Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)

Part Number E10543-08

5 SSL Configuration in Oracle Business Intelligence

This chapter describes how to configure Oracle Business Intelligence components to communicate over the Secure Socket Layer (SSL).

Note:

For a detailed list of security setup steps, see Section 1.7, "Detailed List of Steps for Setting Up Security in Oracle Business Intelligence".

The SSL Everywhere feature of Oracle Business Intelligence enables secure communications between the components. You can configure SSL communication between the Oracle Business Intelligence components and between Oracle WebLogic Server for secure HTTP communication across your deployment. This section does not cover configuring secure communications to external services, such as databases and web servers. For information about how to configure SSL for Oracle WebLogic Server, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.


5.1 Common SSL Configuration Tasks for Oracle Business Intelligence

Table 5-1 contains common SSL configuration tasks and provides links for obtaining more information.

Table 5-1 Task Map: Configuring SSL Communication for Oracle Business Intelligence

| Task | Description | Information |
|---|---|---|
| Understand SSL communication in Oracle Business Intelligence. | Understand how SSL communication between components and the application server works. | Section 5.2, "What is SSL?" |
| Configure SSL communication between the Oracle WebLogic Server Managed servers. | The web server must be configured to use HTTPS before enabling SSL communication for Oracle Business Intelligence. | Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports"; "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide |
| Configure SSL communication between components. | Configure SSL communication between Oracle Business Intelligence components. | Section 5.3, "Configuring SSL Communication Between Components" |


5.2 What is SSL?

SSL is a cryptographic protocol that enables secure communication between applications across a network. Enabling SSL communication provides several benefits, including message encryption, data integrity, and authentication. An encrypted message ensures confidentiality in that only authorized users have access to it. Data integrity ensures that a message is received intact without any tampering. Authentication guarantees that the person sending the message is who he or she claims to be.

For more information about SSL concepts and public key cryptography, see "How SSL Works" in Oracle Fusion Middleware Administrator's Guide.

5.2.1 Using SSL in Oracle Business Intelligence

Oracle Business Intelligence components communicate with each other using TCP/IP by default. Configuring SSL between the Oracle Business Intelligence components enables secured network communication.

Oracle Business Intelligence components can communicate only through one protocol at a time. It is not possible to use SSL between some components, while using simple TCP/IP communications between others. To enable secure communication, all instances of the following Oracle Business Intelligence components must be configured to communicate over SSL:

  • Oracle BI Server

  • Oracle BI Presentation Services

  • Oracle BI JavaHost

  • Oracle BI Scheduler

  • Oracle BI Job Manager

  • Oracle BI Cluster Controller

  • Oracle BI Server Clients, such as Oracle BI ODBC Client

SSL requires that the server possess a public key and a private key for session negotiation. The public key is made available through a server certificate. The certificate also contains information that identifies the server. The private key is protected by the server.

SSL is configured throughout the Oracle Business Intelligence installation from a single centralized point. Certificates are created for you and every Oracle Business Intelligence component is configured to use SSL. The following default security level is configured by SSL:

  • SSL encryption is enabled.

  • Mutual SSL authentication is not enabled. Since mutual SSL authentication is not enabled, clients do not need their own private SSL keys. All security sensitive inter-component communication links are authenticated by the BISystemUser credentials, or a user's credential.

  • The default cipher suites are used. For information about how to use a non-default cipher suite, see Section 5.5, "Advanced SSL Configuration Options".

  • When scaling out, the centrally managed SSL configuration is automatically propagated to any new components that are added.

If a higher level of security is required, manual configuration might be used to augment or replace the SSL central configuration. This is considerably more complex. For more information about how to configure SSL manually, contact Oracle Support. For more information, see Access to Oracle Support.

5.2.2 Creating Certificates and Keys in Oracle Business Intelligence

Secure communication over SSL requires certificates signed by a certificate authority (CA). For internal communication, the SSL Everywhere feature creates both a private certificate authority and the certificates for you. The internal certificates cannot be used for the outward facing web server because user web browsers are not aware of the private certificate authority. The web server must therefore be provided with a web server certificate signed by an externally recognized certificate authority. The central SSL configuration must be given the external certificate authority's root certificate so that the Oracle Business Intelligence components can recognize the web server certificate.

5.2.3 What is the Credential Store?

The Oracle Business Intelligence credential store is used to store the SSL credentials, such as certificates, trusted certificates, certificate requests, and private keys. SSL-related credentials are stored in the oracle.bi.enterprise credential map. The supported certificate file formats are .der and .pem.

5.3 Configuring SSL Communication Between Components

This section explains how to configure SSL communication between components using Oracle WebLogic Server Administration Console, Fusion Middleware Control, and manually editing files (Oracle recommends this method). An alternative method (not recommended) is to use the System MBean Browser.


5.3.1 Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console

You must configure the Oracle WebLogic Server to use HTTPS (for Administration Server and Managed Servers) before you enable SSL communication between Oracle BI EE components.

To configure WebLogic to use SSL in Oracle WebLogic Server Administration Console:

  1. Log in to Oracle WebLogic Server Administration Console.

    For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. In the Change Center click Lock & Edit.

  3. Expand Environment and click Servers to display the Summary of Servers Configuration tab.

  4. Click AdminServer.

  5. Go to the Settings for AdminServer page: General tab.

  6. Select SSL Listen Port Enabled.

  7. Click Save.

  8. If there is a cluster with one or more Managed Servers, complete the following steps for each Managed Server in the cluster:

    1. Go to the Settings for <ClusterName> Configuration page, Servers tab.

    2. Click the Managed Server link (for example, bi_server1).

    3. Select SSL Listen Port Enabled.

    4. Click Save.

  9. In the Change Center, click Activate Changes.

  10. If needed, restart the Administration Server and any Managed Servers.

    You do not need to restart unless a message indicates that one or more components need to be restarted.

    For more information, see "Starting and Stopping the Oracle Business Intelligence Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

5.3.2 Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control

You enable SSL for Oracle BI EE components using Fusion Middleware Control.

To enable SSL for Oracle BI EE components using Fusion Middleware Control:

  1. Log in to Fusion Middleware Control.

    For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

  2. From the navigation pane expand the Business Intelligence folder and select coreapplication.

  3. Go to the Secure Sockets Layer tab in the Security page.

  4. If the Use SSL for Middle-Tier Communications option is available, select it.

    If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. Check the steps in Section 5.3.1.

    When selected, this checkbox enables SSL to be the method of communication between Oracle Business Intelligence components.

  5. Enter the path of the WebLogic CA certificate into the WebLogic CA certificate location field.

    To use the default WebLogic Server demonstration certificate authority, enter the following:

    MW_HOME/wlserver_10.3/server/lib/CertGenCA.der

    This path is the Certificate Authority (CA) root certificate for the CA used to sign the web server's certificate. Do not enter the individual web server certificate. Supported types are .der and .pem. Ensure that you enter the correct extension for the certificate file. If the certificate for the web server is signed using a CA certificate, then enter the root CA and not the intermediate certificate.

    When you activate the configuration changes, the CA certificate is tested at each destination Managed Server. If the certificate for a Managed Server does not verify against the CA certificate, then a warning message is included in the log file for the Managed Server. The message includes the full details of the certificate chain from the Managed Server and text for the contents of the CA certificate.

  6. Click Apply.

    You will receive a confirmation message:

    "Confirmation Generate New Certificates - Completed Successfully"

  7. Close this dialog.

  8. Click Activate Changes.

  9. Stop the OPMN components and WebLogic Server.

    For more information, see "Starting and Stopping the Oracle Business Intelligence Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition

  10. Restart WebLogic Server, Administration Server, Managed Servers, then start the OPMN components, and Oracle Business Intelligence components.

  11. In Fusion Middleware Control, go to the SSL page and click the View SSL report to verify internal SSL communications status link to view the SSL status.

    If you can see this link, SSL is enabled.

  12. Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7001 and 9704.

    All logins should be successful.

  13. Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7002 and 9804.

    All logins should be successful.

5.3.3 Manually Configuring the WebLogic Server Environment

You must manually configure the WebLogic Server environment before you can enable SSL communication between Oracle BI EE components.

To manually configure the WebLogic Server environment:

  1. Open the following files for editing:

    For Linux:

    MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh

    For Windows:

    MW_HOME\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd

  2. Identify the DemoTrust and DemoIdentity keystore passphrases.

    You will need to use them later when you add properties to the JAVA_OPTIONS value.

    To identify the DemoTrust keystore passphrase:

    1. Open the JDK bin directory in a command line window.

      The JDK bin directory is located in:

      MW_HOME\Oracle_BI1\jdk\bin

    2. Execute the following command, for example:

      keytool -keystore MW_HOME/wlserver_10.3/server/lib/DemoTrust.jks -list

    3. Enter the password.

      The password can be either "password" or "DemoTrustKeyStorePassPhrase".

    4. When you use the correct password, the output looks like this:

      "Keystore type: JKS
      Keystore provider: SUN
       
      Your keystore contains 4 entries
       
      certgenca, Mar 22, 2002, trustedCertEntry,
      Certificate fingerprint (MD5):
      8E:AB:55:50:A4:BC:06:F3:FE:C6:A9:72:1F:4F:D3:89
      wlsdemocanew2, Jan 24, 2003, trustedCertEntry,
      Certificate fingerprint (MD5):
      5B:10:D5:3C:C8:53:ED:75:43:58:BF:D5:E5:96:1A:CF
      wlsdemocanew1, Jan 24, 2003, trustedCertEntry,
      Certificate fingerprint (MD5):
      A1:17:A1:73:9B:70:21:B9:72:85:4D:83:01:69:C8:37
      wlscertgencab, Jan 24, 2003, trustedCertEntry,
      Certificate fingerprint (MD5):
      A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE " 
      

    To identify DemoIdentity keystore passphrase:

    1. Open the JDK bin directory in a command line window.

      The JDK bin directory is located in:

      MW_HOME\Oracle_BI1\jdk\bin

    2. Execute the following command, for example:

      keytool -keystore MW_HOME/wlserver_10.3/server/lib/DemoIdentity.jks -list

    3. Enter the password.

      The password can be either "password" or "DemoIdentityKeyStorePassPhrase".

    4. When you use the correct password, the output looks like this:

      "Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 1 entry
      demoidentity, Jan 14, 2013, PrivateKeyEntry,
      Certificate fingerprint (MD5):
      DA:9B:F7:A2:B7:12:56:56:3F:E5:1D:C7:C1:7A:2D:8E" 
      
  3. Add the passwords identified in step 2 to the JAVA_OPTIONS properties.

    Some Oracle Business Intelligence Java components running in Oracle WebLogic Server invoke other web services running in Oracle WebLogic Server. Therefore, you must configure Oracle WebLogic Server to trust itself by setting these properties.

    You must escape any backslash (\) character in a path by using an additional backslash (\) character.

    If using the demonstration Oracle WebLogic Server certificate, make the following edits, for example:

    For Linux (enter all on one line):

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/BIEE11G/wlserver_10.3/server/lib/DemoTrust.jks -Djavax.net.ssl.trustStorePassword=\"DemoTrustKeyStorePassPhrase\" -Djavax.net.ssl.keyStore=/BIEE11G/wlserver_10.3/server/lib/DemoIdentity.jks -Djavax.net.ssl.keyStorePassword=\"DemoIdentityKeyStorePassPhrase\""
    export JAVA_OPTIONS
     
    

    For Windows (enter all on one line):

    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="BIEE11G\\wlserver_10.3\\server\\lib\\DemoTrust.jks" -Djavax.net.ssl.trustStorePassword="DemoTrustKeyStorePassPhrase" -Djavax.net.ssl.keyStore="BIEE11G\\wlserver_10.3\\server\\lib\\DemoIdentity.jks" -Djavax.net.ssl.keyStorePassword="DemoIdentityKeyStorePassPhrase"
    
    

    If you omit this step then login will fail.

    If you provided an incorrect trust store location, then you might see an error message. For example for Web Services for SOA, you might see an error message similar to the following:

    java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 
    
  4. Save the setDomainEnv.sh or setDomainEnv.cmd file.

  5. Restart Oracle WebLogic Server to include the Java option changes.

    If you do not restart Oracle WebLogic Server, attempts to log in to Oracle Business Intelligence will fail.
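The following added example (not from the Oracle guide) audits the JAVA_OPTIONS edits described in this procedure: it extracts the javax.net.ssl properties from the text of a setDomainEnv script and flags misspelt property names, which a JVM ignores without error, as well as the demonstration keystores and passphrases named above. The function names, finding codes, the /opt/keys path and the sample script are constructed for illustration.

```python
import re

# javax.net.ssl system properties that JSSE reads for key and trust stores.
KNOWN = {"trustStore", "trustStorePassword", "trustStoreType", "trustStoreProvider",
         "keyStore", "keyStorePassword", "keyStoreType", "keyStoreProvider"}
# Properties this example treats as mandatory (an assumption of the example).
REQUIRED = ("trustStore", "keyStore", "keyStorePassword")
# Demonstration keystores and passphrases named in the procedure above.
DEMO_KEYSTORES = {"DemoTrust.jks", "DemoIdentity.jks"}
DEMO_PASSPHRASES = {"password", "DemoTrustKeyStorePassPhrase",
                    "DemoIdentityKeyStorePassPhrase"}

# -Djavax.net.ssl.<name>=<value>; the value may be bare, "quoted" or \"quoted\".
PROP_RE = re.compile(r'-Djavax\.net\.ssl\.(\w+)=(\\?"[^"]*?\\?"|[^\s"]+)')

# Constructed excerpt of a setDomainEnv.sh with one misspelt property name.
SAMPLE_SH = r'''
# constructed sample, not a real domain script
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/BIEE11G/wlserver_10.3/server/lib/DemoTrust.jks -Djavax.net.ssl.trustStorePasword=\"DemoTrustKeyStorePassPhrase\" -Djavax.net.ssl.keyStore=/opt/keys/identity.jks -Djavax.net.ssl.keyStorePassword=\"DemoIdentityKeyStorePassPhrase\""
export JAVA_OPTIONS
'''


def parse_ssl_properties(script_text):
    """Return {property suffix: value} from the uncommented lines of a script."""
    props = {}
    for line in script_text.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith(("#", "rem ", "::")):
            continue  # shell or cmd comment
        for name, raw in PROP_RE.findall(line):
            # Assumption: when a property is repeated, the last value is kept.
            props[name] = raw.strip('\\"')
    return props


def audit(script_text):
    """Return a list of (finding code, property suffix) tuples."""
    props = parse_ssl_properties(script_text)
    findings = []
    for name, value in props.items():
        if name not in KNOWN:
            # A misspelt name is never read, so the setting has no effect.
            findings.append(("unknown-property", name))
        elif name in ("trustStore", "keyStore"):
            basename = re.split(r"[\\/]+", value)[-1]
            if basename in DEMO_KEYSTORES:
                findings.append(("demo-keystore", name))
        elif name.endswith("Password") and value in DEMO_PASSPHRASES:
            findings.append(("demo-passphrase", name))
    for name in REQUIRED:
        if name not in props:
            findings.append(("missing-property", name))
    return findings


if __name__ == "__main__":
    for code, prop in audit(SAMPLE_SH):
        print(f"{code}: javax.net.ssl.{prop}")
```
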

5.3.4 Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports

You configure Oracle WebLogic Server to use only the HTTPs protocol, by disabling non-SSL listen ports.

For more information, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

To configure Oracle WebLogic Server to use only the HTTPs protocol:

  1. If there is a cluster with one or more Managed Servers, complete the following steps:

    1. Log in to Oracle WebLogic Server Administration Console.

      For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

    2. In the Change Center click Lock & Edit.

    3. Expand Environment and click Clusters to display the Summary of Clusters page.

    4. Click bi_cluster to display the Settings for <ClusterName>.

    5. Go to the Configuration page, Replication tab.

    6. Select Secure Replication Enabled.

    7. Click Save.

    8. In the Change Center, click Activate Changes.

    9. Restart the Oracle WebLogic Server.

      For more information, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  2. Complete these steps if you are using WebLogic Server's embedded LDAP directory server.

    For more information, see "Viewing the Contents of the Embedded LDAP Server from an LDAP Browser" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

    1. Log in to Fusion Middleware Control, expand the WebLogic Domain folder and select bifoundation_domain.

      For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

    2. Select Security, and Security Provider Configuration from the menu.

    3. Expand Identity Store Provider Configuration.

    4. Click Configure.

    5. Click the Plus (+) sign and add the following properties.

      For example:

      Property Name = ldap.url, Property Value = ldaps://localhost:7002

      Property Name = java.naming.security.protocol, Property Value = SSL

      The port is not always 7002. Check the WebLogic startup or server logs for the correct port (for example, "DefaultSecure[1]" is now listening on 10.240.84.117:7503 for protocols iiops, t3s, ldaps, https).

    6. Click Ok.

  3. Log in to Oracle WebLogic Server Administration Console.

    For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  4. In the Change Center click Lock & Edit.

  5. Expand Environment and click Servers to display the Summary of Servers Configuration tab.

  6. Click AdminServer.

  7. Go to the Settings for AdminServer page, General tab.

  8. Clear Listen Port Enabled.

  9. If there is a cluster with one or more Managed Servers, complete the following steps for each Managed Server in the cluster:

    1. Go to the Settings for <ClusterName> Configuration page, Servers tab.

    2. Click the Managed Server link (for example, bi_server1).

    3. Clear Listen Port Enabled.

    4. Click Save.

  10. In the Change Center, click Activate Changes.

  11. Restart the Administration Server and any Managed Servers.

    For more information, see "Starting and Stopping the Oracle Business Intelligence Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
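As an added example (not part of the Oracle guide), the following script reads channel messages of the kind quoted in step 2 from a server log, reports any channel that still offers a non-SSL protocol after the listen ports are cleared, and derives the ldap.url value from the port that serves ldaps. The log excerpt is constructed, and the "Server state changed to STARTING" marker used to isolate the latest start is an assumption about the log's contents.

```python
import re
from collections import namedtuple

Channel = namedtuple("Channel", "name host port protocols")

SECURE_PROTOCOLS = {"https", "t3s", "iiops", "ldaps"}
# Assumption: each server start writes this state-change message to the log.
START_MARKER = "Server state changed to STARTING"

CHANNEL_RE = re.compile(
    r'"(?P<name>[^"]+)" is now listening on (?P<host>\S+):(?P<port>\d+) '
    r'for protocols (?P<protos>[A-Za-z0-9, ]+)')

# Constructed log: one start before and one after clearing Listen Port Enabled.
SAMPLE_LOG = """\
<Notice> <WebLogicServer> <Server state changed to STARTING>
<Notice> <Server> <Channel "Default[1]" is now listening on 10.240.84.117:7001 for protocols iiop, t3, ldap, snmp, http.>
<Notice> <Server> <Channel "DefaultSecure[1]" is now listening on 10.240.84.117:7503 for protocols iiops, t3s, ldaps, https.>
<Notice> <WebLogicServer> <Server state changed to STARTING>
<Notice> <Server> <Channel "DefaultSecure[1]" is now listening on 10.240.84.117:7503 for protocols iiops, t3s, ldaps, https.>
"""


def latest_startup(log_text):
    """Return the log from the last start marker on, so stale lines are ignored."""
    idx = log_text.rfind(START_MARKER)
    return log_text if idx < 0 else log_text[idx:]


def parse_channels(log_text):
    """Extract every 'is now listening on' message as a Channel tuple."""
    channels = []
    for m in CHANNEL_RE.finditer(log_text):
        protocols = tuple(p.strip() for p in m.group("protos").split(",") if p.strip())
        channels.append(Channel(m.group("name"), m.group("host"),
                                int(m.group("port")), protocols))
    return channels


def plaintext_channels(channels):
    """Channels that advertise at least one protocol outside the SSL set."""
    return [c for c in channels if set(c.protocols) - SECURE_PROTOCOLS]


def ldaps_url(channels, host="localhost"):
    """Build the ldap.url property value from the channel that serves ldaps."""
    for c in channels:
        if "ldaps" in c.protocols:
            return f"ldaps://{host}:{c.port}"
    return None


if __name__ == "__main__":
    current = parse_channels(latest_startup(SAMPLE_LOG))
    for c in plaintext_channels(current):
        print(f"non-SSL channel still open: {c.name} on port {c.port}")
    print("ldap.url =", ldaps_url(current))
```
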

5.3.5 Updating Expired SSL Certificates Using Fusion Middleware Control

Certificates generated by the SSL Everywhere central configuration expire after one year. The expiration date for a certificate is listed in the SSL status report in the Message column. Hover your mouse over the Message to see the full detail for that link. You can view the SSL status report by clicking the View SSL report to verify internal SSL communications status link in the Secure Sockets Layer tab in the Security page in Fusion Middleware Control.

To generate new certificates repeat the SSL setup (described in Section 5.3.1) and make sure to re-enter the CA certificate location. Re-entering the CA certificate location triggers regeneration of certificates.

5.3.6 Configuring SSL for the SMTP Server Using Fusion Middleware Control

You must obtain the SMTP server certificate to complete this task.

To configure SSL for the SMTP server using Fusion Middleware Control:

  1. Log in to Fusion Middleware Control.

    For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

  2. Go to the Business Intelligence Overview page.

  3. Display the Mail tab of the Deployment page.

    Click the Help button on the page to access the page-level help for its elements.

  4. Lock the configuration by clicking Lock and Edit Configuration.

  5. Complete the fields under Secure Socket Layer (SSL) as follows:

    • Connection Security: Select an option; other fields may become active afterward.

    • Specify CA certificate source: Select Directory or File.

    • CA certificate directory: Specify the directory containing CA certificates.

    • CA certificate file: Specify the file name for the CA certificate.

    • SSL certificate verification depth: Specify the verification level applied to the certificate.

    • SSL cipher list: Specify the list of ciphers matching the cipher suite name that the SMTP server supports. For example, RSA+RC4+SHA.

  6. Click Apply, then Activate Changes.

5.3.7 Configuring SSL Communication Between Components Using the System MBean Browser

This section describes how to configure SSL communication between components using the System MBean Browser. This alternative method enables you to choose several advanced configuration options, including choosing the passphrase that protects the various certificate stores. Oracle recommends that you do not use this approach and instead follow Section 5.3.1, "Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console".

Table 5-2 displays the tasks for manually configuring SSL communication between components using the System MBean Browser, and provides links to more information.

Note:

You must configure SSL for the web server before enabling SSL for Oracle Business Intelligence. For more information, see Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports".

You can manually configure internal SSL communication between components using Oracle Business Intelligence managed beans (MBeans). An MBean is a Java object that represents a JMX manageable resource in a distributed environment, such as an application.

Table 5-2 Task Map: Manually Configuring SSL Communication Between Components Using the System MBean Browser

| Task | Description | For Information |
|---|---|---|
| Lock the configuration. | Use the BIDomain MBean to lock the domain configuration before making changes. | Section 5.3.7.1, "Locking the Configuration" |
| Generate the SSL certificate. | Use the BIDomain.BIInstance.SecurityConfiguration MBean to generate the SSL certificate. | Section 5.3.7.2, "Generating the SSL Certificates" |
| Commit the SSL configuration changes. | Use the BIDomain MBean to commit the SSL configuration changes. | Section 5.3.7.3, "Committing the SSL Configuration Changes and Releasing the Lock" |
| Verify SSL certificates in credential store. | Verify that the SSL certificates are saved in the credential store. | Section 5.3.7.4, "Verifying the SSL Credentials in the Credential Store" |
| Enable the SSL configuration and restart Oracle Business Intelligence components. | Use the BIDomain.BIInstance.SecurityConfiguration MBean to enable the SSL configuration between components, then restart the components so the changes take effect. | Section 5.3.7.6, "Enabling the SSL Configuration" |
| Confirm that SSL communication is enabled between components. | Run the SSL report to confirm status. | Section 5.3.7.7, "Confirming SSL Status Using the MBean Browser" |
| Configure SSL communication for the mail server. | Configure SSL communication for the mail server. | Section 5.3.6, "Configuring SSL for the SMTP Server Using Fusion Middleware Control" |
| Update expired SSL certificates. | Update expired SSL certificates and replace with new ones. | Section 5.3.7.8, "Updating Expired SSL Certificates Using the MBean Browser" |


Use the Fusion Middleware Control System MBean Browser to manually configure SSL communication between Oracle Business Intelligence components. You access the System MBean Browser from the Oracle WebLogic Server domain where Oracle Business Intelligence is installed in Fusion Middleware Control. For example, bifoundation_domain.

For more information about using and navigating within Fusion Middleware Control, see "Navigating Within Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide.

5.3.7.1 Locking the Configuration

Configuring SSL between components requires that you lock the configuration before making changes, using the BIDomain MBean.

To lock the configuration:

  1. In Fusion Middleware Control target navigation pane, go to the Oracle WebLogic Server domain in which Oracle Business Intelligence is installed. Select this domain. For example, bifoundation_domain.

  2. From the WebLogic Domain menu, select System MBean Browser.

  3. Expand the Application Defined MBeans node in the MBean navigation tree, then expand the oracle.biee.admin node, then expand the bifoundation_domain node.

  4. Locate and expand the BIDomain node to display two BIDomain MBeans. Then either hover your cursor over each MBean or click Show MBean Information to display their full names:

    • oracle.biee.admin:type=BIDomain, group=Service

    • oracle.biee.admin:type=BIDomain, group=Config

  5. Select the BIDomain MBean having the full name oracle.biee.admin:type=BIDomain, group=Service from the MBean navigation tree.


  6. Select the Operations tab, then Lock.

  7. Click Invoke.

    A confirmation displays to indicate that the configuration is locked. The next step is to generate the SSL certificates. For more information, see Section 5.3.7.2, "Generating the SSL Certificates".

5.3.7.2 Generating the SSL Certificates

Internal SSL communication requires that server certificates, a server public key, and a private key be generated. Oracle Business Intelligence acts as a private CA (certificate authority) for internal communication only. The BIDomain.BIInstance.SecurityConfiguration MBean is used to generate the SSL certificates.

Note:

If you have existing certificates, best practice is to discard them and generate new certificates by following these steps. To use your existing certificates you must manually configure SSL.

To generate the SSL certificate:

  1. Lock the configuration.

    For information, see Section 5.3.7.1, "Locking the Configuration".

  2. In Fusion Middleware Control target navigation pane, expand the farm, then expand WebLogic Domain, and select bifoundation_domain.

  3. Display the WebLogic Domain menu, and select System MBean Browser.

    The System MBean Browser page is displayed.

  4. Expand the Application Defined MBeans node in the MBean navigation tree, then expand the oracle.biee.admin node, then expand the bifoundation_domain node.

  5. Locate and expand the BIDomain.BIInstance.SecurityConfiguration node.

    The BIDomain.BIInstance.SecurityConfiguration MBean is displayed.

  6. Select the BIDomain.BIInstance.SecurityConfiguration MBean.

    Configuration options for the MBean display in the right pane.

  7. Select the Attributes tab, then locate the SSLCertificatesGenerated attribute. A value of false indicates that SSL certificates have not been generated. If certificates have been previously generated, you can continue to replace them with new certificates.


  8. Select the Operations tab.


  9. Select the generateSSLCertificates operation.

    The parameters for the generateSSLCertificates operation of the BIDomain.BIInstance.SecurityConfiguration MBean are displayed.


  10. Provide values for the following parameters:

    • passphrase: The SSL passphrase that protects the certificates and, most importantly, the private key. Remember this passphrase. For example, you need to use it to connect to a BI Server using command line tools that require the tool to verify the BI Server certificate. Must be more than six characters.

    • webServerCACertificatePath: The path for the Certificate Authority (CA) root certificate for the CA used to sign the web server's certificate. Do not enter the individual web server certificate. For Oracle WebLogic Server default demonstration certificate authority, enter MW_HOME/wlserver_10.3/server/lib/CertGenCA.der. Supported types are .der and .pem.

      Note:

      The recommended practice is to install a non-demonstration certificate in Oracle WebLogic Server, signed either by a recognized public certificate authority or your organization's certificate authority. You can obtain the CA root certificate directly from the certificate authority or by exporting it from your web browser.

    • certificateEncoding: Supported types are .der and .pem. For the Oracle WebLogic Server default, enter der.

  11. Click Invoke.

    A confirmation displays if the operation executed successfully. If successful, the input CA certificate has been validated and the certificate generation request is queued. The next step is to commit the changes, which completes certificate creation and distribution throughout the domain. For more information, see Section 5.3.7.3, "Committing the SSL Configuration Changes and Releasing the Lock".

5.3.7.3 Committing the SSL Configuration Changes and Releasing the Lock

You commit the SSL configuration changes and release the lock using the BIDomain MBean.

Note:

You must configure SSL for the web server before enabling SSL for Oracle Business Intelligence. For more information, see Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports".

To commit the SSL configuration and release the lock:

  1. From the System MBean Browser, navigate to the BIDomain MBean. You want the MBean with the complete name of oracle.biee.admin:type=BIDomain, group=Service.

    For more information about navigating to the BIDomain MBean, follow Steps 1 through 5 in Section 5.3.7.1, "Locking the Configuration".

  2. Select the BIDomain MBean having the complete name oracle.biee.admin:type=BIDomain, group=Service.

  3. Select the Operations tab, then simpleCommit to save your changes and release the lock.

  4. Click Invoke.


    A confirmation displays to indicate if the commit operation was successful.

    The next step is to verify the SSL credentials are in the credential store. For more information, see Section 5.3.7.4, "Verifying the SSL Credentials in the Credential Store".

5.3.7.3.1 Troubleshooting Tip

If the commit operation fails you might see the following error message:

SEVERE: Element Type: DOMAIN, Element Id: null, Operation Result:
VALIDATION_FAILED, Detail Message: SSL must be enabled on AdminServer before
enabling on BI system; not set on server: AdminServer 

This message indicates that SSL has not been enabled on the Oracle WebLogic Server Managed Servers, which is a prerequisite step. For more information, see Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports". After this prerequisite is completed you can repeat the commit operation.

5.3.7.4 Verifying the SSL Credentials in the Credential Store

The SSL credentials are stored in the credential store for Oracle Business Intelligence.

To verify the SSL credentials in the credential store:

  1. If necessary, from Fusion Middleware Control target navigation pane, expand the farm, then expand WebLogic Domain, and select bifoundation_domain.

  2. From the WebLogic Domain menu, select Security, then Credentials.

  3. Open oracle.bi.enterprise credential map and verify the SSL credentials have been saved to the credential store. If successful, the following SSL credentials display in the oracle.bi.enterprise credential map:

    • ssl.java.private.key

    • ssl.java.public.certificate

    • config.version

5.3.7.5 About Oracle BI EE SSL Everywhere Generated Certificates

Client tools need access to these generated certificates for secure communications. For more information, see Section 5.3.7.2, "Generating the SSL Certificates".

The certificates are located at:

MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\biinstances\coreapplication\ssl.

The certificate files are:

  • cacert.pem: The certificate of the private CA. Command line tools that want to verify the BI Server certificates point to this file.

  • webservercacert.pem: The certificate of the public CA that signed the web server certificate. This is a copy of the CA certificate registered in the generateSSLCertificate operation, in .pem format.

  • javaserver.keystore: Contains all the certificates in a format suitable for use by Java clients. Contents include:

    Alias                     Certificate
    javaservercert            Server
    javaserverkey             Key
    internalcacertificate     Private Key
    webservercacertificate    Web server CA


  • server-key.pem: Private key for the openssl servers.

    Clients need to have access to the internal CA certificate. Java clients need the certificate in a keystore which they have access to. The javaserver.keystore cannot be used if you created the certificates from Fusion Middleware Control since it is protected by a private passphrase. Create a new keystore for use by your clients with the following command:

    keytool -keystore clientkeystore -import -file cacert.pem -alias biee

    The command prompts you to choose your own passphrase.

The next step is to enable the SSL configuration changes. For more information, see Section 5.3.7.6, "Enabling the SSL Configuration".

5.3.7.6 Enabling the SSL Configuration

To enable the SSL configuration:

  1. Verify that the web server is configured to use HTTPS before enabling the SSL configuration. If necessary, configure the web server before proceeding.

    For information about how to configure SSL for Oracle WebLogic Server, see Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports".

  2. Lock the configuration.

    For information, see Section 5.3.7.1, "Locking the Configuration".

  3. From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.

    For information about how to navigate to the MBean, see Section 5.3.7.2, "Generating the SSL Certificates".

  4. Select the Attributes tab, then for the SSLEnabled attribute select true from the Value list, then click Apply. You must have the SSL listen port on for the Administration Server and Managed Servers. For more information, see Section 5.3.4, "Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports".

  5. Navigate to the BIDomain MBean and commit the changes.

    For information, see Section 5.3.7.3, "Committing the SSL Configuration Changes and Releasing the Lock".

    SSL communication is now enabled between the components. You must restart the Oracle Business Intelligence components for the changes to take effect.

  6. Restart the Oracle Business Intelligence components from the Oracle Business Intelligence Overview page in Fusion Middleware Control.

    For more information, see "Starting and Stopping Oracle Business Intelligence System Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

5.3.7.7 Confirming SSL Status Using the MBean Browser

You can run an SSL report using the BIDomain.BIInstance.SecurityConfiguration MBean to verify that SSL communication is operating between components.

To run the SSL report to confirm status:

  1. From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.

    For information about how to navigate to the MBean, see Section 5.3.7.2, "Generating the SSL Certificates". You do not need to lock the configuration to run the SSL report.

  2. Select the Operations tab, then select the runSSLReport option.

  3. To run the report, click Invoke.

    The report indicating the status of SSL communication between components displays. See Example 5-1, "Sample SSL Report Output".

    If the SSL ping fails, check the following:

    • Verify the target component is running.

    • Verify that the component has been restarted since SSL was enabled. SSL configuration changes require a restart to take effect.

    • Verify that the SSLEnabled attribute for the BIDomain.BIInstanceSecurityConfiguration MBean is set to true. When changing SSL properties, both the apply and commit steps must be performed.

Example 5-1 Sample SSL Report Output

OracleBIPresentationServicesComponent
(1) <machine_name>:9710. SSL ping OK. peer: <machine_name> port: 9710 protocol: SSLv3 cipher suite: SSL_RSA_WITH_RC4_128_MD5
local certificates: null
peer certificates: #18, expires Tue May 17 15:23:02 BST 2011 for CN=OBIEE Installer Openssl, OU=Business Intelligence, O=Oracle, C=US#9879704091745165219, expires Tue May 17 15:23:02 BST 2011 for C=US, O=org, OU=unit, CN=OBIEE Installer CA
 
OracleBIClusterControllerComponent
(No instances configured)

OracleBISchedulerComponent
(1) <machine_name>:9705. SSL ping OK. peer: <machine_name> port: 9705 protocol: SSLv3 cipher suite: SSL_RSA_WITH_RC4_128_MD5
local certificates: null 
peer certificates: #18, expires Tue May 17 15:23:02 BST 2011 for CN=OBIEE Installer Openssl, OU=Business Intelligence, O=Oracle, C=US

OracleBIJavaHostComponent
(1) <machine_name>:9810. SSL ping OK. peer: <machine_name> port: 9810 protocol: SSLv3 cipher suite: SSL_RSA_WITH_RC4_128_MD5
local certificates: null
peer certificates: #19, expires Tue May 17 15:23:03 BST 2011 for CN=OBIEE Installer Java, OU=Business Intelligence, O=Oracle, C=US

OracleBIServerComponent
(1) <machine_name>:9703. SSL ping OK. peer: <machine_name> port: 9703 protocol: SSLv3 cipher suite: SSL_RSA_WITH_RC4_128_MD5
local certificates: null 
peer certificates: #18, expires Tue May 17 15:23:02 BST 2011 for CN=OBIEE Installer Openssl, OU=Business Intelligence, O=Oracle, C=US

SSL ok on 4 out of 4 components.

5.3.7.8 Updating Expired SSL Certificates Using the MBean Browser

Certificates generated by the SSL Everywhere central configuration expire after one year. The expiration date for a certificate is listed in the SSL status report. For more information about how to run an SSL report, see Section 5.3.7.7, "Confirming SSL Status Using the MBean Browser". For an example of the certificate expiration message that is displayed, see Example 5-1, "Sample SSL Report Output".

To replace a certificate that is about to expire, generate new certificates by following the steps in Section 5.3.7.2, "Generating the SSL Certificates" and restart the Oracle Business Intelligence components.
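
The status report shows the negotiated protocol, cipher suite and certificate expiry for each component, so it lends itself to a scripted check. The following Python is an added example, not Oracle code: it parses text in the layout of Example 5-1 and flags certificates that have expired or expire within a warning window, along with protocols and cipher suites on a deny-list. The deny-list, the sample report, and the rule that any instance line without "SSL ping OK" counts as a failed ping are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of Example 5-1; hosts, serials and dates are made up.
SAMPLE_REPORT = """\
OracleBIPresentationServicesComponent
(1) bi01.example.com:9710. SSL ping OK. peer: bi01.example.com port: 9710 protocol: SSLv3 cipher suite: SSL_RSA_WITH_RC4_128_MD5
local certificates: null
peer certificates: #18, expires Tue May 17 15:23:02 BST 2011 for CN=OBIEE Installer Openssl, OU=Business Intelligence, O=Oracle, C=US

OracleBIClusterControllerComponent
(No instances configured)

OracleBISchedulerComponent
(1) bi01.example.com:9705. SSL ping OK. peer: bi01.example.com port: 9705 protocol: TLSv1 cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
local certificates: null
peer certificates: #21, expires Fri Mar 01 09:00:00 GMT 2013 for CN=OBIEE Installer Openssl, OU=Business Intelligence, O=Oracle, C=US

SSL ok on 2 out of 2 components.
"""

# Example policy, an assumption: replace with your organization's standard.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}                              # SSLv3: deprecated by RFC 7568
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "EXPORT", "_DES_")   # RC4: prohibited by RFC 7465

INSTANCE = re.compile(r"^\(\d+\)\s+(?P<host>\S+):(?P<port>\d+)\.\s+(?P<rest>.*)$")
NEGOTIATED = re.compile(r"protocol:\s*(\S+)\s+cipher suite:\s*(\S+)")
EXPIRY = re.compile(r"expires \w{3} (\w{3}) (\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ (\d{4})")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_report(text):
    """Return one dict per component instance listed in the report."""
    instances, component, current = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = INSTANCE.match(line)
        if m:
            n = NEGOTIATED.search(m["rest"])
            current = dict(component=component, endpoint=f'{m["host"]}:{m["port"]}',
                           ping_ok="SSL ping OK" in m["rest"], expires=[],
                           protocol=n.group(1) if n else None,
                           cipher=n.group(2) if n else None)
            instances.append(current)
        elif line.startswith("peer certificates:") and current:
            # The zone abbreviation (BST, GMT) is dropped: day-level accuracy only.
            current["expires"] = [datetime(int(y), MONTHS[mo], *map(int, (d, h, mi, s)))
                                  for mo, d, h, mi, s, y in EXPIRY.findall(line)]
        elif re.fullmatch(r"\w+Component", line):
            component, current = line, None
    return instances

def audit(instances, now, warn_days=30):
    """Return (component endpoint, kind, detail) tuples that need attention."""
    findings = []
    for inst in instances:
        where = f'{inst["component"]} {inst["endpoint"]}'
        if not inst["ping_ok"]:
            findings.append((where, "ping-failed", ""))
            continue
        if inst["protocol"] in WEAK_PROTOCOLS:
            findings.append((where, "weak-protocol", inst["protocol"]))
        cipher = inst["cipher"] or ""
        if any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
            findings.append((where, "weak-cipher", cipher))
        for exp in inst["expires"]:
            if exp - now <= timedelta(days=warn_days):
                kind = "cert-expired" if exp <= now else "cert-expiring"
                findings.append((where, kind, exp.isoformat()))
    return findings
```

Paste the text returned by runSSLReport into `parse_report` and pass the result to `audit` with the current time; an empty list means nothing was flagged under the policy in use.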

5.4 Additional SSL Configuration Options

Additional configuration options are required for Oracle Business Intelligence components and tools as follows:

5.4.1 Using SASchInvoke when BI Scheduler is SSL-Enabled

When the BI Scheduler is enabled for communication over SSL, you can invoke the BI Scheduler using the SASchInvoke command line utility.

Use the following syntax to run the SASchInvoke command:

SASchInvoke -u <Admin Name>  (-j <job id> | -i <iBot path>)  [-m <machine name>[:<port>]]  [(-r <replace parameter filename> | -a <append parameter filename>)] [-l [ -c <SSL certificate filename> -k <SSL certificate private key filename> [ -w <SSL passphrase>  | -q <passphrase file>  | -y ]] [-h <SSL cipher list>] [-v [-e <SSL verification depth>] [-d <CA certificate directory>] [-f <CA certificate file>] [-t <SSL trusted peer DNs>] ] ]

The command will prompt you to enter the administrator password.

5.4.2 Configuring Oracle BI Job Manager

To successfully connect to BI Scheduler that has been enabled for SSL, Oracle BI Job Manager must also be configured to communicate over SSL.

Oracle BI Job Manager is a Java based component and the keys and certificates that it uses must be stored in a Java keystore database.

Use this procedure to configure Oracle BI Job Manager to communicate with the BI Scheduler server over SSL.

To configure Oracle BI Job Manager:

  1. From the File menu, select Oracle BI Job Manager, then select Open Scheduler Connection.

  2. In the Secure Socket Layer section of the dialog box, select the SSL check box.

    If you are using the central SSL configuration, which does not set up mutual authentication, you do not need to provide any additional values in this dialog box.

  3. Click OK to exit.

  4. If BI Scheduler has been set to "Require Client Certificate", then you must set Key Store and Key Store Password as follows:

    • Key Store=MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\biinstances\coreapplication\ssl\client.keystore.

    • Key Store Password = passphrase entered in the generateSSLCertificates operation. See Step 10 of Section 5.3.7.2, "Generating the SSL Certificates".

  5. Select the Verify Server Certificate check box. When this is checked, the trust store file must be specified. This trust store contains the CA that verifies the Scheduler server certificate.

  6. In the Trust Store text box, enter the path and file name of the keystore that contains the Certificate Authority file.

    In the example provided previously, the CA certificate was stored in the same keystore that contains the certificate and private key, client.keystore.

  7. In the Trust Store Password text box, enter the password of the keystore entered in Step 6.

  8. Copy the keystore and trust store files to the locations specified in the parameters above.

5.4.3 Enabling the Online Catalog Manager to Connect

The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSL. You must import the SSL server certificate or CA certificate from the web server into the Java Keystore of the JVM (for example, JRockit) that is specified by the system JAVA_HOME variable.

To enable the online Catalog Manager to connect:

  1. Navigate to Java's default trust store located at MW_HOME/JAVA_HOME/jre/lib/security.

    For example, mw_home\jrocket_160_17_R28.0.0-679\jre\lib\security.

    The default trust store is named cacerts.

  2. Copy the certificate exported from the web server to the same location as Java's default truststore.

  3. Execute the command to import the certificate to the default truststore:

    keytool -importcert -trustcacerts -alias bicert -file $WebServerCertFilename -keystore cacerts -storetype JKS
    

    where the web server certificate file $WebServerCertFilename is imported into Java's default trust store named cacerts under an alias of bicert.

    For example if using the Oracle WebLogic Server default demonstration certificate, then use the full path to the certificate located in WLS_HOME/server/lib/CertGenCA.der.

    Note:

    The default password for the Java trust store is "changeit".

  4. Restart Catalog Manager.

    Note:

    You must start Catalog Manager using the secure HTTPS URL.

5.4.4 Configuring the Oracle BI Administration Tool to Communicate Over SSL

To successfully connect to a BI Server that has been enabled for SSL, the Administration Tool must also be configured to communicate over SSL. The DSN for the Oracle BI Server data source is required.

To configure the Administration Tool to communicate over SSL:

  1. Determine the Oracle BI Server data source DSN being used by logging into the Presentation Services Administration page as an administrative user.

    For more information, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  2. Locate the Oracle BI Server Data Source field in the upper left corner. The DSN is listed in the following format: coreapplication_OH<DSNnumber>.

  3. In the Administration Tool, enter the DSN number by selecting File, then Open, then Online. Select the DSN from the list.

  4. Enter the repository user name and password.

    The Administration Tool is now connected to the BI Server using SSL.

5.4.5 Configuring an ODBC DSN for Remote Client Access

You can create an ODBC DSN for the Oracle BI Server to enable remote client access. For more information about how to enable SSL communication for an ODBC DSN, see "Integrating Other Clients with Oracle Business Intelligence" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition.

5.4.6 Configuring Oracle BI Publisher to Communicate Over SSL

You can configure BI Publisher to communicate securely over the internet using SSL. For more information, see "Configuring BI Publisher for Secure Socket Layer (SSL) Communication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Publisher.

If BI Publisher does not work after configuring SSL, you might need to reconfigure the HTTPS protocol and SSL port. For more information, see "Configuring Integration with Oracle BI Presentation Services" in the Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Publisher.

5.4.7 Configuring SSL when Using Multiple Authenticators

If you are configuring multiple authenticators, and have configured an additional LDAP Authenticator to communicate over SSL (one-way SSL only), you need to put the corresponding LDAP server's root certificate in an additional keystore used by the virtualization (libOVD) functionality.

To configure SSL when using multiple authenticators:

Note:

Before completing this task, you must configure the custom property called virtualize (lower case), and set its value to true (for more information, see Section 3.4.5, "Configuring Multiple Authentication Providers Using Fusion Middleware Control").

  1. Create the keystore:

    1. Set environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.

      For example (on Windows):

      set ORACLE_HOME=MW_HOME\Oracle_BI1

      set WL_HOME=MW_HOME\wlserver_10.3

      set JAVA_HOME=MW_HOME\jdk160_24

    2. Set up the keystore by running libovdconfig.sh (on UNIX), or libovdconfig.bat (on Windows), using -createKeystore option.

      For example, on UNIX, open a shell prompt and change the directory to MW_HOME/oracle_common/bin. Then run the following command, which prompts for the Oracle Business Intelligence administrator user name and password:

      ./libovdconfig.sh -host <hostname> -port <Admin_Server_Port> -username <BI Admin User> -domainPath MW_HOME/user_projects/domains/bifoundation_domain -createKeystore

      Windows location:

      MW_HOME\oracle_common\bin\libovdconfig.bat

    3. When prompted, enter the Oracle Business Intelligence administrator password, and the OVD Keystore password (a new password that will be used to secure a Keystore file), created by the libovdconfig.sh -createKeystore command.

      Once this command runs, you should see two new credentials in the Credential Store and a new Keystore file called adapters.jks under MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores.

  2. Export the root certificate from the LDAP directory (refer to your LDAP documentation on how to do this).

  3. Import the root certificate to the libOVD keystore using the keytool command:

    MW_HOME/jdk160_24/bin/keytool -import -keystore MW_HOME/user_projects/domains/bifoundation_domain/config/fmwconfig/ovd/default/keystores/adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Certificate filename>

  4. Restart WebLogic Server and Oracle Business Intelligence processes.

    For more information, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

5.5 Advanced SSL Configuration Options

The default SSL configuration uses default cipher suite negotiation. You can configure the system to use a different cipher suite if your organization's security standards do not allow for the default choice. The default choice can be viewed in the output from the SSL status report.

This advanced option is not configured by the SSL Everywhere central configuration. Instead, individual components must be manually configured. If new components are added by scaling out, each additional component must be manually configured. Manual configuration involves editing of the configuration files (.ini and .xml). Be careful to observe the syntactic conventions of these file types. If the files are incorrect, the corresponding component logs an error in its log file and will not start.

A manually configured SSL environment can co-exist with a default SSL configuration.

To manually configure the SSL cipher suite:

  1. Configure SSL Everywhere by following the instructions in Section 5.3.7, "Configuring SSL Communication Between Components Using the System MBean Browser".

    Note:

    Before making manual changes, use the System MBean Browser to invoke the SSLManualConfig MBean under BIDomain.BIInstance.SecurityConfiguration. For more information, see Section 5.3.7.1, "Locking the Configuration".

  2. Select the desired Java Cipher Suite name from the options located at http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA.

  3. Create an Open SSL Cipher Suite Name that matches the cipher suite chosen, using the list at http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT.

    For example, Java Cipher Suite name SSL_RSA_WITH_RC4_128_SHA maps to Open SSL: RSA+RC4+SHA.

  4. Edit the JavaHost configuration file located at ORACLE_INSTANCE\config\OracleBIJavaHostComponent\coreapplication_obijhn\config.xml and add the following sub-element to the JavaHost/Listener/SSL element. For example:

    <EnabledCipherSuites>SSL_RSA_WITH_RC4_128_SHA</EnabledCipherSuites>
    

    For more information about the location of the configuration files mentioned in these steps, see "Where Are Configuration Files Located?" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  5. Edit the Presentation Services configuration file located at ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn/instanceconfig.xml and add the attribute cipherSuites="RSA+RC4+SHA" to the Listener and the JavaHostProxy elements within the ServerInstance element.

  6. Edit the BI Scheduler configuration file located at ORACLE_INSTANCE/config/OracleBISchedulerComponent/coreapplication_obischn/instanceconfig.xml and add the following sub-element to scheduler/ServerInstance/SSL. For example:

    <CipherList>RSA+RC4+SHA</CipherList>
    
  7. If in a clustered environment, edit the Cluster Controller configuration file located at ORACLE_INSTANCE/config/OracleBIApplication/coreapplication/NQClusterConfig.INI and set the SSL_CIPHER_LIST value, as in the following example:

    SSL_CIPHER_LIST = "RSA+RC4+SHA";
    
  8. Restart all the Oracle Business Intelligence components.

    For more information, see "Starting and Stopping Oracle Business Intelligence System Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  9. From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.

    Make sure that the SSLManualConfig attribute is set to false before running the SSL status report.

    For information about how to navigate to the MBean, see Section 5.3.7.2, "Generating the SSL Certificates". You do not need to lock the configuration to run the SSL report.

  10. Run an SSL status report to confirm SSL is enabled by following the steps in Section 5.3.7.7, "Confirming SSL Status Using the MBean Browser".
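
Because each component is edited by hand, and again for every component added by scaling out, the settings from Steps 4 through 7 can drift apart. The following Python is an added example, not Oracle code: it checks that the four settings named in those steps carry the chosen Java and OpenSSL cipher names. The XML and INI fragments are constructed and reduced to the elements the procedure names, and the dictionary keys are hypothetical labels for the four files.

```python
import re
import xml.etree.ElementTree as ET

# The one name pair the procedure gives as its example.
JAVA_SUITE = "SSL_RSA_WITH_RC4_128_SHA"
OPENSSL_LIST = "RSA+RC4+SHA"

# Constructed fragments; real files contain many more elements around these.
SAMPLE_FILES = {
    "javahost_config.xml":
        "<JavaHost><Listener><SSL><EnabledCipherSuites>SSL_RSA_WITH_RC4_128_SHA"
        "</EnabledCipherSuites></SSL></Listener></JavaHost>",
    "presentation_instanceconfig.xml":
        '<ServerInstance><Listener cipherSuites="RSA+RC4+SHA"/>'
        "<JavaHostProxy/></ServerInstance>",                      # attribute forgotten
    "scheduler_instanceconfig.xml":
        "<scheduler><ServerInstance><SSL/></ServerInstance></scheduler>",  # no CipherList
    "NQClusterConfig.INI": 'SSL_CIPHER_LIST = "RSA+RC4+SHA";\n',
}

def _named(root, name):
    """All elements with this local name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text_values(xml_text, name):
    return [(e.text or "").strip() for e in _named(ET.fromstring(xml_text), name)]

def check_cipher_config(files, java_suite, openssl_list):
    """Return (file, setting, found) for every setting that is missing or differs."""
    problems = []
    found = _text_values(files["javahost_config.xml"], "EnabledCipherSuites")
    if found != [java_suite]:
        problems.append(("javahost_config.xml", "EnabledCipherSuites", found))
    ps_root = ET.fromstring(files["presentation_instanceconfig.xml"])
    for name in ("Listener", "JavaHostProxy"):
        attrs = [e.get("cipherSuites") for e in _named(ps_root, name)]
        if not attrs or any(a != openssl_list for a in attrs):
            problems.append(("presentation_instanceconfig.xml",
                             f"{name}/@cipherSuites", attrs))
    found = _text_values(files["scheduler_instanceconfig.xml"], "CipherList")
    if found != [openssl_list]:
        problems.append(("scheduler_instanceconfig.xml", "CipherList", found))
    ini = files.get("NQClusterConfig.INI")   # only edited in a clustered environment
    if ini is not None:
        # Anchoring at line start skips commented-out entries.
        found = re.findall(r'^\s*SSL_CIPHER_LIST\s*=\s*"([^"]*)"\s*;', ini, re.M)
        if found != [openssl_list]:
            problems.append(("NQClusterConfig.INI", "SSL_CIPHER_LIST", found))
    return problems
```

With the sample fragments the function reports the JavaHostProxy attribute and the Scheduler CipherList as missing; load the real file contents into the dictionary to check a deployment before the restart in Step 8.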