
Easy Steps to configure Full SSL On a non Distributed Installation (Single Server Installation) - EPM 11.1.2.2.xxx (Doc ID 1532416.1)
Modified: Mar 8, 2013 Type: WHITE PAPER Status: PUBLISHED Priority: 3

In this Document: Abstract, History, Details

APPLIES TO:
Enterprise Performance Management and Business Intelligence
Information in this document applies to any platform.

ABSTRACT
This document describes, in easy steps, how to set up full SSL on an already working EPM 11.1.2.2.xxx installation. It requires that OHS is used as the web server and is fully configured and working. The idea in this document is to use a combination of wallets and keystores to set up the whole SSL environment.

HISTORY

REQUIREMENTS:
Install and fully configure EPM 11.1.2.2.xxx with OHS as the web server, so that you can log in to Workspace using the default OHS port 19000 and all the EPM modules are accessible from the Workspace portal.
NB: Apply any patches you wish to install before going ahead with the SSL configuration.
I have attached OpenSSL (key_cert_gen.zip) for you to unzip to your root drive before you start.

CREATING THE CA CERTIFICATES:

a) Creating the CA Private Key

Start a command prompt and run the following commands:

C:\key_cert_gen>openssl version
OpenSSL 0.9.7j 04 May 2006

C:\key_cert_gen>openssl genrsa -out BACHVM11122WIN08CA.key -des 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
........................++++++
e is 65537 (0x10001)
Enter pass phrase for BACHVM11122WIN08CA.key:
Verifying - Enter pass phrase for BACHVM11122WIN08CA.key:

The password I have used for the key is: planning

b) Creating the CA Public Key

C:\key_cert_gen>openssl req -new -key BACHVM11122WIN08CA.key -x509 -days 3650 -out BACHVM11122WIN08CA.crt -config openssl.cnf
Enter pass phrase for BACHVM11122WIN08CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: GB
State or Province Name or County (full name) [Cambridgeshire]: LANCASHIRE
Locality Name (eg, city or town) [Cambridge]: MANCHESTER
Organization Name (eg, company) [Unicenter]: ORACLE
Organizational Unit Name (eg, section) [Demo Example Mike Gleaves]: SUPPORTCA
Common Name (eg, your websites domain name) []: BACHVM11122WIN08
Email Address []:

The above command generates the CA certificate BACHVM11122WIN08CA.crt. Please note that in the above prompts, the Common Name should be the OHS server name.

Install the root certificate on the Windows machine in the Trusted Root Certification Authorities store. (Double click the certificate BACHVM11122WIN08CA.crt to open it and install it in the Trusted Root Certification Authorities store.)


CREATING THE IIS CERTIFICATE REQUEST:
Why do we need a certificate for IIS? Because the EPMA Dimension Server resides in IIS, IIS has to be SSL-enabled as well.
Go to Microsoft Windows -> Start -> Run and type inetmgr. Click on the server name and double click on Server Certificates. Right click on an empty space and select Create Certificate Request, then fill in the details, bearing in mind that the Common Name has to be the machine name.

The IISCert.csr would be created in C:\SSL

CREATING THE WALLET:

- Create the user wallet that will be used by OHS:

C:\Oracle\Middleware\oracle_common\bin>SET JAVA_HOME=C:\Oracle\Middleware\jdk160_29
C:\Oracle\Middleware\oracle_common\bin>orapki wallet create -wallet c:\SSL -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

The above command creates a password protected wallet called c:\SSL\ewallet.p12.

- Add a Certificate request to the wallet to be signed later by the certificate authority:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -dn "CN=bachvm11122win08,OU=SUPPORT,O=ORACLE,L=MANCHESTER,ST=LANCASHIRE,C=GB" -keysize 1024 -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

The above command adds the request to the wallet.

- Export the user request from the wallet to be signed by the CA (Certificate authority):
C:\Oracle\Middleware\oracle_common\bin>orapki wallet export -wallet c:\SSL -dn "CN=bachvm11122win08,OU=SUPPORT,O=ORACLE,L=MANCHESTER,ST=LANCASHIRE,C=GB" -request c:\SSL\OHScert.csr -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

The above command exports the certificate request c:\SSL\OHScert.csr to be signed by the certificate authority.

To sign the IIS and OHS certificate requests, proceed to the following section:

SIGNING CERTIFICATE REQUESTS:

C:\key_cert_gen>openssl x509 -req -in c:\SSL\IIScert.csr -CA Bachvm11122win08CA.crt -CAkey Bachvm11122win08CA.key -out IIScert.crt -days 3650 -CAcreateserial -CAserial Bachvm11122win08CA.seq
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=bachvm11122win08
Getting CA Private Key
Enter pass phrase for Bachvm11122win08CA.key:

The above command generates the signed certificate IIScert.crt.

C:\key_cert_gen>openssl x509 -req -in c:\SSL\OHScert.csr -CA Bachvm11122win08CA.crt -CAkey Bachvm11122win08CA.key -out OHScert.crt -days 3650 -CAcreateserial -CAserial Bachvm11122win08CA.seq
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=bachvm11122win08
Getting CA Private Key
Enter pass phrase for Bachvm11122win08CA.key:

The above command generates the signed certificate OHScert.crt.

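The CA creation, request and signing steps above, reproduced as an added shell example that is not part of this white paper: it runs the same openssl flow non-interactively on a POSIX shell and adds the checks worth doing before the certificates are imported into the wallet (chain verification and host name). The host name, work directory, 2048-bit RSA/SHA-256 parameters and the added SAN are my assumptions; the page's own values and orapki steps are unchanged.

```shell
#!/bin/sh
# Added example, not from the Oracle white paper: the CA -> request -> sign flow
# of the sections above, run non-interactively with openssl on a POSIX shell,
# followed by the checks worth doing before the certificates go into the wallet.
# Assumed (not on the page): work directory $2, server host name $1, 2048-bit RSA.
set -eu

make_and_check_chain() {
  host=$1; dir=$2
  mkdir -p "$dir"
  # 1) CA private key and self-signed CA certificate (page: genrsa + req -x509);
  #    2048-bit RSA and SHA-256 rather than the 1024-bit key and MD5-era defaults.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -days 3650 -sha256 \
    -subj "/C=GB/O=ORACLE/OU=SUPPORTCA/CN=$host CA" -out "$dir/ca.crt" 2>/dev/null
  # 2) Server key and certificate request; the CN must be the host name, as the
  #    page states for both the OHS and the IIS request.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -subj "/C=GB/O=ORACLE/OU=SUPPORT/CN=$host" -out "$dir/server.csr" 2>/dev/null
  # 3) Sign with the CA (page: openssl x509 -req ... -CAcreateserial). A SAN is
  #    added as well, because current browsers ignore the CN when matching hosts.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # 4) Verify before importing: chains to the CA, and names the expected host.
  chain_ok "$dir/ca.crt" "$dir/server.crt"
  cert_has_host "$dir/server.crt" "$host"
}

# Returns 0 when certificate $2 verifies against CA certificate $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when certificate $1 names host $2 in both its subject CN and its SAN.
cert_has_host() {
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2" &&
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Live check of a running OHS/WebLogic SSL port against the CA (page: "Make sure
# that the certificate chain is correct"). Needs the server up, so not run here.
live_chain_ok() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}
```

Run `make_and_check_chain bachvm11122win08 ./ssl_demo` to produce ca.crt/server.crt, and `live_chain_ok OHSservername 4443 ./ssl_demo/ca.crt` once OHS is up on port 4443.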

IMPORTING CERTIFICATES INTO THE WALLET:
Import the following certificates in sequence:

- Import the CA certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -trusted_cert -cert c:\SSL\bachvm11122win08CA.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

- Import the User Certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -user_cert -cert c:\SSL\OHScert.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

- Import the IIS Certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -trusted_cert -cert c:\SSL\IIScert.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

What have we done so far? We did the following:
- Created a password protected wallet ewallet.p12
- Created a user certificate request and exported it to be signed
- Signed the user certificate using the CA certificate bachvm11122win08CA.crt
- Imported the CA certificate bachvm11122win08CA.crt into the wallet
- Imported the user certificate OHScert.crt into the wallet
- Imported the IIS certificate IIScert.crt into the wallet

Next, convert the wallet to a JKS store to be used by the EPM JVMs, and then set the wallet to auto-login so that no password is required.

- Convert the wallet to a keystore:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet pkcs12_to_jks -wallet c:\SSL -pwd Planning99 -jksKeyStoreLoc c:\SSL\ewallet.jks -jksKeyStorepwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

The above command converts the wallet ewallet.p12 to ewallet.jks.

List the content of the keystore ewallet.jks:

C:\Oracle\Middleware\jdk160_29\bin>keytool -list -keystore C:\SSL\ewallet.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 7 entries

cn=gte cybertrust global root, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
orakey, Feb 23, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 99:5F:64:CE:00:42:E3:F4:BC:D9:E1:0D:7E:8E:AB:48
ou=class 1 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
ou=class 2 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
ou=class 3 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
cn=bachvm11122win08 1, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): E9:69:A2:0B:72:F7:F1:4C:17:41:96:21:66:53:27:D5
cn=bachvm11122win08, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 68:7F:04:0E:1E:24:01:FD:6E:EF:06:CC:C4:2D:2B:53

NB: Take note of the following entry from the listing:
orakey, Feb 23, 2013, PrivateKeyEntry
orakey is the alias that will be used when setting the EPM web application servers to SSL in WebLogic, and the password for this alias is, in this example, Planning99 (refer to the section where the wallet was created for the first time).

First back up the existing cacerts files, then copy the above keystore ewallet.jks to the following locations and rename the file to cacerts:
\Oracle\Middleware\jdk160_29\jre\lib\security
\Oracle\Middleware\jrockit_160_29\jre\lib\security

Now let's convert the wallet ewallet.p12 to an auto-login wallet cwallet.sso:

C:\Oracle\Middleware\oracle_common\bin>orapki wallet create -wallet c:\SSL -auto_login
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:

The above command creates the auto-login wallet cwallet.sso that is going to be used by OHS and Essbase (to use Essbase in SSL mode).

COMPLETING THE IIS SSL SETUP:
So far for IIS we have done the following:
- Generated the certificate request IISCert.csr
- Signed the certificate to generate IISCert.crt

Go to Microsoft Windows -> Start -> Run and type inetmgr. Click on the server name and double click on Server Certificates. Right click on an empty space and select Complete Certificate Request.

Test the IIS SSL setup by loading the IIS home page over SSL.

Test the Dimension Server SSL URL by launching the following URL: https://IISserver/hyperion-bpma-server/Sessions.asmx

We are now ready to apply SSL to the Web Application Deployments.

SETTING FOUNDATION SERVICES TO SSL MODE:
- Launch the EPM Configuration Utility and make the following selection to set up SSL communication between web applications: select "Use SSL for web application server communication" and complete the configuration.

- Start the WebLogic server in order to be able to use the WebLogic admin console.
- Log in to the WebLogic admin console and go to EPMSystem -> Environment -> Servers -> FoundationServices0 -> General tab and enable SSL (the default port is 28443).

- Then go to the Keystores tab and change the keystores to point to ewallet.jks; for that you need to select Custom Identity and Custom Trust and fill in the details regarding the keystore.

- Go to the SSL tab and fill in the details: Private Key Alias -> orakey, and then the password.

- Click on the Advanced link and set the Hostname Verification to None

- Activate the changes and start the Foundation Windows service to test: https://HSSserver:28443/interop/index.jsp

The above five steps are what is required to SSL-enable each of the web application deployments. NB: Configure all web applications deployed to WebLogic using the above procedure before going any further!

Note that some deployed web applications, such as Calculation Manager, have no direct URL to test and can only be accessed via Workspace. For those web applications, check the logs if you suspect SSL errors. After you have configured all web application servers, reconfigure the HTTP web server, in this case OHS.

CONFIGURE OHS FOR SSL:
Go to the following location:
C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component
Edit the file ssl.conf and make sure that the following are set:

# OHS Listen Port
Listen 4443

##
## SSL Virtual Host Context
##
<VirtualHost *:4443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

#Path to the wallet
SSLWallet "C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\keystores\default"

The above entry in ssl.conf refers to the following path:
C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\keystores\default
But as I am going to create my own wallet, I will modify the path to where my wallet would be created:

SSLWallet c:\SSL

Restart the OHS service and launch the following URL: https://OHSservername:4443/
Launch the OHS SSL home page

Make sure that the certificate chain is correct

Restart all Services and test workspace on SSL

DETAILS
This white paper shows how to set up SSL in an already configured EPM 11.1.2.2.xxx installation. What is specific in this document is that it covers a single server installation in a non distributed environment, as opposed to the following white paper, which was based on a distributed installation across 2 servers:
EASY STEPS TO ENTERPRISE PERFORMANCE MANAGEMENT 11.1.2.X FULL SSL CONFIGURATION - DISTRIBUTED INSTALLATION ACROSS TWO SERVERS (Doc ID 1391487.1)
As for SSL offloading, whereby only the web server is set up for SSL, see the following white paper:
EASY STEPS TO SETTING UP SSL OFFLOADING WITH OHS WEBSERVER ON EPM 11.1.2.2 (Doc ID 1530169.1)
