Configuring SSL in OBIEE 11g
By Krishna Marur
This white paper covers configuring SSL for OBIEE 11g in a scenario where the SSL certificate is not in the format that WebLogic Server (WLS) readily accepts, a Java KeyStore (JKS) file.
First, a certificate request (.csr) should have been generated on the server where SSL will be configured and a signed certificate obtained from a Certificate Authority (CA). Assume that the IIS web server was used to generate the certificate request. The signed certificate from the CA will have to be installed on IIS, since the request originated from IIS and that is where the private key for the certificate is stored. Once the signed certificate is installed you can export it along with the private key.
Ensure that the certificate request and the signed certificate are available in a folder on the server - say C:\SSL. Complete installing the certificate on IIS if not already done.
In order to set up a secure connection in OBIEE, the certificate has to be provided to the WebLogic server in JKS keystore format.
Prior to setting up SSL for OBIEE, WebLogic must be enabled for SSL and the certificates must be prepared for this.
Export Certificate from IIS
1. Open the Internet Information Services administration console located in Control Panel -> Administrative Tools.
3. The server certificate with the DNS (alias) name is displayed.
4. Right-click the certificate and select View. Go to the Details tab.
5.
6. Click on Copy to File.
Import Certificate to a java keystore (JKS)
Open a command prompt on the server and change to the directory C:\SSL, or the location where you saved the exported certificate.
Type the following command to add the imported PFX file to a new java keystore file.
Note: We use the keytool command which is located in the OBIEE installation directory under the Oracle_BI1 folder. Change the path depending on where you have OBIEE installed.
C:\SSL> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -importkeystore -destkeystore WLSOBIEECert.jks -deststoretype JKS -srckeystore OBIEECert.pfx -srcstoretype pkcs12
You will be prompted for the destination and source passwords. The source password is the password provided during the certificate export. The source and destination passwords can be the same. The Java KeyStore is now created and you will see the message “1 entries successfully imported”.
Leave the command prompt open and take a note/copy the alias displayed next to “Entry for alias … successfully imported”.
The default alias given during the import is not user friendly and will have to be changed so it can be remembered for later.
To change the alias:
Type the following keytool command in the command prompt.
C:\SSL>OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -keystore WLSOBIEECert.jks -storepass mypassword -changealias -alias le105613ddd41049008c6d103a12feb7c3 -keypass mypassword -destalias MyAliasName
List contents of the keystore:
To ensure your entire certificate chain was imported into the keystore, you can list the contents of the keystore using the following command:
>OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -list -v -keystore WLSOBIEECert.jks
You will be prompted for the keystore password. Enter the password you provided when creating the keystore (mypassword).
The output should match the screen shot below. Look for the Certificate chain length line; it should match your original certificate chain length.
Import certificate into cacerts.jks
The WebLogic server looks for trusted certificates in the file cacerts.jks in the OBIEE install directory, located at OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts.jks.
In order for WebLogic to recognize the certificate as a trusted certificate, you have to import the signed certificate, secondary intermediate and primary intermediate into cacerts.jks. Combine these into a single file in the order stated and then import into cacerts.jks. Depending on the CA you may or may not have intermediate certificates.
Open the certificate in IIS. The Certification Path tab shows the root, primary intermediate and secondary intermediate certificates.
In the email that you received from the CA with the signed certificate, you will see that the text of the certificate is embedded in the email in addition to the attachment.
Copy the text from the email, starting from -----BEGIN CERTIFICATE----- up to -----END CERTIFICATE----- (including the five dashes), and paste it into Notepad.
(Screenshot: Certification Path showing CA Root Certificate, CA Primary Intermediate Certificate and CA Secondary Intermediate Certificate.)
The email that you receive from your CA with the signed certificate will also contain links to the Root and Intermediate certificates. An example screen shot is given below.
The link will display Primary and Secondary intermediate certificates.
Copy the text of the Secondary SSL Intermediate CA Certificate and paste it under the server certificate in Notepad. Press Enter after -----END CERTIFICATE-----. Make sure there are no spaces after the five hyphens.
Save the Notepad file as OBICACERTS.pem in the folder C:\SSL, or wherever you have been saving the certificates in the previous steps on the server.
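An added Python check, not part of the white paper, for the two verification points above: it splits the saved OBICACERTS.pem into its certificates and rejects a marker line with stray characters after the five hyphens, and it pulls the Certificate chain length out of keytool -list -v output so it can be compared with the original chain. The certificate bodies and the keytool listing below are constructed placeholders, not real certificates or real tool output.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def parse_pem_bundle(text):
    """Return the DER bytes of each certificate in a concatenated PEM file.
    Raises ValueError for what makes keytool refuse the file: a marker line with
    extra characters (a space after the five hyphens), an unmatched END, or a
    body that is not valid base64."""
    certs, body, inside = [], [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-----") and line not in (BEGIN, END):
            raise ValueError(f"line {lineno}: bad marker line {line!r}")
        if line == BEGIN:
            inside, body = True, []
        elif line == END:
            if not inside:
                raise ValueError(f"line {lineno}: END without BEGIN")
            try:  # binascii.Error is a subclass of ValueError
                certs.append(base64.b64decode("".join(body), validate=True))
            except ValueError as exc:
                raise ValueError(f"line {lineno}: body is not base64") from exc
            inside = False
        elif inside and line.strip():
            body.append(line.strip())
    if inside:
        raise ValueError("file ends inside a certificate block")
    return certs

def rejects(text):
    """True when parse_pem_bundle refuses the bundle."""
    try:
        parse_pem_bundle(text)
        return False
    except ValueError:
        return True

def keytool_chain_length(listing):
    """Extract 'Certificate chain length: N' from keytool -list -v output."""
    m = re.search(r"Certificate chain length:\s*(\d+)", listing)
    return int(m.group(1)) if m else None

def pem_block(payload):
    """Wrap constructed placeholder bytes in PEM markers (not a real certificate)."""
    return f"{BEGIN}\n{base64.b64encode(payload).decode()}\n{END}\n"

# Constructed sample in the page's order: server certificate, secondary, then primary intermediate.
GOOD_BUNDLE = pem_block(b"server") + pem_block(b"secondary") + pem_block(b"primary")
BAD_BUNDLE = GOOD_BUNDLE.replace(END + "\n", END + " \n", 1)  # stray space after the hyphens
KEYTOOL_LISTING = "Alias name: myaliasname\nCertificate chain length: 3\n"  # constructed fragment
```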
Import the file to cacerts.jks using the below command. This command also uses keytool located in the OBIEE installation directory.
C:\SSL> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyAliasName -file OBICACERTS.pem
You may be prompted asking whether you trust the certificate. Type yes at the prompt.
Set up SSL in WebLogic Console
Log in to the WebLogic Console as the Admin user that was set up during installation. Under Environment click on Servers, then click on bi_server1.
Note: Before making any changes, take a backup of the entire config folder under OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain.
Select Custom Identity and Java Standard Trust. Click Save.
Back in the Keystores tab, enter the following information:
Custom Identity Keystore: C:\SSL\WLSOBIEECert.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: mypassword
Confirm Custom Identity Keystore Passphrase: mypassword
Leave the Trust section with the prepopulated values. You already added the CA certificates to cacerts.jks, so the custom identity keystore can be recognized as trusted.
Repeat the above steps for the Admin Server, starting again from the Environment > Servers page.
Click Activate Changes and restart the services from the Start menu on the server.
Manually configure WebLogic
Open the file OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd for editing and add the following line:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\SSL\\WLSOBIEECert.jks" -Djavax.net.ssl.keyStore="C:\\SSL\\WLSOBIEECert.jks" -Djavax.net.ssl.keyStorePassword="mypassword"
Note: You must escape any backslash (\) character in a path by using an additional backslash (\) character.
Restart all services.
Enable SSL for OBIEE Components
To enable SSL for OBIEE components, go to WebLogic Enterprise Manager (Fusion Middleware Control) http://enteryourOBIEEwebserverurl:7001/em
Log in as the Administrative user set up during installation.
From the navigation pane expand the Business Intelligence folder and select coreapplication.
Go to the Security Tab.
Click on Lock and Edit Configuration.
Note from the Oracle documentation: If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. When selected, this checkbox enables SSL to be the method of communication between Oracle Business Intelligence components.
In the WebLogic CA Certificate location field, give the path C:\SSL\OBIRootCert.cer or the location where you saved the root certificate.
Click Apply.
You will receive a confirmation message: "Confirmation Generate New Certificates - Completed Successfully"
Close this dialog. Click Activate Changes. Restart all services.
Back in Fusion Middleware Control, go to the SSL page and click View SSL report to verify the status of internal SSL communications. If you can see this link, SSL is enabled.
Log in to the following as the Administrative user:
o Fusion Middleware Control, Oracle WebLogic Server Administration Console and Oracle BI EE using ports 7001 and 9704.
o Fusion Middleware Control, Oracle WebLogic Server Administration Console and Oracle BI EE using ports 7002 and 9804.
o All logins should be successful.
Also add the CA root certificate to WebLogic as a trusted certificate. Use an alias that is not already present in cacerts (MyAliasName was used for the certificate chain above); MyRootAlias below is a placeholder.
> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyRootAlias -file OBIRootCert.cer