You can configure one-way and two-way SSL in Oracle WebLogic Server.
One-way SSL is required to properly secure the communication between Oracle Business Intelligence and Oracle WebLogic Server.
To configure one-way SSL in Oracle WebLogic Server:
You can set up two-way SSL to secure the communication between the Oracle BI Server and Oracle WebLogic Server.
To set up and test two-way SSL:
1. Create client certificates in the Oracle BI Server, if they do not already exist. See Authentication Concepts in Security Guide for Oracle Business Intelligence Enterprise Edition for more information.
2. Modify the ADF Oracle WebLogic Server to accept SSL connections and to perform mutual SSL. To do this, perform the following steps in the Oracle WebLogic Server Administration Console:
   a. Log in to the Administration Console and click Servers under the Environment heading, then click the server name (for example, AdminServer).
   b. In the General tab, select SSL Listen Port Enabled and record the SSL Listen Port number. Then, click Save.
   c. Select the SSL tab, then select Advanced. For Two Way Client Cert Behavior, select Client Certs Requested and Enforced. Then, click Save.
   d. Select the Keystores tab and record the Trust Keystore that is being used. For example, if the Demo Trust keystore is used, record its location and file name.
   e. Click Activate Changes.
3. Ensure that the Certificate Authority (CA) for the Oracle BI Server client certificate is trusted by the ADF Oracle WebLogic Server. To do this, follow these steps:
   a. On the Oracle BI Server computer, find the CA file for the client certificate. If the file was generated using the instructions referenced in Step 1, the file is named cacert.pem and is located in:
      ORACLE_HOME/user_projects/domains/bifoundation_domain/config/fmwconfig/biinstances/coreapplication/ssl
   b. Copy this file to a known location.
   c. On the ADF Oracle WebLogic Server computer, open a command window and go to the location of the trust keystore. You recorded this value in Step 2. For example:
      /scratch/user_name/view_storage/user_name_fmw/fmwtools/mw_home/wlserver_10.3/server/lib
   d. Copy the client CA file (for example, cacert.pem), stored in the previous step, to this location.
   e. Use the JDK keytool utility to import the client CA into the trust keystore for the ADF server, making it a trusted CA. Use the following command:
      keytool -import -file client_CA_file -keystore keystore_file -storepass keystore_password
      For example:
      /scratch/my_name/view_storage/my_name_fmw/jdk6/bin/keytool -import -file ~/Downloads/SSL/cacert.pem -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
      If you omit -storepass, keytool prompts for the password, which keeps it out of the shell history and the process list.
   f. Restart the ADF Oracle WebLogic Server.
4. Update the Physical layer of the Oracle BI repository, as follows:
   a. In the Administration Tool, in the Physical layer, open the first ADF connection pool object and select the Miscellaneous tab.
   b. Update the URL field to use the https protocol and the SSL port noted in Step 2, and then click OK.
   c. Repeat the previous two steps for each additional ADF connection pool object.
   d. Save the repository and restart the Oracle BI Server.
5. Configure the Oracle BI Server ODBC DSN to use SSL. For example, on Windows:
   a. Open the ODBC Data Source Administrator and select the System DSN tab.
   b. Double-click the DSN for the Oracle BI Server. The DSN name should start with "coreapplication_OH".
   c. Select Use SSL.
   d. Click Next, click Next again, and then click Finish.
6. Perform queries against ADF using your Oracle BI Server client of choice (such as nqcmd). The Oracle BI Server should now be communicating with the ADF Oracle WebLogic Server using mutual SSL with client certificates.
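
An added check for the keytool import step above (example code, not part of the Oracle documentation): it looks up the client CA by SHA-256 fingerprint in keytool -list -v output and confirms that it is stored as a trustedCertEntry, whatever alias it received. It assumes a JDK 7 or later keytool, which prints SHA256 fingerprint lines; the function names, fingerprints and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a CA sits in a trust keystore as a trustedCertEntry,
# matching on SHA-256 fingerprint rather than alias. Sample data is constructed.

# Reduce "SHA256 Fingerprint=AA:BB:.." or "aa:bb:.." to bare uppercase hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# trusted_alias_for_fp FINGERPRINT   (reads `keytool -list -v` output on stdin)
# Prints the alias and returns 0 if the fingerprint is a trustedCertEntry,
# returns 2 if it appears only under another entry type, 1 if it is absent.
trusted_alias_for_fp() {
    want=$(norm_fp "$1")
    awk -v want="$want" '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0; type = "" }
        /^Entry type:/ { sub(/^Entry type:[ \t]*/, ""); type = $0 }
        /SHA256:/ {
            fp = $0; sub(/^.*SHA256:[ \t]*/, "", fp); gsub(/[: \t\r]/, "", fp)
            if (toupper(fp) == want) {
                if (type == "trustedCertEntry") { print alias; found = 1; exit }
                wrongtype = 1
            }
        }
        END { if (found) exit 0; exit (wrongtype ? 2 : 1) }
    '
}

# Constructed stand-in for `keytool -list -v` output, not a real keystore.
SAMPLE_CA_FP='11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
sample_listing() {
    cat <<EOF
Alias name: mykey
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
Certificate fingerprints:
     SHA256: $SAMPLE_CA_FP

Alias name: server_identity
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11
EOF
}

# Against a real keystore (file names from the steps above; keytool prompts for the password):
#   fp=$(openssl x509 -in cacert.pem -noout -fingerprint -sha256)
#   keytool -list -v -keystore DemoTrust.jks | trusted_alias_for_fp "$fp"
sample_listing | trusted_alias_for_fp "$SAMPLE_CA_FP"   # prints: mykey
```

The alias mykey in the sample is what keytool assigns when -import is run without -alias, as in the command above.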