Oracle by Example brandingConfiguring External Authentication for ODI

section 0Before You Begin

This tutorial walks you through the steps needed to configure external user authentication for Oracle Data Integrator (ODI).
This tutorial takes approximately 20 minutes to complete.

Background

Oracle Data Integrator stores all user information as well as users' privileges in the master repository by default. When a user logs in to ODI, it logs in against the master repository. This authentication method is called Internal Authentication.

Oracle Data Integrator can optionally use Oracle Platform Security Services (OPSS), a standards-based and portable security framework for Java applications, to authenticate its users against an external Identity Store, which contains enterprise users and passwords. Such an identity store is used at the enterprise level by all applications, in order to have centralized user and password definitions and Single Sign-On (SSO). In such a configuration, the ODI master repository only contains references to these enterprise users. This authentication method is called External Authentication.

Note: When using External Authentication, only users and their passwords are externalized. ODI privileges remain within the repository. Data servers and context passwords also remain in the master repository. It is possible to externalize data server and context passwords, using the ODI External Password Storage feature.

ODI can authenticate its users against a variety of external identity stores, such as Oracle Internet Directory (OID) LDAP Server or WebLogic Server. This OBE provides a step-by-step walkthrough of the process of configuring ODI with OID LDAP Server. The steps for configuring authentication with other external identity stores are very similar.

Note: The steps to configure ODI external user authentication are also outlined in the ODI 12c Admin Guide.

What Do You Need?

Software and Hardware Requirements

The system should include the following installed products:

  1. Oracle Database 12c
  2. Oracle Data Integrator 12c
  3. An external authentication provider such as LDAP, OID, or WLS

If not done before, start the services and components for Oracle Database 12c.

Prerequisites

Before you start the tasks, make sure that your system environment meets the following requirements:

  1. You have installed Oracle Database 12c. If not done before, start the services and components for Oracle Database 12c.
  2. You have installed Oracle Data Integrator.
  3. You have installed an external authentication provider such as LDAP, OID, or WLS.

section 1Creating a Schema/User for new ODI Master Repository

To create an RDBMS schema using SQL Developer,

  1. On Windows, start SQL Developer by selecting Start > Programs > [Oracle Database home] > Application Development > SQL Developer.
    When SQL Developer opens, close the Logging Page � Log tab.
  2. In SQL Developer, create a new connection.
  3. Name this new connection: Administrator. Enter SYSTEM for Username. Enter oracle1 for Password. For SID, enter: ORCL. Clisk Test, and then click Connect. Click �+� to expand connection Administrator.
  4. You have to create the RDBMS schema/user (Oracle 12c) for the Master repository. The schemas can be created by executing the following SQL commands:

create user <MY_SCHEMA> identified by <MY_PASS>
default tablespace <MY_TBS> temporary tablespace <MY_TEMP>;
grant connect, resource to <MY_SCHEMA>;

where:
<MY_SCHEMA> corresponds to the name of the schema that you want to create
<MY_PASS> corresponds to the password that you gave
<MY_TBS> corresponds to the Oracle tablespace where the data will be stored
<MY_TEMP> corresponds to the temporary default tablespace

In this example, to create the user oracle for master repository, enter the following command. Click Execute statement icon .

Execute_Statement

create user oracle identified by passwd
default tablespace users temporary tablespace temp;

Note: In this command, passwd is the value of the password to connect to the user oracle.

section 2Configuring Oracle Data Integrator Studio for External Authentication

To configure Oracle Data Integrator Studio with external authentication, you must do the following:

Set Up the OPSS Configuration File

The configuration to connect and use the identity store is contained in the OPSS configuration file, called jps-config-jse.xml. To configure Oracle Data Integrator components with external authentication, you must set up this configuration file to correspond to the external identity store that you plan to use.

To set up the OPSS configuration file, complete the following steps:

  1. Copy the following files into the odi/oracledi directory:

ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/jps-config.xml

ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/system-jazn-data.xml

  1. Change to the odi/oracledi directory.
  2. Rename jps-config.xml to jps-config-jse.xml.
  3. Open jps-config-jse.xml in an editor.
  4. Add a service instance for the identity store provider and include the following properties:
    • The service instance name. For example, for Oracle Internet Directory, name="idstore.oid".
    • The idstore.type property.
    • The bootstrap.security.principal.map property.
    • The bootstrap.security.principal.key property.
    For an example service instance configuration, see Example 11-1 Example Service Instance Configuration in Administering Oracle Data Integrator guide.
    For details about specifying these properties for your identity store, see the LDAP Identity Store Properties section in Securing Applications with Oracle Platform Security Services.
  5. In the default jps context, change the serviceInstanceRef name="idstore.xml" value to "idstore.<your-idstore-type>", as in the following example that sets the identity store type for Oracle Internet Directory: <serviceInstanceRef ref="idstore.oid"/>
  6. Comment out the keystore and audit service instance references in the default jps context. For example:
    <jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>
    <!-- <serviceInstanceRef ref="keystore"/> -->
    <serviceInstanceRef ref="policystore.xml"/>
    <!-- <serviceInstanceRef ref="audit"/> -->
  7. Set any additional property attribute values as appropriate for your identity store.

For complete details about the OPSS configuration file, see the Configuring Java SE Applications to Use OPSS chapter in Securing Applications with Oracle Platform Security Services for more information.

