Easy Steps to configure Full SSL On a non Distributed Installation (Single Server Installation) - EPM 11.1.2.2.xxx (Doc ID 1532416.1)
Modified: Mar 8, 2013 Type: WHITE PAPER Status: PUBLISHED Priority: 3
In this Document
Abstract
History
Details
APPLIES TO:
Enterprise Performance Management and Business Intelligence
Information in this document applies to any platform.
ABSTRACT
This document describes, in easy steps, how to set up full SSL on an already working EPM 11.1.2.2.xxx installation.
It requires that OHS is used as the web server and is fully configured and working.
The approach is to use a combination of an Oracle wallet and Java keystores to set up the whole SSL environment.
HISTORY
REQUIREMENTS:
Install and fully configure EPM 11.1.2.2.xxx with OHS as the web server, so that you can log in to Workspace on the default OHS port 19000 and all the EPM modules are accessible from the Workspace portal.
NB: Apply any patches you wish to install before going ahead with the SSL configuration.
I have attached OpenSSL (key_cert_gen.zip) for you to unzip to your root drive before you start.
CREATING THE CA CERTIFICATES:
a) Creating the CA Private Key
Start a command prompt and run the following commands:
C:\key_cert_gen>openssl version
OpenSSL 0.9.7j 04 May 2006
C:\key_cert_gen>openssl genrsa -out BACHVM11122WIN08CA.key -des 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
........................++++++
e is 65537 (0x10001)
Enter pass phrase for BACHVM11122WIN08CA.key:
Verifying - Enter pass phrase for BACHVM11122WIN08CA.key:
The password I have used for the Key is: planning
Note that the 1024-bit key and the single-DES pass phrase wrapping (-des) match the OpenSSL 0.9.7j build attached to this note; both are considered weak today. If you build a new CA rather than following the transcript literally, use at least a 2048-bit key and AES wrapping (-aes256).
b) Creating the self-signed CA Certificate
C:\key_cert_gen>openssl req -new -key BACHVM11122WIN08CA.key -x509 -days 3650 -out BACHVM11122WIN08CA.crt -config openssl.cnf
Enter pass phrase for BACHVM11122WIN08CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name or County (full name) [Cambridgeshire]:LANCASHIRE
Locality Name (eg, city or town) [Cambridge]:MANCHESTER
Organization Name (eg, company) [Unicenter]:ORACLE
Organizational Unit Name (eg, section) [Demo Example Mike Gleaves]:SUPPORTCA
Common Name (eg, your websites domain name) []:BACHVM11122WIN08
Email Address []:
The above command will have generated the CA certificate BACHVM11122WIN08CA.crt. Please note that in the above prompts, the Common Name should be the OHS server name.
Install the root certificate on the Windows machines in the 'Trusted Root Certification Authorities' store (double click the certificate BACHVM11122WIN08CA.crt to open it and install it in Trusted Root Certification Authorities).
CREATING THE IIS CERTIFICATE REQUEST:
Why do we need a certificate for IIS? Because the EPMA Dimension Server is hosted in IIS, IIS itself has to be SSL-enabled.
Go to Microsoft Windows -> Start -> Run and type inetmgr
- Click on the server name and double click on 'Server Certificates'
- Right click on the empty space -> Create Certificate Request, and go through filling in the details, bearing in mind that the Common Name has to be the machine name
The IISCert.csr would be created in C:\SSL
CREATING THE WALLET:
- Create the user wallet that will be used by OHS:
C:\Oracle\Middleware\oracle_common\bin>SET JAVA_HOME=C:\Oracle\Middleware\jdk160_29
C:\Oracle\Middleware\oracle_common\bin>orapki wallet create -wallet c:\SSL -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The above command would have created a password protected wallet called c:\SSL\ewallet.p12
- Add a Certificate request to the wallet to be signed later by the certificate authority:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -dn "CN=bachvm11122win08,OU=SUPPORT,O=ORACLE,L=MANCHESTER,ST=LANCASHIRE,C=GB" -keysize 1024 -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The above command would have added the request to the wallet.
