| Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) Part Number E10543-04 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) Part Number E10543-04 |
|
|
PDF · Mobi · ePub |
This appendix describes common problems that you might encounter when configuring and using Oracle Business Intelligence security, and explains how to solve them. It contains the following sections
Section C.1, "Resolving Inconsistencies With the Identity Store"
Section C.2, "Resolving Inconsistencies With the Policy Store"
Section C.4, "Resolving Issues with BISystemUser Credentials"
Section C.6, "Resolving IBM LDAP Init Block Based Authentication on Linux x86 (64-Bit)"
A number of inconsistencies can develop between a repository, the Oracle BI Presentation Catalog, and an identity store. The following sections describe the usual ways this can occur and how to resolve the inconsistencies.
Behavior
If a user is deleted from the identity store then that user can no longer log in to Oracle Business Intelligence. However, references to the deleted user remain in the repository until an administrator removes them.
Cause
References to the deleted user still remain in the repository but that user cannot log in to Oracle Business Intelligence. This behavior ensures that if a user was deleted by accident and re-created in the identity store, then the user's access control rules do not need to be entered again.
Action
An administrator can run the Consistency Checker in the Oracle BI Administration Tool in online mode identify inconsistencies.
Behavior
A user is renamed in the identity store and then cannot log in to the repository with the new name.
Cause
This can occur if a reference to the user under the original name still exists in the repository.
Action
An administrator must either restart the Oracle BI Server or run the Consistency Checker in the Oracle BI Administration Tool to update the repository with a reference to the user under the new name. Once this has been resolved the Oracle BI Presentation Server updates the Presentation Catalog to refer to the new user name the next time this user logs in.
Behavior
If a user name is added that is identical to one previously used in the identity stored, the new user with the same name cannot log in.
Cause
This can occur if references to the user name exist in the repository.
Action
An administrator must remove existing references to the user name contained in the repository by either running Consistency Checker in the Oracle BI Administration Tool or by changing the existing user references to use the new user's GUID. When the new user logs in with the reused name, a new home directory is created for them in the Presentation Services Catalog.
A number of inconsistencies can develop between the Presentation Services Catalog and the policy store. The following sections describe the usual ways this can occur and how to resolve the inconsistencies.
Behavior
After an Application Role is deleted from the policy store the role name continues to appear in the Oracle BI Administration Tool when working in offline mode. But the role name no longer appears in Presentation Services and users are no longer granted the permissions associated with the deleted role.
Cause
References to the deleted role name persist in the repository enabling the role name to appear in the Administration Tool when working in offline mode.
Action
An administrator runs the Consistency Checker in the Oracle BI Administration Tool in online mode to remove references in the repository to the deleted Application Role name.
Behavior
After an Application Role is renamed in the policy store the new name does not appear in the Administration Tool in offline mode. But the new name immediately appears in lists in Presentation Services and the Administration Tool. Users continue to see the permissions the role grants them
Cause
References to the original role name persist in the repository enabling the role name to appear in the Administration Tool when working in offline mode.
Action
An administrator either restarts the BI Server or runs the Consistency Checker in the Administration Tool to update the repository with the new role name.
Behavior
An Application Role is added to the policy store reusing a name used for a previous Application Role. Users are unable to access Oracle Business Intelligence resources according to the permissions granted by the original role and are not granted permissions afforded by the new role.
Cause
The name conflict must be resolved between the original role and new role with the same name.
Action
An administrator resolves the naming conflict by either deleting references to the original role from the repository or by updating the repository references to use the new GUID.
Behavior
An Application Role has a blank GUID. This can occur after an Application Role reference is added to the repository in offline mode.
Cause
The Administration Tool in offline mode does not have access to the policy store and cannot fill in the GUID when a reference to the Application Role is added to the repository.
Action
After start up, the Oracle BI Server fills in any blank GUIDs for Application Role references with the actual GUID.
Behavior
Communication error. A process (the client) cannot communicate with another process (the server).
Action
When there is an SSL communication problem the client typically displays a communication error. The error can state only "client refused" with no further information. Check the server log file for the corresponding failure error message which typically provides more information about the issue.
Behavior
The following error message is displayed after the commit operation is performed using the BIDomain MBean (oracle.biee.admin:type=BIDomain, group=Service).
SEVERE: Element Type: DOMAIN, Element Id: null, Operation Result: VALIDATION_FAILED, Detail Message: SSL must be enabled on AdminServer before enabling on BI system; not set on server: AdminServer
Action
This message indicates that SSL has not been enabled on the Oracle WebLogic Server Managed Servers, which is a prerequisite step. For more information, see Section 5.3, "Configuring the Web Server to Use the HTTPS Protocol" and Section 5.4.3, "Commit the SSL Configuration Changes".
Issue: Users are unable to log in with their valid user names and passwords. Error message: Invalid user name or Password.
Example C-1 Example bifoundation_domain.log Output When BISystemUser Credentials Become Out of Sync
####<DATE> <Error> <oracle.wsm.resources.enforcement> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07607> <Failure in execution of assertion {http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token executor class oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.>
####<DATE> <Error> <oracle.wsm.resources.enforcement> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07602> <Failure in WS-Policy Execution due to exception.>
####<07-might-2010 15:54:39 o'clock BST> <Error> <oracle.wsm.resources.enforcement> <ukp79330> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=bimiddleware#11.1.1.2.0, composite=null, modelObj=SecurityService, policy=oracle/wss_username_token_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token.>
####<DATE> <Error> <oracle.wsm.agent.handler.wls.WSMAgentHook> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244079442> <BEA-000000> <WSMAgentHook: An Exception is thrown: FailedAuthentication : The security token cannot be authenticated.>
####<DATE> <Error> <oracle.wsm.resources.security> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244091113> <WSM-00008> <Web service authentication failed.>
####<DATE> <Error> <oracle.wsm.resources.security> <Machine_Name> <bi_server1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1273244091113> <WSM-00006> <Error in receiving the request: oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed
You might encounter issues when setting up custom SSO environments. For example, when setting up SSO with Windows Native Authentication and Active Directory, or with SiteMinder.
For more information, see article ID 1284399.1 on My Oracle Support at:
|
 Copyright © 2010, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|