|
Oracle® Business Intelligence Presentation Services Administration Guide > Customizing the Oracle BI Presentation Services User Interface > Configuring the Oracle Business Intelligence ReportUI Portlet >
Configuring Authentication in the Oracle BI ReportUI Portlet
To authenticate users, the Oracle BI ReportUI Portlet retrieves the login name for the current user from the Portal and passes it to Oracle BI Presentation Services. In order for Oracle BI Presentation Services to trust that the name of the authenticated user, Oracle BI Presentation Services needs to verify that the login name is from a trusted source. You can use one of two approaches to accomplish this verification: - Authenticate with administrative credentials — With this approach, the Portlet remembers the credentials of the Oracle BI Administrator (that is, user name and password) and passes them to Oracle BI Presentation Services along with the login name of the current user. Because Oracle BI Presentation Services knows the user name and password of the Oracle BI Administrator, it knows that it can trust that the login name of the current user is actually the name of the user who was properly authenticated.
- Authenticate with SSL certificates — With this approach, the Portal authenticates itself to Oracle BI Presentation Services using SSL certificates.
To configure authentication using administrative credentials
- Set the following elements in the portlet.xml file:
- For the Oracle Application Server Portal:
- oracle.bi.presentation.portlets.jsr168.reportui.AdminUserName
- oracle.bi.presentation.portlets.jsr168.reportui.AdminPwd
- For the WebSphere Portal: oracle.bi.presentation.portlets.websphere.SuperuserSlotId
For more information on editing the portlet.xml file, see Editing the portlet.xml file to configure Oracle BI ReportUI Portlet. To configure authentication using SSL certificates
NOTE: These procedures assume that you are familiar with general SSL concepts and the administration of the Web server running the Bridge servlet and the Portal server.
- In the portlet.xml file, make sure that the following elements are set to empty strings:
- Create and sign two SSL certificates for the Web server running the Bridge servlet and the Portal server. Make sure that the Web server certificate includes the proper domain name system (DNS) name of the Web server.
- For the Web server running the Bridge servlet, configure the server to:
- Accept "https" connections. Be sure to test that you can access Oracle BI Presentation Services from the browser using "https" and that the Browser does not display a Domain Name Mismatch Security Error.
- Accept client certificates.
For example, in Tomcat, you configure SSL parameters as attributes of the Connector element of the server.xml file, where the clientAuth="want" attribute enables client certificates and the truststoreFile attribute identifies the certificate for the certificate authority that was used for signing the Portal server certificate.
- Configure the Oracle Application Server Portal or WebSphere Portal to accept client certificates.
For example, for the Oracle Application Server Portal, you can edit the Java command line and specify Java properties related to SSL. To do so, display the Administration screen for the OC4J instance that supports WSRP and select the Server Properties link. Then, in the Java Options files, add SSL properties to configure the trust store and the key store, for example:
-Djavax.net.ssl.trustStore=D:/certificates/jsr168portal.keystore
-Jjavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=D:/certificates/jsr168portal.keystore
where -Djavax.net.ssl.trustStore identifies the certificate of the certificate authority that was used for signing the Web server running the Bridge servlet and -Djavax.net.ssl.keyStore identifies the certificate of the certificate authority that was used for signing the Portal server.
- Configure the Bridge servlet to recognize the Portal certificate by adding the com.oracle.bi.web.TrustedRemoteDNs element (which identifies the list of Distinguished Names (DNs) of trusted certificates, with each DN separated by a semicolon) to the Web server's web.xml file, for example:
<param-name>com.oracle.bi.web.TrustedRemoteDNs</param-name>
<param-value>
CN=Portal, OU=OrgUnit, O=Organization, L=City, ST=State, C=Country
</param-value>
When the Bridge servlet receives a trusted certificate, it extracts the CN value and passes it to Oracle BI Presentation Services as the current remote user.
- Configure Oracle BI Presentation Services to allow authentication of remote users without a password via SOAP by setting the EnableWebServerAuthInSoap element to Y in the Oracle BI Presentation Services configuration file (instanceconfig.xml).
For information about working in the Oracle BI Presentation Services configuration file (instanceconfig.xml), read Making Oracle BI Presentation Services Configuration Changes.
- Enable Oracle BI Presentation Services to retrieve the user password for the Portal user from the credential store. There are two ways to do this:
- If security is a concern, create an entry in the Oracle BI Presentation Services credential store with the key that matches the value of the CN attribute of the Portal certificate. For more information about the Oracle BI Presentation Services credential store, see Oracle Business Intelligence Enterprise Edition Deployment Guide.
- If security is not a concern:
- Add the following entry to the instanceconfig.xml file:
<CredentialStore>
<CredentialStorage type="file" path={full_path_to_credential_store}/>
</CredentialStore>
- Create a credentialstore.xml file. For more information, see Oracle Business Intelligence Enterprise Edition Deployment Guide.
|
