Installing and Configuring EPM 11.1.1.3 System with SSL Enabled on All Layers

Download EPM System 11.1.1.3 assemblies from edelivery.oracle.com.

User had received the public (root) certificate of the CA used for the certificate’s signing in case the CA is not the trusted one.

User had generated and signed personal certificates signed by the CA for the every host used in the EPMSystem's configuration. See “9. Certificates’ generation and management” for details.

User had installed and configured OpenSSL on the system in order to use SSL in Apache2. The latest version of OpenSSL can be found at: http://www.openssl.org. See “11.1 and 11.2” for details.

User had installed and configured all EPMSystem’s products and components and enabled SSL on “Common Settings” and “WebServer Configuration” panels. See «8. Configure EPM System» for details. The installation of Workspace is required in order to get the bundled Apache2 Web Server and “WebServer Configuration» task in the configuration utility.

Launch the configuration utility and select Hyperion Foundation. Note that Common Settings and Configure Database tasks are pre-selected.

Click Next

In the Common Settins panel, select the Enable SSL for Web applications checkbox. This flag makes all EPM applications to use SSL communications and sets the useSSL flag to True in the EPM Registry:

Click Next

Provide the DB connectivity information and proceed to the Application Server Selection panel. Select Oracle WebLogic 9.

Click Next

Specify Foundation Services HTTP and SSL ports. These values are stored in EPM Registry so that all products can access Foundation Services through the specified HTTPS ports in case SSL communications are enabled.

Click Next.

Foundation Services is being configured

Create the %HYPERION_HOME%\ssl folder (For example, c:\HyperionSSL). The folder is used as the single location for all certificates and keystores for EPM System

Note: You need to adjust all statements listed below on 64-bit systems, since the location of JVM is different.

Create a new JKS keystore. This keystore is used to store WebLogic’s Server Certificate. Make sure that the CN reflects you system's fully qualified domain name (For example, hitqew2k3-1.eng.hyperion.com). In the following command, we use epm_ssl as the alias to store our private key in the keystore, and password as the JKS keystore's password. The keystore is generated in the %HYPERION_HOME%\ssl folder. The same syntax applies for UNIX systems:

%HYPERION_HOME%\common\JRE\Sun\1.5.0\bin\keytool.exe -genkey -dname "cn=hitqew2k3-1.eng.hyperion.com" -alias epm_ssl -keypass password -keystore %HYPERION_HOME%\ssl\keystore -storepass password -validity 365 -keyalg RSA

Import the root (public) certificate of the Certification Authority (CA) that is being used for signing of the certificate into the newly generated JKS keystore.

Note: You do not need to do this in case the CA is the trusted one. The list of the Java Trusted Certificate Authorities is available here.

Rename the root certificate of the CA to CA.crt and copy it to the %HYPERION_HOME/ssl/ folder. The following command imports the certificate into JKS keystore using blister alias and marks it as the trusted CA (-trustcacerts option). When prompted, confirm the import by entering yes.

%HYPERION_HOME%\common\JRE\Sun\1.5.0\bin\keytool.exe -import -alias blister -keystore %HYPERION_HOME%\ssl\keystore -trustcacerts -file %HYPERION_HOME%\ssl\CA.crt -storepass password

Generate the certificate request (CSR) for you hostname (make sure to use the same alias that was used for the private key/JKS keystore generation. The certificate request will be stored in the %HYPERION_HOME%\ssl\HyS9WL.csr file):

%HYPERION_HOME%\common\JRE\Sun\1.5.0\bin\keytool.exe -certreq -alias epm_ssl -keyalg RSA -file %HYPERION_HOME%\ssl\HyS9WL.csr -keystore %HYPERION_HOME%\ssl\keystore -storepass password

Open %HYPERION_HOME%\ssl\HyS9WL.csr with Notepad. Copy the certificate request and send it to your CA for the signing. The certificate request should look like the following sample:

-----BEGIN NEW CERTIFICATE REQUEST----- MIIBZzCB0QIBADAoMSYwJAYDVQQDEx1oaXRxZXcyazMtMTguZW5nLmh5cGVyaW9uLmNvbTCBnzANBgkqhki
G9w0BAQEFAAOBjQAwgYkCgYEAy8QisiwnMY9llujuLqyfx5p6vY0jlRZ0Aa5er0+x9gKKSU7VfJHue18FDMY
qgb2NAY0NGAskEjwFtKmitt3dLgvLLvsi+kkpK3XshWvHLvUcWZfR4i82KVWvDuFjpLE6iExJq78X4gN7M2A
6fmgTvxts5lRRyliT//jDNvEc+Y8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAL4AS4ybjTvDF/f8QgnV01g
twMLFp4DGtSU/NSvAsJKyBYslEn2DrryWkOOj2r9PlI/2ugRS+KXpkjj11J2cM6ihzlpFm1nl3aG6Cne6HDu
a5myAOWwXVtfiTZNldCCCl6328M6n77GKhriLBWd/iQ8mty4fXKCRTEqfaEf7gOzl
-----END NEW CERTIFICATE REQUEST-----

The Certification Authority (CA) signs your request (CSR) and issues the personal certificate for you. Open the certificate and save it as %HYPERION_HOME%\ssl\HyS9WL.crt.

