Antony Heljula @aheljula BI Architect Peak Indicators Limited 2 Agenda Aim of Presentation 10g Security Model 11g Security Model What is Supported Identity Providers Groups GUIDs SSL Single Sign On (SSO) Important Files Migration Closing Thoughts
Peak Indicators Limited 3 Aim of Presentation To explain the key concepts behind the Oracle BI 11g security model
Clarify what is and what is not supported
Demonstrate that it can achieve great results
Explain why 11g security model is better than 10g you dont need the 10g security model any more!
Discuss some advanced topics such as SSO, SSL and migration
It is getting better..we can look forward to a brighter future! Peak Indicators Limited 4 10g Security Model Peak Indicators Limited 5 10g Security Model BI Presentation Services BI Server Catalog Groups Groups Groups apply responsibilities for BI Server Catalog Groups apply responsibilities for BI Presentation Services. Can be inherited from other Catalog Groups and also other BI Server Groups Peak Indicators Limited 6 10g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
Catalog Groups Groups ASMITH is a Sales Manager ASMITH gets data visibility for a Sales Manager ASMITH can see the Sales Manager dashboard Peak Indicators Limited 7 10g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
Catalog Groups Groups ASMITH is granted some presentation privileges directly Peak Indicators Limited 8 10g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager Answers Access Delivers Access Catalog Groups Groups Additional LDAP Groups applied directly to Presentation Services Group inheritance within LDAP Peak Indicators Limited 9 Issues with 10g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager Answers Access Delivers Access Catalog Groups Groups Not an easy model to explain! p.s. 10g didnt even directly support Groups in LDAP Peak Indicators Limited 10 Issues with 10g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager Answers Access Delivers Access Catalog Groups Groups Reliance on Corporate LDAP to manage application-only privileges e.g. Answers Access Peak Indicators Limited 11 Issues with 10g Security Model Corporate LDAP
USERS GROUPS If every application needed their own hierarchy of privileges how complicated is your Corporate LDAP going to become? GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS GROUPS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS USERS Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Application Peak Indicators Limited 12 11g Security Model Peak Indicators Limited 13 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
Your Corporate LDAP just contains corporate Users and Groups Peak Indicators Limited 14 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
A new layer of Application Roles define the application-specific roles. The OBI Administrators maintain these Peak Indicators Limited 15 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
A Group can belong to multiple Application Roles e.g. Sales Managers also have Answers Access Peak Indicators Limited 16 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
But if you prefer, Application Roles can belong to other Application Roles e.g. Sales Manager Role also has Answers Access Role Peak Indicators Limited 17 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
Application Roles are used by both BI Presentation Services and BI Server Peak Indicators Limited 18 The 11g Security Model BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
You can also assign a User to an Application Role Peak Indicators Limited 19 The 11g Security Model Advantages BI Presentation Services BI Server Corporate LDAP
USERS ASMITH
GROUPS Sales Manager
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
1) Greater control for the OBI Administrator 2) Corporate LDAP less complex 3) Simpler architecture 4) More flexibility 5) Greater consistency between OBIPS and OBIS Peak Indicators Limited 20 The 11g Security Model Administration Points BI Presentation Services BI Server Corporate LDAP
Peak Indicators Limited 21 The 11g Security Model In the Weblogic Console you can: Configure Identity Providers (discussed later) Configure Users and Groups (Embedded LDAP) 1) Weblogic Console Peak Indicators Limited 22 The 11g Security Model You can use FMW Control for: Creating new Application Roles Assigning Roles/Groups/Users to Application Roles 2) FMW Control Menu option: Security > Application Roles Peak Indicators Limited 23 The 11g Security Model Within the RPD you can apply security rules to Application Roles: Access to Subject Area contents Access to Connection Pools Apply Data Filters Apply Query Limits 3) RPD Peak Indicators Limited 24 The 11g Security Model Within the Presentation Layer you can use Application Roles for: Managing privileges Object access permissions within the Catalog 4) Catalog and Manage Privileges Peak Indicators Limited 25 The 11g Security Model FMW Control comes with its own embedded Credential Store WebLogic Domain > bifoundation_domain > Security > Credentials
