
Configuring Oracle BI Presentation Services to Use Impersonator User


This configuration consists of the following tasks:

  1. Creating the Oracle BI Server Impersonator User
  2. Adding Impersonator User Credentials to Oracle BI Presentation Services Credential Store
  3. Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase

Creating the Oracle BI Server Impersonator User

Oracle BI Presentation Services uses the Oracle BI Impersonation feature to establish a connection to the Oracle BI Server on behalf of the authenticated end user. For this purpose, a special user that Oracle BI Presentation Services will utilize for impersonating the authenticated end user needs to be created. This document refers to this special user as the impersonator user.

NOTE:  The Oracle BI Server supports a notion of privileged users being able to impersonate other users. Oracle BI Presentation Services uses this functionality to implement SSO support in various scenarios.

The impersonator user is created in the Oracle BI Server repository. If an impersonator user has already been created, you do not need to create a new one. Use this procedure to create the impersonator user in the Oracle BI Server repository. For more information on creating users and granting Group membership, refer to the Oracle Business Intelligence Server Administration Guide.

To create the Oracle BI Server impersonator user

  1. Open the Oracle BI Server repository file (.rpd) using Oracle BI Administration Tool.
  2. Select Manage > Security to display the Security Manager.
  3. Select Action > New > User to open the User dialog box.
  4. Enter a name and password for this user.

    For example, Name = Impersonator and Password = secret.

  5. Click OK to create the user.
  6. To make this user a member of the group Administrators, double-click on the icon for the user that was created.
  7. In the Group Membership portion of the dialog box, check the Administrators group to grant the user created above membership to this group.

Adding Impersonator User Credentials to Oracle BI Presentation Services Credential Store

For Oracle BI Presentation Services to be able to utilize the user created above for impersonation of the authenticated end user, it must be able to identify the impersonator user and obtain the impersonator user credentials. The impersonator user credentials must be added to the Oracle BI Presentation Services Credential Store. To obtain the impersonator user credentials, Oracle BI Presentation Services will search the credential store for a username-password credential with an alias of impersonation.

For more information about the BI Presentation Services Credential Store and the supported storage systems, see Oracle BI Presentation Services Credential Store.

Use the procedure below to add the impersonator user credentials to the credential store called credentialstore.xml with an alias of impersonation. The default location of the credentialstore.xml file is OracleBIData_HOME\web\config on Windows and OracleBIData_HOME/web/config on Linux or UNIX.

To add impersonator user credentials to Oracle BI Presentation Services Credential Store

The procedure below assumes that the credentials store is the BI Presentation Services proprietary XML file store. You may choose to store credentials in a Java keystore or a custom store.

  1. Open a command prompt window or command shell on the machine where Oracle BI Presentation Services has been installed.
  2. Navigate to the directory OracleBI_HOME\web\bin on Windows or OracleBI_HOME/web/bin on Linux or UNIX. This is the location for the CryptoTools utility.
  3. Execute the CryptoTools utility to add the impersonator user credentials to the Oracle BI Presentation Services Credential Store:

    cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml

    For more information on the CryptoTools utility, its syntax and supported sub-commands, refer to Using the CryptoTools Utility.

  4. Supply values for the prompted parameters, as shown in the following table.

    Parameter or Prompt                             | Value or Input         | Description
    Credential Alias                                | impersonation          | Specify the value impersonation to identify the user as the impersonator user.
    Username                                        | <name of the user>     | Name of the user created in the topic Creating the Oracle BI Server Impersonator User. For example, Impersonator.
    Password                                        | <password of the user> | Password of the user created in the topic Creating the Oracle BI Server Impersonator User. For example, secret.
    Do you want to encrypt the password?            | y                      |
    Passphrase for encryption                       | <passphrase>           | Provide a passphrase. For example, another_secret.
    Do you want to write the passphrase to the xml? | n                      |

For example:

cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml
>Credential Alias: impersonation
>Username: Impersonator
>Password: secret
>Do you want to encrypt the password? y/n (y):
>Passphrase for encryption: another_secret
>Do you want to write the passphrase to the xml? y/n (n):
>File "<OracleBIData>/web/config/credentialstore.xml" exists. Do you want to overwrite it? y/n (y):

The CryptoTools utility updates the credentialstore.xml file. After executing the CryptoTools utility with inputs as specified above, the credentialstore.xml file contains entries similar to the following example:

<sawcs:credential type="usernamePassword" alias="impersonation">
   <sawcs:username>Impersonator</sawcs:username>
   <sawcs:password>
      <xenc:EncryptedData>
         <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
            <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
               <pkcs-5:KeyDerivationFunc>
                  <pkcs-5:Parameters>
                     <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
                  </pkcs-5:Parameters>
               </pkcs-5:KeyDerivationFunc>
               <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </pkcs-5:PBES2-params>
         </xenc:EncryptionMethod>
         <xenc:CipherData>
            <xenc:CipherValue>jeThdk8ZklnTlyKIat8Dkw</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </sawcs:password>
</sawcs:credential>

NOTE:  If you have multiple instances of BI Presentation Services in your deployment, you must add the Impersonator credentials to the credential store for every BI Presentation Services instance. Or, you may copy the credential store with updated credentials to each BI Presentation Services machine. The instanceconfig.xml file for each BI Presentation Services must specify the location of the credential store.

Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase

Oracle BI Presentation Services must be directed to the credential store that contains the impersonator user credentials. This is done by setting parameters in the Oracle BI Presentation Services configuration file, instanceconfig.xml. In addition, the passphrase that Oracle BI Presentation Services will use to decrypt the impersonator password credential must be specified.

To configure Oracle BI Presentation Services to identify the Credential Store and decryption passphrase

  1. Open the instanceconfig.xml file for editing.
  2. Locate the <CredentialStore> node within this file.

    Specify attribute values as shown below. If the <CredentialStore> node does not exist, create this element with sub-elements and attributes with attribute values as shown in the following example.

    <WebConfig>
       <ServerInstance>
          <!-- other settings ... -->
          <CredentialStore>
             <CredentialStorage type="file" path="<path to credentialstore.xml>" passphrase="<passphrase>"/>
             <!-- other settings ... -->
          </CredentialStore>
          <!-- other settings ... -->
       </ServerInstance>
    </WebConfig>

Table 12 summarizes the attributes and attribute values for the CredentialStorage element. For more information on the CredentialStore and CredentialStorage elements of the instanceconfig.xml file, and for their settings when credential stores other than the XML file store are used, see Oracle BI Presentation Services Credential Store.

Table 12. CredentialStorage Element Attributes

Attribute  | Attribute Value                                             | Description
type       | file                                                        | This describes the type of credential store. Set to file for the proprietary XML file credential store.
path       | <path to XML file credential store (credentialstore.xml)>   | Location and filename for the XML file credential store. For example, OracleBIData_HOME/web/config/credentialstore.xml
passphrase | <passphrase>                                                | Determines the passphrase used to decrypt encrypted files. Provide the value entered in step 4 under topic Adding Impersonator User Credentials to Oracle BI Presentation Services Credential Store. In the example provided, this value is another_secret.

After the modification described in the preceding procedure, the instanceconfig.xml file should contain entries as in the following example:

<?xml version="1.0"?>

<WebConfig>
   <ServerInstance>
      <!-- other settings ... -->
      <CredentialStore>
         <CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another_secret"/>
         <!-- other settings ... -->
      </CredentialStore>
      <!-- other settings ... -->
   </ServerInstance>
</WebConfig>

NOTE:  Both files, credentialstore.xml and instanceconfig.xml, should be protected using OS filesystem protection capabilities, because in combination they could reveal a privileged user's password. Note that neither file on its own has enough information to expose the password.
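As an added post-configuration check (example code, not part of Oracle's guide or the CryptoTools utility): a Python script that reads a credentialstore.xml and an instanceconfig.xml, verifies that a usernamePassword credential with the alias impersonation exists and that its password is stored as xenc:EncryptedData rather than cleartext, and verifies that the CredentialStorage element uses the file store and carries the decryption passphrase. Namespace URIs are stripped before matching because the snippets above do not show them; the sample documents are constructed, and their root element name and sawcs namespace URI are placeholders.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{uri}" so the sawcs/xenc prefixes do not matter
def find_credential(credstore_xml, alias="impersonation"):
    # (username, is_encrypted) for the usernamePassword credential with this alias, else None
    for cred in ET.fromstring(credstore_xml).iter():
        if local(cred.tag) != "credential" or cred.get("alias") != alias or cred.get("type") != "usernamePassword":
            continue
        username, encrypted = None, False
        for child in cred:
            if local(child.tag) == "username":
                username = (child.text or "").strip()
            elif local(child.tag) == "password":
                # CryptoTools emits an xenc:EncryptedData child; bare text here is a cleartext password
                encrypted = any(local(g.tag) == "EncryptedData" for g in child)
        return username, encrypted
    return None

def find_storage(instanceconfig_xml):
    # (type, path, passphrase) from the CredentialStorage element of instanceconfig.xml, else None
    for el in ET.fromstring(instanceconfig_xml).iter():
        if local(el.tag) == "CredentialStorage":
            return el.get("type"), el.get("path"), el.get("passphrase")
    return None

def check_deployment(credstore_xml, instanceconfig_xml):
    # Findings as a list of strings; an empty list means the two files agree
    findings, cred, storage = [], find_credential(credstore_xml), find_storage(instanceconfig_xml)
    if cred is None:
        findings.append("no usernamePassword credential aliased 'impersonation'")
    elif not cred[1]:
        findings.append("impersonation password stored in plaintext")
    if storage is None:
        findings.append("instanceconfig.xml lacks a CredentialStorage element")
    else:
        stype, _path, passphrase = storage
        if stype != "file":
            findings.append("CredentialStorage type is not 'file'")
        if cred and cred[1] and not passphrase:
            findings.append("encrypted password but no decryption passphrase set")
    return findings

# Constructed samples modelled on the snippets above; the root element and the sawcs xmlns URI are placeholders
CREDSTORE = """<sawcs:credentials xmlns:sawcs="urn:placeholder:sawcs" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<sawcs:credential type="usernamePassword" alias="impersonation"><sawcs:username>Impersonator</sawcs:username>
<sawcs:password><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>jeThdk8ZklnTlyKIat8Dkw</xenc:CipherValue>
</xenc:CipherData></xenc:EncryptedData></sawcs:password></sawcs:credential></sawcs:credentials>"""
INSTANCECONFIG = """<WebConfig><ServerInstance><CredentialStore><CredentialStorage type="file"
path="/OracleBIData/web/config/credentialstore.xml" passphrase="another_secret"/></CredentialStore></ServerInstance></WebConfig>"""
```

Run check_deployment(CREDSTORE, INSTANCECONFIG) on the real files' contents from each BI Presentation Services machine; an empty list means the pair is consistent.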

Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.