OBIEE 11g Security: it's as easy as 1-2-3!

Antony Heljula, BI Architect


Peak Indicators Limited

@aheljula

Agenda

- Aim of Presentation
- 10g Security Model
- 11g Security Model
- Frequently Asked Questions:
  - What Roles and Policies Should I Have?
  - When Should I Use the WebLogic LDAP?
  - Can I Have Multiple Identity Providers?
  - Where Do I Get My Groups From?
  - What are GUIDs?
  - Do I Still Need SA System Subject Area?
  - What Are The Important Files?
  - How Do We Migrate Between Environments?
  - Can I Still Use The 10g Security Model?
  - How Do You Implement SSL?
  - How Do You Implement SSO?
  - What Do I Do When it All Goes Wrong?

Aim of Presentation

- To explain the key concepts behind the Oracle BI 11g security model
- Clarify what is and what is not supported
- Demonstrate that it can achieve great results
- Explain why the 11g security model is better than 10g: you don't need the 10g security model any more!
- Discuss some advanced topics such as SSO, SSL and migration

10g Security Model


10g Security Model

- BI Presentation Services: Catalog Groups. Catalog Groups apply responsibilities for BI Presentation Services. They can be inherited from other Catalog Groups and also from BI Server Groups.
- BI Server: Groups. Groups apply responsibilities for the BI Server.

10g Security Model

Example: ASMITH is a Sales Manager.

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) feeds both the Catalog Groups in BI Presentation Services and the Groups in the BI Server]

- ASMITH can see the Sales Manager dashboard (Catalog Groups, BI Presentation Services)
- ASMITH gets data visibility for a Sales Manager (Groups, BI Server)

10g Security Model

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> Catalog Groups in BI Presentation Services and Groups in the BI Server]

- ASMITH is granted some presentation privileges directly

10g Security Model

- Additional LDAP Groups applied directly to Presentation Services
- Group inheritance within LDAP

[Diagram: Corporate LDAP (GROUPS: Sales Manager, Answers Access, Delivers Access; USERS: ASMITH) -> Catalog Groups in BI Presentation Services and Groups in the BI Server]

Issues with 10g Security Model

- Not an easy model to explain!
- p.s. 10g didn't even directly support Groups in LDAP

[Diagram: Corporate LDAP (GROUPS: Sales Manager, Answers Access, Delivers Access; USERS: ASMITH) -> Catalog Groups in BI Presentation Services and Groups in the BI Server]

Issues with 10g Security Model

- Reliance on the Corporate LDAP to manage application-only privileges, e.g. Answers Access

[Diagram: Corporate LDAP (GROUPS: Sales Manager, Answers Access, Delivers Access; USERS: ASMITH) -> Catalog Groups in BI Presentation Services and Groups in the BI Server]

11g Security Model


The 11g Security Model

- Your Corporate LDAP just contains corporate Users and Groups

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> BI Presentation Services and BI Server]

The 11g Security Model

- A new layer of Application Roles defines the application-specific roles. The OBI Administrators maintain these.

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server]

The 11g Security Model

- A Group can belong to multiple Application Roles, e.g. Sales Managers also have Answers Access

[Diagram: 11g security model as on the previous slide; the Sales Manager Group maps to both the Sales Manager and Answers Access Application Roles]

The 11g Security Model

- But if you prefer, Application Roles can belong to other Application Roles, e.g. the Sales Manager Role also has the Answers Access Role

[Diagram: 11g security model as on the previous slide; the Sales Manager Application Role contains the Answers Access Application Role]

The 11g Security Model

- Application Roles are used by both BI Presentation Services and BI Server

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server]

The 11g Security Model

- You can also assign a User to an Application Role

[Diagram: 11g security model as on the previous slide; the User ASMITH is mapped directly to an Application Role]

The 11g Security Model: Advantages

1) Greater control for the OBI Administrator
2) Corporate LDAP less complex
3) Simpler architecture
4) More flexibility
5) Greater consistency between OBIPS and OBIS

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server]
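As an added illustration (this is not code from the presentation, nor Oracle's implementation), the following Python models the resolution chain the slides above describe: an authenticated user's LDAP Groups map to Application Roles, Application Roles may contain other Application Roles, a User may be granted a role directly, and every authenticated user receives the default BIConsumer role. The directory contents and role mappings are constructed sample data built from the slides' illustrative names (ASMITH, Sales Manager, Answers Access); the function names are my own.

```python
"""Resolution of effective Application Roles in the OBIEE 11g security model.

Added example, not code from the presentation or from Oracle. Sample data is
constructed from the slides' illustrative names (ASMITH, Sales Manager, ...).
"""
from collections import deque

# Constructed Corporate LDAP content: user -> groups. The directory only holds
# corporate groups; application-only roles (Answers Access) are not in here.
LDAP_GROUPS = {
    "ASMITH": {"Sales Manager"},
    "BJONES": set(),
}

# Constructed policy store, as an OBI Administrator would maintain it in FMW Control.
GROUP_TO_ROLES = {
    "Sales Manager": {"Sales Manager"},      # 1 LDAP Group -> 1 Application Role
}
ROLE_TO_ROLES = {
    "Sales Manager": {"Answers Access"},     # role nesting: Sales Manager also has Answers Access
    "Answers Access": set(),
    "Delivers Access": set(),
    "BIConsumer": set(),
}
USER_TO_ROLES = {
    "BJONES": {"Delivers Access"},           # a User assigned directly to an Application Role
}
DEFAULT_ROLES = {"BIConsumer"}               # every authenticated user gets BIConsumer


def effective_roles(user, ldap_groups=LDAP_GROUPS, group_to_roles=GROUP_TO_ROLES,
                    role_to_roles=ROLE_TO_ROLES, user_to_roles=USER_TO_ROLES,
                    default_roles=DEFAULT_ROLES):
    """Return the set of Application Roles the user ends up holding.

    Seeds the set with the default role, direct user grants and group-derived
    grants, then expands role-in-role membership transitively. Tracking visited
    roles means a mis-configured cycle (A in B, B in A) terminates instead of
    looping forever.
    """
    if user not in ldap_groups:
        raise KeyError("unknown user %r: authentication would have failed" % user)
    seed = set(default_roles) | set(user_to_roles.get(user, ()))
    for group in ldap_groups[user]:
        seed |= set(group_to_roles.get(group, ()))   # unmapped groups grant nothing
    resolved = set()
    queue = deque(seed)
    while queue:
        role = queue.popleft()
        if role in resolved:
            continue
        resolved.add(role)
        queue.extend(set(role_to_roles.get(role, ())) - resolved)
    return resolved


def can_access(user, required_role, **stores):
    """Authorization check as both OBIPS and OBIS make it: one shared role set."""
    return required_role in effective_roles(user, **stores)


if __name__ == "__main__":
    for name in sorted(LDAP_GROUPS):
        print(name, sorted(effective_roles(name)))
```

The point the model makes is the one the slides make: the Corporate LDAP knows nothing about Answers Access, yet ASMITH ends up with it, because the OBI Administrator owns the group-to-role and role-to-role mappings and both OBIPS and OBIS consume the same resolved set.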

The 11g Security Model: Administration Points

1) WebLogic Console (Corporate LDAP / identity providers, Users and Groups)
2) FMW Control (Application Roles)
3) RPD (BI Server)
4) Catalog & Manage Privileges (BI Presentation Services)

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server, with the four administration points numbered as above]

The 11g Security Model: 1) WebLogic Console

In the WebLogic Console you can:

- Configure Identity Providers (discussed later)
- Configure Users and Groups (Embedded LDAP)

The 11g Security Model: 2) FMW Control

You can use FMW Control for:

- Creating new Application Roles
- Assigning Roles/Groups/Users to Application Roles

Menu option: Security > Application Roles

The 11g Security Model: 3) RPD

Within the RPD you can apply security rules to Application Roles:

- Access to Subject Area contents
- Access to Connection Pools
- Apply Data Filters
- Apply Query Limits

The 11g Security Model: 4) Catalog and Manage Privileges

Within the Presentation Layer you can use Application Roles for:

- Managing privileges
- Object access permissions within the Catalog

The 11g Security Model: No More Cryptotools

FMW Control comes with its own embedded Credential Store:

  WebLogic Domain > bifoundation_domain > Security > Credentials

In here are stored passwords for:

- BISystemUser
- RPD Passwords
- Any other credentials (e.g. for custom web services)

The 11g Security Model: Default Configuration

When you install Oracle BI 11g, you get the following mapping between Users, Groups and Roles:

  USERS               GROUPS                                  ROLES
  BISystem Component
                      BIAdministrators (member of BIAuthors)  BIAdministrator
                      BIAuthors (member of BIConsumers)       BIAuthor
                      BIConsumers                             BIConsumer

- BIAdministrators: All Functions
- BIAuthors: Create new content
- BIConsumers: Read-only

The 11g Security Model: Application Policies

Each of the default Application Roles is allocated one or more Application Policies. These Application Policies provide access to certain Resources within Oracle BI.

The BIAdministrator role can:

- Manage Repositories
- Manage Jobs
- Manage the Presentation Catalog
- Administer BI Server

The 11g Security Model: Application Policies

- The policies for the BIAdministrator role provide access to the Administration screen
- The policies for the BIAuthor role provide access to the entire New menu to create new reporting objects

Frequently Asked Questions

- What Roles and Policies Should I Have?
- When Should I Use the WebLogic LDAP?
- Can I Have Multiple Identity Providers?
- Where Do I Get My Groups From?
- What are GUIDs?
- Do I Still Need SA System Subject Area?
- What Are The Important Files?
- How Do We Migrate Between Environments?
- Can I Still Use The 10g Security Model?
- How Do You Implement SSL?
- How Do You Implement SSO?
- What Do I Do When it All Goes Wrong?


What Roles and Policies Should I Have? Default Roles and Policies

First of all, use the new default Application Roles to distinguish between your 3 main types of user:

- Administrators: BI Administrator Role
- Report Developers: BI Author Role
- Everyone Else: BI Consumer Role

By default, all authenticated users will get the BI Consumer Role, so you only need to manage the allocation of the BI Author/Administrator Roles. There is typically no need to alter the Application Policies that are assigned to each role.

The default policies provide a convenient way to restrict access to core Oracle BI system resources.

What Roles and Policies Should I Have? Custom Roles

You can then have your own custom Application Roles to manage access and privileges at a more granular level.

For example:

- Sales Manager Role: Access to the Sales Manager Dashboard
- HR Manager Role: Access to the HR Manager Dashboards
- BI Answers Role: Access to Answers
- BI Delivers Role: Access to Delivers

NOTE: In most cases, 1 LDAP Group will map to 1 Application Role

What Roles and Policies Should I Have? A Combination of Default/Custom Roles

[Diagram: LDAP (GROUPS: BIAdministrator, BIAuthor, BIConsumer, Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (BIAdministrator, BIAuthor, BIConsumer, Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server]


When Should I Use the WebLogic LDAP?

The Embedded WebLogic LDAP is relatively basic compared to the more enterprise LDAP solutions, e.g. OID, AD.

Oracle advises no more than 1,000 users.

When Should I Use the WebLogic LDAP?

- Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only)
- All other users go in the Corporate LDAP

[Diagram: WebLogic LDAP (weblogic, BISystemUser, test users) and Corporate LDAP (all other users) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server]


Can I Have Multiple Identity Providers?

Yes. It is possible to add multiple other Identity Providers within the WebLogic Console.

By default, there are two embedded WebLogic providers:

- DefaultAuthenticator (Embedded WebLogic LDAP)
- DefaultIdentityAsserter

It is possible though to add further Identity Providers, e.g. OID.

Can I Have Multiple Identity Providers? Support

Multiple Identity Providers with either:

- Users and Groups in LDAP
- Users and Groups in Database
- Users in LDAP and Groups in Database (in 11.1.1.6, patch in 11.1.1.5)

Identity Providers for Authentication (NOTE: not exhaustive):

- WebLogic LDAP
- Active Directory
- iPlanet
- Oracle Internet Directory (OID)
- Oracle Virtual Directory (OVD)
- Novell (eDirectory 8.8)
- OpenLDAP
- SQL
- Tivoli Directory Server 6.2
- SQL Group Lookup (New with 11.1.1.6, patch for 11.1.1.5)

Can I Have Multiple Identity Providers? Adding a New Provider

Adding new Identity Providers is straightforward via the New button.

[Screenshot: provider list in the WebLogic Console; supported providers were highlighted in red (not exhaustive)]

You can reorder the list of providers so that authentication is performed in a different order, e.g.:

1. OID
2. WebLogic LDAP

Can I Have Multiple Identity Providers? BISQLGroupProvider

It is a common situation with Oracle BI Apps where you have:

- Users to be authenticated in a Corporate LDAP
- Groups to be obtained from the source OLTP (e.g. EBS)

[Diagram: WebLogic authenticates users against the Corporate LDAP and obtains Groups from EBS; both feed the APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) used by BI Presentation Services and BI Server]

Can I Have Multiple Identity Providers? BISQLGroupProvider

- The 11g security model now supports this type of arrangement
- A new provider, BISQLGroupProvider, is available to obtain Groups from a database:
  - Available in 11.1.1.6 (with some configuration)
  - Available in 11.1.1.5 (patch 11667221)

To configure, see Oracle Support article 1428008.1 to obtain the TechNote:

  TechNote_LDAP_Auth_DB_Groups_V3.pdf

Can I Have Multiple Identity Providers? Virtualize=True

When you have multiple Identity Providers you should set the virtualize = true custom property within FMW Control:

  bifoundation_domain > Security > Security Provider Configuration

Without this setting:

- Only the first identity provider listed will be used by OBI
- You won't be able to log in if the AdminServer dies

NOTE: If you can get the setting to work, try restarting the Managed Server and OPMN processes via FMW Control rather than from the command line.

Can I Have Multiple Identity Providers? Managing BISystemUser

- When you implement an additional identity provider, the Oracle BI documentation suggests migrating the BISystemUser to your external LDAP provider.

[Diagram: BISystemUser held in the Corporate LDAP rather than the WebLogic LDAP; both stores feed the APPLICATION ROLES used by BI Presentation Services and BI Server]

Can I Have Multiple Identity Providers? Managing BISystemUser

[Diagram: as on the previous slide, BISystemUser held only in the Corporate LDAP]

But what happens if the Corporate LDAP becomes unavailable?

Can I Have Multiple Identity Providers? Managing BISystemUser

- It is better to keep the BISystemUser account in the WebLogic LDAP store: you can still start up and use Oracle BI even when the Corporate LDAP is unavailable (NOTE: you need to set virtualize=true)

[Diagram: BISystemUser held in the WebLogic LDAP; the Corporate LDAP copy of BISystemUser is no longer relied on; both stores feed the APPLICATION ROLES used by BI Presentation Services and BI Server]


Where Do I Get My Groups From? Multiple Identity Providers

When you have multiple identity providers, the Groups for each user will be obtained from the same provider that they authenticated against.

For example:

- WebLogic users will obtain Groups from DefaultAuthenticator
- Corporate End Users will obtain their Groups from OracleInternetDirectory, as this is where they are authenticated

Where Do I Get My Groups From? BISQLGroupProvider

A BI SQL Group Lookup identity provider is always assigned to a single LDAP provider:

- The Groups will only come from the BI SQL Group Lookup provider
- Any Groups in the LDAP store are ignored

In this example, any user authenticating using OracleInternetDirectory will obtain their Groups from the BISQLGroupProvider. Any Groups assigned to the user in OID will be ignored.
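The provider-chaining behaviour on this slide, the previous one and the earlier Virtualize=True slide can be modelled in a few lines. The Python below is an added example, not code from the presentation or from Oracle: it models three statements from the slides (without virtualize=true only the first provider listed is consulted; a user's Groups come from the provider that authenticated them; a BISQLGroupProvider bound to an LDAP provider replaces that provider's Groups entirely). The provider contents, user names and passwords are constructed sample data, and a real authenticator performs an LDAP bind rather than a dictionary lookup; the class and function names are my own.

```python
"""Identity-provider chaining in WebLogic as the slides describe it for OBIEE 11g.

Added example, not code from the presentation or from Oracle. Provider contents
below are constructed sample data.
"""
import hmac


class LdapProvider:
    """A WebLogic authenticator (DefaultAuthenticator, OID, AD, ...) holding users and their groups."""

    def __init__(self, name, accounts, groups):
        self.name = name
        self.accounts = accounts   # {username: password}, constructed test data
        self.groups = groups       # {username: set of group names}

    def authenticate(self, user, password):
        # Only reports success for users this store knows; anyone else falls
        # through to the next provider in the chain.
        return user in self.accounts and hmac.compare_digest(self.accounts[user], password)

    def groups_for(self, user):
        return set(self.groups.get(user, ()))


class SqlGroupProvider:
    """Stand-in for BISQLGroupProvider: Groups come from a database table and the
    provider is always bound to exactly one LDAP authenticator."""

    def __init__(self, bound_to, table):
        self.bound_to = bound_to   # name of the LDAP provider it is attached to
        self.table = table         # {username: set of group names} from the OLTP (e.g. EBS)

    def groups_for(self, user):
        return set(self.table.get(user, ()))


def login(user, password, providers, virtualize=True, sql_groups=None):
    """Return (authenticating provider name, Groups), or None when no provider accepts the user."""
    # virtualize=false: OBI only ever talks to the first provider in the list.
    chain = providers if virtualize else providers[:1]
    for provider in chain:
        if provider.authenticate(user, password):
            if sql_groups is not None and sql_groups.bound_to == provider.name:
                # Groups held in the LDAP store for this user are ignored entirely.
                return provider.name, sql_groups.groups_for(user)
            return provider.name, provider.groups_for(user)
    return None


# Constructed sample configuration: embedded WebLogic LDAP first, OID second.
DEFAULT_AUTHENTICATOR = LdapProvider(
    "DefaultAuthenticator",
    {"weblogic": "wl-pass", "BISystemUser": "sys-pass"},
    {"weblogic": {"Administrators", "BIAdministrators"}, "BISystemUser": set()},
)
OID = LdapProvider(
    "OracleInternetDirectory",
    {"ASMITH": "asmith-pass"},
    {"ASMITH": {"Sales Manager", "BIAuthors"}},
)
PROVIDERS = [DEFAULT_AUTHENTICATOR, OID]
EBS_GROUPS = SqlGroupProvider("OracleInternetDirectory", {"ASMITH": {"EBS_SALES_MANAGER"}})

if __name__ == "__main__":
    print(login("ASMITH", "asmith-pass", PROVIDERS, virtualize=False))   # first provider only
    print(login("ASMITH", "asmith-pass", PROVIDERS))                     # Groups from OID
    print(login("ASMITH", "asmith-pass", PROVIDERS, sql_groups=EBS_GROUPS))
```

Running it with the Corporate LDAP (OID) removed from the list is the BISystemUser case from the earlier slides: the embedded store still authenticates the system account, so the platform can start while the corporate directory is down.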

Where Do I Get My Groups From? WebLogic Console

- If you are using the WebLogic LDAP as an authenticator then you will need to maintain your Groups in this store
- But Groups from other identity providers (e.g. OID) will be automatically integrated; you don't need to create them manually

[Screenshot: WebLogic Console group list showing an external Group from OID]

Where Do I Get My Groups From? FMW Control

Your internal and external Groups are immediately available to be assigned to Application Roles:

[Screenshot: FMW Control Application Roles page]

The BIAuthor Role will be assigned to users belonging to the corresponding BIAuthor groups in both WebLogic LDAP and OID.


What are GUIDs?

In Oracle BI 11g, users are recognized by their Globally Unique Identifiers (GUIDs), not by their names.

- GUIDs are identifiers that are completely unique for a given user
- Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata are uniquely secured for a specific user, independent of the user name

What are GUIDs? Example Scenario

1) User ASMITH has been given access to the Administration screen within the Oracle BI front-end

[Diagram: Corporate LDAP user ASMITH -> BI Presentation Services (Administration) and BI Server]

What are GUIDs? Example Scenario

2) User ASMITH leaves the company and is removed from the Corporate LDAP

[Diagram: ASMITH removed from the Corporate LDAP; the Administration grant for ASMITH remains in BI Presentation Services]

What are GUIDs? Example Scenario

3) A few months later, a new ASMITH joins the company

[Diagram: a new user ASMITH is created in the Corporate LDAP]

What are GUIDs? Example Scenario

4) Can the new ASMITH log on to Oracle BI and get Administration privileges?

[Diagram: new Corporate LDAP user ASMITH -> BI Presentation Services (Administration) and BI Server]

What are GUIDs? Example Scenario

5) The answer is NO! Because the new ASMITH user has a different GUID to the original ASMITH

[Diagram: the Administration grant in BI Presentation Services belongs to the original ASMITH (GUID 1234); the Corporate LDAP now holds the new ASMITH (GUID 5678)]

What are GUIDs? The Outcome

- In fact, the new ASMITH won't be able to log on at all!

What are GUIDs? Refreshing GUIDs

The GUID feature is there to help secure your OBI environments, especially production.

There may however be times when GUIDs become out of sync and you cannot log in as certain users:

- Migrating from the WebLogic Embedded LDAP to an alternative identity provider
- Deleting users and then recreating them
- Migrating the Production Presentation Catalog / RPD to the Development environment

In order to work around this, you can either:

- Delete the offending users from the Presentation Catalog and log in again, or
- Refresh GUIDs (explained overleaf)

What are GUIDs? Regenerating GUIDs: Step 1 / 4

Open up the NQSConfig.ini file for editing:

  [OBI Home]/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini

Set the following parameter within the [SERVER] section:

  FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;

Save the file

What are GUIDs? Regenerating GUIDs: Step 2 / 4

Open up the instanceconfig.xml file for editing:

  [OBI Home]/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml

Add an UpdateAccountGUIDs entry to the <Catalog> section as follows:

  <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
     <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
     <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
  </ps:Catalog>

Save the file

What are GUIDs? Regenerating GUIDs: Step 3 / 4

Restart the Oracle BI System components:

  $ORACLE_BASE/instances/instance1/bin/opmnctl stopall
  $ORACLE_BASE/instances/instance1/bin/opmnctl startall

What are GUIDs? Regenerating GUIDs: Step 4 / 4

To ensure your system is secure once again you must revert the configuration changes!

  NQSConfig.ini      : FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
  instanceconfig.xml : Remove the entry for <ps:UpdateAccountGUIDs>
  Restart Processes  : opmnctl stopall / startall
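Because step 4 is the part that is easy to forget, the following Python is an added example (not the presentation's or Oracle's own tooling) that switches the two settings from steps 1 and 2 on and back off again and then checks that both files really are back in their safe state. It edits the files as text, exactly as the slides describe; the SAMPLE_* contents are constructed excerpts that resemble the real files, and the file paths are whatever the caller passes in. The function names are my own.

```python
"""Switching the GUID refresh on (steps 1-2) and back off (step 4) in the two config files.

Added example, not the presentation's or Oracle's own tooling. SAMPLE_* contents
are constructed excerpts that resemble the real files.
"""
import re
import shutil
import time

NQS_PARAM = "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS"
GUID_ELEMENT = "<ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>"

# "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;" with any trailing comment
_NQS_RE = re.compile(r"^([ \t]*%s[ \t]*=[ \t]*)(YES|NO)([ \t]*;.*)$" % NQS_PARAM, re.M | re.I)
# the whole line holding the UpdateAccountGUIDs element, including its newline
_XML_RE = re.compile(r"^[ \t]*<ps:UpdateAccountGUIDs>.*?</ps:UpdateAccountGUIDs>[ \t]*\r?\n?", re.M | re.S)
_CATALOG_CLOSE_RE = re.compile(r"^([ \t]*)</ps:Catalog>", re.M)


def set_nqs_guid_refresh(text, enable):
    """Step 1 (enable=True) or step 4 (enable=False): set the [SERVER] parameter to YES or NO."""
    value = "YES" if enable else "NO"
    new_text, count = _NQS_RE.subn(lambda m: m.group(1) + value + m.group(3), text)
    if count == 0:
        # Parameter missing: add it directly under the [SERVER] section header.
        new_text, count = re.subn(r"^(\[SERVER\][ \t]*\r?\n)", r"\g<1>%s = %s;\n" % (NQS_PARAM, value),
                                  text, count=1, flags=re.M)
        if count == 0:
            raise ValueError("NQSConfig.ini has no [SERVER] section")
    return new_text


def set_instanceconfig_guid_refresh(text, enable):
    """Step 2 (enable=True) adds the UpdateAccountGUIDs entry to <ps:Catalog>; step 4 removes it."""
    text = _XML_RE.sub("", text)            # idempotent: drop any existing entry first
    if not enable:
        return text
    m = _CATALOG_CLOSE_RE.search(text)
    if m is None:
        raise ValueError("instanceconfig.xml has no <ps:Catalog> section")
    # Insert the element as the last child, indented one level deeper than </ps:Catalog>.
    return text[:m.start()] + m.group(1) + "   " + GUID_ELEMENT + "\n" + text[m.start():]


def guid_refresh_enabled(nqs_text, xml_text):
    """True while either file still has the refresh switched on; after step 4 this must be False."""
    m = _NQS_RE.search(nqs_text)
    nqs_on = m is not None and m.group(2).upper() == "YES"
    return nqs_on or _XML_RE.search(xml_text) is not None


def apply_to_files(nqs_path, xml_path, enable):
    """Rewrite both files in place, keeping a timestamped backup of each first."""
    for path, edit in ((nqs_path, set_nqs_guid_refresh), (xml_path, set_instanceconfig_guid_refresh)):
        shutil.copy2(path, "%s.%d.bak" % (path, int(time.time())))
        with open(path) as fh:
            content = fh.read()
        with open(path, "w") as fh:
            fh.write(edit(content, enable))


# Constructed excerpts resembling the real files (not copied from an installation).
SAMPLE_NQSCONFIG = """[SERVER]
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
"""
SAMPLE_INSTANCECONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<WebConfig xmlns="oracle.bi.presentation.services/config/v1.1">
   <ServerInstance>
      <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
         <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
      </ps:Catalog>
   </ServerInstance>
</WebConfig>
"""
```

Between the two calls to apply_to_files (once with enable=True, once with enable=False) sits the opmnctl restart from step 3; guid_refresh_enabled on the final file contents is the check that the environment is locked down again.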


Do I Still Need SA System Subject Area? Delivers Recipients

- It is now possible to use an Application Role to specify the recipients of an Agent
- Previously, in 10g, this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog (very rarely done)

Do I Still Need SA System Subject Area? Delivery Profiles

Direct access to LDAP Servers:

- With Oracle BI 11g, Delivers can now access information about users, their groups, and email addresses directly from the configured identity store
- In many cases this completely removes the need to extract this information from your corporate directory into a database


What Are The Important Files? config.xml

  [middleware]\user_projects\domains\bifoundation_domain\config\config.xml

Contains:

- SSL Configuration of Admin and Managed Servers
- Definitions and setup of Identity Providers

What Are The Important Files? system-jazn-data.xml

  [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

- Contains the definition of all Application Roles
- During the BI Apps install, you deploy this file to install all the BI Apps roles

What Are The Important Files? cwallet.sso

  [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso

This is your Credential Store containing encrypted usernames/passwords for your system accounts:

- BI System User
- Web service credentials
- RPD passwords
- etc.

If you don't know all the passwords, it is a good idea to back this up before you change any configuration, just in case.


How Do I Migrate Between Environments? 11g Security Migration Points

1) WebLogic Console (Corporate LDAP / identity providers, Users and Groups)
2) FMW Control (Application Roles)
3) RPD (BI Server)
4) Catalog & Manage Privileges (BI Presentation Services)

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH) -> APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) -> BI Presentation Services and BI Server, with the four migration points numbered as above]

How Do I Migrate Between Environments?

The topic of migration is covered in the Rittman Mead blogs:

- Oracle BI EE 11g - Migrating Security - Identity Stores - Part 1
- Oracle BI EE 11g - Migrating Security - Policy Store - Part 2
- Oracle BI EE 11g - Migrating Security - Credential Store - Part 3

Just to summarise:

How Do I Migrate Between Environments? WebLogic LDAP Users/Groups

- You can import/export the entire set of users/groups within the WebLogic LDAP via the WL Console
- If you wish to do an incremental update then you will need to script it using WLST

How Do I Migrate Between Environments? Application Roles

To migrate the full set of Application Roles, simply copy/paste the system-jazn-data.xml file to your target environment:

  [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

If you need to do an incremental update then either:

- Set up the Application Roles manually via FMW Control
- Use WLST scripting

How Do I Migrate Between Environments? During a 10g to 11g Upgrade

Running the 11g Upgrade Assistant will automatically migrate the 10g security configuration to 11g:

- RPD Groups migrated to the WebLogic LDAP
- RPD Users migrated to the WebLogic LDAP (and assigned to the relevant Groups)
- An Application Role created for each Group

[Diagram: OBIEE 10g -> OBIEE 11g]


Can I Still Use The 10g Security Model?

- Yes, if you must! But hopefully the need for the 10g model is diminishing.
- The old method of using Initialization Blocks to populate the USER/GROUP session variables will still work in Oracle BI 11g.
- Use the new Session Variable ROLES instead of GROUP to map a user to one or more Application Roles.
- Whenever you log in, the 10g security model is attempted first.
- Some users can use the 10g model, others can use 11g.
- Don't mix security models for the same user: a user should authenticate/authorize using either the 11g model or the 10g model, but not both.


How Do You Implement SSL?

SSL is the mechanism used to enable secured HTTPS communications between the client web browser and the BI Server.

- SSL works fully in OBIEE; the implementation details are in the documentation (Security Guide)
- You have to do all four sections, no shortcuts!

How Do You Implement SSL? Further Notes

- SSL configuration is fiddly by nature; set aside around 2 man-days to configure it for the first time in development
- The elapsed time to implement could be longer, since you have to obtain a trusted certificate from a certificate authority
- Demo certificates are available (but you will get a standard security warning in the browser if you use them)

The following Tech Notes on My Oracle Support complement the Oracle Documentation:

- OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1)
- Procedure for configuring Node Manager with SSL (Doc ID 1142995.1)


How Do You Implement SSO? SSO Support (11.1.1.6)

Supported SSO Mechanisms:

- Oracle Access Manager (OAM)
- Oracle Single Sign On (OSSO)
- Windows Native Authentication without IIS (Kerberos)
- WebLogic Default Asserter (Client Certificate Authentication)

Other supported features:

- EBS ICX Cookie Mechanism
- SiteMinder 6 via HTTP Header
- Go-URL with NQUser / NQPassword
- SSO via HTTP header & cookie (requires customisation of BI Config)

How Do You Implement SSO? OAM

With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection.

[Diagram: browser -> HTTP Proxy with Webgate -> WebLogic / Oracle BI, with OAM performing the SSO redirection]

How Do You Implement SSO? Identity Providers

With SSO, the order of authenticators should be as follows:

1. Your LDAP authenticator (Sufficient)
2. Your SSO Asserter (Required)
3. WebLogic Embedded LDAP (Sufficient)

The LDAP authenticator is required for two reasons:

- Perform authentication for non-SSO access (e.g. BI Office)
- Obtain Groups for users who have authenticated via SSO

How Do You Implement SSO? FMW Control

You also need to enable SSO within FMW Control:

- Specify the SSO provider
- SSO Logon URL
- SSO Logoff URL

How Do You Implement SSO? OAM Install Steps


How Do You Implement SSO? Active Directory / Kerberos

A tech note / white paper exists for implementing SSO with AD



Error Messages That Could Mean a Million Things


What Do I Do When It All Goes Wrong? Try Different Logins

1. Try a different user account
2. Try logging on with a system user account, e.g. weblogic
3. Confirm you can log on to the WebLogic Console and/or FMW Control (to confirm authentication is actually working)

If the issue is with just one user:

4. Reset the user's password
5. Archive and delete the user from the catalog, restart Presentation Services and then unarchive the user back into the catalog

What Do I Do When It All Goes Wrong? Check Services

6. Check the OPMN services are running
7. Check the database and listener are working for the _BIPLATFORM and _MDS schemas (and make sure the database passwords have not expired!)

What Do I Do When It All Goes Wrong? Check Log Files

8. Check the Admin and Managed Server log files:

     ./user_projects/domains/bifoundation_domain/servers/AdminServer/log
     ./user_projects/domains/bifoundation_domain/servers/bi_server1/log

9. Check the BI Server and BI Presentation Services logs:

     ./instances/instance1/diagnostics/log/OracleBIPresentationServices/coreapplication
     ./instances/instance1/diagnostics/log/OracleBIBIServer/coreapplication

What Do I Do When It All Goes Wrong? Further Actions

10. Check connectivity to the LDAP / AD server is OK (you do this in the WebLogic Console: make sure you can see the external Groups and Users)
11. Check the HOSTS file has not changed; the very first entry should have the IP address and server name
12. Refresh GUIDs
13. Restart the WebLogic and OPMN services
14. Restart the WebLogic AdminServer, and then start all other processes from within the WebLogic Admin Console and FMW Control (i.e. no command line)
15. Restart the whole server, then start up the WebLogic and OPMN services

What Do I Do When It All Goes Wrong? More Drastic Actions

16. Delete the two BISystemUser user entries from the Presentation Catalog, then restart services:

      [Catalog Root]\root\users

17. Delete the two sawguidstate entries from the System Presentation Catalog folder, then restart services:

      [Catalog Root]\root\system\mktgcache\[Hostname]

What Do I Do When It All Goes Wrong? Last Ditch Attempts

18. Re-enter the BISystemUser credentials in the Credential Store, then restart all services

What Do I Do When It All Goes Wrong? Oracle Technote

19. See Oracle Support article 1359798.1 to download the Technote on troubleshooting OBIEE security:

      Oracle BI Enterprise Edition 11g Security - Troubleshooting.pdf

What Do I Do When It All Goes Wrong? Contact Oracle!

20. http://support.oracle.com

Questions?


Helping Your Business Intelligence Journey