In here are stored passwords for: BISystemUser RPD Passwords Any other credentials (e.g. for custom web services) No More Cryptotools Peak Indicators Limited 26 The 11g Security Model When you install Oracle BI 11g, you get the following mapping between Users Groups Roles:
Default Configuration BISystem Component BIAdministrators BIAuthors BIConsumers BIAdministrator BIAuthor BIConsumer member of member of USERS GROUPS ROLES BIAdministrators: All Functions BIAuthors: Create new content BIConsumers: Read-only Peak Indicators Limited 28 The 11g Security Model Each of the default Application Roles is allocated one or more Application Policies. These Application Policies provide access to certain Resources within Oracle BI Application Policies The BIAdministator role can: Manage Repositories Manage Jobs Manage the Presentation Catalog Administer BI Server Peak Indicators Limited 29 The 11g Security Model The policies for the BIAdministrator role provide access to the Administration screen
The policies for the BIAuthor role provide access to the entire New menu to create new reporting objects
NOTE: Confusion still remains as to why these types of privilege are not on the Manage Privileges screen along with everything else Application Policies
Peak Indicators Limited 30 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 31 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 32 What Roles and Policies Should I Have? First of all, use the new default Application Roles to distinguish between your 3 main types of user: Administrators BI Administrator Role Report Developers BI Author Role Everyone Else BI Consumer Role
By default, all authenticated users will get BI Consumer Role, so you only need to manage the allocation of BI Auther/Administrator Roles
There is typically no need to alter the Application Policies that are assigned to each role The default policies provide a convenient way to restrict access to core Oracle BI system resources Default Roles and Policies Peak Indicators Limited 33 What Roles and Policies Should I Have? You can then have your own custom Application Roles to manage access and privileges at a more granular level
For example: Sales Manager Role Access to the Sales Manager Dashboard HR Manager Role Access to the HR Manager Dashboards BI Answers Role Access to Answers BI Delivers Role Access to Delivers
NOTE: In most cases, 1 LDAP Group will map to 1 Application Role
Custom Roles Peak Indicators Limited 34 What Roles and Policies Should I Have? A Combination of Default/Custom Roles BI Presentation Services BI Server LDAP
USERS ASMITH
GROUPS BIAdministrator BIAuthor BIConsumer Sales Manager
Peak Indicators Limited 35 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 36 When Should I Use the WebLogic LDAP? The Embedded WebLogic LDAP is relatively basic compared to the more enterprise LDAP solutions e.g. OID, AD
Oracle advise no more than 1,000 users Peak Indicators Limited 37 When Should I Use the WebLogic LDAP? BI Presentation Services BI Server Corporate LDAP
All other users
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
WebLogic LDAP
Weblogic BISystemUser Test users Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only) All other users go in the Corporate LDAP Peak Indicators Limited 38 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 39 Can I Have Multiple Identity Providers? Yes. It is possible to add multiple other Identity Providers within WebLogic console
By default, there are two embedded WebLogic providers: DefaultAuthenticator (Embedded Weblogic LDAP) DefaultIdentityAsserter
It is possible though to add further Identity Providers e.g. OID Peak Indicators Limited 40 Can I Have Multiple Identity Providers? Multiple Identity Providers with either: Users and Groups in LDAP Users and Groups in Database Users in LDAP and Groups in Database (in 11.1.1.6, patch in 11.1.1.5)
Identity Providers for Authentication: (NOTE: not exhaustive) Weblogic LDAP Active Direcitory iPlanet Oracle Internet Directory (OID) Oracle Virtual Directory (OVD) Novell (eDirectory 8.8) OpenLDAP SQL Tivoli Directory Server 6.2 SQL Group Lookup (New with 11.1.1.6, patch for 11.1.1.5) Support Peak Indicators Limited 41 Can I Have Multiple Identity Providers? Adding new Identity Providers is straight forward via the New button Supported providers in red (not exhaustive)
