his own private key to sign documents. But he
needs his public key certificate to be signed by us, Bachirlnx2. Why? Because our CA is trusted. So UserA starts to
generate his own private key and stores it in a keystore file which is more like a keys/certificates container.

This can be done by a single keytool -genkeypair command as shown in the following command session:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>java -version

java version 1.6.0_20
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Oracle JRockit(R) (build R28.0.2-11-135406-1.6.0_20-20100624-2119-windows-x86_64, compiled mode)

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -genkeypair -keyalg RSA -alias Bachirlnx2_key -keysize 1024 -keystore E:\EPM\EPMStore.jks -storepass jksplanning -keypass keyplanning

What is your first and last name?


[Unknown]: Bachirlnx2
What is the name of your organizational unit?
[Unknown]: SUPPORT
What is the name of your organization?
[Unknown]: ORACLE
What is the name of your City or Locality?
[Unknown]: MANCHESTER
What is the name of your State or Province?
[Unknown]: LANCASHIRE
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=Bachirlnx2, OU=SUPPORT, O=ORACLE, L=MANCHESTER, ST=LANCASHIRE, C=GB correct?
[no]: yes

The keystore with the private key is created in E:\EPM\EPMStore.jks.

Note that the "first and last name" (the CN) must always be the name of the server the certificate is for, as clients will address it. Here it is the Linux server Bachirlnx2, where HSS and Hyperion Planning, among others, will be installed. This has nothing to do with the CA: it just so happens that in this setup the CA machine is also one of the EPM servers.

Explanation:

java -version command is used to check the Java version.


keytool -genkeypair command generates a key pair, UserA's private key and UserA's public key, and stores it with a self-signed certificate.
-keyalg RSA selects the key algorithm. If you omit this parameter the default is DSA, which WebLogic does not support for SSL.
-keystore EPMStore.jks option specifies the keystore file that holds the key pair.
-alias Bachirlnx2_key option specifies the entry name of the key pair in the keystore file, because a keystore can hold multiple key and certificate entries.
-keysize 1024 option specifies the key size to be 1024 bits. Use 2048 for any new key; 1024-bit RSA has been deprecated since 2013 and is refused by some current TLS clients.
-storepass option specifies the password that protects the keystore file (in this case the password jksplanning was used).
-keypass option specifies the password that protects the Bachirlnx2_key entry in the keystore file (in this case the password keyplanning was used). Both passwords are given on the command line here for readability; they end up in the shell history, so on a real system let keytool prompt for them.


Now that the keystore with the key file for EPM server Bachirlnx2 has been created under E:\EPM, you can view its content
with the following command:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -list -keystore e:\EPM\EPMStore.jks -storepass jksplanning

Keystore type: JKS


Keystore provider: SUN
Your keystore contains 1 entry
bachirlnx2_key, Dec 5, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 98:F4:E9:B8:34:B3:7C:0D:E7:58:10:B6:DC:1A:F5:B8

UserA can now use keytool to generate a CSR (Certificate Signing Request) containing his public key and ask us as a CA to
sign it for him. To do this, He needs to run one keytool certreq command as shown below:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -certreq -alias Bachirlnx2_key -keypass keyplanning -keystore E:\EPM\EPMStore.jks -storepass jksplanning -file E:\EPM\Bachirlnx2.csr

Explanation:

keytool -certreq command generates a CSR (Certificate Signing Request) from the key pair stored under the given alias.
-alias Bachirlnx2_key option specifies the keystore entry whose key pair is used.
-keystore EPMStore.jks option specifies the keystore file.
-file Bachirlnx2.csr option specifies the file in which the CSR will be stored.
type Bachirlnx2.csr would show the content of Bachirlnx2.csr (PEM text beginning with -----BEGIN NEW CERTIFICATE REQUEST-----).

Normally, the distinguished name of the owner of the key pair should be asked when generating a CSR, but keytool has
already asked and stored the distinguished name when generating the key pair. Now UserA sends his CSR file,
Bachirlnx2.csr, to the CA to be signed. The CA Bachirlnx2CA will sign his CSR file into a public key certificate Bachirlnx2.crt.

d) Signing CSRs Generated for the EPM Servers

When we as the CA receive UserA's CSR (Certificate Signing Request), Bachirlnx2.csr, we sign it with our CA private key (created earlier) using the "openssl x509 -req" command as shown in the command session below:

E:\key_cert_gen>openssl x509 -req -in Bachirlnx2.csr -CA Bachirlnx2CA.crt -CAkey Bachirlnx2CA.key -out Bachirlnx2.crt -days 3650 -CAcreateserial -CAserial bachirlnx2CA.seq

Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=Bachirlnx2
Getting CA Private Key
Enter pass phrase for Bachirlnx2CA.key:

Note that a CSR generated by keytool is compatible with OpenSSL.

Explanation:

openssl x509 -req command signs a CSR (Certificate Signing Request) with the CA private key Bachirlnx2CA.key and the CA certificate Bachirlnx2CA.crt.
-in Bachirlnx2.csr option specifies the CSR file received from UserA.
-CA Bachirlnx2CA.crt option specifies the CA certificate file.
-CAkey Bachirlnx2CA.key option specifies the CA private key file. The pass phrase will be prompted for.
-days 3650 option specifies that the signed certificate is good for 3650 days.
-out Bachirlnx2.crt option specifies the file name to store UserA's certificate signed by the CA.
-CAcreateserial option tells OpenSSL to create the serial number file if it does not exist yet. OpenSSL seeds it with a random 64-bit value (the serial printed below is such a value) and increments it for each subsequent certificate; keep a single serial file per CA so that two certificates never share a serial number.
-CAserial Bachirlnx2CA.seq option specifies the serial number file name.

Run the following command to view the content of the generated certificate using OpenSSL:

E:\key_cert_gen>openssl x509 -in Bachirlnx2.crt -noout -text

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
dc:0b:13:91:1f:0a:7d:5f
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=LANCASHIRE, L=MANCHESTER, O=ORACLE, OU=SUPPORT CA, CN=Bachirlnx2
Validity
Not Before: Dec 5 14:32:08 2011 GMT
Not After : Feb 21 14:32:08 2020 GMT
Subject: C=GB, ST=LANCASHIRE, L=MANCHESTER, O=ORACLE, OU=SUPPORT, CN=Bachirlnx2
Subject Public Key Info: 
Public Key Algorithm: dsaEncryption
DSA Public Key:
pub:
0f:03:65:3f:77:fb:6c:b8:dc:fd:fd:81:a1:7d:05:
8f:2a:13:06:bf:f1:03:06:0d:71:83:61:7b:c5:b4:
88:b3:ad:76:5b:92:c4:2a:ae:64:ca:a6:d2:a1:5e:
13:dc:b8:49:92:81:ec:50:e9:2c:69:5d:ee:88:ad:
.......
........
.......

Before using the certificate, check the printout: the issuer must be our CA (OU=SUPPORT CA, CN=Bachirlnx2), the subject must be CN=Bachirlnx2, the expiry must be far enough away (here 2020, which corresponds to -days 3000 rather than the 3650 of the command above, so this printout comes from a later run), and the Public Key Algorithm must be rsaEncryption. The printout above says dsaEncryption, which means the key pair it was made from had been generated without -keyalg RSA; WebLogic will not use a DSA key for SSL, so if you see this, delete the entry and rerun keytool -genkeypair with -keyalg RSA before requesting a certificate. With that verified we have finished generating the certificate for server Bachirlnx2 (for UserA). As this is a distributed installation over two machines, we need to generate the certificate for the other server (server name VMBNTALLEY64).
For server VMBNTALLEY64 we generate a key pair in the same keystore and have its certificate signed by the same CA. Using one keystore means that at the end of the process one file holds every certificate and key used across the EPM system and we can copy it to every server participating in the installation. Be aware of what that implies: each server then holds the private keys of all the others, so a compromise of any one server exposes the SSL identity of every server. For a test environment, which is what this note targets, that is acceptable; for production, keep each server's private key in a keystore that exists only on that server and share only the certificates.

The tasks to perform are:

Generate the server key pair in the same keystore EPMStore.jks

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -genkeypair -keyalg RSA -alias vmbntalley64_key -keysize 1024 -keystore E:\EPM\EPMStore.jks -storepass jksplanning -keypass keyplanning

What is your first and last name?
[Unknown]: VMBNTalley64   (it is important here to give the machine name)
What is the name of your organizational unit?
[Unknown]: SUPPORT
What is the name of your organization?
[Unknown]: ORACLE
What is the name of your City or Locality?
[Unknown]: MANCHESTER
What is the name of your State or Province?
[Unknown]: LANCASHIRE
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=VMBNTalley64, OU=SUPPORT, O=ORACLE, L=MANCHESTER, ST=LANCASHIRE, C=GB correct?
[no]: yes

Generate the certificate request vmbntalley64.csr with keytool -certreq exactly as was done for Bachirlnx2 (same keystore, store password and key password, but -alias vmbntalley64_key and -file E:\EPM\vmbntalley64.csr), then sign it with the CA Bachirlnx2CA:

E:\key_cert_gen>openssl x509 -req -in vmbntalley64.csr -CA Bachirlnx2CA.crt -CAkey Bachirlnx2CA.key -out vmbntalley64.crt -days 3000 -CAcreateserial -CAserial bachirlnx2CA.seq

Loading 'screen' into random state - done


Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=VMBNTalley64
Getting CA Private Key
Enter pass phrase for Bachirlnx2CA.key:

At this point we have dealt with the 2 servers (Bachirlnx2 and VMBNTALLEY64), as far as preparing the certificates is
concerned for the servers participating in the installation.
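The following script, an added example that is not part of this Oracle note, redoes steps a) to d) with parameters that are acceptable today (RSA 2048/4096, AES-256 key encryption, SHA-256 signatures, X.509 v3 extensions with the host name in subjectAltName) and then runs the checks a practitioner should make on a signed certificate before installing it, including the rsaEncryption check discussed above. It drives the openssl binary (which must be on PATH) from Python instead of the Windows command prompt; the CA name, pass phrase, host name epmapp01.example.internal and file names are placeholders of this example, not the note's values. The server key and CSR are produced with openssl here, where the note uses keytool -genkeypair and -certreq; a keytool CSR is PEM and is signed by the same x509 -req step.

```python
"""Section I.a-d redone with current parameters, plus the checks to run on the
result. Added example, not part of the Oracle note: drives the openssl binary
(must be on PATH) from the standard library. CA name, pass phrase, server
host name and file names are placeholders chosen for this example."""
import os
import subprocess
import tempfile

CA_NAME = "epmlab-ca"                       # placeholder CA name
CA_PASS = "ca-passphrase-demo-only"         # placeholder; prompt for it in real use
SERVER_FQDN = "epmapp01.example.internal"   # placeholder EPM server host name

# One config file serves both certificates. Unlike the version 1 certificates
# in the note, the CA certificate is marked as a CA and the server certificate
# carries its host name in subjectAltName, which is what current clients match.
CONFIG = """
[req]
prompt = no
distinguished_name = dn
[dn]
C = GB
O = ORACLE
OU = SUPPORT CA
CN = {ca}
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{host}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"""

def openssl(*args, cwd):
    """Run one openssl command in cwd; raise on failure, return stdout text."""
    done = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return done.stdout

def build_pki(workdir):
    """I.a to I.d: CA key and certificate, server key, CSR and signed certificate."""
    with open(os.path.join(workdir, "epm.cnf"), "w") as f:
        f.write(CONFIG.format(ca=CA_NAME, host=SERVER_FQDN))
    ca_key, ca_crt = CA_NAME + ".key", CA_NAME + ".crt"
    srv_key, srv_csr, srv_crt = [SERVER_FQDN + ext for ext in (".key", ".csr", ".crt")]
    # I.a: 4096-bit CA key, pass phrase protected with AES-256 (the note: 1024-bit, DES).
    openssl("genrsa", "-aes256", "-passout", "pass:" + CA_PASS, "-out", ca_key, "4096",
            cwd=workdir)
    # I.b: self-signed CA certificate, SHA-256 (the note's 0.9.7 defaulted to MD5).
    openssl("req", "-new", "-x509", "-sha256", "-days", "3650", "-config", "epm.cnf",
            "-extensions", "v3_ca", "-key", ca_key, "-passin", "pass:" + CA_PASS,
            "-out", ca_crt, cwd=workdir)
    # I.c: server key pair and CSR. The note uses keytool -genkeypair/-certreq for
    # this; a keytool CSR is PEM and feeds the same signing step below.
    openssl("genrsa", "-out", srv_key, "2048", cwd=workdir)
    openssl("req", "-new", "-sha256", "-config", "epm.cnf", "-key", srv_key,
            "-subj", "/C=GB/O=ORACLE/OU=SUPPORT/CN=" + SERVER_FQDN, "-out", srv_csr,
            cwd=workdir)
    # I.d: sign with the CA. x509 -req ignores extensions inside the CSR, so the
    # server extensions are supplied with -extfile/-extensions; one serial file per CA.
    openssl("x509", "-req", "-sha256", "-days", "825", "-in", srv_csr, "-CA", ca_crt,
            "-CAkey", ca_key, "-passin", "pass:" + CA_PASS, "-CAcreateserial",
            "-CAserial", CA_NAME + ".seq", "-extfile", "epm.cnf", "-extensions", "v3_server",
            "-out", srv_crt, cwd=workdir)
    return ca_crt, srv_crt

def check_server_cert(workdir, ca_crt, srv_crt):
    """What to verify before installing the certificate; every value should be True."""
    text = openssl("x509", "-in", srv_crt, "-noout", "-text", cwd=workdir)
    verify = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, srv_crt],
                            cwd=workdir, capture_output=True)
    return {
        "chain_ok": verify.returncode == 0,                # really signed by our CA
        "sha256": "sha256WithRSAEncryption" in text,       # not md5WithRSAEncryption
        "rsa": "rsaEncryption" in text,                    # not dsaEncryption (see I.d)
        "key_size": "(2048 bit)" in text or "(4096 bit)" in text,
        "san": ("DNS:" + SERVER_FQDN) in text,             # host name clients will check
        "not_ca": "CA:FALSE" in text,                      # a server cert must not be a CA
        "v3": "Version: 3" in text,                        # v1 certs carry no extensions
    }

def run(workdir=None):
    """Build the PKI in a scratch directory and return the check results."""
    workdir = workdir or tempfile.mkdtemp(prefix="epm-pki-")
    ca_crt, srv_crt = build_pki(workdir)
    return check_server_cert(workdir, ca_crt, srv_crt)

if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name:9s} {'OK' if ok else 'FAIL'}")
```

The same check_server_cert() can be pointed at Bachirlnx2.crt and Bachirlnx2CA.crt from the session above; with those files it reports sha256, san, not_ca and v3 as False, which is exactly the list of things to change when the certificates are regenerated.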

e) Generating Certificates from OHS and Microsoft IIS

For The Oracle HTTP Server OHS:

Start the Wallet manager:


Microsoft Windows: Start -> All Programs -> Oracle OHSxxxx -> Integrated Management Tools -> Wallet Manager
Linux/Unix: start a terminal, change directory to Oracle/Middleware/ohs/bin and run ./owm
Go to Wallet -> New and enter an alphanumeric password (e.g. planning99)

(see Fig Ie1_1)

Click on Yes in order to create a new Certificate Request

(see fig Ie1_2)

Enter the details of the certificate request bearing in mind that the common name is in fact the server name where the
OHS server resides.

(see fig Ie1_3)

(see fig Ie1_4)

Right-click on Certificate [Requested] -> Export Certificate Request. Specify a path and a file name (e.g. OHS.csr)

(see fig Ie1_5)

Sign the exported OHS certificate request with the CA using OpenSSL:

E:\key_cert_gen>openssl x509 -req -in E:\EPM\OHS.csr -CA E:\EPM\Bachirlnx2CA.crt -CAkey E:\EPM\Bachirlnx2CA.key -out E:\EPM\OHS.crt -days 3000 -CAcreateserial -CAserial bachirlnx2CA.seq

Loading 'screen' into random state - done


Signature ok
subject=/CN=Bachirlnx2/OU=SUPPORT/O=ORACLE/L=MANCHESTER/ST=LANCASHIRE/C=GB
Getting CA Private Key
Enter pass phrase for Bachirlnx2CA.key:

Now that the OHS certificate has been signed, IIS is left. Generating an IIS certificate is only necessary when setting up EPM components that use IIS, such as EPMA and HFM.

Setting IIS with SSL:

On the windows Machine, Go to Start -> Run -> inetmgr

(see Fig Ie1_6)

(see Fig Ie1_7)

(see Fig Ie1_8)

(see Fig Ie1_9)

(see Fig Ie1_10)

(see Fig Ie1_11)

(see Fig Ie1_12)

(see Fig Ie1_13)

(see Fig Ie1_14)

(see Fig Ie1_15)

For IIS 7 see end section: Configure IIS 7 for SSL.

Sign the certificate request iiscert.csr:

E:\key_cert_gen>openssl x509 -req -in E:\EPM\iiscert.csr -CA Bachirlnx2CA.crt -CAkey Bachirlnx2CA.key -out E:\EPM\iiscert.crt -days 3000 -CAcreateserial -CAserial bachirlnx2CA_RSA.seq

Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=VMBNTalley64
Getting CA Private Key
Enter pass phrase for Bachirlnx2CA.key:

This command names a different serial file, bachirlnx2CA_RSA.seq, from the bachirlnx2CA.seq used for the other certificates. One CA should use one serial file; with two, the CA can issue two certificates with the same serial number, which clients and CRL processing assume never happens.

Make a copy of the certificate iiscert.crt as iiscert.cer and import the certificate back into IIS: right-click Default Web Site -> Properties -> Directory Security -> Server Certificate

(see Fig Ie1_16)

(see Fig Ie1_17)

(see Fig Ie1_18 )

(see Fig Ie1_19)

(see Fig Ie1_20)

(see Fig Ie1_21)

(see Fig Ie1_22)

IIS now serves HTTPS. Test by launching the following URL:

(see Fig Ie1_23)

So what have we got so far?

We created a CA called Bachirlnx2CA in order to sign certificates; as a result we have its private key Bachirlnx2CA.key and its certificate Bachirlnx2CA.crt.
We created a keystore called EPMStore.jks, to be used as a central store for all certificates across the EPM system. A key pair for each server in the EPM installation was generated in it, under the aliases bachirlnx2_key and vmbntalley64_key.
A certificate request was then created for the server hosting HSS, Planning, Calc Manager and Profitability, called Bachirlnx2.csr. It was signed by the CA and we ended up with the certificate Bachirlnx2.crt.
A certificate request was also created for the server (VMBNTALLEY64) hosting EPMA, HFM and EAS, called vmbntalley64.csr. It was signed by the CA and we ended up with the certificate vmbntalley64.crt.
A certificate request was generated from the OHS Wallet Manager and signed by the CA, which resulted in OHS.crt.
A certificate request was generated from the IIS server and signed by the CA, which resulted in iiscert.crt.

f) Adding Certificates to Keystore

The next step is to get all these certificates into the same keystore EPMStore.jks, which will then be copied to each server in the EPM system. The CA certificate has to be imported first, then the other certificates, because keytool validates each imported certificate against what is already in the keystore (that is why only the first import below asks "Trust this certificate?").

Note that the steps below import the signed server certificates under new aliases (Bachirlnx2rsa, vmbntalley64rsa). That creates trustedCertEntry entries next to the PrivateKeyEntry entries made by -genkeypair; the key entries keep the self-signed certificates keytool generated with them, and that is what WebLogic presents to clients. To make WebLogic present the CA-signed certificate instead, import each signed certificate with -importcert under the alias of its key entry (bachirlnx2_key or vmbntalley64_key, with -keypass) once the CA certificate is in the keystore; keytool then replaces the self-signed certificate with the CA-signed chain. The listing at the end of this section shows the keystore state the steps as written produce.

Importing CA certificate:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -importcert -alias Bachirlnx2CA -keypass planning -file E:\EPM\Bachirlnx2CA.crt -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Owner: CN=Bachirlnx2, OU=SUPPORT CA, O=ORACLE, L=MANCHESTER, ST=LANCASHIRE, C=GB
Issuer: CN=Bachirlnx2, OU=SUPPORT CA, O=ORACLE, L=MANCHESTER, ST=LANCASHIRE, C=GB
Serial number: d40f1bd5f002b089
Valid from: Mon Dec 05 10:16:55 GMT 2011 until: Thu Dec 02 10:16:55 GMT 2021
Certificate fingerprints:
MD5: B6:8F:82:C9:3B:02:8D:55:CB:B6:44:2D:E2:06:67:5C
SHA1: 61:B4:23:AC:D5:5E:97:56:D2:1C:85:7F:B1:41:FF:5C:7A:B8:80:FF
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: yes

Certificate was successfully added to keystore

Importing certificate from Bachirlnx2

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -importcert -alias Bachirlnx2rsa -file E:\EPM\Bachirlnx2.crt -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Certificate was added to keystore

Importing certificate from VMBNTALLEY64

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -importcert -alias vmbntalley64rsa -file E:\EPM\vmbntalley64.crt -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Certificate was added to keystore

Importing certificate from OHS

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -importcert -alias OHScrt -file E:\EPM\OHS.crt -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Certificate was added to keystore

Importing the IIS certificate iiscert.cer into the keystore:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -importcert -alias iiscert -file E:\EPM\iiscert.cer -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Certificate was added to keystore

Now that all certificates have been imported into the keystore, as shown by the following command, we will use the same keystore across the EPM system:

for the WebLogic application deployment servers, and
as the JRockit keystore.

Command to list the certificates installed so far in the keystore:

F:\Oracle\Middleware\jrockit_160_20\jre\bin>keytool -list -keystore E:\EPM\EPMStore.jks -storepass jksplanning

Keystore type: JKS


Keystore provider: SUN
Your keystore contains 7 entries
bachirlnx2ca, 06-Dec-2011, trustedCertEntry,
Certificate fingerprint (MD5): B6:8F:82:C9:3B:02:8D:55:CB:B6:44:2D:E2:06:67:5C
vmbntalley64_key, 06-Dec-2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 3F:AB:49:9F:D8:06:91:83:69:17:49:06:F1:C1:56:68
ohscrt, 06-Dec-2011, trustedCertEntry,
Certificate fingerprint (MD5): 8D:3F:DF:19:D7:B5:01:A1:AF:ED:C6:0B:1F:0F:0E:FA
iiscert, 07-Dec-2011, trustedCertEntry,
Certificate fingerprint (MD5): E6:71:AC:D5:88:91:E2:12:70:A6:E1:65:9E:3C:42:AE
vmbntalley64rsa, 06-Dec-2011, trustedCertEntry,
Certificate fingerprint (MD5): 5E:BE:EF:18:87:76:91:73:38:E7:6A:A8:59:8F:79:AB
bachirlnx2rsa, 06-Dec-2011, trustedCertEntry,
Certificate fingerprint (MD5): 8C:39:A7:7E:42:BD:C3:7B:AD:6B:24:F8:93:69:BF:4C
bachirlnx2_key, 06-Dec-2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 69:1C:9D:0D:42:E0:58:44:E6:F8:95:67:50:13:EC:76

g) Setting Up the Default JRockit Keystore on Each Server

- On each server, go to Oracle\Middleware\jrockit_160_20\jre\lib\security, rename the file cacerts to cacertsold, then copy EPMStore.jks into that directory and rename it to cacerts. This makes the EPM certificates the JVM's trust store. It also removes every public root CA the JVM shipped with, so if an EPM server must reach any HTTPS endpoint with a commercially issued certificate (an LDAP or mail server, for example), import Bachirlnx2CA.crt into the existing cacerts with keytool -importcert instead of replacing the file. Note too that cacerts is normally readable by every local user, while EPMStore.jks contains the server private keys.

- On each server create the folder structure E:\EPM and copy the keystore EPMStore.jks to that folder.

THIS ENDS THE SECTION ON PREPARING KEYSTORES AND CERTIFICATES!
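The keystore that sections f) and g) build and then copy to every server can be inspected without keytool. The following is an added example, not code from this note: a small parser for the JKS version 2 format that JRockit and HotSpot share. It verifies the keystore integrity hash (what keytool -list does with the store password), lists the entries with SHA-256 rather than MD5 fingerprints, and flags PrivateKeyEntry aliases that do not carry this host's name, i.e. other servers' private keys that have been copied here. The keystore built by demo() is constructed in memory with placeholder certificate bytes and the note's aliases; against a real file, call read_jks(open(path, "rb").read(), store_pass).

```python
"""Audit a JKS keystore without keytool. Added example, not from the Oracle note;
standard library only. Implements the Sun/Oracle JKS version 2 layout (magic
0xFEEDFEED) shared by JRockit and HotSpot; demo() builds a constructed store."""
import hashlib
import struct
import time

MAGIC, VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"     # literal used by the JKS implementation

def _utf(s):                              # Java writeUTF: 2-byte length + bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _blob(b):                             # 4-byte length + bytes
    return struct.pack(">I", len(b)) + b

def _integrity(body, store_pass):
    """Store password protects integrity only: SHA-1(pass as UTF-16BE || salt || body)."""
    return hashlib.sha1(store_pass.encode("utf-16-be") + INTEGRITY_SALT + body).digest()

def build_jks(entries, store_pass):
    """Write a JKS image. entries: dicts with alias, kind ('key'/'cert'), cert (DER)
    and, for keys, protected_key (the opaque encrypted PKCS#8 blob keytool stores)."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    stamp = struct.pack(">Q", int(time.time() * 1000))
    for e in entries:
        if e["kind"] == "key":
            body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf(e["alias"]) + stamp
            body += _blob(e["protected_key"])
            body += struct.pack(">I", 1) + _utf("X.509") + _blob(e["cert"])   # chain of one
        else:
            body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(e["alias"]) + stamp
            body += _utf("X.509") + _blob(e["cert"])
    return body + _integrity(body, store_pass)

class _Reader:                            # cursor with the primitives the format uses
    def __init__(self, data):
        self.data, self.pos = data, 0
    def uint(self, fmt):                  # ">H", ">I" or ">Q", big-endian
        value, = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value
    def take(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def utf(self):
        return self.take(self.uint(">H")).decode("utf-8")
    def blob(self):
        return self.take(self.uint(">I"))

def read_jks(data, store_pass):
    """Parse a JKS image -> (integrity_ok, entries). Private keys are never
    decrypted, so auditing a store needs the store password only."""
    r = _Reader(data)
    if r.uint(">I") != MAGIC or r.uint(">I") != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(r.uint(">I")):
        tag, alias, _timestamp = r.uint(">I"), r.utf(), r.uint(">Q")
        if tag == PRIVATE_KEY_TAG:
            r.blob()                                              # protected key, skipped
            chain = [(r.utf(), r.blob()) for _ in range(r.uint(">I"))]
            cert, kind = (chain[0][1] if chain else b""), "PrivateKeyEntry"
        elif tag == TRUSTED_CERT_TAG:
            _ctype, cert, kind = r.utf(), r.blob(), "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append({"alias": alias, "kind": kind,
                        "sha256": hashlib.sha256(cert).hexdigest()})
    body, stored = data[:r.pos], r.take(20)
    return _integrity(body, store_pass) == stored, entries

def foreign_private_keys(entries, this_host):
    """Private-key aliases that are not this host's under the note's <hostname>_key
    convention (keytool lowercases aliases): keys that should not be on this machine."""
    own = this_host.lower() + "_key"
    return [e["alias"] for e in entries
            if e["kind"] == "PrivateKeyEntry" and e["alias"].lower() != own]

def demo(this_host="Bachirlnx2", store_pass="jksplanning"):
    """Constructed store shaped like the note's EPMStore.jks; DER bytes are placeholders."""
    fake = lambda n: b"\x30\x03\x02\x01" + bytes([n])
    image = build_jks([
        {"alias": "bachirlnx2ca", "kind": "cert", "cert": fake(1)},
        {"alias": "bachirlnx2_key", "kind": "key", "cert": fake(2), "protected_key": b"\0" * 32},
        {"alias": "vmbntalley64_key", "kind": "key", "cert": fake(3), "protected_key": b"\0" * 32},
        {"alias": "ohscrt", "kind": "cert", "cert": fake(4)},
    ], store_pass)
    ok, entries = read_jks(image, store_pass)
    return ok, entries, foreign_private_keys(entries, this_host)

if __name__ == "__main__":
    ok, entries, foreign = demo()
    print("integrity:", "OK" if ok else "FAILED (wrong password or tampered file)")
    for e in entries:
        print(f"{e['alias']:18s} {e['kind']:17s} SHA256 {e['sha256'][:16]}...")
    print("private keys that should not be on this host:", foreign)
```

Run on the Bachirlnx2 copy of EPMStore.jks this flags vmbntalley64_key, and on the VMBNTALLEY64 copy it flags bachirlnx2_key. A failed integrity check with the right password means the file was altered after keytool last wrote it; note that the hash is SHA-1 over the store contents and the password, which is all the protection the JKS format gives the certificate entries.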

II. Setting Up SSL To The Already Deployed Web Application

a) Hyperion Foundation Services (HSS) Web Application SSL Configuration


Go through the HSS deployment following the documentation without SSL. Once HSS has been successfully deployed without SSL and you are able to log in, stop the HSS service and start the WebLogic admin server as follows:

Windows:
Start -> Programs -> Oracle Weblogic -> User Projects -> Start Admin Server for Weblogic

On Linux:
Change Directory to Oracle/Middleware/User_Projects/domains/EPMSystem/bin and Run ./startWeblogic.sh

After the admin server has been started, launch the following url to login to the admin console http://server:7001/console
and login. In this example the weblogic admin user is epm_admin

(see Fig IIa1_1)

Go to environment -> Servers to show the list of servers deployed to this instance.

(see Fig IIa1_2)

(see Fig IIa1_3)

Click on the FoundationServices0 server to edit the HSS configuration. On the General page, enable SSL by selecting the checkbox 'SSL Listen Port Enabled'. This requires that the keystore HSS uses be specified on the Keystores tab:

(see Fig IIa1_4)

On this linux server hosting Shared Services I have copied the keystore EPMStore.jks to
/u01/OHS_WALLET/RSA_Encrypt/.

Note also that the same keystore EPMStore.jks was copied to Oracle\Middleware\jrockit_160_20\jre\lib\security and renamed to cacerts. The password to be entered here is the keystore password given to the keytool -genkeypair command; in this example it was jksplanning.
(see Fig IIa1_5)

The SSL page allows to specify the server Private key. Recall that when the user UserA used the keytool to generate the
key pair, an entry was added to the keystore (EPMStore.jks) named Bachirlnx2_key with a password keyplanning, which
is the server private key that needs to be specified here.
(see Fig IIa1_6 )

Set Hostname Verification to None to disable the hostname verifier. Be clear about what this does: WebLogic then no longer checks, on the SSL connections it opens to other servers, that the peer certificate's CN (or subjectAltName) matches the host name it connected to, so a valid certificate for any host in the trust store is accepted. That is tolerable in the test environment this note targets; if the CNs in the certificates match the host names configured for the EPM components, leave the default BEA Hostname Verifier enabled instead.


(see Fig IIa1_7 )

Save the configuration changes and restart the HSS service (on Windows) or stop and start the process (on Linux/Unix)
(see Fig IIa1_8)

Start HSS in the foreground to make sure that the SSL configuration is correct. Once the server has fully started without errors, log in to HSS using the SSL port specified in the configuration (default is 28443).

Startup entries that show that SSL has initialised successfully:

<06-Dec-2011 16:11:32 o'clock GMT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias Bachirlnx2_key from the jks keystore file /u01/OHS_WALLET/RSA_Encrypt/EPMStore.jks.>
<06-Dec-2011 16:11:33 o'clock GMT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/OHS_WALLET/RSA_Encrypt/EPMStore.jks.>
<06-Dec-2011 16:11:33 o'clock GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on fe80:0:0:0:213:72ff:fe99:174d:28080 for protocols iiop, t3,
<Channel "DefaultSecure[3]" is now listening on 0:0:0:0:0:0:0:1:28443 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<06-Dec-2011 16:11:33 o'clock GMT> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 127.0.0.1:28080 for protocols iiop, CLUSTER-BROADCAST, ldap, snmp, http.>
<06-Dec-2011 16:11:33 o'clock GMT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 127.0.0.1:28443 for protocols iiops, t3s,

(see Fig IIa1_9)


Now that HSS has been manually setup with SSL, you will need to run the configuration utility again on the same server to
reconfigure The Hyperion Foundation -> Configure Common Settings


(see Fig IIa1_10)

Select the option to use SSL for Web Application Server Communication.
(see Fig IIa1_11)

Once that's done, configure the other already deployed EPM web application servers.
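To see concretely what the hostname verification setting above gives up, here is an added example (not from this note) that uses Python's ssl module in place of WebLogic. It generates a self-signed certificate for the placeholder name epmapp01.example.internal with openssl (1.1.1 or newer, on PATH), serves it from a local TLS socket, and connects three times with the client trusting that certificate as its only CA: with the right name and the verifier on, with a wrong name and the verifier on, and with a wrong name and the hostname check switched off, which is what "None" does in WebLogic while the certificate chain is still checked. Both host names and the use of a local port are assumptions of the example.

```python
"""What 'Hostname Verification: None' gives up. Added example, not from the
Oracle note. Needs openssl 1.1.1 or newer on PATH (for -addext); otherwise
standard library only. Host names are placeholders."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

CERT_HOST = "epmapp01.example.internal"    # placeholder name put into the certificate
OTHER_HOST = "epmapp02.example.internal"   # placeholder name the certificate does NOT cover

def make_self_signed(workdir):
    """RSA-2048 / SHA-256 self-signed certificate with the host name in subjectAltName."""
    key, crt = os.path.join(workdir, "srv.key"), os.path.join(workdir, "srv.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
                    "-days", "30", "-subj", "/CN=" + CERT_HOST,
                    "-addext", "subjectAltName=DNS:" + CERT_HOST,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def serve_once(server_ctx, listener):
    """Accept one client; finish the handshake and send a greeting, or give up
    when the client rejects the certificate (it sends an alert and closes)."""
    conn, _ = listener.accept()
    try:
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello")
    except OSError:
        conn.close()

def connect(ca_file, server_hostname, port, check_hostname):
    """Client side. Returns 'ok' or the name of the verification error."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED, check_hostname on
    ctx.check_hostname = check_hostname                  # False == WebLogic 'None':
                                                         # chain still checked, name is not
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return "ok" if tls.recv(5) == b"hello" else "short read"
    except ssl.SSLCertVerificationError as exc:
        return type(exc).__name__

def run_demo():
    """Three handshakes against the same server; returns {case: outcome}."""
    key, crt = make_self_signed(tempfile.mkdtemp(prefix="epm-tls-"))
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    cases = [("right name, verifier on", CERT_HOST, True),
             ("wrong name, verifier on", OTHER_HOST, True),
             ("wrong name, verifier off", OTHER_HOST, False)]
    results = {}
    for label, name, check in cases:
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        worker = threading.Thread(target=serve_once, args=(server_ctx, listener))
        worker.start()
        results[label] = connect(crt, name, listener.getsockname()[1], check)
        worker.join()
        listener.close()
    return results

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:26s} -> {outcome}")
```

The third case is the one the WebLogic setting creates: the certificate is genuine and signed by a trusted CA, but it belongs to a different host, and with the verifier off the client accepts it anyway. Any machine that can present a certificate from the same CA, such as another EPM server whose keystore was copied around, can then impersonate any other.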

b) Hyperion Planning Web Application SSL Configuration

We will configure Hyperion Planning as an example but the process and information entered are the same for all Web
applications deployed in the same server:

Login to the Weblogic admin console and edit the Hyperion planning Server. Enable the SSL port (8343)

(see Fig IIb1_1)

Navigate to the Keystore and SSL ports and enable the following settings which are similar to those of HSS

(see Fig IIb1_2)

(see Fig IIb1_3)

(see Fig IIb1_4)

Restart Hyperion Planning web application server in foreground in order to make sure that the settings are correct:

<06-Dec-2011 17:18:49 o'clock GMT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias Bachirlnx2 from the jks keystore file /u01/OHS_WALLET/RSA_Encrypt/EPMStore.jks.>
<06-Dec-2011 17:18:49 o'clock GMT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/OHS_WALLET/RSA_Encrypt/EPMStore.jks.>
<Channel "DefaultSecure" is now listening on 10.167.110.40:8343 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>

You should be able to login directly to Hyperion planning web via the SSL port:

(see Fig IIb1_5)

Use the same procedure to enable SSL on all EPM Products deployed on the same Machine.

III. Setting SSL to EPMA, HFM And OHS

a) Setting Up EPMA with SSL

EPMA has two tiers: the Dimension Server tier on the IIS application server and the web application tier on the WebLogic application server. The Dimension Server is already on SSL, which was achieved simply by setting up IIS with SSL (see the IIS section). To test that the Dimension Server is listening on SSL, launch the following URL over https:
https://IISserver/hyperion-bpma-server/Sessions.asmx

(see Fig IIIa1_1)

To test the login, click on the link CreateSession, then log in as the admin user with its password.

Once you click on the Invoke button a new popup appears with the session ID, which means that everything works as far as the Dimension Server/Shared Services interaction is concerned. For the EPMA web tier the process is the same as the SSL configuration of the other web application servers; the only difference is that it runs on a different machine.

Login to the weblogic admin console on the EPMA machine and edit the EpmWebReports0 Server. Enable the SSL port
(19047 but in this example I have changed it to 19043)

(see Fig IIIa1_2)

Navigate to the Keystore and SSL tabs and make the necessary changes


(see Fig IIIa1_3)

Remember the server private key alias was created as vmbntalley64_key

(see Fig IIIa1_4)

Log in directly to the EPMA web tier using the SSL port and launch the Dimension Library to make sure that everything works over SSL
(https://vmbntalley64:19043/awb):

(see Fig IIIa1_5)

Do the same for the Datasync web application:

(see Fig IIIa1_6)

(see Fig IIIa1_7)

EPMA is done!

b) Setting Up HFM with SSL

(see Fig IIIb1_1)

(see Fig IIIb1_2)

(see Fig IIIb1_3)

The IIS side of HFM can be tested by launching the following URL (https://vmbntalley64/hfm). HFM works fine when
accessed via the IIS SSL port (port 443).

(see Fig IIIb1_4)
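The tests in sections IIIa and IIIb above rely on opening the https URL in a browser and looking at the page. The following added example (not code from the Oracle document) scripts the same check: it connects to an endpoint trusting only our own CA certificate, and then evaluates the presented certificate for the expected issuer, host name and validity period. The issuer CN "Bachirlnx2", the CA file path and the sample certificate dictionary are assumptions constructed for illustration; only the host names and ports come from the paper.

```python
"""Verify that an EPM SSL endpoint presents a certificate issued by our own CA.

Added example, not part of the Oracle document. It replaces the browser test
("launch the https URL") with a scripted check that trusts only the CA
certificate created earlier in the paper and then inspects the peer
certificate. Host names, the CA path and the sample certificate are
constructed assumptions.
"""
import socket
import ssl
import time


def probe_endpoint(host, port, cafile, timeout=5.0):
    """Open a TLS connection trusting only `cafile` and return the peer certificate
    as the dictionary produced by SSLSocket.getpeercert(). Raises ssl.SSLError
    when the chain does not validate against the CA or the host name mismatches."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_field(rdns, key):
    """Extract a field (e.g. 'commonName') from the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def assess_peer_cert(cert, expected_host, expected_issuer_cn, now=None):
    """Return a list of problems with a peer certificate dictionary; empty means OK.

    Checks that the issuer is our CA, that the host name appears in the subject
    CN or a DNS SAN, and that the certificate has not expired."""
    now = time.time() if now is None else now
    problems = []
    issuer_cn = _name_field(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        problems.append(f"issuer CN is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    names = {_name_field(cert.get("subject", ()), "commonName")}
    names.update(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    if expected_host not in names:
        problems.append(f"host {expected_host!r} not in certificate names "
                        f"{sorted(n for n in names if n)}")
    not_after = cert.get("notAfter")
    if not_after is None or ssl.cert_time_to_seconds(not_after) <= now:
        problems.append(f"certificate expired or has no notAfter ({not_after!r})")
    return problems


# Constructed sample in the shape getpeercert() returns, standing in for the
# certificate the EPMA/HFM host vmbntalley64 would present. The issuer CN is an
# assumption: the paper names the CA "Bachirlnx2" but does not show its DN.
SAMPLE_CERT = {
    "subject": ((("commonName", "vmbntalley64"),),),
    "issuer": ((("commonName", "Bachirlnx2"),),),
    "subjectAltName": (("DNS", "vmbntalley64"),),
    "notAfter": "Dec  6 17:18:49 2099 GMT",
}

if __name__ == "__main__":
    print(assess_peer_cert(SAMPLE_CERT, "vmbntalley64", "Bachirlnx2"))
    # Live check against the endpoints from sections IIIa/IIIb (path and
    # issuer CN are placeholders to replace with your own):
    # for host, port in (("vmbntalley64", 443), ("vmbntalley64", 19043)):
    #     cert = probe_endpoint(host, port, "/path/to/Bachirlnx2CA.crt")
    #     print(host, port, assess_peer_cert(cert, host, "Bachirlnx2"))
```

Because `create_default_context(cafile=...)` replaces the system trust store, a handshake succeeds only when the server chain really ends at our CA; a server that still presents the self-signed WebLogic demo certificate fails the probe instead of showing a browser warning that is easy to click through.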

Now that all the components have been set up with SSL, we need to configure OHS so that users can go through SSL
via OHS -> Workspace to access all available components. This type of architecture is a full SSL configuration; in a
case where only OHS needs to be configured for SSL (SSL offloading) you would only do the OHS part.

c) Setting Up OHS with SSL

The OHS certificate request was already generated via the Wallet and signed by our CA authority Bachirlnx2 to produce
OHS.crt. The next step is to import all required certificates into the wallet, starting with the CA certificate
Bachirlnx2CA.crt:

Bachirlnx2CA.crt
OHS.crt
IIS certificate IIcert.cer
Certificate from each of the servers: Bachirlnx2.crt and vmbntalley64.crt

Importing the CA certificate Bachirlnx2CA.

Start by importing the CA certificate. Right click on Trusted certificates -> Import trusted certificates

(see Fig IIIc1_1)

(see Fig IIIc1_2)

Now import the certificate generated from the Wallet request:

Import the user certificate and select the OHS certificate signed by our CA authority. A successful import will show the
status Certificate ready.

(see Fig IIIc1_3)

Save the Wallet (the password that we have setup during the initial creation is planning99)


Once it is saved, set the auto login to ON.

(see Fig IIIc1_4)

Now that the CA certificate and the OHS certificate have been imported, import the other certificates:

(see Fig IIIc1_5)

Import Certificate from server Vmbntalley64

(see Fig IIIc1_6)

Import Certificate from server Bachirlnx2

(see Fig IIIc1_7)

Once the wallet has been saved, you need to make the following changes to some of the configuration files:

Go to the following file location on the OHS server:


/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component

Edit the file ssl.conf and make the following changes:


Set Listen to the desired SSL port and set the virtual host context.

- Set the listen port:

# OHS Listen Port
Listen 20443

- Set the virtual host context:

*******************************************************************
##
## SSL Virtual Host Context
##
NameVirtualHost Bachirlnx2:20443
<VirtualHost Bachirlnx2:20443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProxyEngine On

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
SSLVerifyClient None

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off

# Path to the wallet
SSLWallet "/u01/OHS_WALLET"
SSLProxyWallet "/u01/OHS_WALLET"
***********************************************************************

Save and restart the OHS server, then test OHS over SSL by launching the following URL:

https://OHSserver:20443/

OHS loads over SSL and accepts the certificate.
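Before restarting OHS it is worth checking the edited ssl.conf mechanically rather than by eye, in particular the cipher list, which in this 2011 fragment still permits RC4, single DES, 3DES and MD5-based suites. The following added example (not code from the Oracle document or from OHS) parses the active directives of an ssl.conf virtual host block and reports the security-relevant settings together with any cipher suites matching a weak-algorithm marker list. The directive names are OHS's own as shown above; the sample configuration is a constructed copy of the fragment, and the choice of which markers count as weak is this example's.

```python
"""Audit the SSL directives in an OHS ssl.conf virtual host block.

Added example, not part of the Oracle document. It reads the active
(uncommented) directives, joins backslash-continued lines as Apache-style
configs allow, and flags cipher suites based on RC4, DES, 3DES, MD5, NULL or
EXPORT algorithms. SAMPLE_SSL_CONF is a constructed copy of the paper's
fragment; WEAK_MARKERS is this example's own classification.
"""
import re

WEAK_MARKERS = ("RC4", "_DES_", "3DES", "MD5", "NULL", "EXPORT")


def parse_directives(conf_text):
    """Return (directive, value) pairs for active lines.

    Comments, blank lines, the '****' separators and <Tag> lines are skipped;
    a trailing backslash continues the directive on the next line."""
    directives = []
    pending = ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(("#", "*", "<")):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def audit_ssl_conf(conf_text):
    """Summarise the security-relevant settings and list weak cipher suites."""
    found = dict(parse_directives(conf_text))  # last occurrence wins, as in httpd
    ciphers = [c for c in re.split(r"[,\s]+", found.get("SSLCipherSuite", "")) if c]
    weak = [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]
    return {
        "listen": found.get("Listen"),
        "ssl_engine": found.get("SSLEngine", "").lower() == "on",
        "verify_client": found.get("SSLVerifyClient"),
        "crl_check": found.get("SSLCRLCheck"),
        "wallet": found.get("SSLWallet", "").strip('"'),
        "session_cache": found.get("SSLSessionCache"),
        "ciphers": ciphers,
        "weak_ciphers": weak,
    }


# Constructed copy of the ssl.conf fragment shown in section IIIc; the cipher
# list is split with a backslash continuation to exercise the parser.
SAMPLE_SSL_CONF = """\
# OHS Listen Port
Listen 20443
*******************************************************************
##
## SSL Virtual Host Context
##
NameVirtualHost Bachirlnx2:20443
<VirtualHost Bachirlnx2:20443>
<IfModule ossl_module>
SSLEngine on
SSLProxyEngine On
SSLVerifyClient None
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,\\
    SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
SSLCRLCheck Off
SSLWallet "/u01/OHS_WALLET"
SSLProxyWallet "/u01/OHS_WALLET"
</IfModule>
</VirtualHost>
"""

if __name__ == "__main__":
    report = audit_ssl_conf(SAMPLE_SSL_CONF)
    for key, value in report.items():
        print(f"{key:14} {value}")
```

Run against the real file (`audit_ssl_conf(open(path).read())`) the report shows at a glance that SSLEngine is on, which wallet is referenced, whether CRL checking is off, and which of the permitted suites a current client would refuse; on the paper's list four of the six suites are flagged, leaving only the two AES suites.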

(see Fig IIIc1_8)


IV. OHS Webserver Configuration/Re-Configuration

Now that all components are set up for SSL, we need to configure the OHS webserver to complete the configuration. The
configuration utility has to be run on the OHS server that is to be used as the webserver:

(see Fig IV1_1)

(see Fig IV1_2)

Start OHS once the configuration is finished. On Windows you can start OHS via the Windows services. On Linux use the
following commands:
cd /home/oracle/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/bin
./opmnctl startall

Launch the Workspace URL; all configured EPM products are now available and communicating in full SSL:

(see Fig IV1_3)

V. Additional Configurations

a) HFM

One issue to be aware of with HFM is that the reverse proxy with IIS does not work, as shown below, when trying to access
an application via Workspace:

(see Fig Va1_1)

To resolve this issue, disable the SSLSessionCache in the file
/home/oracle/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/ssl.conf
Comment out the existing SSLSessionCache and SSLSessionCacheTimeout parameters and add the parameter SSLSessionCache none:

# SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}${COMPONENT_NAME}/ssl_scache(512000)"
# SSLSessionCacheTimeout 300
SSLSessionCache none

Restart OHS and this time it should work:

(see Fig Va1_2)

b) EAS

On the server where the EAS console is installed, go to the directory
Oracle\Middleware\EPMSystem11R1\products\Essbase\eas\console\bin and edit the file admincon.bat.
Add a reference to the keystore EPMStore.jks used by the web applications:

set JAVA_OPTIONS=-client -Xmx256M -DEPM_ORACLE_HOME=%EPM_ORACLE_HOME% -Djava.io.tmpdir=..\temp -Djava.util.logging.config.class=oracle.core.ojdl.logging.LoggingConfiguration %EAS_JAVA_OPTIONS% -Djavax.net.ssl.trustStore=E:\EPM\EPMStore.jks

Save. You should now be able to log in to the EAS console over https.

(see Fig Vb1_1)

(see Fig Vb1_2)

c) Configure IIS 7 (Windows 2008) for SSL

1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
2. Click on the server name.
3. From the centre menu, double-click the "Server Certificates" button in the "Security" section (it is near the bottom of the menu). (see Fig Vc1_1)


4. Next, from the "Actions" menu (on the right), click on "Create Certificate Request." This will open the Request Certificate wizard. (see Fig Vc1_2)
5. In the "Distinguished Name Properties" window, enter the information as follows:
   Common Name: The name through which the certificate will be accessed. In an EPM environment it will be the server name.
   Organisation: The legally registered name of your organisation/company
   City/Locality: The city in which your organisation is located
   State/Province: The state in which your organisation is located
   Country/Region: Two-letter country code (see Fig Vc1_3)
6. Click Next.
7. In the "Cryptographic Service Provider Properties" window, leave both settings at their default and then click Next. (see Fig Vc1_4)
8. Enter a filename for your CSR file. Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted. (see Fig Vc1_5)
9. Get the CSR file signed by the CA.
10. Import the signed certificate back into IIS:
11. Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
12. In the IIS Manager, choose your server name. In the features pane (the middle pane), double-click the Server Certificates option located under the Security heading.
13. To complete the process of requesting a new certificate, from the Actions pane, choose the Complete Certificate Request option.
14. The Complete Certificate Request window opens and asks you to provide the location at which the certificate file can be found. Provide this location and also indicate what friendly name you would like to use for the certificate (for EPM just use the server name). (see Fig Vc1_6)
15. Bind your web site to the newly installed SSL certificate:
   a. Select your web site and in the Actions menu click on 'Bindings'.
   b. If an entry for 'https' is already there, click on it and then click 'Edit...'. If there is no such entry, click on 'Add...'.
   c. Select Type: https, IP Address: All Unassigned, Port: 443 and choose your recently added certificate.
   d. Click on OK and close the Bindings window.
16. The server is now ready to be used.

NOTE: This procedure can also be used on an already configured non-SSL EPM environment. We have already explained
the different options.

SUMMARY

We have just shown, in hopefully easy steps, how you can configure EPM 11.1.2.x with full SSL.

We started by breaking down the whole myth surrounding certificates and certificate authorities by:

being our own certificate authority
generating our own certificate requests
signing them with our certificate authority

We then moved on to get our keystores ready and in the right places for the EPM environment, and once that was done
we were ready to configure EPM with SSL in easy steps.

Note: The white paper is intended to be used in a test environment only but could be used as a reference.
