Jan 14, 2014

Securing your EPM Installation with SSL (OHS terminated configuration)

You have many options for securing your EPM installation with SSL. One of them is to terminate SSL at the OHS layer. The graphic below shows how one can secure an OHS server surrounded by firewalls. Even though the purpose of this post is not to discuss security design, I felt it would be important to explain the difference between securing your environment with OHS-terminated SSL and with an SSL off-loader, which are the two most common methods for securing EPM.




The graphic above depicts how OHS can be enabled to communicate securely between the end user and the web server. In this case all users would be directed to a secure URL (e.g. https://servername.host.com:19443/workspace/index.jsp).


The graphic above depicts how one can use a load balancer acting as an SSL off-loader to secure your entire EPM environment. Just as with the OHS-terminated configuration, users are directed to an HTTPS URL; the main difference is that you do not configure SSL anywhere within the EPM environment, only on the off-loader. Keep in mind that the hop from the off-loader to OHS is then plain HTTP, so that network segment has to be trusted and firewalled accordingly.

Steps for enabling SSL

Wallet configuration


Open Wallet Manager and create a new wallet, specifying a password.


Once you create the wallet, it will ask whether you want to create a CSR. You can answer yes here, or answer no and generate the CSR later.



When creating the CSR, make sure you use the FQDN of the server, the name users will type into the browser, as the common name. Current browsers check the host against the certificate's Subject Alternative Name rather than the common name, so also make sure the CA that signs the request puts the same FQDN in the SAN.


At this point the request has been generated, so save the wallet. I always save my wallets outside of the Oracle EPM directory structure so they don't disappear after an upgrade or a patch; here I save the wallet to E:\SSL. After saving, export the request and have it signed either by a private CA (your company's internal CA) or by a commercial CA (VeriSign, Comodo, GoDaddy, etc.). To export the CSR, right-click the certificate request and select "Export Certificate Request".



I saved the exported CSR as E:\SSL\epmlabapp.csr. I will not cover the process of sending the CSR to a CA, but I'm sure you understand what the process is; if not, ask a security admin to sign the request for you from an internal CA.

After the certificate has been signed you need to import it into the wallet. Right-click the request and select "Import User Certificate". The wallet must already trust the CA that signed it (import the root and any intermediate CA certificates as trusted certificates first), otherwise the import is rejected.


If the CSR was correctly signed, the certificate in the wallet will look like the screenshot below (in my case, I used a bogus test CA of my own to sign the request).



Note about certificates: if a self-signed certificate is used, or an internal certificate authority signed the certificate, you will need to ensure that the root CA (and any intermediate CA) that signed the certificate is trusted by every computer accessing the EPM URLs. Otherwise you will either get a warning that the URL you are trying to open is not trusted, or components simply won't work (Smart View, Reporting Studio, etc.). A "wildcard" certificate can also be used. This is a certificate where a CA has signed *.yourcompanyname.com; it covers any host directly under that domain (epmlabapp.yourcompanyname.com), but only one label deep, so a name such as epm.lab.yourcompanyname.com would not match.

The last thing to do to the wallet is enable the auto-login feature so you don't have to enter a password every time you start OHS. Since the auto-login wallet (cwallet.sso) lets anyone who can read the file use the private key, restrict the permissions on the wallet directory to the account OHS runs as.


You can save and close the wallet.
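The same wallet steps as a script, added here as an example and not taken from the original post: orapki, the command-line counterpart of Wallet Manager that ships with OHS, does the create / request / export / import sequence, and the script refuses a CSR whose common name is not a fully qualified name. It is written as a POSIX shell script; the Windows orapki.bat takes the same arguments. Wallet location, password, organisation and certificate file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): Wallet Manager steps done with orapki.
# Paths, password and organisation below are placeholders for illustration.

# The common name must be the fully qualified name users type into the browser
# (a wildcard such as *.host.com is also acceptable). Reject bare short names early.
require_fqdn() {
  case "$1" in
    ''|*' '*|*..*|.*|*.) return 1 ;;   # empty, spaces, or empty labels
    *.*) return 0 ;;                    # at least host.domain
    *) return 1 ;;                      # bare short name such as EPMLABAPP
  esac
}

# Build the DN passed to orapki -dn from the FQDN and organisation.
wallet_dn() {  # $1 fqdn  $2 organisation
  require_fqdn "$1" || return 1
  printf 'CN=%s,O=%s' "$1" "$2"
}

# Create the wallet, add a 2048-bit key pair with a certificate request, export the CSR.
create_wallet_and_csr() {  # $1 wallet dir  $2 password  $3 fqdn  $4 org  $5 CSR output file
  dn=$(wallet_dn "$3" "$4") || { echo "common name must be a fully qualified name" >&2; return 1; }
  mkdir -p "$1"
  # -auto_login writes cwallet.sso next to ewallet.p12 so OHS can open the wallet
  # without a password. Keep the directory readable only by the OHS service account.
  orapki wallet create -wallet "$1" -pwd "$2" -auto_login
  orapki wallet add    -wallet "$1" -pwd "$2" -dn "$dn" -keysize 2048
  orapki wallet export -wallet "$1" -pwd "$2" -dn "$dn" -request "$5"
  chmod 700 "$1"
}

# Import the signed certificate. The issuing CA (and any intermediates) must be
# trusted by the wallet first, otherwise the user certificate import is rejected.
import_signed_cert() {  # $1 wallet dir  $2 password  $3 space-separated CA cert files  $4 signed server cert
  for ca in $3; do
    orapki wallet add -wallet "$1" -pwd "$2" -trusted_cert -cert "$ca"
  done
  orapki wallet add -wallet "$1" -pwd "$2" -user_cert -cert "$4"
  orapki wallet display -wallet "$1" -pwd "$2"
}

# Usage (placeholders; the wallet directory mirrors the post's E:\SSL):
#   create_wallet_and_csr /opt/ssl 'WalletPassw0rd' epmlabapp.host.com 'EPM Lab' /opt/ssl/epmlabapp.csr
#   ... send /opt/ssl/epmlabapp.csr to the CA, then:
#   import_signed_cert /opt/ssl 'WalletPassw0rd' 'ca-root.cer ca-intermediate.cer' epmlabapp.cer
```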

OHS Configuration Steps


After you have configured the OHS wallet, it's time to configure OHS to use it to encrypt all communications. You will have to edit the following file (always make a backup first):
E:\Oracle\Middleware\user_projects\FOUNDATION\httpConfig\ohs\config\OHS\ohs_component\ssl.conf. Change the wallet path on the SSLWallet line:



to point to the directory where the wallet you created lives (E:\SSL in my case):



Also, you need to include the ssl.conf file from the main httpd.conf file. The httpd.conf file is located in the same directory as ssl.conf. Open it in your favorite editor and look for the following line:


and uncomment the include, as follows:




After this, things should have worked. However, in EPM 11.1.2.3 Oracle for some reason left the other EPM conf includes out of the SSL VirtualHost directive, so you will need to add them to the ssl.conf file like so:


Go to the end of the VirtualHost directive in ssl.conf and add the same four includes that appear in the VirtualHost directive at the end of httpd.conf. Without them the SSL virtual host knows nothing about the EPM applications, so the HTTPS port would answer but not serve EPM.

Save both files and restart OHS; you should now be able to access the EPM URLs over SSL.
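What the two edited files end up containing, as an added illustration rather than a copy of the post's screenshots (only the lines this post touches are shown; everything else in the shipped ssl.conf stays as Oracle delivered it). The wallet path and the 19443 port are the post's own values; the include file names inside the SSL VirtualHost are placeholders, copy the actual four include lines from the VirtualHost at the end of your httpd.conf.

```apache
# --- httpd.conf (E:\Oracle\Middleware\user_projects\FOUNDATION\httpConfig\ohs\config\OHS\ohs_component\httpd.conf)
# The include of ssl.conf ships commented out; remove the leading '#' so it reads:
include "E:/Oracle/Middleware/user_projects/FOUNDATION/httpConfig/ohs/config/OHS/ohs_component/ssl.conf"

# --- ssl.conf (same directory)
# Port OHS listens on for HTTPS; 19443 is the port in the post's example URL.
Listen 19443

<VirtualHost *:19443>
    SSLEngine on

    # Directory holding the wallet created above (ewallet.p12 plus the auto-login
    # cwallet.sso). Kept outside the EPM tree so patches and upgrades do not
    # overwrite it. Apache-based OHS accepts forward slashes on Windows.
    SSLWallet "E:/SSL"

    # EPM 11.1.2.3 leaves these out of the SSL virtual host: paste the same four
    # include lines from the <VirtualHost> block at the end of httpd.conf here.
    # The file names below are placeholders for those four lines, not real EPM files.
    include "E:/Oracle/Middleware/user_projects/FOUNDATION/httpConfig/ohs/config/OHS/ohs_component/FIRST_EPM_INCLUDE.conf"
    include "E:/Oracle/Middleware/user_projects/FOUNDATION/httpConfig/ohs/config/OHS/ohs_component/SECOND_EPM_INCLUDE.conf"
    include "E:/Oracle/Middleware/user_projects/FOUNDATION/httpConfig/ohs/config/OHS/ohs_component/THIRD_EPM_INCLUDE.conf"
    include "E:/Oracle/Middleware/user_projects/FOUNDATION/httpConfig/ohs/config/OHS/ohs_component/FOURTH_EPM_INCLUDE.conf"
</VirtualHost>
```

Restart OHS after saving; if the HTTPS port answers but only shows the default OHS page, the four includes are the first thing to check.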


If you get a red address bar, the certificate you installed is not trusted: either the name on it does not match the URL, or it was not signed by a CA the client trusts. Either have it re-signed by a trusted CA or, if you trust the CA, add the CA's certificate to the client computer's trusted root store.
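A quick way to check the result from any machine with the openssl command line, as an added example that is not part of the original post: fetch the certificate OHS presents on the SSL port, confirm it covers the hostname users type (applying the one-label wildcard rule), and verify the chain against the CA bundle the clients trust. These are the two causes of the red address bar described above. The host and port are the post's example values; the CA bundle path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: judge what OHS presents on its
# SSL port the way a browser or Smart View would. Requires the openssl CLI.

# Print the subject CN and every DNS subjectAltName of a PEM certificate, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Does one certificate name cover the hostname? A wildcard such as *.host.com
# matches exactly one label (app.host.com) and neither host.com nor a.b.host.com.
name_matches() {  # $1 name from the certificate  $2 hostname
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$n" in
    \*.*) [ "${h#*.}" = "${n#\*.}" ] && [ "${h%%.*}" != "$h" ] ;;
    *)    [ "$n" = "$h" ] ;;
  esac
}

# 0 if any name in the certificate covers the hostname, 1 otherwise.
cert_matches_host() {  # $1 PEM file  $2 hostname
  for n in $(cert_names "$1"); do
    name_matches "$n" "$2" && return 0
  done
  return 1
}

# 0 if the certificate chains to a CA in the bundle, which is what the client's
# trust store decides (the internal-CA case in the post).
verify_chain() {  # $1 leaf PEM  $2 CA bundle PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Pull the leaf certificate OHS serves for host:port, with SNI set to the host.
fetch_leaf_cert() {  # $1 host  $2 port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Full check: name coverage plus chain trust. Returns 0 only if both pass.
check_endpoint() {  # $1 host  $2 port  $3 CA bundle (PEM) the clients trust
  leaf=$(mktemp) || return 2
  if ! fetch_leaf_cert "$1" "$2" > "$leaf" 2>/dev/null; then
    echo "no certificate received from $1:$2 (is Listen $2 / SSLEngine on set in ssl.conf?)"
    rm -f "$leaf"; return 2
  fi
  rc=0
  if cert_matches_host "$leaf" "$1"; then
    echo "name ok: certificate covers $1"
  else
    echo "NAME MISMATCH: certificate names are: $(cert_names "$leaf" | tr '\n' ' ')"; rc=1
  fi
  if verify_chain "$leaf" "$3"; then
    echo "chain ok: issuer is in $3"
  else
    echo "UNTRUSTED: not signed by a CA in $3 (the red address bar case)"; rc=1
  fi
  rm -f "$leaf"
  return $rc
}

# Usage against the post's example URL (CA bundle path is an assumption):
#   check_endpoint servername.host.com 19443 /etc/ssl/certs/ca-certificates.crt
```

Run it once with the bundle your browsers trust and once with the bundle Smart View's machines trust; a name match with an untrusted chain is exactly the situation where browsers warn but Smart View and Reporting Studio just fail.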

That’s all folks



8 comments:

  1. Very good post.

    Do you have to make any changes to Weblogic or Hyperion for this to work? Is the only change done on the OHS side?

    Also will this same configuration work with the following.

    OHS/Weblogic and Hyperion are all installed on the same server. No external configuration/access. But we must have SSL configured. So, no OHS outside the firewall; everything is inside.

  2. This is very useful.

    I do have a couple of questions.

    1. Is this all that needs to be configured? No changes on Weblogic or Hyperion side?
    2. I have a configuration with OHS, Weblogic and Hyperion all on the same server. We require SSL. But, we do not have any external users. So, we have no OHS sitting outside the firewall. Everything is inside the firewall. Can we use the same setup as you have indicated?

    Replies
    1. Yes, you should be able to enable SSL only on OHS and communicate via 443 to end users, and then open the WL ports with the OHS IP address as source on the WL servers and communicate openly (http). No need to configure SSL on Weblogic if it isn't required; however, if you want to do a full SSL configuration you will need to configure SSL on the WL servers as well. Maybe I'll blog about that next :)

  3. Do you need to make any entry related to the port?

    Replies
    1. If you look closely at the ssl.conf file, you will see at the beginning of the SSL section that there is a ListenPort directive with the port you want to listen on. You can change that to whichever port you need to listen on.

  4. Your steps are perfect. Tried it and it worked great. I do have a question. Now that HTTPS is enabled what is the preferred method of disabling HTTP? We do not want both protocols running.

  5. Thanks Pablo - this was useful

    Atul
    atulrd65@gmail.com

  6. Thanks Pablo! It works fine!

    atul
