
High-Level Steps to enable SSL for OBIEE 12c


Before getting hands-on, let's understand the high-level steps involved in this configuration:

Generating the required certificates and keystores for SSL communication


Configuring Weblogic Admin Server, Node Manager and Managed Server for SSL
Configuring Internal WebLogic Server LDAP to Use LDAPs
Configuring Internal WebLogic Server LDAP Trust Store
Disabling HTTP
Configuring OWSM to use t3s
Enabling Oracle BI EE Internal SSL for BIEE

3. End to End SSL configuration for OBIEE 12c

3.1 Generating the required certificates and keystores for SSL communication

Create a folder under the Oracle Home where OBIEE 12c is installed, for example /ssl
Set the environment variable PATH to include the JAVA_HOME/bin directory.

WINDOWS:
set JAVA_HOME=<path to JAVA install root>
set PATH=%JAVA_HOME%/bin;%PATH%

UNIX:
export JAVA_HOME=<path to JAVA install root>
export PATH=$JAVA_HOME/bin:$PATH

Create the Java keystore: invoke the Java keytool utility to create a Java keystore. The general form is:

keytool -genkey -alias <alias> -keyalg RSA -sigalg SHA256withRSA -keysize <key_size> -keypass <password> -keystore <keystore_name> -storetype <store_type> -validity <days_of_validity>

If -keypass or -storepass is omitted, keytool prompts for the password, which keeps it out of shell history and process listings.

For example:

> keytool -genkey -alias obiee12c -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass Clearpeaks123 -keystore obiee12c.jks -storetype JKS -validity 365
What is your first and last name?
[Unknown]: obiee12c.clearpeaks.com
What is the name of your organizational unit?
[Unknown]: admin
What is the name of your organization?
[Unknown]: Clearpeaks
What is the name of your City or Locality?
[Unknown]: Abu Dhabi
What is the name of your State or Province?
[Unknown]: Abu Dhabi

Create a Certificate Signing Request (CSR). Use the following command:

keytool -certreq -v -alias <alias> -keyalg RSA -sigalg SHA256withRSA -file <filename> -keypass <password> -keystore <keystore> -storepass <password>

For example:

>keytool -certreq -v -alias obiee12c -keyalg RSA -sigalg SHA256withRSA -file root_cert_req.csr -keypass Clearpeaks123 -storepass Clearpeaks123 -keystore obiee12c.jks
Certification request stored in file root_cert_req.csr
Submit this to your CA

Submit this CSR to the signing authority; in return, the root, intermediate and server certificates will be provided.

Import the CA certificates into the Java keystore. Use the following commands to import the root, intermediate and server certificates into the Java keystore.

Import Root Certificate

keytool -import -trustcacerts -alias <alias> -file <cacert_file> -keystore <keystore> -keypass <password> -storepass <password>

>keytool -import -trustcacerts -alias rootca -file rootca.pem -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
.....................................
Trust this certificate? [no]: yes
Certificate was added to keystore.

Import Intermediate Certificate

keytool -import -trustcacerts -alias <alias> -file <cacert_file> -keystore <keystore> -keypass <password> -storepass <password>

>keytool -import -trustcacerts -alias interca -file interca.pem -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
Certificate was added to keystore

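Import Server Certificate

Import the server certificate under the alias of the private key entry created earlier. keytool then installs it as a certificate reply for that key; under any other alias it is only added as a trusted certificate and the key entry stays self-signed.

keytool -import -alias <alias> -file <servercert_file> -keystore <keystore> -keypass <password> -storepass <password>

>keytool -import -v -alias obiee12c -file server.cer -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
Certificate reply was installed in keystore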

Use the following command to verify that the keystore contains the certificates:

keytool -list -keystore <keystore> -storepass <password>

>keytool -list -keystore obiee12c.jks -storepass Clearpeaks123

If the keystore contains a chain of certificates, use the following command:

>keytool -list -v -keystore obiee12c.jks
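
A check to run over the verbose listing, added here as an example and not part of the original guide: it confirms that the private key alias holds the CA-signed chain (a reply imported under a different alias leaves the key entry with chain length 1) and that the CA aliases are trusted entries. The alias names come from this page; the field names assume keytool's English output, and the sample listing is constructed.

```shell
# Added example, not from the original guide.
# Usage: keytool -list -v -keystore obiee12c.jks | check_identity_chain obiee12c rootca interca
# $1 = private key alias; remaining args = aliases that must be trusted CA entries.
# Prints one line per finding; exit status is 0 only when everything checks out.
check_identity_chain() {
    key_alias=$1; shift
    awk -v want="$key_alias" -v trust="$*" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { type[alias] = $3 }
        /^Certificate chain length: / { len[alias] = $4 + 0 }
        END {
            bad = 0
            if (type[want] != "PrivateKeyEntry") {
                print "FAIL: " want " is not a PrivateKeyEntry"; bad = 1
            } else if (len[want] < 2) {
                print "FAIL: " want " chain length " len[want] ", CA reply not installed"; bad = 1
            }
            n = split(trust, t, " ")
            for (i = 1; i <= n; i++)
                if (type[t[i]] != "trustedCertEntry") {
                    print "FAIL: " t[i] " is not a trustedCertEntry"; bad = 1
                }
            if (!bad) print "OK: " want " chain length " len[want]
            exit bad
        }'
}

# Constructed sample of the relevant listing lines; $1 = chain length of the key entry.
sample_listing() {
    cat <<EOF
Alias name: rootca
Entry type: trustedCertEntry
Alias name: interca
Entry type: trustedCertEntry
Alias name: obiee12c
Entry type: PrivateKeyEntry
Certificate chain length: $1
EOF
}
```

A non-zero exit status makes the function usable as a gate before the WebLogic keystore settings are changed.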

3.2 Configuring Weblogic Admin Server, Node Manager and Managed Server for SSL
3.2.1 Configuring Weblogic Admin Server for SSL
Stop all the BI services using the server script stop.sh

./stop.sh

Start only the Admin Server by using the following command

> ./start.sh -i Adminserver

Log in to the WebLogic console.
Click Lock and Edit.
Select Environment > Servers. Click on Admin Server.
In the 'General' tab, update the Listen Address with the DNS name - obiee12c.clearpeaks.com.
Check 'SSL Listen Port Enabled'. 'SSL Listen Port': e.g. 9501 (make sure the port is available)
Click 'Save'
Select the Keystores tab and click the Change button to select Custom Identity and Custom Trust for keystores.
Update the details as follows.
'Custom Identity Keystore': <path_to_keystore> e.g. <ORACLE_HOME>/ssl/obiee12c.jks
'Custom Identity Keystore Type': JKS
'Custom Identity Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
'Confirm Custom Identity Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
'Custom Trust Keystore': <path_to_keystore> e.g. <ORACLE_HOME>/ssl/obiee12c.jks
'Custom Trust Keystore Type': JKS
'Custom Trust Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
'Confirm Custom Trust Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
Click 'Save'.

Note: In this example, the Custom Identity Keystore and Custom Trust Keystore are the same.

Select the 'SSL' tab and enter the relevant information based on Step 1.
'Private Key Alias': <alias_given_when_creating_key> e.g. obiee12c
'Private Key Password': <keypass_pwd> e.g. Clearpeaks123
'Confirm Private Key Password': <keypass_pwd> e.g. Clearpeaks123
Click 'Save'
3.2.2 Configure Managed Server for SSL

Select Environment > Servers. Click Managed Server bi_server1
Make the same changes as on the General tab of the Admin Server described in the earlier step, selecting port 9503 for SSL (if available)
Select the Keystores tab, make the same changes as on the Keystores tab for the Admin Server and click Save
Select the SSL tab, make the same changes as on the keystore tab for the Admin Server and click Save
3.2.3 Configure Node manager for SSL

Update nodemanager.properties in the <DOMAIN_HOME>/nodemanager folder with the Custom Identity Keystore and Custom Trust Keystore details

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=<Path to the Keystore>
CustomIdentityAlias=<Keystore Alias>
CustomIdentityPrivateKeyPassPhrase=<Key Passphrase>
CustomTrustKeyStoreFileName=<Path to the Keystore>

For example:

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=<oracle_home>/ssl/obiee12c.jks
CustomIdentityAlias=obiee12c
CustomIdentityPrivateKeyPassPhrase=Clearpeaks123
CustomTrustKeyStoreFileName=<oracle_home>/ssl/obiee12c.jks

Import the public certificates (root and intermediate) into the Java standard trust store, /jre/lib/security

>keytool -import -trustcacerts -alias rootca -file <oracle_home>/ssl/rootca.pem -keystore cacerts -storepass changeit
>keytool -import -trustcacerts -alias interca -file <oracle_home>/ssl/interca.pem -keystore cacerts -storepass changeit

3.3 Configuring Internal WebLogic Server LDAP to Use LDAPs

Make sure the WebLogic Admin and Managed Servers are up and running
Log in to EM. Click WebLogic Domain > Security > Security Provider Configuration
Expand the Identity Store Provider
Click Configure
Click + or Add to add a new property
Select ldap.url from the list. Enter the value ldaps://:
For example: ldaps://obiee12c.clearpeaks.com:9501
Click OK

3.4 Configuring Internal WebLogic Server LDAP Trust Store

Expand the Identity Store Provider
Click Configure
Click + or Add to add a new property
Select virtualize from the list. Enter "true" as the value
Click OK
Make sure virtualize=true is set, as you are explicitly pointing to the Administration Server
Restart all the BI services
Create the LDAP trust store "adapters.jks"
Set the following environment variables

>export ORACLE_HOME=<Oracle_Home>
>export WL_HOME=<Oracle_home>/wlserver
>export JAVA_HOME=<path to JAVA install root>
>export PATH=$JAVA_HOME/bin:$PATH
>cd $ORACLE_HOME/oracle_common/bin

./libovdconfig.sh -host obiee12c.clearpeaks.com -port 9500 -domainPath <Oracle_home>/user_projects/domains/bi -userName

Import the SSL certificates into the adapters.jks created in the <DOMAIN_HOME>/config/fmwconfig/ovd/default/keystores folder

3.5 Disabling HTTP

Log in to the Admin Console
Lock and Edit
Navigate to Environment > Servers > Admin Server
In the Admin Server General tab, uncheck Listen Port
Click 'Save'
Navigate to Environment > Servers > bi_server1
In the Managed Server bi_server1 General tab, uncheck Listen Port. Click Save
Navigate to Environment > Cluster > bi_cluster
Click Replication and check Secure Replication
Click 'Save'
Activate changes
Restart the BI services

3.6 Configuring OWSM to Use t3s

Log in to EM
Select WebLogic domain, and cross component wiring, components
Select component type, OWSM agent
Select the row owsm-pm-connection-t3 with status 'Out of Sync', and click Bind.
The HTTP(s) OWSM link is not used when using a local OWSM
Select Yes in the pop-up box
Confirm by accessing the policy via the validator: https://obiee12c.clearpeaks.com:9503/wsm-pm/validator

3.7 Enabling Internal SSL for OBIEE

Stop all the BI services
Execute the /bitools/bin/ssl.sh (or ssl.cmd) script to enable internal SSL for OBIEE

>./ssl.sh internalssl true

Restart the BI services
Validate the internal SSL configuration by running the following command

>./ssl.sh report

4. Validating the SSL configuration


Try accessing the WebLogic console, EM, analytics and visual analyser with the configured SSL ports
WebLogic Console - https://obiee12c.clearpeaks.com:9501/console
EM Console - https://obiee12c.clearpeaks.com:9501/em
BI Presentation services: https://obiee12c.clearpeaks.com:9503/analytics
