Terminating SSL at the SSL Offloader

Deployment Architecture

In this scenario, SSL is used to secure the communication link between Oracle Enterprise Performance Management System clients (for example, a browser) and an SSL Offloader. The illustrated concept:


A typical deployment of EPM System products with SSL terminated at the web server.

Assumptions

SSL Offloader and Load Balancer

A fully configured SSL offloader with a load balancer must be present in the deployment environment.

The load balancer must be configured to forward all requests received by the virtual hosts to Oracle HTTP Servers.

When SSL is terminated at Oracle HTTP Server (OHS) or the load balancer, you must:

  • Set every Logical Web Application to the non-SSL virtual host of the load balancer or Oracle HTTP Server (for example, empinternal.myCompany.com:80, where 80 is the non-SSL port). Open the Configuration screen and complete these steps:
    1. Expand the Hyperion Foundation configuration task.
    2. Select Configure Logical Address for Web Applications.
    3. Specify the Host name, non-SSL port number and SSL port number.
  • Set the external URL to the SSL-enabled virtual host of the load balancer or Oracle HTTP Server (for example, empexternal.myCompany.com:443, where 443 is the SSL port). Open the Configuration screen and complete these steps:
    1. Expand the Hyperion Foundation configuration task.
    2. Select Configure Common Settings.
    3. Select Enable SSL offloading under External URL Details.
    4. Specify the External URL Host and External URL Port.

    Note:

    Redeploying web applications or reconfiguring the web server using configtool will replace the settings for Logical Web Application and external URLs.

Virtual Hosts

A configuration that terminates SSL at the SSL offloader uses two server aliases on the SSL offloader/load balancer (for example, epm.myCompany.com and empinternal.myCompany.com): one for external communication between the offloader and browsers, and the other for internal communication among EPM System servers. Ensure that the server aliases point to the IP address of the machine, and that they are resolvable through DNS.

A signed certificate to support external communication between the offloader and browsers (through epm.myCompany.com) must be installed on the offloader/load balancer.

Configuring EPM System

The default deployment of EPM System components supports SSL termination at the SSL offloader. No additional action is required.

While configuring EPM System, ensure that the logical address for web applications points to the alias (for example, empinternal.myCompany.com) that was created for internal communication. See the following information sources to install and configure EPM System:

  • Oracle Enterprise Performance Management System Installation and Configuration Guide

  • Oracle Enterprise Performance Management System Installation Start Here

  • Oracle Enterprise Performance Management System Installation and Configuration Troubleshooting Guide

Testing the Deployment

After completing the deployment process, verify that everything works by connecting to the secure Oracle Hyperion Enterprise Performance Management Workspace URL:

https://virtual_host_external:SSL_PORT/workspace/index.jsp

For example, https://epm.myCompany.com:443/workspace/index.jsp where 443 is the SSL port.
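Because a redeploy or a configtool run replaces the Logical Web Application and external URL settings, it is useful to re-check from the client side that redirects returned through the offloader stay on the external SSL virtual host. The following is an added example, not part of the Oracle documentation: it assumes that a wrong setting shows up as a redirect `Location` naming the internal alias, plain HTTP, or a non-SSL port, and the sample redirects are constructed from the host names used on this page.

```python
from urllib.parse import urlsplit, urljoin

# Values taken from the examples on this page; adjust for a real deployment.
EXTERNAL = "https://epm.myCompany.com:443"       # SSL-enabled external virtual host
INTERNAL_HOSTS = {"empinternal.mycompany.com"}   # internal non-SSL alias (lowercase)


def audit_redirect(request_url, location):
    """Return findings for one redirect as seen by a browser-side client."""
    ext = urlsplit(EXTERNAL)
    # Resolve relative Location values against the URL that was requested.
    target = urlsplit(urljoin(request_url, location))
    findings = []
    if target.scheme != "https":
        findings.append("redirect leaves HTTPS")
    host = (target.hostname or "").lower()
    if host in INTERNAL_HOSTS:
        findings.append("internal alias exposed to client")
    elif host != ext.hostname:
        findings.append("unexpected host")
    default_port = 443 if target.scheme == "https" else 80
    if (target.port or default_port) != (ext.port or 443):
        findings.append("port differs from external SSL port")
    return findings


# Constructed sample data: (requested URL, Location header value) pairs, as one
# would record them with an HTTP client that does not follow redirects.
SAMPLES = [
    ("https://epm.myCompany.com:443/workspace/", "/workspace/index.jsp"),
    ("https://epm.myCompany.com:443/workspace/",
     "http://empinternal.myCompany.com:80/workspace/index.jsp"),
    ("https://epm.myCompany.com:443/workspace/",
     "https://epm.myCompany.com:8443/workspace/index.jsp"),
]


def audit_all(samples=SAMPLES):
    """Map each Location value to its list of findings (empty list = OK)."""
    return {loc: audit_redirect(url, loc) for url, loc in samples}


if __name__ == "__main__":
    for loc, findings in audit_all().items():
        print("OK  " if not findings else "FAIL", loc, findings)
```
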