Enable End-to-End SSL

To achieve end to end SSL you need to configure both internal SSL and WebLogic SSL.

The internal SSL configuration is highly automated whereas the WebLogic SSL configuration requires multiple manual steps. The two are entirely independent, so can be performed in either order. Since the WebLogic configuration requires manual steps Oracle advises doing that first.

Note:

This section does not include configuring SSL for Essbase.

Topics:

Configure a Standard Non-SSL Oracle Analytics Server System

This section explains how to configure a standard non-SSL Oracle Analytics Server system.

  • Install Oracle Analytics Server.

  • Confirm the system is operational.

    Check you can login over HTTP to use:

    • Analytics

      - http://<Host>:<ManagedServerPort>/analytics

    • Fusion Middleware Control

      - http://<Host>:< AdminPort>/em

    • WebLogic Admin Console

      - http://<Host>:<AdminPort>/console

Configure WebLogic SSL

These steps configure WebLogic using the provided demo certificates. These are not secure.

Do not use these tasks in a production environment. Using the demo certificates can help you understand how to configure your environment with real certificates.

To configure with a secure certificate signed by a real Certificate Authority see WebLogic documentation. The certificate authority should return the signed server certificate, and provide a corresponding root CA certificate. Where demoCA is mentioned in task steps replace demoCA with your real CA certificate.

Topics:

Start Only the Administration Server

Starting up just the Administration Server rather than starting everything avoids the need to stop everything while the admin connection properties are in a state of flux, which confuses the stop everything script.

  1. Stop everything with:

    <DomainHome>/bitools/bin/stop.sh

  2. Start up just the Administration server with:

    <DomainHome>/bitools/bin/start.sh -i Adminserver

Configure HTTPS Ports

Follow these steps to configure the HTTPS ports.

  1. Log in to WebLogic Admin console.
  2. Click Lock and Edit.
  3. Select environment, servers.
  4. For each server on the main Configuration tab, select SSL Listen Port Enabled.
  5. Click Save.
  6. Click Activate Changes.
  7. If you're using WebLogic demo certificates, go to URL https://<host>:<AdminServerSSLPort> and set up a single browser certificate exception.

    The URL https://<host>:<AdminServerSSLPort> is the base URL, without Enterprise Manager or the WebLogic Administration console on the path. By first accessing the base URL, you can set up a single browser certificate exception. If you go directly to the Enterprise Manager or the WebLogic Administration console paths, you must setup multiple certificate exceptions.

  8. Enable the certificate exception by going to the base URL.

    You only have to do this once, rather than separately for WebLogic console and Fusion Middleware Control.

    The base URL should give a 404 error once the SSL connection is made. You can ignore the error.

  9. Test the secure WebLogic console URL using a URL similar to the following:

    https://<Host>:<AdminServerSSLPort>/console

  10. Test the secure Fusion Middleware Control URL using a URL similar to the following:

    https://<Host>:<AdminServerSSLPort>/em

    Test the HTTPS URL while logged in to Fusion Middleware Control using HTTP.

    Don't disable HTTPS.

  11. In WebLogic Administration Console, click Lock and Edit to begin enabling secure replication.
  12. Select Environment, select Clusters, and then select bi_cluster.
  13. Select Configuration, and select the Replication tab.
  14. Select secure replication enabled.
    If you don't select secure replication enabled, the managed servers fail to startup and remain in Administration mode preventing the start scripts from running.
  15. Click Save.
  16. Click Activate Changes.

Configure Internal WebLogic Server LDAP to Use LDAPs

If you have configured an external Identity Store, you can skip performing this step.

You can configure an external identity store to use a secure connection. To use an external identity store, you must change the URL in the internal LDAP ID store.

  1. Login to Fusion Middleware Control using a URL similar to the following:

    https://<Host>/<SecureAdminPort>/em

  2. Click WebLogic Domain, click Security, and click Security Provider Configuration.
  3. Expand the Identity Store Provider segment.
  4. Click Configure, and click the plus symbol (+) to add a new property.
  5. Add a ldap.url property using the following format for the administration server address rather than the bi_server1 address:

    ldaps://<host>:<adminServer HTTPS port>, for example, ldaps://myexample_machine.com:9501.

  6. In the Property editor, click OK.
  7. On the Identity Store Provider page, click OK.
  8. Open the jps-config.xml file located in <DomainHome>/config/fmwconfig/jps-config.xml.
  9. In the file look for the line, <property name="ldap.url" value="ldaps://<Host>:<AdminServerSecurePort>"/> to confirm that the configuration change.
On IBM-AIX an additional configuration step is required to configure the IBM JDK supported cipher suites.

  1. Open <DomainHome>/config/fmwconfig/ovd/default/adapters.os_xml

  2. In the <ldap> section of this file, insert the following SSL cipher suites: 

    <ldap id="DefaultAuthenticator" version="0">  
<ssl>  
    <protocols>TLSv1.2,TLSv1.1</protocols>  
    <cipherSuites>  
       <cipher>SSL_RSA_WITH_AES_128_CBC_SHA</cipher>  
       <cipher>SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</cipher>   
       <cipher>SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</cipher>  
    </cipherSuites>  
</ssl>    
</ldap>

Configure Internal WebLogic Server LDAP Trust Store

You must now provide a trust keystore.

Note:

This section only applies when using WebLogic Server LDAP and when virtualize=true is set, as you're explicitly pointing the Administration Server for the embedded WLS LDAP.

