Configuring OBIEE 11.1.1.7.x with SSL

https://blogs.oracle.com/pa   BI Oracle CEAL Team, Author: Veera Raghavendra Rao Koka (Updated on 17-July-2014) Page 1 of 36
Upload: ganuraj, 09-Oct-2015

What do we need?
1. CA Root Certificate
2. CA Intermediate Certificate (if exists)
3. Java Keystores :: Identity Keystore and Trust Keystore
4. OBIEE Server Certificate
5. If an External LDAP Directory like Oracle Internet Directory is running in SSL:
   OID Server’s CA Root Certificate
   OID Server’s CA Intermediate Certificate (if exists)
   OID Server Certificate
Reference: OBIEE Security Guide (e10543-08) http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/toc.htm
 
A commercial Certificate Authority (CA) will provide its CA Root and CA Intermediate Certificates.
All we need to do is submit a Certificate Signing Request (CSR) for the particular server, in any of the usual forms (hostname.domainname.com, a web site name, or a wildcard certificate like *.domainname.com), and get back the CA-signed Server Certificate.
NOTE: If you are using a wildcard certificate, remember to turn off WebLogic Hostname Verification.
Here we will be using Custom Identity and Custom Trust Keystores.
Create Java Keystore for Custom Identity:
Create a certificate key pair for the Server Certificate using the keytool -genkeypair command.
Command: keytool -genkeypair -alias scl34225 -keyalg RSA -keysize 2048 -validity 365 -keypass Oracle123 -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
 
Create a Certificate Signing Request (CSR), which has to be submitted to an internal or third-party CA (Certificate Authority).
Command: keytool -certreq -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225_certreq.csr -keystore C:\Oracle\Middleware\ssl\myIdentity.jks
NOTE: The request file can have a .csr or a .pem extension; either is fine.
Note: The screenshot in the original document shows the Certificate Signing Request in .pem format.
Note: The above command generates a Certificate Signing Request (CSR) using the PKCS#10 format.
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
Submit the CSR file to the Certification Authority (CA) and get the signed certificate. Here we are using our own internal Certification Authority (CA).
Save the CA Root, CA Intermediate and signed Server Certificates into a folder like C:\Oracle\Middleware\ssl.
Only on a Windows machine: generally the CA Root Certificates are already available in the Trusted Certificate Stores along with the browser’s installation. But if you are using your own internal CA, you need to import the CA Root Certificate into the Trusted Certificate Stores for successful validation of the Intermediate and Server Certificates.
 
 
 
Saved certificate files: CealCARoot.crt, CealCAInter.crt, scl34225.crt
Install the server certificate into Personal (optional).
Now we need to import these certificates into the Custom Identity Keystore myIdentity.jks.
Import the intermediate certificate first --> then the root certificate --> and then the signed server certificate, in that sequence.
Command: keytool -importcert -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Command: keytool -importcert -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
Note: The intermediate and root certificates must have different alias names, but the signed certificate must be imported with the same alias that was used when creating the certificate key pair/keystore. After importing all three certificates you should see the message “Certificate reply was installed in Keystore”.
Files imported: CEALCAInter.pem, CEALCARoot.pem, Scl34225_chain.pem

List the keystore to confirm:
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myIdentity.jks -storepass Oracle123
NOTE: The Server Certificate should be shown as
Alias Name: scl34225
Entry Type: PrivateKeyEntry
 
Run the following command to check that the certificate chain is valid.
In a Command Prompt, run setDomainEnv.cmd first to set JAVA_HOME and the other variables.
Syntax: java utils.ValidateCertChain -jks <alias> <identity_keystore>
Command: java utils.ValidateCertChain -jks scl34225 C:\Oracle\Middleware\ssl\myIdentity.jks
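The listing check above, together with the import-order note before it, can be automated. The following Python script is an added example and is not part of this document or of Oracle's tooling: it parses the text of keytool -list -v (a constructed sample listing is embedded, with illustrative subject names) and checks that the server alias is a PrivateKeyEntry whose chain links each Issuer to the next Owner up to a self-signed root, and that the root and intermediate CA entries are trustedCertEntry entries under distinct aliases. The aliases scl34225, CEALCAInter and CEALCARoot are the ones used in this document.

```python
"""Added check for the identity keystore layout this document expects, run over
the text of `keytool -list -v`: the server alias must be a PrivateKeyEntry whose
chain links each Issuer to the next Owner up to a self-signed root, and the CA
entries must be trustedCertEntry entries under distinct aliases."""
import sys
from typing import Dict, List, Optional

# Constructed sample of `keytool -list -v` output (not captured from a real
# system; the subject names are illustrative). keytool prints aliases in lower case.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: scl34225
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=scl34225.us.oracle.com, OU=CEAL, O=Oracle, C=US
Issuer: CN=CealCAInter, OU=CEAL, O=Oracle, C=US
Certificate[2]:
Owner: CN=CealCAInter, OU=CEAL, O=Oracle, C=US
Issuer: CN=CealCARoot, OU=CEAL, O=Oracle, C=US
Certificate[3]:
Owner: CN=CealCARoot, OU=CEAL, O=Oracle, C=US
Issuer: CN=CealCARoot, OU=CEAL, O=Oracle, C=US

*******************************************

Alias name: cealcainter
Entry type: trustedCertEntry

Owner: CN=CealCAInter, OU=CEAL, O=Oracle, C=US
Issuer: CN=CealCARoot, OU=CEAL, O=Oracle, C=US

*******************************************

Alias name: cealcaroot
Entry type: trustedCertEntry

Owner: CN=CealCARoot, OU=CEAL, O=Oracle, C=US
Issuer: CN=CealCARoot, OU=CEAL, O=Oracle, C=US
"""


def parse_listing(text: str) -> Dict[str, dict]:
    """Split the listing into entries keyed by alias; each entry records its
    entry type and the (owner, issuer) pairs of its certificates in chain order."""
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "certs": []}
            entries[line.split(":", 1)[1].strip().lower()] = current
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current["certs"].append({"owner": line[6:].strip(), "issuer": None})
        elif line.startswith("Issuer:"):
            current["certs"][-1]["issuer"] = line[7:].strip()
    return entries


def check_identity_keystore(text: str, server_alias: str,
                            ca_aliases: List[str]) -> List[str]:
    """Return the list of problems found; an empty list means the layout is right."""
    entries = parse_listing(text)
    server = entries.get(server_alias.lower())
    if server is None:
        return [f"alias {server_alias!r} not found"]
    problems: List[str] = []
    if server["type"] != "PrivateKeyEntry":
        problems.append(f"{server_alias}: expected PrivateKeyEntry, got {server['type']}")
    chain = server["certs"]
    if len(chain) < 2:
        # a lone self-signed certificate means the CA reply was never imported
        problems.append(f"{server_alias}: chain length {len(chain)}, CA reply not installed?")
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["owner"]:
            problems.append(f"{server_alias}: Certificate[{i + 1}] issuer is not Certificate[{i + 2}] owner")
    if chain and chain[-1]["issuer"] != chain[-1]["owner"]:
        problems.append(f"{server_alias}: chain does not end in a self-signed root")
    if len({a.lower() for a in ca_aliases}) != len(ca_aliases):
        problems.append("root and intermediate aliases must be distinct")
    for alias in ca_aliases:
        entry = entries.get(alias.lower())
        if entry is None:
            problems.append(f"CA alias {alias!r} not found")
        elif entry["type"] != "trustedCertEntry":
            problems.append(f"{alias}: expected trustedCertEntry, got {entry['type']}")
    return problems


if __name__ == "__main__":
    # Usage: keytool -list -v -keystore myIdentity.jks -storepass ... | python <this script>
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for problem in check_identity_keystore(listing, "scl34225", ["CEALCAInter", "CEALCARoot"]):
        print("PROBLEM:", problem)
```

Pipe a real listing into the script; with no input it checks the embedded sample. keytool shows aliases in lower case, so the alias comparison is case-insensitive. The script checks only the structure of the listing; ValidateCertChain above remains the check that the signatures actually verify.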
Create a Java Keystore for Custom Trust:
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Now that we have successfully created an Identity Keystore and a Trust Keystore, we can configure WebLogic to use them by configuring Custom Identity and Custom Trust Keystores.
Import the CA Root and CA Intermediate certificates into the Java install locations, first the Root Certificate and then the Intermediate Certificate:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -list -v -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts (first the Root Certificate and then the Intermediate Certificate)
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Command: keytool -list -v -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Configuring Node Manager in SSL mode
Open the file “C:\Oracle\Middleware\wlserver_10.3\common\nodemanager\nodemanager.properties” and enter the lines below:
Restart Node Manager.
If there is an issue with the Node Manager port, either change the port or perform the following steps:
Windows: Open a command window and run
set JAVA_OPTIONS=-DDomainRegistrationEnabled=true
In the same command shell run: <MW_HOME>\wlserver_10.3\server\bin\startNodeManager.cmd
Unix:
cd <MW_HOME>/wlserver_10.3/server/bin
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
./startNodeManager.sh
Configure SSL for WebLogic Servers (Oracle WebLogic Server Admin Console)
 
 
 
NOTE: In the SSL tab, under the Advanced link, set Hostname Verification to None if the CN of the certificate is not the same as the hostname of the machine where WLS is installed (this also applies to wildcard certificates).
Changing Other URLs to Match the New Listener Address
As OBI can work on only one protocol and we disabled the non-SSL port 7001, we need to change the Embedded LDAP URLs to match the new listener address.
To change other URLs to match the new listener address:
1. Log in to Fusion Middleware Control and navigate to bifoundation_domain under WebLogic Domain.
2. From the WebLogic Domain menu, choose Security and Security Provider Configuration.
3. Click Configure in the Identity Store Provider area to display the Identity Store Configuration area and the Custom Properties table, and check that the ldap.url custom property is present and correctly configured as follows:
Custom Property Values for ldap.url = ldaps://scl34225.us.oracle.com:7002
 
 
 
Restart the Administration Server and Managed Servers.
Enabling Trust between Codes Running in WebLogic Servers
You must enable trust between codes running in WebLogic Servers before you can enable SSL communication between Oracle BI EE components.
1. Open the following files for editing:
For Linux: MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh
For Windows: MW_HOME\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd
2. Some Oracle Business Intelligence Java components running in Oracle WebLogic Server invoke other web services running in Oracle WebLogic Server. Therefore, you must configure Oracle WebLogic Server to trust itself by setting these properties. You must escape any backslash (\) character in a path by using an additional backslash (\) character.
3. For Linux (enter all on one line):
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/Oracle/Middleware/ssl/myTrust.jks -Djavax.net.ssl.CustomTrustStorePassphrase=\"Oracle123\" -Djavax.net.ssl.keyStore=/Oracle/Middleware/ssl/myIdentity.jks -Djavax.net.ssl.keyStorePassword=\"Oracle123\""
export JAVA_OPTIONS
4. For Windows (enter all on one line):
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\\Oracle\\Middleware\\ssl\\myTrust.jks" -Djavax.net.ssl.CustomTrustKeyStorePassphrase="Oracle123" -Djavax.net.ssl.keyStore="C:\\Oracle\\Middleware\\ssl\\myIdentity.jks" -Djavax.net.ssl.keyStorePassword="Oracle123"
5. Save the setDomainEnv.sh or setDomainEnv.bat file.
6. Restart Oracle WebLogic Server to include the Java option changes.
 
 
 
Oracle Business Intelligence components can communicate through only one protocol at a time. It is not possible to use SSL between some components while using plain TCP/IP communications between others.
Enabling SSL for Oracle BIEE Components Using Fusion Middleware Control
Log in to Fusion Middleware Control (em): http://scl34225.us.oracle.com:7001/em
NOTE: The SSL options on this page only enable configuration for internal communications used by the Oracle BI middle tier. To set up SSL for outward-facing WebLogic ports, you must use the WebLogic Administration Console before you configure the settings on this page.
If the Use SSL for Middle-Tier Communications option is not available, then you have not successfully enabled SSL on WebLogic. Re-check the SSL configuration steps in WebLogic Server.
When selected, this checkbox makes SSL the method of communication between Oracle Business Intelligence components.

For the web server CA certificate, do not enter the individual web server certificate. Supported types are .der and .pem. Ensure that you enter the correct extension for the certificate file. If the certificate for the web server is signed by an Intermediate CA, still enter the root CA certificate and not the intermediate certificate.
 
You will receive a confirmation message: "Confirmation Generate New Certificates - Completed Successfully".
If you don’t see the above message, or run into issues, follow the steps below.
If you see the following error message: "CA certificate <your certificate path> format <PEM or CER> is not a CA certificate. It does not have the expected basic constraints for a CA.", complete the following steps:
a. Visually check that the contents of your CA certificate are correct by entering the following command:
For PEM certificates use: <mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -in <yourcertificate>.pem -text
For DER certificates use: <mwhome>/Oracle_BI1/bifoundation/server/bin>openssl x509 -inform der -in <yourcertificate>.der -text
These read-only openssl commands do not need a configuration file, so you can safely ignore any warnings starting with: WARNING: can't open config file
b. Check that your CA certificate is the expected root CA certificate. CA certificates should contain a basic constraints section, but some CAs still do not conform to this standard.
c. If the contents of your CA certificate are correct, you can turn off the strict CA certificate check by setting the following property in the setDomainEnv.sh file (for Linux) or the setDomainEnv.bat file (for Windows):
oracle.bi.management.ssl.omitcacheck=true
Note: Do not configure this property unless you have checked the CA certificate and it is correct.
d. Save the setDomainEnv.sh or setDomainEnv.bat file.
e. Repeat the section: Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control.
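Step a above has you read the openssl x509 -text output by eye. The following Python script is an added example (not part of this document or of the OBIEE tooling) that does the same check programmatically: it decodes the certificate's DER with a minimal ASN.1 walker and reports whether the BasicConstraints extension (OID 2.5.29.19) is present with cA=TRUE, which is exactly what the error message complains about. Only the standard library is used; the constructed_cert_pem() fixture builds an unsigned, structurally minimal certificate purely to exercise the parser and is not a real certificate. A result of False on a certificate that openssl shows to be your genuine root is the non-conforming-CA case of step b, where the omitcacheck property applies.

```python
"""Added, programmatic version of the "check the CA certificate" step: decode the
certificate's DER and report whether it carries the X.509 BasicConstraints
extension (OID 2.5.29.19) with cA=TRUE, the property whose absence triggers
"does not have the expected basic constraints for a CA"."""
import base64
import ssl
from typing import Iterator, Optional, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # DER-encoded OID 2.5.29.19


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value starting at `pos` (single-byte tags, which
    is all a certificate uses); return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the (tag, value) pairs nested inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def find_extension(cert_der: bytes, oid: bytes) -> Optional[bytes]:
    """Return the extnValue bytes of the extension with the given OID, or None."""
    _, certificate, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(certificate, 0)             # tbsCertificate ::= SEQUENCE
    for tag, value in children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = read_tlv(value, 0)        # Extensions ::= SEQUENCE OF Extension
        for _, ext in children(extensions):
            parts = list(children(ext))              # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][0] == 0x06 and parts[0][1] == oid:
                return parts[-1][1]
    return None


def is_ca_certificate(pem: str) -> bool:
    """True only when BasicConstraints is present and its cA flag is TRUE."""
    der_bytes = ssl.PEM_cert_to_DER_cert(pem)
    ext_value = find_extension(der_bytes, OID_BASIC_CONSTRAINTS)
    if ext_value is None:                            # no extension: the non-conforming CA case
        return False
    _, basic_constraints, _ = read_tlv(ext_value, 0)  # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    for tag, value in children(basic_constraints):
        if tag == 0x01:
            return bool(value) and value[0] != 0
    return False


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed test certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def constructed_cert_pem(ca: bool) -> str:
    """CONSTRUCTED fixture: an unsigned, structurally minimal v3 certificate whose
    only extension is BasicConstraints. Not a real certificate; for the parser only."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    basic_constraints = der(0x30, der(0x01, b"\xff") if ca else b"")
    extension = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff")
                    + der(0x04, basic_constraints))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))    # [0] version v3
              + der(0x02, b"\x01")                   # serialNumber
              + sha256_rsa                           # signature algorithm
              + der(0xA3, der(0x30, extension)))     # [3] extensions
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))   # signature left empty
    body = base64.encodebytes(cert).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    # Usage: python <this script> CealCARoot.pem
    with open(sys.argv[1]) as fh:
        print("CA certificate" if is_ca_certificate(fh.read()) else "NOT flagged as a CA")
```

The PEM file must start with the BEGIN CERTIFICATE line (convert a .der file first with openssl x509 -inform der -outform pem). The script does not verify signatures or the chain; ValidateCertChain and openssl remain the tools for that.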
If it succeeds: Activate Changes, then stop all OPMN services and WebLogic Server.
After this, the ssl attribute in the following instanceconfig.xml file shows ssl="true":
C:\Oracle\Middleware\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml
Restart WebLogic Server (Administration Server and Managed Servers), then start the OPMN components and the Oracle Business Intelligence components.
 
 
 
In Fusion Middleware Control go to the SSL page and click "View SSL report to verify internal SSL communications status" to view the SSL status. If you can see this link, SSL is enabled.
Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using ports 7001 and 9704. All logins should be successful.
Log in to Fusion Middleware Control, Oracle WebLogic Server Administration Console, and Oracle BI EE using ports 7002 and 9804. All logins should be successful.
Configuring Oracle WebLogic Server to Use Only the HTTPS Protocol by Disabling Non-SSL Listen Ports
 
 
 
Complete these steps for WebLogic Server's embedded LDAP directory:
Property Name                   Value   Comments
java.naming.security.protocol   ssl
 
In StartManagedWebLogic.cmd change the Admin Server URL.
Also edit StartStopServices.cmd (Windows machines only).
And change all http to https in the StartStopServices.xml file.
Restart the Admin Server, Managed Server and BI Components.
Additional SSL Configuration Options
Updating Expired SSL Certificates Using Fusion Middleware Control: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
Configuring SSL for the SMTP Server Using Fusion Middleware Control: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
Using SASchInvoke when BI Scheduler is SSL-Enabled: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
 
 
 
Enabling the Online Catalog Manager to Connect
The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSL.
You must import the CA Root, CA Intermediate and OBIEE Server Certificates (also the OHS certificates if OHS exists) into the Java Keystore of the JVM that is specified by the system JAVA_HOME variable.
Java Keystore of the JAVA_HOME: C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCARoot.pem -alias CEALCARoot -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
Command: keytool -import -file C:\Oracle\Middleware\ssl\CealCAInter.pem -alias CEALCAInter -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
NOTE: Since we have OHS on the same machine and it is signed by the same CA, we have already imported these certificates into the Java install keystores (if using the online Catalog Manager through the OHS URL).
Catalog online URL: https://scl34225.us.oracle.com:9804/analytics/saw.dll
Configuring the Oracle BI Administration Tool to Communicate Over SSL
 
Configuring an ODBC DSN for Remote Client Access: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
Configuring Oracle BI Publisher to Communicate Over SSL: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
Configuring SSL when Using Multiple Authenticators
 
 
 
 
 
 
Create a Keystore for running External LDAP in SSL (adapter.jks)
Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
NOTE: libovdconfig.bat fails if we use the 7002 SSL port, so enable the Admin Server on port 7001 and execute it there.
Command: C:\Oracle\Middleware\oracle_common\bin\libovdconfig.bat -host scl34225.us.oracle.com -port 7001 -userName weblogic -domainPath C:\Oracle\Middleware\user_projects\domains\bifoundation_domain -createKeystore
Once this command runs, you should see two new credentials in the Credential Store and a new keystore file called adapters.jks under MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores
Import the OID CA Root Certificate into the libOVD Keystore:
Command: keytool -import -alias oid -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
 
Import the OID CA Intermediate Certificate (if it exists) into the libOVD Keystore. Here we don’t have this certificate.
Import the OID Server Certificate into the libOVD Keystore:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OBIEE Server CA Root certificate into the libOVD Keystore using the keytool command:
Import the OBIEE Server CA Intermediate certificate into the libOVD Keystore using the keytool command:
Command: keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore C:\Oracle\Middleware\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass Oracle123
Import the OID CA Root and OID Server Certificate into the Java Keystores below:
C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts
 
 
 
Not required, but if you encounter SSL handshake issues, import this certificate as well:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\Oracle_BI1\jdk\jre\lib\security\cacerts -storepass changeit
C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
Not required, but if you encounter SSL handshake issues, import this certificate as well:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\cacerts -storepass changeit
C:\Oracle\Middleware\ssl\myTrust.jks
Command: keytool -import -file C:\Oracle\Middleware\ssl\oid\cealoidca.pem -alias oid -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
Import the OID Server Certificate into the myTrust Keystore:
Command: keytool -import -alias oidsvr -file C:\Oracle\Middleware\ssl\oid\slc01pfs_chain.pem -keystore C:\Oracle\Middleware\ssl\myTrust.jks -storepass Oracle123
NOTE: If the OID Server certificate is not imported into the Trust Keystore, the Admin Server log shows an SSL handshake failure, so please import this certificate too.
Steps to be followed for a successful configuration of External LDAP (OBIEE running in SSL and External LDAP in SSL):
1. OBIEE up and running, able to log in with WebLogic embedded LDAP users.
2. Configure OBIEE with SSL.
3. Check that SSL is working with embedded LDAP users, both for console/em and analytics.
4. Configure external LDAP with SSL (as in the Additional SSL Config Steps :: check the Security Guide SSL Config section).
5. Set the Control Flag to SUFFICIENT for both the Default Authenticator and the External LDAP Authenticator.
9. Import the CA Root cert of the LDAP Server, the CA Intermediate cert of the LDAP Server, the LDAP Server cert, the CA Root cert of the OBIEE Server and the CA Intermediate cert of the OBIEE Server into adapter.jks.
10. Now reorder the external LDAP provider to the top of the providers list.
11. Restart the Admin Server.
Test login to analytics as OID users configured in SSL mode.
An alternative method (not recommended) is to use the System MBean Browser.
Configuring SSL Communication between BI Components Using the System MBean Browser
This section describes how to configure SSL communication between components using the System MBean Browser.
This alternative method enables you to choose several advanced configuration options, including choosing the passphrase that protects the various certificate stores.
Oracle recommends not using this approach, but following the section "Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console".
Manually Configuring SSL Communication between Components Using System MBean Browser
Task: Lock the configuration.
Description: Use the BIDomain MBean to lock the domain configuration before making changes.
Task: Generate the SSL certificates.
Description: Generate the SSL certificates, supplying the web server's CA certificate.
Task: Commit the SSL configuration changes.
Description: Use the BIDomain MBean to commit the SSL configuration changes.
Task: Verify SSL certificates in credential store.
Description: Verify that the SSL certificates are saved in the credential store.
Task: Enable the SSL configuration and restart Oracle Business Intelligence components.
Description: Enable the SSL configuration between components, and then restart the components so the changes take effect.
Task: Confirm SSL status.
Description: Run the SSL report to confirm SSL communication between components.
 
 
 
Task: Configure SSL communication for the mail server.
Description: Configure SSL communication for the mail server.
Task: Update expired SSL certificates.
Description: Update expired SSL certificates and replace them with new ones.
Expand Application Defined MBeans.
Expand the oracle.biee.admin node, then expand the bifoundation_domain node.
 
 
 
Select the BIDomain MBean having the full name oracle.biee.admin:type=BIDomain, group=Service from the MBean navigation tree.
Select the Operations tab, then Lock.
 
 
 
Click Invoke.
A confirmation displays to indicate that the configuration is locked. The next step is to generate the SSL certificates.
Configuration options for the MBean display in the right pane.
Select the Attributes tab, and then locate the SSLCertificatesGenerated attribute.
 
 
 
If certificates have been previously generated, you can continue and replace them with new certificates.
NOTE: Since we have already implemented SSL for the BI components using the WebLogic Admin Console, Fusion Middleware Control and manual editing of files (the Oracle recommended method), we can see that the SSL certificates are already generated.
But if we had not done any SSL certificate generation (from the WLS Console, FMW em and manual editing of files), the value would be “false”.
Let us proceed on the assumption that we are enabling SSL from the System MBean Browser.
Select the Operations tab; the operations of the MBean are displayed.
 
passphrase: The SSL passphrase that protects the certificates and, most importantly, the private key. Remember this passphrase.
webServerCACertificatePath: The path of the Certificate Authority (CA) root certificate for the CA used to sign the web server's certificate. Do not enter the individual web server certificate or the (CA) intermediate certificate.
certificateEncoding: Supported types are .der and .pem.
Click Invoke.
A confirmation displays if the operation executed successfully. If successful, the input CA certificate has been validated and the certificate generation request is queued.
The next step is to commit the changes, which completes certificate creation and distribution throughout the domain.
To commit the SSL configuration and release the lock, use the BIDomain MBean.
The next step is to verify that the SSL credentials are in the credential store.
Verifying the SSL Credentials in the Credential Store
 
 
 
Open the oracle.bi.enterprise credential map and verify that the SSL credentials have been saved to the credential store. If successful, the following SSL credentials display in the oracle.bi.enterprise credential map:
   ssl.java.private.key
   ssl.java.public.certificate
   config.version
 
 
 
Files in the SSL directory: Cacert.pem, combinedcacert.pem, Server-cert.pem, webservercacert.pem.
Server-key.pem is the private key for the openssl servers.
Clients need to have access to the internal CA certificate. Java clients need the certificate in a keystore which they have access to.
The javaserver.keystore cannot be used if you created the certificates from Fusion Middleware Control, since it is protected by a private passphrase.
Create a new keystore for use by your clients with the following command:
keytool -keystore clientkeystore -import -file cacert.pem -alias biee
The command prompts you to choose your own passphrase.
 
 
 
The next step is to enable the SSL configuration changes.
Enabling the SSL Configuration
From the System MBean Browser, again use the BIDomain MBean to lock the configuration, then select the BIInstanceSecurityConfiguration MBean.
Select the Attributes tab, then for the SSLEnabled attribute select true from the Value list, then click Apply. You must have the SSL listen port on for the Administration Server and Managed Servers.
Navigate to the BIDomain MBean and commit the changes.
SSL communication is now enabled between the components. You must restart the Oracle Business Intelligence components for the changes to take effect.
Restart the WebLogic Admin & Managed Servers and the BI Components.
Confirming SSL Status Using the MBean Browser
You can run an SSL report using the BIDomain.BIInstance.SecurityConfiguration MBean to verify that SSL communication is operating between components.
From the System MBean Browser, select the BIDomain.BIInstanceSecurityConfiguration MBean.
You do not need to lock the configuration to run the SSL report.
 
 
 
To run the report, click Invoke. The report indicating the status of SSL communication between components displays.
If the SSL ping fails, check the following:
- Verify that the target component is running.
- Verify that the component has been restarted since SSL was enabled. SSL configuration changes require a restart to take effect.
- Verify that the SSLEnabled attribute for the BIDomain.BIInstanceSecurityConfiguration MBean is set to true. When changing SSL properties, both the apply and commit steps must be performed.
All 5 BI components should show:
SSL ping OK. SSL Version as SSL v3, Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 (Default)
Certificate expiry details and certificate CA DN details.
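The expected result above is SSL v3 with SSL_RSA_WITH_RC4_128_MD5, the default at the time this document was written. Both have since been deprecated (RFC 7568 for SSLv3, RFC 7465 for RC4; an MD5 MAC is likewise out), so an SSL report in which every ping is OK can still warrant action. The following Python script is an added example, not part of this document or of Oracle's tooling: it evaluates the report's per-component results against a minimum policy (ping OK, protocol not deprecated, no weak cipher-suite algorithms, certificate not expired or expiring within 30 days) and repeats the restart advice above for a failed ping. Because this transcript does not reproduce the report's raw text, each row is represented as a dict; the component names other than coreapplication_obips1 are assumed, and the sample data is constructed.

```python
"""Added evaluation of the per-component results of the SSL report against a
minimum policy: ping must be OK, the protocol must not be a deprecated SSL/TLS
version, the cipher suite must not use RC4/MD5/DES/NULL/export/anonymous
algorithms, and the certificate must not be expired or about to expire."""
from datetime import date
from typing import Dict, List

# Name fragments that mark a cipher suite as weak (RC4 is prohibited by RFC 7465;
# MD5 MACs, single/triple DES, NULL, export-grade and anonymous suites are also out).
WEAK_SUITE_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ANON")
DEPRECATED_PROTOCOLS = ("SSLV2", "SSLV3", "TLSV1.0", "TLSV1.1")  # SSLv3: RFC 7568


def normalize_protocol(version: str) -> str:
    """Map report spellings such as "SSL v3" or "TLSv1" to one canonical token."""
    token = version.upper().replace(" ", "")
    return "TLSV1.0" if token == "TLSV1" else token


def suite_weaknesses(cipher_suite: str) -> List[str]:
    """List the weak tokens present in a cipher-suite name (empty if none)."""
    name = cipher_suite.upper()
    return [token for token in WEAK_SUITE_TOKENS if token in name]


def evaluate_component(result: Dict[str, str], today: date, warn_days: int = 30) -> List[str]:
    """Findings for one component's row of the report; an empty list means it passes."""
    if result["ping"] != "OK":
        # nothing else in the row is meaningful without a successful ping
        return ["SSL ping failed: verify the component is running and was restarted after SSL was enabled"]
    findings: List[str] = []
    if normalize_protocol(result["version"]) in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {result['version']}")
    weak = suite_weaknesses(result["cipher_suite"])
    if weak:
        findings.append(f"weak cipher suite {result['cipher_suite']} ({', '.join(weak)})")
    days_left = (date.fromisoformat(result["expiry"]) - today).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def evaluate_report(results: List[Dict[str, str]], today: date,
                    warn_days: int = 30) -> Dict[str, List[str]]:
    """Map each component name to its findings."""
    return {r["component"]: evaluate_component(r, today, warn_days) for r in results}


# Constructed sample in the shape of the report the page expects (component names
# other than coreapplication_obips1 are assumed): three components on the 2014
# default SSL v3 / SSL_RSA_WITH_RC4_128_MD5, one already moved to TLS 1.2, and
# one that was never restarted after SSL was enabled.
SAMPLE_RESULTS = [
    {"component": "coreapplication_obis1", "ping": "OK", "version": "SSL v3",
     "cipher_suite": "SSL_RSA_WITH_RC4_128_MD5", "expiry": "2015-07-17"},
    {"component": "coreapplication_obips1", "ping": "OK", "version": "SSL v3",
     "cipher_suite": "SSL_RSA_WITH_RC4_128_MD5", "expiry": "2014-08-01"},
    {"component": "coreapplication_obijh1", "ping": "OK", "version": "TLSv1.2",
     "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "expiry": "2015-07-17"},
    {"component": "coreapplication_obisch1", "ping": "FAILED", "version": "",
     "cipher_suite": "", "expiry": "2015-07-17"},
    {"component": "coreapplication_obiccs1", "ping": "OK", "version": "SSL v3",
     "cipher_suite": "SSL_RSA_WITH_RC4_128_MD5", "expiry": "2015-07-17"},
]


def run_sample() -> Dict[str, List[str]]:
    """Evaluate the constructed sample as of the document's date (17-July-2014)."""
    return evaluate_report(SAMPLE_RESULTS, date(2014, 7, 17))


if __name__ == "__main__":
    for component, findings in run_sample().items():
        print(component, "OK" if not findings else "; ".join(findings))
```

Transcribe the five rows of your own report into the same dict shape and pass them to evaluate_report() with today's date; run_sample() evaluates the embedded sample as of 17-July-2014.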
Updating Expired SSL Certificates Using the MBean Browser: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
Advanced SSL Configuration Options: please follow the steps specified in the OBI Security document under the “SSL Configuration in Oracle Business Intelligence” section.
A manually configured SSL environment can co-exist with a default SSL configuration.
If OBIEE is on Linux and the client tools are on Windows
Client tools like Catalog Manager and the Admin Tool cannot open due to SSL certificate issues, so import the CA Root, CA Intermediate and OBIEE Server certificates into the client tools' Java Home security keystore.
On the Windows machine, in a command prompt: cd "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\bin"
Command: keytool -import -alias CEALCARoot -file C:\Oracle\Middleware\ssl\CealCARoot.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias CEALCAInter -file C:\Oracle\Middleware\ssl\CealCAInter.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
Command: keytool -import -alias scl34225 -file C:\Oracle\Middleware\ssl\scl34225.pem -keystore "C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\jre\lib\security\cacerts" -storepass changeit
For RPD access, create the DSN with SSL enabled.
*****************************************************************************