ODI’s Guide to Configuring HTTPS with Collocated Agents
This article is a step-by-step guide to configuring HTTPS on an existing ODI collocated agent.
In my case, I have an ODI Marketplace with repositories on ADW. The collocated agent is running on a local machine. All configurations will be made on this machine.
There are two ways to configure the collocated agent for HTTPS. Option 1 reuses the demo SSL certificates shipped with the ODI installation. Option 2 creates your own SSL certificates.
Prerequisites
- An ODI collocated agent installed and running over HTTP
Option 1 — Using existing certificates
To use the default certificates, refer to the documentation for the required passwords:
“The keyStore, key, and trustStore passwords are DemoIdentityKeyStorePassPhrase, DemoIdentityPassPhrase, and DemoTrustKeyStorePassPhrase respectively. However, the keyStore and key passwords must be DemoIdentityKeyStorePassPhrase.”
Let’s start by removing the existing SSL certificate stored under the demoidentity alias.
[opc@odi-agent ~]$ keytool -delete -alias demoidentity -keystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentity.jks
Enter keystore password: DemoIdentityKeyStorePassPhrase
#Generate a key for the agent using the Keytool utility.
[opc@odi-agent ~]$ keytool -genkey -alias demoidentity -keyalg RSA -keystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentity.jks
Enter keystore password:
What is your first and last name?
[Unknown]: <FQDN of your instance>
What is the name of your organizational unit?
[Unknown]: ODI
What is the name of your organization?
[Unknown]: Oracle
What is the name of your City or Locality?
[Unknown]: London
What is the name of your State or Province?
[Unknown]: London
What is the two-letter country code for this unit?
[Unknown]: UK
Is CN=odi-<FQDN of your instance>, OU=ODI, O=Oracle, L=London, ST=London, C=UK correct?
[no]: yes
#Export the certificate (public part only) from the identity keystore
[opc@odi-agent ~]$ keytool -export -alias demoidentity -keystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentity.jks -rfc -file public.cert
Enter keystore password: DemoIdentityKeyStorePassPhrase
Certificate stored in file <public.cert>
#Import the certificate into the client truststore (its password is DemoTrustKeyStorePassPhrase, per the documentation quoted above)
[opc@odi-agent ~]$ keytool -import -alias demoidentity -file public.cert -storetype JKS -keystore /u02/app/oracle/product/12.2.1.4/odi_1/wlserver/server/lib/DemoTrust.jks
Enter keystore password: DemoTrustKeyStorePassPhrase
Owner: CN=<FQDN of your instance>, OU=ODI, O=Oracle, L=London, ST=London, C=UK
Issuer: CN=<FQDN of your instance>, OU=ODI, O=Oracle, L=London, ST=London, C=UK
Serial number: 3e912e54
Valid from: Sat Sep 02 14:46:16 GMT 2023 until: Fri Dec 01 14:46:16 GMT 2023
....
....
....
Trust this certificate? [no]: yes
Certificate was added to keystore
Encode the passwords with encode.sh. The keystore and key passwords are the same (DemoIdentityKeyStorePassPhrase), so two runs cover all three values:
#Encode password
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/bin/
#Encoding the keystore and key password
[opc@odi-agent bin]$ ./encode.sh -INSTANCE=OracleDIAgent
2023-09-02 15:01:24.898 NOTIFICATION Created OdiInstance instance id=1
Enter password to encode: DemoIdentityKeyStorePassPhrase
<encoded password output>
#Encoding the truststore password
[opc@odi-agent bin]$ ./encode.sh -INSTANCE=OracleDIAgent
2023-09-02 15:01:24.898 NOTIFICATION Created OdiInstance instance id=1
Enter password to encode: DemoTrustKeyStorePassPhrase
<encoded password output>
Edit instance.properties and set the encoded passwords:
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/config/fmwconfig/components/ODI/OracleDIAgent
vi instance.properties
#update these 3 variables
ODI_KEYSTORE_ENCODED_PASS=<KeyStore encrypted>
ODI_KEY_ENCODED_PASS=<KeyStore encrypted>
ODI_TRUST_STORE_ENCODED_PASS=<Truststore encrypted>
Edit the file instance.sh and point the agent JVM at the keystore and truststore:
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/config/fmwconfig/components/ODI/OracleDIAgent/bin/
vi instance.sh
#edit ODI_INSTANCE_JAVA_OPTIONS variable
ODI_INSTANCE_JAVA_OPTIONS="
-Djavax.net.ssl.keyStore=/u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentity.jks
-Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStore=/u02/app/oracle/product/12.2.1.4/odi_1/wlserver/server/lib/DemoTrust.jks
-Djavax.net.ssl.trustStoreType=JKS $ODI_ADDITIONAL_JAVA_OPTIONS"
Upload DemoTrust.jks to the ODI Marketplace instance and edit the odi.conf file so that ODI Studio trusts the agent certificate:
cd /u01/oracle/mwh/odi/studio/bin
vi odi.conf
#the truststore file must first be uploaded to the Marketplace instance
AddVMOption -Djavax.net.ssl.trustStore=/home/oracle/Desktop/certificates_agent/DemoTrust.jks
AddVMOption -Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
In ODI Studio, edit the agent definition: change the protocol to HTTPS and set the host to the FQDN.
Then go to the machine where the agent is running, stop it, and start it again with the HTTPS protocol:
./agentstop.sh -NAME=OracleDIAgent
nohup ./agent.sh -NAME=OracleDIAgent -PORT=20911 -PROTOCOL=HTTPS &
Option 2 — Using your own certificates
Option 2 is similar to Option 1; the main difference is that it does not use the demoidentity certificates.
Generate a self-signed certificate:
#Generate certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks -storepass oracle -validity 360 -keysize 2048
What is your first and last name?
[Unknown]: <FQDN of your instance>
What is the name of your organizational unit?
[Unknown]: ORCL
What is the name of your organization?
[Unknown]: Oracle
What is the name of your City or Locality?
[Unknown]: London
What is the name of your State or Province?
[Unknown]: London
What is the two-letter country code for this unit?
[Unknown]: UK
Is ...
[no]: yes
Enter key password for <selfsigned>
(RETURN if same as keystore password): <password>
Re-enter new password: <password>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks -destkeystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks -deststoretype pkcs12".
#Export the certificate
keytool -export -alias selfsigned -storepass <password> -file server.cer -keystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks
Certificate stored in file <server.cer>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks -destkeystore /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks -deststoretype pkcs12".
#Import the certificate into a new client truststore
keytool -import -v -trustcacerts -alias selfsigned -file server.cer -keystore /u02/app/oracle/product/12.2.1.4/odi_1/wlserver/server/lib/DemoTrustNew.jks -keypass <keypass> -storepass <password>
Verify that the two files have been created:
[ODI_HOME]/user_projects/domains/<DOMAIN NAME>/security/DemoIdentityNew.jks
[ODI_HOME]/wlserver/server/lib/DemoTrustNew.jks
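The keytool steps from Option 1 and Option 2 above, collected into one non-interactive script as an added example (this is not code from the article): it creates the identity keystore and the client truststore, then performs the check worth doing before editing instance.sh, namely that the truststore entry is the same certificate as the agent's key entry (compared by fingerprint) and that the certificate names the FQDN that ODI Studio will connect to. Keystore paths, the FQDN and the password are parameters (the demo uses constructed values); the SAN extension and the `check_live_agent` openssl check are additions beyond the article.

```shell
#!/bin/sh
# Added example (not from the article): Option 2's keytool steps as one
# non-interactive script, plus the checks worth running before editing
# instance.sh. Keystore paths, FQDN and password are parameters; the
# article's values are .../security/DemoIdentityNew.jks and
# .../wlserver/server/lib/DemoTrustNew.jks. The SAN extension is an
# addition: Java hostname verification prefers it over the CN when present.
set -eu

# Create the agent identity keystore (private key + self-signed certificate),
# export the certificate, and import it into a client truststore.
make_agent_keystores() {
  identity=$1 trust=$2 fqdn=$3 pass=$4
  cer=${identity%.jks}.cer
  keytool -genkeypair -alias selfsigned -keyalg RSA -keysize 2048 -validity 360 \
    -dname "CN=$fqdn, OU=ORCL, O=Oracle, L=London, ST=London, C=UK" \
    -ext "SAN=dns:$fqdn" \
    -keystore "$identity" -storetype JKS -storepass "$pass" -keypass "$pass"
  keytool -exportcert -alias selfsigned -rfc -file "$cer" \
    -keystore "$identity" -storepass "$pass"
  keytool -importcert -noprompt -alias selfsigned -file "$cer" \
    -keystore "$trust" -storetype JKS -storepass "$pass"
}

# Certificate fingerprint of one alias, as printed by keytool -list
# ("SHA-256" on current JDKs, "SHA1" on JDK 8). Empty on any failure.
fingerprint_of() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/.*Certificate fingerprint ([^)]*): //p'
}

# Check that the truststore entry is the same certificate as the agent's key
# entry, and that the certificate names the host ODI Studio will connect to.
verify_agent_keystores() {
  identity=$1 trust=$2 fqdn=$3 pass=$4
  cer=${identity%.jks}.cer
  a=$(fingerprint_of "$identity" "$pass" selfsigned)
  b=$(fingerprint_of "$trust" "$pass" selfsigned)
  if [ -z "$a" ] || [ "$a" != "$b" ]; then
    echo "FAIL: fingerprint mismatch between $identity and $trust" >&2
    return 1
  fi
  if ! keytool -printcert -file "$cer" 2>/dev/null | grep -Fq "CN=$fqdn"; then
    echo "FAIL: certificate subject is not CN=$fqdn" >&2
    return 1
  fi
  echo "OK: $trust trusts the key in $identity for $fqdn"
}

# After the restart with -PROTOCOL=HTTPS: show what the agent actually presents.
# Needs a running agent, so the demo below does not call it.
check_live_agent() {
  openssl s_client -connect "$1:${2:-20911}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates -fingerprint -sha256
}

# Stand-alone demo in a scratch directory with a constructed FQDN and password.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_agent_keystores "$d/DemoIdentityNew.jks" "$d/DemoTrustNew.jks" odi-agent.example.com changeit
  verify_agent_keystores "$d/DemoIdentityNew.jks" "$d/DemoTrustNew.jks" odi-agent.example.com changeit
fi
```

Run it as `sh make_agent_keystores.sh demo` to see both functions against scratch files, or call the functions with the article's real paths; the fingerprint comparison is the fastest way to rule out the classic mistake of importing a stale server.cer into the truststore after regenerating the key.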
#Encode the password (here the same password is used for the keystore, key and truststore, so one run is enough)
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/bin/
./encode.sh -INSTANCE=OracleDIAgent oracle
[main] INFO org.apache.sshd.common.io.DefaultIoServiceFactoryFactory - No detected/configured IoServiceFactoryFactory using Nio2ServiceFactoryFactory
2023-09-15 12:31:56.043 NOTIFICATION New data source: [DEV_ODI_REPO/*******@jdbc:oracle:thin:....
2023-09-15 12:32:02.563 WARNING odi.core.security.SecurityManager.loadAuthenticationMode found the authMode:mUsingLDAPAuthentication: false,mUsingIDCSAuthentication:false,indExternalAuth:null.
2023-09-15 12:32:02.563 NOTIFICATION Created OdiInstance instance id=1
<password encrypted>
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/config/fmwconfig/components/ODI/OracleDIAgent
vi instance.properties
#update these 3 variables
ODI_KEYSTORE_ENCODED_PASS=<password encrypted>
ODI_KEY_ENCODED_PASS=<password encrypted>
ODI_TRUST_STORE_ENCODED_PASS=<password encrypted>
cd /u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/config/fmwconfig/components/ODI/OracleDIAgent/bin/
vi instance.sh
#edit ODI_INSTANCE_JAVA_OPTIONS variable
ODI_INSTANCE_JAVA_OPTIONS="
-Djavax.net.ssl.keyStore=/u02/app/oracle/product/12.2.1.4/odi_1/user_projects/domains/odi1/security/DemoIdentityNew.jks
-Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStore=/u02/app/oracle/product/12.2.1.4/odi_1/wlserver/server/lib/DemoTrustNew.jks
-Djavax.net.ssl.trustStoreType=JKS $ODI_ADDITIONAL_JAVA_OPTIONS"
Copy the file /u02/app/oracle/product/12.2.1.4/odi_1/wlserver/server/lib/DemoTrustNew.jks to the ODI Marketplace instance, into the directory /u01/oracle/mwh/odi/studio/bin
Edit the file odi.conf:
#add these 2 lines:
AddVMOption -Djavax.net.ssl.trustStore=/u01/oracle/mwh/odi/studio/bin/DemoTrustNew.jks
AddVMOption -Djavax.net.ssl.trustStorePassword=<password>
#stop agent
./agentstop.sh -NAME=OracleDIAgent
#edit agent in ODI studio and change the protocol to HTTPS and put the FQDN in Host
#start agent
nohup ./agent.sh -NAME=OracleDIAgent -PORT=20911 -PROTOCOL=HTTPS &
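A pre-flight check for the instance.properties and instance.sh edits described in both options, as an added example (not code from the article or from ODI): it reads the three encoded password properties, refuses `<...>` placeholders left behind after copy-paste, and confirms that the keystore and truststore named in ODI_INSTANCE_JAVA_OPTIONS exist and match their declared store type. File locations are parameters; the sample files the demo writes are constructed stand-ins, and the encoded value it uses is not a real encode.sh output.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check of the two agent-side
# files edited above, to run before "agent.sh ... -PROTOCOL=HTTPS". File paths
# are parameters; the article's are
# .../components/ODI/OracleDIAgent/instance.properties and
# .../components/ODI/OracleDIAgent/bin/instance.sh.
set -eu

# Value of KEY=VALUE in a properties file (last definition wins).
prop() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Value of -Djavax.net.ssl.<name>=<value> anywhere in instance.sh, which may
# spread ODI_INSTANCE_JAVA_OPTIONS over several lines inside one quoted string.
jopt() { tr ' "' '\n\n' < "$1" | sed -n "s/^-Djavax\\.net\\.ssl\\.$2=//p" | tail -n 1; }

check_agent_tls_config() {
  props=$1 script=$2 rc=0
  # 1. The three encoded passwords exist and are no longer the <...> placeholders.
  for key in ODI_KEYSTORE_ENCODED_PASS ODI_KEY_ENCODED_PASS ODI_TRUST_STORE_ENCODED_PASS; do
    v=$(prop "$props" "$key")
    case "$v" in
      '')      echo "FAIL: $key is not set in $props"; rc=1 ;;
      '<'*'>') echo "FAIL: $key still holds the placeholder $v"; rc=1 ;;
    esac
  done
  # 2. Keystore and truststore paths in instance.sh exist and match their type.
  for name in keyStore trustStore; do
    path=$(jopt "$script" "$name")
    type=$(jopt "$script" "${name}Type")
    if [ -z "$path" ]; then
      echo "FAIL: -Djavax.net.ssl.$name is missing from $script"; rc=1; continue
    fi
    [ -r "$path" ] || { echo "FAIL: $name $path does not exist or is unreadable"; rc=1; }
    case "$path" in
      *.jks)       [ "$type" = JKS ]    || { echo "FAIL: $path is .jks but ${name}Type=$type"; rc=1; } ;;
      *.p12|*.pfx) [ "$type" = PKCS12 ] || { echo "FAIL: $path is PKCS12 but ${name}Type=$type"; rc=1; } ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK: $props and $script are consistent"
  return "$rc"
}

# Constructed sample files in the article's layout (the stores are empty stand-ins).
write_samples() {
  dir=$1 store_pass=$2 trust_pass=$3
  printf 'ODI_KEYSTORE_ENCODED_PASS=%s\nODI_KEY_ENCODED_PASS=%s\nODI_TRUST_STORE_ENCODED_PASS=%s\n' \
    "$store_pass" "$store_pass" "$trust_pass" > "$dir/instance.properties"
  : > "$dir/DemoIdentityNew.jks"
  : > "$dir/DemoTrustNew.jks"
  cat > "$dir/instance.sh" <<EOF
ODI_INSTANCE_JAVA_OPTIONS="
-Djavax.net.ssl.keyStore=$dir/DemoIdentityNew.jks
-Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStore=$dir/DemoTrustNew.jks
-Djavax.net.ssl.trustStoreType=JKS \$ODI_ADDITIONAL_JAVA_OPTIONS"
EOF
}

# Demo: first the files as left after copy-paste (placeholders), then filled in.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  write_samples "$d" '<password encrypted>' '<password encrypted>'
  check_agent_tls_config "$d/instance.properties" "$d/instance.sh" || true
  write_samples "$d" encodedExampleValue encodedExampleValue   # constructed, not a real encoding
  check_agent_tls_config "$d/instance.properties" "$d/instance.sh"
fi
```

On the agent host, `check_agent_tls_config /u02/.../OracleDIAgent/instance.properties /u02/.../OracleDIAgent/bin/instance.sh` (full paths as in the article) returns non-zero with a FAIL line per problem, which is cheaper than reading the agent log after a failed HTTPS start.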
I hope this helps. If you have any doubt, please reach out to me through LinkedIn or Medium.