4 Replies Latest reply on Jun 14, 2016 1:45 PM by user11970052

OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

user11970052 Jun 14, 2016 10:31 AM

Hi,

I'm using OBIEE 11.1.1.6 and I want to access from Internet using the HTTPS protocol (using a self-signed certificate for DEV and a CA-signed certificate for PROD).

For Test, we have created a self signed cert issuing following commands:

1: keytool -genkey -alias parex_cert -keyalg RSA -keysize 1024 -validity 1020 -keypass parexcert -keystore identity.jks -storepass parexcert

Answers: CN=****, OU=*****, O=*************, L=********************, ST=*************, C=****

2: keytool -export -alias parex_cert -file root.cer -keystore identity.jks -storepass parexcert

3: keytool -import -alias parex_cert -file root.cer -keystore trust.jks -storepass parexcert

We configured bi_server domain to listen on https (port 443) and identity store and trust store are correctly used. If we try to access with chrome, we get error (ERR_SSL_PROTOCOL_ERROR) and can't do anything.

So happens with firefox (it gives us the error: ssl_error_no_cypher_overlap) , but if we go to "about:config" on firefox and query "security.tls.insecure_fallback_hosts" and we set "ceresm3" parameter, then we do get the certificate warning and can continue forward.

Having said that, we would like to know what we must do to avoid to configure that parameter on firefox and (why we can't or) how we can access with chrome.

Any recommendation? Is this problem related to self-signeds certificates? Would it happen again in PROD if I use CA-signed certificate?

1. Re: OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

handat Jun 14, 2016 10:39 AM (in response to user11970052)

Its because browsers have stricter security these days and specifically disable SSLv3 support in favour of TLS1.1+
The 11.1.1.6 version of Oracle products only do SSLv3 and TLS1.0, thus the browsers will refuse to handshake with them unless you do hacks like the one you have done.
The 11.1.1.9 version of Oracle products support TLS1.1+, so if possible/available upgrade to that version. There are also some security patches on top of 11.1.1.7 for some products that will allow TLS1.1+.
You should also use a keysize of 2048 instead of 1024.
Like Show 0 Likes(0)

Actions
2. Re: OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

user11970052 Jun 14, 2016 1:33 PM (in response to user11970052)

Thanks handat,

And one last question. We use a reverse proxy in front of the OBIEE server, in order to redirect external requests.

Now , I want to buy a digicatil certificate from Thawte. There is this question:

Website URL to secure:

¿Do I have to write the URL published to Internet in the reverse proxy, or the internal URL of the OBIEE Server?
Like Show 0 Likes(0)

Actions
3. Re: OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

handat Jun 14, 2016 1:39 PM (in response to user11970052)

The external internet facing one.
Like Show 0 Likes(0)

Actions
4. Re: OBIEE and HTTPS err_ssl_protocol_error ssl_error_no_cypher_overlap

user11970052 Jun 14, 2016 1:45 PM (in response to handat)

in the moment to create a certficate pair using keytool, I was asked with this question:

keytool -genkey -alias parex_cert -keyalg RSA -keysize 1024 -validity 1020 -keypass parexcert -keystore identity.jks -storepass parexcert
What is your first and last name?

and I wrote the full qualified name of the OBIEE server. ¿So....Should I also write the name published on the Internet instead of the OBIEE Server?
Like Show 0 Likes(0)

Actions

Go to original post

Join the world’s largest interactive community dedicated to Oracle technologies.