
Configuring Oracle BI Presentation Services for Communication Over SSL


The process of configuring Oracle BI Presentation Services to communicate over SSL consists of modifying parameters in the instanceconfig.xml configuration file. BI Presentation Services accesses certificates and key files from its credential store. The paths to certificates and keys that BI Presentation Services uses must be stored in its credential store.

Specifying Certificate and Key Paths in BI Presentation Services Credential Store

Add locations of all certificates and keys that BI Presentation Services will access into its credential store. The procedure described below adds certificates and keys to the default credential store XML file called credentialstore.xml for BI Presentation Services. You may choose to define the BI Presentation Services Credential Store as a Java keystore or a custom store. For more information on the BI Presentation Services Credential Store and the supported storage systems, refer to Oracle BI Presentation Services Credential Store.

Use this procedure to specify the server certificate, private key and CA certificate paths in the credential store called credentialstore.xml. The default location of the credentialstore.xml file is:

  • For Windows, OracleBIData_HOME\web\config
  • For Linux or UNIX, OracleBIData_HOME/web/config

To specify certificate and key paths in BI Presentation Services Credential Store

  1. Open the credentialstore.xml file for editing.
  2. Add lines similar to the following to specify the paths to the server certificate and private key files:

    <sawcs:credential type="x509" alias="sawclient">
       <sawcs:key
          encoding="pem"
          passphraseFile="OracleBI_HOME\ssl\serverpwd.txt"
          path="OracleBI_HOME\ssl\server-key.pem"/>
       <sawcs:certificate encoding="pem" path="OracleBI_HOME\ssl\server-cert.pem"/>
    </sawcs:credential>

    NOTE:  In the above example, the certificate and key paths are stored under the alias "sawclient". You may specify any alias value.

  3. Specify the CA certificate file or the directory of trusted CAs.
  4. If using the CA certificate file, add lines similar to the following example:

    <sawcs:trustedCertificate alias="cacert" encoding="pem" path="OracleBI_HOME\ssl\cacert.pem"/>

    where the path to the trusted CA certificate file is stored under the alias "cacert".

  5. If using the hash version of the CA certificate, specify the path to the trusted CA directory by adding lines similar to:

    <sawcs:trustedCertificateDir path="OracleBI_HOME\ssl\CA"/>

    where the trusted CAs are in a directory called CA under OracleBI_HOME\ssl.

  6. Copy the server certificate, private key, passphrase file and CA certificate or hash version of the file to the locations that you have specified in the XML file.
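
Once the files are copied, the paths in the credential store can be checked against the file system. The following Python script is an added example, not part of the Oracle guide: it reports referenced files that are missing and private key or passphrase files that are accessible to group or other users. The function name, the sample wrapper element and the namespace URI are assumptions, and the permission test applies to Linux or UNIX file modes only.

```python
import os
import stat
import xml.etree.ElementTree as ET

# (element, attribute) pairs that reference secret files (private key, passphrase).
SECRET = {("key", "path"), ("key", "passphraseFile")}
# (element, attribute) pairs that reference public material (certificates, CA dir).
PUBLIC = {("certificate", "path"), ("trustedCertificate", "path"),
          ("trustedCertificateDir", "path")}

def audit_credential_store(xml_text, home_dirs):
    """Return sorted (problem, path) pairs for the files the store references.

    home_dirs maps a placeholder such as 'OracleBI_HOME' to the real directory.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        for attr, value in elem.attrib.items():
            if (name, attr) not in SECRET | PUBLIC:
                continue
            for placeholder, real in home_dirs.items():
                value = value.replace(placeholder, real)
            path = value.replace("\\", os.sep)
            if not os.path.exists(path):
                findings.append(("missing", path))
            elif (name, attr) in SECRET and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append(("secret accessible to group/other", path))
    return sorted(findings)

# Constructed sample: the elements from the procedure; the wrapper element and
# namespace URI are placeholders, not taken from a real credentialstore.xml.
SAMPLE_STORE = r"""<sawcs:store xmlns:sawcs="urn:example:placeholder">
  <sawcs:credential type="x509" alias="sawclient">
    <sawcs:key encoding="pem" passphraseFile="OracleBI_HOME\ssl\serverpwd.txt"
               path="OracleBI_HOME\ssl\server-key.pem"/>
    <sawcs:certificate encoding="pem" path="OracleBI_HOME\ssl\server-cert.pem"/>
  </sawcs:credential>
  <sawcs:trustedCertificate alias="cacert" encoding="pem"
                            path="OracleBI_HOME\ssl\cacert.pem"/>
</sawcs:store>"""
```

Call audit_credential_store with the contents of credentialstore.xml and a mapping such as {"OracleBI_HOME": "/opt/OracleBI"} (a constructed path); an empty list means every referenced file exists and the key and passphrase files are restricted to their owner.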

Configuring BI Presentation Services for SSL Communication

The instanceconfig.xml file is located in the OracleBIData_HOME\web\config directory. On Linux or UNIX, it is located in the OracleBIData_HOME/web/config directory.

To configure Oracle BI Presentation Services for communication over SSL

  1. Open the instanceconfig.xml file for editing.
  2. Modify the existing <ScheduleServer> node:

    <Alerts>
    <ScheduleServer ssl="true" credentialAlias="sawclient" certificateVerificationDepth="1" verifyPeers="true"><BI Scheduler Host></ScheduleServer>
    </Alerts>

  3. Add the following elements inside the <ServerInstance></ServerInstance> node:

    <Listener ssl="true" credentialAlias="sawclient" certificateVerificationDepth="1" verifyPeers="true">
    </Listener>
    <JavaHostProxy>
       <Hosts>
          <Host address="<BI Javahost Host>" port="9810" ssl="true" credentialAlias="sawclient" certificateVerificationDepth="1" verifyPeers="true"/>
       </Hosts>
    </JavaHostProxy>

  4. Specify the credential store that stores the paths to the server certificate, private key, and CA.

    <CredentialStore>
       <CredentialStorage type="file" path="OracleBIData_HOME\web\config\credentialstore.xml"/>
    </CredentialStore>

    In the preceding example configuration, BI Presentation Services is directed to obtain the certificate and key using the alias "sawclient". You must specify the alias under which the certificates and keys were stored in the credential store. In the example, the keystore that contains the certificate, private key, and CA is the XML file store called credentialstore.xml.
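
Because each SSL-enabled element refers to the credential store only by alias, a mistyped alias or a peer-verification setting that differs from the procedure is easy to miss. The following Python check is an added example, not part of the Oracle guide: it cross-references the credentialAlias values in instanceconfig.xml with the aliases defined in the credential store and reports elements whose ssl or verifyPeers attribute is not "true". The function names, host names, the WebConfig root and the credential store wrapper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SSL_ELEMENTS = ("ScheduleServer", "Listener", "Host")

def store_aliases(store_xml):
    """Aliases defined on <credential> elements in the credential store."""
    return {e.get("alias") for e in ET.fromstring(store_xml).iter()
            if e.tag.rsplit("}", 1)[-1] == "credential" and e.get("alias")}

def check_ssl_endpoints(instance_xml, store_xml):
    """Return sorted (element, problem) pairs for the SSL settings in instanceconfig.xml."""
    aliases = store_aliases(store_xml)
    problems = []
    for e in ET.fromstring(instance_xml).iter():
        name = e.tag.rsplit("}", 1)[-1]  # ignore any namespace prefix
        if name not in SSL_ELEMENTS:
            continue
        if e.get("ssl") != "true":
            problems.append((name, 'ssl is not "true"'))
            continue
        if e.get("verifyPeers") != "true":
            problems.append((name, 'verifyPeers is not "true"'))
        alias = e.get("credentialAlias")
        if alias not in aliases:
            problems.append((name, f"credentialAlias {alias!r} is not in the credential store"))
    return sorted(problems)

# Constructed samples: host names, root and wrapper elements are placeholders.
SAMPLE_STORE_XML = """<s:store xmlns:s="urn:example:placeholder">
  <s:credential type="x509" alias="sawclient"/>
</s:store>"""

SAMPLE_INSTANCE_XML = """<WebConfig><ServerInstance>
  <Alerts>
    <ScheduleServer ssl="true" credentialAlias="sawclient"
       certificateVerificationDepth="1" verifyPeers="true">bi-sched.example.com</ScheduleServer>
  </Alerts>
  <Listener ssl="true" credentialAlias="sawclient"
     certificateVerificationDepth="1" verifyPeers="false"/>
  <JavaHostProxy><Hosts>
    <Host address="bi-javahost.example.com" port="9810" ssl="true"
       credentialAlias="sawcleint" certificateVerificationDepth="1" verifyPeers="true"/>
  </Hosts></JavaHostProxy>
</ServerInstance></WebConfig>"""
```

On the constructed sample the check reports the Listener, whose verifyPeers is "false", and the Host, whose alias is misspelled.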

Online Catalog Manager

The online Catalog Manager may fail to connect to BI Presentation Services when the HTTP web server for Oracle BI is enabled for SSL. You must import the SSL server certificate or CA certificate from the web server into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.

To import the exported web server certificate to Java's default truststore:

  1. Navigate to Java's default trust store located at JAVA_HOME/jre/lib/security. The default trust store is called cacerts.
  2. Copy the certificate exported from the web server to the same location as Java's default truststore.
  3. Execute the command to import the certificate to the default truststore:

    keytool -import -trustcacerts -alias bicert -file $WebServerCertFilename -keystore cacerts -storetype JKS

    where the web server certificate file $WebServerCertFilename is imported into Java's default trust store named cacerts under an alias of bicert.

    NOTE:  The default password for the Java trust store is "changeit".

  4. Restart the Java process.
Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.