Configuring SSL for EPM 11.1.2.3/4 Products


Resources needed for Configuring EPM Products with SSL
1. WebLogic Server: Java Keystores (JKS)
 myIdentity.jks (with the server private key, server certificate, CA intermediate and CA root certificates imported)
 myTrust.jks (with the CA intermediate and CA root certificates imported), used for Custom Identity and Custom Trust
 CAInter.pem certificate
 CARoot.pem certificate
 slc01hsu.pem (EPM server certificate together with its chain certificates)
 A JKS keystore can be created

 using keytool (command line interface tool)

 https://blogs.oracle.com/pa/entry/importing_server_and_private_key

2. Oracle HTTP Server: Oracle Wallet


 Oracle Wallet for OHS (with the brownbag.oracle.com website certificate)
 An Oracle Wallet can be created

 using Wallet Manager (GUI mode)

 using the orapki command line interface

 by converting a jks file into a wallet

 https://blogs.oracle.com/pa/entry/importing_server_and_private_key

3. Essbase Server: Oracle Wallet


 Oracle Wallet for Essbase (with the Essbase host name FQDN as the certificate name)
 An Oracle Wallet can be created

 using Wallet Manager (GUI mode)

 using the orapki command line interface

 by converting a jks file into a wallet

 https://blogs.oracle.com/pa/entry/importing_server_and_private_key

veera.raghavendra.rao@oracle.com Page 1 of 31
https://blogs.oracle.com/pa

4. IIS Server:
 IIS configured for SSL on port 443
 Generate a CSR and submit it to the CA
 Import the CA signed server certificate
 Alternatively, import an IIS server certificate that already comes with its private key (e.g. a PFX issued by the CA)
 Create an https binding for the web site on port 443

5. Configure EPM System with SSL

 Import the CA intermediate and CA root certificates into the Java installation keystores (the JDK/JRE cacerts)
 Run the EPM System Configurator
 Configure EPM System Common Settings with "Use SSL for Web Application Server ..."
 If the database is also using SSL, import the database CA root certificate into the EPM Configurator keystore
 For Essbase Server, configure it with the SSL agent port "6423" set to "Active"

A commercial Certificate Authority (CA) will provide its CA Root and CA Intermediate certificates.
All we need is to submit a Certificate Signing Request (CSR) for the particular server, using any of the usual name forms (hostname.domainname.com, a web site name, or a wildcard certificate like *.domainname.com), and get back the CA signed server certificate.

NOTE: If you are using a wildcard certificate, remember that WebLogic's default hostname verifier rejects it, because the certificate name *.domainname.com is not equal to the host name. Prefer switching to the wildcard hostname verifier (weblogic.security.utils.SSLWLSWildcardHostnameVerifier, available in WebLogic 10.3.3 and later) rather than turning hostname verification off: with verification disabled, any certificate issued by a trusted CA is accepted for any host, which removes the protection against a man-in-the-middle.

Here we will be using Custom Identity and Custom Trust keystores, and our own internal CA.

Create Java Keystore for Custom Identity:

Create a key pair for the server certificate using the keytool genkeypair command. keytool prompts for the distinguished name; answer the first question (the CN) with the server's fully qualified host name, because that is what clients and WebLogic's hostname verifier compare against.

Command: keytool -genkeypair -alias slc01hsu -keyalg RSA -keysize 2048 -validity 365 -keypass Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

Note: the key password and the store password are deliberately the same; the orapki jks_to_pkcs12 conversion used later for Essbase expects the private key password to match the wallet password. Passing both on the command line leaves them in the shell history, so on a shared machine omit -keypass and -storepass and let keytool prompt for them.


Create a certificate signing request (CSR) which has to be passed on to your external / third party CA (Certificate Authority).
Command: keytool -certreq -alias slc01hsu -file C:\Oracle\Middleware\ssl\slc01hsu_certreq.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks

NOTE: The CSR file can be named .csr or .pem; the extension does not matter, the content is the same PEM-encoded PKCS#10 request either way.

Note: The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.

A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate
requestor (usually off-line) and will return a certificate or certificate chain, used to replace the
existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate
Here we are using our own internal Certification Authority (CA)

Save CA Root, CA Intermediate & Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl
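What the internal CA does with that CSR, as an added shell example that is not part of the original page: it builds a two-tier internal CA with OpenSSL (root plus intermediate), signs the server CSR with the intermediate, assembles the leaf-plus-chain file that is later imported into the keystore, and verifies the result the way a client would (only the root trusted, intermediate supplied as untrusted, host name checked). The CA names, the server FQDN slc01hsu.example.com, the ./ssl output directory and the validity periods are assumptions; it signs the keytool-generated slc01hsu_certreq.pem if that file is present in the output directory, otherwise it generates its own CSR with openssl. Run it from a POSIX shell (Git Bash or WSL on Windows) with OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page: a two-tier internal CA built with
# OpenSSL that signs the server CSR and verifies the resulting chain.
# Assumptions: CA names below, server FQDN slc01hsu.example.com, output in ./ssl.
SSL_DIR="${SSL_DIR:-./ssl}"
SERVER_FQDN="${SERVER_FQDN:-slc01hsu.example.com}"
SERVER_DAYS=365

# Write an OpenSSL v3 extension file, one "name=value" extension per argument.
write_ext() {
  f="$1"; shift
  : > "$f"
  for line in "$@"; do printf '%s\n' "$line" >> "$f"; done
}

# Root CA (self-signed) and intermediate CA (signed by the root, pathlen:0 so it
# cannot issue further CAs). Both carry an explicit CA:TRUE basicConstraints;
# without that extension OpenSSL-based clients refuse to treat a v3 cert as a CA.
make_internal_ca() {
  d="$SSL_DIR"
  mkdir -p "$d" || return 1
  write_ext "$d/ca.ext" "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash"
  write_ext "$d/inter.ext" "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/CARoot.key" \
    -subj "/CN=CEAL Root CA/O=Oracle Corporation/C=US" -out "$d/CARoot.csr" &&
  openssl x509 -req -in "$d/CARoot.csr" -signkey "$d/CARoot.key" -days 3650 \
    -sha256 -extfile "$d/ca.ext" -out "$d/CARoot.pem" &&
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/CAInter.key" \
    -subj "/CN=CEAL Intermediate CA/O=Oracle Corporation/C=US" -out "$d/CAInter.csr" &&
  openssl x509 -req -in "$d/CAInter.csr" -CA "$d/CARoot.pem" -CAkey "$d/CARoot.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/inter.ext" -out "$d/CAInter.pem"
}

# Sign the server CSR (from keytool -certreq, or a freshly generated one) with
# the intermediate and assemble leaf + intermediate + root into one PEM file.
issue_server_cert() {
  d="$SSL_DIR"; csr="${1:-$d/slc01hsu_certreq.pem}"
  if [ ! -f "$csr" ]; then
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/server.key" \
      -subj "/CN=$SERVER_FQDN/OU=CEAL/O=Oracle Corporation/C=US" -out "$csr" || return 1
  fi
  # subjectAltName is what modern clients match the host name against.
  write_ext "$d/server.ext" "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$SERVER_FQDN"
  openssl x509 -req -in "$csr" -CA "$d/CAInter.pem" -CAkey "$d/CAInter.key" \
    -CAcreateserial -days "$SERVER_DAYS" -sha256 -extfile "$d/server.ext" \
    -out "$d/server.pem" || return 1
  cat "$d/server.pem" "$d/CAInter.pem" "$d/CARoot.pem" > "$d/slc01hsu.pem"
}

# Verify as a client would: only the root is trusted, the intermediate is
# supplied as untrusted, and the name must match (exit status 0 on success).
verify_server_cert() {
  openssl verify -CAfile "$SSL_DIR/CARoot.pem" -untrusted "$SSL_DIR/CAInter.pem" \
    -verify_hostname "$1" "$SSL_DIR/server.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  make_internal_ca && issue_server_cert && verify_server_cert "$SERVER_FQDN" \
    && echo "chain for $SERVER_FQDN verified; files in $SSL_DIR"
fi
```

Invoke it as `sh internal_ca.sh run` (or set SSL_DIR and SERVER_FQDN first). The resulting CARoot.pem, CAInter.pem and slc01hsu.pem are the three files the keytool import steps below expect; keep CARoot.key and CAInter.key off the EPM servers, since anyone holding them can issue certificates that every component configured with this trust store will accept.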


Only on a Windows machine:

Install the CA Root certificate into Trusted Root Certification Authorities; once it is there, the signed server certificate shows as valid in the Windows certificate viewer.

Install the CA Intermediate certificate into Intermediate Certification Authorities.


Now we need to import these certificates into the myIdentity.jks keystore.

- Import the root certificate first --> then the intermediate certificate --> and then the signed server certificate (the certificate reply). The root is self-signed, so keytool asks you to confirm "Trust this certificate?" for it; once it is in the keystore the intermediate verifies against it without a prompt, and the certificate reply can then be chained all the way up.

Command : keytool -importcert -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CARoot.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

Command : keytool -importcert -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CAInter.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

Command : keytool -importcert -alias slc01hsu -file C:\Oracle\Middleware\ssl\slc01hsu.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

Note:

The intermediate and root certificates must each have their own alias, but the signed certificate must be imported with the same alias that was used when creating the key pair; that is what makes keytool treat it as a certificate reply for that private key instead of as another trusted certificate.

After importing the third certificate you should see the message "Certificate reply was installed in keystore".

(Screenshots in the original: the contents of CAInter.pem, CARoot.pem and slc01hsu.pem as shown in the certificate viewer.)

Now list the keystore and check that all the certificates were imported successfully. The slc01hsu entry should be of type PrivateKeyEntry with a certificate chain length of 3 (server, intermediate, root), and the two CA entries of type trustedCertEntry.

Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123

Run the following command to check that the certificate chain is valid. The utils.ValidateCertChain class lives in weblogic.jar, so run setWLSEnv (WL_HOME\server\bin\setWLSEnv.cmd) first to put it on the classpath.

Syntax : java utils.ValidateCertChain -jks <alias> <identity_keystore>

Command : java utils.ValidateCertChain -jks slc01hsu C:\Oracle\Middleware\ssl\myIdentity.jks

Create Java Keystore for custom trust (myTrust.jks)

The trust keystore holds only the CA certificates (no private key); WebLogic uses it to decide which peer certificates to accept.

Command : keytool -import -file C:\Oracle\Middleware\ssl\CAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Command : keytool -import -file C:\Oracle\Middleware\ssl\CARoot.pem -alias root -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123

Both entries should be listed as trustedCertEntry. Now that we have successfully created a CA signed identity keystore and a trust keystore, we can configure WebLogic Server to use them by setting Custom Identity and Custom Trust.

Create Oracle Wallet for OHS Using Wallet Manager:

UNIX: Execute MIDDLEWARE_HOME/ohs/bin/owm to launch Wallet Manager.

Click No at the startup prompt, create a new wallet, then right click Trusted Certificates and add your CA intermediate and CA root certificates.


Create a certificate request for the OHS web site name (Operations > Add Certificate Request), submit this CSR to your CA and get the signed certificate.

Import the CA signed server certificate into the wallet (Operations > Import User Certificate). Wallet Manager only accepts it once the issuing CA certificates are already present as trusted certificates, which is why they were added first.


Select Save As, and save the wallet to
<Oracle_home>\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\keystores\default

Here it is saved to C:\Oracle\Middleware\ssl\ohs\wallet (a wallet created for the web site name brownbag.oracle.com).

Once Auto Login is checked, a cwallet.sso file is created next to ewallet.p12. The auto-login wallet can be opened without a password, so restrict the directory's file permissions to the account that runs OHS.

Create Oracle Wallet for OHS using orapki command line:

Create an auto-login wallet and use the wallet:

orapki wallet create -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -auto_login -pwd Oracle123

We need a key pair for the server certificate signing request.

OHS reads its certificate and private key from an Oracle Wallet, not from a Java keystore; a JKS used directly would fail validation, so the key pair is created inside the wallet with orapki. The signing request is created along with the key pair:

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN=brownbag.oracle.com, OU=CEAL, O=Oracle Corporation, L=Santa Clara, ST=California, C=US" -keysize 2048 -pwd Oracle123 -validity 365

Export the CSR from the wallet (the -dn must match the one used above exactly):

orapki wallet export -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN=brownbag.oracle.com, OU=CEAL, O=Oracle Corporation, L=Santa Clara, ST=California, C=US" -request C:\Oracle\Middleware\ssl\ohs\ohs_slc01hsu.csr

Submit the csr to your CA and get it signed.

Import the CA intermediate, CA root and brownbag (OHS) certificates into the wallet, trusted certificates first: orapki validates the user certificate against the trusted certificates already in the wallet and rejects it if the chain cannot be built.

orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CAInter.pem
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -trusted_cert -cert C:\Oracle\Middleware\ssl\CARoot.pem
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -pwd Oracle123 -user_cert -cert C:\Oracle\Middleware\ssl\ohs\brownbag.pem

Open the wallet in Wallet Manager and validate it, or list its contents from the command line with orapki wallet display -wallet C:\Oracle\Middleware\ssl\ohs\eWallet

Creating a wallet for Essbase

You want to create a wallet containing your server certificate and private key, provided by your PKI administrator as a yourcert.p12 file. Let's assume the password for the private key is "mypassword".
One way is to convert this p12 to a jks:
keytool -v -importkeystore -srckeystore yourcert.p12 -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS
Use the same password, "mypassword", for the new jks store and for the private key inside it.
Then import the intermediate and root certificates for your server certificate into this keystore. This is required to create a valid wallet, since orapki has to be able to build the full chain.
keytool -import -alias Root -keystore yournewkeystore.jks -trustcacerts -file root.cer
keytool -import -alias Intermediate -keystore yournewkeystore.jks -trustcacerts -file intermediate.cer
Validate that all entries are there using keytool -list -keystore yournewkeystore.jks

Since we already have a jks file (myIdentity.jks), let us skip the above steps.

Using the jks file let us create a wallet:

Create an empty wallet with auto login:

C:\Oracle\Middleware\oracle_common\bin\orapki wallet create -wallet C:\Oracle\Middleware\ssl\essbase -auto_login -pwd Oracle123

Convert the jks to a wallet:

C:\Oracle\Middleware\oracle_common\bin\orapki wallet jks_to_pkcs12 -wallet C:\Oracle\Middleware\ssl\essbase -pwd Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -jkspwd Oracle123

Make sure the private key password and the wallet password match (here both are Oracle123).

Your wallet is ready to be used by Essbase! Check it with C:\Oracle\Middleware\oracle_common\bin\orapki wallet display -wallet C:\Oracle\Middleware\ssl\essbase; the user certificate for the Essbase host name and both CA certificates should be listed.
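Once WebLogic, OHS (or IIS) and Essbase are running with their keystore or wallet, the check a practitioner wants is an external one: connect to each SSL listener and confirm it presents a certificate that chains to the internal CA root, matches the host name clients will use, and is not about to expire. The script below is an added example, not part of the original page or of any Oracle tool: it drives openssl s_client from a POSIX shell. The path to CARoot.pem, the 30-day expiry threshold, the host names, and the WebLogic port (7002 is the WebLogic default SSL port; it is not stated on this page) are assumptions; 443 and the Essbase secure agent port 6423 come from the page.

```shell
#!/bin/sh
# Added example, not from the original page: probe each SSL listener and confirm
# it presents a certificate that chains to the internal CA root, matches the
# expected name, and is valid for at least MIN_DAYS more days.
# Assumptions: CA root at ./ssl/CARoot.pem, host names and the 7002 port below.
CA_ROOT="${CA_ROOT:-./ssl/CARoot.pem}"
MIN_DAYS="${MIN_DAYS:-30}"

# Handshake with host:port, sending SNI for, and expecting the certificate to
# match, the name in $4 (defaults to host). Returns 0 only when s_client reports
# "Verify return code: 0 (ok)", i.e. chain verified against $3 and name matched.
check_tls_endpoint() {
  host="$1"; port="$2"; cafile="$3"; name="${4:-$1}"
  out="$(openssl s_client -connect "$host:$port" -servername "$name" \
          -CAfile "$cafile" -verify_hostname "$name" -verify_return_error \
          </dev/null 2>/dev/null)" || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Print the leaf certificate the listener presents, as PEM.
fetch_leaf_cert() {
  openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# 0 if the presented certificate is still valid MIN_DAYS from now.
cert_not_expiring() {
  fetch_leaf_cert "$1" "$2" \
    | openssl x509 -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1
}

# Run both checks across a list of host:port endpoints; prints one line per
# endpoint and returns the number of failures (0 means everything passed).
check_epm_listeners() {
  fails=0
  for ep in "$@"; do
    host="${ep%%:*}"; port="${ep##*:}"
    if check_tls_endpoint "$host" "$port" "$CA_ROOT" && cert_not_expiring "$host" "$port"; then
      echo "OK   $ep"
    else
      echo "FAIL $ep"; fails=$((fails + 1))
    fi
  done
  return "$fails"
}

if [ "${1:-}" = "run" ]; then
  # Hypothetical endpoints: WebLogic SSL port, OHS web site, Essbase secure agent.
  check_epm_listeners slc01hsu.example.com:7002 brownbag.oracle.com:443 slc01hsu.example.com:6423
fi
```

A FAIL for a name that browsers accept usually means the server sends the leaf without its intermediate (the client then cannot build the chain from the root alone); a hostname mismatch on the Essbase port means the wallet's certificate CN does not equal the host name clients use, which is exactly what the "Essbase Hostname FQDN" note above is about.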