Import this personal certificate into the JKS keystore under the same alias that was used for the CSR generation ( For example, epm_ssl):

%HYPERION_HOME%\common\JRE\Sun\1.5.0\bin\keytool.exe -import -alias epm_ssl -keystore %HYPERION_HOME%\ssl\keystore -storepass password -file %HYPERION_HOME%\ssl\HyS9WL.crt

The following message is displayed: "Certificate reply was installed in keystore".

In case your CA is not the JVM-trusted one, import the root (public) certificate of the Certification Authority (CA) that is being used for signing of the personal certificate into the configuration utility's JVM:

%HYPERION_HOME%\common\JRE\Sun\1.5.0\bin\keytool.exe -import -alias blister –keystore %HYPERION_HOME%\common\JRE\Sun\1.5.0\lib\security\cacerts -trustcacerts -file %HYPERION_HOME%\ssl\CA.crt -storepass changeit

Note: "changeit" is the default JVM's keystore password. It is highly recommended to change it right after the installation.

In case your CA is not the JVM-trusted one, import the root (public) certificate of the Certification Authority (CA) that is being used for signing of the Server certificate into WebLogic's JRockIt:

C:\bea\jrockit90_150_10\jre\bin\keytool -import -alias blister -keystore C:\bea\jrockit90_150_10\jre\lib\security\cacerts -trustcacerts -file %HYPERION_HOME%\ssl\CA.crt -storepass changeit

Note: "changeit" is the default JVM's keystore password. It is highly recommended to change it right after the installation.

Start WebLogic Admin Server:

%HYPERION_HOME%\deployments\WebLogic9\startWebLogic.cmd

Log in to WebLogic Console at: http://localhost:7001/console

Note: Default credentials are hyperion/hyperion.

Navigate to Servers | SharedService9

On the left pane, click Lock & Edit.

On the General tab, disable HTTP Port and enable the HTTPS port. Verify that HTTPS port matches the one that was specified during Foundation Services deployment.

Click Save.

Navigate to the Keystores tab and perform the following tasks:

• In the Keystores list, select Custom Identity and Java Standard Trust.
  Note: Since the root certificate of the CA was imported to the WebLogic's JVM it is possible to select Java Standard Trust keystore. (C:\bea\jdk150_10\jre\lib\security\cacerts).
  
  
• In the Custom Identity Keystore field, enter the location of the JKS keystore that contains WebLogic Server's certificate (For exampple, %HYPERION_HOME%\ssl\keystore).
  Note: enter the absolute PATH, do not use environment variables.
  
  
• In the Custom Identity Keystore Type field, enter JKS.
  
  
• In the Custom Identity Keystore Passphrase field and in the Confirm Custom Identity Keystore Passphrase field, enter password to the JKS keystore with the server's certificate (For example, password).
  Note: If you only want to trust the CA that issued your certificate, you can choose “Java Custom Trust” and point to the JKS keystore where we imported the CA’s root certificate

Click Save.

Navigate to the SSL tab and perform the following tasks:

• In the Private Key Alias field, enter the alias that was used to import the server's certificate into the JKS keystore (For example, epm_ssl).
  
  
• In the Private Key Passphrase field and in the Confirm Private Key Passphrase field, enter the certificate's (private key) password (For example, password).
  

Click Save.

On the left pane, click Activate Changes.

Install and configure OpenSSL on your system in order to use SSL in Apache2. The latest version of OpenSSL can be found at: http://www.openssl.org.

Configure OpenSSL:

• Add the path to the OpenSSL's bin directory to the system's %PATH% environment variable.
  
  
• Set the OPENSSL_CONF environment variable and point to the location of openssl.cnf: (For example, OPENSSL_CONF=c:\openSSL\bin\openssl.cnf).
  