You can reorder the list of providers so that authentication is performed in a different order e.g. OID Weblogic LDAP
Adding a New Provider Peak Indicators Limited 43 Can I Have Multiple Identity Providers? It is a common situation with Oracle BI Apps where you have: Users to be authenticated in a Corporate LDAP Groups to be obtained from the source OLTP (e.g. EBS)
BISQLGroupProvider BI Presentation Services BI Server
Corporate LDAP
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
EBS
Weblogic
Groups Peak Indicators Limited 44 Can I Have Multiple Identity Providers? The 11g security model now supports this type of arrangement
A new provider BISQLGroupProvider is available to obtain Groups from a database: Available in 11.1.1.6 (with some configuration) Available in 11.1.1.5 (patch 11667221)
To configure, see Oracle Support article 1428008.1 to obtain the TechNote: TechNote_LDAP_Auth_DB_Groups_V3.pdf BISQLGroupProvider Peak Indicators Limited 45 Can I Have Multiple Identity Providers? When you have multiple Identity Providers you should set the virtualize = true custom property within FMW Control: Bifoundation_domain > Security > Security Provider Configuration
Without this setting: Only the first identity provider listed will be used by OBI You wont be able to log in if the AdminServer dies
NOTE: If you can get the setting to work, try restarting Managed Server and OPMN processes via FMW Control rather than the command line
Virtualize=True Peak Indicators Limited 46 Can I Have Multiple Identity Providers? Managing BISystemUser BI Presentation Services BI Server Corporate LDAP
BISystemUser
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
WebLogic LDAP
When you implement an additional identity provider, The Oracle BI documentation suggests to migrate the BISystemUser to your external LDAP provider. Peak Indicators Limited 47 Can I Have Multiple Identity Providers? Managing BISystemUser BI Presentation Services BI Server Corporate LDAP
BISystemUser
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
WebLogic LDAP
But what happens if the Corporate LDAP becomes unavailable? x Peak Indicators Limited 48 Can I Have Multiple Identity Providers? Managing BISystemUser BI Presentation Services BI Server Corporate LDAP
BISystemUser
APPLICATION ROLES
Sales Manager Answers Access Delivers Access
WebLogic LDAP
BISystemUser It is better to keep the BISystemUser account in the WebLogic LDAP store you can still start up and use Oracle BI even when the Corporate LDAP is unavailable (NOTE: need to set virtualize=true) x
Peak Indicators Limited 49 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 50 Where Do I Get My Groups From? When you have multiple identity providers, the Groups for each users will be obtained from the same provider that they authenticated against
For example: Multiple Identity Providers WebLogic user will obtain Groups from DefaultAuthenticator Corporate End Users will obtain their Groups from OracleInternetDirectory, as this is where they are authenticated Peak Indicators Limited 51 Where Do I Get My Groups From? A BI SQL Group Lookup identity provider is always assigned to a single LDAP provider The Groups will only come from the BI SQL Group Lookup provider Any Groups in the LDAP store are ignored BISQLGroupProvider In this example, any user authenticating using OracleInternetDirectory will obtain their Groups from the BISQLGroupProvider. Any Groups assigned to the user in OID will be ignored. Peak Indicators Limited 52 Where Do I Get My Groups From? If you are using the WebLogic LDAP as an authenticator then you will need to maintain your Groups in this store But Groups from other identity providers (e.g. OID) will be automatically integrated (as shown below), you dont need to create them manually WebLogic Console External Group from OID Peak Indicators Limited 53 Where Do I Get My Groups From? Your internal and external Groups are immediately available to be assigned to Application Roles: FMW Control The BIAuthor Role will be assigned to users belonging to the corresponding BIAuthor groups in both Weblogic LDAP and OID Peak Indicators Limited 54 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 55 What are GUIDs? In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names
GUIDs are identifiers that are completely unique for a given user
Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata is uniquely secured for a specific user, independent of the user name
Peak Indicators Limited 56 What are GUIDs? Example Scenario BI Presentation Services BI Server Corporate LDAP
ASMITH
1) User ASMITH has been given access to the Administrator screen within the Oracle BI front-end ASMITH Administration Peak Indicators Limited 57 What are GUIDs? Example Scenario BI Presentation Services BI Server Corporate LDAP
ASMITH
2) User ASMITH leaves the company and is removed from the Corporate LDAP ASMITH Administration Peak Indicators Limited 58 What are GUIDs? Example Scenario BI Presentation Services BI Server Corporate LDAP
ASMITH
ASMITH
3) A few months later, a new ASMITH joins the company ASMITH Administration Peak Indicators Limited 59 What are GUIDs? Example Scenario BI Presentation Services BI Server Corporate LDAP
ASMITH
ASMITH
4) Can the new ASMITH log on to Oracle BI and get Administration privileges? ASMITH Administration Peak Indicators Limited 60 What are GUIDs? Example Scenario BI Presentation Services BI Server Corporate LDAP
ASMITH (1234)
ASMITH (5678)
5) The answer is NO! Because the new ASMITH user has a different GUID to the original AMSITH ASMITH (1234) Administration Peak Indicators Limited 61 What are GUIDs? The Outcome In fact, the ASSMITH wont be able to log on at all! Peak Indicators Limited 62 What are GUIDs? The GUID feature is there to help secure your OBI environments especially production
There may however be times when GUIDs become out of sync in and you cannot log in as certain users: Migrating from WebLogic Embedded LDAP to an alternative identity provider Deleting users and then recreating them Migrating Production Presentation Catalog / RPD to the Development environment
In order to work around this, you can either: Delete the offending users from the Presentation Catalog and log in again or Refresh GUIDs (explained overleaf)
Refreshing GUIDs Peak Indicators Limited 63 What are GUIDs? Open up the NQSConfig.ini file for editing:
Regenerating GUIDs : Step 3 / 4 Peak Indicators Limited 66 What are GUIDs? To ensure your system is secure once again you must revert the configuration changes!
Instanceconfig.xml : Remove entry for <ps:UpdateAccountGUIDs>
Restart Processes : opmnctl stopall / startall Regenerating GUIDs : Step 4 / 4 Peak Indicators Limited 69 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - What Happens During An Upgrade? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 70 Do I Still Need SA System Subject Area? Delivers Recipients It is now possible to use an Application Role to specify the recipients of an Agent
Previously in 10g this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog Very rarely done
Peak Indicators Limited 71 Do I Still Need SA System Subject Area? Delivery Profiles Direct access to LDAP Servers
With Oracle BI 11g, Delivers can now access information about users, their groups, and email addresses directly from the configured identity store
In many cases this completely removes the need to extract this information from your corporate directory into a database
Peak Indicators Limited 72 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 73 What Are The Important Files? [middleware]\user_projects\domains\bifoundation_domain\config\config.xml
Contains: SSL Configuration of Admin and Managed Servers Definitions and setup of Identity Providers config.xml Peak Indicators Limited 74 What Are The Important Files? [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
Contains definition of all Application Roles During BI Apps install, you deploy this file to install all the BI Apps roles System-jazn-data.xml Peak Indicators Limited 75 What Are The Important Files? [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso
This is your Credential Store containing encrypted usernames/passwords for your system accounts: BI System User Web service credentials RPD passwords etc
If you dont know all the passwords, it is a good idea to back this up before you change any configuration.just in case cwallet.sso Peak Indicators Limited 76 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 77 How Do I Migrate Between Environments? 11g Security Migration Points BI Presentation Services BI Server Corporate LDAP
Peak Indicators Limited 78 How Do I Migrate Between Environments? The topic of migration is covered in the Rittman Mead blogs: Oracle BI EE 11g Migrating Security Identity Stores Part 1 Oracle BI EE 11g Migrating Security Policy Store Part 2 Oracle BI EE 11g Migrating Security Credential Store Part 3
Just to summarise..
