There I was, trying to wrap up a client’s installation, but I was stuck. This particular client has security concerns; they even have an external security company verify their installations and enforce corporate security policy. That meant that OBIEE and EPM both needed to be secured by SSL.
I went down a rabbit hole to get SSL installed in OBIEE; that was an adventure in itself, and it took me quite a while to make sure everything was working properly. I found a great resource from Oracle on their blogs page here: https://blogs.oracle.com/pa/resource/Configuring_OBIEE_with_Ful_End_to_End_SSL.pdf. Thank you to Veera Raghavendra Rao Koka for the detailed information. I wish it was documented similarly in the BI documentation.
For a while, I wasn’t concerned with EPM SSL. I had implemented SSL termination at Oracle HTTP Server before in version 126.96.36.199, so I figured it would be pretty easy on 188.8.131.52.500+. Wrong. According to the documentation, there are only two supported scenarios for SSL deployment:
- SSL Termination at an SSL Offloader (load balancer or bridge with SSL termination enabled)
- Full SSL deployment
Hmm. I don’t want either one of these options. My client doesn’t really want unencrypted traffic from their SSL bridge in their DMZ to the server inside the firewall. So, I started to go down the path of full SSL. This is a distributed installation, so that requires two different keystores for my servers running WebLogic JVMs, plus another keystore for Oracle HTTP Server. I worked at it for a while and was able to get the Foundation server deployed with full SSL. I started the services and things appeared to be OK. I was able to get into Workspace and click around into Shared Services fine. I went into Calc Manager and the application appeared to be OK, but I got an error about not being able to connect to EPMA. I tried to go into the Dimension Library, then I saw an error message:
Nested exception is: HTTP transport error:javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Unrecognized SSL message, plaintext connection?
At this point, I had pretty much had enough. Oracle Support’s Knowledge Base article 1904344.1 states that this is a known issue that should be fixed with Shared Services patch 184.108.40.206.501. Unfortunately, I had already applied that patch during the installation and I was still seeing the error. Ain’t nobody got time for that.
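The "Unrecognized SSL message, plaintext connection?" text above is what a Java TLS client reports when the peer's reply does not parse as a TLS record, which typically means a component registered as https is talking to a listener that answers in plaintext. As an added example (not from the original post or from Oracle), the Python below classifies the first bytes captured from each listener and flags scheme/listener mismatches; the component names and byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS record fragment


def classify_reply(data: bytes) -> str:
    """Classify the first bytes captured from a listener's reply."""
    if not data:
        return "no-data"
    if len(data) >= 5:
        # Record header: content type, version major/minor, fragment length
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= MAX_RECORD_LEN):
            return "tls"
    if data[:5] == b"HTTP/":
        return "plaintext-http"
    return "unknown"


def find_mismatches(endpoints):
    """Return (name, registered_scheme, observed) for every endpoint whose
    registered scheme disagrees with what the listener actually speaks."""
    bad = []
    for name, scheme, reply in endpoints:
        observed = classify_reply(reply)
        if scheme == "https" and observed != "tls":
            bad.append((name, scheme, observed))
        elif scheme == "http" and observed == "tls":
            bad.append((name, scheme, observed))
    return bad


# Constructed sample data: hypothetical component names and captured bytes.
SAMPLE = [
    ("web-tier", "https", bytes.fromhex("160303005a") + b"\x02" + b"\x00" * 89),
    ("app-a", "https", b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    ("app-b", "http", b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for row in find_mismatches(SAMPLE):
        print("scheme/listener mismatch:", row)
```
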
So, I really didn’t want to pursue full SSL at this point. What I really wanted was to do what I had done back in 220.127.116.11 and accept SSL connections at the Oracle HTTP Server layer and terminate those SSL requests there. That would preclude me from needing to mess with keystores at the WebLogic layer and avoid any issues with EPMA in SSL mode. This is what I’m talking about:
The 18.104.22.168 Security guide mentions terminating SSL at the HTTP server; however, the architecture diagram they provide is the same diagram as SSL termination at an offloader. The above diagram is actually from the 22.214.171.124 documentation and exactly what I want. So, I did some Google magic and found that Pablo Bryan of Infratects has a blog and documented the exact steps that I needed back in January of 2014. You can read his blog post here: http://hyperionvirtuoso.blogspot.com/2014/01/you-have-many-options-to-secure-your_14.html. Thank you, Pablo!
So, I took his advice and made the two or three changes to the ssl.conf and httpd.conf files. After restarting Oracle HTTP Server, all was right with the world and my client now has encrypted communication terminating at the HTTP Server. It really is amazing how easy it was to set up the EPM encryption at the HTTP Server compared to the full SSL required by OBIEE.