Set up https (SSL) for Weblogic and OBIEE

I have been blogging about the integration between Oracle eBS and Oracle BI EE. Apart from the integration, there are a few assumptions:

  • Oracle eBS is installed
  • Oracle BI is installed
  • Oracle eBS and Oracle BI are compatible with each other (http vs. https)
  • All necessary Oracle eBS patches are installed
    • R11 check
    • R12 included
  • The Web Browser should be able to accept cookies
  • The ICX session cookie name is case-sensitive
  • Oracle eBS and Oracle BI should be installed into the same domain (machine1.domain.ext = machine2.domain.ext)

At one of our clients we were confronted with the fact that in a new environment, Oracle eBS runs on https while our Oracle BI environment was still http. This conflicts with one of the assumptions above.

This blog entry, by guest authors Menno Harzing and Rob Chou, is inspired by Debashis Paul. We have added cluster configuration and changed the numbering.

Follow these steps to protect the data transported to and from OBIEE over the internet.
The procedure has two parts:

Part One – Configuration under Weblogic Console
Part Two – Configuration under OFMW Enterprise Manager

Part One – Configuration under Weblogic Console

  1. Login to Weblogic Administration Console.
  2. Click on Environments -> Servers -> AdminServer (admin) -> General tab
  3. Click Lock and Edit from the left pane.
  4. Check ‘SSL Listen Port Enabled’ and set the SSL listen port to 7022
    (this is not the default SSL port, so please check yours and adjust accordingly)
    This ensures that you can access the URL on port 7022 using https://
  5. Also check ‘Listen Port Enabled’ if you still want to access the BI URL using http://
  6. Save the configuration
    The resulting configuration file is located at /u01/app/oracle/product/fmw/user_projects/domains/<DOMAIN_NAME>/config/config.xml
  7. Activate the changes from left pane
  8. Change BIEE_MANAGER_URL in start_stop_obiee.sh
    and ADMIN_URL in startManagedWeblogic.sh
    from t3://…PORT (e.g. 7001) to https://….:SSL-PORT (e.g. 7002)
  9. Restart the Weblogic Servers (Admin/Managed) and the BI Server components
  10. Accept the exception in the browser when prompted and continue accessing the BI URL over HTTPS. (Note that once this has been switched to https://, you also have to access the OFMW EM Control page and the Weblogic Console page over https:// going forward.)
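
To confirm what steps 4 to 7 actually wrote to config.xml, the following added example (not part of the original post) parses a constructed sample in the config.xml layout and reports each server's listeners. It assumes the standard WebLogic domain namespace and element names, and treats absent elements as the WebLogic defaults (plain port 7001 enabled, SSL disabled, SSL port 7002).

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample in the layout of a domain config.xml (not taken from the page).
SAMPLE_CONFIG = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>bifoundation_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7022</listen-port></ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>bi_server1</name>
    <listen-port>9704</listen-port>
  </server>
</domain>
"""

def _text(node, path, default):
    """Text of a child element, or the assumed default when the element is absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def audit_servers(config_xml):
    """Return the effective listener settings of every <server> in config.xml."""
    report = []
    for srv in ET.fromstring(config_xml.strip()).findall("d:server", NS):
        ssl_on = _text(srv, "d:ssl/d:enabled", "false") == "true"
        plain_on = _text(srv, "d:listen-port-enabled", "true") == "true"
        report.append({
            "name": _text(srv, "d:name", "?"),
            "ssl_port": int(_text(srv, "d:ssl/d:listen-port", "7002")) if ssl_on else None,
            "plain_port": int(_text(srv, "d:listen-port", "7001")) if plain_on else None,
        })
    return report

def findings(report):
    """Flag servers without an SSL listener or with the plain listener still open."""
    out = []
    for s in report:
        if s["ssl_port"] is None:
            out.append(f"{s['name']}: SSL listen port is not enabled")
        if s["plain_port"] is not None:
            out.append(f"{s['name']}: plain listener still open on port {s['plain_port']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit_servers(SAMPLE_CONFIG))))
```

In the sample, bi_server1 is reported without SSL, which is the state the managed server stays in until step 24 is done.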

Part Two – Configuration under OFMW Enterprise Manager

  11. Navigate to “<OFMW Home>\user_projects\domains\bifoundation_domain\bin” and take a backup of startManagedWebLogic.cmd
  12. Edit the file and locate the section with the content below (on one line):
    JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/cacerts" ${JAVA_OPTIONS}"
  13. Replace the above with the line below (note that you have to change the OFMW Home path as applicable to your environment):
    JAVA_OPTIONS="-Djavax.net.ssl.trustStore="/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks" -Djavax.net.ssl.trustStorePassword="
  14. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  15. Log in to OFMW Enterprise Manager. In the next steps, SSL will be configured across all BI components via the System MBean Browser
  16. Open System MBean Browser
  17. Invoke the Lock of BIDomain.
  18. Now we have to generate the certificates required as a prerequisite for enabling SSL,
    using the specified passphrase to protect both certificate stores and private keys.
    This enables internal https calls to the web server.
    The certificate type (pem or der) must be explicitly stated.
    Navigate to oracle.biee.admin –> bifoundation_domain –> BIDomain.BIInstance.SecurityConfiguration
    and click on the BIDomain.BIInstance.SecurityConfiguration MBean.
    On the Operations tab, click on “generateSSLCertificates”.
  19. Enter the details asked for. In my case I have included the below:
    Passphrase : <change_password>
    webServerCACertificatePath : /wlserver_10.3/server/lib/CertGenCA.der
    certificateEncoding : der
  20. Now click on Invoke
  21. Return to the path specified in step 17
  22. Click on simpleCommit (two items below lock).
  23. Repeat step 17 to lock
  24. Enable SSL for BI_SERVER1 on Weblogic Console (the same way as part 1, step 5)
  25. Perform step 22 for simpleCommit.
  26. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  27. Go to Domain Structure – Environment – Clusters
  28. Click on Lock & Edit in top left pane
  29. Enable “Secured replication Enabled” for the cluster
  30. Click on Save at top or bottom
  31. Click on Activate Changes in top left pane
  32. Repeat step 17 to lock
  33. Click on the Attributes tab of the MBean from step 8
    (BIDomain.BIInstance.SecurityConfiguration)
    Click on ‘SSLEnabled’.
    Change the value to True
    Click on Apply
  34. Perform step 22 for simpleCommit.
  35. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  36. Return to step 8 and click on “runSSLReport”.
    Invoke it and check the output to ensure correct SSL communication across all BI components.
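
The JAVA_OPTIONS edit in steps 12 and 13 points the JVM at WebLogic's demo trust store and places the trust store password in the start script, and so on the JVM command line. As an added example (not part of the original post), this check extracts the -D properties from a constructed script excerpt and flags both conditions; the sample password is a placeholder, not a value from the page.

```python
import re

# Constructed excerpt in the shape of the step 13 line; the password is a placeholder.
SAMPLE_SCRIPT = '''\
# startManagedWebLogic.sh (excerpt, constructed)
JAVA_OPTIONS="-Djavax.net.ssl.trustStore="/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks" -Djavax.net.ssl.trustStorePassword="PLACEHOLDER_PASSWORD" ${JAVA_OPTIONS}"
export JAVA_OPTIONS
'''

# -Dname=value, where the value may sit inside the nested double quotes the script uses.
PROP_RE = re.compile(r'-D([\w.]+)="?([^"\s]*)"?')
STORE_PROPS = {
    "javax.net.ssl.trustStore",
    "javax.net.ssl.keyStore",
    "weblogic.security.SSL.trustedCAKeyStore",
}
DEMO_STORES = {"demotrust.jks", "demoidentity.jks"}  # keystores shipped for development

def java_properties(script_text):
    """Collect the -D system properties assigned through JAVA_OPTIONS lines."""
    props = {}
    for line in script_text.splitlines():
        if line.lstrip().startswith("#") or "JAVA_OPTIONS=" not in line:
            continue  # skip comments and lines that do not assign JAVA_OPTIONS
        for name, value in PROP_RE.findall(line):
            props[name] = value  # a later assignment overrides an earlier one
    return props

def review(props):
    """Return findings for demo keystores and passwords passed as -D options."""
    issues = []
    for name, value in sorted(props.items()):
        base = value.replace("\\", "/").rsplit("/", 1)[-1]
        if name in STORE_PROPS and base.lower() in DEMO_STORES:
            issues.append(f"{name}: points at WebLogic demo keystore {base}")
        if name.lower().endswith("password") and value:
            issues.append(f"{name}: password is set inline in the start script")
    return issues

if __name__ == "__main__":
    print("\n".join(review(java_properties(SAMPLE_SCRIPT))))
```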

Thanks Menno Harzing and Rob Chou for this blogpost.

RittmanMead BI Forum 2011 – Day I

John Minkjan kicks off Day I of the RittmanMead BI Forum. His subject is Oracle BI EE on mobile devices. Very appropriate to the discussion last night during Oracle’s Keynote. Mobile is hot and the audience is very eager to see Oracle BI EE in action on mobile devices (iPad / Galaxy Tab). Before going to the demonstration, John shows us a lot of things you should bear in mind when developing mobile applications. I will not go into the XXX-details or better DDDD.

Oracle BI EE on mobile is not only about nice and fancy dashboards but also about:

  • Equipment
  • Antennas
  • Environment
  • Security
  • Usage
  • Cost
  • Health
  • Type (Wifi, Bluetooth, Cellular)
  • Content Control
  • Operating System
  • Device
  • Patching

You have to think about dashboards which are firstly built for a laptop/desktop. Now you should redesign to fit the dashboard into the device. You could use some kind of landing page to navigate to the different dashboards, depending on where you are coming from.

Next up is Adam Bloom. Adam is opening the lid on Oracle BI 11g security. He has a lot to open!! First he shows us the architecture of a Weblogic deployment. The best thing is to try to use the Fusion Middleware (FMW) Security. Although 10g Security via Init Blocks is supported, you should make a choice between the two. Another thing is that you should stick to whatever is certified, because of the limitations of the Oracle Platform Security Services (OPSS).

Adam also demystified some of the GUID issues. There are some issues when you log in with the weblogic user in different RPDs. When you set the parameter FMW_UPDATE_ROLE_AND_USER_REF_GUIDS in the NQSConfig file to ‘YES’, the problem is solved. You refresh the GUIDs only when you are moving the identity stores to a new server, or when an RPD hasn’t been used on a server yet.

Unfortunately this topic is so new and so complex that some other subjects could not be covered. We briefly addressed configuration and logging, but according to Adam: “There are no bugs, only bad configuration”.

On to Andreas Nobbmann, whose talk is “Script for a Jester’s tear”, referring to a song by Marillion. Andreas is a scripting fanatic and he warns us not to overdo the scripting. Scripting can make your life easier and can be used for:

  • repeating tasks
  • deployment
  • configuration
  • backups
  • starting / stopping / status

A downside of scripting is the lack of logging.

Andreas covers various elements of scripting:

If it comes to migrating security check here.

After lunch, Mike Brooks did his ‘Warts and All’ presentation about his real-life experiences when implementing Oracle BI 11g. It turns out that a major release like Oracle 11g is not that easy. Not even for experienced people like Mike, supported by the RittmanMead guys. Over at Play.com, they tried to do a one-week POC. Based on advice and documentation, plans could be made, but due to later experiences they had to switch plans every once in a while.

Implementing the BI part of Oracle BI 11g is no rocket science, but the Weblogic Server is a whole new ballgame. That needs additional skills and training.

Now follows a panel discussion about the following subject: “Was it worth the wait”. My personal opinion is: Yes!! Of course we have been waiting very long and of course not everything is running as smoothly as we would like it to. On the other hand, the product looks fantastic and it gives us a lot of new opportunities, both technically and functionally. I guess we should focus on the good things and let Oracle work on the rest to improve the product.

A few highlights of the discussion;

  • focus on security issues instead of improved BI capabilities
  • sexy Front-end
  • early access, release dates
  • data lineage
  • versioning
  • MUD
  • charting like BI Publisher
  • Oracle OLAP vs Essbase
  • Essbase (Front-end Yes!!, Back-end No!!)
  • Stability
  • Integrated

Was it worth the wait or was it worth the technical change? In the end, I guess it was a cautious yes.

Michael Wilcke finished the day with a presentation about why the Oracle BI Server is the ultimate choice for a BICC. BI is a circular process which never stops. When BI stops it is finished. Michael focuses on two subjects:

  • Business versus IT
  • Process and Organization

There is ‘always’ tension between business and IT. The Oracle BI Server offers the ability to separate these two (logical sql versus physical sql). This way you can de-couple the Front-end from the Back-end.

Requirement engineering can be done via prototyping in Excel and de-coupling. The requirement process is all about understanding the user instead of believing you know what he/she wants. You should define, establish and review. Top-down DWH vs. Bottom-up DWH.

In the end it turned out that Michael did a great job. He was elected by the audience as the Best Speaker. Therefore Mr. Wilcke went home with the most prestigious Brighton #biforum Best Speaker Award. Congratulations Michael.

It was a very interesting day. I think the speakers of this day have taken this event to a higher level (again!)

Security issues when upgrading a Web Catalog from 10g to 11g

I blogged about upgrading from Oracle BI EE 10g to Oracle BI EE 11g R1 earlier. Although this is a very straightforward process, you could end up with some security issues.

Picture the following. You are an administrator user with the appropriate security roles to act as a (Presentation Server) Administrator. You are able to log in and manage the Weblogic Console and the Enterprise Manager. When you log into the upgraded Web Catalog you are not able to see the Administration link.

There are already a lot of good blog posts about the new Oracle BI 11g security setup. Just to name a few;

When upgrading a Web Catalog you could be forced to do a workaround for the security, thanks to René Kuipers. The workaround is as follows:

  • Do the upgrade according to the documentation
  • Make a backup via the Catalog Manager or upgrade a second time so you have a copy of the Web Catalog
  • Throw away the user folders via the Catalog Manager
  • Log in again to the Web Catalog via http://localhost:9704/analytics (a new user folder should be created)
  • If necessary you could move the reports from the backup to the online Web Catalog

It’s a workaround and could be very time-consuming when you have to upgrade a Catalog with a lot of users. Hopefully this issue will be solved in a future release.

Oracle BI 11g – Startup Sequence

Reading through the Oracle Forum I stumbled upon a possible startup sequence for Oracle BI 11g.

Before you complete the steps below the following Windows Services should **not** be running.

a. Oracle Process Manager (instance1)
b. Oracle Weblogic NodeManager

After that follow the next steps;

–> Start NodeManager from the Command Prompt

Cd <MIDDLEWARE_HOME>\wlserver_10.3\server\bin

startNodeManager.cmd

Wait until you see the message “Secure socket listener start at port……”

–> Start Admin server from command prompt

Cd <MIDDLEWARE_HOME>\user_projects\domains\bifoundation_domain\bin

startWebLogic.cmd

It will ask for a user name and password. Specify the user details that you used at the time of the Oracle BI 11g install. You could also use a ‘Boot Identity File’ (boot.properties). Check the documentation for more details.

Wait until you see the message Admin server is in ‘RUNNING MODE’.

–> Now start Managed server from GUI

Access WebLogic console from a webbrowser

http://<machinename>:7001/console

Login, Environment > servers > Control > select bi_server1 > click on start

It will take some time for the Managed server to start. Wait until you see the ‘Running’ status.

–> Now start the OBIEE components from command prompt

Cd <MIDDLEWARE_HOME>\instances\instance1\bin

opmnctl startall

Note that this is one possible startup sequence. There are multiple ways to start up.