Wednesday, July 23, 2008

OBIEE running it as a HTTPS / SSL service

We were recently asked how to run OBIEE as a HTTPS / SSL service. The customer wanted this because of an in-house security policy. Here is how we did it:

Step 1: Navigate to your OC4J config directory, usually found in ..:\OracleBI\oc4j_bi\j2ee\home\config. Add a new directory called "backup_original". Copy the whole content of the config directory to the new directory. (Better safe than sorry.)

Step 2: Creating the SSLFILE (site certificate).
Open a command box and navigate to your OC4J config directory, usually found at ..:\OracleBI\oc4j_bi\j2ee\home\config. Enter:

keytool -genkey -keyalg "RSA" -keystore sslfile -storepass MySecretPassword -validity 365

Next you will get a couple of questions about your name and organisation; the values entered here are used for "encrypting" the key.

On the last question (the key password) just press RETURN. If you enter a key password that differs from the store password, you may get "Cannot recover key" errors when deploying your website.

Step 3: Creating a new website config file
From the config directory copy and paste the file "default-web-site.xml" and rename the copy to "secure-web-site.xml". Open the new file in an editor. In the <web-site> tag change the port number to "443" (or another port you like) and add the attribute secure="true". Then add the SSL config tag: <ssl-config keystore="sslfile" keystore-password="MySecretPassword"/>


Step 4: Edit SERVER.XML
Open the file "SERVER.XML" in an editor and add a reference to "secure-web-site.xml". Between the application-server tags add: <web-site path="./secure-web-site.xml" />. Your file should look something like this:

Save the file!

Step 5: an extra backup!
Add a new directory called "backup_change_YYYYMMDDNNN" (e.g. backup_change_20080723001). Copy the whole content of the config directory to the new directory. (Why? If you are not careful during an upgrade you lose all your OC4J settings.)

Step 6: Restart OC4J
Stop and start your OC4J.
You can now run your OBIEE website from the default HTTPS address.
Remember: All your users still have to import the certificate!
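The two XML edits in Steps 3 and 4 are easy to get subtly wrong by hand (a forgotten secure="true", a second ssl-config tag, a duplicate web-site reference). The script below is an added example, not part of the original post or of OC4J: it derives secure-web-site.xml from default-web-site.xml, adds the web-site reference to server.xml, and checks the result before you restart. The two XML documents embedded in it are constructed stand-ins that follow the structure the post describes; real OC4J files carry more attributes and child elements, which ElementTree keeps unchanged. The function names, the port 9704 in the sample and the file paths are assumptions for the example.

```python
"""Added example: script the OC4J edits from Steps 3 and 4 of the post.

Constructed sample input; real default-web-site.xml / server.xml files have
more attributes and children, which are preserved as-is by ElementTree.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for ..\j2ee\home\config\default-web-site.xml
DEFAULT_WEB_SITE = """<?xml version="1.0"?>
<web-site port="9704" display-name="OC4J 10g (10.1.3) Default Web Site">
  <default-web-app application="default" name="defaultWebApp" />
  <web-app application="analytics" name="analytics" root="/analytics" />
  <access-log path="../log/default-web-access.log" split="day" />
</web-site>
"""

# Constructed stand-in for ..\j2ee\home\config\server.xml
SERVER_XML = """<?xml version="1.0"?>
<application-server application-directory="../applications">
  <web-site path="./default-web-site.xml" />
</application-server>
"""


def make_secure_web_site(default_xml, port="443", keystore="sslfile",
                         keystore_password="MySecretPassword"):
    """Step 3: copy of default-web-site.xml with the new port, secure="true"
    and exactly one <ssl-config> element pointing at the keystore."""
    root = ET.fromstring(default_xml)
    if root.tag != "web-site":
        raise ValueError("expected a <web-site> root element")
    root.set("port", str(port))
    root.set("secure", "true")
    # Replace any existing ssl-config instead of adding a second one.
    for old in root.findall("ssl-config"):
        root.remove(old)
    ET.SubElement(root, "ssl-config",
                  {"keystore": keystore, "keystore-password": keystore_password})
    return ET.tostring(root, encoding="unicode")


def add_secure_site_reference(server_xml, path="./secure-web-site.xml"):
    """Step 4: add <web-site path=.../> inside <application-server>, idempotently,
    so the existing default-web-site.xml reference stays in place."""
    root = ET.fromstring(server_xml)
    if root.tag != "application-server":
        raise ValueError("expected an <application-server> root element")
    if any(ws.get("path") == path for ws in root.findall("web-site")):
        return ET.tostring(root, encoding="unicode")  # already referenced
    ET.SubElement(root, "web-site", {"path": path})
    return ET.tostring(root, encoding="unicode")


def check_secure_site(secure_xml, port="443"):
    """Pre-restart sanity check: right port, secure flag set, one ssl-config
    with both a keystore and a keystore password."""
    root = ET.fromstring(secure_xml)
    ssl = root.findall("ssl-config")
    return (root.get("port") == str(port)
            and root.get("secure") == "true"
            and len(ssl) == 1
            and bool(ssl[0].get("keystore"))
            and bool(ssl[0].get("keystore-password")))


if __name__ == "__main__":
    # Assumed paths; on a real install read/write the files in the config directory.
    secure = make_secure_web_site(DEFAULT_WEB_SITE)
    server = add_secure_site_reference(SERVER_XML)
    print(secure)
    print(server)
    print("secure-web-site.xml looks consistent:", check_secure_site(secure))
```

Because the keystore password ends up in clear text in secure-web-site.xml (as in the post), keep the config directory, and the backup directories from Steps 1 and 5, readable only by the account that runs OC4J.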

Of course you also have to alter the port number in the OBIEE config files:
...\OracleBI\oc4j_bi\j2ee\home\applications\bioffice\bioffice\WEB-INF\bioffice.xml
...\OracleBI\xmlp\XMLP\Admin\Configuration\xmlp-server-config.xml
...\OracleBIData\web\config\instanceconfig.xml

Till Next Time

This article is also published on: http://knowledge.ciber.nl/weblog/

9 comments:

Anonymous said...

Is this configuration good for OC4J only? What if we are using IBM Websphere and analytics.war is deployed on it? Would like to introduce reports on internet and intranet. How do we do it?

John Minkjan said...

@Anonymous,

I have no experience with IBM Websphere please share any knowledge you have.

regards

John

Akash said...

Hi John..

First of all Thanks for the Post on SSL.

But I have a concern over here.

I implemented it as per the given steps.
The only thing I want to know is How do I update the port in Start up link?
When I click on Presentation Services from Start menu, it is again pointing to earlier port number, and in fact it is again taking http in the url rather than taking https and updated port. If I manually update the port number and https in the url, it works fine.
Can you pls help me out to fix this.

John Minkjan said...

Hi Akash

Right click on the presentations menu and edit the properties

Akash said...

I already tried that..it is not allowing me to change the properties.."cannot change the properties"
Might be administrator issue.

Akash said...

Thanks I am able to do it now..

Anonymous said...

Hi,

Thanks for the post. With keytool -genkey, we generate the key; what about generating the certificate and having it signed by a CA?

Please advise.

Thanks

Mike said...

Hey John, Thanks for this helpful post.

I tried this first attempt and failed. Just wondering, do we have to do any changes in NQSConfig.ini file?

There is a section which reads;

[ SECURITY ]

DEFAULT_PRIVILEGES = READ;
PROJECT_INACCESSIBLE_COLUMN_AS_NULL = NO;
MINIMUM_PASSWORD_LENGTH = 0;

#IGNORE_LDAP_PWD_EXPIRY_WARNING = NO; // default is no.

#SSL=NO;
#SSL_CERTIFICATE_FILE="servercert.pem";
#SSL_PRIVATE_KEY_FILE="serverkey.pem";
#SSL_PK_PASSPHRASE_FILE="serverpwd.txt";
#SSL_PK_PASSPHRASE_PROGRAM="sitepwd.exe";
#SSL_VERIFY_PEER=NO;
#SSL_CA_CERTIFICATE_DIR="CACertDIR";
#SSL_CA_CERTIFICATE_FILE="CACertFile";
#SSL_TRUSTED_PEER_DNS="";
#SSL_CERT_VERIFICATION_DEPTH=9;
#SSL_CIPHER_LIST="";
______________________

Cheers