Configuring SSL in Oracle WebLogic Server

You can configure one-way and two-way SSL in Oracle WebLogic Server.

This section contains the following topics:

Configuring One-Way SSL in Oracle WebLogic Server

One-way SSL is required to properly secure the communication between Oracle Business Intelligence and Oracle WebLogic Server.

  1. From the Oracle WebLogic Server Administration Console home page, click Servers under the Environment heading.
  2. In the Servers table, select the name of the server you want to manage.
  3. On the General tab in the Configuration tab, select SSL Listen Port Enabled.
  4. Use the Administration Tool to update the appropriate connection pool object in the Physical layer to use https:// instead of http://.
  5. Update the port number to the SSL port number, which is 7002 by default.

Configuring Two-Way SSL in Oracle WebLogic Server

You can set up two-way SSL to secure the communication between the Oracle BI Server and Oracle WebLogic Server.

Perform queries against ADF using your Oracle BI Server client of choice, such as nqcmd. The Oracle BI Server should communicate with the ADF Oracle WebLogic Server using mutual SSL (client certificates).

See Authentication Concepts in Security Guide for Oracle Business Intelligence Enterprise Edition.

  1. Create client certificates in the Oracle BI Server, if they do not already exist.
  2. Modify the ADF Oracle WebLogic Server to accept SSL connections and to perform mutual SSL using the following steps in the Oracle WebLogic Server Administration Console.
    1. Log in to the Oracle WebLogic Server Administration Console and click Servers under the Environment heading, then click the server name.
    2. In the Change Center, click Lock & Edit to enable configuration changes.
    3. In the General tab, select SSL Listen Port Enabled, record the SSL Listen Port number, and then click Save.
    4. Select the SSL tab, then select Advanced. For Two Way Client Cert Behavior, select Client Certs Requested and Enforced. Then, click Save.
    5. Select the Keystores tab and record the Trust Keystore.
      For example, if the Demo Trust keystore is used, record its location and file name.
    6. Click Activate Changes.
  3. Do the following to verify that the Certificate Authority (CA) for the Oracle BI Server client certificate is trusted by the ADF Oracle WebLogic Server:
    1. On the Oracle BI Server computer, find the CA file for the client certificate.

      If you generated the file in the previous step, the cacert.pem file is located in:

      ORACLE_HOME/user_projects/domains/bifoundation_domain/config/fmwconfig/biinstances/coreapplication/ssl
      
    2. Copy the cacert.pem file to a known location.
    3. On the ADF Oracle WebLogic Server computer, open a command window and go to the location of the trust keystore.

      Your trust keystore might use a location similar to the following:

      /scratch/user_name/view_storage/user_name_fmw/fmwtools/mw_home/wlserver_10.3/server/lib
      
    4. Copy the client CA file, for example, cacert.pem to the trust keystore location.
    5. Use the following command in the JDK keytool utility to import the client CA into the trust keystore for the ADF server, making it a trusted CA:
      keytool -import -file client_CA_file -keystore keystore_file -storepass keystore_password

      For example:

      /scratch/my_name/view_storage/my_name_fmw/jdk6/bin/keytool -import -file ~/Downloads/SSL/cacert.pem -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
      
  4. Use the following steps to update the Physical layer of the Oracle BI repository:
    1. In the Administration Tool, in the Physical layer, open the first ADF connection pool object and select the Miscellaneous tab.
    2. Update the URL field to use the https protocol and the SSL port and then click OK.
    3. Repeat the previous two steps for each additional ADF connection pool object.
    4. Save the repository and restart the Oracle BI Server.
  5. Configure the Oracle BI Server ODBC DSN to use SSL.

    For example, on Windows do the following:

    1. Open the ODBC Data Source Administrator and select the System DSN tab.

    2. Double-click the DSN for the Oracle BI Server.

      The DSN should start with coreapplication_OH.

    3. Select Use SSL.

    4. Click Next, click Next again, and then click Finish.
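
To confirm that the import in step 3 took effect before relying on two-way SSL, the following added example (not Oracle's code) compares the fingerprints of the client CA file with the entries that keytool -list reports for the trust keystore. The function names and the script name check_trust.py are hypothetical, and keytool is assumed to be on the PATH.

```python
# Added example: helper names are hypothetical, not WebLogic or JDK APIs.
import base64
import hashlib
import re
import subprocess

PEM_RE = re.compile(r"-{5}BEGIN CERTIFICATE-{5}(.+?)-{5}END CERTIFICATE-{5}", re.S)
# keytool prints fingerprints as colon-separated hex. SHA-1 is 20 bytes and
# SHA-256 is 32, so requiring 20+ bytes skips the MD5 line older JDKs print.
FP_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){19,}[0-9A-Fa-f]{2}\b")


def pem_fingerprints(pem_text):
    """Return one {sha1, sha256} hex-digest set per certificate in a PEM file."""
    result = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        result.append({hashlib.sha1(der).hexdigest(),
                       hashlib.sha256(der).hexdigest()})
    return result


def keystore_fingerprints(listing):
    """Extract every SHA-1/SHA-256 fingerprint from `keytool -list` output."""
    return {m.replace(":", "").lower() for m in FP_RE.findall(listing)}


def ca_is_trusted(pem_text, listing):
    """True only if every certificate in the PEM file is in the keystore."""
    certs = pem_fingerprints(pem_text)
    if not certs:
        raise ValueError("no certificate found in PEM input")
    present = keystore_fingerprints(listing)
    return all(fps & present for fps in certs)


def list_keystore(keystore, storepass):
    """Run keytool (assumed to be on PATH) and return its keystore listing."""
    return subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys  # usage: check_trust.py cacert.pem DemoTrust.jks passphrase
    ok = ca_is_trusted(open(sys.argv[1]).read(),
                       list_keystore(sys.argv[2], sys.argv[3]))
    print("client CA trusted" if ok else "client CA NOT in trust keystore")
    sys.exit(0 if ok else 1)
```

A nonzero exit status means the CA file and the trust keystore do not match, in which case the server set to Client Certs Requested and Enforced rejects the Oracle BI Server's client certificate.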