Enabling SSL for BI Publisher - Siebel Security Model

In Siebel 8.1.1.1 and BI Publisher 10.1.3.4.1 a new security model, Siebel Security, is introduced. In this security model BI Publisher uses the Siebel responsibilities as functional roles. How to deploy it is described excellently on the blog Siebel Essentials. When the Siebel Security Model in BI Publisher requests the available roles (responsibilities) from Siebel, the username and password of the Siebel administrator and the Siebel user are passed in clear text in the header and body of the web service request. It would be more secure to make the web service call to your Siebel Web Server over HTTPS. This article describes how you can achieve this.

BI Publisher uses the javax.net.ssl.* classes for SSL connections. When connecting to a Siebel Server using SSL, the certificates supplied by this server during session set-up must be verifiable by the BI Publisher server, or more precisely by the JRE running the server. The JRE can verify a certificate when the certificate or its Certificate Authority has been added to the keystore. You can add the certificate of the Siebel Web Server to the JRE keystore, but it is more elegant to add your company's internal RootCA certificate to the keystore. Adding a certificate to your BI Publisher keystore requires a few simple steps.

First open a command prompt on your BI Publisher server and change your current directory to {Oracle_Home}\jre\1.4.2\bin. Then import the certificate of the Siebel Web Server or the RootCA by entering the instruction keytool -import -alias {Descriptive_Name} -keystore ..\lib\security\cacerts -file {Certificate_file}. Do not forget to replace {Descriptive_Name} and {Certificate_file}. The initial password for the cacerts keystore is changeit. Now run the instruction keytool -list -keystore ..\lib\security\cacerts to verify the certificate was added.

Now that you have stored the certificates in your keystore, the JRE must know where to find the keystore. You can set the location of the keystore using the javax.net.ssl.trustStore system property. This can be done by modifying the oc4j.cmd Windows command file. This file is executed by the shortcut “Start BI Publisher” in the Windows Start menu. To modify the file, open {Oracle_Home}\oc4j_bi\bin\oc4j.cmd in an editor and find the line starting with the label :oc4j, which is around line 174. This is the entry point of the 'function' that starts the OC4J application server. Now you have to find the line that starts the OC4J server. In the snippet from the original command file below, it is shown at line 13.

01 rem
02 rem execute oc4j.jar command
03 rem
04 :oc4j
05 if /I "%VERBOSE%"=="on" (
06 rem echo Executing: D:\OraHome_1\jdk\bin\java......
07 echo.
08 )
09 if not EXIST "%OC4J_JAR%" (
10 echo Error: Can not find %OC4J_JAR%.
11 goto end
12 )
13 "D:\OraHome_1\jdk\bin\java" -XX:MaxPermSize=128m -........
14 goto end


The complete code at line 13 is "D:\OraHome_1\jdk\bin\java" -XX:MaxPermSize=128m -Xmx512m -Duser.language=en -Duser.country=US -jar "%OC4J_JAR%" %CMDARGS% when you have installed BIP on drive D in directory OraHome_1. Somewhere in this line you have to add the system property javax.net.ssl.trustStore to specify the location of the keystore. You add a system property using the -D argument followed by the system property name, an equals sign, and finally the assigned value, e.g.
-Djavax.net.ssl.trustStore={Oracle_Home}\jre\1.4.2\lib\security\cacerts. Add the system property after the Java maximum heap size parameter, -Xmx512m. After adding the new system property, the line will look similar to
"D:\OraHome_1\jdk\bin\java" -XX:MaxPermSize=128m -Xmx512m -Djavax.net.ssl.trustStore=D:\OraHome_1\jre\1.4.2\lib\security\cacerts -Duser.language=en -Duser.country=US -jar "%OC4J_JAR%" %CMDARGS% when you have installed BIP on drive D in directory OraHome_1. Now that you have loaded the CA into the JRE keystore and specified its location, you can enable SSL.

Log on to the BI Publisher web interface using an account with the XMLP_ADMIN role or as the Local Superuser. Go to Admin -> Security Configuration and change the URL of the Siebel Web Service Endpoint from HTTP to HTTPS. Select Apply to save the changes and verify the connection by opening the Roles and permissions screen on the Admin page.
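
The trust store can also be checked outside BI Publisher, for example before changing the endpoint to HTTPS. The Java class below is an added example, not part of the original article or of BI Publisher; the class name TrustCheck and its command-line arguments are assumptions, and it needs network access to the HTTPS port of the Siebel Web Server.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name). Checks certificate chain trust only;
// it does not compare the host name with the certificate subject.
// Usage: java TrustCheck <truststore> <password> <host> [port]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java TrustCheck <truststore> <password> <host> [port]");
            System.exit(2);
        }
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;
        // Load the keystore file that javax.net.ssl.trustStore points to.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        // Trust only the certificates in that keystore, as the OC4J JVM will.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], port);
        try {
            socket.startHandshake(); // fails here if the chain is not trusted
            Certificate[] chain = socket.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                if (chain[i] instanceof X509Certificate) {
                    X509Certificate c = (X509Certificate) chain[i];
                    System.out.println(i + ": " + c.getSubjectDN() + " <- " + c.getIssuerDN());
                }
            }
            System.out.println("OK: chain verified against " + args[0]);
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
            System.exit(1);
        } finally {
            socket.close();
        }
    }
}
```

Run it with the same JRE and the same cacerts path that oc4j.cmd uses. A FAILED result means the imported certificate or RootCA does not cover the chain the web server presents.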



