-
ConfiguringODIExternalUserAuthenticationNote:Instructionsandanytextthatyouneedtomodifyareenclosedin.
Thistutorialcontainsthefollowingsections:
PurposeTimetoCompleteOverviewScenarioSoftwareandHardwareRequirementsPrerequisitesUseSQLDevelopertocreateanRDBMS(11g)Schema/UserforanewODIMasterRepositoryEdittheODIStudiojpsconfig.xmlFiletoPointtoYourExternalOIDLDAPServerSwitchtheMasterRepositoryAuthenticationModeBetweenExternalandInternalAuthenticationEditanODIStandaloneAgentjpsconfig.xmlFiletoPointtoYourExternalOIDLDAPServerUnderstandExternalUserAuthenticationinaJavaEEContextSummaryResources
Purpose
ThistutorialwalksyouthroughthestepsneededtoconfigureOracleDataIntegrator(ODI)forexternaluserauthentication.
TimetoComplete
Approximately20minutes
Overview
OracleDataIntegratorstoresalluserinformationaswellasusers'privilegesinthemasterrepositorybydefault.WhenauserlogsintoODI,itlogsinagainstthemasterrepository.ThisauthenticationmethodiscalledInternalAuthentication.
OracleDataIntegratorcanoptionallyuseOraclePlatformSecurityServices(OPSS),astandardsbasedandportablesecurityframeworkforJavaapplications,toauthenticateitsusersagainstanexternalIdentityStore,whichcontainsenterpriseusersandpasswords.Suchanidentitystoreisusedattheenterpriselevelbyallapplications,inordertohavecentralizeduserandpassworddefinitionsandSingleSignOn(SSO).Insuchaconfiguration,theODImasterrepositoryonlycontainsreferencestotheseenterpriseusers.ThisauthenticationmethodiscalledExternalAuthentication.
Note:WhenusingExternalAuthentication,onlyusersandtheirpasswordsareexternalized.ODIprivilegesremainwithintherepository.Dataserversandcontextpasswordsalsoremaininthemasterrepository.Itispossibletoexternalizedataserverandcontextpasswords,usingtheODIExternalPasswordStoragefeature.
ODIcanauthenticateitsusersagainstavarietyofexternalidentitystores,suchasOracleInternetDirectory(OID)LDAPServerorWebLogicServer.ThisOBEprovidesastepbystepwalkthroughoftheprocessofconfiguringODIwithOIDLDAPServer.Thestepsforconfiguringauthenticationwithotherexternalidentitystoresareverysimilar.
Note:ThestepstoconfigureODIexternaluserauthenticationarealsooutlinedintheODI11gDeveloper'sGuide.
Inthistutorial,youlearnhowto:
UseSQLDevelopertocreateanRDBMS(11g)Schema/UserforanewODIMasterRepositoryEdittheODIStudiojpsconfig.xmlfiletopointtoyourexternalOIDLDAPServerCreateanewODIMasterRepositoryusinganauthenticateduserintheexternalOIDLDAPServerSwitchtheMasterRepositoryauthenticationmodebetweenexternalandinternalauthenticationEditanODIstandaloneagentjpsconfig.xmlfiletopointtoyourexternalOIDLDAPServerUnderstandexternaluserauthenticationinaJavaEEcontext
-
Scenario
YouworkasadatabaseadministratorforGlobalEnterprise.InGlobalEnterprise,youareresponsibleformanagingthesecurityoftheOracleDataIntegratordevelopmentenvironment.InsteadofrelyingupontheinternaluserauthenticationavailableinODI,youwillestablishexternaluserauthentication,takingadvantageoftheuseraccountsmanagedbyyourcompany'scentralizedOIDLDAPServer.
SoftwareandHardwareRequirements
Thefollowingisalistofsoftwarerequirements:
Thesystemshouldincludethefollowinginstalledproducts:OracleDatabase11gOracleDataIntegrator11gRelease1AnexternalauthenticationprovidersuchasLDAP,OID,orWLS
Ifnotdonebefore,starttheservicesandcomponentsforOracleDatabase11g.
