This chapter describes how to integrate Oracle Business Intelligence with Oracle Identity Management.
Before you perform the steps in this chapter, you must have successfully completed the installation and configuration steps described in both of the following:
Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
The previous chapters of this guide
Important:
Oracle strongly recommends that you read the Oracle Fusion Middleware Release Notes for any additional installation and deployment considerations before starting the setup process.
This section contains the following topics:
Section 12.1.1, "Overview of Credential and Policy Store Configuration"
Section 12.1.5, "Refreshing User GUIDs After Identity Store Reassociation"
Oracle Fusion Middleware allows using different types of credentials and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes that are made on Managed Servers are not propagated to the Administration Server unless they use the same domain home. Because the Oracle Business Intelligence EDG topology uses different domain homes for the Administration Server and the Managed Server, Oracle requires the use of an LDAP store as policy and credential store for integrity and consistency.
By default, Oracle WebLogic Server domains use an XML file for the policy store. The following sections describe the steps that are required to change the default store to Oracle Internet Directory LDAP for credentials or policies.
Note:
The back-end repository for the policy store and the credential store must use the same kind of LDAP server. To preserve this coherence, note that reassociating one store implies reassociating the other one; that is, the reassociation of both the credential and the policy stores is accomplished as a unit using Oracle Enterprise Manager Fusion Middleware Control or the WLST command reassociateSecurityStore.
This section explains how to configure the credential store and contains the following topics:
Section 12.1.2.3, "Configuring the Identity Store to Use LDAP"
Section 12.1.2.5, "Moving the WebLogic Administrator to LDAP"
Create the users and groups that you need in Oracle Internet Directory, if you have not done so already. See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Chapter 3: Using Alternative Authentication Providers in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for more information.
To ensure that you have a copy of the latest version of files, first back up the relevant configuration files:
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/system-jazn-data.xml
Also back up the boot.properties file for the Administration Server.
Perform the following steps to configure the credential store to use LDAP by setting the proper authenticator using the Oracle WebLogic Server Administration Console:
Log in to the Administration Console.
Click the Security Realms link on the left navigation bar.
Click the myrealm default realm entry to configure it.
Open the Providers tab within the realm. Notice that there is a DefaultAuthenticator provider configured for the realm.
In the Change Center, click Lock & Edit.
Click New to add a new provider.
Enter a name for the provider, such as OIDAuthenticator.
Select the OracleInternetDirectoryAuthenticator type from the list of authenticators.
Click OK.
In the Providers screen, click the newly created authenticator.
Set the control flag to SUFFICIENT. This indicates that if a user can be authenticated successfully by this authenticator, then that authentication is accepted and any additional authenticators are not invoked. If the authentication fails, then it is passed to the next authenticator in the chain.
Ensure that all subsequent authenticators also have their control flag set to SUFFICIENT. In particular, check the control flag for the DefaultAuthenticator and set it to SUFFICIENT if necessary.
Click Save.
Open the Provider Specific tab, then enter details that are specific to the LDAP server, as shown in Table 12-1.
Table 12-1 LDAP Server Details
Parameter | Value | Description |
---|---|---|
Host | For example: oid.mycompany.com | The host name of the LDAP server. |
Port | For example: 636 | The LDAP server port number. |
Principal | For example: cn=orcladmin | The LDAP user DN used to connect to the LDAP server. |
Credential | your_password | The password used to connect to the LDAP server. |
SSL Enabled | Selected | Specifies whether the SSL protocol is used when connecting to the LDAP server. |
User Base DN | For example: cn=Users,dc=mycompany, | Specifies the DN under which the Users start. |
Group Base DN | For example: cn=Groups,dc=mycompany, | Specifies the DN that points to the Groups node. |
User Name Attribute | cn | The user name attribute. |
Use Retrieved User Name as Principal | Selected | This option must be enabled. |
Click Save when done.
Click Activate Changes to propagate the changes.
Restart the Administration Server and the Managed Servers.
Reorder the OID Authenticator and Default Authenticator, and ensure that the control flag for each authenticator is set as follows:
OID LDAP Authenticator: SUFFICIENT
Default Authenticator: SUFFICIENT
Restart the Administration Server, the Managed Servers, and the Oracle Business Intelligence system components.
After LDAP has been configured, all users (including administrative users) must be LDAP users. This must be configured by the LDAP administrator. Create an administration group with the necessary users. For information about the required steps, see "Creating Users and Groups for Oracle Identity Manager" in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. Use "BIAdministrators" for the group name.
After this group is created, perform the following steps to update the role definition for the WLS Global Admin role in Oracle WebLogic Server:
Log in to the Administration Console.
Go to the location that defines the Admin role by selecting Security Realms, then the realm name, then Roles and Policies, then Global Roles, then Roles, then Admin. Click the View Role Conditions link.
By default, you can see that the Administrators group in Oracle Internet Directory defines who has the Admin role in Oracle WebLogic Server.
Click Add Conditions to add a different group name (BIAdministrators). Then, delete the Administrators group, leaving the new one that you added.
Click Save.
After making this change, any members of the new group that you specified are authorized to administer Oracle WebLogic Server.
The boot.properties file for the Administration Server must be updated with the WebLogic admin user that was created in Oracle Internet Directory. Perform the following steps to update the boot.properties file:
On APPHOST1, change to the following directory:
APPHOST1> cd ORACLE_BASE/admin/domain_name/aserver/domain_name/servers/AdminServer/security
Rename the existing boot.properties file:
APPHOST1> mv boot.properties boot.properties.backup
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=admin_user
password=admin_user_password
Save the file.
Stop and restart the Administration Server.
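The following script is an added example and is not part of the Oracle guide. It performs the boot.properties steps above in one function, keeps the backup copy the guide asks for, and creates the new file readable by its owner only, because the file holds the administrator password in clear text until the Administration Server encrypts it on its next start. The password is read from standard input rather than taken as an argument, so it does not appear in a process listing or in shell history. The second function is a check you can run afterwards; the directory and user names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): recreate the Administration Server
# boot.properties with the WebLogic administrator created in Oracle Internet
# Directory, keeping the old file as boot.properties.backup and restricting the
# permissions on the new one.
#
# Usage (SECURITY_DIR and ADMIN_USER are placeholders):
#   printf '%s\n' "$ADMIN_PASSWORD" | write_boot_properties SECURITY_DIR ADMIN_USER

# write_boot_properties SECURITY_DIR ADMIN_USER   (password on standard input)
write_boot_properties() {
    security_dir=$1
    admin_user=$2
    bootfile="$security_dir/boot.properties"

    # Keep the previous file, as the guide does with boot.properties.backup.
    if [ -f "$bootfile" ]; then
        mv "$bootfile" "$bootfile.backup" || return 1
    fi

    # Read the password from stdin so it is never passed on the command line.
    IFS= read -r admin_password || return 1

    # umask 077 makes the new file readable and writable by its owner only.
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$admin_user" "$admin_password" > "$bootfile"
    ) || return 1
    unset admin_password
    return 0
}

# check_boot_properties SECURITY_DIR: returns 0 if boot.properties exists,
# carries both keys and grants no group or world access; 1 otherwise.
check_boot_properties() {
    bootfile="$1/boot.properties"
    [ -f "$bootfile" ] || return 1
    grep -q '^username=' "$bootfile" || return 1
    grep -q '^password=' "$bootfile" || return 1
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    mode=$(ls -l "$bootfile" | cut -c5-10)
    [ "$mode" = "------" ] || return 1
    return 0
}
```

Run check_boot_properties again after the first restart: WebLogic rewrites the file with encrypted values, and the permissions should still exclude group and world access.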
The domain policy store is the repository of system and application-specific policies. In a given domain, there is one store that stores all policies that all applications that are deployed in the domain can use. This section provides the steps to configure Oracle Internet Directory LDAP as the policy store for the Oracle Business Intelligence EDG topology.
To ensure proper access to the Oracle Internet Directory LDAP server directory that is used as a policy store, you must create a root node for the store in the server directory.
Perform the following steps as an Oracle Internet Directory administrator to create the appropriate node in the Oracle Internet Directory server:
Create an LDIF file (jpstestnode.ldif in this example), specifying the following DN and CN entries:
dn: cn=jpsroot_bi,dc=mycompany,dc=com
cn: jpsroot_bi
objectclass: top
objectclass: OrclContainer
The DN of the root node (jpsroot_bi in the previous step) must be distinct from any other DN. One root node can be shared by multiple WebLogic domains. It is not required that this node be created at the top level, as long as read and write access to the subtree is granted to the Oracle Internet Directory administrator.
Import this data into the Oracle Internet Directory server using the ldapadd command, as shown in the following example:
OIDHOST1> ORACLE_HOME/bin/ldapadd -h ldap_host -p ldap_port -D cn=orcladmin \
-w password -c -v -f jpstestnode.ldif
Verify that the node has been successfully inserted using the ldapsearch command, as shown in the following example:
OIDHOST1> ORACLE_HOME/bin/ldapsearch -h ldap_host -p ldap_port -D cn=orcladmin \
-w password -b "cn=jpsroot_bi,dc=mycompany,dc=com" objectclass="orclContainer"
When using Oracle Internet Directory as the LDAP-based policy store, run the oidstats.sql utility on INFRADBHOST to generate database statistics for optimal database performance:
OIDHOST1> connect ods/password
OIDHOST1> @ORACLE_HOME/ldap/admin/oidstats.sql
Note: The oidstats.sql utility needs to be run only once, after the initial provisioning.
Perform the following steps to reassociate the policy and credential store with Oracle Internet Directory using the WLST reassociateSecurityStore command:
From APPHOST1, start the wlst shell:
APPHOST1> cd ORACLE_COMMON_HOME/common/bin
APPHOST1> ./wlst.sh
Connect to the WebLogic Administration Server using the wlst connect command, as follows:
connect ("AdminUser", "AdminPassword", "t3://hostname:port")
For example:
connect ("weblogic", "password", "t3://ADMINVHN:7001")
Run the reassociateSecurityStore command, as follows:
reassociateSecurityStore(domain="domainName", admin="cn=admin_user_name", password="orclPassword", ldapurl="ldap://LDAPHOST:LDAPPORT", servertype="OID", jpsroot="cn=jpsroot_bi")
For example:
wls:/bifoundation_domain/serverConfig>
reassociateSecurityStore(domain="bifoundation_domain", admin="cn=orcladmin",
password="password", ldapurl="ldap://oid.mycompany.com:389", servertype="OID",
jpsroot="cn=jpsroot_bi,dc=mycompany,dc=com")
Restart the Administration Server after the command completes successfully.
Note:
For credential and policy changes to take effect, you must restart the servers in the domain.
In Oracle Business Intelligence 11g Release 1 (11.1.1), users are recognized by their global unique identifiers (GUIDs), not by their names. GUIDs are identifiers that are completely unique for a given user. Using GUIDs to identify users provides a higher level of security, because it ensures that data and metadata are uniquely secured for a specific user, independent of the user name.
Oracle recommends that you follow these two best practices to ensure that GUIDs are consistently applied in each phase of the development to production lifecycle:
Ensure that a fan-out replica of the identity store is used between development, test, and production systems, so that user GUIDs are consistent and identical across the complete development to production lifecycle. See "Setting Up Replication" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for further information about creating fan-out replicas.
Wherever possible, secure access to data and metadata using application roles rather than individual users.
GUID refresh (also called GUID synchronization or GUID regeneration) updates any metadata references to user GUIDs in the Oracle BI repository and Oracle BI Presentation Catalog. During the GUID refresh process, each user name is looked up in the identity store. Then, all metadata references to the GUID associated with that user name are replaced with the GUID in the identity store.
GUID refresh might be required when Oracle Business Intelligence is reassociated with an identity store that has different GUIDs for the same users. This situation might occur when reassociating Oracle Business Intelligence with a different type of identity store and is usually a rare event.
Note that if Oracle best practices are not observed and Oracle Business Intelligence repository data is migrated between systems that have different GUIDs for the same users, GUID refresh is required for the system to function. This is not a recommended practice, because it raises the risk that data and metadata secured to one user (for example, John Smith, who left the company two weeks ago) become accessible to another user (for example, John Smith, who joined last week). Using application roles wherever possible and using GUIDs consistently across the full development-to-production lifecycle prevents this problem from occurring.
To refresh user GUIDs, perform the following steps on APPHOST1 and APPHOST2. Note that GUID refresh must occur with only one node operating at a time.
Stop the Oracle BI Server and Presentation Services on all nodes except where you are refreshing the user GUIDs. For example:
cd ORACLE_BASE/admin/instancen/bin
./opmnctl stopproc ias-component=coreapplication_obips1
./opmnctl stopproc ias-component=coreapplication_obis1
Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in the NQSConfig.INI file using the following steps:
Open the NQSConfig.INI file for editing in the following directory:
ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
Save and close the file.
Update the Catalog element in the instanceconfig.xml file using the following steps:
Open the instanceconfig.xml file for editing in the following directory:
ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
Locate the Catalog element and update it as follows:
<Catalog>
<UpgradeAndExit>false</UpgradeAndExit>
<UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
</Catalog>
Save and close the file.
On the node where you are refreshing the GUIDs, stop and start the Oracle BI Server and Presentation Services using the opmnctl command:
cd ORACLE_BASE/admin/instancen/bin
./opmnctl stopproc ias-component=coreapplication_obips1
./opmnctl stopproc ias-component=coreapplication_obis1
./opmnctl startproc ias-component=coreapplication_obis1
After you confirm that the Oracle BI Server is running, then start Presentation Services:
./opmnctl startproc ias-component=coreapplication_obips1
Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in the NQSConfig.INI file back to NO.
Important: You must perform this step to ensure that the system is secure.
Update the Catalog element in the instanceconfig.xml file to remove the UpdateAccountGUIDs entry.
Restart the Oracle Business Intelligence system components using the opmnctl command:
cd ORACLE_BASE/admin/instancen/bin
./opmnctl stopall
./opmnctl startall
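The following script is an added example and is not part of the Oracle guide. It covers the configuration-file half of the GUID refresh procedure above: turning the two refresh settings on, turning them back off, and checking that neither is still active. The guide marks setting FMW_UPDATE_ROLE_AND_USER_REF_GUIDS back to NO as required for the system to be secure, and the guid_refresh_enabled function is the check for that step (and for the UpdateAccountGUIDs element, which must be removed as well). File paths are parameters, so the functions work on the real files under ORACLE_INSTANCE or on the constructed sample fragments that make_sample_configs writes; those samples stand in for the product files and are not copies of them. The opmnctl stop and start steps are not scripted here.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): apply and revert the GUID-refresh
# settings in NQSConfig.INI and instanceconfig.xml, and check that neither is
# still active afterwards.

# set_nqs_guid_flag FILE YES|NO: rewrite the parameter value, keeping the rest
# of the line; a .bak copy of the file is left beside it.
set_nqs_guid_flag() {
    cp "$1" "$1.bak" || return 1
    sed 's/^\([[:space:]]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[[:space:]]*=[[:space:]]*\)[A-Za-z]*;/\1'"$2"';/' \
        "$1.bak" > "$1" || return 1
}

# set_guid_refresh NQSCONFIG INSTANCECONFIG on|off
set_guid_refresh() {
    nqs=$1
    inst=$2
    case $3 in
        on)
            set_nqs_guid_flag "$nqs" YES || return 1
            # Add the UpdateAccountGUIDs element after UpgradeAndExit, once only,
            # with the same indentation as the UpgradeAndExit line.
            if ! grep -q '<UpdateAccountGUIDs>' "$inst"; then
                cp "$inst" "$inst.bak" || return 1
                awk '
                    { print }
                    /<UpgradeAndExit>/ {
                        match($0, /^[[:space:]]*/)
                        print substr($0, 1, RLENGTH) "<UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>"
                    }' "$inst.bak" > "$inst" || return 1
            fi
            ;;
        off)
            set_nqs_guid_flag "$nqs" NO || return 1
            # Remove the UpdateAccountGUIDs element entirely, as the guide instructs.
            cp "$inst" "$inst.bak" || return 1
            sed '/<UpdateAccountGUIDs>/d' "$inst.bak" > "$inst" || return 1
            ;;
        *)
            echo "usage: set_guid_refresh NQSConfig.INI instanceconfig.xml on|off" >&2
            return 2
            ;;
    esac
}

# guid_refresh_enabled NQSCONFIG INSTANCECONFIG: returns 0 if either file still
# enables a refresh (the state that must not be left behind), 1 if both are off.
guid_refresh_enabled() {
    grep -Eiq '^[[:space:]]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[[:space:]]*=[[:space:]]*YES' "$1" && return 0
    grep -q '<UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>' "$2" && return 0
    return 1
}

# make_sample_configs DIR: constructed fragments standing in for the real
# product files, so the functions can be tried away from a BI instance.
make_sample_configs() {
    printf '%s\n' \
        '# constructed NQSConfig.INI fragment, not the product file' \
        'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;' > "$1/NQSConfig.INI"
    printf '%s\n' \
        '<ServerInstance>' \
        '   <Catalog>' \
        '      <UpgradeAndExit>false</UpgradeAndExit>' \
        '   </Catalog>' \
        '</ServerInstance>' > "$1/instanceconfig.xml"
}
```

A practical sequence on the node being refreshed is: set_guid_refresh on, perform the opmnctl stop and start steps above, then set_guid_refresh off and confirm with guid_refresh_enabled (which should return 1) before the final restart. Running guid_refresh_enabled against every node's files afterwards catches a node that was left in refresh mode.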
This section describes how to configure Oracle Access Manager 10g as a single sign-on solution for the Oracle Business Intelligence topology.
The instructions for Oracle Access Manager 10g assume an existing Oracle Access Manager installation, complete with Access Managers and a policy that protects the Policy manager. For more information about installing and configuring an Oracle Access Manager installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
The configuration that is described in this chapter includes a directory service such as Oracle Internet Directory, either as a standalone component or as part of an Oracle Virtual Directory configuration. This section provides the necessary steps for configuring the Oracle Business Intelligence installation with Oracle Internet Directory.
In addition, the Oracle Access Manager installation should have its own web server configured with WebGate. This section also provides steps for using the Oracle Access Manager web server as a delegated authentication server.
This section explains how to use the Oracle Access Manager Configuration Tool and contains the following topics:
Section 12.2.2.1, "About the Oracle Access Manager Configuration Tool"
Section 12.2.2.2, "Collecting Information for the Oracle Access Manager Configuration Tool"
Section 12.2.2.3, "Running the Oracle Access Manager Configuration Tool"
Section 12.2.2.4, "Verifying Successful Creation of the Policy Domain and AccessGate"
The Oracle Access Manager Configuration Tool (oamcfgtool) starts a series of scripts and sets up the required policies. It requires various parameters as inputs. Specifically, the tool creates the following:
A Form Authentication scheme in Oracle Access Manager
Policies to enable authentication in Oracle WebLogic Server
A WebGate entry in Oracle Access Manager to enable Oracle HTTP Server WebGates (from the Web tier) to protect the configured application
A Host Identifier, depending on the scenario chosen (a default host identifier is used, if not provided)
Policies to protect and unprotect the application-specific URL
Collect or prepare the following information before running the Oracle Access Manager Configuration Tool:
Password: Create a secure password. This is used as the password for the WebGate installation performed later.
LDAP Host: The host name of the Directory Server or load balancer address, for HA/EDG configurations.
LDAP Port: The port number of the Directory Server.
LDAP USER DN: The DN of the LDAP administrator user (for example, "cn=orcladmin").
LDAP password: The password of the LDAP administrator user.
OAM_AA_HOST: The host name of the Oracle Access Manager instance.
OAM_AA_PORT: The Oracle Access Manager port number.
The Oracle Access Manager Configuration Tool is located in the following directory:
MW_HOME/oracle_common/modules/oracle.oamprovider_11.1.1
You can run the tool from any computer with the required installation files. In this case, you run it from APPHOST1.
Note:
When integrating with Oracle Identity Management, use the transport mode currently in use by the Oracle Identity Management servers. For example, Open, Simple, or Cert.
Set the JAVA_HOME value before running the tool using the following command:
export JAVA_HOME=$MW_HOME/jrockit_160_05_R27.6.2-20
Run the Oracle Access Manager Configuration Tool, as follows (all on a single line):
$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="bifoundation_domain" protected_uris="$PROTECTED_URI_LIST" public_uris="$PUBLIC_URI_LIST" ldap_host="oid.mycompany.com" ldap_port=389 ldap_userdn="cn=LDAP_admin_user_name" ldap_userpassword=LDAP_admin_user_password oam_aaa_host=OAMHOST1 oam_aaa_port=OAMPORT1 oam_aaa_mode=simple
For $PROTECTED_URI_LIST, use:
"/bicontent,/mapviewer,/em/.../*,/console/.../*,/aps,/calcmgr,/hr, /workspace,/analytics/saw.dll,/xmlpserver,/ui,/em,/console,/ui/adfAuthentication,/mobile,/mobile/.../*"
For $PUBLIC_URI_LIST, use:
"/analytics,/analytics/saw.dll/wsdl,/analytics-ws/saw.dll,/xmlpserver/services, /xmlpserver/report_service,/xmlpserver/ReportTemplateService.xls, /xmlpserver/Guest,/ui/do/logout,/ui/images,/biservices"
You are prompted for the app_agent_password.
Note:
If additional URLs must be protected later, then run the Oracle Access Manager Configuration Tool again using the same app_domain. Ensure that you include all the URLs that must be protected, not just the new ones.
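The following script is an added example and is not part of the Oracle guide. It prepares the two URI lists before they are passed to the Oracle Access Manager Configuration Tool: normalize_uri_list removes the whitespace that line wrapping leaves after some commas in the lists as printed above and drops empty entries, and uri_list_overlap reports any URI that appears in both lists, since a URI cannot be both protected and public. The script makes no assumption about whether oamcfgtool itself tolerates stray spaces; the lists are simply cleaned first. The two list values are the ones given above; the only constructed inputs are in the usage examples.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): clean and cross-check the
# protected and public URI lists for oamcfgtool.

# normalize_uri_list "a, b ,c": prints "a,b,c" with surrounding whitespace
# and empty entries removed.
normalize_uri_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | paste -s -d , -
}

# uri_list_overlap LIST_A LIST_B: prints the URIs common to both lists, one per
# line, and returns 0 when there is at least one; returns 1 if they are disjoint.
uri_list_overlap() {
    tmp_a=$(mktemp) || return 1
    tmp_b=$(mktemp) || return 1
    normalize_uri_list "$1" | tr ',' '\n' | sort -u > "$tmp_a"
    normalize_uri_list "$2" | tr ',' '\n' | sort -u > "$tmp_b"
    common=$(comm -12 "$tmp_a" "$tmp_b")
    rm -f "$tmp_a" "$tmp_b"
    if [ -n "$common" ]; then
        printf '%s\n' "$common"
        return 0
    fi
    return 1
}

# The two lists exactly as printed in the section above, wrapping spaces included.
PROTECTED_URI_LIST="/bicontent,/mapviewer,/em/.../*,/console/.../*,/aps,/calcmgr,/hr, /workspace,/analytics/saw.dll,/xmlpserver,/ui,/em,/console,/ui/adfAuthentication,/mobile,/mobile/.../*"
PUBLIC_URI_LIST="/analytics,/analytics/saw.dll/wsdl,/analytics-ws/saw.dll,/xmlpserver/services, /xmlpserver/report_service,/xmlpserver/ReportTemplateService.xls, /xmlpserver/Guest,/ui/do/logout,/ui/images,/biservices"

if uri_list_overlap "$PROTECTED_URI_LIST" "$PUBLIC_URI_LIST"; then
    echo "WARNING: the URIs above are listed as both protected and public" >&2
else
    echo "protected and public URI lists are disjoint"
fi

# Cleaned values to pass as protected_uris= and public_uris=:
#   normalize_uri_list "$PROTECTED_URI_LIST"
#   normalize_uri_list "$PUBLIC_URI_LIST"
```

When the tool is rerun later with additional URLs, as the note above requires, run the overlap check on the extended lists before invoking it; an entry added to the protected list that duplicates an existing public entry is the easiest mistake to make at that point.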
This section describes how to validate that the Policy Domain and AccessGate were created successfully.
Perform the following steps to verify the policy domain:
Log on to Oracle Access Manager at:
http://OAMADMINHOST:port/access/oblix
Click Policy Manager.
Click the My Policy Domains link on the left panel. A list of all policy domains is displayed, including the domain that you just created.
Click the link to the policy domain that you just created. The General area of the domain is displayed.
Click the Resources tab. The URIs that you specified are displayed. You can also click other tabs to view other settings.
Verifying the AccessGate Configuration
Perform the following steps to verify the AccessGate configuration:
Click the Access System Console link on the top right. Note that this link toggles between Access System Console and Policy Manager when you click it.
Click the Access System Configuration tab.
Click the AccessGate Configuration link in the left pane.
Enter bifoundation_domain as the search criterion (or another substring in the app_domain), then click Go.
The AccessGate for the domain that you just created is displayed. This result has the suffix _AG (for example, bifoundation_domain_AG).
Click the AccessGate for the domain to see details.
The Oracle Access Manager Configuration Tool uses the value of the app_domain parameter to create a host identifier for the policy domain. This host identifier must be updated with all the host name variations for the host so that the configuration works correctly.
Perform the following steps to update the host identifier that is created by the Oracle Access Manager Configuration Tool:
Navigate to the Access System Console by entering the following URL in a web browser:
http://hostname:port/access/oblix
where hostname refers to the host where the WebPass Oracle HTTP Server instance is running, and port refers to the HTTP port of the Oracle HTTP Server instance.
When prompted for a user name and password, log in as an administrator. Click OK.
On the Access System main page, click the Access System Console link.
On the Access System Console page, click the Access System Configuration tab.
On the Access System Configuration page, click Host Identifiers on the bottom left.
On the List all host identifiers page, click the host identifier that was created by the Oracle Access Manager Configuration Tool. For example, select bifoundation_domain.
On the Host Identifier Details page, click Modify.
On the Modifying host identifier page, add all the possible host name variations for the host. Click the plus and minus symbols to add or delete fields as necessary.
The Preferred HTTP Host value used in the Access System Configuration must be added as one of the host name variations. For example:
bifoundation_domain, webhost1.mycompany.com:7777, webhost2.mycompany.com:7777, APPHOST1VHN1.mycompany.com:9704, APPHOST2VHN1.mycompany.com:9704, ADMIN.mycompany.com:80, ADMINVHN.mycompany.com:7001, APPHOST1VHN1:9704, APPHOST2VHN1:9704, ADMINVHN:7001
Select Update Cache and click Save.
The following message is displayed: "Updating the cache at this point will flush all the cache in the system. Are you sure?"
Click OK to finish saving the configuration changes.
Verify the changes on the Host Identifier Details page.
The Oracle Access Manager Configuration Tool populates the Preferred_HTTP_Host and hostname attributes for the WebGate profile that is created with the value of the app_domain parameter. Both of these attributes must be updated with the correct values for the configuration to work.
Perform the following steps to update the WebGate profile that was created by the Oracle Access Manager Configuration Tool:
Navigate to the Access System Console by entering the following URL in a web browser:
http://hostname:port/access/oblix
where hostname refers to the host where the WebPass Oracle HTTP Server instance is running, and port refers to the HTTP port of the Oracle HTTP Server instance.
When prompted for a user name and password, log in as an administrator. Click OK.
On the Access System main page, click the Access System Console link.
On the Access System Console page, click the Access System Configuration tab to display the AccessGate Search page.
Enter the appropriate search criteria and click Go to display a list of AccessGates.
Select the AccessGate that was created by the Oracle Access Manager Configuration Tool. For example: bifoundation_domain_AG
On the AccessGate Details page, select Modify to display the Modify AccessGate page.
On the Modify AccessGate page, update the following:
Hostname: Update the host name with the name of the computer on which WebGate is running. For example: webhost1.mycompany.com
Preferred HTTP Host: Update the Preferred_HTTP_Host with one of the host name variations that is specified in the previous section. For example: webhost1.mycompany.com:7777
Primary HTTP Cookie Domain: Update the Primary HTTP Cookie Domain with the Domain suffix or the host identifier. For example: mycompany.com
Port: Update the port with the port number on which WebGate is running. For example: 7777
Maximum Connections: Set to 4.
Click Save, then click OK to confirm.
Verify the values that are displayed on the Details for AccessGate page to confirm that the updates were successful.
WebGate must be installed on each of the WEBHOSTn computers to secure the Web tier. Perform the following steps to install and configure WebGate:
Launch the WebGate installer using the following command:
./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate -gui
The Welcome screen is displayed. Click Next.
In the Customer Information screen, enter the user name and user group under which the Web server is running. Click Next to continue.
In the installation target screen, specify the directory where WebGate is installed. Click Next to continue.
In the installation summary screen, click Next.
Download the required GCC runtime libraries for WebGate as instructed in the WebGate configuration screen, and use Browse to point to their location on the local computer. Click Next to continue.
The installer now creates the required artifacts. After that process is complete, click Next to continue.
In the transport security mode screen, select the same mode that was configured for the BI Access Gate (for example, Simple) and click Next to continue.
Note:
When integrating with Oracle Identity Management, use the transport mode that is currently in use by the Oracle Identity Management servers. For example, Open, Simple, or Cert.
In the WebGate Configuration screen, provide the details of the Access Server that are used. You must provide the following information:
WebGate ID, as provided when the Oracle Access Manager Configuration Tool was executed
Password for WebGate
Access Server ID, as reported by the Oracle Access Manager Access Server configuration
Access Server host name, as reported by the Oracle Access Manager Access Server configuration
Access Server port number, as reported by the Oracle Access Manager Access Server configuration
Global Access Protocol Pass Phrase
You can obtain these details from the Oracle Access Manager administrator. Click Next to continue.
In the Configure Web Server screen, click Yes to automatically update the Web server. Click Next to continue.
In the next Configure Web Server screen, specify the full path of the directory that contains the httpd.conf file. Click Next to continue.
In the next Configure Web Server page, a message informs you that the web server configuration has been modified for WebGate. Click Yes to confirm.
Stop and start the web server for the configuration updates to take effect. Click Next to continue.
In the next Configure Web Server screen, a message about SSL is displayed. Click Next to continue.
In the next Configure Web Server screen, a message with the location of the document that has information about the rest of the product setup and web server configuration is displayed. Choose No and click Next to continue.
The final Configure Web Server screen is displayed with a message to manually launch a browser and open the HTML document for further information on configuring the web server. Click Next to continue.
The Oracle COREid Readme screen is displayed. Review the information on the screen and click Next to continue.
A message is displayed, providing details of the installation and informing you that the installation was successful.
IP Validation determines whether a client's IP address is the same as the IP address that is stored in the ObSSOCookie that is generated for single sign-on. IP Validation can cause issues in systems using load balancer devices that are configured to perform IP termination, or when the authenticating WebGate is front-ended by a different load balancer from the one front-ending the enterprise deployment. Perform the following steps to exclude the load balancer's address from IP Validation in these cases:
Navigate to the Access System Console using the following URL:
http://hostname:port/access/oblix
Where hostname refers to the host where the WebPass Oracle HTTP Server instance is running, and port refers to the HTTP port of the Oracle HTTP Server instance.
On the Access System main page, click the Access System Console link, and log in as an administrator.
On the Access System Console main page, click Access System Configuration, and click the Access Gate Configuration link on the left pane to display the AccessGates Search page.
Enter the appropriate search criteria and click Go to display a list of AccessGates.
Select the AccessGate that is created by the Oracle Access Manager configuration tool.
Click Modify at the bottom of the page.
In the IPValidationException field, enter the address of the load balancer that is used to front-end the deployment.
Click Save at the bottom of the page.
The instructions in this section assume that you have already configured the LDAP Authenticators.
Perform the following steps to set up the Oracle Access Manager ID Asserter:
Log in to the Administration Console.
In the Change Center, click Lock & Edit.
Navigate to SecurityRealms\myrealm\Providers.
Click New and select OAM Identity Asserter from the drop-down menu.
Name the asserter (for example: OAM ID Asserter) and click OK.
Click the newly added asserter to see the configuration screen for OAM Identity Asserter.
Set the control flag to REQUIRED and click Save.
Open the Provider Specific tab to configure the following required settings:
Primary Access Server: Provide the Oracle Access Manager server endpoint information in HOST:PORT format.
AccessGate Name: Provide the name of the AccessGate (for example, bifoundation_domain_AG).
AccessGate password: Provide the password for the AccessGate.
Click Save when done.
Click Activate Changes to propagate the changes.
Restart the Administration Server and the Managed Servers.
Reorder the Oracle Access Manager Identity Asserter, Oracle Internet Directory Authenticator, and Default Authenticator, and ensure that the control flag for each provider is set as follows:
OAM Identity Asserter: REQUIRED
OID LDAP Authenticator: SUFFICIENT
Default Authenticator: SUFFICIENT
Then, restart the Administration Server, the Managed Servers, and the Oracle Business Intelligence system components.
This section explains how to configure applications, and contains the following topics:
Section 12.2.8.1, "Enabling SSO/Oracle Access Manager for Oracle BI EE"
Section 12.2.8.2, "Enabling SSO and Oracle Access Manager for BI Publisher"
Section 12.2.8.3, "Enabling SSO/Oracle Access Manager for Oracle BI Search"
Section 12.2.8.4, "Enabling SSO/Oracle Access Manager for Oracle RTD"
Perform the following steps to enable SSO and Oracle Access Manager for Oracle BI EE:
Log in to Fusion Middleware Control.
Go to Business Intelligence > coreapplication > Security.
Click Lock and Edit Configuration.
Choose Enable SSO and select Oracle Access Manager for SSO Provider.
Configure the login/logout information for the Oracle BI Presentation Services processes by entering the logon and logoff URLs in the following fields:
The SSO Provider Logon URL: http://OAM_host:OAM_port/oamsso/login.html
The SSO Provider Logoff URL: http://OAM_host:OAM_port/access/oblix/lang/en-us/logout.html
Click Apply.
Click Activate Changes.
Restart all Oracle Business Intelligence system components using opmnctl or Fusion Middleware Control.
Perform the following steps to enable SSO and Oracle Access Manager for BI Publisher:
In BI Publisher, go to the Administration > Security Configuration page to enable SSO.
On the Security Configuration Page, provide the following information in the Single Sign-On section:
Select Use Single Sign-On.
For Single Sign-On Type, select Oracle Access Manager.
For Single Sign-Off URL, enter a URL of the following format:
http://OAM_host:OAM_port/access/oblix/lang/en-us/logout.html
Click Apply.
Restart the bipublisher application from the Administration Console.
Perform the following steps to enable SSO and Oracle Access Manager for Oracle BI Search:
Open the BISearchConfig.properties file for editing in the following directory:
DOMAIN_HOME/config/fmwconfig/biinstances/coreapplication/
Set the value of BIServerSSOUrl to the following:
https://bi.mycompany.com/analytics
Save and close the file.
This section provides information about Oracle RTD configuration with Oracle Access Manager.
This section contains the following topic:
For Oracle RTD to comply with Oracle Access Manager logout guidelines (in particular, invoking a logout through /adfAuthentication?logout=true&end_url=/ui/do/logout), integration with Oracle Access Manager 10g requires additional WebGate configuration to handle the end_url. Without this additional configuration, you are logged out, but not redirected to the end URL because Oracle Access Manager 10g WebGate does not process end_url.
For information about configuration procedures, see Oracle Fusion Middleware Application Security Guide.
This section describes how to configure Oracle Access Manager 11g as the single sign-on solution for the Oracle Business Intelligence Enterprise Deployment topology.
This section contains the following sections:
Oracle Access Manager is the recommended single sign-on solution for Oracle Fusion Middleware 11g Release 1. For more information on installing and configuring an Oracle Access Manager installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This section explains the procedure for configuring the Oracle Business Intelligence installation with an existing Oracle Access Manager 11g installation and the underlying directory service. Oracle recommends using either Oracle Internet Directory, Oracle Virtual Directory, or both of these directory services.
Note:
The Oracle Business Intelligence topology that is described in this guide uses a Single Sign-On configuration where both the Oracle Business Intelligence system and the Single Sign-On system are in the same network domain (mycompany.com). For a multi-domain configuration, refer to the required configuration steps in Chapter 11, "Introduction to Single Sign-On with Oracle Access Manager 11g," in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
The setup for Oracle Access Manager assumes an existing Oracle Access Manager installation that is complete with Access Managers and a policy that is protecting the Policy Manager. For more information on installing and configuring Oracle Access Manager, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This setup includes a directory service such as Oracle Internet Directory, either standalone or as part of an Oracle Virtual Directory configuration. This chapter provides the necessary steps for configuring the Oracle Business Intelligence installation with either Oracle Internet Directory or Oracle Virtual Directory.
In addition, the Oracle Access Manager installation must have its own web server that is configured with a WebGate. This section also provides the steps for using the Oracle Access Manager web server as a delegated authentication server.
You must install a WebGate on each of the WEBHOST computers where an HTTP Server has already been installed. Repeat Section 12.3.3 and Section 12.3.4 for each WEBHOST in the deployment environment.
You must download and install third-party GCC libraries on the computer before installing WebGate.
You can download the appropriate GCC library from the following third-party web site:
For Linux 32-bit, the required libraries are libgcc_s.so.1 and libstdc++.so.5 with a version number of 3.3.2. Table 12-2 lists the versions of GCC third-party libraries for Linux and Solaris.
This section describes the procedures for installing WebGate.
The Installer program for Oracle HTTP Server 11g WebGate for Oracle Access Manager is included in the webgate.zip file.
Perform the following steps to start the installation wizard:
Extract the contents of the webgate.zip file to a directory. By default, this directory is named webgate.
Move to the Disk1 directory under the webgate folder.
Start the installer using the following command:
$ ./runInstaller -jreLoc WebTier_Home/jdk
After the installer starts, the Welcome screen is displayed.
Installation Flow and Procedure
If you need additional help with any of the installation screens, then click Help to access the online help.
Perform the following steps to install Oracle HTTP Server 11g WebGate for Oracle Access Manager:
In the Welcome screen, click Next.
In the Prerequisite Checks screen, click Next.
In the Specify Installation Location screen, specify the Middleware Home and Oracle Home locations. You can use the default location, or choose another location.
Note:
The Middleware home contains an Oracle home for Oracle Web Tier.
Click Next.
In the Specify GCC Library screen, specify the directory that contains the GCC libraries, and click Next.
In the Installation Summary screen, verify the information on this screen and click Install to begin the installation.
In the Installation Progress screen, you might be prompted to run the ORACLE_HOME/oracleRoot.sh script to configure the proper file and directory permissions.
Click Next to continue.
In the Installation Complete screen, click Finish to exit the installer.
Perform the following steps after installing Oracle HTTP Server 11g WebGate for Oracle Access Manager:
Move to the following directory under the Oracle home for WebGate:
$ cd Webgate_Home/webgate/ohs/tools/deployWebGate
On the command line, run the following command to copy the required bits of agent from the Webgate_Home directory to the WebGate Instance location:
$ ./deployWebGateInstance.sh -w Webgate_Instance_Directory -oh Webgate_Oracle_Home
where Webgate_Oracle_Home is the directory in which you installed Oracle HTTP Server WebGate, that is, the Oracle home for WebGate, as in the following example:
MW_HOME/Oracle_OAMWebGate1
The Webgate_Instance_Directory is the location of WebGate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:
MW_HOME/ORACLE_BASE/admin/webn/config/OHS/ohsn
Note:
An Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server.
Run the following command to ensure that the LD_LIBRARY_PATH variable contains Oracle_Home_for_Oracle_HTTP_Server/lib:
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:Oracle_Home_for_Oracle_HTTP_Server/lib
From the present working directory, move up one directory level:
$ cd Webgate_Home/webgate/ohs/tools/setup/InstallTools
On the command line, run the following command to copy the apache_webgate.template from the Webgate_Home directory to the WebGate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf:
$ ./EditHttpConf -w Webgate_Instance_Directory [-oh Webgate_Oracle_Home] [-o output_file]
Note:
The -oh WebGate_Oracle_Home and -o output_file parameters are optional.
where WebGate_Oracle_Home is the directory in which you installed Oracle HTTP Server WebGate for Oracle Access Manager, that is, the Oracle Home for WebGate, as in the following example:
MW_HOME/Oracle_OAMWebGate1
The Webgate_Instance_Directory is the location of WebGate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:
MW_HOME/ORACLE_BASE/admin/webn/config/OHS/ohsn
The output_file is the name of the temporary output file that is used by the tool, as in the following example:
Edithttpconf.log
This section describes the procedures for registering the WebGate Agent and contains the following topics:
The RREG tool is part of the Oracle Access Manager 11g installation. If it is not already available, then perform the following steps to extract it:
After installing and configuring Oracle Access Manager, navigate to the following location:
IDM_Home/oam/server/rreg/client
On the command line, decompress the RREG.tar.gz file using gunzip and then untar it, as in the following example:
gunzip RREG.tar.gz
tar -xvf RREG.tar
You can find the tool that is used to register the agent in the following location:
RREG_Home/bin/oamreg.sh
RREG_Home is the directory to which you extracted the contents of RREG.tar.gz/rreg.
The RREG Configuration Tool provides a way to register protected and public resources into the OAM system. The list of protected resources to be added to the OAM system is as follows:
/analytics/saw.dll
/bicontent
/xmlpserver
/ui
/mapviewer
/bicomposer
/bisearch
/em
/em/.../*
/console
/console/.../*
/calcmgr
/hr
/workspace
/ui/adfAuthentication
/mobile
/mobile/.../*
/bioffice
where "/.../*" implies all resources under the base URL context.
The list of public resources is:
/analytics
/analytics/saw.dll/wsdl
/analytics-ws/saw.dll
/ui/do/logout
/xmlpserver/services
/xmlpserver/report_service
/xmlpserver/ReportTemplateService.xls
/xmlpserver/Guest
/biservices
/bioffice/services/saw?WSDL
/hr/services
/aps
/aps/JAPI
/aps/Essbase
/hr/modules/com/hyperion/reporting/web/repository/HRRepositoryXML.jsp
/hr/modules/com/hyperion/reporting/web/images
/ui/images/*
The list of excluded resources is:
/rtis
/rtis/.../*
/schema
/schema/.../*
/ws
/ws/.../*
/wsm-pm
/wsm-pm/.../*
In the RREG_Home/input directory, there is a template file named OAM11GRequest.xml. Copy this template to a new file called BIOAM11GRequest.xml and edit it to create the policies for the Oracle Business Intelligence installation. After editing, the file looks as follows.
Note:
Replace $$webtierhost$$, $$oamadminserverport$$, $$oamhost$$, and load_balancer_source_IP with their respective values in the installation.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
  NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration request file
        (Shorter version - Only mandatory values - Default values will be used for all other fields)
  DESCRIPTION: Modify with specific values and pass file as input to the tool.
-->
<OAM11GRegRequest>
  <serverAddress>http://$$oamhost$$:$$oamadminserverport$$</serverAddress>
  <hostIdentifier>$$webtierhost$$_bi</hostIdentifier>
  <agentName>$$webtierhost$$_bi</agentName>
  <applicationDomain>$$webtierhost$$_bi</applicationDomain>
  <cachePragmaHeader>private</cachePragmaHeader>
  <cacheControlHeader>private</cacheControlHeader>
  <ipValidation>1</ipValidation>
  <logOutUrls>
    <url>/oamsso/logout.html</url>
  </logOutUrls>
  <protectedResourcesList>
    <resource>/analytics/saw.dll</resource>
    <resource>/bicontent</resource>
    <resource>/xmlpserver</resource>
    <resource>/ui</resource>
    <resource>/mapviewer</resource>
    <resource>/bicomposer</resource>
    <resource>/bisearch</resource>
    <resource>/em</resource>
    <resource>/em/.../*</resource>
    <resource>/bioffice</resource>
    <resource>/console</resource>
    <resource>/console/.../*</resource>
    <resource>/mobile</resource>
    <resource>/mobile/.../*</resource>
    <resource>/calcmgr</resource>
    <resource>/hr</resource>
    <resource>/workspace</resource>
    <resource>/ui/adfAuthentication</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/analytics</resource>
    <resource>/analytics/saw.dll/wsdl</resource>
    <resource>/aps</resource>
    <resource>/ui/do/logout</resource>
    <resource>/xmlpserver/services</resource>
    <resource>/xmlpserver/report_service</resource>
    <resource>/bioffice/services/saw?WSDL</resource>
    <resource>/hr/services</resource>
    <resource>/aps/JAPI</resource>
    <resource>/aps/Essbase</resource>
    <resource>/hr/modules/com/hyperion/reporting/web/repository/HRRepositoryXML.jsp</resource>
    <resource>/hr/modules/com/hyperion/reporting/web/images</resource>
    <resource>/xmlpserver/ReportTemplateService.xls</resource>
    <resource>/xmlpserver/Guest</resource>
    <resource>/biservices</resource>
    <resource>/ui/images/*</resource>
    <resource>/analytics-ws/saw.dll</resource>
  </publicResourcesList>
  <excludedResourcesList>
    <resource>/rtis</resource>
    <resource>/rtis/.../*</resource>
    <resource>/schema</resource>
    <resource>/schema/.../*</resource>
    <resource>/ws</resource>
    <resource>/ws/.../*</resource>
    <resource>/wsm-pm</resource>
    <resource>/wsm-pm/.../*</resource>
  </excludedResourcesList>
</OAM11GRegRequest>
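Before the request file is handed to oamreg, it is worth confirming that no $$placeholder$$ was left unreplaced, that every resource this section lists landed in the right list, that no path appears in two lists (the logout URI, for example, must stay public), and that the ipValidation=1 default is understood in light of the load-balancer caveat later in this section. The following Python script is an added example for this guide, not Oracle's RREG tooling: it reads a request in the format shown above, applies those checks, and runs them against a constructed sample request that is seeded with each mistake; REQUIRED is a deliberately abridged subset of the section's resource lists.

```python
"""Sanity-check an OAM 11g agent registration request before passing it to oamreg.sh.
Added example, not part of Oracle's RREG tooling: element names follow the request file
shown above; REQUIRED is an abridged subset of that file's lists and the sample is constructed."""
import xml.etree.ElementTree as ET

# Constructed subset of the resources this section puts in each list.
REQUIRED = {
    "protectedResourcesList": {"/analytics/saw.dll", "/ui", "/console/.../*"},
    "publicResourcesList": {"/analytics", "/ui/do/logout", "/ui/images/*"},
    "excludedResourcesList": {"/rtis", "/rtis/.../*"},
}
LISTS = tuple(REQUIRED)


def load_resources(root):
    """Map each resource list to its <resource> paths, in document order."""
    return {name: [r.text.strip() for r in root.iterfind(f"./{name}/resource") if r.text]
            for name in LISTS}


def check_request(xml_text):
    """Return a list of findings; an empty list means the request looks sound."""
    root = ET.fromstring(xml_text)
    if root.tag != "OAM11GRegRequest":
        raise ValueError(f"not an OAM 11g registration request: <{root.tag}>")
    findings = []
    # 1. Placeholders such as $$oamhost$$ must be replaced before registration.
    for el in root.iter():
        if el.text and "$$" in el.text:
            findings.append(f"unresolved placeholder in <{el.tag}>: {el.text.strip()}")
    res = load_resources(root)
    # 2. A Unicode ellipsis pasted from a document is not the '...' wildcard.
    for name in LISTS:
        for path in res[name]:
            if "\u2026" in path:
                findings.append(f"{path} in {name} uses a Unicode ellipsis instead of '...'")
    # 3. Every resource the guide lists must be present in its list.
    for name in LISTS:
        for path in sorted(REQUIRED[name] - set(res[name])):
            findings.append(f"{name} is missing {path}")
    # 4. A path in two lists is ambiguous; the logout URI, for instance, must stay public.
    seen = {}
    for name in LISTS:
        for path in res[name]:
            if path in seen and seen[path] != name:
                findings.append(f"{path} appears in both {seen[path]} and {name}")
            seen.setdefault(path, name)
    # 5. ipValidation=1 breaks SSO behind an IP-terminating load balancer unless its address is excepted.
    if root.findtext("ipValidation", "").strip() == "1":
        findings.append("ipValidation is enabled: register the load balancer address "
                        "as an IP Validation Exception in the OAM console")
    return findings


# Constructed sample seeded with one placeholder, one pasted ellipsis, one missing
# wildcard, the logout URI in two lists, and ipValidation left at 1.
SAMPLE_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://$$oamhost$$:7001</serverAddress>
  <ipValidation>1</ipValidation>
  <protectedResourcesList>
    <resource>/analytics/saw.dll</resource>
    <resource>/ui</resource>
    <resource>/em/\u2026/*</resource>
    <resource>/ui/do/logout</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/analytics</resource>
    <resource>/ui/do/logout</resource>
    <resource>/ui/images/*</resource>
  </publicResourcesList>
  <excludedResourcesList>
    <resource>/rtis</resource>
    <resource>/rtis/.../*</resource>
  </excludedResourcesList>
</OAM11GRegRequest>
"""

if __name__ == "__main__":
    print("\n".join(check_request(SAMPLE_REQUEST)) or "request passes")
```

To check a real file, pass its contents to check_request (for example, the bytes of RREG_Home/input/BIOAM11GRequest.xml) and extend REQUIRED with the full lists from this section.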
Run the oamreg tool using the following command:
$ RREG_Home/bin/oamreg.sh inband RREG_Home/input/BIOAM11GRequest.xml
Note that the JAVA_HOME operating system environment variable must be set to jdk6 for this command to work.
The output looks similar to the following:
------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: /u01/oim/oim_home/oam/server/rreg/client/rreg/input/BIOAM11GRequest.xml
Enter admin username: oamadmin_user
Username: oamadmin_user
Enter admin password: my_password
Do you want to enter a Webgate password?(y/n): y
Enter webgate password: my_password
Enter webgate password again: my_password
Password accepted. Proceeding to register..
Nov 9, 2011 6:48:44 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n): n
----------------------------------------
Request summary:
OAM11G Agent Name:WEBHOST_bi
URL String:WEBHOST_bi
Registering in Mode:inband
Your registration request is being been sent to the Admin server at: http://oamserver.mycompany.com:OAM_ADMINSERVER_PORT
----------------------------------------
Inband registration process completed successfully!
Output artifacts are created in the output folder.
In OPEN mode, the following two files are generated in the OAM_REG_HOME/output/$$webtierhost$$_bi directory:
ObAccessClient.xml
cwallet.sso
Copy these files to the webgate instance location (Webgate_Instance_Home/config/OHS/ohsN/webgate/config/) on WEBHOST1 and WEBHOST2.
In SIMPLE mode, copy the following files from the OAM_REG_HOME/output/$$webtierhost$$_bi directory to the Webgate_Instance_Home/webgate/config directory on WEBHOST1 and WEBHOST2:
ObAccessClient.xml
cwallet.sso
password.xml
In addition, copy the following files from the OAM_REG_HOME/output/$$webtierhost$$_bi directory to the Webgate_Instance_Home/config/OHS/ohsN/webgate/config/simple directory on WEBHOST1 and WEBHOST2:
aaa_key.pem
aaa_cert.pem
Note:
When integrating with Oracle Identity Management, use the transport mode that is currently in use by the Oracle Identity Management servers. For example, Open, Simple, or Cert.
After you copy the access files to WEBHOST1 and WEBHOST2, you must restart the Oracle HTTP Server instances for the changes to take effect.
IP Validation determines if a client's IP address is the same as the IP address that is stored in the ObSSOCookie that is generated for single sign-on. IP Validation can cause issues in systems using load balancer devices that are configured to perform IP termination, or when the authenticating WebGate is front-ended by a different load balancer from the one that is front-ending the enterprise deployment. Perform the following steps to configure the load balancer so that it is not validated in these cases:
Go to the Oracle Access Manager 11g Console using the following URL:
http://hostname:port/oamconsole
Log in as the Oracle Access Manager 11g Administrator.
On the Welcome page, click the System Configuration tab.
In the Access Manager Settings section, expand the SSO Agents node. Then, double-click OAM Agents to display the OAM Agents Search page.
Enter the appropriate search criteria and click Search to display a list of OAM Agents.
Select the OAM Agent that is created by the Oracle Access Manager configuration tool.
In the IP Validation Exception field, enter the address of the load balancer that is used to front-end the deployment.
Click Apply at the top of the page.
This section assumes that you have already configured the LDAP authenticator by following the steps in Section 12.1.2.3, "Configuring the Identity Store to Use LDAP." If you have not already created the LDAP authenticator, then do so before continuing with this section.
This section contains the following topics:
To be safe, first back up the relevant configuration files:
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/system-jazn-data.xml
In addition, back up the boot.properties file for the Administration Server.
Perform the following steps to set up the OAM ID Asserter:
Log in to the WebLogic Administration Console using the following URL:
http://ADMINVHN.mycompany.com:7001/console
Click Lock and Edit.
Navigate to SecurityRealms, <Default Realm Name>, and Providers.
Click New and select OAM Identity Asserter from the dropdown menu.
Name the asserter (for example, OAM ID Asserter) and click Save.
Click the newly added asserter to see the configuration screen for OAM Identity Asserter.
Set the control flag to REQUIRED.
Ensure that both the ObSSOCookie and OAM_REMOTE_USER options are selected under active types.
Click Save when done.
Click Activate Changes to propagate the changes.
Restart the Administration Server and Managed Servers.
Finally, log in as admin to the WLST console at:
ORACLE_COMMON_HOME/common/bin/wlst.sh
Then, run the following command:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html")
For example:
wls:/offline> connect('weblogic','my_password','t3://ADMINVHN:7001')
Connecting to t3:ADMINVHN:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'bifoundation_domain'.
wls:/bifoundation_domain/serverConfig> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",logouturi="/oamsso/logout.html")
Reorder the OAM Identity Asserter, OID Authenticator, and Default Authenticator by ensuring that the control flag for each authenticator is set as follows:
OAM Identity Asserter: REQUIRED
OID LDAP Authenticator (or OVD LDAP Authenticator): SUFFICIENT
Default Authenticator: SUFFICIENT
Then, restart the Administration Server, the Managed Servers, and the Oracle Business Intelligence system components.
This section explains how to configure applications and contains the following topics:
Section 12.3.7.1, "Enabling SSO and Oracle Access Manager for Oracle BI EE"
Section 12.3.7.2, "Enabling SSO and Oracle Access Manager for BI Publisher"
Section 12.3.7.3, "Enabling SSO and Oracle Access Manager for Oracle BI Search"
Section 12.3.7.4, "Enabling SSO and Oracle Access Manager for Oracle RTD"
Perform the following steps to enable SSO and Oracle Access Manager for Oracle BI EE:
Log in to Fusion Middleware Control.
Go to Business Intelligence, coreapplication, Security, and Single Sign On.
Click Lock and Edit Configuration.
Select Enable SSO and select Oracle Access Manager for SSO Provider.
Configure the login and logout information for the Oracle BI Presentation Services processes by entering the logon and logoff URLs in the following fields:
The SSO Provider Logon URL: http://OAM_host:OAM_port/oamsso/login.html
The SSO Provider Logoff URL: http://OAM_host:OAM_port/oamsso/logout.html
Click Apply.
Click Activate Changes.
Restart all Oracle Business Intelligence system components using opmnctl or Fusion Middleware Control.
Perform the following steps to enable SSO and Oracle Access Manager for BI Publisher:
In BI Publisher, go to the Administration > Security Configuration page to enable SSO.
On the Security Configuration Page, provide the following information in the Single Sign-On section:
Select Use Single Sign-On.
For Single Sign-On Type, select Oracle Access Manager.
For Single Sign-Off URL, enter a URL of the following format:
http://OAM_host:OAM_port/oamsso/logout.html
For User Name Parameter, specify OAM_REMOTE_USER.
Click Apply.
Restart the bipublisher application from the Administration Console.
Perform the following steps to enable SSO and Oracle Access Manager for Oracle BI Search:
Open the BISearchConfig.properties file for editing in the following directory:
DOMAIN_HOME/config/fmwconfig/biinstances/coreapplication/
Set the value of BIServerSSOUrl to the following:
https://bi.mycompany.com/analytics
Save and close the file.
This section provides information about Oracle RTD configuration with Oracle Access Manager.
This section contains the following topic:
When Webgate 10g against Oracle Access Manager (OAM) 11g is configured as the SSO provider for Oracle Real-Time Decisions Decision Center access, logging out of, then back into Oracle RTD Decision Center prompts users for their user name and password credentials on the re-login. To ensure that this occurs correctly, you must configure the following Oracle RTD Decision Center resources in OAM/WebGate as public (unprotected or anonymous access):
Decision Center logout URI /ui/do/logout
Decision Center images /ui/images/*
After you have verified that the extended domain is working, back up the configuration. This is a quick backup for the express purpose of immediate restore in case of problems in the further steps. The backup destination is the local disk. This backup can be discarded after the enterprise deployment setup is complete. At this point, the regular deployment-specific backup and recovery process can be initiated. The Oracle Fusion Middleware Administrator's Guide provides further details. For a description of the Oracle HTTP Server data that must be backed up and restored, refer to the "Backup and Recovery Recommendations for Oracle HTTP Server" section in that guide. For information on how to recover components, see the "Recovering Components" and "Recovering After Loss of Component Host" sections in the guide. For recommendations specific to recovering from the loss of a host, see the "Recovering Oracle HTTP Server to a Different Host" section in the guide. Also refer to Oracle Database Backup and Recovery User's Guide for information on database backup.
Perform the following steps to back up the configuration at this point:
Back up the web tier using the following steps:
Shut down the instance using opmnctl:
WEBHOSTn> ORACLE_BASE/admin/instance_name/bin/opmnctl stopall
Back up the Middleware Home on the web tier using the following command (as root):
WEBHOSTn> tar -cvpf BACKUP_LOCATION/web.tar $MW_HOME
Back up the Instance home on the web tier using the following command (as root):
WEBHOSTn> tar -cvpf BACKUP_LOCATION/web_instance.tar $ORACLE_INSTANCE
Start the instance using opmnctl:
WEBHOSTn> ORACLE_BASE/admin/instance_name/bin/opmnctl startall
Back up the Administration Server domain directory. Perform a backup to save the domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domain_name directory. Run the following command to create the backup:
APPHOSTn> tar -cvpf edgdomainback.tar ORACLE_BASE/admin/domain_name