1. High-Level Steps to enable SSL for OBIEE 12c

Before getting into the hands-on part, let's understand the high-level steps involved in this configuration:

• Generating the required certificates and keystores for SSL communication
• Configuring WebLogic Admin Server, Node Manager and Managed Server for SSL
• Configuring Internal WebLogic Server LDAP to Use LDAPs
• Configuring Internal WebLogic Server LDAP Trust Store
• Disabling HTTP
• Configuring OWSM to use t3s
• Enabling Oracle BI EE Internal SSL for BIEE

3. End to End SSL configuration for OBIEE 12c

3.1 Generating the required certificates and keystores for SSL communication

• Create a folder under the Oracle Home where OBIEE 12c is installed. For example, <ORACLE_HOME>/ssl
• Set the environment variable PATH to include the JAVA_HOME/bin directory.

WINDOWS:

    set JAVA_HOME=<path to JAVA install root>
    set PATH=%JAVA_HOME%/bin;%PATH%

UNIX:

    export JAVA_HOME=<path to JAVA install root>
    export PATH=$JAVA_HOME/bin:$PATH

• Create Java key store: Invoke the Java keytool utility to create a Java key store.

    keytool -genkey -alias <alias> -keyalg RSA -sigalg SHA256withRSA -keysize <key_size> -keypass <password> -keystore <keystore_n
    <store_type> -validity <days_of_validity>

For example:

    > keytool -genkey -alias obiee12c -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass Clearpeaks123 -keystore obiee12c.j
    -storetype JKS -validity 365
    What is your first and last name?
      [Unknown]: obiee12c.clearpeaks.com
    What is the name of your organizational unit?
      [Unknown]: admin
    What is the name of your organization?
      [Unknown]: Clearpeaks
    What is the name of your City or Locality?
      [Unknown]: Abu Dhabi
    What is the name of your State or Province?
      [Unknown]: Abu Dhabi

• Create a Certificate Signing Request (CSR). Use the following command to create a Certificate Signing Request:

    keytool -certreq -v -alias <alias> -keyalg RSA -sigalg SHA256withRSA -file <filename> -keypass <password> -keystore <keystore> -storepass <password>

    >keytool -certreq -v -alias obiee12c -keyalg RSA -sigalg SHA256withRSA -file root_cert_req.csr -keypass Clearpeaks123 -storepass Clearpeaks123 -keystore obiee12c.jks
    Certification request stored in file root_cert_req.csr
    Submit this to your CA

• Submit this CSR to the signing authority board and in return, the root, intermediate and server certificates will be provided.
• Import the CA into the Java Keystore. Use the following commands to import the root, intermediate and server certificate to the Java Keystore.

» Import Root Certificate

    keytool -import -trustcacerts -alias <alias> -file <cacert_file> -keystore <keystore> -keypass <password> -storepass <password>

    >keytool -import -trustcacerts -alias rootca -file rootca.pem -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
    ........................
    Trust this certificate? [no]: yes
    Certificate was added to keystore.

» Import Intermediate Certificate

    keytool -import -trustcacerts -alias <alias> -file <cacert_file> -keystore <keystore> -keypass <password> -storepass <password>

    >keytool -import -trustcacerts -alias interca -file interca.pem -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
    Certificate was added to keystore

» Import Server Certificate

    keytool -import -alias <alias> -file <servercert_file> -keystore <keystore> -keypass <password> -storepass <password>

    >keytool -import -v -alias server -file server.cer -keystore obiee12c.jks -keypass Clearpeaks123 -storepass Clearpeaks123
    Certificate reply was installed in keystore

• Use the following command to verify whether the keystore contains the certificates:

    keytool -list -keystore <keystore> -storepass <password>

    >keytool -list -keystore obiee12c.jks -storepass Clearpeaks123

If the key store contains a chain of certificates, use the following command:

    >keytool -list -v -keystore obiee12c.jks

3.2 Configuring WebLogic Admin Server, Node Manager and Managed Server for SSL

3.2.1 Configuring WebLogic Admin Server for SSL

• Stop all the BI services using the server script stop.sh

    ./stop.sh

• Start the admin server only by using the following command

    > ./start.sh -i Adminserver

• Log in to WebLogic console.
• Click Lock and Edit.
• Select Environment > Servers. Click on Admin Server.
• In the 'General' tab, update the Listen Address with the DNS name, e.g. obiee12c.clearpeaks.com.
• Check 'SSL Listen Port Enabled'.
• 'SSL Listen Port': e.g. 9501 (make sure the port is available).
• Click 'Save'
• Select the 'Keystores' tab and click the 'Change' button to select Custom Identity and Custom Trust for keystores. Update the details as follows.
» 'Custom Identity Keystore': <path_to_keystore> e.g. <ORACLE_HOME>/ssl/obiee12c.jks
» 'Custom Identity Keystore Type': JKS
» 'Custom Identity Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
» 'Confirm Custom Identity Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
» 'Custom Trust Keystore': <path_to_keystore> e.g. <ORACLE_HOME>/ssl/obiee12c.jks
» 'Custom Trust Keystore Type': JKS
» 'Custom Trust Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
» 'Confirm Custom Trust Keystore Passphrase': <storepass_pwd> e.g.: Clearpeaks123
» Click 'Save'.

Note: In this example the Custom Identity Keystore and Custom Trust Keystore are the same.

• Select the 'SSL' tab and enter the relevant information based on Step 1.
» 'Private Key Alias': <alias_given_when_creating_key> e.g. obiee12c
» 'Private Key Password': <keypass_pwd> e.g. Clearpeaks123
» 'Confirm Private Key Password': <keypass_pwd> e.g. Clearpeaks123
» Click 'Save'

3.2.2 Configure Managed Server for SSL

• Select Environment > Servers. Click 'Managed Server bi_server1'
• Perform the same changes done on the general tab in the Admin server described in the earlier step, by selecting the 9503 port for SSL (if available).
• Select the keystores tab and perform the changes as done in the keystore tab for Admin server and click 'Save'.
• Select the SSL tab and perform the changes as done in the keystore tab for Admin server and click 'Save'.

3.2.3 Configure Node Manager for SSL

• Update the nodemanager.properties in the <DOMAIN_HOME>/nodemanager folder with Custom Identity Keystore and Custom Trust Keystore details

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=<Path to the Keystore>
    CustomIdentityAlias=<Keystore Alias>
    CustomIdentityPrivateKeyPassPhrase=<Key Passphrase>
    CustomTrustKeyStoreFileName=<Path to the Keystore>

For example:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=<oracle_home>/ssl/obiee12c.jks
    CustomIdentityAlias=obiee12c
    CustomIdentityPrivateKeyPassPhrase=Clearpeaks123
    CustomTrustKeyStoreFileName=<oracle_home>/ssl/obiee12c.jks

• Import the public certificates (root and intermediate) to the Java Standard Trust Store.

    /jre/lib/security
    >keytool -import -trustcacerts -alias rootca -file <oracle_home>/ssl/rootca.pem -keystore cacerts -storepass changeit
    >keytool -import -trustcacerts -alias interca -file <oracle_home>/ssl/interca.pem -keystore cacerts -storepass changeit

3.3 Configuring Internal WebLogic Server LDAP to Use LDAPs

• Make sure WebLogic Admin and Managed Servers are up and running
• Login to EM. Click weblogic domain > Security > Security Provider configuration.
• Expand the Identity Store Provider
• Click 'Configure'
• Click '+' or 'Add' to add a new property
• Select 'ldap.url' from the list. Enter the value 'ldaps://:' For e.g.: 'ldaps://obiee12c.clearpeaks.com:9501'
• Click 'Ok'

3.4 Configuring Internal WebLogic Server LDAP Trust Store

• Expand the Identity Store Provider
• Click 'Configure'
• Click '+' or 'Add' to add a new property
• Select virtualize from the list. Enter "true" as the value
• Click 'OK'
• Make sure virtualize=true is set, as you are explicitly pointing to the Administration Server
• Restart all the BI services
• Create LDAP Trust Store "adapters.jks"
• Set the following environment variables

    >export ORACLE_HOME=<Oracle_Home>
    >export WL_HOME=<Oracle_home>/wlserver
    >export JAVA_HOME=<path to JAVA install root>
    >export PATH=$JAVA_HOME/bin:$PATH
    >cd $ORACLE_HOME/oracle_common/bin
    ./libovdconfig.sh -host obiee12c.clearpeaks.com -port 9500 -domainPath <Oracle_home>/user_projects/domains/bi -userName

• Import the SSL certificates into 'adapters.jks' created in the <DOMAIN_HOME>/config/fmwconfig/ovd/default/keystores folder

3.5 Disabling HTTP

• Login to Admin Console
• Lock and Edit
• Navigate to Environment > Servers > Admin Server
• In the Admin Server General tab, uncheck 'Listen Port'
• Click 'Save'
• Navigate to Environment > Servers > bi_server1
• In the Managed Server bi_server1 general tab, uncheck 'Listen Port'. Click 'Save'
• Navigate to Environment > Cluster > bi_cluster
• Click Replication. Check the 'Secure Replication'.
• Click 'Save'
• Activate changes
• Restart the BI services

3.6 Configuring OWSM to Use t3s

• Login to EM
• Select WebLogic domain, and cross component wiring, components
• Select component type, OWSM agent
• Select WebLogic domain, and cross component wiring, components
• Select the row owsm-pm-connection-t3 status 'Out of Sync', and click 'Bind'. The HTTP(s) OWSM link is not used when using a local OWSM
• Select 'Yes' in the pop-up box.
• Confirm by accessing the policy via the validator: https://obiee12c.clearpeaks.com:9503/wsm-pm/validator

3.7 Enabling Internal SSL for OBIEE

• Stop all the BI services
• Execute the following command (the ./bitools/bin/ssl.sh | .cmd script) to enable internal SSL for OBIEE

    >./ssl.sh internalssl true

• Restart the BI services
• Validate the internal SSL configuration by running the following command

    >./ssl.sh report

4. Validating the SSL configuration

• Try accessing the WebLogic console, EM, analytics and visual analyser with the configured SSL ports.
» WebLogic Console: https://obiee12c.clearpeaks.com:9501/console
» EM Console: https://obiee12c.clearpeaks.com:9501/em
» BI Presentation services: https://obiee12c.clearpeaks.com:9503/analytics
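
A check for the keystore verification step in section 3.1, as an added example that is not part of the original article: it reads `keytool -list -v` output and confirms that the private key alias configured on the WebLogic SSL tab (obiee12c here) is a PrivateKeyEntry whose certificate is no longer self-signed and whose CN matches the listen address. keytool installs a CA reply only when it is imported under the alias of the existing private key entry, which is the failure this catches; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reads `keytool -list -v`
# output on stdin and checks the identity entry that WebLogic will serve.
# Real use (keytool prompts for the store password when -storepass is omitted):
#   keytool -list -v -keystore obiee12c.jks | check_identity_entry obiee12c obiee12c.clearpeaks.com

check_identity_entry() {   # $1 = private key alias, $2 = expected CN (listen address)
    awk -v want="$1" -v host="$2" '
        /^Alias name: /             { inside = (substr($0, 13) == want) }
        !inside                     { next }
        /^Entry type: /             { type = $3 }
        /^Certificate chain length/ { chain = $4 }
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }   # first certificate of the entry
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type == "") { print "FAIL: alias " want " not found"; exit 1 }
            cn = owner; sub(/^CN=/, "", cn); sub(/,.*/, "", cn)
            if (type != "PrivateKeyEntry") { print "FAIL: " want " is a " type; bad = 1 }
            if (owner == issuer) { print "FAIL: " want " is self-signed, CA reply not installed"; bad = 1 }
            if (cn != host) { print "FAIL: CN=" cn " does not match " host; bad = 1 }
            if (!bad) print "OK: " want " CN=" cn ", chain length " (chain + 0)
            exit (bad + 0)
        }'
}

sample_listing() {   # constructed sample in keytool -list -v layout, not real output
    cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Constructed Root CA, O=Example
Issuer: CN=Constructed Root CA, O=Example

Alias name: obiee12c
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=obiee12c.clearpeaks.com, OU=admin, O=Clearpeaks, L=Abu Dhabi, ST=Abu Dhabi
Issuer: CN=Constructed Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Constructed Intermediate CA, O=Example
Issuer: CN=Constructed Root CA, O=Example
EOF
}

sample_listing | check_identity_entry obiee12c obiee12c.clearpeaks.com
```

The function exits non-zero on any failed check, so it can gate the WebLogic restart in a deployment script.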