Set up https (SSL) for Weblogic and OBIEE

I have been blogging about the integration between Oracle eBS and Oracle BI EE. Apart from the integration, there are a few assumptions:

  • Oracle eBS is installed
  • Oracle BI is installed
  • Oracle eBS and Oracle BI are compatible with each other (http vs. https)
  • All necessary Oracle eBS patches are installed
    • R11 check
    • R12 included
  • The Web Browser should be able to accept cookies
  • The ICX session cookie name is case-sensitive
  • Oracle eBS and Oracle BI should be installed into the same domain (machine1.domain.ext = machine2.domain.ext)

At one of our clients we were confronted with the fact that in a new environment, Oracle eBS runs on https while our Oracle BI environment was still http. This conflicts with one of the assumptions above.

This blog entry is inspired by: Debashis Paul by guest authors Menno Harzing and Rob Chou. We have added cluster-configuration and changed the numbering.

These steps are followed to protect your data-transport from/to OBIEE via the internet.
There are two parts described below to accomplish this:

Part One – Configuration under Weblogic Console
Part Two – Configuration under OFMW Enterprise Manager

Part One – Configuration under Weblogic Console

  1. Login to Weblogic Administration Console.
  2. Click on Environments -> Servers -> AdminServer (admin) -> General tab
  3. Click Lock and Edit from the left pane.
  4. Check ‘SSL Listen Port Enabled’ and set the SSL listen port to 7022
    (this is not the default SSL port, so please check yours and modify based on that)
    This ensures that you will be able to access the URL on port 7022 using https://
  5. Also check ‘Listen Port Enabled’ if you want to keep accessing the BI URL using http://
  6. Save the configuration
    the location of the resulting file is found at /u01/app/oracle/product/fmw/user_projects/domains/<DOMAIN_NAME>/config/config.xml
  7. Activate the changes from left pane
  8. Change BIEE_MANAGER_URL in
    and ADMIN_URL in
    from t3://…PORT (e.g. 7001) to https://….:SSL-PORT (e.g. 7002)
  9. Restart the Weblogic Servers (Admin/Managed) and the BI Server components
  10. Accept the exception in the browser when it prompts for it and continue accessing the BI URL over the secure HTTPS protocol. (Note that once this has been changed to https:// you have to access the OFMW EM Control page and the Weblogic Console page via https:// as well going forward.)

Part Two – Configuration under OFMW Enterprise Manager

  11. Navigate to “<OFMW Home>\user_projects\domains\bifoundation_domain\bin” and take backup of startManagedWebLogic.cmd
  12. Edit and locate the section with the content below (on 1 line):
    JAVA_OPTIONS=””/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/cacerts” ${JAVA_OPTIONS}”
  13. Replace the above with the line below (note that you have to change the OFMW Home path as applicable to your environment):
    JAVA_OPTIONS=””/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks””
  14. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  15. Log in to OFMW Enterprise Manager.
    In the next steps, SSL across all BI components will be configured via the System MBean Browser.
  16. Open System MBean Browser
  17. Invoke the Lock of BIDomain.
  18. Now we have to generate the certificates required as a prerequisite for enabling SSL,
    using the specified passphrase to protect both certificate stores and private keys.
    This enables internal https calls to the web server.
    The certificate type (pem or der) must be explicitly stated.
    Navigate to oracle.biee.admin –> bifoundation_domain –> BIDomain.BIInstance.SecurityConfiguration
    and click on the BIDomain.BIInstance.SecurityConfiguration MBean.
    Click on the Operations tab, then click on “generateSSLCertificates”.
  19. Enter the details asked for: For my case I have included below:
    Passphrase : ><change_password><
    webServerCACertificatePath : /wlserver_10.3/server/lib/CertGenCA.der
    certificateEncoding is: der
  20. Now click on Invoke
  21. Return to the path specified in step 17
  22. Click on simpleCommit (two items below lock).
  23. Repeat step 17 to lock
  24. Enable SSL for BI_SERVER1 on Weblogic Console (the same way as part 1, step 5)
  25. Perform step 22 for simpleCommit.
  26. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  27. Go to Domain Structure – Environment – Clusters
  28. Click on Lock & Edit in top left pane
  29. Enable “Secured replication Enabled” for the cluster
  30. Click on Save at top or bottom
  31. Click on Activate Changes in top left pane
  32. Repeat step 17 to lock
  33. Click on the Attributes tab of step 8
    Click on ‘SSLEnabled’.
    Change the value to True
    Click on Apply
  34. Perform step 22 for simpleCommit.
  35. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  36. Return to Step 8 and click on “runSSLReport”,
    Invoke it and find the output as below to ensure correct SSL communication across all BI components:

Thanks Menno Harzing and Rob Chou for this blogpost.
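
A quick way to check that the console changes above actually landed in config.xml (an added example, not part of the original post or of Oracle's tooling). It assumes the usual WebLogic layout where each server carries ssl/enabled and listen-port-enabled elements and each cluster carries secure-replication-enabled, and that elements holding default values are omitted; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"wl": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample shaped like a domain config.xml: AdminServer has SSL on,
# bi_server1 has not been switched yet, the cluster still replicates in clear.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>bifoundation_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7022</listen-port></ssl>
    <listen-port-enabled>true</listen-port-enabled>
  </server>
  <server>
    <name>bi_server1</name>
    <listen-port>9704</listen-port>
    <cluster>bi_cluster</cluster>
  </server>
  <cluster>
    <name>bi_cluster</name>
    <secure-replication-enabled>false</secure-replication-enabled>
  </cluster>
</domain>
"""

def _text(node, path, default):
    """Text of a child element, or the default when the element is absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def audit_domain(xml_text):
    """Return findings in document order: servers first, then clusters."""
    root = ET.fromstring(xml_text)
    findings = []
    for srv in root.findall("wl:server", NS):
        name = _text(srv, "wl:name", "?")
        # Assumed defaults when the element is missing: SSL off, plain port on.
        if _text(srv, "wl:ssl/wl:enabled", "false") != "true":
            findings.append(f"{name}: SSL listen port not enabled")
        if _text(srv, "wl:listen-port-enabled", "true") == "true":
            findings.append(f"{name}: plain HTTP listen port still enabled")
    for cl in root.findall("wl:cluster", NS):
        name = _text(cl, "wl:name", "?")
        if _text(cl, "wl:secure-replication-enabled", "false") != "true":
            findings.append(f"{name}: secured replication not enabled")
    return findings

if __name__ == "__main__":
    for line in audit_domain(SAMPLE_CONFIG):
        print(line)
```

To run it against a real domain, pass the contents of the config.xml named in step 6 to audit_domain().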

Installing Oracle XE 11gR2

Last week Oracle XE 11gR2 became available for download. Lucas Jellema must be among the first ones to write about the installation. This installation seems to be very straightforward. Unfortunately I was presented with an error message about my Physical Memory. A search on Google showed that I was not the only one. On OTN there were a few people with similar ‘problems’.

After going through the documentation I found out that the installation requires a free Disk Space of 1.5 GB minimum. When I freed up to 1,5 GB of Disk Space (it was less than 750 MB) on my C-drive (Windows), I was able to continue the installation. If necessary you can even install the software on another drive if you want to.

Implementing Row-Level-Security in Oracle BI EE

Sometimes there is a need to restrict data access to certain groups of users. Oracle provides a mechanism called Row-Level-Security. You could achieve similar functionality from within Oracle BI EE.

Picture this: you have a table of Sales Managers who are each responsible for a certain region. Each Sales Manager may only see the data for his / her region.

First you have to know which user has logged on and to which region this user belongs. Therefore you should use Session variables. To set this up properly you could refer to the documentation. You validate the logged-on user against a table of Sales Managers. This way you can also select the region a Sales Manager is responsible for. The principle of this solution is that you have the Sales Managers and their regions in a table which you can select from. Let’s say we now have a ‘REGION’ session variable.

We can go on to the Security Groups. Create a new Security Group called; ‘Sales Managers’. Assign all the Sales Managers (Repository Users) to this newly created group.

The final step is to set Business Model Filters on this group. The concept of these filters is that you add to this group all Logical Tables which you want to restrict on a Sales Manager’s region. You can achieve this by following the next steps;

  1. Open the ‘Sales Managers’-Security Group,
  2. Click on; ‘Permissions’,
  3. Click on the Tab; ‘Filters’,
  4. Click; ‘Add’,
  5. Select the table you want to restrict, e.g.; "Sales"."Dim Region"."Region Name",
  6. Use the Expression Builder to create the actual filter; "Sales"."Dim Region"."Region Name" = VALUEOF(NQ_SESSION."REGION").

Now when you use the "Sales"."Dim Region"-table in an Oracle BI Answers query, the Business Model Filter will be applied. This filter only applies to this Security Group. Users who do not belong to this group will see all the regions.
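
A small model of the filter logic described above, with SQLite standing in for the BI Server (an added example, not Oracle BI code and not from the original post). The table names, logins, group membership and helper functions are hypothetical, the data is constructed, and returning nothing to a group member without a REGION is this example's own choice.

```python
import sqlite3

# Hypothetical membership of the 'Sales Managers' security group.
SALES_MANAGERS_GROUP = {"ANNA", "BEN", "DAVE"}

def build_demo_db():
    """Constructed sample data: manager-to-region lookup plus a sales table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales_managers (login TEXT PRIMARY KEY, region TEXT);
        CREATE TABLE sales (region_name TEXT, amount INTEGER);
        INSERT INTO sales_managers VALUES ('ANNA', 'North'), ('BEN', 'South');
        INSERT INTO sales VALUES ('North', 100), ('North', 50), ('South', 70);
    """)
    return db

def init_session(db, login, group_members=SALES_MANAGERS_GROUP):
    """Plays the role of the initialization block: look up REGION for the user."""
    user = login.upper()
    row = db.execute(
        "SELECT region FROM sales_managers WHERE login = ?", (user,)
    ).fetchone()
    return {
        "USER": user,
        "REGION": row[0] if row else None,
        "IN_GROUP": user in group_members,
    }

def query_sales(db, session):
    """Apply "Region Name" = VALUEOF(NQ_SESSION."REGION") for group members only."""
    sql = "SELECT region_name, SUM(amount) FROM sales"
    params = ()
    if session["IN_GROUP"]:
        # Bound parameter, never string concatenation. A member whose REGION
        # is None compares against NULL and therefore matches no rows.
        sql += " WHERE region_name = ?"
        params = (session["REGION"],)
    sql += " GROUP BY region_name ORDER BY region_name"
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    for login in ("anna", "carol", "dave"):
        print(login, query_sales(db, init_session(db, login)))
```

The user outside the group ("carol") gets every region, which is the behaviour the last paragraph describes, so group membership has to be reviewed as carefully as the filter itself.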

Similar functionality is used when implementing Oracle BI Apps Security.

Security issues when upgrading a Web Catalog from 10g to 11g

I blogged about upgrading from Oracle BI EE 10g to Oracle BI EE 11g R1 earlier. Although this is a very straightforward process, you could end up with some security issues.

Picture the following. You are an administrator user with the appropriate security roles to act as a (Presentation Server) Administrator. You are able to log in and manage the Weblogic Console and the Enterprise Manager. When you log into the upgraded Web Catalog you are not able to see the Administration-link.

There are already a lot of good blog posts about the new Oracle BI 11g security setup. Just to name a few;

When upgrading a Web Catalog you could be forced to do a workaround for the security, thanks to René Kuipers. The workaround is as follows;

  • Do the upgrade according to the documentation
  • Make a backup via the Catalog Manager or upgrade a second time so you have a copy of the Web Catalog
  • Throw away the user folders via the Catalog Manager
  • Login again into the Web Catalog via; http://localhost:9704/analytics (a new user folder should be created)
  • If necessary you could move the reports from the backup to the online Web Catalog

It’s a workaround and could be very time-consuming when you have to upgrade a Catalog with a lot of users. Hopefully this issue will be solved in a future release.

Connect to the Database from Oracle BI 11g

I ran into the following issue when I upgraded from Oracle BI 10g to Oracle BI 11g. Although the upgrade went smoothly, all of a sudden I was not able to reach the database anymore. After doing some research on the internet I stumbled upon the following thread on OTN.

The main difference between Oracle BI 10g and Oracle BI 11g is the fact that Oracle BI 11g has its own Oracle_Home.

Thanks to Dirk and Venkat for the possible solutions:


navigate to; {ORACLE_INSTANCE}\bifoundation\OracleBIApplication\coreapplication\setup,

alter user.cmd or depending on your OS,

set your TNS_ADMIN location to point to; {MIDDLEWARE_HOME}\Oracle_BI1\network\admin


Copy your tnsnames.ora to {MIDDLEWARE_HOME}\Oracle_BI1\network\admin directory


Use the full expanded tnsnames as shown below and use this one as the datasource name in your Connection Pool:

(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = host_name/ip_address)(PORT = port_number))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = service_name)))