11 Feb How to secure an Enterprise OBIEE 11g environment: the Oracle HTTP Server
Most clients have their Oracle Business Intelligence Enterprise Edition (OBIEE) 11g environment inside their Local Area Network (LAN) secured behind two firewalls, one between the World Wide Web (WWW) and the DeMilitarized Zone (DMZ) and another one between the DMZ and their LAN as it can be seen in the following graph.
Organizations usually deploy their OBIEE content within their internal LAN network and for users behind the internal Firewall. These environments are secure because they can only be accessed from inside the LAN; but now there is a new player into the typical Business Intelligence environment (BI), the mobile BI.
Mobile BI refers to the distribution of business data to mobile devices such as smartphones and tablet computers. A large number of companies are rapidly undertaking mobile BI owing to a large number of market pressures such as the need for higher efficiency in business processes, improvement in employee productivity (e.g. time spent looking for information), better and faster decision making, better customer service, and delivery of real-time bi-directional data access to make decisions anytime and anywhere.
It is a challenging task for the networking team to implement the OBIEE environment so the reports can be accessed from outside of the DMZ or by the general public in a secured fashion that would avoid external attacks because with this configuration the repository, the web-catalog and even the database may get exposed.
ORACLE’s suggestion for enterprise installations when deploying OBIEE 11g content outside the organization is to place an additional HTTP server, typically an Oracle HTTP Server (OHS), into the DMZ side firewall as it can be seen in the following graph.
Oracle HTTP Server is the Web server component for Oracle Fusion Middleware. It provides a HTTP listener for Oracle WebLogic Server and the framework for hosting static pages, dynamic pages, and applications over the Web. Oracle HTTP Server 11 g is based on Apache 2.2 infrastructure, and includes all base Apache modules and modules developed specifically by Oracle.
How the new environment works
– Install Oracle Fusion Middleware Web Tier (Oracle HTTP Server) on DMZ Server to redirect traffic from default port 4443 if Secure Socket Layer (SSL) is enabled (default port 7777 if SSL is not enabled) to 9704 port which is the default used by the OBIEE reporting services.
– Even if the Oracle HTTP Server is then compromised (hacked) it doesn’t provide access to the repository, the web-catalog, the data, etc.
– For an even more secured environment SSL can be enabled between the DMZ and the LAN, but then SSL may become a bottleneck and slow down traffic.
– This environment configuration will enable the access for general browsers from the WWW to the company’s reports and dashboards.
High level OHS Web Tier configuration details
– Download and install Oracle Web Tier OHS software
– Configure mod_wl_ohs.conf file on OHS Web Tier to point to internal BI server (analytics virtual host usually on port 9704). This file can be edited manually or in a graphical fashion from the Fusion Middleware Control.
– In order to secure the environment with SSL and to avoid the annoying “not trusted server” messages from the browsers we need to import a server certificate for the OHS Web Tier
- Create Wallet
- Create Certificate Request
- Submit to a Signing Authority
- Import server certificate and root certificate from the Signing Authority
– Update SSL configuration so OHS Web Tier listens on 4443 (not listen on port 7777)
– Open port 4443 (SSL port ) on DMZ Firewall and port 9704 on Internal Firewall
– Verify access from web browser using an IP from outside the company’s network (URL would be https://OHSWebTierHost:4443/analytics)
– Configure your mobile BI device http://docs.oracle.com/cd/E21764_01/bi.1111/e10544/bimobile.htm
Mobile BI will significantly expand the population of BI users and the decision makers from your company will want to use mobile devices to access corporate BI data from any place. Now you need to ensure that the current BI environment supports these demands without forgetting terms such as performance and security, an Oracle HTTP Server Web Tier installed within the DMZ firewall will help you to achieve the best results.