Configuring SSL for EPM 11.1.2.3/4 Products (Cont.)

Configure IIS for SSL

If you already have a server certificate with its private key, skip creating the certificate request and continue with Complete Certificate Request.

veera.raghavendra.rao@oracle.com Page 15 of 31
Submit the IIS CSR file to your CA and get it signed. Now import the CA-signed IIS server certificate by completing the certificate request.
For IIS, you need to import the trusted certificates (CAInter and CARoot).
Configure EPM System with SSL

Import the CAInter and CARoot certificates into the Java install locations:

    keytool -import -alias CEALCAInter -keystore %EPM_ORACLE_HOME%\common\JRE\Sun\1.6.0\lib\security\cacerts -trustcacerts -file C:\Oracle\Middleware\ssl\CAInter.crt -storepass changeit
    keytool -import -alias CEALCARoot -keystore %EPM_ORACLE_HOME%\common\JRE\Sun\1.6.0\lib\security\cacerts -trustcacerts -file C:\Oracle\Middleware\ssl\CARoot.crt -storepass changeit

Java keystore (cacerts) locations:

C:\Oracle\Middleware\EPMSystem11R1\common\JRE\Sun\1.6.0\lib\security\cacerts
C:\Oracle\Middleware\jdk160_35\jre\lib\security\cacerts
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts

Sometimes it may display like the screen below.

Because Java Home is set to JRockit in a default EPM installation:

C:\Oracle\Middleware\jrockit_160_37\jre\lib\security\cacerts
Run the EPM System Configurator

If you plan to SSL-enable the database connections, then during the configuration process you must select the Advanced Options link on each database configuration screen and specify the required settings, which include the following:

- Select Use secure connection to the database (SSL) and enter a secure database URL; for example,
  jdbc:oracle:thin:@(description=(address=(protocol=tcps)(HOST=myDBhost)(PORT=1529))(CONNECT_DATA=(SERVICE_NAME=myDBhost.myCompany.com)))
- Trusted Keystore
- Trusted Keystore Password
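A check for the secure database URL described above, as an added example that is not part of the original guide: it parses the connect descriptor and confirms that every address uses TCPS before the URL is entered in the configurator. The function names are hypothetical and the sample URLs are constructed from the guide's example host and port.

```python
# Added example, not from the original guide: confirm a JDBC thin URL requests TCPS.
import re
def parse_descriptor(text):
    """Parse '(KEY=value)' / '(KEY=(...)(...))' into [(KEY, str or list), ...]."""
    s, pos = "".join(text.split()), 0    # whitespace is not significant
    def items():
        nonlocal pos
        out = []
        while pos < len(s) and s[pos] == "(":
            eq = s.index("=", pos)       # ValueError if '=' is missing
            key, pos = s[pos + 1:eq].upper(), eq + 1
            if pos < len(s) and s[pos] == "(":
                value = items()
            else:
                m = re.compile(r"[^()]*").match(s, pos)
                value, pos = m.group(), m.end()
            if pos >= len(s) or s[pos] != ")":
                raise ValueError(f"unbalanced parenthesis at offset {pos}")
            pos += 1
            out.append((key, value))
        return out
    tree = items()
    if pos != len(s):
        raise ValueError(f"unexpected text at offset {pos}")
    return tree

def find(tree, key):
    """Yield every value stored under key, at any depth."""
    for k, v in tree:
        if k == key:
            yield v
        if isinstance(v, list):
            yield from find(v, key)

def check_secure_url(url):
    """Return (ok, detail) for a jdbc:oracle:thin:@(DESCRIPTION=...) URL."""
    prefix = "jdbc:oracle:thin:@"
    if not url.lower().startswith(prefix):
        return False, "not an Oracle thin-driver URL"
    tree = parse_descriptor(url[len(prefix):])
    protocols = [str(p).lower() for p in find(tree, "PROTOCOL")]
    if not protocols or any(p != "tcps" for p in protocols):
        return False, f"protocols {protocols}, expected tcps"
    host, port = next(find(tree, "HOST"), "?"), next(find(tree, "PORT"), "?")
    return True, f"tcps to {host}:{port}"
# Constructed inputs that reuse the guide's example host and port.
SECURE_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=myDBhost)"
              "(PORT=1529))(CONNECT_DATA=(SERVICE_NAME=myDBhost.myCompany.com)))")
PLAIN_URL = SECURE_URL.replace("PROTOCOL=tcps", "PROTOCOL=tcp")
```

A descriptor with unbalanced parentheses raises ValueError instead of being reported as secure.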
First configure Foundation Services in SSL mode, and then configure the other products.

Steps to configure Custom Identity and Custom Trust with WebLogic Server
NOTE: Set Hostname Verification to None if the CN of the certificate is not the same as the hostname of the machine where WLS is installed (this also applies to wildcard certificates). The setting is in the same SSL tab, under the Advanced section.

Similarly, configure the same for all other managed servers, such as FoundationServices0.

Configuring Node Manager in SSL mode
Restart Node Manager.

In StartManagedWebLogic.cmd, change the admin server URL.
After configuring Essbase, add a few SSL parameters to the Essbase.cfg file:

    WalletPath C:\\Oracle\\Middleware\\ssl\\essbase
    EnableClearMode FALSE ;deactivates http
    EnableSecureMode TRUE ;activates SSL
    AgentSecurePort 6423
    ClientPreferredMode SECURE ; always prefer secure communication

Restart Essbase Server.

Check that Essbase is running successfully in SSL mode on port 6423.

If you are using any clients, such as EAS or the Essbase Client, to connect to Essbase Server in secure mode, copy the wallet files (ewallet.p12 and cwallet.sso) to the locations below:

1. C:\Oracle\Middleware\EPMSystem11R1\common\EssbaseRTC-64\11.1.2.0\bin\wallet
2. C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\bin\wallet
3. C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseClient\bin\wallet

Now start or restart the EAS Managed Server and test connectivity to Essbase Server in secure mode.
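An audit of the Essbase.cfg SSL parameters listed above, as an added example that is not part of the original guide: it reads the file text, ignores `;` comments, and reports any setting that differs from the values the guide gives, such as a server left in clear mode. The function names are hypothetical, both sample files are constructed, and matching names case-insensitively is an assumption.

```python
# Added example, not from the original guide: audit the SSL lines of essbase.cfg.
# Assumption: setting names and values are matched case-insensitively.
EXPECTED = {  # values the guide sets for SSL mode
    "enableclearmode": "FALSE",
    "enablesecuremode": "TRUE",
    "clientpreferredmode": "SECURE",
}

def parse_essbase_cfg(text):
    """Return {lowercased setting name: value}; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_ssl(text):
    """Return a list of findings; an empty list means the SSL settings match."""
    cfg = parse_essbase_cfg(text)
    findings = []
    for name, want in EXPECTED.items():
        got = cfg.get(name)
        if got is None:
            findings.append(f"{name}: missing, expected {want}")
        elif got.upper() != want:
            findings.append(f"{name}: is {got}, expected {want}")
    if not cfg.get("walletpath"):
        findings.append("walletpath: missing")
    port = cfg.get("agentsecureport", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("agentsecureport: missing or not a valid TCP port")
    return findings

# Constructed samples: the guide's settings, and a file still in clear mode.
GUIDE_CFG = r"""
WalletPath C:\\Oracle\\Middleware\\ssl\\essbase
EnableClearMode FALSE ;deactivates http
EnableSecureMode TRUE ;activates SSL
AgentSecurePort 6423
ClientPreferredMode SECURE ; always prefer secure communication
"""
CLEAR_CFG = r"""
WalletPath C:\\Oracle\\Middleware\\ssl\\essbase
EnableClearMode TRUE
EnableSecureMode TRUE
;AgentSecurePort 6423
"""
```

Calling `audit_ssl` on the contents of the deployed Essbase.cfg after each change shows whether a commented-out or reverted line has left the clear-text mode enabled.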
HFM is also available from IIS in SSL mode.
Enter the NameVirtualHost.
Follow the same steps to configure the other products that run on WebLogic managed servers, along with any steps specific to the product. Refer to the EPM Security Guide for more information.
Configuring SSL-Enabled External User Directories

Import the Root CA certificate of the external directory into the Java keystores below.

On all EPM System servers:

Sun JVM keystore: MIDDLEWARE_HOME/jdk160_35/jre/lib/security/cacerts
JRockit JVM keystore: MIDDLEWARE_HOME/jrockit_160_37/jre/lib/security/cacerts
Custom Trust Keystore: C:\Oracle\Middleware\ssl\myTrust.jks

Configure External User Directories

You configure user directories using the Shared Services Console. While configuring user directories, you must select the SSL Enabled option that instructs EPM System security to use the secure protocol to communicate with the user directory.

Enabling Encryption for Financial Reporting Studio

To configure Oracle Hyperion Financial Reporting Studio for encrypted RMI communication, add the following to the JVM startup parameters (shell script files on UNIX servers) or to the JVMOption Windows registry entries (Windows servers):

    -Djavax.net.ssl.trustStore=TRUSTSTORE_LOCATION

Replace TRUSTSTORE_LOCATION with the absolute location of the keystore where you installed the CA root certificate.

The registry location for adding this parameter for Financial Reporting Studio on a Windows server is HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions\Hyperion Reports\HReports\JVM.

The location for adding JVM parameters for Financial Reporting is HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions\FinancialReporting0\HyS9FRReports.

*****************************************************************************

References:

EPM Security Guide
http://docs.oracle.com/cd/e40248_01/epm.1112/epm_security.pdf
http://docs.oracle.com/cd/e40248_01/nav/portal_1.htm