3 Configure OBIEE authentication

In this step, you install and configure the authentication plugin that allows you to access Topics reports in OBIEE using your Empirica Signal password.

This chapter includes the following sections:

Configuring the credential store
Copying and extracting the authentication files
Creating a new authentication provider
Verifying attribute information

Configuring the credential store

Log into the Oracle Fusion Middleware Enterprise Manager using the WebLogic administrator username and password. You can access the server at:

http://<server name>:<port>/em
Expand WebLogic Domain in the left-hand pane.
Click the name of your Empirica BI domain (for example, empirica_bi), and select WebLogic Domain/Security/Credentials from the drop-down menu, under your domain name in the top left of the center pane.
Click Create Map and type oracle.hsgbu.empirica as Map Name.
Click OK.
Select oracle.hsgbu.empirica in the Credential column, and click Create Key.
Create the following keys:
- DatabaseCredentials—Use the same user name and password as the corresponding DatabaseCredentials key on the Signal instance
- AuthenticatorCredentials—Use the WebLogic administrator user name and password from the current OBIEE instance.
Select WebLogic Domain > Security > System Policies from the drop-down menu under your domain name in the top left of the center pane.
From the Type drop-down list, select Principal.
Click Create.
Under Permissions, click Add. Select the Select here to enter details for a new permission check box, and type the following values:

Permission Class: oracle.security.jps.service.credstore.CredentialAccessPermission

Resource Name: context=SYSTEM,mapName=oracle.hsgbu.empirica,keyName=*

Permission Actions: read
Click OK.
Set the drop-down selector Grant to to Principal.
Under Grantee, do the following:
1. Click Add.
2. Set the Type drop-down list value to Group.
3. Set the Principal Name drop-down list value to Starts With.
4. Type BI in the text field, and click the blue Search roles button.
5. Select BIAdministrators.
6. Click OK.
Click OK.
Set the Type to Principal and search for entries starting with BI. Select BIAdministrators, and click Create Like.
Under Grantee, do the following:
1. Click Add.
2. Set the Type drop-down list value to Group.
3. Set the Principal Name drop-down list value to Starts With.
4. Type BI in the text field, and click the blue Search roles button.
5. Select BIAuthors.
6. Click OK.
Click OK.
Select BIAdministrators, and click Create Like.
Under Grantee, do the following:
1. Click Add.
2. Set the Type drop-down list value to Group.
3. Set the Principal Name drop-down list value to Starts With.
4. Type BI in the text field, and click Search roles.
5. Select BIConsumers.
6. Click OK.
7. Click OK again.
The following provides access to the oracle.hsgbu.empirica Credential Store map for the patch directory:
1. Set the Type to Principal and search for entries starting with BI. Select BIAdministrators, and click Create Like.
2. Change the drop-down selector Grant to from Principal to Codebase.
3. Enter the following value for Codebase:
  
  file:${wls.home}/../../patch_wls1036/-
4. Click OK.
5. Click OK again.
Logout.

Copying and extracting the authentication files

If you have not already done so, unzip the OBIEE.zip file. Open the OBIEE\empiricaprovider\obiee_auth.properties file and verify the information:
1. Navigate to the OBIEE\empiricaprovider directory.
2. Open the obiee_auth.properties file.
3. Verify that the following properties are set to the appropriate values for your OBIEE WebLogic server, editing the default values if necessary:
  
  HOSTNAME=localhost
  
  PORT=7001
Create the following folder on the OBIEE server:

/u01/app/oracle/empiricaprovider
Copy the following file from local folder OBIEE\empiricaprovider to the /u01/app/oracle/empiricaprovider folder on the OBIEE server:
- obiee_auth.properties
- ESAPI.properties
- messages.properties
Copy the following files from the current Signal deployment on Linux. The file should be located in the stage/Signal_Install/Signal/Web_root/WEB-INF/classes sub-directory:
- webvdme.properties
Navigate to local directory OBIEE/mbeans and copy the following files to the <WebLogic server>/server/lib/mbeantypes folder on the OBIEE server:
- empirica<version>.jar
- EmpiricaCore<version>.jar
- empiricaprovider<version>.jar
- esapi-2.0.1.jar
- log4j-1.2.16.jar
- secure-coding<version>.jar
Add the empiricaprovider folder to the Java CLASSPATH in the Weblogic startup script:
1. Open a Command Prompt window (for example, PuTTY) on the OBIEE server and navigate to /u01/app/oracle/product/Middleware/user_projects/domains/empirica_bi/bin (substitute your domain's name for empirica_bi if it is different).
2. Open startWebLogic.sh in a text editor.
3. After the "fi" at line 127 (it ends the MEDREC_WEBLOGIC_CLASSPATH if-block), and before the following "echo" line, add the following two lines (keeping the double-quotes):
  
  CLASSPATH="${CLASSPATH}${CLASSPATHSEP}/u01/app/oracle/empiricaprovider"
  
  PATH="${PATH}${PATHSEP}/u01/app/oracle/empiricaprovider"
4. Save the changes and close the file
Stop and restart the WebLogic administration server. See for more information.