Peak Indicators Limited 79 How Do I Migrate Between Environments? You can import/export the entire set of users/groups within the Weblogic LDAP via the WL Console
If you wish to do an incremental update then you will need to script using WLST
Weblogic LDAP Users/Groups Peak Indicators Limited 80 How Do I Migrate Between Environments? To migrate the full set of Application Roles, simply copy/paste the system- jazn-data.xml file to your target environment: [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
If you need to do an incremental update then either: Set up the Application Roles manually via FMW Control Use WLST scripting
Application Roles Peak Indicators Limited 81 How Do I Migrate Between Environments? Running the 11g Upgrade Assistantwill automatically migrate the 10g security configuration to 11: RPD Groups migrated to WebLogic LDAP RPD Users migrated to WebLogic LDAP (and assigned to relevant Groups) Application Role created for each Group
During an 10g-11g upgrade? OBIEE 11g OBIEE 10g Peak Indicators Limited 82 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 83 Can I Still Use The 10g Security Model? Yes..if you must! But hopefully the need for the 10g model is diminishing
The old method of using Initialization Blocks to populate USER/GROUP session variables will still work in Oracle BI 11g Use the new Session Variable ROLES instead of GROUP to map a user to one or more Application Roles
Whenever you log in, the 10g security model is attempted first Some users can use the 10g model, others can use 11g
Dont mix security models for the same user: A user should authenticate/authorize using either the 11g model or the 10g model..but not both
Peak Indicators Limited 84 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 85 How Do You Implement SSL? SSL is the mechanism used to enable secured HTTPS communications between client web browser and the BI Server:
SSL works fully in OBIEE, the implementation details are in the documentation (Security Guide)
You have to do all four sections..no shortcuts!
Peak Indicators Limited 86 How Do You Implement SSL? SSL configuration is fiddly by nature, set aside around 2 man-days to configure it for the first time in development
The duration to implement could take longer, since you have to obtain a trusted certificate from a certificate authority Demo certificates are available (but you will get a standard security warning in the browser if you use them)
The following Tech Notes on myOracle Support compliment the Oracle Documentation: OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1) Procedure for configuring Node Manager with SSL. (Doc ID 1142995.1)
Further Notes Peak Indicators Limited 87 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 88 How Do You Implement SSO? Supported SSO Mechanisms: Oracle Access Manager (OAM) Oracle Single Sign on (OSSO) Windows Native Authentication without IIS (Kerberos) Weblogic Default Asserter (Client Certificate Authentication)
Other supported features: EBS ICX Cookie Mechanism Siteminder 6 via HTTP Header Go-URL with NQUser / NQPassword SSO via HTTP header & cookie (requires customisation of BI Config) SSO Support (11.1.1.6) Peak Indicators Limited 89 How Do You Implement SSO? With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection: OAM Peak Indicators Limited 90 How Do You Implement SSO? With SSO, the order of authenticators should be as follows: 1. Your LDAP authenticator (Sufficient) 2. Your SSO Asserter (Required) 3. WebLogic Embedded LDAP (Sufficient)
The LDAP authenticator is required for two reasons: Perform authentication for non-SSO access (e.g. BI Office) Obtain Groups for users who have authenticated via SSO Identity Providers Peak Indicators Limited 91 How Do You Implement SSO? You also need to enable SSO within FMW Control: Specify SSO provider SSO Logon URL SSO Logoff URL FMW Control Peak Indicators Limited 92 How Do You Implement SSO? OAM Install Steps Peak Indicators Limited 93 How Do You Implement SSO? A tech note / white paper exists for implementing SSO with AD
Not for the faint hearted! Active Directory / Kerberos Peak Indicators Limited 94 Frequently Asked Questions - What Roles and Policies Should I Have? - When Should I Use the WebLogic LDAP? - Can I Have Multiple Identity Providers? - Where Do I Get My Groups From? - What are GUIDs? - Do I Still Need SA System Subject Area? - What Are The Important Files? - How Do We Migrate Between Environments? - Can I Still Use The 10g Security Model? - How Do You Implement SSL? - How Do You Implement SSO? - What Do I Do When it All Goes Wrong?
