SSL woes

There I was, trying to wrap up a client’s installation, but I was stuck.  This particular client has security concerns; they even have an external security company verify their installations and enforce corporate security policy.  That meant that OBIEE and EPM needed to both be secured by SSL.

I went down a rabbit hole to get SSL installed in OBIEE; that was an adventure in itself and it took me quite a while to make sure everything was working properly.  I found a great resource from Oracle on their blogs page here: https://blogs.oracle.com/pa/resource/Configuring_OBIEE_with_Ful_End_to_End_SSL.pdf.  Thank you to Veera Raghavendra Rao Koka for the detailed information.  I wish it was documented similarly in the BI documentation.

For a while, I wasn’t concerned with EPM SSL.  I had implemented SSL termination at Oracle HTTP Server before in version 11.1.2.1, so I figured it would be pretty easy on 11.1.2.3.500+.  Wrong.  According to the documentation, there are only two supported scenarios for SSL deployment:

  • SSL Termination at an SSL Offloader (load balancer or bridge with SSL termination enabled)

SSL terminating at an Offloader

  • Full SSL deployment

Full SSL deployment

Hmm.  I don’t want either one of these options.  My client doesn’t really want unencrypted traffic from their SSL bridge in their DMZ to the server inside the firewall.  So, I started to go down the path of full SSL.  This is a distributed installation, so that requires two different keystores for my servers running WebLogic JVMs, plus another keystore for Oracle HTTP Server.  I worked at it for a while and was able to get the Foundation server deployed with full SSL.  I started the services and things appeared to be ok.  I was able to get into Workspace and click around into Shared Services fine.  I went into Calc Manager and the application appeared to be ok, but I got an error about not being able to connect to EPMA.  I tried to go into the Dimension Library, then I saw an error message:

Nested exception is: HTTP transport error:javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Unrecognized SSL message, plaintext connection?

At this point, I had pretty much had enough.  Oracle Support’s Knowledge Base article 1904344.1 states that this is a known issue that should be fixed with Shared Services patch 11.1.2.3.501.  Unfortunately, I had already applied that patch during the installation and I was still seeing the error.  Ain’t nobody got time for that.
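
The "plaintext connection?" wording in that exception is what a Java SSL client reports when the first bytes the peer sends back are not a TLS record, so in a distributed deployment it helps to confirm which listeners actually answer TLS. The Python probe below is an added example, not part of the original post or of Oracle's tooling: it sends a real ClientHello and classifies the first bytes of the reply. The host and port are supplied by the operator, and the function names are this example's own.

```python
import socket
import ssl
import sys

# First byte of a TLS record is its content type; the second is major version 3.
TLS_RECORD_TYPES = {0x15: "alert", 0x16: "handshake"}

def client_hello_bytes(server_name: str) -> bytes:
    """Let OpenSSL build a real ClientHello in memory, without any network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probe only: no data is sent over this session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # expected: the ClientHello now sits in `outgoing`
    return outgoing.read()

def classify_reply(first: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello."""
    if not first:
        return "no-reply"            # inconclusive: listener stayed silent or reset
    if len(first) >= 2 and first[0] in TLS_RECORD_TYPES and first[1] == 0x03:
        return "tls"                 # ServerHello or a TLS alert: the port speaks TLS
    return "not-tls"                 # e.g. "HTTP/1.1 400": what the Java client choked on

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and report how the listener answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(host))
        try:
            first = sock.recv(5)     # a TLS record header is five bytes
        except (socket.timeout, ConnectionError):
            first = b""
    return classify_reply(first)

if __name__ == "__main__":
    # Usage: python probe.py <host> <port>   (values supplied by the operator)
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {probe(host, port)}")
```

A "tls" result on a TLS alert still means the listener speaks TLS, even if the protocol versions or ciphers do not match; "no-reply" should be treated as inconclusive rather than as proof either way.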

So, I really didn’t want to pursue full SSL at this point.  What I really wanted was to do what I had done back in 11.1.2.1 and accept SSL connections at the Oracle HTTP Server layer and terminate those SSL requests there.  That would preclude me from needing to mess with keystores at the WebLogic layer and avoid any issues with EPMA in SSL mode.  This is what I’m talking about:

SSL termination at Oracle HTTP Server

The 11.1.2.3 Security guide mentions terminating SSL at the HTTP server; however, the architecture diagram they provide is the same diagram as SSL termination at an offloader.  The above diagram is actually from the 11.1.2.1 documentation and exactly what I want.  So, I did some Google magic and found that Pablo Bryan of Infratects has a blog and documented the exact steps that I needed back in January of 2014.  You can read his blog post here: http://hyperionvirtuoso.blogspot.com/2014/01/you-have-many-options-to-secure-your_14.html.  Thank you, Pablo!

So, I took his advice and made the two or three changes to the ssl.conf and httpd.conf files.  After restarting Oracle HTTP Server, all was right with the world and my client now has encrypted communication terminating at the HTTP Server.  It really is amazing how easy it was to set up the EPM encryption at the HTTP Server compared to the full SSL required by OBIEE.

One comment

  1. Agreed. This was a pain point for me in one of my installs. Client wanted Full SSL. Still not sure why, but had to do.
    Suffice it to say, I leveraged my own VM build with Full SSL, since I would have rather broken that first, than risk the client install.
    Pablo’s note led me down the same path.
    Very helpful, and I made sure to keep a copy of the SSL build VM.
