Set up WebLogic TLS Connection for Essbase

By default, WebLogic is configured in unencrypted mode. Here are the steps to add a WebLogic TLS connection to the existing unsecured domain.

Set up TLS connection for Essbase 21.2 or 21.3+

Note:

Prerequisites and notes for updating JAgent and WebLogic certificates.

  • Set the Oracle Home environment variables to point to the Essbase installation. The JAVA_HOME and ORACLE_HOME environment variables must be defined to run the configuration.
  • The command takes one parameter: either the response file location (this file is generated in GUI mode and is used in silent mode) or the DOMAIN_HOME location.
  1. Stop Essbase

    For Linux:

    ${DOMAIN_HOME}/esstools/bin/stop.sh

    For Windows:

    %DOMAIN_HOME%\esstools\bin\stop.cmd
  2. To update all TLS certificates (configured in Essbase 21.2 or 21.3+) and the wallet, run the following:

    Note:

    RESPONSE_FILE and DOMAIN_HOME cannot both be used together in script parameters. Only use one of them.

    For 21.2 or 21.3+ on Linux:

    java -cp $ORACLE_HOME/essbase/lib/essbaseconfig.jar com.oracle.wizard.operation.helper.ssl.SslConfigHelper [RESPONSE_FILE=<response file> | DOMAIN_HOME=<${DOMAIN_HOME}>]

    Note:

    For 21.3+ on Linux, you can also use the following command (this does not require exporting JAVA_HOME and ORACLE_HOME):

    ${ORACLE_HOME}/essbase/bin/ssl_config.sh [RESPONSE_FILE=<response file> | DOMAIN_HOME=<${DOMAIN_HOME}>]

    For 21.3+ on Windows:

    java -cp %ORACLE_HOME%\essbase\lib\essbaseconfig.jar com.oracle.wizard.operation.helper.ssl.SslConfigHelper [RESPONSE_FILE=<response file> | DOMAIN_HOME=<%DOMAIN_HOME%>]

    Note:

    You can also use the following command:

    %ORACLE_HOME%\essbase\bin\ssl_config.cmd [RESPONSE_FILE=<response file> | DOMAIN_HOME=<%DOMAIN_HOME%>]
  3. Because the wallet and keystore passwords are not changed, just start WebLogic to start Essbase. See Stop, Start, and Check Servers.

    For Linux:

    ${DOMAIN_HOME}/esstools/bin/start.sh

    For Windows:

    %DOMAIN_HOME%\esstools\bin\start.cmd

Set up SSL enabled mode for Essbase 21.2 or 21.3+

If Essbase was configured in encrypted mode in version 21.1, then after patching to Essbase 21.2 or 21.3+ you need to set up SSL enabled mode, using the following steps.

  1. Call wlst.

    For Linux:

    ${ORACLE_HOME}/oracle_common/common/bin/wlst.sh ${ORACLE_HOME}/essbase/modules/oracle.essbase.sysman/scripts/ssl_settings.py ${DOMAIN_HOME} ${DOMAIN_HOME}/security/keystore.jks ${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks ssl ${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/certwallet.pem <FQDN> <ssl Admin Port> <<EOF
    Password1
    Password1
    EOF
    • For 21.2, instead of <FQDN>, use:
      https://<FQDN>:<Essbase Server SSL Port>/essbase/agent
    • For 21.3+, it should be the plain FQDN of the host.

    For Windows:

    %ORACLE_HOME%\oracle_common\common\bin\wlst.cmd %ORACLE_HOME%\essbase\modules\oracle.essbase.sysman\scripts\ssl_settings.py %ORACLE_HOME%\security\keystore.jks %ORACLE_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks ssl %ORACLE_HOME%\config\fmwconfig\essconfig\essbase\walletssl\certwallet.pem <FQDN> <ssl Admin Port>

    The above command prompts you to enter the password.

  2. Change the following:

    For Linux: edit ${DOMAIN_HOME}/bin/setStartupEnv.sh. Find the substring -Djavax.net.ssl.trustStore and replace everything from there to the end of the line with the following (expand ${DOMAIN_HOME}):

    -Djavax.net.ssl.trustStore=${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/cacerts -Dweblogic.security.SSL.ignoreHostnameVerification=true

    For Windows: edit %ORACLE_HOME%\bin\setStartupEnv.cmd. Find the substring -Djavax.net.ssl.trustStore and replace everything from there to the end of the line with the following (expand %DOMAIN_HOME%):

    -Djavax.net.ssl.trustStore=%ORACLE_HOME%\config\fmwconfig\essconfig\essbase\walletssl\cacerts -Dweblogic.security.SSL.ignoreHostnameVerification=true
  3. Change the following:

    For Linux: edit ${DOMAIN_HOME}/bin/setWlstEnv.sh as follows: (expand ${DOMAIN_HOME})

    export WLST_PROPERTIES="-Dweblogic.ssl.JSSEEnabled=true 
    -Dweblogic.security.SSL.enableJSSE=true 
    -Dweblogic.security.SSL.ignoreHostnameVerification=true 
    -Dweblogic.security.CustomTrustKeyStoreType=JKS 
    -Dweblogic.security.TrustKeyStore=CustomTrust 
    -Dweblogic.security.CustomTrustKeyStoreFileName=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks 
    -Djavax.net.ssl.trustAnchors=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks"
    export API_CAINFO=${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/certwallet.pem

    For Windows: similarly edit %ORACLE_HOME%\bin\setWlstEnv.cmd

    set WLST_PROPERTIES=-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks -Djavax.net.ssl.trustAnchors=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks
    set API_CAINFO=%DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\walletssl\certwallet.pem
  4. Add lines as follows:

    For Linux: add the following lines to ${DOMAIN_HOME}/nodemanager/nodemanager.properties (expand ${DOMAIN_HOME}).

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=${DOMAIN_HOME}/security/keystore.jks
    CustomIdentityKeyStorePassPhrase=Password1
    CustomIdentityPrivateKeyPassPhrase=Password1
    CustomIdentityAlias=ssl
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks
    CustomTrustKeyStorePassPhrase=Password1

    For Windows: add the following lines to %DOMAIN_HOME%\nodemanager\nodemanager.properties (expand %DOMAIN_HOME%).

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=%DOMAIN_HOME%\security\keystore.jks
    CustomIdentityKeyStorePassPhrase=Password1
    CustomIdentityPrivateKeyPassPhrase=Password1
    CustomIdentityAlias=ssl
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks
    CustomTrustKeyStorePassPhrase=Password1
  5. Update as follows:

    For Linux: update ${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/essbase.cfg with the values below:

    For Windows: update %DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\essbase.cfg with the values below:

    AgentSecurePort 6423
    
    EnableSecureMode true
    EnableClearMode false
    ClientPreferredMode SECURE
  6. Update credentials and OPSS key stores.

    For Linux: Replace ${DOMAIN_HOME} in the WLST script with the actual path.

    source ${DOMAIN_HOME}/bin/setWlstEnv.sh
     
    ${ORACLE_HOME}/oracle_common/common/bin/wlst.sh <<EOF
    wlAddress='t3s://<fqdn>:<AdminServer SSL port>'
    wlUser='<user name>'
    wlPassword='<password>'
    keystorePath='${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/keystore.jks'
    connect(wlUser, wlPassword, wlAddress)
    svc = getOpssService(name='KeyStoreService')
    svc.importKeyStore(appStripe='essbase', name='internalidentity', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
    svc.importKeyStore(appStripe='essbase', name='internaltrust', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
    updateCred(map='oracle.essbase', key='ssl.passphrase', user='ssl.passphrase', password='Password1')
    exit()
    EOF

    For Windows: Replace %DOMAIN_HOME% in the WLST script with the actual path.

    call %DOMAIN_HOME%\bin\setWlstEnv.cmd
    call %DOMAIN_HOME%\oracle_common\common\bin\wlst.cmd 

    The above command starts WLST. Then run the following:

    wls:/offline> wlAddress='t3s://<fqdn>:<AdminServer SSL port>'
    wls:/offline> wlUser='<user name>'
    wls:/offline> wlPassword='<password>'
    wls:/offline> keystorePath='%DOMAIN_HOME%\\config\\fmwconfig\\essconfig\\essbase\\walletssl\\keystore.jks'
    wls:/offline> connect(wlUser, wlPassword, wlAddress)
    wls:/offline> svc = getOpssService(name='KeyStoreService')
    wls:/offline> svc.importKeyStore(appStripe='essbase', name='internalidentity', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
    wls:/offline> svc.importKeyStore(appStripe='essbase', name='internaltrust', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
    wls:/offline> updateCred(map='oracle.essbase', key='ssl.passphrase', user='ssl.passphrase', password='Password1')
    wls:/offline> exit()
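
A read-only audit of the files edited in steps 2 through 5 on Linux, as an added example that is not part of the Oracle procedure; the function name audit_essbase_tls and the sample domain it builds are constructed here. It reports essbase.cfg settings that differ from step 5, the sample passphrase Password1 left in nodemanager.properties, and scripts that set -Dweblogic.security.SSL.ignoreHostnameVerification=true.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's code): audit the files edited in steps 2-5.
# Prints one finding per line; prints nothing when no check fires.
audit_essbase_tls() {
  local dh="$1" key val f
  local cfg="$dh/config/fmwconfig/essconfig/essbase/essbase.cfg"
  local nm="$dh/nodemanager/nodemanager.properties"

  # Step 5: secure mode on, clear mode off, clients prefer SECURE
  # (matched case-insensitively, one setting per line).
  while read -r key val; do
    grep -Eqi "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$cfg" 2>/dev/null ||
      echo "essbase.cfg: expected '${key} ${val}'"
  done <<'WANT'
EnableSecureMode true
EnableClearMode false
ClientPreferredMode SECURE
WANT

  # Step 4: the sample passphrase from the procedure must not reach a real domain.
  grep -E '^Custom(Identity|Trust)[A-Za-z]*PassPhrase=Password1[[:space:]]*$' "$nm" 2>/dev/null |
    cut -d= -f1 | sed 's/^/nodemanager.properties: sample passphrase still set for /'

  # Steps 2-3: report every script that turns off TLS hostname verification.
  for f in "$dh/bin/setStartupEnv.sh" "$dh/bin/setWlstEnv.sh"; do
    grep -qF -- '-Dweblogic.security.SSL.ignoreHostnameVerification=true' "$f" 2>/dev/null &&
      echo "${f#"$dh"/}: hostname verification is disabled"
  done
  return 0
}

# Constructed sample domain (not a real installation) so the audit runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/nodemanager" "$demo/config/fmwconfig/essconfig/essbase"
printf 'AgentSecurePort 6423\nEnableSecureMode true\nEnableClearMode true\n' \
  > "$demo/config/fmwconfig/essconfig/essbase/essbase.cfg"
printf 'CustomIdentityAlias=ssl\nCustomTrustKeyStorePassPhrase=Password1\n' \
  > "$demo/nodemanager/nodemanager.properties"
printf 'export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true"\n' \
  > "$demo/bin/setWlstEnv.sh"
audit_essbase_tls "$demo"
```

Run it against a real domain with audit_essbase_tls "${DOMAIN_HOME}" after step 5 and before restarting Essbase.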