1. Essbase Stack Deployment on Oracle Cloud Infrastructure
  2. Set Up Oracle Essbase
  3. Complete Post-Deployment Tasks
  4. Set Up SSL Certificates

Set Up SSL Certificates

After you deploy the Essbase stack, Oracle highly recommends that you update the SSL certificates, using the Oracle Cloud Infrastructure console or APIs, to one that has been signed with a trusted certificate authority.

For information on setting up a trusted certificate authority, see Managing SSL Certificates.

If you want use MaxL with self-signed certificates, see Manage Essbase Using the MaxL Client .

If you select to provision the Oracle Cloud Infrastructure Load Balancer during the Essbase stack provisioning process, the Load Balancer is configured with a demo certificate you can use for SSL access. The demo certificate is self-signed.

When you use a self-signed certificate, including the provided demo certificate, you must perform additional configuration to enable the use of partitions, as well as Essbase C- and Java-based clients. You also need to ignore hostname verification on the WebLogic part of the Essbase stack. Caution: use of self-signed certificates should be only temporary, until you can obtain a trusted CA certificate.

Steps for Using Partitions with Self-Signed Certificates

When you use a self-signed certificate, you must perform additional configuration and also disable peer certificate verification, to enable the use of partitions.

  1. Access the Essbase node using SSH, as described in Access Oracle Essbase Using SSH.

  2. Change to oracle user.

    sudo su - oracle

  3. Open essbase.cfg for editing.

    Example location for a stack deployment on OCI:

    vi /u01/config/domains/essbase_domain/config/fmwconfig/essconfig/essbase/essbase.cfg

    The example location is likely different for an independent deployment:

    /scratch/user/oracle_home/user_projects/domains/essbase_domain/config/fmwconfig/essconfig/essbase/essbase.cfg

  4. Add the following variable to the bottom of the file.

    env:API_DISABLE_PEER_VERIFICATION 1

Steps for Using Java-based Clients with Self-Signed Certificates

When you use a self-signed certificate and a Java client, you must configure your Java client.

  1. From an external host, download the certificate provided with Essbase. 

    echo -n | openssl s_client -connect <ESSBASE-ENDPOINT>:443 | sed -ne  '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/lbr.cert

  2. Import the certificate to the Java keystore. For example, if you're working from the Essbase node, and assuming you downloaded the certificate to /tmp/lbr.cert on the Essbase server.

    1. Log in as user opc. Access the Essbase node using SSH.

    2. Run commands to add lbr.cert to the keystore. For example (your path details may differ): 

      sudo /usr/java/default/bin/keytool -noprompt -import –trustcacerts -alias mysert -file /tmp/lbr.cert -keystore /usr/java/default/jre/lib/security/cacerts -storepass

      Note that the -storepass value is the default, or existing, cacerts keystore password.

  3. Restart the Java process, if the Java client is WebLogic.

  4. Stop and restart the Essbase instance.

  5. Set up WebLogic to ignore hostname verification, as described in the next section.

Steps for Configuring WebLogic for Use with Self-Signed Certificates

If you decide to use a self-signed certificate, you must set up the WebLogic component of the Essbase stack to ignore hostname verifications.

  1. Access the Essbase node using SSH.

  2. Change to oracle user.

    sudo su - oracle

  3. Open the setDomainEnv.sh file for editing. 

    vi /u01/config/domains/essbase_domain/bin/setDomainEnv.sh

  4. Add the following line to the JAVA_OPTIONS="${JAVA_OPTIONS}" string: 

    -Dweblogic.security.SSL.ignoreHostnameVerification=true

    When you're finished, it should look like this:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

  5. Save the file.

  6. Stop and restart the Essbase stack instance.