© Peak Indicators Limited
OBIEE 11g Security – it’s as easy as 1-2-3!
Antony Heljula @aheljula
BI Architect
Agenda
Aim of Presentation
10g Security Model
11g Security Model
Frequently Asked Questions:
- What Roles and Policies Should I Have?
- When Should I Use the WebLogic LDAP?
- Can I Have Multiple Identity Providers?
- Where Do I Get My Groups From?
- What are GUIDs?
- Do I Still Need SA System Subject Area?
- What Are The Important Files?
- How Do We Migrate Between Environments?
- Can I Still Use The 10g Security Model?
- How Do You Implement SSL?
- How Do You Implement SSO?
- What Do I Do When it All Goes Wrong?
Aim of Presentation
To explain the key concepts behind the Oracle BI 11g security model
Clarify what is and what is not supported
Demonstrate that it can achieve great results
Explain why 11g security model is better than 10g – you don’t need the 10g security model any more!
Discuss some advanced topics such as SSO, SSL and migration
10g Security Model
10g Security Model
[Diagram: BI Server "Groups" and BI Presentation Services "Catalog Groups"]
"Groups" apply responsibilities for the BI Server.
"Catalog Groups" apply responsibilities for BI Presentation Services. They can be inherited from other "Catalog Groups" and also from BI Server "Groups".
10g Security Model
[Diagram: Corporate LDAP (Users: ASMITH; Groups: Sales Manager) -> BI Server "Groups" -> BI Presentation Services "Catalog Groups"]
ASMITH is a Sales Manager
ASMITH gets data visibility for a Sales Manager
ASMITH can see the Sales Manager dashboard
10g Security Model
[Diagram: as above, with ASMITH also linked directly to a Catalog Group]
ASMITH is granted some presentation privileges directly
10g Security Model
[Diagram: Corporate LDAP (Users: ASMITH; Groups: Sales Manager, Answers Access, Delivers Access) -> BI Server "Groups" / BI Presentation Services "Catalog Groups"]
Additional LDAP "Groups" applied directly to Presentation Services
Group inheritance within LDAP
Issues with 10g Security Model
[Diagram: as above]
Not an easy model to explain! p.s. 10g did not even directly support Groups in LDAP (group membership had to be fed to the BI Server through initialization blocks)
Issues with 10g Security Model
[Diagram: as above]
Reliance on the Corporate LDAP to manage application-only privileges, e.g. "Answers Access"
11g Security Model
The 11g Security Model
[Diagram: Corporate LDAP (Users: ASMITH; Groups: Sales Manager) -> BI Server / BI Presentation Services]
Your Corporate LDAP just contains "corporate" Users and Groups
The 11g Security Model
[Diagram: Corporate LDAP (Users: ASMITH; Groups: Sales Manager) -> Application Roles (Sales Manager, Answers Access, Delivers Access) -> BI Server / BI Presentation Services]
A new layer of "Application Roles" defines the application-specific roles. The OBI Administrators maintain these.
The 11g Security Model
[Diagram: as above]
A Group can belong to multiple Application Roles, e.g. Sales Managers also have "Answers Access"
The 11g Security Model
[Diagram: as above]
But if you prefer, Application Roles can belong to other Application Roles, e.g. the "Sales Manager" Role also has the "Answers Access" Role
The 11g Security Model
[Diagram: as above]
Application Roles are used by both BI Presentation Services and BI Server
The 11g Security Model
[Diagram: as above]
You can also assign a User directly to an Application Role
The 11g Security Model
Advantages
[Diagram: as above]
1) Greater control for the OBI Administrator
2) Corporate LDAP less complex
3) Simpler architecture
4) More flexibility
5) Greater consistency between OBIPS and OBIS
The 11g Security Model
Administration Points
[Diagram: as above, with the four administration points numbered]
1) WebLogic Console
2) FMW Control
3) RPD
4) Catalog & Manage Privileges
The 11g Security Model
1) WebLogic Console
In the WebLogic Console you can:
- Configure Identity Providers (discussed later)
- Configure Users and Groups (Embedded LDAP)
The 11g Security Model
2) FMW Control
You can use FMW Control for:
- Creating new Application Roles
- Assigning Roles/Groups/Users to Application Roles
Menu option: Security > Application Roles
The 11g Security Model
3) RPD
Within the RPD you can apply security rules to Application Roles:
- Access to Subject Area contents
- Access to Connection Pools
- Apply Data Filters
- Apply Query Limits
The 11g Security Model
4) Catalog and Manage Privileges
Within the Presentation layer you can use Application Roles for:
- Managing privileges
- Object access permissions within the Catalog
The 11g Security Model
Credential Store
The domain has an embedded "Credential Store", managed through FMW Control:
WebLogic Domain > bifoundation_domain > Security > Credentials
In here are stored the passwords for:
- BISystemUser
- RPD passwords
- Any other credentials (e.g. for custom web services)
No more "Cryptotools"
The 11g Security Model
Default Configuration
When you install Oracle BI 11g, you get the following mapping between Users, Groups and Roles (Users are members of Groups, Groups are members of Application Roles):
- BIAdministrators group -> BIAdministrator role
- BIAuthors group -> BIAuthor role
- BIConsumers group -> BIConsumer role
- BISystem role (used by the Oracle BI system components)
The roles are nested: BIAdministrator is a member of BIAuthor, which in turn is a member of BIConsumer.
BIAdministrators: all functions. BIAuthors: create new content. BIConsumers: read-only.
The 11g Security Model
Application Policies
Each of the default Application Roles is allocated one or more "Application Policies". These Application Policies grant access to certain "Resources" within Oracle BI.
The "BIAdministrator" role can:
- Manage Repositories
- Manage Jobs
- Manage the Presentation Catalog
- Administer BI Server
The 11g Security Model
The policies for the "BIAdministrator" role provide access to the "Administration" screen.
The policies for the "BIAuthor" role provide access to the entire "New" menu for creating new reporting objects.
What Roles and Policies Should I Have?
Default Roles and Policies
First of all, use the new default Application Roles to distinguish between your 3 main types of user:
- Administrators -> BIAdministrator Role
- Report Developers -> BIAuthor Role
- Everyone Else -> BIConsumer Role
By default, all authenticated users get the "BIConsumer" Role, so you only need to manage the allocation of the BIAuthor/BIAdministrator Roles.
There is typically no need to alter the Application Policies that are assigned to each role.
The default policies provide a convenient way to restrict access to core Oracle BI system resources.
What Roles and Policies Should I Have?
Custom Roles
You can then have your own custom Application Roles to manage access and privileges at a more granular level. For example:
- Sales Manager Role -> access to the "Sales Manager" Dashboard
- HR Manager Role -> access to the "HR Manager" Dashboards
- BI Answers Role -> access to Answers
- BI Delivers Role -> access to Delivers
NOTE: In most cases, 1 LDAP Group will map to 1 Application Role
What Roles and Policies Should I Have?
A Combination of Default/Custom Roles
[Diagram: LDAP (Users: ASMITH; Groups: BIAdministrator, BIAuthor, BIConsumer, Sales Manager) -> Application Roles (BIAdministrator, BIAuthor, BIConsumer, Sales Manager, Answers Access, Delivers Access) -> BI Server / BI Presentation Services]
When Should I Use the WebLogic LDAP?
The embedded WebLogic LDAP is relatively basic compared to the more "enterprise" LDAP solutions, e.g. OID, AD.
Oracle advises no more than 1,000 users.
When Should I Use the WebLogic LDAP?
[Diagram: WebLogic LDAP (weblogic, BISystemUser, test users) and Corporate LDAP (all other users) -> Application Roles -> BI Server / BI Presentation Services]
Treat the WebLogic LDAP much like you treated the RPD as a user store in OBI 10g (weblogic, system accounts and test users only).
All other users go in the Corporate LDAP.
Can I Have Multiple Identity Providers?
Yes. It is possible to add multiple other Identity Providers within the WebLogic Console.
By default, there are two embedded WebLogic providers:
- DefaultAuthenticator (Embedded WebLogic LDAP)
- DefaultIdentityAsserter
Further "Identity Providers" can then be added, e.g. OID.
Can I Have Multiple Identity Providers?
Support
Multiple Identity Providers with either:
- Users and Groups in LDAP
- Users and Groups in Database
- Users in LDAP and Groups in Database (in 11.1.1.6; patch in 11.1.1.5)
Identity Providers for Authentication (NOTE: not exhaustive):
- WebLogic LDAP
- Active Directory
- iPlanet
- Oracle Internet Directory (OID)
- Oracle Virtual Directory (OVD)
- Novell (eDirectory 8.8)
- OpenLDAP
- SQL
- Tivoli Directory Server 6.2
- SQL Group Lookup (new with 11.1.1.6, patch for 11.1.1.5)
Can I Have Multiple Identity Providers?
Adding a New Provider
Adding new Identity Providers is straightforward via the "New" button (the supported providers, not an exhaustive list, were highlighted in the original screenshot).
You can reorder the list of providers so that authentication is performed in a different order, e.g.:
1. OID
2. WebLogic LDAP
Can I Have Multiple Identity Providers?
BISQLGroupProvider
It is a common situation with Oracle BI Apps where you have:
- Users to be authenticated in a Corporate LDAP
- Groups to be obtained from the source OLTP (e.g. EBS)
[Diagram: Corporate LDAP (users) and EBS (groups) both feeding WebLogic -> Application Roles -> BI Server / BI Presentation Services]
Can I Have Multiple Identity Providers?
The 11g security model now supports this type of arrangement.
A new provider, "BISQLGroupProvider", is available to obtain Groups from a database:
- Available in 11.1.1.6 (with some configuration)
- Available in 11.1.1.5 (patch 11667221)
To configure it, see Oracle Support article 1428008.1 to obtain the TechNote:
TechNote_LDAP_Auth_DB_Groups_V3.pdf
Can I Have Multiple Identity Providers?
Virtualize=True
When you have multiple Identity Providers you should set the "virtualize = true" custom property within FMW Control:
bifoundation_domain > Security > Security Provider Configuration
Without this setting:
- Only the first identity provider listed will be used by OBI
- You won't be able to log in if the AdminServer dies
NOTE: If you can't get the setting to work, try restarting the Managed Server and OPMN processes via FMW Control rather than from the command line.
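The same setting as it is stored on disk, as an added illustration that is not from the original deck: FMW Control writes the property into the domain's jps-config.xml, so if the console edit does not seem to stick this is where to look. The file lives in the same fmwconfig directory as system-jazn-data.xml, and the two surrounding properties are assumed to be the ones a default bifoundation_domain ships with; only the "virtualize" line is the change.

```xml
<!-- [middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\jps-config.xml
     Only the LDAP identity store service instance is shown; the first two
     properties are assumed to match the default domain and are left as-is. -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <!-- Without this property OPSS only reads users and groups from the first
       authenticator in the WebLogic provider list -->
  <property name="virtualize" value="true"/>
</serviceInstance>
```

The AdminServer and the bi_server1 Managed Server must be restarted for the change to take effect. A quick check afterwards is that a user from the second provider can log on to Oracle BI itself, not just to the WebLogic Console: the console authenticates through the WebLogic realm directly and works with or without virtualization, so a successful console login proves nothing about this setting.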
Can I Have Multiple Identity Providers?
Managing "BISystemUser"
[Diagram: BISystemUser stored in either the Corporate LDAP or the WebLogic LDAP -> Application Roles -> BI Server / BI Presentation Services]
When you implement an additional identity provider, the Oracle BI documentation suggests migrating the BISystemUser to your external LDAP provider.
But what happens if the Corporate LDAP becomes unavailable?
It is better to keep the BISystemUser account in the WebLogic LDAP store: you can still start up and use Oracle BI even when the Corporate LDAP is unavailable (NOTE: you need to set virtualize=true).
Where Do I Get My Groups From?
Multiple Identity Providers
When you have multiple identity providers, the Groups for each user are obtained from the same provider that they authenticated against. For example:
- WebLogic users obtain their Groups from "DefaultAuthenticator"
- Corporate end users obtain their Groups from "OracleInternetDirectory", as this is where they are authenticated
Where Do I Get My Groups From?
BISQLGroupProvider
A "BI SQL Group Lookup" identity provider is always assigned to a single LDAP provider:
- The Groups will only come from the BI SQL Group Lookup provider
- Any Groups in the LDAP store are ignored
In this example, any user authenticating via "OracleInternetDirectory" obtains their Groups from the "BISQLGroupProvider"; any Groups assigned to the user in OID are ignored.
Where Do I Get My Groups From?
WebLogic Console
If you are using the WebLogic LDAP as an authenticator then you need to maintain your "Groups" in this store.
Groups from other identity providers (e.g. OID) are integrated automatically and appear in the WebLogic Console as external Groups; you don't need to create them manually.
Where Do I Get My Groups From?
FMW Control
Your internal and external Groups are immediately available to be assigned to Application Roles.
The "BIAuthor" Role will be assigned to users belonging to the corresponding "BIAuthor" Groups in both the WebLogic LDAP and OID.
What are GUIDs?
In Oracle BI 11g, users are recognized by their Global Unique Identifiers (GUIDs), not by their names
GUIDs are identifiers that are completely unique for a given user
Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata is uniquely secured for a specific user, independent of the user name
What are GUIDs?
Example Scenario
[Diagram: Corporate LDAP user ASMITH -> BI Server / BI Presentation Services, where ASMITH holds the Administration privilege]
1) User "ASMITH" has been given access to the "Administration" screen within the Oracle BI front-end
2) User "ASMITH" leaves the company and is removed from the Corporate LDAP
3) A few months later, a new "ASMITH" joins the company
4) Can the new "ASMITH" log on to Oracle BI and get Administration privileges?
5) The answer is NO! The new "ASMITH" (GUID 5678) has a different GUID from the original "ASMITH" (GUID 1234), and it is GUID 1234 that holds the Administration privilege
The Outcome
In fact, the new "ASMITH" won't be able to log on at all!
What are GUIDs?
Refreshing GUIDs
The GUID feature is there to help secure your OBI environments, especially production.
There may however be times when GUIDs get out of sync and you cannot log in as certain users:
- Migrating from the WebLogic Embedded LDAP to an alternative identity provider
- Deleting users and then recreating them
- Migrating the "Production" Presentation Catalog / RPD to the "Development" environment
To work around this, you can either:
- Delete the offending users from the Presentation Catalog and log in again, or
- Refresh GUIDs (explained overleaf)
What are GUIDs?
Regenerating GUIDs: Step 1 / 4
Open up the NQSConfig.ini file for editing:
[OBI Home]/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini
Set the following parameter within the [SERVER] section:
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
Save the file.
Regenerating GUIDs: Step 2 / 4
Open up the instanceconfig.xml file for editing:
[OBI Home]/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml
Add an "UpdateAccountGUIDs" entry to the <Catalog> section as follows:
<ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
<ps:UpgradeAndExit>false</ps:UpgradeAndExit>
<ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
</ps:Catalog>
Save the file.
Regenerating GUIDs: Step 3 / 4
Restart the Oracle BI system components:
$ORACLE_BASE/instances/instance1/bin/opmnctl stopall
$ORACLE_BASE/instances/instance1/bin/opmnctl startall
Regenerating GUIDs: Step 4 / 4
To ensure your system is secure once again you must revert the configuration changes!
NQSConfig.ini: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;
instanceconfig.xml: remove the <ps:UpdateAccountGUIDs> entry
Restart processes: opmnctl stopall / startall
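The four steps above as one POSIX shell script. This is an added example, not from the original deck: the install paths are assumptions for a default install (override them through the environment variables), the file edits are done with awk so they can be rehearsed on copies of the two files, and only refresh_guids calls opmnctl. It also does the one thing the slides warn about, putting both flags back afterwards and checking that it did.

```shell
#!/bin/sh
# Added example: wraps the 4-step GUID refresh so the two flags are set,
# the refresh is run, and the flags are reverted again (step 4 is the one
# people forget). The three paths below are assumptions for a default install.
ORACLE_INSTANCE="${ORACLE_INSTANCE:-/u01/app/oracle/instances/instance1}"
NQSCONFIG="${NQSCONFIG:-$ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obis1/NQSConfig.ini}"
INSTANCECONFIG="${INSTANCECONFIG:-$ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obips1/instanceconfig.xml}"

# Step 1 / 4: set FMW_UPDATE_ROLE_AND_USER_REF_GUIDS in the [SERVER] section.
# usage: set_guid_flag FILE YES|NO   (replaces the line, or adds it if missing)
set_guid_flag() {
  file=$1; val=$2; tmp="$file.tmp.$$"
  awk -v val="$val" '
    /^\[[ \t]*SERVER[ \t]*\]/ { print; in_server = 1; next }
    /^\[/ {
      if (in_server && !done) { print "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = " val ";"; done = 1 }
      in_server = 0
    }
    /^FMW_UPDATE_ROLE_AND_USER_REF_GUIDS/ {
      if (!done) { print "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = " val ";"; done = 1 }
      next
    }
    { print }
    END { if (!done) print "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = " val ";" }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Current value of the flag (YES, NO, or empty if absent); used to verify step 4.
get_guid_flag() {
  awk -F'[= ;]+' '/^FMW_UPDATE_ROLE_AND_USER_REF_GUIDS/ { print $2; exit }' "$1"
}

# Step 2 / 4: add <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs> inside
# <Catalog>, using the same namespace prefix (ps: or none) as the closing tag.
enable_guid_update() {
  file=$1; tmp="$file.tmp.$$"
  awk '
    /<\/(ps:)?Catalog>/ && !done {
      pfx = ""
      if (index($0, "</ps:")) pfx = "ps:"
      match($0, /^[ \t]*/)
      pad = substr($0, 1, RLENGTH)
      print pad "  <" pfx "UpdateAccountGUIDs>UpdateAndExit</" pfx "UpdateAccountGUIDs>"
      done = 1
    }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Step 4 / 4 (part): remove the UpdateAccountGUIDs entry again.
disable_guid_update() {
  file=$1; tmp="$file.tmp.$$"
  awk '!/UpdateAccountGUIDs/' "$file" > "$tmp" && mv "$tmp" "$file"
}

# "yes" if the catalog GUID update is still armed in FILE, otherwise "no".
guid_update_enabled() {
  if grep -q 'UpdateAccountGUIDs>UpdateAndExit<' "$1"; then echo yes; else echo no; fi
}

# Steps 1-4 end to end. Needs a real install; the file functions above can be
# tried on copies first. Returns non-zero if either flag is still armed at the end.
refresh_guids() {
  set_guid_flag "$NQSCONFIG" YES
  enable_guid_update "$INSTANCECONFIG"
  "$ORACLE_INSTANCE/bin/opmnctl" stopall
  "$ORACLE_INSTANCE/bin/opmnctl" startall   # Presentation Services updates the GUIDs and exits
  set_guid_flag "$NQSCONFIG" NO             # revert, or the system stays in "refresh" mode
  disable_guid_update "$INSTANCECONFIG"
  "$ORACLE_INSTANCE/bin/opmnctl" stopall
  "$ORACLE_INSTANCE/bin/opmnctl" startall
  [ "$(get_guid_flag "$NQSCONFIG")" = NO ] && [ "$(guid_update_enabled "$INSTANCECONFIG")" = no ]
}
```

Run refresh_guids as the OBI software owner with ORACLE_INSTANCE pointing at your instance directory; check the Presentation Services log for the GUID update to finish before the second restart, and keep the flags at NO / removed afterwards, since while they are set any user's catalog entries are re-bound to whatever GUID the identity store currently returns for that name.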
Do I Still Need SA System Subject Area?
Delivers Recipients
It is now possible to use an Application Role to specify the recipients of an "Agent".
Previously, in 10g, this approach would not work unless you stored all the User > Catalog Group mappings in the BI Presentation Catalog, which was very rarely done.
Delivery Profiles: direct access to LDAP servers
With Oracle BI 11g, Delivers can access information about users, their groups and their email addresses directly from the configured identity store.
In many cases this completely removes the need to extract this information from your corporate directory into a database.
What Are The Important Files?
config.xml
[middleware]\user_projects\domains\bifoundation_domain\config\config.xml
Contains:
- SSL configuration of the Admin and Managed Servers
- Definitions and setup of Identity Providers
system-jazn-data.xml
[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
Contains the definition of all Application Roles.
During a BI Apps install, you deploy this file to install all the BI Apps roles.
cwallet.sso
[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\cwallet.sso
This is your "Credential Store", containing the encrypted usernames/passwords for your system accounts:
- BISystemUser
- Web service credentials
- RPD passwords
- etc.
If you don't know all the passwords, it is a good idea to back this up before you change any configuration... just in case.
How Do I Migrate Between Environments?
11g Security Migration Points
[Diagram: as per the Administration Points slide, with the four migration points numbered]
1) WebLogic Console
2) FMW Control
3) RPD
4) Catalog & Manage Privileges
The topic of migration is covered in the Rittman Mead blogs:
- Oracle BI EE 11g – Migrating Security – Identity Stores – Part 1
- Oracle BI EE 11g – Migrating Security – Policy Store – Part 2
- Oracle BI EE 11g – Migrating Security – Credential Store – Part 3
Just to summarise...
WebLogic LDAP Users/Groups
You can import/export the entire set of users/groups within the WebLogic LDAP via the WebLogic Console.
If you wish to do an incremental update then you will need to script it using WLST.
Application Roles
To migrate the full set of Application Roles, simply copy the system-jazn-data.xml file to your target environment:
[middleware]\user_projects\domains\bifoundation_domain\config\fmwconfig\system-jazn-data.xml
If you need to do an incremental update then either:
- Set up the Application Roles manually via FMW Control
- Use WLST scripting
How Do I Migrate Between Environments?
During a 10g-11g upgrade
Running the 11g "Upgrade Assistant" automatically migrates the 10g security configuration to 11g:
- RPD "Groups" migrated to the WebLogic LDAP
- RPD "Users" migrated to the WebLogic LDAP (and assigned to the relevant Groups)
- An Application Role created for each Group
Can I Still Use The 10g Security Model?
Yes... if you must! But hopefully the need for the 10g model is diminishing.
The "old" method of using Initialization Blocks to populate the USER/GROUP session variables still works in Oracle BI 11g.
Use the new session variable "ROLES" instead of "GROUP" to map a user to one or more Application Roles.
Whenever you log in, the 10g security model is attempted first.
Some users can use the 10g model, others can use the 11g model.
Don't mix security models for the same user: a user should authenticate/authorise using either the 11g model or the 10g model... but not both.
How Do You Implement SSL?
SSL is the mechanism used to enable secured HTTPS communication between the client web browser and Oracle BI (it is also used to secure the communication between the Oracle BI components themselves):
- SSL works fully in OBIEE; the implementation details are in the documentation (Security Guide)
- You have to do all four sections... no shortcuts!
Further Notes
SSL configuration is fiddly by nature: set aside around 2 man-days to configure it for the first time in development.
The elapsed time could be longer, since you have to obtain a trusted certificate from a "certificate authority".
Demo certificates are available (but you will get the standard browser security warning if you use them, and they must never be used in production: the WebLogic demo keystore's private key is publicly known).
The following Tech Notes on My Oracle Support complement the Oracle documentation:
- OBIEE 11g SSL Setup and Configuration (Doc ID 1326781.1)
- Procedure for configuring Node Manager with SSL (Doc ID 1142995.1)
How Do You Implement SSO?
SSO Support (11.1.1.6)
Supported SSO mechanisms:
- Oracle Access Manager (OAM)
- Oracle Single Sign On (OSSO)
- Windows Native Authentication without IIS (Kerberos)
- WebLogic Default Asserter (Client Certificate Authentication)
Other supported features:
- EBS ICX Cookie mechanism
- SiteMinder 6 via HTTP header
- Go-URL with NQUser / NQPassword (note: the password travels in the URL, so it ends up in browser history and web server/proxy logs)
- SSO via HTTP header & cookie (requires customisation of the BI configuration)
OAM
With OAM you need an HTTP proxy and a WebGate to sit in front of WebLogic and perform the SSO redirection.
Identity Providers
With SSO, the order of authenticators should be as follows:
1. Your LDAP authenticator (SUFFICIENT)
2. Your SSO asserter (REQUIRED)
3. WebLogic Embedded LDAP (SUFFICIENT)
The LDAP authenticator is required for two reasons:
- To perform authentication for non-SSO access (e.g. BI Office)
- To obtain Groups for users who have authenticated via SSO
FMW Control
You also need to enable SSO within FMW Control:
- Specify the SSO provider
- SSO Logon URL
- SSO Logoff URL
OAM Install Steps
[Diagram: OAM install steps]
Active Directory / Kerberos
A Tech Note / white paper exists for implementing SSO with AD.
Error Messages That Could Mean a Million Things
What Do I Do When It All Goes Wrong?
Try different logins (if the issue is just with one user)
1. Try a different user account
2. Try logging on with a system user account, e.g. weblogic
3. Confirm you can log on to the WebLogic Console and/or FMW Control (to confirm authentication is actually working)
4. Reset the user's password
5. Archive and delete the user from the catalog, restart Presentation Services and then unarchive the user back into the catalog
Check services
6. Check the OPMN services are running
7. Check the database and listener are working for the _BIPLATFORM and _MDS schemas (and make sure the DB passwords have not expired!)
Check log files
8. Check the Admin and Managed Server log files:
…./user_projects/domains/bifoundation_domain/servers/AdminServer/logs
…./user_projects/domains/bifoundation_domain/servers/bi_server1/logs
9. Check the BI Server and BI Presentation Services logs:
…./instances/instance1/diagnostics/logs/OracleBIPresentationServicesComponent/coreapplication_obips1
…./instances/instance1/diagnostics/logs/OracleBIServerComponent/coreapplication_obis1
Further actions
10. Check connectivity to the LDAP / AD server is OK (you do this in the WebLogic Console: make sure you can see the external Groups and Users)
11. Check the HOSTS file has not changed: the very first entry should have the IP address and server name
12. Refresh GUIDs
13. Restart the WebLogic and OPMN services
14. Restart the WebLogic AdminServer, then start all other processes from within the WebLogic Admin Console and FMW Control (i.e. not from the command line)
15. Restart the whole server, then start up the WebLogic and OPMN services
More drastic actions
16. Delete the two "BISystemUser" user entries from the Presentation Catalog, then restart services: [Catalog Root]\root\users
17. Delete the two "sawguidstate" entries from the "System" Presentation Catalog folder, then restart services: [Catalog Root]\root\system\mktgcache\[Hostname]
Last ditch attempts...
18. Re-enter the "BISystemUser" credentials in the Credential Store, then restart all services
Oracle Tech Note
19. See Oracle Support article 1359798.1 to download the Tech Note on troubleshooting OBIEE security:
Oracle BI Enterprise Edition 11g Security - Troubleshooting.pdf
Contact Oracle!
20. http://support.oracle.com
Questions?
Helping Your Business Intelligence Journey