Securing the EPM installation with SSL is certainly not rocket science, but finding the right document relevant to a simple installation is very difficult. I had to hunt through too many documents to implement it. When I asked my friends around in EPM Infrastructure, they were in a similar soup to me.
This post is specially for DattaTray who requested it.
There are many methods of implementing SSL and one of them is SSL Termination at OHS. I will try to cover other methods in a different post.
SSL Termination at Oracle HTTP Server
HTTPS requests ------> OHS ---------> Application Server
Things required
1. Working EPM Instance
2. OHS installed and working with all components
3. Certificates - Root CA, Intermediate Certificate, OHS certificate
Assumptions
Since these certificates will be used on Development, Test and Production environments, we will use a third-party or internal IT signing authority to sign them.
DIY
1) Root Certificate, Intermediate Certificate
These certificates are provided by the certificate authority (CA) that signs all the certificate requests you send.
2) OHS Certificate
a) Open Oracle Wallet Manager (OWM) and click on New.
[Screenshot: Oracle Wallet Manager]
b) Click on Yes.
[Screenshot: Create Default Wallet]
c) Provide a password and click on Yes.
Note down this password.
d) Since our client IT team had an internal signing authority, we used a "wildcard" certificate.
Common Name: The name of your EPM website. For example, if your URL is http://1nphyp33.amokin.amokininc.com, enter the common name as *.amokin.amokininc.com
Make sure you get this step right.
Organizational Unit: Your org unit's name. Ex: IT Dept
Organization: Organisation name. Ex: Amokin Inc
Locality/City:
State/Province:
KeySize: 2048 or 1024. (2048 is more secure)
Click OK.
Your wallet should look like below now. Certificate[Requested]
e) Right click on the certificate and export it.
f) Create a wallet location. A wallet is like your personal wallet where you store all your cards. This wallet will hold all the certificates.
Here I have created it in the D:\WildCard location and saved it with a name like OHSCert.crs
g) Go to OWM, File menu and SAVE the wallet.
Beginner's mistake: We tend to forget this step of saving the wallet. We send the certificate request to be signed by the authority, but on receiving it we have no place to import the signed certificates.
h) This is how the wallet looks
Send this OHSCert.crs file to the Certificate Signing Authority (CA) and relax.
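A check worth running before the request from step d) goes to the CA, as an added example that is not part of the original post: it tests whether a Common Name covers the hostnames in your EPM URLs, using the rule that a wildcard stands for exactly one left-most DNS label. The function names and the two extra URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def name_covers(cert_name, host):
    """True if a certificate name (exact or left-most wildcard) covers host."""
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "" in h or len(p) != len(h):
        return False              # "*" stands for exactly one DNS label
    if any("*" in label for label in p[1:]):
        return False              # a wildcard is only valid in the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse over-broad names like *.com
    if "*" in p[0]:
        return False              # partial wildcards such as "epm*" are rejected here
    return p == h

def check_common_name(common_name, urls):
    """Map each EPM URL to whether the requested Common Name would cover its host."""
    return {u: name_covers(common_name, urlsplit(u).hostname or "") for u in urls}

# Constructed inputs: the first host is the page's example, the others are hypothetical.
URLS = [
    "https://1nphyp33.amokin.amokininc.com",
    "https://epm.test.amokin.amokininc.com",   # two labels below the wildcard
    "https://amokin.amokininc.com",            # the bare parent domain
]

if __name__ == "__main__":
    # The second Common Name is a constructed misspelling of the domain.
    for cn in ("*.amokin.amokininc.com", "*.amokin.amokinic.com"):
        print(cn, check_common_name(cn, URLS))
```

Current browsers match the hostname against the certificate's Subject Alternative Name rather than the Common Name, so ask the CA to put the same name in the SAN as well.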
If it's already the day the CA sent back the signed certificates, follow the steps below.
3) Import the certificates
Go to Oracle Wallet Manager
1. Click on Open
2. Browse to the wallet you saved, in my case D:\WildCard
3. Enter the password you saved from Tip1
4. Click on the certificate that is in the Certificate[Requested] state and select Import
5. Click Yes
6. The wallet also needs the Trusted Certificates, so that the certificate can be verified as coming from a trusted source and not a malicious one.
7. Import the certificates your CA sent: Root, Intermediate.
This is how the wallet looks now. The highlighted certificates are the ones sent by the CA. So I had to import 01 first, then 02.
Note the Certificate[Ready] state
8. Now go to File and check "Auto Login". This step will create a .sso file. This file is copied to all the OHS locations.
9. Save the wallet again (now you will not forget)
4) OHS configuration with SSL
Since we have everything ready, we can move on to configuring OHS and modifying a few files to import the above wallet.
a) Go to <EPM_Instance_Home>/httpConfig/ohs/config/OHS/ohs_component
b) Make a backup of the httpConfig folder in a different location.
c) Edit the ssl.conf file
Change the SSL port to 443 (as shown below) and the virtual host to match:
<virtualhost *:443> (DEFAULT IS 4443)
d) Edit the location of SSLWallet. Don't use the default location, as it might get replaced during an upgrade.
e) Copy the lines below from the end of httpd.conf (EOF) and paste them into ssl.conf before the closing </virtualhost> tag. This should have come by default, but it does not unless you have done LW configuration.
f) Include the ssl.conf file in the httpd.conf file. Go to httpd.conf, locate the include directive for ssl.conf and uncomment it.
g) Save the file. Restart OHS if it is running and browse to the following URL: https://<servername>:<port>. OHS loads successfully with a good certificate.
Since I have used 443 as the port, I don't have to affix it in Windows: https://1nphyp33.amokin.amokininc.com works fine.
The default SSL port is 4443 on Linux and 443 on Windows.
NEVER RECONFIGURE OHS THROUGH CONFIGTOOL.CMD, as we have made manual changes and it will overwrite all of them.
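A static check for the hand edits in steps c), d) and f), as an added example that is not part of the original post or of OHS: it flags a Listen/VirtualHost port mismatch, an SSLWallet left at the default path, and an ssl.conf include that is still commented out. The function names, the sample file contents and the `keystores/default` suffix used to recognise the default wallet are assumptions.

```python
import re

DEFAULT_WALLET_HINT = "keystores/default"  # assumption: OHS's stock wallet directory

def _directives(text):
    """Yield (name, argument) for every active (uncommented) directive line."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            arg = parts[1] if len(parts) > 1 else ""
            yield parts[0].lower(), arg.strip().strip('"')

def lint_ohs_ssl(ssl_conf, httpd_conf):
    """Return findings for the manual edits of steps c), d) and f)."""
    findings = []
    d = list(_directives(ssl_conf))
    listen = {arg.rsplit(":", 1)[-1] for name, arg in d if name == "listen"}
    vhosts = {m.group(1) for name, arg in d
              if name == "<virtualhost" and (m := re.search(r":(\d+)>$", arg))}
    if listen != vhosts:
        findings.append(f"port mismatch: Listen {sorted(listen)} vs VirtualHost {sorted(vhosts)}")
    wallets = [arg for name, arg in d if name == "sslwallet"]
    if not wallets:
        findings.append("no SSLWallet directive")
    for w in wallets:
        if w.replace("\\", "/").rstrip("/").endswith(DEFAULT_WALLET_HINT):
            findings.append(f"SSLWallet still points at the default location: {w}")
    includes = [arg for name, arg in _directives(httpd_conf) if name == "include"]
    if not any(a.replace("\\", "/").endswith("ssl.conf") for a in includes):
        findings.append("httpd.conf does not include ssl.conf")
    return findings

# Constructed samples; only D:/WildCard and the 443/4443 ports come from the post.
GOOD_SSL = ('Listen 443\n<VirtualHost *:443>\n  SSLEngine on\n'
            '  SSLWallet "D:/WildCard"\n</VirtualHost>\n')
GOOD_HTTPD = 'include "ssl.conf"\n'
BAD_SSL = ('Listen 443\n<VirtualHost *:4443>\n  SSLEngine on\n'
           '  SSLWallet "${ORACLE_INSTANCE}/config/OHS/ohs_component/keystores/default"\n'
           '</VirtualHost>\n')
BAD_HTTPD = '#include "ssl.conf"\n'

if __name__ == "__main__":
    print(lint_ohs_ssl(GOOD_SSL, GOOD_HTTPD))
    for finding in lint_ohs_ssl(BAD_SSL, BAD_HTTPD):
        print("FINDING:", finding)
```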
5) Additional Mandatory Changes
FR Studio Post SSL
EAS Console Post SSL
EPMA
Calculation Manager
Redirect traffic from HTTP to HTTPS
2 comments:
Hi,
Thanks for the post. I have been waiting for this post for a long time.
Thanks again!
Regards,
Dattatray
Thanks and Great Article Anjum