Prerequisites
Beforeyoustartthetasks,makesurethatyoursystemenvironmentmeetsthefollowingrequirements:
-
1.
YouhaveinstalledOracleDatabase11g.Ifnotdonebefore,starttheservicesandcomponentsforOracleDatabase11g.
2. YouhaveinstalledOracleDataIntegrator11gRelease1.
.
YouhaveinstalledanexternalauthenticationprovidersuchasLDAP,OID,orWLS.
UseSQLDevelopertocreateanRDBMS(11g)Schema/UserforanewODIMasterRepository
1.
StartSQLDeveloperbyselectingStart>Programs>[OracleDatabasehome]>ApplicationDevelopment>SQLDeveloper.WhenSQLDeveloperopens,closetheLoggingPageLogtab.
2. InSQLDeveloper,createanewconnection.
3.
Namethisnewconnection:Administrator.EnterSYSTEMforUsername.Enteroracle1forPassword.ForSID,enter:ORCL.CliskTest,andthenclickConnect.Click+toexpandconnectionAdministrator.
-
4.
YouhavetocreatetheRDBMSschema/user(Oracle11g)fortheMasterrepository.TheschemascanbecreatedbyexecutingthefollowingSQLcommands:
createuseridentifiedbydefaulttablespacetemporarytablespacegrantconnect,resourceto
Where:correspondstothenameoftheschemathatyouwanttocreatecorrespondstothepasswordthatyougavecorrespondstotheOracletablespacewherethedatawillbestoredcorrespondstothetemporarydefaulttablespace
Inthisexample,tocreatetheuservishalformasterrepository,enterthefollowingcommand.ClickExecutestatementicon.
createuservishalidentifiedbyvishaldefaulttablespaceuserstemporarytablespacetemp
Note:Inthiscommand,vishalisthevalueofthepasswordtoconnecttotheuservishal.
EdittheODIStudiojpsconfig.xmlFiletoPointtoYourExternalOIDLDAPServer
Inthisexample,wearegoingtopointtoanexternalidentitystorethatisanOIDLDAPServer.Foryourpurposes,usethefollowinginstructionstopointtoyourownidentitystore,whichmightbeanOIDorWebLogicorotherLDAPServer.
Let'stakealookatatypicalOIDLDAPServer,whichhasausernamedSUPERVISORalreadydefined.Later,thisSUPERVISORuserwillbecomeourexternallyauthenticatedODIuser.
OracleDirectoryServicesManagercanbeusedtolookatthecontentsofanOIDLDAPServer:
-
Below,weseetheusernamedSUPERVISOR.LaterinthisOBE,wewillseehowtodefineanewODIMasterRepositoryusingthisexternallyauthenticatedSUPERVISORuser:
1.
TheconfigurationtoconnecttoandusetheidentitystoreiscontainedinanOPSSConfigurationfilecalledjpsconfig.xmlfile.Editthejpsconfig.xmlfiletopointtoyourexternalOIDLDAPServer.
Note:Thefollowingsamplesectionfromajpsconfig.xmlfilepointstoanimaginaryOIDLDAPServer.Donotattempttocopythissampleliterallyforyourenvironment.RefertotheOracleFusionMiddlewareSecurityGuideformoreinformationoneditingyourjpsconfig.xmlfile.
Thesamplesection,below,fromajpsconfig.xmlfileshowsanLDAPServersectionadded,inwhichthecredentialsfortheLDAPServerareestablished:
-
user.search.bases
cn=users,dc=us,dc=oracle,dc=com
group.search.bases
cn=groups,dc=us,dc=oracle,dc=com
ReferencethisserviceinstanceinthedefaultJPScontextbyitsnameidstore.oidandalsoaddtheloginmoduleconfigurationasfollows:
Aftereditingthisfiletopointtoyourexternalidentitystore,copythefileintotheODI_HOME/oracledi/client/odi/bin/directory.TheODIStudioreadstheidentitystoreconfigurationandauthenticatesagainsttheconfiguredidentitystore.
Ifyouwanttolocatethisfileinadifferentlocation,edittheODI_HOME/oracledi/client/odi/bin/odi.conffileandedittheoptionthatsetsthelocationoftheconfigurationfile.Thisoptionissetinthefollowingline:
AddVMOptionDoracle.security.jps.config=./jpsconfig.xml
Bydefault,odi.confexpectsjpsconfig.xmltoresideinthesameexecutiondirectoryasodi.conf.
2.
Runthescripttosetupthecredentialsforidstore.oidorotherLDAPintheidentitystore:
Navigatetowheretherun_credtoolscriptresidesinyourenvironment,perhaps/custom/FusionLibraries/tools.Runtherun_credtool.cmdorshscript.Whenthescriptpromptsforinput,defaultsareshownin[].
Entertheinputonthelinefollowingtheprompt.Thefollowing5linesshowyouwhichdefaultstotake.Inthe5thline,usethelocationpathwhereyourjpsconfig.xmlfileresides:
[input]Alias:[JPS][input]Key:[ldap.credential][input]UserName:cn=username[input]Password:password[input]JPSConfig:[ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jpsconfig.xml]
Note:TheAliasandKeyinputmustmatchthevaluesusedintheserviceInstancesecurity.principal.aliasandsecurity.principal.keyrespectively.Again,refertotheOracleFusionMiddlewareSecurityGuideformoreinformationoneditingyourjpsconfig.xmlfile.
3. RestarttheWebLogicServerdomain.
-
CreateanewODIMasterRepositoryReferencingaUserintheExternalOIDLDAPServer
1.
InthenextfewstepsyoucreatetheODIMasterrepository.StartOracleDataIntegrator:Start>Programs>OracleODI11gHome>OracleDataIntegrator>ODIStudio
2.
OpentheNewGallerybychoosingFile>New.IntheNewGallery,intheCategoriestree,selectODI.SelectfromtheItemslisttheMasterRepositoryCreationWizard.ClickOK.TheMasterRepositoryCreationWizardappears.
3.
IntheMasterRepositoryCreationWizard,selectthebrowseiconoftheJDBCDriverandthenselectOracleJDBCDriver.ClickOK.EdittheJDBCURLtoread:jdbc:oracle:thin:localhost:1521:orclEntertheUserasvishalandthePasswordasvishal.ClicktheTestConnectionbuttonandverifysuccessfulconnection.ClickOK.ClickNextontheMasterRepositoryCreationWizardscreen.
-
4.
IntheAuthenticationwindow,selectUseExternalAuthentication.(IfyouhadselectedUseODIAuthentication,youwouldhavebeenusingODI'sinternalauthentication.)
EnterSupervisorUserandSupervisorPassword,astheyexistinyourexternaldatastoreinourcase,wearespecifyingtheuser"SUPERVISOR"inourOIDLDAPServer.ClickNext.
Note:UsernamesandpasswordsarecasesensitiveinODI.
-
5.
InthePasswordStoragewindow,selectInternalpasswordStorage,andthenclickFinish.WhentheMasterRepositoryissuccessfullycreated,youwillseetheOracleDataIntegratorInformationmessage.ClickOK.TheODIMasterrepositoryisnowcreated.
-
6.
YouconnecttotheODIMasterrepositorybycreatinganewODIMasterLogin.OpentheNewGallerybychoosingFile>New.IntheNewGallery,intheCategoriestree,selectODI.FromtheItemslist,selectCreateaNewODIRepositoryLogin.
7.
ConfigureRepositoryConnectionswiththeparametersfromthetableprovidedbelow.
IntheOracleDataIntegratorConnectionsection,entertheUserandPasswordoftheauthenticateduserinyourexternalstore.Inthisexample,wespecifySUPERVISOR/SUNOPSISfromtheOIDLDAPServer.
IntheDatabaseConnection(MasterRepository)section,entertheUserandPasswordoftheschemauseryoucreatedforthemasterrepository.Inthisexample,wespecifyvishal/vishal.