- Export the user request from the wallet to be signed by the CA (Certificate authority):
C:\Oracle\Middleware\oracle_common\bin>orapki wallet export -wallet c:\SSL -dn "CN=bachvm11122win08,OU=SUPPORT,O=ORACLE,L=MANCHESTER,ST=LANCASHIRE,C=GB" -request c:\SSL\OHScert.csr -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The above command would have exported the certificate request c:\SSL\OHScert.csr to be signed by the certificate authority.
The IIS and OHS certificate requests are signed by the CA in the following section:
SIGNING CERTIFICATE REQUESTS:
C:\key_cert_gen>openssl x509 -req -in c:\SSL\IIScert.csr -CA Bachvm11122win08CA.crt -CAkey Bachvm11122win08CA.key -out IIScert.crt -days 3650 -CAcreateserial -CAserial Bachvm11122win08CA.seq
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=bachvm11122win08
Getting CA Private Key
Enter pass phrase for Bachvm11122win08CA.key:
The above command would generate the signed certificate IIScert.crt.
C:\key_cert_gen>openssl x509 -req -in c:\SSL\OHScert.csr -CA Bachvm11122win08CA.crt -CAkey Bachvm11122win08CA.key -out OHScert.crt -days 3650 -CAcreateserial -CAserial Bachvm11122win08CA.seq
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=LANCASHIRE/L=MANCHESTER/O=ORACLE/OU=SUPPORT/CN=bachvm11122win08
Getting CA Private Key
Enter pass phrase for Bachvm11122win08CA.key:
The above command would generate the signed certificate OHScert.crt.
IMPORTING CERTIFICATES INTO THE WALLET:
Import the following certificates in sequence
- Import the CA certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -trusted_cert -cert c:\SSL\bachvm11122win08CA.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
- Import the User Certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -user_cert -cert c:\SSL\OHScert.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
- Import the IIS Certificate:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet add -wallet c:\SSL -trusted_cert -cert c:\SSL\IIScert.crt -pwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
What have we done so far?
We did the following:
- Created a password protected wallet ewallet.p12
- Created a user certificate request and exported it to be signed
- Signed the user certificate request with the CA certificate bachvm11122win08CA.crt
- Imported the CA certificate bachvm11122win08CA.crt into the wallet
- Imported the user certificate OHScert.crt into the wallet
- Imported the IIS certificate IIScert.crt into the wallet
Next, the wallet is converted to a JKS keystore for use by the EPM JVMs, and then the wallet is turned into an auto-login wallet so that no password is required at runtime.
- Convert wallet to a keystore
C:\Oracle\Middleware\oracle_common\bin>orapki wallet pkcs12_to_jks -wallet c:\SSL -pwd Planning99 -jksKeyStoreLoc c:\SSL\ewallet.jks -jksKeyStorepwd Planning99
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The above command would have converted the wallet ewallet.p12 to ewallet.jks.
List the content of the Keystore ewallet.jks:
C:\Oracle\Middleware\jdk160_29\bin>keytool -list -keystore C:\SSL\ewallet.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 7 entries
cn=gte cybertrust global root, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
orakey, Feb 23, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 99:5F:64:CE:00:42:E3:F4:BC:D9:E1:0D:7E:8E:AB:48
ou=class 1 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
ou=class 2 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
ou=class 3 public primary certification authority, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
cn=bachvm11122win08 1, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): E9:69:A2:0B:72:F7:F1:4C:17:41:96:21:66:53:27:D5
cn=bachvm11122win08, Feb 23, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 68:7F:04:0E:1E:24:01:FD:6E:EF:06:CC:C4:2D:2B:53
NB: Take note of the following entry from the listing: "orakey, Feb 23, 2013, PrivateKeyEntry". orakey is the alias that will be used when setting up the EPM web application servers for SSL in WebLogic, and the password for this alias is, in this example, Planning99 (refer to the section where the wallet was created for the first time).
