
Configuring Oracle BI Cluster Controller in Near-Maximum Security Scenario


On the machine where the Oracle BI Cluster Controller has been installed, modify the NQClusterConfig.INI file as described in the following procedure.

To configure the cluster controller for near-maximum security in NQClusterConfig.INI

  1. Open the NQClusterConfig.INI file for editing. Locate the following lines:

    #SSL=NO;
    #SSL_CERTIFICATE_FILE="servercert.pem";
    #SSL_PRIVATE_KEY_FILE="serverkey.pem";
    #SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
    #SSL_PK_PASSPHRASE_PROGRAM="sitepwd.exe";
    #SSL_VERIFY_PEER=NO;
    #SSL_CA_CERTIFICATE_DIR="CACertDIR";
    #SSL_CA_CERTIFICATE_FILE="CACertFile";
    #SSL_TRUSTED_PEER_DNS="";
    #SSL_CERT_VERIFICATION_DEPTH=9;
    #SSL_CIPHER_LIST="";

  2. Uncomment these lines and change the settings as follows:

    SSL=YES;
    SSL_CERTIFICATE_FILE="<Server Certificate Filename>";
    SSL_PRIVATE_KEY_FILE="<Server Private Key Filename>";

  3. Set one of the following lines, depending on whether you are using a passphrase file or a passphrase program:
    • If you are using a passphrase file, uncomment and set the line:

    SSL_PK_PASSPHRASE_FILE="<passphrase file>";

    • If you are using a passphrase program, uncomment and set the line:

    SSL_PK_PASSPHRASE_PROGRAM="<passphrase-producing program>";

  4. Uncomment and set the following line:

    SSL_VERIFY_PEER=YES;

    When this parameter is set to YES, Oracle BI Server clients must provide valid certificates that will be verified by a trusted CA.

  5. Set one of the following lines, depending on whether you are using the Certification Authority (CA) certificate file or the hashed version of the CA certificate:
    • If you are using the CA certificate file, uncomment and set the line:

    SSL_CA_CERTIFICATE_FILE="<Certificate Authority Certificate filename>";

    • If you are using the hashed version of the CA certificate, uncomment and set the line:

    SSL_CA_CERTIFICATE_DIR="OracleBI_HOME\ssl";

    The directory specified must contain the hash version of the CA certificate.

  6. Uncomment and set the following line:

    SSL_TRUSTED_PEER_DNS="";

    Despite the parameter name, DNS here stands for Distinguished Names (DNs), not the Domain Name System. The DNs identify the clients allowed to connect. The entry can be empty, multiple, or part of one Distinguished Name.

  7. Uncomment and set the following line:

    SSL_CERT_VERIFICATION_DEPTH=<value>;

  8. Uncomment and set the following line:

    SSL_CIPHER_LIST="";

    After modification, the SSL portion of the NQClusterConfig.INI file should be similar to:

    SSL=YES;
    SSL_CERTIFICATE_FILE="server-cert.pem";
    SSL_PRIVATE_KEY_FILE="server-key.pem";
    #SSL_PK_PASSPHRASE_FILE="serverpwd."

    # Line above commented out since passphrase program is used
    SSL_PK_PASSPHRASE_PROGRAM="passphrase.exe";
    SSL_VERIFY_PEER=YES;
    #SSL_CA_CERTIFICATE_DIR="CACertDIR";

    # Line above commented out since certificate file is used
    SSL_CA_CERTIFICATE_FILE="cacert.pem";
    SSL_TRUSTED_PEER_DNS="C=US/ST=CA/L=Redwood Shores/O=Oracle/OU=BI/CN=clientcertificate";
    SSL_CERT_VERIFICATION_DEPTH=1;
    SSL_CIPHER_LIST=" EXP-DES-56-SHA";

  9. Copy the server certificate, private key, and passphrase file or program.

    For example, copy the server-cert.pem, server-key.pem and serverpwd.txt files to OracleBI_HOME\server\Config or to OracleBI_HOME/server/Config.

  10. If you have specified the CA Certificate File parameter, also copy the CA certificate file to this same location, and copy the hash version of the CA certificate to the directory specified.
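
The following Python check is an added example, not part of Oracle's guide or tooling. It reads the SSL section of NQClusterConfig.INI and reports settings that deviate from steps 2 through 8. The function names, the "exactly one of" reading of steps 3 and 5, and the OpenSSL-style weak-cipher patterns are assumptions of this example.

```python
import re

# One NAME=value; pair: the value is a quoted string or a bare word (YES, 9).
PAIR = re.compile(r'\b(SSL\w*)\s*=\s*(?:"([^"]*)"|([^;\s]*))\s*;?')
# Assumption: OpenSSL-style cipher names, where an EXP prefix is export grade.
WEAK = re.compile(r'(?:^|-)(?:EXP\w*|NULL|RC4|MD5)(?:-|$)', re.I)

def parse_ssl_settings(text):
    """Return {NAME: value} for the active (uncommented) SSL settings."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out template line
        for name, quoted, bare in PAIR.findall(line):  # pairs may share a line
            found[name] = (quoted or bare).strip()
    return found

def audit(text):
    """List deviations from the near-maximum security procedure."""
    s, out = parse_ssl_settings(text), []
    for key in ("SSL", "SSL_VERIFY_PEER"):
        if s.get(key, "").upper() != "YES":
            out.append(f"{key} must be YES")
    for key in ("SSL_CERTIFICATE_FILE", "SSL_PRIVATE_KEY_FILE"):
        if not s.get(key):
            out.append(f"{key} is not set")
    for a, b in (("SSL_PK_PASSPHRASE_FILE", "SSL_PK_PASSPHRASE_PROGRAM"),
                 ("SSL_CA_CERTIFICATE_FILE", "SSL_CA_CERTIFICATE_DIR")):
        if bool(s.get(a)) == bool(s.get(b)):  # neither set, or both set
            out.append(f"set exactly one of {a} / {b}")
    if not s.get("SSL_TRUSTED_PEER_DNS"):
        out.append("SSL_TRUSTED_PEER_DNS lists no client Distinguished Name")
    for cipher in re.split(r"[:,\s]+", s.get("SSL_CIPHER_LIST", "")):
        if WEAK.search(cipher):
            out.append(f"weak cipher in SSL_CIPHER_LIST: {cipher}")
    return out

# Constructed input modelled on this page's finished SSL section.
SAMPLE = '''SSL=YES;
SSL_CERTIFICATE_FILE="server-cert.pem";
SSL_PRIVATE_KEY_FILE="server-key.pem";
SSL_PK_PASSPHRASE_PROGRAM="passphrase.exe";
SSL_VERIFY_PEER=YES;
SSL_CA_CERTIFICATE_FILE="cacert.pem";
SSL_TRUSTED_PEER_DNS="CN=clientcertificate"; SSL_CERT_VERIFICATION_DEPTH=1;
SSL_CIPHER_LIST=" EXP-DES-56-SHA";
'''
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run on the constructed sample, the only finding is the EXP-DES-56-SHA entry in SSL_CIPHER_LIST; every other setting matches the procedure.
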
Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.