
OBIEE 11g Security – it’s as easy as 1-2-3!

Antony Heljula BI Architect

© Peak Indicators Limited


@aheljula


Agenda

Aim of Presentation

10g Security Model

11g Security Model

What is Supported

Identity Providers

Groups

GUIDs

SSL

Single Sign On (SSO)

Important Files

Migration

Closing Thoughts


Aim of Presentation

To explain the key concepts behind the Oracle BI 11g security model

Clarify what is and what is not supported

Demonstrate that it can achieve great results

Explain why 11g security model is better than 10g – you don’t need the 10g security model any more!

Discuss some advanced topics such as SSO, SSL and migration

It is getting better… we can look forward to a brighter future!

10g Security Model

“Catalog Groups” apply responsibilities for BI Presentation Services. Can be inherited from other “Catalog Groups” and also other BI Server “Groups”

“Groups” apply responsibilities for BI Server

[Diagram: BI Presentation Services with its Catalog Groups; BI Server with its Groups]

ASMITH is a Sales Manager

ASMITH can see the Sales Manager dashboard

ASMITH gets data visibility for a Sales Manager

[Diagram: Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH), BI Presentation Services Catalog Groups, BI Server Groups]

ASMITH is granted some presentation privileges directly

Additional LDAP “Groups” applied directly to Presentation Services

Group inheritance within LDAP

[Diagram: the Corporate LDAP GROUPS now include Sales Manager, Answers Access and Delivers Access]

Issues with 10g Security Model

Not an easy model to explain!

p.s. 10g didn’t even directly support Groups in LDAP

Reliance on Corporate LDAP to manage application-only privileges e.g. Answers Access

If every application needed their own hierarchy of privileges how complicated is your Corporate LDAP going to become?

[Diagram: Corporate LDAP with many Applications, GROUPS and USERS]

11g Security Model

Your Corporate LDAP just contains “corporate” Users and Groups

[Diagram: BI Presentation Services, BI Server and Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH)]

A new layer of “Application Roles” defines the application-specific roles. The OBI Administrators maintain these

[Diagram: APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access) shown with the Corporate LDAP (GROUPS: Sales Manager; USERS: ASMITH), BI Presentation Services and BI Server]

A Group can belong to multiple Application Roles e.g. Sales Managers also have “Answers Access”

But if you prefer, Application Roles can belong to other Application Roles e.g. “Sales Manager” Role also has “Answers Access” Role

Application Roles are used by both BI Presentation Services and BI Server

You can also assign a User to an Application Role
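The layering described above (LDAP Users and Groups, then Application Roles that may contain Groups, Users or other Roles) can be resolved mechanically. The following Python model is an added example, not Oracle or Peak Indicators code: it computes a user's effective Application Roles and the chain that grants each one. The user BJONES, the `("authenticated", "*")` marker and all function names are constructed for illustration.

```python
# Added illustration of the 11g layering: LDAP users/groups -> Application Roles.
# All data and names below are constructed; this is not Oracle code.

# Corporate LDAP holds only "corporate" users and groups.
LDAP_GROUPS = {
    "ASMITH": {"Sales Manager"},
    "BJONES": set(),
}

# Application Role membership, maintained by the OBI Administrator.
# A member is a (kind, name) pair: a group, a user, or another role.
# ("authenticated", "*") is a constructed marker for "any authenticated user".
ROLE_MEMBERS = {
    "Sales Manager": {("group", "Sales Manager")},   # LDAP group -> role
    "Answers Access": {("role", "Sales Manager")},   # role nested in a role
    "Delivers Access": {("user", "BJONES")},         # user assigned directly
    "BIConsumer": {("authenticated", "*")},          # default for everyone
}


def resolve(user, ldap_groups=LDAP_GROUPS, role_members=ROLE_MEMBERS):
    """Return {role: granting_member} for every Application Role the user holds."""
    if user not in ldap_groups:
        return {}  # unknown to the identity store: no roles at all
    principals = {("user", user), ("authenticated", "*")}
    principals |= {("group", g) for g in ldap_groups[user]}
    via = {}
    changed = True
    while changed:  # fixed point: terminates even if roles reference each other
        changed = False
        for role in sorted(role_members):
            if role in via:
                continue
            hits = sorted(role_members[role] & principals)
            if hits:
                via[role] = hits[0]
                principals.add(("role", role))
                changed = True
    return via


def effective_roles(user, ldap_groups=LDAP_GROUPS, role_members=ROLE_MEMBERS):
    """Set of Application Role names the user ends up with."""
    return set(resolve(user, ldap_groups, role_members))


def grant_chain(user, role, ldap_groups=LDAP_GROUPS, role_members=ROLE_MEMBERS):
    """Path from the user's own principal to the role, for access reviews."""
    via = resolve(user, ldap_groups, role_members)
    if role not in via:
        return []
    chain = [("role", role)]
    member = via[role]
    while member[0] == "role":      # walk back through nested roles
        chain.append(member)
        member = via[member[1]]
    chain.append(member)            # the group/user/marker that started it
    return chain[::-1]


if __name__ == "__main__":
    for u in ("ASMITH", "BJONES", "NOBODY"):
        print(u, sorted(effective_roles(u)))
    print(grant_chain("ASMITH", "Answers Access"))
```

The grant chain is the part worth keeping for access reviews: it shows whether a privilege comes from a corporate group, a nested role or a direct user assignment.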

The 11g Security Model Advantages

1) Greater control for the OBI Administrator

2) Corporate LDAP less complex

3) Simpler architecture

4) More flexibility

5) Greater consistency between OBIPS and OBIS

The 11g Security Model Administration Points

1 Weblogic Console

2 FMW Control

3 RPD

4 Catalog & Manage Privileges

[Diagram: the four administration points marked on the 11g model diagram]

1) Weblogic Console

In the Weblogic Console you can:

Configure Identity Providers (discussed later)

Configure Users and Groups (Embedded LDAP)

2) FMW Control

You can use FMW Control for:

Creating new Application Roles

Assigning Roles/Groups/Users to Application Roles

Menu option: Security > Application Roles

3) RPD

Within the RPD you can apply security rules to Application Roles:

Access to Subject Area contents

Access to Connection Pools

Apply Data Filters

Apply Query Limits

4) Catalog and Manage Privileges

Within the Presentation Layer you can use Application Roles for:

Managing privileges

Object access permissions within the Catalog

The 11g Security Model No More “Cryptotools”

FMW Control comes with its own embedded “Credential Store”

WebLogic Domain > bifoundation_domain > Security > Credentials

In here are stored passwords for:

BISystemUser

RPD Passwords

Any other credentials (e.g. for custom web services)


The 11g Security Model Default Configuration

When you install Oracle BI 11g, you get the following mapping between Users Groups Roles:

[Diagram: columns USERS, GROUPS and ROLES, with “member of” links between entries; also shows BISystem, labelled “Component”]

GROUPS             ROLES              ACCESS
BIAdministrators   BIAdministrator    All Functions
BIAuthors          BIAuthor           Create new content
BIConsumers        BIConsumer         Read-only

The 11g Security Model Application Policies

Each of the default Application Roles is allocated one or more “Application Policies”.

These Application Policies provide access to certain “Resources” within Oracle BI

The “BIAdministrator” role can:
• Manage Repositories
• Manage Jobs
• Manage the Presentation Catalog
• Administer BI Server

The policies for the “BIAdministrator” role provide access to the “Administration” screen

The policies for the “BIAuthor” role provide access to the entire “New” menu to create new reporting objects

NOTE:

Confusion still remains as to why these types of privilege are not on the “Manage Privileges” screen along with everything else


Frequently Asked Questions

- What Roles and Policies Should I Have?

- When Should I Use the WebLogic LDAP?

- Can I Have Multiple Identity Providers?

- Where Do I Get My Groups From?

- What are GUIDs?

- Do I Still Need SA System Subject Area?

- What Are The Important Files?

- How Do We Migrate Between Environments?

- Can I Still Use The 10g Security Model?

- How Do You Implement SSL?

- How Do You Implement SSO?

- What Do I Do When it All Goes Wrong?


What Roles and Policies Should I Have? Default Roles and Policies

First of all, use the new default Application Roles to distinguish between your 3 main types of user:

Administrators: BI Administrator Role

Report Developers: BI Author Role

Everyone Else: BI Consumer Role

By default, all authenticated users will get “BI Consumer Role”, so you only need to manage the allocation of BI Author/Administrator Roles

There is typically no need to alter the Application Policies that are assigned to each role

The default policies provide a convenient way to restrict access to core Oracle BI system resources

What Roles and Policies Should I Have? Custom Roles

You can then have your own custom Application Roles to manage access and privileges at a more granular level

For example:

Sales Manager Role: Access to the “Sales Manager” Dashboard

HR Manager Role: Access to the “HR Manager” Dashboards

BI Answers Role: Access to Answers

BI Delivers Role: Access to Delivers

NOTE: In most cases, 1 LDAP Group will map to 1 Application Role


What Roles and Policies Should I Have? A Combination of Default/Custom Roles

[Diagram: LDAP GROUPS (BIAdministrator, BIAuthor, BIConsumer, Sales Manager) and USERS (ASMITH), with APPLICATION ROLES (BIAdministrator, BIAuthor, BIConsumer, Sales Manager, Answers Access, Delivers Access), BI Presentation Services and BI Server]

When Should I Use the WebLogic LDAP?

The Embedded WebLogic LDAP is relatively basic compared to the more “enterprise” LDAP solutions e.g. OID, AD

Oracle advise no more than 1,000 users

Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only)

All other users go in the Corporate LDAP

[Diagram: WebLogic LDAP (Weblogic, BISystemUser, Test users) and Corporate LDAP (all other users) shown with the APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access), BI Presentation Services and BI Server]

Can I Have Multiple Identity Providers?

Yes.

It is possible to add multiple other Identity Providers within WebLogic console

By default, there are two embedded WebLogic providers:

DefaultAuthenticator

DefaultIdentityAsserter

(Embedded Weblogic LDAP)

It is possible though to add further “Identity Providers” e.g. OID


Can I Have Multiple Identity Providers? Support

Multiple Identity Providers with either:

Users and Groups in LDAP

Users and Groups in Database

Users in LDAP and Groups in Database (in 11.1.1.6, patch in 11.1.1.5)

Identity Providers for Authentication (NOTE: not exhaustive):

Weblogic LDAP

Active Directory

iPlanet

Oracle Internet Directory (OID)

Oracle Virtual Directory (OVD)

Novell (eDirectory 8.8)

OpenLDAP

SQL

Tivoli Directory Server 6.2

SQL Group Lookup (New with 11.1.1.6, patch for 11.1.1.5)

Can I Have Multiple Identity Providers?

Adding a New Provider

Adding new Identity Providers is straightforward via the “New” button

Supported providers in red (not exhaustive)

You can reorder the list of providers so that authentication is performed in a different order e.g.

OID

Weblogic LDAP

Can I Have Multiple Identity Providers? BISQLGroupProvider

It is a common situation with Oracle BI Apps where you have:

Users to be authenticated in a Corporate LDAP

Groups to be obtained from the source OLTP (e.g. EBS)

[Diagram: Corporate LDAP, Weblogic LDAP and EBS (Groups) shown with the APPLICATION ROLES (Sales Manager, Answers Access, Delivers Access), BI Presentation Services and BI Server]

The 11g security model now supports this type of arrangement

A new provider “BISQLGroupProvider” is available to obtain Groups from a database:

Available in 11.1.1.6 (with some configuration)

Available in 11.1.1.5 (patch 11667221)

To configure, see Oracle Support article 1428008.1 to obtain the TechNote:

TechNote_LDAP_Auth_DB_Groups_V3.pdf


Can I Have Multiple Identity Providers?

Virtualize=True

When you have multiple Identity Providers you should set the “virtualize = true” custom property within FMW Control:

Bifoundation_domain > Security > Security Provider Configuration

Without this setting:

Only the first identity provider listed will be used by OBI

You won’t be able to log in if the AdminServer dies

NOTE:

If you can get the setting to work, try restarting Managed Server and OPMN processes via FMW Control rather than the command line

Can I Have Multiple Identity Providers? Managing “BISystemUser”

When you implement an additional identity provider, the Oracle BI documentation suggests migrating the BISystemUser to your external LDAP provider.

[Diagram: BISystemUser shown under the Corporate LDAP rather than the WebLogic LDAP]

But what happens if the Corporate LDAP becomes unavailable?

[Diagram: the Corporate LDAP holding BISystemUser is marked “x”]

It is better to keep the BISystemUser account in the WebLogic LDAP store – you can still start up and use Oracle BI even when the Corporate LDAP is unavailable (NOTE: need to set virtualize=true)

[Diagram: BISystemUser kept in the WebLogic LDAP; the Corporate LDAP is marked “x”]

Where Do I Get My Groups From? Multiple Identity Providers

When you have multiple identity providers, the Groups for each user will be obtained from the same provider that they authenticated against

For example:

WebLogic user will obtain Groups from “DefaultAuthenticator”

Corporate End Users will obtain their Groups from “OracleInternetDirectory”, as this is where they are authenticated

Where Do I Get My Groups From? BISQLGroupProvider

A “BI SQL Group Lookup” identity provider is always assigned to a single LDAP provider

The Groups will only come from the BI SQL Group Lookup provider

Any Groups in the LDAP store are ignored

In this example, any user authenticating using “OracleInternetDirectory” will obtain their Groups from the “BISQLGroupProvider”. Any Groups assigned to the user in OID will be ignored.

Where Do I Get My Groups From? WebLogic Console

If you are using the WebLogic LDAP as an authenticator then you will need to maintain your “Groups” in this store

But Groups from other identity providers (e.g. OID) will be automatically integrated (as shown below), you don’t need to create them manually

[Screenshot: WebLogic Console group list, with an External Group from OID highlighted]

Where Do I Get My Groups From? FMW Control

Your internal and external Groups are immediately available to be assigned to Application Roles:

The “BIAuthor Role” will be assigned to users belonging to the corresponding “BIAuthor” groups in both Weblogic LDAP and OID

What are GUIDs?

In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names

GUIDs are identifiers that are completely unique for a given user

Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata is uniquely secured for a specific user, independent of the user name

What are GUIDs? Example Scenario

1) User “ASMITH” has been given access to the “Administrator” screen within the Oracle BI front-end

[Diagram: ASMITH in the Corporate LDAP; ASMITH with “Administration” in BI Presentation Services; BI Server]

2) User “ASMITH” leaves the company and is removed from the Corporate LDAP

3) A few months later, a new “ASMITH” joins the company

4) Can the new “ASMITH” log on to Oracle BI and get Administration privileges?

5) The answer is NO! Because the new “ASMITH” user has a different GUID to the original ASMITH

[Diagram: BI Presentation Services holds ASMITH (1234) with Administration; the Corporate LDAP shows ASMITH (1234) and ASMITH (5678)]

What are GUIDs? The Outcome

In fact, the new “ASMITH” won’t be able to log on at all!

What are GUIDs? Refreshing GUIDs

The GUID feature is there to help secure your OBI environments – especially production

There may however be times when GUIDs become out of sync and you cannot log in as certain users:

Migrating from WebLogic Embedded LDAP to an alternative identity provider

Deleting users and then recreating them

Migrating “Production” Presentation Catalog / RPD to the “Development” environment

In order to work around this, you can either:

Delete the offending users from the Presentation Catalog and log in again

or

Refresh GUIDs (explained overleaf)

© Peak Indicators Limited

62

What are GUIDs? Regenerating GUIDs : Step 1 / 4  Open up the NQSConfig.ini

What are GUIDs? Regenerating GUIDs : Step 1 / 4

Open up the NQSConfig.ini file for editing:

[OBI Home]/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini

Set the following parameter within the [SERVER] section:

FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;

Save the file


What are GUIDs? Regenerating GUIDs : Step 2 / 4

Open up the instanceconfig.xml file for editing:

[OBI Home]/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml

Add an “UpdateAccountGUIDs” entry to the <Catalog> section as follows:

<ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
  <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
  <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
</ps:Catalog>

Save the file


What are GUIDs? Regenerating GUIDs : Step 3 / 4

Restart Oracle BI System components:

$ORACLE_BASE/instances/instance1/bin/opmnctl stopall
$ORACLE_BASE/instances/instance1/bin/opmnctl startall

What are GUIDs? Regenerating GUIDs : Step 4 / 4

To ensure your system is secure once again you must revert the configuration changes!

NQSConfig.ini:

FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;

instanceconfig.xml:

Remove entry for <ps:UpdateAccountGUIDs>

Restart Processes:

opmnctl stopall / startall
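A check that the Step 4 revert really happened, as an added example (not part of the presentation and not Oracle code): it scans the text of NQSConfig.ini and instanceconfig.xml for the two GUID-refresh settings named in Steps 1 and 2. The function names and the sample file contents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Setting names as shown in Steps 1 and 2 of the procedure above.
NQS_PARAM = "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS"
PS_ELEMENT = "UpdateAccountGUIDs"


def nqs_guid_refresh_enabled(nqs_text):
    """True if any active line in the [SERVER] section sets the parameter to YES.

    Lines starting with '#' are comments and are skipped.
    """
    section = None
    for raw in nqs_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*([A-Za-z_ ]+?)\s*\]", line)
        if header:
            section = header.group(1).upper()
            continue
        m = re.match(rf"{NQS_PARAM}\s*=\s*(\w+)\s*;", line, re.IGNORECASE)
        if m and section == "SERVER" and m.group(1).upper() == "YES":
            return True
    return False


def ps_guid_update_entries(instanceconfig_text):
    """Values of every UpdateAccountGUIDs element; XML comments are ignored."""
    root = ET.fromstring(instanceconfig_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == PS_ELEMENT]


def audit(nqs_text, instanceconfig_text):
    """List every GUID-refresh setting that has not been reverted."""
    findings = []
    if nqs_guid_refresh_enabled(nqs_text):
        findings.append(f"NQSConfig.ini: {NQS_PARAM} is still YES")
    for value in ps_guid_update_entries(instanceconfig_text):
        findings.append(f"instanceconfig.xml: <ps:{PS_ELEMENT}> still present ({value})")
    return findings


# Constructed samples (not real configuration files).
SAMPLE_NQS_LEFT_ON = """\
[SERVER]
# FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
"""
SAMPLE_NQS_REVERTED = SAMPLE_NQS_LEFT_ON.replace("= YES;", "= NO;")

SAMPLE_PS_LEFT_ON = """\
<WebConfig>
  <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
    <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
    <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
  </ps:Catalog>
</WebConfig>
"""
# Reverted by commenting the entry out, to show that comments do not count.
SAMPLE_PS_REVERTED = SAMPLE_PS_LEFT_ON.replace(
    "<ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>",
    "<!-- <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs> -->",
)

if __name__ == "__main__":
    for label, nqs, ps in (("left on", SAMPLE_NQS_LEFT_ON, SAMPLE_PS_LEFT_ON),
                           ("reverted", SAMPLE_NQS_REVERTED, SAMPLE_PS_REVERTED)):
        print(label, audit(nqs, ps) or "nothing left enabled")
```

Run it against the real files after the final restart by reading them from the two paths given in Steps 1 and 2 and passing their text to audit().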


Frequently Asked Questions

- What Roles and Policies Should I Have?

- When Should I Use the WebLogic LDAP?

- Can I Have Multiple Identity Providers?

- Where Do I Get My Groups From?

- What are GUIDs?

- What Happens During An Upgrade?

- Do I Still Need SA System Subject Area?

- What Are The Important Files?

- How Do We Migrate Between Environments?

- Can I Still Use The 10g Security Model?

- How Do You Implement SSL?

- How Do You Implement SSO?

- What Do I Do When it All Goes Wrong?


Do I Still Need SA System Subject Area? Delivers Recipients

It is now possible to use an Application Role to specify the recipients of an “Agent”

Previously in 10g this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog

Very rarely done


Do I Still Need SA System Subject Area? Delivery Profiles

Direct access to LDAP Servers

With Oracle BI 11g, Delivers can now access information about users, their groups, and email addresses directly from the configured identity store

In many cases this completely removes the need to extract this information from your corporate directory into a database


What Are The Important Files? config.xml

[middleware]\user_projects\domains\bifoundation_domain\config\config.xml

Contains:

SSL Configuration of Admin and Managed Servers

Definitions and setup of Identity Providers


What Are The Important Files? System-jazn-data.xml

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

Contains definition of all Application Roles

During BI Apps install, you deploy this file to install all the BI Apps roles


What Are The Important Files? cwallet.sso

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso

This is your “Credential Store” containing encrypted usernames/passwords for your system accounts:

BI System User

Web service credentials

RPD passwords

etc

If you don’t know all the passwords, it is a good idea to back this up before you change any configuration… just in case


How Do I Migrate Between Environments? 11g Security Migration Points

[Diagram labels: 1 Weblogic Console; 2 FMW Control; 3; 4; Corporate LDAP; USERS: ASMITH; GROUPS: Sales Manager; APPLICATION ROLES: Sales Manager; BI Presentation Services; Answers Access; Delivers Access; Catalog & Manage Privileges; BI Server; RPD]

How Do I Migrate Between Environments?

The topic of migration is covered in the Rittman Mead blogs:

Just to summarise…


How Do I Migrate Between Environments? Weblogic LDAP Users/Groups

You can import/export the entire set of users/groups within the Weblogic LDAP via the WL Console


If you wish to do an incremental update then you will need to script using WLST


How Do I Migrate Between Environments? Application Roles

To migrate the full set of Application Roles, simply copy/paste the system-jazn-data.xml file to your target environment:

[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml

If you need to do an incremental update then either:

Set up the Application Roles manually via FMW Control

Use WLST scripting


How Do I Migrate Between Environments? During a 10g-11g upgrade?

Running the 11g “Upgrade Assistant” will automatically migrate the 10g security configuration to 11g:

RPD “Groups” migrated to WebLogic LDAP

RPD “Users” migrated to WebLogic LDAP (and assigned to relevant Groups)

Application Role created for each Group

[Figure labels: OBIEE 10g, OBIEE 11g]


Can I Still Use The 10g Security Model?

Yes… if you must!

But hopefully the need for the 10g model is diminishing

The “old” method of using Initialization Blocks to populate USER/GROUP session variables will still work in Oracle BI 11g

Use the new Session Variable “ROLES” instead of “GROUP” to map a user to one or more Application Roles

Whenever you log in, the 10g security model is attempted first

Some users can use the 10g model, others can use 11g

Don’t mix security models for the same user:

A user should authenticate/authorize using either the 11g model or the 10g model… but not both


How Do You Implement SSL?

SSL is the mechanism used to enable secured HTTPS communications between client web browser and the BI Server:

SSL works fully in OBIEE; the implementation details are in the documentation (Security Guide)

You have to do all four sections… no shortcuts!

How Do You Implement SSL? Further Notes

SSL configuration is fiddly by nature, set aside around 2 man-days to configure it for the first time in development

The duration to implement could take longer, since you have to obtain a trusted certificate from a “certificate authority”

Demo certificates are available (but you will get a standard security warning in the browser if you use them)

The following Tech Notes on My Oracle Support complement the Oracle Documentation:

OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1)

Procedure for configuring Node Manager with SSL. (Doc ID 1142995.1)


How Do You Implement SSO? SSO Support (11.1.1.6)

Supported SSO Mechanisms:

Oracle Access Manager (OAM)

Oracle Single Sign on (OSSO)

Windows Native Authentication without IIS (Kerberos)

Weblogic Default Asserter (Client Certificate Authentication)

Other supported features:

EBS ICX Cookie Mechanism

Siteminder 6 via HTTP Header

Go-URL with NQUser / NQPassword

SSO via HTTP header & cookie (requires customisation of BI Config)


How Do You Implement SSO? OAM

With OAM you need an HTTP Proxy and Webgate to sit in front of WebLogic and perform the SSO redirection:


How Do You Implement SSO? Identity Providers

With SSO, the order of authenticators should be as follows:

1. Your LDAP authenticator (Sufficient)

2. Your SSO Asserter (Required)

3. WebLogic Embedded LDAP (Sufficient)

The LDAP authenticator is required for two reasons:

Perform authentication for non-SSO access (e.g. BI Office)

Obtain Groups for users who have authenticated via SSO


How Do You Implement SSO? FMW Control

You also need to enable SSO within FMW Control:

Specify SSO provider

SSO Logon URL

SSO Logoff URL


How Do You Implement SSO? OAM Install Steps


How Do You Implement SSO? Active Directory / Kerberos


A tech note / white paper exists for implementing SSO with AD

Not for the faint hearted!


Error Messages That Could Mean a Million Things


What Do I Do When It All Goes Wrong? Try different logins

1. Try a different user account

2. Try logging on with a system user account e.g. weblogic

3. Confirm you can log on to Weblogic Console and/or FMW Control (to confirm authentication is actually working)

4. Reset the user’s password

5. Archive and delete user from the catalog, restart Presentation Services and then unarchive user back into the catalog

If issue is just with one user


What Do I Do When It All Goes Wrong? Check Services

6. Check OPMN services are running


7. Check database and listener are working to _BIPLATFORM and _MDS schemas (and make sure db passwords have not expired!):


What Do I Do When It All Goes Wrong? Check Log Files

8. Check the Admin and Managed Server log files:

…./user_projects/domains/bifoundation_domain/servers/AdminServer/log

…./user_projects/domains/bifoundation_domain/servers/bi_server1/log

9. Check BI Server and BI Presentation Services logs:

…./instances/instance1/diagnostics/log/OracleBIPresentationServices/coreapplcation

…./instances/instance1/diagnostics/log/OracleBIBIServer/coreapplcation


What Do I Do When It All Goes Wrong? Further Actions

10. Check connectivity to LDAP / AD server is ok (you do this in WebLogic Console – make sure you can see the external Groups and Users)

11. Check HOSTS file has not changed, the very first entry should have IP address and server name

12. Refresh GUIDs

13. Restart WebLogic and OPMN Services

14. Restart WebLogic AdminServer, and then start all other processes from within the WebLogic Admin Console and FMW Control (i.e. no command-line)

15. Restart whole server, then start up WebLogic and OPMN services


What Do I Do When It All Goes Wrong? More Drastic Actions

16. Delete the two “BISystemUser” user entries from Presentation Catalog, then restart services:

[Catalog Root]\root\users


17. Delete the two “sawguidstate” entries from the “System” Presentation Catalog folder, then restart services:

[Catalog Root]\root\system\mktgcache\[Hostname]


What Do I Do When It All Goes Wrong? Last Ditch Attempts….

18. Re-enter “BISystemUser” credentials in the Credential Store, then restart all services:

What Do I Do When It All Goes Wrong? Oracle Technote

19. See Oracle Support article 1359798.1 to download Technote on troubleshooting OBIEE security:

Oracle BI Enterprise Edition 11g Security - Troubleshooting.pdf


What Do I Do When It All Goes Wrong? Contact Oracle!

20. http://support.oracle.com

Closing Thoughts


Closing Thoughts Summary

Security is by nature a complex topic – it is not just complicated in Oracle BI

There is obviously more work that can be done to simplify things in Oracle BI 11g but let’s try to be pleased with what we have:

A huge array of security capability

Support for small implementations all the way up to very large enterprise deployments

A common model across Fusion Middleware applications


Questions?

Helping Your Business Intelligence Journey