Oracle Analytics Cloud and Server


OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

user11970052
user11970052 Rank 1 - Community Starter

Hi,

I'm using OBIEE 11.1.1.6 and I want to access it from the Internet using the HTTPS protocol (using a self-signed certificate for DEV and a CA-signed certificate for PROD).

For Test, we have created a self-signed cert by issuing the following commands:

1: keytool -genkey -alias parex_cert -keyalg RSA -keysize 1024 -validity 1020 -keypass parexcert -keystore identity.jks -storepass parexcert

Answers: CN=****, OU=*****, O=*************, L=********************, ST=*************, C=****

2: keytool -export -alias parex_cert -file root.cer -keystore identity.jks -storepass parexcert

3: keytool -import -alias parex_cert -file root.cer -keystore trust.jks -storepass parexcert


We configured the bi_server domain to listen on HTTPS (port 443), and the identity store and trust store are correctly used. If we try to access it with Chrome, we get an error (ERR_SSL_PROTOCOL_ERROR) and can't do anything.

The same happens with Firefox (it gives us the error ssl_error_no_cypher_overlap), but if we go to "about:config" in Firefox, query "security.tls.insecure_fallback_hosts" and set the "ceresm3" parameter, then we do get the certificate warning and can continue.


Having said that, we would like to know what we must do to avoid configuring that parameter in Firefox, and (why we can't or) how we can access it with Chrome.

Any recommendation? Is this problem related to self-signed certificates? Would it happen again in PROD if I use a CA-signed certificate?

Answers

  • handat
    handat Rank 5 - Community Champion

    It's because browsers have stricter security these days and specifically disable SSLv3 support in favour of TLS1.1+.

    The 11.1.1.6 version of Oracle products only do SSLv3 and TLS1.0, thus the browsers will refuse to handshake with them unless you do hacks like the one you have done.

    The 11.1.1.9 version of Oracle products support TLS1.1+, so if possible/available upgrade to that version. There are also some security patches on top of 11.1.1.7 for some products that will allow TLS1.1+.

    You should also use a keysize of 2048 instead of 1024.
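A client-side way to confirm the protocol mismatch handat describes, as an added example that is not from this thread: the Python script below pins one handshake to each SSL/TLS version in turn and reports which ones the server accepts, then states whether any overlap with a current browser remains. Host and port are command-line arguments; certificate trust is deliberately not checked because the question is protocol overlap, not the self-signed cert; the set of versions treated as browser-acceptable is an assumption about current Chrome/Firefox builds.

```python
import socket
import ssl
import sys

# Protocol versions to try, oldest first.
VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2,
            "TLSv1.3": ssl.TLSVersion.TLSv1_3}
# Assumption: versions that current Chrome/Firefox builds will still negotiate.
BROWSER_OK = {"TLSv1.2", "TLSv1.3"}

def probe_version(host, port, name, timeout=5.0):
    """Pin one handshake to a single version; (True, cipher) or (False, reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Trust is not the question here (the cert may be self-signed), only whether
    # the server will speak this version at all.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let local OpenSSL offer legacy suites
    except (ValueError, ssl.SSLError) as exc:
        return False, f"local OpenSSL cannot offer {name}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

def diagnose(results):
    """results maps version name -> accepted (bool); returns a one-line verdict."""
    accepted = sorted(v for v, ok in results.items() if ok)
    if not accepted:
        return "no handshake succeeded at any version; check the listener and port"
    modern = sorted(set(accepted) & BROWSER_OK)
    if modern:
        return "server negotiates " + ", ".join(modern) + "; browsers should connect"
    return ("server only offers " + ", ".join(accepted) + "; modern browsers refuse "
            "these (ERR_SSL_PROTOCOL_ERROR / ssl_error_no_cypher_overlap)")

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = {}
    for name in VERSIONS:
        outcome[name], detail = probe_version(host, port, name)
        print(f"{name:8} {'accepted' if outcome[name] else 'refused'} {detail}")
    print(diagnose(outcome))
```

Run it against the internal OBIEE listener and again against the reverse proxy: a server that only accepts SSLv3 and TLSv1.0 reproduces the browser errors in the question regardless of whether the certificate is self-signed or CA-signed.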

  • user11970052
    user11970052 Rank 1 - Community Starter

    Thanks handat,

    And one last question. We use a reverse proxy in front of the OBIEE server in order to redirect external requests.

    Now I want to buy a digital certificate from Thawte. There is this question:

    Website URL to secure:

    Do I have to write the URL published to the Internet on the reverse proxy, or the internal URL of the OBIEE server?

  • handat
    handat Rank 5 - Community Champion

    The external internet facing one.

  • user11970052
    user11970052 Rank 1 - Community Starter

    When creating a certificate pair using keytool, I was asked this question:

    keytool -genkey -alias parex_cert -keyalg RSA -keysize 1024 -validity 1020 -keypass parexcert -keystore identity.jks -storepass parexcert

    What is your first and last name?

    and I wrote the fully qualified name of the OBIEE server. So... should I also write the name published on the Internet instead of the OBIEE server?