Configure SSL for Clients

Use these topics to configure SSL for clients.

You must configure clients accessing the Oracle Analytics Server components to use Oracle Analytics Server certificates. You must export the certificates by running the following command:

<DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>

Topics:

• Export Client Certificates

• Use SASchInvoke when BI Scheduler is SSL-Enabled

• Configure the Model Administration Tool to Communicate Over SSL

• Configure an ODBC DSN for Remote Client Access

• Configure Oracle Analytics Publisher to Communicate Over SSL

• Configure SSL when Using Multiple Authenticators

Export Client Certificates

Use these steps to create the passphrase for use when exporting client certificates.

The passphrase is used to protect the export certificates. You must remember this passphrase for use when configuring each client.

The command exports Java keystores for use by Java clients, and individual certificate files for use non Java clients. To make moving the certificates to a remote machine more convenient, the export also packages all the files into a single zip file.

1. Run the following command:

   <DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>

2. Type the new passphrase at the prompt.

Use SASchInvoke when BI Scheduler is SSL-Enabled

When the BI Scheduler is enabled for communication over SSL, you can invoke the BI Scheduler using the SASchInvoke command line utility.

The SASchInvoke tool is a command line job invocation tool which allows you to run pre-existing Oracle BI Scheduler jobs.

1. Create a new text file containing on a single line the passphrase you used when running the ./ssl.sh exportclientcerts command.

   Ensure this file has appropriately restrictive file permissions to protect it. Typically it should only be readable by the owner. See Exporting Client Certificates.

2. Locate the SASchInvoke tool:

   Windows: <Domain_Home>/bitools/bin/saschinvoke.cmd

3. Use the following syntax to run the SASchInvoke command:

   SASchInvoke -u <Admin Name>  (-j <job id> | -i <iBot path>)  
   	([-m <machine name>[:<port>]] | -p <primaryCCS>[:<port>] -s <secondaryCCS>[:<port>])  
   	([(-r <replace parameter filename> | -a <append parameter filename>)]  | [-x <re-run instance id>]) 
   	[-l [-c <SSL certificate filename> -k <SSL certificate private key filename>] [ -w <SSL passphrase>  | -q <passphrase file>  | -y ] 
   	[-h <SSL cipher list>] 
   	[-v [-e <SSL verification depth>] -d <CA certificate directory> | -f <CA certificate file> [-t <SSL trusted peer DNs>] ] ]
   
   where:
   -a  File containing additional parameters.
   -c  File containing SSL certificate. SSL certificate filename = clientcert.pem
   -d  Certificate authority directory.
   -e  SSL certificate verification depth.
   -f  Certificate authority file.
   -h  SSL cipher list
   -i  Agent path
   -j  Job id
   -k  SSL certificate private key filename. SSL certificate private key filename = clientkey.pem
   -l  Use SSL
   -m  Machine name:port of scheduler.  Provides direct access to scheduler.
   -p  Primary cluster controller name:port.  Provides access to clustered scheduler.
   -q  Location of the passphrase file created in step 1 containing the SSL passphrase protecting SSL private key (see -k).
   -r  File containing replacement parameters.
   -s  Secondary cluster controller name:port.  Provides access to clustered scheduler.
   -t  Distinguished names of trusted peers.
   -u  Username
   -v  Verify peer
   -w  SSL passphrase protecting SSL private key (see -k).
   -x  Rerun instance id.
   -y  Interactively prompt for SSL passphrase protecting SSL private key (see -k).
   

4. The command prompts you to enter the administrator password. Once entered, the SASchInvoke tool will get the BI Scheduler to run the specified job.

Configure the Model Administration Tool to Communicate Over SSL

To successfully connect to a BI Server configured to use SSL, you must also configure the Model Administration Tool to communicate over SSL.

The data source name (DSN) for the BI Server data source is required.

1. Determine the BI Server data source DSN in use by logging into the Presentation Services Administration page as an administrative user.
2. Locate the BI Server Data Source field.

   The DSN is listed in the following format, coreapplication_OH<DSNnumber>.

3. In the Model Administration Tool, select File, then Open, then Online.
4. Select the DSN from the list.
5. Enter the semantic model user name and password.

   The Model Administration Tool is now connected to the BI Server using SSL.

Configure an ODBC DSN for Remote Client Access

You can create an ODBC DSN for the BI Server to enable remote client access.

Configure Oracle Analytics Publisher to Communicate Over SSL

You can configure Oracle Analytics Publisher to communicate securely over the internet using SSL.