Configuring OBIEE 11.1.1.9 with SSL

This part is very challenging. You need lots of knowledge about networking and security.

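1. Create a key pair for the server certificate using the keytool -genkeypair command. If -keypass and -storepass are omitted, keytool prompts for the passwords instead of leaving them in the shell history.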
[tankbiee@oraclebiee ssl]$ keytool -genkeypair -alias oraclebiee -keyalg RSA -keysize 2048 -validity 1865 -keypass welcome1 -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks -storepass welcome1
What is your first and last name?
[Unknown]: oraclebiee
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: Tank BI
What is the name of your City or Locality?
[Unknown]: Northbrook
What is the name of your State or Province?
[Unknown]: Illinois
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=oraclebiee, OU=IT, O=Tank BI, L=Northbrook, ST=Illinois, C=US correct?
[no]: yes

2. Create a Certificate Signing Request (CSR), which has to be submitted to the internal CA (Certificate Authority).
[tankbiee@oraclebiee ssl]$ keytool -certreq -rfc -alias oraclebiee -file /devobieeapp/u01/app/oracle/product/fmw/ssl/oraclebiee_certreq.csr -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks
Enter keystore password:

3. Submit the CSR file to the Certification Authority (CA) and get the signed certificate. Here I have our own internal Certification Authority (CA).
[tankbiee@oraclebiee ssl]$ pwd
/devobieeapp/u01/app/oracle/product/fmw/ssl/
[tankbiee@oraclebiee ssl]$ ls
oralcebiee_certreq.csr certnew.p7b all.cer root.cer im.cer cert.cer cert.der im.der root.der myIdentity.jks myTrust.jks

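4. Import the CA Root Certificate to the Trusted Certificate Stores for successful validation of the Intermediate and Server Certificates. The commands below convert the server, intermediate and root certificates from PEM to DER format for the imports that follow.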
[tankbiee@oraclebiee ssl]$ openssl x509 -outform der -in cert.cer -out cert.der
[tankbiee@oraclebiee ssl]$ openssl x509 -outform der -in im.cer -out im.der
[tankbiee@oraclebiee ssl]$ openssl x509 -outform der -in root.cer -out root.der

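5. Import the intermediate certificate first, then the root certificate, and then the signed server certificate, in the same sequence as in the last step. The CA certificates must already be in the keystore when the signed server certificate is imported, so that keytool can build the chain for the oraclebiee key entry.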
keytool -importcert -alias oraclebieeroot -file /devobieeapp/u01/app/oracle/product/fmw/ssl/root.der -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks -storepass welcome1
keytool -importcert -alias oraclebieeim -file /devobieeapp/u01/app/oracle/product/fmw/ssl/im.der -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks -storepass welcome1
keytool -importcert -alias oraclebiee -file /devobieeapp/u01/app/oracle/product/fmw/ssl/cert.der -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks -storepass welcome1

6. Now list the keystore and check if all the certificates are imported successfully.
keytool -list -v -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks -storepass welcome1

7. Check if the certificate chain is valid.

[tankbiee@oraclebiee ssl]$ . /devobieeapp/u01/app/oracle/product/fmw/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh
SVR_GRP =
[tankbiee@oraclebiee bifoundation_domain]$ java utils.ValidateCertChain -jks oraclebiee /devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks
Cert[0]: CN=oraclebiee,OU=IT,O=Underwriter Laboratories,L=Northbrook,ST=Illinois,C=US
Cert[1]: CN=TL NBK Issuing CA 01 V2,dc=global,dc=tl,dc=com
Cert[2]: CN=TL ROOT CA V2,dc=tl,dc=com
Certificate chain appears valid

8. Create a Java Keystore for Custom Trust
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/root.der -alias oraclebieeroot -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myTrust.jks -storepass welcome1
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/im.der -alias oraclebieeim -keystore /devobieeapp/u01/app/oracle/product/fmw/ssl/myTrust.jks -storepass welcome1

9. Import the CARoot and CAInter into the Java install locations
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/root.der -alias oraclebieeroot -keystore /devobieeapp/u01/app/oracle/product/fmw/Oracle_BI1/jdk/jre/lib/security/cacerts -storepass changeit
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/im.der -alias oraclebieeim -keystore /devobieeapp/u01/app/oracle/product/fmw/Oracle_BI1/jdk/jre/lib/security/cacerts -storepass changeit
keytool -list -v -keystore /devobieeapp/u01/app/oracle/product/fmw/Oracle_BI1/jdk/jre/lib/security/cacerts -storepass changeit
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/root.der -alias oraclebieeroot -keystore /devobieeapp/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/cacerts -storepass changeit
keytool -import -file /devobieeapp/u01/app/oracle/product/fmw/ssl/im.der -alias oraclebieeim -keystore /devobieeapp/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/cacerts -storepass changeit

10. Configure Node Manager in SSL mode by setting the following properties in nodemanager.properties.
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/devobieeapp/u01/app/oracle/product/fmw/ssl/myIdentity.jks
# The passphrases must match the keystore and key passwords set with keytool
CustomIdentityKeyStorePassPhrase=Oracle123
CustomIdentityPrivateKeyPassPhrase=Oracle123
CustomIdentityAlias=oraclebiee
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/devobieeapp/u01/app/oracle/product/fmw/ssl/myTrust.jks

Restart Node Manager.
If there is an issue with the Node Manager port, either change the port or perform the following steps:

cd $MW_HOME/wlserver_10.3/server/bin
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
./startNodeManager.sh

For the remaining steps, follow this blog post: https://blogs.oracle.com/pa/entry/configuring_obiee_11_1_1
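
A pre-import check for steps 3 to 7, as an added example that is not part of the original post: it uses openssl to confirm that the CA's reply chains to the root through the intermediate and that it was issued for the key behind the CSR. The function names and the throwaway PKI (constructed-root, constructed-im, constructed-srv) are assumptions made for the demonstration; the file names root.cer, im.cer and cert.cer follow the steps above.

```shell
#!/bin/sh
# Checks to run on the CA's reply before keytool -importcert (added example).

# Build a throwaway root -> intermediate -> server PKI in directory $1.
# Everything it writes is constructed sample data.
make_demo_pki() {
    ( cd "$1" || exit 1
      printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      for n in root im srv; do
          openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
              -keyout "$n.key" -out "$n.csr" -subj "/CN=constructed-$n" || exit 1
      done
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 2 -out root.cer || exit 1
      openssl x509 -req -in im.csr -CA root.cer -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 2 -out im.cer || exit 1
      openssl x509 -req -in srv.csr -CA im.cer -CAkey im.key \
          -CAcreateserial -days 2 -out cert.cer
    ) >/dev/null 2>&1
}

# Succeeds only if certificate $3 chains to root $1 through intermediate $2.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds only if certificate $2 carries the public key found in CSR $1,
# i.e. the reply belongs to the key pair the CSR was generated from.
reply_matches_csr() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

demo=$(mktemp -d)
make_demo_pki "$demo" || echo "could not build the demo PKI (is openssl installed?)"
if chain_ok "$demo/root.cer" "$demo/im.cer" "$demo/cert.cer" &&
   reply_matches_csr "$demo/srv.csr" "$demo/cert.cer"; then
    echo "reply chains to the root and matches the CSR"
else
    echo "do not import: chain or key check failed"
fi
rm -rf "$demo"
```

On a real installation, call chain_ok and reply_matches_csr with the files in the ssl directory, using oraclebiee_certreq.csr as the CSR.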

Reference:
http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/toc.htm
