Enabling End-to-End SSL

To achieve end-to-end SSL you need to configure both internal BIEE SSL and WebLogic SSL. The internal SSL configuration is highly automated, whereas the WebLogic SSL configuration requires multiple manual steps. The two are entirely independent, so they can be performed in either order. Because the WebLogic configuration requires manual steps, Oracle advises doing that first.

Note:

This section does not include configuring SSL for Essbase.

Perform the following steps. Confirmation steps are highlighted:

Configuring a Standard Non-SSL Oracle BI EE System

To configure a standard non-SSL Oracle Business Intelligence system:

  • Install Oracle BI EE.

  • Confirm the system is operational.

    Check that you can log in over HTTP to:

    • Analytics

      - http://<Host>:<ManagedServerPort>/analytics

    • Fusion Middleware Control

      - http://<Host>:<AdminPort>/em

    • WebLogic Admin Console

      - http://<Host>:<AdminPort>/console

Configuring WebLogic SSL

These steps configure WebLogic using the provided demo certificates. These are not secure. They must not be used in a production environment. Nevertheless configuring with demo certificates first is a useful familiarization exercise prior to configuring with real certificates.

To configure with a secure certificate signed by a real Certificate Authority, see the WebLogic documentation. The certificate authority should return the signed server certificate and provide a corresponding root CA certificate. Wherever democa is mentioned in these steps, replace it with your real CA certificate.

This section contains the following topics:

Starting Only the Administration Server

Starting up just the Administration Server, rather than starting everything, avoids having to stop everything while the admin connection properties are in a state of flux, which confuses the stop-everything script.

To start only the Administration server:
  1. Stop everything with:

    <DomainHome>/bitools/bin/stop.sh

  2. Start up just the Administration server with:

    <DomainHome>/bitools/bin/start.sh -i Adminserver

Configuring HTTPS Ports

Follow these steps to configure the HTTPs ports.

To configure HTTPs Ports:

  1. Login to WebLogic Admin console.

  2. Click Lock and Edit.

  3. Select Environment, Servers.

    For each server:

    1. On the main Configuration tab, select SSL Listen Port Enabled.

    2. Click Save.

    3. Click Activate Changes.

  4. Enable trust of demo certificates in your browser:

    If you are using WebLogic demo certificates your browser will not trust the WebLogic server. You will need to enable trust in your browser. If using a standard Certificate Authority whose certificates are trusted by default by your browser then you can omit this step.

    1. Go to URL https://<host>:<AdminServerSSLPort>

      Note that this is the base URL, with no em or console on the path. By first accessing the base URL you can set up a single browser certificate exception. If you go directly to the em and console paths you will have to set up multiple certificate exceptions.

      Your browser will warn you about the demo certificate.

    2. Enable the certificate exception by going to the base URL.

      You only have to do this once, rather than separately for WebLogic console and Fusion Middleware Control.

      The base URL should give a 404 error once the SSL connection is made. This is fine.

  5. Check the secure WebLogic console URL:

    https://<Host>:<AdminServerSSLPort>/console

  6. Check the secure Fusion Middleware Control URL:

    https://<Host>:<AdminServerSSLPort>/em

    Do not disable HTTPs yet. You will run a script later that needs to access the Admin Server using the non-SSL port.

    Note: Perform the HTTPS check in the existing browser session that is already logged in to Fusion Middleware Control over HTTP.

  7. Enable secure replication:

    1. In WebLogic Administration Console:

      Click Lock and Edit.

    2. Select Environment, Clusters, and bi_cluster.

    3. Select Configuration, and the Replication tab.

    4. Select Secure Replication Enabled.

      If you do not do this, the managed servers will fail to startup, remaining in admin mode. This prevents the start scripts from running.

    5. Click Save.

    6. Click Activate Changes.

Configuring Internal WebLogic Server LDAP to Use LDAPs

If an external Identity Store has already been configured, omit this step.

You may later wish to configure the external identity store to use a secure connection. The steps to do that depend on the type of external identity store.

The internal LDAP ID Store must have its URL amended.

Note:

This section only applies when using WebLogic Server LDAP and when virtualize=true is not set, as you are explicitly pointing to the Adminserver.

To configure the internal LDAP to use LDAPS:

  1. Login to Fusion Middleware Control 12c:

    https://<Host>:<SecureAdminPort>/em

  2. Select WebLogic Domain, Security, Security Provider Configuration.

  3. Expand the Identity Store Provider segment.

  4. Click Configure.

    1. Click the plus symbol (+) to add a new property.

    2. Add a property ldap.url, with the value:

      ldaps://<Host>:<AdminServerSSLPort>

      For example:

      ldaps://example_machine.com:9501

      Note: This is the admin server address, not the bi_server1 address.

    3. Click OK in the property editor.

  5. Click OK in the Identity Store Provider page.

  6. Confirm that the change has been made.

    1. Open the jps-config.xml file located in:

      <DomainHome>/config/fmwconfig/jps-config.xml.

    2. Check the file contains the line:

      <property name="ldap.url" value="ldaps://<Host>:<AdminServerSecurePort>"/>

Configuring Internal WebLogic Server LDAP Trust Store

You must now provide a trust keystore.

For a full description, see One-way SSL in a Multi-LDAP Scenario in Securing Applications with Oracle Platform Security Services.

Note:

This section only applies when using WebLogic Server LDAP and when virtualize=true is set, as you are explicitly pointing to the Administration Server.

To configure the internal LDAP trust store:

  1. In a terminal window set the environment variables ORACLE_HOME and WL_HOME.

    For example, on Linux (csh syntax; use export in a bash shell):

    setenv ORACLE_HOME <OracleHome>

    setenv WL_HOME <OracleHome>/wlserver/

  2. Ensure that both your PATH and JAVA_HOME point to the JDK 8 installation. Prepend the JDK bin directory rather than replacing PATH, so other tools remain available:

    setenv JAVA_HOME <path_to_your_jdk8>

    setenv PATH $JAVA_HOME/bin:$PATH

  3. Check the java version by running:

    java -version

  4. Run (without the line breaks):

    <OracleHome>/oracle_common/bin/libovdconfig.sh
    -host <Host>
    -port <AdminServerNonSSLPort>
    -userName <AdminUserName>
    -domainPath <DomainHome>
    -createKeystore

    When prompted, enter the existing password for <AdminUserName>.

    When prompted for the OVD Keystore password, choose a new password. You will need this later.

    For example:

    oracle_common/bin/libovdconfig.sh -host myhost -port 7001 -userName weblogic -domainPath /OracleHome/user_projects/domains/bi -createKeystore

    Enter AdminServer password:
    Enter OVD Keystore password:
    OVD config files already exist for context: default
    CSF credential creation successful
    Permission grant already available for context: default
    OVD MBeans already configured for context: default
    Successfully created OVD keystore.

    Note: The -port <AdminServerNonSSLPort> option does not work once the Administration Server's non-SSL port has been disabled. If you disable HTTP and then configure LDAPS, you will need to temporarily re-enable the non-SSL port on the Administration Server.

  5. Check the resultant keystore exists, and see its initial contents, by running:

    keytool -list -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks

  6. Export the demo certificate in a format suitable for importing into the keystore created above.

    In Fusion Middleware Control:

    If using the demo WebLogic certificate you can get the required root CA from the system keystore using Fusion Middleware Control.

    1. Select WebLogicDomain, Security, Keystore.

    2. Expand System.

    3. Select Trust.

    4. Click Manage.

    5. Select democa (NOT olddemoca).

    6. Click Export.

    7. Select export certificate.

    8. Choose a file name.

      For example, demotrust.pem

      If not using the demo WebLogic certificate, you will need to obtain the root CA certificate of the CA which signed your secure server certificate.

  7. Import the exported certificate into the keystore just created:

    keytool -importcert -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks -alias localldap -file <DemoTrustFile>
    
  8. When prompted enter the keystore password you chose earlier, and confirm that the certificate is to be trusted.

  9. If you repeat the keytool -list command you should see a new entry under localldap, for example:

    localldap, Jul 8, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): CA:61:71:5B:64:6B:02:63:C6:FB:83:B1:71:F0:99:D3:54:6A:F7:C8
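
    The two confirmation checks above (the ldap.url line in jps-config.xml, and the localldap entry in adapters.jks) can be scripted. The helpers below are an added example and are not part of the Oracle procedure; the jps-config.xml fragment and the keytool listing are constructed samples, and the service instance name idstore.ldap is assumed.

```shell
#!/bin/sh
# Added verification helpers, not part of the Oracle procedure. They check the two
# confirmation points offline: that jps-config.xml now points the identity store
# at an ldaps:// URL, and that adapters.jks holds the localldap trust entry.

# Return 0 if the file's ldap.url property value starts with ldaps://.
# A value still starting with ldap:// means the directory connection is in clear text.
check_ldaps_url() {
  url=$(sed -n 's/.*<property name="ldap.url" value="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  if [ -z "$url" ]; then
    echo "ldap.url property not found in $1" >&2
    return 1
  fi
  case "$url" in
    ldaps://*) echo "ldap.url is $url"; return 0 ;;
    *) echo "ldap.url is $url (expected an ldaps:// URL)" >&2; return 1 ;;
  esac
}

# Read keytool -list output on stdin; return 0 if the given alias is present as a
# trustedCertEntry (a root CA imported as trust, not a private key entry).
keystore_has_trusted_alias() {
  grep -iq "^$1, .*trustedCertEntry"
}

# Constructed sample of the jps-config.xml fragment after the ldap.url change.
# The service instance name idstore.ldap is assumed.
SAMPLE_JPS=$(mktemp)
cat > "$SAMPLE_JPS" <<'EOF'
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.type" value="WLS_LDAP"/>
  <property name="ldap.url" value="ldaps://adminhost.example.com:9501"/>
</serviceInstance>
EOF

# Constructed sample of keytool -list output after the localldap import.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

localldap, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CA:61:71:5B:64:6B:02:63:C6:FB:83:B1:71:F0:99:D3:54:6A:F7:C8
EOF

check_ldaps_url "$SAMPLE_JPS"
keystore_has_trusted_alias localldap < "$SAMPLE_LISTING" && echo "localldap trust entry present"
```

    Against a real domain, run check_ldaps_url <DomainHome>/config/fmwconfig/jps-config.xml and pipe keytool -list -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks into keystore_has_trusted_alias localldap.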
    

Disabling HTTP

The system is only fully secure if, in addition to enabling HTTPS, you also disable HTTP.

To disable HTTP:

  1. Login to WebLogic Admin console.

  2. Click Lock & Edit.

  3. Select Environment, Servers.

    For each server:

    1. Display the Configuration tab.

    2. Clear Listen Port Enabled.

    3. Click Save.

  4. Click Activate Changes.

Restarting

Now you must restart Oracle Business Intelligence.

To restart Oracle Business Intelligence:

  1. Stop the Administration Server from within WebLogic Admin console.

    Everything should now be stopped.

  2. Use the <DomainHome>/bitools/bin/start.sh script to start everything.

    You won't yet be able to login through Analytics since Oracle Web Service Manager (OWSM) is still using the disabled HTTP port.

  3. Confirm that HTTP is disabled by logging in to both the HTTP and HTTPS WebLogic console URLs. Only the HTTPS one should work.

    HTTP should quickly display an 'Unable to connect' error (the wording varies with the browser). Be careful not to mix the protocols and ports. The browser may hang when attempting to connect to a running port with the wrong protocol.

Configuring OWSM to Use t3s

You must now change the Oracle Web Services Manager (OWSM) configuration to use the HTTPs port.

To configure OWSM to use t3s:

  1. Login to Fusion Middleware Control 12c:

    https://<Host>:<SecureAdminPort>/em

  2. Select WebLogic Domain, Cross Component Wiring, Components.

  3. Select Component Type, OWSM Agent.

  4. Select the row owsm-pm-connection-t3 with status 'Out of Sync', and click Bind.

    The HTTP(s) OWSM link is not used when using a local OWSM.

  5. Select Yes in the pop-up box.
  6. Confirm by accessing the policy via the validator:

    https://<host>:<ManagedServerSSLPort>/wsm-pm/validator

Restarting System

You must stop and restart all servers then test Analytics login with HTTPs.

To restart Oracle Business Intelligence:

  1. Stop all servers using the <DomainHome>/bitools/bin/stop.sh script.

    Everything should now be stopped.

  2. Use the <DomainHome>/bitools/bin/start.sh script to start everything.
  3. Confirm that you can login to Analytics at:

    https://<Host>:<SecureManagedServerPort>/analytics

    The WebLogic tier is now using HTTPs only for its outward facing ports and therefore for all WebLogic infrastructure. The internal BI channel and BI system components are still using HTTP.