Friday, May 24, 2013

Setting up SSL for WebLogic

We recently needed to set up SSL for OBIEE so that we could accept the EBS cookie for single sign-on between EBS and OBIEE (post to come soon on how to get that all wired up). Unfortunately I don't have all of the steps, as someone else on the team handles the making of the actual cert, but I can provide all steps around the process.

Continue on to read what I did to create a private key, create a certificate request (CSR), and configure WebLogic to enable the SSL port for OBIEE.

  1. Log into the server you want to set up SSL on with PuTTY and run the following commands:

    1. openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out <serverhost>.key 2048
      • Replace file1, file2, etc with random files on the server.
      • Set passphrase to: welcome1 (or any value you like)
    2. openssl req -new -key <serverhost>.key -out <serverhost>.csr
      1. Enter passphrase: welcome1
      2. Answers to the Questions:
        • Country Name (2 letter code) [GB]: US
        • State or Province Name (full name) [Berkshire]: California
        • Locality Name (eg, city) [Newbury]: Sacramento
        • Organization Name (eg, company) [My Company Ltd]: My Corp
        • Organizational Unit Name (eg, section) []: OBIEE
        • Common Name (eg, your name or your server's hostname) []:<serverhost>.blah.com
        • Email Address []: something@aol.com

        • Please enter the following 'extra' attributes to be sent with your certificate request
        • A challenge password []: welcome1
        • An optional company name []: My Corp

  2. Send your CSR to whoever creates certificates for your company. They will return to you a CRT file. This, along with the key you created earlier, will be used to create a Java keystore, which is what you will configure in WebLogic.
  3. Back in PuTTY, enter the following commands:
    1. cd <OBIEE_HOME>/wlserver_10.3/server/lib
    2. openssl pkcs12 -export -in ~/path/to/<serverhost>.cer -inkey ~/path/to/<serverhost>.key > ~/path/to/<serverhost>.p12
      • Enter the following for the passphrase and export password: welcome1
    3. <OBIEE_HOME>/Oracle_BI1/jdk/bin/keytool -importkeystore -srckeystore ~/path/to/<serverhost>.p12 -destkeystore <serverhost>Trust.jks -srcstoretype pkcs12
      • Enter the following for the destination keystore password: mykeystore
      • Enter the following for the source keystore password: welcome1
  4. Log into the WebLogic Console
    • http://<serverhost>:7001/console
  5. Navigate to Environment->Servers->bi_server1
  6. Click the Lock and Edit button.
  7. Check the SSL Listen Port Enabled box.
  8. Set the port to 9804.
  9. Click Save.
  10. Click on the tab for Keystores
  11. Click the Change button next to Demo Identity and Demo Trust
  12. Select Custom Identity and Java Standard Trust
  13. Click Save.
  14. For Custom Identity Keystore enter:
    • <OBIEE_HOME>/wlserver_10.3/server/lib/<serverhost>Trust.jks
  15. For Custom Identity Keystore Type enter:
    • jks
  16. For Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase enter:
    • mykeystore
  17. For Java Standard Trust Keystore Passphrase and Confirm Java Standard Trust Keystore Passphrase enter:
    • changeit
    • NOTE: This is the default password for the Java Standard Trust Keystore. If you have changed it, which you should, update this passphrase to your new Java Standard Trust Keystore password.
  18. Click Save.
  19. Click the SSL tab.
  20. For Private Key Alias enter:
    • 1
  21. For Private Key Passphrase and Confirm Private Key Passphrase enter:
    • welcome1
  22. Click Save.
  23. Click Activate Changes.
  24. The process will take a few moments, but will let you know once it has completed.
  25. Now go back to PuTTY to restart all services (WebLogic, EM, AdminServer, etc).

You should now be able to connect to https://<serverhost>:9804/analytics
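
A check worth running between steps 2 and 3, as an added example that is not part of the original post: it confirms that the private key, the CSR and the certificate you got back all carry the same public key, so a mismatched file is caught before it reaches the keystore. The function names, the KEY_PASS variable and the throwaway sample files are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): confirm that the private key,
# the CSR and the returned certificate all carry the same public key.
# Assumption: the key passphrase is supplied in KEY_PASS (constructed default).
export KEY_PASS="${KEY_PASS:-sample-passphrase}"

# Print the SHA-256 digest of the public key in a key, CSR or certificate.
pub_digest() {
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: check_bundle <key> <csr> <cert>; returns 0 only if all three match.
check_bundle() {
  local k c x
  k=$(pub_digest key "$1")  || { echo "cannot read key $1" >&2; return 1; }
  c=$(pub_digest csr "$2")  || { echo "cannot read CSR $2" >&2; return 1; }
  x=$(pub_digest cert "$3") || { echo "cannot read certificate $3" >&2; return 1; }
  if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then
    echo "OK: key, CSR and certificate share public key $k"
  else
    echo "MISMATCH: key=$k csr=$c cert=$x" >&2; return 1
  fi
}

# Constructed sample: a throwaway encrypted key, its CSR, a self-signed
# certificate standing in for the CA-issued one, and an unrelated second key.
make_sample() {
  local d; d=$(mktemp -d) || return 1
  {
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$d/host.key" 2048
    openssl req -new -key "$d/host.key" -passin env:KEY_PASS \
      -subj "/C=US/O=My Corp/CN=host.example.test" -out "$d/host.csr"
    openssl req -x509 -new -key "$d/host.key" -passin env:KEY_PASS \
      -subj "/C=US/O=My Corp/CN=host.example.test" -days 1 -out "$d/host.cer"
    openssl genrsa -out "$d/other.key" 2048
  } >/dev/null 2>&1
  echo "$d"
}

# With three file arguments, check real files: <key> <csr> <cert>.
if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```

To check real files, set KEY_PASS to the key's passphrase and pass the paths of <serverhost>.key, <serverhost>.csr and <serverhost>.cer as the three arguments.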

SSL Websites for reference

  • http://slacksite.com/apache/certificate.php
  • http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
  • http://www.sslshopper.com/article-most-common-openssl-commands.html