  1. In a terminal window set the ORACLE_HOME and WL_HOME environment variables.

    For example, on Linux:

    setenv ORACLE_HOME <OracleHome>

    setenv WL_HOME <OracleHome>/wlserver/

  2. Ensure that both your path and JAVA_HOME point to the JDK 8 installation.

    setenv JAVA_HOME <path_to_your_jdk8>

    setenv PATH $JAVA_HOME/bin

  3. Check the Java version by running:

    java -version

  4. Run (without the line breaks):

    <OracleHome>/oracle_common/bin/libovdconfig.sh

    -host <Host>

    -port <AdminServerNonSSLPort>

    -userName <AdminUserName>

    -domainPath <DomainHome>

    -createKeystore

    When prompted enter the existing password for<AdminUserName>.

    When prompted for the OVD Keystore password, choose a new password.

    For example:

    oracle_common/bin/libovdconfig.sh -host myhost -port 9500 -userName weblogic -domainPath /OracleHome/user_projects/domains/bi -createKeystore

Enter AdminServer password:
Enter OVD Keystore password:
OVD config files already exist for context: default
CSF credential creation successful
Permission grant already available for context: default
OVD MBeans already configured for context: default
Successfully created OVD keystore.

    The -port <AdminServerNonSSL> command doesn't work against the Admin server non-SSL port when it's been disabled. If you enable SSL and then configure LDAPs you would need to temporarily re-enable the non-SSL port on the Administration Server.

  5. Check the resultant keystore exists, and see its initial contents, by running:

    keytool -list -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks

  6. We now need to export the demo certificate in a suitable format to import into the above keystore.

    In Fusion Middleware Control:

    If using the demo WebLogic certificate you can get the required root CA from the system keystore using Fusion Middleware Control.

    1. Select WebLogicDomain, Security, Keystore.

    2. Expand System.

    3. Select Trust.

    4. Click Manage.

    5. Select democa, not olddemoca.

    6. Click Export.

    7. Select export certificate.

    8. Choose a file name.

      For example, demotrust.pem

      If not using the demo WebLogic certificate then you must obtain the root CA of the CA which singed your secure server certificate.

  7. Now import into the just created keystore:

    keytool -importcert -keystore <DomainHome>/config/fmwconfig/ovd/default/keystores/adapters.jks -alias localldap -file <DemoTrustFile>

  8. When prompted enter the keystore password you chose earlier, and confirm that the certificate is to be trusted.

  9. If you repeat the keystore -list command you should see a new entry under localldap, for example: 

    localldap, Jul 8, 2015, trustedCertEntry,

    Certificate fingerprint (SHA1):

    CA:61:71:5B:64:6B:02:63:C6:FB:83:B1:71:F0:99:D3:54:6A:F7:C8

Disable HTTP

After securing the system to use HTTPS, you must also disable HTTP to fully secure the environment.

  1. Login to WebLogic Administration console.

  2. Click Lock & Edit.

  3. Select environment, servers.

    For each server:

    1. Display the Configuration tab

    2. Clear Listen Port Enabled.

    3. Click Save.

  4. Click Activate Changes.

Verify Server Keystores

You must check that the Administration Server and Managed Servers are configured to use the trust keystore containing your trust certificate.

  1. Login to WebLogic Administration console.
  2. Click Lock and Edit.
  3. Select environment, servers.
  4. For each Managed Server.
    1. Display the Keystores tab.
    2. Ensure that the value for Keystores is Custom Identity and Custom Trust.

      Note:

      If you're using WebLogic demo certificates you must still use Custom Identity and Custom Trust, configuring the custom settings to point to the demo keystores as described in these steps. You mustn't use Demo Identity and Demo Trust because this overrides the internal channel's SSL configuration.
    3. Verify that the location of the identity keystore points to the correct identity keystore.

      The WebLogic demo identity keystore is kss://system/demoidentity.

    4. Verify that the location of the trust keystore points to the correct trust keystore.

      The WebLogic demo trust keystore is kss://system/trust.

  5. Click Save.
  6. Click Activate Changes.

Restart

Now you must restart Oracle Analytics Server.

You can't login through Oracle Analytics Server since Oracle Web Service Manager (OWSM) uses the disabled HTTP port.

Only the HTTPS one should work.

HTTP should quickly display an error similar to Unable to connect error. Don't mix the protocols and ports. The browser can hang when attempting to connect to a running port with the wrong protocol.

  1. Stop the Administration Server with <DomainHome>/bitools/bin/stop.sh.
  2. Start the Administration Server with <DomainHome>/bitools/bin/start.sh -i AdminServer.
  3. Confirm that HTTP is disabled by logging into both the HTTP and HTTPS WebLogic console URLs.

Configure OWSM to Use t3s

You must now change the Oracle Web Services Manager (OWSM) configuration to use the HTTPS port.

The HTTP(S) OWSM link isn't used when you use a local OWSM.

After you complete this task, you must restart the system and confirm the OWSM configuration. See Restart System.

  1. Login to Fusion Middleware Control.

    https://<Host>/<SecureAdminPort>/em

  2. Select WebLogic domain, and cross component wiring, components.
  3. Select component type, OWSM agent.
  4. Select the row owsm-pm-connection-t3 status 'Out of Sync', and click Bind.
  5. Select Yes.

Restart System

You must stop and restart all servers then test Analytics login with HTTPS.

  1. Stop all servers using the <DomainHome>/bitools/bin/stop.sh script.
  2. Use the <DomainHome>/bitools/bin/start.sh script to start everything.
  3. Confirm your ability to log in to Analytics using a URL similar to the following:

    https://<Host>:<SecureManagedServerPort>/analytics

    The WebLogic tier using HTTPS only for its outward facing ports and all WebLogic infrastructure. The internal BI channel and Analytics system components use HTTP.

  4. Optional: If you configured OWSM to use t3s, then use the validator to access the policy and confirm the configuration:

    https://<host>:<ManagedServerSSLPort>/wsm-pm/validator