Peak Indicators Limited 95 Error Messages That Could Mean a Million Things Peak Indicators Limited 96 Error Messages That Could Mean a Million Things Peak Indicators Limited 97 Error Messages That Could Mean a Million Things Peak Indicators Limited 98 Error Messages That Could Mean a Million Things Peak Indicators Limited 99 What Do I Do When It All Goes Wrong? 1. Try a different user account
2. Try logging on with a system user account e.g. weblogic
3. Confirm you can log on to Weblogic Console and/or FMW Control (to confirm authentication is actually working)
4. Reset the users password
5. Archive and delete user from the catalog, restart Presentation Services and then unarchive user back into the catalog If issue is just with one user Try different logins Peak Indicators Limited 100 What Do I Do When It All Goes Wrong? 6. Check OPMN services are running
7. Check database and listener are working to _BIPLATFORM and _MDS schemas (and make sure db passwords have not expired!): Check Services Peak Indicators Limited 101 What Do I Do When It All Goes Wrong? 8. Check the Admin and Managed Server log files: ./user_projects/domains/bifoundation_domain/servers/AdminServer/log ./user_projects/domains/bifoundation_domain/servers/bi_server1/log
9. Check BI Server and BI Presentation Services logs: ./instances/instance1/diagnostics/log/OracleBIPresentationServices/coreapplcation ./instances/instance1/diagnostics/log/OracleBIBIServer/coreapplcation
Check Log Files Peak Indicators Limited 102 What Do I Do When It All Goes Wrong? 10. Check connectivity to LDAP / AD server is ok (you do this in WebLogic Console make sure you can see the external Groups and Users)
11. Check HOSTS file has not changed, the very first entry should have IP address and server name
12. Refresh GUIDs
13. Restart WebLogic and OPMN Services
14. Restart WebLogic AdminServer, and then start all other process from within the WebLogic Admin Console and FMW Control (i.e. no command- line)
15. Restart whole server, then start up WebLogic and OPMN services
Further Actions Peak Indicators Limited 103 What Do I Do When It All Goes Wrong? 16. Delete the two BISystemUser user entries from Presentation Catalog, then restart services: [Catalog Root]\root\users
17. Delete the two sawguidstate entries from the System Presentation Catalog folder, then restart services: [Catalog Root]\root\system\mktgcache\[Hostname] More Drastic Actions Peak Indicators Limited 104 What Do I Do When It All Goes Wrong? 18. Re-enter BISystemUser credentials in the Credential Store, then restart all services: Last Ditch Attempts. Peak Indicators Limited 105 What Do I Do When It All Goes Wrong? 19. See Oracle Support article 1359798.1 to download Technote on troubleshooting OBIEE security: Oracle BI Enterprise Edition 11g Security - Troubleshooting.pdf Oracle Technote Peak Indicators Limited 106 What Do I Do When It All Goes Wrong? 20. http://support.oracle.com
Contact Oracle! Peak Indicators Limited 107 Closing Thoughts Peak Indicators Limited 108 Closing Thoughts Security is by nature a complex topic it is not just complicated in Oracle BI
There is obviously more work that can be done to simplify things in Oracle BI 11g but lets try to be pleased with what we have:
A huge array of security capability
Support for small implementations all the way up to very large enterprise deployments
A common model across Fusion Middleware applications
Summary Peak Indicators Limited Questions? Peak Indicators Limited Helping Your Business Intelligence Journey