Configuring SSL for Clients

Use this topic to configure SSL for clients.

Clients accessing the BIEE components must be configured to use BIEE certificates.

Note:

First you must export the certificates by running the following command:

<DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>

This section explains how to configure SSL for clients, and contains the following topics:

Exporting Client Certificates

Use these steps to create the passphrase for use when exporting client certificates.

The passphrase protects the exported certificates. You must remember this passphrase for use when configuring each client.

The command exports Java keystores for use by Java clients, and individual certificate files for use by non-Java clients. To make moving the certificates to a remote machine more convenient, the export also packages all the files into a single zip file.

  1. Run the following command:
    <DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>
    
  2. Type the new passphrase at the prompt.

Using SASchInvoke when BI Scheduler is SSL-Enabled

When the BI Scheduler is enabled for communication over SSL, you can invoke the BI Scheduler using the SASchInvoke command line utility.

  1. Create a new text file containing on a single line the passphrase you used when running the ./ssl.sh exportclientcerts command.

    Ensure this file has appropriately restrictive file permissions to protect it. Typically it should only be readable by the owner.

  2. Use the following syntax to run the SASchInvoke command:
    SASchInvoke -u <Admin Name>  (-j <job id> | -i <iBot path>)  [-m <machine name>[:<port>]]  [(-r <replace parameter filename> | -a <append parameter filename>)] [-l [ -c <SSL certificate filename> -k <SSL certificate private key filename> [ -w <SSL passphrase>  | -q <passphrase file>  | -y ]] [-h <SSL cipher list>] [-v [-e <SSL verification depth>] [-d <CA certificate directory>] [-f <CA certificate file>] [-t <SSL trusted peer DNs>] ] ]
    
    where:
    SSL certificate filename = clientcert.pem
    SSL certificate private key filename = clientkey.prm
    passphrase file = location of the passphrase file created above.
    

    The command prompts you to enter the administrator password.

  3. Enter the administrator password to start BI Scheduler.
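
The passphrase file from step 1, as an added example (not Oracle's own code): it creates the file with owner-only permissions and checks an existing file before it is handed to SASchInvoke. The helper names write_passphrase_file and check_passphrase_file are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Oracle tooling. The helper names
# write_passphrase_file and check_passphrase_file are hypothetical.

# Read one line from stdin and store it in "$1", readable by the owner only.
write_passphrase_file() {
    target=$1
    (
        umask 077                 # new files are created with mode 0600
        IFS= read -r pass || true # accept input without a trailing newline
        [ -n "$pass" ] || exit 1  # refuse an empty passphrase
        rm -f -- "$target"        # drop any older copy with looser permissions
        printf '%s\n' "$pass" > "$target"
    ) || return 1
}

# Succeed only if "$1" is a regular file, owner-only, holding exactly one line.
check_passphrase_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too permissive: $f" >&2; return 1 ;;
    esac
    if [ "$(wc -l < "$f" | tr -d ' ')" -ne 1 ]; then
        echo "expected exactly one line: $f" >&2; return 1
    fi
}
```

Pass the resulting file to SASchInvoke with -q rather than giving the passphrase with -w, because command-line arguments can be seen by other local users in the process list.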

Configuring Oracle BI Job Manager

To successfully connect to BI Scheduler that has been enabled for SSL, Oracle BI Job Manager must also be configured to communicate over SSL.

Oracle BI Job Manager is a Java-based component, and the keys and certificates that it uses must be stored in a Java keystore database. See Exporting Client Certificates.

  1. From the File menu, select Oracle BI Job Manager, then select Open Scheduler Connection.

  2. In the Secure Socket Layer section of the dialog box, select the SSL check box.

  3. If the server setting “verify client certificates” is false (one way SSL) then you can leave Key Store and Key Store Password blank. This is the default setting.

  4. If the server setting “verify client certificates” is true (two way SSL) then you must set Key Store and Key Store Password as follows:

    • Key Store=<exportclientcerts_directory>\identity.jks

    • Key Store Password = passphrase.

  5. To provide a secure link, enable verification of the server certificate. Without verification the connection still works, but a person-in-the-middle attack that impersonates the server will not be detected.

    1. Select the Verify Server Certificate check box. When this is checked, the trust store file must be specified. This trust store contains the CA that verifies the Scheduler server certificate.

    2. In the Trust Store text box, set the trust store to:

      <exportclientcerts_directory>\internaltrust.jks

    3. Set the Trust Store Password to the passphrase.

Connecting the Online Catalog Manager to Oracle BI Presentation Services

For the online Catalog Manager to connect to Oracle BI Presentation Services, you might need to import the SSL server certificate or CA certificate.

The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSL. You must import the SSL server certificate or CA certificate from the web server into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.

The default password for the Java trust store is changeit.

  1. Navigate to Java's default trust store, named cacerts, located at ORACLE_HOME/JAVA_HOME/jre/lib/security.
  2. Copy the certificate exported from the web server to the same location as Java's default trust store.
  3. Execute the following command to import the certificate to the default trust store:
    keytool -importcert -trustcacerts -alias bicert -file $WebServerCertFilename -keystore cacerts -storetype JKS
    

    The web server certificate file $WebServerCertFilename is imported into Java's default trust store under the alias bicert.

    For example, if using the Oracle WebLogic Server default demonstration certificate, use the full path to the certificate located in ORACLE_HOME/wlserver/server/lib/CertGenCA.der.

  4. Restart Catalog Manager using the secure HTTPS URL.

Configuring the Oracle BI Administration Tool to Communicate Over SSL

To successfully connect to an Oracle BI Server configured to use SSL, you must also configure the Oracle BI Administration Tool to communicate over SSL.

The data source name (DSN) for the BI Server data source is required.

  1. Determine the BI Server data source DSN in use by logging into the Presentation Services Administration page as an administrative user.
  2. Locate the Oracle BI Server Data Source field in the upper left corner.

    The DSN is listed in the following format, coreapplication_OH<DSNnumber>.

  3. In the Administration Tool, select File, then Open, then Online.
  4. Select the DSN from the list.
  5. Enter the repository user name and password.

    The Administration Tool is now connected to the BI Server using SSL.

Configuring an ODBC DSN for Remote Client Access

You can create an ODBC DSN for the BI Server to enable remote client access.

To enable SSL communication for an ODBC DSN, see Integrating Other Clients with Oracle Business Intelligence in Integrator's Guide for Oracle Business Intelligence Enterprise Edition.

Configuring Oracle BI Publisher to Communicate Over SSL

You can configure Oracle BI Publisher to communicate securely over the internet using SSL.

See Configuring BI Publisher for Secure Socket Layer (SSL) Communication in the Administrator's Guide for Oracle Business Intelligence Publisher.

If BI Publisher does not work after configuring SSL, you might need to reconfigure the HTTPS protocol and SSL port. See Configuring Integration with Oracle BI Presentation Services in Administrator's Guide for Oracle Business Intelligence Publisher.