Set External Authentication when Creating the Master Repository

To create the master repository and set it to use external authentication:

  1. Change to the ORACLE_HOME/odi/studio directory.
  2. Launch Oracle Data Integrator Studio by running the following command:

    Windows - odi.exe

    UNIX - ./odi.sh

  3. In Oracle Data Integrator Studio, select File > New, select Master Repository Creation Wizard, and click OK.
  4. In the repository selection screen of the Master Repository Creation Wizard, enter the connection parameters for the database that is to contain the master repository. For this,
    • Click the browse icon present beside to JDBC Driver text box and then select Oracle JDBC Driver and Click OK.
    • Edit the JDBC URL - jdbc:oracle:thin: <host name>:<port>:<SID>
      For Example -jdbc:oracle:thin: localhost:1521:orcl
    • Enter the User name (oracle) and Password (passwd) (username and password created during Schema creation).
    • Enter DBA user details such as SYS or SYSTEM.
    • Click Test Connection, to ensure the parameters are correct.
    • When the connection test is successful, click OK.
    For details about configuring this database, see Installing and Configuring Oracle Data Integrator.
  5. In the authentication screen of the Master Repository Creation Wizard, select Use External Authentication.

For information about how to update an existing master repository to use external authentication, refer to the next section Switching an Existing Master Repository to External Authentication Mode.

section 3Switching an Existing Master Repository to External Authentication Mode

To switch the authentication mode from internal to external in an existing master repository, complete the following steps:

  1. Change to the ORACLE_HOME/odi/studio directory.
  2. Launch Oracle Data Integrator Studio by running the following command:

    Windows - odi.exe

    UNIX - ./odi.sh

  3. In Oracle Data Integrator Studio, select ODI > Switch Authentication Mode.
    The Login screen of the Switch Authentication Mode wizard is displayed.
  4. Enter the login name of the master repository, the JDBC connection parameters, and the user name and password for the master repository database user, then click Next.
    The Credentials screen of the Switch Authentication Mode wizard is displayed.
  5. Click the Add button, which is shown as the green plus symbol adjacent to the search field, to display the Enterprise Roles and Users Retrieval dialog box.
    You can use the Enterprise Roles and Users Retrieval dialog box to either:
    • Enter a filter expression to display the roles and users in the identity store that match the filter.
    • Search the identity store for a specific role or user name.
    You can expand the Enterprise Roles and Enterprise Users nodes to browse the available enterprise roles and users in the identity store.
  6. Select the user or role you wish to assign to the SUPERVISOR_ROLE role, then click Finish.

Upon successful switch to the external authentication mode, External Authentication Success dialog appears.

section 4Reactivating Users After Switching to External Authentication

If you have an existing set of Oracle Data Integrator users defined, you can re-enable them after switching to external authentication as explained in this section. To re-enable users, first reconnect to Studio as a user with supervisor privileges�for example, SUPERVISOR�using the password specified in the external identity store, and not the one stored in the internal Oracle Data Integrator repository.

Then peform the following steps:

  1. In the Security Navigator, expand the Users navigation tree.
  2. From the list of users displayed, select the user that you want to re-enable.
  3. Right-click and select Open. The User administrator dialog appears.
  4. Click Retrieve GUID. If the user name has a match in the identity store, this external user's GUID appear in the External GUID field.
  5. From the File main menu, select Save and disconnect.
  6. Reconnect as this user (for example, the user SUPERVISOR) using the password in the external identity store.

You should now be able to connect to Oracle Data Integrator Studio using the external authentication.

section 5Configuring Standalone or Standalone Colocated Agents for External Authentication

To configure the Standalone or Standalone Colocated agents for external authentication, perform the following steps:

  1. Copy the following files into the DOMAIN_HOME/config/fmwconfig directory, if they do not already exist there, where DOMAIN_HOME represents the root directory of your Oracle Data Integrator domain.

ORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/jps-config.xmlORACLE_HOME/oracle_common/modules/oracle.jps_12.1.2/domain_config/jse/system-jazn-data.xml

Note: For information about creating an Oracle Data Integrator domain, see Installing and Configuring Oracle Data Integrator.

  1. Change to the DOMAIN_HOME/config/fmwconfig directory.
  2. Rename jps-config.xml to jps-config-jse.xml.
  3. Open jps-config-jse.xml in an editor.
  4. Add a service instance for the identity store provider and include the following properties:
    • The service instance name. For example, for Oracle Internet Directory, name="idstore.oid".
    • The idstore.type property.
    • The bootstrap.security.principal.map property.
    • The bootstrap.security.principal.key property.
    For an example service instance configuration, see Example 11-1 Example Service Instance Configuration in Administering Oracle Data Integrator guide.
    For details about specifying these properties for your identity store, see the LDAP Identity Store Properties section in Securing Applications with Oracle Platform Security Services.
  1. In the default jps context, change the serviceInstanceRef name="idstore.xml" value to "idstore.<your-idstore-type>", as in the following example that sets the identity store type for Oracle Internet Directory:
    <serviceInstanceRef ref="idstore.oid"/>
  2. Comment out the keystore and audit service instance references in the default jps context element. For example:
    <jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>
    <!-- <serviceInstanceRef ref="keystore"/> -->
    <serviceInstanceRef ref="policystore.xml"/>
    <!-- <serviceInstanceRef ref="audit"/> -->
  3. Save your changes to jps-config-jse.xml and exit from your editor.
  4. Change to the DOMAIN_HOME/bin directory.
  5. Run the odi_credtool script.
  6. You are prompted to enter the following parameters:
    Parameter
    		Value
    User name This is the Distinguished Name (DN) of the bootstrap user account used to connect to the identity store with Administrator privileges.
    For example, for Microsoft Active Directory, specify this user as follows:
    CN=Administrator,CN=Users,DC=ad,DC=vm,DC=company,DC=com
    Password The password for the bootstrap user account that is used to connect to the identity store.

After you enter the correct credentials for the bootstrap user account, the following message is displayed: The credentials have been successfully added to the boostrap credential store.

more informationWant to Learn More?