Configuring SSL for Clients

Use this topic to configure SSL for clients.

Clients accessing the BIEE components must be configured to use BIEE certificates.

Note:

First you must export the certificates by running the following command:

<DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>

This section explains how to configure SSL for clients, and contains the following topics:

Exporting Client Certificates

First you must export the client certificates.

To export the client certificates:

  1. Run the following command:
    <DomainHome>/bitools/bin/ssl.sh exportclientcerts <exportDir>
    
  2. When prompted, enter a new passphrase.

    The passphrase is used to protect the exported certificates. You must remember this passphrase for use when configuring each client.

    The command exports Java keystores for use by Java clients, and individual certificate files for use by non-Java clients. To make moving the certificates to a remote machine more convenient, the export also packages all the files into a single zip file.

Using SASchInvoke when BI Scheduler is SSL-Enabled

When the BI Scheduler is enabled for communication over SSL, you can invoke the BI Scheduler using the SASchInvoke command line utility.

To invoke the BI Scheduler when SSL-enabled using the SASchInvoke utility:

  1. Create a new text file containing on a single line the passphrase you used when running the ./ssl.sh exportclientcerts command (see Exporting Client Certificates).

    Ensure this file has appropriately restrictive file permissions to protect it. Typically it should only be readable by the owner.

  2. Use the following syntax to run the SASchInvoke command:
    SASchInvoke -u <Admin Name>  (-j <job id> | -i <iBot path>)  [-m <machine name>[:<port>]]  [(-r <replace parameter filename> | -a <append parameter filename>)] [-l [ -c <SSL certificate filename> -k <SSL certificate private key filename> [ -w <SSL passphrase>  | -q <passphrase file>  | -y ]] [-h <SSL cipher list>] [-v [-e <SSL verification depth>] [-d <CA certificate directory>] [-f <CA certificate file>] [-t <SSL trusted peer DNs>] ] ]
    
    where:
    SSL certificate filename = clientcert.pem
    SSL certificate private key filename = clientkey.prm
    passphrase file = location of the passphrase file created above.
    

    The command prompts you to enter the administrator password.

  3. Enter the administrator password to start BI Scheduler.
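The passphrase-file steps above can be scripted so that SASchInvoke is never started with a passphrase file that other users can read. This is an added example, not Oracle code: the function names are hypothetical, and it assumes clientcert.pem and clientkey.prm are in the export directory passed as the first argument.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names are hypothetical.

# Write the passphrase read from stdin to file $1 as one line, owner-only.
write_passphrase_file() {
    (
        umask 077                 # new file is created 0600
        rm -f -- "$1"             # never inherit looser permissions
        set -C                    # noclobber: do not write through a file planted meanwhile
        IFS= read -r pass || true
        [ -n "$pass" ] || exit 1  # empty passphrase: nothing is written
        printf '%s\n' "$pass" > "$1"
    )
}

# Return 0 only if file $1 is fit to hand to SASchInvoke -q.
check_passphrase_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1            # regular file, not a symlink
    [ -O "$1" ] || return 1                             # owned by the invoking user
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] || return 1   # no group/other bits
    [ $(( $(wc -l < "$1") )) -eq 1 ]                    # exactly one line
}

# run_job <export_dir> <passphrase_file> <admin_name> <job_id>
# Assumes clientcert.pem and clientkey.prm sit in <export_dir>.
run_job() {
    check_passphrase_file "$2" || {
        echo "refusing to run: $2 is not a single-line, owner-only file" >&2
        return 1
    }
    # -q keeps the passphrase out of the argument list, where -w can
    # expose it to other users who list processes on the host.
    SASchInvoke -u "$3" -j "$4" -l \
        -c "$1/clientcert.pem" -k "$1/clientkey.prm" -q "$2"
}
```

SASchInvoke still prompts for the administrator password, so run_job is meant for an interactive session.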

Configuring Oracle BI Job Manager

To successfully connect to BI Scheduler that has been enabled for SSL, Oracle BI Job Manager must also be configured to communicate over SSL.

Oracle BI Job Manager is a Java based component and the keys and certificates that it uses must be stored in a Java keystore database.

To configure Oracle BI Job Manager to communicate with the BI Scheduler server over SSL:

  1. From the File menu, select Oracle BI Job Manager, then select Open Scheduler Connection.

  2. In the Secure Socket Layer section of the dialog box, select the SSL check box.

  3. If the server setting “verify client certificates” is false (one-way SSL), you can leave Key Store and Key Store Password blank. This is the default setting.

  4. If the server setting “verify client certificates” is true (two-way SSL), you must set Key Store and Key Store Password as follows:

  5. To provide a secure link, enable server certificate verification. Without verification the connection still works, but a person-in-the-middle attack that impersonates the server will not be detected.

    1. Select the Verify Server Certificate check box. When this is checked, the trust store file must be specified. This trust store contains the CA that verifies the Scheduler server certificate.

    2. In the Trust Store text box, set the trust store to:

      <exportclientcerts_directory>\internaltrust.jks

    3. Set the Trust Store Password to the passphrase entered in Exporting Client Certificates.

Enabling the Online Catalog Manager to Connect

For the online Catalog Manager to connect you may need to import the SSL server certificate or CA certificate.

The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSL. You must import the SSL server certificate or CA certificate from the web server into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.

To enable the online Catalog Manager to connect:

  1. Navigate to Java's default trust store located at ORACLE_HOME/JAVA_HOME/jre/lib/security.

    The default trust store is named cacerts.

  2. Copy the certificate exported from the web server to the same location as Java's default trust store.
  3. Execute the following command to import the certificate to the default trust store:
    keytool -importcert -trustcacerts -alias bicert -file $WebServerCertFilename -keystore cacerts -storetype JKS
    

    where the web server certificate file $WebServerCertFilename is imported into Java's default trust store named cacerts under an alias of bicert.

    For example, if using the Oracle WebLogic Server default demonstration certificate, then use the full path to the certificate located in ORACLE_HOME/wlserver/server/lib/CertGenCA.der.

    Note:

    The default password for the Java trust store is "changeit".

  4. Restart Catalog Manager.

    Note:

    You must start Catalog Manager using the secure HTTPS URL.
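Anything imported into cacerts is trusted by every program that runs on that JVM, so it is worth checking the certificate file before the import and the trust store after it. The wrapper below is an added example, not Oracle code. It assumes the expected SHA-256 fingerprint was obtained out of band from the web server administrator; the function names and the TS_PASS environment variable are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names and TS_PASS are hypothetical.

# Normalise a fingerprint to bare uppercase hex (drops colons and spaces).
norm_fp() { printf '%s' "$1" | tr -d ': \r\n' | tr 'abcdef' 'ABCDEF'; }

# Print the SHA-256 fingerprint of certificate file $1.
cert_sha256() {
    norm_fp "$(keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p')"
}

# import_pinned_cert <truststore> <alias> <cert-file> <expected-sha256>
# The store password is taken from the TS_PASS environment variable.
import_pinned_cert() {
    want=$(norm_fp "$4")
    got=$(cert_sha256 "$3")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "not importing $3: fingerprint ${got:-unreadable} was not expected" >&2
        return 1
    fi
    # Keep a rollback copy of an existing store before changing it.
    if [ -f "$1" ]; then cp -p -- "$1" "$1.bak" || return 1; fi
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storetype JKS -storepass:env TS_PASS || return 1
    # Confirm the alias is now present as a trusted certificate entry.
    keytool -list -alias "$2" -keystore "$1" -storetype JKS \
        -storepass:env TS_PASS | grep -q 'trustedCertEntry'
}
```

With TS_PASS exported, a call takes the form `import_pinned_cert cacerts bicert "$WebServerCertFilename" "<expected fingerprint>"`, run from the directory that holds cacerts.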

Configuring the Oracle BI Administration Tool to Communicate Over SSL

To successfully connect to a BI Server that has been enabled for SSL, the Administration Tool must also be configured to communicate over SSL. The DSN for the BI Server data source is required.

To configure the Administration Tool to communicate over SSL:

  1. Determine the BI Server data source DSN being used by logging into the Presentation Services Administration page as an administrative user.

    For more information, see System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  2. Locate the Oracle BI Server Data Source field in the upper left corner. The DSN is listed in the following format: coreapplication_OH<DSNnumber>.
  3. In the Administration Tool, enter the DSN name by selecting File, then Open, then Online. Select the DSN from the list.
  4. Enter the repository user name and password.

    The Administration Tool is now connected to the BI Server using SSL.

Configuring an ODBC DSN for Remote Client Access

You can create an ODBC DSN for the BI Server to enable remote client access.

For more information about how to enable SSL communication for an ODBC DSN, see Integrating Other Clients with Oracle Business Intelligence in Integrator's Guide for Oracle Business Intelligence Enterprise Edition.

Configuring Oracle BI Publisher to Communicate Over SSL

You can configure Oracle BI Publisher to communicate securely over the internet using SSL.

For more information, see "Configuring BI Publisher for Secure Socket Layer (SSL) Communication" in the Administrator's Guide for Oracle Business Intelligence Publisher.

If BI Publisher does not work after configuring SSL, you might need to reconfigure the HTTPS protocol and SSL port. For more information, see "Configuring Integration with Oracle BI Presentation Services" in Administrator's Guide for Oracle Business Intelligence Publisher.