First back up the existing cacerts files, then copy the keystore ewallet.jks to the following locations and rename the file to cacerts:
C:\Oracle\Middleware\jdk160_29\jre\lib\security
C:\Oracle\Middleware\jrockit_160_29\jre\lib\security
Note that this replaces the JVMs' default trust store: from then on the EPM JVMs trust only the certificates listed above (your CA and the trusted certificates that came with the wallet), which is why the backup matters.
Now let’s convert the wallet ewallet.p12 to an auto-login wallet cwallet.sso:
C:\Oracle\Middleware\oracle_common\bin>orapki wallet create -wallet c:\SSL -auto_login
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
The above command would have created the Auto_Login wallet cwallet.sso that is going to be used by OHS and Essbase (to use Essbase in SSL Mode)
COMPLETING THE IIS SSL SETUP:
So far for IIS we have generated the certificate request IISCert.csr and signed it to produce IISCert.crt.
Go to Microsoft Windows -> Start -> Run and type inetmgr
- Click on the server name and double click on 'Server Certificates'
- Right click on the empty space -> Complete Certificate Request
Test the IIS SSL by loading the Home page in SSL
Test the Dimension Server SSL URL by launching the following URL:
https://IISserver/hyperion-bpma-server/Sessions.asmx
We are now ready to apply SSL to the Web Application Deployments.
SETTING FOUNDATION SERVICES TO SSL MODE:
- Launch the EPM Configuration Utility and make the following selection to set the SSL communication between web applications
Select ‘Use SSL for web application server communication’ and complete configuration
- Start the weblogic server in order to be able to use the weblogic admin console
- Login to the weblogic admin console and Go to EPMSystem -> Environment -> Servers -> FoundationServices0 -> General Tab and enable SSL (the default port is 28443)
- Then go to the Keystores tab and change the keystores to point to ewallet.jks; for that you need to select 'Custom Identity and Custom Trust' and fill in the details of the keystore
- Go to the SSL tab and fill in the details: Private Key Alias -> orakey, and then the password
- Click on the Advanced link and set Hostname Verification to None. Note that this turns off WebLogic's check that the host name in a peer certificate matches the host it connected to, so outbound connections from WebLogic will accept any certificate issued by a trusted CA regardless of the name in it.
- Activate changes and start the foundation Windows service to test:
https://HSSserver:28443/interop/index.jsp
The above steps are what is required to SSL-enable every web application deployment.
NB: Configure all web applications deployed to WebLogic using the above procedure before going any further!
Note that some deployed web applications, such as Calculation Manager, have no direct URL to test and can only be accessed via Workspace. For those web apps, check the logs if you suspect SSL errors.
After you have configured all web application servers, reconfigure the HTTP WEB SERVER, in this case OHS.
CONFIGURE OHS FOR SSL:
Go to the following location:
C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component
Edit the file ssl.conf and make sure that the following are set:
# OHS Listen Port
Listen 4443
##
## SSL Virtual Host Context
##
<VirtualHost *:4443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
#Path to the wallet
SSLWallet "C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\keystores\default"
The above entry in ssl.conf references the following path:
C:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\keystores\default
But as I am going to use my own wallet, I modify the path to where my wallet was created:
SSLWallet "c:\SSL"
Restart the OHS service and launch the following url: https://OHSservername:4443/
Launch the OHS SSL home page
Make sure that the certificate chain is correct
Restart all Services and test workspace on SSL
DETAILS
This white paper shows how to setup SSL in an already configured EPM 11.1.2.2.xxx installation.
What is specific in this document is that it covers a single server installation in a non-distributed environment, as opposed to the following white paper, which was based on a distributed installation across two servers:
EASY STEPS TO ENTERPRISE PERFORMANCE MANAGEMENT 11.1.2.X FULL SSL CONFIGURATION - DISTRIBUTED INSTALLATION ACROSS TWO SERVERS (Doc ID 1391487.1)
As for SSL offloading, whereby only the web server is set up for SSL, see the following white paper:
EASY STEPS TO SETTING UP SSL OFFLOADING WITH OHS WEBSERVER ON EPM 11.1.2.2 (Doc ID 1530169.1)