How to enable SSL (Secure Sockets Layer) for my BI Publisher Server installed with OC4J standalone ?
SSL is a cryptographic protocols that provides a encrypted therefore secured communications over internet. This can be enabled for your BI Publisher Server to secure the communication between the server and the clients.
I’m sure many of you have installed BI Publisher as a part of Oracle BI EE suite or as just a BI Publisher Server standalone following the standard installation with the installer. The standard installation installs an embedded OC4J server and deploy BI Publisher Server on the OC4J server. In this deployment architecture you don’t have any HTTP server. OC4J Server directly interacts with clients http requests and returns response to the clients for the BI Publisher Server.
Today, I will talk about how to enable the SSL for such configuration, which is that BI Publisher Server standalone deployed on OC4J standalone. I will focus only on enabling SSL communication.
Here is a list of the brief steps that you need to perform.
- Create a Keystore
- Create and Update secure-web-site.xml
- Register the secure-web-site.xml in server.xml
Create a Keystore
A keystore stores certificates, including the certificates of all trusted parties, for use by a program. Through its keystore, an entity such as OC4J (for example) can authenticate other parties, as well as authenticate itself to other parties. In Java, a keystore is a
java.security.KeyStore instance that you can create and manipulate using the
keytool utility that is provided with the Sun Microsystems JDK. The underlying physical manifestation of this object is a file.
Here are the steps to create the keystore.
Change the directory to
Create a keystore with an RSA private/public keypair using the
keytoolcommand. In this example, we generate a keystore to reside in a file named
mykeystore, which has a password of
123456and is valid for 365 days, using the RSA key pair generation algorithm with the following syntax:
% keytool -genkey -keyalg "RSA" -keystore mykeystore -storepass 123456 \ -validity 21
keystoreoption sets the filename where the keys are stored.
storepassoption sets the password for protecting the keystore.
validityoption sets number of days the certificate is valid.
The keytool prompts you for more information, as follows:
What is your first and last name? [Unknown]: Kan Nishida
mykeystore file is created in the current directory. The default alias of the key is
Create and Update secure-web-site.xml file
- If you do not have a
secure-web-site.xmlfile, copy the
- Open the
secure="true" to the
<web-site>element, as follows:
<web-site port="4446" display-name="Default OracleAS Containers for J2EE Web Site" secure="true" >
- Change the
<web-site>port setting to some available port. For example,
port="4443". (To use the default of 443, you have to be a super user.)
- Add the following under the
<web-site>element to define the keystore and password.
<ssl-config keystore="your_keystore" keystore-password="your_password" />
your_keystoreis the path to the keystore—either absolute, or relative to
/j2ee/home/config(where the Web site XML file is located)—and
your_passwordis the keystore password. For example:
<!-- Enable SSL -->
<ssl-config keystore="../../keystore" keystore-password="123456"/>
Register secure-web-site.xml file in server.xml
Add the following line in
<web-site path="./secure-web-site.xml" />
Save the changes and restart OC4J server to reflect the changes.
Access to BI Publisher Server for Testing
Now all the settings are done. Let’s test. You should be able to use ‘https’ to access to your BI Publisher.
where the port number is the one you set in the secure-web-site.xml file.
Now OC4J listens for SSL requests on one port (in this example 4446) and non-SSL requests on another (the default is 9704). You can disable either SSL requests or non-SSL requests, by commenting out the appropriate
*-web-site.xml pointer in the
server.xml configuration file:
<web-site path="./secure-web-site.xml" /> - comment this to remove SSL
<default-site path="./default-web-site.xml" /> - comment this to remove non-SSL
Well, it’s pretty simple right?. But of course if you want to really secure then you can do more in the configuration. Also if you have a http server involved, which is a typical architecture with Oracle Application Server, then it requires extra steps. You can take a look at OC4J Security Guide 10.1.3 for the detail. Also, if you need to integrate with Oracle BI EE, which is SSL enabled then there will be more steps, though they are documented in the Oracle BI EE Deployment Guide.