Weblogic Heljula Security 123

Published by: hassanshoaib on Apr 15, 2013
Copyright: Attribution Non-commercial

OBIEE 11g Security – it's as easy as 1-2-3!

Antony Heljula, BI Architect (@aheljula)
© Peak Indicators Limited

Agenda

• Aim of Presentation
• 10g Security Model
• 11g Security Model
• What is Supported
• Identity Providers
• Groups
• GUIDs
• SSL
• Single Sign On (SSO)
• Important Files
• Migration
• Closing Thoughts

Aim of Presentation

• To explain the key concepts behind the Oracle BI 11g security model
• Clarify what is and what is not supported
• Demonstrate that it can achieve great results
• Explain why the 11g security model is better than 10g: you don't need the 10g security model any more!
• Discuss some advanced topics such as SSO, SSL and migration
• It is getting better... we can look forward to a brighter future!

10g Security Model

• "Catalog Groups" apply responsibilities for BI Presentation Services. They can be inherited from other "Catalog Groups" and also from BI Server "Groups".
• "Groups" apply responsibilities for the BI Server.

[Diagram: Corporate LDAP (USERS: ASMITH; GROUPS: Sales Manager) feeding BI Server Groups and BI Presentation Services Catalog Groups]
• ASMITH is a Sales Manager
• ASMITH gets data visibility for a Sales Manager (BI Server Group)
• ASMITH can see the Sales Manager dashboard (Catalog Group)
• ASMITH is granted some presentation privileges directly
• Additional LDAP "Groups" ("Answers Access", "Delivers Access") are applied directly to Presentation Services, relying on group inheritance within LDAP

Issues with 10g Security Model

• Not an easy model to explain!
• 10g didn't even directly support Groups in LDAP
• Reliance on the Corporate LDAP to manage application-only privileges, e.g. "Answers Access"

• If every application needed its own hierarchy of privileges, how complicated is your Corporate LDAP going to become? [Diagram: dozens of applications each adding their own GROUPS and USERS to the Corporate LDAP]

11g Security Model

The 11g Security Model

• Your Corporate LDAP just contains "corporate" Users and Groups (USERS: ASMITH; GROUPS: Sales Manager)
• A new layer of "Application Roles" defines the application-specific roles (Sales Manager, Answers Access, Delivers Access). The OBI Administrators maintain these.
• A Group can belong to multiple Application Roles, e.g. Sales Managers also have "Answers Access"
• But if you prefer, Application Roles can belong to other Application Roles, e.g. the "Sales Manager" Role also has the "Answers Access" Role
• Application Roles are used by both BI Presentation Services and BI Server
• You can also assign a User to an Application Role

Advantages
1) Greater control for the OBI Administrator
2) Corporate LDAP less complex
3) Simpler architecture
4) More flexibility
5) Greater consistency between OBIPS and OBIS

The 11g Security Model: Administration Points

1) WebLogic Console
   • Configure Identity Providers (discussed later)
   • Configure Users and Groups (Embedded LDAP)
2) FMW Control
   • Create new Application Roles
   • Assign Roles/Groups/Users to Application Roles
   • Menu option: Security > Application Roles
3) RPD
   • Within the RPD you can apply security rules to Application Roles: access to Subject Area contents; access to Connection Pools; data filters; query limits
4) Catalog and Manage Privileges
   • Within the Presentation layer you can use Application Roles for managing privileges and for object access permissions within the Catalog

The 11g Security Model: No More "Cryptotools"

• FMW Control comes with its own embedded "Credential Store": WebLogic Domain > bifoundation_domain > Security > Credentials
• In here are stored passwords for: BISystemUser; RPD passwords; any other credentials (e.g. for custom web services)

The 11g Security Model: Default Configuration

When you install Oracle BI 11g, you get the following mapping between Users, Groups and Roles:

  USERS                          GROUPS              ROLES             Capability
  BISystemUser (system account)  BIAdministrators    BIAdministrator   All functions
                                   member of
                                 BIAuthors           BIAuthor          Create new content
                                   member of
                                 BIConsumers         BIConsumer        Read-only

The 11g Security Model: Application Policies

• Each of the default Application Roles is allocated one or more "Application Policies". These Application Policies provide access to certain "Resources" within Oracle BI.
• The "BIAdministrator" role can: manage Repositories; manage Jobs; manage the Presentation Catalog; administer BI Server
• The policies for the "BIAdministrator" role provide access to the "Administration" screen
• The policies for the "BIAuthor" role provide access to the entire "New" menu to create new reporting objects
• NOTE: confusion still remains as to why these types of privilege are not on the "Manage Privileges" screen along with everything else

Frequently Asked Questions

• What Roles and Policies Should I Have?
• When Should I Use the WebLogic LDAP?
• Can I Have Multiple Identity Providers?
• Where Do I Get My Groups From?
• What are GUIDs?
• Do I Still Need SA System Subject Area?
• What Are The Important Files?
• How Do We Migrate Between Environments?
• What Happens During An Upgrade?
• Can I Still Use The 10g Security Model?
• How Do You Implement SSL?
• How Do You Implement SSO?
• What Do I Do When it All Goes Wrong?

What Roles and Policies Should I Have? Default Roles and Policies

• First of all, use the new default Application Roles to distinguish between your 3 main types of user:
  Administrators: BI Administrator Role
  Report Developers: BI Author Role
  Everyone Else: BI Consumer Role
• By default, all authenticated users will get the "BI Consumer" Role, so you only need to manage the allocation of the BI Author/Administrator Roles
• There is typically no need to alter the Application Policies that are assigned to each role
• The default policies provide a convenient way to restrict access to core Oracle BI system resources

What Roles and Policies Should I Have? Custom Roles

• You can then have your own custom Application Roles to manage access and privileges at a more granular level. For example:
  Sales Manager Role: access to the "Sales Manager" Dashboard
  HR Manager Role: access to the "HR Manager" Dashboards
  BI Answers Role: access to Answers
  BI Delivers Role: access to Delivers
• NOTE: in most cases, 1 LDAP Group will map to 1 Application Role

What Roles and Policies Should I Have? A Combination of Default/Custom Roles

[Diagram: LDAP GROUPS BIAdministrator, BIAuthor, BIConsumer and Sales Manager map to APPLICATION ROLES BIAdministrator, BIAuthor, BIConsumer, Sales Manager, Answers Access and Delivers Access, which are used by both BI Presentation Services and BI Server]
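The model on the slides above (Groups held in the identity store, nested Groups, Groups and Users mapped to Application Roles, Roles nested inside other Roles, and every authenticated user picking up BIConsumer) as a small resolver. This is an added example, not code from the presentation or from Oracle: the directory and policy-store contents are constructed sample data, the function names are this example's own, and `authenticated-role` stands for the implicit principal that the default BIConsumer role is mapped to.

```python
"""Effective Application Roles under the OBIEE 11g security model.

Added example (not from the presentation). It encodes the model the slides
describe so an administrator can answer "which roles does this user really
end up with?" and "who holds BIAdministrator?". All directory and policy-store
contents are constructed sample data.
"""
from collections import deque

# Implicit principal every logged-in user carries; the default BIConsumer
# role is mapped to it, which is why all authenticated users get BIConsumer.
AUTHENTICATED = "authenticated-role"

# Constructed identity store: user -> groups the user is a direct member of.
USER_GROUPS = {
    "weblogic": {"BIAdministrators"},
    "ASMITH": {"Sales Manager"},        # corporate LDAP group
    "BJONES": {"BIAuthor"},             # external "BIAuthor" group, e.g. from OID
    "guest": set(),
}

# Constructed group nesting, as installed by default:
# BIAdministrators is a member of BIAuthors, which is a member of BIConsumers.
GROUP_PARENTS = {
    "BIAdministrators": {"BIAuthors"},
    "BIAuthors": {"BIConsumers"},
}

# Constructed policy store (what FMW Control holds): Application Role ->
# the Groups and Users mapped to it. A Group may map to several Roles.
ROLE_MEMBERS = {
    "BIAdministrator": {"BIAdministrators"},
    "BIAuthor": {"BIAuthors", "BIAuthor"},     # WebLogic group and OID group both map
    "BIConsumer": {"BIConsumers", AUTHENTICATED},
    "Sales Manager": {"Sales Manager"},
    "Answers Access": {"Sales Manager"},       # Sales Managers also get Answers Access
    "HR Manager": {"BJONES"},                  # a User assigned directly to a Role
}

# Constructed role nesting: Application Role -> Roles it includes.
ROLE_GRANTS = {
    "Sales Manager": {"Delivers Access"},      # "Sales Manager" Role also has "Delivers Access"
}


def expand(seed, parents):
    """Transitive closure over a 'member of' map (groups-in-groups or
    roles-in-roles). Cycles are tolerated: each name is visited once."""
    seen, queue = set(), deque(seed)
    while queue:
        item = queue.popleft()
        if item in seen:
            continue
        seen.add(item)
        queue.extend(parents.get(item, ()))
    return seen


def effective_groups(user, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """All groups the user belongs to, directly or through nesting, plus the
    implicit authenticated principal."""
    if user not in user_groups:
        raise KeyError(f"unknown user {user!r}")
    return expand(user_groups[user] | {AUTHENTICATED}, group_parents)


def effective_roles(user, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS,
                    role_members=ROLE_MEMBERS, role_grants=ROLE_GRANTS):
    """Application Roles the user ends up with: roles mapped to any of the
    user's groups or to the user directly, then roles nested inside those."""
    principals = effective_groups(user, user_groups, group_parents) | {user}
    direct = {role for role, members in role_members.items() if members & principals}
    return expand(direct, role_grants)


def who_has_role(role, user_groups=USER_GROUPS):
    """Audit helper: every known user holding the given Application Role."""
    return sorted(u for u in user_groups if role in effective_roles(u, user_groups))


if __name__ == "__main__":
    for u in USER_GROUPS:
        print(f"{u:10} -> {sorted(effective_roles(u))}")
    print("BIAdministrator held by:", who_has_role("BIAdministrator"))
```

`who_has_role("BIAdministrator")` is the check worth scripting against a real export: because BIAdministrators is nested inside BIAuthors and BIConsumers, anyone who lands in that group silently holds all three default roles.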

When Should I Use the WebLogic LDAP?

• The Embedded WebLogic LDAP is relatively basic compared to the more "enterprise" LDAP solutions, e.g. OID, AD
• Oracle advise no more than 1,000 users
• Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only)
• All other users go in the Corporate LDAP

Can I Have Multiple Identity Providers?

• Yes. It is possible to add multiple other Identity Providers within the WebLogic console
• By default, there are two embedded WebLogic providers: DefaultAuthenticator (Embedded WebLogic LDAP) and DefaultIdentityAsserter
• It is possible though to add further "Identity Providers", e.g. OID

Can I Have Multiple Identity Providers? Support

• Multiple Identity Providers with either: Users and Groups in LDAP; Users and Groups in Database; Users in LDAP and Groups in Database (in 11.1.1.6, patch for 11.1.1.5)
• Identity Providers for Authentication (NOTE: not exhaustive): WebLogic LDAP; Active Directory; iPlanet; Oracle Internet Directory (OID); Oracle Virtual Directory (OVD); Novell (eDirectory 8.8); OpenLDAP; SQL; Tivoli Directory Server 6.2; SQL Group Lookup (new with 11.1.1.6, patch in 11.1.1.5)

Can I Have Multiple Identity Providers? Adding a New Provider

• Adding new Identity Providers is straightforward via the "New" button (the supported providers were highlighted on the slide; not exhaustive)
• You can reorder the list of providers so that authentication is performed in a different order, e.g. OID then WebLogic LDAP

Can I Have Multiple Identity Providers? BISQLGroupProvider

• It is a common situation with Oracle BI Apps where you have: Users to be authenticated in a Corporate LDAP; Groups to be obtained from the source OLTP (e.g. EBS)
• The 11g security model now supports this type of arrangement
• A new provider "BISQLGroupProvider" is available to obtain Groups from a database: available in 11.1.1.6 (with some configuration); available in 11.1.1.5 (patch 11667221)
• To configure, see Oracle Support article 1428008.1 to obtain the TechNote: TechNote_LDAP_Auth_DB_Groups_V3.pdf

Can I Have Multiple Identity Providers? Virtualize=True

• When you have multiple Identity Providers you should set the "virtualize = true" custom property within FMW Control: bifoundation_domain > Security > Security Provider Configuration
• Without this setting: only the first identity provider listed will be used by OBI; you won't be able to log in if the AdminServer dies
• NOTE: if you cannot get the setting to work, try restarting the Managed Server and OPMN processes via FMW Control rather than the command line

Can I Have Multiple Identity Providers? Managing "BISystemUser"

• When you implement an additional identity provider, the Oracle BI documentation suggests migrating the BISystemUser to your external LDAP provider
• But what happens if the Corporate LDAP becomes unavailable? The BISystemUser account, which the BI system components use to authenticate to each other, can no longer be authenticated either
• It is better to keep the BISystemUser account in the WebLogic LDAP store: you can still start up and use Oracle BI even when the Corporate LDAP is unavailable (NOTE: need to set virtualize=true)

Where Do I Get My Groups From? Multiple Identity Providers

• When you have multiple identity providers, the Groups for each user will be obtained from the same provider that they authenticated against. For example: a WebLogic user will obtain Groups from "DefaultAuthenticator"; corporate end users will obtain their Groups from "OracleInternetDirectory", as this is where they are authenticated

Where Do I Get My Groups From? BISQLGroupProvider

• A "BI SQL Group Lookup" identity provider is always assigned to a single LDAP provider
• The Groups will only come from the BI SQL Group Lookup provider; any Groups in the LDAP store are ignored
• In this example, any user authenticating using "OracleInternetDirectory" will obtain their Groups from the "BISQLGroupProvider". Any Groups assigned to the user in OID will be ignored.

Where Do I Get My Groups From? WebLogic Console

• If you are using the WebLogic LDAP as an authenticator then you will need to maintain your "Groups" in this store
• But Groups from other identity providers (e.g. OID) will be automatically integrated (the slide shows an external Group from OID listed in the WebLogic Console); you don't need to create them manually

Where Do I Get My Groups From? FMW Control

• Your internal and external Groups are immediately available to be assigned to Application Roles: the "BIAuthor" Role will be assigned to users belonging to the corresponding "BIAuthor" groups in both WebLogic LDAP and OID

What are GUIDs?

• In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names
• GUIDs are identifiers that are completely unique for a given user
• Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata is uniquely secured for a specific user, independent of the user name

What are GUIDs? Example Scenario

1) User "ASMITH" has been given access to the "Administration" screen within the Oracle BI front-end
2) User "ASMITH" leaves the company and is removed from the Corporate LDAP
3) A few months later, a new "ASMITH" joins the company
4) Can the new "ASMITH" log on to Oracle BI and get Administration privileges?
5) The answer is NO! Because the new "ASMITH" user (GUID 5678) has a different GUID to the original ASMITH (GUID 1234)

What are GUIDs? The Outcome

• In fact, the new "ASMITH" won't be able to log on at all!
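The ASMITH scenario and its outcome as an added example (not code from the presentation or from Oracle): a catalog whose grants are keyed by GUID, a pre-flight check that lists the name/GUID conflicts that will block logins after a provider swap or a catalog copy, and a model of what the "refresh GUIDs" procedure on the following slides does to those grants. The records, field names and function names are this example's own.

```python
"""Name versus GUID identity in the OBIEE 11g Presentation Catalog.

Added example (not from the presentation). Catalog grants are keyed by GUID,
so a re-created "ASMITH" with a new GUID does not inherit the old grants, and
while the stale catalog record remains, the name clash blocks the login.
All records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    guid: str


# Constructed: what the identity store (corporate LDAP) reports today.
IDENTITY_STORE = [
    Account("ASMITH", "5678"),   # the new hire, re-using a departed user's name
    Account("BJONES", "2222"),
]

# Constructed: account records cached in the Presentation Catalog.
CATALOG_ACCOUNTS = [
    Account("ASMITH", "1234"),   # the original ASMITH, who has since left
    Account("BJONES", "2222"),
    Account("CWHITE", "3333"),   # deleted from the identity store, still cached
]

# Constructed: privileges, keyed by GUID rather than by name, as 11g does.
GRANTS = {"1234": {"Access to Administration"}}


def find_by_name(accounts, name):
    return next((a for a in accounts if a.name == name), None)


def login_outcome(name, identity=IDENTITY_STORE, catalog=CATALOG_ACCOUNTS, grants=GRANTS):
    """Return (status, privileges) for a login attempt by user name."""
    current = find_by_name(identity, name)
    if current is None:
        return "unknown-user", set()
    cached = find_by_name(catalog, name)
    if cached is not None and cached.guid != current.guid:
        # Same name, different GUID: the slides' "won't be able to log on at all".
        return "guid-mismatch", set()
    return "ok", grants.get(current.guid, set())


def find_guid_conflicts(identity=IDENTITY_STORE, catalog=CATALOG_ACCOUNTS):
    """Catalog accounts that will fail to log in (name present with another
    GUID) or are orphaned (name no longer in the identity store)."""
    live = {a.name: a.guid for a in identity}
    return {
        "mismatched": sorted(a.name for a in catalog if a.name in live and live[a.name] != a.guid),
        "orphaned": sorted(a.name for a in catalog if a.name not in live),
    }


def refresh_guids(identity=IDENTITY_STORE, catalog=CATALOG_ACCOUNTS, grants=GRANTS):
    """Model of the refresh procedure: re-bind cached accounts to the identity
    store *by name* and move their grants to the new GUID.

    This is why the refresh settings must be reverted afterwards: while they
    are active, whoever currently owns a name inherits that name's grants.
    """
    live = {a.name: a.guid for a in identity}
    new_catalog, new_grants = [], {g: set(p) for g, p in grants.items()}
    for acct in catalog:
        if acct.name in live and live[acct.name] != acct.guid:
            moved = new_grants.pop(acct.guid, set())
            new_grants[live[acct.name]] = new_grants.get(live[acct.name], set()) | moved
            acct = Account(acct.name, live[acct.name])
        new_catalog.append(acct)
    return new_catalog, new_grants


if __name__ == "__main__":
    print("before refresh:", login_outcome("ASMITH"), find_guid_conflicts())
    cat, gr = refresh_guids()
    print("after refresh: ", login_outcome("ASMITH", catalog=cat, grants=gr))
```

Run `find_guid_conflicts()` against an export of the catalog accounts before a migration: every name in `mismatched` is a user who will be locked out, and also a user who would silently inherit someone else's privileges if you refresh GUIDs instead of deleting the stale account.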

What are GUIDs? Refreshing GUIDs

• The GUID feature is there to help secure your OBI environments, especially production
• There may however be times when GUIDs become out of sync and you cannot log in as certain users: migrating from WebLogic Embedded LDAP to an alternative identity provider; deleting users and then recreating them; migrating the "Production" Presentation Catalog / RPD to the "Development" environment
• In order to work around this, you can either: delete the offending users from the Presentation Catalog and log in again; or refresh GUIDs (explained overleaf)

What are GUIDs? Regenerating GUIDs: Step 1 / 4

• Open up the NQSConfig.ini file for editing: [OBI Home]/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini
• Set the following parameter within the [SERVER] section: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
• Save the file

What are GUIDs? Regenerating GUIDs: Step 2 / 4

• Open up the instanceconfig.xml file for editing: [OBI Home]/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml
• Add an "UpdateAccountGUIDs" entry to the <Catalog> section as follows:

  <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
    <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
    <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
  </ps:Catalog>

• Save the file

What are GUIDs? Regenerating GUIDs: Step 3 / 4

• Restart the Oracle BI system components:
  $ORACLE_BASE/instances/instance1/bin/opmnctl stopall
  $ORACLE_BASE/instances/instance1/bin/opmnctl startall

What are GUIDs? Regenerating GUIDs: Step 4 / 4

• To ensure your system is secure once again you must revert the configuration changes! While the refresh settings are active, users and roles are re-matched by name and their stored GUIDs replaced, so the protection described in the ASMITH scenario is suspended.
  NQSConfig.ini: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
  instanceconfig.xml: remove the entry for <ps:UpdateAccountGUIDs>
  Restart processes: opmnctl stopall / startall
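The four steps as an added script (not the presentation's or Oracle's code) that performs the file edits of steps 1, 2 and 4 on the contents of NQSConfig.ini and instanceconfig.xml, and adds the check a practitioner wants after step 4: an audit that neither file is still in its refresh state. The restart in step 3 is left to opmnctl. The sample file contents are constructed in the shape of the two files, and the function names are this example's own.

```python
"""Arm, disarm and audit the two GUID-refresh settings.

Added example (not from the presentation). A BI Server left with
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES keeps re-binding accounts by name on
every login, so guid_refresh_armed() is the check to run after step 4.
The sample file contents are constructed.
"""
import re
import shutil
import sys

GUID_PARAM = "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS"
REFRESH_ENTRY = "<ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>"

_PARAM_RE = re.compile(rf"^(\s*{GUID_PARAM}\s*=\s*)(YES|NO)\s*;", re.IGNORECASE | re.MULTILINE)
_SERVER_SECTION_RE = re.compile(r"^\[\s*SERVER\s*\][ \t]*$", re.IGNORECASE | re.MULTILINE)
_ENTRY_RE = re.compile(r"[ \t]*<ps:UpdateAccountGUIDs>.*?</ps:UpdateAccountGUIDs>[ \t]*\n?", re.DOTALL)
_CATALOG_OPEN_RE = re.compile(r"<ps:Catalog\b[^>]*>[ \t]*\n?")

# Constructed sample contents in the shape of the two files the slides edit.
SAMPLE_NQSCONFIG = """[SERVER]
SERVER_THREAD_RANGE = 40-100;
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
"""

SAMPLE_INSTANCECONFIG = """<WebConfig xmlns="oracle.bi.presentation.services/config/v1.1">
  <ServerInstance>
    <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
      <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
    </ps:Catalog>
  </ServerInstance>
</WebConfig>
"""


def set_nqsconfig(text, enable):
    """Step 1 / step 4: set the [SERVER] parameter to YES or NO."""
    value = "YES" if enable else "NO"
    if _PARAM_RE.search(text):
        return _PARAM_RE.sub(lambda m: f"{m.group(1)}{value};", text)
    if not enable:
        return text                       # absent parameter already means NO
    m = _SERVER_SECTION_RE.search(text)
    if m is None:
        raise ValueError("no [SERVER] section in NQSConfig.ini")
    return text[:m.end()] + f"\n{GUID_PARAM} = {value};" + text[m.end():]


def set_instanceconfig(text, enable):
    """Step 2 / step 4: add or remove the UpdateAccountGUIDs entry.
    Any existing entry is dropped first, so the call is idempotent."""
    text = _ENTRY_RE.sub("", text)
    if not enable:
        return text
    m = _CATALOG_OPEN_RE.search(text)
    if m is None:
        raise ValueError("no <ps:Catalog> element in instanceconfig.xml")
    line_start = text.rfind("\n", 0, m.start()) + 1
    indent = re.match(r"[ \t]*", text[line_start:m.start()]).group(0)
    return text[:m.end()] + f"{indent}  {REFRESH_ENTRY}\n" + text[m.end():]


def guid_refresh_armed(nqsconfig_text, instanceconfig_text):
    """Post-step-4 audit: True for each file still in its refresh state."""
    m = _PARAM_RE.search(nqsconfig_text)
    return {
        "nqsconfig": bool(m) and m.group(2).upper() == "YES",
        "instanceconfig": _ENTRY_RE.search(instanceconfig_text) is not None,
    }


def is_safe(nqsconfig_text, instanceconfig_text):
    return not any(guid_refresh_armed(nqsconfig_text, instanceconfig_text).values())


if __name__ == "__main__":
    # usage: python guid_refresh.py <NQSConfig.ini> <instanceconfig.xml> on|off|audit
    nqs_path, ic_path, mode = sys.argv[1:4]
    if mode in ("on", "off"):
        for path, fn in ((nqs_path, set_nqsconfig), (ic_path, set_instanceconfig)):
            shutil.copy(path, path + ".bak")          # keep a copy before editing
            with open(path) as f:
                updated = fn(f.read(), mode == "on")
            with open(path, "w") as f:
                f.write(updated)
    with open(nqs_path) as f, open(ic_path) as g:
        nqs, ic = f.read(), g.read()
    print(guid_refresh_armed(nqs, ic), "SAFE" if is_safe(nqs, ic) else "REFRESH STILL ARMED")
```

Run it with `audit` as the last step of any login-problem investigation: a production system that reports "REFRESH STILL ARMED" has had its GUID protection switched off since whoever last ran the procedure forgot step 4.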

Do I Still Need SA System Subject Area? Delivers Recipients

• It is now possible to use an Application Role to specify the recipients of an "Agent"
• Previously in 10g this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog (very rarely done)

Do I Still Need SA System Subject Area? Delivery Profiles

• Direct access to LDAP servers: with Oracle BI 11g, Delivers can now access information about users, their groups and email addresses directly from the configured identity store
• In many cases this completely removes the need to extract this information from your corporate directory into a database

What Are The Important Files? config.xml

• [middleware]\user_projects\domains\bifoundation_domain\config\config.xml
• Contains: SSL configuration of the Admin and Managed Servers; definitions and setup of Identity Providers

What Are The Important Files? system-jazn-data.xml

• [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
• Contains the definition of all Application Roles
• During the BI Apps install, you deploy this file to install all the BI Apps roles

What Are The Important Files? cwallet.sso

• [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso
• This is your "Credential Store" containing encrypted usernames/passwords for your system accounts: BI System User; web service credentials; RPD passwords; etc.
• If you don't know all the passwords, it is a good idea to back this up before you change any configuration... just in case

How Do I Migrate Between Environments? 11g Security Migration Points

[Diagram: the same four administration points apply to migration: 1 WebLogic Console, 2 FMW Control, 3 RPD, 4 Catalog & Manage Privileges]

How Do I Migrate Between Environments?

• The topic of migration is covered in the Rittman Mead blogs:
  Oracle BI EE 11g – Migrating Security – Identity Stores – Part 1
  Oracle BI EE 11g – Migrating Security – Policy Store – Part 2
  Oracle BI EE 11g – Migrating Security – Credential Store – Part 3
• Just to summarise...

How Do I Migrate Between Environments? WebLogic LDAP Users/Groups

• You can import/export the entire set of users/groups within the WebLogic LDAP via the WL Console
• If you wish to do an incremental update then you will need to script it using WLST

How Do I Migrate Between Environments? Application Roles

• To migrate the full set of Application Roles, simply copy/paste the system-jazn-data.xml file to your target environment: [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
• If you need to do an incremental update then either: set up the Application Roles manually via FMW Control; or use WLST scripting

How Do I Migrate Between Environments? During a 10g-11g upgrade?

• Running the 11g "Upgrade Assistant" will automatically migrate the 10g security configuration to 11g: RPD "Groups" migrated to WebLogic LDAP; RPD "Users" migrated to WebLogic LDAP (and assigned to the relevant Groups); an Application Role created for each Group

Can I Still Use The 10g Security Model?

• Yes... if you must! But hopefully the need for the 10g model is diminishing
• The "old" method of using Initialization Blocks to populate the USER/GROUP session variables will still work in Oracle BI 11g
• Use the new Session Variable "ROLES" instead of "GROUP" to map a user to one or more Application Roles
• Whenever you log in, the 10g security model is attempted first
• Some users can use the 10g model, others can use 11g
• Don't mix security models for the same user: a user should authenticate/authorize using either the 11g model or the 10g model... but not both

How Do You Implement SSL?

• SSL is the mechanism used to enable secured HTTPS communications between the client web browser and the BI Server
• SSL works fully in OBIEE; the implementation details are in the documentation (Security Guide)
• You have to do all four sections... no shortcuts!

How Do You Implement SSL? Further Notes

• SSL configuration is fiddly by nature; set aside around 2 man-days to configure it for the first time in development
• The duration to implement could take longer, since you have to obtain a trusted certificate from a "certificate authority"
• Demo certificates are available (but you will get a standard security warning in the browser if you use them, and since the demo keys ship with every WebLogic install they give no real protection and must not be used in production)
• The following Tech Notes on My Oracle Support complement the Oracle documentation: OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1); Procedure for configuring Node Manager with SSL (Doc ID 1142995.1)

What are GUIDs? .What Roles and Policies Should I Have? .Do I Still Need SA System Subject Area? .How Do You Implement SSL? .What Do I Do When it All Goes Wrong? © Peak Indicators Limited 87 .Where Do I Get My Groups From? .What Are The Important Files? .When Should I Use the WebLogic LDAP? .How Do You Implement SSO? .How Do We Migrate Between Environments? .Can I Have Multiple Identity Providers? . Frequently Asked Questions .Can I Still Use The 10g Security Model? .

6)  Supported SSO Mechanisms: Oracle Access Manager (OAM)  Oracle Single Sign on (OSSO)  Windows Native Authentication without IIS (Kerberos)  Weblogic Default Asserter (Client Certificate Authentication)   Other supported features: EBS ICX Cookie Mechanism  Siteminder 6 via HTTP Header  Go-URL with NQUser / NQPassword  SSO via HTTP header & cookie (requires customisation of BI Config)  © Peak Indicators Limited 88 .How Do You Implement SSO? SSO Support (11.1.1.

How Do You Implement SSO? OAM  With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection: © Peak Indicators Limited 89 .

the order of authenticators should be as follows: Your LDAP authenticator 2.How Do You Implement SSO? Identity Providers  With SSO.g. BI Office)  Obtain Groups for users who have authenticated via SSO  © Peak Indicators Limited 90 . Your SSO Asserter 3. WebLogic Embedded LDAP 1. (Sufficient) (Required) (Sufficient)  The LDAP authenticator is required for two reasons: Perform authentication for non-SSO access (e.

How Do You Implement SSO? FMW Control
- You also need to enable SSO within FMW Control:
  - Specify SSO provider
  - SSO Logon URL
  - SSO Logoff URL

How Do You Implement SSO? OAM Install Steps (screenshots)

How Do You Implement SSO? Active Directory / Kerberos
- A tech note / white paper exists for implementing SSO with AD
- Not for the faint hearted!


Error Messages That Could Mean a Million Things (screenshots)


What Do I Do When It All Goes Wrong? Try different logins
1. Try a different user account
2. Try logging on with a system user account e.g. weblogic
3. Confirm you can log on to WebLogic Console and/or FMW Control (to confirm authentication is actually working)
If issue is just with one user:
4. Reset the user’s password
5. Archive and delete user from the catalog, restart Presentation Services and then unarchive user back into the catalog

What Do I Do When It All Goes Wrong? Check Services
6. Check OPMN services are running
7. Check database and listener are working to _BIPLATFORM and _MDS schemas (and make sure db passwords have not expired!):

What Do I Do When It All Goes Wrong? Check Log Files
8. Check the Admin and Managed Server log files:
  - …./user_projects/domains/bifoundation_domain/servers/AdminServer/log
  - …./user_projects/domains/bifoundation_domain/servers/bi_server1/log
9. Check BI Server and BI Presentation Services logs:
  - …./instances/instance1/diagnostics/log/OracleBIBIServer/coreapplication
  - …./instances/instance1/diagnostics/log/OracleBIPresentationServices/coreapplication

What Do I Do When It All Goes Wrong? Further Actions
10. Check connectivity to LDAP / AD server is ok (you do this in WebLogic Console – make sure you can see the external Groups and Users)
11. Check HOSTS file has not changed, the very first entry should have IP address and server name
12. Refresh GUIDs
13. Restart WebLogic and OPMN Services
14. Restart WebLogic AdminServer, and then start all other processes from within the WebLogic Admin Console and FMW Control (i.e. no command line)
15. Restart whole server, then start up WebLogic and OPMN services

What Do I Do When It All Goes Wrong? More Drastic Actions
16. Delete the two “BISystemUser” user entries from Presentation Catalog, then restart services:
  [Catalog Root]\root\users
17. Delete the two “sawguidstate” entries from the “System” Presentation Catalog folder, then restart services:
  [Catalog Root]\root\system\mktgcache\[Hostname]

What Do I Do When It All Goes Wrong? Last Ditch Attempts….
18. Re-enter “BISystemUser” credentials in the Credential Store, then restart all services:

What Do I Do When It All Goes Wrong? Oracle Technote
19. See Oracle Support article 1359798.1 to download Technote on troubleshooting OBIEE security:
  - Oracle BI Enterprise Edition 11g Security Troubleshooting.pdf

What Do I Do When It All Goes Wrong? Contact Oracle!
20. http://support.oracle.com

Closing Thoughts

Closing Thoughts Summary
- Security is by nature a complex topic – it is not just complicated in Oracle BI
- There is obviously more work that can be done to simplify things in Oracle BI 11g but let’s try to be pleased with what we have:
  - A huge array of security capability
  - Support for small implementations all the way up to very large enterprise deployments
  - A common model across Fusion Middleware applications

Questions?

Helping Your Business Intelligence Journey