Creating a new authentication provider

Log into Oracle WebLogic Server Administration Console on the OBIEE server using your WebLogic administrator username and password.

You can access the server at http://<server>:<port>/console.
In the Domain Structure pane, click Security Realms.

The Summary of Security Realms page appears.
In the Realms table, click myrealm.

The Settings for myrealm page appears.
In the Change Center pane, click Lock & Edit.
Click the Providers tab, and then click the Authentication subtab.
If SSO is configured, perform the following steps to install the OAMIdentityAsserter:
1. Click New.
2. Specify the following:
  - Name: Type OAMIdentityAsserter.
  - Type: Select OAMIdentityAsserter.
3. Click OK.
4. Click the OAMIdentityAsserter link.
  - In the Common tab, make sure that OAM_REMOTE_USER is selected as one of the Active Types. Leave the Control Flag as OPTIONAL.
  - In the Provider Specific tab, set: SSOHeader Name: SSO_USER_LOGIN_ID
  - Click Save.
5. On the Providers page, click Reorder.
6. Move the OAMIdentityAsserter to the top of the list of authentication providers.
7. Click OK.
Click New.

The Create a New Authentication Provider page appears.
Specify the following:
- Name: Type EmpiricaAuthenticationProvider.
- Type: Select EmpiricaAuthenticator.
Click OK.

The authentication provider is created.
On the Providers page, click Reorder.

If the OAMIdentityAsserter is installed, move the EmpiricaAuthenticationProvider immediately after the OAMIdentityAsserter and before the DefaultAuthenticator.

If the OAMIdentityAsserter is not installed, move the EmpiricaAuthenticationProvider to the top of the list of authentication providers.
Click OK
Click the EmpiricaAuthenticationProvider link. Change the Control Flag to REQUISITE.
Click Save.
Click the DefaultAuthenticator link. Change the Control Flag to SUFFICIENT for non-SSO systems. Change the Control Flag to REQUIRED for SSO systems.
Click Save.
Click Activate Changes in the Change Center.
If the OAMIdentityAsserter has been installed, the following steps must be taken:
1. Save changes and shutdown all the servers in the domain.
2. Take a backup of the $DOMAIN_HOME/bin/setDomainEnv.sh file and make the following changes to setDomainEnv.sh file.
  
  Add the following lines just before JAVA_PROPERTIES are defined:
  
  EXTRA_JAVA_PROPERTIES="-Dsso.filter.ssotoken=SSO_USER_LOGIN_ID ${EXTRA_JAVA_PROPERTIES}"
  
  export EXTRA_JAVA_PROPERTIES

Stop and restart the WebLogic administration server. See for more information.

Note:

Once the Empirica Authenticator is configured, you can no longer log into OBIEE using a non-Signal account.
The SSO properties for OBIEE's copy of webvdme.properties must agree with the installation. If OBIEE is configured for SSO, then the SSO properties must be set in webvdme.properties. Likewise, if OBIEE is not configured for SSO, then the SSO properties must not be set in webvdme.properties.

Verifying attribute information

Log into Oracle Fusion Middleware Enterprise Manager using your WebLogic administrator username and password.

You can access Oracle Fusion Middleware Enterprise Manager at http://<server>:<port>/em.
Expand the WebLogic Domain folder.
Right-click the domain name, and select System MBean Browser.

The System MBean Browser appears.
In the System MBean Browser pane, expand the Configuration Mbeans folder.
Expand the Security folder.
Click the myrealmEmpiricaAuthenticationProvider mbean.

The attributes appear.
On the Attributes tab, verify that the Value column for the EmpiricaSignalApplicationRoot attribute contains the /u01/app/oracle/empiricaprovider folder that you created in step 2 in Copying and extracting the authentication files.
Edit the value if necessary, and click Apply.
Log out.
Log into Oracle WebLogic Server Administration Console using your WebLogic administrator username and password.

You can access the server at http://<server>:<port>/console.
To make your OBIEE usernames case-insensitive to ensure successful logins from the Empirica Signal application, do the following:
1. In the Domain Structure pane, click the domain name. For example, empirica_bi.
  
  The Settings for <domain name> page appears.
2. Click the Security tab, and click the General tab if it is not already selected.
3. Click Advanced at the bottom of the page.
  
  Advanced options appear.
4. Select the Principal Equals Case Insensitive check box.
  
  If the check box is not editable, click Lock and Edit.
5. Click Save.
  
  Your changes are saved.
  
  For more information, see the following documentation:
  
  http://docs.oracle.com/cd/E21764_01/web.1111/e13707/domain.htm
In the Change Center pane, click Activate Changes.

Your changes are activated.
Log out.
Stop and restart the WebLogic administration server. See for more information.