OAS supports visualization and analysis of data residing on several types of external data sources. For the OAS platform to connect to and load data from these external data sources, SSL communication must be configured properly: an appropriate SSL handshake must take place between the application tier and the load balancer. This handshake is not possible unless the Admin Server and the Managed Servers in the application tier are started with the appropriate SSL configuration.
In our design, we implemented and configured the appropriate SSL communication between the application tier and the load balancer. The high-level steps performed in our setup are listed below:
- Create the Java KeyStore home directory on an NFS volume shared between both the OAS-BIHOSTs.
In our example, KEYSTORE_HOME = /u01/oracle/config/keystores/
- Run the utils.CertGen tool to create self-signed certificates for hostnames (oas-bihost1.delllabs.net, oas-bihost2.delllabs.net) and aliases (virtual host names) used by the Admin (adminvhn.delllabs.net) and the Managed Servers (oas-bihost1vhn.delllabs.net and oas-bihost2vhn.delllabs.net), one per host, in the KeyStore home directory.
- Import the certificates and private keys generated in the previous step (step 2 above) for the hostnames and the aliases into a newly created Identity KeyStore - $KEYSTORE_HOME/appIdentityKeyStore.jks - using the utils.ImportPrivateKey utility.
- Create a new trust keystore - $KEYSTORE_HOME/appTrustKeyStore.jks - using the existing standard Java keystore ($WL_HOME/server/lib/cacerts), change its default password, and import the CA certificate into it using the keytool utility.
- Import the load balancer certificate into the trust keystore appTrustKeyStore.jks.
- Add the updated trust keystore (appTrustKeyStore.jks) to WLS startup scripts. Add the following two lines to the end of the Admin Server’s startup script $ASERVER_HOME/bin/setDomainEnv.sh and to the end of the Managed Server startup script $MSERVER_HOME/bin/setDomainEnv.sh (on both hosts):
EXTRA_JAVA_PROPERTIES="-Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/appTrustKeyStore.jks ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
- Edit and configure the nodemanager.properties file in both the Admin Server home (ASERVER_HOME) and the Managed Servers home (MSERVER_HOME on both hosts) to use the custom identity keystore appIdentityKeyStore.jks.
- Log in to the Oracle FMW Admin Console and configure WLS to use the custom identity (appIdentityKeyStore.jks) and trust keystores (appTrustKeyStore.jks) we created in the previous steps.
- Restart all components and services across the three OAS tiers for the new SSL configuration to take effect.
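A read-only check of the files edited in the steps above, added here as an example; it is not part of the original page or of Oracle's tooling. It assumes Node Manager uses the standard WebLogic property names KeyStores and CustomIdentityKeyStoreFileName, which the page does not list, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the files edited in the steps above.
# Usage: sh audit_oas_ssl.sh <setDomainEnv.sh> <nodemanager.properties>
# Keystore names and the default KEYSTORE_HOME are the page's values; the Node
# Manager property names checked here are assumed, not taken from the page.

# Print the last value assigned to key $2 in Java properties file $1.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Print one FAIL line per problem; return 0 only when every check passes.
audit_oas_ssl() {
    env_file=$1; nm_file=$2; findings=0
    ks_home=${KEYSTORE_HOME:-/u01/oracle/config/keystores}
    ks_home=${ks_home%/}
    trust_ks=$ks_home/appTrustKeyStore.jks
    identity_ks=$ks_home/appIdentityKeyStore.jks

    # The trust store flag must sit on an active (non-comment) line.
    if ! grep -v '^[[:space:]]*#' "$env_file" |
         grep -Fq -- "-Djavax.net.ssl.trustStore=$trust_ks"; then
        fail "$env_file: javax.net.ssl.trustStore is not $trust_ks"
    fi
    if ! grep -Eq '^[[:space:]]*export[[:space:]]+EXTRA_JAVA_PROPERTIES' "$env_file"; then
        fail "$env_file: EXTRA_JAVA_PROPERTIES is not exported"
    fi

    mode=$(prop_value "$nm_file" KeyStores)
    [ "$mode" = CustomIdentityAndCustomTrust ] ||
        fail "$nm_file: KeyStores is '${mode:-unset}'"
    ks=$(prop_value "$nm_file" CustomIdentityKeyStoreFileName)
    [ "$ks" = "$identity_ks" ] ||
        fail "$nm_file: CustomIdentityKeyStoreFileName is '${ks:-unset}'"

    # The identity keystore holds private keys on a shared NFS volume.
    for f in "$trust_ks" "$identity_ks"; do
        [ -f "$f" ] || fail "$f: keystore file is missing"
    done
    if [ -n "$(find "$identity_ks" -perm -0004 2>/dev/null)" ]; then
        fail "$identity_ks: readable by other users"
    fi

    [ "$findings" -eq 0 ]
}

if [ "$#" -eq 2 ]; then audit_oas_ssl "$1" "$2"; fi
```

Run it once per domain home on each host, passing that home's setDomainEnv.sh and nodemanager.properties.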