Set Up the SSL Certificate

After you deploy the Essbase stack, Oracle highly recommends that you update the SSL certificate, using the Oracle Cloud Infrastructure console or APIs, to one that has been signed with a trusted certificate authority.

For information on setting up a trusted certificate authority, see Managing SSL Certificates.

If you choose to provision the Oracle Cloud Infrastructure Load Balancer during the Essbase stack provisioning process, the Load Balancer is configured with a demo certificate that you can use for SSL access. The demo certificate is self-signed.

When you use a self-signed certificate, including the provided demo certificate, you must perform additional configuration to enable the use of partitions, as well as Essbase C- and Java-based clients. MaxL is a C-based client. You also need to ignore hostname verification on the WebLogic part of the Essbase stack.

Caution: Use self-signed certificates only temporarily, until you can obtain a trusted CA certificate.

Steps for Using Partitions with Self-Signed Certificates

When you use a self-signed certificate, you must perform additional configuration and also disable peer certificate verification, to enable the use of partitions.

  1. Access the Essbase node using SSH, as described in Access Oracle Essbase Using SSH.

  2. Change to the oracle user.

    sudo su - oracle
  3. Open essbase.cfg for editing.

    vi /u01/config/domains/essbase_domain/config/fmwconfig/essconfig/essbase/essbase.cfg
  4. Add the following variable to the bottom of the file.

    env:API_DISABLE_PEER_VERIFICATION 1

Steps for Using MaxL with Self-Signed Certificates

  1. When you use a self-signed certificate, you must perform configurations to enable the use of MaxL.

    • Either use the MaxL client, following the instructions in Manage Essbase Using the MaxL Client.

    • Or use MaxL on the server, using the startMAXL.sh file at the following path on the server:
      /u01/config/domains/essbase_domain/esstools/bin
  2. To use a self-signed certificate, disable peer verification by setting the environment variable API_DISABLE_PEER_VERIFICATION=1.

    • In Linux, edit the MaxL startup script (startMAXL.sh) and add the following line:

      export API_DISABLE_PEER_VERIFICATION=1
    • In Windows, edit the MaxL startup script (startMAXL.bat) and add the following line:
      set API_DISABLE_PEER_VERIFICATION=1

Steps for Using Java-based Clients with Self-Signed Certificates

When you use a self-signed certificate and a Java client, you must configure your Java client.

  1. From an external host:
    1. If the Load Balancer was configured:

      Download the certificate provided with the Oracle Cloud Infrastructure Load Balancer.

      echo -n | openssl s_client -connect <LOAD BALANCER IP>:443 | sed -ne  '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/lbr.cert
    2. If the Load Balancer wasn't configured:

      Download the certificate as follows.

      echo /p' > /tmp/lbr.cert
  2. Import the certificate to the Java keystore. For example, if you're working from the Essbase node, and assuming you downloaded the certificate to /tmp/lbr.cert on the Essbase server:

    1. Log in as user opc. Access the Essbase node using SSH.

    2. Run commands to add lbr.cert to the keystore. For example (your path details may differ):

      sudo /usr/java/default/bin/keytool -import -alias mysert -file /tmp/lbr.cert -keystore /usr/java/default/jre/lib/security/cacerts -storepass new2mepass
           Trust this certificate? [no]: yes     
           Certificate was added to keystore
  3. Restart the Java process, if the Java client is WebLogic.

  4. Stop and restart the Essbase stack instance.

  5. Set up WebLogic to ignore hostname verification, as described in the next section.

Steps for Configuring WebLogic for Use with Self-Signed Certificates

If you decide to use a self-signed certificate, you must set up the WebLogic component of the Essbase stack to ignore hostname verification.

  1. Access the Essbase node using SSH.

  2. Change to the oracle user.

    sudo su - oracle
  3. Open the setDomainEnv.sh file for editing.

    vi /u01/config/domains/essbase_domain/bin/setDomainEnv.sh
  4. Add the following line to the JAVA_OPTIONS="${JAVA_OPTIONS}" string:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true

    When you're finished, it should look like this:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"
  5. Save the file.

  6. Stop and restart the Essbase stack instance.
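
Because the self-signed setup is meant to be temporary, the relaxations added in the procedures above should be removed once a trusted CA certificate is in place. The following added example (not Oracle's code or tooling) scans files you pass to it for the peer-verification and hostname-verification settings named on this page; the function name, script name and comment-marker handling are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle tooling): list the TLS-verification relaxations
# from this page that are still active in the given files.
# find_tls_relaxations is a hypothetical name.

# Settings this page adds:
#   essbase.cfg        env:API_DISABLE_PEER_VERIFICATION 1
#   startMAXL.sh/.bat  export|set API_DISABLE_PEER_VERIFICATION=1
#   setDomainEnv.sh    -Dweblogic.security.SSL.ignoreHostnameVerification=true
RELAXED_TLS_RE='API_DISABLE_PEER_VERIFICATION[ =]+1([^0-9]|$)|weblogic\.security\.SSL\.ignoreHostnameVerification=true'

# Lines treated as comments (assumption): '#' for sh, ';' for essbase.cfg,
# 'REM' or '::' for .bat. grep -n prefixes each hit with "<line>:".
COMMENT_RE='^[0-9]+:[[:space:]]*(#|;|::|[Rr][Ee][Mm] )'

# find_tls_relaxations FILE...
# Prints "file:line:text" per active match; returns 1 if any remain, else 0.
find_tls_relaxations() {
    found=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skip (unreadable): $f" >&2
            continue
        fi
        hits=$(grep -nE "$RELAXED_TLS_RE" "$f" | grep -vE "$COMMENT_RE") || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            found=1
        fi
    done
    return "$found"
}

# Run against files passed on the command line, e.g. the paths on this page
# (check_tls_relaxations.sh is a hypothetical script name):
#   sh check_tls_relaxations.sh \
#     /u01/config/domains/essbase_domain/config/fmwconfig/essconfig/essbase/essbase.cfg \
#     /u01/config/domains/essbase_domain/bin/setDomainEnv.sh
if [ "$#" -gt 0 ]; then
    find_tls_relaxations "$@" || exit 1
fi
```

A non-zero exit status means at least one relaxation is still active, so the check can gate a post-migration verification step.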