Several Oracle Business Intelligence legacy authentication options are still supported for backward compatibility. The best practice for upgrading systems is to begin implementing authentication using an identity store and authentication provider as provided by the default security model. An embedded directory server is configured as the default identity store and authentication provider during installation or upgrade and is available for immediate use.
For more information about the default security model, see Introduction to Security in Oracle Business Intelligence and Understanding the Default Security Configuration.
Authentication is the process by which the user name and password presented during login are verified to ensure the user has the necessary credentials to log in to the system. The BI Server authenticates each connection request it receives. The following legacy authentication methods are supported by the BI Server for backward compatibility in this release:
External LDAP-based directory server.
External initialization block authentication.
Table-based.
This section contains the following topics:
You can set up the Oracle BI Server to pass user credentials to an external LDAP server for authentication.
The legacy LDAP authentication method uses Oracle Business Intelligence session variables that you define using the Variable Manager in the Oracle BI Administration Tool. For more information about the session variables, see Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
To set up LDAP authentication using initialization blocks:
Create an LDAP Server as follows:
Select Manage then Identity in the Administration Tool to launch the Identity Manager.
Select Directory Servers from the left pane in Identity Manager.
Right-click in the right pane in Identity Manager and select New LDAP Server. The LDAP Server dialog is displayed.
Create the LDAP server by completing the fields.
Create an LDAP initialization block and associate it with an LDAP server. For more information, see Creating Initialization Blocks in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Define a system variable named USER and assign the USER variable to an LDAP attribute (for example, uid, sAMAccountName, cn).
Session variables get their values when a user begins a session by logging on. Certain session variables, called system session variables, have special uses. The system session variable USER is used with authentication. For more information about the USER system session variable, see Defining a USER Session Variable for LDAP Authentication. For more information about system session variables, see About System Session Variables in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
If applicable, delete users from the repository file.
Associate the USER system variable with the LDAP initialization block. For more information, see Defining a USER Session Variable for LDAP Authentication and Associating Variables with Initialization Blocks in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Note:
When using secure LDAP, you must restart the Administration Tool before testing if you have set the key file name and password, tested the LDAP parameter setting successfully in the Administration Tool, and then changed the key file name and password again.
For instances of Oracle Business Intelligence that use ADSI as the authentication method, the following options should be used when setting up the Active Directory instance:
In Log On To, select All Computers, or if you list some computers, include the Active Directory server as a Logon workstation.
Ensure that User must change password at next logon is not selected.
In the Administration Tool, the CN user used for the BIND DN in the LDAP Server section must have both ldap_bind and ldap_search authority.
Note:
The BI Server uses cleartext passwords in LDAP authentication. Make sure your LDAP Servers are set up to allow this.
To set up LDAP authentication for the repository:
To set up LDAP authentication using initialization blocks, you define a system session variable called USER and associate it with an LDAP initialization block that is associated with an LDAP server.
When a user logs in to the BI Server, the user name and password are passed to the LDAP server for authentication. After the user is authenticated successfully, other session variables for the user could also be populated from information returned by the LDAP server.
Note:
If the user exists in both an external LDAP server using the legacy method and in an LDAP-based identity store based on Oracle Platform Security Services, the user definition in the identity store takes precedence. The legacy LDAP mechanism is only attempted if authentication fails against Oracle Platform Security Services.
The information in this section assumes that an LDAP initialization block has been defined.
For users not defined in an LDAP-based identity store, the presence of the defined system variable USER determines that external authentication is performed. Associating USER with an LDAP initialization block determines that the user is authenticated by LDAP. To provide other forms of authentication, associate the USER variable with an initialization block associated with an external database.
To define the USER session variable for LDAP authentication:
In the Name field, enter Authentication.
In the Name field, enter USER.
You can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.
The external database table contains user names and passwords, and could contain other information, including group membership and display names used for Oracle BI Presentation Services users. The table could also contain the names of specific database catalogs or schemas to use for each user when querying data.
Note:
If a user belongs to multiple groups, the group names should be included in the same column, separated by semicolons. This only applies if you are not using row-wise variables for groups or roles.
External table authentication uses session variables that you define using the Variable Manager in the Administration Tool. For more information about the Variable Manager, see Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Session variables get their values when a user begins a session by logging on. Certain session variables, called system variables, have special uses. The variable USER is a system variable that is used with external table authentication.
To set up external table authentication, you define a system variable called USER and associate it with an initialization block that is associated with an external database table. Whenever a user logs in, the user ID and password are authenticated using SQL that queries this database table for authentication. The initialization block uses the database connection in the physical layer to connect to the database. The connection in the physical layer contains the login information. After the user is authenticated successfully, other session variables for the user could also be populated from the results of this SQL query.
The presence of the defined system variable USER determines that external authentication is performed. Associating USER with an external database table initialization block determines that the user is authenticated using the information in this table. To provide other forms of authentication, associate the USER system variable with an initialization block associated with an LDAP server or XML source. For more information, see "Setting Up LDAP Authentication Using Initialization Blocks".
To set up external table authentication:
Oracle BI Scheduler Server runs Oracle BI Delivers jobs for users without accessing or storing their passwords.
Using a process called impersonation, Oracle BI Scheduler uses a single user name and password with Oracle Business Intelligence administrative privileges to act on behalf of other users. Oracle BI Scheduler initiates an Agent by logging on to Oracle BI Presentation Services with the Oracle Business Intelligence administrative name and password.
For Delivers to work, all database authentication must be performed in only one connection pool, and that connection pool can only be selected in an initialization block for the USER system session variable. This is typically called the Authentication Initialization Block. When impersonation is used, this initialization block is skipped. All other initialization blocks must use connection pools that do not use database authentication.
Caution:
An authentication initialization block is the only initialization block in which it is acceptable to use a connection pool where :USER and :PASSWORD are passed to a physical database.
For other initialization blocks, SQL statements can use :USER and :PASSWORD. However, because Oracle BI Scheduler Server does not store user passwords, the WHERE clause must be constructed as shown in the following example:
SELECT username, groupname, dbname, schemaname FROM users WHERE username=':USER' NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE
When impersonation is used, everything in the parentheses is extracted from the SQL statement at runtime.
For more information, see the Oracle BI Delivers examples in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
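The following added example (not Oracle's code) emulates how the authentication initialization block SQL above is rewritten at run time: for an interactive login the NQS_PASSWORD_CLAUSE text is kept and :PASSWORD filled in, while under Scheduler impersonation the parenthesised clause is dropped, so the row is matched on user name alone. The user table, its rows, and the sqlite3 back end are constructed for the demonstration; it also splits a semicolon-separated group column as the note on multiple groups describes.

```python
import re
import sqlite3

# Constructed sample of the external user table the page describes
# (columns and rows are invented for this example, not an Oracle schema).
USERS = [
    ("alice", "s3cret", "Sales;Finance", "SALESDB", "SALES"),
    ("bob", "hunter2", "HR", "HRDB", "HR"),
]

# Authentication init block SQL in the form shown on the page.
AUTH_SQL = ("SELECT username, groupname, dbname, schemaname FROM users "
            "WHERE username=':USER' "
            "NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE")

PASSWORD_CLAUSE = re.compile(r"NQS_PASSWORD_CLAUSE\((.*?)\)NQS_PASSWORD_CLAUSE", re.S)


def render_auth_sql(template, user, password, impersonation):
    """Emulate the run-time rewrite of the init block SQL.

    Under impersonation (Scheduler running an Agent) everything inside
    NQS_PASSWORD_CLAUSE(...) is removed because the Scheduler holds no
    password for the end user; for a normal login the clause is kept.
    """
    if impersonation:
        sql = PASSWORD_CLAUSE.sub("", template)
    else:
        sql = PASSWORD_CLAUSE.sub(lambda m: m.group(1), template)
    # Textual substitution; single quotes are doubled so a constructed
    # value cannot break out of the SQL string literal in this demo.
    sql = sql.replace(":USER", user.replace("'", "''"))
    sql = sql.replace(":PASSWORD", password.replace("'", "''"))
    return " ".join(sql.split())


def authenticate(user, password, impersonation=False):
    """Run the rendered SQL against an in-memory copy of the user table.

    Returns None when no row matches, otherwise the session variables
    with the semicolon-separated group column split into a list.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username, pwd, groupname, dbname, schemaname)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", USERS)
    row = conn.execute(render_auth_sql(AUTH_SQL, user, password, impersonation)).fetchone()
    conn.close()
    if row is None:
        return None
    username, groupname, dbname, schemaname = row
    return {"USER": username, "GROUP": groupname.split(";"),
            "DBNAME": dbname, "SCHEMA": schemaname}
```

Because the impersonated query no longer checks a password, the connection pool used by this block is the only one that should ever receive :USER and :PASSWORD, as the caution above states.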
The BI Server populates session variables using the initialization blocks, in the order specified by the dependency rules defined in the initialization blocks.
If the server finds the session variable USER, it performs authentication against an LDAP server or an external database table, depending on the configuration of the initialization block with which the USER variable is associated.
Authentication against the identity store configured in Oracle WebLogic Server Administration Console occurs first, and if that fails, then initialization block authentication occurs.
You can create a customized authentication module using initialization blocks.
An authenticator is a dynamic link library (DLL), or shared object on UNIX, written by a customer or developer that conforms to the Oracle BI Authenticator API Specification and can be used by the BI Server to perform authentication and other tasks at run time. The dynamically loadable authentication module is a BI Server module with a cache layer that uses the authenticator to perform authentication and related tasks at run time.
Sample custom authenticator code can be found in the Oracle BI EE Sample Application downloadable from Oracle Technology Network (OTN).
After you create an authentication object (authenticator plug-in) and specify a set of parameters for the authentication module (such as configuration file path, number of cache entries, and cache expiration time), you must associate the authentication object with an initialization block. You can associate the USER variable (required) and other variables with the initialization blocks.
When a user logs in and authentication succeeds, the variables specified in the initialization block are populated.
A custom authenticator is an object in the repository that represents a custom C authenticator plug-in. This object is used with an authentication init block to enable the BI Server component to authenticate users against the custom authenticator. The recommended method for authentication is to use Oracle WebLogic Server's embedded LDAP server. However, custom authenticators can still be used.
To add a custom authenticator:
In the Administration Tool, select Manage, then Identity. Select Custom Authenticators from the navigation tree. Select from the following options:
To create a new custom authenticator: Right-click in the right pane and select New Custom Authenticator.
To edit a custom authenticator: Double-click the name.
In the Custom Authenticator dialog, complete the necessary fields.
Authenticator plug-in: The path and name of the plug-in DLL for this custom authenticator.
Configuration parameters: The parameters that have been explicitly exposed for configuration for this custom authenticator.
Encrypted parameter: The parameters that have been encrypted, such as passwords for this custom authenticator.
Cache persistence time: The interval at which the authentication cache entry for a logged on user is refreshed, for this custom authenticator.
Number of cache entries: The maximum number of entries in the authentication cache for this custom authenticator (preallocated when the Oracle BI Server starts). If the number of users exceeds this limit, cache entries are replaced using the LRU algorithm. If this value is 0, then the authentication cache is disabled.
Click OK.
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables.
Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
The Administration Tool Session Manager is used in online mode to monitor activity.
The Session Manager shows all users logged in to the session, all current query requests for each user, and variables and their values for a selected session. Additionally, an administrative user can disconnect any users and terminate any query requests with the Session Manager.
How often the Session Manager data is refreshed depends on the amount of activity on the system. To refresh the display at any time, click Refresh.
The Session Manager contains an upper pane and a lower pane:
The top pane, the Session pane, shows users currently logged in to the BI Server. To control the update speed, from the Update Speed list, select Normal, High, or Low. Select Pause to keep the display from being refreshed.
The bottom pane contains two tabs:
The Request tab shows active query requests for the user selected in the Session pane.
The Variables tab shows variables and their values for a selected session. You can click the column headers to sort the data.
The following table describes the columns in the Session pane:

| Column Name | Description |
|---|---|
| Client Type | The type of client connected to the server. |
| Last Active Time | The time stamp of the last activity on the session. |
| Logon Time | The time stamp that shows when the session initially connected to the BI Server. |
| Repository | The logical name of the repository to which the session is connected. |
| Session ID | The unique internal identifier that the BI Server assigns each session when the session is initiated. |
| User | The name of the user connected. |

The following table describes the columns in the Request tab:

| Column Name | Description |
|---|---|
| Last Active Time | The time stamp of the last activity on the query. |
| Request ID | The unique internal identifier that the BI Server assigns each query when the query is initiated. |
| Session ID | The unique internal identifier that the BI Server assigns each session when the session is initiated. |
| Start Time | The time of the individual query request. |
To view the variables for a session:
In the Administration Tool, open a repository in online mode and select Manage then Sessions.
Select a session and click the Variables tab.
For more information about variables, see Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
To refresh the view, click Refresh.
To close Session Manager, click Close.
To disconnect a user from a session:
In the Administration Tool, open a repository in online mode and select Manage then Sessions.
Select the user in the Session Manager top pane.
Click Disconnect.
The user session receives a message that indicates that the session was terminated by an administrative user. Any currently running queries are immediately terminated, and any outstanding queries to underlying databases are canceled.
To close the Session Manager, click Close.
To terminate an active query: