Configuring SSL in OBIEE 11g

By Krishna Marur Configuring SSL in OBIEE 11g This white paper covers configuring SSL for OBIEE 11g in a scenario where the SSL certificate is not in a format that Web Logic Server (WLS) readily accepts - Java Key Store (JKS) file. First a certificate request (.csr) should have been generated on the server where SSL will be configured and a signed certificate obtained from a Certificate Authority (CA). Consider that IIS web server was used to generate the certificate request. The signed certificate from the CA will have to be installed on IIS since the request originated from IIS where the private key for the certificate is stored. Once the signed certificate is installed you can export it along with the private key. SSL Ensure that the certificate request and the signed certificate are available in a folder on the server - say C:\SSL. Complete installing the certificate on IIS if not already done. In order to setup a secure connection in OBIEE the certificate has to be provided in a JKS keystore format to the WebLogic server. Prior to setting SSL for OBIEE, WebLogic must be enabled for SSL and certificates must be prepared for this. Export Certificate from IIS 1. Open the Internet Information Services administration console located in the Control Panel -> Administrative Tools. 2. In IIS Manager Click on the server name. The server properties are displayed on the right pane. Double click on Server Certificates property.

3. The server certificate with DNS (Alias) name is displayed. Webserverurl.com OBIEEInstallation Directory CA name 4. Right Click the certificate and select View. Go to the Detail tab.

5. Webserverurl.com

Certificate Information 6. Click on Copy to File. 7. The Certificate Export Wizard is displayed. Click Next.

8. Select Yes, export the private key and click Next.

9. Personal Information Exchange format is selected. Check the box Include all certificates in the certificate path if possible and click on Next.

10. Provide a password for the private key (for instance mypassword) and click Next.

11. In the File to Export window, click on Browse button and save the file locally on the server and click Save. Click Next to complete the export and save the certificate with Private Key as a.pfx(pkcs12) file.

C:\SSL\OBIEECert Import Certificate to a java keystore (JKS) Open command prompt on the server and change to the directory C:\SSL. OR the location of the path where you saved the exported certificate. Type the following command to add the imported PFX file to a new java keystore file. Note: We use the keytool command which is located in the OBIEE installation directory under the Oracle_BI1 folder. Change the path depending on where you have OBIEE installed. C:\SSL> OIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool importkeystore destkeystore WLSOBIEECert.jks -deststoretype JKS srckeystore OBIEECert.pfx srcstoretype pkcs12 You will be prompted for the destination and source password. The source password is the password provided during the certificate export. Source and destination passwords can be same. The Java KeyStore is now created and you will see a message 1 entries successfully imported. Leave the command prompt open and take a note/copy the alias displayed next to Entry for alias successfully imported.

The default alias given during the import is not user friendly and will have to be changed so it can be remembered for later. To change the alias: Type the following keytool command in the command prompt. C:\SSL>OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -keystore WLSOBIEECert.jks -storepass mypassword -changealias -alias le-105613dd-d410-4900-8c6d-103a12feb7c3 -keypass mypassword - destalias MyAliasName List contents of the keystore: To ensure your entire certificate chain was imported into the keystore, you can list the contents of the keystore using the following command: > OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool list v keystore WLOBIKeyStore.jks You will be prompted for the keystore password. Enter the password you provided when creating the keystore (mypassword). The output should match the below screen shot. Look for Certificate Chain Length. This should match your original certificate chain length. MyAliasName CERTIFICATE INFO

Import certificate into cacerts.jks The WebLogic server looks for trusted certificates in the OBIEE install directory in the file cacerts.jks located at - OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts.jks keystore. In order for WebLogic to recognize the certificate as a trusted certificate, you have to import the signed certificate, secondary intermediate and primary intermediate into cacerts.jks. Combine these into a single file in the order stated and then import into cacerts.jks. Depending on the CA you may or may not have intermediate certificates. Open the certificate in IIS. The Certification Path tab shows the certificate root, Primary and secondary certificates. CA Root Certificate CA Primary Intermediate Certificate CA Secondary Intermediate Certificate Server Signed Certificate In the email that you received from the CA with the signed certificate, you will see that the text of the certificate is embedded in the email in addition to the attachment. Copy the text from the email, starting from -----BEGIN CERTIFICATE----- upto -----END CERTIFICATE----- (including the five dashes) and paste it in a notepad.

