Oracle HTTP Server Procedures

Creating a Wallet and Installing Certificate for Oracle HTTP Server

A default wallet is automatically installed with Oracle HTTP Server. You must configure a real wallet for each Oracle HTTP Server in your deployment.

Note: Starting 11.2.x, Oracle Wallet Manager is not installed with Oracle HTTP Server. The Oracle Wallet Manager gets installed only if you install the Oracle Database Client. You must use the wallet manager available with Database Client to create the wallet and import the certificate. If you are configuring Oracle HTTP Server for SSL, ensure that you always install the Oracle Database Client 64-bit as part of the installation of your EPM system products.

To create and install an Oracle HTTP Server certificate:

  1. On each machine that hosts Oracle HTTP Server, launch the Wallet Manager.

    Select Start, then All Programs, Oracle-OHxxxxxx, then Integrated Management Tools, and then Wallet Manager.

    xxxxxx is the Oracle HTTP Server instance number.

  2. Create a new, empty Wallet.

    1. In Oracle Wallet Manager, select Wallet, and then New.

    2. Click Yes to create a default wallet directory, or No to create the Wallet file in a location of your choice.

    3. In Wallet Password and Confirm Password on the New Wallet screen, enter the password that you want to use.

    4. Click OK.

    5. In the confirmation dialog box, click No.

  3. Optional: If you are not using a CA that is known to Oracle HTTP Server, import the root CA certificate into the Wallet.

    1. In Oracle Wallet Manager, right-click Trusted Certificates and select Import Trusted Certificate.

    2. Browse and select the root CA certificate.

    3. Select Open.

  4. Create a certificate request.

    1. In Oracle Wallet Manager, right-click Certificate: [Empty] and select Add Certificate Request.

    2. In Create Certificate Request, enter the required information.

      For the common name, enter the fully qualified server alias; for example, epm.myCompany.com or epminternal.myCompany.com, available in the hosts file on your system.

    3. Click OK.

    4. In the confirmation dialog box, click OK.

    5. Right-click the certificate request that you created, and then select Export Certificate Request.

    6. Specify a name for the certificate request file.

  5. Using the certificate request files, obtain signed certificates from the CA.

  6. Import signed certificates.

    1. In Oracle Wallet Manager, right-click the certificate request that was used to obtain the signed certificate, and then select Import User Certificate.

    2. In Import Certificate, click OK to import the certificate from a file.

    3. In Import Certificate, select the Certificate file, and then click Open.

  7. Save the Wallet to a convenient location; for example, EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem.

  8. Select Wallet, and then Auto Login to activate auto login.

Setting Up Oracle Wallet Using ORAPKI (on Linux)

To set up Oracle Wallet using ORAPKI command line, complete the following steps:

  1. Create a folder for your wallet:
    $ mkdir $MIDDLEWARE_HOME/oracle_common/wallet
  2. Add the location of the orapki utility to your path:
    $ export PATH=$PATH:$MIDDLEWARE_HOME/oracle_common/bin
  3. Create a wallet to hold your certificate:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet [wallet_location] -auto_login
    This command prompts you to enter and reenter a wallet password, if no password has been specified on the command line. It creates a wallet in the location specified for -wallet.
  4. Generate a certificate signing request (CSR) and add it to your wallet:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -keysize 512|1024|2048|4096 -pwd [Wallet_Password]
  5. Add the root and intermediate certificates into the trusted keystore:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -trusted_cert -cert [certificate_location] [-pwd]
  6. Use your CA (Certificate Authority) to sign the CSR (Certificate Signing Request). To export the certificate request from an Oracle Wallet:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet export -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -request [certificate_request_filename] [-pwd]
  7. Import the signed CSR into the wallet:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -user_cert -cert [certificate_location] [-pwd]
  8. To display the contents of the wallet:
    $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet display -wallet [wallet_location] [-pwd]

SSL-Enabling Oracle HTTP Server

After reconfiguring the web server on each machine that hosts Oracle HTTP Server, update the Oracle HTTP Server configuration file by replacing the location of the default Wallet with the location of the wallet that you created.

To configure Oracle HTTP Server for SSL:

  1. Reconfigure the web server on each Oracle HTTP Server host machine in your deployment.

  2. Start EPM System Configurator for the instance.

  3. In the configuration task selection screen, complete these steps, and then click Next.

    1. Clear the selection from Uncheck All.

    2. Expand Hyperion Foundation task group, and then select Configure Web Server.

  4. In Configure Web Server, click Next.

  5. In Confirmation, click Next.

  6. In Summary, click Finish.

  7. Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.

  8. Ensure that the SSL port you are using is listed under OHS Listen port, similar to the following:

    If you are using 19443 as the SSL communication port, your entries should be as follows:

    Listen 19443
  9. Set SSLSessionCache parameter value to none.

  10. Update the configuration settings of each Oracle HTTP Server in your deployment.

    1. Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.

    2. Locate the SSLWallet directive and change its value so that it points to the wallet where you installed the certificate. If you created the wallet in EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem, your SSLWallet directive may be as follows:

      SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/epmsystem"
    3. Save and close ssl.conf.

  11. Update mod_wl_ohs.conf on each Oracle HTTP Server in your deployment.

    1. Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/mod_wl_ohs.conf.

    2. Ensure that the WLSSLWallet directive points to the Oracle Wallet where the SSL certificate is stored.

      WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet

      For example, C:/Oracle/Middleware/ohs/bin/wallets/myWallet

    3. Set the value of the SecureProxy directive to ON.

      SecureProxy ON
    4. Ensure that the LocationMatch definitions for deployed Oracle Enterprise Performance Management System components are similar to the following Oracle Hyperion Shared Services example, which assumes an Oracle WebLogic Server cluster (on myserver1 and myserver2 using SSL port 28443):

      <LocationMatch /interop/>
          SetHandler weblogic-handler
          pathTrim /
          WeblogicCluster myServer1:28443,myServer2:28443
          WLProxySSL ON
      </LocationMatch>
    5. Save and close mod_wl_ohs.conf.
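
The following script audits ssl.conf and mod_wl_ohs.conf for the directives set in steps 8 through 11. It is an added example, not Oracle tooling and not part of the original procedure. The function names, the constructed sample files with their /workspace/ block, and the assumption that the default wallet directory is named keystores/default are illustrative.

```shell
# has_directive FILE NAME REGEX: true if an uncommented NAME line has a value
# matching REGEX (names and values are compared case-insensitively).
has_directive() {
    awk -v n="$2" -v re="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(n) { v = tolower($2); gsub(/"/, "", v); if (v ~ re) ok = 1 }
        END { exit !ok }' "$1"
}

# Print each <LocationMatch> that uses weblogic-handler without WLProxySSL ON.
insecure_locations() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "<locationmatch" { loc = $2; sub(/>$/, "", loc); wl = ssl = 0 }
        tolower($1) == "sethandler" && tolower($2) == "weblogic-handler" { wl = 1 }
        tolower($1) == "wlproxyssl" && tolower($2) == "on" { ssl = 1 }
        tolower($1) == "</locationmatch>" && wl && !ssl { print loc }' "$1"
}

# check_ohs_ssl SSL_CONF MOD_WL_OHS_CONF SSL_PORT: returns the number of findings.
check_ohs_ssl() {
    n=0
    fail() { echo "FINDING: $1"; n=$((n + 1)); }
    has_directive "$1" Listen "(^|:)$3\$"       || fail "ssl.conf: no Listen $3"
    has_directive "$1" SSLSessionCache '^none$' || fail "ssl.conf: SSLSessionCache is not none"
    has_directive "$1" SSLWallet .              || fail "ssl.conf: SSLWallet is not set"
    # Assumption: the default wallet directory is named keystores/default.
    has_directive "$1" SSLWallet 'keystores/default$' && fail "ssl.conf: SSLWallet is the default wallet"
    has_directive "$2" WLSSLWallet .            || fail "mod_wl_ohs.conf: WLSSLWallet is not set"
    has_directive "$2" SecureProxy '^on$'       || fail "mod_wl_ohs.conf: SecureProxy is not ON"
    for loc in $(insecure_locations "$2"); do
        fail "mod_wl_ohs.conf: $loc lacks WLProxySSL ON"
    done
    return "$n"
}

# Constructed sample: ssl.conf is compliant; the /workspace/ block (hypothetical) is not.
write_sample() {
    printf '%s\n' 'Listen 19443' 'SSLSessionCache none' \
        'SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/epmsystem"' \
        > "$1/ssl.conf"
    printf '%s\n' 'WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet' 'SecureProxy ON' \
        '<LocationMatch /interop/>' 'SetHandler weblogic-handler' 'WLProxySSL ON' '</LocationMatch>' \
        '<LocationMatch /workspace/>' 'SetHandler weblogic-handler' '</LocationMatch>' \
        > "$1/mod_wl_ohs.conf"
}

d=$(mktemp -d); write_sample "$d"
check_ohs_ssl "$d/ssl.conf" "$d/mod_wl_ohs.conf" 19443 || echo "findings: $?"
```

To audit a real instance, call check_ohs_ssl with the paths of the two files edited above and the SSL port in use.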