Enabling Oracle BI EE Internal SSL

Follow these steps to enable SSL on internal communication links.

You must run commands from the master host. Oracle Business Intelligence must have been configured by the BI configuration assistant, WebLogic managed servers must have been created, and any scaling out must be complete.

See Manually Configuring SSL Cipher Suite.

  1. Stop the system using:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/stop.sh
    
  2. Run the following command to enable SSL on WebLogic internal channels and internal components:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/ssl.sh internalssl true
    
  3. (Optional) Configure advanced options by editing the file:

    ORACLE_HOME/user_projects/domains/bi/config/fmwconfig/biconfig/core/ssl/bi-ssl.xml
    

    Options supported are:

    • Enable server checking of client certificates.

    • Specify cipher suite to use.

  4. Restart the domain and BI component processes using:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/start.sh
    
  5. Confirm setup as follows:

    1. Check that the WebLogic certificates and corresponding trust have been correctly configured using:

      ORACLE_HOME/user_projects/domains/bi/bitools/bin/ssl.sh report

      This command checks that WebLogic certificates and corresponding trust are correctly configured.

    2. Confirm you can log in to Analytics at:

      https://<host>:<SecureManagedServerPort>/analytics

      This confirms that the HTTPS listener is enabled on each server before you enable end-to-end SSL. Note that any communication between internal components is encrypted, but this is only verifiable using the 'ssl.sh report' command, or by checking server traffic.

Post conditions:

  • WebLogic servers:

    • Have https listener enabled on internal channels.

    • The external port configuration is unaltered. See Enabling End-to-End SSL for how to enable SSL on the external ports as well.

    • There is a separate internal identity (key/certificate pair) for each listener address. The certificate has a common name matching the listening address, which is compatible with standard https practice. The certificates are signed by the internal certificate authority.

  • System components (other than Essbase Studio):

    • Have https listener enabled on internal channels.

    • The external port configuration is unaltered.

    • There is a separate internal identity (key/certificate pair) for each listener address. The certificate has a common name matching the listening address, which is compatible with standard https practice. The certificates are signed by the internal certificate authority.

  • Essbase Studio:

    • No change. Continues with existing connectivity.
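
The certificate post conditions above (common name equal to the listening address, signed by the internal certificate authority) can be spot-checked per listener. The following is an added example, not Oracle tooling and not part of the original documentation. It assumes openssl is installed and that the internal CA certificate is available as a PEM file; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: check one saved listener certificate against the post conditions.
# To save a certificate from a running listener (placeholders as on this page):
#   openssl s_client -connect <host>:<SecureManagedServerPort> </dev/null 2>/dev/null \
#     | openssl x509 -out listener.pem

# Lower-case a string so host names compare case-insensitively.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print the subject common name (CN) of the certificate in PEM file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_listener_cert <cert.pem> <listening-address> <ca.pem>
# Returns 0 if the CN matches the listening address and the certificate
# verifies against the CA file; 2 = no CN, 3 = CN mismatch, 4 = wrong signer.
check_listener_cert() {
    cert=$1; listen_addr=$2; ca_file=$3
    cn=$(cert_cn "$cert")
    if [ -z "$cn" ]; then
        echo "FAIL: no CN readable from $cert" >&2
        return 2
    fi
    if [ "$(lower "$cn")" != "$(lower "$listen_addr")" ]; then
        echo "FAIL: CN '$cn' does not match listening address '$listen_addr'" >&2
        return 3
    fi
    # Note: openssl verify may also consult the system default CA directory;
    # on OpenSSL 1.1.0 or later, add -no-CApath to trust only $ca_file.
    if ! openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against the CA in $ca_file" >&2
        return 4
    fi
    echo "OK: $listen_addr presents CN=$cn signed by the expected CA"
}
```

Run `check_listener_cert listener.pem <host> internal-ca.pem` once for each listener address, since each address has its own identity.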