ToentertheJDBCURL,clickthebuttonnexttoJDBCURLfieldandselectjdbc:oracle:thin:@::asshowninthescreenshot,thenedittheURL.SelectMasterRepositoryOnlybutton.ClickTestbutton.VerifysuccessfulconnectionandclickOK.ClickOKtosavetheconnection.
OracleDataIntegratorConnection
Parameter Value
LoginName MasterRepository
User SUPERVISOR
Password SUNOPSIS
DatabaseConnection(MasterRepository)
-
Parameter Value
User vishal
Password vishal
DriverList OracleJDBCDriver
DriverName oracle.jdbc.OracleDriver
Url jdbc:oracle:thin:@localhost:1521:orcl
Note:DonotcopyandpasteintheJDBCURLfield.ThismaycauseproblemswithenteringavalidURLstring.Instead,openthedropdownmenuandselectthecorrectdriverfromthelist.TypethecorrectURLintheURLfield.
-
SwitchtheMasterRepositoryAuthenticationModeBetweenExternalandInternalAuthentication
1.
SwitchingtheauthenticationmodeoftheOracleDataIntegratorrepositorychangesthewayusersauthenticate.ThisoperationmustbeperformedbyaSupervisoruser.
WARNING:
WhenswitchingfromanExternaltoInternalauthentication,userpasswordsarenotcopiedfromtheidentitystoretotherepository.Thepasswordsarenullified.AlltheuseraccountsaremarkedasexpiredandmustbereactivatedbyaSUPERVISORthatiscreatedduringtheswitch.
WhenswitchingfromInternaltoExternalauthentication,theusersthatexistintherepositoryandmatchauserintheidentitystoreareautomaticallymapped.Usersthatdonotmatchauserintheidentitystorearedisabled.ASupervisormustedittheuserssothattheirnamehasamatchintheidentitystore.
Thecontextpasswordsarelost.Passwordsfordataservers,jdbcpasswordoftheworkrepository,andESSrelatedpasswordsareremovedfromtheircredentialstore.
UsetheSwitchAuthenticationModewizardtochangetheuserauthenticationmode.
BeforelaunchingtheSwitchAuthenticationModewizardperformthefollowingtasks:
DisconnectOracleDataIntegratorStudiofromtherepository.
ShutdowneverycomponentusingtheOracleDataIntegratorrepository.
TousetheSwitchAuthenticationModewizard:
FromtheODImainmenu,selectSwitchAuthenticationMode.
-
TheSwitchAuthenticationModewizardappears.
2.
SpecifytheJDBCconnectivitydetailsofyourOracleDataIntegratormasterrepositoryasdefinedwhenyouconnectedtotheMasterRepository.
-
ClickNext.
3.
Thenextactionvaries,dependingonthecurrentAuthenticationModeinuse:
IfcurrentlyusingInternalAuthentication,youarepromptedtoswitchtoexternalauthentication.IfcurrentlyusingExternalAuthentication,youarepromptedtoswitchtointernalauthentication.YoumustprovideandconfirmapasswordfortheSUPERVISORuserthatthewizardwillautomaticallycreateintherepository.
-
ClickFinish.
TheAuthenticationmodeischanged.
Ifyouhaveswitchedfromexternaltointernalauthentication,youcannowreconnecttotheOracleDataIntegratorrepositoryasSUPERVISOR,withthepasswordyouhaveprovidedinthewizard.Onceconnected,youcanediteachusertoreactivateitandsetapasswordforthisuser.Ifyouhaveswitchedfrominternaltoexternalauthentication,youcannowreconnecttotheOracleDataIntegratorrepositoryasoneoftheuserswithsupervisorprivileges,andreenabletheOracleDataIntegratorusersthathavebeendisabledduringtheswitch.
4. ReactivatingUsersAfterSwitchingtoInternalAuthentication
ToreactivateaUser:
1. InSecurityNavigatorexpandtheUsersaccordion.2.
Selecttheuserthatyouwanttoreactivatefromthelistofusers.3.
RightclickandselectEdit.TheUsereditorappears.4.
UnselectAllowExpirationDate.5.
