
Jan 14, 2014

Securing your EPM Installation with SSL (OHS terminated configuration)

You have many options for securing your EPM installation with SSL, one of which is to terminate SSL at the OHS layer. The graphic below shows how one can secure an OHS server surrounded by firewalls. Even though the purpose of this post is not to discuss security design, I felt it would be important to explain the difference between securing your environment with OHS-terminated SSL and with an SSL off-loader, which are the two most common methods for securing EPM.




The graphic above depicts how OHS can be enabled to communicate securely between the end user and the web server. In this case all users would be directed to a secure URL (e.g. https://servername.host.com:19443/workspace/index.jsp).


The graphic above depicts how one can use a load balancer off-loader to secure your entire EPM environment. Just as with the OHS-terminated SSL configuration, you would be directed to a URL using HTTPS; the main difference is that you do not have to configure SSL within the EPM environment, just in the SSL off-loader.

Steps for enabling SSL

Wallet configuration


Open Wallet Manager and create a new wallet, specifying a password.


Once you create the wallet, it will ask whether you want to create a CSR. You can either answer yes or, if you answer no, generate your CSR at a later time.



When creating the CSR, make sure you use the FQDN of the server as the common name.


At this point the request has been generated, so we want to save the wallet. By default, I always save my wallets outside of the Oracle EPM directory structure to make sure they don’t disappear after an upgrade or a patch. So I will save my wallet in E:\SSL. After saving your wallet, you will need to export the request and have it signed by either a private CA (your company would need to sign this) or a commercial CA that you pay to sign it (like VeriSign, Comodo, GoDaddy, etc.). To export the CSR, right-click the certificate and select “Export Certificate Request”.



I saved the exported CSR to E:\SSL\epmlabapp.csr. I will not cover the process of sending the CSR to a CA, but I’m sure you understand what the process is; if not, you can ask a security admin to sign the certificate for you from an internal CA.

After the certificate has been signed, you need to import it into the wallet. Right-click the request and select “Import User Certificate”.


If the CSR was correctly signed, the certificate in the wallet will look like the screenshot below (in my case, I used a bogus CA to sign my certificate request).



Note about certificates: If a self-signed certificate is used, or an internal certificate authority signed the certificate, you will need to ensure that the root CA that signed the certificate is trusted by all computers accessing the EPM URLs. Otherwise, you will either get a warning message that the URL you are trying to open is not trusted, or components just won’t work (e.g. Smart View, Reporting Studio, etc.). A “wild card” certificate can also be used. This is a certificate where a CA has signed *.yourcompanyname.com, so as long as your server resolves to something ending with that domain name you will be OK.

The last thing you need to do to the wallet is to enable the auto-login feature so you don’t have to enter a password every time you try to start OHS.


You can save and close the wallet.

OHS Configuration Steps


After you have configured the OHS wallet, it’s time to configure OHS to use this wallet to encrypt all communications. You will have to edit the following file (always remember to make backups):
E:\Oracle\Middleware\user_projects\FOUNDATION\httpConfig\ohs\config\OHS\ohs_component\ssl.conf. Change the path to the wallet on the following line:



to point to the location where the wallet you created lives, in my case:



Also, you need to include the ssl.conf file in the main httpd.conf file. The httpd.conf file is located in the same directory where ssl.conf is. You can edit it with your favorite editor and look for the following line:


and uncomment the include as follows:




After this, things should work. However, in EPM 11.1.2.3, for some reason Oracle left the other conf files out of the SSL VirtualHost directive, so you will need to add those to the ssl.conf file like so:


You can go to the end of the VirtualHost directive in the ssl.conf file and add the same four includes that are in the VirtualHost directive from the httpd.conf (at the end of the file).

Save both files and restart OHS, and you should be able to access the EPM URLs with SSL enabled.
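To confirm that the SSL VirtualHost really carries the same includes as the non-SSL one, you can compare the two files with a small script. This is an added example, not part of the original configuration or of Oracle's tooling; the sample configs are constructed, and port 19000 and the include file names are placeholders rather than the names a real EPM installation uses.

```python
import re

# Constructed sample configs. Port 19000 and the include file names are
# placeholders, not the names a real EPM installation uses.
HTTPD_CONF = """\
<VirtualHost *:19000>
    Include conf/placeholder_a.conf
    Include "conf/placeholder_b.conf"
    Include conf/placeholder_c.conf
    Include conf/placeholder_d.conf
</VirtualHost>
"""
SSL_CONF = """\
<VirtualHost *:19443>
    SSLEngine on
    Include conf/placeholder_a.conf
    # Include conf/placeholder_b.conf
</VirtualHost>
"""

VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost\s*>', re.I)
INCLUDE = re.compile(r'^\s*Include\s+(?:"([^"]+)"|(\S+))', re.I)

def vhost_includes(conf_text):
    """Map each VirtualHost address to the Include targets inside it."""
    blocks, current = {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        opened = VHOST_OPEN.match(line)
        if opened:
            current = blocks.setdefault(opened.group(1).strip(), [])
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None:
            inc = INCLUDE.match(line)
            if inc:
                current.append(inc.group(1) or inc.group(2))
    return blocks

def missing_from_ssl(httpd_text, ssl_text):
    """Includes used by httpd.conf VirtualHosts that an ssl.conf VirtualHost lacks."""
    wanted = [i for incs in vhost_includes(httpd_text).values() for i in incs]
    return {addr: [i for i in wanted if i not in incs]
            for addr, incs in vhost_includes(ssl_text).items()
            if any(i not in incs for i in wanted)}

if __name__ == "__main__":
    for addr, gap in missing_from_ssl(HTTPD_CONF, SSL_CONF).items():
        print(f"{addr}: missing {', '.join(gap)}")
```

To use it on a real server, read the contents of your own httpd.conf and ssl.conf into the two arguments; an empty result means every include from the non-SSL VirtualHost is also present in the SSL one.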


If you get a red address bar, it’s because the certificate you installed is not trusted or not signed by a trusted CA; either have it signed by a trusted CA or add the CA (if you trust it) to the computer’s trusted CAs.

That’s all folks