Caution! Complete this step only after SSODiag successfully retrieves the Kerberos principal name. See Using SSODiag to Test WebLogic Server Configuration for Kerberos Authentication.
The default security model for web applications secured by the security realm is DDOnly. You must change the security model to CustomRolesAndPolicies.
To change the security model:
Using a text editor, open MIDDLEWARE_HOME/user_projects/domains/EPMSystem/config/config.xml.
Locate the following element in the application deployment descriptor for each Foundation Services component:
<security-dd-model>DDOnly</security-dd-model>
Change the security model as follows for each component:
<security-dd-model>CustomRolesAndPolicies</security-dd-model>
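A read-only check that every component was switched, given here as an added example rather than Oracle's own tooling. The deployment names, the sample document and the namespace URI are constructed assumptions; pass in the contents of your config.xml and the names of your Foundation Services deployments.

```python
import xml.etree.ElementTree as ET

REQUIRED_MODEL = "CustomRolesAndPolicies"
DEFAULT_MODEL = "DDOnly"  # default stated above; assumed to apply when the element is absent

# Constructed sample: COMPONENT_* are placeholder names, not real EPM deployments.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>EPMSystem</name>
  <app-deployment>
    <name>COMPONENT_A</name>
    <security-dd-model>CustomRolesAndPolicies</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>COMPONENT_B</name>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>COMPONENT_C</name>
  </app-deployment>
</domain>
"""

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def deployment_models(xml_text):
    """Map each app-deployment name to its effective security model."""
    models = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "app-deployment":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        # A missing or empty element falls back to the default model.
        models[fields.get("name", "?")] = fields.get("security-dd-model") or DEFAULT_MODEL
    return models

def not_converted(xml_text, components):
    """Return the listed components that are absent or not on REQUIRED_MODEL."""
    models = deployment_models(xml_text)
    return {c: models.get(c, "not deployed") for c in components
            if models.get(c) != REQUIRED_MODEL}

if __name__ == "__main__":
    expected = ["COMPONENT_A", "COMPONENT_B", "COMPONENT_C"]
    for name, model in not_converted(SAMPLE_CONFIG, expected).items():
        print(f"{name}: {model} (expected {REQUIRED_MODEL})")
```

An empty result from `not_converted` means every listed deployment carries CustomRolesAndPolicies; a deployment with no `<security-dd-model>` element is reported as DDOnly.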
Change EPM System security configuration to enable Kerberos SSO.
To configure EPM System for Kerberos authentication:
Add the Active Directory domain that is configured for Kerberos authentication as an external user directory in Shared Services. See “Configuring OID, Active Directory, and Other LDAP-based User Directories” in the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.
Enable SSO. See “Setting Security Options” in the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.
In Security Options, select the settings in Table 19 to enable Kerberos SSO.
Log in to Foundation Services to verify that Kerberos SSO is working properly.