Generate you private SSL key. It is encrypted and stored in %HYPERION_HOME%\ssl\privkey.pem

openssl genrsa -out %HYPERION_HOME%\ssl\privkey.pem 1024 -des3

Generate a Certificate Signing Request (CSR) for your Apache2 Web Server using your private key. Make sure that the CN reflects you system's fully-qualified domain name. It is highly recommended to avoid default passwords, such as changeit, password, and so on. Store the CSR in the %HYPERION_HOME%\ssl\epm_apache.csr file.

openssl req -new -out %HYPERION_HOME%\ssl\epm_apache.csr –key %HYPERION_HOME%\ssl\privkey.pem

When prompted, enter the following data:

• Common Name (eg, your name or your server's hostname): hitqew2k3-1.eng.hyperion.com
• Passphrase: password

Remove the passphrase from the private key:

openssl rsa -in %HYPERION_HOME%\ssl\privkey.pem -out %HYPERION_HOME%\ssl\epm_apache.key

When prompted, enter passphrase for privkey.pem (For example, password).

Send the CSR (%HYPERION_HOME%\epm_apache.csr) that you created to your Certification Authority (CA) for signing. After the CA signs your CSR request and issues a personal certificate for you, open the certificate and save it in the %HYPERION_HOME%\ssl\epm_apache.crt file.

Note: Make sure that there are no spaces or empty lines after the -----END CERTIFICATE----- tag.

Stop Apache Web Server using the corresponding Windows service or batch script.

Edit the %hyperion_home%\common\httpServers\Apache\2.0.59\conf\httpd.conf file by performing the following tasks:

• Comment out the existing Listen XXXXX and Port XXXXX parameters.
• Uncomment the following entry: LoadModule ssl_module modules/mod_ssl.so
• Comment out the existing ServerName localhost:xxxx.
  
  

Edit the %hyperion_home%\common\httpServers\Apache\2.0.59\conf\ssl.conf file by performing the following tasks:

• Rename <VirtualHost _default_> to the FQDN of your system (For example, <VirtualHost hitqew2k3-1.eng.hyperion.com:19000> )
  
  Note: Make sure that the hostname matches CN in your certificate, and port matches to the one, specified in the Listen directive.
  
  
• Specify the location of Apache's Server certificate:
  SSLCertificateFile ${HYPERION_HOME}/ssl/epm_apache.crt
• Specify the location of the private key that was used during certificate generation:
  SSLCertificateKeyFile ${HYPERION_HOME}/ssl/epm_apache.crt

Edit the %hyperion_home%\common\httpServers\Apache\2.0.59\conf\HYSL-WebLogic.conf file by Adding the following parameter:

TrustedCAFile %HYPERION_HOME%\ssl\CA.crt

Note: You need to resolve %HYPERION_HOME% and enter the absolute path.

Note: CA.crt is the root (public) certificate of the CA that was used for signing WebLogic certificates. This parameter tells Apache - WebLogic plug-in that it should trust all certificates issued by this CA.

Enable SSL mode in Apache's startup parameters by performing one of the following tasks:

• If you have configured EPM System using Windows Services:

1. Open Windows Registry Editor (regedit.exe) and navigate to:
   
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HyS9Apache2
   
   
2. Open the ImagePath key.
   
   The key value should be similar to the following sample:
   
   "C:\Hyperion\common\httpServers\Apache\2.0.59\bin\Apache.exe" -k runservice
   
   
3. Add the -DSSL option to these startup options.
   
   "C:\Hyperion\common\httpServers\Apache\2.0.59\bin\Apache.exe" -k runservice -DSSL
   
   
4. Start the Hyperion Apache 2.0 Windows Service.

• If you have not configured EPM System using Windows Services, then start Apache Web Server:
  
  %HYPERION_HOME%\common\httpServers\Apache\2.0.59\bin\Apache.exe –DSSL
  
  

Verify that Apache is up and running (listen port specified in the configuration utility and Apache's SSL.conf), open the certificate in the browser, and check that all parameters are correct.

https://hitqew2k3-1.eng.hyperion.com:19000

Verify that all EPM System’s WebLogic applications are available via Apache Web server:

https://hitqew2k3-1.eng.hyperion.com:19000/interop/index.jsp

Verify that all EPM System’s IIS applications are available via Apache Web server:

https://hitqew2k3-1.eng.hyperion.com:19000/hfm/

Launch IIS Manager from Windows toolbar by selecting Start Menu > Administration Tools or from Windows command prompt by running the inetmgr command.

The Welcome to the Web Server Certificate Wizard page is displayed.

Click Next.

Click Next.

Click Next.

Click Next.

Click Next.

Click Next.

Iin the Certificate Request File Name, enter c:\certreq.txt.

Click Next.

Note: Make sure there are no spaces, or empty lines after the -----END CERTIFICATE----- tag.

Launch IIS Management Console.

Click Next.

In the Default Web Site Properties window, select the Web Site tab, enter the HTTPS port you want IIS to listen on (the default port is 443). If you enter a non-default port for IIS and you have already configured EPM System, then you need to re-configure Web Server Configuration task in the configuration utility.

Verify that IIS is running at the specified HTTPS port.

https://hitqew2k3-1.eng.hyperion.com:4443