
Configuring SSL in OBIEE 11g

This blog covers configuring SSL for OBIEE 11g in a scenario where the SSL certificate is not in the format that WebLogic Server (WLS) readily accepts: a Java KeyStore (JKS) file.

First, a certificate request (.csr) should have been generated on the server where SSL will be configured and a signed certificate obtained from a Certificate Authority (CA). Consider that IIS web server was used to generate the certificate request. The signed certificate from the CA will have to be installed on IIS because the request originated from IIS where the private key for the certificate is stored. Once the signed certificate is installed, you can export it along with the private key.


Ensure that the certificate request and the signed certificate are available in a folder on the server, say C:\SSL. Complete installing the certificate on IIS, if not already done.

To set up a secure connection in OBIEE, the certificate has to be provided in a JKS format to the WebLogic server.

Prior to setting SSL for OBIEE, WebLogic must be enabled for SSL and certificates must be prepared for this.

Export Certificate from IIS

1. Open the Internet Information Services administration console located in the Control Panel -> Administrative Tools.

2. In IIS Manager, click on the server name. The server properties are displayed in the right pane. Double-click the Server Certificates property.


3. The server certificate with DNS (alias) name is displayed.


4. Right-click the certificate and select View. Go to the Detail tab.

5. [Screenshot: Certificate Information]

6. Click on Copy to File.

7. The Certificate Export Wizard is displayed. Click Next.


8. Select Yes, export the private key and click Next.


9. Personal Information Exchange format is selected. Check the box Include all certificates in the certificate path if possible and click on Next.


10. Provide a password for the private key (for instance, mypassword) and click Next.


11. In the File to Export window, click the Browse button, choose a location on the server (here C:\SSL\OBIEECert), and click Save. Click Next to complete the export; the certificate and its private key are saved as a .pfx (PKCS12) file.

Import Certificate to a Java KeyStore (JKS)

Open a command prompt on the server and change to the directory C:\SSL, or to wherever you saved the exported certificate. Type the following command to import the exported PFX file into a new Java KeyStore file.

Note: We use the keytool command, which is located in the OBIEE installation directory under the Oracle_BI1 folder. Change the path depending on where you have OBIEE installed.

C:\SSL> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -importkeystore -destkeystore WLSOBIEECert.jks -deststoretype JKS -srckeystore OBIEECert.pfx -srcstoretype pkcs12

You will be prompted for the destination and source passwords. The source password is the password provided during the certificate export. The source and destination passwords can be the same. The Java KeyStore is now created and you will see the message “1 entries successfully imported”.

Leave the command prompt open and note or copy the alias displayed next to “Entry for alias … successfully imported”.


The default alias given during the import is not user-friendly and will have to be changed so it can be remembered for later.

To change the alias, type the following keytool command in the command prompt:

C:\SSL>OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -keystore WLSOBIEECert.jks -storepass mypassword -changealias -alias le-105613dd-d410-4900-8c6d-103a12feb7c3 -keypass mypassword -destalias MyAliasName

List contents of the keystore: 

To ensure your entire certificate chain was imported into the keystore, you can list the contents of the keystore using the following command:

> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -list -v -keystore WLSOBIEECert.jks

You will be prompted for the keystore password. Enter the password you provided when creating the keystore (mypassword). In the output, look for Certificate Chain Length. This should match your original certificate chain length.

Import Certificate into cacerts.jks

The WebLogic server looks for trusted certificates in the cacerts.jks keystore in the OBIEE install directory, located at OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts.jks.

CA Secondary Intermediate Certificate 

CA Primary Intermediate Certificate 

CA Root Certificate 

Server Signed Certificate 

In order for WebLogic to recognize the certificate as a trusted certificate, you have to import the signed certificate, secondary intermediate, and primary intermediate into cacerts.jks. Combine these into a single file in the order stated and then import into cacerts.jks. Depending on the CA, you may or may not have intermediate certificates.

Open the certificate in IIS. The Certification Path tab shows the certificate root and primary and secondary certificates.


In the email you received from the CA with the signed certificate, you will see the text of the certificate is embedded in the email in addition to the attachment.

  •  Copy the text from the email, starting from -----BEGIN CERTIFICATE----- up to -----END CERTIFICATE----- (including the five dashes), and paste it in Notepad.

The email you receive from your CA with the signed certificate will also contain links to the root and intermediate certificates. An example screen shot is given on the next page:

The link will display primary and secondary intermediate certificates.

  •  Copy the text in the Secondary SSL Intermediate CA Certificate and paste it under the server certificate in Notepad. Press Enter after -----END CERTIFICATE-----. Be sure there are no spaces after the five hyphens.

  •  Copy and paste the Primary Intermediate CA Certificate similarly. Be sure no spaces or new line character gets added to the end of the file.

  •  Save the Notepad file as OBICACERTS.pem to the folder C:\SSL or wherever you have been saving the certificates in the previous steps on the server.

  •  Import the file to cacerts.jks using the command below. This command also uses keytool, located in the OBIEE installation directory.

C:\SSL> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyAliasName -file OBICACERTS.pem

You may be prompted asking if you trust the certificate. Type yes at the prompt.
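A check of the combined file before it is imported, as an added example that is not part of the original post: it flags the paste problems the steps above warn about (spaces after the hyphens, hyphens turned into typographic dashes, stray text between blocks) and returns a SHA-1 fingerprint per block in the colon-separated form that keytool -list -v prints, so the entries in the keystore can be compared against the file. The function names are hypothetical and the sample bundle is constructed from placeholder bytes, not real certificates.

```python
import base64
import hashlib
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def fingerprint(der):
    """SHA-1 of the decoded bytes, colon-separated as in `keytool -list -v`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def lint_pem_bundle(text):
    """Return (fingerprints, problems) for a pasted bundle such as OBICACERTS.pem."""
    fingerprints, problems, body, inside = [], [], [], False
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")  # tolerate Notepad's CRLF line endings
        # Mail clients and web pages often turn "-----" into en/em dashes.
        if any("\u2010" <= ch <= "\u2015" for ch in line):
            problems.append(f"line {n}: typographic dash, markers need ASCII hyphens")
            continue
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
            line = line.rstrip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN found before the previous END")
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
                fingerprints.append(fingerprint(der))
            except ValueError:
                problems.append(f"line {n}: block body is not valid base64")
        elif inside:
            body.append(line)
        elif line:
            problems.append(f"line {n}: unexpected text outside a certificate block")
    if inside:
        problems.append("end of file: missing END CERTIFICATE marker")
    return fingerprints, problems

def pem_block(der):
    """Wrap bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])

# Constructed sample data: placeholder bytes standing in for real certificates.
SAMPLE_DERS = [b"server-cert" * 9, b"secondary-intermediate" * 5, b"primary-intermediate" * 5]
GOOD_BUNDLE = "\n".join(pem_block(d) for d in SAMPLE_DERS)
BAD_BUNDLE = GOOD_BUNDLE.replace(END, END + " ", 1)  # trailing space after first END
```

For the real file, read OBICACERTS.pem as text and pass its contents to lint_pem_bundle; an empty problems list and one fingerprint per pasted certificate is the expected result.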

Set up SSL in WebLogic Console

Log in to the WebLogic Console as the Admin user that was set up during installation.

Under Environment click on Servers. Then click on bi_server1 


Note: Before making any changes, take a backup of the entire config folder under OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain.

Click Lock and Edit in the left pane to start making changes.

In the General tab, select SSL Listen Port Enabled.


Go to the Keystores tab and click on Change next to Keystores: 

Select Custom Identity and Java Standard Trust. Click Save. 


Back in the Keystores tab, enter the following information:

Custom Identity Keystore: C:\SSL\WLSOBIEECert.jks

Custom Identity Keystore Type: JKS

Custom Identity Keystore Passphrase: mypassword

Confirm Custom Identity Keystore Passphrase: mypassword

Leave the Trust section with the prepopulated values. You already added the CA certificates to cacerts.jks, so the Custom Keystore can be recognized as trusted.

Click Save. 


Repeat the above steps for the Admin Server, starting again from the Environment -> Servers page.


Click Activate Changes and restart the services from the start menu on the server.

Manually configure WebLogic 

  •  Open the file OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd for editing.

  •  Add the following line if it does not already exist:

set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\SSL\\WLSOBIEECert.jks" -Djavax.net.ssl.keyStore="C:\\SSL\\WLSOBIEECert.jks" -Djavax.net.ssl.keyStorePassword="mypassword"

Note: You must escape any backslash (\) character in a path by using an additional backslash (\) character.

  •  Restart all services.

Enable SSL for OBIEE Components

  •  Open the server certificate from IIS; export the Root CA Certificate to a DER encoded format.

  •  Save the file as C:\SSL\OBIRootCert.cer.

To enable SSL for OBIEE components, go to WebLogic Enterprise Manager (Fusion Middleware Control) at http://enteryourOBIEEwebserverurl:7001/em

  •  Log in as Admin user set up during installation.
  •  From the navigation pane, expand the Business Intelligence folder and select coreapplication.


  •  Go to the Security Tab.
  •  Click on Lock and Edit Configuration. 
  •  Select Use SSL for Middle-Tier Communications.


Note from Oracle document: If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. When selected, this checkbox enables SSL to be the method of communication between Oracle BI components.

  •  In the Weblogic CA Certificate location, give the path C:\SSL\OBIRootCert.cer or the location where you saved the root certificate.

  •  Click Apply.

  •  You will receive a confirmation message: “Confirmation Generate New Certificates – Completed Successfully”.

  •  Close this dialog.

  •  Click Activate Changes.

  •  Restart all services.

  •  Back in Fusion Middleware Control, go to the SSL page, click View SSL report to verify internal SSL communications status. If you can see this link, SSL is enabled.

  •  Log in below as Admin user:

      o Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7001 and 9704.

      o Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7002 and 9804.

      o All logins should be successful.

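Also add the CA root certificate to WebLogic as a trusted certificate. Use an alias that is not already present in cacerts (MyRootAliasName here, a placeholder), because keytool will not import a certificate under an alias that already exists in the keystore.

> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyRootAliasName -file OBIRootCert.cer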

Restart all services. Your OBIEE environment is now set up to use SSL.

About the Author 

I have more than 10 years experience of Business Intelligence (BI) in two leading BI stacks (Oracle and Microsoft), cross platform data migration and integration. I always explore possibilities of integrating cross platform BI technologies for clients to stitch heterogeneous systems to save cost, cut waste and improve efficiencies.