The email that you receive from your CA with the signed certificate will also contain links to the Root and Intermediate certificates. An example screen shot is given below. The link will display Primary and Secondary intermediate certificates. Copy the text in the Secondary SSL Intermediate CA Certificate and paste it under the server certificate in a notepad. Press enter after -----END CERTIFICATE-----. Make sure there are no spaces after the five hyphens. Copy and paste the Primary Intermediate CA Certificate similarly. Make sure no spaces or new line character gets added to the end of the file.

Save the notepad as OBICACERTS.pem to the folder C:\SSL or where ever you have been saving the certificates in the previous steps on the server. Import the file to cacerts.jks using the below command. This command also uses keytool located in the OBIEE installation directory. C:\SSL> OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyAliasName -import -file OBICACERTS.pem You may be prompted asking if you trust the certificate. Type yes at the prompt. Set up SSL in WebLogic Console Log in to the WebLogic Console as the Admin user that was set up during installation. Under Environment click on Servers. Then click on bi_server1 Note: Before making any changes take a backup of the entire config folder under OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain. Click Lock and Edit in the left pane to start making changes. In the General tab, select SSL Listen Port Enabled.

Go to the Keystores tab and click on Change next the Keystores:

Select Custom Identity and Java Standard Trust. Click Save. Back in the keystores tab, enter the following information: Custom Identity Keystore: C:\SSL\WLSOBIEECert.jks Custom Identity Keystore Type: JKS Custom Identity Keystore Passphrase: mypassword Confirm Custom Identity Keystore Passphrase: mypassword Leave the Trust section with the prepopulate values. You already added the CA certificates to cacert.jks, so the Custom Keystore can be recognized as trusted. Click Save.

Repeat above steps for Admin Server back from the Environment Servers page. Click Activate Changes and restart the services from the start menu on the server. Manually configure WebLogic Open the file OBIEEInstallationDirectory\user_projects\domains\bifoundation_domain\bin\setDomainEnv.c md for editing. Add the following line if it does not already exist.

set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\SSL\\WLSOBICert.jks" - Djavax.net.ssl.keyStore="C:\\SSL\\ WLSOBICert.jks" - Djavax.net.ssl.keyStorePassword="mypassword" Note: You must escape any backslash (\) character in a path by using an additional backslash (\) character. Restart all services. Enable SSL for OBIEE Components Open the server certificate from IIS export the Root CA Certificate to a Der encoded format. Save the file as C:\SSL\OBIRootCert.cer.

To enable SSL for OBIEE components, go to WebLogic Enterprise Manager (Fusion Middleware Control) http://enteryourobieewebserverurl:7001/em Log in as Administrative user set up during installation. From the navigation pane expand the Business Intelligence folder and select coreapplication. Go to the Security Tab. Click on Lock and Edit Configuration Select Use SSL for Middle-Tier Communications.

Note from Oracle document: If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. When selected, this checkbox enables SSL to be the method of communication between Oracle Business Intelligence components. In the Weblogic CA Certificate location give the path C:\SSL\ OBIRootCert.cer or the location where you saved the root certificate. Click Apply You will receive a confirmation message: "Confirmation Generate New Certificates - Completed Successfully" Close this dialog. Click Activate Changes. Restart all services. Back in Fusion Middleware Control go to the SSL page, click View SSL report to verify internal SSL communications status to view the SSL status. If you can see this link, SSL is enabled. Log in to the below as Administrative user o Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7001 and 9704. o Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using the ports 7002 and 9804. o All logins should be successful. Also add the CA root certificate to WebLogic as a trusted certificate. > OBIEEInstallationDirectory\Oracle_BI1\jdk\bin\keytool -import -trustcacerts -keystore OBIEEInstallationDirectory\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit -alias MyAliasName -import -file OBIRootCert.cer Restart all services. You OBIEE environment is now set up to use SSL.