Tuesday, April 21, 2009

SSL Enable Your OBIEE / BI Publisher Installation

April 21, 2009 by Pablo Bryan

I recently needed to expose an OBIEE implementation to the internet. As I finished the installation, I realized that the login prompt and other components are passed as plain text over the wire, so the installation needed to be secured with SSL. SSL encrypts all communication between the server and the browser, using the server's private/public key pair to set up the encrypted session.

To SSL enable OBIEE there are several components that you need to modify, but first you need to generate a server certificate and have it signed by a trusted certificate authority. If you don't want to pay the $200 or so, you can self-sign the certificate, but you will get the annoying warning messages in the browser. I got a free 90 day signed certificate from instantssl.com. Before we get started, I would recommend that you back up all the configuration files you are going to modify, so that if something goes wrong you can always go back to the saved versions.

The first step is to generate a keystore with keytool like so:
keytool -genkey -keyalg RSA -alias myserver_mycompany_com -keystore myserver_mycompany_com.key -storepass password -dname "CN=myserver.myhost.com, OU=MyCompanyDept, O=MyCompany, L=Irving, ST=Texas, C=US"

This will generate a file called myserver_mycompany_com.key, which is the keystore where your key lives. I saved this file in a secure place with restricted access where only Administrators (or root for Linux/Unix systems) have access. In my case I saved it to /root/ssl/. The alias is important, as you will use it to import the signed chain from the Trusted CA.

Make sure you specify the fully qualified name of your server as the CN (i.e. obiee.mycompany.com) especially if you are going to have the certificate signed by a trusted CA.

If you are going to self sign the certificate, run the following:
keytool -selfcert -alias myserver_mycompany_com -keystore myserver_mycompany_com.key -storepass password

If you are going to get a Trusted CA to sign your certificate, run the following:
keytool -certreq -alias myserver_mycompany_com -keystore myserver_mycompany_com.key -file myserver_mycompany_com.cert

This will generate a file called myserver_mycompany_com.cert which you need to use when getting your certificate from a trusted CA. I used instantssl.com. Use the content of this file to request your signed certificate (it's free for 90 days).

If you are using a self-signed certificate, all you need to do is export the certificate from your keystore and import it into the SA (OBIEE) and Java certificate stores like so:

keytool -export -alias myserver_mycompany_com -keystore myserver_mycompany_com.key -file myserver_mycompany_com.cert
And to import the file:
keytool -import -alias myserver_mycompany_com -file myserver_mycompany_com.cert -keystore JRE_HOME/lib/security/cacerts
for Java, and:
keytool -import -file myserver_mycompany_com.cert -keystore OracleBIData_HOME/web/config/certificates/saw.keystore
for the OBIEE keystore. The default password for the OBIEE certificate store is "password". Of course you need to replace the values JRE_HOME and OracleBIData_HOME with actual values from your installation. What this does is enable the signed certificate to be trusted by the OBIEE installation and any programs using Java on this server.

Once you have added your certificate files to the keystores, you need to update the OC4J configuration of your OBIEE server. The files to edit are as follows:

Edit the file OracleBI_HOME/oc4j_bi/j2ee/home/config/default-web-site.xml

The first tag should be the web-site tag. You need to add the secure="true" attribute to it like so:
<web-site ... port="443" display-name="OC4J 10g (10.1.3) Default Web Site" schema-major-version="10" secure="true" schema-minor-version="0" >

Also note that I changed the port from the default 9704 to 443. I did this since some firewalls block odd ports like 9704 and I needed to access this box from anywhere even behind firewalls and most firewalls open up the standard SSL port of 443.

Next, you need to add a tag with the following info:
<ssl-config keystore="PATH_TO_KEYSTORE/myserver_mycompany_com.key" keystore-password="password" />
Here PATH_TO_KEYSTORE points to the folder where you saved the keystore that we generated in the first step above, and the password matches the password you've been using in all the "keytool" steps.

We're almost done, but not quite there yet. In order to fully utilize SSL we need to update the BI Publisher config file to use SSL as well. We already added the certificate to the keystore. Now we need to update the pointers in the config files.

First we need to update OracleBIData_HOME/web/config/instanceconfig.xml file. Look for the following entries and update the protocol from "http" to "https" and update the port, in my case from "9704" to "443" like so:

<ServerURL>https://myserver.mycompany.com:443/xmlpserver/services/XMLPService</ServerURL>
<WebURL>https://myserver.mycompany.com:443/xmlpserver</WebURL>

And finally, we need to update BI Publisher's XML config file. You can also do this via the web, but I found it much easier to do it all at the command line while I'm updating all the other configuration files. The file is:
OracleBI_HOME/xml/XML/Admin/Configuration/xmlp-server-config.xml
You need to look for the tags:
<property name="SAW_PROTOCOL" value="https"/>
<property name="SAW_PORT" value="443"/>

And update their values to the values you are using.

After all of these changes, restart all services including oc4j and you should be able to have OBIEE SSL enabled with BI Publisher.
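
To check the edits before restarting, the following added example (not part of the original post) parses the three files and reports any setting that still points at plain HTTP or at a port other than the one on the web-site tag. The XML samples are constructed and trimmed to the elements mentioned above; the function names and the check for the sample keystore password are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples trimmed to the elements the article edits; WebURL is left unedited.
WEB_SITE = """<web-site port="443" secure="true">
  <ssl-config keystore="/root/ssl/myserver_mycompany_com.key" keystore-password="password"/>
</web-site>"""
INSTANCECONFIG = """<WebConfig>
  <ServerURL>https://myserver.mycompany.com:443/xmlpserver/services/XMLPService</ServerURL>
  <WebURL>http://myserver.mycompany.com:9704/xmlpserver</WebURL>
</WebConfig>"""
XMLP_CONFIG = """<xmlpConfig>
  <property name="SAW_PROTOCOL" value="https"/>
  <property name="SAW_PORT" value="443"/>
</xmlpConfig>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without any XML namespace

def audit(web_site_xml, instanceconfig_xml, xmlp_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    site = ET.fromstring(web_site_xml)
    port = site.get("port")
    if site.get("secure") != "true":
        findings.append("default-web-site.xml: secure is not 'true'")
    ssl_cfg = next((e for e in site.iter() if local(e) == "ssl-config"), None)
    if ssl_cfg is None:
        findings.append("default-web-site.xml: ssl-config element missing")
    elif ssl_cfg.get("keystore-password") == "password":
        findings.append("default-web-site.xml: keystore still uses the sample password")
    for el in ET.fromstring(instanceconfig_xml).iter():
        if local(el) not in ("ServerURL", "WebURL"):
            continue
        url = urlparse((el.text or "").strip())
        if url.scheme != "https":
            findings.append(f"instanceconfig.xml: {local(el)} scheme is {url.scheme!r}")
        if str(url.port or (443 if url.scheme == "https" else 80)) != port:
            findings.append(f"instanceconfig.xml: {local(el)} port differs from web-site port {port}")
    props = {e.get("name"): e.get("value")
             for e in ET.fromstring(xmlp_xml).iter() if local(e) == "property"}
    if props.get("SAW_PROTOCOL") != "https":
        findings.append("xmlp-server-config.xml: SAW_PROTOCOL is not https")
    if props.get("SAW_PORT") != port:
        findings.append(f"xmlp-server-config.xml: SAW_PORT differs from web-site port {port}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_SITE, INSTANCECONFIG, XMLP_CONFIG)))
```

On the constructed samples it reports the sample keystore password and the WebURL entry that was left on http and port 9704.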


14 comments:

  1. Hi Pablo,

    I am following your steps to configure OBIEE with SSL on Windows and I got the signed certificate from our CA. I got stuck at the below point:

    "For the OBIEE keystore. The default password for the OBIEE certificate store is "password". Of course you need to replace the values JRE_HOME and OracleBIData_HOME with actual values from your installation. What this does is enable the signed certificate to be trusted by the OBIEE installation and any programs using JAVA in this server"

    Can you explain to me the below step: how to replace the values JRE_HOME and OracleBIData_HOME with actual values from your installation?

  3. Thank you very much for this guide. Really works.
