To achieve end-to-end SSL you need to configure both internal BIEE SSL and WebLogic SSL. The internal SSL configuration is highly automated, whereas the WebLogic SSL configuration requires multiple manual steps. The two are entirely independent, so they can be performed in either order. Since the WebLogic configuration requires manual steps, Oracle advises doing that first.
Note:
This section does not include configuring SSL for Essbase.
Perform the following steps. Confirmation steps are highlighted:
This section explains how to configure a standard non-SSL Oracle Business Intelligence system.
Install Oracle BI EE.
Confirm the system is operational.
Check that you can log in over HTTP to:
Analytics
- http://<Host>:<ManagedServerPort>/analytics
Fusion Middleware Control
- http://<Host>:<AdminPort>/em
WebLogic Admin Console
- http://<Host>:<AdminPort>/console
These steps configure WebLogic using the provided demo certificates. These are not secure and must not be used in a production environment. Nevertheless, configuring with demo certificates first is a useful familiarization exercise prior to configuring with real certificates.
To configure with a certificate signed by a real Certificate Authority, see the WebLogic documentation. The certificate authority returns the signed server certificate and provides the corresponding root CA certificate. Wherever democa is mentioned in these steps, substitute your real root CA certificate.
Start just the Administration Server rather than starting everything. This avoids having to stop everything while the admin connection properties are in a state of flux, which confuses the stop-everything script.
Follow these steps to configure the HTTPS ports.
Login to WebLogic Admin console.
Click Lock and Edit.
Select environment, servers.
For each server:
On the main Configuration tab, select SSL Listen Port Enabled.
Click Save.
Click Activate Changes.
Enable trust of demo certificates in your browser:
If you are using WebLogic demo certificates your browser will not trust the WebLogic server. You will need to enable trust in your browser. If using a standard Certificate Authority whose certificates are trusted by default by your browser then you can omit this step.
Go to the URL https://<host>:<AdminServerSSLPort>
Note that this is the base URL, with no em or console on the path. Your browser will warn you about the demo certificate; accept the certificate exception here, at the base URL. The exception covers every path on that host and port, so you only have to do this once rather than separately for the WebLogic console and Fusion Middleware Control. If you go directly to the em and console paths you will have to set up multiple certificate exceptions.
The base URL should return a 404 error once the SSL connection is made. This is fine.
Check the secure WebLogic console URL:
https://<Host>:<AdminServerSSLPort>/console
Check the secure Fusion Middleware Control URL:
https://<Host>:<AdminServerSSLPort>/em
Do not disable HTTP yet. You will run a script later that needs to access the Administration Server using the non-SSL port.
Do the HTTPS check in the existing browser session that is already logged in to Fusion Middleware Control over HTTP.
Enabling secure replication:
In WebLogic Administration Console:
Click Lock and Edit.
Select Environment, Clusters, and bi_cluster.
Select Configuration, and the Replication tab.
Select secure replication enabled.
If you do not do this, the managed servers will fail to startup, remaining in admin mode. This prevents the start scripts from running.
Click Save.
Click Activate Changes.
If you have configured an external Identity Store, you can skip performing this step. Perform this task if using WebLogic Server LDAP, and the virtualize property is not set to true.
You can configure an external identity store to use a secure connection. To use an external identity store, you must change the URL in the internal LDAP ID store.
You must now provide a trust keystore.
See One-way SSL in a Multi-LDAP Scenario in Securing Applications with Oracle Platform Security Services.
Note:
This section only applies when using WebLogic Server LDAP and when virtualize=true is set, as you are explicitly pointing the Administration Server.
In a terminal window set the environment variables ORACLE_HOME and WL_HOME.
For example, on Linux (csh/tcsh syntax):
setenv ORACLE_HOME <OracleHome>
setenv WL_HOME <OracleHome>/wlserver/
Ensure that both your PATH and JAVA_HOME point to the JDK 8 installation. Prepend the JDK to PATH rather than replacing PATH, otherwise the other tools used below will no longer be found:
setenv JAVA_HOME <path_to_your_jdk8>
setenv PATH $JAVA_HOME/bin:$PATH
Check the java version by running:
java -version
Run (without the line breaks):
<OracleHome>/oracle_common/bin/libovdconfig.sh
-host <Host>
-port <AdminServerNonSSLPort>
-userName <AdminUserName>
-domainPath <DomainHome>
-createKeystore
When prompted enter the existing password for <AdminUserName>.
When prompted for the OVD Keystore password, choose a new password. You will need this later.
For example:
oracle_common/bin/libovdconfig.sh -host myhost -port 7001 -userName weblogic -domainPath /OracleHome/user_projects/domains/bi -createKeystore
Enter AdminServer password:
Enter OVD Keystore password:
OVD config files already exist for context: default
CSF credential creation successful
Permission grant already available for context: default
OVD MBeans already configured for context: default
Successfully created OVD keystore.
Note: The -port <AdminServerNonSSLPort> option must be given the Administration Server's non-SSL port, and the script fails if that port has been disabled. If you enable SSL and disable HTTP before configuring LDAPS, you will need to temporarily re-enable the non-SSL port on the Administration Server.
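The following wrapper is an added example and is not Oracle's script. It performs the two checks that most often make the libovdconfig.sh step fail before actually running it: it confirms that the java first on PATH is JDK 8 (parsing the real output of java -version, which uses the old 1.8.x numbering as well as the newer 11.x style), and it confirms that the Administration Server's non-SSL port still accepts connections, which is the caveat in the note above. It assumes bash (for /dev/tcp), a hypothetical set of variables ORACLE_HOME, DOMAIN_HOME, ADMIN_HOST, ADMIN_PORT and ADMIN_USER exported by the caller, and JAVA_HOME already set; the libovdconfig.sh invocation and the keytool -list check are exactly the commands shown in the text.

```bash
#!/usr/bin/env bash
# Added example; not Oracle's script. Pre-flight checks for the libovdconfig.sh
# run: verifies a JDK 8 java is first on PATH and that the Administration
# Server's non-SSL port still accepts connections (the script fails against a
# disabled port), then runs libovdconfig.sh and lists the new keystore.
# Assumptions: bash (uses /dev/tcp); ORACLE_HOME, DOMAIN_HOME, ADMIN_HOST,
# ADMIN_PORT (non-SSL), ADMIN_USER and JAVA_HOME are exported by the caller.

# Major Java version from the text of `java -version 2>&1`: "1.8.0_271" -> 8,
# "11.0.12" -> 11 (handles both the old 1.x and the new numbering).
# Returns 1 and prints nothing when no version string is found.
java_major() {
    local v
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$v" in
        '')  return 1 ;;
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Return 0 when the java -version text describes JDK 8.
require_jdk8() {
    [ "$(java_major "$1")" = 8 ]
}

# Return 0 when host:port accepts a TCP connection (bash /dev/tcp, no nc needed).
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

run_libovdconfig() {
    export WL_HOME="$ORACLE_HOME/wlserver"
    export PATH="$JAVA_HOME/bin:$PATH"          # prepend; do not clobber PATH
    require_jdk8 "$(java -version 2>&1)" || {
        echo "java on PATH is not JDK 8: $(java -version 2>&1 | head -n 1)" >&2
        return 1
    }
    port_open "$ADMIN_HOST" "$ADMIN_PORT" || {
        echo "Admin Server non-SSL port $ADMIN_HOST:$ADMIN_PORT is closed; re-enable it first" >&2
        return 1
    }
    "$ORACLE_HOME/oracle_common/bin/libovdconfig.sh" \
        -host "$ADMIN_HOST" -port "$ADMIN_PORT" -userName "$ADMIN_USER" \
        -domainPath "$DOMAIN_HOME" -createKeystore || return 1
    # Show the freshly created (still empty) libOVD adapters keystore.
    keytool -list -keystore "$DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks"
}

# Usage: ORACLE_HOME=... DOMAIN_HOME=... ADMIN_HOST=myhost ADMIN_PORT=7001 \
#        ADMIN_USER=weblogic JAVA_HOME=... ./libovd_preflight.sh run
if [ "${1:-}" = run ]; then
    run_libovdconfig
fi
```

The port probe is deliberately done against the non-SSL port only: the script authenticates to the Administration Server over plain HTTP, so a reachable SSL port tells you nothing about whether this step will succeed.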
Check the resultant keystore exists, and see its initial contents, by running:
keytool -list -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks
Now export the root CA certificate (the demo certificate, or your real root CA) in a format suitable for importing into the keystore just created.
In Fusion Middleware Control:
If using the demo WebLogic certificate you can get the required root CA from the system keystore using Fusion Middleware Control.
Select WebLogicDomain, Security, Keystore.
Expand System.
Select Trust.
Click Manage.
Select democa (NOT olddemoca).
Click Export.
Select export certificate.
Choose a file name.
For example, demotrust.pem
If not using the demo WebLogic certificate, you will need to obtain the root CA certificate of the CA which signed your secure server certificate.
Now import into the just created keystore:
keytool -importcert -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks -alias localldap -file <DemoTrustFile>
When prompted enter the keystore password you chose earlier, and confirm that the certificate is to be trusted.
If you repeat the keytool -list command you should see a new entry under localldap, for example:
localldap, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CA:61:71:5B:64:6B:02:63:C6:FB:83:B1:71:F0:99:D3:54:6A:F7:C8
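Seeing a localldap entry only proves that something was imported under that alias. The script below is an added example, not part of the Oracle documentation, and closes the loop: it compares the SHA-1 fingerprint keytool reports for the localldap trustedCertEntry with the SHA-1 fingerprint openssl computes for the PEM file you exported from Fusion Middleware Control, so an accidental import of the wrong file (olddemoca instead of democa, or a stale PEM) is caught immediately. It assumes keytool (JDK 8, which prints SHA1 fingerprints) and openssl on PATH, the keystore password in a hypothetical OVD_KEYSTORE_PASS variable, and a PEM export; the keystore path and alias are the ones used in the text. The embedded keytool listing is a constructed sample built from the example output above, so the parser can be exercised without a real keystore.

```bash
#!/usr/bin/env bash
# Added example; not part of the Oracle documentation. Verifies that the
# root CA certificate exported from Fusion Middleware Control is the one
# now stored under the "localldap" alias in the libOVD adapters keystore,
# by comparing SHA-1 fingerprints from keytool and openssl.
# Assumptions: keytool (JDK 8) and openssl on PATH; keystore password
# supplied in OVD_KEYSTORE_PASS (hypothetical); exported certificate is PEM.

# Print the SHA-1 fingerprint that keytool -list output ($1) reports for a
# trustedCertEntry alias ($2), upper-cased. Prints nothing if the alias is
# absent or is some other entry type (e.g. PrivateKeyEntry). The fingerprint
# may be on the alias's next line or, as some renderings show it, one line
# further down; any subsequent xx:xx:... hex run is taken.
keystore_fingerprint() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        BEGIN { key = alias "," }
        index($0, key) == 1 { want = ($0 ~ /trustedCertEntry/); next }
        want && match($0, /[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+/) {
            print toupper(substr($0, RSTART, RLENGTH))
            exit
        }'
}

# Normalise "SHA1 Fingerprint=ca:61:..." (openssl) to keytool's form.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# SHA-1 fingerprint of a PEM certificate file, in keytool's form.
pem_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha1)"
}

# Return 0 when the keystore entry ($2) in keystore file ($1) has the same
# fingerprint as the PEM file ($3); 1 on mismatch or missing entry.
verify_import() {
    local ks=$1 alias=$2 pem=$3 listing ks_fp pem_fp
    listing=$(keytool -list -keystore "$ks" -storepass "$OVD_KEYSTORE_PASS") || return 1
    ks_fp=$(keystore_fingerprint "$listing" "$alias")
    pem_fp=$(pem_fingerprint "$pem")
    [ -n "$ks_fp" ] && [ "$ks_fp" = "$pem_fp" ]
}

# Constructed sample of keytool -list output (fingerprint taken from the
# example in the text), used for the stand-alone run below.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

localldap, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CA:61:71:5B:64:6B:02:63:C6:FB:83:B1:71:F0:99:D3:54:6A:F7:C8'

# Usage: OVD_KEYSTORE_PASS=... ./verify_localldap.sh \
#            <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks demotrust.pem
if [ $# -eq 2 ]; then
    if verify_import "$1" localldap "$2"; then
        echo "localldap matches $2"
    else
        echo "MISMATCH or missing localldap entry in $1" >&2
        exit 1
    fi
else
    # No arguments: demonstrate the parser on the constructed sample.
    keystore_fingerprint "$SAMPLE_LISTING" localldap
fi
```

Run it once against the real keystore immediately after the keytool -importcert step; a mismatch at this point is far cheaper to diagnose than an LDAP trust failure surfacing later as managed servers stuck in admin mode.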
After securing the system to use HTTPS, you must also disable HTTP to fully secure the environment.
Login to WebLogic Administration console.
Click Lock & Edit.
Select environment, servers.
For each server:
Display the Configuration tab
Clear Listen Port Enabled.
Click Save.
Click Activate Changes.
Now you must restart Oracle Business Intelligence using the start.sh script located in <DomainHome>/bitools/bin/start.sh.
Check the URLs again. Only the HTTPS URLs should work. HTTP should quickly fail with an error similar to "Unable to connect". Do not mix the protocols and ports: the browser can hang when attempting to connect to a running port with the wrong protocol.
You cannot yet log in through Analytics, because Oracle Web Services Manager (OWSM) is still configured to use the HTTP port that has just been disabled. You must now change the OWSM configuration to use the HTTPS port.
The HTTP(S) OWSM link is not used when using a local OWSM.
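The browser checks in this section (the HTTPS base URL returning 404 and the console and em paths working, earlier; HTTP being refused, here) can be scripted so they are repeatable and do not hang the way a browser does when the wrong protocol hits a live port. The script below is an added example and is not part of the Oracle documentation. It probes each URL with curl, translates curl's exit status into the outcome you expect at this stage, and reads the served certificate's issuer with openssl to warn when the WebLogic demo certificate is still in use. It assumes curl and openssl are installed, that the demo CA's issuer contains "FOR TESTING ONLY" or "CertGenCA" (the names WebLogic's CertGen demo CA uses), and a hypothetical CA_FILE variable pointing at your real root CA; when CA_FILE is unset it falls back to curl -k, which is acceptable only for the demo-certificate familiarization exercise.

```bash
#!/usr/bin/env bash
# Added example; not part of the Oracle documentation. Probes the WebLogic
# ports after the SSL changes: the HTTPS base URL should answer 404, the
# plain HTTP port should refuse connections once it is disabled, and the
# served certificate should not be the WebLogic demo certificate.
# Assumptions: curl and openssl installed; the demo CA's issuer contains
# "FOR TESTING ONLY" / "CertGenCA"; CA_FILE (optional) is the real root CA.

# Classify a curl run from its exit status ($1) and the HTTP status it
# printed ($2). curl exit codes: 7 = connection refused, 28 = timeout,
# 35 = TLS handshake failed (often HTTPS spoken to a plain port or the
# reverse), 60 = server certificate not trusted (expected with the demo cert
# when CA_FILE is unset and -k is not used).
classify() {
    local rc=$1 code=$2
    case "$rc" in
        0)  case "$code" in
                404) echo "up (404 at base URL is expected)" ;;
                *)   echo "up (HTTP $code)" ;;
            esac ;;
        7)  echo "refused (port closed)" ;;
        28) echo "timeout" ;;
        35) echo "handshake failed (wrong protocol for this port?)" ;;
        60) echo "untrusted certificate (demo cert or missing --cacert)" ;;
        *)  echo "curl error $rc" ;;
    esac
}

# Return 0 when an X.509 issuer line looks like the WebLogic demo CA.
is_demo_issuer() {
    case "$1" in
        *"FOR TESTING ONLY"*|*CertGenCA*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the issuer of the leaf certificate served on host ($1) port ($2).
server_issuer() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Probe one URL and print its classification. With CA_FILE set the real
# root CA is used for verification; otherwise -k skips verification.
probe() {
    local url=$1 code rc
    if [ -n "${CA_FILE:-}" ]; then
        code=$(curl -s --cacert "$CA_FILE" --connect-timeout 5 -o /dev/null -w '%{http_code}' "$url"); rc=$?
    else
        code=$(curl -sk --connect-timeout 5 -o /dev/null -w '%{http_code}' "$url"); rc=$?
    fi
    printf '%-50s %s\n' "$url" "$(classify "$rc" "$code")"
}

main() {
    local host=$1 ssl_port=$2 http_port=$3 issuer
    probe "https://$host:$ssl_port/"
    probe "https://$host:$ssl_port/console"
    probe "https://$host:$ssl_port/em"
    probe "http://$host:$http_port/"      # should be "refused" once HTTP is disabled
    issuer=$(server_issuer "$host" "$ssl_port")
    echo "issuer: $issuer"
    if is_demo_issuer "$issuer"; then
        echo "WARNING: WebLogic demo certificate in use; not for production" >&2
    fi
}

# Usage: [CA_FILE=root-ca.pem] ./check_wls_ssl.sh <Host> <AdminServerSSLPort> <AdminPort>
if [ $# -eq 3 ]; then
    main "$@"
fi
```

Run it before disabling HTTP (expect the HTTP line to report "up") and again after the restart (expect "refused"); the issuer warning is the check to keep in whatever pipeline promotes this configuration towards production.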