How to setup a Custom Vanity URL for Essbase 19c Marketplace Instance without Load Balancer

Tested on Essbase 19c marketplace Instance Version: 19.3.0.2.0, Build: 362

Action Summary: For a Vanity URL we need to decide on the DNS Name. Generate Private Key and Certificate Signing Request (CSR) for the required DNS Name. Get the CSR file signed by a Well Known Public Certification Authority (CA) like VeriSign, DigiCert, GoDaddy, etc. Once the CSR is signed by a CA, we should be having the below files: 1. Signed DNS Named (for Apache Server) SSL Certificate. 2. CA Intermediate Certificate (If multiple intermediate certificates exist, we need all of them). 3. CA Root Certificate. Upload the above mentioned files and the Private Key on to the Essbase Instance VM and perform the config steps. Map the Essbase Marketplace Instance VM Public IP Address to the desired DNS Name in the DNS Server to be recognized over the Internet. NOTE: If Private IP is used while creating Essbase MP Instance, set the Private IP Address to the DNS Name in the Customer’s DNS Server so that the DNS Name is resolved to the IP in the Intranet. Change the Essbase URL in the IDCS Confidential Application to the DNS Named URL Access Essbase URL using the new DNS Name

There are two ways to get the SSL Certificates: 1. Business User (Admin) generating the Private Key and Certificate Signing Request (CSR) files and submitting them to Security/IT team. 2. Security/IT Team generating the Private Key and Signed Certificate in PFX/p12 format and provide to Business User (Admin).

Generate Private Key and Certificate Signing Request (CSR) files on the Essbase VM or any Linux Machine: 1. Logon to Essbase Instance VM using SSH private key as opc user 2. Create a new folder to host the SSL Files >sudo mkdir /tmp/ssl >cd /tmp/ssl >sudo openssl req -new -newkey rsa:2048 -nodes -keyout /tmp/ssl/.key -out /tmp/ssl/.csr NOTE: Replace the with your required DNS Name. e.g. essmpdev.example.com

3. The certs cannot be locked with a passphrase (for Apache) so simply press the key to skip the passphrase.

4. This will generate the .key file and the .csr file in the /tmp/ssl directory.

5. Provide the CSR file to your Security/IT team to get this Signed by a Public CA.

Get the CSR Signed by Public Certification Authority (CA) Your Security/IT team will get the CSR Signed by the Public CA and give you below files: 1. DNS Named Server Certificate signed by Public CA. 2. Public CA Intermediate Certificate (If multiple intermediate certificates exist, we need all of them). 3. Public CA Root Certificate.

NOTE: While copying make sure you set the ownership of copied files to “root”

If you are given a PFX file by your Security/IT Team, run below commands to get the Private Key and Signed DNS Named Server Certificate from the PFX file.

Extract the Private Key from PFX: >sudo openssl pkcs12 -in essmptest.pfx -out essmptestpwd.key -nocerts –nodes Prompts for the PFX password, enter the password. Extract the Signed Certificate from PFX: >sudo openssl pkcs12 -in essmptest.pfx -out essmptest.crt –nokeys Prompts for the PFX password, enter the password.

We got the Private Key with a Passphrase, we need to remove the Passphrase from the Private Key >sudo openssl rsa -in essmptestpwd.key -out essmptest.key

Configure Apache Server with DNS Name and SSL Certificates >cd /etc/httpd/conf.d >ls -l

Create a file servername.conf and enter “ServerName essmpdev.example.com” in the file NOTE: ServerName varies based on your DNS Name. >sudo vi servername.conf

>ls –l

Edit ssl.conf >sudo vi ssl.conf Add the absolute path to the intermediate.crt in the ssl.conf file. SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt From:

To:

Looking at the ssl.conf file, we know the path where we need to copy the SSL Certificate files. Merge the CAInter.crt and CARoot.crt into one file named intermediate.crt (CAInter.crt appended with CARoot.crt) >cd /tmp/ssl >sudo cat CAInter.crt > intermediate.crt >sudo cat CARoot.crt >> intermediate.crt > cat intermediate.crt Should look as below: -----BEGIN CERTIFICATE----- MIIFTzCCBDegAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx uJBN/HODGbz8H9TWpHpuf2p7DvNkxaJmE0+P2zvM2TBNeENMbt0hDZlWce7iCFLR Ug3k8F4sQAqLo+D24+ou7Qn1FA== -----END CERTIFICATE------BEGIN CERTIFICATE----- MIIFVTCCBD2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx bcA4NekufggDPbNGteY3uP3jXE3u0x0o0BpruZIjm7zjts6DcE2t/BAwNDVPa0vo VGPS4DCKuclDc57iZzNV9F0n7/RYecdkYQ== -----END CERTIFICATE-----

Change the permissions on the intermediate.crt file to root user. >sudo chown root:root intermediate.crt

Apply the DNS Named SSL Certificate, Private Key and the CA Chain Certificates (intermediate.crt) to the respective location >cd /etc/pki/tls/certs

Take backup of existing localhost.crt >sudo mv localhost.crt localhost.crt.orig Copy the Public CA Signed DNS Named Server certificate as localhost.crt >sudo cp /tmp/ssl/essmpdev.crt ./localhost.crt Set the correct Permissions >sudo chmod 644 localhost.crt Copy the intermediate.crt file to /etc/pki/tls/certs >sudo cp /tmp/ssl/intermediate.crt /etc/pki/tls/certs Set the correct Permissions >sudo chmod 644 intermediate.crt >ls -l

>cd /etc/pki/tls/private Take backup of existing localhost.key >sudo mv localhost.key localhost.key.orig Copy the Public CA Signed DNS Named Server certificate as localhost.crt >sudo cp /tmp/ssl/essmpdev.example.com.key ./localhost.key Set the correct Permissions >sudo chmod 600 localhost.key

Restart the Apache Server Services: >sudo systemctl restart httpd

Reset the Essbase redirect URL in IDCS Confidential Application Login to IDCS adminconsole https://idcs-<5238744>.identity.oraclecloud.com/ui/v1/adminconsole

Redirect URL: https://essmpdev.example.com/essbase/redirect_uri Logout URL: https://essmpdev.example.com/essbase/jet/logout.html Post Logout Redirect URL: https://essmpdev.example.com/essbase/jet/logout.html

Import the Essbase Server Public CA Signed SSL Certificate in IDCS as well.

Save the config

Add the DNS Name Mapping to the IP Address in the DNS Server to be recognized over the Internet Map the Public IP Address of Essbase Marketplace Instance VM to the required DNS Name. e.g 15x.xxx.xx.x54 to essmpdev.example.com @here: For testing let’s set the IP Mapping to DNS Name in our Browser i.e. Windows Machine hosts entry Ref: https://www.webhostface.com/kb/knowledgebase/modify-hosts-file

Test Connectivity to Essbase https://docs.oracle.com/en/database/other-databases/essbase/19.3/essad/test-connectivity-essbase.html

Log in to the Essbase Web Interface: https://essmpdev.example.com/essbase/jet It should get redirected to IDCS for Login and upon successful login it should get redirected to Essbase.

Log in to Essbase CLI esscs login –u admin –p password –url https://essmpdev.example.com/essbase

Log in to Cube Designer SmartView:

Log in to Maxl Client > login admin password on https://essmpdev.example.com/essbase;

Connect to Essbase from OAC

In the example below we used an Internal CA Signed SSL Certificate and did not map the IP Address to DNS Name in any DNS Server, we need to tweak some areas so that the client utilities understand the SSL Certificate.

Log in to Essbase CLI Import the CAInter and CARoot certificates to the JDK used by the CLI. Import CAInter.crt to the C:\Program Files\Java\jdk1.8.0_181\jre\lib\security\cacerts

Import CARoot.crt to the C:\Program Files\Java\jdk1.8.0_181\jre\lib\security\cacerts

Log in to Maxl Client Copy the contents of both CAInter.crt and CARoot.crt to the end of the file: Drive:/…/EssbaseMaxl/cacert.pem