
10/07/12 Configuring ODI External User Authentication

1/16 oracle.com/webfolder/technetwork/tutorials/obe/fmw/odi/odi_11g/…/odi_external_authentication.htm


Configuring ODI External User Authentication

Note: Instructions and any text that you need to modify are enclosed in <>.

Purpose

This tutorial walks you through the steps needed to configure Oracle Data Integrator (ODI) for external user authentication.

Time to Complete

Approximately 20 minutes

Overview

Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a user logs in to ODI, it logs in against the master repository. This authentication method is called Internal Authentication.

Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable security framework for Java applications, to authenticate its users against an external Identity Store, which contains enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository only contains references to these enterprise users. This authentication method is called External Authentication.

Note: When using External Authentication, only users and their passwords are externalized. ODI privileges remain within the repository. Data servers and context passwords also remain in the master repository. It is possible to externalize data server and context passwords, using the ODI External Password Storage feature.

ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID LDAP Server. The steps for configuring authentication with other external identity stores are very similar.

Note: The steps to configure ODI external user authentication are also outlined in the ODI 11g Developer's Guide.

In this tutorial, you learn how to:

Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context

Scenario

You work as a database administrator for Global Enterprise. In Global Enterprise, you are responsible for managing the security of the Oracle Data Integrator development environment. Instead of relying upon the internal user authentication available in ODI, you will establish external user authentication, taking advantage of the user accounts managed by your company's centralized OID LDAP Server.


This tutorial contains the following sections:

Purpose
Time to Complete
Overview
Scenario
Software and Hardware Requirements
Prerequisites
Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server
Switch the Master Repository Authentication Mode Between External and Internal Authentication
Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server
Understand External User Authentication in a Java EE Context
Summary
Resources


Software and Hardware Requirements

The following is a list of software requirements:

The system should include the following installed products:

Oracle Database 11g
Oracle Data Integrator 11g Release 1
An external authentication provider such as LDAP, OID, or WLS

If not done before, start the services and components for Oracle Database 11g.

Prerequisites

Before you start the tasks, make sure that your system environment meets the following requirements:

1. You have installed Oracle Database 11g. If not done before, start the services and components for Oracle Database 11g.

2. You have installed Oracle Data Integrator 11g Release 1.

3. You have installed an external authentication provider such as LDAP, OID, or WLS.

Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository

1. Start SQL Developer by selecting Start > Programs > [Oracle Database home] > Application Development > SQL Developer. When SQL Developer opens, close the Logging Page – Log tab.


2. In SQL Developer, create a new connection.

3. Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID, enter: ORCL. Click Test, and then click Connect. Click "+" to expand the connection Administrator.


4. You have to create the RDBMS schema/user (Oracle 11g) for the Master repository. The schema can be created by executing the following SQL commands:

    create user <MY_SCHEMA> identified by <MY_PASS>
    default tablespace <MY_TBS> temporary tablespace <MY_TEMP>;
    grant connect, resource to <MY_SCHEMA>;

Where:

<MY_SCHEMA> corresponds to the name of the schema that you want to create
<MY_PASS> corresponds to the password that you gave
<MY_TBS> corresponds to the Oracle tablespace where the data will be stored
<MY_TEMP> corresponds to the temporary default tablespace

In this example, to create the user vishal for the master repository, enter the following command. Click the Execute Statement icon.

    create user vishal identified by vishal
    default tablespace users temporary tablespace temp;

Note: In this command, the second vishal is the value of the password to connect to the user vishal.


Edit the ODI Studio jps-config.xml File to Point to Your External OID LDAP Server

In this example, we are going to point to an external identity store that is an OID LDAP Server. For your purposes, use the following instructions to point to your own identity store, which might be an OID or WebLogic or other LDAP Server.

Let's take a look at a typical OID LDAP Server, which has a user named SUPERVISOR already defined. Later, this SUPERVISOR user will become our externally authenticated ODI user.

Oracle Directory Services Manager can be used to look at the contents of an OID LDAP Server:

Below, we see the user named SUPERVISOR. Later in this OBE, we will see how to define a new ODI Master Repository using this externally authenticated SUPERVISOR user:


1. The configuration to connect to and use the identity store is contained in an OPSS configuration file called jps-config.xml. Edit the jps-config.xml file to point to your external OID LDAP Server.

Note: The following sample section from a jps-config.xml file points to an imaginary OID LDAP Server. Do not attempt to copy this sample literally for your environment. Refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.

The sample section, below, from a jps-config.xml file shows an LDAP Server section added, in which the credentials for the LDAP Server are established:

    <!-- JPS OID LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
        <property name="subscriber.name" value="dc=us,dc=oracle,dc=com" />
        <property name="idstore.type" value="OID" />
        <!-- alias/key must match the Alias and Key entered in run_credtool -->
        <property name="security.principal.key" value="ldap.credential"/>
        <property name="security.principal.alias" value="JPS"/>
        <property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****" />
        <extendedProperty>
            <name>user.search.bases</name>
            <values>
                <value>cn=users,dc=us,dc=oracle,dc=com</value>
            </values>
        </extendedProperty>
        <extendedProperty>
            <name>group.search.bases</name>
            <values>
                <value>cn=groups,dc=us,dc=oracle,dc=com</value>
            </values>
        </extendedProperty>
        <property name="username.attr" value="uid" />
        <property name="groupname.attr" value="cn" />
    </serviceInstance>

Reference this service instance in the default JPS context by its name idstore.oid and also add the login module configuration as follows:

    <jpsContext name="default">
        <!-- the ref value must match the serviceInstance name exactly -->
        <serviceInstanceRef ref="idstore.oid"/>
        <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>

After editing this file to point to your external identity store, copy the file into the ODI_HOME/oracledi/client/odi/bin/ directory. The ODI Studio reads the identity store configuration and authenticates against the configured identity store.

If you want to locate this file in a different location, edit the ODI_HOME/oracledi/client/odi/bin/odi.conf file and edit the option that sets the location of the configuration file. This option is set in the following line:

    AddVMOption -Doracle.security.jps.config=./jps-config.xml

By default, odi.conf expects jps-config.xml to reside in the same execution directory as odi.conf.

2. Run the script to set up the credentials for idstore.oid or other LDAP in the identity store:

Navigate to where the run_credtool script resides in your environment, perhaps <HOME>/custom/FusionLibraries/tools. Run the run_credtool.cmd or run_credtool.sh script.

When the script prompts for input, defaults are shown in [].

Enter the input on the line following the prompt. The following 5 lines show you which defaults to take. In the 5th line, use the location path where your jps-config.xml file resides:


    [input] Alias: [JPS]
    [input] Key: [ldap.credential]
    [input] User Name: cn=user name
    [input] Password: password
    [input] JPS Config: [ORACLE_HOME\custom\FusionLibraries\tools/../../../config/jps-config.xml]

Note: The Alias and Key input must match the values used in the serviceInstance security.principal.alias and security.principal.key respectively.

Again, refer to the Oracle Fusion Middleware Security Guide for more information on editing your jps-config.xml file.
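The two things that most often break this step are a serviceInstanceRef whose ref value does not match the serviceInstance name character for character, and a credtool Alias/Key that differs from the security.principal.alias / security.principal.key properties. The following Python script is an added example (it is not part of the Oracle tutorial or of OPSS) that parses a jps-config.xml and reports those inconsistencies, along with a leftover placeholder ldap.url and a non-ldaps URL. The sample XML, the host oid.example.com, the finding codes and the function names are constructed for this example.

```python
"""Consistency checks for the identity-store section of an OPSS jps-config.xml.

Added example, not part of the Oracle tutorial. Verifies that every
serviceInstanceRef in the default jpsContext names a real serviceInstance,
that the LDAP store has no leftover placeholder URL, and that the
security.principal.alias / .key properties match the run_credtool inputs.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the tutorial fragment, including its two
# pitfalls: whitespace inside ref="..." and the placeholder ldap.url.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
      <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
      <property name="idstore.type" value="OID"/>
      <property name="security.principal.key" value="ldap.credential"/>
      <property name="security.principal.alias" value="JPS"/>
      <property name="ldap.url" value="ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****"/>
      <property name="username.attr" value="uid"/>
    </serviceInstance>
    <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref=" idstore.oid "/>
      <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def corrected_sample():
    """Same file with the ref fixed and a constructed ldaps:// URL (host is made up)."""
    return (SAMPLE_JPS_CONFIG
            .replace('ref=" idstore.oid "', 'ref="idstore.oid"')
            .replace("ldap://*****PUT_YOUR_LDAP_SERVER_HERE*****",
                     "ldaps://oid.example.com:3131"))


def _local(tag):
    """'{uri}name' -> 'name', so the checks work with or without the jps namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def check_jps_config(xml_text, credtool_alias, credtool_key, context="default"):
    """Return a list of (severity, code, message); an empty list means consistent."""
    findings = []
    root = ET.fromstring(xml_text)

    # Collect every serviceInstance with its <property name= value=> pairs.
    instances = {}
    for el in root.iter():
        if _local(el.tag) == "serviceInstance":
            props = {p.get("name"): p.get("value") for p in _children(el, "property")}
            instances[el.get("name")] = (el.get("provider"), props)

    # 1. Every ref in the chosen jpsContext must name an instance exactly.
    contexts = [c for c in root.iter()
                if _local(c.tag) == "jpsContext" and c.get("name") == context]
    if not contexts:
        findings.append(("error", "CONTEXT_MISSING", f"no <jpsContext name={context!r}>"))
    for ctx in contexts:
        for ref in _children(ctx, "serviceInstanceRef"):
            name = ref.get("ref", "")
            if name not in instances:
                hint = " (stray whitespace around the name)" if name.strip() in instances else ""
                findings.append(("error", "REF_NO_MATCH",
                                 f"serviceInstanceRef ref={name!r} matches no serviceInstance{hint}"))

    # 2. Per LDAP identity-store instance: required properties, URL, credential alias/key.
    required = ("subscriber.name", "ldap.url", "security.principal.alias", "security.principal.key")
    for name, (provider, props) in instances.items():
        if provider != "idstore.ldap.provider":
            continue
        for prop in required:
            if prop not in props:
                findings.append(("error", "MISSING_PROPERTY", f"{name}: property {prop} not set"))
        url = props.get("ldap.url", "")
        if "*****" in url or "PUT_YOUR" in url:
            findings.append(("error", "LDAP_URL_PLACEHOLDER",
                             f"{name}: ldap.url still carries the tutorial placeholder"))
        elif url and urlsplit(url).scheme != "ldaps":
            # ldap:// sends the bind credential in clear text unless StartTLS is negotiated.
            findings.append(("warning", "LDAP_URL_CLEARTEXT", f"{name}: ldap.url {url!r} is not ldaps://"))
        # 3. The credtool Alias/Key must equal the instance's alias/key exactly.
        if props.get("security.principal.alias", credtool_alias) != credtool_alias:
            findings.append(("error", "CRED_ALIAS_MISMATCH",
                             f"{name}: alias {props['security.principal.alias']!r} != credtool {credtool_alias!r}"))
        if props.get("security.principal.key", credtool_key) != credtool_key:
            findings.append(("error", "CRED_KEY_MISMATCH",
                             f"{name}: key {props['security.principal.key']!r} != credtool {credtool_key!r}"))
    return findings


if __name__ == "__main__":
    for label, text in (("tutorial sample", SAMPLE_JPS_CONFIG), ("corrected", corrected_sample())):
        result = check_jps_config(text, "JPS", "ldap.credential")
        print(f"{label}: {'OK' if not result else ''}")
        for severity, code, message in result:
            print(f"  [{severity}] {code}: {message}")
```

Run it against your own file by reading it from disk and passing the same Alias and Key you typed into run_credtool; the whitespace hint in REF_NO_MATCH exists because the tutorial's own fragment (ref=" idstore.oid ") would not resolve as written.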

3. Restart the WebLogic Server domain.

Create a new ODI Master Repository Referencing a User in the External OID LDAP Server

1. In the next few steps you create the ODI Master repository. Start Oracle Data Integrator: Start > Programs > Oracle ODI 11g-Home > Oracle Data Integrator > ODI Studio

2. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. Select the Master Repository Creation Wizard from the Items list. Click OK. The Master Repository Creation Wizard appears.


3. In the Master Repository Creation Wizard, select the browse icon of the JDBC Driver and then select Oracle JDBC Driver. Click OK. Edit the JDBC URL to read: jdbc:oracle:thin:@localhost:1521:orcl

Enter the User as vishal and the Password as vishal. Click the Test Connection button and verify successful connection. Click OK. Click Next on the Master Repository Creation Wizard screen.

4. In the Authentication window, select Use External Authentication. (If you had selected Use ODI Authentication, you would have been using ODI's internal authentication.)

Enter the Supervisor User and Supervisor Password as they exist in your external identity store; in our case, we are specifying the user "SUPERVISOR" in our OID LDAP Server. Click Next.

Note: User names and passwords are case-sensitive in ODI.


5. In the Password Storage window, select Internal Password Storage, and then click Finish. When the Master Repository is successfully created, you will see the Oracle Data Integrator Information message. Click OK. The ODI Master repository is now created.


6. You connect to the ODI Master repository by creating a new ODI Master Login. Open the New Gallery by choosing File > New. In the New Gallery, in the Categories tree, select ODI. From the Items list, select Create a New ODI Repository Login.

7. Configure the Repository Connection with the parameters from the table provided below.

In the Oracle Data Integrator Connection section, enter the User and Password of the authenticated user in your external store. In this example, we specify SUPERVISOR/SUNOPSIS from the OID LDAP Server.

In the Database Connection (Master Repository) section, enter the User and Password of the schema user you created for the master repository. In this example, we specify vishal/vishal.

To enter the JDBC URL, click the button next to the JDBC URL field and select jdbc:oracle:thin:@<host>:<port>:<sid> as shown in the screenshot, then edit the URL. Select the Master Repository Only button. Click the Test button. Verify successful connection and click OK. Click OK to save the connection.

Oracle Data Integrator Connection

    Parameter     Value
    Login Name    Master Repository
    User          SUPERVISOR
    Password      SUNOPSIS

Database Connection (Master Repository)

    Parameter     Value
    User          vishal
    Password      vishal
    Driver List   Oracle JDBC Driver
    Driver Name   oracle.jdbc.OracleDriver
    Url           jdbc:oracle:thin:@localhost:1521:orcl

Note: Do not copy and paste in the JDBC URL field. This may cause problems with entering a valid URL string. Instead, open the drop-down menu and select the correct driver from the list. Type the correct URL in the URL field.

Switch the Master Repository Authentication Mode Between External and Internal Authentication

1. Switching the authentication mode of the Oracle Data Integrator repository changes the way users authenticate. This operation must be performed by a Supervisor user.

WARNING:

When switching from External to Internal authentication, user passwords are not copied from the identity store to the repository. The passwords are nullified. All the user accounts are marked as expired and must be reactivated by a SUPERVISOR that is created during the switch.

When switching from Internal to External authentication, the users that exist in the repository and match a user in the identity store are automatically mapped. Users that do not match a user in the identity store are disabled. A Supervisor must edit the users so that their name has a match in the identity store.

The context passwords are lost. Passwords for data servers, the JDBC password of the work repository, and ESS related passwords are removed from their credential store.

Use the Switch Authentication Mode wizard to change the user authentication mode.

Before launching the Switch Authentication Mode wizard, perform the following tasks:

Disconnect Oracle Data Integrator Studio from the repository.
Shut down every component using the Oracle Data Integrator repository.

To use the Switch Authentication Mode wizard:

From the ODI main menu, select Switch Authentication Mode. The Switch Authentication Mode wizard appears.


2. Specify the JDBC connectivity details of your Oracle Data Integrator master repository as defined when you connected to the Master Repository. Click Next.

3. The next action varies, depending on the current Authentication Mode in use:

If currently using Internal Authentication, you are prompted to switch to external authentication.

If currently using External Authentication, you are prompted to switch to internal authentication. You must provide and confirm a password for the SUPERVISOR user that the wizard will automatically create in the repository.

Click Finish. The Authentication mode is changed.

If you have switched from external to internal authentication, you can now re-connect to the Oracle Data Integrator repository as SUPERVISOR, with the password you have provided in the wizard. Once connected, you can edit each user to reactivate it and set a password for this user.

If you have switched from internal to external authentication, you can now re-connect to the Oracle Data Integrator repository as one of the users with supervisor privileges, and re-enable the Oracle Data Integrator users that have been disabled during the switch.

4. Reactivating Users After Switching to Internal Authentication

To reactivate a User:

1. In Security Navigator, expand the Users accordion.
2. Select the user that you want to reactivate from the list of users.
3. Right-click and select Edit. The User editor appears.
4. Un-select Allow Expiration Date.
5. If you want to set a password for this user, click Change Password and enter the new password for this user.
6. From the File main menu, select Save.

5. Re-Enabling Users After Switching to External Authentication

To re-enable a User:

1. In Security Navigator, expand the Users accordion.
2. Select the user that you want to re-enable from the list of users.
3. Right-click and select Edit. The User editor appears.
4. In the Name field, enter a user name that matches the login of an enterprise user in the identity store.
5. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appears in the External GUID field.
6. From the File main menu, select Save.

Edit an ODI Standalone Agent jps-config.xml File to Point to Your External OID LDAP Server

1. A common task using ODI is to set up and install ODI agents. After the ODI scenarios are created, they can be scheduled and orchestrated using an ODI agent, which is a lightweight Java process that orchestrates the execution of ODI scenarios.

For standalone agents, the configuration to connect to and use the external identity store is contained in a copy of the same OPSS configuration file, jps-config.xml, that you used to configure the ODI Studio.

However, you need to place the copy of this file for the standalone agent in a different folder. Copy this file to the ODI_HOME/oracledi/agent/bin/ directory. The agent and the command line scripts will authenticate against the configured identity store.

Refer to the Oracle Fusion Middleware Security Guide for more information.

2. Edit the odiparams.sh file, entering appropriate values, such as:

    ODI_MASTER_DRIVER=oracle.jdbc.driver.OracleDriver
    ODI_MASTER_URL=jdbc:oracle:thin:@localhost:1521:nrdb
    ODI_MASTER_USER=EAMASTER
    ODI_MASTER_ENCODED_PASS=gxfpqkz074jeaCpL4XSEFzxoj8E0p
    ODI_SECU_WORK_REP=WORKREP1
    ODI_SUPERVISOR=SUPERVISOR
    ODI_SUPERVISOR_ENCODED_PASS=fJya.vR5kvNcu9TtV,jVZEt

3. To encode the password: <ODI_HOME>/oracledi/agent/bin/encode.sh <password>

Understand External User Authentication in a Java EE Context

1. Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle Data Integrator Console) do not require a specific configuration. They use the configuration of their container.

Refer to the Oracle Fusion Middleware Security Guide for more information on OPSS configuration in a Java EE context.

In JRF-enabled J2EE containers (Agent in WebLogic Server [WLS]):

Configure Java Required Files (JRF) on WLS. As soon as you configure your J2EE container (currently only WLS is supported) with JRF enabled, OPSS will be configured for the application deployed inside.

By default, OPSS is configured to use the WLS internal LDAP Identity Store. You need to configure a new Authenticator inside WLS if you want to use an external, central OID.

Useful resources

Introduction to Oracle Platform Security Services:

http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/underjps.htm

OPSS Configuration File Reference:

http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/apjpscfg.htm#BEHDBJED

Summary

In this tutorial, you have learned how to:

Use SQL Developer to create an RDBMS (11g) Schema/User for a new ODI Master Repository
Edit the ODI Studio jps-config.xml file to point to your external OID LDAP Server
Create a new ODI Master Repository using an authenticated user in the external OID LDAP Server
Switch the Master Repository authentication mode between external and internal authentication
Edit an ODI standalone agent jps-config.xml file to point to your external OID LDAP Server
Understand external user authentication in a Java EE context

Resources

Oracle Data Integrator 11g Documentation

To learn more about other Oracle products, refer to additional OBEs in the Learning Library.
