SSL for BI Publisher Standalone

We have a old installation of Oracle Business Intelligence which somehow has not been kept up to date – This happens through all businesses throughout the planet, the rule: If it works don’t touch it, applies to it.

So this server isn’t still running as HTTP, we needed to get it secured ASAP – 9 years late is better than never.

So how do you go about it?

Create a Java Keystore

For this you need to use the Keytool utility which comes with Java JDK / JRE on your server. See notes about this later on as this is a very outdated version of the Keytool utility.

Command to create a Java Keystore:

keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks

Enter a keystore password and remember it, I recommend that you use  Password Safe to generate and remember the password.

Create and Update secure-web-site.xml file

Make a copy of your existing file default-web-site.xml and name it secure-web-site.xml edit the new file and add secure=”true” to the end of the line as well as change your port, 9704 is HTTP as 9706 is the standard BI HTTPS port:

<web-site xmlns:xsi="" xsi:noNamespaceSchemaLocation="" port="9706" display-name="OC4J 10g (10.1.3) Default Web Site" schema-major-version="10" schema-minor-version="0" secure="true">

Now add the line:

<ssl-config keystore="full_path_to_your_keystore.jks" keystore-password="your_keystore_password" />

Before the closing tag

Register secure-web-site.xml file in server.xml

Towards the bottom of your server.xml file add:

<web-site default="true" path="./secure-web-site.xml" />

Remove the line referencing the ./default-web-site.xml you no longer need HTTP access once you have HTTPS enabled. You’ll need to do something which I didn’t to have both HTTP and HTTPS URL’s accessible on a reboot the server will automatically delete the second

Add a local firewall rule for the new 9706 port

Use ‘Windows Firewall’ and look for an existing Inbound rule for 9704, copy this rule and change the port number to 9706.

Test if HTTPS URL is working

Save the changes and restart ‘Oracle BI EE OC4J‘ server in ‘Services’ to reflect the changes, that or reboot the server.

Browse to : https://:9706/xmlpserver/ using the servers available web browser or your local machine, as there could be corporate firewalls in the way still, these will not know about you new port 9706 so will need to be enabled.

A quick test from a command prompt on your local machine to see is:

Telnet YourServer 9706

Secure your new address with a certificate

Go back to where you created your mykeystore.jks file and delete the mykey from within it:

keytool -delete -alias mykey -keystore mykeystore.jks

Now follow the following steps:

  • Request your certificate from your certification authority
  • Complete your certificate request in IIS or elsewhere
  • Export your your certificate as a .PFX file
  • Extract from the PFX your Key and Pem files
openssl pkcs12 -in yourCertificate.pfx -out yourCertificate.pem
  • Convert yourCertificate.pem to .pkcs12 file
openssl pkcs12 -export -in yourCertificate.pem -out yourCertificate.pkcs12
  • Now and very importantly move the yourCertificate.pkcs12 file away from your Oracle BI server as this will have a very old version of Java Keytool on it, which does not support the -importkeystore command, mine was running JRE 1.4.2.
  • Also move the empty mykeystore.jks file to the same directory as the yourCertificate.pkcs12
  • Check your mykeystore.jks to check it is empty
keytool -v -list -keystore mykeystore.jks
  • On the server with JRE / JDK 1.6 or above, I ran this using JRE 1.8, run the following command to import yourCertificate.pkcs12 to the mykeystore.jks
"C:\Program Files (x86)\Java\jre1.8.0_131\bin\keytool.exe" -v -importkeystore -srckeystore yourCertificate.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore.jks -deststoretype JKS
  • Now check your mykeystore.jks again and you should now have the imported certificate
  • Move this mykeystore.jks to the Oracle BI server

Restart ‘Oracle BI EE OC4J‘ server in ‘Services’ to reload the application with the new certificate or reboot the server.

You should now have a lovely secured server, if at first it doesn’t show check it on a browser that you haven’t used yet or clear your cache.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s