1. Configuring SSL for EPM products requires setting up keystores/wallets for WebLogic Server, Oracle HTTP Server, and Essbase Server containing certificates from a Certificate Authority.
2. The keystores/wallets need to contain the server certificate, intermediate CA certificate, and root CA certificate in order to validate the certificate chain.
3. The tools Keytool and Wallet Manager can be used to generate key pairs, import certificates, and create the keystores/wallets in the proper format for each product.
1. Configuring SSL for EPM products requires setting up keystores/wallets for WebLogic Server, Oracle HTTP Server, and Essbase Server containing certificates from a Certificate Authority.
2. The keystores/wallets need to contain the server certificate, intermediate CA certificate, and root CA certificate in order to validate the certificate chain.
3. The tools Keytool and Wallet Manager can be used to generate key pairs, import certificates, and create the keystores/wallets in the proper format for each product.
1. Configuring SSL for EPM products requires setting up keystores/wallets for WebLogic Server, Oracle HTTP Server, and Essbase Server containing certificates from a Certificate Authority.
2. The keystores/wallets need to contain the server certificate, intermediate CA certificate, and root CA certificate in order to validate the certificate chain.
3. The tools Keytool and Wallet Manager can be used to generate key pairs, import certificates, and create the keystores/wallets in the proper format for each product.
1. Configuring SSL for EPM products requires setting up keystores/wallets for WebLogic Server, Oracle HTTP Server, and Essbase Server containing certificates from a Certificate Authority.
2. The keystores/wallets need to contain the server certificate, intermediate CA certificate, and root CA certificate in order to validate the certificate chain.
3. The tools Keytool and Wallet Manager can be used to generate key pairs, import certificates, and create the keystores/wallets in the proper format for each product.
Resources needed for Configuring EPM Products with SSL 1. WebLogic Server: Java Keystores (JKS) myIdentity.jks (with Server Private Key, Server Certificate, CA Inter, CA Root certificates imported) myTrust.jks (with CA Inter and CA Root certificates imported) to use Custom Identity and Custom Trust CAInter.pem certificate CARoot.pem certificate slc01hsu.pem (epm server certificate with its chain certificates chain) Can create jks keystore
[email protected] Page 1 of 31 https://blogs.oracle.com/pa
4. IIS Server: IIS configured for SSL on 443 port Generate CSR and submit to CA Import the CA signed Server certificate Can import (IIS Server certificate with its private key already available from CA) Create https binding for the web site to run at 443 port
5. Configure EPM System with SSL
Import the CA Inter and CA Root certificates to the Java installation keystores Run the Config Utility Configure EPM System Common Settings with “Use SSL for Web Application Server …” If database is also in SSL import the Database CA Root certificate into the EPM Configurator Keystore For Essbase Server Config it with enabling the SSL Agent Port “6423” to be “Active”.
A Commercial Certificate Authority (CA) will be providing its CA Root and CA
Intermediate Certificates. All we need is to submit a Certificate Signing Request (csr) for the particular server in any format like (hostname.domainname.com/Web Site Name/Wildcard Certificate like *.domainname.com) and get the CA Signed Server Certificate.
NOTE: If you are using a wildcard certificate remember to turnoff WebLogic Hostname Verification.
Here we will be using Custom Identity and Custom Trust Keystores.
Will be using Our Own Internal CA
Create Java Keystore for Custom Identity:
Create a certificate key pair for the Server Certificate using the keytool genkeypair command Command: keytool -genkeypair -alias slc01hsu -keyalg RSA -keysize 2048 -validity 365 -keypass Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
[email protected] Page 2 of 31 https://blogs.oracle.com/pa
Create a certificate signing request (csr) which has to be passed on to your external / third party CA (Certificate Authority). Command: keytool -certreq -alias slc01hsu -file C:\Oracle\Middleware\ssl\slc01hsu_certreq.pem - keystore C:\Oracle\Middleware\ssl\myIdentity.jks
NOTE: Certreq can be in .csr or .pem format not a problem.
Note: The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate Here we are using our own internal Certification Authority (CA)
Save CA Root, CA Intermediate & Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl
[email protected] Page 3 of 31 https://blogs.oracle.com/pa
Only on Windows Machine:
Install the Certificate in to Trusted Root Certification Authorities, It’s now valid
[email protected] Page 4 of 31 https://blogs.oracle.com/pa
Install the CA Intermediate certificate to Intermediate Certification Authorities
[email protected] Page 5 of 31 https://blogs.oracle.com/pa
Now we need to import these certificates into myIdentity.jks keystore
- Import the intermediate certificate first --> then the root certificate --> and then the signedcert.
The intermediate and root certificate should have different alias name, but the signed certificate should be imported with the same alias that was used while creating a certificate key pair.
After importing all three certificates you should see: “Certificate reply was installed in Keystore” message.
CAInter.pem
[email protected] Page 6 of 31 https://blogs.oracle.com/pa
CARoot.pem
Slc01hsu.pem
Now list the keystore and check if all the certificates are imported successfully.
Now that we have successfully created a third party CA signed Identity keystore and a Trust keystore, we can configure WLS to use it by configuring Custom Identity and Custom Trust. [email protected] Page 8 of 31 https://blogs.oracle.com/pa
Create Oracle Wallet for OHS Using Wallet Manager:
UNIX: Execute MIDDLEWARE_HOME/ohs/bin/owm to launch Wallet Manager.
Click No, Right Click Trusted Certificates and add your CA intermediate and CA root certificates
[email protected] Page 9 of 31 https://blogs.oracle.com/pa
Submit this CSR to your CA and get the Signed Certificate
Import the CA Signed Server Certificate into the Wallet
[email protected] Page 10 of 31 https://blogs.oracle.com/pa
We need a key pair for the server certificate signing request:
Unfortunately we will fail validating the java key store if we use anything other than orapki. So we have to use the wallet. The signing request will be created along: orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN= brownbag.oracle.com, OU=CEAL, O=Oracle Corporation, L=Santa Clara, ST=California, C=US" -keysize 2048 -pwd Oracle123 -validity 365
[email protected] Page 13 of 31 https://blogs.oracle.com/pa
Creating a wallet for Essbase
You want to create a wallet containing your server cert and private key provided by your PKI administrator as a yourcert.p12 file. Let’s assume the password for the private key is "mypassword". One way is to convert this p12 to jks keytool -v -importkeystore -srckeystore yourcert.p12 -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS You must use the same password for the new jks and the private key = "mypassword" Import in this keystore, the intermediate and root certs for your server cert. This is required to create a valid wallet. keytool -import -alias Root -keystore yournewkeystore.jks -trustcacerts -file root.cer keytool -import -alias Intermediate -keystore yournewkeystore.jks -trustcacerts -file intermediate.cer Validate all entries are there using keytool -list -keystore yournewkeystore.jks
Since we already have a jks file let us ignore the above steps.
