Configuring OBIEE with Full End-to-End SSL
BI Oracle CEAL Team, Author: Veera Raghavendra Rao Koka (Updated on 17-July-2014) Page 1 of 36
https://blogs.oracle.com/pa
Create a Certificate Signing Request (CSR) to submit to your internal or third-party CA (Certificate Authority). This assumes the server key pair has already been generated into myIdentity.jks under the alias scl34225.
Command: keytool -certreq -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225_certreq.csr -keystore C:\Oracle\Middleware\ssl\myIdentity.jks
Note: keytool writes the CSR as a PEM (Base64) text file, which is the form a CA expects to receive.
Note: The above command generates a Certificate Signing Request (CSR) in PKCS#10 format for the key pair stored under the alias scl34225. A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore. Only the public key and subject name leave the keystore in the CSR; the private key stays in myIdentity.jks.
Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate
Here we are using our own internal Certification Authority (CA)
Save CA Root, CA Intermediate & Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl
Windows only: the root certificates of public CAs are generally already present in the trusted certificate stores shipped with the operating system and the browser. If you are using your own internal CA, you must import its root certificate into the Trusted Root Certification Authorities store so that the intermediate and server certificates validate.
CealCARoot.crt: install/import this CA root certificate into Trusted Root Certification Authorities; the certificate is then shown as valid.
CealCAInter.crt and scl34225.crt: the intermediate and signed server certificates, which validate once the root is trusted.
Now we need to import these certificates into the custom identity keystore myIdentity.jks.
Import the CA root certificate first, then the intermediate certificate, and finally the signed server certificate, in that order. Each certificate is then verified against an issuer that is already in the keystore, so keytool never has to ask you to trust an unverified certificate blindly.
Command: keytool -importcert -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Repeat the command for the intermediate certificate (with its own alias, for example CEALCAInter) and then for the signed server certificate.
Note: The intermediate and root certificates must each have a distinct alias, but the signed server certificate must be imported with the same alias that was used when the key pair was created (scl34225 here). That alias is how keytool knows to attach the certificate to the private key as a certificate reply instead of adding it as a separate trusted certificate.
The root and intermediate imports report "Certificate was added to keystore"; the final server certificate import should report "Certificate reply was installed in keystore".
Passing -storepass on the command line leaves the keystore password in the shell history and visible to other users in the process list; on a shared host omit it and let keytool prompt for it.
Files imported: CEALCARoot.pem, CEALCAInter.pem and Scl34225_chain.pem (the signed server certificate).
Now list the keystore and check if all the certificates are imported successfully.
Now that we have successfully created an identity keystore and a trust keystore, we can configure WebLogic to use them by configuring Custom Identity and Custom Trust keystores.
Import the CA root and CA intermediate certificates into the cacerts truststore of the JDK used by OBIEE, root certificate first and then the intermediate:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Note: changeit is the JDK's well-known default cacerts password; change it on production hosts. A JDK patch or upgrade replaces this cacerts file, so the import has to be repeated afterwards.
If there is an issue with the Node Manager port, either change the port or start Node Manager with domain registration enabled:
Windows: open a command window and run
set JAVA_OPTIONS=-DDomainRegistrationEnabled=true
<MW_HOME>\wlserver_10.3\server\bin\startNodeManager.cmd
Unix:
cd <MW_HOME>/wlserver_10.3/server/bin
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
./startNodeManager.sh
Configure SSL for the WebLogic Servers in the Oracle WebLogic Server Admin Console
Steps to configure Custom Identity and Custom Trust with WebLogic Server
NOTE: Under the SSL tab, Advanced link, the default hostname verifier rejects a certificate whose CN is not the hostname of the machine where WLS is installed; this is also the case with wildcard certificates. Setting Hostname Verification to None makes such a certificate work, but it also removes the check that the peer you are talking to is the host named in the URL, so any certificate for any other name issued by a trusted CA would be accepted. Prefer a certificate whose CN or SAN is the real hostname, or for wildcard certificates use WebLogic's wildcard verifier (weblogic.security.utils.SSLWLSWildcardHostnameVerifier as a Custom Hostname Verifier) rather than None.
Similarly configure the same for all other managed servers like bi_server1, etc
Changing Other URLs to Match the New Listener Address
As OBI can work only on one protocol and we disabled non-ssl port 7001, we need to change the
Embedded LDAP URLs to match the new listener address.
You must enable trust between the Java components running in WebLogic Server before you can enable SSL communication between Oracle BI EE components: some Oracle Business Intelligence Java components running in Oracle WebLogic Server invoke other web services running in the same Oracle WebLogic Server, so WebLogic must trust its own server certificate. Do this by adding the JSSE trust store and key store properties to JAVA_OPTIONS in setDomainEnv.sh (Linux) or setDomainEnv.cmd (Windows). On Windows, escape every backslash (\) in a path with a second backslash (\\).
Linux:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/Oracle/Middleware/ssl/myTrust.jks -Djavax.net.ssl.trustStorePassword=\"Oracle123\" -Djavax.net.ssl.keyStore=/Oracle/Middleware/ssl/myIdentity.jks -Djavax.net.ssl.keyStorePassword=\"Oracle123\""
export JAVA_OPTIONS
Windows:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\Oracle\\Middleware\\ssl\\myTrust.jks" -Djavax.net.ssl.trustStorePassword="Oracle123" -Djavax.net.ssl.keyStore="C:\\Oracle\\Middleware\\ssl\\myIdentity.jks" -Djavax.net.ssl.keyStorePassword="Oracle123"
Note: the standard JSSE property names are javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword, javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword; a misspelt name such as javax.net.ssl.CustomTrustStorePassphrase is silently ignored by the JVM. Because these values appear on the process command line, anyone who can list processes on the host can read the keystore passwords, so restrict OS-level access to the WebLogic host accordingly.
Restart Oracle WebLogic Server after changing these settings; until you do, attempts to log in to Oracle Business Intelligence will fail.
Oracle Business Intelligence Components can communicate only through one protocol at a time. It is
not possible to use SSL between some components, while using simple TCP/IP communications
between others.
Enabling SSL for Oracle BIEE Components Using Fusion Middleware Control
Log in to Fusion Middleware Control (em), here http://scl34225.us.oracle.com:7001/em
NOTE: The SSL options on this page only enable configuration for internal communications used by
the Oracle BI middle-tier. To set up SSL for outward facing WebLogic ports, you must use the
WebLogic Administration Console before you configure the settings on this page.
If the Use SSL for Middle-Tier Communications option is not available, then you have not
successfully enabled SSL on WebLogic. Re-check the SSL Config steps in WebLogic Server.
When selected, this checkbox enables SSL to be the method of communication between Oracle
Business Intelligence components.
CA Certificate location is the absolute path of the OBIEE Server’s CA Root Certificate.
Do not enter the individual web server certificate. Supported types are .der and .pem.
Ensure that you enter the correct extension for the certificate file. If the certificate for the web server
is signed by Intermediate CA, even then enter the root CA and not the intermediate certificate.
You will receive a confirmation message: "Confirmation Generate New Certificates - Completed Successfully".
If you do not see that message, or you see the following error:
CA certificate <your certificate path> format <PEM or CER> is not a CA certificate. It does not have the expected basic constraints for a CA.
complete the following steps:
a. Visually check that the contents of your CA certificate are correct by decoding it with the openssl binary shipped with OBIEE.
For PEM certificates:
<mwhome>/Oracle_BI1/bifoundation/server/bin/openssl x509 -in <yourcertificate>.pem -text
For DER certificates:
<mwhome>/Oracle_BI1/bifoundation/server/bin/openssl x509 -inform der -in <yourcertificate>.der -text
These read-only openssl commands do not need a configuration file, so you can safely ignore any warning starting with:
WARNING: can't open config file
b. Check that the decoded certificate is the expected root CA certificate: for a root the Subject and Issuer are identical, and the X509v3 extensions should contain a Basic Constraints entry reading CA:TRUE. CA certificates should carry a basic constraints extension, but some older CAs still do not conform to this standard.
c. Only if the contents of your CA certificate are correct, you can turn off the strict CA certificate check by adding the following system property to JAVA_OPTIONS in setDomainEnv.sh (Linux) or setDomainEnv.cmd (Windows):
-Doracle.bi.management.ssl.omitcacheck=true
Note: Do not configure this property unless you have checked the CA certificate and it is correct. The check exists to stop a non-CA certificate (for example the server's own certificate) being installed as the trust anchor for all inter-component SSL.
d. Save setDomainEnv.sh or setDomainEnv.cmd.
e. Repeat the section: Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control
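As an added example, not part of the Oracle CEAL document, the following Python script performs offline the two certificate checks this page relies on: the basicConstraints CA test behind the "is not a CA certificate" error above, and the CN-versus-hostname test behind the hostname verification note in the WebLogic SSL configuration. It uses only the standard library, so it runs on any Python 3 without extra packages; the certificates its demo inspects are constructed skeletons built by its own small DER encoder (correct layout, placeholder key, no real signature), and the host name scl34225.us.oracle.com and the CA names are taken from this document. Point inspect_pem at a real file such as CealCARoot.pem to check an actual certificate.

```python
# Added example, not from the Oracle CEAL document: a stdlib-only DER walker for the
# two certificate checks this page relies on: is a file a CA certificate (basicConstraints
# CA:TRUE, the test applied to the CA certificate location) and does a subject CN match
# the WebLogic host (the case in which hostname verification gets switched off). The
# sample certificates are constructed skeletons: correct layout, placeholder key, no signature.
import ssl

def der(tag, body):
    """One DER element; long-form length octets when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*parts):
    return der(0x30, b"".join(parts))

def oid(dotted):
    """Dotted OID to DER: the first two arcs fold into one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return der(0x06, bytes(out))

OID_CN, OID_BASIC_CONSTRAINTS = oid("2.5.4.3"), oid("2.5.29.19")
SHA256_RSA = seq(oid("1.2.840.113549.1.1.11"), der(0x05, b""))

def read_tlv(buf, off=0):
    """(tag, value, next_offset) of the element at buf[off]; handles long-form lengths."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k, off = n & 0x7F, off + (n & 0x7F)
        n = int.from_bytes(buf[off - k:off], "big")
    return tag, buf[off:off + n], off + n

def children(value):
    """(tag, value) members of a constructed element's body."""
    out, off = [], 0
    while off < len(value):
        tag, body, off = read_tlv(value, off)
        out.append((tag, body))
    return out

def common_name(name_body):
    """CN from an X.501 Name (SEQUENCE OF SET OF {type OID, value})."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, attr_oid), (_, attr_val) = children(atv)
            if der(0x06, attr_oid) == OID_CN:
                return attr_val.decode()
    return None

def inspect_cert(cert_der):
    """Subject CN, issuer CN and basicConstraints CA flag of a DER-encoded certificate."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])   # TBSCertificate members
    if fields[0][0] == 0xA0:                                    # drop optional [0] version
        fields = fields[1:]
    is_ca = False
    for tag, body in fields[6:]:                                # [3] EXPLICIT Extensions
        if tag != 0xA3:
            continue
        for _, ext in children(children(body)[0][1]):
            parts = children(ext)                               # OID, [critical], OCTET STRING
            if der(0x06, parts[0][1]) == OID_BASIC_CONSTRAINTS:
                bc = children(children(parts[-1][1])[0][1])     # BasicConstraints SEQUENCE
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return {"subject": common_name(fields[4][1]), "issuer": common_name(fields[2][1]), "is_ca": is_ca}

def inspect_pem(pem_text):
    return inspect_cert(ssl.PEM_cert_to_DER_cert(pem_text))     # e.g. open("CealCARoot.pem").read()

def cn_matches_host(cn, host):
    """Exact match, or a single-label wildcard such as *.us.oracle.com."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cn[2:]
    return cn == host

def name(cn):
    return seq(der(0x31, seq(OID_CN, der(0x0C, cn.encode()))))

def build_cert(subject, issuer, is_ca):
    """Constructed v3 certificate skeleton: real layout, placeholder key and signature."""
    bc_value = seq(der(0x01, b"\xff")) if is_ca else seq()
    ext = seq(OID_BASIC_CONSTRAINTS, der(0x01, b"\xff"), der(0x04, bc_value))  # critical
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), SHA256_RSA, name(issuer),
              seq(der(0x17, b"140717000000Z"), der(0x17, b"240717000000Z")), name(subject),
              seq(seq(oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, b"\x00")),
              der(0xA3, seq(ext)))
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00"))

if __name__ == "__main__":
    host = "scl34225.us.oracle.com"
    for label, cert in (("root", build_cert("CEAL CA Root", "CEAL CA Root", True)),
                        ("server", build_cert(host, "CEAL CA Inter", False))):
        info = inspect_cert(cert)
        print(label, info, "CN matches host:", cn_matches_host(info["subject"], host))
```

A genuine root CA reports is_ca True with subject equal to issuer; if the file you intend to enter as the CA certificate location reports False, it is not a CA certificate and omitcacheck should not be used to paper over it. A server certificate whose subject fails cn_matches_host for the WLS hostname is exactly the case in which this document switches hostname verification to None; reissuing the certificate for the correct name is the safer fix.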
If the generation succeeds: click Activate Changes, then stop all OPMN services and WebLogic Server.
After this, the ssl attribute in the Presentation Services instanceconfig.xml should read ssl="true":
C:\Oracle\Middleware\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml
Restart the WebLogic Administration Server and Managed Servers, then start the OPMN-managed Oracle Business Intelligence components.
In Fusion Middleware Control go to the SSL page and click View SSL report to verify the status of internal SSL communications. If this link is visible, SSL is enabled.
While the non-SSL listen ports are still enabled, log in to Fusion Middleware Control, the Oracle WebLogic Server Administration Console and Oracle BI EE using ports 7001 and 9704. All logins should succeed.
Then log in to the same three consoles over SSL using ports 7002 and 9804. All logins should succeed, and the browser should show a certificate chain ending in your CA root without warnings. Once the SSL logins work, disable the non-SSL listen ports so that only SSL is accepted.
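To check the SSL ports from outside the host, here is an added example that is not part of the original document: a Python script that connects to each SSL listen port with a client requiring a chain rooted in your CA and a matching hostname, which is what a browser or a remote Java client enforces. The host scl34225.us.oracle.com and the ports 7002 (Administration Server) and 9804 (bi_server1) come from this document; the CA file path is an assumption, and the peer-certificate dictionary used for the offline demonstration is constructed rather than captured from a live server.

```python
# Added example, not from the Oracle CEAL document: probe the SSL listen ports with
# full chain and hostname verification and summarise what the server presents.
# Host and ports are the document's; the CA file path is assumed; the sample
# peer-certificate dictionary at the bottom is constructed in getpeercert() layout.
import socket
import ssl
import time

def verify_context(cafile=None):
    """TLS client context that requires a trusted chain and a matching hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # internal CA root, e.g. CealCARoot.pem
    else:
        ctx.load_default_certs()
    return ctx

def summarize_peer_cert(cert, now=None):
    """Reduce ssl.SSLSocket.getpeercert() output to what an SSL report needs."""
    def rdn(part, key):
        for rdn_set in cert.get(part, ()):
            for k, v in rdn_set:
                if k == key:
                    return v
        return None
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return {
        "subject_cn": rdn("subject", "commonName"),
        "issuer_cn": rdn("issuer", "commonName"),
        "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": int((not_after - now) // 86400),
        "expired": not_after < now,
    }

def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with one port; a chain or hostname failure lands in 'error', not in a crash."""
    result = {"endpoint": f"{host}:{port}", "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verify_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0],
                              cert=summarize_peer_cert(tls.getpeercert()))
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result

def probe_all(host, cafile=None, ports=(7002, 9804)):
    """One result per SSL listen port; every 'ok' must be True for end-to-end SSL."""
    return [probe(host, port, cafile) for port in ports]

if __name__ == "__main__":
    # Constructed peer-certificate dictionary in getpeercert() layout, for the offline check
    sample = {"subject": ((("commonName", "scl34225.us.oracle.com"),),),
              "issuer": ((("commonName", "CEAL CA Inter"),),),
              "notAfter": "Jul 17 00:00:00 2024 GMT",
              "subjectAltName": (("DNS", "scl34225.us.oracle.com"),)}
    print(summarize_peer_cert(sample))
    for result in probe_all("scl34225.us.oracle.com", cafile="C:/Oracle/Middleware/ssl/CealCARoot.pem"):
        print(result)
```

A hostname mismatch or an unknown issuer shows up here as an error rather than a silent success, which is the condition the WebLogic "Hostname Verification: None" setting would hide. The days_left field is the early warning for the "Update expired SSL certificates" task later in this document.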
Click Save, In the Change Center, click Activate Changes. Restart the Oracle WebLogic Servers.
Complete these steps for WebLogic Server's embedded LDAP directory
Configuring SSL for the SMTP Server Using Fusion Middleware Control
Please follow the steps specified in the OBI Security document under “SSL Configuration in Oracle Business Intelligence” Section.
Enabling the Online Catalog Manager to Connect
The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP
web server for Oracle Business Intelligence is enabled for SSL.
You must import the CA Root, CA Intermediate and OBIEE server certificates (and the Oracle HTTP Server certificate chain, if an OHS instance fronts OBIEE) into the cacerts keystore of the JVM named by the system JAVA_HOME variable, because that is the JVM the Catalog Manager runs in.
Before completing this task, you must already have an External LDAP Directory configured, and you must have added the custom property virtualize (lower case) with the value true.
NOTE: If you are using external directories (LDAP) or a database over SSL, import the CA Root and CA Intermediate (if one exists) certificates of the respective servers into the keystores listed below.
Create a keystore for running the external LDAP connection over SSL (adapters.jks)
Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
NOTE: libovdconfig.bat fails when pointed at the 7002 SSL port, so temporarily enable the Admin Server's 7001 listen port, run the command, and disable the non-SSL port again afterwards.
Command: C:\Oracle\Middleware\oracle_common\bin\libovdconfig.bat -host scl34225.us.oracle.com -port 7001 -userName weblogic -domainPath C:\Oracle\Middleware\user_projects\domains\bifoundation_domain -createKeystore
(Type the flags with plain ASCII hyphens; the en-dashes a word processor substitutes for them break the command.)
Once this command runs, you should see two new credentials in the Credential Store and a new keystore file called adapters.jks under
MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores
Import the OID CA Intermediate Certificate (if one exists) into the libOVD keystore. In this environment there is no intermediate certificate.
Import the OID Server Certificate into the libOVD keystore:
keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OBIEE Server CA Root certificate into the libOVD keystore:
keytool -import -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OID CA Root and OID Server Certificate into the Java keystores below. The OBIEE JDK cacerts is required; the other two are only needed if SSL handshake failures persist.
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Only if you still see SSL handshake failures, also import the OID CA certificate into the WebLogic server truststore:
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
and into the custom trust keystore that WebLogic was configured to use:
C:\Oracle\Middleware\ssl\myTrust.jks
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
NOTE: The Admin Server JVM is started with -Djavax.net.ssl.trustStore pointing at myTrust.jks, so for code that uses the default JSSE trust manager that keystore, not the JDK cacerts, decides whether the OID server certificate is trusted. If the OID certificate is missing from the trust keystore, the Admin Server log shows an SSL handshake failure, so import it there too.
Summary of what adapters.jks must contain: the CA root certificate of the LDAP server, the CA intermediate certificate of the LDAP server (if any), the LDAP server certificate, the CA root certificate of the OBIEE server and the CA intermediate certificate of the OBIEE server.
Now reorder the external LDAP authenticator to the top of the providers list.
Restart the Admin Server.
The alternative method below enables you to choose several advanced configuration options, including the passphrase that protects the various certificate stores.
Oracle recommends against this approach and advises following the section "Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console" instead.
Manually Configuring SSL Communication between Components Using System MBean Browser
Tasks:
Lock the configuration: use the BIDomain MBean to lock the domain configuration before making changes.
Generate the SSL certificate: use the BIDomain.BIInstance.SecurityConfiguration MBean to generate the SSL certificate.
Commit the SSL configuration changes: use the BIDomain MBean to commit the SSL configuration changes.
Verify SSL certificates in the credential store: verify that the SSL certificates are saved in the credential store.
Enable the SSL configuration and restart Oracle Business Intelligence components: use the BIDomain.BIInstance.SecurityConfiguration MBean to enable the SSL configuration between components, and then restart the components so the changes take effect.
Confirm that SSL communication is enabled between components: run the SSL report to confirm status.
Configure SSL communication for the mail server: configure SSL communication for the mail server.
Update expired SSL certificates: update expired SSL certificates and replace them with new ones.
Locate and expand the BIDomain node to display two BIDomain MBeans
Select the BIDomain MBean having the full name oracle.biee.admin:type=BIDomain, group=Service
from the MBean navigation tree.
Click Invoke.
A confirmation displays to indicate that the configuration is locked. The next step is to generate the
SSL certificates.
Select the Attributes tab, and then locate the SSLCertificatesGenerated attribute.
A value of false indicates that SSL certificates have not been generated.
If certificates have been previously generated, you can continue and replace them with new certificates.
NOTE: Because SSL for the BI components has already been enabled here using the WebLogic Admin Console, Fusion Middleware Control and manual file edits (the Oracle-recommended method), SSLCertificatesGenerated already shows true.
Had no certificate generation been done through those routes, the value would be false.
The rest of this section proceeds on the assumption that SSL is being enabled from the System MBean Browser.
passphrase: The SSL passphrase that protects the certificates and, most importantly, the private key. Remember this passphrase.
webServerCACertificatePath: The path of the Certificate Authority (CA) root certificate for the CA that signed the web server's certificate. Do not enter the individual web server certificate or the CA intermediate certificate.
certificateEncoding: Supported types are der and pem.
Click Invoke.
A confirmation displays if the operation executed successfully. If successful, the input CA certificate
has been validated and the certificate generation request is queued.
The next step is to commit the changes, which completes certificate creation and
distribution throughout the domain.
To commit the SSL configuration and release the lock: Use the BIDomain MBean.
The next step is to verify the SSL credentials are in the credential store.
Verifying the SSL Credentials in the Credential Store
Open oracle.bi.enterprise credential map and verify the SSL credentials have been saved to the
credential store. If successful, the following SSL credentials display in the oracle.bi.enterprise
credential map:
ssl.java.private.key
ssl.java.public.certificate
config.version
Generated certificate files: Cacert.pem, combinedcacert.pem, Server-cert.pem, webservercacert.pem
The next step is to enable the SSL configuration changes.
Enabling the SSL Configuration
In the System MBean Browser, lock the configuration again with the BIDomain MBean, then select the BIDomain.BIInstance.SecurityConfiguration MBean.
Select the Attributes tab, set the SSLEnabled attribute to true in the Value list, then click Apply. The SSL listen port must be enabled on the Administration Server and on the Managed Servers.
SSL communication is now enabled between the components. You must restart the Oracle Business Intelligence components for the changes to take effect.
Restart the WebLogic Admin and Managed Servers and the BI components.
Select the Operations tab, and then select the runSSLReport operation.
To run the report, click Invoke.
The report indicating the status of SSL communication between components displays.
If the SSL ping fails, check the following:
Verify the target component is running.
Verify that the component has been restarted since SSL was enabled. SSL configuration changes
require a restart to take effect.
Verify that the SSLEnabled attribute for the BIDomain.BIInstanceSecurityConfiguration MBean is
set to true. When changing SSL properties, both apply and commit steps must be performed.
A manually configured SSL environment can co-exist with a default SSL configuration.