Set up WebLogic TLS Connection for Essbase
By default, WebLogic is configured in unencrypted mode. Here are the steps to add a WebLogic TLS connection to the existing unsecured domain.
Set up TLS connection for Essbase 21.2 or 21.3+
Note:
Prerequisites and notes for updating JAgent and WebLogic certificates.
- Set the Oracle Home environment variables to point to the Essbase installation. The JAVA_HOME and ORACLE_HOME environment variables must be defined to run the configuration.
- The command takes one parameter: either the response file location (this file is generated in GUI mode and is used in silent mode) or the DOMAIN_HOME location.
- Stop Essbase
For Linux:
${DOMAIN_HOME}/esstools/bin/stop.sh
For Windows:
%DOMAIN_HOME%\esstools\bin\stop.cmd
- To update all TLS certificates (configured in Essbase 21.2 or 21.3+) and the wallet, run the following:
Note:
RESPONSE_FILE and DOMAIN_HOME cannot both be used together in script parameters. Only use one of them.
For 21.2 or 21.3+ on Linux:
java -cp $ORACLE_HOME/essbase/lib/essbaseconfig.jar com.oracle.wizard.operation.helper.ssl.SslConfigHelper [RESPONSE_FILE=<response file> | DOMAIN_HOME=<${DOMAIN_HOME}>]
Note:
For 21.3+ on Linux, you can also use the following command (this does not require export JAVA_HOME and ORACLE_HOME):
${ORACLE_HOME}/essbase/bin/ssl_config.sh [RESPONSE_FILE=<response file> | DOMAIN_HOME=<${DOMAIN_HOME}>]
For 21.3+ on Windows:
java -cp %ORACLE_HOME%\essbase\lib\essbaseconfig.jar com.oracle.wizard.operation.helper.ssl.SslConfigHelper [RESPONSE_FILE=<response file> | DOMAIN_HOME=<%DOMAIN_HOME%>]
Note:
You can also use the following command:
%ORACLE_HOME%\essbase\bin\ssl_config.cmd [RESPONSE_FILE=<response file> | DOMAIN_HOME=<%DOMAIN_HOME%>]
- Because the wallet and keystore passwords are not changed, just run WebLogic to start Essbase. See Stop, Start, and Check Servers.
For Linux:
${DOMAIN_HOME}/esstools/bin/start.sh
For Windows:
%DOMAIN_HOME%\esstools\bin\start.cmd
Set up SSL enabled mode for Essbase 21.2 or 21.3+
If Essbase was configured in version 21.1 in encrypted mode, then after patching to Essbase 21.2 or 21.3+ you need to set up SSL enabled mode, using the following steps.
- Call wlst.
For Linux:
${ORACLE_HOME}/oracle_common/common/bin/wlst.sh ${ORACLE_HOME}/essbase/modules/oracle.essbase.sysman/scripts/ssl_settings.py ${DOMAIN_HOME} ${DOMAIN_HOME}/security/keystore.jks ${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks ${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/certwallet.pem <FQDN> <ssl Admin Port> <<EOF
Password1
Password1
EOF
- For 21.2, instead of the Fully Qualified Domain Name <FQDN>, use: https://<FQDN>:<Essbase Server SSL Port>/essbase/agent
- For 21.3+, it should be the pure FQDN host.
For Windows:
%ORACLE_HOME%\oracle_common\common\bin\wlst.cmd %ORACLE_HOME%\essbase\modules\oracle.essbase.sysman\scripts\ssl_settings.py %DOMAIN_HOME%\security\keystore.jks %DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks %DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\walletssl\certwallet.pem <FQDN> <ssl Admin Port>
The above command will prompt you to enter the password.
- For 21.2, instead of the Fully Qualified Domain Name <FQDN>, use: https://<FQDN>:<Essbase Server SSL Port>/essbase/agent
- Change the following:
For Linux: edit ${DOMAIN_HOME}/bin/setStartupEnv.sh. Find the substring -Djavax.net.ssl.trustStore and replace everything from it to the end of the line with the following (expand ${DOMAIN_HOME}):
-Djavax.net.ssl.trustStore=${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/cacerts -Dweblogic.security.SSL.ignoreHostnameVerification=true
For Windows: edit %DOMAIN_HOME%\bin\setStartupEnv.cmd. Find the substring -Djavax.net.ssl.trustStore and replace everything from it to the end of the line with the following (expand %DOMAIN_HOME%):
-Djavax.net.ssl.trustStore=%DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\walletssl\cacerts -Dweblogic.security.SSL.ignoreHostnameVerification=true
- Change the following:
For Linux: edit ${DOMAIN_HOME}/bin/setWlstEnv.sh as follows (expand ${DOMAIN_HOME}):
export WLST_PROPERTIES="-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks -Djavax.net.ssl.trustAnchors=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks"
export API_CAINFO=${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/certwallet.pem
For Windows: similarly edit %DOMAIN_HOME%\bin\setWlstEnv.cmd:
set "WLST_PROPERTIES=-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks -Djavax.net.ssl.trustAnchors=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks"
set "API_CAINFO=%DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\walletssl\certwallet.pem"
- Add lines as follows:
For Linux: add the following lines to ${DOMAIN_HOME}/nodemanager/nodemanager.properties (expand ${DOMAIN_HOME}):
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=${DOMAIN_HOME}/security/keystore.jks
CustomIdentityKeyStorePassPhrase=Password1
CustomIdentityPrivateKeyPassPhrase=Password1
CustomIdentityAlias=ssl
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=${DOMAIN_HOME}/config/fmwconfig/ovd/default/keystores/adapters.jks
CustomTrustKeyStorePassPhrase=Password1
For Windows: add the following lines to %DOMAIN_HOME%\nodemanager\nodemanager.properties (expand %DOMAIN_HOME%):
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=%DOMAIN_HOME%\security\keystore.jks
CustomIdentityKeyStorePassPhrase=Password1
CustomIdentityPrivateKeyPassPhrase=Password1
CustomIdentityAlias=ssl
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=%DOMAIN_HOME%\config\fmwconfig\ovd\default\keystores\adapters.jks
CustomTrustKeyStorePassPhrase=Password1
- Update as follows:
For Linux: update ${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/essbase.cfg with the values below.
For Windows: update %DOMAIN_HOME%\config\fmwconfig\essconfig\essbase\essbase.cfg with the values below.
AgentSecurePort 6423
EnableSecureMode true
EnableClearMode false
ClientPreferredMode SECURE
- Update credentials and OPSS key stores.
For Linux: Replace ${DOMAIN_HOME} in the .wlst script with the actual path.
source ${DOMAIN_HOME}/bin/setWlstEnv.sh
${ORACLE_HOME}/oracle_common/common/bin/wlst.sh <<EOF
wlAddress='t3s://<fqdn>:<AdminServer SSL port>'
wlUser='<user name>'
wlPassword='<password>'
keystorePath='${DOMAIN_HOME}/config/fmwconfig/essconfig/essbase/walletssl/keystore.jks'
connect(wlUser, wlPassword, wlAddress)
svc = getOpssService(name='KeyStoreService')
svc.importKeyStore(appStripe='essbase', name='internalidentity', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
svc.importKeyStore(appStripe='essbase', name='internaltrust', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
updateCred(map='oracle.essbase', key='ssl.passphrase', user='ssl.passphrase', password='Password1')
exit()
EOF
For Windows: Replace %DOMAIN_HOME% in the .wlst script with the actual path.
call %DOMAIN_HOME%\bin\setWlstEnv.cmd
call %ORACLE_HOME%\oracle_common\common\bin\wlst.cmd
The above command starts WLST. Then run the following:
wls:/offline> wlAddress='t3s://<fqdn>:<AdminServer SSL port>'
wls:/offline> wlUser='<user name>'
wls:/offline> wlPassword='<password>'
wls:/offline> keystorePath='%DOMAIN_HOME%\\config\\fmwconfig\\essconfig\\essbase\\walletssl\\keystore.jks'
wls:/offline> connect(wlUser, wlPassword, wlAddress)
wls:/offline> svc = getOpssService(name='KeyStoreService')
wls:/offline> svc.importKeyStore(appStripe='essbase', name='internalidentity', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
wls:/offline> svc.importKeyStore(appStripe='essbase', name='internaltrust', password='Password1', aliases='orakey', keypasswords='Password1', type='JKS', permission=true, filepath=keystorePath)
wls:/offline> updateCred(map='oracle.essbase', key='ssl.passphrase', user='ssl.passphrase', password='Password1')
wls:/offline> exit()
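An added example, not part of Oracle's documentation: a shell function that audits the Linux files edited in the steps above. It reports essbase.cfg values that differ from the ones listed, the sample passphrase Password1 left in nodemanager.properties, a world-readable nodemanager.properties, and scripts that set ignoreHostnameVerification=true. The function name audit_essbase_tls and the case-insensitive comparison of essbase.cfg values are assumptions; the file paths are the ones given in the steps.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit the files this procedure edits.
# Usage: audit_essbase_tls /path/to/domain_home
# Prints one finding per line; the return status is the number of findings.
audit_essbase_tls() {
    dh=$1
    findings=0
    cfg="$dh/config/fmwconfig/essconfig/essbase/essbase.cfg"
    nm="$dh/nodemanager/nodemanager.properties"

    # essbase.cfg must carry the secure-mode values listed in the procedure.
    # Values are compared case-insensitively (assumption of this example).
    for want in 'EnableSecureMode true' 'EnableClearMode false' \
                'ClientPreferredMode secure'; do
        key=${want% *}
        got=$(awk -v k="$key" '$1 == k { v = tolower($2) } END { print v }' \
              "$cfg" 2>/dev/null) || got=
        if [ "$got" != "${want#* }" ]; then
            echo "essbase.cfg: $key is '${got:-unset}', expected '${want#* }'"
            findings=$((findings + 1))
        fi
    done

    # The sample passphrase from the documentation must not reach a real domain.
    if grep -Eq '^[A-Za-z]*PassPhrase=Password1[[:space:]]*$' "$nm" 2>/dev/null
    then
        echo "nodemanager.properties: sample passphrase Password1 still in use"
        findings=$((findings + 1))
    fi
    # Keystore passphrases live in this file, so it should not be world-readable.
    if [ -n "$(find "$nm" -perm -004 2>/dev/null)" ]; then
        echo "nodemanager.properties: world-readable"
        findings=$((findings + 1))
    fi

    # Report every script that turns off TLS hostname verification.
    for f in setStartupEnv.sh setWlstEnv.sh; do
        if grep -q 'ignoreHostnameVerification=true' "$dh/bin/$f" 2>/dev/null
        then
            echo "bin/$f: hostname verification disabled"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

A return status of 0 means none of the checks fired; the hostname-verification finding is expected right after following the steps as written and marks the scripts to revisit once the certificates carry the server's FQDN.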