Enabling End-to-End SSL

To achieve end to end SSL you need to configure both internal BIEE SSL and WebLogic SSL. The internal SSL configuration is highly automated whereas the WebLogic SSL configuration requires multiple manual steps. The two are entirely independent, so can be performed in either order. Since the WebLogic configuration requires manual steps Oracle advises doing that first.


This section does not include configuring SSL for Essbase.

Perform the following steps. Confirmation steps are highlighted:

Configuring a Standard Non-SSL Oracle BI EE System

This section explains how to configure a standard non-SSL Oracle Business Intelligence system.

  • Install Oracle BI EE.

  • Confirm the system is operational.

    Check you can login over http to use:

    • Analytics

      - http://<Host>:< ManagedServerPort >/analytics

    • Fusion Middleware Control

      - http://<Host>:< AdminPort>/em

    • WebLogic Admin Console

      - http://<Host>:<AdminPort>/console

Configuring WebLogic SSL

These steps configure WebLogic using the provided demo certificates. These are not secure. They must not be used in a production environment. Nevertheless configuring with demo certificates first is a useful familiarization exercise prior to configuring with real certificates.

To configure with a secure certificate signed by a real Certificate Authority see WebLogic documentation. The certificate authority should return the signed server certificate, and provide a corresponding root CA certificate. Where ever democa is mentioned in these steps replace with your real CA certificate.

This section contains the following topics:

Starting Only the Administration Server

Starting up just the Administration Server rather than starting everything avoids the need to stop everything while the admin connection properties are in a state of flux, which confuses the stop everything script.

  1. Stop everything with:


  2. Start up just the Administration server with:

    <DomainHome>/bitools/bin/start.sh -i Adminserver

Configuring HTTPS Ports

Follow these steps to configure the HTTPs ports.

  1. Login to WebLogic Admin console.

  2. Click Lock and Edit.

  3. Select environment, servers.

    For each server:

    1. On the main Configuration tab, select SSL Listen Port Enabled.

    2. Click Save.

    3. Click Activate Changes.

  4. Enable trust of demo certificates in your browser:

    If you are using WebLogic demo certificates your browser will not trust the WebLogic server. You will need to enable trust in your browser. If using a standard Certificate Authority whose certificates are trusted by default by your browser then you can omit this step.

    1. Go to URL https://<host>:<AdminServerSSLPort>

      Note that this is the base URL, with no em or console on the path. By first accessing the base URL you can set up a single browser certificate exception. If you go directly to the em and console paths you will have to setup multiple certificate exceptions.

      Your browser will warn you about the demo certificate.

    2. Enable the certificate exception by going to the base URL.

      You only have to do this once, rather than separately for WebLogic console and Fusion Middleware Control.

      The base URL should give a 404 error once the ssl connection is made. This is fine.

  5. Check the secure WebLogic console URL:


  6. Check the secure Fusion Middleware Control URL:


    Do not disable HTTPs yet. You will run a script later that needs to access the Admin Server using the non-SSL port.

    HTTPs check should be in existing browser already logged into Fusion Middleware Control using HTTP.

  7. Enabling secure replication:

    1. In WebLogic Administration Console:

      Click Lock and Edit.

    2. Select Environment, Clusters, and bi_cluster.

    3. Select Configuration, and the Replication tab.

    4. Select secure replication enabled.

      If you do not do this, the managed servers will fail to startup, remaining in admin mode. This prevents the start scripts from running.

    5. Click Save.

    6. Click Activate Changes.

Configuring Internal WebLogic Server LDAP to Use LDAPs

If you have configured an external Identity Store, you can skip performing this step. Perform this task if using WebLogic Server LDAP, and the virtualize property is not set to true.

You can configure an external identity store to use a secure connection. To use an external identity store, you must change the URL in the internal LDAP ID store.

  1. Login to Fusion Middleware Control using a URL similar to the following:


  2. Click WebLogic Domain, click Security, and click Security Provider Configuration.
  3. Expand theIdentity Store Provider segment.
  4. Click Configure, and click the plus symbol (+) to add a new property.
  5. Add a ldap.url property using the following format for the administration server address rather than the bi_server1 address:

    ldaps://<host>:<adminServer HTTPS port>, for example, ldaps://myexample_machine.com:9501.

  6. In the Property editor, click OK.
  7. On the Identity Store Provider page, click OK.
  8. Open the jps-config.xml file located in <DomainHome>/config/fmwconfig/jps-config.xml.
  9. In the file look for the line, <property name="ldap.url" value="ldaps://<Host>:<AdminServerSecurePort>"/> to confirm that the configuration change.

Configuring Internal WebLogic Server LDAP Trust Store

You must now provide a trust keystore.

