Replace Self-Signed Certificates with CA Certificates

You can replace self-signed certificates with certificates issued by a Certificate Authority (CA). After you run the update tool, all external certificates that were added earlier remain in the trust store file.

Prerequisites and Notes

  1. Configure Essbase with a TLS connection. See Set up WebLogic TLS Connection for Essbase.
  2. Stop WebLogic.
  3. Set environment variables:
    • JAVA_HOME
    • ORACLE_HOME - Path to Fusion Middleware and Essbase folder
    • DOMAIN_HOME
    See Environment Locations in the Essbase Platform.
  4. Validate content of Certificate Authority (CA) files:
    1. All CA-based certificate files, received from the Certificate Authority, are in PEM format (RFC 7468).
    2. One file must contain the private key; storing it as an RSA private key (RFC 3447), which supports two steps of security, is recommended.
    3. All certificates in all files must form a full certificate chain, from root to user certificates.
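
A pre-flight check for step 4, added here as an example and not part of Oracle's tooling: it confirms each file holds PEM blocks, that exactly one private key is present (an assumed reading of "one file must contain the private key"), and that every certificate's issuer name appears as a subject in the supplied set, ending in a self-issued root. It compares names only and does not verify signatures; all function names are hypothetical.

```python
import base64, os, re, sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p           # skip the optional [0] version
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def check_ca_files(files):
    """files maps name -> PEM text; returns a list of problems (empty means OK)."""
    problems, certs, keys = [], [], 0
    for name, text in files.items():
        blocks = PEM_RE.findall(text)
        if not blocks:
            problems.append(f"{name}: no PEM block found")
        for label, body in blocks:
            if label.endswith("PRIVATE KEY"):   # encrypted keys carry headers; not decoded
                keys += 1
            elif label == "CERTIFICATE":
                certs.append(issuer_subject(base64.b64decode(body)))
    if keys != 1:
        problems.append(f"expected exactly 1 private key, found {keys}")
    if not any(i == s for i, s in certs):
        problems.append("no self-issued root certificate")
    subjects = {s for _, s in certs}
    problems += [f"issuer not in supplied files: {i.hex()}" for i, s in certs if i not in subjects]
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    # argv[1] is the intended certCA value; os.pathsep is ':' on Linux and ';' on Windows
    files = {p: Path(p).read_text(errors="replace") for p in sys.argv[1].split(os.pathsep)}
    print("\n".join(check_ca_files(files)) or "OK")
```
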

Update tool usage and properties file parameters

Before updating certificates, the update tool backs up all necessary files. The update tool prompts you for the private key password and replaces the identity and trust stores with CA-based certificates.

The command to run the tool is:

For Linux:

java -jar ${ORACLE_HOME}/essbase/lib/tlsTools.jar <properties file>

For Windows:

java -jar %ORACLE_HOME%\essbase\lib\tlsTools.jar <properties file>

where <properties file> is tls_tools.properties, located at the following path:

  • for Linux: ${ORACLE_HOME}/essbase/bin/tls_tools.properties

  • for Windows: %ORACLE_HOME%\essbase\bin\tls_tools.properties

and includes the following parameter for adding CA-based certificates:

certCA=

Files in the certCA property are separated by a colon (:) in Linux, or a semicolon (;) in Windows.

If the certCA parameter has a value, CA-based certificates are added and all other parameters are ignored.

Run Java command with update tool to update certificates

  1. Add the certCA parameter to the tls_tools.properties file, as described above.
  2. Run the Java command as shown above.