How To Change Cipher-suites Used By OBIEE 12c Nqscheduler

(Doc ID 2340560.1)

Last updated on APRIL 26, 2018

Applies to:

Business Intelligence Server Enterprise Edition - Version 12.2.1.2.0 and later
Information in this document applies to any platform.

Goal

A security scan on the OBIEE 12c server comes back with "SSL Medium Strength Cipher Suites Supported" for port 8012, which maps to the "/opt/oracle/obiee/12.2.1.2/binaries/bi/bifoundation/server/bin/nqscheduler" process.

These are the cipher suites currently supported by nqscheduler, most of which may not be allowed in the company:


$ java -jar /home/admin/pkgs/oracle/weblogic/utils/TestSSL/TestSSLServer.jar  <servername.domaine>  8012
Supported versions: TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_RC4_128_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

...

And the ssl.sh report shows the following:

$ /data/obiee/weblogic/fmw/domains/taspo_cert_obiee/bitools/bin/ssl.sh report
Logging to: /data/obiee/weblogic/12.2.1.2/domains/taspo_cert_obiee/bilogs/sslcommand.log

Internal SSL enabled
Client verification disabled (One way SSL)
Using all available default ciphers
Type: OBICCS
Scanning endpoint OBICCS.obiccs1 tcp(s)://<servername.domaine>:8009(8009)/ - System Component
Type: OBIJH
Scanning endpoint OBIJH.obijh1 tcp(s)://<servername.domaine>:8011(8011)/ - System Component
Type: OBIPS
Scanning endpoint OBIPS.obips1 tcp(s)://<servername.domaine>:8008(8008)/ - System Component
Type: OBIS
Scanning endpoint OBIS.obis1 tcp(s)://<servername.domaine>:8015(8015)/ - System Component
Type: OBISCH
Scanning endpoint OBISCH.obisch1 tcp(s)://<servername.domaine>:8012(8012)/ - System Component
Type: BI-SECURITY-SOAP
Scanning endpoint BI-SECURITY-SOAP.bi_server1 https://<servername.domaine>:8006/bi-security/service - custom channel bi_internal_channel1

Summary: Out of 6 endpoints 6 succeeded, and 0 failed.

Ping successes (6):
Target: obiccs1:OBICCS @ <servername.domaine>:8009
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_RSA_WITH_AES_256_CBC_SHA256. One way SSL.
Openssl client: SSL ping OK.
Target: obijh1:OBIJH @ <servername.domaine>:8011
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. One way SSL.
Openssl client: SSL ping OK.
Target: obips1:OBIPS @ <servername.domaine>:8008
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_RSA_WITH_AES_256_CBC_SHA256. One way SSL.
Openssl client: SSL ping OK.
Target: obis1:OBIS @ <servername.domaine>:8015
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_RSA_WITH_AES_256_CBC_SHA256. One way SSL.
Openssl client: SSL ping OK.
Target: obisch1:OBISCH @ <servername.domaine>:8012
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_RSA_WITH_AES_256_CBC_SHA256. One way SSL.
Openssl client: SSL ping OK.
Target: bi_server1:BI-SECURITY-SOAP @ <servername.domaine>:8006
Java client: SSL ping OK.
Protocol: TLSv1.2. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. One way SSL.
Openssl client: SSL ping OK.

The cipher "TLS_RSA_WITH_AES_256_CBC_SHA256" is supported along with the other ones listed above. However, according to the company's policy, MD5, DHE, RC4, and any cipher of less than 256 cannot be used, so the issue is preventing port 8012 (nqscheduler) from still supporting those ciphers.
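As an added example (not part of the Oracle document), this Python check applies the policy stated above to the suite list the scan returned for port 8012, so the same audit can be repeated after any configuration change. It assumes "less than 256" means a symmetric key under 256 bits and that "DHE" means the finite-field DHE key exchange rather than ECDHE; the function names are hypothetical.

```python
import re

# Constructed sample: the suite list copied from the TestSSLServer output above.
SCAN_OUTPUT = """\
Supported versions: TLSv1.2
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_RC4_128_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
"""

# Nominal key sizes for ciphers whose suite name carries no bit length.
IMPLICIT_BITS = {"3DES": 168, "SEED": 128}
SUITE_RE = re.compile(r"(TLS_)?[A-Z0-9_]+_WITH_[A-Z0-9_]+")

def parse_suites(text):
    """Return suite names from scanner output, normalised to the TLS_ prefix."""
    names = (line.strip() for line in text.splitlines())
    return [n if n.startswith("TLS_") else "TLS_" + n
            for n in names if SUITE_RE.fullmatch(n)]

def violations(suite):
    """Return the policy rules a suite breaks (empty list means compliant)."""
    kex, rest = suite[len("TLS_"):].split("_WITH_")
    tokens = rest.split("_")
    cipher, mac = tokens[0], tokens[-1]  # last token is the MAC or PRF hash
    bits = next((int(t) for t in tokens[1:] if t.isdigit()), IMPLICIT_BITS.get(cipher))
    rules = {
        "MD5": mac == "MD5",
        "DHE": "DHE" in kex.split("_"),         # assumption: ECDHE is not matched
        "RC4": cipher == "RC4",
        "key<256": bits is None or bits < 256,  # unknown key size fails closed
    }
    return [rule for rule, broken in rules.items() if broken]

def audit(text):
    return {suite: violations(suite) for suite in parse_suites(text)}

if __name__ == "__main__":
    for suite, broken in audit(SCAN_OUTPUT).items():
        print("FAIL" if broken else "ok  ", suite, ",".join(broken))
```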

How can the cipher suites for nqscheduler be changed?
 

Solution
