Thursday Jul 17, 2014

Configuring OBIEE with Full End to End SSL

What we need to configure SSL:
1. CA root certificate
2. CA intermediate certificate (if one exists)
3. Java keystores: identity keystore and trust keystore
4. OBIEE server certificate
5. If an external LDAP directory such as Oracle Internet Directory is running in SSL:
   OID server's CA root certificate
   OID server's CA intermediate certificate (if one exists)
   OID server certificate

Tuesday Jun 18, 2013

Importing server and private key in Oracle wallet

You want to create a wallet containing your server certificate and private key, provided by your PKI administrator as a yourcert.p12 file.

Use keytool and orapki, but make sure your wallet password and the private key password match.

Thursday Oct 20, 2011

EPM 11.1.2 - SSL Offloading flavors

While the EPM documentation clearly lists the different SSL flavors available (termination at the web server, SSL offloading, full SSL, 2-way SSL...), you need additional information to adapt them to your environment.

Three main elements to know about:

  • Some EPM pages generate the links in their web pages based on the request scheme: an HTTP request will generate an http link, and an HTTPS request will generate an https link. This is the standard behavior of the request.getScheme() Servlet API method. The way to let WebLogic know it has to use HTTPS in links is a header named WL-Proxy-SSL, set to true or false. This header has to be set by the layers fronting WebLogic.
  • The WebLogic plugin (in Oracle HTTP Server or IIS) has 2 parameters to add or propagate this header: WLProxySSL and WLProxyPassThrough.

Quoting from the above URL: When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.

If you have a chained proxy setup, where a proxy plug-in or HttpClusterServlet is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. Enabling this parameter allows the plug-in to trust the proxy fronting it, under the assumption that the network between them is trusted so user certs and so forth can be passed along.

This also means that the WL-Proxy-SSL header, among other headers, is not going to be removed by the WebLogic plugin when it receives headers from the SSL offloader.
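
The header flow described above, as an added Python model that is not code from the original post or from Oracle. The function names, the host name `epm.example.com`, and the rule that the plug-in drops WL-Proxy-SSL when WLProxyPassThrough is off are assumptions inferred from the text.

```python
# Simplified model (an assumption built from the description above, not Oracle code):
# client -> SSL offloader -> WebLogic plug-in (OHS/IIS) -> WebLogic link generation.
HEADER = "WL-Proxy-SSL"

def ssl_offloader(client_scheme, client_headers):
    """Terminates TLS and forwards plain HTTP. Any client-supplied WL-Proxy-SSL
    value is discarded so only the offloader's own observation is forwarded."""
    headers = {k: v for k, v in client_headers.items() if k.lower() != HEADER.lower()}
    headers[HEADER] = "true" if client_scheme == "https" else "false"
    return "http", headers

def weblogic_plugin(scheme, headers, wl_proxy_ssl=False, wl_proxy_pass_through=False):
    """WLProxyPassThrough keeps the header received from the fronting layer;
    WLProxySSL makes the plug-in assert HTTPS itself."""
    out = dict(headers)
    if not wl_proxy_pass_through:
        out.pop(HEADER, None)      # fronting layer not trusted: header not propagated
    if wl_proxy_ssl:
        out[HEADER] = "true"       # plug-in adds the header unconditionally
    return scheme, out

def weblogic_link(scheme, headers, host="epm.example.com", path="/workspace/index.jsp"):
    """Links follow the request scheme unless WL-Proxy-SSL says the client used HTTPS."""
    if headers.get(HEADER, "").lower() == "true":
        scheme = "https"
    return f"{scheme}://{host}{path}"

def generated_link(client_scheme, client_headers=None, **plugin_params):
    """Run one request through the whole chain and return the link WebLogic emits."""
    scheme, headers = ssl_offloader(client_scheme, client_headers or {})
    scheme, headers = weblogic_plugin(scheme, headers, **plugin_params)
    return weblogic_link(scheme, headers)

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(generated_link("https"))                              # header dropped
    print(generated_link("https", wl_proxy_pass_through=True))  # header propagated
    print(generated_link("http", {"wl-proxy-ssl": "true"}, wl_proxy_pass_through=True))
    print(generated_link("http", wl_proxy_ssl=True))            # plug-in forces HTTPS
```

In this model the third case stays on http because the offloader overwrites the header rather than forwarding what the client sent, which is the property the pass-through trust assumption depends on.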