Skip Headers
Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)

Part Number E10543-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

C Troubleshooting Security in Oracle Business Intelligence

This appendix describes common problems that you might encounter when configuring and using Oracle Business Intelligence security, and explains how to solve them. It contains the following sections

C.1 Resolving Inconsistencies With the Identity Store

A number of inconsistencies can develop between a repository, the Oracle BI Presentation Catalog, and an identity store. The following sections describe the usual ways this can occur and how to resolve the inconsistencies.

C.1.1 User is Deleted From the Identity Store

Behavior

If a user is deleted from the identity store then that user can no longer log in to Oracle Business Intelligence. However, references to the deleted user remain in the repository until an administrator removes them.

Cause

References to the deleted user still remain in the repository but that user cannot log in to Oracle Business Intelligence. This behavior ensures that if a user was deleted by accident and re-created in the identity store, then the user's access control rules do not need to be entered again.

Action

An administrator can run the Consistency Checker in the Oracle BI Administration Tool in online mode identify inconsistencies.

C.1.2 User is Renamed in the Identity Store

Behavior

A user is renamed in the identity store and then cannot log in to the repository with the new name.

Cause

This can occur if a reference to the user under the original name still exists in the repository.

Action

An administrator must either restart the Oracle BI Server or run the Consistency Checker in the Oracle BI Administration Tool to update the repository with a reference to the user under the new name. Once this has been resolved the Oracle BI Presentation Server updates the Presentation Catalog to refer to the new user name the next time this user logs in.

C.1.3 User Name is Reused in the Identity Store

Behavior

If a user name is added that is identical to one previously used in the identity stored, the new user with the same name cannot log in.

Cause

This can occur if references to the user name exist in the repository.

Action

An administrator must remove existing references to the user name contained in the repository by either running Consistency Checker in the Oracle BI Administration Tool or by changing the existing user references to use the new user's GUID. When the new user logs in with the reused name, a new home directory is created for them in the Presentation Services Catalog.

C.2 Resolving Inconsistencies With the Policy Store

A number of inconsistencies can develop between the Presentation Services Catalog and the policy store. The following sections describe the usual ways this can occur and how to resolve the inconsistencies.

C.2.1 Application Role Was Deleted From the Policy Store

Behavior

After an Application Role is deleted from the policy store the role name continues to appear in the Oracle BI Administration Tool when working in offline mode. But the role name no longer appears in Presentation Services and users are no longer granted the permissions associated with the deleted role.

Cause

References to the deleted role name persist in the repository enabling the role name to appear in the Administration Tool when working in offline mode.

Action

An administrator runs the Consistency Checker in the Oracle BI Administration Tool in online mode to remove references in the repository to the deleted Application Role name.

C.2.2 Application Role is Renamed in the Policy Store

Behavior

After an Application Role is renamed in the policy store the new name does not appear in the Administration Tool in offline mode. But the new name immediately appears in lists in Presentation Services and the Administration Tool. Users continue to see the permissions the role grants them

Cause

References to the original role name persist in the repository enabling the role name to appear in the Administration Tool when working in offline mode.

Action

An administrator either restarts the BI Server or runs the Consistency Checker in the Administration Tool to update the repository with the new role name.

C.2.3 Application Role Name is Reused in the Policy Store

Behavior

An Application Role is added to the policy store reusing a name used for a previous Application Role. Users are unable to access Oracle Business Intelligence resources according to the permissions granted by the original role and are not granted permissions afforded by the new role.

Cause

The name conflict must be resolved between the original role and new role with the same name.

Action

An administrator resolves the naming conflict by either deleting references to the original role from the repository or by updating the repository references to use the new GUID.

C.2.4 Application Role Reference is Added to a Repository in Offline Mode

Behavior

An Application Role has a blank GUID. This can occur after an Application Role reference is added to the repository in offline mode.

Cause

The Administration Tool in offline mode does not have access to the policy store and cannot fill in the GUID when a reference to the Application Role is added to the repository.

Action

After start up, the Oracle BI Server fills in any blank GUIDs for Application Role references with the actual GUID.

C.3 Resolving SSL Communication Problems

Behavior

Communication error. A process (the client) cannot communicate with another process (the server).

Action

When there is an SSL communication problem the client typically displays a communication error. The error can state only "client refused" with no further information. Check the server log file for the corresponding failure error message which typically provides more information about the issue.

Behavior

The following error message is displayed after the commit operation is performed using the BIDomain MBean (oracle.biee.admin:type=BIDomain, group=Service).

SEVERE: Element Type: DOMAIN, Element Id: null, Operation Result: VALIDATION_FAILED, Detail Message: SSL must be enabled on AdminServer before enabling on BI system; not set on server: AdminServer

Action

This message indicates that SSL has not been enabled on the Oracle WebLogic Server Managed Servers, which is a prerequisite step. For more information, see Section 5.3, "Configuring the Web Server to Use the HTTPS Protocol" and Section 5.4.3, "Commit the SSL Configuration Changes".

C.4 Resolving Issues with BISystemUser Credentials

Issue: Users are unable to log in with their valid user names and passwords. Error message: Invalid user name or Password.

Example C-1 Example bifoundation_domain.log Output When BISystemUser Credentials Become Out of Sync

####<DATE> <Error> <oracle.wsm.resources.enforcement> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07607> <Failure in execution of assertion {http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token executor class oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.>
####<DATE> <Error> <oracle.wsm.resources.enforcement> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07602> <Failure in WS-Policy Execution due to exception.>
####<07-might-2010 15:54:39 o'clock BST> <Error> <oracle.wsm.resources.enforcement> <ukp79330> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=bimiddleware#11.1.1.2.0, composite=null, modelObj=SecurityService, policy=oracle/wss_username_token_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token.>
####<DATE> <Error> <oracle.wsm.agent.handler.wls.WSMAgentHook> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <BEA-000000> <WSMAgentHook: An Exception is thrown: FailedAuthentication : The security token cannot be authenticated.>
####<DATE> <Error> <oracle.wsm.resources.security> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244091113> <WSM-00008> <Web service authentication failed.>
####<DATE> <Error> <oracle.wsm.resources.security> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244091113> <WSM-00006> <Error in receiving the request: oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed

C.5 Resolving Custom SSO Environment Issues

You might encounter issues when setting up custom SSO environments. For example, when setting up SSO with Windows Native Authentication and Active Directory, or with SiteMinder.

For more information, see article ID 1284399.1 on My Oracle Support at:

https://support.oracle.com

C.6 Resolving IBM LDAP Init Block Based Authentication on Linux x86 (64-Bit)

IBM LDAP based authentication using Init blocks from the RPD is not supported for Oracle Business Intelligence on Linux x86 (64-Bit).

To work around this issue, users must use Oracle WebLogic based authentication.