We have an old installation of Oracle Business Intelligence 10.1.3.4 which somehow has not been kept up to date. This happens in businesses all over the planet; the rule "if it works, don't touch it" applies to it.
So this server was still running plain HTTP, and we needed to get it secured ASAP. Nine years late is better than never.
So how do you go about it?
Create a Java Keystore
For this you need the Keytool utility that comes with the Java JDK / JRE on your server. See the notes later on, as the server's copy of Keytool is a very outdated version.
Command to create a Java Keystore:
keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks
Enter a keystore password and remember it; I recommend using Password Safe to generate and store the password.
Create and Update secure-web-site.xml file
Make a copy of your existing default-web-site.xml file and name it secure-web-site.xml. Edit the new file, add secure="true" to the end of the web-site line and change the port: 9704 is HTTP, while 9706 is the standard BI HTTPS port:
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/web-site-10_0.xsd" port="9706" display-name="OC4J 10g (10.1.3) Default Web Site" schema-major-version="10" schema-minor-version="0" secure="true">
Now add the line:
<ssl-config keystore="full_path_to_your_keystore.jks" keystore-password="your_keystore_password" />
before the closing </web-site> tag.
Register secure-web-site.xml file in server.xml
Towards the bottom of your server.xml file add:
<web-site default="true" path="./secure-web-site.xml" />
Remove the line referencing ./default-web-site.xml; you no longer need HTTP access once you have HTTPS enabled. To keep both the HTTP and HTTPS URLs accessible you'll need to do something which I didn't, as on a reboot the server will automatically delete the second one.
Add a local firewall rule for the new 9706 port
Use 'Windows Firewall', look for the existing inbound rule for 9704, copy this rule and change the port number to 9706.
Test if HTTPS URL is working
Save the changes and restart the 'Oracle BI EE OC4J' service in 'Services' so the changes take effect, or reboot the server.
Browse to https://:9706/xmlpserver/ using the server's own web browser or from your local machine. Corporate firewalls may still be in the way: they will not know about your new port 9706, so it will need to be enabled on them too.
A quick test from a command prompt on your local machine is:
Telnet YourServer 9706
Secure your new address with a certificate
Go back to where you created your mykeystore.jks file and delete the mykey from within it:
keytool -delete -alias mykey -keystore mykeystore.jks
Now follow these steps:
- Request your certificate from your certification authority
- Complete your certificate request in IIS or elsewhere
- Export your certificate as a .PFX file
- Extract the key and PEM from the PFX:
openssl pkcs12 -in yourCertificate.pfx -out yourCertificate.pem
- Convert yourCertificate.pem to a .pkcs12 file:
openssl pkcs12 -export -in yourCertificate.pem -out yourCertificate.pkcs12
- Now, very importantly, move the yourCertificate.pkcs12 file away from your Oracle BI server, as the server will have a very old version of Java Keytool which does not support the -importkeystore command; mine was running JRE 1.4.2.
- Also move the empty mykeystore.jks file to the same directory as yourCertificate.pkcs12
- Check that your mykeystore.jks is empty:
keytool -v -list -keystore mykeystore.jks
- On a machine with JRE / JDK 1.6 or above (I ran this using JRE 1.8), run the following command to import yourCertificate.pkcs12 into mykeystore.jks:
"C:\Program Files (x86)\Java\jre1.8.0_131\bin\keytool.exe" -v -importkeystore -srckeystore yourCertificate.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore.jks -deststoretype JKS
- Now check your mykeystore.jks again; it should contain the imported certificate
- Move this mykeystore.jks to the Oracle BI server
Restart the 'Oracle BI EE OC4J' service in 'Services' to reload the application with the new certificate, or reboot the server.
You should now have a lovely secured server. If it doesn't show at first, check it in a browser you haven't used yet or clear your cache.
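As an added example (not from the original post and not Oracle's own tooling), the following Python script goes one step further than the telnet test above and the final browser check: it completes a verified TLS handshake on the new 9706 port, reports on the certificate it receives (expiry, name match, and whether it is still the self-signed placeholder created by keytool -genkey), and confirms that the old 9704 HTTP listener is gone now that default-web-site.xml has been removed. The host name bi.example.internal, the sample certificate dict and the port numbers are assumptions; if your corporate CA is not in the system trust store, pass its bundle as the second argument.

```python
"""Post-change check for the OC4J HTTPS listener described in the post.

Added example, not code from the post or from Oracle. Host names, ports and
the sample certificate are assumptions used for the offline demonstration.
"""
import socket
import ssl
import sys
import time

HTTPS_PORT = 9706   # new secure listener from secure-web-site.xml
HTTP_PORT = 9704    # old listener from default-web-site.xml (should be gone)

# Constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns.
# Issuer == subject, so it looks like the keytool -genkey placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "bi.example.internal"),),),
    "issuer": ((("commonName", "bi.example.internal"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "bi.example.internal"),),
}
# Fixed "current time" for the offline demonstration (assumed date).
DEMO_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")


def _common_names(field):
    """Pull commonName values out of a getpeercert() subject/issuer tuple."""
    return [value for rdn in field for (key, value) in rdn if key == "commonName"]


def evaluate_cert(cert, expected_host, now=None):
    """Return a list of findings for a certificate dict; an empty list is good."""
    findings = []
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        findings.append("certificate has expired")
    elif not_after - now < 30 * 86400:
        findings.append("certificate expires within 30 days")
    names = set(_common_names(cert.get("subject", ())))
    names |= {value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"}
    if expected_host.lower() not in {n.lower() for n in names}:
        findings.append(f"{expected_host} is not among the certificate names {sorted(names)}")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed: the keytool -genkey placeholder may still be in the keystore")
    return findings


def fetch_peer_cert(host, port=HTTPS_PORT, cafile=None, timeout=5.0):
    """Complete a verified TLS handshake; return (cert_dict, None) or (None, error)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your CA bundle if not in the system store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def port_is_closed(host, port=HTTP_PORT, timeout=3.0):
    """True when nothing accepts TCP on the port (old HTTP listener removed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True


def main(argv):
    if len(argv) < 2:  # no host given: show what the checks say about the sample cert
        for finding in evaluate_cert(SAMPLE_CERT, "bi.example.internal", now=DEMO_NOW):
            print(f"[DEMO] {finding}")
        print(f"usage: {argv[0]} <bi-server-hostname> [ca-bundle.pem]")
        return 2
    host, cafile = argv[1], (argv[2] if len(argv) > 2 else None)
    cert, err = fetch_peer_cert(host, cafile=cafile)
    if err:
        print(f"[FAIL] TLS handshake on {host}:{HTTPS_PORT}: {err}")
        return 1
    findings = evaluate_cert(cert, host)
    for finding in findings:
        print(f"[WARN] {finding}")
    closed = port_is_closed(host)
    print(f"[{'OK' if closed else 'WARN'}] plain HTTP port {HTTP_PORT} "
          f"{'is closed' if closed else 'still accepts connections'}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine other than the BI server so the corporate firewall path is exercised as well. A handshake failure points at the firewall or the ssl-config line; a self-signed warning after the import step means the keystore the service is reading is not the one you imported the certificate into.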