Enable Internal SSL

Follow these steps to enable SSL on internal communication links.

You must run commands from the primary host. Oracle Analytics Server must have been configured by the BI configuration assistant, WebLogic managed servers must have been created, and any scaling out must be complete. Only use this procedure if you have configured security using the configuration assistant.

If you used the Configuration Template for SSL, see Enabling SSL in a Configuration Template Configured System.

You can configure the following advanced options:


  1. Stop the system using the following command:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/stop.sh

  2. Run the following command to enable SSL on WebLogic internal channels and internal components:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/ssl.sh internalssl true

  3. Optional: Configure advanced options by editing the file:

    ORACLE_HOME/user_projects/domains/bi/config/fmwconfig/biconfig/core/ssl/bi-ssl.xml

  4. Restart the domain and Oracle Analytics Server component processes using the following command:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/start.sh

  5. Confirm that WebLogic certificates and the corresponding trust have been correctly configured using the following:

    ORACLE_HOME/user_projects/domains/bi/bitools/bin/ssl.sh report

  6. Confirm you can log in to Oracle Analytics Server at the following URL, substituting the values for your environment:

    https://<host>:<SecureManagedServerPort>/analytics

    Note:

    You must perform this login to confirm that the HTTPS listener is enabled on each server before you enable end-to-end SSL. Any communication between internal components is encrypted, and is only verifiable using the ssl.sh report command, or by checking server traffic.

Post-conditions

  • WebLogic servers:

    • Have an HTTPS listener enabled on internal channels.

    • The external port configuration is unaltered. See Enable End-to-End SSL for how to enable SSL on the external ports as well.

    • There is a separate internal identity (key/certificate pair) for each listener address. The certificate has a common name matching the listening address, which is compatible with standard HTTPS practice. The certificates are signed by the internal certificate authority.

  • System components, other than Essbase Studio:

    • Enable an HTTPS listener on internal channels.

    • The external port configuration is unaltered.

    • There is a separate internal identity (key/certificate pair) for each listener address. The certificate has a common name matching the listening address, which is compatible with standard HTTPS practice. The certificates are signed by the internal certificate authority.

  • Essbase Studio:

    • No change. Continues with existing connectivity.
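
As an added example (not part of Oracle's tooling or the original page), the following shell script checks the certificate post-conditions above for one listener from the outside: that the common name matches the listening address and that the certificate is issued by a CA rather than self-signed. The host names and distinguished names in it are constructed, and treating "subject differs from issuer" as evidence of CA signing is an assumption; the script does not validate the chain against the internal certificate authority.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. Host names and DNs below are constructed.

# Print subject and issuer of the certificate a listener presents, one per line.
fetch_cert_names() {  # $1 = listening address, $2 = secure port
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -nameopt RFC2253
}

# Print the DN from the "subject=" or "issuer=" line read on stdin.
dn_of() {  # $1 = subject | issuer
  sed -n "s/^$1= *//p" | head -n 1
}

# Print the CN attribute of an RFC 2253 DN read on stdin.
cn_of_dn() {
  tr ',' '\n' | sed -n 's/^ *[Cc][Nn]=//p' | head -n 1
}

# Check the post-conditions visible from outside: the CN matches the
# listening address, and the certificate is not self-signed (assumption:
# a differing issuer is taken as evidence of CA signing).
check_listener_cert() {  # $1 = listening address, stdin = fetch_cert_names output
  clc_names=$(cat)
  clc_subject=$(printf '%s\n' "$clc_names" | dn_of subject)
  clc_issuer=$(printf '%s\n' "$clc_names" | dn_of issuer)
  clc_cn=$(printf '%s\n' "$clc_subject" | cn_of_dn | tr 'A-Z' 'a-z')
  clc_want=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
  if [ -z "$clc_subject" ]; then
    echo "FAIL: no certificate received"; return 2
  elif [ "$clc_cn" != "$clc_want" ]; then
    echo "FAIL: CN '$clc_cn' does not match listening address '$clc_want'"; return 1
  elif [ "$clc_subject" = "$clc_issuer" ]; then
    echo "FAIL: certificate is self-signed, not CA-issued"; return 1
  fi
  echo "OK: CN=$clc_cn issued by $clc_issuer"
}

# Constructed sample of fetch_cert_names output for a listener on bi1.example.com.
SAMPLE_NAMES='subject=CN=bi1.example.com,OU=constructed
issuer=CN=Constructed Internal CA,OU=constructed'

# Live use: sh check_listener.sh <host> <SecureManagedServerPort>
if [ "$#" -eq 2 ]; then
  fetch_cert_names "$1" "$2" | check_listener_cert "$1"
fi
```

Run it once per listener address after step 5; a non-zero exit status identifies a listener whose certificate does not match the post-conditions.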