Ifyouwanttosetapasswordforthisuser,clickChangePasswordandenterthenewpasswordforthis
user.6. FromtheFilemainmenu,selectSave.7.
ReEnableUsersAfterSwitchingtoExternalAuthentication.
ToreenableaUser:
1. InSecurityNavigatorexpandtheUsersaccordion.2.
Selecttheuserthatyouwanttoreenablefromthelistofusers.3.
RightclickandselectEdit.TheUsereditorappears.4.
IntheNamefield,enterausernamethatmatchestheloginofanenterpriseuserintheidentitystore.5.
ClickRetrieveGUID.Iftheusernamehasamatchintheidentitystore,thisexternaluser'sGUIDappearin
theExternalGUIDfield.6. FromtheFilemainmenu,selectSave.
EditanODIStandaloneAgentjpsconfig.xmlFiletoPointtoYourExternalOIDLDAP
-
Server
1.
AcommontaskusingODIistosetupandinstallODIagents.AftertheODIscenariosarecreated,theycanbescheduledandorchestratedusinganODIagent,whichisalightweightJavaprocessthatorchestratestheexecutionofODIscenarios.
Forstandaloneagents,theconfigurationtoconnectandusetheexternalidentitystoreiscontainedinacopyofthesameOPSSconfigurationfilejpsconfig.xmlthatyouusedtoconfiguretheODIStudio.
However,youneedtoplacethecopyofthisfileforstandaloneagentinadifferentfolder.CopythisfiletotheODI_HOME/oracledi/agent/bin/directory.Theagentandthecommandlinescriptswillauthenticateagainsttheconfiguredidentitystore.
RefertotheOracleFusionMiddlewareSecurityGuideformoreinformation.
2. Edittheodiparams.shfile,enteringappropriatevalues,suchas:
ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriverODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdbODI_MASTER_USER=EAMASTERODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0pODI_SECU_WORK_REP=WORKREP1ODI_SUPERVISOR=SUPERVISORODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt
3. Toencodethepassword:/oracledi/agent/bin/encode.sh
UnderstandExternalUserAuthenticationinaJavaEEContext
1.
OracleDataIntegratorcomponentsdeployedinacontainer(JavaEEAgent,OracleDataIntegratorConsole)donotrequireaspecificconfiguration.Theyusetheconfigurationoftheircontainer.
RefertotheOracleFusionMiddlewareSecurityGuideformoreinformationonOPSSconfigurationinaJavaEE
-
context.
InJRFenabledJ2EEcontainers(AgentinWebLogicServer[WLS]):ConfigureJavaRequiredFiles(JRF)onWLS.AssoonasyouconfigureyourJ2EEcontainer(currentlyonlyWLSissupported)withJRFenabled,OPSSwillbeconfiguredfortheapplicationdeployedinside.Bydefault,OPSSisconfiguredtousetheWLSinternalLDAPIdentityStore.YouneedtoconfigureanewAuthenticatorinsideWLSifyouwanttouseanexternal,centralOID.
UsefulresourcesIntroductiontoOraclePlatformSecurityServices:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/underjps.htm
OPSSConfigurationFileReference:
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/apjpscfg.htm#BEHDBJED
SummaryInthistutorial,youhavelearnedhowto:
UseSQLDevelopertocreateanRDBMS(11g)Schema/UserforanewODIMasterRepositoryEdittheODIStudiojpsconfig.xmlfiletopointtoyourexternalOIDLDAPServerCreateanewODIMasterRepositoryusinganauthenticateduserintheexternalOIDLDAPServerSwitchtheMasterRepositoryauthenticationmodebetweenexternalandinternalauthenticationEditanODIstandaloneagentjpsconfig.xmlfiletopointtoyourexternalOIDLDAPServerUnderstandexternaluserauthenticationinaJavaEEcontext
ResourcesOracleDataIntergator11gDocumentationTolearnmoreaboutotherOracleproducts,refertoadditionalOBEsintheLearningLibrary.
AboutOracle|OracleandSun|
|Careers|ContactUs|SiteMaps|LegalNotices|TermsofUse|YourPrivacyRights
