Configuring OBIEE SSL


Configuring OBIEE 11.1.1.7.x with SSL


What do we need?
1. CA Root Certificate
2. CA Intermediate Certificate (if one exists)
3. Java Keystores: Identity Keystore and Trust Keystore
4. OBIEE Server Certificate
5. If an external LDAP directory such as Oracle Internet Directory is running in SSL:
   OID Server's CA Root Certificate
   OID Server's CA Intermediate Certificate (if one exists)
   OID Server Certificate
Reference: OBIEE Security Guide (e10543-08)
http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/toc.htm

A commercial Certificate Authority (CA) will provide its CA Root and CA Intermediate Certificates.
All we need to do is submit a Certificate Signing Request (CSR) for the particular server, in any form
(hostname.domainname.com / Web Site Name / wildcard certificate like *.domainname.com), and get
the CA-signed Server Certificate.
NOTE: If you are using a wildcard certificate, remember to turn off WebLogic Hostname Verification.

Here we will be using Custom Identity and Custom Trust Keystores.


Create Java Keystore for Custom Identity:
Create a certificate key pair for the Server Certificate using the keytool genkeypair command.
Command: keytool -genkeypair -alias scl34225 -keyalg RSA -keysize 2048 -validity 365 -keypass Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

BI Oracle CEAL Team, Author: Veera Raghavendra Rao Koka (Updated on 17-July-2014)

Page 1 of 36

https://blogs.oracle.com/pa

Create a Certificate Signing Request (CSR), which has to be submitted to an internal or third-party CA
(Certificate Authority).
Command: keytool -certreq -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225_certreq.csr -keystore C:\Oracle\Middleware\ssl\myIdentity.jks

NOTE: The CSR file can have either a .csr or a .pem extension; either is fine.

Note: The screenshot above shows the Certificate Signing Request in .pem format.
Note: The above command generates a Certificate Signing Request (CSR) using the PKCS#10 format.
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate
requestor (usually off-line) and will return a certificate or certificate chain, used to replace the
existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate.
Here we are using our own internal Certification Authority (CA).
Save the CA Root, CA Intermediate and Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl

Only on Windows Machine:

Generally the CA Root Certificates are already available in the Trust Certificate Stores along with the
browser installation. But if you are using your own internal CA, you need to import the CA Root
Certificate into the Trusted Certificate Stores for successful validation of the Intermediate and Server
Certificates.
CealCARoot.crt

Install/Import the CA Root Certificate into Trusted Root Certification Authorities; it is now valid.

CealCAInter.crt

scl34225.crt

Install/Import the CA Intermediate Certificate to Intermediate Certification Authorities


Install the server certificate into Personal (Optional)

Now we need to import these certificates into Custom Identity Keystore myIdentity.jks
Import the intermediate certificate first --> then the root certificate --> and then the signed server
certificate in the same sequence.
Command: keytool -importcert -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Note: The intermediate and root certificates should have different alias names, but the signed certificate
must be imported with the same alias that was used when creating the certificate key pair/keystore.
After importing all three certificates you should see the message: Certificate reply was installed in Keystore.
CEALCAInter.pem

CEALCARoot.pem

Scl34225_chain.pem

Now list the keystore and check if all the certificates are imported successfully.
keytool -list -v -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
NOTE: The Server Certificate should be shown as
Alias Name: scl34225
Entry Type: PrivateKeyEntry
Certificate Chain Length: 3


Run the following command to check if the certificate chain is valid.
In a Command Prompt run setDomainEnv.cmd to set Java Home and other variables.
Syntax : java utils.ValidateCertChain -jks <alias> <identity_keystore>
Command : java utils.ValidateCertChain -jks scl34225 C:\Oracle\Middleware\ssl\myIdentity.jks

Create a Java Keystore for Custom Trust:
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Now that we have successfully created an Identity Keystore and a Trust Keystore, we can configure
WebLogic to use them by configuring Custom Identity and Custom Trust Keystores.

Import the CA Root and CA Intermediate certificates into the Java install locations,
first the Root Certificate and then the Intermediate Certificate:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit


Command: keytool -list -v -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit

First the Root Certificate and then the Intermediate Certificate into
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit

Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Configuring Node Manager in SSL mode

Open the file C:\Oracle\Middleware\wlserver_10.3\common\nodemanager\nodemanager.properties
and enter the lines below:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=C:\\Oracle\\Middleware\\ssl\\myIdentity.jks
CustomIdentityKeyStorePassPhrase=Oracle123
CustomIdentityPrivateKeyPassPhrase=Oracle123
CustomIdentityAlias=scl34225
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=C:\\Oracle\\Middleware\\ssl\\myTrust.jks

Restart Node Manager


If there is an issue with nodemanager port, either change the port or perform the following steps:
Windows: Open a command window
set JAVA_OPTIONS=-DDomainRegistrationEnabled=true
In the same command shell run: <MW_HOME>\wlserver_10.3\server\bin\startNodeManager.cmd
Unix:
cd <MW_HOME>/wlserver_10.3/server/bin
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
./startNodeManager.sh

Configure SSL for WebLogic Servers in the Oracle WebLogic Server Admin Console
Steps to configure Custom Identity and Custom Trust with WebLogic Server


NOTE: Set Hostname Verification to None (in the SSL tab, under the Advanced link) if the CN of the
certificate is not the same as the hostname of the machine where WLS is installed; this also applies to
wildcard certificates.

Similarly configure the same for all other managed servers, such as bi_server1.
Changing Other URLs to Match the New Listener Address
As OBI can work on only one protocol and we have disabled the non-SSL port 7001, we need to change the
Embedded LDAP URLs to match the new listener address.
To change other URLs to match the new listener address:
1. Log in to Fusion Middleware Control and navigate to bifoundation_domain under WebLogic
Domain.
2. From the WebLogic Domain menu, choose Security and Security Provider Configuration.
3. Click Configure in the Identity Store Provider area to display the Identity Store Configuration area
and the Custom Properties table, and check that the ldap.url custom property is present, and
correctly configured as follows:
Custom Property Values for ldap.url = ldaps://scl34225.us.oracle.com:7002


Restart the Administration Server and Managed Servers

Enabling Trust between Codes Running in WebLogic Servers

You must enable trust between codes running in WebLogic Servers before you can enable SSL
communication between Oracle BI EE components.
1. Open the following files for editing:
For Linux: MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh
For Windows: MW_HOME\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd
2. Some Oracle Business Intelligence Java components running in Oracle WebLogic Server
invoke other web services running in Oracle WebLogic Server.
Therefore, you must configure Oracle WebLogic Server to trust itself by setting these
properties. You must escape any backslash (\) character in a path by using an additional backslash
(\) character.
3. For Linux (enter all on one line):
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/Oracle/Middleware/ssl/myTrust.jks -Djavax.net.ssl.CustomTrustStorePassphrase=\"Oracle123\" -Djavax.net.ssl.keyStore=/Oracle/Middleware/ssl/myIdentity.jks -Djavax.net.ssl.keyStorePassword=\"Oracle123\""
export JAVA_OPTIONS
4. For Windows (enter all on one line):
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\Oracle\\Middleware\\ssl\\myTrust.jks" -Djavax.net.ssl.CustomTrustKeyStorePassphrase="Oracle123" -Djavax.net.ssl.keyStore="C:\\Oracle\\Middleware\\ssl\\myIdentity.jks" -Djavax.net.ssl.keyStorePassword="Oracle123"
5. If you omit these steps, login will fail.
6. Save the setDomainEnv.sh or setDomainEnv.bat file.
7. Restart Oracle WebLogic Server to include the Java option changes.
If you do not restart Oracle WebLogic Server, attempts to log in to Oracle Business Intelligence will
fail.

Oracle Business Intelligence Components can communicate only through one protocol at a time. It is
not possible to use SSL between some components, while using simple TCP/IP communications
between others.

Enabling SSL for Oracle BIEE Components Using Fusion Middleware Control
Login to em: http://scl34225.us.oracle.com:7001/em

NOTE: The SSL options on this page only enable configuration for internal communications used by
the Oracle BI middle-tier. To set up SSL for outward facing WebLogic ports, you must use the
WebLogic Administration Console before you configure the settings on this page.

If the Use SSL for Middle-Tier Communications option is not available, then you have not
successfully enabled SSL on WebLogic. Re-check the SSL Config steps in WebLogic Server.
When selected, this checkbox enables SSL to be the method of communication between Oracle
Business Intelligence components.
CA Certificate location is the absolute path of the OBIEE Server's CA Root Certificate.
Do not enter the individual web server certificate. Supported types are .der and .pem.
Ensure that you enter the correct extension for the certificate file. If the certificate for the web server
is signed by Intermediate CA, even then enter the root CA and not the intermediate certificate.


You will receive a confirmation message: "Confirmation Generate New Certificates - Completed
Successfully"
If you do not see this message, or run into issues, follow the steps below.
If you see the following error message:
CA certificate <your certificate path> format <PEM or CER> is not a CA certificate. It does not have the expected basic constraints for a CA.
complete the following steps:
a. Visually check that the contents of your CA certificate are correct by entering the following command:
For PEM certificates use:
<mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -in <yourcertificate>.pem -text
For DER certificates use:
<mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -inform der -in <yourcertificate>.der -text
These read-only openssl commands do not need a configuration file, so you can safely ignore any warning starting with:
WARNING: can't open config file
b. Check that your CA certificate is the expected root CA certificate. CA certificates should contain a basic constraints section, but
some CAs still do not conform to this standard.
c. If the contents of your CA certificate are correct, you can turn off the strict CA certificate check by setting the following property
in the setDomainEnv.sh file (for Linux) or setDomainEnv.bat file (for Windows):
Note: Do not configure this property unless you have checked the CA certificate and it is correct.
oracle.bi.management.ssl.omitcacheck=true
d. Save the setDomainEnv.sh or setDomainEnv.bat file.
e. Repeat the section: Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control
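The chain check run earlier with utils.ValidateCertChain and the basic-constraints troubleshooting above can both be rehearsed with openssl alone. The script below is an added example and not part of the original document: it builds a constructed root / intermediate / server chain (the example.com names are assumptions) and then runs the three checks that decide whether the keystore and FMW Control steps will succeed.

```sh
#!/bin/sh
# Added example, not from the original document. Builds a constructed
# root -> intermediate -> server chain with openssl and runs the checks this
# guide leans on: basicConstraints CA:TRUE on the CA file, chain validity, and
# host name match. Names under example.com are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="obiee.example.com"   # constructed host name for the server certificate

# Extension files: CA certificates get CA:TRUE (pathlen:0 on the intermediate),
# the server certificate gets CA:FALSE plus a SAN for the host name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"

# Root CA: CSR self-signed with its own key (-signkey), extensions from root.ext.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: CSR signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null

# Server certificate: CSR signed by the intermediate (the "Signed Server Certificate").
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

# Returns 0 when the certificate carries basicConstraints CA:TRUE, which is what
# Fusion Middleware Control requires of the "CA Certificate location" file.
# A server certificate, or a root issued without basic constraints, fails here;
# that is the condition behind the "is not a CA certificate" error.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Returns 0 when the server certificate verifies up to the root through the
# intermediate, the relationship utils.ValidateCertChain checks inside the JKS.
chain_is_valid() {  # $1 root, $2 intermediate file, $3 server
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Returns 0 when, in addition, the certificate matches the expected host name:
# the check WebLogic hostname verification performs, and the one this guide
# turns off for CN mismatches and wildcard certificates.
hostname_matches() {  # $1 root, $2 intermediate file, $3 server, $4 host name
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# Stand-alone run: report each file, then the chain and host name result.
for f in root inter server; do
  if is_ca_cert "$WORK/$f.pem"; then echo "$f.pem: CA certificate"; else echo "$f.pem: not a CA"; fi
done
if chain_is_valid "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem"; then
  echo "chain root -> intermediate -> server: valid"
fi
if hostname_matches "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem" "$HOST"; then
  echo "server certificate matches $HOST"
fi
```

Point is_ca_cert at the file you intend to enter as the CA Certificate location; if it reports "not a CA", you have the server or a non-conforming root certificate, which is exactly the case steps a to c above walk through.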

If it succeeds: click Activate Changes, then stop all OPMN services and WebLogic Server.

After this, the ssl attribute in the instanceconfig.xml file below shows ssl=true:
C:\Oracle\Middleware\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml
Restart WebLogic Server (Administration Server and Managed Servers), then start the OPMN
components and Oracle Business Intelligence components.
In Fusion Middleware Control go to the SSL page and click View SSL report to verify the status of internal SSL
communications. If you can see this link, SSL is enabled.

Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI
EE using the ports 7001 and 9704. All logins should be successful.
Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI
EE using the ports 7002 and 9804. All logins should be successful.

Configuring Oracle WebLogic Server to Use Only the HTTPS Protocol by Disabling Non-SSL Listen Ports

Click Save, In the Change Center, click Activate Changes.

Restart the Oracle WebLogic Servers.

Complete these steps for WebLogic Server's embedded LDAP directory:

Property Name                 | Value                               | Comments
ldap.url                      | ldaps://scl34225.us.oracle.com:7002 | If already done, ignore it
java.naming.security.protocol | ssl                                 |


In the StartManagedWebLogic.cmd change the Admin Server URL


Also edit StartStopServices.cmd (Windows machines only).


And change all http to be https in the StartStopServices.xml file.

Restart the Admin Server, Managed Server and BI Components

Additional SSL Configuration Options

Updating Expired SSL Certificates Using Fusion Middleware Control
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Configuring SSL for the SMTP Server Using Fusion Middleware Control
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Using SASchInvoke when BI Scheduler is SSL-Enabled
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Configuring Oracle BI Job Manager
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Enabling the Online Catalog Manager to Connect
The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP
web server for Oracle Business Intelligence is enabled for SSL.
You must import the CA Root, CA Intermediate and OBIEE Server Certificates (also the OHS certificates if OHS
exists) into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.
Java Keystore of the JAVA_HOME: C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
NOTE: Since OHS will be on the same machine and is signed by the same CA, we have already imported these certificates into the
Java install keystores (if using the online Catalog through the OHS URL).

Catalog online URL: https://scl34225.us.oracle.com:9804/analytics/saw.dll

Configuring the Oracle BI Administration Tool to Communicate Over SSL


Configuring an ODBC DSN for Remote Client Access
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Configuring Oracle BI Publisher to Communicate Over SSL
Please follow the steps specified in the OBI Security document under the SSL Configuration in Oracle Business Intelligence section.

Configuring SSL when Using Multiple Authenticators


Before completing this task, you must already have an External LDAP Directory configured, with the
custom property called virtualize (lower case) set to true.

NOTE: If you are using External Directories (LDAP) and Database in SSL mode, import the CA Root and
CA Intermediate (if it exists) certificates of the respective servers into the keystores below.

Create a Keystore for running External LDAP in SSL (adapter.jks)
Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
NOTE: libovdconfig.bat fails if we use the 7002 SSL port, so enable the Admin Server on port 7001 and execute:
Command: C:\Oracle\Middleware\oracle_common\bin\libovdconfig.bat -host scl34225.us.oracle.com -port 7001 -userName weblogic -domainPath C:\Oracle\Middleware\user_projects\domains\bifoundation_domain -createKeystore

Once this command runs, you should see two new credentials in the Credential Store and a new
Keystore file called adapters.jks under
MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores

Import the OID CA Root Certificate into the libOVD Keystore:
Command: keytool -import -alias oid -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123

Import the OID CA Intermediate Certificate (if it exists) into the libOVD Keystore: here we do not have this certificate.
Import the OID Server Certificate into the libOVD Keystore:
keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123

Import the OBIEE Server CA Root certificate into the libOVD Keystore using the keytool command:
keytool -import -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123

Import the OBIEE Server CA Intermediate certificate into the libOVD Keystore using the keytool command:
keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123

Import the OID CA Root and OID Server Certificate into the Java Keystores below:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit

Not required, but if you encounter SSL handshake issues, import this certificate too:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit

C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit

Not required, but if you encounter SSL handshake issues, import this certificate too:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit

C:\Oracle\Middleware\ssl\myTrust.jks
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Import the OID Server Certificate into the myTrust Keystore:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
NOTE: If the OID Server certificate is not imported into the Trust Keystore, the Admin Server log shows an SSL
Handshake failure, so please import this certificate too.

Steps to be followed for successful config of External LDAP (OBIEE running in SSL and External LDAP in SSL):
1. OBIEE up and running, able to log in with WebLogic embedded LDAP users.
2. Configure OBIEE with SSL.
3. Check that SSL is working with embedded LDAP users (both console/em and analytics).
4. Configure external LDAP with SSL (as Additional SSL Config Steps; check the Security Guide SSL Config section).
5. Set Control Flag to SUFFICIENT for both Default Authenticator and External LDAP Authenticator.
6. Do not reorder External LDAP to be the first in the providers list.
7. Add virtualize=true in em (Security Provider Configuration).
8. Restart Admin Server and then run libovdconfig.bat/sh to create the adapter.jks file.

9. Import (CA Root cert of LDAP Server, CA Intermediate cert of LDAP Server, LDAP Server cert, CA
Root cert of OBIEE Server, CA Intermediate cert of OBIEE Server) into adapter.jks
10. Now reorder external LDAP to the top in the providers list.
11. Restart Admin Server.

Test Login to analytics as OID Users configured in ssl mode

An alternative method (not recommended) is to use the System MBean Browser.


Configuring SSL Communication between BI Components Using the System MBean Browser
This section describes how to configure SSL communication between components using the System
MBean Browser.
This alternative method enables you to choose several advanced configuration options, including
choosing the passphrase that protects the various certificate stores.
Oracle recommends not to use this approach, but to follow Section "Configuring WebLogic to use SSL
in Oracle WebLogic Server Administration Console".
Manually Configuring SSL Communication between Components Using System MBean Browser

Task | Description
Lock the configuration. | Use the BIDomain MBean to lock the domain configuration before making changes.
Generate the SSL certificate. | Use the BIDomain.BIInstance.SecurityConfiguration MBean to generate the SSL certificate.
Commit the SSL configuration changes. | Use the BIDomain MBean to commit the SSL configuration changes.
Verify SSL certificates in credential store. | Verify that the SSL certificates are saved in the credential store.
Enable the SSL configuration and restart Oracle Business Intelligence components. | Use the BIDomain.BIInstance.SecurityConfiguration MBean to enable the SSL configuration between components, and then restart the components so the changes take effect.
Confirm that SSL communication is enabled between components. | Run the SSL report to confirm status.
Configure SSL communication for the mail server. | Configure SSL communication for the mail server.
Update expired SSL certificates. | Update expired SSL certificates and replace with new ones.

Expand Application Defined Mbeans

Expand the oracle.biee.admin node, then expand the bifoundation_domain node

Locate and expand the BIDomain node to display two BIDomain MBeans


Select the BIDomain MBean having the full name oracle.biee.admin:type=BIDomain, group=Service
from the MBean navigation tree.

Select the Operations tab, then Lock.


Click Invoke.

A confirmation displays to indicate that the configuration is locked. The next step is to generate the
SSL certificates.
System MBean Browser > Application Defined MBeans > oracle.biee.admin > bifoundation_domain:
locate and expand BIDomain.BIInstance.SecurityConfiguration, then select the
BIDomain.BIInstance.SecurityConfiguration MBean.
Configuration options for the MBean display in the right pane.

Select the Attributes tab, and then locate the SSLCertificatesGenerated attribute.
A value of false indicates that SSL certificates have not been generated.
If certificates have been previously generated, you can continue to replace them with new certificates.
NOTE: Since we have implemented SSL for BI Components using the WebLogic Admin Console,
Fusion Middleware Control and manual file editing (the Oracle recommended method), we can
see that the SSL Certificates are already generated.

Had we not done any SSL certificate generation (from the WLS Console, FMW em or manual file editing),
the value would be false.
Let us proceed on the assumption that we are enabling SSL from the System MBean Browser.

Select the Operations tab, then select the generateSSLCertificates operation.
The parameters for the generateSSLCertificates attribute of the BIDomain.BIInstance.SecurityConfiguration
MBean are displayed.


passphrase: The SSL passphrase that protects the certificates and, most importantly, the private key. Remember
this passphrase.
webServerCACertificatePath: The path for the Certificate Authority (CA) root certificate for the CA used to sign the
web server's certificate. Do not enter the individual web server certificate or the (CA) intermediate certificate.
certificateEncoding: Supported types are .der and .pem.

Click Invoke.
A confirmation displays if the operation executed successfully. If successful, the input CA certificate
has been validated and the certificate generation request is queued.

The next step is to commit the changes, which completes certificate creation and
distribution throughout the domain.
To commit the SSL configuration and release the lock: Use the BIDomain MBean.

The next step is to verify the SSL credentials are in the credential store.
Verifying the SSL Credentials in the Credential Store


Open oracle.bi.enterprise credential map and verify the SSL credentials have been saved to the
credential store. If successful, the following SSL credentials display in the oracle.bi.enterprise
credential map:
ssl.java.private.key
ssl.java.public.certificate
config.version

About Oracle BIEE SSL Everywhere Generated Certificates


Client tools need access to these generated certificates for secure communications. The generated files are:

Cacert.pem
combinedcacert.pem
Server-cert.pem
webservercacert.pem
Server-key.pem is the private key for the OpenSSL servers.


Clients need to have access to the internal CA certificate. Java clients need the certificate in a keystore
to which they have access.
The javaserver.keystore cannot be used if you created the certificates from Fusion Middleware
Control, since it is protected by a private passphrase.
Create a new keystore for use by your clients with the following command:
keytool -keystore clientkeystore -import -file cacert.pem -alias biee
The command prompts you to choose your own passphrase.
The next step is to enable the SSL configuration changes.
Enabling the SSL Configuration
From the System MBean Browser, again use the BIDomain MBean to lock the security configuration, then
select the BIInstanceSecurityConfiguration MBean.
Select the Attributes tab, then for the SSLEnabled attribute select true from the Value list, then click
Apply. The SSL listen port must be enabled on the Administration Server and the Managed Servers.

Navigate to the BIDomain MBean and commit the changes.

SSL communication is now enabled between the components. You must restart the
Oracle Business Intelligence components for the changes to take effect.
Restart WebLogic Admin & Managed Servers and BI Components.

Confirming SSL Status Using the MBean Browser


You can run an SSL report using the BIDomain.BIInstance.SecurityConfiguration MBean to verify that
SSL communication is operating between components.
From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.
You do not need to lock the configuration to run the SSL report.
Select the Operations tab, and then select the runSSLReport option.

To run the report, click Invoke.
The report indicating the status of SSL communication between components displays.
If the SSL ping fails, check the following:
Verify the target component is running.
Verify that the component has been restarted since SSL was enabled. SSL configuration changes
require a restart to take effect.
Verify that the SSLEnabled attribute for the BIDomain.BIInstanceSecurityConfiguration MBean is
set to true. When changing SSL properties, both apply and commit steps must be performed.
All the 5 BI Components should show:
SSL ping OK. SSL Version as SSL v3, Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 (Default)
Certificate Expiry details and Certificate CA dn details.

Updating Expired SSL Certificates Using the MBean Browser


Please follow the steps specified in the OBI Security document under SSL Configuration in Oracle Business Intelligence Section.

Advanced SSL Configuration Options


Please follow the steps specified in the OBI Security document under SSL Configuration in Oracle Business Intelligence Section.

A manually configured SSL environment can co-exist with a default SSL configuration.

If OBIEE is on Linux and client tools on Windows


Client tools such as Catalog Manager and the Administration Tool cannot open because of SSL certificate
issues, so import the CA Root, CA Intermediate and OBIEE Server certificates into the client tools'
Java home security keystore (cacerts).

On Windows Machine: In a command prompt

cd "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\bin"
Command: keytool -import -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
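The three client-tool imports above (and the same keytool import used earlier to build the clientkeystore for Java clients) as one repeatable script. This is an added example, not part of the original document: the paths, aliases and the changeit default come from the page; the alias pre-check, keytool's -noprompt flag and the final listing of owner, issuer and validity are the additions.

```powershell
# Added example (not from the original document): import the CA root, CA intermediate
# and OBIEE server certificates into the client tools' cacerts only if not already present.
$JreHome   = 'C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre'
$Keytool   = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JreHome 'lib\security\cacerts'
$StorePass = 'changeit'   # JRE default cacerts password; adjust if your JRE uses another

# Root first, then intermediate, then the server certificate (aliases/files as on the page)
$Certs = @(
    @{ Alias = 'CEALCARoot';  File = 'C:\Oracle\Middleware\ssl\CealCARoot.pem'  },
    @{ Alias = 'CEALCAInter'; File = 'C:\Oracle\Middleware\ssl\CealCAInter.pem' },
    @{ Alias = 'scl34225';    File = 'C:\Oracle\Middleware\ssl\scl34225.pem'    }
)

function Test-KeystoreAlias([string]$Alias) {
    # keytool -list exits 0 when the alias exists in the keystore, non-zero otherwise
    & $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $Alias *> $null
    return ($LASTEXITCODE -eq 0)
}

function Import-CertIfMissing([string]$Alias, [string]$File) {
    if (-not (Test-Path $File)) { throw "Certificate file not found: $File" }
    if (Test-KeystoreAlias $Alias) {
        Write-Host "Alias '$Alias' already present in cacerts, skipping"
        return
    }
    # -noprompt skips the interactive "Trust this certificate?" question; acceptable here
    # because the PEM files were handed over from our own CA, not fetched from the network.
    & $Keytool -import -noprompt -alias $Alias -file $File -keystore $Cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for alias '$Alias'" }
}

foreach ($c in $Certs) { Import-CertIfMissing -Alias $c.Alias -File $c.File }

# Show owner, issuer and validity of each imported entry so an expired certificate
# or a broken chain (issuer of scl34225 should be the intermediate) is obvious at a glance.
foreach ($c in $Certs) {
    & $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $c.Alias |
        Select-String -Pattern '^(Alias name|Owner|Issuer|Valid from)'
}
```

Run it from an elevated PowerShell prompt, since cacerts under Program Files is normally not writable by a standard user.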

For RPD access, create the DSN with SSL enabled.
