
Configuring Oracle BI Server in Near-Maximum Security Scenario


On the machine where Oracle BI Server has been installed, modify the NQSConfig.INI file as described in the following procedure. The NQSConfig.INI file is located in the directory OracleBI_HOME\server\Config or in the directory OracleBI_HOME/server/Config.

To configure Oracle BI Server in near-maximum security scenario

  1. Open the NQSConfig.INI file for editing. Locate the following lines:

    #SSL=NO;
    #SSL_CERTIFICATE_FILE="servercert.pem";
    #SSL_PRIVATE_KEY_FILE="serverkey.pem";
    #SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
    #SSL_PK_PASSPHRASE_PROGRAM="sitepwd.exe";
    #SSL_VERIFY_PEER=NO;
    #SSL_CA_CERTIFICATE_DIR="CACertDIR";
    #SSL_CA_CERTIFICATE_FILE="CACertFile";
    #SSL_TRUSTED_PEER_DNS="";
    #SSL_CERT_VERIFICATION_DEPTH=9;
    #SSL_CIPHER_LIST="";

  2. Uncomment the lines shown below and set the parameter values:

    SSL=YES;
    SSL_CERTIFICATE_FILE="<Server Certificate Filename>";
    SSL_PRIVATE_KEY_FILE="<Server Private Key Filename>";

    Set one of the following lines depending on whether you are using a passphrase file or a passphrase program:

    #SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
    #SSL_PK_PASSPHRASE_PROGRAM="sitepwd.exe";

    If you are using a passphrase file, uncomment and set the line:

    SSL_PK_PASSPHRASE_FILE="<passphrase file>";

    If you are using a passphrase program, uncomment and set the line:

    SSL_PK_PASSPHRASE_PROGRAM="<passphrase-producing program>";

  3. Uncomment and set the following line:

    SSL_VERIFY_PEER=YES;

    When this parameter is set to YES, Oracle BI Server clients must provide valid certificates.

  4. Set one of the following lines depending on whether you are using the Certificate Authority (CA) certificate file or the hashed version of the CA certificate:

    #SSL_CA_CERTIFICATE_DIR="CACertDIR";
    #SSL_CA_CERTIFICATE_FILE="CACertFile";

    If you are using the CA certificate file, uncomment and set the line:

    SSL_CA_CERTIFICATE_FILE="<Certificate Authority Certificate filename>";

    If you are using the hashed version of the CA certificate, uncomment and set the line:

    SSL_CA_CERTIFICATE_DIR="<OracleBI_HOME>\ssl";

    The directory specified must contain the CA certificate named by the hash value.

  5. Uncomment and set the following line:

    SSL_TRUSTED_PEER_DNS="";

    The value is a list of distinguished names (DNs) that specifies the clients allowed to connect. It may be empty, may contain multiple DNs, or may contain part of one DN.

    For example:

    SSL_TRUSTED_PEER_DNS="C=US/ST=CA/L=Redwood Shores/O=Oracle/OU=BI/CN=clientcertificate";

  6. Uncomment and set the following line:

    SSL_CERT_VERIFICATION_DEPTH=<value>;

  7. Uncomment and set the following line:

    SSL_CIPHER_LIST="";

    For example:

    SSL_CIPHER_LIST="EXP-DES-56-SHA";

    After modification, the SSL portion of the NQSConfig.INI file should be similar to:

    SSL=YES;
    SSL_CERTIFICATE_FILE="server-cert.pem";
    SSL_PRIVATE_KEY_FILE="server-key.pem";
    #SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
    # Line above commented out since passphrase program is used
    SSL_PK_PASSPHRASE_PROGRAM="passphrase.exe";
    SSL_VERIFY_PEER=YES;
    #SSL_CA_CERTIFICATE_DIR="CACertDIR";
    # Line above commented out since certificate file is used
    SSL_CA_CERTIFICATE_FILE="cacert.pem";
    SSL_TRUSTED_PEER_DNS="C=US/ST=CA/L=Redwood Shores/O=Oracle/OU=BI/CN=clientcertificate";
    SSL_CERT_VERIFICATION_DEPTH=1;
    SSL_CIPHER_LIST="EXP-DES-56-SHA";

  8. Copy the server certificate, private key and passphrase file or program to the directory OracleBI_HOME\server\Config or OracleBI_HOME/server/Config.
  9. To the location specified in Step 8, also copy the CA certificate file if you have specified the CA Certificate File parameter.
  10. If you have specified the CA Certificate Directory parameter, copy the hash version of the CA certificate to the directory specified.
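
An added example, not part of the Oracle guide: a small Python check that parses the SSL section of NQSConfig.INI and reports deviations from the procedure above. The function names, the constructed sample and the weak-cipher rule are assumptions of this example; the rule assumes OpenSSL-style suite names, where an EXP prefix marks export-grade suites such as the 56-bit DES suite used as the sample value in step 7.

```python
import re

# Constructed sample: the SSL section shown at the end of step 7.
SAMPLE = """\
SSL=YES;
SSL_CERTIFICATE_FILE="server-cert.pem";
SSL_PRIVATE_KEY_FILE="server-key.pem";
#SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
SSL_PK_PASSPHRASE_PROGRAM="passphrase.exe";
SSL_VERIFY_PEER=YES;
#SSL_CA_CERTIFICATE_DIR="CACertDIR";
SSL_CA_CERTIFICATE_FILE="cacert.pem";
SSL_TRUSTED_PEER_DNS="C=US/ST=CA/L=Redwood Shores/O=Oracle/OU=BI/CN=clientcertificate";
SSL_CERT_VERIFICATION_DEPTH=1;
SSL_CIPHER_LIST="EXP-DES-56-SHA";
"""

# Matches NAME=value; or NAME="value"; lines starting with '#' never match.
SETTING = re.compile(r'^\s*(SSL\w*)\s*=\s*"?([^";]*)"?\s*;')
PAIRS = (("SSL_PK_PASSPHRASE_FILE", "SSL_PK_PASSPHRASE_PROGRAM"),
         ("SSL_CA_CERTIFICATE_FILE", "SSL_CA_CERTIFICATE_DIR"))

def parse_ssl_settings(text):
    """Return the active (uncommented) SSL* parameters as a dict."""
    active = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            active[m.group(1)] = m.group(2).strip()
    return active

def audit(text):
    """List deviations from the near-maximum security procedure."""
    s = parse_ssl_settings(text)
    findings = [f"{k} must be YES" for k in ("SSL", "SSL_VERIFY_PEER")
                if s.get(k, "").upper() != "YES"]
    findings += [f"{k} is not set" for k in
                 ("SSL_CERTIFICATE_FILE", "SSL_PRIVATE_KEY_FILE") if not s.get(k)]
    for a, b in PAIRS:  # the procedure sets one line of each pair
        if bool(s.get(a)) == bool(s.get(b)):
            findings.append(f"set exactly one of {a} / {b}")
    if not s.get("SSL_TRUSTED_PEER_DNS"):
        findings.append("SSL_TRUSTED_PEER_DNS lists no client DN")
    # Assumption: OpenSSL-style names, where EXP marks export-grade suites.
    for suite in re.split(r"[:,\s]+", s.get("SSL_CIPHER_LIST", "")):
        if suite.upper().startswith("EXP") or "NULL" in suite.upper():
            findings.append(f"weak cipher suite in SSL_CIPHER_LIST: {suite}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To check a real file, pass its contents to `audit()`, for example `audit(open(path).read())`.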
Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.