Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)
E10543-02

3 Configuring Oracle BI to use Oracle Internet Directory

This chapter explains how Oracle Business Intelligence can be configured to use commercial directory servers for authentication. It covers configuring Oracle Business Intelligence to use OID for authentication, and configuring Oracle Business Intelligence to use OID as a policy store and credential store.

This chapter contains the following sections:

    • Section 3.1, "Common Tasks for Deploying Security With Oracle Internet Directory"

    • Section 3.2, "Configuring an Alternative Authentication Provider"

    • Section 3.3, "Configuring an Alternative Policy Store and Credentials Store"

3.1 Common Tasks for Deploying Security With Oracle Internet Directory

Table 3-1 contains common authorization configuration tasks and provides links for more information.

Table 3-1 Task Map: Configuring Authorization for Oracle Business Intelligence

Task: Re-configure Oracle BI to use an LDAP based Authentication Provider.
Description: Re-configure Oracle BI to use an LDAP based Authentication Provider, such as Oracle Internet Directory.
Information: Section 3.3, "Configuring an Alternative Policy Store and Credentials Store"

Task: Re-configure Oracle BI to use an LDAP based Credential Store and Policy Store Provider.
Description: Re-configure Oracle BI to use an LDAP based Credential Store and Policy Store Provider, such as Oracle Internet Directory.
Information: Section 3.3, "Configuring an Alternative Policy Store and Credentials Store"


3.2 Configuring an Alternative Authentication Provider

When you use OID as the Authentication Provider, you use OID Console to set up your Users and Groups. You can then map these Users and Groups to the preconfigured Application Roles (for example, BIConsumer, BIAuthors, and BIAdministrator), and any additional Application Roles that you create. For more information about mapping Users and Groups to Application Roles, see Section 2.5, "Managing Application Roles and Application Policies Using Fusion Middleware Control".

You continue to use the other Oracle Business Intelligence tools (that is, the BI Administration Tool, Enterprise Manager Fusion Middleware Control, and the Administration page in Oracle BI Presentation Catalog) to manage the other areas of the security model.

For a current list of supported authentication providers and directory servers to use with Oracle Business Intelligence, see the system requirements and certification documentation. For more information, see System Requirements and Certification.

If a directory server other than the default Embedded WebLogic LDAP Server is being used, you can view the users and groups from that directory server in Oracle WebLogic Server Administration Console. However, you must continue to manage the users and groups in the interface for the directory server being used. For example, if you are using OID, you must use OID Console to create and edit Users and Groups.

3.2.1 How to Configure Oracle Internet Directory as an Authentication Store Provider

To configure OID as an Authentication Store Provider, do the following:

Prerequisite: Shut down all servers except Admin Server.

  1. Configure Oracle Internet Directory as an authentication provider as described in Section 3.2.1.1, "How to Configure Oracle Business Intelligence to use Oracle Internet Directory as an Authentication Provider".

  2. Configure the User Name Attribute in the Identity Store to match the User Name Attribute in the Authentication Provider as described in Section 3.2.1.2, "How to Configure the User Name Attribute in the Identity Store".

  3. Use the myrealm\Users and Groups tab to verify that the Users and Groups from OID are displayed correctly. If they are displayed correctly, then proceed to Step 4. Otherwise, reset your configuration settings and retry.

  4. Configure a new BISystemUser account for a user in Oracle Internet Directory to match the account for DefaultAuthenticator as described in Section 3.2.1.3, "Configure a New Trusted User (BISystemUser)".

  5. Update the user GUIDs to be the values in Oracle Internet Directory as described in Section 3.2.1.4, "Refresh the User GUIDs".


3.2.1.1 How to Configure Oracle Business Intelligence to use Oracle Internet Directory as an Authentication Provider

You perform this task to reconfigure your installation to use OID instead of the default Oracle WebLogic Administration Server.

To configure the OID authentication provider:

Note: MyOIDDirectory is used to represent the Oracle Internet Directory in the following procedure.

  1. In Oracle WebLogic Server Administration Console, click Lock & Edit in the Change Center.

    (Screenshot: wls01.gif)

  2. Select Security Realms from the left pane and click myrealm.

    The default Security Realm is named myrealm.

  3. Display the Providers tab, then display the Authentication sub-tab.

    (Screenshot: wls03.gif)

  4. Click New to launch the Create a New Authentication Provider page.

    (Screenshot: wls04.gif)

  5. Enter values in the Create a New Authentication Provider page as follows:

    • Name: Enter a name for the authentication provider. For example, MyOIDDirectory.

    • Type: Select OracleInternetDirectoryAuthenticator from the list.

    • Click OK to save the changes and display the Authentication Providers list updated with the new Authentication Provider.

      (Screenshot: wls07.gif)

  6. Click the new Authenticator Provider in the Name column to display the Settings for <Authentication Provider Name> page.

    For example, click MyOIDDirectory.

    (Screenshot: wls08.gif)

  7. Display the Configuration\Common tab, use the Control Flag drop-down list to select 'SUFFICIENT', then click Save.

    (Screenshot: wls05.gif)

  8. Display the Provider Specific tab.

    (Screenshot: wls09.gif)

  9. Use the Provider Specific tab to specify the details listed in the table below.

    Section: Connection
      Host: The host name of the Oracle Internet Directory server.
      Port: The port number on which the Oracle Internet Directory server is listening.
      Principal: The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.
      Credential: Password for the Oracle Internet Directory user entered as the Principal.

    Section: Groups
      Group Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.

    Section: Users
      User Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.
      All Users Filter: LDAP search filter. Click More Info... for details.
      User From Name Filter: LDAP search filter. Click More Info... for details.
      User Name Attribute: The attribute that you want to use to authenticate (for example, cn, uid, or mail). For example, to authenticate using a User's email address you set this value to 'mail'.

    Note: The value that you specify here must match the User Name Attribute that you configure in the Identity Store, as described in the next task, Section 3.2.1.2, "How to Configure the User Name Attribute in the Identity Store".


    The screenshot below shows the Users area of the Provider Specific tab.

    (Screenshot: wls10.gif)

  10. Click Save.

  11. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab.

    (Screenshot: wls07.gif)

  12. Click Reorder to display the Reorder Authentication Providers page.

  13. Select the name of the Oracle Internet Directory authentication provider (for example, MyOIDDirectory) and use the arrow buttons to move it into the first position in the list, then click OK.

    (Screenshot: wls11.gif)

    The screenshot below shows the re-ordered list of Authentication Providers.

    (Screenshot: oid23_crop.gif)

  14. Click DefaultAuthenticator in the Name column to display the Settings for DefaultAuthenticator page.

  15. Display the Configuration\Common tab, use the Control Flag drop-down list to select 'SUFFICIENT', then click Save.

3.2.1.2 How to Configure the User Name Attribute in the Identity Store

If you configure a different Authentication Provider such as OID, then you must ensure that the User Name Attribute that you use in the Identity Store matches the User Name Attribute that you use in the Authentication Provider.

For example, to authenticate using a User's email address you might set the User Name Attribute to 'mail' in both the Identity Store and the Authentication Provider.

The screenshot below shows an example where the User Name Attribute in OID Authenticator has been set to 'mail'.

(Screenshot: a_oid.gif)

To configure the User Name Attribute:

  1. In Oracle Enterprise Manager - Fusion Middleware Control, navigate to \Weblogic domain\bifoundation_domain in the navigation pane.

  2. Right-click bifoundation_domain and select Security, then Security Provider Configuration to display the Security Provider Configuration page.

  3. In the Identity Store Provider area, click Configure to display the Identity Store Configuration page.

  4. In the Custom Properties area, use the Add option to add the following two Custom Properties:

    Table 3-2 Custom Properties

    Property Name: user.login.attr
    Value: Specify the User Name Attribute that is set in the Authentication Provider. For example, if the User Name Attribute is set to 'mail' in the Authentication Provider, then set this value to 'mail'.

    Property Name: username.attr
    Value: Specify the User Name Attribute that is set in the Authentication Provider. For example, if the User Name Attribute is set to 'mail' in the Authentication Provider, then set this value to 'mail'.


    The screenshot below shows an example set of Custom Properties with the User Name Attribute set to 'mail'.

  5. Click OK to save the changes.

  6. Restart the Admin Server.

Note: Ensure that the Users and Groups in OID are displayed in WebLogic Console, as described in step 3 in Section 3.2.1, "How to Configure Oracle Internet Directory as an Authentication Store Provider".
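The settings that steps 5 to 15 and Table 3-2 ask you to keep in agreement can be checked offline before restarting anything. The following Python script is an added example, not part of this guide or the product: it parses constructed fragments shaped like the domain's config.xml (the authentication-provider entries) and jps-config.xml (the idstore.ldap custom properties), matches elements by local name so namespace prefixes do not matter, and reports a User Name Attribute mismatch, a control flag other than SUFFICIENT, or an OID provider that is not first in the order. The element names and values in the samples are assumptions for illustration; verify them against your own domain files.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed config.xml provider entries as they look after steps 5 to 15 (values made up).
CONFIG_XML = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
 xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
  <sec:name>MyOIDDirectory</sec:name><sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:user-name-attribute>mail</wls:user-name-attribute>
 </sec:authentication-provider>
 <sec:authentication-provider xsi:type="wls:default-authenticatorType">
  <sec:name>DefaultAuthenticator</sec:name><sec:control-flag>SUFFICIENT</sec:control-flag>
 </sec:authentication-provider>
</realm>"""

# Constructed idstore.ldap instance from jps-config.xml after the Table 3-2 properties are added.
JPS_CONFIG_XML = """<jpsConfig><serviceInstances>
 <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="user.login.attr" value="mail"/>
  <property name="username.attr" value="mail"/>
 </serviceInstance></serviceInstances></jpsConfig>"""

def local(tag):  # strip the namespace so matching does not depend on prefix choices
    return tag.rsplit("}", 1)[-1]

def authenticators(config_xml):
    """Providers in realm order with name, xsi:type, control flag and User Name Attribute."""
    provs = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) == "authentication-provider":
            f = {local(c.tag): (c.text or "").strip() for c in el}
            provs.append({"name": f.get("name"), "type": el.get(XSI_TYPE, ""),
                          "flag": f.get("control-flag"), "attr": f.get("user-name-attribute")})
    return provs

def idstore_props(jps_xml):  # custom properties of the idstore.ldap service instance
    for inst in ET.fromstring(jps_xml).iter():
        if local(inst.tag) == "serviceInstance" and inst.get("name") == "idstore.ldap":
            return {p.get("name"): p.get("value") for p in inst if local(p.tag) == "property"}
    return {}

def check(config_xml, jps_xml):  # findings; an empty list means both files agree with the procedure
    provs = authenticators(config_xml)
    oid = [p for p in provs if "oracle-internet-directory" in p["type"]]
    if not oid:
        return ["no OracleInternetDirectoryAuthenticator in the realm (step 5)"]
    findings = [] if provs[0] is oid[0] else ["OID authenticator is not first in the order (step 13)"]
    for p in provs:
        if p["flag"] != "SUFFICIENT":
            findings.append(f"{p['name']}: control flag {p['flag']!r}, expected SUFFICIENT (steps 7, 15)")
    props = idstore_props(jps_xml)
    for key in ("user.login.attr", "username.attr"):
        if props.get(key) != oid[0]["attr"]:
            findings.append(f"{key}={props.get(key)!r} does not match User Name Attribute {oid[0]['attr']!r}")
    return findings
```

Run `check()` on the real files (read with `open().read()`) after step 6 and before verifying the Users and Groups in WebLogic Console; any finding points at the step to revisit.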

3.2.1.3 Configure a New Trusted User (BISystemUser)

Oracle Business Intelligence uses a specific user in the configured authentication provider for internal communication. If you configure Oracle BI to use an OID authentication provider, then you must select a user from OID to use for this purpose and give that user the required permissions. You can create a new user in OID for this purpose or use a pre-existing user. You give the chosen user the permissions it needs by making it a member of the pre-existing BISystem Application Role.

Prerequisite: Delete the default 'BISystemUser' from the realm myrealm. Display the Settings for myrealm page, display the Users and Groups tab, then the Users sub-tab, and delete the user named BISystemUser that has DefaultAuthenticator in the Provider column of the table (see the example screenshot below).

(Screenshot: wls12.gif)

To create a new trusted user account with a user in OID:

  1. In Oracle Internet Directory, create a user for the trusted user.

    Best practice is to name this trusted user BISystemUser to clarify its purpose, but you might choose any name you want.

    When you are finished, the Users table in Oracle WebLogic Server Administration Console should resemble the screenshot below.

    (Screenshot: oid08gif.gif)

    Next you must make the new trusted user a member of the BISystem Application Role.

  2. In Fusion Middleware Control target navigation pane, go to the Oracle WebLogic Server domain in which Oracle Business Intelligence is installed. For example, bifoundation_domain.

  3. Go to the Application Roles page in Fusion Middleware Control.

  4. In the Select Application Stripe to Search list, select obi from the list. Click the search arrow to the right of the Role Name field.

    The Oracle Business Intelligence Application Roles are displayed and should resemble the screenshot below.

    (Screenshot: bisystem_edit.gif)

  5. Select the BISystem Application Role and click Edit.

  6. In the Edit Application Role page, click Add User.

  7. In the Add User dialog, search for the trusted user created in Oracle Internet Directory. Use the shuttle controls to move the trusted user name (BISystemUser) from the Available Users list to the Selected Users list.

    (Screenshot: bisystem_edit02.gif)

  8. Click OK.

    The trusted user (BISystemUser) contained in Oracle Internet Directory is now a member of the BISystem Application Role.

    Next add the trusted user's credentials to the oracle.bi.system credential map.

  9. From Fusion Middleware Control target navigation pane, expand the farm, then expand WebLogic Domain, and select bifoundation_domain.

    • From the WebLogic Domain menu, select Security, then Credentials.

    • Open the oracle.bi.system credential map, select system.user and click Edit.

      (Screenshot: bisystem_cred.gif)

    • In the Edit Key dialog, enter BISystemUser (or name you selected) in the User Name field. In the Password field, enter the trusted user's password that is contained in Oracle Internet Directory.

    • Click OK.

  10. In WebLogic Console, click myrealm to display the Settings for <Realm> page, display the Roles and Policies tab, and add the new System user to the Global 'Admin Role'.

  11. Start the Managed Servers.

The new trusted user from Oracle Internet Directory is now configured for Oracle Business Intelligence.

3.2.1.4 Refresh the User GUIDs

If you change the directory server used as the identity store for the authentication provider, then you must refresh the user GUIDs as described below. If you do not refresh the GUIDs and the same user name exists in both directory servers (original and new), then the original user GUID might conflict with the user GUID contained in new directory server, resulting in authentication errors.

To refresh the user GUIDs:

This task requires that you manually edit the configuration files to instruct Oracle BI Server and Oracle BI Presentation Server to refresh the GUIDs on restart. Once completed, you edit these files to remove the modification. For information about where to locate Oracle Business Intelligence configuration files, see "Where Configuration Files are Located" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  1. Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:

    1. Open NQSConfig.INI for editing at:

      ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
      
    2. Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:

      FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
      
    3. Save and close the file.

  2. Update the ps:Catalog element in instanceconfig.xml:

    1. Open instanceconfig.xml for editing at:

      ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
      
    2. Locate the ps:Catalog element and update it as follows:

      <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
        <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
        <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>
      </ps:Catalog>
      
    3. Save and close the file.

  3. Start the Oracle Business Intelligence system components using opmnctl:

    cd ORACLE_BASE/admin/instancen/bin
    ./opmnctl startall
    
  4. Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.

    Important: You must perform this step to ensure that your system is secure.

  5. Update the ps:Catalog element in instanceconfig.xml to remove the <ps:UpdateAccountGUIDs> entry.

  6. Restart the Oracle Business Intelligence system components using opmnctl:

    cd ORACLE_BASE/admin/instancen/bin
    ./opmnctl stopall
    ./opmnctl startall
    
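The refresh flags set in steps 1 and 2 and reverted in steps 4 and 5 are the security-sensitive part of this procedure, because a system left with either flag enabled rewrites account GUIDs on every restart. The following Python helper is an added example, not from this guide or the product: it applies and reverts both edits on constructed fragments of NQSConfig.INI and instanceconfig.xml, and `leftover_refresh_settings()` reports any refresh setting still enabled so that the revert can be verified before the final restart. The file fragments are assumptions for illustration; the parameter and element names are the ones the steps above use.

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "oracle.bi.presentation.services/config/v1.1"
GUID_RE = re.compile(r"^(\s*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS\s*=\s*)(\w+)(\s*;.*)$", re.M)
UPDATE_RE = re.compile(r"^[ \t]*<ps:UpdateAccountGUIDs>[^<]*</ps:UpdateAccountGUIDs>[ \t]*\n?", re.M)

# Constructed fragments of the two files as they should look in normal operation.
NQSCONFIG = "# constructed sample\nFMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;\n"
INSTANCECONFIG = f"""<WebConfig xmlns="{PS_NS}">
  <ServerInstance>
    <ps:Catalog xmlns:ps="{PS_NS}">
      <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
    </ps:Catalog>
  </ServerInstance>
</WebConfig>
"""

def set_guid_refresh(nqs_text, inst_text, enable):
    """Apply (enable=True, steps 1 and 2) or revert (enable=False, steps 4 and 5) both edits."""
    flag = "YES" if enable else "NO"
    nqs_new, n = GUID_RE.subn(lambda m: m.group(1) + flag + m.group(3), nqs_text)
    if n != 1:
        raise ValueError("FMW_UPDATE_ROLE_AND_USER_REF_GUIDS must appear exactly once")
    inst_new = UPDATE_RE.sub("", inst_text)  # drop any existing entry first
    if enable:
        inst_new = re.sub(r"^([ \t]*)</ps:Catalog>",
                          r"\1  <ps:UpdateAccountGUIDs>UpdateAndExit</ps:UpdateAccountGUIDs>\n\1</ps:Catalog>",
                          inst_new, count=1, flags=re.M)
    return nqs_new, inst_new

def guid_refresh_state(nqs_text, inst_text):
    """What each file currently tells its server to do with GUIDs on the next start."""
    m = GUID_RE.search(nqs_text)
    upd = ET.fromstring(inst_text).find(f".//{{{PS_NS}}}Catalog/{{{PS_NS}}}UpdateAccountGUIDs")
    return {"bi_server_refresh": bool(m and m.group(2).upper() == "YES"),
            "presentation_refresh": upd.text.strip() if upd is not None and upd.text else None}

def leftover_refresh_settings(nqs_text, inst_text):
    """Findings for the revert in steps 4 and 5; anything still enabled is a risk."""
    state = guid_refresh_state(nqs_text, inst_text)
    out = []
    if state["bi_server_refresh"]:
        out.append("NQSConfig.INI: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is still YES; set it back to NO")
    if state["presentation_refresh"]:
        out.append("instanceconfig.xml: <ps:UpdateAccountGUIDs> is still present; remove it")
    return out
```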

3.3 Configuring an Alternative Policy Store and Credentials Store

To re-configure Oracle Business Intelligence to use OID as a Credential Store and Policy Store Provider, follow the steps in Section 8.2 Reassociating the Domain Policy Store in Oracle Fusion Middleware Security Guide.