See One-way SSL in a Multi-LDAP Scenario in Securing Applications with Oracle Platform Security Services


This section only applies when using WebLogic Server LDAP and when virtualize=true is set, as you are explicitly pointing the Administration Server.

  1. In a terminal window set the environment variables ORACLE_HOME and WL_HOME.

    For example, on Linux:

    setenv ORACLE_HOME <OracleHome>

    setenv WL_HOME <OracleHome>/wlserver/

  2. Ensure that both your path and JAVA_HOME point to the JDK 8 installation.

    setenv JAVA_HOME <path_to_your_jdk8>

    setenv PATH $JAVA_HOME/bin

  3. Check the java version by running:

    java -version

  4. Run (without the line breaks):


    -host <Host>

    -port <AdminServerNonSSLPort>

    -userName <AdminUserName>

    -domainPath <DomainHome>


    When prompted enter the existing password for <AdminUserName>.

    When prompted for the OVD Keystore password, choose a new password. You will need this later.

    For example:

    oracle_common/bin/libovdconfig.sh -host myhost -port 7001 -userName weblogic -domainPath /OracleHome/user_projects/domains/bi -createKeystore
    Enter AdminServer password:
    Enter OVD Keystore password:
    OVD config files already exist for context: default
    CSF credential creation successful
    Permission grant already available for context: default
    OVD MBeans already configured for context: default
    Successfully created OVD keystore.

    Note: The -port <AdminServerNonSSL> command does not work against the Admin server non-SSL port when it has been disabled. If you enable SSL and then configure LDAPs you would need to temporarily re-enable the non-SSL port on the Administration Server.

  5. Check the resultant keystore exists, and see its initial contents, by running:

    keytool -list -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks

  6. We now need to export the demo certificate in a suitable format to import into the above keystore.

    In Fusion Middleware Control:

    If using the demo WebLogic certificate you can get the required root CA from the system keystore using Fusion Middleware Control.

    1. Select WebLogicDomain, Security, Keystore.

    2. Expand System.

    3. Select Trust.

    4. Click Manage.

    5. Select democa (NOT olddemoca).

    6. Click Export.

    7. Select export certificate.

    8. Choose a file name.

      For example, demotrust.pem

      If not using the demo WebLogic certificate then you will need to obtain the root CA of the CA which singed your secure server certificate.

  7. Now import into the just created keystore:

    keytool -importcert -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks -alias localldap -file <DemoTrustFile>
  8. When prompted enter the keystore password you chose earlier, and confirm that the certificate is to be trusted.

  9. If you repeat the keystore -list command you should see a new entry under localldap, for example:

    localldap, Jul 8, 2015, trustedCertEntry,

    Certificate fingerprint (SHA1):


Disabling HTTP

After securing the system to use HTTPS, you must also disable HTTP to fully secure the environment.

  1. Login to WebLogic Administration console.

  2. Click Lock & Edit.

  3. Select environment, servers.

    For each server:

    1. Display the Configuration tab

    2. Clear Listen Port Enabled.

    3. Click Save.

  4. Click Activate Changes.


Now you must restart Oracle Business Intelligence.

You cannot login through Analytics since Oracle Web Service Manager (OWSM) is using the disabled HTTP port.

Only the HTTPs one should work.

HTTP should quickly display an error similar to Unable to connect error. Do not to mix the protocols and ports. The browser can hang when attempting to connect to a running port with the wrong protocol.

  1. Stop the Administration Server from within WebLogic Administration console using the start.sh script located in <DomainHome>/bitools/bin/start.sh script.
  2. Confirm that HTTP is disabled by logging into both the HTTP and HTTPs WebLogic console URLs.

Configuring OWSM to Use t3s

You must now change the Oracle Web Services Manager (OWSM) configuration to use the HTTPs port.

The HTTP(s) OWSM link is not used when using a local OWSM.

  1. Login to Fusion Middleware Control 12c.


  2. Select WebLogic domain, and cross component wiring, components.
  3. Select component type, OWSM agent.
  4. Select the row owsm-pm-connection-t3 status 'Out of Sync', and click Bind.
  5. Select Yes .
  6. Confirm by accessing the policy via the validator:


Restarting System

You must stop and restart all servers then test Analytics login with HTTPs.

  1. Stop all servers using the <DomainHome>/bitools/bin/stop.sh script.
  2. Use the <DomainHome>/bitools/bin/start.sh script to start everything.
  3. Confirm your ability to log in to Analytics using a URL similar to the following:


    The WebLogic tier using HTTPs only for its outward facing ports and all WebLogic infrastructure. The internal BI channel and BI system components use HTTP.